Dockerfile: pinned OpenClaw version, restrictive allowedOrigins, no way to update in sandbox #739

@cluster2600

Description

Several related issues with the Dockerfile configuration:

1. Pinned OpenClaw version (2026.3.11)

The Dockerfile pins openclaw@2026.3.11 but OpenClaw 2026.3.22 is available with important fixes. There is no documented mechanism to update OpenClaw inside the sandbox without rebuilding the entire image, since /sandbox/.openclaw is read-only (by design). Running openclaw update inside the sandbox fails with EACCES.

A documented workflow for updating OpenClaw (e.g. a nemoclaw rebuild command or a build-arg override) would be helpful.

2. Restrictive allowedOrigins

The config generator only adds http://127.0.0.1:18789 to allowedOrigins. This breaks remote dashboard access — for example, accessing Mission Control on port 3333 from a LAN machine, or via SSH tunnel with a different origin. Adding '*' (or at least common local origins like http://127.0.0.1:3333) would make remote access work out of the box.

3. trustedProxies missing private network CIDRs

trustedProxies only lists 127.0.0.1 and ::1. For SSH tunnel or reverse proxy setups (common on DGX Spark headless deployments), private network CIDRs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) should be included so that X-Forwarded-For headers are trusted correctly.

Environment

  • DGX Spark (aarch64, headless)
  • Accessed via SSH tunnel / LAN
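
Added example, not part of the original issue and not OpenClaw or NemoClaw code: a generic right-to-left X-Forwarded-For resolver showing how the trustedProxies list from item 3 decides which address is treated as the client. The function names and sample addresses are constructed, and non-CIDR entries such as ::1 are matched only as exact strings.

```javascript
// Added example: generic X-Forwarded-For resolution against a trusted-proxy list.
// Assumption: this is the common right-to-left algorithm, not OpenClaw's own code.

// Convert a dotted-quad IPv4 address to an unsigned integer, or null if invalid.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if `ip` matches `entry`: an exact string (e.g. "::1") or an IPv4 CIDR.
function matches(ip, entry) {
  if (!entry.includes('/')) return ip === entry;
  const [base, bitsStr] = entry.split('/');
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const hostSpan = 2 ** (32 - bits); // division avoids signed 32-bit shifts
  return Math.floor(a / hostSpan) === Math.floor(b / hostSpan);
}

function isTrusted(ip, trustedProxies) {
  return trustedProxies.some((entry) => matches(ip, entry));
}

// Start at the socket peer and walk X-Forwarded-For from right to left;
// the first address that is not a trusted proxy is taken as the client.
function resolveClientIp(peerIp, xffHeader, trustedProxies) {
  if (!isTrusted(peerIp, trustedProxies)) return peerIp; // header is ignored
  const hops = (xffHeader || '').split(',').map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!isTrusted(hops[i], trustedProxies)) return hops[i];
  }
  return hops.length ? hops[0] : peerIp; // every hop was a trusted proxy
}

// The two lists discussed in item 3 of the issue.
const LOOPBACK_ONLY = ['127.0.0.1', '::1'];
const WITH_PRIVATE = [...LOOPBACK_ONLY, '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'];
```

With only loopback trusted, a request relayed by a LAN reverse proxy resolves to the proxy's own address. With the private CIDRs added, the X-Forwarded-For value is accepted from any peer inside those ranges, so a list that names only the hosts that actually proxy keeps the resolved address meaningful.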

Labels

  • Docker (Support for Docker containerization)
  • Integration: OpenClaw (Support for OpenClaw)
  • bug (Something isn't working)
  • enhancement: feature (Use this label to identify requests for new capabilities in NemoClaw.)
  • priority: medium (Issue that should be addressed in upcoming releases)