mirror of
https://github.com/moltbot/moltbot.git
synced 2026-03-08 06:54:24 +00:00
449511484d
* fix(gateway): allow ws:// to RFC 1918 private network addresses resolve ws-private-network conflicts * gateway: keep ws security strict-by-default with private opt-in * gateway: apply private ws opt-in in connection detail guard * gateway: apply private ws opt-in in websocket client * onboarding: gate private ws urls behind explicit opt-in * gateway tests: enforce strict ws defaults with private opt-in * onboarding tests: validate private ws opt-in behavior * gateway client tests: cover private ws env override * gateway call tests: cover private ws env override * changelog: add ws strict-default security entry for pr 28670 * docs(onboard): document private ws break-glass env * docs(gateway): add private ws env to remote guide * docs(docker): add private ws break-glass env var * docs(security): add private ws break-glass guidance * docs(config): document OPENCLAW_ALLOW_PRIVATE_WS * Update CHANGELOG.md * gateway: normalize private-ws host classification * test(gateway): cover non-unicast ipv6 private-ws edges * changelog: rename insecure private ws break-glass env * docs(onboard): rename insecure private ws env * docs(gateway): rename insecure private ws env in config reference * docs(gateway): rename insecure private ws env in remote guide * docs(security): rename insecure private ws env * docs(docker): rename insecure private ws env * test(onboard): rename insecure private ws env * onboard: rename insecure private ws env * test(gateway): rename insecure private ws env in call tests * gateway: rename insecure private ws env in call flow * test(gateway): rename insecure private ws env in client tests * gateway: rename insecure private ws env in client * docker: pass insecure private ws env to services * docker-setup: persist insecure private ws env --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
69 lines
2.0 KiB
YAML
69 lines
2.0 KiB
YAML
services:
|
|
openclaw-gateway:
|
|
image: ${OPENCLAW_IMAGE:-openclaw:local}
|
|
environment:
|
|
HOME: /home/node
|
|
TERM: xterm-256color
|
|
OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
|
|
OPENCLAW_ALLOW_INSECURE_PRIVATE_WS: ${OPENCLAW_ALLOW_INSECURE_PRIVATE_WS:-}
|
|
CLAUDE_AI_SESSION_KEY: ${CLAUDE_AI_SESSION_KEY:-}
|
|
CLAUDE_WEB_SESSION_KEY: ${CLAUDE_WEB_SESSION_KEY:-}
|
|
CLAUDE_WEB_COOKIE: ${CLAUDE_WEB_COOKIE:-}
|
|
volumes:
|
|
- ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
|
|
- ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
|
|
ports:
|
|
- "${OPENCLAW_GATEWAY_PORT:-18789}:18789"
|
|
- "${OPENCLAW_BRIDGE_PORT:-18790}:18790"
|
|
init: true
|
|
restart: unless-stopped
|
|
command:
|
|
[
|
|
"node",
|
|
"dist/index.js",
|
|
"gateway",
|
|
"--bind",
|
|
"${OPENCLAW_GATEWAY_BIND:-lan}",
|
|
"--port",
|
|
"18789",
|
|
]
|
|
healthcheck:
|
|
test:
|
|
[
|
|
"CMD",
|
|
"node",
|
|
"-e",
|
|
"fetch('http://127.0.0.1:18789/healthz').then((r)=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))",
|
|
]
|
|
interval: 30s
|
|
timeout: 5s
|
|
retries: 5
|
|
start_period: 20s
|
|
|
|
openclaw-cli:
|
|
image: ${OPENCLAW_IMAGE:-openclaw:local}
|
|
network_mode: "service:openclaw-gateway"
|
|
cap_drop:
|
|
- NET_RAW
|
|
- NET_ADMIN
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
environment:
|
|
HOME: /home/node
|
|
TERM: xterm-256color
|
|
OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
|
|
OPENCLAW_ALLOW_INSECURE_PRIVATE_WS: ${OPENCLAW_ALLOW_INSECURE_PRIVATE_WS:-}
|
|
BROWSER: echo
|
|
CLAUDE_AI_SESSION_KEY: ${CLAUDE_AI_SESSION_KEY:-}
|
|
CLAUDE_WEB_SESSION_KEY: ${CLAUDE_WEB_SESSION_KEY:-}
|
|
CLAUDE_WEB_COOKIE: ${CLAUDE_WEB_COOKIE:-}
|
|
volumes:
|
|
- ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
|
|
- ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
|
|
stdin_open: true
|
|
tty: true
|
|
init: true
|
|
entrypoint: ["node", "dist/index.js"]
|
|
depends_on:
|
|
- openclaw-gateway
|