mirror of
https://github.com/nearai/ironclaw.git
synced 2026-06-08 19:04:10 +08:00
c26f116a98
* fix(deploy): harden production container and bootstrap security - Replace --network=host with explicit port mapping (-p 3000:3000) to restore Docker network isolation. The prior config gave the container full access to the host network namespace including the Cloud SQL Auth Proxy on localhost:5432. (CWE-668) - Support pinned image versions via IRONCLAW_VERSION env var instead of always pulling :latest. Mutable tags allow uncontrolled deployments if the registry is compromised or a broken image is pushed. Falls back to :latest when unset for backwards compatibility. (CWE-829) - Add SHA256 checksum verification after downloading the Cloud SQL Auth Proxy binary. The prior script executed an unverified binary downloaded over the network with direct access to the production database. (CWE-494) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * chore(ci): rerun regression gate [skip-regression-check] --------- Co-authored-by: Rafael Martinez <rgmllc@yahoo.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>