mirror of
https://github.com/nearai/ironclaw.git
synced 2026-06-09 19:58:10 +08:00
* fix(deploy): harden production container and bootstrap security - Replace --network=host with explicit port mapping (-p 3000:3000) to restore Docker network isolation. The prior config gave the container full access to the host network namespace including the Cloud SQL Auth Proxy on localhost:5432. (CWE-668) - Support pinned image versions via IRONCLAW_VERSION env var instead of always pulling :latest. Mutable tags allow uncontrolled deployments if the registry is compromised or a broken image is pushed. Falls back to :latest when unset for backwards compatibility. (CWE-829) - Add SHA256 checksum verification after downloading the Cloud SQL Auth Proxy binary. The prior script executed an unverified binary downloaded over the network with direct access to the production database. (CWE-494) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * chore(ci): rerun regression gate [skip-regression-check] --------- Co-authored-by: Rafael Martinez <rgmllc@yahoo.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
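# WARNING: Replace all CHANGE_ME values before deploying.
# Do not use placeholder passwords in production.
#
# Once filled in, this file holds live credentials (database password, API key,
# gateway token). Keep the deployed copy out of version control and readable
# only by the account that starts the service.
#
# Comments are kept on their own lines. Several env-file readers (for example
# `docker run --env-file` and systemd EnvironmentFile=) do not strip trailing
# "# ..." text, so an inline comment would become part of the value.

# Pin the Docker image version for deterministic deployments.
# Update this value when deploying a new release.
# IRONCLAW_VERSION=v1.0.0

# NOTE(review): "localhost" resolves inside the network namespace the process
# runs in. If the container is started with a published port rather than
# --network=host, localhost:5432 no longer reaches a proxy listening on the
# host - confirm how the deploy script routes this connection.
DATABASE_URL=postgres://ironclaw:CHANGE_ME@localhost:5432/ironclaw

# NEAR AI Cloud (API key auth, Chat Completions API)
# Get an API key from https://cloud.near.ai
NEARAI_API_KEY=CHANGE_ME
NEARAI_MODEL=claude-3-5-sonnet-20241022
NEARAI_BASE_URL=https://cloud-api.near.ai

# Or use NEAR AI Chat (session token auth, Responses API):
# NEARAI_SESSION_TOKEN=sess_...
# NEARAI_BASE_URL=https://private.near.ai

# Agent
AGENT_NAME=ironclaw
CLI_ENABLED=false

# Web Gateway
GATEWAY_ENABLED=true
# 0.0.0.0 binds to all interfaces. Inside a container this is needed both with
# --network=host and with a published port (-p 3000:3000); which host
# interfaces can reach the gateway is then decided by the port mapping and the
# host firewall.
# Use 127.0.0.1 if running outside Docker or for local-only access.
GATEWAY_HOST=0.0.0.0
GATEWAY_PORT=3000
# NOTE(review): presumably the token clients must present to the gateway -
# confirm. With GATEWAY_HOST=0.0.0.0 it should be a long, randomly generated
# value, never the placeholder.
GATEWAY_AUTH_TOKEN=CHANGE_ME

# Restart Feature (Docker containers only)
# IMPORTANT: Set this in the container entrypoint or docker-compose to enable restart.
# The Docker entrypoint loop monitors exit codes:
# - Exit code 0 = clean restart: reset failure counter, wait IRONCLAW_RESTART_DELAY, restart
# - Exit code ≠ 0 = failure: increment counter, exit after IRONCLAW_MAX_FAILURES
IRONCLAW_IN_DOCKER=false
# seconds to wait before restarting (range: 1-30)
IRONCLAW_RESTART_DELAY=5
# max consecutive failures before container exits
IRONCLAW_MAX_FAILURES=10

# Disabled for initial deploy
# NOTE(review): SANDBOX_ENABLED=false is the shipped value for a production
# template; confirm what isolation this turns off and when it is re-enabled.
SANDBOX_ENABLED=false
HEARTBEAT_ENABLED=false
EMBEDDING_ENABLED=false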