limbo-ai 1.20.2 → 1.20.4
- package/cli.js +11 -20
- package/package.json +1 -1
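--- a/package/cli.js
+++ b/package/cli.js
@@ -159,12 +159,9 @@ function composeContent() {
 - ${VAULT_DIR}:/data/vault
 - limbo-zeroclaw-state:/home/limbo/.zeroclaw
 secrets:
--
-
--
-mode: 0444
-- source: gateway_token
-mode: 0444
+- llm_api_key
+- telegram_bot_token
+- gateway_token
 env_file:
 - ${LIMBO_DIR}/.env
 environment:
@@ -182,13 +179,10 @@ function composeContent() {
 secrets:
 llm_api_key:
 file: ${SECRETS_DIR}/llm_api_key
-mode: 0444
 telegram_bot_token:
 file: ${SECRETS_DIR}/telegram_bot_token
-mode: 0444
 gateway_token:
 file: ${SECRETS_DIR}/gateway_token
-mode: 0444
 
 volumes:
 limbo-data:
@@ -221,12 +215,9 @@ function composeContentHardened() {
 - ${VAULT_DIR}:/data/vault
 - limbo-zeroclaw-state:/home/limbo/.zeroclaw
 secrets:
--
-
--
-mode: 0444
-- source: gateway_token
-mode: 0444
+- llm_api_key
+- telegram_bot_token
+- gateway_token
 env_file:
 - ${LIMBO_DIR}/.env
 environment:
@@ -275,13 +266,10 @@ networks:
 secrets:
 llm_api_key:
 file: ${SECRETS_DIR}/llm_api_key
-mode: 0444
 telegram_bot_token:
 file: ${SECRETS_DIR}/telegram_bot_token
-mode: 0444
 gateway_token:
 file: ${SECRETS_DIR}/gateway_token
-mode: 0444
 
 volumes:
 limbo-data:
@@ -719,7 +707,10 @@ function normalizeConfig(cfg, existingEnv = {}) {
 function writeSecretFile(name, value) {
 fs.mkdirSync(SECRETS_DIR, { recursive: true, mode: 0o700 });
 const filePath = path.join(SECRETS_DIR, name);
-
+// Use 0644 so any container user can read the mounted file.
+// Docker Compose file-based secrets ignore uid/gid/mode settings,
+// so the host file permissions are what the container sees.
+fs.writeFileSync(filePath, value || '', { mode: 0o644 });
 }
 
 function writeSecrets(cfg, existingEnv = {}) {
@@ -933,7 +924,7 @@ function ensureComposeFile(hardened = false) {
 // Ensure secret files exist (Docker Compose secrets require the files to be present)
 for (const name of ['llm_api_key', 'telegram_bot_token', 'gateway_token']) {
 const fp = path.join(SECRETS_DIR, name);
-if (!fs.existsSync(fp)) fs.writeFileSync(fp, '', { mode:
+if (!fs.existsSync(fp)) fs.writeFileSync(fp, '', { mode: 0o644 });
 }
 if (hardened) {
 // Copy squid config files for egress filtering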
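Review bot: With the secret files now written as `0o644` in writeSecretFile (and in the placeholder loop in ensureComposeFile), the `0o700` mode on SECRETS_DIR becomes the only barrier between other local accounts on the host and the LLM API key and both tokens, and `fs.mkdirSync` applies that mode only when it creates the directory. I would re-assert it right after the mkdir with `fs.chmodSync(SECRETS_DIR, 0o700);` and extend the new comment to say that the directory, not the file mode, is what keeps the secrets private on the host. Separately, the `mode` option of `fs.writeFileSync` is used only when the file is created, so on an install upgraded from an earlier version the existing files presumably keep their old mode and the container may still be unable to read them; `fs.chmodSync(filePath, 0o644);` after the write would make the change take effect there. ensureComposeFile's body starts and ends outside its hunk, so whether SECRETS_DIR is created with a restrictive mode before that loop runs is not visible here.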