limbo-ai 1.20.3 → 1.20.4
- package/cli.js +11 -14
- package/package.json +1 -1
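--- a/package/cli.js
+++ b/package/cli.js
@@ -159,12 +159,9 @@ function composeContent() {
 - ${VAULT_DIR}:/data/vault
 - limbo-zeroclaw-state:/home/limbo/.zeroclaw
 secrets:
--
-
--
-mode: 0444
-- source: gateway_token
-mode: 0444
+- llm_api_key
+- telegram_bot_token
+- gateway_token
 env_file:
 - ${LIMBO_DIR}/.env
 environment:
@@ -218,12 +215,9 @@ function composeContentHardened() {
 - ${VAULT_DIR}:/data/vault
 - limbo-zeroclaw-state:/home/limbo/.zeroclaw
 secrets:
--
-
--
-mode: 0444
-- source: gateway_token
-mode: 0444
+- llm_api_key
+- telegram_bot_token
+- gateway_token
 env_file:
 - ${LIMBO_DIR}/.env
 environment:
@@ -713,7 +707,10 @@ function normalizeConfig(cfg, existingEnv = {}) {
 function writeSecretFile(name, value) {
 fs.mkdirSync(SECRETS_DIR, { recursive: true, mode: 0o700 });
 const filePath = path.join(SECRETS_DIR, name);
-
+// Use 0644 so any container user can read the mounted file.
+// Docker Compose file-based secrets ignore uid/gid/mode settings,
+// so the host file permissions are what the container sees.
+fs.writeFileSync(filePath, value || '', { mode: 0o644 });
 }
 
 function writeSecrets(cfg, existingEnv = {}) {
@@ -927,7 +924,7 @@ function ensureComposeFile(hardened = false) {
 // Ensure secret files exist (Docker Compose secrets require the files to be present)
 for (const name of ['llm_api_key', 'telegram_bot_token', 'gateway_token']) {
 const fp = path.join(SECRETS_DIR, name);
-if (!fs.existsSync(fp)) fs.writeFileSync(fp, '', { mode:
+if (!fs.existsSync(fp)) fs.writeFileSync(fp, '', { mode: 0o644 });
 }
 if (hardened) {
 // Copy squid config files for egress filtering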
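Review bot: Writing the secret files with `{ mode: 0o644 }` in writeSecretFile (and again in ensureComposeFile) makes the LLM API key, Telegram bot token and gateway token readable by every local account on the host that can reach the path, so the only remaining barrier is the `0o700` on SECRETS_DIR. The visible code does not guarantee that barrier: `fs.mkdirSync(SECRETS_DIR, { recursive: true, mode: 0o700 })` applies the mode only when it creates the directory and leaves an existing, looser directory untouched, so I would add `fs.chmodSync(SECRETS_DIR, 0o700);` right after it. The `mode` option of `fs.writeFileSync` is likewise honoured only on creation, so files left by an earlier install keep their old permissions and fresh and upgraded hosts will behave differently; an explicit `fs.chmodSync(filePath, 0o644);` after the write would make the result deterministic. If the container's uid is known, owning the files by that uid with `0o400` would avoid world-readable secrets altogether. The previous mode is not visible in the removed lines, so how far the permissions were loosened cannot be read off this page.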