fix(docker): remove --bind lan from default CMD to work out of the box

Addresses review feedback: --bind lan requires auth token, so default CMD should bind to loopback only. For container platforms needing LAN binding for health checks: 1. Set OPENCLAW_GATEWAY_TOKEN env var 2. Override CMD: ["node","dist/index.js","gateway","--allow-unconfigured","--bind","lan"]
2026-02-09 05:19:32 +08:00 · 2026-02-02 03:46:30 +05:30
parent 1a05ee941e
commit bb3d7343f4
1 changed files with 7 additions and 1 deletions
--- a/8
+++ b/8
@@ -39,4 +39,10 @@ RUN chown -R node:node /app
 # This reduces the attack surface by preventing container escape via root privileges
 USER node

-CMD ["node", "dist/index.js", "gateway", "--allow-unconfigured", "--bind", "lan"]
+# Start gateway server with default config.
+# Binds to loopback (127.0.0.1) by default for security.
+#
+# For container platforms requiring external health checks:
+#   1. Set OPENCLAW_GATEWAY_TOKEN or OPENCLAW_GATEWAY_PASSWORD env var
+#   2. Override CMD: ["node","dist/index.js","gateway","--allow-unconfigured","--bind","lan"]
+CMD ["node", "dist/index.js", "gateway", "--allow-unconfigured"]