Skip to content

fix(render): add docker entrypoint for config seeding#2

Merged
gavinwxx-vybers merged 97 commits intomainfrom
fix/docker-render-deploy
Feb 25, 2026
Merged

fix(render): add docker entrypoint for config seeding#2
gavinwxx-vybers merged 97 commits intomainfrom
fix/docker-render-deploy

Conversation

@gavinwxx-vybers
Copy link

@gavinwxx-vybers gavinwxx-vybers commented Feb 25, 2026

Summary

  • Add scripts/docker-entrypoint.sh that seeds a minimal openclaw.json with dangerouslyAllowHostHeaderOriginFallback: true on first boot
  • Update Dockerfile to chmod the entrypoint script
  • Update render.yaml to use the entrypoint instead of inline shell

Fixes the non-loopback Control UI requires gateway.controlUi.allowedOrigins error on Render.

🤖 Generated with Claude Code

shakkernerd and others added 30 commits February 24, 2026 22:28
@shakkernerd
ui: block svg data image opens and harden tests
e975010
@shakkernerd
changelog: credit both chat-image fix contributors
e7298b8
@shakkernerd
test(ui): reject base64 SVG data URLs
30cb849
@shakkernerd
changelog: include openclaw#25847 in chat image safety entry (opencla…
853f755 
…w#25847) (thanks @shakkernerd)
@steipete
refactor(ios): drop legacy talk payload and keychain fallbacks
f4e6f87
@shakkernerd
chore: sync plugin versions to 2026.2.24
955cc90
@shakkernerd
chore: refresh lockfile after plugin devDependency cleanup
039ae0b
@steipete @chilu18
fix(config): soften antigravity removal fallout (openclaw#25538)
bf8ca07 
Land openclaw#25538 by @chilu18 to keep legacy google-antigravity-auth config entries non-fatal after removal (see openclaw#25862).

Co-authored-by: chilu18 <chilu.machona@icloud.com>
@steipete
fix(security): lock sandbox tmp media paths to openclaw roots
d3da67c
@steipete
docs(security): document openclaw temp-folder boundary
2d159e5
@steipete
fix(security): restrict default safe-bin trusted dirs
b67e600
@steipete
fix: enforce local media root checks for attachment hydration
270ab03
@steipete
fix(synology-chat): fail closed empty allowlist
0ee3036
@steipete
docs(changelog): add synology-chat allowlist fail-closed note
7655c0c
@steipete
fix: harden routing/session isolation for followups and heartbeat
ccbeb33
@steipete
feat(sandbox): block container namespace joins by default
14b6eea
@steipete
refactor(sandbox): centralize network mode policy helpers
5552f90
@steipete @pewallin
@joshjhall @DennisGoldfinger @peteragility
fix(channels,sandbox): land hard breakage cluster from reviewed PR bases
e7a5f9f 
Lands reviewed fixes based on openclaw#25839 (@pewallin), openclaw#25841 (@joshjhall), and openclaw#25737/@25713 (@DennisGoldfinger/@peteragility), with additional hardening + regression tests for queue cleanup and shell script safety.

Fixes openclaw#25836
Fixes openclaw#25840
Fixes openclaw#25824
Fixes openclaw#25868

Co-authored-by: Peter Wallin <pwallin@gmail.com>
Co-authored-by: Joshua Hall <josh@yaplabs.com>
Co-authored-by: Dennis Goldfinger <dennisgoldfinger@gmail.com>
Co-authored-by: peteragility <peteragility@users.noreply.github.com>
@steipete
refactor(synology-chat): centralize DM auth and fail fast startup
9fccf60
@steipete
test: add routing/session isolation edge-case regressions
9b53102
@steipete
refactor: centralize followup origin routing helpers
54648a9
@steipete
refactor(outbound): centralize attachment media policy
5c2a483
@steipete
refactor: harden safe-bin trusted dir diagnostics
4355e08
@steipete
fix(zalo): enforce group sender policy in groups
b4010a0
@steipete
docs: update changelog for safe-bin hardening
79e2328
@steipete
test(line): align tmp-root expectation after sandbox hardening
79a7b3d
@steipete
fix(web-search): reduce provider auto-detect log noise
13a1c46
@steipete
test(matrix,discord,sandbox): expand breakage regression coverage
a2529c2
@steipete
refactor(matrix,tests): extract helpers and inject send-queue timing
58309fd
@steipete
refactor(zalo): split monitor access and webhook logic
453664f
vincentkoc and others added 29 commits February 24, 2026 19:16
@vincentkoc
Agents: trust explicit allowlist refs beyond catalog
e9068e2
@vincentkoc
Tests: cover allowlist refs missing from catalog
f34325e
@vincentkoc
Gateway tests: accept allowlisted refs absent from catalog
f7cf3d0
@vincentkoc
Gateway tests: include synthetic allowlist models in models.list
5509bf2
@vincentkoc
Changelog: note allowlist stale-catalog model selection fix
1839ba8
@steipete @frankekn @docaohieu2808
fix(discord): harden voice DAVE receive reliability (openclaw#25861)
9cd50c5 
Reimplements and consolidates related work:
- openclaw#24339 stale disconnect/destroyed session guards
- openclaw#25312 voice listener cleanup on stop
- openclaw#23036 restore @snazzah/davey runtime dependency

Adds Discord voice DAVE config passthrough, repeated decrypt failure
rejoin recovery, regression tests, docs, and changelog updates.

Co-authored-by: Frank Yang <frank.ekn@gmail.com>
Co-authored-by: Do Cao Hieu <admin@docaohieu.com>
@steipete
fix(macos): clean warnings and harden gateway/talk config parsing
ce1dbeb
@steipete
docs(discord): document DAVE defaults and decrypt recovery
ee6fec3
@steipete
test: bridge discord voice private casts via unknown
a1a6235
@steipete
docs(changelog): remove next-release shipping sentence
b0f3925
@steipete
refactor(exec): split system.run phases and align ts/swift validator …
3c95f89 
…contracts
@steipete
fix(windows): skip unreliable dev comparison in fs-safe openVerifiedL…
7455cee 
…ocalFile

On Windows, device IDs (dev) returned by handle.stat() and fs.lstat()
may differ even for the same file, causing false-positive 'path-mismatch'
errors when reading local media files.

This fix introduces a statsMatch() helper that:
- Always compares inode (ino) values
- Skips device ID (dev) comparison on Windows where it's unreliable
- Maintains full comparison on Unix platforms

Fixes openclaw#25699
@steipete
fix: align windows safe-open file identity checks
943b8f1
@steipete
refactor: dedupe exec wrapper denial plan and test setup
a9ce6bd
@steipete
fix: harden iMessage echo dedupe and reasoning suppression (openclaw#…
2a11c09 
…25897)
@steipete
test(media): add win32 dev=0 local media regression
196a7db
@steipete
refactor: extract iMessage echo cache and unify suppression guards
5c6b2cb
@steipete
test: normalize tmp media path assertion for windows
2157c49
@claude
fix(render): seed Control UI origin config on first boot
a6460be 
The gateway requires controlUi.allowedOrigins when binding to LAN.
On Render, the persistent disk starts empty with no openclaw.json.
Seed a minimal config with dangerouslyAllowHostHeaderOriginFallback
on first boot (safe behind Render's HTTPS reverse proxy).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@steipete
chore(deps): update dependencies except carbon
8470dff
@steipete @Zjianru
fix(agents): normalize SiliconFlow Pro thinking=off payload (openclaw…
bd213cf 
…#25435)

Land PR openclaw#25435 from @Zjianru.
Changelog: add 2026.2.24 fix entry with contributor credit.

Co-authored-by: codez <codezhujr@gmail.com>
@steipete @lairtonlelis
fix(telegram): refresh global undici dispatcher for autoSelectFamily (o…
0078070 
…penclaw#25682)

Land PR openclaw#25682 from @lairtonlelis after maintainer rework:
track dispatcher updates when network decision changes to avoid stale global fetch behavior.

Co-authored-by: Ailton <lairton@telnyx.com>
@steipete
fix(synology-chat): land @bmendonca3 fail-closed allowlist follow-up (o…
7dfac70 
…penclaw#25827)

Carry fail-closed empty-allowlist guard clarity and changelog attribution for PR openclaw#25827.

Co-authored-by: Brian Mendonca <brianmendonca@Brians-MacBook-Air.local>
@steipete @lairtonlelis
fix(agents): reduce billing false positives on long text (openclaw#25680
43f318c 
)

Land PR openclaw#25680 from @lairtonlelis.
Retain explicit status/code/http 402 detection for oversized structured payloads.

Co-authored-by: Ailton <lairton@telnyx.com>
@claude
fix(render): add docker entrypoint script for config seeding
a9e40a2 
The inline shell command in render.yaml's dockerCommand wasn't
reliably creating the seed config. Replace with a proper entrypoint
script that creates a minimal openclaw.json with
dangerouslyAllowHostHeaderOriginFallback on first boot, then starts
the gateway bound to LAN on the PORT env var.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@steipete @Suko
fix(ui): inherit default model fallbacks in agents overview (openclaw…
4d89548 
…#25729)

Land PR openclaw#25729 from @Suko.
Use shared fallback-resolution helper and add regression coverage for default, override, and explicit-empty cases.

Co-authored-by: suko <miha.sukic@gmail.com>
@steipete
fix(heartbeat): default target none and internalize relay prompts
e2362d3
@steipete
test(windows): normalize risky-path assertions
a177b10
@gavinwxx-vybers
Merge branch 'main' into fix/docker-render-deploy
5199e5a
@gavinwxx-vybers gavinwxx-vybers merged commit 15d1d68 into main Feb 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@gavinwxx-vybers @shakkernerd @steipete @vincentkoc @markmusson @Suko @fwhite13