Peter Steinberger
17085ec1a4
fix: make qa lab docker boot resilient
2026-04-07 09:04:18 +01:00
Gustavo Madeira Santana
7155aa9c15
fix(docker): use built bundled plugins in runtime images (#62316)
...
Merged via squash.
Prepared head SHA: c2bbfef188
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-04-07 02:18:24 -04:00
Peter Steinberger
8e0ab35b0e
refactor(plugins): decouple bundled plugin runtime loading
2026-03-29 09:10:38 +01:00
Josh Avant
a2a9a553e1
Stabilize plugin loader and Docker extension smoke (#50058)
...
* Plugins: stabilize Area 6 loader and Docker smoke
* Docker: fail fast on extension npm install errors
* Tests: stabilize loader non-native Jiti boundary CI timeout
* Tests: stabilize plugin loader Jiti source-runtime coverage
* Docker: keep extension deps on lockfile graph
* Tests: cover tsx-cache renamed package cwd fallback
* Tests: stabilize plugin-sdk export subpath assertions
* Plugins: align tsx-cache alias fallback with subpath fallback
* Tests: normalize guardrail path checks for Windows
* Plugins: restrict plugin-sdk cwd fallback to trusted roots
* Tests: exempt outbound-session from extension import guard
* Tests: tighten guardrails and cli-entry trust coverage
* Tests: guard optional loader fixture exports
* Tests: make loader fixture package exports null-safe
* Tests: make loader fixture package exports null-safe
* Tests: make loader fixture package exports null-safe
* changelog
Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>
---------
Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>
2026-03-18 23:35:32 -05:00
Altay
deada7edd3
build: default to Node 24 and keep Node 22 compat
2026-03-12 20:07:44 +05:30
Vincent Koc
3f3f66a5f7
Docker: trim runtime image payload (#40307)
...
* Docker: shrink runtime image payload
* Docker: add runtime pnpm opt-in
* Docker: collapse helper entrypoint chmod layers
* Docker: restore bundled pnpm runtime
* Update CHANGELOG.md
2026-03-08 16:07:04 -07:00
Peter Steinberger
5759b93dda
fix(ci): pin multi-arch docker base digests
2026-03-08 02:55:15 +00:00
苏敏童0668001043
b29e913efe
fix(docker): correct awk quoting in Docker GPG fingerprint check (#32153)
2026-03-03 02:32:46 +00:00
edincampara
577f2fa540
fix(docker): harden /app/extensions permissions to 755 (#30191)
...
* fix(docker): harden /app/extensions permissions to 755
Bundled extension directories shipped as world-writable (mode 777)
in the Docker image. The plugin security scanner blocks any world-
writable path with:
WARN: blocked plugin candidate: world-writable path
(/app/extensions/memory-core, mode=777)
Add chmod -R 755 /app/extensions in the final USER root RUN step so
all bundled extensions are readable but not world-writable. This runs
as root before switching back to the node user, matching the pattern
already used for chmod 755 /app/openclaw.mjs.
Fixes #30139
* fix(docker): normalize plugin and agent path permissions
* docs(changelog): add docker permissions entry for #30191
* Update CHANGELOG.md
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-01 15:45:21 -08:00
Peter Steinberger
35976da7a0
fix: harden Docker/GCP onboarding flow (#26253) (thanks @pandego)
2026-02-26 04:46:18 +00:00
Sebastian
b7cf28f407
test(docker): cover browser install build arg
2026-02-16 22:35:27 -05:00