Skip to content

refactor(infra): Docker → Node.js direct install + security fixes#8

Open
arch-team wants to merge 3 commits into
mainfrom
refactor/direct-install-openclaw
Open

refactor(infra): Docker → Node.js direct install + security fixes#8
arch-team wants to merge 3 commits into
mainfrom
refactor/direct-install-openclaw

Conversation

@arch-team

@arch-team arch-team commented Mar 4, 2026

Copy link
Copy Markdown
Owner

Summary

  • CR-014: Replace Docker container deployment with Node.js direct install + systemd service, giving AI Agent full system-level access
  • CR-015: Remove leaked Feishu credentials from cdk.json (RISK-001) and fix /home/node EACCES error
  • systemd hardening: Restart=on-failure → Restart=always for auto-recovery from SIGHUP

Changes

Infra (core):

  • user-data.ts: dockerInstall() → nodeInstall() (Node.js 22 + pnpm), systemd service, /home/node symlink
  • compute.ts: Remove Docker props
  • cdk.json: Feishu credentials → empty placeholders (inject via -c at deploy)
  • Delete infra/assets/docker-compose.yml

Tests: 43 user-data tests (systemd, Node.js, symlink, Restart=always)

New: scripts/e2e-verify-mos.sh, .devpace/rules/test-strategy.md, CR-014/015, RISK-001

MoS Metrics

Metric Target Actual
Deploy success rate ≥ 90% 100%
Response rate ≥ 95% 100%
First response latency < 10s 493ms
Feishu stability ≥ 99% connected
Checklist 6/6 6/6

Test plan

  • 117/117 CDK tests pass
  • lint + format + typecheck clean
  • cdk destroy + deploy verified (3x)
  • E2E MoS all pass
  • Restart=always verified

🤖 Generated with Claude Code

arch-team and others added 3 commits March 4, 2026 21:27
…l + systemd

Remove Docker container layer so AI agents gain full EC2 system-level access
(install browsers, system tools, etc.). OpenClaw now runs as a systemd service
with Node.js 22 LTS installed via NodeSource and built from source with pnpm.

Key changes:
- dockerInstall() → nodeInstall() (Node.js 22 + pnpm via corepack)
- Docker build → pnpm install + pnpm build (NODE_OPTIONS OOM guard)
- New createOpenClawService() for systemd unit with Restart=on-failure
- docker compose up → systemctl start openclaw-gateway
- Remove IMDSv2 hop limit=2 override (no Docker, default hop=1 suffices)
- Remove UFW FORWARD policy (no Docker port mapping)
- Add .openclaw → openclaw/config symlink for config discovery
- Delete infra/assets/docker-compose.yml

117/117 tests passing, lint/format/typecheck/cdk synth clean.

CR-014 | PF-015 → BR-001

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…S error

- Replace real Feishu appId/appSecret in cdk.json with empty placeholders
  (RISK-001 mitigation — credentials now injected via `cdk deploy -c`)
- Add /home/node → /home/ubuntu symlink in UserData for Docker-era EFS
  session compatibility (old sessions reference cwd=/home/node)
- Add unit test for symlink presence in UserData
- Add E2E verification script (scripts/e2e-verify-mos.sh) for MoS metrics
- Add test strategy (.devpace/rules/test-strategy.md)
- Add CR-015 tracking and update RISK-001 status to mitigated

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SIGHUP from config hot-reload is not considered a failure, so
Restart=on-failure left the gateway dead. Restart=always ensures
auto-recovery regardless of exit signal.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@arch-team arch-team changed the title refactor(infra): Docker → Node.js direct install + systemd refactor(infra): Docker → Node.js direct install + security fixes Mar 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant