Splits the previous /opt:/opt:rw bind into two mounts to narrow the writable scope of the container:

- /opt:/opt:ro — read-only mount for legacy/existing project add-existing flow. resolveProjectPath still uses PROJECT_ROOT_WHITELIST (/opt by default) so existing projects under /opt/<name> (analytics, boolab, boocode itself) continue to resolve and serve their file-tree via the read-only tools.
- /opt/projects:/opt/projects:rw — writable mount targeted at the create-new-project bootstrap path.

Picked Option B from the spec (simpler than two scan roots): PROJECT_ROOT_WHITELIST stays /opt, new BOOTSTRAP_ROOT env var defaults to /opt/projects and is used by project_bootstrap.ts as the mkdir target. Bootstrap path-escape check now compares against BOOTSTRAP_ROOT.

Prereq: host must `mkdir -p /opt/projects` before next container restart. Documented in CLAUDE.md and .env.example.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
9 lines
258 B
Plaintext
NODE_ENV=production
PORT=3000
DATABASE_URL=postgres://boocode:CHANGE_ME@boocode_db:5432/boocode
LLAMA_SWAP_URL=http://100.101.41.16:8401
PROJECT_ROOT_WHITELIST=/opt
BOOTSTRAP_ROOT=/opt/projects
DEFAULT_MODEL=qwen3.6-35b-a3b-mxfp4
POSTGRES_PASSWORD=CHANGE_ME
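The commit message says the bootstrap path-escape check now compares against BOOTSTRAP_ROOT. The sketch below is an added example, not the code in project_bootstrap.ts: it shows one way to write such a containment check and why a plain string-prefix comparison is not enough. The function names `resolveBootstrapTarget` and `naivePrefixCheck` and the sample project names are hypothetical.

```typescript
import * as path from "node:path";

// Default mirrors BOOTSTRAP_ROOT in .env.example; the helpers are hypothetical.
const BOOTSTRAP_ROOT: string = process.env.BOOTSTRAP_ROOT ?? "/opt/projects";

// Returns the absolute mkdir target for a new project name,
// or throws if the resolved path would land outside `root`.
function resolveBootstrapTarget(name: string, root: string = BOOTSTRAP_ROOT): string {
  if (name.length === 0 || name.includes("\0")) {
    throw new Error("invalid project name");
  }
  const base: string = path.posix.resolve(root);
  // resolve() collapses "." and ".." and lets an absolute `name` replace `base`,
  // so every escape attempt shows up in the relative path computed next.
  const target: string = path.posix.resolve(base, name);
  const rel: string = path.posix.relative(base, target);
  const escapes: boolean =
    rel === "" ||              // the root itself is not a project directory
    rel === ".." ||
    rel.startsWith("../") ||   // climbs out of the root
    path.posix.isAbsolute(rel);
  if (escapes) {
    throw new Error(`path escapes ${base}: ${JSON.stringify(name)}`);
  }
  // This check is lexical only. A symlink inside the root can still point
  // elsewhere; comparing real paths (fs.realpath) would be needed to cover that.
  return target;
}

// Weak form for comparison: accepts sibling directories that merely share
// the root as a string prefix, such as /opt/projects-evil.
function naivePrefixCheck(name: string, root: string = BOOTSTRAP_ROOT): boolean {
  return path.posix.resolve(root, name).startsWith(root);
}

// Constructed sample names, run against the default root from .env.example.
const samples: string[] = ["demo", "..foo", "../analytics", "/etc/cron.d", "../projects-evil/x"];
for (const name of samples) {
  try {
    console.log("ok    ", name, "->", resolveBootstrapTarget(name, "/opt/projects"));
  } catch (err) {
    console.log("reject", name, "(naive prefix check passes:",
      naivePrefixCheck(name, "/opt/projects"), ")");
  }
}
```

With the /opt:/opt:ro and /opt/projects:/opt/projects:rw split from the commit message, a name that slips past an application-level check would still hit a read-only mount, so the two controls back each other up.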