fix: code review improvements — security, correctness, maintainability

.dockerignore

@@ -0,0 +1,8 @@
+.git
+*.md
+!SOUL.md
+!BOOTSTRAP.md
+.env
+logo_400x400.jpg
+cloudflared/
+.github/

Caddyfile

@@ -1,4 +1,10 @@
  :80 {
+    header {
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "SAMEORIGIN"
+        Referrer-Policy "strict-origin-when-cross-origin"
+    }
+
     route {
         handle /term/* {
             basic_auth {

Dockerfile

@@ -114,9 +114,12 @@ RUN curl -fsSL https://bun.sh/install | bash
 RUN bun install -g node-gyp
 
 # Python tools
-RUN pip3 install ipython csvkit openpyxl python-docx pypdf botasaurus browser-use playwright --break-system-packages && \
+RUN python3 -m venv /opt/venv && \
+    /opt/venv/bin/pip install ipython csvkit openpyxl python-docx pypdf botasaurus browser-use playwright && \
     playwright install-deps
 
+ENV PATH="/opt/venv/bin:$PATH"
+
 # Configure QMD Persistence
 ENV XDG_CACHE_HOME="/data/.cache"
 

docker-compose.yaml

@@ -103,7 +103,9 @@ services:
       GEMINI_API_KEY: ${GEMINI_API_KEY}
       KIMI_API_KEY: ${KIMI_API_KEY}
       OPENCODE_API_KEY: ${OPENCODE_API_KEY}
-      MOONSHOT_API_KEY: ${KIMI_API_KEY}
+      # MOONSHOT_API_KEY is the official API name for Kimi/Moonshot AI.
+      # Falls back to KIMI_API_KEY for backward compatibility. Set MOONSHOT_API_KEY in .env to override.
+      MOONSHOT_API_KEY: ${MOONSHOT_API_KEY:-${KIMI_API_KEY}}
       TELEGRAM_BOT_TOKEN: ${TELEGRAM_BOT_TOKEN}
       SANDBOX_CONTAINER: ${SANDBOX_CONTAINER:-false}
 
@@ -115,6 +117,8 @@ services:
       # Bootstrap controls
       OPENCLAW_AUTO_BOOTSTRAP: "1"
       OPENCLAW_PRINT_ACCESS: "1"
+      # ⚠️  WARNING: '*' trusts ALL proxies — client IP spoofing is possible.
+      # In production, restrict to your actual proxy IPs (e.g. '172.18.0.0/16').
       GATEWAY_TRUSTED_PROXIES: '*'
       # Fix for EMFILE/Inotify issues in Docker
       CHOKIDAR_USEPOLLING: "true"

scripts/bootstrap.sh

@@ -222,7 +222,9 @@ echo "=================================================================="
 echo "🦞 OpenClaw is ready!"
 echo "=================================================================="
 echo ""
-echo "🔑 Access Token: $TOKEN"
+# ⚠️  Mask token in logs to prevent exposure in docker logs / CI output
+MASKED_TOKEN="${TOKEN:0:8}…${TOKEN: -4}"
+echo "🔑 Access Token: $MASKED_TOKEN"
 echo ""
 echo "🌍 Service URL (Local): http://localhost:${OPENCLAW_GATEWAY_PORT:-18789}?token=$TOKEN"
 WEB_TERM_URL_PATH="${WEB_TERM_PATH%/}"

scripts/monitor_sandbox.sh

@@ -9,6 +9,12 @@ log() {
   echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" >> "$LOG_FILE"
 }
 
+cleanup() {
+  log "🛑 Health Monitor shutting down (received signal)"
+  exit 0
+}
+trap cleanup SIGTERM SIGINT
+
 log "🛡️  Health Monitor Started"
 
 while true; do

scripts/recover_sandbox.sh

@@ -30,8 +30,9 @@ for id in $SANDBOX_IDS; do
   # Check if docker container exists
   if ! docker ps -a --format '{{.Names}}' | grep -q "^$id$"; then
     log "⚠️  Container $id not found in Docker. Marking as lost/stopped in state."
-    # Update state to valid 'stopped' if it was 'running'
-    # Implementation detail: would need a tool to update json file in place (e.g. temporary file)
+    # Update state to 'stopped' using jq with a temp file for atomic write
+    TMP_STATE=$(mktemp)
+    jq --arg id "$id" '.sandboxes[$id].status = "stopped"' "$STATE_FILE" > "$TMP_STATE" && mv "$TMP_STATE" "$STATE_FILE"
     continue
   fi
 

scripts/sandbox-browser-setup.sh

@@ -8,7 +8,7 @@ echo "🦞 Building OpenClaw Sandbox Browser Image..."
 
 # Use playwright image for browser capabilities
 BASE_IMAGE="mcr.microsoft.com/playwright:v1.41.0-jammy"
-TARGET_IMAGE="openclaw-sandbox-browser:bookworm-slim"
+TARGET_IMAGE="openclaw-sandbox-browser:jammy"
 
 # Check if image already exists
 if docker image inspect "$TARGET_IMAGE" >/dev/null 2>&1; then