mirror of
https://github.com/nexu-io/open-design.git
synced 2026-06-01 03:14:35 +07:00
* Add Docker Compose deployment workflow

* Address Docker deployment review feedback

  Harden publishing inputs and temporary credential handling, and tighten Docker runtime defaults requested by the PR review.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Fix Docker publish build in CI mode

  Set CI=true during the image build so pnpm prune can run non-interactively inside Docker.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Fix Docker runtime dependency layout

  Use pnpm deploy for the daemon package so the runtime image includes production dependencies where Node resolves them.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Use legacy pnpm deploy in Docker build

  Allow pnpm v10 deploy to package the daemon workspace without requiring injected workspace packages.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Align Docker runtime with Node 24

  Use Node 24 for both build and runtime stages and update image verification for the workspace daemon dependency layout.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Remove legacy OD_HOST Docker binding fallback

  Use OD_BIND_HOST as the single daemon bind-host setting for Docker deployment and origin validation.

* Update Docker image verifier for daemon dist runtime

  Check the packaged daemon dist entrypoint and allow npm from the Node 24 runtime image while still rejecting build-only tools.

* Allow private LAN browser origins for daemon

* Share daemon origin validation helpers

  Move browser origin validation into a shared daemon module so tests exercise the production logic and cover the remaining private LAN edge cases.

* Harden Docker Compose port exposure

  Bind the Compose deployment to localhost by default and pass the published port through to the daemon origin checks so host-port overrides remain same-origin.

* Keep deployment hosts out of local-only no-origin checks

  Require an actual matching Origin before configured deployment origins can satisfy local-only daemon guards, preventing no-Origin remote clients from bypassing those checks.

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: mrcfps <mrc@powerformer.com>
Co-authored-by: lefarcen <935902669@qq.com>
18 lines
786 B
Text
# Image published by deploy/scripts/publish-images.sh.
OPEN_DESIGN_IMAGE=docker.io/vanjayak/open-design:latest

# Host port exposed on 127.0.0.1 by docker compose.
# Keep Compose bound to localhost; use an authenticated reverse proxy, SSH tunnel,
# or VPN before exposing Open Design remotely.
OPEN_DESIGN_PORT=7456

# Comma-separated browser origins allowed to call /api when deployed behind a
# domain, public IP, or reverse proxy, e.g. http://203.0.113.10:7456,https://od.example.com.
OPEN_DESIGN_ALLOWED_ORIGINS=

# Container memory limit. The idle service has been verified around 18-22 MiB.
# Raise this for large exports, concurrent agent runs, or heavy upload workflows.
OPEN_DESIGN_MEM_LIMIT=384m

# Node.js heap cap inside the container.
NODE_OPTIONS=--max-old-space-size=192
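
An added sketch (not code from the Open Design repository) of how a daemon could consume OPEN_DESIGN_ALLOWED_ORIGINS and OPEN_DESIGN_PORT so that only an actual matching Origin header satisfies the allowlist. The function names `parseAllowedOrigins` and `isOriginAllowed` are hypothetical, and treating loopback origins on the published port as same-origin is an assumption drawn from the commit message.

```javascript
// Added illustration; names are hypothetical, not Open Design's own API.

// Parse the comma-separated OPEN_DESIGN_ALLOWED_ORIGINS value into a set of
// canonical origins. Anything that is not a bare http(s) origin (wildcards,
// paths, credentials, other schemes) is rejected instead of being widened.
function parseAllowedOrigins(raw) {
  const allowed = new Set();
  const entries = (raw || '').split(',').map((s) => s.trim()).filter(Boolean);
  for (const entry of entries) {
    let url;
    try {
      url = new URL(entry);
    } catch {
      throw new Error(`not a URL: ${entry}`);
    }
    const bare = url.pathname === '/' && !url.search && !url.hash &&
      !url.username && !url.password;
    if (!['http:', 'https:'].includes(url.protocol) || !bare) {
      throw new Error(`not a bare http(s) origin: ${entry}`);
    }
    // url.origin lower-cases scheme and host and drops a default port.
    allowed.add(url.origin);
  }
  return allowed;
}

// Decide whether a request's Origin header may call /api.
// A missing or opaque ("null") Origin never matches the configured list.
function isOriginAllowed(originHeader, allowed, port) {
  if (!originHeader || originHeader === 'null') return false;
  // Assumption: loopback origins on the published port count as same-origin.
  const local = ['127.0.0.1', 'localhost'].map(
    (host) => new URL(`http://${host}:${port}`).origin,
  );
  // Exact string match: browsers send Origin in canonical serialized form,
  // so suffix or prefix look-alikes of an allowed host do not pass.
  return local.includes(originHeader) || allowed.has(originHeader);
}
```

Rejecting malformed entries at startup keeps a typo such as a trailing path or a `*` from silently changing which browsers can reach /api.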