From bb3d7343f4befc45be548ab72890eef62193b020 Mon Sep 17 00:00:00 2001
From: Rishi Vhavle <134706404+kaizen403@users.noreply.github.com>
Date: Mon, 2 Feb 2026 03:46:30 +0530
Subject: [PATCH] fix(docker): remove --bind lan from default CMD to work out
 of the box

Addresses review feedback: --bind lan requires auth token, so default
CMD should bind to loopback only.

For container platforms needing LAN binding for health checks:
1. Set OPENCLAW_GATEWAY_TOKEN env var
2. Override CMD: ["node","dist/index.js","gateway","--allow-unconfigured","--bind","lan"]
---
 Dockerfile | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 523b50e31f..d8572616fb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -39,4 +39,10 @@ RUN chown -R node:node /app
 # This reduces the attack surface by preventing container escape via root privileges
 USER node
 
-CMD ["node", "dist/index.js", "gateway", "--allow-unconfigured", "--bind", "lan"]
+# Start gateway server with default config.
+# Binds to loopback (127.0.0.1) by default for security.
+#
+# For container platforms requiring external health checks:
+#   1. Set OPENCLAW_GATEWAY_TOKEN or OPENCLAW_GATEWAY_PASSWORD env var
+#   2. Override CMD: ["node","dist/index.js","gateway","--allow-unconfigured","--bind","lan"]
+CMD ["node", "dist/index.js", "gateway", "--allow-unconfigured"]