Kayos
44a8fe743f
LAN-only HTTP service that runs claude -p subprocess on behalf of Sulkta apps. Bearer token + IP allowlist gated. SQLite-backed token registry + run audit log. - POST /run run a prompt, return parsed result - POST /files upload a file, get a file_token to attach to /run - POST /admin/tokens mint per-app tokens (admin-bootstrap-token gated) - GET /admin/tokens list, DELETE /admin/tokens/<name> revoke - GET /healthz liveness + claude --version smoke Container = node:22 + npm-installed @anthropic-ai/claude-code + uvicorn/FastAPI wrapper. Persistent volumes for /data (sqlite + run staging) and /root/.claude (subscription auth — survives container rebuilds; auth via 'docker exec -it clawdforge claude /login' once). Compose binds 192.168.0.5:8800 only — no public proxy. First consumer = cauldron (about to land).
29 lines
1 KiB
Text
29 lines
1 KiB
Text
# clawdforge — copy to .env on Lucy at /mnt/cache/appdata/secrets/clawdforge.env
|
|
# (chmod 600, root:root)
|
|
|
|
# Bind
|
|
BIND_HOST=0.0.0.0
|
|
BIND_PORT=8800
|
|
|
|
# Bootstrap admin token. Used to mint per-app tokens via /admin/tokens.
|
|
# Once the SQLite db has any token, this var becomes a "root override" and
|
|
# should be rotated or unset.
|
|
ADMIN_BOOTSTRAP_TOKEN=change-me-32-bytes-of-entropy
|
|
|
|
# IP allowlist applied to ALL requests. CIDR list, comma-separated.
|
|
# 172.24.0.0/16 = sulkta bridge (where clawdforge sits with peer apps)
|
|
# 172.17.0.0/16 = docker0 default (some legacy apps still here)
|
|
# 192.168.0.0/24 = LAN clients
|
|
# Loopback always allowed.
|
|
ALLOW_CIDRS=172.24.0.0/16,172.17.0.0/16,192.168.0.0/24
|
|
|
|
# Default claude config (per-request override allowed)
|
|
CLAUDE_BIN=claude
|
|
DEFAULT_MODEL=sonnet
|
|
DEFAULT_TIMEOUT_SECS=120
|
|
|
|
# Run-staging area inside the container (don't change unless you also change compose mount)
|
|
RUNS_DIR=/data/runs
|
|
|
|
# SQLite db path (don't change unless you also change compose mount)
|
|
DB_PATH=/data/clawdforge.db
|