furyhawk/deer-flow
1
0
Fork 0
mirror of https://github.com/bytedance/deer-flow.git synced 2026-06-14 03:15:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): do not bind-mount host CLI auth dirs by default (#3521)

Browse Source 
* fix(security): do not bind-mount host CLI auth dirs by default

The Compose stack bind-mounted the entire ~/.claude and ~/.codex dirs
(read-only) into the root gateway container in every configuration -- exposing
not just credentials but full conversation history, per-project session data,
and global CLI config. The default OpenAI-compatible model providers and the
local sandbox never use them.

Move the mounts to an opt-in docker/docker-compose.cli-auth.yaml overlay.
Document env-token paths (CLAUDE_CODE_OAUTH_TOKEN, CODEX_AUTH_PATH) in
.env.example -- the Gateway credential loader reads env first, so most setups
need no mount at all. Document the exposure and per-mode options in SECURITY.md.

Reported by @greatmengqi.

* docs: clarify ACP adapter auth and add Claude single-file credential option

- ACP adapters authenticate independently (many take an env API key like
  ANTHROPIC_API_KEY and need no mount); the cli-auth overlay is only for
  adapters that read the full CLI config dir. Avoids steering users toward
  mounting the whole dir for ACP when env auth usually suffices.
- Add CLAUDE_CODE_CREDENTIALS_PATH (single .credentials.json) as a Claude
  one-file option, matching codex CODEX_AUTH_PATH and the README.

* docs: cite claude-code-acp env auth and CLAUDE_CONFIG_DIR in ACP guidance

Replace the generic 'some adapters' wording with the verified behavior of
the common claude-code-acp adapter (env ANTHROPIC_API_KEY startup + CLAUDE_CONFIG_DIR),
so the 'no ~/.claude mount needed for ACP' guidance is backed by a concrete adapter.
This commit is contained in:
Xinmin Zeng
2026-06-14 10:50:05 +08:00
committed by GitHub
parent f43aa78107
commit 474c89bac2
5 changed files with 92 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.env.example
+15
View File
@@ -66,3 +66,18 @@ INFOQUEST_API_KEY=your-infoquest-api-key
# alias, or behind a different port). docker-compose already sets these.
# DEER_FLOW_INTERNAL_GATEWAY_BASE_URL=http://localhost:8001
# DEER_FLOW_TRUSTED_ORIGINS=http://localhost:3000,http://localhost:2026
# ── Claude Code / Codex CLI subscription as a model provider (optional) ───────
# If you configure a ClaudeChatModel / Codex model provider (or an ACP agent)
# that reuses your CLI subscription login, prefer passing a token via env over
# bind-mounting your whole ~/.claude / ~/.codex into the container. The Gateway
# credential loader reads these first, so no directory mount is needed.
# CLAUDE_CODE_CREDENTIALS_PATH points at a single .credentials.json (Claude)
# rather than the whole dir. docker-compose.cli-auth.yaml is the opt-in
# directory-mount fallback for adapters that need the full CLI config.
# ACP adapters often take their own env API key (e.g. ANTHROPIC_API_KEY) and
# need no mount at all — check the adapter's docs. See SECURITY.md.
# CLAUDE_CODE_OAUTH_TOKEN=your-claude-code-oauth-token
# ANTHROPIC_AUTH_TOKEN=your-anthropic-auth-token
# CLAUDE_CODE_CREDENTIALS_PATH=/path/to/.claude/.credentials.json
# CODEX_AUTH_PATH=/path/to/codex/auth.json