Change image to run as non-root #387

Merged
St0rmz1 merged 6 commits into main from kiloclaw/non-root-entrypoint
Feb 20, 2026

@St0rmz1 St0rmz1 commented Feb 19, 2026

  • run as non root
  • create openclaw user
  • force chown to openclaw:openclaw on every provision to clean up just in case

  1. Unit Tests - PASS
     • 13/13 test files passed, 212/212 tests passed (458ms)
     • Covers: auth, JWT, gateway tokens, sandbox IDs, encryption, env building, Fly client, Durable Objects, logging
  2. Local Worker Proxy - PASS
     • GET /health returns 200 in 6ms
     • Response: {"status":"ok","service":"kiloclaw","gateway_port":18789}
  3. Fly.io Instance - PASS
     • Machine 784e119f94d338 in iad region, state started
     • Image: kiloclaw-machines:dev-1771464050
     • Size: shared-cpu-2x:4096MB
     • Volume: vol_r775kz96x2ynek9r mounted
     • Logs show healthy gateway with active WebSocket clients, node.list requests completing in 0-1ms, health events every 60s
  4. Platform API - PASS
     • redacted
  5. Gateway & Machine - PASS
     • Gateway responds with OpenClaw Control UI HTML from inside Fly machine
     • OpenClaw version: 2026.2.9
     • Node version: v22.13.1
     • Runtime config validated:
       • gateway.port: 18789
       • gateway.auth.mode: token (HMAC matches gateway-token API)
       • gateway.bind: loopback
       • tools.exec.security: deny (locked down)
       • controlUi.allowedOrigins: 5 origins configured
       • AUTO_APPROVE_DEVICES: true (controlUi.allowInsecureAuth)
       • KiloCode provider: configured with ngrok baseUrl and JWT apiKey
       • Model list: 150+ models from KILOCODE_MODELS_JSON env
       • All directory ownership: openclaw:openclaw
  6. Docker Image Local Build - PASS

| Check | Result |
|---|---|
| Build | Cached layers, no errors |
| OpenClaw version | 2026.2.9 |
| Node version | v22.13.1 |
| Binaries present | gosu, git, curl, pnpm, openclaw |
| openclaw user | uid=999(openclaw) |
| Directories | /root/.openclaw, /root/clawd, /root/clawd/skills - all openclaw:openclaw |
| Scripts | All 3 present and executable |
| Startup (plain env) | Gateway starts, listens on ws://0.0.0.0:18789 |
| Config generation | All 9/9 config assertions PASS |
| Missing KILOCODE_API_KEY | Exits 1 with clear error |
| Encrypted vars without key | Exits 1 with FATAL (fail-closed) |
| Telegram channel config | enabled: true, dmPolicy: pairing, plugin enabled |
| openclaw doctor | Expected warnings only (no config pre-existing, no systemd) |
| Image size | 2.2GB |

  Keep cache-bust debug lines from main, add non-root entrypoint changes.
@St0rmz1 St0rmz1 marked this pull request as ready for review February 19, 2026 20:24

kilo-code-bot bot commented Feb 19, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

The PR correctly implements non-root runtime for the kiloclaw container using the standard gosu privilege-dropping pattern. Key observations:

  • gosu usage is correct — it execs the target command directly, bypassing the user's login shell (/bin/false), so start-openclaw.sh runs fine under #!/bin/bash.
  • Volume ownership fix in entrypoint.sh is idempotent and handles the migration from root-owned Fly Volumes gracefully.
  • ENTRYPOINT + CMD split follows Docker best practices, allowing CMD to be overridden independently.
  • File permissions — skills are copied with --chown=openclaw:openclaw, and /root is chowned during build. The entrypoint handles re-chowning on volume mount.
  • start-openclaw.sh compatibility — all paths (/root/.openclaw, /root/clawd, /tmp) remain accessible to the openclaw user.
Files Reviewed (2 files)
  • kiloclaw/Dockerfile - 0 new issues
  • kiloclaw/entrypoint.sh - 0 new issues

  Only run chown -R on /root when the volume owner isn't already openclaw,
  avoiding unnecessary filesystem traversal on every boot.
@St0rmz1 St0rmz1 marked this pull request as draft February 19, 2026 23:19
  - COPY --chown=openclaw:openclaw for skills to fix root-owned files
  - Split ENTRYPOINT/CMD for debug shell support
  - Entrypoint passes CMD args via exec gosu openclaw \"\$@\"
@St0rmz1 St0rmz1 marked this pull request as ready for review February 19, 2026 23:55
@St0rmz1 St0rmz1 merged commit 1b8f96f into main Feb 20, 2026
12 checks passed
@St0rmz1 St0rmz1 deleted the kiloclaw/non-root-entrypoint branch February 20, 2026 02:44
St0rmz1 added a commit that referenced this pull request Feb 20, 2026
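
The entrypoint pattern discussed in this thread (re-own the volume only when its owner is wrong, then `exec gosu` with the CMD arguments), as an added example that is not the PR's own entrypoint.sh. `RUN_AS`, `DATA_DIR` and the helper function names are assumptions made for the illustration.

```sh
#!/bin/sh
# Added illustration of the conditional-chown + gosu entrypoint pattern.
# Not the PR's entrypoint.sh; RUN_AS, DATA_DIR, owner_of, needs_chown and plan are assumed names.
set -eu

RUN_AS="${RUN_AS:-openclaw:openclaw}"   # user:group named in the PR
DATA_DIR="${DATA_DIR:-/root}"           # volume-backed tree named in the PR

# Print "user:group" for the top-level path only (no recursive walk).
owner_of() {
  ls -ld -- "$1" | awk '{ print $3 ":" $4 }'
}

# True when the path's owner differs from the wanted user:group.
needs_chown() {
  [ "$(owner_of "$1")" != "$2" ]
}

# Decide the boot action from the effective uid ($1) and data dir ($2).
plan() {
  if [ "$1" -ne 0 ]; then
    echo direct          # already unprivileged: nothing to drop or fix
  elif needs_chown "$2" "$RUN_AS"; then
    echo chown+drop      # root-owned volume from before the migration
  else
    echo drop            # ownership already correct: skip the traversal
  fi
}

main() {
  case "$(plan "$(id -u)" "$DATA_DIR")" in
    chown+drop)
      chown -R "$RUN_AS" "$DATA_DIR"
      exec gosu "$RUN_AS" "$@" ;;
    drop)
      exec gosu "$RUN_AS" "$@" ;;
    direct)
      exec "$@" ;;
  esac
}

# ENTRYPOINT receives CMD as "$@"; with no arguments nothing is executed.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Checking only the top-level owner keeps boot fast, but it will not notice root-owned files deeper in the tree once the top directory has been fixed.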