fix(render): use startup script to configure trustedProxies

The key difference from the wrapper:
- Wrapper strips proxy headers before forwarding to internal gateway
- Direct deployment needs trustedProxies config to trust Render's proxy IPs

This script:
1. Creates config with gateway.trustedProxies for Render's internal IPs
2. Sets allowInsecureAuth for Control UI access
3. Starts gateway with token auth

render.yaml

@@ -3,7 +3,7 @@ services:
     name: moltbot
     runtime: docker
     plan: starter
-    dockerCommand: node dist/index.js gateway --port 8080 --bind lan --auth token --allow-unconfigured
+    dockerCommand: /bin/sh scripts/render-start.sh
     envVars:
       - key: PORT
         value: "8080"

scripts/render-start.sh

@@ -3,12 +3,14 @@
 set -e
 
 # Create config directory
-mkdir -p "$CLAWDBOT_STATE_DIR"
+mkdir -p "${CLAWDBOT_STATE_DIR:-/data/.clawdbot}"
 
 # Write config file with Render-specific settings
-cat > "$CLAWDBOT_STATE_DIR/clawdbot.json" << 'EOF'
+# trustedProxies allows Render's internal proxy IPs to be trusted
+cat > "${CLAWDBOT_STATE_DIR:-/data/.clawdbot}/clawdbot.json" << 'EOF'
 {
   "gateway": {
+    "mode": "local",
     "trustedProxies": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
     "controlUi": {
       "allowInsecureAuth": true
@@ -17,12 +19,13 @@ cat > "$CLAWDBOT_STATE_DIR/clawdbot.json" << 'EOF'
 }
 EOF
 
-echo "Config written to $CLAWDBOT_STATE_DIR/clawdbot.json"
+echo "Config written to ${CLAWDBOT_STATE_DIR:-/data/.clawdbot}/clawdbot.json"
+cat "${CLAWDBOT_STATE_DIR:-/data/.clawdbot}/clawdbot.json"
 
-# Start the gateway with password from env var
+# Start the gateway with token from env var
 exec node dist/index.js gateway \
   --port 8080 \
   --bind lan \
-  --auth password \
-  --password "$CLAWDBOT_GATEWAY_PASSWORD" \
+  --auth token \
+  --token "$CLAWDBOT_GATEWAY_TOKEN" \
   --allow-unconfigured