From e56581caf2dabda3e21d5f41fd61fdbcf66ce2d2 Mon Sep 17 00:00:00 2001 From: Ojus Save Date: Mon, 26 Jan 2026 01:04:34 -0800 Subject: [PATCH] fix(render): use startup script to configure trustedProxies The key difference from the wrapper: - Wrapper strips proxy headers before forwarding to internal gateway - Direct deployment needs trustedProxies config to trust Render's proxy IPs This script: 1. Creates config with gateway.trustedProxies for Render's internal IPs 2. Sets allowInsecureAuth for Control UI access 3. Starts gateway with token auth --- render.yaml | 2 +- scripts/render-start.sh | 15 +++++++++------ 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/render.yaml b/render.yaml index 8f7523ddf..7b7c6efec 100644 --- a/render.yaml +++ b/render.yaml @@ -3,7 +3,7 @@ services: name: moltbot runtime: docker plan: starter - dockerCommand: node dist/index.js gateway --port 8080 --bind lan --auth token --allow-unconfigured + dockerCommand: /bin/sh scripts/render-start.sh envVars: - key: PORT value: "8080" diff --git a/scripts/render-start.sh b/scripts/render-start.sh index 1f804657c..82a52fcac 100755 --- a/scripts/render-start.sh +++ b/scripts/render-start.sh @@ -3,12 +3,14 @@ set -e # Create config directory -mkdir -p "$CLAWDBOT_STATE_DIR" +mkdir -p "${CLAWDBOT_STATE_DIR:-/data/.clawdbot}" # Write config file with Render-specific settings -cat > "$CLAWDBOT_STATE_DIR/clawdbot.json" << 'EOF' +# trustedProxies allows Render's internal proxy IPs to be trusted +cat > "${CLAWDBOT_STATE_DIR:-/data/.clawdbot}/clawdbot.json" << 'EOF' { "gateway": { + "mode": "local", "trustedProxies": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"], "controlUi": { "allowInsecureAuth": true 
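Review bot: The `trustedProxies` list written by the heredoc in scripts/render-start.sh covers all three RFC 1918 ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`), which is far wider than the "Render's internal proxy IPs" the added comment describes. If the gateway takes the client address from forwarded headers sent by a trusted proxy (inferred from the commit message, not visible here), any peer with a private source address would be believed, and the same config keeps `controlUi.allowInsecureAuth: true`. I would narrow the list to the range Render's proxy actually connects from, or at least record the gap in the comment, e.g. `# NOTE: trusts every RFC 1918 source; narrow to Render's proxy range once confirmed`. On style, `${CLAWDBOT_STATE_DIR:-/data/.clawdbot}` is repeated in both changed commands here and twice more in the next hunk; assigning it once, `STATE_DIR="${CLAWDBOT_STATE_DIR:-/data/.clawdbot}"`, keeps the paths from drifting apart. The heredoc body continues past the end of this hunk.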
@@ -17,12 +19,13 @@ cat > "$CLAWDBOT_STATE_DIR/clawdbot.json" << 'EOF' } EOF -echo "Config written to $CLAWDBOT_STATE_DIR/clawdbot.json" +echo "Config written to ${CLAWDBOT_STATE_DIR:-/data/.clawdbot}/clawdbot.json" +cat "${CLAWDBOT_STATE_DIR:-/data/.clawdbot}/clawdbot.json" -# Start the gateway with password from env var +# Start the gateway with token from env var exec node dist/index.js gateway \ --port 8080 \ --bind lan \ - --auth password \ - --password "$CLAWDBOT_GATEWAY_PASSWORD" \ + --auth token \ + --token "$CLAWDBOT_GATEWAY_TOKEN" \ --allow-unconfigured
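Review bot: `--token "$CLAWDBOT_GATEWAY_TOKEN"` on the `exec` line is expanded without checking that the variable is set; the script runs with `set -e` only, so an unset variable reaches the gateway as an empty token argument, and how the gateway treats that is not visible here. A guard before `exec`, `: "${CLAWDBOT_GATEWAY_TOKEN:?CLAWDBOT_GATEWAY_TOKEN must be set}"`, makes the deploy fail loudly instead of starting with a blank credential. Passing the token on the command line also leaves it readable in the process argument list inside the container; the previous dockerCommand used `--auth token` with no `--token`, which suggests the gateway may accept the token from the environment or config, and that would be preferable if so. The added `cat` of clawdbot.json prints the whole config to the deploy log, which is harmless for today's contents but will expose any secret later added to that file.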