- package.json: name moltbot, bin moltbot + clawdbot (compat shim)
- paths.ts: MOLTBOT_* preferred, CLAWDBOT_* legacy; default ~/.clawdbot; config moltbot.json; export STATE_DIR/CONFIG_PATH
- render.yaml: service name moltbot, disk moltbot-data; CLAWDBOT_* env vars and /data/.clawdbot (match upstream)
- render-start.sh: support CLAWDBOT_* and MOLTBOT_* for state/token; write moltbot.json
- Dockerfile: MOLTBOT_DOCKER_APT_PACKAGES, MOLTBOT_PREFER_PNPM
- config/io.ts: MOLTBOT_* env for gateway token and config cache
- Replace STATE_DIR_CLAWDBOT/CONFIG_PATH_CLAWDBOT with STATE_DIR_MOLTBOT/CONFIG_PATH_MOLTBOT across src; paths exports both for compat
- Add USER node directive to Dockerfile for non-root container execution
- Update SECURITY.md with Node.js version requirements (CVE-2025-59466, CVE-2026-21636)
- Add Docker security best practices documentation
- Document detect-secrets usage for local security scanning
Reviewed-by: Agents Council (5/5 approval)
Security-Score: 8.8/10
Watchdog-Verdict: SAFE WITH CONDITIONS
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>