Update Dockerfile

Dockerfile

@@ -1,69 +1,95 @@
-FROM ghcr.io/openclaw/openclaw:latest
+# ════════════════════════════════════════════════════════════════
+# 🦞 HuggingClaw — OpenClaw Gateway for HuggingFace Spaces
+# 使用 Storage Buckets 作为持久存储，不再依赖 hf-sync-manager
+# ════════════════════════════════════════════════════════════════
 
-USER root
+# ── Stage 1: Pull pre-built OpenClaw ──
+ARG OPENCLAW_VERSION=latest
+FROM ghcr.io/openclaw/openclaw:${OPENCLAW_VERSION} AS openclaw
 
-# Copy Space repo files into container
-COPY openclaw.json          /app/openclaw-template.json
-COPY setup-hf-config.mjs   /app/spaces/huggingface/setup-hf-config.mjs
-COPY entrypoint.sh          /app/entrypoint.sh
-COPY hf-sync-manager.mjs    /app/hf-sync-manager.mjs
-COPY security-check.sh      /app/security-check.sh
+# ── Stage 2: Runtime ──
+FROM node:22-slim
+ARG OPENCLAW_VERSION=latest
 
-# PATCH: fix meta.lastTouchedAt triggering unnecessary gateway restarts
-# Issue: https://github.com/openclaw/openclaw/issues/11744
-# meta.lastTouchedAt is updated on every config write, but it is not in
-# BASE_RELOAD_RULES, so every config save triggers a full gateway restart.
-# Fix: inject {prefix:"meta",kind:"none"} into BASE_RELOAD_RULES.
-RUN node -e " \
-  const fs = require('fs'); \
-  const { execSync } = require('child_process'); \
-  function findBundles() { \
-    try { \
-      const out = execSync('find /app -name \"gateway-cli*.js\" -not -path \"*/node_modules/*\" 2>/dev/null').toString().trim(); \
-      return out ? out.split('\n').filter(Boolean) : []; \
-    } catch(e) { return []; } \
-  } \
-  const bundles = findBundles(); \
-  if (bundles.length === 0) { console.log('[patch] No bundle found - skipping'); process.exit(0); } \
-  
-  let patched = 0; \
-  bundles.forEach(function(file) { \
-    let src = fs.readFileSync(file, 'utf-8'); \
-    if (src.includes('prefix:\"meta\"') || src.includes(\"prefix:'meta'\")) { \
-      console.log('[patch] Already patched: ' + file); return; \
-    } \
-    const patterns = [ \
-      ['{prefix:\"channels\",kind:', '{prefix:\"meta\",kind:\"none\"},{prefix:\"channels\",kind:'], \
-      ['{prefix:\"update\",kind:',   '{prefix:\"meta\",kind:\"none\"},{prefix:\"update\",kind:'], \
-      ['{prefix:\"agents\",kind:',   '{prefix:\"meta\",kind:\"none\"},{prefix:\"agents\",kind:'] \
-    ]; \
-    let applied = false; \
-    for (let i = 0; i < patterns.length; i++) { \
-      if (src.includes(patterns[i][0])) { \
-        src = src.replace(patterns[i][0], patterns[i][1]); \
-        applied = true; break; \
-      } \
-    } \
-    if (applied) { fs.writeFileSync(file, src, 'utf-8'); \
-    console.log('[patch] Patched: ' + file); patched++; } \
-    else { console.log('[patch] Pattern not found: ' + file); \
-    } \
-  }); \
-  console.log('[patch] Done. Patched: ' + patched + '/' + bundles.length); \
-" || echo "[patch] Non-fatal: patch step failed"
+# Install system dependencies
+RUN apt-get update && apt-get install -y \
+    git \
+    ca-certificates \
+    jq \
+    curl \
+    python3 \
+    python3-pip \
+    chromium \
+    libnss3 \
+    libatk1.0-0 \
+    libatk-bridge2.0-0 \
+    libdrm2 \
+    libgbm1 \
+    libxcomposite1 \
+    libxdamage1 \
+    libxrandr2 \
+    libxkbcommon0 \
+    libx11-6 \
+    libxext6 \
+    libxfixes3 \
+    libasound2 \
+    fonts-dejavu-core \
+    fonts-liberation \
+    fonts-noto-color-emoji \
+    fonts-freefont-ttf \
+    fonts-ipafont-gothic \
+    fonts-wqy-zenhei \
+    xfonts-scalable \
+    --no-install-recommends && \
+    pip3 install --no-cache-dir --break-system-packages huggingface_hub && \
+    rm -rf /var/lib/apt/lists/*
 
-RUN chmod +x /app/entrypoint.sh \
-             /app/security-check.sh && \
-    mkdir -p /home/user && \
-    chown -R node:node /home/user && \
-    chown node:node /app/entrypoint.sh \
-                    /app/hf-sync-manager.mjs \
-                    /app/security-check.sh \
-                    /app/openclaw-template.json \
-                    /app/spaces/huggingface/setup-hf-config.mjs
+# Reuse existing node user (UID 1000)
+RUN mkdir -p /home/node/app /home/node/.openclaw && \
+    chown -R 1000:1000 /home/node
+
+# Copy pre-built OpenClaw
+COPY --from=openclaw --chown=1000:1000 /app /home/node/.openclaw/openclaw-app
+
+# Add Playwright in an isolated sidecar
+RUN mkdir -p /home/node/browser-deps && \
+    cd /home/node/browser-deps && \
+    npm init -y && \
+    PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1 npm install --omit=dev playwright@1.59.1
+
+# Symlink openclaw CLI
+RUN ln -s /home/node/.openclaw/openclaw-app/openclaw.mjs /usr/local/bin/openclaw 2>/dev/null || \
+    npm install -g openclaw@${OPENCLAW_VERSION}
+
+# Copy HuggingClaw files（不再复制 hf-sync-manager.mjs）
+COPY --chown=1000:1000 dns-fix.js /opt/dns-fix.js
+COPY --chown=1000:1000 health-server.js /home/node/app/health-server.js
+COPY --chown=1000:1000 iframe-fix.cjs /home/node/app/iframe-fix.cjs
+COPY --chown=1000:1000 start.sh /home/node/app/start.sh
+COPY --chown=1000:1000 wa-guardian.js /home/node/app/wa-guardian.js
+COPY --chown=1000:1000 workspace-sync.py /home/node/app/workspace-sync.py
+
+# Copy our optimized files
+COPY --chown=1000:1000 entrypoint.sh /home/node/app/entrypoint.sh
+COPY --chown=1000:1000 security-check.sh /home/node/app/security-check.sh
+COPY --chown=1000:1000 openclaw.json /home/node/app/openclaw-template.json
+COPY --chown=1000:1000 setup-hf-config.mjs /home/node/app/spaces/huggingface/setup-hf-config.mjs
+
+RUN chmod +x /home/node/app/entrypoint.sh \
+             /home/node/app/security-check.sh \
+             /home/node/app/start.sh
 
 USER node
 
-EXPOSE 7860
+ENV HOME=/home/node \
+    OPENCLAW_VERSION=${OPENCLAW_VERSION} \
+    PATH=/home/node/.local/bin:/usr/local/bin:$PATH \
+    NODE_PATH=/home/node/browser-deps/node_modules \
+    NODE_OPTIONS="--require /opt/dns-fix.js"
+
+WORKDIR /home/node/app
+
+EXPOSE 7861
 
-ENTRYPOINT ["/app/entrypoint.sh"]
+# 使用我们优化的 entrypoint
+CMD ["/home/node/app/entrypoint.sh"]