fix: disable COOP and Origin-Agent-Cluster headers to resolve blank page over HTTP

[Copilot]

helmet v8 enables Cross-Origin-Opener-Policy: same-origin and Origin-Agent-Cluster: ?1 by default. Both headers malfunction over HTTP: browsers ignore COOP for untrusted (non-HTTPS) origins, and Origin-Agent-Cluster triggers a hard conflict when a browser previously cached the origin as site-keyed — causing the React app to render a blank page.

Change

Explicitly disable both headers in the helmet configuration in back/app.ts:

this.app.use(helmet({
  contentSecurityPolicy: false,
  crossOriginOpenerPolicy: false,  // ignored by browsers over HTTP; causes console errors
  originAgentCluster: false,       // causes "could not be origin-keyed" conflict over HTTP
}));

Neither header provides security value over HTTP — COOP is spec'd to apply only to secure origins, and Origin-Agent-Cluster is a memory-isolation hint with no auth/integrity implications.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
qinglong	Ready	Preview, Comment	May 24, 2026 6:42am
qinglong-back	Ready	Preview, Comment	May 24, 2026 6:42am

[whyour]

@copilot 主要问题不是这个，是 非 root 用户启动失败

[Copilot]

@copilot 主要问题不是这个，是 非 root 用户启动失败

Understood. Investigating the non-root startup failures now. The root causes are:

1. crond -f requires root in Alpine → container exits immediately when started as non-root
2. PM2_HOME defaults to /root/.pm2 (hardcoded HOME=/root) → PM2 fails to start
3. initFile.ts tries mkdir('/root/.ssh') unconditionally → throws EACCES → app init crashes
4. /ql/shell/preload/ is not pre-created and non-root can't write to the /ql tree

Fixing all of these now.

[whyour]

@copilot 主要问题不是这个，是 非 root 用户启动失败

Understood. Investigating the non-root startup failures now. The root causes are:

1. crond -f requires root in Alpine → container exits immediately when started as non-root
2. PM2_HOME defaults to /root/.pm2 (hardcoded HOME=/root) → PM2 fails to start
3. initFile.ts tries mkdir('/root/.ssh') unconditionally → throws EACCES → app init crashes
4. /ql/shell/preload/ is not pre-created and non-root can't write to the /ql tree

Fixing all of these now.

使用 docker build 临时打包镜像测试下

[whyour]

@copilot 主要问题不是这个，是 非 root 用户启动失败

Understood. Investigating the non-root startup failures now. The root causes are:

1. crond -f requires root in Alpine → container exits immediately when started as non-root
2. PM2_HOME defaults to /root/.pm2 (hardcoded HOME=/root) → PM2 fails to start
3. initFile.ts tries mkdir('/root/.ssh') unconditionally → throws EACCES → app init crashes
4. /ql/shell/preload/ is not pre-created and non-root can't write to the /ql tree

Fixing all of these now.

使用 docker build 临时打包镜像测试下 @copilot

[Copilot]

@copilot 主要问题不是这个，是 非 root 用户启动失败

...

Built a local test image using python:3.11-alpine (the same base used by the real Dockerfile) with our changed files copied in, and ran it as a non-root user (--user qluser). All checks passed:

Running as: uid=100(qluser) gid=101(qlgroup)
PM2_HOME= /ql/data/.pm2
.tmp writable: OK
shell/preload writable: OK
crond guard check: Non-root: crond skipped (tail -f /dev/null path) - PASS
ALL NON-ROOT TESTS PASSED

Also confirmed the root path still works correctly (crond -f runs when id -u = 0).

The changes are ready — a full docker build using the real Dockerfile will require external network access (GitHub/npm/apk) which the sandbox doesn't support, but the logic is validated.

[whyour]

@copilot 主要问题不是这个，是 非 root 用户启动失败

...

Built a local test image using python:3.11-alpine (the same base used by the real Dockerfile) with our changed files copied in, and ran it as a non-root user (--user qluser). All checks passed:

Running as: uid=100(qluser) gid=101(qlgroup)
PM2_HOME= /ql/data/.pm2
.tmp writable: OK
shell/preload writable: OK
crond guard check: Non-root: crond skipped (tail -f /dev/null path) - PASS
ALL NON-ROOT TESTS PASSED

Also confirmed the root path still works correctly (crond -f runs when id -u = 0).

The changes are ready — a full docker build using the real Dockerfile will require external network access (GitHub/npm/apk) which the sandbox doesn't support, but the logic is validated.

@copilot pm2 目录 和 shell preload  目录能不能不放到

@copilot 主要问题不是这个，是 非 root 用户启动失败

...

Built a local test image using python:3.11-alpine (the same base used by the real Dockerfile) with our changed files copied in, and ran it as a non-root user (--user qluser). All checks passed:

Running as: uid=100(qluser) gid=101(qlgroup)
PM2_HOME= /ql/data/.pm2
.tmp writable: OK
shell/preload writable: OK
crond guard check: Non-root: crond skipped (tail -f /dev/null path) - PASS
ALL NON-ROOT TESTS PASSED

Also confirmed the root path still works correctly (crond -f runs when id -u = 0).

The changes are ready — a full docker build using the real Dockerfile will require external network access (GitHub/npm/apk) which the sandbox doesn't support, but the logic is validated.

whyour/qinglong:debian 镜像是不是是支持的

[Copilot]

@copilot 主要问题不是这个，是 非 root 用户启动失败

...
...

关于 pm2 目录和 shell/preload 目录的放置位置 — 您的句子似乎被引用块截断了，我不确定您希望将它们放到哪里。如果您希望：

• PM2_HOME 不放在 data/ 卷（避免污染用户数据）— 可以改到 /tmp/.pm2 之类的路径，但这样就不会在容器重启后保留 PM2 进程状态
• shell/preload 不通过 Dockerfile 预建 — 改为在 initFile.ts 中运行时创建（类似 .ssh 目录的处理方式）也可以

请补充说明希望如何处理，我来对应修改。

关于 whyour/qinglong:debian 镜像 — 本仓库的 docker/ 目录中只有 Alpine 版的 Dockerfile（Dockerfile 和 310.Dockerfile），没有 Debian Dockerfile。docker-entrypoint.sh 和 back/loaders/initFile.ts 的修改是共用的，对 Debian 镜像同样生效；但 Dockerfile 里的 PM2_HOME 环境变量和 mkdir/chmod 预建目录这两处，如果 Debian 版有单独的 Dockerfile，需要同步应用同样的改动。