feat(script): Auto bind WebUI to 0.0.0.0 in headless mode

[lyjjl]

Summary by Sourcery

在无头模式下运行时将 WebUI 绑定到 0.0.0.0，并显示有关潜在暴露风险的安全警告。

新功能：

• 在通过启动脚本以无头（xvfb）模式启动时，将 WebUI 暴露在 0.0.0.0 上。

增强内容：

• 在无头模式下显示清晰的安全警告，提示网络暴露风险，并建议使用防火墙或 SSH 隧道。

Original summary in English

Summary by Sourcery

Bind the WebUI to 0.0.0.0 when running in headless mode and surface security warnings about potential exposure.

New Features:

• Expose the WebUI on 0.0.0.0 when launching in headless (xvfb) mode via the startup script.

Enhancements:

• Display clear security warnings in headless mode about network exposure and recommend firewall or SSH tunnel usage.

[sourcery-ai]

审阅者指南（在小型 PR 上默认折叠）

审阅者指南

在无头（xvfb）模式下，启动脚本现在会将 WebUI 绑定到 0.0.0.0，并向用户警告潜在的暴露风险，同时进行了少量空白字符清理。

无头启动时将 WebUI 绑定到 0_0_0_0 的时序图

sequenceDiagram
    actor User
    participant start_linux_sh
    participant xvfb_run
    participant LLBOT_CLI
    participant WebUI_Client

    User->>start_linux_sh: run start_linux_sh
    start_linux_sh->>start_linux_sh: detect_headless_mode USE_XVFB=1
    start_linux_sh->>User: warn Headless mode will listen on 0.0.0.0
    start_linux_sh->>User: warn Restrict access via firewall or SSH tunnel
    start_linux_sh->>xvfb_run: exec xvfb_run -a LLBOT_CLI_BIN --host=0.0.0.0
    xvfb_run->>LLBOT_CLI: start WebUI bound to 0.0.0.0
    WebUI_Client->>LLBOT_CLI: HTTP request to WebUI on 0.0.0.0
    LLBOT_CLI-->>WebUI_Client: WebUI response

Loading

文件级变更

变更	详情	文件
调整无头启动，使 WebUI 绑定到 0.0.0.0，并附带安全警告。	在 xvfb-run 下运行时，更新 CLI 的无头执行逻辑，传入 --host=0.0.0.0。 添加警告信息，说明无头模式将监听在 0.0.0.0 上，可能暴露服务，并建议使用防火墙/安全组或 SSH 隧道。 除周边上下文外，保持 GUI 模式的调用方式不变。	script/start-linux.sh
启动脚本中的轻微格式清理。	删除 trap、confirm 以及 echo/菜单部分周围的一些多余空行，使脚本格式更整洁。	script/start-linux.sh

---

提示与命令

与 Sourcery 交互

• 触发新的审查： 在 pull request 中评论 @sourcery-ai review。
• 继续讨论： 直接回复 Sourcery 的审查评论。
• 从审查评论生成 GitHub issue： 通过回复某条审查评论让 Sourcery 从该评论创建一个 issue。你也可以回复审查评论 @sourcery-ai issue 来从中创建一个 issue。
• 生成 pull request 标题： 在 pull request 标题的任意位置写上 @sourcery-ai，即可随时生成标题。你也可以在 pull request 中评论 @sourcery-ai title 来（重新）生成标题。
• 生成 pull request 概要： 在 pull request 正文任意位置写上 @sourcery-ai summary，即可在你想要的位置随时生成 PR 概要。你也可以在 pull request 中评论 @sourcery-ai summary 来（重新）生成概要。
• 生成审阅者指南： 在 pull request 中评论 @sourcery-ai guide，即可随时（重新）生成审阅者指南。
• 解决所有 Sourcery 评论： 在 pull request 中评论 @sourcery-ai resolve，即可将所有 Sourcery 评论标记为已解决。如果你已经处理完所有评论且不想再看到它们，这会很有用。
• 撤销所有 Sourcery 审查： 在 pull request 中评论 @sourcery-ai dismiss，即可撤销所有现有的 Sourcery 审查。尤其适用于你想从头开始一次新的审查——别忘了再评论 @sourcery-ai review 来触发新的审查！

自定义你的体验

访问你的 控制面板 以：

• 启用或禁用审查功能，例如 Sourcery 生成的 pull request 概要、审阅者指南等。
• 更改审查语言。
• 添加、删除或编辑自定义审查说明。
• 调整其他审查相关设置。

获取帮助

• 联系支持团队 以获取帮助或提交反馈。
• 访问我们的文档以查看详细指南和信息。
• 通过关注我们的 X/Twitter、LinkedIn 或 GitHub 与 Sourcery 团队保持联系。

Original review guide in English

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

In headless (xvfb) mode the startup script now binds the WebUI to 0.0.0.0 and warns the user about potential exposure, while also doing minor whitespace cleanups.

Sequence diagram for headless startup binding WebUI to 0_0_0_0

sequenceDiagram
    actor User
    participant start_linux_sh
    participant xvfb_run
    participant LLBOT_CLI
    participant WebUI_Client

    User->>start_linux_sh: run start_linux_sh
    start_linux_sh->>start_linux_sh: detect_headless_mode USE_XVFB=1
    start_linux_sh->>User: warn Headless mode will listen on 0.0.0.0
    start_linux_sh->>User: warn Restrict access via firewall or SSH tunnel
    start_linux_sh->>xvfb_run: exec xvfb_run -a LLBOT_CLI_BIN --host=0.0.0.0
    xvfb_run->>LLBOT_CLI: start WebUI bound to 0.0.0.0
    WebUI_Client->>LLBOT_CLI: HTTP request to WebUI on 0.0.0.0
    LLBOT_CLI-->>WebUI_Client: WebUI response

Loading

File-Level Changes

Change	Details	Files
Adjust headless startup to bind WebUI to 0.0.0.0 with safety warnings.	Update headless execution of the CLI to pass --host=0.0.0.0 when running under xvfb-run. Add warning messages explaining that headless mode will listen on 0.0.0.0 and may expose the service, suggesting firewall/security group or SSH tunnel usage. Keep GUI mode invocation unchanged aside from surrounding context.	script/start-linux.sh
Minor formatting cleanup in the startup script.	Remove a few redundant blank lines around trap, confirm, and echo/menu sections to tidy the script formatting.	script/start-linux.sh

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - 我在这里给出了一些总体反馈：

• 与其硬编码 --host=0.0.0.0，不如考虑从一个可配置变量中读取绑定地址（例如使用默认值为 0.0.0.0 的 LLBOT_WEB_HOST），这样在无头运行时，用户可以选择使用更受限制的绑定地址。
• 这一行 env $IM_ENV xvfb-run -a "$LLBOT_CLI_BIN" --host=0.0.0.0 可以通过显式导出变量并避免单词拆分来变得更健壮（例如将 IM_ENV 用作在 env 调用之前的 KEY=VALUE 形式的导出，或者改用 LLBOT_WEB_HOST=${LLBOT_WEB_HOST:-0.0.0.0}，并显式传递该变量）。

给 AI 代理的提示

Please address the comments from this code review:

## Overall Comments
- Instead of hardcoding `--host=0.0.0.0`, consider reading the bind address from a configurable variable (e.g. `LLBOT_WEB_HOST` with a default of `0.0.0.0`) so users can opt into a more restrictive binding when running headless.
- The `env $IM_ENV xvfb-run -a "$LLBOT_CLI_BIN" --host=0.0.0.0` line could be made more robust by explicitly exporting variables and avoiding word-splitting (e.g. using `IM_ENV` as `KEY=VALUE` exports before the `env` call or switching to `LLBOT_WEB_HOST=${LLBOT_WEB_HOST:-0.0.0.0}` and passing that variable explicitly).

---

Sourcery 对开源项目是免费的——如果你觉得我们的评审对你有帮助，欢迎分享给更多人 ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{帮我变得更有用！请在每条评论上点 👍 或 👎，我会根据你的反馈改进之后的评审。}

Original comment in English

Hey - I've left some high level feedback:

• Instead of hardcoding --host=0.0.0.0, consider reading the bind address from a configurable variable (e.g. LLBOT_WEB_HOST with a default of 0.0.0.0) so users can opt into a more restrictive binding when running headless.
• The env $IM_ENV xvfb-run -a "$LLBOT_CLI_BIN" --host=0.0.0.0 line could be made more robust by explicitly exporting variables and avoiding word-splitting (e.g. using IM_ENV as KEY=VALUE exports before the env call or switching to LLBOT_WEB_HOST=${LLBOT_WEB_HOST:-0.0.0.0} and passing that variable explicitly).

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Instead of hardcoding `--host=0.0.0.0`, consider reading the bind address from a configurable variable (e.g. `LLBOT_WEB_HOST` with a default of `0.0.0.0`) so users can opt into a more restrictive binding when running headless.
- The `env $IM_ENV xvfb-run -a "$LLBOT_CLI_BIN" --host=0.0.0.0` line could be made more robust by explicitly exporting variables and avoiding word-splitting (e.g. using `IM_ENV` as `KEY=VALUE` exports before the `env` call or switching to `LLBOT_WEB_HOST=${LLBOT_WEB_HOST:-0.0.0.0}` and passing that variable explicitly).

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[lyjjl]

不对，我好像理解错了。

[linyuchen]

这里的 host 是 pmhq 的 host，如果想要默认开放 webui 到 0.0.0.0，那么要像 Docker script 一样强制让用户输入设置 webui 密码，然后修改 default_config.json 或者 config_<qq>.json 中的 webui.host

[lyjjl]

对，我理解错了（ 在 2026-01-31 12:44:07，"linyuchen" ***@***.***> 写道： linyuchen left a comment (LLOneBot/LuckyLilliaBot#696) 这里的 host 是 pmhq 的 host，如果想要默认开放 webui 到 0.0.0.0，那么要像 Docker script 一样强制让用户输入设置 webui 密码，然后修改 default_config.json 或者 config_<qq>.json 中的 webui.host — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you modified the open/close state.Message ID: ***@***.***>