wagmios

Productivity & Wikis

A self‑hosted Docker management platform that gives OpenClaw agents scoped API control over containers and apps in a homelab.

Go Latest v2.6.1 · 3d ago Security brief →

Features

  • Self‑hosted Docker management with REST API for listing, creating, starting/stopping, restarting, and deleting containers
  • Scope‑based permission system granting fine‑grained access (e.g., read/write/delete containers, image operations, marketplace actions)
  • WAGMIOS Marketplace enabling one‑click installation of 34+ self‑hosted apps such as Plex, Jellyfin, Ollama, Home Assistant
  • Real‑time WebSocket activity feed showing every action performed in the homelab
  • Multi‑machine support – each WAGMIOS instance runs independently and can be managed by agents with separate scoped keys

Recent releases

Upgrade now
v2.6.1 Mixed
Auth Breaking upgrade Dependencies

Runtime hardening + Docker path safety

Upgrade now
v2.6.0 Breaking risk
Auth RBAC Dependencies

Security hardening + fixes

v2.5.0 Security relevant
⚠ Upgrade required
  • Pull latest images: docker compose pull
  • Restart services: docker compose up -d
  • Upgrading from v2.3.0 or earlier: existing single admin key will be automatically migrated to the new multi-key format with admin role. No manual migration required.
Breaking changes
  • WebSocket endpoint /api/ws/activity now requires authentication via ?key= query parameter — previously listed in PublicPaths and accessible without credentials. Unauthenticated WebSocket clients will be rejected.
  • Scope checks now validate the requesting key specifically rather than any key in the store. Agent keys that previously bypassed scope restrictions due to the HasScope() bug will now be correctly denied.
Security fixes
  • [P0] Compose Path Traversal — /api/marketplace/start accepted an arbitrary compose_path and passed it directly to docker compose -f, allowing host filesystem access. Fixed: path now validated with filepath.Abs + strings.HasPrefix to enforce /app/data/containers/ prefix.
  • [P0] Scope Check Bypass — All 9 scope checks in server.go called keyStore.HasScope(), which checked if any key in the store had the scope, not the requesting key. Agent keys with no permissions could act with admin privileges. Fixed: changed to auth.KeyStoreHasScope(meta, scope) to validate the specific requesting key.
  • [P1] Unauthenticated WebSocket — /api/ws/activity was in PublicPaths, allowing unauthenticated network access to container activity events. Fixed: removed from public paths, added ?key= query parameter authentication.
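
A sketch of the kind of check the Compose Path Traversal fix describes, added here as an example and not taken from the WAGMIOS source. The function name, error value and sample paths are assumptions; only filepath.Abs, strings.HasPrefix and the /app/data/containers/ prefix come from the release notes.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// composeRoot is the prefix named in the v2.5.0 notes. The trailing slash is
// what stops a sibling such as /app/data/containers-old from matching.
const composeRoot = "/app/data/containers/"

// ErrOutsideRoot is a hypothetical error value for this example.
var ErrOutsideRoot = errors.New("compose_path is outside " + composeRoot)

// ValidateComposePath (hypothetical name) returns the cleaned absolute path,
// or ErrOutsideRoot if it does not sit under composeRoot.
func ValidateComposePath(p string) (string, error) {
	// filepath.Abs also applies filepath.Clean, so ".." segments are
	// collapsed before the prefix comparison instead of after it.
	abs, err := filepath.Abs(p)
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(abs, composeRoot) {
		return "", ErrOutsideRoot
	}
	// Lexical check only: a symlink under composeRoot is not resolved here.
	return abs, nil
}

func main() {
	// Constructed sample inputs, not taken from the project.
	samples := []string{
		"/app/data/containers/plex/docker-compose.yml",
		"/app/data/containers/../../../etc/hostname",
		"/app/data/containers-old/docker-compose.yml",
		"/app/data/containers/jellyfin/../plex/docker-compose.yml",
	}
	for _, s := range samples {
		abs, err := ValidateComposePath(s)
		fmt.Printf("%-58q -> %q, err=%v\n", s, abs, err)
	}
}
```

The caller should pass the returned cleaned path to docker compose -f, not the original string, so the value that was checked is the value that is used.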
Notable features
  • Admin and Agent roles — admin keys can manage other keys; agent keys are restricted to their assigned scopes with no escalation path
  • Key Management API — GET/POST/DELETE /api/keys for programmatic key lifecycle management
  • Key Management UI in Settings — create agent keys with custom scopes, revoke keys, view role badges
v2.4.0 Bug fix
Notable features
  • docker-compose V2 support
  • WAGMIOS_HOST_PATH volume path configuration
v2.3.0 New feature
Breaking changes
  • API key format changed from single-key to scoped tokens
  • Installation method changed from source build to docker compose
Security fixes
  • /api/settings/scopes endpoint now requires authentication and prevents permission self-escalation
Notable features
  • Scoped API with granular permissions
  • Multi-architecture support for ARM64 and x86_64
  • App marketplace with 30+ self-hosted applications

About

Stars
55
Forks
3
Languages
Go Vue TypeScript

Install & Platforms

Install via
docker-compose
Platforms
linux macos windows arm64
