@1claw/cli 0.36.1 → 0.36.2

package/README.md

@@ -1,4 +1,4 @@
-# @1claw/cli (v0.36.1)
+# @1claw/cli (v0.36.2)
 
 Command-line interface for [1Claw](https://1claw.xyz) — HSM-backed secret management for AI agents and humans.
 

package/dist/src/docker/base/entrypoint.sh

@@ -1,45 +1,58 @@
 #!/bin/sh
 # 1Claw agent container entrypoint.
-# Supports two modes:
-#   local  (ONECLAW_LOCAL_VAULT=true)  → credentials injected by the host daemon
-#                                         over the mounted Unix socket. The key
-#                                         NEVER enters the container.
-#   cloud  (ONECLAW_LOCAL_VAULT=false) → the agent API key is provided directly
-#                                         (e.g. via a Secret Manager mount).
+#
+# Credentials are brokered one of two ways:
+#   daemon-brokered → a host daemon Unix socket is mounted at
+#                     $ONECLAW_DAEMON_SOCKET. The daemon injects the agent key
+#                     (and any provider keys) into outbound requests. The keys
+#                     NEVER enter the container. Used by `1claw init --docker`
+#                     for both cloud and local modes.
+#   direct          → no daemon socket; the agent API key is provided directly
+#                     via $ONECLAW_AGENT_API_KEY (e.g. a Secret Manager mount on
+#                     Cloud Run via `1claw deploy`).
 set -e
 
 CHAT_UI_PORT="${CHAT_UI_PORT:-3000}"
+DAEMON_SOCKET="${ONECLAW_DAEMON_SOCKET:-/run/1claw/daemon.sock}"
 
 echo "─────────────────────────────────────────────"
 echo " 1Claw agent container starting"
 echo "   Agent ID:  ${ONECLAW_AGENT_ID:-not set}"
 echo "   Modules:   ${ONECLAW_CONTAINER_MODULES:-none}"
 
-if [ "$ONECLAW_LOCAL_VAULT" = "true" ]; then
-    echo "   Mode:      local (daemon socket)"
-    echo "   Socket:    $ONECLAW_DAEMON_SOCKET"
-    if [ ! -S "$ONECLAW_DAEMON_SOCKET" ]; then
-        echo ""
-        echo "ERROR: Daemon socket not found at $ONECLAW_DAEMON_SOCKET"
-        echo ""
-        echo "The 1Claw daemon must be running on the host with the socket mounted:"
-        echo "  1claw daemon start"
-        echo "  docker run -v ~/.config/1claw/daemon.sock:/run/1claw/daemon.sock:ro ..."
-        exit 1
-    fi
+if [ -S "$DAEMON_SOCKET" ]; then
+    # Daemon socket present → host daemon brokers all credentials. This is the
+    # default for `1claw init --docker` (cloud and local). The agent/provider
+    # keys stay on the host and never enter the container.
+    echo "   Mode:      ${ONECLAW_MODE:-cloud} (daemon socket)"
+    echo "   Socket:    $DAEMON_SOCKET"
     echo "─────────────────────────────────────────────"
     # Start the MCP server in local daemon mode (best-effort).
     if command -v 1claw-mcp >/dev/null 2>&1; then
-        ONECLAW_LOCAL_VAULT=true 1claw-mcp --local 2>/tmp/mcp.log &
+        ONECLAW_LOCAL_VAULT=true ONECLAW_DAEMON_SOCKET="$DAEMON_SOCKET" 1claw-mcp --local 2>/tmp/mcp.log &
     else
         echo "NOTE: @1claw/mcp not installed in image; chat UI uses the daemon directly."
     fi
+elif [ "$ONECLAW_LOCAL_VAULT" = "true" ]; then
+    # Local mode explicitly requested but no socket is mounted → misconfiguration.
+    echo ""
+    echo "ERROR: Daemon socket not found at $DAEMON_SOCKET"
+    echo ""
+    echo "The 1Claw daemon must be running on the host with the socket mounted:"
+    echo "  1claw daemon start"
+    echo "  docker run -v ~/.config/1claw/daemon.sock:/run/1claw/daemon.sock:ro ..."
+    exit 1
 else
-    echo "   Mode:      cloud (agent API key)"
+    # No daemon socket → standalone deploy. The agent API key must be supplied
+    # directly (e.g. Secret Manager mount).
+    echo "   Mode:      cloud (direct agent API key)"
     if [ -z "$ONECLAW_AGENT_API_KEY" ]; then
         echo ""
-        echo "ERROR: ONECLAW_AGENT_API_KEY is not set (cloud mode)."
-        echo "Provide it via a Secret Manager mount or -e ONECLAW_AGENT_API_KEY=..."
+        echo "ERROR: No daemon socket mounted and ONECLAW_AGENT_API_KEY is not set."
+        echo ""
+        echo "Either run via '1claw init --docker' (mounts the host daemon socket),"
+        echo "or provide the key directly: -e ONECLAW_AGENT_API_KEY=... (or a Secret"
+        echo "Manager mount)."
         exit 1
     fi
     echo "─────────────────────────────────────────────"

package/dist/src/lib/image-build.d.ts

@@ -5,7 +5,7 @@ export declare const DEFAULT_BASE_IMAGE = "1claw/agent:stable";
  * this whenever those change so an existing `1claw/agent:stable` is rebuilt
  * instead of silently reused. Stamped into the image as a label.
  */
-export declare const BASE_IMAGE_VERSION = "3";
+export declare const BASE_IMAGE_VERSION = "4";
 /** Build the base image from the bundled Docker context. */
 export declare function buildBaseImage(tag?: string, onProgress?: (line: string) => void): Promise<string>;
 /**

package/dist/src/lib/image-build.js

@@ -10,7 +10,7 @@ export const DEFAULT_BASE_IMAGE = "1claw/agent:stable";
  * this whenever those change so an existing `1claw/agent:stable` is rebuilt
  * instead of silently reused. Stamped into the image as a label.
  */
-export const BASE_IMAGE_VERSION = "3";
+export const BASE_IMAGE_VERSION = "4";
 const BASE_VERSION_LABEL = "org.1claw.base-version";
 /** Build the base image from the bundled Docker context. */
 export async function buildBaseImage(tag = DEFAULT_BASE_IMAGE, onProgress) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@1claw/cli",
-  "version": "0.36.1",
+  "version": "0.36.2",
   "description": "CLI for 1Claw — secrets management for AI agents and humans",
   "license": "MIT",
   "repository": {