@hitechclaw/clawspark 2.0.0

package/lib/setup-sandbox.sh

@@ -0,0 +1,188 @@
+#!/usr/bin/env bash
+# lib/setup-sandbox.sh -- Optional Docker-based sandbox for safe code execution.
+# Enables OpenClaw to run agent-generated code in an isolated container.
+# If Docker is not installed, the installer continues without sandbox support.
+set -euo pipefail
+
+setup_sandbox() {
+    # Install Docker if not available
+    if ! check_command docker; then
+        log_info "Docker not found. Installing for sandboxed code execution..."
+        if check_command apt-get; then
+            # Linux: install via official Docker convenience script
+            (curl -fsSL https://get.docker.com | sh) >> "${CLAWSPARK_LOG}" 2>&1 &
+            spinner $! "Installing Docker..."
+            if check_command docker; then
+                # Add current user to docker group so we don't need sudo
+                sudo usermod -aG docker "${USER}" 2>> "${CLAWSPARK_LOG}" || true
+                # Start Docker daemon
+                sudo systemctl start docker 2>> "${CLAWSPARK_LOG}" || true
+                sudo systemctl enable docker 2>> "${CLAWSPARK_LOG}" || true
+                log_success "Docker installed."
+            else
+                log_warn "Docker installation failed -- sandbox will not be available."
+                return 0
+            fi
+        elif check_command brew; then
+            log_info "Installing Docker via Homebrew..."
+            (brew install --cask docker) >> "${CLAWSPARK_LOG}" 2>&1 &
+            spinner $! "Installing Docker..."
+            if [[ -d "/Applications/Docker.app" ]]; then
+                log_success "Docker installed. Open Docker.app to start the daemon."
+                log_warn "Docker daemon not running yet -- sandbox will be available after starting Docker."
+                return 0
+            else
+                log_warn "Docker installation failed -- sandbox will not be available."
+                return 0
+            fi
+        else
+            log_warn "No package manager found -- install Docker manually for sandbox support."
+            return 0
+        fi
+    fi
+
+    # Check if Docker daemon is running
+    if ! docker info &>/dev/null; then
+        # Try to start it
+        if check_command systemctl; then
+            sudo systemctl start docker 2>> "${CLAWSPARK_LOG}" || true
+            sleep 2
+        fi
+        if ! docker info &>/dev/null; then
+            log_warn "Docker is installed but daemon is not running -- sandbox skipped."
+            log_info "Start Docker and run: clawspark sandbox on"
+            return 0
+        fi
+    fi
+
+    log_info "Setting up Docker sandbox for safe code execution..."
+
+    # ── Create sandbox directory and Dockerfile ───────────────────────────────
+    local sandbox_dir="${CLAWSPARK_DIR}/sandbox"
+    mkdir -p "${sandbox_dir}"
+
+    cat > "${sandbox_dir}/Dockerfile" <<'DOCKERFILE'
+FROM ubuntu:22.04
+
+# Non-interactive apt
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install common dev tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    python3 python3-pip python3-venv \
+    nodejs npm \
+    git curl wget jq \
+    build-essential \
+    && rm -rf /var/lib/apt/lists/*
+
+# Create non-root user
+RUN useradd -m -s /bin/bash sandbox
+USER sandbox
+WORKDIR /sandbox
+
+# Set up Python virtual env
+RUN python3 -m venv /sandbox/.venv
+ENV PATH="/sandbox/.venv/bin:$PATH"
+
+# Install common Python packages
+RUN pip install --no-cache-dir \
+    requests flask fastapi uvicorn \
+    pandas numpy matplotlib \
+    beautifulsoup4 lxml
+
+CMD ["/bin/bash"]
+DOCKERFILE
+
+    # ── Seccomp profile (block dangerous syscalls) ────────────────────────────
+    cat > "${sandbox_dir}/seccomp-profile.json" <<'SECCOMP'
+{
+    "defaultAction": "SCMP_ACT_ALLOW",
+    "syscalls": [
+        {
+            "names": [
+                "mount", "umount2", "pivot_root",
+                "swapon", "swapoff",
+                "reboot", "kexec_load", "kexec_file_load",
+                "init_module", "finit_module", "delete_module",
+                "acct", "settimeofday", "clock_settime",
+                "ptrace",
+                "add_key", "request_key", "keyctl",
+                "unshare", "setns"
+            ],
+            "action": "SCMP_ACT_ERRNO",
+            "errnoRet": 1
+        }
+    ]
+}
+SECCOMP
+
+    # ── Build the sandbox image ───────────────────────────────────────────────
+    log_info "Building sandbox image (this may take a minute)..."
+    (docker build -t clawspark-sandbox:latest "${sandbox_dir}") >> "${CLAWSPARK_LOG}" 2>&1 &
+    spinner $! "Building clawspark-sandbox image..."
+
+    if docker image inspect clawspark-sandbox:latest &>/dev/null; then
+        log_success "Sandbox image built: clawspark-sandbox:latest"
+    else
+        log_warn "Sandbox image build failed. Check ${CLAWSPARK_LOG}."
+        return 0
+    fi
+
+    # NOTE: We do NOT write sandbox config to openclaw.json during install.
+    # Setting agents.defaults.sandbox with network:"none" breaks the main agent's
+    # network access. The sandbox image and seccomp profile are ready for use via
+    # "clawspark sandbox on" which will enable it when the user explicitly wants it.
+    # The sandbox run.sh helper works standalone without any openclaw.json changes.
+
+    # Persist sandbox state as "off" (available but not active)
+    echo "false" > "${CLAWSPARK_DIR}/sandbox.state"
+    log_success "Sandbox image and seccomp profile ready."
+    log_info "Enable later with: clawspark sandbox on"
+
+    # ── Helper script for manual sandbox use ──────────────────────────────────
+    cat > "${sandbox_dir}/run.sh" <<'RUNSH'
+#!/usr/bin/env bash
+# run.sh -- Run a command inside the clawspark sandbox.
+# Usage: ~/.clawspark/sandbox/run.sh <command>
+# Example: ~/.clawspark/sandbox/run.sh python3 -c "print('hello')"
+set -euo pipefail
+
+SANDBOX_DIR="${HOME}/.clawspark/sandbox"
+
+if ! command -v docker &>/dev/null; then
+    echo "Error: Docker is not installed." >&2
+    exit 1
+fi
+
+if ! docker info &>/dev/null; then
+    echo "Error: Docker daemon is not running." >&2
+    exit 1
+fi
+
+if ! docker image inspect clawspark-sandbox:latest &>/dev/null; then
+    echo "Error: Sandbox image not found. Run install.sh or rebuild with:" >&2
+    echo "  docker build -t clawspark-sandbox:latest ${SANDBOX_DIR}" >&2
+    exit 1
+fi
+
+docker run --rm -it \
+    --read-only \
+    --tmpfs /tmp:size=100m \
+    --tmpfs /sandbox/work:size=500m \
+    --network=none \
+    --cap-drop=ALL \
+    --security-opt=no-new-privileges \
+    --security-opt="seccomp=${SANDBOX_DIR}/seccomp-profile.json" \
+    --memory=1g \
+    --cpus=2 \
+    --pids-limit=200 \
+    -v "${PWD}:/sandbox/code:ro" \
+    clawspark-sandbox:latest \
+    "$@"
+RUNSH
+    chmod +x "${sandbox_dir}/run.sh"
+
+    log_success "Sandbox setup complete."
+    log_info "Sub-agent code execution will run in isolated Docker containers."
+    log_info "Manual use: ~/.clawspark/sandbox/run.sh <command>"
+}

package/lib/setup-skills.sh

@@ -0,0 +1,113 @@
+#!/usr/bin/env bash
+# lib/setup-skills.sh — Reads skills.yaml and installs each enabled skill via clawhub.
+set -euo pipefail
+
+setup_skills() {
+    log_info "Installing OpenClaw skills..."
+    hr
+
+    # ── Locate skills.yaml ──────────────────────────────────────────────────
+    local skills_file=""
+    local search_paths=(
+        "${CLAWSPARK_DIR}/skills.yaml"
+        "${SCRIPT_DIR:-/opt/clawspark}/configs/skills.yaml"
+    )
+
+    for candidate in "${search_paths[@]}"; do
+        if [[ -f "${candidate}" ]]; then
+            skills_file="${candidate}"
+            break
+        fi
+    done
+
+    if [[ -z "${skills_file}" ]]; then
+        log_warn "No skills.yaml found — skipping skill installation."
+        return 0
+    fi
+
+    log_info "Using skills config: ${skills_file}"
+
+    # Copy to CLAWSPARK_DIR if not already there
+    if [[ "${skills_file}" != "${CLAWSPARK_DIR}/skills.yaml" ]]; then
+        cp "${skills_file}" "${CLAWSPARK_DIR}/skills.yaml"
+    fi
+
+    local -a skills=()
+    while IFS= read -r slug; do
+        skills+=("${slug}")
+    done < <(_parse_enabled_skills "${skills_file}")
+
+    if [[ ${#skills[@]} -eq 0 ]]; then
+        log_warn "No skills found under 'enabled:' in ${skills_file}."
+        return 0
+    fi
+
+    log_info "Found ${#skills[@]} skill(s) to install."
+
+    # ── Fix npm cache permissions (root-owned ~/.npm from sudo npm) ─────────
+    _fix_npm_cache_perms
+
+    # ── Install each skill ──────────────────────────────────────────────────
+    local installed=0
+    local failed=0
+
+    local skill_timeout=120  # 2 minutes max per skill
+
+    for skill in "${skills[@]}"; do
+        printf '  %s→%s Installing %s%s%s ... ' "${CYAN}" "${RESET}" "${BOLD}" "${skill}" "${RESET}"
+        if timeout "${skill_timeout}" npx --yes clawhub@latest install --force "${skill}" >> "${CLAWSPARK_LOG}" 2>&1; then
+            printf '%s✓%s\n' "${GREEN}" "${RESET}"
+            installed=$(( installed + 1 ))
+        else
+            local ec=$?
+            if [[ ${ec} -eq 124 ]]; then
+                printf '%s✗ (timed out after %ds, skipping)%s\n' "${YELLOW}" "${skill_timeout}" "${RESET}"
+            else
+                printf '%s✗ (failed, continuing)%s\n' "${YELLOW}" "${RESET}"
+            fi
+            log_warn "Skill '${skill}' failed to install — see ${CLAWSPARK_LOG}"
+            failed=$(( failed + 1 ))
+        fi
+    done
+
+    printf '\n'
+    log_success "Skills installed: ${installed} succeeded, ${failed} failed."
+
+    # ── Install essential community skills (web search, research) ─────────
+    _install_community_skills
+}
+
+# ── Community skills that don't need API keys ─────────────────────────────
+_install_community_skills() {
+    log_info "Installing community web search skills..."
+    local -a community_skills=(
+        "ddg-web-search"
+        "deep-research-pro"
+        "local-web-search-skill"
+    )
+    for skill in "${community_skills[@]}"; do
+        printf '  %s->%s Installing %s%s%s ... ' "${CYAN}" "${RESET}" "${BOLD}" "${skill}" "${RESET}"
+        if timeout 120 npx --yes clawhub@latest install --force "${skill}" >> "${CLAWSPARK_LOG}" 2>&1; then
+            printf '%sOK%s\n' "${GREEN}" "${RESET}"
+        else
+            printf '%sskipped%s\n' "${YELLOW}" "${RESET}"
+        fi
+    done
+    log_success "Community skills installed (web search, deep research)."
+}
+
+# ── Fix root-owned npm cache (common after sudo npm install -g) ───────────
+_fix_npm_cache_perms() {
+    local npm_cache="${HOME}/.npm"
+    if [[ -d "${npm_cache}" ]]; then
+        # Check if any files are owned by root (uid 0)
+        local root_files
+        root_files=$(find "${npm_cache}" -maxdepth 2 -uid 0 2>/dev/null | head -1)
+        if [[ -n "${root_files}" ]]; then
+            log_info "Fixing npm cache permissions (root-owned files in ~/.npm)..."
+            sudo chown -R "$(id -u):$(id -g)" "${npm_cache}" 2>/dev/null || {
+                log_warn "Could not fix ~/.npm permissions. Skills may fail to install."
+            }
+        fi
+    fi
+}

package/lib/setup-systemd.sh

@@ -0,0 +1,224 @@
+#!/usr/bin/env bash
+# lib/setup-systemd.sh -- Creates systemd services for OpenClaw gateway,
+# node host, and ClawMetry dashboard so they auto-start on boot.
+# Skipped on platforms without systemd (macOS, containers).
+set -euo pipefail
+
+setup_systemd_services() {
+    # Skip on non-systemd platforms (macOS, Docker, WSL1, etc.)
+    if ! check_command systemctl; then
+        log_info "systemd not available -- services will use PID-based management."
+        return 0
+    fi
+
+    # Verify systemd is actually running (not just the binary present)
+    # is-system-running returns non-zero for "degraded" (common when minor
+    # services fail), so we must check the output text, not the exit code.
+    local sys_state
+    sys_state=$(systemctl is-system-running 2>/dev/null || true)
+    case "${sys_state}" in
+        running|degraded|starting|initializing)
+            log_info "systemd active (state: ${sys_state})."
+            ;;
+        *)
+            log_info "systemd not active (state: ${sys_state}) -- skipping service creation."
+            return 0
+            ;;
+    esac
+
+    log_info "Creating systemd services for auto-start on boot..."
+
+    local user_name
+    user_name=$(whoami)
+    local user_home="${HOME}"
+
+    # Find binary paths
+    local openclaw_bin
+    openclaw_bin=$(command -v openclaw 2>/dev/null || echo "")
+    if [[ -z "${openclaw_bin}" ]]; then
+        local npm_bin
+        npm_bin="$(npm config get prefix 2>/dev/null)/bin"
+        [[ -x "${npm_bin}/openclaw" ]] && openclaw_bin="${npm_bin}/openclaw"
+    fi
+
+    if [[ -z "${openclaw_bin}" ]]; then
+        log_warn "openclaw binary not found -- skipping systemd setup."
+        return 0
+    fi
+
+    local env_file="${user_home}/.openclaw/gateway.env"
+
+    # Compute a comprehensive PATH for systemd (it starts with minimal PATH)
+    # The env file also has PATH, but belt-and-suspenders is safer here
+    local npm_prefix_bin
+    npm_prefix_bin="$(npm config get prefix 2>/dev/null)/bin"
+    local svc_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+    [[ -d "${npm_prefix_bin}" ]] && svc_path="${npm_prefix_bin}:${svc_path}"
+    [[ -d "${user_home}/.npm-global/bin" ]] && svc_path="${user_home}/.npm-global/bin:${svc_path}"
+    [[ -d "/snap/bin" ]] && svc_path="${svc_path}:/snap/bin"
+
+    # ── Gateway service ──────────────────────────────────────────────────────
+    sudo tee /etc/systemd/system/clawspark-gateway.service > /dev/null <<GWEOF
+[Unit]
+Description=clawspark OpenClaw Gateway
+After=network.target ollama.service
+Wants=ollama.service
+
+[Service]
+Type=simple
+User=${user_name}
+Environment=HOME=${user_home}
+Environment=PATH=${svc_path}
+EnvironmentFile=-${env_file}
+ExecStart=${openclaw_bin} gateway run --bind loopback
+Restart=on-failure
+RestartSec=5
+StandardOutput=append:${user_home}/.clawspark/gateway.log
+StandardError=append:${user_home}/.clawspark/gateway.log
+
+[Install]
+WantedBy=multi-user.target
+GWEOF
+    log_success "Created clawspark-gateway.service"
+
+    # ── Node host service ────────────────────────────────────────────────────
+    sudo tee /etc/systemd/system/clawspark-nodehost.service > /dev/null <<NHEOF
+[Unit]
+Description=clawspark OpenClaw Node Host
+After=clawspark-gateway.service
+Requires=clawspark-gateway.service
+
+[Service]
+Type=simple
+User=${user_name}
+Environment=HOME=${user_home}
+Environment=PATH=${svc_path}
+EnvironmentFile=-${env_file}
+ExecStartPre=/bin/sleep 3
+ExecStart=${openclaw_bin} node run --host 127.0.0.1 --port 18789
+Restart=on-failure
+RestartSec=5
+StandardOutput=append:${user_home}/.clawspark/node.log
+StandardError=append:${user_home}/.clawspark/node.log
+
+[Install]
+WantedBy=multi-user.target
+NHEOF
+    log_success "Created clawspark-nodehost.service"
+
+    # ── Dashboard service ────────────────────────────────────────────────────
+    local clawmetry_bin=""
+    if command -v clawmetry &>/dev/null; then
+        clawmetry_bin=$(command -v clawmetry)
+    elif [[ -x "${user_home}/.local/bin/clawmetry" ]]; then
+        clawmetry_bin="${user_home}/.local/bin/clawmetry"
+    fi
+
+    if [[ -n "${clawmetry_bin}" ]]; then
+        sudo tee /etc/systemd/system/clawspark-dashboard.service > /dev/null <<DBEOF
+[Unit]
+Description=clawspark ClawMetry Dashboard
+After=network.target
+
+[Service]
+Type=simple
+User=${user_name}
+Environment=HOME=${user_home}
+ExecStart=${clawmetry_bin} --port 8900 --host 127.0.0.1
+Restart=on-failure
+RestartSec=5
+StandardOutput=append:${user_home}/.clawspark/dashboard.log
+StandardError=append:${user_home}/.clawspark/dashboard.log
+
+[Install]
+WantedBy=multi-user.target
+DBEOF
+        log_success "Created clawspark-dashboard.service"
+    else
+        log_info "clawmetry binary not found -- dashboard service not created."
+    fi
+
+    # ── Enable all services ──────────────────────────────────────────────────
+    sudo systemctl daemon-reload
+
+    sudo systemctl enable clawspark-gateway.service >> "${CLAWSPARK_LOG}" 2>&1 || true
+    sudo systemctl enable clawspark-nodehost.service >> "${CLAWSPARK_LOG}" 2>&1 || true
+    if [[ -n "${clawmetry_bin}" ]]; then
+        sudo systemctl enable clawspark-dashboard.service >> "${CLAWSPARK_LOG}" 2>&1 || true
+    fi
+
+    log_success "Systemd services enabled -- will auto-start on boot."
+
+    # ── Migrate running nohup processes to systemd ───────────────────────────
+    # Stop the nohup-started processes and let systemd take over.
+    # This ensures a clean state right now, not just after next reboot.
+    log_info "Migrating running services to systemd..."
+
+    # Helper: safely kill a PID from a pid file (validates numeric + process identity)
+    _safe_kill_pid() {
+        local pid_file="$1" name_hint="$2"
+        if [[ -f "${pid_file}" ]]; then
+            local pid
+            pid=$(cat "${pid_file}" 2>/dev/null || echo "")
+            if [[ -n "${pid}" ]] && [[ "${pid}" =~ ^[0-9]+$ ]]; then
+                # Verify the PID belongs to an openclaw/clawmetry process
+                local proc_cmd
+                proc_cmd=$(ps -p "${pid}" -o comm= 2>/dev/null || echo "")
+                if [[ "${proc_cmd}" == *"openclaw"* ]] || [[ "${proc_cmd}" == *"clawmetry"* ]] || [[ "${proc_cmd}" == *"python"* ]]; then
+                    kill "${pid}" 2>/dev/null || true
+                fi
+            fi
+            rm -f "${pid_file}"
+        fi
+    }
+
+    _safe_kill_pid "${CLAWSPARK_DIR}/gateway.pid" "gateway"
+    _safe_kill_pid "${CLAWSPARK_DIR}/node.pid" "node"
+    _safe_kill_pid "${CLAWSPARK_DIR}/dashboard.pid" "dashboard"
+
+    sleep 2
+
+    # Start via systemd
+    sudo systemctl start clawspark-gateway.service || {
+        log_warn "Gateway systemd start failed. Check: sudo journalctl -u clawspark-gateway"
+    }
+    sleep 3
+    sudo systemctl start clawspark-nodehost.service || {
+        log_warn "Node host systemd start failed. Check: sudo journalctl -u clawspark-nodehost"
+    }
+    if [[ -n "${clawmetry_bin}" ]]; then
+        sudo systemctl start clawspark-dashboard.service || {
+            log_warn "Dashboard systemd start failed. Check: sudo journalctl -u clawspark-dashboard"
+        }
+    fi
+
+    # Verify
+    sleep 3
+    local all_ok=true
+    if sudo systemctl is-active --quiet clawspark-gateway.service; then
+        log_success "Gateway running via systemd."
+    else
+        log_warn "Gateway not running via systemd."
+        all_ok=false
+    fi
+    if sudo systemctl is-active --quiet clawspark-nodehost.service; then
+        log_success "Node host running via systemd."
+    else
+        log_warn "Node host not running via systemd."
+        all_ok=false
+    fi
+    if [[ -n "${clawmetry_bin}" ]]; then
+        if sudo systemctl is-active --quiet clawspark-dashboard.service; then
+            log_success "Dashboard running via systemd."
+        else
+            log_warn "Dashboard not running via systemd."
+            all_ok=false
+        fi
+    fi
+
+    if [[ "${all_ok}" == "true" ]]; then
+        log_success "All services running via systemd. They will auto-start on boot."
+    else
+        log_warn "Some services failed to start via systemd. Use 'clawspark restart' or check journalctl."
+    fi
+}