@rozek/nanoclaw 1.2.17

package/README.md

@@ -0,0 +1,261 @@
+<p align="center">
+  <img src="assets/nanoclaw-logo.png" alt="NanoClaw" width="400">
+</p>
+
+<p align="center">
+  An AI assistant that runs agents securely in their own containers. Lightweight, built to be easily understood and completely customized for your needs.
+</p>
+
+<p align="center">
+  <a href="https://nanoclaw.dev">nanoclaw.dev</a>&nbsp; • &nbsp;
+  <a href="README_zh.md">中文</a>&nbsp; • &nbsp;
+  <a href="https://discord.gg/VDdww8qS42"><img src="https://img.shields.io/discord/1470188214710046894?label=Discord&logo=discord&v=2" alt="Discord" valign="middle"></a>&nbsp; • &nbsp;
+  <a href="repo-tokens"><img src="repo-tokens/badge.svg" alt="34.9k tokens, 17% of context window" valign="middle"></a>
+</p>
+
+---
+
+> **Important:** this is my own fork of the original [qwibitai/nanoclaw](https://github.com/qwibitai/nanoclaw).
+> 
+> It adds a **built-in web channel** (multi-session browser UI with Markdown Support + HTTP server) and a CLI entry point that lets you start NanoClaw with a single `npx @rozek/nanoclaw` command — no cloning or manual setup required. See [NanoClaw_with_Web-Support.md](NanoClaw_with_Web-Support.md) for the full installation guide.
+
+---
+
+<h2 align="center">🐳 Now Runs in Docker Sandboxes</h2>
+<p align="center">Every agent gets its own isolated container inside a micro VM.<br>Hypervisor-level isolation. Millisecond startup. No complex setup.</p>
+
+**macOS (Apple Silicon)**
+```bash
+curl -fsSL https://nanoclaw.dev/install-docker-sandboxes.sh | bash
+```
+
+**Windows (WSL)**
+```bash
+curl -fsSL https://nanoclaw.dev/install-docker-sandboxes-windows.sh | bash
+```
+
+> Currently supported on macOS (Apple Silicon) and Windows (x86). Linux support coming soon.
+
+<p align="center"><a href="https://nanoclaw.dev/blog/nanoclaw-docker-sandboxes">Read the announcement →</a>&nbsp; · &nbsp;<a href="docs/docker-sandboxes.md">Manual setup guide →</a></p>
+
+---
+
+## Why I Built NanoClaw
+
+[OpenClaw](https://github.com/openclaw/openclaw) is an impressive project, but I wouldn't have been able to sleep if I had given complex software I didn't understand full access to my life. OpenClaw has nearly half a million lines of code, 53 config files, and 70+ dependencies. Its security is at the application level (allowlists, pairing codes) rather than true OS-level isolation. Everything runs in one Node process with shared memory.
+
+NanoClaw provides that same core functionality, but in a codebase small enough to understand: one process and a handful of files. Claude agents run in their own Linux containers with filesystem isolation, not merely behind permission checks.
+
+## Quick Start
+
+### With npx (this fork — recommended)
+
+```bash
+npx @rozek/nanoclaw
+```
+
+Then open **http://localhost:3099** in your browser. That's it.
+
+```bash
+# Custom port, workspace, and token protection:
+npx @rozek/nanoclaw --port 8080 --workspace ~/my-workspace --token mySecretToken
+```
+
+See [NanoClaw_with_Web-Support.md](NanoClaw_with_Web-Support.md) for all options and prerequisites.
+
+### From source (upstream workflow)
+
+```bash
+gh repo fork rozek/nanoclaw --clone
+cd nanoclaw
+claude
+```
+
+<details>
+<summary>Without GitHub CLI</summary>
+
+1. Fork [rozek/nanoclaw](https://github.com/rozek/nanoclaw) on GitHub (click the Fork button)
+2. `git clone https://github.com/<your-username>/nanoclaw.git`
+3. `cd nanoclaw`
+4. `claude`
+
+</details>
+
+Then run `/setup`. Claude Code handles everything: dependencies, authentication, container setup and service configuration.
+
+> **Note:** Commands prefixed with `/` (like `/setup`, `/add-whatsapp`) are [Claude Code skills](https://code.claude.com/docs/en/skills). Type them inside the `claude` CLI prompt, not in your regular terminal. If you don't have Claude Code installed, get it at [claude.com/product/claude-code](https://claude.com/product/claude-code).
+
+## Philosophy
+
+**Small enough to understand.** One process, a few source files and no microservices. If you want to understand the full NanoClaw codebase, just ask Claude Code to walk you through it.
+
+**Secure by isolation.** Agents run in Linux containers (Apple Container on macOS, or Docker) and they can only see what's explicitly mounted. Bash access is safe because commands run inside the container, not on your host.
+
+**Built for the individual user.** NanoClaw isn't a monolithic framework; it's software that fits each user's exact needs. Instead of becoming bloatware, NanoClaw is designed to be bespoke. You make your own fork and have Claude Code modify it to match your needs.
+
+**Customization = code changes.** No configuration sprawl. Want different behavior? Modify the code. The codebase is small enough that it's safe to make changes.
+
+**AI-native.**
+- No installation wizard; Claude Code guides setup.
+- No monitoring dashboard; ask Claude what's happening.
+- No debugging tools; describe the problem and Claude fixes it.
+
+**Skills over features.** Instead of adding features (e.g. support for Telegram) to the codebase, contributors submit [claude code skills](https://code.claude.com/docs/en/skills) like `/add-telegram` that transform your fork. You end up with clean code that does exactly what you need.
+
+**Best harness, best model.** NanoClaw runs on the Claude Agent SDK, which means you're running Claude Code directly. Claude Code is highly capable and its coding and problem-solving capabilities allow it to modify and expand NanoClaw and tailor it to each user.
+
+## What It Supports
+
+- **Built-in web channel** — Start with `npx @rozek/nanoclaw` and open your browser. No messaging app required. Full-featured chat UI with Markdown, math (KaTeX), syntax highlighting, and Mermaid diagrams. Multi-session, persistent, accessible from the LAN. *(Added in this fork — see [NanoClaw_with_Web-Support.md](NanoClaw_with_Web-Support.md))*
+- **Multi-channel messaging** - Talk to your assistant from WhatsApp, Telegram, Discord, Slack, or Gmail. Add channels with skills like `/add-whatsapp` or `/add-telegram`. Run one or many at the same time.
+- **Isolated group context** - Each group has its own `CLAUDE.md` memory, isolated filesystem, and runs in its own container sandbox with only that filesystem mounted to it.
+- **Main channel** - Your private channel (self-chat) for admin control; every group is completely isolated
+- **Scheduled tasks** - Recurring jobs that run Claude and can message you back
+- **Web access** - Search and fetch content from the Web
+- **Container isolation** - Agents are sandboxed in [Docker Sandboxes](https://nanoclaw.dev/blog/nanoclaw-docker-sandboxes) (micro VM isolation), Apple Container (macOS), or Docker (macOS/Linux)
+- **Agent Swarms** - Spin up teams of specialized agents that collaborate on complex tasks
+- **Optional integrations** - Add Gmail (`/add-gmail`) and more via skills
+
+## Usage
+
+Talk to your assistant with the trigger word (default: `@Andy`):
+
+```
+@Andy send an overview of the sales pipeline every weekday morning at 9am (has access to my Obsidian vault folder)
+@Andy review the git history for the past week each Friday and update the README if there's drift
+@Andy every Monday at 8am, compile news on AI developments from Hacker News and TechCrunch and message me a briefing
+```
+
+From the main channel (your self-chat), you can manage groups and tasks:
+```
+@Andy list all scheduled tasks across groups
+@Andy pause the Monday briefing task
+@Andy join the Family Chat group
+```
+
+## Customizing
+
+NanoClaw doesn't use configuration files. To make changes, just tell Claude Code what you want:
+
+- "Change the trigger word to @Bob"
+- "Remember in the future to make responses shorter and more direct"
+- "Add a custom greeting when I say good morning"
+- "Store conversation summaries weekly"
+
+Or run `/customize` for guided changes.
+
+The codebase is small enough that Claude can safely modify it.
+
+## Contributing
+
+**Don't add features. Add skills.**
+
+If you want to add Telegram support, don't create a PR that adds Telegram to the core codebase. Instead, fork NanoClaw, make the code changes on a branch, and open a PR. We'll create a `skill/telegram` branch from your PR that other users can merge into their fork.
+
+Users then run `/add-telegram` on their fork and get clean code that does exactly what they need, not a bloated system trying to support every use case.
+
+### RFS (Request for Skills)
+
+Skills we'd like to see:
+
+**Communication Channels**
+- `/add-signal` - Add Signal as a channel
+
+**Session Management**
+- `/clear` - Add a `/clear` command that compacts the conversation (summarizes context while preserving critical information in the same session). Requires figuring out how to trigger compaction programmatically via the Claude Agent SDK.
+
+## Requirements
+
+- macOS or Linux
+- Node.js 20+
+- [Claude Code](https://claude.ai/download)
+- [Apple Container](https://github.com/apple/container) (macOS) or [Docker](https://docker.com/products/docker-desktop) (macOS/Linux)
+
+## Architecture
+
+```
+Channels --> SQLite --> Polling loop --> Container (Claude Agent SDK) --> Response
+```
+
+Single Node.js process. Channels are added via skills and self-register at startup — the orchestrator connects whichever ones have credentials present. Agents execute in isolated Linux containers with filesystem isolation. Only mounted directories are accessible. Per-group message queue with concurrency control. IPC via filesystem.
+
+For the full architecture details, see [docs/SPEC.md](docs/SPEC.md).
+
+Key files:
+- `src/index.ts` - Orchestrator: state, message loop, agent invocation
+- `src/cli.ts` - CLI entry point (enables `npx @rozek/nanoclaw`) *(added in this fork)*
+- `src/channels/web.ts` - Built-in web channel: HTTP server + embedded browser UI *(added in this fork)*
+- `src/channels/registry.ts` - Channel registry (self-registration at startup)
+- `src/ipc.ts` - IPC watcher and task processing
+- `src/router.ts` - Message formatting and outbound routing
+- `src/group-queue.ts` - Per-group queue with global concurrency limit
+- `src/container-runner.ts` - Spawns streaming agent containers
+- `src/task-scheduler.ts` - Runs scheduled tasks
+- `src/db.ts` - SQLite operations (messages, groups, sessions, state)
+- `groups/*/CLAUDE.md` - Per-group memory
+
+## FAQ
+
+**Why Docker?**
+
+Docker provides cross-platform support (macOS, Linux and even Windows via WSL2) and a mature ecosystem. On macOS, you can optionally switch to Apple Container via `/convert-to-apple-container` for a lighter-weight native runtime.
+
+**Can I run this on Linux?**
+
+Yes. Docker is the default runtime and works on both macOS and Linux. Just run `/setup`.
+
+**Is this secure?**
+
+Agents run in containers, not behind application-level permission checks. They can only access explicitly mounted directories. You should still review what you're running, but the codebase is small enough that you actually can. See [docs/SECURITY.md](docs/SECURITY.md) for the full security model.
+
+**Should I protect the web UI with a token?**
+
+Yes, if NanoClaw is accessible from your LAN or the internet. Pass `--token mySecretToken` to `npx @rozek/nanoclaw`. See [NanoClaw_with_Web-Support.md](NanoClaw_with_Web-Support.md) for details.
+
+**Why no configuration files?**
+
+We don't want configuration sprawl. Every user should customize NanoClaw so that the code does exactly what they want, rather than configuring a generic system. If you prefer having config files, you can tell Claude to add them.
+
+**Can I use third-party or open-source models?**
+
+Yes. NanoClaw supports any Claude API-compatible model endpoint. Set these environment variables in your `.env` file:
+
+```bash
+ANTHROPIC_BASE_URL=https://your-api-endpoint.com
+ANTHROPIC_AUTH_TOKEN=your-token-here
+```
+
+This allows you to use:
+- Local models via [Ollama](https://ollama.ai) with an API proxy
+- Open-source models hosted on [Together AI](https://together.ai), [Fireworks](https://fireworks.ai), etc.
+- Custom model deployments with Anthropic-compatible APIs
+
+Note: The model must support the Anthropic API format for best compatibility.
+
+**How do I debug issues?**
+
+Ask Claude Code. "Why isn't the scheduler running?" "What's in the recent logs?" "Why did this message not get a response?" That's the AI-native approach that underlies NanoClaw.
+
+**Why isn't the setup working for me?**
+
+If you have issues, during setup, Claude will try to dynamically fix them. If that doesn't work, run `claude`, then run `/debug`. If Claude finds an issue that is likely affecting other users, open a PR to modify the setup SKILL.md.
+
+**What changes will be accepted into the codebase?**
+
+Only security fixes, bug fixes, and clear improvements will be accepted to the base configuration. That's all.
+
+Everything else (new capabilities, OS compatibility, hardware support, enhancements) should be contributed as skills.
+
+This keeps the base system minimal and lets every user customize their installation without inheriting features they don't want.
+
+## Community
+
+Questions? Ideas? [Join the Discord](https://discord.gg/VDdww8qS42).
+
+## Changelog
+
+See [CHANGELOG.md](CHANGELOG.md) for breaking changes and migration notes.
+
+## License
+
+MIT

package/README_zh.md

@@ -0,0 +1,200 @@
+<p align="center">
+  <img src="assets/nanoclaw-logo.png" alt="NanoClaw" width="400">
+</p>
+
+<p align="center">
+  NanoClaw —— 您的专属 Claude 助手，在容器中安全运行。它轻巧易懂，并能根据您的个人需求灵活定制。
+</p>
+
+<p align="center">
+  <a href="https://nanoclaw.dev">nanoclaw.dev</a>&nbsp; • &nbsp;
+  <a href="README.md">English</a>&nbsp; • &nbsp;
+  <a href="https://discord.gg/VDdww8qS42"><img src="https://img.shields.io/discord/1470188214710046894?label=Discord&logo=discord&v=2" alt="Discord" valign="middle"></a>&nbsp; • &nbsp;
+  <a href="repo-tokens"><img src="repo-tokens/badge.svg" alt="34.9k tokens, 17% of context window" valign="middle"></a>
+</p>
+通过 Claude Code，NanoClaw 可以动态重写自身代码，根据您的需求定制功能。
+
+**新功能：** 首个支持 [Agent Swarms（智能体集群）](https://code.claude.com/docs/en/agent-teams) 的 AI 助手。可轻松组建智能体团队，在您的聊天中高效协作。
+
+## 我为什么创建这个项目
+
+[OpenClaw](https://github.com/openclaw/openclaw) 是一个令人印象深刻的项目，但我无法安心使用一个我不了解却能访问我个人隐私的软件。OpenClaw 有近 50 万行代码、53 个配置文件和 70+ 个依赖项。其安全性是应用级别的（通过白名单、配对码实现），而非操作系统级别的隔离。所有东西都在一个共享内存的 Node 进程中运行。
+
+NanoClaw 用一个您能快速理解的代码库，为您提供了同样的核心功能。只有一个进程，少数几个文件。智能体（Agent）运行在具有文件系统隔离的真实 Linux 容器中，而不是依赖于权限检查。
+
+## 快速开始
+
+```bash
+git clone https://github.com/qwibitai/nanoclaw.git
+cd nanoclaw
+claude
+```
+
+然后运行 `/setup`。Claude Code 会处理一切：依赖安装、身份验证、容器设置、服务配置。
+
+> **注意：** 以 `/` 开头的命令（如 `/setup`、`/add-whatsapp`）是 [Claude Code 技能](https://code.claude.com/docs/en/skills)。请在 `claude` CLI 提示符中输入，而非在普通终端中。
+
+## 设计哲学
+
+**小巧易懂：** 单一进程，少量源文件。无微服务、无消息队列、无复杂抽象层。让 Claude Code 引导您轻松上手。
+
+**通过隔离保障安全:** 智能体运行在 Linux 容器（在 macOS 上是 Apple Container，或 Docker）中。它们只能看到被明确挂载的内容。即便通过 Bash 访问也十分安全，因为所有命令都在容器内执行，不会直接操作您的宿主机。
+
+**为单一用户打造:** 这不是一个框架，是一个完全符合您个人需求的、可工作的软件。您可以 Fork 本项目，然后让 Claude Code 根据您的精确需求进行修改和适配。
+
+**定制即代码修改:** 没有繁杂的配置文件。想要不同的行为？直接修改代码。代码库足够小，这样做是安全的。
+
+**AI 原生:** 无安装向导（由 Claude Code 指导安装）。无需监控仪表盘，直接询问 Claude 即可了解系统状况。无调试工具（描述问题，Claude 会修复它）。
+
+**技能（Skills）优于功能（Features）:** 贡献者不应该向代码库添加新功能（例如支持 Telegram）。相反，他们应该贡献像 `/add-telegram` 这样的 [Claude Code 技能](https://code.claude.com/docs/en/skills)，这些技能可以改造您的 fork。最终，您得到的是只做您需要事情的整洁代码。
+
+**最好的工具套件，最好的模型:** 本项目运行在 Claude Agent SDK 之上，这意味着您直接运行的就是 Claude Code。Claude Code 高度强大，其编码和问题解决能力使其能够修改和扩展 NanoClaw，为每个用户量身定制。
+
+## 功能支持
+
+- **多渠道消息** - 通过 WhatsApp、Telegram、Discord、Slack 或 Gmail 与您的助手对话。使用 `/add-whatsapp` 或 `/add-telegram` 等技能添加渠道，可同时运行一个或多个。
+- **隔离的群组上下文** - 每个群组都拥有独立的 `CLAUDE.md` 记忆和隔离的文件系统。它们在各自的容器沙箱中运行，且仅挂载所需的文件系统。
+- **主频道** - 您的私有频道（self-chat），用于管理控制；其他所有群组都完全隔离
+- **计划任务** - 运行 Claude 的周期性作业，并可以给您回发消息
+- **网络访问** - 搜索和抓取网页内容
+- **容器隔离** - 智能体在 Apple Container (macOS) 或 Docker (macOS/Linux) 的沙箱中运行
+- **智能体集群（Agent Swarms）** - 启动多个专业智能体团队，协作完成复杂任务（首个支持此功能的个人 AI 助手）
+- **可选集成** - 通过技能添加 Gmail (`/add-gmail`) 等更多功能
+
+## 使用方法
+
+使用触发词（默认为 `@Andy`）与您的助手对话：
+
+```
+@Andy 每周一到周五早上9点，给我发一份销售渠道的概览（需要访问我的 Obsidian vault 文件夹）
+@Andy 每周五回顾过去一周的 git 历史，如果与 README 有出入，就更新它
+@Andy 每周一早上8点，从 Hacker News 和 TechCrunch 收集关于 AI 发展的资讯，然后发给我一份简报
+```
+
+在主频道（您的self-chat）中，可以管理群组和任务：
+```
+@Andy 列出所有群组的计划任务
+@Andy 暂停周一简报任务
+@Andy 加入"家庭聊天"群组
+```
+
+## 定制
+
+没有需要学习的配置文件。直接告诉 Claude Code 您想要什么：
+
+- "把触发词改成 @Bob"
+- "记住以后回答要更简短直接"
+- "当我说早上好的时候，加一个自定义的问候"
+- "每周存储一次对话摘要"
+
+或者运行 `/customize` 进行引导式修改。
+
+代码库足够小，Claude 可以安全地修改它。
+
+## 贡献
+
+**不要添加功能，而是添加技能。**
+
+如果您想添加 Telegram 支持，不要创建一个 PR 同时添加 Telegram 和 WhatsApp。而是贡献一个技能文件 (`.claude/skills/add-telegram/SKILL.md`)，教 Claude Code 如何改造一个 NanoClaw 安装以使用 Telegram。
+
+然后用户在自己的 fork 上运行 `/add-telegram`，就能得到只做他们需要事情的整洁代码，而不是一个试图支持所有用例的臃肿系统。
+
+### RFS (技能征集)
+
+我们希望看到的技能：
+
+**通信渠道**
+- `/add-signal` - 添加 Signal 作为渠道
+
+**会话管理**
+- `/clear` - 添加一个 `/clear` 命令，用于压缩会话（在同一会话中总结上下文，同时保留关键信息）。这需要研究如何通过 Claude Agent SDK 以编程方式触发压缩。
+
+## 系统要求
+
+- macOS 或 Linux
+- Node.js 20+
+- [Claude Code](https://claude.ai/download)
+- [Apple Container](https://github.com/apple/container) (macOS) 或 [Docker](https://docker.com/products/docker-desktop) (macOS/Linux)
+
+## 架构
+
+```
+渠道 --> SQLite --> 轮询循环 --> 容器 (Claude Agent SDK) --> 响应
+```
+
+单一 Node.js 进程。渠道通过技能添加，启动时自注册 — 编排器连接具有凭据的渠道。智能体在具有文件系统隔离的 Linux 容器中执行。每个群组的消息队列带有并发控制。通过文件系统进行 IPC。
+
+完整架构详情请见 [docs/SPEC.md](docs/SPEC.md)。
+
+关键文件：
+- `src/index.ts` - 编排器：状态管理、消息循环、智能体调用
+- `src/channels/registry.ts` - 渠道注册表（启动时自注册）
+- `src/ipc.ts` - IPC 监听与任务处理
+- `src/router.ts` - 消息格式化与出站路由
+- `src/group-queue.ts` - 带全局并发限制的群组队列
+- `src/container-runner.ts` - 生成流式智能体容器
+- `src/task-scheduler.ts` - 运行计划任务
+- `src/db.ts` - SQLite 操作（消息、群组、会话、状态）
+- `groups/*/CLAUDE.md` - 各群组的记忆
+
+## FAQ
+
+**为什么是 Docker？**
+
+Docker 提供跨平台支持（macOS 和 Linux）和成熟的生态系统。在 macOS 上，您可以选择通过运行 `/convert-to-apple-container` 切换到 Apple Container，以获得更轻量级的原生运行时体验。
+
+**我可以在 Linux 上运行吗？**
+
+可以。Docker 是默认的容器运行时，在 macOS 和 Linux 上都可以使用。只需运行 `/setup`。
+
+**这个项目安全吗？**
+
+智能体在容器中运行，而不是在应用级别的权限检查之后。它们只能访问被明确挂载的目录。您仍然应该审查您运行的代码，但这个代码库小到您真的可以做到。完整的安全模型请见 [docs/SECURITY.md](docs/SECURITY.md)。
+
+**为什么没有配置文件？**
+
+我们不希望配置泛滥。每个用户都应该定制它，让代码完全符合他们的需求，而不是去配置一个通用的系统。如果您喜欢用配置文件，告诉 Claude 让它加上。
+
+**我可以使用第三方或开源模型吗？**
+
+可以。NanoClaw 支持任何 API 兼容的模型端点。在 `.env` 文件中设置以下环境变量：
+
+```bash
+ANTHROPIC_BASE_URL=https://your-api-endpoint.com
+ANTHROPIC_AUTH_TOKEN=your-token-here
+```
+
+这使您能够使用：
+- 通过 [Ollama](https://ollama.ai) 配合 API 代理运行的本地模型
+- 托管在 [Together AI](https://together.ai)、[Fireworks](https://fireworks.ai) 等平台上的开源模型
+- 兼容 Anthropic API 格式的自定义模型部署
+
+注意：为获得最佳兼容性，模型需支持 Anthropic API 格式。
+
+**我该如何调试问题？**
+
+问 Claude Code。"为什么计划任务没有运行？" "最近的日志里有什么？" "为什么这条消息没有得到回应？" 这就是 AI 原生的方法。
+
+**为什么我的安装不成功？**
+
+如果遇到问题，安装过程中 Claude 会尝试动态修复。如果问题仍然存在，运行 `claude`，然后运行 `/debug`。如果 Claude 发现一个可能影响其他用户的问题，请开一个 PR 来修改 setup SKILL.md。
+
+**什么样的代码更改会被接受？**
+
+安全修复、bug 修复，以及对基础配置的明确改进。仅此而已。
+
+其他一切（新功能、操作系统兼容性、硬件支持、增强功能）都应该作为技能来贡献。
+
+这使得基础系统保持最小化，并让每个用户可以定制他们的安装，而无需继承他们不想要的功能。
+
+## 社区
+
+有任何疑问或建议？欢迎[加入 Discord 社区](https://discord.gg/VDdww8qS42)与我们交流。
+
+## 更新日志
+
+破坏性变更和迁移说明请见 [CHANGELOG.md](CHANGELOG.md)。
+
+## 许可证
+
+MIT

package/config-examples/mount-allowlist.json

@@ -0,0 +1,25 @@
+{
+  "allowedRoots": [
+    {
+      "path": "~/projects",
+      "allowReadWrite": true,
+      "description": "Development projects"
+    },
+    {
+      "path": "~/repos",
+      "allowReadWrite": true,
+      "description": "Git repositories"
+    },
+    {
+      "path": "~/Documents/work",
+      "allowReadWrite": false,
+      "description": "Work documents (read-only)"
+    }
+  ],
+  "blockedPatterns": [
+    "password",
+    "secret",
+    "token"
+  ],
+  "nonMainReadOnly": true
+}

package/container/Dockerfile

@@ -0,0 +1,70 @@
+# NanoClaw Agent Container
+# Runs Claude Agent SDK in isolated Linux VM with browser automation
+
+FROM node:22-slim
+
+# Install system dependencies for Chromium
+RUN apt-get update && apt-get install -y \
+    chromium \
+    fonts-liberation \
+    fonts-noto-cjk \
+    fonts-noto-color-emoji \
+    libgbm1 \
+    libnss3 \
+    libatk-bridge2.0-0 \
+    libgtk-3-0 \
+    libx11-xcb1 \
+    libxcomposite1 \
+    libxdamage1 \
+    libxrandr2 \
+    libasound2 \
+    libpangocairo-1.0-0 \
+    libcups2 \
+    libdrm2 \
+    libxshmfence1 \
+    curl \
+    git \
+    && rm -rf /var/lib/apt/lists/*
+
+# Set Chromium path for agent-browser
+ENV AGENT_BROWSER_EXECUTABLE_PATH=/usr/bin/chromium
+ENV PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium
+
+# Install agent-browser and claude-code globally
+RUN npm install -g agent-browser @anthropic-ai/claude-code
+
+# Create app directory
+WORKDIR /app
+
+# Copy package files first for better caching
+COPY agent-runner/package*.json ./
+
+# Install dependencies
+RUN npm install
+
+# Copy source code
+COPY agent-runner/ ./
+
+# Build TypeScript
+RUN npm run build
+
+# Create workspace directories
+RUN mkdir -p /workspace/group /workspace/global /workspace/extra /workspace/ipc/messages /workspace/ipc/tasks /workspace/ipc/input
+
+# Create entrypoint script
+# Container input (prompt, group info) is passed via stdin JSON.
+# Credentials are injected by the host's credential proxy — never passed here.
+# Follow-up messages arrive via IPC files in /workspace/ipc/input/
+RUN printf '#!/bin/bash\nset -e\ncd /app && npx tsc --outDir /tmp/dist 2>&1 >&2\nln -s /app/node_modules /tmp/dist/node_modules\nchmod -R a-w /tmp/dist\ncat > /tmp/input.json\nnode /tmp/dist/index.js < /tmp/input.json\n' > /app/entrypoint.sh && chmod +x /app/entrypoint.sh
+
+# Set ownership to node user (non-root) for writable directories
+RUN chown -R node:node /workspace && chmod 777 /home/node
+
+# Switch to non-root user (required for --dangerously-skip-permissions)
+USER node
+
+# Set working directory to group workspace
+WORKDIR /workspace/group
+
+# Entry point reads JSON from stdin, outputs JSON to stdout
+ENTRYPOINT ["/app/entrypoint.sh"]