arc402-cli 1.4.24 → 1.4.25

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "arc402-cli",
-  "version": "1.4.24",
+  "version": "1.4.25",
   "description": "ARC-402 CLI for discovery, negotiation payloads, hire/remediation/dispute workflows, and network reads",
   "bin": {
     "arc402": "./dist/index.js"
@@ -8,11 +8,12 @@
   "main": "./dist/index.js",
   "files": [
     "dist/",
-    "../workroom/credentials.template.toml"
+    "workroom/"
   ],
   "scripts": {
     "build": "tsc",
-    "test": "node --test test/**/*.test.js"
+    "test": "node --test test/**/*.test.js",
+    "prepublishOnly": "npm run build && node -e \"const fs=require('fs'),path=require('path'); const src=path.resolve(__dirname,'../workroom'); const dst=path.resolve(__dirname,'workroom'); if(fs.existsSync(src)){fs.cpSync(src,dst,{recursive:true}); console.log('Copied workroom/ into package');} else { console.warn('WARNING: ../workroom not found — workroom files will be missing from package'); }\""
   },
   "dependencies": {
     "@arc402/sdk": "^0.6.0",

package/workroom/Dockerfile

@@ -0,0 +1,56 @@
+FROM node:22-slim
+
+# Runtime dependencies for network enforcement + diagnostics
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    iptables curl dnsutils iproute2 procps jq ca-certificates python3 make g++ \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install arc402-cli globally — Linux-compiled native binaries (better-sqlite3, etc.)
+# This runs at image build time so native addons compile for Linux, not the host OS.
+# ARG allows pinning a specific version: docker build --build-arg ARC402_CLI_VERSION=1.4.19
+ARG ARC402_CLI_VERSION=latest
+RUN npm install -g arc402-cli@${ARC402_CLI_VERSION} --build-from-source 2>&1 | tail -5
+# Stamp the CLI version as an image label so workroom start can detect stale images.
+LABEL arc402.cli.version=${ARC402_CLI_VERSION}
+
+# Create workroom user with the same UID/GID as the host user (default: 1000).
+# This ensures bind-mounted volumes are readable/writable without permission fights.
+# Override at build time: docker build --build-arg HOST_UID=1001 --build-arg HOST_GID=1001
+ARG HOST_UID=1000
+ARG HOST_GID=1000
+# node:22-slim already has a 'node' user at UID 1000. Rename it to 'workroom'
+# so the container user matches the host user (bind mount permissions).
+RUN usermod -l workroom -d /workroom -m node \
+    && groupmod -n workroom node \
+    && usermod -u ${HOST_UID} workroom 2>/dev/null || true \
+    && groupmod -g ${HOST_GID} workroom 2>/dev/null || true
+
+# Workroom scripts
+COPY entrypoint.sh /entrypoint.sh
+COPY dns-refresh.sh /dns-refresh.sh
+COPY policy-parser.sh /policy-parser.sh
+COPY derive-policy.sh /derive-policy.sh
+RUN chmod +x /entrypoint.sh /dns-refresh.sh /policy-parser.sh /derive-policy.sh
+
+# Job workspace directory
+RUN mkdir -p /workroom/jobs && chown workroom:workroom /workroom/jobs
+
+# OpenClaw runtime directory (mounted from host)
+RUN mkdir -p /workroom/openclaw && chown workroom:workroom /workroom/openclaw
+
+# Worker specialisation directories (created by worker init, but ensure they exist)
+RUN mkdir -p /workroom/.arc402/worker/{knowledge,datasets,skills,memory} \
+    && chown -R workroom:workroom /workroom/.arc402
+
+# Home directory for workroom user (auth files mounted here)
+RUN mkdir -p /home/workroom/.openclaw && chown -R workroom:workroom /home/workroom
+
+# Arena directories — feed index, profile cache, daemon state, approval queue
+RUN mkdir -p /workroom/arena/{feed,profile,state,queue} \
+    && chown -R workroom:workroom /workroom/arena
+
+# Default arena policy (can be overridden by mount)
+COPY arena-policy.yaml /workroom/defaults/arena-policy.yaml
+
+WORKDIR /workroom
+ENTRYPOINT ["/entrypoint.sh"]

package/workroom/Dockerfile.gpu

@@ -0,0 +1,74 @@
+# ARC-402 GPU Workroom
+# CUDA-enabled variant of the standard workroom container.
+# Run with: docker run --gpus all --runtime=nvidia arc402-workroom:gpu
+#
+# Build:
+#   docker build -f workroom/Dockerfile.gpu -t arc402-workroom:gpu workroom/
+
+FROM nvidia/cuda:12.4.0-runtime-ubuntu22.04
+
+# ─── System dependencies ──────────────────────────────────────────────────────
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    # Same runtime deps as base Dockerfile
+    iptables curl dnsutils iproute2 procps jq ca-certificates \
+    # GPU metering
+    python3-minimal \
+    # Node.js 22 (LTS) via NodeSource
+    && curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
+    && apt-get install -y --no-install-recommends nodejs \
+    && rm -rf /var/lib/apt/lists/*
+
+# ─── NVIDIA container toolkit check ──────────────────────────────────────────
+# nvidia-smi is provided by the host driver mounted into the container.
+# Validate it's accessible at container startup (see entrypoint.sh).
+# NVIDIA_VISIBLE_DEVICES and NVIDIA_DRIVER_CAPABILITIES must be set at runtime.
+
+ENV NVIDIA_VISIBLE_DEVICES=all
+ENV NVIDIA_DRIVER_CAPABILITIES=compute,utility
+
+# ─── User setup (mirrors base Dockerfile) ────────────────────────────────────
+
+ARG HOST_UID=1000
+ARG HOST_GID=1000
+
+# Ubuntu 22.04 ships with ubuntu user at UID 1000; rename to workroom.
+RUN groupadd -f -g ${HOST_GID} workroom 2>/dev/null || true \
+    && useradd -u ${HOST_UID} -g ${HOST_GID} -m -d /workroom -s /bin/bash workroom 2>/dev/null \
+    || usermod -u ${HOST_UID} -g ${HOST_GID} -d /workroom workroom 2>/dev/null || true
+
+# ─── Workroom scripts ─────────────────────────────────────────────────────────
+
+COPY entrypoint.sh     /entrypoint.sh
+COPY dns-refresh.sh    /dns-refresh.sh
+COPY policy-parser.sh  /policy-parser.sh
+COPY derive-policy.sh  /derive-policy.sh
+RUN chmod +x /entrypoint.sh /dns-refresh.sh /policy-parser.sh /derive-policy.sh
+
+# ─── Directory layout (same as base Dockerfile) ───────────────────────────────
+
+RUN mkdir -p /workroom/jobs                               && chown workroom:workroom /workroom/jobs
+RUN mkdir -p /workroom/openclaw                           && chown workroom:workroom /workroom/openclaw
+RUN mkdir -p /workroom/.arc402/worker/{knowledge,datasets,skills,memory} \
+                                                          && chown -R workroom:workroom /workroom/.arc402
+RUN mkdir -p /home/workroom/.openclaw                     && chown -R workroom:workroom /home/workroom
+RUN mkdir -p /workroom/arena/{feed,profile,state,queue}   && chown -R workroom:workroom /workroom/arena
+
+# ─── GPU-specific directories ─────────────────────────────────────────────────
+
+# Compute session data directory (metrics + reports written by metering daemon)
+RUN mkdir -p /workroom/.arc402/compute && chown workroom:workroom /workroom/.arc402/compute
+
+# ─── Default arena policy ─────────────────────────────────────────────────────
+
+COPY arena-policy.yaml /workroom/defaults/arena-policy.yaml
+
+WORKDIR /workroom
+ENTRYPOINT ["/entrypoint.sh"]
+
+# ─── Runtime labels ───────────────────────────────────────────────────────────
+
+LABEL org.opencontainers.image.title="arc402-workroom-gpu"
+LABEL org.opencontainers.image.description="ARC-402 GPU workroom — CUDA 12.4, nvidia-smi metering"
+LABEL arc402.gpu="true"
+LABEL arc402.cuda.version="12.4.0"

package/workroom/arena-policy.yaml

@@ -0,0 +1,152 @@
+# ARC-402 Arena Policy — extends the base workroom policy
+# This file defines the network, spend, and behavior boundaries for Arena operations
+# running inside the Workroom container.
+#
+# Merged with openshell-policy.yaml at workroom startup.
+# Arena-specific policies are additive — they don't override base security.
+
+version: 1
+
+# ─── Arena Network Policy ──────────────────────────────────────────────────────
+# Which external hosts Arena processes can reach from inside the Workroom.
+# Everything else is DROP via iptables.
+
+arena_network:
+  # Base mainnet RPC — for contract reads and transaction submission
+  base_rpc:
+    endpoints:
+      - host: mainnet.base.org
+        port: 443
+      - host: base-mainnet.g.alchemy.com
+        port: 443
+      - host: base.llamarpc.com
+        port: 443
+
+  # ARC-402 infrastructure — relay, API, public pages
+  arc402_infra:
+    endpoints:
+      - host: api.arc402.xyz
+        port: 443
+      - host: arc402.xyz
+        port: 443
+      - host: relay.arc402.xyz
+        port: 443
+      - host: gigabrain.arc402.xyz
+        port: 443
+
+  # ERC-4337 bundler — for UserOp submission
+  bundler:
+    endpoints:
+      - host: public.pimlico.io
+        port: 443
+
+  # Notifications — Telegram alerts for arena events
+  notifications:
+    endpoints:
+      - host: api.telegram.org
+        port: 443
+
+  # Data feeds — for prediction round research (read-only intelligence)
+  # Add specific API hosts as needed. Each addition is a policy decision.
+  data_feeds:
+    endpoints:
+      - host: api.coingecko.com
+        port: 443
+      - host: pro-api.coinmarketcap.com
+        port: 443
+
+# ─── Arena Spend Policy ────────────────────────────────────────────────────────
+# Workroom-level spend limits. These are ADDITIONAL to PolicyEngine onchain limits.
+# The tighter of the two always wins.
+#
+# These are enforced by the Arena daemon before submitting transactions.
+# They protect against bugs, not just malice.
+
+arena_spend:
+  handshake:
+    max_per_handshake_eth: "0.01"       # max ETH tip per handshake
+    max_per_handshake_usdc: "10.00"     # max USDC tip per handshake
+    daily_count_cap: 50                  # mirrors contract cap
+    daily_spend_cap_eth: "0.5"           # total handshake spend per day
+    daily_spend_cap_usdc: "100.00"       # total handshake USDC spend per day
+
+  arena:
+    max_stake_per_round_eth: "0.1"       # max stake per prediction round
+    max_stake_per_round_usdc: "50.00"
+    daily_rounds_cap: 10                 # max rounds entered per day
+    daily_spend_cap_eth: "1.0"           # total arena spend per day
+    daily_spend_cap_usdc: "500.00"
+
+  subscriptions:
+    max_per_subscription_eth: "0.05"     # max per subscription payment
+    max_per_subscription_usdc: "25.00"
+    max_active_subscriptions: 20         # cap on simultaneous subscriptions
+
+# ─── Arena Behavior Policy ─────────────────────────────────────────────────────
+# Controls what the Arena daemon can do autonomously vs what requires approval.
+
+arena_behavior:
+  # Autonomous actions — daemon can do these without human approval
+  autonomous:
+    - send_handshake                     # respond to inbound handshakes
+    - post_status                        # publish status updates
+    - index_feed                         # consume and index feed events
+    - update_profile                     # refresh profile metadata
+
+  # Approval-required actions — daemon queues these for human review
+  approval_required:
+    - enter_arena_round                  # stake money on prediction
+    - back_agent                         # back another agent's forecast
+    - create_subscription                # open a paid subscription channel
+    - publish_newsletter                 # publish content to subscribers
+    - join_squad                         # join a research squad
+
+  # Forbidden actions — daemon cannot do these at all
+  forbidden:
+    - modify_wallet_policy               # never change its own spending rules
+    - transfer_ownership                 # never transfer wallet ownership
+    - upgrade_registry                   # never propose registry updates
+    - whitelist_contracts                # never add new contract whitelists
+
+# ─── Arena Daemon Config ───────────────────────────────────────────────────────
+# How the Arena daemon runs inside the Workroom.
+
+arena_daemon:
+  # Feed indexer — listens for HandshakeSent, NewConnection, arena events
+  indexer:
+    poll_interval_seconds: 30
+    start_block: "latest"                # or specific block number
+    contracts:
+      - name: handshake
+        address: ""                      # filled after deployment
+        events:
+          - HandshakeSent
+          - NewConnection
+      # Future: ArenaRound events added here
+
+  # Status publisher — posts agent status updates
+  status:
+    auto_publish: false                  # manual by default
+    max_per_day: 10
+
+  # Discovery — how the agent finds other agents
+  discovery:
+    refresh_interval_seconds: 300
+    trending_window_hours: 24
+
+# ─── Arena Filesystem Policy ───────────────────────────────────────────────────
+# What Arena processes can read and write inside the Workroom.
+
+arena_filesystem:
+  read_write:
+    - /workroom/arena/feed               # indexed feed data
+    - /workroom/arena/profile            # agent profile cache
+    - /workroom/arena/state              # daemon state (last block, etc.)
+    - /workroom/arena/queue              # approval queue for human review
+
+  read_only:
+    - /workroom/runtime                  # CLI and daemon code
+    - /workroom/.arc402                  # policy files
+
+  forbidden:
+    - /workroom/.arc402/keys             # private keys (injected as env vars only)

package/workroom/credentials.template.toml

@@ -0,0 +1,167 @@
+# ─────────────────────────────────────────────────────────────────────────────
+# ARC-402 Workroom Credentials Template
+#
+# This file configures LLM provider access for your workroom worker.
+# Copy to ~/.arc402/worker/credentials.toml and fill in your keys.
+#
+# NEVER commit this file. It is gitignored by default.
+# The workroom setup script reads this to:
+#   1. Pass API keys as Docker env vars (never written to disk in container)
+#   2. Auto-generate network policy entries (iptables whitelist)
+#
+# Two modes:
+#   Tier 1 (recommended): Use OpenClaw as your worker runtime.
+#     → OpenClaw's openclaw.json already has all provider configs.
+#     → You DON'T need this file. Everything is auto-derived.
+#     → Set runtime = "openclaw" in worker/config.json.
+#
+#   Tier 2 (advanced): Bring your own harness (raw Claude Code, Codex, etc.)
+#     → Fill in the providers below for your chosen harness.
+#     → The setup script generates matching iptables rules.
+# ─────────────────────────────────────────────────────────────────────────────
+
+# ── Anthropic (Claude Code) ─────────────────────────────────────────────────
+# Two auth modes:
+#   api_key: Direct API key (pay per token)
+#   oauth:   Max subscription OAuth (unlimited, mounted from host)
+
+[providers.anthropic]
+enabled = false
+auth = "api_key"                          # "api_key" or "oauth"
+env = "ANTHROPIC_API_KEY"                 # Set this env var on the host
+# oauth_token_path = "~/.claude/oauth"   # For OAuth mode (mounted read-only)
+hosts = ["api.anthropic.com"]
+
+# ── OpenAI (Codex, GPT) ────────────────────────────────────────────────────
+
+[providers.openai]
+enabled = false
+auth = "api_key"
+env = "OPENAI_API_KEY"
+hosts = ["api.openai.com"]
+
+# ── OpenAI Codex (dedicated endpoint) ──────────────────────────────────────
+
+[providers.openai_codex]
+enabled = false
+auth = "api_key"
+env = "OPENAI_API_KEY"                    # Same key as OpenAI
+hosts = ["api.openai.com"]               # Same endpoint
+
+# ── Google (Gemini) ─────────────────────────────────────────────────────────
+
+[providers.google]
+enabled = false
+auth = "api_key"
+env = "GOOGLE_API_KEY"
+# Alternative: service account JSON
+# service_account_path = "~/.config/gcloud/application_default_credentials.json"
+hosts = ["generativelanguage.googleapis.com"]
+
+# ── OpenRouter ──────────────────────────────────────────────────────────────
+# Routes to multiple providers (Anthropic, OpenAI, Google, etc.)
+# Single key, many models.
+
+[providers.openrouter]
+enabled = false
+auth = "api_key"
+env = "OPENROUTER_API_KEY"
+hosts = ["openrouter.ai"]
+
+# ── Mistral ─────────────────────────────────────────────────────────────────
+
+[providers.mistral]
+enabled = false
+auth = "api_key"
+env = "MISTRAL_API_KEY"
+hosts = ["api.mistral.ai"]
+
+# ── Groq ────────────────────────────────────────────────────────────────────
+
+[providers.groq]
+enabled = false
+auth = "api_key"
+env = "GROQ_API_KEY"
+hosts = ["api.groq.com"]
+
+# ── Together AI ─────────────────────────────────────────────────────────────
+
+[providers.together]
+enabled = false
+auth = "api_key"
+env = "TOGETHER_API_KEY"
+hosts = ["api.together.xyz"]
+
+# ── Fireworks AI ────────────────────────────────────────────────────────────
+
+[providers.fireworks]
+enabled = false
+auth = "api_key"
+env = "FIREWORKS_API_KEY"
+hosts = ["api.fireworks.ai"]
+
+# ── DeepSeek ────────────────────────────────────────────────────────────────
+
+[providers.deepseek]
+enabled = false
+auth = "api_key"
+env = "DEEPSEEK_API_KEY"
+hosts = ["api.deepseek.com"]
+
+# ── Cohere ──────────────────────────────────────────────────────────────────
+
+[providers.cohere]
+enabled = false
+auth = "api_key"
+env = "COHERE_API_KEY"
+hosts = ["api.cohere.ai"]
+
+# ── Perplexity ──────────────────────────────────────────────────────────────
+
+[providers.perplexity]
+enabled = false
+auth = "api_key"
+env = "PERPLEXITY_API_KEY"
+hosts = ["api.perplexity.ai"]
+
+# ── xAI (Grok) ─────────────────────────────────────────────────────────────
+
+[providers.xai]
+enabled = false
+auth = "api_key"
+env = "XAI_API_KEY"
+hosts = ["api.x.ai"]
+
+# ── Custom Provider ─────────────────────────────────────────────────────────
+# Add your own provider. The setup script reads `hosts` to generate
+# iptables rules and `env` to mount the key into the container.
+
+# [providers.custom_provider]
+# enabled = false
+# auth = "api_key"
+# env = "CUSTOM_API_KEY"
+# hosts = ["api.custom-provider.com"]
+
+# ─────────────────────────────────────────────────────────────────────────────
+# USAGE:
+#
+# 1. Copy this file:
+#    cp credentials.template.toml ~/.arc402/worker/credentials.toml
+#
+# 2. Enable the providers you need:
+#    Set enabled = true for each provider you want
+#
+# 3. Set your API keys as environment variables:
+#    export ANTHROPIC_API_KEY="sk-ant-..."
+#    export OPENAI_API_KEY="sk-..."
+#
+# 4. Run workroom setup (reads credentials, generates network policy):
+#    arc402 workroom init
+#
+# 5. The workroom container will:
+#    - Receive your API keys as Docker env vars (never on disk)
+#    - Have iptables rules allowing only your enabled providers' hosts
+#    - Block all other outbound network traffic
+#
+# For OpenClaw users (Tier 1): skip all of this. OpenClaw handles it.
+# ─────────────────────────────────────────────────────────────────────────────

package/workroom/derive-policy.sh

@@ -0,0 +1,84 @@
+#!/bin/bash
+# ─────────────────────────────────────────────────────────────────────────────
+# ARC-402 Policy Derivation — Auto-generate network policy from OpenClaw config
+#
+# Reads the OpenClaw configuration to determine which LLM providers are
+# configured, then ensures those endpoints are in the workroom network policy.
+#
+# Usage: ./derive-policy.sh [openclaw-config-path] [policy-output-path]
+# ─────────────────────────────────────────────────────────────────────────────
+set -euo pipefail
+
+OPENCLAW_CONFIG="${1:-$HOME/.openclaw/openclaw.json}"
+POLICY_FILE="${2:-$HOME/.arc402/openshell-policy.yaml}"
+
+# Known LLM provider → endpoint mapping
+declare -A PROVIDER_HOSTS
+PROVIDER_HOSTS=(
+  ["anthropic"]="api.anthropic.com"
+  ["openai"]="api.openai.com"
+  ["google"]="generativelanguage.googleapis.com"
+  ["mistral"]="api.mistral.ai"
+  ["groq"]="api.groq.com"
+  ["openrouter"]="openrouter.ai"
+  ["together"]="api.together.xyz"
+  ["fireworks"]="api.fireworks.ai"
+  ["deepseek"]="api.deepseek.com"
+  ["cohere"]="api.cohere.ai"
+  ["perplexity"]="api.perplexity.ai"
+  ["xai"]="api.x.ai"
+)
+
+if [ ! -f "$OPENCLAW_CONFIG" ]; then
+  echo "[derive-policy] OpenClaw config not found: $OPENCLAW_CONFIG"
+  exit 0
+fi
+
+if [ ! -f "$POLICY_FILE" ]; then
+  echo "[derive-policy] Policy file not found: $POLICY_FILE"
+  exit 1
+fi
+
+echo "[derive-policy] Reading OpenClaw config: $OPENCLAW_CONFIG"
+
+# Extract configured providers from openclaw.json
+# Look for provider keys in models/providers config
+CONFIGURED_PROVIDERS=$(jq -r '
+  (.models // {} | keys[]) // empty,
+  (.providers // {} | keys[]) // empty
+' "$OPENCLAW_CONFIG" 2>/dev/null | sort -u)
+
+ADDED=0
+for provider in $CONFIGURED_PROVIDERS; do
+  # Normalize provider name (strip prefixes like "openai-codex" → "openai")
+  base_provider=$(echo "$provider" | sed 's/-.*//')
+  
+  host="${PROVIDER_HOSTS[$base_provider]:-}"
+  if [ -z "$host" ]; then
+    continue
+  fi
+  
+  # Check if host is already in the policy
+  if grep -q "$host" "$POLICY_FILE" 2>/dev/null; then
+    echo "[derive-policy] Already in policy: $host (for $provider)"
+    continue
+  fi
+  
+  # Append to policy file
+  cat >> "$POLICY_FILE" << EOF
+  ${base_provider}_api:
+    name: ${base_provider}-llm-api
+    endpoints:
+      - host: ${host}
+        port: 443
+        protocol: rest
+        tls: terminate
+        enforcement: enforce
+        access: read-write
+    binaries: *a1
+EOF
+  echo "[derive-policy] Added: $host (for $provider)"
+  ADDED=$((ADDED + 1))
+done
+
+echo "[derive-policy] Done. $ADDED new provider endpoints added to policy."

package/workroom/dns-refresh.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+# ─────────────────────────────────────────────────────────────────────────────
+# ARC-402 Workroom DNS Refresh
+#
+# Periodically re-resolves policy hostnames and updates iptables rules.
+# Handles CDN IP rotation, failover, and DNS changes without container restart.
+#
+# Runs as root in the background. The entrypoint starts this automatically.
+# ─────────────────────────────────────────────────────────────────────────────
+set -euo pipefail
+
+readonly POLICY_FILE="${1:-/workroom/.arc402/openshell-policy.yaml}"
+readonly REFRESH_INTERVAL="${ARC402_DNS_REFRESH_SECONDS:-300}"
+readonly RULES_LOG="/workroom/.arc402/iptables-rules.log"
+
+log() { echo "[dns-refresh] $*"; }
+
+log "Starting (interval: ${REFRESH_INTERVAL}s, policy: $POLICY_FILE)"
+
+while true; do
+  sleep "$REFRESH_INTERVAL"
+
+  log "Refreshing..."
+
+  # Flush and rebuild OUTPUT chain from scratch
+  # This is atomic from the kernel's perspective — no gap in enforcement.
+  iptables -F OUTPUT 2>/dev/null || true
+
+  # Core rules (always present)
+  iptables -A OUTPUT -o lo -j ACCEPT
+  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+  iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+  iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
+
+  # Re-resolve and apply
+  RULE_COUNT=0
+  while IFS=: read -r host port; do
+    [ -z "$host" ] && continue
+    port="${port:-443}"
+
+    ips=$(getent ahosts "$host" 2>/dev/null | awk '{print $1}' | sort -u || true)
+    if [ -z "$ips" ]; then
+      log "WARN: Could not resolve $host"
+      continue
+    fi
+
+    while IFS= read -r ip; do
+      iptables -A OUTPUT -p tcp -d "$ip" --dport "$port" -j ACCEPT
+      RULE_COUNT=$((RULE_COUNT + 1))
+    done <<< "$ips"
+  done < <(/policy-parser.sh "$POLICY_FILE")
+
+  # Log updated rules
+  iptables -L OUTPUT -n --line-numbers > "$RULES_LOG" 2>/dev/null || true
+
+  log "Refreshed: $RULE_COUNT rules applied"
+done

package/workroom/entrypoint.sh

@@ -0,0 +1,235 @@
+#!/bin/bash
+# ─────────────────────────────────────────────────────────────────────────────
+# ARC-402 Workroom Entrypoint
+#
+# This is the governed execution environment for hired work. The entrypoint:
+#   1. Reads the workroom policy (YAML → host:port pairs)
+#   2. Resolves all hostnames to IPs while DNS is still open
+#   3. Applies iptables rules: ALLOW resolved IPs, DROP everything else
+#   4. Starts the DNS refresh daemon for IP rotation
+#   5. Drops privileges and starts the ARC-402 daemon
+#
+# Runs as root for iptables setup. Drops to 'workroom' user for the daemon.
+# ─────────────────────────────────────────────────────────────────────────────
+set -euo pipefail
+
+# ─── log() must be defined first — used throughout ────────────────────────────
+log() { echo "[workroom] $*"; }
+
+readonly POLICY_FILE="/workroom/.arc402/openshell-policy.yaml"
+readonly RULES_LOG="/workroom/.arc402/iptables-rules.log"
+readonly ARENA_POLICY="/workroom/.arc402/arena-policy.yaml"
+readonly ARENA_DEFAULT="/workroom/defaults/arena-policy.yaml"
+
+# ─── Locate globally installed arc402-cli (Linux-native binaries) ─────────────
+# The image runs npm install -g arc402-cli --build-from-source at build time.
+# We must always use this global install for native addons (better-sqlite3 etc.),
+# never the host mount which carries macOS/Windows binaries.
+GLOBAL_NPM_ROOT=$(npm root -g 2>/dev/null || echo "")
+GLOBAL_CLI_ROOT="${GLOBAL_NPM_ROOT}/arc402-cli"
+GLOBAL_DAEMON="${GLOBAL_CLI_ROOT}/dist/daemon/index.js"
+log "Global npm root: ${GLOBAL_NPM_ROOT:-not found}"
+log "Global cli root: ${GLOBAL_CLI_ROOT}"
+
+# NODE_PATH: if a host dist/ is mounted (--dev mode), require() calls from it
+# must still resolve native addons from the Linux global install.
+# Set unconditionally — harmless if the mount doesn't exist.
+if [ -d "${GLOBAL_CLI_ROOT}/node_modules" ]; then
+  export NODE_PATH="${GLOBAL_CLI_ROOT}/node_modules${NODE_PATH:+:$NODE_PATH}"
+  log "NODE_PATH → ${GLOBAL_CLI_ROOT}/node_modules (Linux-native addons)"
+fi
+
+# ─── Resolve daemon entry point ───────────────────────────────────────────────
+# Production (no --dev mount): /workroom/runtime/dist/daemon/index.js won't exist.
+#   → use global install directly.
+# Dev (--dev mount): mounted dist/ exists, global node_modules via NODE_PATH.
+#   → use mounted dist so JS changes propagate without rebuild.
+if [ -f "/workroom/runtime/dist/daemon/index.js" ]; then
+  DAEMON_ENTRY="/workroom/runtime/dist/daemon/index.js"
+  log "Daemon: host dist/ mount (dev mode)"
+elif [ -f "${GLOBAL_DAEMON}" ]; then
+  DAEMON_ENTRY="${GLOBAL_DAEMON}"
+  log "Daemon: global install (production)"
+else
+  DAEMON_ENTRY=""
+fi
+readonly DAEMON_ENTRY
+
+# ─── Validate prerequisites ────────────────────────────────────────────────
+
+if [ ! -f "$POLICY_FILE" ]; then
+  log "ERROR: Policy file not found at $POLICY_FILE"
+  log "Run 'arc402 workroom init' on the host first."
+  exit 1
+fi
+
+# ─── Phase 0b: Auto-derive LLM provider endpoints from OpenClaw config ────
+#
+# If OpenClaw config is mounted, read it and ensure all configured LLM
+# providers have their API endpoints in the network policy. This runs
+# BEFORE host resolution so the derived hosts get resolved too.
+
+OPENCLAW_CONFIG="/home/workroom/.openclaw/openclaw.json"
+if [ -f "$OPENCLAW_CONFIG" ]; then
+  log "OpenClaw config found — deriving LLM provider endpoints..."
+  /derive-policy.sh "$OPENCLAW_CONFIG" "$POLICY_FILE" || log "WARN: Policy derivation failed (non-fatal)"
+else
+  log "No OpenClaw config mounted — using static policy only"
+fi
+
+# ─── Phase 1: Resolve all policy hosts (DNS is still open) ─────────────────
+#
+# We resolve hostnames BEFORE applying the DROP policy. Once DROP is active,
+# only explicitly allowed IPs are reachable. By resolving first, we capture
+# the current DNS state into concrete IP rules.
+
+declare -a RESOLVED_IPS=()
+declare -a RESOLVED_PORTS=()
+RESOLVE_COUNT=0
+
+resolve_policy_hosts() {
+  local policy_file="$1"
+
+  while IFS=: read -r host port; do
+    [ -z "$host" ] && continue
+    port="${port:-443}"
+
+    local ips
+    ips=$(getent ahosts "$host" 2>/dev/null | awk '{print $1}' | sort -u || true)
+
+    if [ -z "$ips" ]; then
+      log "WARN: Could not resolve $host — skipping"
+      continue
+    fi
+
+    local ip_count
+    ip_count=$(echo "$ips" | wc -l | tr -d ' ')
+    log "Resolved: $host → $ip_count IPs"
+
+    while IFS= read -r ip; do
+      RESOLVED_IPS+=("$ip")
+      RESOLVED_PORTS+=("$port")
+      RESOLVE_COUNT=$((RESOLVE_COUNT + 1))
+    done <<< "$ips"
+  done < <(/policy-parser.sh "$policy_file")
+}
+
+log "Resolving policy hosts..."
+resolve_policy_hosts "$POLICY_FILE"
+
+# Also resolve arena policy if present
+if [ -f "$ARENA_POLICY" ]; then
+  resolve_policy_hosts "$ARENA_POLICY"
+elif [ -f "$ARENA_DEFAULT" ]; then
+  resolve_policy_hosts "$ARENA_DEFAULT"
+fi
+
+# ─── Phase 2: Apply network enforcement ────────────────────────────────────
+#
+# Default policy: DROP all outbound.
+# Exceptions: loopback, established connections, DNS, and resolved policy hosts.
+#
+# DNS is allowed broadly (not just 127.0.0.11) because the daemon and worker
+# need to resolve hostnames at runtime. The iptables rules restrict which IPs
+# are reachable, so DNS resolution alone doesn't grant access — only hosts
+# whose IPs match a rule can actually be connected to.
+
+iptables -P OUTPUT DROP 2>/dev/null || true
+iptables -F OUTPUT 2>/dev/null || true
+
+# Core rules: loopback, established, DNS
+iptables -A OUTPUT -o lo -j ACCEPT
+iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
+
+log "Default policy: DROP all outbound (except loopback, established, DNS)"
+
+# Apply resolved IP rules
+for i in "${!RESOLVED_IPS[@]}"; do
+  iptables -A OUTPUT -p tcp -d "${RESOLVED_IPS[$i]}" --dport "${RESOLVED_PORTS[$i]}" -j ACCEPT
+done
+
+log "$RESOLVE_COUNT iptables rules applied"
+
+# ─── Phase 3: Log applied rules ───────────────────────────────────────────
+
+iptables -L OUTPUT -n --line-numbers > "$RULES_LOG" 2>/dev/null || true
+log "Rules logged to $RULES_LOG"
+
+# ─── Phase 4: Start DNS refresh daemon ─────────────────────────────────────
+#
+# Hostnames may resolve to different IPs over time (CDN rotation, failover).
+# The refresh daemon re-resolves all policy hosts periodically and atomically
+# updates iptables rules.
+
+/dns-refresh.sh "$POLICY_FILE" &
+local_dns_pid=$!
+log "DNS refresh daemon started (PID: $local_dns_pid, interval: ${ARC402_DNS_REFRESH_SECONDS:-300}s)"
+
+# ─── Phase 5: Validate daemon entry point ──────────────────────────────────
+
+if [ -z "$DAEMON_ENTRY" ] || [ ! -f "$DAEMON_ENTRY" ]; then
+  log "ERROR: Daemon entry point not found."
+  log "Tried: /workroom/runtime/dist/daemon/index.js (host --dev mount)"
+  log "Tried: ${GLOBAL_DAEMON} (global npm install inside image)"
+  log "Rebuild the workroom image: arc402 workroom init"
+  exit 1
+fi
+log "Daemon entry: $DAEMON_ENTRY"
+
+# ─── Phase 5b: Worker identity + agent runtimes on PATH ────────────────────
+
+WORKER_DIR="/workroom/.arc402/worker"
+
+# Verify worker identity
+if [ -f "$WORKER_DIR/SOUL.md" ]; then
+  log "Worker SOUL.md: found"
+else
+  log "WARN: No worker SOUL.md — agent will use generic identity"
+  log "  Run 'arc402 worker init' on the host to create one"
+fi
+
+if [ -f "$WORKER_DIR/config.json" ]; then
+  WORKER_NAME=$(jq -r '.name // "unnamed"' "$WORKER_DIR/config.json" 2>/dev/null || echo "unnamed")
+  WORKER_CAPS=$(jq -r '.capabilities // [] | join(", ")' "$WORKER_DIR/config.json" 2>/dev/null || echo "none")
+  log "Worker: $WORKER_NAME | Capabilities: $WORKER_CAPS"
+else
+  log "WARN: No worker config.json"
+fi
+
+# Check knowledge/datasets/skills directories
+for dir in knowledge datasets skills; do
+  if [ -d "$WORKER_DIR/$dir" ]; then
+    count=$(find "$WORKER_DIR/$dir" -type f 2>/dev/null | wc -l)
+    log "Worker $dir/: $count files"
+  fi
+done
+
+# Add agent runtimes to PATH
+PATH_ADDITIONS=""
+# OpenClaw (preferred runtime)
+if [ -d "/workroom/openclaw" ]; then
+  PATH_ADDITIONS="/workroom/openclaw:$PATH_ADDITIONS"
+  log "OpenClaw runtime found at /workroom/openclaw"
+fi
+# Claude Code
+if [ -d "/workroom/claude-code" ]; then
+  PATH_ADDITIONS="/workroom/claude-code:$PATH_ADDITIONS"
+  log "Claude Code found at /workroom/claude-code"
+fi
+if [ -n "$PATH_ADDITIONS" ]; then
+  export PATH="$PATH_ADDITIONS$PATH"
+fi
+
+# Verify Claude auth
+if [ -f "/home/workroom/.claude.json" ]; then
+  log "AUTH OK: Claude auth file found"
+else
+  log "WARN: No Claude auth — mount -v ~/.claude.json:/home/workroom/.claude.json:ro"
+fi
+
+# ─── Phase 6: Drop privileges and start daemon ────────────────────────────
+
+log "Starting ARC-402 daemon as user 'workroom'..."
+exec su -s /bin/bash workroom -c "export PATH='$PATH' && export ARC402_WORKER_DIR='$WORKER_DIR' && node $DAEMON_ENTRY --foreground"

package/workroom/policy-parser.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+# ─────────────────────────────────────────────────────────────────────────────
+# ARC-402 Workroom Policy Parser
+#
+# Reads the workroom policy YAML and outputs HOST:PORT pairs, one per line.
+# Used by the entrypoint and DNS refresh scripts to build iptables rules.
+#
+# Input:  YAML file with network_policies.<name>.endpoints[].host/port
+# Output: hostname:port (one per line, to stdout)
+# ─────────────────────────────────────────────────────────────────────────────
+set -euo pipefail
+
+readonly POLICY_FILE="${1:-/workroom/.arc402/openshell-policy.yaml}"
+
+if [ ! -f "$POLICY_FILE" ]; then
+  echo "ERROR: Policy file not found: $POLICY_FILE" >&2
+  exit 1
+fi
+
+# Extract host:port pairs from the YAML network_policies section.
+# Each policy block contains endpoints with host and port fields.
+awk '
+  /host:/ { gsub(/.*host: */, ""); host = $0 }
+  /port:/ { gsub(/.*port: */, ""); if (host != "") { print host ":" $0; host = "" } }
+' "$POLICY_FILE"