clawup 1.0.0

package/infra/dist/components/config-generator.js

@@ -0,0 +1,254 @@
+"use strict";
+/**
+ * OpenClaw configuration generator
+ * Builds the openclaw.json configuration file content
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateOpenClawConfig = generateOpenClawConfig;
+exports.generateOpenClawConfigJson = generateOpenClawConfigJson;
+exports.generateConfigPatchScript = generateConfigPatchScript;
+const core_1 = require("@clawup/core");
+/**
+ * Generates an openclaw.json configuration object
+ */
+function generateOpenClawConfig(options) {
+    const config = {
+        gateway: {
+            port: options.gatewayPort ?? 18789,
+            bind: "127.0.0.1", // Bind to loopback for Tailscale Serve
+            trustedProxies: options.trustedProxies ?? ["127.0.0.1"],
+            controlUi: {
+                enabled: options.enableControlUi ?? true,
+                allowInsecureAuth: true, // Safe behind Tailscale
+            },
+            auth: {
+                mode: "token",
+                token: options.gatewayToken,
+            },
+        },
+    };
+    if (options.browserPort) {
+        config.browser = {
+            port: options.browserPort,
+        };
+    }
+    if (options.enableSandbox !== undefined) {
+        config.sandbox = {
+            enabled: options.enableSandbox,
+        };
+    }
+    // Note: model config is now handled in generateConfigPatchScript() via agents.defaults.model
+    if (options.braveApiKey) {
+        config.web = { braveApiKey: options.braveApiKey };
+    }
+    // Merge custom config
+    if (options.customConfig) {
+        Object.assign(config, options.customConfig);
+    }
+    return config;
+}
+/**
+ * Generates openclaw.json as a JSON string
+ */
+function generateOpenClawConfigJson(options) {
+    return JSON.stringify(generateOpenClawConfig(options), null, 2);
+}
+/**
+ * Generates Python code to configure a single plugin in openclaw.json.
+ * Secrets are injected from environment variables.
+ *
+ * Slack is special-cased: it writes to config["channels"]["slack"] (channel config)
+ * AND config["plugins"]["entries"]["slack"] (plugin entry).
+ */
+function generatePluginPython(plugin) {
+    if (plugin.name === "slack") {
+        return generateSlackPluginPython(plugin);
+    }
+    // Build the config dict, injecting secrets from env vars
+    const configEntries = [];
+    // Secret env var values
+    if (plugin.secretEnvVars) {
+        for (const [configKey, envVar] of Object.entries(plugin.secretEnvVars)) {
+            configEntries.push(`        "${configKey}": os.environ.get("${envVar}", "")`);
+        }
+    }
+    // Non-secret config values
+    for (const [key, value] of Object.entries(plugin.config)) {
+        configEntries.push(`        "${key}": ${JSON.stringify(value)}`);
+    }
+    const configBlock = configEntries.length > 0
+        ? `{
+${configEntries.join(",\n")}
+    }`
+        : "{}";
+    return `
+# Configure ${plugin.name} plugin
+config.setdefault("plugins", {})
+config["plugins"].setdefault("entries", {})
+config["plugins"]["entries"]["${plugin.name}"] = {
+    "enabled": ${plugin.enabled ? "True" : "False"},
+    "config": ${configBlock}
+}
+print("Configured ${plugin.name} plugin")
+`;
+}
+/**
+ * Generates Python code for Slack channel + plugin configuration.
+ * Slack writes to config["channels"]["slack"] with secrets from env vars
+ * and non-secret config from plugin defaults, plus enables the plugin entry.
+ */
+function generateSlackPluginPython(plugin) {
+    // Build channel config entries from non-secret plugin config
+    const channelEntries = [];
+    // Secret env var values (botToken, appToken)
+    if (plugin.secretEnvVars) {
+        for (const [configKey, envVar] of Object.entries(plugin.secretEnvVars)) {
+            channelEntries.push(`    "${configKey}": os.environ.get("${envVar}", "")`);
+        }
+    }
+    // Non-secret config values (mode, userTokenReadOnly, groupPolicy, dm, etc.)
+    for (const [key, value] of Object.entries(plugin.config)) {
+        channelEntries.push(`    "${key}": ${JSON.stringify(value)}`);
+    }
+    // Add enabled: True
+    channelEntries.push(`    "enabled": True`);
+    const channelBlock = channelEntries.length > 0
+        ? `{
+${channelEntries.join(",\n")}
+}`
+        : "{}";
+    return `
+# Configure Slack channel (Socket Mode) and plugin
+config.setdefault("channels", {})
+config["channels"]["slack"] = ${channelBlock}
+config.setdefault("plugins", {})
+config["plugins"].setdefault("entries", {})
+config["plugins"]["entries"]["slack"] = {"enabled": ${plugin.enabled ? "True" : "False"}}
+print("Configured Slack channel with Socket Mode")
+`;
+}
+/**
+ * Generates Python script for modifying existing openclaw.json
+ * Used in cloud-init after onboarding creates the initial config
+ */
+function generateConfigPatchScript(options) {
+    const configPatches = {
+        trustedProxies: options.trustedProxies ?? ["127.0.0.1"],
+        enableControlUi: options.enableControlUi ?? true,
+    };
+    // Build model config (primary + optional fallbacks)
+    const model = options.model ?? "anthropic/claude-opus-4-6";
+    const backupModel = options.backupModel;
+    // Build cliBackends config from coding agent registry
+    const codingAgentName = options.codingAgent ?? "claude-code";
+    const codingAgentEntry = core_1.CODING_AGENT_REGISTRY[codingAgentName];
+    const cliBackendsJson = codingAgentEntry
+        ? JSON.stringify({ "claude-cli": codingAgentEntry.cliBackend })
+        : "{}";
+    // Build dynamic plugin config sections
+    const pluginConfigs = (options.plugins ?? [])
+        .map((plugin) => generatePluginPython(plugin))
+        .join("");
+    return `
+import json
+import os
+
+config_path = "/home/ubuntu/.openclaw/openclaw.json"
+
+with open(config_path) as f:
+    config = json.load(f)
+
+# Configure gateway for Tailscale Serve
+config["gateway"]["trustedProxies"] = ${JSON.stringify(configPatches.trustedProxies)}
+config["gateway"]["controlUi"] = {
+    "enabled": ${configPatches.enableControlUi ? "True" : "False"},
+    "allowInsecureAuth": True
+}
+config["gateway"]["auth"] = {
+    "mode": "token",
+    "token": os.environ["GATEWAY_TOKEN"]
+}
+
+# Configure environment variables for child processes (including Claude Code, Linear CLI)
+# Auto-detect credential type: OAuth token (oat) vs API key (api)
+anthropic_cred = os.environ.get("ANTHROPIC_API_KEY", "")
+if anthropic_cred.startswith("sk-ant-oat"):
+    # OAuth token from Claude Pro/Max subscription (use with CLAUDE_CODE_OAUTH_TOKEN)
+    config["env"] = {
+        "CLAUDE_CODE_OAUTH_TOKEN": anthropic_cred
+    }
+    print("Configured environment variables: CLAUDE_CODE_OAUTH_TOKEN (OAuth/subscription)")
+else:
+    # API key from Anthropic Console (use with ANTHROPIC_API_KEY)
+    config["env"] = {
+        "ANTHROPIC_API_KEY": anthropic_cred
+    }
+    print("Configured environment variables: ANTHROPIC_API_KEY (API key)")
+
+# Configure heartbeat (proactive mode)
+config.setdefault("agents", {})
+config["agents"].setdefault("defaults", {})
+config["agents"]["defaults"]["heartbeat"] = {
+    "every": "1m",
+    "session": "main"
+}
+print("Configured heartbeat: every 1m")
+
+# Configure model with optional fallbacks
+${backupModel
+        ? `config["agents"]["defaults"]["model"] = {
+    "primary": "${model}",
+    "fallbacks": ["${backupModel}"]
+}
+print("Configured model: ${model} (fallback: ${backupModel})")`
+        : `config["agents"]["defaults"]["model"] = "${model}"
+print("Configured model: ${model}")`}
+
+# Configure coding agent CLI backend
+config["agents"]["defaults"]["cliBackends"] = ${cliBackendsJson}
+print("Configured cliBackends for ${codingAgentName}")
+${pluginConfigs}
+# Configure agent identity for Slack mentions/tags
+agent_name = os.environ.get("AGENT_NAME", "")
+agent_emoji = os.environ.get("AGENT_EMOJI", "")
+if agent_name:
+    config.setdefault("agents", {})
+    config["agents"].setdefault("list", [])
+    # Find or create the "default" agent entry
+    default_agent = None
+    for agent in config["agents"]["list"]:
+        if agent.get("id") == "default":
+            default_agent = agent
+            break
+    if not default_agent:
+        default_agent = {"id": "default"}
+        config["agents"]["list"].append(default_agent)
+    default_agent.setdefault("identity", {})
+    default_agent["identity"]["name"] = agent_name
+    if agent_emoji:
+        default_agent["identity"]["emoji"] = agent_emoji
+    print(f"Configured agent identity: {agent_name} (:{agent_emoji}:)")
+
+    # Enable allowBots so agents can see each other's messages in shared channels
+    if "channels" in config and "slack" in config["channels"]:
+        config["channels"]["slack"]["allowBots"] = True
+        print("Enabled allowBots for Slack channel")
+
+    # Add ack reaction for visual feedback when processing messages
+    config.setdefault("messages", {})
+    config["messages"]["ackReaction"] = "eyes"
+    print("Configured ackReaction: eyes")
+
+# Configure web search (Brave API key) if available
+brave_api_key = os.environ.get("BRAVE_API_KEY", "")
+if brave_api_key:
+    config["web"] = {"braveApiKey": brave_api_key}
+    print("Configured web search with Brave API key")
+
+with open(config_path, "w") as f:
+    json.dump(config, f, indent=2)
+
+print("Configured gateway with trustedProxies, controlUi, and token auth")
+`.trim();
+}
+//# sourceMappingURL=config-generator.js.map

package/infra/dist/components/hetzner-agent.js

@@ -0,0 +1,162 @@
+"use strict";
+/**
+ * HetznerOpenClaw Agent - Reusable Pulumi ComponentResource
+ * Provisions a single OpenClaw agent on Hetzner Cloud
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HetznerOpenClawAgent = void 0;
+const pulumi = __importStar(require("@pulumi/pulumi"));
+const hcloud = __importStar(require("@pulumi/hcloud"));
+const shared_1 = require("./shared");
+/**
+ * HetznerOpenClaw Agent ComponentResource
+ *
+ * Provisions a complete OpenClaw agent on Hetzner Cloud including:
+ * - SSH key for access
+ * - Firewall allowing only SSH inbound
+ * - Server with Ubuntu 24.04
+ * - Docker, Node.js 22, and OpenClaw installation
+ * - Tailscale for secure HTTPS access
+ * - Systemd service for auto-start
+ *
+ * @example
+ * ```typescript
+ * const agent = new HetznerOpenClawAgent("my-agent", {
+ *   anthropicApiKey: config.requireSecret("anthropicApiKey"),
+ *   tailscaleAuthKey: config.requireSecret("tailscaleAuthKey"),
+ *   tailnetDnsName: config.require("tailnetDnsName"),
+ * });
+ *
+ * export const url = agent.tailscaleUrl;
+ * ```
+ */
+class HetznerOpenClawAgent extends pulumi.ComponentResource {
+    /** Server public IP (IPv4) */
+    publicIp;
+    /** Tailscale URL with authentication token */
+    tailscaleUrl;
+    /** Gateway authentication token */
+    gatewayToken;
+    /** SSH private key (Ed25519) */
+    sshPrivateKey;
+    /** SSH public key */
+    sshPublicKey;
+    /** Hetzner server ID */
+    serverId;
+    /** Firewall ID */
+    firewallId;
+    constructor(name, args, opts) {
+        super("clawup:hetzner:HetznerOpenClawAgent", name, {}, opts);
+        const defaultResourceOptions = { parent: this };
+        // Defaults
+        const serverType = args.serverType ?? "cx22";
+        const location = args.location ?? "nbg1";
+        const baseLabels = args.labels ?? {};
+        // Generate SSH key pair + gateway token
+        const { sshKey, gatewayTokenValue } = (0, shared_1.generateKeyPairAndToken)(name, defaultResourceOptions);
+        // Create Hetzner SSH key
+        const hcloudSshKey = new hcloud.SshKey(`${name}-sshkey`, {
+            publicKey: sshKey.publicKeyOpenssh,
+            labels: pulumi.output(baseLabels).apply((labels) => ({
+                ...labels,
+                name: name,
+            })),
+        }, defaultResourceOptions);
+        // Create firewall allowing only SSH inbound
+        const firewall = new hcloud.Firewall(`${name}-firewall`, {
+            labels: pulumi.output(baseLabels).apply((labels) => ({
+                ...labels,
+                name: name,
+            })),
+            // Only add SSH rule if allowedSshIps is explicitly provided
+            // Tailscale is the primary access method; SSH is optional fallback
+            rules: pulumi
+                .output(args.allowedSshIps ?? [])
+                .apply((ips) => ips.length > 0
+                ? [
+                    {
+                        direction: "in",
+                        protocol: "tcp",
+                        port: "22",
+                        sourceIps: ips,
+                        description: "SSH access (restricted)",
+                    },
+                ]
+                : []),
+        }, defaultResourceOptions);
+        // Generate cloud-init user data (compressed for Hetzner's 32KB limit)
+        const userData = (0, shared_1.buildCloudInitUserData)(name, args, gatewayTokenValue, {
+            createUbuntuUser: true,
+            compress: true,
+        });
+        // Create Hetzner server
+        const server = new hcloud.Server(`${name}-server`, {
+            serverType: serverType,
+            image: "ubuntu-24.04",
+            location: location,
+            sshKeys: [hcloudSshKey.id],
+            firewallIds: [firewall.id.apply((id) => parseInt(id, 10))],
+            userData: userData,
+            labels: pulumi.output(baseLabels).apply((labels) => ({
+                ...labels,
+                name: name,
+                component: "openclaw-agent",
+            })),
+        }, defaultResourceOptions);
+        // Set outputs
+        this.publicIp = server.ipv4Address;
+        this.serverId = server.id;
+        this.firewallId = firewall.id;
+        this.sshPrivateKey = pulumi.secret(sshKey.privateKeyOpenssh);
+        this.sshPublicKey = sshKey.publicKeyOpenssh;
+        this.gatewayToken = pulumi.secret(gatewayTokenValue);
+        // Tailscale hostname includes stack name to avoid conflicts (e.g., dev-agent-pm)
+        const tsHostname = `${pulumi.getStack()}-${name}`;
+        this.tailscaleUrl = pulumi.secret(pulumi.interpolate `https://${tsHostname}.${args.tailnetDnsName}/?token=${gatewayTokenValue}`);
+        // Register outputs
+        this.registerOutputs({
+            publicIp: this.publicIp,
+            tailscaleUrl: this.tailscaleUrl,
+            gatewayToken: this.gatewayToken,
+            sshPrivateKey: this.sshPrivateKey,
+            sshPublicKey: this.sshPublicKey,
+            serverId: this.serverId,
+            firewallId: this.firewallId,
+        });
+    }
+}
+exports.HetznerOpenClawAgent = HetznerOpenClawAgent;
+//# sourceMappingURL=hetzner-agent.js.map

package/infra/dist/components/index.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildCloudInitUserData = exports.generateKeyPairAndToken = exports.generateConfigPatchScript = exports.generateOpenClawConfigJson = exports.generateOpenClawConfig = exports.interpolateCloudInit = exports.generateCloudInit = exports.HetznerOpenClawAgent = exports.OpenClawAgent = void 0;
+var openclaw_agent_1 = require("./openclaw-agent");
+Object.defineProperty(exports, "OpenClawAgent", { enumerable: true, get: function () { return openclaw_agent_1.OpenClawAgent; } });
+var hetzner_agent_1 = require("./hetzner-agent");
+Object.defineProperty(exports, "HetznerOpenClawAgent", { enumerable: true, get: function () { return hetzner_agent_1.HetznerOpenClawAgent; } });
+var cloud_init_1 = require("./cloud-init");
+Object.defineProperty(exports, "generateCloudInit", { enumerable: true, get: function () { return cloud_init_1.generateCloudInit; } });
+Object.defineProperty(exports, "interpolateCloudInit", { enumerable: true, get: function () { return cloud_init_1.interpolateCloudInit; } });
+var config_generator_1 = require("./config-generator");
+Object.defineProperty(exports, "generateOpenClawConfig", { enumerable: true, get: function () { return config_generator_1.generateOpenClawConfig; } });
+Object.defineProperty(exports, "generateOpenClawConfigJson", { enumerable: true, get: function () { return config_generator_1.generateOpenClawConfigJson; } });
+Object.defineProperty(exports, "generateConfigPatchScript", { enumerable: true, get: function () { return config_generator_1.generateConfigPatchScript; } });
+var shared_1 = require("./shared");
+Object.defineProperty(exports, "generateKeyPairAndToken", { enumerable: true, get: function () { return shared_1.generateKeyPairAndToken; } });
+Object.defineProperty(exports, "buildCloudInitUserData", { enumerable: true, get: function () { return shared_1.buildCloudInitUserData; } });
+//# sourceMappingURL=index.js.map