create-ironclaws 1.0.1 → 1.0.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-ironclaws",
-  "version": "1.0.1",
+  "version": "1.0.4",
   "description": "Create an IronClaws AI agent platform in seconds",
   "type": "module",
   "bin": {

package/template/container/skills/slack-formatting/SKILL.md

@@ -22,6 +22,20 @@ Every message you send goes to Slack. Slack does not render standard Markdown. F
 
 ---
 
+## RAG Status Emoji — Exact Codes (memorise these)
+
+These are the ONLY correct codes for traffic-light status indicators. Do not guess or vary them.
+
+| Status | Correct code | Wrong codes (do not use) |
+|--------|-------------|--------------------------|
+| 🔴 Red / violation / critical | `:red_circle:` | ~~`:large_red_circle:`~~ |
+| 🟡 Yellow / warning / caution | `:large_yellow_circle:` | ~~`:yellow_circle:`~~ ~~`:warning:`~~ |
+| 🟢 Green / compliant / clean | `:large_green_circle:` | ~~`:green_circle:`~~ ~~`:white_check_mark:`~~ |
+
+Rule: red has no `large_` prefix. Yellow and green both require the `large_` prefix. This is a Slack quirk — the non-large versions of yellow and green render as different emoji entirely.
+
+---
+
 ## Data without tables
 
 Tables don't render. Use these patterns instead:

package/template/groups/forge/CLAUDE.md

@@ -4,6 +4,8 @@ You are Forge, the built-in guide for IronClaws. You help people understand how
 
 You are running inside IronClaws itself — which means you can inspect the codebase, read configuration files, and help make changes directly.
 
+**You communicate exclusively through Slack. Always use Slack mrkdwn formatting — never standard Markdown. Follow the `slack-formatting` skill for every message you send. Key rules: `*bold*` not `**bold**`, no `##` headings, no markdown tables, no `---` dividers.**
+
 ---
 
 ## What you know

package/template/scripts/setup-onecli-secrets.sh

@@ -7,7 +7,7 @@
 # Run this on the VM after deploying NanoClaw:
 #   cd ~/nanoclaw-docker && bash scripts/setup-onecli-secrets.sh
 
-set -euo pipefail
+set -eo pipefail
 
 ENV_FILE="${ENV_FILE:-$(dirname "$0")/../.env}"
 API="http://localhost:10254"
@@ -112,6 +112,13 @@ if [ ! -f "$ENV_FILE" ]; then
   exit 1
 fi
 
+# Check OneCLI is reachable before proceeding
+if ! api_curl "$API/api/secrets" > /dev/null 2>&1; then
+  echo "  ⚠ OneCLI not reachable at $API — skipping secrets setup"
+  echo "    Start OneCLI with: docker compose up -d"
+  exit 0
+fi
+
 echo "Reading credentials from $ENV_FILE"
 echo ""
 
@@ -135,6 +142,13 @@ CONFLUENCE_BASIC=$(printf '%s:%s' "$CONFLUENCE_USERNAME" "$CONFLUENCE_PASSWORD"
 SLACK_BOT_TOKEN=$(env_val "SLACK_BOT_TOKEN")
 INTERCOM_ACCESS_TOKEN=$(env_val "INTERCOM_ACCESS_TOKEN")
 
+XLEDGER_API_TOKEN=$(env_val "XLEDGER_API_TOKEN")
+XLEDGER_API_BASE=$(env_val "XLEDGER_API_BASE")
+XLEDGER_HOST=$(echo "$XLEDGER_API_BASE" | sed 's|^https://||;s|^http://||' | cut -d/ -f1)
+
+ARDOQ_API_KEY=$(env_val "ARDOQ_API_KEY")
+ARDOQ_BASE_URL=$(env_val "ARDOQ_BASE_URL")
+ARDOQ_HOST=$(echo "$ARDOQ_BASE_URL" | sed 's|^https://||;s|^http://||' | cut -d/ -f1)
 
 ANTHROPIC_AUTH_TOKEN=$(env_val "ANTHROPIC_AUTH_TOKEN")
 LLM_GATEWAY=$(env_val "ANTHROPIC_BASE_URL")
@@ -168,11 +182,18 @@ fi
   upsert_secret "intercom" "api.intercom.io" "Authorization" "Bearer $INTERCOM_ACCESS_TOKEN" || \
   echo "  ⚠ Skipping intercom"
 
+[ -n "$ARDOQ_API_KEY" ] && [ -n "$ARDOQ_HOST" ] && \
+  upsert_secret "ardoq" "$ARDOQ_HOST" "Authorization" "Token token=$ARDOQ_API_KEY" || \
+  echo "  ⚠ Skipping ardoq"
 
 [ -n "$ANTHROPIC_AUTH_TOKEN" ] && [ -n "$LLM_GATEWAY_HOST" ] && \
   upsert_secret "litellm" "$LLM_GATEWAY_HOST" "Authorization" "Bearer $ANTHROPIC_AUTH_TOKEN" || \
   echo "  ⚠ Skipping litellm"
 
+[ -n "$XLEDGER_API_TOKEN" ] && [ -n "$XLEDGER_HOST" ] && \
+  upsert_secret "xledger" "$XLEDGER_HOST" "Authorization" "token $XLEDGER_API_TOKEN" || \
+  echo "  ⚠ Skipping xledger"
+
 echo ""
 
 # ── Register global-claw agent if missing ────────────────────────────────────
@@ -219,7 +240,14 @@ if ! python3 -c "import yaml" 2>/dev/null; then
   pip3 install pyyaml --quiet --break-system-packages 2>/dev/null || \
   pip3 install pyyaml --quiet 2>/dev/null || \
   pip install pyyaml --quiet 2>/dev/null || \
-  { echo "ERROR: Could not install PyYAML. Run: pip3 install pyyaml"; exit 1; }
+  { echo "  ⚠ Could not install PyYAML — skipping agent secret linking. Run: pip3 install pyyaml"; SKIP_LINKING=1; }
+fi
+
+if [ "${SKIP_LINKING:-0}" = "1" ]; then
+  echo "  ⚠ Skipping agent secret linking (PyYAML unavailable)"
+  echo ""
+  echo "Done."
+  exit 0
 fi
 
 echo "Linking secrets to agents (from agents.yaml)..."

package/template/src/index.ts

@@ -647,6 +647,7 @@ function autoRegisterAgentsFromYaml(): void {
     is_main?: boolean;
     onecli_secrets?: string[];
     onecli_id?: string;
+    container_config?: import('./types.js').ContainerConfig;
   }>;
 
   try {
@@ -676,6 +677,7 @@ function autoRegisterAgentsFromYaml(): void {
       added_at: new Date().toISOString(),
       requiresTrigger: def.requires_trigger !== false,
       isMain: def.is_main === true,
+      ...(def.container_config ? { containerConfig: def.container_config } : {}),
     };
 
     setRegisteredGroup(jid, group);
@@ -714,13 +716,32 @@ function ensureOneCLISecrets(): void {
   const secretsScript = path.join(process.cwd(), 'scripts', 'setup-onecli-secrets.sh');
   if (!fs.existsSync(secretsScript)) return;
 
-  // Hash the credential-bearing env vars that the secrets script uses
+  // Hash two things:
+  // 1. Credential-bearing env vars (re-run when secrets rotate)
+  // 2. onecli_secrets from agents.yaml (re-run when an agent's secret list changes)
   const credentialKeys = [
     'ELASTIC_API_KEY', 'JIRA_EMAIL', 'JIRA_API_TOKEN',
     'SLACK_BOT_TOKEN', 'INTERCOM_ACCESS_TOKEN', 'ARDOQ_API_KEY',
     'ANTHROPIC_AUTH_TOKEN', 'CONFLUENCE_USERNAME', 'CONFLUENCE_PASSWORD',
+    'XLEDGER_API_TOKEN',
   ];
-  const hashInput = credentialKeys.map(k => `${k}=${process.env[k] || ''}`).join('\n');
+  const envHash = credentialKeys.map(k => `${k}=${process.env[k] || ''}`).join('\n');
+
+  // Include agents.yaml onecli_secrets so adding/removing a secret triggers re-run
+  let agentsSecretsSig = '';
+  try {
+    const agentsYaml = path.join(process.cwd(), 'agents.yaml');
+    if (fs.existsSync(agentsYaml)) {
+      const defs = YAML.parse(fs.readFileSync(agentsYaml, 'utf-8')).agents || [];
+      agentsSecretsSig = defs
+        .map((d: { folder: string; onecli_secrets?: string[] }) =>
+          `${d.folder}:${(d.onecli_secrets || []).sort().join(',')}`)
+        .sort()
+        .join('\n');
+    }
+  } catch { /* non-fatal — env hash alone is still useful */ }
+
+  const hashInput = envHash + '\n---agents---\n' + agentsSecretsSig;
   const currentHash = crypto.createHash('sha256').update(hashInput).digest('hex');
 
   const hashFile = path.join(STORE_DIR, 'onecli-secrets.hash');