fireclaw 0.1.2 → 0.2.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 bchewy
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,149 +1,157 @@
 # fireclaw
 
-Run [OpenClaw](https://github.com/openclaw/openclaw) instances inside Firecracker microVMs, each fully isolated with its own filesystem, network, and process tree.
-
-## Why
-
-Running OpenClaw directly on a host (bare metal or in Docker) means every instance shares the kernel, network namespace, and often the Docker socket. That's fine for a single bot, but problematic when you want:
-
-- **Isolation** — one misbehaving instance can't interfere with others or the host
-- **Reproducibility** — each VM boots from a clean rootfs image, no drift
-- **Security** — no Docker socket mount into the container; the guest runs its own Docker daemon
-- **Density** — Firecracker VMs boot in ~125ms and use ~5MB overhead per VM, so you can pack many instances on a single host
-
-This repo is a minimal control plane that wires up Firecracker VM lifecycle, networking, and OpenClaw provisioning with plain bash and systemd. No orchestrator, no Kubernetes, no extra daemons.
+Run [OpenClaw](https://github.com/openclaw/openclaw) agents inside Firecracker microVMs — one VM per instance, each with its own kernel, filesystem, Docker daemon, and network. A small Bash CLI drives Firecracker + systemd directly: no Kubernetes, no always-on daemon, no hidden state.
 
 ## How it works
 
+`fireclaw setup` builds four things on the host, then provisions the guest over SSH:
+
+1. **Instance state** — `/var/lib/fireclaw/.vm-<id>/` holds `.env` (allocation + config), `.token` (gateway auth token), `provision.vars` (guest provisioning input, including secrets), and `known_hosts` (the guest SSH host key, pinned after the first successful login). The directory is root-only (`0700`); the secret files are mode `0600`.
+2. **VM assets** — `/srv/firecracker/vm-demo/<id>/`: a copy of the base rootfs resized to `--disk-size`, kernel (+ optional initrd), a cloud-init seed image (ubuntu user, SSH key, static IP by MAC match), the Firecracker JSON config, and generated `start-vm.sh` / `stop-vm.sh`.
+3. **Two systemd units** — `firecracker-vmdemo-<id>.service` runs the VM: `Restart=always` (an in-guest reboot or VMM crash comes back on its own) and an `ExecStop` that asks the guest to shut down cleanly through the Firecracker API socket before the VMM exits. `vmdemo-proxy-<id>.service` runs socat as an unprivileged dynamic user, forwarding `127.0.0.1:<HOST_PORT>` → `<VM_IP>:18789`, and starts/stops with the VM unit.
+4. **Network** — one tap per VM on the `fc-br0` bridge (`172.16.0.1/24`). Each tap is an *isolated* bridge port, so VMs cannot exchange IP or ARP traffic with each other — only with the host and, via a MASQUERADE rule, the internet. Host port and VM IP are allocated under a lock, so concurrent setups cannot collide.
+
+Guest provisioning (`scripts/provision-guest.sh`, SCP'd in and run once over SSH) installs Docker with bridge/iptables disabled, pulls the OpenClaw image, writes the gateway/model/skills config (Telegram is enabled only when a token was provided, otherwise explicitly disabled), installs a health script, and creates `openclaw-<id>.service`, which runs the container with `--network host` serving the gateway on `:18789`. The copied secrets are removed from guest `/tmp` when the script exits.
+
+```mermaid
+flowchart LR
+  cli["fireclaw CLI<br/>sudo fireclaw ..."]
+
+  subgraph host["Host"]
+    state["state<br/>/var/lib/fireclaw/.vm-id"]
+    assets["assets<br/>/srv/firecracker/vm-demo/id"]
+    vmUnit["firecracker-vmdemo-id.service"]
+    proxyUnit["vmdemo-proxy-id.service<br/>socat 127.0.0.1:HOST_PORT"]
+    net["fc-br0 bridge + NAT<br/>isolated tap per VM"]
+  end
+
+  subgraph guest["Firecracker VM"]
+    cloudInit["cloud-init<br/>ubuntu user, SSH, static IP"]
+    docker["Docker (bridge off)"]
+    guestUnit["openclaw-id.service"]
+    container["OpenClaw container<br/>gateway :18789"]
+  end
+
+  cli --> state
+  cli --> assets
+  cli --> vmUnit
+  vmUnit --> net
+  net --> guest
+  cli -->|"SCP + SSH provision"| docker
+  docker --> guestUnit
+  guestUnit --> container
+  proxyUnit -->|"forwards to VM_IP:18789"| container
+  cli -->|"health gates"| proxyUnit
 ```
-Host
-├── systemd: firecracker-vmdemo-<id>.service   ← runs the VM
-├── systemd: vmdemo-proxy-<id>.service          ← socat: localhost:<port> → VM:18789
-├── bridge: fc-br0 (172.16.0.0/24)              ← shared bridge for all VMs
-│
-└── Firecracker VM (172.16.0.x)
-    ├── cloud-init: ubuntu user, SSH key, Docker install
-    ├── Docker: pulls OpenClaw image
-    ├── systemd: openclaw-<id>.service          ← docker run --network host ... gateway --bind lan --port 18789
-    └── Browser binaries (Playwright Chromium, installed at provision time)
-```
-
-1. **`fireclaw setup`** creates a new instance: copies the base rootfs, optionally resizes it (default `40G`), generates a cloud-init seed image, allocates an IP + host port, writes a Firecracker config, creates systemd units, boots the VM with a per-instance Firecracker API socket, waits for SSH, then SCPs `provision-guest.sh` into the guest and runs it.
-
-2. **`provision-guest.sh`** runs inside the VM as root: waits for cloud-init/apt locks, expands the guest ext4 filesystem (`resize2fs`), configures Docker for Firecracker (`iptables=false`, `ip6tables=false`, `bridge=none`), pulls the OpenClaw image, runs the OpenClaw CLI (`doctor --fix` included), installs Playwright Chromium, writes browser path + health-check script, then creates and starts the guest systemd service.
-
-3. **`fireclaw`** manages the lifecycle after setup: start/stop/restart VMs, tail logs (guest or host side), open an SSH shell, show status, or destroy an instance.
 
-All state lives in two places:
-- **Instance state** `/var/lib/fireclaw/.vm-<id>/` — env file, token, provision vars
-- **VM runtime** `/srv/firecracker/vm-demo/<id>/` — VM images, Firecracker config, logs
+Lifecycle semantics:
 
-## Prerequisites
+- `setup`, `provision`, and `start` return success only after **both** health gates pass: the guest health script (container running + `/health` inside the VM) and the localhost proxy `/health`. `start` never reprovisions. `list`/`status` are looser inspection views (health may read up when either the proxy or the guest check responds).
+- A `setup` failure *before* guest provisioning completes rolls back only that instance (units, tap, API socket, state, assets). After guest provisioning succeeds, failures keep the instance — inspect with `status`, retry with `provision`.
+- `stop` shuts down proxy → guest service → VM (clean guest shutdown via the API socket) and disables the units, so a stopped instance stays stopped across host reboots until `start`.
+- `provision <id> [flags]` updates the saved config and reruns guest provisioning on the existing VM — no new IP, port, or disk. Overrides are validated first; a rejected run changes nothing.
+- `destroy` removes units, tap, API socket, state, and assets; `--force` also cleans up instances with unreadable state (units and directories only — a leftover tap or socket then needs manual removal).
 
-- Linux host with KVM support (`/dev/kvm` accessible)
-- `firecracker` binary at `/usr/local/bin/firecracker` ([install guide](https://github.com/firecracker-microvm/firecracker/blob/main/docs/getting-started.md))
-- `qemu-img` (from `qemu-utils`) for rootfs resizing
-- `cloud-localds` (from `cloud-image-utils`), `socat`, `jq`, `iptables`, `iproute2`, `ssh`, `scp`, `curl`, `openssl`
-- Base VM images: a Linux kernel (`vmlinux`) and an ext4 rootfs with cloud-init support. Optionally an initrd.
-
-Set `BASE_IMAGES_DIR` or pass `--base-kernel`/`--base-rootfs`/`--base-initrd` to point at your images.
+Naming note: runtime paths keep the historical `vmdemo` names (`/srv/firecracker/vm-demo`, `firecracker-vmdemo-*`, `vmdemo-proxy-*`) so existing instances keep working.
 
 ## Install
 
+Host needs Linux with KVM (`/dev/kvm`), root access, `firecracker` on `PATH`, the usual tools (`systemctl`, `cloud-localds`, `qemu-img`, `iptables`, `ip`, `bridge`, `socat`, `jq`, `curl`, `openssl`, `ssh`, `scp`, `install`, `flock`), and base images (kernel + cloud-init-capable ext4 rootfs, default dir `/srv/firecracker/base/images`). `fireclaw doctor` checks all of this.
+
 ```bash
 npm install -g fireclaw
 ```
 
-## Setup
+If `sudo fireclaw` reports `command not found` (nvm/user-prefix installs aren't on root's `secure_path`):
 
 ```bash
-sudo fireclaw setup \
-  --instance my-bot \
-  --telegram-token "<your-bot-token>" \
-  --telegram-users "<your-telegram-user-id>" \
-  --model "anthropic/claude-opus-4-6" \
-  --anthropic-api-key "<key>"
+sudo ln -s "$(command -v fireclaw)" /usr/local/bin/fireclaw
 ```
 
-This will generate an SSH keypair (if needed), copy + configure the rootfs, boot the VM via systemd, wait for SSH, provision OpenClaw inside the guest, start the localhost proxy, and print the instance details (IP, port, token).
+## Quick start
 
-### Options
+```bash
+sudo fireclaw doctor
 
-| Flag | Default | Description |
-|------|---------|-------------|
-| `--instance` | (required) | Instance ID (`[a-z0-9_-]+`) |
-| `--telegram-token` | (required) | Telegram bot token |
-| `--telegram-users` | | Comma-separated Telegram user IDs for allowlist |
-| `--model` | `anthropic/claude-opus-4-6` | Model ID |
-| `--skills` | `github,tmux,coding-agent,session-logs,skill-creator` | Comma-separated skill list |
-| `--openclaw-image` | `ghcr.io/openclaw/openclaw:latest` | Docker image for OpenClaw |
-| `--vm-vcpu` | `4` | vCPUs per VM |
-| `--vm-mem-mib` | `8192` | Memory per VM (MiB) |
-| `--disk-size` | `40G` | Resize copied rootfs image to this virtual size before boot |
-| `--api-sock` | `<fc-dir>/firecracker.socket` | Firecracker API socket path (must be unique per VM) |
-| `--anthropic-api-key` | | Anthropic API key |
-| `--openai-api-key` | | OpenAI API key |
-| `--minimax-api-key` | | MiniMax API key |
-| `--skip-browser-install` | `false` | Skip Playwright Chromium install |
-
-## Usage
+# Local-only gateway (Telegram disabled):
+sudo fireclaw setup --instance my-bot --model "openai/gpt-5.5" --openai-api-key "<key>"
+
+# Telegram bot (DM allowlist, groups disabled):
+sudo fireclaw setup --instance my-bot \
+  --telegram-token "<bot-token>" --telegram-users "<comma-separated-user-ids>" \
+  --model "openai/gpt-5.5" --openai-api-key "<key>"
+```
+
+Setup fails fast if the model's provider key is missing (`openai/*` → OpenAI key, `anthropic/*` → Anthropic, `minimax/*` → MiniMax). Keys can come from the environment instead of flags, keeping them out of `ps` output:
 
 ```bash
-# List all instances
-sudo fireclaw list
+sudo OPENAI_API_KEY="<key>" fireclaw setup --instance my-bot
+```
 
-# Status of one instance
+Setup prints the instance's IP, proxy port, and health on success. Verify any time with:
+
+```bash
 sudo fireclaw status my-bot
+curl -fsS http://127.0.0.1:<HOST_PORT>/health
+```
+
+## Commands
 
-# Stop / start / restart
-sudo fireclaw stop my-bot
-sudo fireclaw start my-bot
-sudo fireclaw restart my-bot
+```bash
+sudo fireclaw doctor                     # preflight: commands, /dev/kvm, base images, bridge, capacity
+sudo fireclaw setup <flags...>           # create + provision a new instance (flags below)
+sudo fireclaw provision <id> [flags...]  # update saved config + rerun guest provisioning
+sudo fireclaw list                       # fleet table with health
+sudo fireclaw status [id]                # detail for one instance (or the fleet)
+sudo fireclaw start|stop|restart <id>    # lifecycle; stop persists across host reboots
+sudo fireclaw logs <id> [guest|host]     # tail the guest service or host units
+sudo fireclaw shell <id> ["command"]     # SSH into the VM, or run one command
+sudo fireclaw token <id>                 # print the gateway auth token
+sudo fireclaw destroy <id> [--force]     # full teardown
+```
 
-# Tail guest logs (OpenClaw service)
-sudo fireclaw logs my-bot
+`provision` accepts `--telegram-token`, `--no-telegram`, `--telegram-users`, `--model`, `--skills`, `--openclaw-image`, the three API-key flags, `--skip-browser-install`, and `--browser-install` — e.g. rotate a key with `provision my-bot --openai-api-key "<new>"`, or enable Telegram on a local-only instance later.
 
-# Tail host logs (Firecracker + proxy)
-sudo fireclaw logs my-bot host
+## Setup flags
 
-# SSH into the VM
-sudo fireclaw shell my-bot
+| Flag | Default | Description |
+|------|---------|-------------|
+| `--instance <id>` | required | Instance ID (`[a-z0-9_-]+`) |
+| `--telegram-token <token>` | none | Omit for a local-only gateway with Telegram disabled |
+| `--telegram-users <csv>` | none | Allowed Telegram user IDs; required with `--telegram-token` |
+| `--model <id>` | `openai/gpt-5.5` | OpenClaw model; its provider API key must be set |
+| `--skills <csv>` | `github,tmux,coding-agent,session-logs,skill-creator` | Skill set |
+| `--openclaw-image <image>` | `ghcr.io/openclaw/openclaw:latest` | Container image |
+| `--host-port <n>` | first free port above `BASE_PORT` | Localhost proxy port (>= 1024) |
+| `--vm-vcpu <n>` / `--vm-mem-mib <n>` | `4` / `8192` | VM sizing |
+| `--disk-size <size>` | `40G` | Rootfs resize target |
+| `--api-sock <path>` | `<fc-instance-dir>/firecracker.socket` | Firecracker API socket |
+| `--base-kernel/-rootfs/-initrd <path>` | `<BASE_IMAGES_DIR>/...` | Base image paths |
+| `--anthropic/openai/minimax-api-key <key>` | env var or empty | Provider keys |
+| `--skip-browser-install` | off | Skip Playwright Chromium in the guest |
 
-# Run a command inside the VM
-sudo fireclaw shell my-bot "docker ps"
+## Defaults and state
 
-# Get the gateway token
-sudo fireclaw token my-bot
+Networking: bridge `fc-br0` at `172.16.0.1/24`, VM subnet `172.16.0.0/24` (auto-allocation requires `/24`), guest gateway `:18789`, first auto host port `18891` (`BASE_PORT`+1). The proxy is the intended access path; the guest gateway itself binds `0.0.0.0:18789` inside the VM, so keep bridge/subnet reachability private.
 
-# Health check
-curl -fsS http://127.0.0.1:<HOST_PORT>/health
-# If proxy health is flaky, inspect VM-side health too:
-sudo fireclaw status my-bot
+Overridable via environment: `STATE_ROOT` (`/var/lib/fireclaw`), `FC_ROOT` (`/srv/firecracker/vm-demo`), `BASE_PORT` (`18890`), `BRIDGE_NAME`, `BRIDGE_ADDR`, `SUBNET_CIDR`, `SSH_KEY_PATH` (`/home/ubuntu/.ssh/vmdemo_vm`), `BASE_IMAGES_DIR`, `DISK_SIZE`, `API_SOCK`, `OPENCLAW_IMAGE_DEFAULT`.
 
-# Destroy (interactive confirmation)
-sudo fireclaw destroy my-bot
+Per instance on disk: state in `STATE_ROOT/.vm-<id>/` (`.env`, `.token`, `provision.vars`, `known_hosts`), runtime in `FC_ROOT/<id>/` (`images/`, `config/`, `logs/`, `start-vm.sh`, `stop-vm.sh`), units in `/etc/systemd/system/firecracker-vmdemo-<id>.service` and `vmdemo-proxy-<id>.service`.
 
-# Destroy (skip confirmation)
-sudo fireclaw destroy my-bot --force
-```
+## Security model
 
-## Networking
+- The isolation boundary is the VM, not a container namespace; no host Docker socket is mounted anywhere.
+- VMs cannot reach each other (isolated bridge ports block IP and ARP between guests, plus an intra-bridge iptables `FORWARD` drop as defense-in-depth where `br_netfilter` is active); each sees only the host gateway and NATed egress.
+- The host proxy is localhost-only and runs unprivileged; guest SSH host keys are pinned per instance and mismatches are reported.
+- Secrets live root-only under `STATE_ROOT` (mode `0600`). The provisioning copies are removed from guest `/tmp` afterwards; the runtime secrets the service needs persist inside the guest in a `0600` env file and the OpenClaw config. The gateway token is never echoed — use `fireclaw token <id>`. Prefer env vars over flags for API keys.
 
-Each VM gets a static IP on a bridge (`fc-br0`, `172.16.0.0/24`). The host acts as the gateway at `172.16.0.1` with NAT for outbound traffic. A `socat` proxy on the host forwards `127.0.0.1:<HOST_PORT>` to the VM's gateway port (`18789`), so the OpenClaw API is only reachable from localhost.
+## Troubleshooting
 
-## Environment variables
+- VM won't start: `sudo journalctl -u firecracker-vmdemo-<id>.service -xe`; check `/dev/kvm` and `sudo fireclaw doctor`.
+- SSH unreachable: `sudo fireclaw status <id>`; a host-key mismatch is reported explicitly — remove `STATE_ROOT/.vm-<id>/known_hosts` if the change is expected. If SSH never comes up, read the boot/console output in `/srv/firecracker/vm-demo/<id>/logs/`.
+- Proxy health down: `curl -v http://127.0.0.1:<port>/health`, then `sudo fireclaw shell <id> "curl -fsS http://127.0.0.1:18789/health"`.
+- Disk pressure in the guest: recreate with a larger `--disk-size`.
 
-All scripts respect these overrides:
+## Development
 
-| Variable | Default |
-|----------|---------|
-| `STATE_ROOT` | `/var/lib/fireclaw` |
-| `FC_ROOT` | `/srv/firecracker/vm-demo` |
-| `BASE_PORT` | `18890` |
-| `BRIDGE_NAME` | `fc-br0` |
-| `BRIDGE_ADDR` | `172.16.0.1/24` |
-| `SUBNET_CIDR` | `172.16.0.0/24` |
-| `SSH_KEY_PATH` | `~/.ssh/vmdemo_vm` |
-| `BASE_IMAGES_DIR` | `/srv/firecracker/base/images` |
-| `DISK_SIZE` | `40G` |
-| `API_SOCK` | `<FC_ROOT>/<instance>/firecracker.socket` |
+`npm test` runs shell syntax checks plus unit tests for `bin/vm-common.sh`; `npm run pack:check` validates package contents. Contributor conventions live in [AGENTS.md](AGENTS.md).

package/bin/fireclaw

@@ -13,11 +13,13 @@ ${bold}USAGE${reset}
   fireclaw <command> [args...]
 
 ${bold}COMMANDS${reset}
+  ${cyan}doctor${reset}                       Check host prerequisites
   ${cyan}setup${reset} <flags...>             Create and provision a new VM instance
+  ${cyan}provision${reset} <id> [flags...]     Update saved config and re-run guest provisioning
   ${cyan}list${reset}                         List all instances
   ${cyan}status${reset} [id]                  Show instance status (all or one)
   ${cyan}start${reset} <id>                   Start an instance
-  ${cyan}stop${reset} <id>                    Stop an instance
+  ${cyan}stop${reset} <id>                    Stop an instance (stays stopped across host reboots)
   ${cyan}restart${reset} <id>                 Restart an instance
   ${cyan}logs${reset} <id> [guest|host]       Stream logs
   ${cyan}shell${reset} <id> [command...]      SSH into VM or run a command
@@ -25,7 +27,10 @@ ${bold}COMMANDS${reset}
   ${cyan}destroy${reset} <id> [--force]       Destroy an instance
 
 ${bold}EXAMPLES${reset}
-  ${dim}\$${reset} sudo fireclaw setup --instance my-bot --telegram-token <tok> --telegram-users <uid>
+  ${dim}\$${reset} sudo fireclaw doctor
+  ${dim}\$${reset} sudo fireclaw setup --instance my-bot --openai-api-key <key>
+  ${dim}\$${reset} sudo fireclaw setup --instance my-bot --telegram-token <tok> --telegram-users <uid> --openai-api-key <key>
+  ${dim}\$${reset} sudo fireclaw provision my-bot --model openai/gpt-5.5
   ${dim}\$${reset} sudo fireclaw list
   ${dim}\$${reset} sudo fireclaw status my-bot
   ${dim}\$${reset} sudo fireclaw shell my-bot
@@ -43,9 +48,12 @@ shift || true
 
 case "$cmd" in
   setup|create|provision)
+    if [[ "$cmd" == "provision" ]]; then
+      VM_PROVISION_CMD_NAME="fireclaw provision" exec "$SCRIPT_DIR/vm-provision" "$@"
+    fi
     VM_SETUP_CMD_NAME="fireclaw setup" exec "$SCRIPT_DIR/vm-setup" "$@"
     ;;
-  list|status|start|stop|restart|logs|shell|token|destroy)
+  doctor|list|status|start|stop|restart|logs|shell|token|destroy)
     if [[ "${1:-}" == "-h" || "${1:-}" == "--help" || "${1:-}" == "help" ]]; then
       VM_CTL_CMD_NAME="fireclaw" exec "$SCRIPT_DIR/vm-ctl" --help
     fi