gigaclaw 1.4.0

package/templates/docker/claude-code-job/entrypoint.sh

@@ -0,0 +1,149 @@
+#!/bin/bash
+set -e
+
+# Extract job ID from branch name (job/uuid -> uuid), fallback to random UUID
+if [[ "$BRANCH" == job/* ]]; then
+    JOB_ID="${BRANCH#job/}"
+else
+    JOB_ID=$(cat /proc/sys/kernel/random/uuid)
+fi
+echo "Job ID: ${JOB_ID}"
+
+# Export SECRETS (JSON) as flat env vars (GH_TOKEN, CLAUDE_CODE_OAUTH_TOKEN, etc.)
+if [ -n "$SECRETS" ]; then
+    eval $(echo "$SECRETS" | jq -r 'to_entries | .[] | "export \(.key)=\(.value | @sh)"')
+fi
+
+# Export LLM_SECRETS (JSON) as flat env vars
+if [ -n "$LLM_SECRETS" ]; then
+    eval $(echo "$LLM_SECRETS" | jq -r 'to_entries | .[] | "export \(.key)=\(.value | @sh)"')
+fi
+
+# Unset ANTHROPIC_API_KEY so Claude Code uses the OAuth token.
+# If both are set, Claude Code prioritizes API key (billing to API credits)
+# which defeats the purpose. The API key is for the event handler, not here.
+unset ANTHROPIC_API_KEY
+
+# Git setup - derive identity from GitHub token
+gh auth setup-git
+GH_USER_JSON=$(gh api user -q '{name: .name, login: .login, email: .email, id: .id}')
+GH_USER_NAME=$(echo "$GH_USER_JSON" | jq -r '.name // .login')
+GH_USER_EMAIL=$(echo "$GH_USER_JSON" | jq -r '.email // "\(.id)+\(.login)@users.noreply.github.com"')
+git config --global user.name "$GH_USER_NAME"
+git config --global user.email "$GH_USER_EMAIL"
+
+# Clone branch
+if [ -n "$REPO_URL" ]; then
+    git clone --single-branch --branch "$BRANCH" --depth 1 "$REPO_URL" /job
+else
+    echo "No REPO_URL provided"
+fi
+
+cd /job
+
+# Install npm deps for active skills (native deps need correct Linux arch)
+for skill_dir in /job/skills/active/*/; do
+    if [ -f "${skill_dir}package.json" ]; then
+        echo "Installing skill deps: $(basename "$skill_dir")"
+        (cd "$skill_dir" && npm install --omit=dev --no-package-lock)
+    fi
+done
+
+# Start Chrome if puppeteer installed it (needed by browser-tools skill)
+CHROME_PID=""
+CHROME_BIN=$(find /home/agent/.cache/puppeteer -name "chrome" -type f 2>/dev/null | head -1)
+if [ -n "$CHROME_BIN" ]; then
+    $CHROME_BIN --headless --no-sandbox --disable-gpu --remote-debugging-port=9222 2>/dev/null &
+    CHROME_PID=$!
+    sleep 2
+fi
+
+# Setup logs
+LOG_DIR="/job/logs/${JOB_ID}"
+mkdir -p "${LOG_DIR}"
+
+# Build system prompt from config MD files
+SYSTEM_PROMPT_FILE="${LOG_DIR}/system-prompt.md"
+SYSTEM_FILES=("SOUL.md" "JOB_AGENT.md")
+> "$SYSTEM_PROMPT_FILE"
+for i in "${!SYSTEM_FILES[@]}"; do
+    cat "/job/config/${SYSTEM_FILES[$i]}" >> "$SYSTEM_PROMPT_FILE"
+    if [ "$i" -lt $((${#SYSTEM_FILES[@]} - 1)) ]; then
+        echo -e "\n\n" >> "$SYSTEM_PROMPT_FILE"
+    fi
+done
+
+# Resolve {{datetime}} variable in system prompt
+sed -i "s/{{datetime}}/$(date -u +"%Y-%m-%dT%H:%M:%SZ")/g" "$SYSTEM_PROMPT_FILE"
+
+# Read job metadata from job.config.json
+JOB_CONFIG="/job/logs/${JOB_ID}/job.config.json"
+TITLE=$(jq -r '.title // empty' "$JOB_CONFIG")
+JOB_DESCRIPTION=$(jq -r '.job // empty' "$JOB_CONFIG")
+
+PROMPT="
+
+# Your Job
+
+${JOB_DESCRIPTION}"
+
+# Build --model flag if LLM_MODEL is set
+MODEL_FLAG=""
+if [ -n "$LLM_MODEL" ]; then
+    MODEL_FLAG="--model $LLM_MODEL"
+fi
+
+# Run Claude Code — capture exit code instead of letting set -e kill the script
+# stream-json gives the full conversation trace (thinking, tool calls, results)
+# similar to Pi's .jsonl session logs
+set +e
+claude -p "$PROMPT" \
+    $MODEL_FLAG \
+    --append-system-prompt-file "$SYSTEM_PROMPT_FILE" \
+    --dangerously-skip-permissions \
+    --verbose \
+    --output-format stream-json \
+    > "${LOG_DIR}/claude-session.jsonl" 2>"${LOG_DIR}/claude-stderr.log"
+AGENT_EXIT=$?
+
+# Commit based on outcome
+if [ $AGENT_EXIT -ne 0 ]; then
+    # Claude Code failed — only commit session logs, not partial code changes
+    git reset || true
+    git add -f "${LOG_DIR}"
+    git commit -m "🤖 Agent Job: ${TITLE} (failed)" || true
+else
+    # Claude Code succeeded — commit everything
+    git add -A
+    git add -f "${LOG_DIR}"
+    git commit -m "🤖 Agent Job: ${TITLE}" || true
+fi
+
+git push origin
+
+# Capture log commit SHA, then remove logs so they don't merge into main
+LOG_SHA=$(git rev-parse HEAD)
+git rm -rf "${LOG_DIR}"
+git commit -m "done." || true
+git push origin
+set -e
+
+# Cleanup Chrome
+if [ -n "$CHROME_PID" ]; then
+    kill $CHROME_PID 2>/dev/null || true
+fi
+
+# Create PR with log permalink (auto-merge handled by GitHub Actions workflow)
+REPO_SLUG=$(gh repo view --json nameWithOwner -q .nameWithOwner)
+LOG_URL="https://github.com/${REPO_SLUG}/tree/${LOG_SHA}/logs/${JOB_ID}"
+gh pr create --title "🤖 Agent Job: ${TITLE}" \
+  --body "📋 [View Job Logs](${LOG_URL})"$'\n\n---\n\n'"${JOB_DESCRIPTION}" \
+  --base main || true
+
+# Re-raise failure so the workflow reports it
+if [ $AGENT_EXIT -ne 0 ]; then
+    echo "Claude Code exited with code ${AGENT_EXIT}"
+    exit $AGENT_EXIT
+fi
+
+echo "Done. Job ID: ${JOB_ID}"

package/templates/docker/claude-code-workspace/.tmux.conf

@@ -0,0 +1,5 @@
+set -g default-terminal "xterm-256color"
+set-option -ga terminal-overrides ",xterm-256color:Tc"
+set -g mouse on
+set -g history-limit 50000
+setw -q -g utf8 on

package/templates/docker/claude-code-workspace/Dockerfile

@@ -0,0 +1,61 @@
+FROM ubuntu:24.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# System packages
+RUN apt-get update && apt-get install -y \
+    tmux \
+    git \
+    curl \
+    jq \
+    build-essential \
+    locales \
+    fonts-noto-color-emoji \
+    fonts-symbola \
+    ca-certificates \
+    gnupg \
+    && rm -rf /var/lib/apt/lists/*
+
+# Locale
+RUN locale-gen en_US.UTF-8
+ENV LANG=en_US.UTF-8
+ENV LC_ALL=en_US.UTF-8
+ENV LC_CTYPE=en_US.UTF-8
+
+# GitHub CLI
+RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
+    && apt-get update && apt-get install -y gh \
+    && rm -rf /var/lib/apt/lists/*
+
+# ttyd (web terminal)
+RUN curl -fsSL -o /usr/local/bin/ttyd https://github.com/tsl0922/ttyd/releases/download/1.7.7/ttyd.x86_64 \
+    && chmod +x /usr/local/bin/ttyd
+
+# Node.js 22
+RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
+    && apt-get install -y nodejs \
+    && rm -rf /var/lib/apt/lists/*
+
+# Claude Code
+RUN npm install -g @anthropic-ai/claude-code
+
+# Non-root user
+RUN useradd -m -s /bin/bash claude-code \
+    && mkdir -p /home/claude-code/workspace \
+    && chown claude-code:claude-code /home/claude-code/workspace
+
+COPY .tmux.conf /home/claude-code/.tmux.conf
+RUN chown claude-code:claude-code /home/claude-code/.tmux.conf
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+USER claude-code
+WORKDIR /home/claude-code/workspace
+
+ENV REPO=""
+ENV BRANCH=main
+ENV PORT=7681
+
+ENTRYPOINT ["/entrypoint.sh"]

package/templates/docker/claude-code-workspace/entrypoint.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+set -e
+
+# Git setup - derive identity from GitHub token
+gh auth setup-git
+GH_USER_JSON=$(gh api user -q '{name: .name, login: .login, email: .email, id: .id}')
+GH_USER_NAME=$(echo "$GH_USER_JSON" | jq -r '.name // .login')
+GH_USER_EMAIL=$(echo "$GH_USER_JSON" | jq -r '.email // "\(.id)+\(.login)@users.noreply.github.com"')
+git config --global user.name "$GH_USER_NAME"
+git config --global user.email "$GH_USER_EMAIL"
+
+# Clone repo (skip if already cloned — enables docker restart)
+if [ -n "$REPO" ] && [ ! -d "/home/claude-code/workspace/.git" ]; then
+    git clone --branch "$BRANCH" "https://github.com/$REPO" /home/claude-code/workspace
+fi
+
+cd /home/claude-code/workspace
+WORKSPACE_DIR=$(pwd)
+
+# Claude Code auth — use OAuth token, not API key
+unset ANTHROPIC_API_KEY
+export CLAUDE_CODE_OAUTH_TOKEN="${CLAUDE_CODE_OAUTH_TOKEN}"
+
+# Skip onboarding and trust dialogs
+mkdir -p ~/.claude
+cat > ~/.claude/settings.json << 'EOF'
+{
+  "theme": "dark",
+  "hasTrustDialogAccepted": true,
+  "skipDangerousModePermissionPrompt": true
+}
+EOF
+
+cat > ~/.claude.json << ENDJSON
+{
+  "hasCompletedOnboarding": true,
+  "projects": {
+    "${WORKSPACE_DIR}": {
+      "allowedTools": [],
+      "hasTrustDialogAccepted": true,
+      "hasTrustDialogHooksAccepted": true
+    }
+  }
+}
+ENDJSON
+
+# Start Claude Code in a tmux session
+tmux -u new-session -d -s claude 'claude --dangerously-skip-permissions'
+
+# Start ttyd in foreground (PID 1) — serves tmux over WebSocket
+exec ttyd --writable -p "${PORT:-7681}" tmux attach -t claude

package/templates/docker/event-handler/Dockerfile

@@ -0,0 +1,20 @@
+FROM node:22-bookworm-slim
+
+RUN apt-get update && apt-get install -y curl git python3 make g++ && \
+    curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
+      | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg && \
+    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
+      | tee /etc/apt/sources.list.d/github-cli.list > /dev/null && \
+    apt-get update && apt-get install -y gh && \
+    rm -rf /var/lib/apt/lists/*
+RUN npm install -g pm2
+
+WORKDIR /app
+COPY package.json package-lock.json* ./
+RUN npm install --omit=dev && \
+    npm install --no-save gigabot@$(node -p "require('./package.json').version")
+
+COPY /templates/docker/event-handler/ecosystem.config.cjs /opt/ecosystem.config.cjs
+
+EXPOSE 80
+CMD ["pm2-runtime", "/opt/ecosystem.config.cjs"]

package/templates/docker/event-handler/ecosystem.config.cjs

@@ -0,0 +1,7 @@
+module.exports = {
+  apps: [{
+    name: 'next',
+    script: 'server.js',
+    kill_timeout: 120000,
+  }]
+};

package/templates/docker/pi-coding-agent-job/Dockerfile

@@ -0,0 +1,51 @@
+FROM node:22-bookworm-slim
+
+RUN apt-get update && apt-get install -y \
+    git \
+    jq \
+    curl \
+    procps \
+    # Chrome/Chromium dependencies
+    libnss3 \
+    libnspr4 \
+    libatk1.0-0 \
+    libatk-bridge2.0-0 \
+    libcups2 \
+    libdrm2 \
+    libdbus-1-3 \
+    libxkbcommon0 \
+    libatspi2.0-0 \
+    libxcomposite1 \
+    libxdamage1 \
+    libxfixes3 \
+    libxrandr2 \
+    libgbm1 \
+    libasound2 \
+    libpango-1.0-0 \
+    libcairo2 \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install GitHub CLI
+RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
+    && apt-get update && apt-get install -y gh \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN npm install -g @mariozechner/pi-coding-agent
+
+# Create a non-root user and give it ownership of /job.
+RUN useradd -m -s /bin/bash agent \
+    && mkdir -p /job \
+    && chown agent:agent /job
+
+# Create Pi config directory (extension loaded from repo at runtime)
+RUN mkdir -p /home/agent/.pi/agent \
+    && chown -R agent:agent /home/agent/.pi
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+USER agent
+WORKDIR /job
+
+ENTRYPOINT ["/entrypoint.sh"]

package/templates/docker/pi-coding-agent-job/entrypoint.sh

@@ -0,0 +1,164 @@
+#!/bin/bash
+set -e
+
+# Extract job ID from branch name (job/uuid -> uuid), fallback to random UUID
+if [[ "$BRANCH" == job/* ]]; then
+    JOB_ID="${BRANCH#job/}"
+else
+    JOB_ID=$(cat /proc/sys/kernel/random/uuid)
+fi
+echo "Job ID: ${JOB_ID}"
+
+# Export SECRETS (JSON) as flat env vars (GH_TOKEN, ANTHROPIC_API_KEY, etc.)
+# These are filtered from LLM's bash subprocess by env-sanitizer extension
+if [ -n "$SECRETS" ]; then
+    eval $(echo "$SECRETS" | jq -r 'to_entries | .[] | "export \(.key)=\(.value | @sh)"')
+fi
+
+# Export LLM_SECRETS (JSON) as flat env vars
+# These are NOT filtered - LLM can access these (browser logins, skill API keys, etc.)
+if [ -n "$LLM_SECRETS" ]; then
+    eval $(echo "$LLM_SECRETS" | jq -r 'to_entries | .[] | "export \(.key)=\(.value | @sh)"')
+fi
+
+# Git setup - derive identity from GitHub token
+gh auth setup-git
+GH_USER_JSON=$(gh api user -q '{name: .name, login: .login, email: .email, id: .id}')
+GH_USER_NAME=$(echo "$GH_USER_JSON" | jq -r '.name // .login')
+GH_USER_EMAIL=$(echo "$GH_USER_JSON" | jq -r '.email // "\(.id)+\(.login)@users.noreply.github.com"')
+git config --global user.name "$GH_USER_NAME"
+git config --global user.email "$GH_USER_EMAIL"
+
+# Clone branch
+if [ -n "$REPO_URL" ]; then
+    git clone --single-branch --branch "$BRANCH" --depth 1 "$REPO_URL" /job
+else
+    echo "No REPO_URL provided"
+fi
+
+cd /job
+
+# Install npm deps for active skills (native deps need correct Linux arch)
+for skill_dir in /job/skills/active/*/; do
+    if [ -f "${skill_dir}package.json" ]; then
+        echo "Installing skill deps: $(basename "$skill_dir")"
+        (cd "$skill_dir" && npm install --omit=dev --no-package-lock)
+    fi
+done
+
+# Start Chrome if available (installed by browser-tools skill via Puppeteer)
+CHROME_PID=""
+CHROME_BIN=$(find /home/agent/.cache/puppeteer -name "chrome" -type f 2>/dev/null | head -1)
+if [ -n "$CHROME_BIN" ]; then
+    $CHROME_BIN --headless --no-sandbox --disable-gpu --remote-debugging-port=9222 2>/dev/null &
+    CHROME_PID=$!
+    sleep 2
+fi
+
+# Setup logs
+LOG_DIR="/job/logs/${JOB_ID}"
+mkdir -p "${LOG_DIR}"
+
+# 1. Build system prompt from config MD files
+SYSTEM_FILES=("SOUL.md" "JOB_AGENT.md")
+> /job/.pi/SYSTEM.md
+for i in "${!SYSTEM_FILES[@]}"; do
+    cat "/job/config/${SYSTEM_FILES[$i]}" >> /job/.pi/SYSTEM.md
+    if [ "$i" -lt $((${#SYSTEM_FILES[@]} - 1)) ]; then
+        echo -e "\n\n" >> /job/.pi/SYSTEM.md
+    fi
+done
+
+# Resolve {{datetime}} variable in SYSTEM.md
+sed -i "s/{{datetime}}/$(date -u +"%Y-%m-%dT%H:%M:%SZ")/g" /job/.pi/SYSTEM.md
+
+# Read job metadata from job.config.json
+JOB_CONFIG="/job/logs/${JOB_ID}/job.config.json"
+TITLE=$(jq -r '.title // empty' "$JOB_CONFIG")
+JOB_DESCRIPTION=$(jq -r '.job // empty' "$JOB_CONFIG")
+
+PROMPT="
+
+# Your Job
+
+${JOB_DESCRIPTION}"
+
+LLM_PROVIDER="${LLM_PROVIDER:-anthropic}"
+
+MODEL_FLAGS="--provider $LLM_PROVIDER"
+if [ -n "$LLM_MODEL" ]; then
+    MODEL_FLAGS="$MODEL_FLAGS --model $LLM_MODEL"
+fi
+
+# Generate models.json for custom provider (OpenAI-compatible endpoints like Ollama)
+if [ "$LLM_PROVIDER" = "custom" ] && [ -n "$OPENAI_BASE_URL" ]; then
+    # If no API key was provided, set a dummy so Pi doesn't send empty auth
+    if [ -z "$CUSTOM_API_KEY" ]; then
+        export CUSTOM_API_KEY="not-needed"
+    fi
+    cat > /home/agent/.pi/agent/models.json <<MODELS
+{
+  "providers": {
+    "custom": {
+      "baseUrl": "$OPENAI_BASE_URL",
+      "api": "openai-completions",
+      "apiKey": "CUSTOM_API_KEY",
+      "models": [{ "id": "$LLM_MODEL" }]
+    }
+  }
+}
+MODELS
+fi
+
+# Copy custom models.json to PI's global config if present in repo (overrides generated)
+if [ -f "/job/.pi/agent/models.json" ]; then
+    mkdir -p /home/agent/.pi/agent
+    cp /job/.pi/agent/models.json /home/agent/.pi/agent/models.json
+fi
+
+# Run Pi — capture exit code instead of letting set -e kill the script
+set +e
+pi $MODEL_FLAGS -p "$PROMPT" --session-dir "${LOG_DIR}"
+PI_EXIT=$?
+
+# 2. Commit based on outcome
+if [ $PI_EXIT -ne 0 ]; then
+    # Pi failed — only commit session logs, not partial code changes
+    git reset || true
+    git add -f "${LOG_DIR}"
+    git commit -m "🤖 Agent Job: ${TITLE} (failed)" || true
+else
+    # Pi succeeded — commit everything
+    git add -A
+    git add -f "${LOG_DIR}"
+    git commit -m "🤖 Agent Job: ${TITLE}" || true
+fi
+
+git push origin
+
+# Capture log commit SHA, then remove logs so they don't merge into main
+LOG_SHA=$(git rev-parse HEAD)
+git rm -rf "${LOG_DIR}"
+git commit -m "done." || true
+git push origin
+set -e
+
+# Create PR with log permalink (auto-merge handled by GitHub Actions workflow)
+REPO_SLUG=$(gh repo view --json nameWithOwner -q .nameWithOwner)
+LOG_URL="https://github.com/${REPO_SLUG}/tree/${LOG_SHA}/logs/${JOB_ID}"
+gh pr create --title "🤖 Agent Job: ${TITLE}" \
+  --body "📋 [View Job Logs](${LOG_URL})"$'\n\n---\n\n'"${JOB_DESCRIPTION}" \
+  --base main || true
+
+# Cleanup
+if [ -n "$CHROME_PID" ]; then
+    kill $CHROME_PID 2>/dev/null || true
+fi
+
+# Re-raise Pi's failure so the workflow reports it
+if [ $PI_EXIT -ne 0 ]; then
+    echo "Pi exited with code ${PI_EXIT}"
+    exit $PI_EXIT
+fi
+
+echo "Done. Job ID: ${JOB_ID}"

package/templates/docker-compose.local.yml

@@ -0,0 +1,78 @@
+# GigaClaw — Local Mode (docker-compose.local.yml)
+# Runs GigaClaw 100% offline using Ollama for LLM inference.
+# No GitHub, no ngrok, no Telegram required.
+#
+# Prerequisites:
+#   1. Install Ollama: https://ollama.com/download
+#   2. Pull a model:   ollama pull llama3.1:8b
+#   3. Start Ollama:   ollama serve
+#
+# Start GigaClaw:
+#   docker compose -f docker-compose.local.yml up -d
+#
+# Access the web interface at: http://localhost:3000
+#
+# ─── NOTE ────────────────────────────────────────────────────────────────────
+# This compose file builds GigaClaw from your local source code using the
+# official Node.js image. No private Docker registry or login is required.
+# First build: ~2-3 minutes. Subsequent starts: instant.
+# ─────────────────────────────────────────────────────────────────────────────
+
+services:
+  gigaclaw:
+    container_name: gigaclaw-local
+    # Build from local source — no private registry or docker login required
+    build:
+      context: .
+      dockerfile_inline: |
+        FROM node:20-alpine
+        WORKDIR /app
+        COPY package*.json ./
+        RUN npm ci
+        COPY . .
+        EXPOSE 3000
+        ENV NODE_ENV=development
+        CMD ["npm", "run", "dev"]
+    ports:
+      - "3000:3000"
+    volumes:
+      # Mount source for hot-reload in dev mode
+      - .:/app
+      - /app/node_modules
+      # Persist the SQLite database across container restarts
+      - gigaclaw-data:/app/data
+    environment:
+      # Ollama runs on the host machine — Docker reaches it via host.docker.internal
+      - OLLAMA_BASE_URL=${OLLAMA_BASE_URL:-http://host.docker.internal:11434}
+      - NODE_ENV=development
+    env_file:
+      - .env
+    extra_hosts:
+      # Ensures host.docker.internal resolves on Linux (already works on macOS/Windows)
+      - "host.docker.internal:host-gateway"
+    stop_grace_period: 30s
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://localhost:3000/api/ping"]
+      interval: 15s
+      timeout: 5s
+      retries: 3
+      start_period: 60s
+    restart: unless-stopped
+
+  # Optional: self-hosted push notifications over LAN (no internet required)
+  # Enable with: docker compose -f docker-compose.local.yml --profile notifications up -d
+  ntfy:
+    image: binwiederhier/ntfy
+    container_name: gigaclaw-ntfy
+    ports:
+      - "8080:80"
+    command: serve --base-url http://localhost:8080
+    volumes:
+      - ntfy-data:/var/cache/ntfy
+    profiles:
+      - notifications
+    restart: unless-stopped
+
+volumes:
+  gigaclaw-data:
+  ntfy-data:

package/templates/docker-compose.yml

@@ -0,0 +1,64 @@
+services:
+  traefik:
+    image: traefik:v3
+    command:
+      - --providers.docker=true
+      - --providers.docker.exposedByDefault=false
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      ## Uncomment the following lines to enable TLS via Let's Encrypt
+      ## (requires LETSENCRYPT_EMAIL in .env):
+      # - --entrypoints.web.http.redirections.entrypoint.to=websecure
+      # - --entrypoints.web.http.redirections.entrypoint.scheme=https
+      # - --certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL}
+      # - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
+      # - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - traefik_certs:/letsencrypt
+    restart: unless-stopped
+
+  event-handler:
+    container_name: gigaclaw-event-handler
+    image: ${EVENT_HANDLER_IMAGE_URL:-gignaati/gigaclaw:event-handler-${GIGACLAW_VERSION:-latest}}
+    volumes:
+      - .:/app
+      - /app/node_modules
+      - /var/run/docker.sock:/var/run/docker.sock
+    labels:
+      - traefik.enable=true
+      # Set APP_HOSTNAME in .env to the domain from APP_URL (e.g., mybot.example.com)
+      - traefik.http.routers.event-handler.rule=Host(`${APP_HOSTNAME}`)
+      - traefik.http.routers.event-handler.entrypoints=web
+      - traefik.http.services.event-handler.loadbalancer.server.port=80
+      ## Uncomment the following lines to enable TLS via Let's Encrypt:
+      # - traefik.http.routers.event-handler.entrypoints=websecure
+      # - traefik.http.routers.event-handler.tls.certresolver=letsencrypt
+    stop_grace_period: 120s
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:80/api/ping"]
+      interval: 10s
+      timeout: 3s
+      retries: 3
+      start_period: 30s
+    restart: unless-stopped
+
+  runner:
+    image: myoung34/github-runner:latest
+    deploy:
+      replicas: ${RUNNER_REPLICAS:-2}
+    environment:
+      REPO_URL: https://github.com/${GH_OWNER}/${GH_REPO}
+      ACCESS_TOKEN: ${GH_TOKEN}
+      RUNNER_SCOPE: repo
+      LABELS: self-hosted
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - .:/project:ro
+    restart: unless-stopped
+
+volumes:
+  traefik_certs:

package/templates/instrumentation.js

@@ -0,0 +1,6 @@
+export async function register() {
+  if (process.env.NEXT_RUNTIME === 'nodejs') {
+    const { register } = await import('gigaclaw/instrumentation');
+    await register();
+  }
+}