spawnfile 0.1.3 → 0.1.5

package/dist/compiler/moltnetArtifacts.js

@@ -1,77 +1,13 @@
-import { getRuntimeAdapter } from "../runtime/index.js";
 import { SpawnfileError } from "../shared/index.js";
+import { createMoltnetNativeServerConfig, createMoltnetNodeConfigPath, createMoltnetServerConfigPath, resolveMoltnetBaseUrl, resolveMoltnetClientAuth } from "./moltnetConfigLowering.js";
 import { listConcreteMoltnetRoomMemberIds } from "./moltnetRoomMemberships.js";
+import { resolveRuntimeConfig } from "./moltnetRuntimeConfig.js";
 const DEFAULT_MOLTNET_PORT = 8787;
-const DEFAULT_TINYCLAW_PORT = 3777;
 const ROOTFS_PREFIX = "container/rootfs";
-const INSTANCE_ROOT_PLACEHOLDER = "<instance-root>";
-const CONFIG_FILE_PLACEHOLDER = "<config-file>";
 const createServerKey = (networkId) => networkId;
-const createBridgeConfigPath = (teamSlug, networkId, agentId) => `${ROOTFS_PREFIX}/var/lib/spawnfile/moltnet/bridges/${teamSlug}-${networkId}-${agentId}.json`;
-const resolveSequentialRuntimePort = (plan, runtimeName, slug) => {
-    const adapter = getRuntimeAdapter(runtimeName);
-    const basePort = adapter.container.port;
-    if (basePort === undefined) {
-        return undefined;
-    }
-    const runtimeAgents = plan.nodes.filter((node) => node.kind === "agent" && node.runtimeName === runtimeName);
-    const index = runtimeAgents.findIndex((node) => node.slug === slug);
-    if (index < 0) {
-        return undefined;
-    }
-    return basePort + (index * (adapter.container.portStride ?? 1));
-};
-const createTinyClawChannel = (networkId, agentId) => `moltnet:${networkId}:${agentId}`;
-const replaceContainerPathTemplate = (template, instanceRoot, configFileName) => template
-    .replaceAll(INSTANCE_ROOT_PLACEHOLDER, instanceRoot)
-    .replaceAll(CONFIG_FILE_PLACEHOLDER, configFileName);
-const resolveRuntimeInstancePaths = (runtimeName, slug) => {
-    const adapter = getRuntimeAdapter(runtimeName);
-    const instanceRoot = `/var/lib/spawnfile/instances/${runtimeName}/agent-${slug}`;
-    return {
-        configPath: replaceContainerPathTemplate(adapter.container.instancePaths.configPathTemplate, instanceRoot, adapter.container.configFileName),
-        homePath: adapter.container.instancePaths.homePathTemplate
-            ? replaceContainerPathTemplate(adapter.container.instancePaths.homePathTemplate, instanceRoot, adapter.container.configFileName)
-            : undefined
-    };
-};
-const resolveRuntimeConfig = (plan, agentNode, nodeSlug, networkId, agentId) => {
-    switch (agentNode.runtime.name) {
-        case "openclaw": {
-            const port = resolveSequentialRuntimePort(plan, "openclaw", nodeSlug);
-            if (!port) {
-                throw new SpawnfileError("compile_error", `Unable to resolve OpenClaw gateway port for Moltnet agent ${agentNode.name}`);
-            }
-            const instancePaths = resolveRuntimeInstancePaths("openclaw", nodeSlug);
-            return {
-                gateway_url: `ws://127.0.0.1:${port}`,
-                ...(instancePaths.homePath ? { home_path: instancePaths.homePath } : {}),
-                kind: "openclaw",
-            };
-        }
-        case "picoclaw": {
-            const instancePaths = resolveRuntimeInstancePaths("picoclaw", nodeSlug);
-            return {
-                command: "/usr/local/bin/picoclaw",
-                config_path: instancePaths.configPath,
-                ...(instancePaths.homePath ? { home_path: instancePaths.homePath } : {}),
-                kind: "picoclaw",
-            };
-        }
-        case "tinyclaw": {
-            const channel = createTinyClawChannel(networkId, agentId);
-            return {
-                ack_url: `http://127.0.0.1:${DEFAULT_TINYCLAW_PORT}/api/responses`,
-                channel,
-                inbound_url: `http://127.0.0.1:${DEFAULT_TINYCLAW_PORT}/api/message`,
-                kind: "tinyclaw",
-                outbound_url: `http://127.0.0.1:${DEFAULT_TINYCLAW_PORT}/api/responses/pending?channel=${encodeURIComponent(channel)}`
-            };
-        }
-        default:
-            throw new SpawnfileError("compile_error", `Moltnet does not know how to attach runtime ${agentNode.runtime.name} directly`);
-    }
-};
+const toContainerRootfsPath = (rootfsPath) => `/${rootfsPath.replace(`${ROOTFS_PREFIX}/`, "")}`;
+const isNetworkHttpEnabled = (network) => network.server?.mode === "managed" && network.server.human_ingress === true;
+const resolveNetworkPort = (network, fallbackPort) => network.server?.mode === "managed" ? network.server.listen.port : fallbackPort;
 export const generateMoltnetArtifacts = async (plan) => {
     const teamNodes = plan.nodes
         .filter((node) => node.kind === "team")
@@ -83,9 +19,16 @@ export const generateMoltnetArtifacts = async (plan) => {
     let nextPort = DEFAULT_MOLTNET_PORT;
     for (const teamNode of teamNodes) {
         for (const network of teamNode.value.networks ?? []) {
+            const server = network.server;
+            if (!server) {
+                throw new SpawnfileError("validation_error", `Moltnet network ${network.id} must declare server`);
+            }
             const serverKey = createServerKey(network.id);
             const existingPlan = serverPlans.get(serverKey);
             if (existingPlan) {
+                if (existingPlan.baseUrl !== resolveMoltnetBaseUrl(server)) {
+                    throw new SpawnfileError("validation_error", `Duplicate Moltnet network ${network.id} declares conflicting server URL`);
+                }
                 for (const room of network.rooms) {
                     const concreteMembers = listConcreteMoltnetRoomMemberIds(plan, teamNode.value, network.id, room);
                     const existingRoom = existingPlan.rooms.find((entry) => entry.id === room.id);
@@ -97,31 +40,64 @@ export const generateMoltnetArtifacts = async (plan) => {
                     else {
                         existingPlan.rooms.push({
                             id: room.id,
-                            members: concreteMembers
+                            members: concreteMembers,
+                            ...(room.name ? { name: room.name } : {})
                         });
                     }
                 }
                 existingPlan.rooms.sort((left, right) => left.id.localeCompare(right.id));
             }
             else {
+                const port = server.mode === "managed" ? resolveNetworkPort(network, nextPort) : undefined;
+                const serverId = `${teamNode.slug}-${network.id}`;
                 serverPlans.set(serverKey, {
-                    id: `${teamNode.slug}-${network.id}`,
+                    baseUrl: resolveMoltnetBaseUrl(server),
+                    ...(server.mode === "managed"
+                        ? { configPath: toContainerRootfsPath(createMoltnetServerConfigPath(serverId)) }
+                        : {}),
+                    id: serverId,
+                    mode: server.mode,
                     name: network.name,
                     networkId: network.id,
-                    port: nextPort,
+                    ...(port ? { port } : {}),
                     rooms: network.rooms.map((room) => ({
                         id: room.id,
-                        members: listConcreteMoltnetRoomMemberIds(plan, teamNode.value, network.id, room)
+                        members: listConcreteMoltnetRoomMemberIds(plan, teamNode.value, network.id, room),
+                        ...(room.name ? { name: room.name } : {})
                     })),
+                    server,
+                    secretPatches: [],
                     teamSource: teamNode.value.source
                 });
-                nextPort += 1;
+                if (port) {
+                    nextPort = Math.max(nextPort, port + 1);
+                }
             }
         }
     }
-    const bridgePlans = [];
-    const bridgePlanKeys = new Set();
+    const nodePlans = [];
+    const nodePlanKeys = new Set();
     const configFiles = [];
+    for (const teamNode of teamNodes) {
+        for (const network of teamNode.value.networks ?? []) {
+            const serverPlan = serverPlans.get(createServerKey(network.id));
+            if (!serverPlan || !network.server || network.server.mode !== "managed" || !serverPlan.configPath) {
+                continue;
+            }
+            const native = createMoltnetNativeServerConfig({
+                networkId: network.id,
+                networkName: network.name,
+                rooms: serverPlan.rooms,
+                server: network.server
+            });
+            serverPlan.secretPatches = native.secretPatches;
+            configFiles.push({
+                content: `${JSON.stringify(native.config, null, 2)}\n`,
+                mode: 0o600,
+                path: createMoltnetServerConfigPath(serverPlan.id)
+            });
+        }
+    }
     for (const node of plan.nodes) {
         if (node.kind !== "agent") {
             continue;
@@ -142,67 +118,107 @@ export const generateMoltnetArtifacts = async (plan) => {
             if (!serverPlan) {
                 throw new SpawnfileError("validation_error", `Unable to find Moltnet network ${attachment.network} for ${agentNode.name}`);
             }
-            const configPath = createBridgeConfigPath(teamNode.slug, attachment.network, attachment.memberId);
-            const bridgePlanKey = `${attachment.network}::${attachment.memberId}`;
-            if (bridgePlanKeys.has(bridgePlanKey)) {
-                throw new SpawnfileError("validation_error", `Duplicate Moltnet bridge attachment for ${attachment.network}/${attachment.memberId}`);
+            const network = teamNode.value.networks?.find((entry) => entry.id === attachment.network);
+            if (!network) {
+                throw new SpawnfileError("validation_error", `Unable to find Moltnet network ${attachment.network} for ${agentNode.name}`);
+            }
+            if (network.server?.mode === "managed" && network.server.direct_messages === false && attachment.dms) {
+                throw new SpawnfileError("validation_error", `Moltnet network ${attachment.network} disables direct messages but ${agentNode.name} declares dms`);
             }
-            bridgePlanKeys.add(bridgePlanKey);
+            if (!network.server) {
+                throw new SpawnfileError("validation_error", `Moltnet network ${attachment.network} must declare server`);
+            }
+            const configPath = createMoltnetNodeConfigPath(teamNode.slug, attachment.network, attachment.memberId);
+            const nodePlanKey = `${attachment.network}::${attachment.memberId}`;
+            if (nodePlanKeys.has(nodePlanKey)) {
+                throw new SpawnfileError("validation_error", `Duplicate Moltnet node attachment for ${attachment.network}/${attachment.memberId}`);
+            }
+            nodePlanKeys.add(nodePlanKey);
+            const clientAuth = resolveMoltnetClientAuth(network.server, attachment.network, attachment.memberId);
+            const usesPerAttachmentOpenToken = clientAuth.mode === "open" &&
+                clientAuth.staticToken !== true &&
+                Boolean(clientAuth.tokenEnv || clientAuth.tokenPath);
             configFiles.push({
                 content: `${JSON.stringify({
-                    version: "moltnet.bridge.v1",
-                    agent: {
-                        id: attachment.memberId,
-                        name: agentNode.name
-                    },
+                    version: "moltnet.node.v1",
                     moltnet: {
-                        base_url: `http://127.0.0.1:${serverPlan.port}`,
-                        network_id: attachment.network
-                    },
-                    runtime: resolveRuntimeConfig(plan, agentNode, node.slug, attachment.network, attachment.memberId),
-                    ...(attachment.rooms
-                        ? {
-                            rooms: Object.entries(attachment.rooms)
-                                .sort(([left], [right]) => left.localeCompare(right))
-                                .map(([roomId, policy]) => ({
-                                id: roomId,
-                                ...(policy.read ? { read: policy.read } : {}),
-                                ...(policy.reply ? { reply: policy.reply } : {})
-                            }))
-                        }
-                        : {}),
-                    ...(attachment.dms
-                        ? {
-                            dms: {
-                                enabled: attachment.dms.enabled,
-                                ...(attachment.dms.read ? { read: attachment.dms.read } : {}),
-                                ...(attachment.dms.reply ? { reply: attachment.dms.reply } : {})
+                        base_url: serverPlan.baseUrl,
+                        network_id: attachment.network,
+                        auth_mode: clientAuth.mode,
+                        ...(clientAuth.staticToken
+                            ? { static_token: true }
+                            : {}),
+                        ...(!usesPerAttachmentOpenToken && clientAuth.tokenEnv
+                            ? {
+                                token_env: clientAuth.tokenEnv
                             }
+                            : {}),
+                        ...(!usesPerAttachmentOpenToken && clientAuth.tokenPath
+                            ? {
+                                token_path: clientAuth.tokenPath
+                            }
+                            : {})
+                    },
+                    attachments: [
+                        {
+                            agent: {
+                                id: attachment.memberId,
+                                name: agentNode.name
+                            },
+                            ...(usesPerAttachmentOpenToken
+                                ? {
+                                    moltnet: {
+                                        ...(clientAuth.tokenEnv ? { token_env: clientAuth.tokenEnv } : {}),
+                                        ...(clientAuth.tokenPath ? { token_path: clientAuth.tokenPath } : {})
+                                    }
+                                }
+                                : {}),
+                            runtime: resolveRuntimeConfig(plan, agentNode, node.slug, attachment.network, attachment.memberId),
+                            ...(attachment.rooms
+                                ? {
+                                    rooms: Object.entries(attachment.rooms)
+                                        .sort(([left], [right]) => left.localeCompare(right))
+                                        .map(([roomId, policy]) => ({
+                                        id: roomId,
+                                        ...(policy.read ? { read: policy.read } : {}),
+                                        ...(policy.reply ? { reply: policy.reply } : {})
+                                    }))
+                                }
+                                : {}),
+                            ...(attachment.dms
+                                ? {
+                                    dms: {
+                                        enabled: attachment.dms.enabled,
+                                        ...(attachment.dms.read ? { read: attachment.dms.read } : {}),
+                                        ...(attachment.dms.reply ? { reply: attachment.dms.reply } : {})
+                                    }
+                                }
+                                : {})
                         }
-                        : {})
+                    ]
                 }, null, 2)}\n`,
                 mode: 0o600,
                 path: configPath
             });
-            bridgePlans.push({
-                agentId: attachment.memberId,
-                configPath: `/${configPath.replace(`${ROOTFS_PREFIX}/`, "")}`,
-                networkId: attachment.network,
-                runtime: agentNode.runtime.name
+            nodePlans.push({
+                configPath: toContainerRootfsPath(configPath),
+                networkId: attachment.network
             });
         }
     }
+    const managedServerPlans = [...serverPlans.values()].filter((serverPlan) => serverPlan.mode === "managed");
     return {
-        bridgePlans: bridgePlans.sort((left, right) => left.configPath.localeCompare(right.configPath)),
         files: configFiles,
-        ports: [...new Set([...serverPlans.values()].map((plan) => plan.port))].sort((left, right) => left - right),
+        nodePlans: nodePlans.sort((left, right) => left.configPath.localeCompare(right.configPath)),
+        ports: [...new Set(managedServerPlans.map((serverPlan) => serverPlan.port).filter((port) => port !== undefined))].sort((left, right) => left - right),
         publishedPorts: [
             ...new Set(teamNodes
-                .flatMap((teamNode) => (teamNode.value.networks ?? []).map((network) => network.expose
+                .flatMap((teamNode) => (teamNode.value.networks ?? []).map((network) => isNetworkHttpEnabled(network)
                 ? serverPlans.get(createServerKey(network.id))?.port
                 : undefined))
                 .filter((port) => port !== undefined))
         ].sort((left, right) => left - right),
-        serverPlans: [...serverPlans.values()].sort((left, right) => left.port - right.port)
+        serverPlans: [...serverPlans.values()].sort((left, right) => (left.port ?? Number.MAX_SAFE_INTEGER) - (right.port ?? Number.MAX_SAFE_INTEGER)
+            || left.networkId.localeCompare(right.networkId))
     };
 };

package/dist/compiler/moltnetClientConfig.js

@@ -1,4 +1,5 @@
 import { SpawnfileError } from "../shared/index.js";
+import { resolveMoltnetClientAuth } from "./moltnetConfigLowering.js";
 const GENERATED_SKILL_NAME = "moltnet";
 const GENERATED_CONFIG_PATH = ".moltnet/config.json";
 const createConfigContent = (node, attachments) => `${JSON.stringify({
@@ -23,10 +24,15 @@ const createAttachmentConfig = (node, artifacts, attachment) => {
         throw new SpawnfileError("compile_error", `Moltnet client config requires a resolved member id for ${node.name}`);
     }
     const serverPlan = findServerPlan(artifacts, attachment);
+    const auth = resolveMoltnetClientAuth(serverPlan.server, attachment.network, attachment.memberId);
     return {
         agent_name: node.name,
-        auth: { mode: "none" },
-        base_url: `http://127.0.0.1:${serverPlan.port}`,
+        auth: {
+            mode: auth.mode,
+            ...(auth.tokenEnv ? { token_env: auth.tokenEnv } : {}),
+            ...(auth.tokenPath ? { token_path: auth.tokenPath } : {})
+        },
+        base_url: serverPlan.baseUrl,
         ...(attachment.dms
             ? {
                 dms: {

package/dist/compiler/moltnetConfigLowering.d.ts

@@ -0,0 +1,36 @@
+import type { TeamNetworkServer } from "../manifest/index.js";
+export interface MoltnetSecretPatch {
+    envName: string;
+    jsonPath: string;
+}
+export interface MoltnetClientAuthPlan {
+    mode: "bearer" | "none" | "open";
+    staticToken?: boolean;
+    tokenEnv?: string;
+    tokenPath?: string;
+}
+export interface MoltnetNativeRoomConfig {
+    id: string;
+    members: string[];
+    name?: string;
+}
+export interface MoltnetNativeServerConfigInput {
+    networkId: string;
+    networkName: string;
+    rooms: MoltnetNativeRoomConfig[];
+    server: Extract<TeamNetworkServer, {
+        mode: "managed";
+    }>;
+}
+export declare const createMoltnetOpenTokenPath: (networkId: string, memberId: string) => string;
+export declare const createMoltnetServerConfigPath: (serverId: string) => string;
+export declare const createMoltnetNodeConfigPath: (teamSlug: string, networkId: string, agentId: string) => string;
+export declare const renderMoltnetListenAddr: (server: Extract<TeamNetworkServer, {
+    mode: "managed";
+}>) => string;
+export declare const resolveMoltnetBaseUrl: (server: TeamNetworkServer) => string;
+export declare const resolveMoltnetClientAuth: (server: TeamNetworkServer, networkId: string, memberId: string) => MoltnetClientAuthPlan;
+export declare const createMoltnetNativeServerConfig: ({ networkId, networkName, rooms, server }: MoltnetNativeServerConfigInput) => {
+    config: Record<string, unknown>;
+    secretPatches: MoltnetSecretPatch[];
+};

package/dist/compiler/moltnetConfigLowering.js

@@ -0,0 +1,125 @@
+const pathSafeSegment = (value) => value.replace(/[^A-Za-z0-9_.-]+/g, "-").replace(/^-+|-+$/g, "") || "item";
+const isIpv6Literal = (value) => value.includes(":");
+export const createMoltnetOpenTokenPath = (networkId, memberId) => `/var/lib/spawnfile/moltnet/tokens/${pathSafeSegment(networkId)}/${pathSafeSegment(memberId)}.token`;
+export const createMoltnetServerConfigPath = (serverId) => `container/rootfs/var/lib/spawnfile/moltnet/servers/${pathSafeSegment(serverId)}/Moltnet.json`;
+export const createMoltnetNodeConfigPath = (teamSlug, networkId, agentId) => `container/rootfs/var/lib/spawnfile/moltnet/nodes/${pathSafeSegment(teamSlug)}-${pathSafeSegment(networkId)}-${pathSafeSegment(agentId)}.json`;
+export const renderMoltnetListenAddr = (server) => {
+    const bind = server.listen.bind;
+    return `${isIpv6Literal(bind) ? `[${bind}]` : bind}:${server.listen.port}`;
+};
+export const resolveMoltnetBaseUrl = (server) => {
+    if (server.mode === "external") {
+        return server.url;
+    }
+    if (server.url && server.url.trim().length > 0) {
+        return server.url.trim();
+    }
+    const bind = server.listen.bind;
+    const host = bind === "0.0.0.0" || bind === "::"
+        ? "127.0.0.1"
+        : isIpv6Literal(bind)
+            ? `[${bind}]`
+            : bind;
+    return `http://${host}:${server.listen.port}`;
+};
+export const resolveMoltnetClientAuth = (server, networkId, memberId) => {
+    if (server.auth.mode === "none") {
+        return { mode: "none" };
+    }
+    const client = server.auth.client;
+    if (server.auth.mode === "open" && !client) {
+        return {
+            mode: "open",
+            tokenPath: createMoltnetOpenTokenPath(networkId, memberId)
+        };
+    }
+    if (!client) {
+        return { mode: server.auth.mode };
+    }
+    const tokenEnv = client.token_env
+        ?? (client.token_id && server.mode === "managed"
+            ? server.auth.tokens?.find((token) => token.id === client.token_id)?.secret
+            : undefined);
+    return {
+        mode: server.auth.mode,
+        ...(client.static_token ? { staticToken: true } : {}),
+        ...(tokenEnv ? { tokenEnv } : {}),
+        ...(client.token_path ? { tokenPath: client.token_path } : {})
+    };
+};
+const storageConfigFor = (store) => {
+    switch (store.kind) {
+        case "sqlite":
+            return { kind: "sqlite", sqlite: { path: store.path } };
+        case "json":
+            return { kind: "json", json: { path: store.path } };
+        case "postgres":
+            return { kind: "postgres", postgres: { dsn: "" } };
+        case "memory":
+            return { kind: "memory" };
+    }
+};
+export const createMoltnetNativeServerConfig = ({ networkId, networkName, rooms, server }) => {
+    const secretPatches = [];
+    const tokens = (server.auth.tokens ?? []).map((token, index) => {
+        secretPatches.push({
+            envName: token.secret,
+            jsonPath: `auth.tokens.${index}.value`
+        });
+        return {
+            id: token.id,
+            value: "",
+            scopes: token.scopes,
+            ...(token.agents ? { agents: token.agents } : {})
+        };
+    });
+    const pairings = (server.pairings ?? []).map((pairing, index) => {
+        secretPatches.push({
+            envName: pairing.token_secret,
+            jsonPath: `pairings.${index}.token`
+        });
+        return {
+            id: pairing.id,
+            remote_network_id: pairing.remote_network_id,
+            remote_network_name: pairing.remote_network_name,
+            remote_base_url: pairing.remote_base_url,
+            token: ""
+        };
+    });
+    if (server.store.kind === "postgres") {
+        secretPatches.push({
+            envName: server.store.dsn_secret,
+            jsonPath: "storage.postgres.dsn"
+        });
+    }
+    return {
+        config: {
+            version: "moltnet.v1",
+            network: {
+                id: networkId,
+                name: networkName
+            },
+            server: {
+                listen_addr: renderMoltnetListenAddr(server),
+                ...(server.human_ingress !== undefined ? { human_ingress: server.human_ingress } : {}),
+                ...(server.direct_messages !== undefined ? { direct_messages: server.direct_messages } : {}),
+                ...(server.trust_forwarded_proto !== undefined
+                    ? { trust_forwarded_proto: server.trust_forwarded_proto }
+                    : {}),
+                ...(server.allowed_origins ? { allowed_origins: server.allowed_origins } : {})
+            },
+            auth: {
+                mode: server.auth.mode,
+                ...(tokens.length > 0 ? { tokens } : {})
+            },
+            storage: storageConfigFor(server.store),
+            rooms: rooms.map((room) => ({
+                id: room.id,
+                ...(room.name ? { name: room.name } : {}),
+                members: room.members
+            })),
+            ...(pairings.length > 0 ? { pairings } : {})
+        },
+        secretPatches
+    };
+};

package/dist/compiler/moltnetRuntimeConfig.d.ts

@@ -0,0 +1,2 @@
+import type { CompilePlan, ResolvedAgentNode } from "./types.js";
+export declare const resolveRuntimeConfig: (plan: CompilePlan, agentNode: ResolvedAgentNode, nodeSlug: string, networkId: string, agentId: string) => Record<string, string>;

package/dist/compiler/moltnetRuntimeConfig.js

@@ -0,0 +1,69 @@
+import { getRuntimeAdapter } from "../runtime/index.js";
+import { SpawnfileError } from "../shared/index.js";
+const DEFAULT_TINYCLAW_PORT = 3777;
+const INSTANCE_ROOT_PLACEHOLDER = "<instance-root>";
+const CONFIG_FILE_PLACEHOLDER = "<config-file>";
+const resolveSequentialRuntimePort = (plan, runtimeName, slug) => {
+    const adapter = getRuntimeAdapter(runtimeName);
+    const basePort = adapter.container.port;
+    if (basePort === undefined) {
+        return undefined;
+    }
+    const runtimeAgents = plan.nodes.filter((node) => node.kind === "agent" && node.runtimeName === runtimeName);
+    const index = runtimeAgents.findIndex((node) => node.slug === slug);
+    if (index < 0) {
+        return undefined;
+    }
+    return basePort + (index * (adapter.container.portStride ?? 1));
+};
+const createTinyClawChannel = (networkId, agentId) => `moltnet:${networkId}:${agentId}`;
+const replaceContainerPathTemplate = (template, instanceRoot, configFileName) => template
+    .replaceAll(INSTANCE_ROOT_PLACEHOLDER, instanceRoot)
+    .replaceAll(CONFIG_FILE_PLACEHOLDER, configFileName);
+const resolveRuntimeInstancePaths = (runtimeName, slug) => {
+    const adapter = getRuntimeAdapter(runtimeName);
+    const instanceRoot = `/var/lib/spawnfile/instances/${runtimeName}/agent-${slug}`;
+    return {
+        configPath: replaceContainerPathTemplate(adapter.container.instancePaths.configPathTemplate, instanceRoot, adapter.container.configFileName),
+        homePath: adapter.container.instancePaths.homePathTemplate
+            ? replaceContainerPathTemplate(adapter.container.instancePaths.homePathTemplate, instanceRoot, adapter.container.configFileName)
+            : undefined
+    };
+};
+export const resolveRuntimeConfig = (plan, agentNode, nodeSlug, networkId, agentId) => {
+    switch (agentNode.runtime.name) {
+        case "openclaw": {
+            const port = resolveSequentialRuntimePort(plan, "openclaw", nodeSlug);
+            if (!port) {
+                throw new SpawnfileError("compile_error", `Unable to resolve OpenClaw gateway port for Moltnet agent ${agentNode.name}`);
+            }
+            const instancePaths = resolveRuntimeInstancePaths("openclaw", nodeSlug);
+            return {
+                gateway_url: `ws://127.0.0.1:${port}`,
+                ...(instancePaths.homePath ? { home_path: instancePaths.homePath } : {}),
+                kind: "openclaw"
+            };
+        }
+        case "picoclaw": {
+            const instancePaths = resolveRuntimeInstancePaths("picoclaw", nodeSlug);
+            return {
+                command: "/usr/local/bin/picoclaw",
+                config_path: instancePaths.configPath,
+                ...(instancePaths.homePath ? { home_path: instancePaths.homePath } : {}),
+                kind: "picoclaw"
+            };
+        }
+        case "tinyclaw": {
+            const channel = createTinyClawChannel(networkId, agentId);
+            return {
+                ack_url: `http://127.0.0.1:${DEFAULT_TINYCLAW_PORT}/api/responses`,
+                channel,
+                inbound_url: `http://127.0.0.1:${DEFAULT_TINYCLAW_PORT}/api/message`,
+                kind: "tinyclaw",
+                outbound_url: `http://127.0.0.1:${DEFAULT_TINYCLAW_PORT}/api/responses/pending?channel=${encodeURIComponent(channel)}`
+            };
+        }
+        default:
+            throw new SpawnfileError("compile_error", `Moltnet does not know how to attach runtime ${agentNode.runtime.name} directly`);
+    }
+};

package/dist/compiler/runProject.d.ts

@@ -16,6 +16,7 @@ export interface RunProjectOptions extends CompileProjectOptions {
     containerName?: string;
     detach?: boolean;
     dockerCommand?: string;
+    envFilePath?: string;
     imageTag?: string;
     runRunner?: DockerRunRunner;
 }
@@ -29,6 +30,7 @@ export declare const createDockerRunInvocation: (compileResult: CompileProjectRe
     containerName?: string;
     detach?: boolean;
     dockerCommand?: string;
+    envFilePath?: string;
 }) => Promise<DockerRunInvocation>;
 export declare const runDockerContainer: DockerRunRunner;
 export declare const runProject: (inputPath: string, options?: RunProjectOptions) => Promise<RunProjectResult>;

package/dist/compiler/runProject.js

@@ -3,8 +3,8 @@ import path from "node:path";
 import { mkdtemp } from "node:fs/promises";
 import { randomBytes } from "node:crypto";
 import { spawn } from "node:child_process";
-import { requireAuthProfile } from "../auth/index.js";
-import { ensureDirectory, fileExists, removeDirectory, writeUtf8File } from "../filesystem/index.js";
+import { parseEnvFile, requireAuthProfile } from "../auth/index.js";
+import { ensureDirectory, fileExists, readUtf8File, removeDirectory, writeUtf8File } from "../filesystem/index.js";
 import { SpawnfileError } from "../shared/index.js";
 import { compileProject } from "./compileProject.js";
 import { createDefaultImageTag } from "./buildProject.js";
@@ -47,9 +47,10 @@ const collectMissingRequiredSecrets = (containerReport, env, coveredModelSecrets
     }
     return [...missing].sort();
 };
-const resolveRunEnvironment = (containerReport, authProfile) => {
+const resolveRunEnvironment = (containerReport, authProfile, envFileEnv = {}) => {
     const env = {
-        ...(authProfile?.env ?? {})
+        ...(authProfile?.env ?? {}),
+        ...envFileEnv
     };
     for (const name of new Set([...Object.keys(env), ...containerReport.secrets_required])) {
         const processValue = process.env[name];
@@ -83,6 +84,18 @@ const renderDockerEnvFile = (env) => `${Object.entries(env)
     .sort(([left], [right]) => left.localeCompare(right))
     .map(([name, value]) => `${name}=${value}`)
     .join("\n")}\n`;
+const readRunEnvFile = async (envFilePath) => {
+    if (!envFilePath) {
+        return {};
+    }
+    try {
+        return parseEnvFile(await readUtf8File(envFilePath));
+    }
+    catch (error) {
+        const reason = error instanceof Error ? error.message : String(error);
+        throw new SpawnfileError("validation_error", `Unable to read env file ${envFilePath}: ${reason}`);
+    }
+};
 const resolveAuthMountArgs = async (containerReport, authProfile) => {
     if (!authProfile || containerReport.runtime_homes.length === 0) {
         return [];
@@ -110,7 +123,7 @@ export const createDockerRunInvocation = async (compileResult, imageTag, options
     const envFilePath = path.join(supportDirectory, "run.env");
     try {
         assertDeclaredModelAuthSatisfied(containerReport, options.authProfile ?? null);
-        const env = resolveRunEnvironment(containerReport, options.authProfile ?? null);
+        const env = resolveRunEnvironment(containerReport, options.authProfile ?? null, await readRunEnvFile(options.envFilePath));
         const preparedRuntimeAuth = await prepareRuntimeAuthMounts(compileResult.outputDirectory, containerReport, options.authProfile ?? null, env, supportDirectory);
         assertRunEnvironmentSatisfied(containerReport, env, preparedRuntimeAuth.coveredModelSecrets);
         await ensureDirectory(supportDirectory);
@@ -178,7 +191,8 @@ export const runProject = async (inputPath, options = {}) => {
         authProfile,
         containerName: options.containerName,
         detach: options.detach,
-        dockerCommand: options.dockerCommand
+        dockerCommand: options.dockerCommand,
+        envFilePath: options.envFilePath
     });
     try {
         await (options.runRunner ?? runDockerContainer)(invocation);