Closed
11 changes: 11 additions & 0 deletions .gitignore
Expand Up @@ -2,6 +2,7 @@
*.log
.ansible/
.vault_pass
backups/

# Secrets and credentials
*.env
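Review bot: `backups/` is added to the log/temp group above the `# Secrets and credentials` header, yet AGENT_HANDOFF.md in this same PR says the backups of `/etc/openclaw/secrets/*.env` land under `backups/`. Move the entry under the secrets header, or add a one-line comment saying the directory holds credential backups, so the next tidy-up of this file does not drop the rule as a stray temp-dir ignore.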
Expand All @@ -13,3 +14,13 @@ vault.yml
id_rsa*
host_vars/
group_vars/

# Keep inventory vars tracked (except vault secrets)
!inventories/
!inventories/**/
!inventories/**/group_vars/
!inventories/**/group_vars/*.yml
!inventories/**/host_vars/
!inventories/**/host_vars/.gitkeep
inventories/**/group_vars/vault.yml
inventories/**/group_vars/vault.manual.refactor.yml
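Review bot: the re-include chain is order-sensitive: `!inventories/**/group_vars/*.yml` un-ignores every YAML file under `group_vars`, `vault.yml` included, and only the two trailing lines ignore it again, so a later broader `!inventories/**` rule appended below them would re-expose the vault. Suggest a comment on the last two lines stating they must stay last, extending `# Keep inventory vars tracked (except vault secrets)` to also name `vault.manual.refactor.yml` (the manual secrets migration file produced by `make secrets-refactor`), and verifying with `git check-ignore -v inventories/dev/group_vars/vault.yml` that the final matching rule is the ignore, not the negation.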
27 changes: 27 additions & 0 deletions AGENT_HANDOFF.md
@@ -0,0 +1,27 @@
# Codex Agent Handoff

## Current State (2026-03-01)
- Enterprise install works end-to-end for `dev-main` + `andrea` profiles; control-plane Spins deployed via Docker Compose stacks under `/home/efra/openclaw-control-plane/` and managed via `make reinstall CONFIRM=1 ENV=dev LIMIT=zennook`.
- Postgres auth reconcilation now uses profile-specific admin credentials before flagging health check failures (`roles/openclaw_control_plane/tasks/profile.yml`).
- Smoke flow verifies queue + control API by checking `/tasks/{taskId}` until the task reaches a terminal status; `ops/smoke.sh` now retries and reports last status.
- OAuth login is manageable via `make oauth-login PROFILES="dev-main andrea" OAUTH_PROVIDER=openai-codex`, automatically sources `/etc/openclaw/secrets/<profile>.env`, and lists auth profiles when done (`ops/oauth-login.sh`).
- Secrets refactor pipeline adds `ops/secrets-refactor.sh`, `ops/validate-secrets.sh`, and the Makefile target `make secrets-refactor` (docs updated accordingly).

## Handoff Checklist
1. Confirm `/etc/openclaw/secrets/dev-main.env` and `/etc/openclaw/secrets/andrea.env` contain the required temp tokens; backups are stored under `backups/`.
2. Run `make reinstall CONFIRM=1 ENV=dev LIMIT=zennook` if the environment is dirty again; the playbooks already handle purge/install/smoke in one shot.
3. After OAuth login you still need to populate `auth-profiles.json` for each agent; run `openclaw --profile <profile> models auth list` to see active entries.
4. Verify Telegram tokens via `cat /etc/openclaw/secrets/dev-main.env` (mask the values in outputs). They are also referenced in `inventories/dev/group_vars/vault.yml` and each control-plane `.env` file.

## Next Steps for Codex agent
- Finish the implementation plan for Ansible multi-agent deployment (already captured elsewhere, but double-check architecture docs and inventory). Copy actionable instructions into the reserved roadmap file.
- When writing PRs, include `@codex` mention, request a full review, and ask for architecture implementation plan per earlier requirements.
- Keep `ops/oauth-login.sh` and `ops/smoke.sh` in sync with any profile additions (e.g., add new profile names to `PROFILES` in `Makefile`).

## Useful Commands
- `make secrets-refactor ENV=dev LIMIT=zennook`
- `make reinstall CONFIRM=1 ENV=dev LIMIT=zennook`
- `make oauth-login PROFILES="dev-main andrea" OAUTH_PROVIDER=openai-codex`
- `make smoke ENV=dev LIMIT=zennook`

Keep notes in this file before handing off to another Codex agent; update the `next steps` section if you take new actions.
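Review bot: checklist step 4 tells the next agent to `cat /etc/openclaw/secrets/dev-main.env` and then mask the values; by then the Telegram tokens have already been printed into the agent transcript. Replace it with a check that never echoes the value, for example a key-name count such as `grep -c TELEGRAM /etc/openclaw/secrets/dev-main.env` (the exact key names are not shown in this diff) or a non-empty test on the variable after sourcing the file, and say so in the step. Minor: `reconcilation` in the Postgres bullet should be `reconciliation`, and the hardcoded `/home/efra/...` paths will not hold on another host.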
73 changes: 73 additions & 0 deletions Makefile
@@ -0,0 +1,73 @@
SHELL := /usr/bin/env bash

.DEFAULT_GOAL := help

ENV ?= dev
INVENTORY ?= inventories/$(ENV)/hosts.yml
LIMIT ?= zennook
PROFILES ?= dev-main andrea
OAUTH_PROVIDER ?= openai-codex
MODEL_REF ?= openai-codex/gpt-5.3-codex

.PHONY: help backup purge install auto-install cloudflare auth-sync oauth-login smoke reinstall secrets-refactor

help:
@echo "OpenClaw Ops Targets"
@echo ""
@echo " make backup Backup current OpenClaw + control-plane state"
@echo " make purge CONFIRM=1 Purge deployed state and containers"
@echo " make install Install/reconcile enterprise + control-plane"
@echo " make auto-install Automated install flow (auth-sync + install + smoke)"
@echo " make secrets-refactor Build manual secrets migration file + validate vault"
@echo " make cloudflare Reconcile Cloudflare tunnel/service only"
@echo " make auth-sync Sync Codex creds from /home/efra/.codex to OpenClaw profiles"
@echo " make oauth-login Alias to make auth-sync (legacy name)"
@echo " make smoke Run post-install smoke checks"
@echo " make reinstall CONFIRM=1 backup + purge + install + smoke"
@echo ""
@echo "Variables:"
@echo " ENV=$(ENV) INVENTORY=$(INVENTORY) LIMIT=$(LIMIT)"
@echo " PROFILES='$(PROFILES)' OAUTH_PROVIDER=$(OAUTH_PROVIDER) MODEL_REF=$(MODEL_REF)"
@echo " AUTO_PURGE=0 AUTO_BACKUP=0 (used by auto-install)"

backup:
@ENV="$(ENV)" INVENTORY="$(INVENTORY)" LIMIT="$(LIMIT)" ./ops/backup.sh

purge:
@if [[ "$(CONFIRM)" != "1" ]]; then echo "Use: make purge CONFIRM=1"; exit 1; fi
@ENV="$(ENV)" INVENTORY="$(INVENTORY)" LIMIT="$(LIMIT)" ./ops/purge.sh --yes

install:
@ENV="$(ENV)" INVENTORY="$(INVENTORY)" LIMIT="$(LIMIT)" ./ops/install.sh

auto-install:
@if [[ "$(AUTO_BACKUP)" == "1" ]]; then \
$(MAKE) backup ENV="$(ENV)" INVENTORY="$(INVENTORY)" LIMIT="$(LIMIT)"; \
fi
@if [[ "$(AUTO_PURGE)" == "1" ]]; then \
$(MAKE) purge CONFIRM=1 ENV="$(ENV)" INVENTORY="$(INVENTORY)" LIMIT="$(LIMIT)"; \
fi
@$(MAKE) auth-sync ENV="$(ENV)" INVENTORY="$(INVENTORY)" LIMIT="$(LIMIT)" PROFILES="$(PROFILES)" OAUTH_PROVIDER="$(OAUTH_PROVIDER)" MODEL_REF="$(MODEL_REF)"

P1 Reorder auto-install to run install before auth-sync

auto-install currently calls make auth-sync before make install, but ops/auth-sync.sh requires an existing openclaw account (id -u openclaw) and invokes /home/openclaw/.local/bin/openclaw to set models; on a fresh host (or after purging binaries/users), this fails before any provisioning starts, so the advertised automated install flow is not bootstrappable.


@$(MAKE) install ENV="$(ENV)" INVENTORY="$(INVENTORY)" LIMIT="$(LIMIT)"
@$(MAKE) smoke ENV="$(ENV)" INVENTORY="$(INVENTORY)" LIMIT="$(LIMIT)"

secrets-refactor:
@ENV="$(ENV)" INVENTORY="$(INVENTORY)" LIMIT="$(LIMIT)" ./ops/secrets-refactor.sh

cloudflare:
@ENV="$(ENV)" INVENTORY="$(INVENTORY)" LIMIT="$(LIMIT)" ./ops/cloudflare-reconcile.sh

auth-sync:
@ENV="$(ENV)" INVENTORY="$(INVENTORY)" LIMIT="$(LIMIT)" PROFILES="$(PROFILES)" OAUTH_PROVIDER="$(OAUTH_PROVIDER)" MODEL_REF="$(MODEL_REF)" ./ops/auth-sync.sh

oauth-login: auth-sync

smoke:
@ENV="$(ENV)" INVENTORY="$(INVENTORY)" LIMIT="$(LIMIT)" ./ops/smoke.sh

reinstall:
@if [[ "$(CONFIRM)" != "1" ]]; then echo "Use: make reinstall CONFIRM=1"; exit 1; fi
@$(MAKE) backup ENV="$(ENV)" INVENTORY="$(INVENTORY)" LIMIT="$(LIMIT)"
@$(MAKE) purge CONFIRM=1 ENV="$(ENV)" INVENTORY="$(INVENTORY)" LIMIT="$(LIMIT)"
@$(MAKE) install ENV="$(ENV)" INVENTORY="$(INVENTORY)" LIMIT="$(LIMIT)"
@$(MAKE) smoke ENV="$(ENV)" INVENTORY="$(INVENTORY)" LIMIT="$(LIMIT)"
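Review bot: the `oauth-login` target is documented in `help` as a legacy alias for `auth-sync` (which runs `./ops/auth-sync.sh`), but AGENT_HANDOFF.md in this PR describes `make oauth-login` as running `ops/oauth-login.sh`, sourcing `/etc/openclaw/secrets/<profile>.env` and listing auth profiles; one of the two is stale, and the handoff checklist should point at whichever script actually runs. Separately, the `auth-sync` help line hardcodes `/home/efra/.codex` as the credential source; make it a variable (for example `CODEX_HOME ?= $(HOME)/.codex`, passed through to `ops/auth-sync.sh` like the other variables) so a personal home directory is not baked into the ops entry point.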