What:
- bound CLAWDINATOR image artifact retention with S3 lifecycle, AMI pruning, and import provenance tags
- reduce the AWS fleet to Babelfish-only and make GitHub credentials opt-in per host
- disable the AMI build, nix-openclaw bump, and release workflows by moving them out of .github/workflows/
- update operator docs for the new explicit build and deploy model
Why:
- stop unbounded S3 and snapshot growth from image builds
- remove unattended resurrection paths and shut down the unused t3.large instances
- keep the remaining Babelfish host running without GitHub App credentials or sync timers
Tests:
- `nix shell nixpkgs#shellcheck nixpkgs#shfmt -c bash scripts/lint-shell.sh` (pass)
- `nix build .#nixosConfigurations.clawdinator-babelfish.config.system.build.toplevel .#nixosConfigurations.clawdinator-1.config.system.build.toplevel .#nixosConfigurations.clawdinator-2.config.system.build.toplevel` (pass)
- `AWS_PROFILE=homelab-admin TF_VAR_aws_region=eu-central-1 TF_VAR_ami_id=ami-0a9abe17feeee0079 TF_VAR_ssh_public_key="$(cat ~/.ssh/id_ed25519.pub)" nix shell nixpkgs#opentofu -c sh -lc 'tofu fmt -check && tofu validate'` (pass)
- live AWS apply: destroyed `clawdinator-1` and `clawdinator-2`, replaced Babelfish, and verified only `Fleet Deploy` remains active in GitHub Actions
What:
- update flake.lock nix-openclaw input from 2a9a3be to 8d7489b
- pull in openclaw pin bump that includes PR #17792 reasoning replay follower-id fix
Why:
- propagate the merged openclaw replay fix through nix-openclaw into clawdinators
- keep deployment source-of-truth aligned across the repo chain
Tests:
- `nix flake lock --update-input nix-openclaw`
- `nix eval .#nixosConfigurations.clawdinator-1.config.system.configurationRevision --raw`
- `nix build .#openclaw-gateway` (fails on darwin: attribute not provided for current system)
Terraform refresh calls GetAccelerateConfiguration (and other non-GetBucket* APIs). Grant s3:Get*/s3:Put* on the pr-intent bucket ARN so fleet deploy tofu apply can refresh bucket config.
Inline IAM user policies hit the 2048 byte size limit. Replace aws_iam_user_policy with an aws_iam_policy + aws_iam_user_policy_attachment for the CI user.
Grant CI user bucket-management read/write actions (GetBucket*/PutBucket*) on the public PR-intent bucket so fleet deploy can run tofu apply without AccessDenied.
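The three messages above describe one fix: the CI user's S3 grant had to cover both the bucket ARN (bucket-level APIs such as GetAccelerateConfiguration) and bucket/* (object APIs), and the resulting document outgrew the inline user-policy quota. The following is an added example, not the repository's OpenTofu code: it builds the CI user and public-bucket policy documents in Python, measures them the way IAM does (whitespace removed; 2048 characters for an inline user policy, 6144 for a customer managed policy are the documented AWS quotas), and reports which OpenTofu resource can carry them. Bucket name, account id, region, instance ids and the SSM statement shape are constructed placeholders.

```python
"""Least-privilege S3/SSM policy documents for a fleet-deploy CI user,
checked against the IAM policy size quotas.

Added example, not the repository's OpenTofu code. Bucket name, account id,
region and instance ids are constructed placeholders.
"""
import json

INLINE_USER_POLICY_LIMIT = 2048   # aws_iam_user_policy (inline)
MANAGED_POLICY_LIMIT = 6144       # aws_iam_policy + aws_iam_user_policy_attachment


def bucket_arn(bucket):
    return f"arn:aws:s3:::{bucket}"


def ci_user_policy(bucket, region, account, instance_ids):
    """Identity policy for the CI user: manage one bucket, deploy over SSM."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Bucket-level APIs that a refresh calls (GetBucketPolicy,
                # GetAccelerateConfiguration, ...) authorise against the bucket
                # ARN; object APIs (GetObject, PutObject) against bucket/*.
                # Listing only one of the two gives AccessDenied for the other.
                "Sid": "ManagePrIntentBucket",
                "Effect": "Allow",
                "Action": ["s3:Get*", "s3:Put*"],
                "Resource": [bucket_arn(bucket), bucket_arn(bucket) + "/*"],
            },
            {
                # SendCommand scoped to the fleet's instances plus the one SSM
                # document the deploy script uses, rather than Resource "*".
                "Sid": "SsmDeploy",
                "Effect": "Allow",
                "Action": ["ssm:SendCommand"],
                "Resource": [f"arn:aws:ec2:{region}:{account}:instance/{i}" for i in instance_ids]
                + [f"arn:aws:ssm:{region}::document/AWS-RunShellScript"],
            },
            {
                "Sid": "SsmReadResults",
                "Effect": "Allow",
                "Action": ["ssm:GetCommandInvocation", "ssm:ListCommandInvocations"],
                "Resource": "*",
            },
        ],
    }


def public_read_bucket_policy(bucket):
    """Bucket policy for anonymous list/get only. Writes come from the instance
    role's own identity policy (PutObject), never from Principal "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AnonymousList", "Effect": "Allow", "Principal": "*",
             "Action": "s3:ListBucket", "Resource": bucket_arn(bucket)},
            {"Sid": "AnonymousGet", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": bucket_arn(bucket) + "/*"},
        ],
    }


def policy_size(policy):
    """Characters IAM counts against the quota: the JSON without whitespace."""
    return len(json.dumps(policy, separators=(",", ":")))


def attachment_resource(policy):
    """Which OpenTofu resource can carry this policy for an IAM user."""
    size = policy_size(policy)
    if size <= INLINE_USER_POLICY_LIMIT:
        return "aws_iam_user_policy"
    if size <= MANAGED_POLICY_LIMIT:
        return "aws_iam_policy"
    raise ValueError(f"policy is {size} chars; split it across managed policies")


def grants_public_write(policy):
    """True if an Allow statement lets an anonymous principal mutate data."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or st.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(a == "*" or a.startswith(("s3:Put", "s3:Delete", "s3:*")) for a in actions):
            return True
    return False


if __name__ == "__main__":
    ids = [f"i-{n:017x}" for n in range(40)]  # constructed instance ids
    pol = ci_user_policy("clawdinator-pr-intent", "eu-central-1", "123456789012", ids)
    print(policy_size(pol), attachment_resource(pol))
    print("public write:", grants_public_write(public_read_bucket_policy("clawdinator-pr-intent")))
```

Run it with a handful of instance ids and the document fits an inline policy; with a few dozen it crosses 2048 and needs the managed policy plus attachment, which is the same transition the commit above made. The `grants_public_write` check is what to run over any bucket policy that carries `Principal: "*"`.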
After nixos-rebuild switch, write /var/lib/clawd/deploy/last-switch.{time,rev}.
clawdinator-version now optionally fetches OpenClaw commit date via GitHub API when gh is authenticated.
Expose pinned component revs via /etc/clawdinator/build-info.json and ship a clawdinator-version helper script (logic lives in scripts/, not inline in Nix).
This supports fleet consistency checks and maintainer introspection.
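The two files a switch leaves behind and the pinned revs in build-info.json are only useful if something compares them across hosts. As an added example (not the repository's clawdinator-version script or its post-switch hook), the block below writes the last-switch files atomically and runs the consistency check over a constructed set of hosts. The build-info schema used here (a `components` map of name to git rev plus a `configurationRevision`) and the host names are assumptions; the two-file `last-switch.{time,rev}` layout follows the commit message.

```python
"""Post-switch markers and a fleet consistency check.

Added example, not the repository's own script. The build-info.json schema
and the sample hosts are assumptions.
"""
import os
import time
from pathlib import Path


def record_switch(state_dir, rev, now=None):
    """What a post-switch hook writes: when the switch happened and which
    configuration revision landed. Each file is written to a temp name and
    renamed so a reader never sees a half-written rev."""
    state_dir = Path(state_dir)
    state_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    for name, value in (("last-switch.time", stamp), ("last-switch.rev", rev)):
        tmp = state_dir / (name + ".tmp")
        tmp.write_text(value + "\n")
        os.replace(tmp, state_dir / name)
    return stamp


def read_switch_rev(state_dir):
    """The rev recorded by the last switch, or None if no switch was recorded."""
    path = Path(state_dir) / "last-switch.rev"
    return path.read_text().strip() if path.exists() else None


def fleet_report(hosts):
    """hosts: name -> (build_info dict, last-switch rev or None).

    Returns the components whose pinned revs differ between hosts ("drift")
    and the hosts whose recorded switch does not match the configuration
    revision baked into their build-info ("unrecorded": the switch hook did
    not run, or the closure was activated by another path)."""
    components = set()
    for info, _ in hosts.values():
        components.update(info["components"])
    drift = {}
    for comp in sorted(components):
        revs = {name: info["components"].get(comp) for name, (info, _) in hosts.items()}
        if len(set(revs.values())) > 1:
            drift[comp] = revs
    unrecorded = sorted(
        name for name, (info, switched) in hosts.items()
        if switched != info["configurationRevision"]
    )
    return {"drift": drift, "unrecorded": unrecorded}


# Constructed sample: two hosts, one still on the older nix-openclaw pin and
# one whose last-switch.rev predates the closure it is running.
SAMPLE_HOSTS = {
    "clawdinator-babelfish": (
        {"configurationRevision": "c0ffee1",
         "components": {"nix-openclaw": "8d7489b", "openclaw": "abc1234"}},
        "c0ffee1",
    ),
    "clawdinator-1": (
        {"configurationRevision": "c0ffee1",
         "components": {"nix-openclaw": "2a9a3be", "openclaw": "abc1234"}},
        "deadbee",
    ),
}

if __name__ == "__main__":
    print(fleet_report(SAMPLE_HOSTS))
```

On a real host the dict per entry comes from `/etc/clawdinator/build-info.json` and the second tuple element from `read_switch_rev("/var/lib/clawd/deploy")`; a non-empty `unrecorded` list is the signal to inspect the activation log before trusting `drift`.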
- Add release.yml: eval -> upload bootstrap -> deploy via SSM (canary order)
- Make image-build manual/weekly (base AMI lane)
- Add SSM permissions to CI IAM policy (requires tofu apply)
- Add scripts for SSM-based nixos-rebuild and docs for the two-lane model
- Import nix-openclaw nixosModules.openclaw-gateway
- Replace custom systemd gateway service with upstream module
- Let upstream module own /etc/clawd/openclaw.json generation
This reduces duplication between clawdinators and nix-openclaw and aligns config merge semantics.
Replace configFragments with a deep-merged config option type so host overrides (e.g. disabling telegram) don't drop sibling keys like channels.discord.
clawdinator-2: disable telegram; keep discord.
- Cancel in-progress image builds on new pushes (concurrency)
- Add services.clawdinator.configFragments for deep-merge tweaks
- Use configFragments in clawdinator-2 to disable telegram without clobbering discord
No host changes; intended to ship via next AMI build.
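Both the configFragments commit and the deep-merged option type that replaced it solve the same problem: a host override that only wants to flip `channels.telegram` must not replace the whole `channels` attribute set and drop `channels.discord`. The following is an added example, not the repository's Nix option type or nix-openclaw's module; it is written in Python so it can be run on its own, and implements the same rule as Nix's `lib.recursiveUpdate` (recurse while both sides are attribute sets, otherwise the later value wins). The config shape follows the commit messages; the fields inside each channel are assumptions.

```python
"""Shallow versus deep merge of per-host config fragments.

Added example, not the repository's option type. The channel fields are
constructed; only the channels.discord / channels.telegram layout comes from
the commit messages.
"""
import copy
import functools

# Constructed base config shared by the fleet.
BASE = {
    "channels": {
        "discord": {"enabled": True, "guild": "example-guild"},
        "telegram": {"enabled": True, "chat": "example-chat"},
    },
    "thinking": "high",
}

# Constructed host override: disable telegram, say nothing about discord.
HOST_OVERRIDE = {"channels": {"telegram": {"enabled": False}}}


def shallow_merge(base, override):
    """What `//` in Nix does: top-level keys from override replace base's."""
    return {**base, **override}


def deep_merge(base, override):
    """recursiveUpdate semantics: descend while both sides are dicts; any
    non-dict value (lists included) is replaced, not concatenated."""
    out = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def merge_fragments(fragments):
    """Fold an ordered list of fragments; later fragments win on conflict."""
    return functools.reduce(deep_merge, fragments, {})


def dropped_keys(base, merged, path=""):
    """Dotted paths present in base but missing from merged. An override that
    only sets values should leave this empty; anything listed here was
    clobbered by a sibling-replacing merge."""
    missing = []
    for key, value in base.items():
        here = f"{path}.{key}" if path else key
        if key not in merged:
            missing.append(here)
        elif isinstance(value, dict) and isinstance(merged[key], dict):
            missing.extend(dropped_keys(value, merged[key], here))
    return missing


if __name__ == "__main__":
    print("shallow drops:", dropped_keys(BASE, shallow_merge(BASE, HOST_OVERRIDE)))
    print("deep drops:   ", dropped_keys(BASE, merge_fragments([BASE, HOST_OVERRIDE])))
```

`dropped_keys` is the check worth keeping around: run it with the fleet-wide base and each host's merged result, and a non-empty list means a channel or other sibling setting silently disappeared on that host.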
- Revert accidental /landpr deprecation language and restore model invocation
- Make distill-pr-intent skills non user-invocable (still available to the model)
- Add openclaw/ClawKeeper to repo seeds list for AMI snapshots
- Provision public S3 bucket (anonymous list/get) for PR intent artifacts
- Grant instance role PutObject and add NixOS systemd timer to publish /memory/pr-intent
- Default agent thinking level to high for GPT-5.2/Codex
- Make OpenTofu instance management explicit (manage_instances) to prevent accidental fleet destroy
Tests: not run (infra/Nix changes)
Why: keep fleet pi in sync with upstream fixes and model registry updates.
Notes:
- package-lock pins internal @mariozechner deps to 0.52.6 for determinism.
Tests:
- nix build pi-coding-agent derivation (darwin)
- bump nix-openclaw input for includeThreadStarter support
- disable thread starter injection for babelfish forum channel
Tests: not run (config change)