What:
- bound CLAWDINATOR image artifact retention with S3 lifecycle, AMI pruning, and import provenance tags
- reduce the AWS fleet to Babelfish-only and make GitHub credentials opt-in per host
- disable the AMI build, nix-openclaw bump, and release workflows by moving them out of .github/workflows/
- update operator docs for the new explicit build and deploy model
Why:
- stop unbounded S3 and snapshot growth from image builds
- remove unattended resurrection paths and shut down the unused t3.large instances
- keep the remaining Babelfish host running without GitHub App credentials or sync timers
Tests:
- `nix shell nixpkgs#shellcheck nixpkgs#shfmt -c bash scripts/lint-shell.sh` (pass)
- `nix build .#nixosConfigurations.clawdinator-babelfish.config.system.build.toplevel .#nixosConfigurations.clawdinator-1.config.system.build.toplevel .#nixosConfigurations.clawdinator-2.config.system.build.toplevel` (pass)
- `AWS_PROFILE=homelab-admin TF_VAR_aws_region=eu-central-1 TF_VAR_ami_id=ami-0a9abe17feeee0079 TF_VAR_ssh_public_key="$(cat ~/.ssh/id_ed25519.pub)" nix shell nixpkgs#opentofu -c sh -lc 'tofu fmt -check && tofu validate'` (pass)
- live AWS apply: destroyed `clawdinator-1` and `clawdinator-2`, replaced Babelfish, and verified only `Fleet Deploy` remains active in GitHub Actions
- add lambda invoke IAM user + outputs
- update fleet control to invoke lambda directly
- wire new control access-key secrets
- update docs + secrets guidance
- run github-app-token service as clawdinator user
- add clawdinator-gh-refresh command + tools note
- move canned-response guardrails to workspace AGENTS
Documented verified local→AMI→host flow including:
- homelab-admin AWS creds via agenix
- CI run monitoring and AMI_ID extraction
- tofu redeploy via devenv
- post-deploy checks + GH auth status
- reminder about snapshot-seeded repos/workspace
What:
- switch messages.queue.byProvider to byChannel in host config and example
- remove legacy autoReply flag from discord channel config
- update AGENTS note for the new queue key
Why:
- moltbot schema rejects byProvider and autoReply keys
- keep deployment notes consistent with valid config
Tests:
- not run (infra config change; no automated tests)
