What:
- bound CLAWDINATOR image artifact retention with S3 lifecycle, AMI pruning, and import provenance tags
- reduce the AWS fleet to Babelfish-only and make GitHub credentials opt-in per host
- disable the AMI build, nix-openclaw bump, and release workflows by moving them out of .github/workflows/
- update operator docs for the new explicit build and deploy model
Why:
- stop unbounded S3 and snapshot growth from image builds
- remove unattended resurrection paths and shut down the unused t3.large instances
- keep the remaining Babelfish host running without GitHub App credentials or sync timers
Tests:
- `nix shell nixpkgs#shellcheck nixpkgs#shfmt -c bash scripts/lint-shell.sh` (pass)
- `nix build .#nixosConfigurations.clawdinator-babelfish.config.system.build.toplevel .#nixosConfigurations.clawdinator-1.config.system.build.toplevel .#nixosConfigurations.clawdinator-2.config.system.build.toplevel` (pass)
- `AWS_PROFILE=homelab-admin TF_VAR_aws_region=eu-central-1 TF_VAR_ami_id=ami-0a9abe17feeee0079 TF_VAR_ssh_public_key="$(cat ~/.ssh/id_ed25519.pub)" nix shell nixpkgs#opentofu -c sh -lc 'tofu fmt -check && tofu validate'` (pass)
- live AWS apply: destroyed `clawdinator-1` and `clawdinator-2`, replaced Babelfish, and verified only `Fleet Deploy` remains active in GitHub Actions
Expose pinned component revs via /etc/clawdinator/build-info.json and ship a clawdinator-version helper script (logic lives in scripts/, not inline in Nix).
This supports fleet consistency checks and maintainer introspection.
- Import nix-openclaw nixosModules.openclaw-gateway
- Replace custom systemd gateway service with upstream module
- Let upstream module own /etc/clawd/openclaw.json generation
This reduces duplication between clawdinators and nix-openclaw and aligns config merge semantics.
Replace configFragments with a deep-merged config option type so host overrides (e.g. disabling telegram) don't drop sibling keys like channels.discord.
clawdinator-2: disable telegram; keep discord.
- Cancel in-progress image builds on new pushes (concurrency)
- Add services.clawdinator.configFragments for deep-merge tweaks
- Use configFragments in clawdinator-2 to disable telegram without clobbering discord
No host changes; intended to ship via next AMI build.
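The two commits above (the `configFragments` deep-merge tweak for clawdinator-2, and its later replacement by a deep-merged config option type) both exist because a plain key-by-key override of `channels.telegram` wipes the sibling `channels.discord`. The following is an added example, not code from the clawdinators project or nix-openclaw: it reproduces that failure mode in Python with a constructed config, shows the recursive merge that fixes it (the same semantics as Nix's `lib.recursiveUpdate`: nested attribute sets merge, leaves and lists on the override side win), and adds a `lost_paths` check a practitioner can run to prove an override never clobbered keys it did not mention. The config keys, port and channel names are assumptions for illustration.

```python
"""Shallow vs deep merge of a gateway config, plus a clobber check.

Added example, not the project's own code. The config shape below is
constructed for illustration; only the merge semantics matter.
"""
from copy import deepcopy
from typing import Any

# Constructed base config (assumed shape, not the real openclaw.json).
BASE_CONFIG: dict[str, Any] = {
    "gateway": {"port": 18789, "bind": "127.0.0.1"},
    "channels": {
        "telegram": {"enabled": True, "allowFrom": ["maintainer"]},
        "discord": {"enabled": True, "guild": "clawdbot"},
    },
}

# Host override: the only intent is to switch telegram off.
HOST_OVERRIDE: dict[str, Any] = {
    "channels": {"telegram": {"enabled": False}},
}


def shallow_merge(base: dict, override: dict) -> dict:
    """Broken semantics: a top-level key in override replaces the whole
    subtree, so channels.discord and telegram.allowFrom disappear."""
    merged = deepcopy(base)
    merged.update(deepcopy(override))
    return merged


def deep_merge(base: dict, override: dict) -> dict:
    """Recursive merge: dicts merge key by key, any other value (including
    lists) from override replaces the base value, as lib.recursiveUpdate does."""
    merged = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = deepcopy(value)
    return merged


def lost_paths(base: dict, merged: dict, prefix: str = "") -> list[str]:
    """Dotted paths present in base but absent from merged. A non-empty
    result means the override clobbered siblings it never mentioned."""
    lost: list[str] = []
    for key, value in base.items():
        path = f"{prefix}{key}"
        if key not in merged:
            lost.append(path)
        elif isinstance(value, dict) and isinstance(merged[key], dict):
            lost.extend(lost_paths(value, merged[key], path + "."))
    return lost


def disabled_channels(config: dict) -> list[str]:
    """Channels whose 'enabled' flag is false or missing after the merge."""
    return sorted(
        name for name, chan in config["channels"].items() if not chan.get("enabled")
    )


if __name__ == "__main__":
    for label, merge in (("shallow", shallow_merge), ("deep", deep_merge)):
        result = merge(BASE_CONFIG, HOST_OVERRIDE)
        print(f"{label}: disabled={disabled_channels(result)} "
              f"lost={lost_paths(BASE_CONFIG, result)}")
```

Both merges disable telegram, which is why the bug is easy to miss in a smoke test; only the `lost_paths` check exposes that the shallow merge also dropped `channels.discord` and the telegram `allowFrom` list. Note that lists are replaced, not concatenated, under this deep merge, so an override that sets `allowFrom` still has to restate the full list.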
- Provision public S3 bucket (anonymous list/get) for PR intent artifacts
- Grant instance role PutObject and add NixOS systemd timer to publish /memory/pr-intent
- Default agent thinking level to high for GPT-5.2/Codex
- Make OpenTofu instance management explicit (manage_instances) to prevent accidental fleet destroy
Tests: not run (infra/Nix changes)
What:
- add telegram allowFrom secret wiring in the Nix module + host configs
- enforce Telegram DM allowlist and disable group traffic
- drop public gateway ingress (SG + firewall)
- document telegram secret handling and update ops memory
Why:
- restrict Telegram access to a single maintainer
- remove unnecessary public exposure for the gateway port
- keep secret wiring explicit in docs
Tests:
- nix flake check
- package pi-coding-agent with a vendored lockfile
- add pi to toolchain and expose settings file via tmpfiles
- seed pi defaults to match local model choices
Tests: nix build --no-link --impure --expr 'let pkgs = import <nixpkgs> {}; in pkgs.callPackage ./nix/tools/pi-coding-agent.nix {}'
- run github-app-token service as clawdinator user
- add clawdinator-gh-refresh command + tools note
- move canned-response guardrails to workspace AGENTS
- Write GH CLI auth file (/var/lib/clawd/gh/hosts.yml) on token refresh
- Set GH_CONFIG_DIR for the gateway service
- Stop injecting GH_TOKEN into clawdinator service env
- Document GH CLI auth file in docs/SECRETS.md
- Change token refresh from hourly to every 45 min (tokens expire at 1h)
- Restart clawdinator service after token refresh so the process picks up the new GH_TOKEN from the env file
- Root cause: bot reads GH_TOKEN at startup, never re-reads
- Add cron-jobs.json with heartbeat job (hourly)
- Add cronJobsFile option to clawdinator module
- Deploy cron jobs file to /etc/clawd/cron-jobs.json
- Configure cron.store to use deployed file
Service PATH only had coreutils/git/rsync. Toolchain (gh, curl, jq, etc.) was in environment.systemPackages but not in the service's path, so the gateway couldn't use them.
Adds toolchain.packages to systemd service path.
What:
- Add `triage` skill for Now/Next/Later priority summaries
- Add `gh-sync.sh` script to fetch PRs/issues from clawdbot org
- Add systemd timer for periodic GitHub sync (every 15 min)
- Add `memory/github/` directory for synced state
Why:
- Enable maintainer bot to surface clear recommendations
- ZFC-compliant: script does pure IO, AI does all reasoning
- Real-time-ish data via periodic sync to shared memory
Skill triggers: "triage", "priorities", "what's hot", "status"
Output: Now/Next/Later buckets with links + recommended actions
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>