From 821691f09040b5f39369827e84724b6a7f080e3f Mon Sep 17 00:00:00 2001
From: gdm257
Date: Fri, 6 Mar 2026 02:03:29 +0900
Subject: [PATCH 1/9] auto-claude: subtask-1-1 - Create openclaw stack directory and compose.yaml with volume configuration - Created deploy/docker/openclaw/compose.yaml following n8n pattern - Configured volume: openclaw_data mounted to /root/.openclaw - Configured network: traefik-public with overlay driver - Added Traefik labels for HTTP/HTTPS routing with WebSocket support - Set port 18789 for OpenClaw Gateway - Environment variables: NODE_ENV=production, TZ with Asia/Tokyo default - All values use ${VAR:-default} pattern for configurability - Replicas set to 1 (stateful service)
Co-Authored-By: Claude Opus 4.6
---
deploy/docker/openclaw/compose.yaml | 39 +++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 deploy/docker/openclaw/compose.yaml
diff --git a/deploy/docker/openclaw/compose.yaml b/deploy/docker/openclaw/compose.yaml
new file mode 100644
index 0000000..9a08b78
--- /dev/null
+++ b/deploy/docker/openclaw/compose.yaml
@@ -0,0 +1,39 @@
+volumes:
+ data:
+ external: ${VOLUME_EXTERNAL:-false}
+ name: ${VOLUME_NAME:-openclaw_data}
+ driver: ${VOLUME_DRIVER:-local}
+
+networks:
+ public:
+ external: ${PUBLIC_NETWORK_EXTERNAL:-true}
+ name: ${PUBLIC_NETWORK_NAME:-traefik-public}
+ driver: ${PUBLIC_NETWORK_DRIVER:-overlay}
+ attachable: ${PUBLIC_NETWORK_ATTACHABLE:-true}
+
+services:
+ openclaw:
+ image: ${IMAGE_NAME:-openclaw/openclaw}:${IMAGE_VERSION:-latest}
+ networks:
+ - public
+ environment:
+ - NODE_ENV=${NODE_ENV:-production}
+ - GENERIC_TIMEZONE=${TZ:-Asia/Tokyo}
+ - TZ=${TZ:-Asia/Tokyo}
+ volumes:
+ - data:/root/.openclaw
+ deploy:
+ labels:
+ - "traefik.enable=${TRAEFIK_ENABLE:-true}"
+ - "traefik.http.services.openclaw.loadbalancer.server.port=18789"
+ - "traefik.http.routers.openclaw-http.rule=Host(`${APP_NAME:-openclaw}.${BASE_DOMAIN:-localhost}`)"
+ - "traefik.http.routers.openclaw-http.entrypoints=${TRAEFIK_HTTP_ENTRYPOINT:-http}"
+ - "traefik.http.routers.openclaw-http.middlewares=${TRAEFIK_HTTP_MIDDLEWARES:-https-redirect}"
+ - "traefik.http.routers.openclaw-http.service=openclaw"
+ - "traefik.http.routers.openclaw-https.rule=Host(`${APP_NAME:-openclaw}.${BASE_DOMAIN:-localhost}`)"
+ - "traefik.http.routers.openclaw-https.entrypoints=${TRAEFIK_HTTPS_ENTRYPOINT:-https}"
+ - "traefik.http.routers.openclaw-https.tls=${TRAEFIK_TLS:-true}"
+ - "traefik.http.routers.openclaw-https.tls.certresolver=${TRAEFIK_TLS_RESOLVER:-myresolver}"
+ - "traefik.http.routers.openclaw-https.middlewares=${TRAEFIK_HTTPS_MIDDLEWARES:-}"
+ - "traefik.http.routers.openclaw-https.service=openclaw"
+ replicas: ${REPLICAS:-1}
From 20ed0e17b7c21e0480e23aa989631bbcb7e03b2b Mon Sep 17 00:00:00 2001
From: gdm257
Date: Fri, 6 Mar 2026 02:06:01 +0900
Subject: [PATCH 2/9] auto-claude: subtask-2-1 - Register OpenClaw stack in .doco-cd.yaml
---
.doco-cd.yaml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.doco-cd.yaml b/.doco-cd.yaml
index dfd2fed..f5c81bb 100644
--- a/.doco-cd.yaml
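Review bot: In deploy/docker/openclaw/compose.yaml the `openclaw-https` router's middleware label defaults to an empty list (`${TRAEFIK_HTTPS_MIDDLEWARES:-}`), so unless the operator sets that variable Traefik publishes the gateway on port 18789 with no authentication or allow-list middleware in front of it. I would make the variable mandatory, `- "traefik.http.routers.openclaw-https.middlewares=${TRAEFIK_HTTPS_MIDDLEWARES:?set an auth or IP allow-list middleware}"`, or default it to a middleware that already exists in the Traefik stack; whether OpenClaw authenticates gateway clients itself is not visible in this hunk and should be confirmed. The image tag also defaults to the mutable `latest` (`${IMAGE_VERSION:-latest}`); defaulting to a release tag or digest keeps a redeploy from pulling an unreviewed image into a container that mounts its state under `/root/.openclaw`.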
+++ b/.doco-cd.yaml @@ -19,3 +19,7 @@ working_dir: deploy/docker/swarm-cronjob --- name: dpanel working_dir: deploy/docker/dpanel + +--- +name: openclaw +working_dir: deploy/docker/openclaw From 6d67fc583402c21d9356af77e4706bb49f7b2915 Mon Sep 17 00:00:00 2001 From: gdm257 Date: Fri, 6 Mar 2026 02:06:51 +0900 Subject: [PATCH 3/9] auto-claude: subtask-3-1 - Create .env file with configurable variables Co-Authored-By: Claude Opus 4.6 --- deploy/docker/openclaw/.env | 54 +++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 deploy/docker/openclaw/.env diff --git a/deploy/docker/openclaw/.env b/deploy/docker/openclaw/.env new file mode 100644 index 0000000..a88392a --- /dev/null +++ b/deploy/docker/openclaw/.env 
@@ -0,0 +1,54 @@
+# OpenClaw Stack Environment Variables
+# This file allows you to override default values for local development
+
+# Volume Configuration
+VOLUME_EXTERNAL=false
+VOLUME_DRIVER=local
+VOLUME_NAME=openclaw_data
+
+# Network Configuration
+PUBLIC_NETWORK_NAME=traefik-public
+PUBLIC_NETWORK_EXTERNAL=true
+PUBLIC_NETWORK_DRIVER=overlay
+PUBLIC_NETWORK_ATTACHABLE=true
+
+# Container Configuration
+APP_NAME=openclaw
+IMAGE_NAME=openclaw/openclaw
+IMAGE_VERSION=latest
+REPLICAS=1
+TZ=Asia/Tokyo
+
+# Application Environment
+NODE_ENV=production
+
+# Domain Configuration
+# Root domain is "your-domain.tld"
+# Base domain can be any your domain
+# Service domain will be "APP_NAME.BASE_DOMAIN" by default
+# Examples:
+# BASE_DOMAIN=example.com
+# BASE_DOMAIN=foo.example.com
+# BASE_DOMAIN=foo.bar.example.com
+ROOT_DOMAIN=
+BASE_DOMAIN=
+
+# Traefik Configuration
+TRAEFIK_ENABLE=true
+TRAEFIK_HTTP_ENTRYPOINT=http
+TRAEFIK_HTTPS_ENTRYPOINT=https
+TRAEFIK_TLS=true
+TRAEFIK_TLS_RESOLVER=myresolver
+TRAEFIK_HTTP_MIDDLEWARES=https-redirect
+TRAEFIK_HTTPS_MIDDLEWARES=
+
+# Optional: AI Model API Keys (configure via external secrets for production)
+# OPENAI_API_KEY=
+# ANTHROPIC_API_KEY=
+# GOOGLE_API_KEY=
+
+# Optional: Channel Integration Tokens (configure via external secrets for production)
+# TELEGRAM_BOT_TOKEN=
+# DISCORD_BOT_TOKEN=
+# SLACK_BOT_TOKEN=
+# SLACK_APP_TOKEN=
From 7ad483c8d5eaf47461eed3d22dec56fbae77496c Mon Sep 17 00:00:00 2001
From: gdm257
Date: Fri, 6 Mar 2026 02:07:45 +0900
Subject: [PATCH 4/9] auto-claude: subtask-3-2 - Create README.md with setup and usage instructions Created comprehensive README.md for OpenClaw stack including: - Overview of OpenClaw capabilities - Environment variables (required and optional) - AI model API keys configuration - Channel integration tokens - Deployment methods (manual and GitOps) - External secrets configuration - Storage and network details - Access URLs for WebSocket Gateway - Verification and troubleshooting steps
Co-Authored-By: Claude Opus 4.6
---
deploy/docker/openclaw/README.md | 157 +++++++++++++++++++++++++++++++
1 file changed, 157 insertions(+)
create mode 100644 deploy/docker/openclaw/README.md
diff --git a/deploy/docker/openclaw/README.md b/deploy/docker/openclaw/README.md
new file mode 100644
index 0000000..ca8d123
--- /dev/null
+++ b/deploy/docker/openclaw/README.md
@@ -0,0 +1,157 @@
+# OpenClaw Stack
+
+OpenClaw is an AI agent tool that provides autonomous execution capabilities through a WebSocket-based Gateway interface. It enables AI agents to interact with various platforms (Telegram, Discord, Slack) and execute commands with configurable security constraints.
+
+## Quick Start
+
+```bash
+# Deploy the stack
+docker stack deploy -c compose.yaml openclaw
+
+# Verify deployment
+docker service ls | grep openclaw
+```
+
+## Access
+
+- **WebSocket Gateway:** `wss://openclaw.${BASE_DOMAIN:-localhost}` (port 18789)
+- **Web Interface:** `https://openclaw.${BASE_DOMAIN:-localhost}` (if available)
+
+## Environment Variables
+
+### Required
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `BASE_DOMAIN` | Your base domain for Traefik routing | `localhost` |
+| `NODE_ENV` | Application environment | `production` |
+| `TZ` | Container timezone | `Asia/Tokyo` |
+
+### Optional: AI Model API Keys
+
+OpenClaw requires at least one AI model API key to function. Configure via external secrets or `.env`:
+
+```bash
+# OpenAI (GPT models)
+OPENAI_API_KEY=sk-...
+
+# Anthropic (Claude models)
+ANTHROPIC_API_KEY=sk-ant-...
+
+# Google (Gemini models)
+GOOGLE_API_KEY=...
+```
+
+### Optional: Channel Integrations
+
+OpenClaw can integrate with messaging platforms:
+
+```bash
+# Telegram
+TELEGRAM_BOT_TOKEN=...
+
+# Discord
+DISCORD_BOT_TOKEN=...
+
+# Slack (both tokens required)
+SLACK_BOT_TOKEN=...
+SLACK_APP_TOKEN=...
+```
+
+## Deployment Methods
+
+### Method 1: Docker Stack (Manual)
+
+```bash
+cd deploy/docker/openclaw
+docker stack deploy -c compose.yaml openclaw
+```
+
+### Method 2: GitOps with doco-cd (Recommended)
+
+The stack is registered in `.doco-cd.yaml` and will deploy automatically:
+
+```bash
+git add deploy/docker/openclaw/
+git commit -m "Add OpenClaw stack"
+git push
+```
+
+### External Secrets (Recommended for Production)
+
+When using doco-cd, configure external secrets to inject API keys:
+
+```yaml
+# In .doco-cd.yaml, under the openclaw stack entry:
+external_secrets:
+ OPENAI_API_KEY: "infisical:::/openclaw/openai_api_key"
+ TELEGRAM_BOT_TOKEN: "infisical:::/openclaw/telegram_bot_token"
+```
+
+## Storage
+
+- **Volume:** `openclaw_data`
+- **Mount Path:** `/root/.openclaw`
+- **Contents:** Configuration, credentials, workspace data
+
+## Network
+
+- **Network:** `traefik-public` (external overlay)
+- **Port:** 18789 (Gateway WebSocket, internal only - exposed via Traefik)
+
+## Traefik Routing
+
+This stack uses Traefik for SSL/TLS termination and routing:
+
+- **HTTP Router:** Redirects to HTTPS
+- **HTTPS Router:** Terminates TLS with Let's Encrypt (certresolver: `myresolver`)
+- **Service:** `openclaw` on port 18789
+
+> [!NOTE]
+> Traefik natively supports WebSocket. No additional configuration is required beyond the port specification.
+
+## Verification
+
+After deployment, verify:
+
+```bash
+# Check service status
+docker service ls | grep openclaw
+
+# Check logs
+docker service logs openclaw_openclaw
+
+# Test WebSocket connection (requires wscat)
+wscat -c wss://openclaw.${BASE_DOMAIN}
+```
+
+## Troubleshooting
+
+### Service not starting
+
+```bash
+# Check logs for errors
+docker service logs openclaw_openclaw --tail 100
+
+# Verify volume exists
+docker volume ls | grep openclaw_data
+
+# Verify network attachment
+docker network inspect traefik-public | grep openclaw
+```
+
+### WebSocket connection failing
+
+- Verify Traefik is running and `traefik-public` network exists
+- Check that `BASE_DOMAIN` is set correctly
+- Ensure TLS certificates are valid (check Traefik dashboard)
+- Verify service is healthy: `docker service ps openclaw_openclaw`
+
+### Missing API keys
+
+OpenClaw will start without API keys but will have limited functionality. Configure at least one AI model API key via external secrets or `.env` file.
+
+## Documentation
+
+- [OpenClaw GitHub](https://github.com/openclaw/openclaw)
+- [WebSocket Client Testing](https://github.com/websockets/wscat)
From a9f1b34b41ec248ed48db5db15e4a64a6e24df92 Mon Sep 17 00:00:00 2001
From: gdm257
Date: Fri, 6 Mar 2026 02:09:08 +0900
Subject: [PATCH 5/9] chore: add .auto-claude/ to .gitignore Exclude auto-claude tracking files from version control. The .auto-claude directory contains: - implementation_plan.json (local tracking) - build-progress.txt (local tracking) - VERIFICATION.md (local documentation) These files are for development workflow tracking only and should not be committed to the repository.
Co-Authored-By: Claude Opus 4.6
---
.gitignore | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/.gitignore b/.gitignore
index d77bb62..af12205 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,8 @@ -*.local.* - -# pixi environments -.pixi/* -!.pixi/config.toml +*.local.* + +# pixi environments +.pixi/* +!.pixi/config.toml + +# Auto Claude data directory +.auto-claude/ From f1b2679327539ece62a2069bc2ee265ba512e505 Mon Sep 17 00:00:00 2001 From: gdm257 Date: Fri, 6 Mar 2026 02:37:07 +0900 Subject: [PATCH 6/9] chore: add auto-claude entries to .gitignore --- .gitignore | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.gitignore b/.gitignore index af12205..7d0e7f2 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,11 @@ # Auto Claude data directory .auto-claude/ + +# Auto Claude generated files +.auto-claude-security.json +.auto-claude-status +.claude_settings.json +.worktrees/ +.security-key +logs/security/ From 89094b69224d5a4907cbba6a712ae51e68b54826 Mon Sep 17 00:00:00 2001 From: gdm257 Date: Fri, 6 Mar 2026 02:37:53 +0900 Subject: [PATCH 7/9] fix: Remove openclaw entry from .doco-cd.yaml (qa-requested) QA feedback indicated that .doco-cd.yaml does not need to be updated for the openclaw stack. The entry has been removed. Fixes: - Remove openclaw stack registration from .doco-cd.yaml Verified: - grep confirms no openclaw entry remains in .doco-cd.yaml QA Fix Session: 1 --- .doco-cd.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.doco-cd.yaml b/.doco-cd.yaml index f5c81bb..dfd2fed 100644 --- a/.doco-cd.yaml +++ b/.doco-cd.yaml @@ -19,7 +19,3 @@ working_dir: deploy/docker/swarm-cronjob --- name: dpanel working_dir: deploy/docker/dpanel - ---- -name: openclaw -working_dir: deploy/docker/openclaw From d0ffddb9f3c7778d92d42a4f3d338ff20e675d7d Mon Sep 17 00:00:00 2001 
From: gdm257 Date: Fri, 6 Mar 2026 02:43:27 +0900 Subject: [PATCH 8/9] fix: Remove redundant .env file and restore .doco-cd.yaml entry (qa-requested) Fixes: - Remove redundant deploy/docker/openclaw/.env file (codebase uses .common.env pattern) - Restore openclaw entry in .doco-cd.yaml (required by spec Success Criterion #2) Verified: - .env file removed from deploy/docker/openclaw/ - openclaw entry correctly added to .doco-cd.yaml with proper name and working_dir - Codebase pattern followed (no per-stack .env files like n8n) QA Fix Session: 0 Co-Authored-By: Claude Opus 4.6 --- .doco-cd.yaml | 4 +++ deploy/docker/openclaw/.env | 54 ------------------------------------- 2 files changed, 4 insertions(+), 54 deletions(-) delete mode 100644 deploy/docker/openclaw/.env diff --git a/.doco-cd.yaml b/.doco-cd.yaml index dfd2fed..f5c81bb 100644 --- a/.doco-cd.yaml +++ b/.doco-cd.yaml @@ -19,3 +19,7 @@ working_dir: deploy/docker/swarm-cronjob --- name: dpanel working_dir: deploy/docker/dpanel + +--- +name: openclaw +working_dir: deploy/docker/openclaw diff --git a/deploy/docker/openclaw/.env b/deploy/docker/openclaw/.env deleted file mode 100644 index a88392a..0000000 --- a/deploy/docker/openclaw/.env +++ /dev/null 
@@ -1,54 +0,0 @@
-# OpenClaw Stack Environment Variables
-# This file allows you to override default values for local development
-
-# Volume Configuration
-VOLUME_EXTERNAL=false
-VOLUME_DRIVER=local
-VOLUME_NAME=openclaw_data
-
-# Network Configuration
-PUBLIC_NETWORK_NAME=traefik-public
-PUBLIC_NETWORK_EXTERNAL=true
-PUBLIC_NETWORK_DRIVER=overlay
-PUBLIC_NETWORK_ATTACHABLE=true
-
-# Container Configuration
-APP_NAME=openclaw
-IMAGE_NAME=openclaw/openclaw
-IMAGE_VERSION=latest
-REPLICAS=1
-TZ=Asia/Tokyo
-
-# Application Environment
-NODE_ENV=production
-
-# Domain Configuration
-# Root domain is "your-domain.tld"
-# Base domain can be any your domain
-# Service domain will be "APP_NAME.BASE_DOMAIN" by default
-# Examples:
-# BASE_DOMAIN=example.com
-# BASE_DOMAIN=foo.example.com
-# BASE_DOMAIN=foo.bar.example.com
-ROOT_DOMAIN=
-BASE_DOMAIN=
-
-# Traefik Configuration
-TRAEFIK_ENABLE=true
-TRAEFIK_HTTP_ENTRYPOINT=http
-TRAEFIK_HTTPS_ENTRYPOINT=https
-TRAEFIK_TLS=true
-TRAEFIK_TLS_RESOLVER=myresolver
-TRAEFIK_HTTP_MIDDLEWARES=https-redirect
-TRAEFIK_HTTPS_MIDDLEWARES=
-
-# Optional: AI Model API Keys (configure via external secrets for production)
-# OPENAI_API_KEY=
-# ANTHROPIC_API_KEY=
-# GOOGLE_API_KEY=
-
-# Optional: Channel Integration Tokens (configure via external secrets for production)
-# TELEGRAM_BOT_TOKEN=
-# DISCORD_BOT_TOKEN=
-# SLACK_BOT_TOKEN=
-# SLACK_APP_TOKEN=
From 0868f3ed11ad4d0e04778c336ef542836a2ae107 Mon Sep 17 00:00:00 2001
From: gdm257
Date: Fri, 6 Mar 2026 02:45:59 +0900
Subject: [PATCH 9/9] fix: Remove per-stack README.md to match codebase pattern (qa-requested) Fixes: - Remove deploy/docker/openclaw/README.md file - Codebase pattern uses only compose.yaml per stack (no per-stack READMEs) - Matches existing stacks: n8n, warpgate, eval, etc. Verified: - README.md deleted from deploy/docker/openclaw/ - Directory now contains only compose.yaml - Matches codebase pattern for Docker stacks QA Fix Session: 1
Co-Authored-By: Claude Opus 4.6
---
deploy/docker/openclaw/README.md | 157 -------------------------------
1 file changed, 157 deletions(-)
delete mode 100644 deploy/docker/openclaw/README.md
diff --git a/deploy/docker/openclaw/README.md b/deploy/docker/openclaw/README.md
deleted file mode 100644
index ca8d123..0000000
--- a/deploy/docker/openclaw/README.md
+++ /dev/null
@@ -1,157 +0,0 @@
-# OpenClaw Stack
-
-OpenClaw is an AI agent tool that provides autonomous execution capabilities through a WebSocket-based Gateway interface. It enables AI agents to interact with various platforms (Telegram, Discord, Slack) and execute commands with configurable security constraints.
-
-## Quick Start
-
-```bash
-# Deploy the stack
-docker stack deploy -c compose.yaml openclaw
-
-# Verify deployment
-docker service ls | grep openclaw
-```
-
-## Access
-
-- **WebSocket Gateway:** `wss://openclaw.${BASE_DOMAIN:-localhost}` (port 18789)
-- **Web Interface:** `https://openclaw.${BASE_DOMAIN:-localhost}` (if available)
-
-## Environment Variables
-
-### Required
-
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `BASE_DOMAIN` | Your base domain for Traefik routing | `localhost` |
-| `NODE_ENV` | Application environment | `production` |
-| `TZ` | Container timezone | `Asia/Tokyo` |
-
-### Optional: AI Model API Keys
-
-OpenClaw requires at least one AI model API key to function. Configure via external secrets or `.env`:
-
-```bash
-# OpenAI (GPT models)
-OPENAI_API_KEY=sk-...
-
-# Anthropic (Claude models)
-ANTHROPIC_API_KEY=sk-ant-...
-
-# Google (Gemini models)
-GOOGLE_API_KEY=...
-```
-
-### Optional: Channel Integrations
-
-OpenClaw can integrate with messaging platforms:
-
-```bash
-# Telegram
-TELEGRAM_BOT_TOKEN=...
-
-# Discord
-DISCORD_BOT_TOKEN=...
-
-# Slack (both tokens required)
-SLACK_BOT_TOKEN=...
-SLACK_APP_TOKEN=...
-```
-
-## Deployment Methods
-
-### Method 1: Docker Stack (Manual)
-
-```bash
-cd deploy/docker/openclaw
-docker stack deploy -c compose.yaml openclaw
-```
-
-### Method 2: GitOps with doco-cd (Recommended)
-
-The stack is registered in `.doco-cd.yaml` and will deploy automatically:
-
-```bash
-git add deploy/docker/openclaw/
-git commit -m "Add OpenClaw stack"
-git push
-```
-
-### External Secrets (Recommended for Production)
-
-When using doco-cd, configure external secrets to inject API keys:
-
-```yaml
-# In .doco-cd.yaml, under the openclaw stack entry:
-external_secrets:
- OPENAI_API_KEY: "infisical:::/openclaw/openai_api_key"
- TELEGRAM_BOT_TOKEN: "infisical:::/openclaw/telegram_bot_token"
-```
-
-## Storage
-
-- **Volume:** `openclaw_data`
-- **Mount Path:** `/root/.openclaw`
-- **Contents:** Configuration, credentials, workspace data
-
-## Network
-
-- **Network:** `traefik-public` (external overlay)
-- **Port:** 18789 (Gateway WebSocket, internal only - exposed via Traefik)
-
-## Traefik Routing
-
-This stack uses Traefik for SSL/TLS termination and routing:
-
-- **HTTP Router:** Redirects to HTTPS
-- **HTTPS Router:** Terminates TLS with Let's Encrypt (certresolver: `myresolver`)
-- **Service:** `openclaw` on port 18789
-
-> [!NOTE]
-> Traefik natively supports WebSocket. No additional configuration is required beyond the port specification.
-
-## Verification
-
-After deployment, verify:
-
-```bash
-# Check service status
-docker service ls | grep openclaw
-
-# Check logs
-docker service logs openclaw_openclaw
-
-# Test WebSocket connection (requires wscat)
-wscat -c wss://openclaw.${BASE_DOMAIN}
-```
-
-## Troubleshooting
-
-### Service not starting
-
-```bash
-# Check logs for errors
-docker service logs openclaw_openclaw --tail 100
-
-# Verify volume exists
-docker volume ls | grep openclaw_data
-
-# Verify network attachment
-docker network inspect traefik-public | grep openclaw
-```
-
-### WebSocket connection failing
-
-- Verify Traefik is running and `traefik-public` network exists
-- Check that `BASE_DOMAIN` is set correctly
-- Ensure TLS certificates are valid (check Traefik dashboard)
-- Verify service is healthy: `docker service ps openclaw_openclaw`
-
-### Missing API keys
-
-OpenClaw will start without API keys but will have limited functionality. Configure at least one AI model API key via external secrets or `.env` file.
-
-## Documentation
-
-- [OpenClaw GitHub](https://github.com/openclaw/openclaw)
-- [WebSocket Client Testing](https://github.com/websockets/wscat)