diff --git a/.claude/skills/init-onecli/SKILL.md b/.claude/skills/init-onecli/SKILL.md index 55b484207..20d8aed53 100644 --- a/.claude/skills/init-onecli/SKILL.md +++ b/.claude/skills/init-onecli/SKILL.md @@ -98,13 +98,13 @@ for i in $(seq 1 15); do done ``` -If it never becomes healthy, check if the gateway process is running: +If it never becomes healthy, check the gateway containers. The gateway is a Docker Compose stack (project `onecli`, compose file at `~/.onecli/docker-compose.yml`), **not** a host process — `ps aux | grep onecli` will not find it, and there is no `onecli start` command (removed in OneCLI 1.4.x). ```bash -ps aux | grep -i onecli | grep -v grep +docker ps -a --filter "label=com.docker.compose.project=onecli" --format '{{.Names}}\t{{.Status}}' ``` -If it's not running, try starting it manually: `onecli start`. If that fails, show the error and stop — the user needs to debug their OneCLI installation. +Both services have `restart: unless-stopped`, so they come back automatically once the Docker daemon is up. If Docker isn't running, start it (`open -a Docker` on macOS) and they'll restart on their own. To bring the stack up manually: `docker compose -f ~/.onecli/docker-compose.yml up -d`. If that fails, show the error and stop — the user needs to debug their OneCLI installation. ## Phase 3: Migrate existing credentials @@ -299,7 +299,7 @@ If an agent uses `git` or `gh`, add to `data/v2-sessions//.claud ## Troubleshooting -**"OneCLI gateway not reachable" in logs:** The gateway isn't running. Check with `curl -sf ${ONECLI_URL}/health`. Start it with `onecli start` if needed. +**"OneCLI gateway not reachable" in logs:** The gateway isn't running. Check with `curl -sf ${ONECLI_URL}/health`. The most common cause is that Docker itself is down (the gateway is a Compose stack) — start Docker (`open -a Docker` on macOS) and the containers restart automatically. To bring them up manually: `docker compose -f ~/.onecli/docker-compose.yml up -d`. **Container gets no credentials:** Verify `ONECLI_URL` is set in `.env` and the gateway has an Anthropic secret (`onecli secrets list`). diff --git a/CLAUDE.md b/CLAUDE.md index 1cf7e6ff7..b7f26a0d1 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -153,31 +153,17 @@ Key files: `src/container-restart.ts`, `src/container-runner.ts` (`killContainer API keys, OAuth tokens, and auth credentials are managed by the OneCLI gateway. Secrets are injected into per-agent containers at request time — none are passed in env vars or through chat context. The container agent sees this via the `onecli-gateway` container skill (`container/skills/onecli-gateway/SKILL.md`), which teaches it how the proxy works, how to handle auth errors, and to never ask for raw credentials. Host-side wiring: `src/onecli-approvals.ts`, `ensureAgent()` in `container-runner.ts`. Run `onecli --help`. -### Gotcha: auto-created agents start in `selective` secret mode +### Secret modes -When the host first spawns a session for a new agent group, `container-runner.ts:385` calls `onecli.ensureAgent({ name, identifier })`. The OneCLI `POST /api/agents` endpoint creates the agent in **`selective`** secret mode — meaning **no secrets are assigned to it by default**, even if the secrets exist in the vault and have host patterns that would otherwise match. - -Symptom: container starts, the proxy + CA cert are wired correctly, but the agent gets `401 Unauthorized` (or similar) from APIs whose credentials *are* in the vault. The credential just isn't in this agent's allow-list. - -The SDK does not expose `setSecretMode` — the only fix is the CLI (or the web UI at `http://127.0.0.1:10254`). +Auto-created agents default to `all` secret mode — every vault secret whose host pattern matches is injected automatically, so the common case needs no per-agent setup. If an agent is in `selective` mode it gets no secrets until you assign them, which shows up as a `401` from an API whose credential *is* in the vault. The SDK can't change this; use the CLI (or the web UI at `http://127.0.0.1:10254`): ```bash -# Find the agent (identifier is the agent group id) -onecli agents list - -# Flip to "all" so every vault secret with a matching host pattern gets injected -onecli agents set-secret-mode --id --mode all - -# Or, stay selective and assign specific secrets -onecli secrets list # find secret ids -onecli agents set-secrets --id --secret-ids , - -# Inspect what an agent currently has -onecli agents secrets --id # secrets assigned to this agent -onecli secrets list # all vault secrets (with host patterns) +onecli agents list # check secretMode +onecli agents set-secret-mode --id --mode all # inject all matching secrets +onecli agents set-secrets --id --secret-ids ... # or stay selective, assign specific ones ``` -If you've just enabled `mode all`, no container restart is needed — the gateway looks up secrets per request, so the next API call from the running container will see the new credentials. +No container restart needed — the gateway looks up secrets per request. ### Requiring approval for credential use diff --git a/container/agent-runner/src/upload-trace.ts b/container/agent-runner/src/upload-trace.ts index e7d9a702b..d14d8b4ef 100644 --- a/container/agent-runner/src/upload-trace.ts +++ b/container/agent-runner/src/upload-trace.ts @@ -80,11 +80,6 @@ export function uploadTrace(): string { ' or on the host at http://127.0.0.1:10254 — then Secrets → New secret,', ' paste the token, and set the host pattern to huggingface.co', '', - '3. Assign it to this agent — new agents start with no secrets attached.', - ' In the same dashboard, open this agent and set its secret mode to "all"; or from the host run:', - ' onecli agents list # find this agent\'s id', - ' onecli agents set-secret-mode --id --mode all', - '', 'Then run /upload-trace again — no restart needed.', ].join('\n'); }