docs(changelog): clarify the OneCLI gateway is a separate, operator-driven upgrade

The breaking notice said the onecli setup step enforces the pinned versions, which is only true for fresh installs — on an existing install, updating does not upgrade the running gateway. Clarify that the gateway is separate: /update-nanoclaw upgrades it when the pin moves, otherwise upgrade manually per docs/onecli-upgrades.md.
Merge pull request #2774 from nanocoai/feat/update-nanoclaw-onecli-pin
2026-06-18 18:29:35 +08:00 · 2026-06-15 20:25:42 +03:00 · 2026-06-15 20:09:01 +03:00 · 2026-06-15 19:37:23 +03:00 · 2026-06-15 16:04:28 +03:00 · 2026-06-15 15:32:04 +03:00
3 changed files with 25 additions and 1 deletions
@@ -89,6 +89,22 @@ pnpm exec tsc -p container/agent-runner/tsconfig.json --noEmit
 ./container/build.sh
 ```

+### Restart the host
+
+The image rebuild does not reload the **host**. Codex's host contribution
+(`src/providers/codex.ts`) registers the `/home/node/.codex` bind mount + env
+passthrough, and the running host only picks it up on restart. Skip this and the
+first Codex turn fails with `EACCES` writing `/home/node/.codex/config.toml` —
+with no mount, Docker auto-creates the dir root-owned and the non-root container
+user can't write to it.
+
+```bash
+# macOS (launchd)
+launchctl kickstart -k gui/$(id -u)/com.nanoclaw
+# Linux (systemd)
+systemctl --user restart nanoclaw
+```
+
 ### Validate

 ```bash
@@ -100,6 +116,8 @@ The registration tests import only the real barrels — they go red if a barrel

 ## Authenticate

+> **Run this in a separate, real terminal — it is interactive.** It prompts for ChatGPT-subscription vs OpenAI-API-key and then drives a browser/device login, so it needs a TTY to answer prompts.
+
 ```bash
 pnpm exec tsx setup/index.ts --step provider-auth codex
 ```
@@ -121,6 +121,7 @@ Bucket the upstream changed files:
 - **Host source** (`src/`): may conflict if user modified the same files
 - **Container** (`container/`): triggers container rebuild (+ typecheck if `agent-runner/src/` changed)
 - **Build/config** (`package.json`, `pnpm-lock.yaml`, `tsconfig*.json`): lockfile changes trigger dep install
+- **Version pins** (`versions.json`): a changed `onecli-gateway` / `onecli-cli` value requires upgrading the OneCLI gateway/CLI to match — see Step 5.5
 - **Other**: docs, tests, setup scripts, misc

 **Large drift check:** If the upstream commit count and age suggest the user has a lot of catching up to do, mention that `/migrate-nanoclaw` might be a better fit — it extracts customizations and reapplies them on clean upstream instead of merging. Offer it as an option but don't push.
@@ -215,6 +216,11 @@ If build fails:
 - Do not refactor unrelated code.
 - If unclear, ask the user before making changes.

+# Step 5.5: OneCLI upgrade (if pins moved)
+The OneCLI gateway and CLI are external components pinned in `versions.json`; when a pin moves, the running version must be upgraded to match or the new code may fail against it.
+
+If `git diff <backup-tag-from-step-1>..HEAD -- versions.json` shows the `onecli-gateway` or `onecli-cli` value changed, follow `docs/onecli-upgrades.md` before the service restart (Step 8). Otherwise skip.
+
 # Step 6: Breaking changes check
 After validation succeeds, check if the update introduced any breaking changes.

@@ -4,7 +4,7 @@ All notable changes to NanoClaw will be documented in this file.

 ## [Unreleased]

- [BREAKING] **`@onecli-sh/sdk` 0.5.0 -> 2.2.1 — requires a OneCLI server with the `/v1` API** (older servers 404 every SDK call). The sanctioned gateway and CLI versions are pinned in `versions.json`; the `onecli` setup step enforces them. **Migration:** [docs/onecli-upgrades.md](docs/onecli-upgrades.md).
+- [BREAKING] **`@onecli-sh/sdk` 0.5.0 -> 2.2.1 — requires a OneCLI server with the `/v1` API** (older servers 404 every SDK call). The sanctioned gateway and CLI versions are pinned in `versions.json`. **The gateway is a separate component — updating NanoClaw does not upgrade it for you:** `/update-nanoclaw` upgrades it when the pin moves, otherwise upgrade manually. **Migration:** [docs/onecli-upgrades.md](docs/onecli-upgrades.md).
 - **New agent provider: Codex (OpenAI) — run `/add-codex`.** Full runtime via `codex app-server` (planning, MCP tools, server-side history, resume). Trunk ships the seams and the skill; the payload installs from the `providers` branch (the skill, the setup picker, or `--step provider-auth codex`). Auth is vault-only — no credential ever enters a container.
 - **Setup can now select, install, and authenticate a non-default agent provider.** A provider registry feeds the setup picker, an installer pulls the provider's payload from its branch, a vault auth walkthrough runs (`--step provider-auth`), and the picked provider is set on the first agent (a DB property) before its first spawn. Default (Claude) installs are unaffected — picking Claude changes nothing.
 - **Provider choice is explicit per group — no install-wide default.** Provider is a DB property set via `ncl groups config update --provider` + restart; creation is provider-agnostic.
Author	SHA1	Message	Date
Koshkoshinsk	d1f94fcd24	docs(changelog): clarify the OneCLI gateway is a separate, operator-driven upgrade The breaking notice said the onecli setup step enforces the pinned versions, which is only true for fresh installs — on an existing install, updating does not upgrade the running gateway. Clarify that the gateway is separate: /update-nanoclaw upgrades it when the pin moves, otherwise upgrade manually per docs/onecli-upgrades.md.	2026-06-15 20:25:42 +03:00
gavrielc	dd60983f7f	Merge pull request #2774 from nanocoai/feat/update-nanoclaw-onecli-pin feat(update-nanoclaw): upgrade OneCLI gateway when its pinned version moves	2026-06-15 20:09:01 +03:00
Koshkoshinsk	096b8bf589	feat(update-nanoclaw): upgrade OneCLI gateway when its pinned version moves When an update moves the onecli-gateway/onecli-cli pin in versions.json, the running gateway must be upgraded to match — otherwise the new code's @onecli-sh/sdk calls fail (404 on /v1/agents) and agents can't spawn. update-nanoclaw never detected this, so the upgrade was silently skipped. Add a conditional step that follows docs/onecli-upgrades.md before restart when the pin moves.	2026-06-15 19:37:23 +03:00
omri-maya	5f5c28d18d	Merge pull request #2773 from nanocoai/docs/codex-fix-docs docs(add-codex): drop redundant TTY warning in auth note	2026-06-15 16:04:28 +03:00
Koshkoshinsk	b92d1f9343	docs(add-codex): drop redundant TTY warning in auth note The 'don't run via `!` prefix or Bash tool' sentence was redundant with the leading 'Run this in a separate, real terminal — it is interactive.' Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-15 15:32:04 +03:00
Daniel M	acbb1144b7	Merge pull request #2769 from nanocoai/docs/codex-interactive-host-restart docs(add-codex): flag interactive auth step + add host-restart step	2026-06-15 02:24:06 +03:00
Koshkoshinsk	028897f38f	docs(add-codex): flag interactive auth step + add host-restart step - Authenticate: run in a separate real terminal, not Claude Code's `!` prefix or an agent Bash tool — the provider-auth picker + browser/device login need an interactive TTY, so those prompts stall otherwise (CDX-002). - add a "Restart the host" step after the image rebuild so the host reloads Codex's /home/node/.codex mount + env; skipping it left the dir root-owned and the container hit EACCES writing config.toml (CDX-003). Refs CDX-002, CDX-003. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-15 01:58:30 +03:00