Merge pull request #1885 from ssimeonov/fix/container-home-permissions

fix(container): v2 -- make /home/node writable for mapped host UIDs

.claude/skills/add-wechat/SKILL.md

@@ -167,4 +167,4 @@ Otherwise, restart the service to pick up the new channel and wiring.
 - **supports-threads**: no (WeChat has no reply threads)
 - **typical-use**: Long-poll — the adapter holds a persistent connection to Tencent's iLink API and receives messages in real time. No webhook URL needed.
 - **default-isolation**: `shared` session mode per messaging group (DM or room). Use `strict` sender policy if you want only specific users to reach the agent; `public` opens it to anyone who messages the bot.
-- **post-install-wiring**: Use the `wire-dm.ts` helper (see the "Wire your first DM" section above) if running this skill standalone. If running inside `/new-setup`, `init-first-agent.ts` handles wiring — just pass the `platform-id` and `admin-user-id` captured above.
+- **post-install-wiring**: Use the `wire-dm.ts` helper (see the "Wire your first DM" section above) if running this skill standalone. If running as part of `bash nanoclaw.sh`, `init-first-agent.ts` handles wiring — just pass the `platform-id` and `admin-user-id` captured above.

.claude/skills/migrate-nanoclaw/diagnostics.md

@@ -45,8 +45,7 @@ rm /tmp/nanoclaw-diagnostics.json
 **No**: `rm /tmp/nanoclaw-diagnostics.json`
 
 **Never ask again**:
-1. Replace contents of `.claude/skills/setup/diagnostics.md` with `# Diagnostics — opted out`
-2. Replace contents of `.claude/skills/update-nanoclaw/diagnostics.md` with `# Diagnostics — opted out`
-3. Replace contents of `.claude/skills/migrate-nanoclaw/diagnostics.md` with `# Diagnostics — opted out`
-4. Remove the diagnostics sections from each corresponding SKILL.md
-5. `rm /tmp/nanoclaw-diagnostics.json`
+1. Replace contents of `.claude/skills/update-nanoclaw/diagnostics.md` with `# Diagnostics — opted out`
+2. Replace contents of `.claude/skills/migrate-nanoclaw/diagnostics.md` with `# Diagnostics — opted out`
+3. Remove the diagnostics sections from each corresponding SKILL.md
+4. `rm /tmp/nanoclaw-diagnostics.json`

.claude/skills/new-setup/SKILL.md

@@ -1,270 +0,0 @@
----
-name: new-setup
-description: End-to-end NanoClaw setup for any user regardless of technical background — from zero to a named agent reachable on a real messaging channel, with sensible defaults and every post-verification step skippable.
-allowed-tools: Bash(bash setup.sh) Bash(bash setup/probe.sh) Bash(bash setup/install-node.sh) Bash(bash setup/install-docker.sh) Bash(bash setup/install-telegram.sh) Bash(bash setup/install-telegram.sh:*) Bash(pnpm exec tsx setup/index.ts:*) Bash(pnpm exec tsx scripts/init-first-agent.ts:*) Bash(pnpm run chat) Bash(pnpm run chat:*) Bash(open -a Docker) Bash(sudo systemctl start docker) Bash(node --version) Bash(tail:*) Bash(head:*) Bash(grep:*)
----
-
-# NanoClaw setup
-
-Purpose of this skill is to take any user — technical or not — from zero to a named agent wired to a real messaging channel in the fewest steps possible.
-
-The flow has two halves:
-
-- **Steps 1–6 — required.** Prerequisites, credential, service start, end-to-end ping. These run straight through.
-- **Steps 7–12 — skippable.** Naming, channel wiring, QoL. Every step here is skippable: if the user says "skip", "not now", "later", or similar, move on without complaint. If they say they're done at any point, stop cleanly — don't push the remaining steps.
-
-Before each step, narrate to the user in your own words what's about to happen — one short, friendly sentence, no jargon. Don't read a scripted line; use the step context below to speak naturally.
-
-Each step is invoked as `pnpm exec tsx setup/index.ts --step <name>` and emits a structured status block Claude parses to decide what to do next.
-
-Start with a probe: a single upfront scan that snapshots every prerequisite and dependency. The rest of the flow reads this snapshot to decide what to run, skip, or ask about — no per-step re-checking. The probe is pure bash (`setup/probe.sh`) with no external deps so it runs correctly before Node has been installed.
-
-## Current state
-
-!`bash setup/probe.sh`
-
-## Flow
-
-Parse the probe block above. For each step below, consult the named probe fields and skip, ask, or run accordingly. The probe always returns a real snapshot — there is no "node not installed" fallback; `HOST_DEPS=missing` is how you know Node/pnpm haven't been bootstrapped yet.
-
-## Ordering and parallelism
-
-Run steps sequentially by default: invoke the step, wait for its status block, act on the result, move to the next.
-
-One permitted parallelism:
-
-- **Step 2 (container image build) and step 3 (OneCLI install)** are independent — they may start together in the background.
-- **Step 4 (auth) must NOT start until step 3 has completed.** Auth writes the secret into the OneCLI vault; if OneCLI isn't installed and healthy yet, the user gets asked for a credential the system can't store. Do not open an `AskUserQuestion` for step 4 while OneCLI is still installing.
-- Step 2's image build may continue running past step 4 — the image isn't consumed until step 6 (first CLI agent). Join before step 6.
-
-### 1. Node bootstrap
-
-Check probe results and skip if `HOST_DEPS=ok` — Node, pnpm, `node_modules`, and `better-sqlite3`'s native binding are already in place.
-
-If `HOST_DEPS=missing` and `node --version` fails (Node isn't installed at all), run `bash setup/install-node.sh` **before** `bash setup.sh` — the script handles both macOS (via `brew`) and Linux/WSL (NodeSource + apt). It's idempotent and short-circuits when node is already on PATH.
-
-Then run `bash setup.sh`. If Node is already present and only `HOST_DEPS=missing`, run `bash setup.sh` directly — deps just haven't been installed yet.
-
-Parse the status block:
-
-- `NODE_OK=false` → Node install didn't take effect (PATH issue, keg-only formula, etc.). Investigate `logs/setup.log`, resolve, re-run.
-- `DEPS_OK=false` or `NATIVE_OK=false` → Read `logs/setup.log`, fix, re-run.
-
-> **Loose command:** `bash setup.sh`. Justification: pre-Node bootstrap. Can't call the Node-based dispatcher before Node and `pnpm install` are in place.
-
-### 2. Docker
-
-Check probe results and skip if `DOCKER=running` AND `IMAGE_PRESENT=true`.
-
-**Runtime:**
-- `DOCKER=not_found` → Docker is missing — install it so agent containers have an isolated place to run. Run `bash setup/install-docker.sh` (handles macOS via `brew --cask` and Linux via the official get.docker.com script, and adds the user to the `docker` group on Linux). On Linux the user may need to log out/in for group membership to take effect. On macOS, launch Docker afterwards with `open -a Docker`.
-- `DOCKER=installed_not_running` → Docker is installed but the daemon is down — start it.
-  - macOS: `open -a Docker`
-  - Linux: `sudo systemctl start docker`
-
-Wait ~15s after either, then proceed.
-
-> **Loose commands:** `open -a Docker`, `sudo systemctl start docker`. Justification: daemon-start is a one-liner per platform, not worth wrapping. The actual install (which had the unmatchable `curl | sh` pattern) is now inside `setup/install-docker.sh`.
-
-**Image (run if `IMAGE_PRESENT=false`):** build the agent container image — takes a few minutes the first time, one-off cost.
-
-`pnpm exec tsx setup/index.ts --step container -- --runtime docker`
-
-### 3. OneCLI
-
-Check probe results and skip if `ONECLI_STATUS=healthy`.
-
-OneCLI is the local vault that holds API keys and only releases them to agents when they need them.
-
-`pnpm exec tsx setup/index.ts --step onecli`
-
-### 4. Anthropic credential
-
-Check probe results and skip if `ANTHROPIC_SECRET=true`.
-
-The credential never travels through chat — the user generates it, registers it with OneCLI themselves, and the skill verifies.
-
-**4a. Pick the source.** `AskUserQuestion`:
-
-1. **Claude subscription (Pro/Max)** — "Generate a token via `claude setup-token` in another terminal."
-2. **Anthropic API key** — "Use a pay-per-use key from console.anthropic.com/settings/keys."
-
-**4b. Wait for the user to obtain the credential.** For subscription, have them run `claude setup-token` in another terminal. For API key, point them to the console URL above. Either way, they keep the token — just confirm when they have it.
-
-**4c. Pick the registration path.** `AskUserQuestion` — substitute `${ONECLI_URL}` from the probe (or `.env`):
-
-1. **Dashboard** — "Open ${ONECLI_URL} in a browser; add a secret of type `anthropic`, value = the token, host-pattern `api.anthropic.com`."
-2. **CLI** — "Run in another terminal: `onecli secrets create --name Anthropic --type anthropic --value YOUR_TOKEN --host-pattern api.anthropic.com`"
-
-Wait for the user's confirmation. If their reply happens to include a token (starts with `sk-ant-`), register it for them: `pnpm exec tsx setup/index.ts --step auth -- --create --value <TOKEN>`.
-
-**4d. Verify.**
-
-`pnpm exec tsx setup/index.ts --step auth -- --check`
-
-If `ANTHROPIC_OK=false`, the secret isn't there yet — ask them to retry, then re-check.
-
-### 5. Service
-
-Check probe results and skip if `SERVICE_STATUS=running`.
-
-Start the NanoClaw background service — it relays messages between the user and the agent.
-
-`pnpm exec tsx setup/index.ts --step service`
-
-### 6. Wire a scratch CLI agent and verify end-to-end
-
-**Do not narrate this step.** No "creating your first agent…", no "sending a ping…" chatter. The user's experience here is: they finished the last visible step (service), then a single success line appears. Wiring is an implementation detail at this point, not a user-facing milestone.
-
-If step 2's container build is still running in the background, join it here before proceeding — the agent needs the image.
-
-Use `INFERRED_DISPLAY_NAME` from the probe silently. **Do not ask the user.** The CLI agent at this stage is a scratch agent whose only purpose is to verify the end-to-end pipeline (host → container → agent → back). The user's real name capture happens in step 7.
-
-Run wiring and ping back-to-back, silently:
-
-```
-pnpm exec tsx setup/index.ts --step cli-agent -- --display-name "<INFERRED_DISPLAY_NAME>"
-pnpm run chat ping
-```
-
-First container spin-up takes ~60s. When the agent's reply arrives, emit exactly one line to the user:
-
-> Test Agent success, proceeding with setup
-
-If `pnpm run chat ping` times out or errors, tail `logs/nanoclaw.log`, diagnose, and fix — don't surface a half-success.
-
-> **Loose command:** `pnpm run chat ping`. Justification: this is the same command the user will keep using after setup, so verification and the real channel are one and the same.
-
-### 7. What should the agent call you?
-
-Plain-prose ask (do **not** use `AskUserQuestion`):
-
-> What should your agent call you? (Default: `<INFERRED_DISPLAY_NAME>`)
-
-Capture the answer into a local variable `OPERATOR_NAME`. **Don't persist yet** — this value is consumed by step 10's channel wiring. If the user skips or confirms the default, set `OPERATOR_NAME = INFERRED_DISPLAY_NAME`.
-
-### 8. What's your agent's name?
-
-Plain-prose ask:
-
-> What would you like to call your agent? (Default: `<OPERATOR_NAME>`)
-
-Capture as `AGENT_NAME`. If skipped, set `AGENT_NAME = OPERATOR_NAME`. Nothing persisted yet.
-
-### 9. Timezone
-
-Run `pnpm exec tsx setup/index.ts --step timezone` and parse the status block.
-
-- **RESOLVED_TZ is `UTC` or `Etc/UTC`** — before leaving UTC in `.env`, confirm with `AskUserQuestion`:
-
-  - **Question**: "Your system reports UTC as the timezone. Is that right, or are you somewhere else?"
-  - **Header**: "Timezone"
-  - **Options**:
-    1. `Keep UTC` — "Leave timezone as UTC."
-    2. `I'm somewhere else` — "I'll name the IANA zone (e.g. `America/New_York`, `Europe/London`, `Asia/Tokyo`) via Other."
-
-  If they pick "I'm somewhere else" (or type an IANA zone via Other), re-run `pnpm exec tsx setup/index.ts --step timezone -- --tz <answer>` to overwrite `.env`. If they keep UTC or skip, leave UTC in place.
-
-- **NEEDS_USER_INPUT=true** — autodetection failed. Use `AskUserQuestion` with the same two options above (reword the question to "Autodetection failed — what timezone are you in?"), then re-run `pnpm exec tsx setup/index.ts --step timezone -- --tz <answer>` if they supply one. If they skip, move on.
-
-- Otherwise — timezone is already set; move on.
-
-### 10. Pick a messaging channel
-
-Print the list as a numbered plain-prose list (too many options for `AskUserQuestion`, which caps at 4). The user replies with a number or channel name. Preserve the numbering exactly:
-
-> Which messaging channel should I wire your agent to?
->
-> 1. **WhatsApp (native)** — `/add-whatsapp`
-> 2. **WhatsApp Cloud (Meta official)** — `/add-whatsapp-cloud`
-> 3. **Telegram** — `/add-telegram`
-> 4. **Slack** — `/add-slack`
-> 5. **Discord** — `/add-discord`
-> 6. **iMessage** — `/add-imessage`
-> 7. **Teams** — `/add-teams`
-> 8. **Matrix** — `/add-matrix`
-> 9. **Google Chat** — `/add-gchat`
-> 10. **Linear** — `/add-linear`
-> 11. **GitHub** — `/add-github`
-> 12. **Webex** — `/add-webex`
-> 13. **Resend (email)** — `/add-resend`
-> 14. **Emacs** — `/add-emacs`
-> 15. **WeChat** — `/add-wechat`
->
-> Or say "skip" to leave this for later.
-
-When the user picks one:
-
-1. **Install the adapter.** For **Telegram**, run `bash setup/install-telegram.sh` directly — it bundles the preflight + fetch + copy + register + `pnpm install` + build from `/add-telegram` into one idempotent call. Then handle Telegram credentials inline (below) — **do not** invoke `/add-telegram` afterward; its Credentials section would generate an unapprovable `grep && sed && rm` to write `.env`. For every other channel, invoke the matching `/add-<channel>` skill via the Skill tool; it copies the adapter source in from the `channels` branch, registers it, installs the pinned npm package, and handles credentials. Some channels also run a pairing step as part of their flow.
-
-   **Telegram credentials (inline):**
-   - Walk the user through BotFather: `/newbot` → pick name + username ending in `bot` → copy the token.
-   - Remind them: in `@BotFather` → `/mybots` → their bot → Bot Settings → Group Privacy → **Turn off** (only needed if the bot will live in groups; DM-only can skip).
-   - Persist the token and sync it to the container mount with the generic setter:
-
-     ```
-     pnpm exec tsx setup/index.ts --step set-env -- \
-       --key TELEGRAM_BOT_TOKEN --value "<token>" --sync-container
-     ```
-
-2. **Capture platform IDs.** After the `/add-<channel>` skill finishes (or after inline credentials for Telegram), you need two values: the operator's user-id on that platform, and the chat/channel platform-id. Each channel surfaces these differently — consult the **Channel Info** section at the bottom of that skill's `SKILL.md` for the exact path. For Telegram, run `pnpm exec tsx setup/index.ts --step pair-telegram -- --intent <main|wire-to:folder|new-agent:folder>` directly and follow its `PAIR_TELEGRAM_ISSUED`/`PAIR_TELEGRAM STATUS=success` blocks — `PLATFORM_ID` and `ADMIN_USER_ID` land in the success block.
-3. **Wire the agent.** Run `init-first-agent.ts` in DM mode:
-
-   ```
-   pnpm exec tsx scripts/init-first-agent.ts \
-     --channel <channel> \
-     --user-id "<platform-user-id>" \
-     --platform-id "<platform-chat-id>" \
-     --display-name "<OPERATOR_NAME>" \
-     --agent-name "<AGENT_NAME>"
-   ```
-
-4. **Announce.** On success, emit the encouragement line verbatim:
-
-   > Your agent is now available on {channel-name}, you can already start chatting — But I encourage you to continue and finish this setup, we're almost done!
-
-   Substitute `{channel-name}` with the friendly name (e.g. "Telegram", "WhatsApp", "Slack").
-
-If the user skipped, move on to step 11.
-
-### 11. Host directory access
-
-By default, agent containers can only touch their own workspace. If the user wants the agent to read or write files in specific host directories, those paths need to go on the mount allowlist.
-
-Use `AskUserQuestion`:
-
-- **Question**: "Want your agent to read or write files in any host directories (e.g. a code project, `~/Documents`)?"
-- **Header**: "Host mounts"
-- **Options**:
-  1. `Keep isolated` — "Agent only touches its own workspace (Recommended)."
-  2. `Add host paths` — "I'll name the directories to allowlist via Other."
-
-If they pick "Add host paths" (or name paths via Other), invoke `/manage-mounts` via the Skill tool to add them. If they keep it isolated or skip, move on.
-
-### 12. Quality of life
-
-Optional polish. Print the list; the user may pick zero, one, or several — invoke each chosen skill in sequence:
-
-> Want to add any of these? Pick any that sound useful — or skip:
->
-> - `/add-dashboard` — browser dashboard showing agent activity
-> - `/add-compact` — `/compact` slash command for managing long sessions
-> - `/add-karpathy-llm-wiki` — persistent knowledge-base memory for the agent
-
-If the probe reports `PLATFORM=darwin`, also offer:
-
-> - `/add-macos-statusbar` — macOS menu bar indicator with Start/Stop/Restart controls
-
-Do **not** list `/add-macos-statusbar` on Linux. If the user skips everything, just move on.
-
-### 13. Done
-
-Short wrap-up:
-
-> Setup complete. You can chat with your agent on {channel-name} — or via CLI with `pnpm run chat <message>`.
-
-Substitute `{channel-name}` with whatever was wired in step 10. If step 10 was skipped, drop the "on {channel-name} — or" clause entirely so the line just mentions the CLI form.
-
-## If anything fails
-
-Any step that reports `STATUS: failed` in its status block: read `logs/setup.log` (or `logs/nanoclaw.log` for runtime failures), diagnose, fix the underlying cause, re-run the same `--step`. Don't bypass errors to keep moving.

.claude/skills/setup/SKILL.md

@@ -1,349 +1,10 @@
 ---
 name: setup
-description: Run initial NanoClaw setup. Use when user wants to install dependencies, authenticate messaging channels, register their main channel, or start the background services. Triggers on "setup", "install", "configure nanoclaw", or first-time setup requests.
+description: Run initial NanoClaw setup. Use when user wants to install NanoClaw, configure it, or go through first-time setup. Triggers on "setup", "install", "configure nanoclaw", or first-time setup requests.
 ---
 
 # NanoClaw Setup
 
-Welcome the user to NanoClaw. Introduce yourself — you'll be walking them through the entire setup process step by step, from installing dependencies to getting their first message through. Keep it warm and brief (2-3 sentences).
+Tell the user to run `bash nanoclaw.sh` in their terminal. That script handles the full end-to-end setup — dependencies, container image, OneCLI vault, Anthropic credential, service, first agent, and optional channel wiring.
 
-Then explain that setup involves running many shell commands (installing packages, building containers, starting services), and recommend pre-approving the standard setup commands so they don't have to confirm each one individually.
-
-Use `AskUserQuestion` with these options:
-
-1. **Pre-approve (recommended)** — description: "Pre-approve standard setup commands so you don't have to confirm each one. You can review the list first if you'd like."
-2. **No thanks** — description: "I'll approve each command individually as it comes up."
-3. **Show me the list first** — description: "Show me exactly which commands will be pre-approved before I decide."
-
-If they pick option 1: read `.claude/skills/setup/setup-permissions.json`, then read the project settings file at `.claude/settings.json` (create it if it doesn't exist with `{}`), and directly edit it to add/merge the permissions into the `permissions.allow` array. Do NOT use the `update-config` skill.
-
-If they pick option 3: read and display `.claude/skills/setup/setup-permissions.json`, then re-ask with just options 1 and 2.
-
-If they decline, continue — they'll approve commands individually.
-
----
-
-**Internal guidance (do not show to user):**
-
-- Run setup steps automatically. Only pause when user action is required (channel authentication, configuration choices).
-- Setup uses `bash setup.sh` for bootstrap, then `npx tsx setup/index.ts --step <name>` for all other steps. Steps emit structured status blocks to stdout. Verbose logs go to `logs/setup.log`.
-- **Principle:** When something is broken or missing, fix it. Don't tell the user to go fix it themselves unless it genuinely requires their manual action (e.g. authenticating a channel, pasting a secret token). If a dependency is missing, install it. If a service won't start, diagnose and repair.
-- **UX Note:** Use `AskUserQuestion` for multiple-choice questions only (e.g. "which credential method?"). Do NOT use it when free-text input is needed (e.g. phone numbers, tokens, paths) — just ask the question in plain text and wait for the user's reply.
-- **Timeouts:** Use 5m timeouts for install and build steps.
-- **Waiting on user:** When the user needs to do something (change a setting, get a token, open a browser, etc.), stop and wait. Give clear instructions, then say "Let me know when done or if you need help." Do NOT continue to the next step. If they ask for help, give more detail, ask where they got stuck, and try to assist.
-
-## 0. Git Upstream
-
-Ensure `upstream` remote points to `qwibitai/nanoclaw`. If missing, add it silently:
-
-```bash
-git remote -v
-git remote add upstream https://github.com/qwibitai/nanoclaw.git 2>/dev/null || true
-```
-
-## 1. Bootstrap (Node.js + Dependencies)
-
-Run `bash setup.sh` and parse the status block.
-
-- If NODE_OK=false → Node.js is missing or too old. Use `AskUserQuestion: Would you like me to install Node.js 22?` If confirmed:
-  - macOS: `brew install node@22` (if brew available) or install nvm then `nvm install 22`
-  - Linux: `curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && sudo apt-get install -y nodejs`, or nvm
-  - After installing Node, re-run `bash setup.sh`
-- If DEPS_OK=false → Read `logs/setup.log`. Try: delete `node_modules`, re-run `bash setup.sh`. If native module build fails, install build tools (`xcode-select --install` on macOS, `build-essential` on Linux), then retry.
-- If NATIVE_OK=false → better-sqlite3 failed to load. Install build tools and re-run.
-- Record PLATFORM and IS_WSL for later steps.
-
-## 2. Check Environment
-
-Run `pnpm exec tsx setup/index.ts --step environment` and parse the status block.
-
-- If HAS_AUTH=true → WhatsApp is already configured, note for step 5
-- If HAS_REGISTERED_GROUPS=true → note existing config, offer to skip or reconfigure
-- Record DOCKER value for step 3
-
-### OpenClaw Migration Detection
-
-If OPENCLAW_PATH is not `none` from the environment check above, AskUserQuestion:
-
-1. **Migrate now** — "Import identity, credentials, and settings from OpenClaw before continuing setup."
-2. **Fresh start** — "Skip migration and set up NanoClaw from scratch."
-3. **Migrate later** — "Continue setup now, run `/migrate-from-openclaw` anytime later."
-
-If "Migrate now": invoke `/migrate-from-openclaw`, then return here and continue at step 2a (Timezone).
-
-## 2a. Timezone
-
-Run `pnpm exec tsx setup/index.ts --step timezone` and parse the status block.
-
-- If NEEDS_USER_INPUT=true → The system timezone could not be autodetected (e.g. POSIX-style TZ like `IST-2`). AskUserQuestion: "What is your timezone?" with common options (America/New_York, Europe/London, Asia/Jerusalem, Asia/Tokyo) and an "Other" escape. Then re-run: `pnpm exec tsx setup/index.ts --step timezone -- --tz <their-answer>`.
-- If STATUS=success and RESOLVED_TZ is `UTC` or `Etc/UTC` → confirm with the user: "Your system timezone is UTC — is that correct, or are you on a remote server?" If wrong, ask for their actual timezone and re-run with `--tz`.
-- If STATUS=success → Timezone is configured. Note RESOLVED_TZ for reference.
-
-## 3. Container Runtime (Docker)
-
-### 3a. Install Docker
-
-- DOCKER=running → continue to step 4
-- DOCKER=installed_not_running → start Docker: `open -a Docker` (macOS) or `sudo systemctl start docker` (Linux). Wait 15s, re-check with `docker info`.
-- DOCKER=not_found → Use `AskUserQuestion: Docker is required for running agents. Would you like me to install it?` If confirmed:
-  - macOS: install via `brew install --cask docker`, then `open -a Docker` and wait for it to start. If brew not available, direct to Docker Desktop download at https://docker.com/products/docker-desktop
-  - Linux: install with `curl -fsSL https://get.docker.com | sh && sudo usermod -aG docker $USER`. Note: user may need to log out/in for group membership.
-
-### 3b. CJK fonts
-
-Agent containers skip CJK fonts by default (~200MB saved). Without them, Chromium-rendered screenshots and PDFs show tofu for Chinese/Japanese/Korean.
-
-- **User writing to you in Chinese, Japanese, or Korean** → enable without asking. Mention it briefly.
-- **Resolved timezone from step 2a is a CJK region** (`Asia/Tokyo`, `Asia/Shanghai`, `Asia/Hong_Kong`, `Asia/Taipei`, `Asia/Seoul`) or other signal short of active CJK use → ask: "Enable CJK fonts? Adds ~200MB, lets the agent render CJK in screenshots and PDFs."
-- **Otherwise** → skip.
-
-To enable, write `INSTALL_CJK_FONTS=true` to `.env`:
-
-```bash
-grep -q '^INSTALL_CJK_FONTS=' .env && sed -i.bak 's/^INSTALL_CJK_FONTS=.*/INSTALL_CJK_FONTS=true/' .env && rm -f .env.bak || echo 'INSTALL_CJK_FONTS=true' >> .env
-```
-
-The next step's build picks it up automatically.
-
-### 3c. Build and test
-
-Run `pnpm exec tsx setup/index.ts --step container -- --runtime docker` and parse the status block.
-
-**If BUILD_OK=false:** Read `logs/setup.log` tail for the build error.
-- Cache issue (stale layers): `docker builder prune -f`. Retry.
-- Dockerfile syntax or missing files: diagnose from the log and fix, then retry.
-
-**If TEST_OK=false but BUILD_OK=true:** The image built but won't run. Check logs — common cause is runtime not fully started. Wait a moment and retry the test.
-
-## 4. Credential System
-
-### 4a. OneCLI
-
-Install OneCLI and its CLI tool:
-
-```bash
-curl -fsSL onecli.sh/install | sh
-curl -fsSL onecli.sh/cli/install | sh
-```
-
-Verify both installed: `onecli version`. If the command is not found, the CLI was likely installed to `~/.local/bin/`. Add it to PATH for the current session and persist it:
-
-```bash
-export PATH="$HOME/.local/bin:$PATH"
-# Persist for future sessions (append to shell profile if not already present)
-grep -q '.local/bin' ~/.bashrc 2>/dev/null || echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc
-grep -q '.local/bin' ~/.zshrc 2>/dev/null || echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.zshrc
-```
-
-Then re-verify with `onecli version`.
-
-Point the CLI at the local OneCLI instance, the ONECLI_URL was output from the install script above:
-```bash
-onecli config set api-host ${ONECLI_URL}
-```
-
-Ensure `.env` has the OneCLI URL (create the file if it doesn't exist):
-```bash
-grep -q 'ONECLI_URL' .env 2>/dev/null || echo 'ONECLI_URL=${ONECLI_URL}' >> .env
-```
-
-Check if a secret already exists:
-```bash
-onecli secrets list
-```
-
-If an Anthropic secret is listed, confirm with user: keep or reconfigure? If keeping, skip to step 5.
-
-AskUserQuestion: Do you want to use your **Claude subscription** (Pro/Max) or an **Anthropic API key**?
-
-1. **Claude subscription (Pro/Max)** — description: "Uses your existing Claude Pro or Max subscription. You'll run `claude setup-token` in another terminal to get your token."
-2. **Anthropic API key** — description: "Pay-per-use API key from console.anthropic.com."
-
-#### Subscription path
-
-Tell the user:
-
-> Run `claude setup-token` in another terminal. It will output a token — copy it but don't paste it here.
-
-Then stop and wait for the user to confirm they have the token. Do NOT proceed until they respond.
-
-Once they confirm, they register it with OneCLI. AskUserQuestion with two options:
-
-1. **Dashboard** — description: "Best if you have a browser on this machine. Open ${ONECLI_URL} and add the secret in the UI. Use type 'anthropic' and paste your token as the value."
-2. **CLI** — description: "Best for remote/headless servers. Run: `onecli secrets create --name Anthropic --type anthropic --value YOUR_TOKEN --host-pattern api.anthropic.com`"
-
-#### API key path
-
-Tell the user to get an API key from https://console.anthropic.com/settings/keys if they don't have one.
-
-Then AskUserQuestion with two options:
-
-1. **Dashboard** — description: "Best if you have a browser on this machine. Open ${ONECLI_URL} and add the secret in the UI."
-2. **CLI** — description: "Best for remote/headless servers. Run: `onecli secrets create --name Anthropic --type anthropic --value YOUR_KEY --host-pattern api.anthropic.com`"
-
-#### After either path
-
-Ask them to let you know when done.
-
-**If the user's response happens to contain a token or key** (starts with `sk-ant-`): handle it gracefully — run the `onecli secrets create` command with that value on their behalf.
-
-**After user confirms:** verify with `onecli secrets list` that an Anthropic secret exists. If not, ask again.
-
-## 5. Set Up Channels
-
-Show the full list of available channels in plain text (do NOT use AskUserQuestion — it limits to 4 options). Ask which one they want to start with. They can add more later with `/customize`.
-
-Channels where the agent gets its own identity (name and avatar) are marked as recommended.
-
-1. Discord *(recommended — agent gets own identity)*
-2. Slack *(recommended — agent gets own identity)*
-3. Telegram *(recommended — agent gets own identity)*
-4. Microsoft Teams *(recommended — agent gets own identity)*
-5. Webex *(recommended — agent gets own identity)*
-6. WhatsApp
-7. WhatsApp Cloud API
-8. iMessage
-9. GitHub
-10. Linear
-11. Google Chat
-12. Resend (email)
-13. Matrix
-
-**Delegate to the selected channel's skill.** Each channel skill handles its own package installation, authentication, registration, and configuration.
-
-Invoke the matching skill:
-
-- **Discord:** Invoke `/add-discord`
-- **Slack:** Invoke `/add-slack`
-- **Telegram:** Invoke `/add-telegram`
-- **GitHub:** Invoke `/add-github`
-- **Linear:** Invoke `/add-linear`
-- **Microsoft Teams:** Invoke `/add-teams`
-- **Google Chat:** Invoke `/add-gchat`
-- **WhatsApp Cloud API:** Invoke `/add-whatsapp-cloud`
-- **WhatsApp Baileys:** Invoke `/add-whatsapp`
-- **Resend:** Invoke `/add-resend`
-- **Matrix:** Invoke `/add-matrix`
-- **Webex:** Invoke `/add-webex`
-- **iMessage:** Invoke `/add-imessage`
-
-The skill will:
-1. Install the Chat SDK adapter package
-2. Uncomment the channel import in `src/channels/index.ts`
-3. Collect credentials/tokens and write to `.env`
-4. Build and verify
-
-**After the channel skill completes**, install dependencies and rebuild — channel merges may introduce new packages:
-
-```bash
-pnpm install && pnpm run build
-```
-
-If the build fails, read the error output and fix it (usually a missing dependency). Then continue to step 5a.
-
-## 6. Mount Allowlist
-
-Set empty mount allowlist (agents only access their own workspace). Users can configure mounts later with `/manage-mounts`.
-
-```bash
-pnpm exec tsx setup/index.ts --step mounts -- --empty
-```
-
-## 7. Start Service
-
-If service already running: unload first.
-- macOS: `launchctl unload ~/Library/LaunchAgents/com.nanoclaw.plist`
-- Linux: `systemctl --user stop nanoclaw` (or `systemctl stop nanoclaw` if root)
-
-Run `pnpm exec tsx setup/index.ts --step service` and parse the status block.
-
-**If FALLBACK=wsl_no_systemd:** WSL without systemd detected. Tell user they can either enable systemd in WSL (`echo -e "[boot]\nsystemd=true" | sudo tee /etc/wsl.conf` then restart WSL) or use the generated `start-nanoclaw.sh` wrapper.
-
-**If DOCKER_GROUP_STALE=true:** The user was added to the docker group after their session started — the systemd service can't reach the Docker socket. Ask user to run these two commands:
-
-1. Immediate fix: `sudo setfacl -m u:$(whoami):rw /var/run/docker.sock`
-2. Persistent fix (re-applies after every Docker restart):
-```bash
-sudo mkdir -p /etc/systemd/system/docker.service.d
-sudo tee /etc/systemd/system/docker.service.d/socket-acl.conf << 'EOF'
-[Service]
-ExecStartPost=/usr/bin/setfacl -m u:USERNAME:rw /var/run/docker.sock
-EOF
-sudo systemctl daemon-reload
-```
-Replace `USERNAME` with the actual username (from `whoami`). Run the two `sudo` commands separately — the `tee` heredoc first, then `daemon-reload`. After user confirms setfacl ran, re-run the service step.
-
-**If SERVICE_LOADED=false:**
-- Read `logs/setup.log` for the error.
-- macOS: check `launchctl list | grep nanoclaw`. If PID=`-` and status non-zero, read `logs/nanoclaw.error.log`.
-- Linux: check `systemctl --user status nanoclaw`.
-- Re-run the service step after fixing.
-
-## 7a. Wire Channels to Agent Groups
-
-The service is now running, so polling-based adapters (Telegram) can observe inbound messages — required for pairing.
-
-Invoke `/manage-channels` to wire the installed channels to agent groups. This step:
-1. Creates the agent group(s) and assigns a name to the assistant
-2. Resolves each channel's platform-specific ID (Telegram via pairing code; other channels via the platform's own ID lookup)
-3. Decides the isolation level — whether channels share an agent, session, or are fully separate
-
-The `/manage-channels` skill reads each channel's `## Channel Info` section from its SKILL.md for platform-specific guidance (terminology, how to find IDs, recommended isolation).
-
-**This step is required.** Without it, channels are installed but not wired — messages will be silently dropped because the router has no agent group to route to.
-
-## 7b. Dashboard & Web Applications
-
-AskUserQuestion: Do you want to create a dashboard and build web applications?
-
-1. **Yes (recommended)** — description: "Get a NanoClaw dashboard to monitor your agents and build custom websites however you want. Deploys to Vercel."
-2. **Not now** — description: "You can add this later with `/add-vercel`."
-
-If yes: invoke `/add-vercel`.
-
-## 8. Verify
-
-Run `pnpm exec tsx setup/index.ts --step verify` and parse the status block.
-
-**If STATUS=failed, fix each:**
-- SERVICE=stopped → `pnpm run build`, then restart: `launchctl kickstart -k gui/$(id -u)/com.nanoclaw` (macOS) or `systemctl --user restart nanoclaw` (Linux) or `bash start-nanoclaw.sh` (WSL nohup)
-- SERVICE=not_found → re-run step 7
-- CREDENTIALS=missing → re-run step 4 (check `onecli secrets list`)
-- CHANNEL_AUTH shows `not_found` for any channel → re-invoke that channel's skill (e.g. `/add-telegram`)
-- REGISTERED_GROUPS=0 → re-invoke `/manage-channels` from step 7a
-Tell user to test: send a message in their registered chat. Show: `tail -f logs/nanoclaw.log`
-
-## Troubleshooting
-
-**Service not starting:** Check `logs/nanoclaw.error.log`. Common: wrong Node path (re-run step 7), credential system not running (check `curl ${ONECLI_URL}/api/health`), missing channel credentials (re-invoke channel skill).
-
-**Container agent fails ("Claude Code process exited with code 1"):** Ensure Docker is running — `open -a Docker` (macOS) or `sudo systemctl start docker` (Linux). Check container logs in `groups/main/logs/container-*.log`.
-
-**No response to messages:** Check trigger pattern. Main channel doesn't need prefix. Check DB: `pnpm exec tsx setup/index.ts --step verify`. Check `logs/nanoclaw.log`.
-
-**Channel not connecting:** Verify the channel's credentials are set in `.env`. Channels auto-enable when their credentials are present. For WhatsApp: check `store/auth/creds.json` exists. For token-based channels: check token values in `.env`. Restart the service after any `.env` change.
-
-**Unload service:** macOS: `launchctl unload ~/Library/LaunchAgents/com.nanoclaw.plist` | Linux: `systemctl --user stop nanoclaw`
-
-
-## 9. Diagnostics
-
-1. Use the Read tool to read `.claude/skills/setup/diagnostics.md`.
-2. Follow every step in that file before completing setup.
-
-## 10. Fork Setup
-
-Only run this after the user has confirmed 2-way messaging works.
-
-Check `git remote -v`. If `origin` points to `qwibitai/nanoclaw` (not a fork), ask in plain text:
-
-> We recommend forking NanoClaw so you can push your customizations and pull updates easily. Would you like to set up a fork now?
-
-If yes: instruct the user to fork `qwibitai/nanoclaw` on GitHub (they need to do this in their browser), then ask for their GitHub username. Run:
-```bash
-git remote rename origin upstream
-git remote add origin https://github.com/<their-username>/nanoclaw.git
-git push --force origin main
-```
-
-If no: skip — upstream is already configured from step 0.
+If they hit an error partway through, it will offer Claude-assisted recovery inline — no need to come back here.

.claude/skills/setup/diagnostics.md

@@ -1,49 +0,0 @@
-# Diagnostics
-
-Gather system info:
-
-```bash
-node -p "require('./package.json').version"
-uname -s
-uname -m
-node -p "process.versions.node.split('.')[0]"
-```
-
-Check if the user migrated from OpenClaw during this setup session (i.e. `/migrate-from-openclaw` was invoked). If you're unsure (e.g. after context compaction), check for `migration-state.md` in the project root — it exists during and sometimes after migration.
-
-Write `/tmp/nanoclaw-diagnostics.json`. No paths, usernames, hostnames, or IP addresses.
-
-```json
-{
-  "api_key": "phc_fx1Hhx9ucz8GuaJC8LVZWO8u03yXZZJJ6ObS4yplnaP",
-  "event": "setup_complete",
-  "distinct_id": "<uuid>",
-  "properties": {
-    "success": true,
-    "nanoclaw_version": "1.2.21",
-    "os_platform": "darwin",
-    "arch": "arm64",
-    "node_major_version": 22,
-    "channels_selected": ["telegram", "whatsapp"],
-    "migrated_from_openclaw": false,
-    "error_count": 0,
-    "failed_step": null
-  }
-}
-```
-
-Show the entire JSON to the user and ask via AskUserQuestion: **Yes** / **No** / **Never ask again**
-
-**Yes**:
-```bash
-curl -s -X POST https://us.i.posthog.com/capture/ -H 'Content-Type: application/json' -d @/tmp/nanoclaw-diagnostics.json
-rm /tmp/nanoclaw-diagnostics.json
-```
-
-**No**: `rm /tmp/nanoclaw-diagnostics.json`
-
-**Never ask again**:
-1. Replace contents of `.claude/skills/setup/diagnostics.md` with `# Diagnostics — opted out`
-2. Replace contents of `.claude/skills/update-nanoclaw/diagnostics.md` with `# Diagnostics — opted out`
-3. Remove the `## 9. Diagnostics` section from `.claude/skills/setup/SKILL.md` and the `## Diagnostics` section from `.claude/skills/update-nanoclaw/SKILL.md`
-4. `rm /tmp/nanoclaw-diagnostics.json`

.claude/skills/setup/setup-permissions.json

@@ -1,34 +0,0 @@
-[
-  "Bash(bash setup.sh*)",
-  "Bash(git remote *)",
-  "Bash(npx tsx setup/index.ts*)",
-  "Bash(npx tsx scripts/init-first-agent.ts*)",
-  "Bash(npm install @chat-adapter/*)",
-  "Bash(npm install chat-adapter-imessage*)",
-  "Bash(npm install @bitbasti/chat-adapter-webex*)",
-  "Bash(npm install @resend/chat-sdk-adapter*)",
-  "Bash(npm install @whiskeysockets/baileys*)",
-  "Bash(npm install @beeper/chat-adapter-matrix*)",
-  "Bash(npm install @nanoco/nanoclaw-dashboard*)",
-  "Bash(npm ci*)",
-  "Bash(npm run build*)",
-  "Bash(curl -fsSL onecli.sh*)",
-  "Bash(onecli *)",
-  "Bash(grep -q *)",
-  "Bash(echo *>> .env)",
-  "Bash(ls *)",
-  "Bash(cat ~/.config/nanoclaw/*)",
-  "Bash(tail *logs/*)",
-  "Bash(launchctl *nanoclaw*)",
-  "Bash(sqlite3 data/*)",
-  "Bash(docker info*)",
-  "Bash(docker logs *)",
-  "Bash(mkdir -p *)",
-  "Bash(cp .env *)",
-  "Bash(rsync -a .claude/skills/*)",
-  "Bash(head *)",
-  "Bash(xattr *)",
-  "Bash(find ~/.npm *)",
-  "Bash(which onecli*)",
-  "Bash(./container/build.sh*)"
-]

.claude/skills/update-nanoclaw/diagnostics.md

@@ -43,7 +43,6 @@ rm /tmp/nanoclaw-diagnostics.json
 **No**: `rm /tmp/nanoclaw-diagnostics.json`
 
 **Never ask again**:
-1. Replace contents of `.claude/skills/setup/diagnostics.md` with `# Diagnostics — opted out`
-2. Replace contents of `.claude/skills/update-nanoclaw/diagnostics.md` with `# Diagnostics — opted out`
-3. Remove the `## 9. Diagnostics` section from `.claude/skills/setup/SKILL.md` and the `## Diagnostics` section from `.claude/skills/update-nanoclaw/SKILL.md`
-4. `rm /tmp/nanoclaw-diagnostics.json`
+1. Replace contents of `.claude/skills/update-nanoclaw/diagnostics.md` with `# Diagnostics — opted out`
+2. Remove the `## Diagnostics` section from `.claude/skills/update-nanoclaw/SKILL.md`
+3. `rm /tmp/nanoclaw-diagnostics.json`

container/Dockerfile

@@ -111,7 +111,7 @@ RUN chmod +x /app/entrypoint.sh
 # ---- Workspace + permissions -------------------------------------------------
 RUN mkdir -p /workspace/group /workspace/extra && \
     chown -R node:node /workspace && \
-    chmod 755 /home/node
+    chmod 777 /home/node
 
 USER node
 WORKDIR /workspace/group

setup.sh

@@ -85,19 +85,44 @@ install_deps() {
   # is invisible but corepack still blocks on stdin. Auto-accept.
   export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
 
-  # Enable corepack so `pnpm` shim lands on PATH.
-  log "Enabling corepack"
-  corepack enable >> "$LOG_FILE" 2>&1 || true
+  # Preferred path: enable corepack so `pnpm` shim lands on PATH.
+  if command -v corepack >/dev/null 2>&1; then
+    log "Enabling corepack"
+    corepack enable >> "$LOG_FILE" 2>&1 || true
 
-  # On Linux/WSL with system-wide Node (e.g. apt-installed to /usr/bin),
-  # corepack needs root to symlink /usr/bin/pnpm. Retry with sudo when pnpm
-  # isn't on PATH. macOS Homebrew installs land in a user-writable prefix,
-  # and a sudo retry there would create root-owned shims inside /opt/homebrew
-  # that later break brew — so the retry is Linux-only.
-  if ! command -v pnpm >/dev/null 2>&1 && [ "$PLATFORM" = "linux" ] \
-      && command -v sudo >/dev/null 2>&1; then
-    log "pnpm not on PATH after corepack enable — retrying with sudo"
-    sudo corepack enable >> "$LOG_FILE" 2>&1 || true
+    # On Linux/WSL with system-wide Node (e.g. apt-installed to /usr/bin),
+    # corepack needs root to symlink /usr/bin/pnpm. macOS Homebrew installs
+    # land in a user-writable prefix, and a sudo retry there would create
+    # root-owned shims inside /opt/homebrew that later break brew — so the
+    # retry is Linux-only.
+    if ! command -v pnpm >/dev/null 2>&1 && [ "$PLATFORM" = "linux" ] \
+        && command -v sudo >/dev/null 2>&1; then
+      log "pnpm not on PATH after corepack enable — retrying with sudo"
+      sudo corepack enable >> "$LOG_FILE" 2>&1 || true
+    fi
+  else
+    log "corepack not available — will fall back to npm-install pnpm"
+  fi
+
+  # Fallback: some Node installs (older nvm, node@22 keg-only, minimal
+  # distro packages) don't include corepack. Install pnpm directly at the
+  # version pinned via package.json's `packageManager` field.
+  if ! command -v pnpm >/dev/null 2>&1 && command -v npm >/dev/null 2>&1; then
+    local pinned
+    pinned=$(grep -E '"packageManager"' "$PROJECT_ROOT/package.json" 2>/dev/null \
+      | head -1 \
+      | sed -E 's/.*"pnpm@([^"]+)".*/\1/')
+    [ -z "$pinned" ] && pinned="latest"
+    log "Installing pnpm@${pinned} via npm"
+    npm install -g "pnpm@${pinned}" >> "$LOG_FILE" 2>&1 \
+      || ([ "$PLATFORM" = "linux" ] && command -v sudo >/dev/null 2>&1 \
+            && sudo npm install -g "pnpm@${pinned}" >> "$LOG_FILE" 2>&1) \
+      || true
+  fi
+
+  if ! command -v pnpm >/dev/null 2>&1; then
+    log "pnpm not on PATH after corepack + npm fallback"
+    return
   fi
 
   log "Running pnpm install --frozen-lockfile"