chore: track OpenClaw config, scripts, and version pin

* chore: track OpenClaw config, credentials, and version pin

Add deploy/openclaw.json as the canonical OpenClaw config (secrets
blanked, rendered with secrets.json at deploy time via jq merge).

Add deploy/openclaw-pin to pin the Merit-Systems/openclaw fork commit.

Add deploy/craig/ with GitHub App token generation and git credential
helper scripts, plus the systemd override for openclaw-gateway.

Update AGENTS.md to instruct Craig to PR config changes to
deploy/openclaw.json rather than editing ~/.openclaw/openclaw.json
directly.

Update deploy/setup.sh for the new setup flow (pnpm, fork clone,
secrets.json, credential scripts).

Note: deploy.yml is intentionally unchanged in this commit. The old
pipeline still works. Switching to the new deploy flow happens after
manual verification on EC2.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add start-openclaw.sh and missing guilds.users config

Add deploy/craig/start-openclaw.sh (startup wrapper, was only on EC2).
Fix deploy/openclaw.json to include guilds["*"].users: ["*"] matching
the live config.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: tell Craig about the OpenClaw fork and PR workflow

Update the OpenClaw Self-Reference section to point at
Merit-Systems/openclaw instead of upstream. Explain the two-step
flow: PR the fix on the fork, then update deploy/openclaw-pin here.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: sragss

AGENTS.md

@@ -62,13 +62,21 @@ For code work, figure out which repo to target:
 
 ## OpenClaw Self-Reference
 
-Your runtime is OpenClaw. The OpenClaw source is cloned locally at `~/Code/openclaw/openclaw`. When answering questions about your own functionality, capabilities, or configuration:
+Your runtime is OpenClaw. Merit-Systems maintains a fork at `Merit-Systems/openclaw`
+(upstream: `openclaw/openclaw`). The fork is cloned locally at `~/Code/openclaw/openclaw`.
+
+When answering questions about your own functionality, capabilities, or configuration:
 
 1. Pull latest: `cd ~/Code/openclaw/openclaw && git fetch && git pull`
 2. Read the relevant source or docs to give an accurate answer
-3. Cross-reference with your installed version: `ls /home/ubuntu/.npm-global/lib/node_modules/openclaw/`
 
-The local docs are at `~/Code/openclaw/openclaw/docs/` and the source at `~/Code/openclaw/openclaw/src/`. Don't guess about how you work — check the code.
+The local docs are at `~/Code/openclaw/openclaw/docs/` and the source at
+`~/Code/openclaw/openclaw/src/`. Don't guess about how you work — check the code.
+
+To fix bugs or add features to OpenClaw itself, create a PR on `Merit-Systems/openclaw`
+(same branch/PR workflow as any other repo). After the PR is merged, update the pin
+in this repo by editing `deploy/openclaw-pin` to the new commit hash and creating a
+PR here too — that triggers a rebuild and deploy of the new version.
 
 ## When Analyzing Discord Conversations
 
@@ -85,6 +93,21 @@ After taking action, respond with a single short message:
 
 Example: "Created PR #42 -- fixes the auth timeout in the login middleware."
 
+## OpenClaw Configuration
+
+Your OpenClaw config lives at `deploy/openclaw.json` in this repo. It is the
+source of truth — on every deploy it overwrites `~/.openclaw/openclaw.json`
+(merged with secrets that stay on EC2).
+
+To change your own config (heartbeat interval, mention patterns, concurrency,
+etc.), edit `deploy/openclaw.json` on a branch and create a PR. Never edit
+`~/.openclaw/openclaw.json` directly — changes will be overwritten on next
+deploy.
+
+The OpenClaw source is forked at `Merit-Systems/openclaw`. The deployed
+version is pinned by commit hash in `deploy/openclaw-pin`. Source changes
+go through PRs on that fork repo.
+
 ## x402 Payment Tools
 
 You have access to x402 payment APIs via mcporter:

deploy/craig/get-github-token.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+# Generate a GitHub App installation token using PyJWT.
+# Requires: python3, PyJWT (pip install pyjwt[crypto])
+# Requires: ~/.config/craig/github-app-key.pem (private key, not tracked in repo)
+python3 -c "
+import json, time, urllib.request, jwt
+
+app_id = 2840368
+now = int(time.time())
+payload = {\"iat\": now - 60, \"exp\": now + 600, \"iss\": app_id}
+
+with open(\"/home/ubuntu/.config/craig/github-app-key.pem\") as f:
+    private_key = f.read()
+
+token = jwt.encode(payload, private_key, algorithm=\"RS256\")
+
+req = urllib.request.Request(
+    \"https://api.github.com/app/installations/109362995/access_tokens\",
+    method=\"POST\",
+    headers={
+        \"Authorization\": f\"Bearer {token}\",
+        \"Accept\": \"application/vnd.github+json\",
+    }
+)
+resp = urllib.request.urlopen(req)
+data = json.loads(resp.read())
+print(data[\"token\"])
+"

deploy/craig/git-credential-helper.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+# Git credential helper for GitHub App installation tokens.
+# Configured via: git config --global credential.helper /path/to/this/script
+if echo "$1" | grep -q "get"; then
+  TOKEN=$(/home/ubuntu/.config/craig/get-github-token.sh 2>/dev/null)
+  echo "protocol=https"
+  echo "host=github.com"
+  echo "username=x-access-token"
+  echo "password=$TOKEN"
+fi

deploy/craig/github.conf

@@ -0,0 +1,6 @@
+# Systemd drop-in override for openclaw-gateway.service
+# Injects a fresh GitHub App token into the environment on each (re)start.
+# Deployed to: ~/.config/systemd/user/openclaw-gateway.service.d/github.conf
+[Service]
+ExecStart=
+ExecStart=/bin/bash -c "export GH_TOKEN=$(/home/ubuntu/.config/craig/get-github-token.sh) && exec /usr/bin/node /home/ubuntu/.npm-global/lib/node_modules/openclaw/dist/index.js gateway --port 18789"

deploy/craig/start-openclaw.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# Startup wrapper for OpenClaw gateway.
+# Mints a fresh GitHub App token and execs the gateway process.
+# Note: largely redundant with github.conf systemd override, but kept
+# for manual restarts outside of systemd.
+export GH_TOKEN=$(/home/ubuntu/.config/craig/get-github-token.sh 2>/dev/null)
+export PATH="/home/ubuntu/.local/bin:/home/ubuntu/.npm-global/bin:/home/ubuntu/bin:/usr/local/bin:/usr/bin:/bin"
+exec /usr/bin/node /home/ubuntu/.npm-global/lib/node_modules/openclaw/dist/index.js gateway --port 18789

deploy/openclaw-pin

@@ -0,0 +1 @@
+0ada807

deploy/openclaw.json

@@ -0,0 +1,89 @@
+{
+  "auth": {
+    "profiles": {
+      "anthropic:default": {
+        "provider": "anthropic",
+        "mode": "api_key"
+      }
+    }
+  },
+  "agents": {
+    "defaults": {
+      "model": {
+        "primary": "anthropic/claude-opus-4-6"
+      },
+      "workspace": "/home/ubuntu/Code/merit-systems/CraigClaw",
+      "contextPruning": {
+        "mode": "cache-ttl",
+        "ttl": "1h"
+      },
+      "compaction": {
+        "mode": "safeguard"
+      },
+      "heartbeat": {
+        "every": "30m",
+        "target": "discord",
+        "to": "channel:1470899181383061504"
+      },
+      "maxConcurrent": 4,
+      "subagents": {
+        "maxConcurrent": 8
+      }
+    }
+  },
+  "messages": {
+    "groupChat": {
+      "mentionPatterns": [
+        "\\bcraig\\b",
+        "\\bbiden\\b"
+      ]
+    },
+    "ackReactionScope": "group-mentions"
+  },
+  "commands": {
+    "native": "auto",
+    "nativeSkills": "auto"
+  },
+  "channels": {
+    "discord": {
+      "enabled": true,
+      "token": "",
+      "allowBots": false,
+      "groupPolicy": "open",
+      "historyLimit": 50,
+      "guilds": {
+        "*": {
+          "requireMention": true,
+          "users": [
+            "*"
+          ]
+        }
+      }
+    }
+  },
+  "gateway": {
+    "port": 18789,
+    "mode": "local",
+    "bind": "loopback",
+    "auth": {
+      "mode": "token",
+      "token": ""
+    },
+    "tailscale": {
+      "mode": "off",
+      "resetOnExit": false
+    }
+  },
+  "skills": {
+    "install": {
+      "nodeManager": "npm"
+    }
+  },
+  "plugins": {
+    "entries": {
+      "discord": {
+        "enabled": true
+      }
+    }
+  }
+}

deploy/secrets.json.example

@@ -0,0 +1,12 @@
+{
+  "channels": {
+    "discord": {
+      "token": "YOUR_DISCORD_BOT_TOKEN"
+    }
+  },
+  "gateway": {
+    "auth": {
+      "token": "YOUR_GATEWAY_AUTH_TOKEN"
+    }
+  }
+}

deploy/setup.sh

@@ -12,9 +12,9 @@ set -euo pipefail
 #   ssh ubuntu@<ip> 'bash -s' < deploy/setup.sh
 #
 # After running this script, you still need to:
-#   1. Set environment variables (ANTHROPIC_API_KEY, DISCORD_BOT_TOKEN)
-#   2. Configure openclaw.json from the template
-#   3. Set up the GitHub App credentials
+#   1. Run OpenClaw onboard (see Next Steps output)
+#   2. Create ~/.openclaw/secrets.json (see deploy/secrets.json.example)
+#   3. Place GitHub App private key at ~/.config/craig/github-app-key.pem
 #   4. Install x402 (see Merit-Systems/OpenClawX402/x402.md)
 
 echo "=== CraigClaw EC2 Setup ==="
@@ -24,9 +24,9 @@ echo "Installing Node.js 22..."
 curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
 sudo apt-get install -y nodejs
 
-# 2. Install OpenClaw
-echo "Installing OpenClaw..."
-curl -fsSL https://openclaw.ai/install.sh | bash
+# 2. Install pnpm (needed to build OpenClaw from fork source)
+echo "Installing pnpm..."
+npm install -g pnpm
 
 # 3. Install GitHub CLI
 echo "Installing GitHub CLI..."
@@ -41,26 +41,33 @@ echo "Installing GitHub CLI..."
 
 # 4. Create directory structure
 echo "Creating directory structure..."
-mkdir -p ~/Code/merit-systems
+mkdir -p ~/Code/merit-systems ~/Code/openclaw ~/.config/craig
 
 # 5. Clone CraigClaw workspace
 echo "Cloning CraigClaw workspace..."
 git clone https://github.com/Merit-Systems/CraigClaw.git ~/Code/merit-systems/CraigClaw
 
-# 6. Configure git
+# 6. Clone OpenClaw fork
+echo "Cloning OpenClaw fork..."
+git clone https://github.com/Merit-Systems/openclaw.git ~/Code/openclaw/openclaw
+
+# 7. Configure git
 echo "Configuring git..."
 git config --global user.name "craig2-bot"
 git config --global user.email "craig2@merit-systems.dev"
 git config --global init.defaultBranch main
 
-# 7. Run OpenClaw onboard
+# 8. Copy credential scripts from repo
+echo "Setting up credential scripts..."
+cp ~/Code/merit-systems/CraigClaw/deploy/craig/get-github-token.sh ~/.config/craig/
+cp ~/Code/merit-systems/CraigClaw/deploy/craig/git-credential-helper.sh ~/.config/craig/
+chmod +x ~/.config/craig/*.sh
+git config --global credential.helper /home/ubuntu/.config/craig/git-credential-helper.sh
+
 echo ""
 echo "=== Next Steps ==="
-echo "1. Set your environment variables:"
+echo "1. Set your Anthropic API key and run OpenClaw onboard:"
 echo "   export ANTHROPIC_API_KEY='your-key'"
-echo "   export DISCORD_BOT_TOKEN='your-token'"
-echo ""
-echo "2. Run OpenClaw onboard:"
 echo "   openclaw onboard --non-interactive --accept-risk \\"
 echo "     --mode local \\"
 echo "     --auth-choice apiKey \\"
@@ -70,15 +77,23 @@ echo "     --gateway-bind loopback \\"
 echo "     --install-daemon \\"
 echo "     --daemon-runtime node"
 echo ""
-echo "3. Configure the workspace path in openclaw.json:"
-echo "   openclaw config set agents.defaults.workspace ~/Code/merit-systems/CraigClaw"
+echo "2. Create ~/.openclaw/secrets.json with Discord + gateway tokens:"
+echo "   See deploy/secrets.json.example for the format."
 echo ""
-echo "4. Add Discord channel:"
-echo "   openclaw channels add --channel discord --token \"\$DISCORD_BOT_TOKEN\""
+echo "3. Place the GitHub App private key:"
+echo "   scp github-app-key.pem ubuntu@<ip>:~/.config/craig/github-app-key.pem"
 echo ""
-echo "5. Install x402 (see Merit-Systems/OpenClawX402/x402.md)"
+echo "4. Set up the systemd override:"
+echo "   mkdir -p ~/.config/systemd/user/openclaw-gateway.service.d"
+echo "   cp ~/Code/merit-systems/CraigClaw/deploy/craig/github.conf \\"
+echo "     ~/.config/systemd/user/openclaw-gateway.service.d/"
+echo "   systemctl --user daemon-reload"
 echo ""
-echo "6. Restart the gateway:"
+echo "5. Render config and start:"
+echo "   jq -s '.[0] * .[1]' ~/Code/merit-systems/CraigClaw/deploy/openclaw.json \\"
+echo "     ~/.openclaw/secrets.json > ~/.openclaw/openclaw.json"
 echo "   systemctl --user restart openclaw-gateway"
 echo ""
+echo "6. Install x402 (see Merit-Systems/OpenClawX402/x402.md)"
+echo ""
 echo "=== Setup complete ==="