Commit Graph

42 Commits

Author SHA1 Message Date
4b1f809937 ci: checkout playbooks and iac_modules from public repos
- Stop checking out the old private mono-repo `ai-workspace-infra`.
- Checkout the split public repositories `ai-workspace-infra/playbooks` and `ai-workspace-infra/iac_modules` separately.
- Remove `CODEX_GITHUB_PERSONAL_ACCESS_TOKEN` (`INFRA_REPO_TOKEN`) dependency from vault as it's no longer needed for public repos.
2026-06-25 10:14:15 +08:00
4231afc399 docs: refine latest verification (FQDN hostname both, litellm up on debian13, remaining items)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 22:00:03 +08:00
6df0990014 docs(operations): record acp-retry/litellm-uv/FQDN/non-empty fixes + verification status
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 21:58:21 +08:00
d3356a0ef0 docs(operations): end-to-end IaC<->Ansible dynamic-inventory workflow
Documents the YAML->generate.py->terraform->cmdb.json->ansible flow, the FQDN
inventory_hostname contract, the two execution models, the Vault-OIDC pipeline,
the non-empty/fail-fast checks, and the key fixes that make it work end to end.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 20:51:54 +08:00
607c995a9a ci+docs(vault): read LLM keys from kv/openclaw, SSH/infra/cloudflare from kv/CICD
DEEPSEEK/NVIDIA/OLLAMA_API_KEY live in kv/data/openclaw (not CICD); vault-action
reads them from that path in the same step. Policy grants read on both
kv/data/CICD and kv/data/openclaw.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 15:35:25 +08:00
5d852e0285 ci+docs(vault): read shared kv/CICD with existing key names
- VAULT_KV -> kv/data/CICD (shared CICD secrets), map existing keys to outputs:
  CODEX_GITHUB_PERSONAL_ACCESS_TOKEN->INFRA_REPO_TOKEN,
  SSH_PRIVATE_DEPLOY_KEY[_B64]->ANSIBLE_SSH_KEY[_B64],
  CLOUDFLARE_DNS_API_TOKEN direct; VULTR_API_KEY/LLM keys same name.
- docs: policy reads kv/data/CICD; field table maps existing keys; note the
  three LLM keys still need to be added to kv/CICD, and SSH_PUBLIC_DEPLOY_KEY
  must match hosts.yaml.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 15:31:00 +08:00
04d349073e ci+docs(vault): SSH key B64-preferred pattern + xworkspace-console Vault setup
- deploy job: read ANSIBLE_SSH_KEY_B64 (preferred) + ANSIBLE_SSH_KEY (fallback)
  from Vault, decode/write ~/.ssh/id_deploy and ssh-keygen -y self-check —
  matches the org SSH-deploy runbook (avoids multiline-key libcrypto errors).
- docs/operations/vault-github-actions.md: full Vault role/policy/jwt/KV setup
  for github-actions-xworkspace-console, mirroring the existing org records.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 15:21:01 +08:00
e74f2334e3 docs(setup): complete optional-parameters manual for curl|bash bootstrap
Expand the all-in-one setup guide (zh+en) into a full reference of the
bootstrap script's supported options, grouped by purpose: subcommands
(uninstall/--purge), public-exposure & security, unified auth-token chain,
runtime modes, offline package, performance/locks, source/version overrides.
Fix the inaccurate TOKEN var -> AI_WORKSPACE_AUTH_TOKEN (the real precedence
chain). Sourced from scripts/setup-ai-workspace-all-in-one.sh.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 11:26:01 +08:00
b2c8c5d875 ci+docs: on-host bootstrap deploy job + console serving/verification updates
- deploy-ai-workspace-iac.yaml: deploy job now ssh-es to each host and runs
  the official curl|bash bootstrap locally (host-side ansible -c local,
  offline-accelerated), instead of running all-in-one from the runner (which
  breaks on roles/agent_skills delegate_to: localhost). provision job kept as
  the batch-provision mode.
- docs/operations: record final console fix (local python static backend),
  caddy/public-access architecture, and debian13/ubuntu26.04/macOS verification.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 09:44:22 +08:00
e47b15a5f0 docs(operations): IaC + Ansible dynamic-inventory deploy verification & fixes
Records the IaC->inventory->deploy linkage, offline-package linkage
verification, the local-on-host execution finding, the 5 fixes applied to
playbooks, and the remaining console static-serve + pipeline TODOs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 03:02:59 +08:00
2a227deddc docs: restructure docs to support full en/zh bilingual versions with language toggles 2026-06-23 14:43:54 +08:00
fa49b2fda1 docs: add version compatibility matrix and reference in README 2026-06-23 14:20:50 +08:00
df282ae735 feat: support specifying local offline package path via AI_WORKSPACE_OFFLINE_PACKAGE 2026-06-23 14:05:08 +08:00
61055887f8 docs: add official register_mainstream_models documentation with new routing design 2026-06-23 12:55:07 +08:00
3905f1ac6a docs: add openclaw litellm compat plan 2026-06-23 12:42:27 +08:00
7fd48bbf74 docs(macos): record TC-MAC-028..033 and refresh delivery plan
Document the six macOS issues found and fixed during end-to-end
verification of the all-in-one install: litellm dependency version-probe
SyntaxError (TC-028), prisma generator PATH (TC-029), QMD plist undefined
nodejs_version (TC-030), QMD better-sqlite3 Node ABI mismatch (TC-031),
XFCE/XRDP apt-on-macOS (TC-032), and litellm DATABASE_URL password
percent-encoding / P1013 (TC-033), each with its playbooks commit. Update
the fix-dimension summary and the runtime delivery plan status.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 13:25:12 +08:00
d0d5a79be8 feat(uninstall): print teardown plan and purge path status
`uninstall` / `uninstall --purge` previously removed services and (on
purge) `rm -rf`'d a hand-maintained list of paths with no output, so users
could not see what would be — or had been — deleted (TC-MAC-026).

Add a pre-flight `print_uninstall_summary` that lists the apps/services to
be removed (launchd agents on macOS; systemd units + docker containers on
Linux) and, when --purge is set, every target path with its current
[present]/[absent] status. Centralize the purge paths into a single
source-of-truth inventory and route deletions through a `purge_path`
helper that prints `removed:` / `absent (skipped):` per path. Document the
subcommands in the usage header. Behavior is otherwise unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 12:37:59 +08:00
b1b22bc447 docs(macos): update delivery plan and macOS compatibility test cases 2026-06-22 02:43:54 +00:00
87c9a18f61 fix(macos): litellm brew install via command (clone-path patch) + TC-MAC-019 2026-06-19 03:00:27 +00:00
5c9b5d2ed0 fix(macos): postgres brew install via command (clone-path patch) + docs
Add patch_playbook_postgres_macos() to rewrite the postgres macos.yml install
from the community.general.homebrew module (which can select a crashing stale
Intel Homebrew) to a brew command using the PATH brew, matching the playbooks
repo fix. Documents TC-MAC-018.
2026-06-18 12:55:51 +00:00
87bf91d655 fix(macos): use native PostgreSQL mode on Darwin (Linux keeps compose)
postgresql_deploy_mode defaults to compose (Docker) and the admin password is
generated via a /root password-file lookup, both of which fail on a native
macOS deploy (no Docker, /root not writable). The role already ships a native
path (macos.yml, Homebrew postgresql@16). In the script's Darwin block, set
postgresql_deploy_mode=native and pass postgresql_admin_password directly
(highest-precedence extra-var, bypassing the /root lookup). Linux unchanged.
Documents TC-MAC-017.
2026-06-18 12:47:41 +00:00
1492d13889 fix(macos): make vault admin bootstrap idempotent; drop diagnostic
Root cause of the repeated 'Bootstrap Vault admin userpass auth' failure was
not macOS-specific: init_vault_admin.sh derived entity_id by logging in as the
user, but the login MFA enforcement it creates makes that login MFA-gated on
re-runs (dev Vault persists across deploys), yielding 'missing entityID'.

patch_playbook_vault_macos() now rewrites init_vault_admin.sh to resolve
entity_id via the userpass entity-alias (creating entity+alias on first run),
matching the same fix landed in the playbooks repo. Removes the temporary
no_log/file-dump diagnostic. Documents TC-MAC-016.
2026-06-18 12:39:42 +00:00
5750d3d2ae fix(macos): provide jq and Homebrew PATH for vault admin bootstrap
vault : Bootstrap Vault admin userpass auth runs init_vault_admin.sh, which
require_cmd's vault/jq/curl/base64. macOS has no jq by default (the apt deps
task is Darwin-skipped) and ansible.builtin.script uses a minimal PATH without
/opt/homebrew/bin. Extend patch_playbook_vault_macos() to brew install jq and
add environment PATH to the bootstrap task. Idempotent; verified. TC-MAC-015.
2026-06-18 11:55:17 +00:00
6607d32920 fix(macos): skip common role Linux baseline on Darwin
The common role's 'Base | *' tasks (timedatectl timezone, /etc/hostname,
hostname, /etc/hosts, ssh hardening, fail2ban, file limits, firewall) all run
with become: true against Linux-only tooling/paths and fail on macOS — the
reported timedatectl failure is just the first. Add patch_playbook_common_macos()
(post-clone, Darwin-only) that appends an ansible_os_family != 'Darwin' guard to
the whole Base block. Idempotent; verified against the real role; Linux
unchanged. Documents TC-MAC-014.
2026-06-18 11:46:29 +00:00
11701c6037 fix(macos): patch vault role post-clone for macOS-standard dirs
The vault role's 'Ensure standalone Vault directories exist' task creates
/etc/vault.d and /opt/vault/data with owner: root and lacks the Darwin guard
its sibling tasks have, so it fails under macOS become=false. Unlike the
bridge dir (owned by the service user, fixable via -e), this owner: root is
hardcoded and not overridable, so the role logic must change.

Since the role lives in a separate playbooks repo, reuse the existing
post-clone patch mechanism (cf. patch_playbook_user_systemd): add
patch_playbook_vault_macos() that, on Darwin only, guards the directory task,
makes vault dirs/binary OS-conditional (macOS -> ~/Library/Application
Support/vault[/data], /opt/homebrew/bin/vault; Linux unchanged), and creates
the user-owned data dir in macos.yml. Idempotent; verified against the real
role. Documents TC-MAC-013.
2026-06-18 11:33:42 +00:00
470e5163f5 fix(macos): use Apple-standard app-data dir for xworkmate-bridge base
Switch the macOS bridge base dir to the Apple-standard per-user location
$HOME/Library/Application Support/cloud-neutral/xworkmate-bridge, while Linux
keeps /opt/cloud-neutral/xworkmate-bridge. Applied both as the Darwin -e
override in setup-ai-workspace-all-in-one.sh (the lever that reaches the
curl|bash path) and as an OS-conditional role default. Updates TC-MAC-012 and
the progress report with the not-pushed root cause of the 19:09 re-failure.
2026-06-18 11:14:18 +00:00
d094c27b86 docs: add progress report for TC-MAC-012 (macOS bridge base dir fix) 2026-06-18 11:03:26 +00:00
cf97344708 fix: relocate xworkmate-bridge base dir under $HOME on macOS
macOS deploys run with ansible_become=false, so the bridge role default
xworkmate_bridge_base_dir=/opt/cloud-neutral failed with EACCES creating
/opt/cloud-neutral. Inject a Darwin -e override pointing the base dir at
$HOME/.local/state/cloud-neutral/xworkmate-bridge, matching existing macOS
overrides for gateway_openclaw/agent_skills/xworkspace_console. Documents the
failure and fix as TC-MAC-012.
2026-06-18 10:59:10 +00:00
Haitao Pan 3e9d8f9dfe docs(ai-workspace): add DATA_MANAGEMENT_TLDR for backup, restore, migrate and uninstall 2026-06-17 14:26:29 +08:00
Haitao Pan 389acb30ee Fix offline installer release lookup 2026-06-16 09:16:25 +08:00
Haitao Pan 6f85f4d183 feat: aggregate prebuilt workspace releases 2026-06-15 21:59:35 +08:00
Haitao Pan 52d2243478 docs: add bounded concurrency optimization plan 2026-06-15 21:25:10 +08:00
Haitao Pan 23e091ee61 docs: add feature overview 2026-06-15 14:34:02 +08:00
Haitao Pan 3b6b03da95 feat: prefer idempotent offline runtime installs 2026-06-15 14:32:36 +08:00
Haitao Pan 7b76631884 docs: move repo details into docs 2026-06-15 14:27:44 +08:00
Haitao Pan a842aab5be docs: add offline install todo 2026-06-15 13:52:16 +08:00
Haitao Pan 6924183e28 docs: add deployment todo checklist 2026-06-15 10:43:14 +08:00
Haitao Pan 65bb07ab06 feat: build offline AI Workspace installer packages 2026-06-14 13:50:36 +08:00
Haitao Pan 656ca02a14 feat: unified one-time deploy summary 2026-06-14 13:19:44 +08:00
Haitao Pan 8cb46863d2 docs: update all-in-one setup entrypoint 2026-06-14 12:23:25 +08:00
Haitao Pan 46b8227c26 update: docs/ARCHITECTURE.md 2026-06-10 10:46:24 +08:00
Haitao Pan 4723d19b2c Rebuild console with React Vite and Go 2026-06-07 13:01:06 +08:00