diff --git a/memory/memories.db-shm b/memory/memories.db-shm index 223df7c6a..e956f1044 100644 Binary files a/memory/memories.db-shm and b/memory/memories.db-shm differ diff --git a/memory/memories.db-wal b/memory/memories.db-wal index d413e7006..011f2fa48 100644 Binary files a/memory/memories.db-wal and b/memory/memories.db-wal differ diff --git a/skills/mac-server-setup/SKILL.md b/skills/mac-server-setup/SKILL.md index 8b56870fd..b3e987031 100644 --- a/skills/mac-server-setup/SKILL.md +++ b/skills/mac-server-setup/SKILL.md @@ -6,7 +6,9 @@ description: > Mac Studio, etc.) for server duty via SSH. Covers dev environment (Homebrew, nvim, tmux, node, bun, starship, gh), nvim config, server hardening (power mgmt, firewall, consumer service cleanup, Spotlight, - SMB, hostname), SSH key auth, git repos, and local SSH config. + SMB, hostname), SSH key auth, git repos, local SSH config, Signet + agent platform (install, launchd, tailnet binding), and OpenClaw + agent runtime (auth profiles, gateway config). Generates an idempotent setup script on the remote machine. Triggers: "set up mac server", "harden mac", "provision remote mac", "new client server setup", "mac server hardening", "openclaw server setup". 
@@ -165,7 +167,120 @@ README covers: what the server is, current state, what's next, who to contact. CHANGELOG is a dated record in plain language of each setup session. -### 7. Verify +### 7. Signet Agent Platform + +Signet is a portable agent identity system — persistent memory, +secrets vault, installable skills, and a web dashboard. The npm +package is `signetai`. Full install guide: https://signetai.sh/skill.md + +**What Signet provides:** +- Background daemon (port 3850) with memory database, context injection, + and session extraction pipeline +- Web dashboard for browsing memories, config, secrets, and status +- Encrypted secrets vault at `~/.agents/.secrets/` +- Built-in skills: `/remember`, `/recall`, `/memory-debug` +- Platform connectors for Claude Code, OpenClaw, and OpenCode + +**All agent data lives at `~/.agents/`:** +- `agent.yaml` — config manifest +- `AGENTS.md` — operational instructions +- `SOUL.md`, `IDENTITY.md`, `USER.md` — identity files +- `MEMORY.md` — auto-generated working memory summary +- `memory/memories.db` — SQLite database (source of truth) +- `skills/` — installed skills +- `.secrets/` — encrypted secret store + +**Install steps:** + +1. **Prerequisites**: Node.js >= 18 or Bun. If neither exists, install bun: + `curl -fsSL https://bun.sh/install | bash` +2. **Install signetai globally** (only two supported methods): + - Bun (preferred): `bun add -g signetai` + - npm: `npm install -g signetai` + - Never use sudo. Never clone the repo. Never use `npx signet init`. +3. **Install node runtime**: The bin shim uses `#!/usr/bin/env node`, + so node must be available even if bun is the primary runtime. If brew + isn't installed, download the node binary directly: + ``` + curl -fsSL https://nodejs.org/dist/v22.14.0/node-v22.14.0-darwin-arm64.tar.xz -o /tmp/node.tar.xz + tar xf /tmp/node.tar.xz -C /tmp/ + cp /tmp/node-v22.14.0-darwin-arm64/bin/node ~/.local/bin/node + ``` +4. 
**Verify install**: `signet --version` must succeed before proceeding. +5. **Run setup wizard**: `signet` (no args) on first run launches the + interactive wizard. It handles connectors, hooks, file generation, + and skill deployment. Do NOT try to set these up manually. +6. **Bind to tailnet**: By default the daemon binds to `localhost`. Set + `SIGNET_HOST=0.0.0.0` in `.zshrc` so the dashboard is accessible + across the tailnet. +7. **Create launchd plist** at `~/Library/LaunchAgents/ai.signet.daemon.plist`: + - ProgramArguments: `~/.bun/bin/bun` + `~/.bun/install/global/node_modules/signetai/dist/daemon.js` + - EnvironmentVariables: `SIGNET_PORT=3850`, `SIGNET_HOST=0.0.0.0`, + `SIGNET_PATH=~/.agents`, PATH including `~/.bun/bin` and `~/.local/bin` + - RunAtLoad: true, KeepAlive: true + - Logs to `~/.agents/logs/daemon.{out,err}.log` +8. **Load**: `launchctl load ~/Library/LaunchAgents/ai.signet.daemon.plist` +9. **Verify**: `lsof -i :3850 -P` should show `TCP *:3850 (LISTEN)`, + and `curl http://:3850/api/status` from operator machine. + +**Important — what the daemon does automatically (do NOT replicate):** +- Extracts memories from session transcripts via LLM pipeline +- Injects relevant context into every prompt via semantic search +- Watches `~/.agents/` for changes and syncs to harness configs +- Do NOT manually write to `~/.agents/memory/`, call recall before + every response, or manually summarize conversations + +**Troubleshooting:** +- Daemon won't start: `signet daemon logs`, `lsof -i :3850` +- No memories: daemon may still be processing — extraction is async +- Embeddings: Ollama is optional, falls back to keyword search (FTS5) +- Skills not found: `signet sync` reinstalls built-in templates + +Note: with KeepAlive enabled, `signet stop` won't work — launchd respawns +the process. Use `launchctl unload` to fully stop. + +### 8. OpenClaw Agent Runtime + +Install and configure OpenClaw for agent operation: + +1. 
**Install**: OpenClaw is typically installed via Homebrew + (`/opt/homebrew/bin/openclaw`). +2. **Configure**: Run `openclaw configure` for interactive setup, or + edit `~/.openclaw/openclaw.json` directly. +3. **Auth setup (non-interactive)**: The `openclaw models auth paste-token` + command uses interactive prompts that don't work through MCP. Instead, + write files directly: + - Write `~/.openclaw/agents/main/agent/auth-profiles.json`: + ```json + { + "version": 1, + "profiles": { + "anthropic:manual": { + "type": "token", + "provider": "anthropic", + "token": "" + } + } + } + ``` + - Add auth profile to `~/.openclaw/openclaw.json` under `auth.profiles`: + ```json + "auth": { + "profiles": { + "anthropic:manual": { + "provider": "anthropic", + "mode": "token" + } + } + } + ``` + - Verify: `openclaw models status` should show the profile. +4. **Gateway**: OpenClaw manages its own LaunchAgent + (`ai.openclaw.gateway`). Restart with `openclaw gateway restart`. + Check health with `openclaw health`. +5. **Talk to it**: `openclaw agent --agent main --session-id --message "hello"` + +### 9. Verify See [references/verification.md](references/verification.md) for the full checklist. 
@@ -227,3 +342,27 @@ full checklist. - **HTTPS git push on headless Mac**: Fails with "could not read Username: Device not configured". Fix: `gh auth login` then `gh auth setup-git` to install the credential helper. +- **Heredoc descriptions leak into content**: When using `cat >> file << 'DELIM'` + through SSH MCP, the tool's `description` parameter text can get appended + to the delimiter line (e.g. `DELIM # Write part 1`), corrupting the file. + Use `python3 -c` with string concatenation instead for multi-part file + writes — it's immune to this issue. +- **bun global binaries need PATH in non-login shells**: SSH MCP doesn't + source `.zshrc`, so `~/.bun/bin` isn't on PATH. Always export it: + `export BUN_INSTALL="$HOME/.bun" && export PATH="$BUN_INSTALL/bin:$HOME/.local/bin:$PATH"` +- **signet bin shim needs node**: Even though `signetai` runs on bun, + the npm bin shim (`bin/signet.js`) has `#!/usr/bin/env node`. Install + node alongside bun or the CLI won't start. A bare node binary in + `~/.local/bin` is sufficient. +- **Tailscale CLI vs app**: On macOS, Tailscale.app installs but the + `tailscale` CLI may not be in PATH. The binary lives at + `/Applications/Tailscale.app/Contents/MacOS/Tailscale`. `tailscale status` + works from there without needing brew or PATH changes. +- **OpenClaw interactive commands through MCP**: Commands like + `openclaw models auth paste-token` and `openclaw configure` use + `@clack/prompts` which require a TTY. Piping stdin doesn't bypass + the prompts cleanly. Write config files directly instead. +- **signet start hangs MCP**: `signet start` blocks until the daemon + is fully running, which can exceed the MCP SSH timeout. Background it + with `& disown` or just let it timeout — check `signet status` after + to confirm it started.
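Review bot: the commit carries binary changes to `memory/memories.db-shm` and `memory/memories.db-wal`, which are SQLite's transient shared-memory and write-ahead-log files for the memory database this same patch calls the "source of truth"; they change on every daemon run and can hold un-checkpointed memory rows, so they will churn in every commit and may leak memory content that was never meant to be versioned. Suggest adding `memory/memories.db-shm` and `memory/memories.db-wal` (or the whole `memory/` directory) to `.gitignore` and checkpointing the WAL before any deliberate snapshot of `memories.db`.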
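Review bot: in the Signet section, step 6 ("Bind to tailnet") sets `SIGNET_HOST=0.0.0.0` and step 7 repeats it in the launchd plist, but `0.0.0.0` binds the daemon to every interface, not only the tailnet; since the dashboard exposes memories, config and the secrets vault and the steps describe no authentication on port 3850, this makes them reachable from any network the Mac is attached to. Suggest binding to the machine's Tailscale address instead (obtainable with `tailscale ip -4` via the CLI path this patch documents under Tailscale CLI vs app), or keeping `localhost` and reaching the dashboard through an SSH tunnel, and adding a rule in the firewall step so 3850 is only reachable on the tailnet interface. Same hunk, OpenClaw step 3 writes a plaintext token into `~/.openclaw/agents/main/agent/auth-profiles.json`; the steps should restrict that file to owner-only permissions (`chmod 600 ~/.openclaw/agents/main/agent/auth-profiles.json`) and keep it out of the git repos the skill sets up. Minor: the verify line `curl http://:3850/api/status` is missing its host.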
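Review bot: the "Heredoc descriptions leak into content" entry recommends `python3 -c` with string concatenation for multi-part file writes, but when the content is the `auth-profiles.json` token from section 8, that puts the secret on the process command line, where it is visible to other local processes via `ps` and may be recorded in shell history; suggest qualifying the recommendation so secret-bearing files are written from stdin or a temporary file with restrictive permissions, and softening "it's immune to this issue" to what was actually observed. Also, the "signet start hangs MCP" entry offers "just let it timeout" as an alternative; `& disown` should be the primary recommendation so the daemon's lifetime is not tied to the MCP command, with `signet status` as the confirmation step in both cases.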