nyldn/openclaw-config

OpenClaw VM Configuration v3.0

Automated configuration and deployment system for OpenClaw VMs with comprehensive tooling for AI development, cloud deployment, file sharing, and personal productivity.

What's New in v3.0:

  • 📋 Veritas Kanban - local-first Kanban board with AI agent orchestration and MCP server
  • 🏗️ OCI Terraform + cloud-init infrastructure for Debian 12 and Ubuntu 24.04 ARM
  • 🔒 14 critical/high security findings fixed (v2.0.1 audit)
  • 🎯 Interactive installation with preset selection
  • 📅 Personal productivity integrations (Calendar, Email, Tasks, Slack)
  • ⚑ Smart dependency resolution

🚀 Quick Start

Installation

Recommended Method (Clone, Review, Run):

# Clone, read the installer, then run it from the checkout
git clone https://github.com/nyldn/openclaw-config.git
cd openclaw-config/bootstrap
less bootstrap.sh
./bootstrap.sh

Alternative (Download, Review, Run):

# The script lands in a file first; read it before the last command executes it
curl -fsSL https://raw.githubusercontent.com/nyldn/openclaw-config/main/bootstrap/install.sh -o /tmp/openclaw-install.sh
less /tmp/openclaw-install.sh
bash /tmp/openclaw-install.sh

The installer will:

  • ✅ Verify prerequisites (git, curl, bash)
  • ✅ Show an interactive module selection menu
  • ✅ Install only the components you choose
  • ✅ Complete in ~5-15 minutes depending on selections
  • ✅ Automatically run post-install setup and auth wizards

Non-Interactive Mode:

For automated installations (CI/CD, scripts):

# Install all modules without prompts
./bootstrap.sh --non-interactive

# Install specific modules only
./bootstrap.sh --only system-deps,nodejs,python

# Skip the post-install wizard
./bootstrap.sh --skip-setup

See docs/INSTALLATION.md for detailed installation options and customization.

Security Note: curl | bash installation is not supported. Piping a download straight into a shell gives you no chance to read the script before it runs, and a connection that drops mid-transfer can leave the shell executing a truncated script. Clone the repository (or download the installer to a file) and read it before you execute it; the download-to-file form is only safer than the pipe if you actually do so.

📦 What's Included

Core AI Tools

  • Claude Code CLI - Anthropic's Claude assistant
  • OpenAI CLI - GPT-4 and GPT-3.5 access
  • Gemini CLI - Run via npx @google/gemini-cli (see https://github.com/google-gemini/gemini-cli)
  • Claude Octopus - Multi-AI orchestration system

Claude Code CLI install notes:

  • macOS: brew install --cask claude-code
  • Linux: curl -fsSL https://claude.ai/install.sh -o /tmp/claude-install.sh && bash /tmp/claude-install.sh (same download-to-file rule as above: read it before running it)
  • Node.js 18+ is only required for the deprecated npm install flow
  • ripgrep is usually included; if claude search fails, see Claude search troubleshooting
  • Claude Octopus requires the Claude CLI; if it isn't installed yet, rerun later with: ./bootstrap.sh --only claude-cli,claude-octopus

Deployment Platforms

  • Vercel CLI - Serverless and edge deployments
  • Netlify CLI - Static sites and functions
  • Supabase CLI - Backend-as-a-Service

File Sharing & Storage

  • Google Drive MCP - Drive integration via MCP
  • Dropbox MCP - Dropbox API access
  • rclone - 50+ cloud storage backends
  • GitHub MCP - Repository operations

Development Environment

  • Python 3.9+ with virtual environment
  • Node.js 20+ with npm
  • System utilities - git, curl, jq, etc.
  • Memory system - SQLite-based persistence
  • Auto-updates - Daily automated updates for all components
  • Veritas Kanban - Local-first Kanban board with AI agent orchestration, vk CLI, and MCP server

MCP Servers (11+ Total)

Core Servers:

  • Google Drive - File operations and sharing
  • Dropbox - Cloud storage access
  • GitHub - Repository management
  • Filesystem - Local file operations
  • PostgreSQL - Database access (Supabase)
  • Brave Search - Web search capabilities

Productivity Servers:

  • Google Calendar - Event management and scheduling
  • Email - IMAP/SMTP for reading and sending emails
  • Todoist - Task and project management
  • Slack - Team messaging and collaboration

Development Servers (NEW in v3.0):

  • Veritas Kanban - Task management, board operations, and AI agent orchestration via MCP

Security Features (Enhanced in v2.0.1)

  • Download Verification - All external downloads use secure-download.sh with SHA256 hash audit logging
  • Secret Sanitization - Automatic redaction of API keys, tokens, passwords in logs
  • Credential Encryption - AES-256-CBC encryption with 600,000 PBKDF2 iterations
  • Pre-commit Hook - Prevents accidental commits of secrets
  • Input Validation - Strict validation of module names, URLs, file paths; sed injection prevention
  • Secure Temp Files - Uses mktemp instead of predictable paths across all modules
  • Restrictive Permissions - 0600/0700 for sensitive directories and files
  • .env Validation - Rejects command substitution, backticks, and shell constructs before sourcing
  • Atomic Locking - mkdir-based locks prevent TOCTOU race conditions
  • Localhost-Only Ports - Dev ports (3000, 5432, 8000) restricted to loopback in UFW
  • Safe Auto-Updates - Security-only upgrades via unattended-upgrade; --ff-only git pulls

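The .env validation, sed-injection and restrictive-permission items above name a pattern without showing it. What follows is an added example, not code from openclaw-config's lib/validation.sh or its setup scripts: it enforces a strict KEY=VALUE grammar (an allowlist, so $(...), backticks, ; and friends are rejected as a side effect rather than by a blocklist), loads the file by assignment instead of `source` so a value is never evaluated, and rewrites a key line by line into a 0600 mktemp file that is then moved into place, instead of interpolating the value into a sed program. The file layout, the VK_ADMIN_KEY name and the demo values are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not openclaw-config code: handle a KEY=VALUE .env file without
# ever handing its contents to the shell parser. Assumed grammar: one KEY=VALUE
# per line, '#' comments, blank lines; values bare or double-quoted.
set -u

NL=$(printf '\nx'); NL=${NL%x}             # a literal newline for pattern matching

# Allowlist grammar. Bare values get a narrow character set; quoted values may
# contain anything except the characters the shell interprets inside double
# quotes ("$`\). Everything else, including $(...) and backticks, is rejected.
ENV_LINE_RE='^[A-Za-z_][A-Za-z0-9_]*=([A-Za-z0-9_./:@%+,=-]*|"[^"$`\\]*")$'

# validate_env_file FILE: 0 if every non-blank, non-comment line fits the
# grammar; otherwise reports the first offending line number and returns 1.
validate_env_file() {
  local file=$1 line n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case $line in ''|'#'*) continue ;; esac
    if ! printf '%s\n' "$line" | grep -Eq "$ENV_LINE_RE"; then
      printf 'rejected %s: line %d is not a plain KEY=VALUE\n' "$file" "$n" >&2
      return 1
    fi
  done < "$file"
}

# load_env_file FILE: validate, then export each pair by assignment rather than
# by `source`, so even a value that slipped through is never evaluated.
load_env_file() {
  local line key val
  validate_env_file "$1" || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    key=${line%%=*}; val=${line#*=}
    case $val in \"*\") val=${val#\"}; val=${val%\"} ;; esac   # strip quotes
    export "$key=$val"
  done < "$1"
}

# set_env_value FILE KEY VALUE: replace or append KEY by rewriting the file line
# by line into a 0600 temp file in the same directory, then mv it into place.
# The sed alternative, sed -i "s|^$KEY=.*|$KEY=$VALUE|" FILE, is unsafe: a VALUE
# containing '|', '&', a newline or (on GNU sed) an 'e' command changes the sed
# program itself instead of the file.
set_env_value() {
  local file=$1 key=$2 value=$3 tmp line found=0
  printf '%s' "$key" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$' \
    || { echo "refusing key '$key'" >&2; return 1; }
  case $value in *'"'*|*'$'*|*'`'*|*'\'*|*"$NL"*)
    echo "refusing value for $key: contains a quote, \$, backtick, backslash or newline" >&2
    return 1 ;;
  esac
  tmp=$(mktemp "$file.XXXXXX") || return 1    # same directory, so mv is atomic
  chmod 600 "$tmp"
  if [ -f "$file" ]; then
    while IFS= read -r line || [ -n "$line" ]; do
      case $line in
        "$key="*) printf '%s="%s"\n' "$key" "$value"; found=1 ;;
        *)        printf '%s\n' "$line" ;;
      esac
    done < "$file" > "$tmp"
  fi
  [ "$found" -eq 1 ] || printf '%s="%s"\n' "$key" "$value" >> "$tmp"
  mv -f "$tmp" "$file"
}

# gen_admin_key: 32 bytes from the kernel CSPRNG as 64 hex characters.
gen_admin_key() { head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# demo: build a constructed .env in a temp dir and print its path.
demo() {
  local dir f
  dir=$(mktemp -d) || return 1
  f=$dir/.env
  set_env_value "$f" ANTHROPIC_API_KEY 'sk-ant-xxx' || return 1
  set_env_value "$f" SUPABASE_DB_URL 'postgresql://u:p@db.example:5432/app' || return 1
  set_env_value "$f" VK_ADMIN_KEY "$(gen_admin_key)" || return 1
  set_env_value "$f" ANTHROPIC_API_KEY 'sk-ant-rotated' || return 1   # rewrite, no duplicate line
  printf '%s\n' "$f"
}
```

The two halves are independent: a tool that insists on `source` can still run validate_env_file first, and a tool that parses the file itself never needs the shell to see the values at all. Because every value is written quoted, a URL containing ? or & round-trips through set_env_value and back out of load_env_file unchanged.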
Shell Aliases (42+ Total)

  • Deployment shortcuts (deploy-vercel, deploy-netlify, etc.)
  • File sharing (share-dropbox, share-gdrive)
  • Cloud sync (sync-dropbox, sync-gdrive, sync-s3)
  • MCP management (mcp-list, mcp-reload, mcp-logs)
  • Productivity helpers (productivity-setup, calendar-auth)

πŸ“ Repository Structure

openclaw-config/
├── README.md                    # This file
├── docs/INSTALLATION.md        # Detailed installation guide
├── docs/guides/MIGRATION.md    # Migration guide for v1.x → v2.0
├── docs/guides/SECURITY.md     # Security policy and practices
├── bootstrap/                   # Bootstrap system
│   ├── bootstrap.sh            # Main installer (with interactive mode)
│   ├── install.sh              # Secure installation script
│   ├── manifest.yaml           # Module metadata (v3.0.0)
│   ├── checksums.yaml          # Download verification checksums
│   ├── modules/                # Installation modules (19 total)
│   │   ├── 01-system-deps.sh
│   │   ├── 02-python.sh
│   │   ├── 03-nodejs.sh
│   │   ├── 04-claude-cli.sh
│   │   ├── ...
│   │   ├── 18-ollama.sh
│   │   └── 19-veritas-kanban.sh  # NEW in v3.0
│   └── lib/                    # Shared utilities
│       ├── logger.sh           # With secret sanitization
│       ├── validation.sh       # Enhanced input validation
│       ├── network.sh
│       ├── interactive.sh      # NEW: Interactive menus
│       ├── dependency-resolver.sh  # NEW: Dependency resolution
│       ├── secure-download.sh  # NEW: Download verification
│       └── crypto.sh           # NEW: Credential encryption
├── deployment-tools/           # Deployment configuration
│   ├── mcp/
│   │   ├── mcp-servers-extended.json
│   │   ├── mcp-servers-full-stack.json
│   │   └── implementations/    # NEW: Custom MCP servers
│   │       ├── google-calendar-mcp.js
│   │       ├── email-mcp.js
│   │       ├── todoist-mcp.js
│   │       └── slack-mcp.js
│   ├── config/
│   │   └── productivity-credentials.template.env
│   └── docs/
│       ├── PRODUCTIVITY_INTEGRATIONS.md  # NEW: 40-page guide
│       ├── QUICK-START.md
│       ├── openclaw-setup-plan.md
│       └── EMBRACE-WORKFLOW-RESULTS.md
└── reports/                    # Project documentation
    └── FEASIBILITY_REPORT.md

🎯 Features

Modular Architecture

  • Individual modules for each component
  • Incremental updates (only install what's changed)
  • Dependency management between modules
  • Rollback support for failed installations

Automated Maintenance

  • Daily auto-updates for all components
  • System packages, Python packages, Node.js packages
  • CLI tools (Vercel, Netlify, Supabase)
  • MCP servers and repository updates
  • Automatic cleanup of unused packages
  • Daily update reports and logs

Comprehensive Validation

  • Post-installation health checks
  • Module-specific validation
  • System diagnostics (--doctor flag)
  • Automated testing

Enterprise-Ready

  • State tracking and version management
  • Remote manifest for updates
  • Non-interactive installation mode
  • Logging and error reporting

Security First

  • No credentials in repository
  • Docker secrets support
  • Token-based authentication
  • Minimal privilege requirements

🔧 Usage

Installation Options

# Full installation (all modules)
./bootstrap.sh

# Verbose output
./bootstrap.sh --verbose

# Install specific modules
./bootstrap.sh --only deployment-tools

# Skip optional modules
./bootstrap.sh --skip gemini-cli

# Preview changes (dry run)
./bootstrap.sh --dry-run

# Non-interactive mode
./bootstrap.sh --non-interactive

Post-Installation

The installer launches a post-install wizard by default. If you skip it, run:

bash ~/openclaw-config/bootstrap/scripts/openclaw-setup.sh
bash ~/openclaw-config/bootstrap/scripts/openclaw-auth.sh --all

  1. Configure API Keys

    nano ~/openclaw-workspace/.env

    Add your keys, one KEY=VALUE per line. The file is sourced, so values must not contain $(...), backticks, ;, && or || (the installer rejects such a file rather than loading it), and it should stay mode 0600 and out of version control:

    ANTHROPIC_API_KEY=sk-ant-xxx
    OPENAI_API_KEY=sk-proj-xxx
    GOOGLE_API_KEY=xxx
    GITHUB_PAT=ghp_xxx
    SUPABASE_DB_URL=postgresql://xxx
  2. Authenticate Services

    claude login
    vercel login
    netlify login
    supabase login
  3. Reload Shell

    source ~/.zshrc
  4. Test Installation

    ./bootstrap.sh --validate
  5. Auto-Updates (Configured Automatically)

    Daily updates are configured to run at 3:00 AM:

    # Check update timer status
    systemctl --user status openclaw-auto-update.timer
    
    # View last update
    journalctl --user -u openclaw-auto-update.service
    
    # View today's update report
    cat /var/log/openclaw/update-report-$(date +%Y%m%d).txt
    
    # Run update manually now
    systemctl --user start openclaw-auto-update.service

    See AUTO_UPDATE_GUIDE.md for full documentation.

📚 Documentation

🚒 Deployment

Remote installs use the same clone-then-run method as the Quick Start (curl | bash is not supported; see the Security Note above). --non-interactive is needed because a command run over ssh has no terminal for the module menu.

Single VM

ssh user@vm-host 'git clone https://github.com/nyldn/openclaw-config.git && cd openclaw-config/bootstrap && ./bootstrap.sh --non-interactive'

Multiple VMs

for host in vm1 vm2 vm3; do
    ssh user@$host 'git clone https://github.com/nyldn/openclaw-config.git && cd openclaw-config/bootstrap && ./bootstrap.sh --non-interactive'
done

Custom Configuration

./bootstrap.sh --config config/custom.yaml
./bootstrap.sh --manifest-url https://internal.company.com/manifest.yaml

πŸ› οΈ Available Commands

After installation, you'll have access to 42+ shell aliases:

Deployment

deploy-vercel              # Deploy to Vercel
deploy-netlify             # Deploy to Netlify
deploy-supabase            # Deploy to Supabase
deploy                     # Auto-detect platform

File Sharing

share                      # Create shareable link
share-dropbox              # Upload to Dropbox
share-gdrive               # Upload to Google Drive

Cloud Sync

sync-dropbox               # Sync to Dropbox
sync-gdrive                # Sync to Google Drive
sync-s3                    # Sync to S3

MCP Management

mcp-list                   # List MCP servers
mcp-reload                 # Reload configuration
mcp-logs                   # View MCP logs
mcp-test                   # Test connections

Project Workflows

project-init               # Initialize new project
project-deploy             # Deploy current project
project-share              # Share project files

πŸ” Requirements

  • OS: Debian 10+ or Ubuntu 20.04+
  • User: Non-root with sudo privileges
  • Disk: 2GB+ free space
  • Network: Internet connection
  • Memory: 1GB+ RAM recommended

🤝 Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Add/modify modules in bootstrap/modules/
  4. Test with ./bootstrap.sh --module your-module
  5. Submit a pull request

🎉 Success Metrics

  • Setup Time: ~5-15 minutes depending on selected modules
  • Components: 19 modules
  • MCP Servers: 11+ configured
  • Shell Aliases: 42 available
  • Validation: 100% coverage

🔒 Security

Enhanced in v2.0.1 (14 findings fixed - 5 CRITICAL, 9 HIGH):

  • ✅ No curl | bash installation (security vulnerability eliminated)
  • ✅ SHA256 checksum verification for all downloads via centralized secure-download.sh
  • ✅ Automatic secret sanitization in logs (15+ patterns)
  • ✅ AES-256-CBC credential encryption with 600,000 PBKDF2 iterations (CBC provides confidentiality only, not tamper detection, so the encrypted file still needs 0600 permissions like any other secret)
  • ✅ Pre-commit hook prevents accidental secret commits
  • ✅ Sed injection prevention - safe line-by-line file rewrites instead of interpolating values into a sed program
  • ✅ .env validation rejects command substitution, backticks, and shell constructs before sourcing (a file that fails the check is refused, not sanitized)
  • ✅ API keys passed via environment variables, never as command-line arguments (argv is readable by every local user through /proc/<pid>/cmdline; a process's environment is readable only by its owner and root)
  • ✅ Atomic mkdir-based locking prevents TOCTOU race conditions
  • ✅ Dev ports (3000, 5432, 8000) restricted to localhost in UFW
  • ✅ Safe auto-updates - security-only via unattended-upgrade; --ff-only git pulls
  • ✅ Module sourcing validation - shebang and permission checks before execution
  • ✅ Secure temporary file handling with mktemp (no predictable paths)
  • ✅ Restrictive file permissions (0600/0700 for sensitive files)
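How a pinned-hash download check of the kind listed above fits together, as an added example that is not the project's secure-download.sh: the fetch goes to a mktemp path next to the destination, the digest is compared with the pinned value, an audit line is written either way, and a mismatch deletes the file so nothing unverified stays on disk. The audit log path, URLs and file names are assumptions; the pinned digest used in the usage comment is the standard SHA-256 test vector for the string "abc".

```shell
#!/usr/bin/env bash
# Added example, not openclaw-config's secure-download.sh: fetch to a temp
# file, verify SHA-256 against a pinned digest, log, then install.
# Assumed: pinned digests come from a reviewed checksums file; AUDIT_LOG path is made up.
set -u

AUDIT_LOG=${AUDIT_LOG:-/tmp/openclaw-download-audit.log}

# sha256_of FILE: lowercase hex digest, using whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# audit URL DIGEST RESULT: one line per verification attempt, success or not.
audit() {
  printf '%s url=%s sha256=%s result=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" >> "$AUDIT_LOG"
}

# install_verified TMPFILE EXPECTED_SHA256 DEST [URL]
# Moves TMPFILE to DEST only if its digest equals EXPECTED (case-insensitive).
# On mismatch the download is deleted: an unverified file must not be left
# where a later step could pick it up by accident.
install_verified() {
  local tmp=$1 expected=$2 dest=$3 url=${4:-local} actual
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$tmp") || { rm -f "$tmp"; return 1; }
  if [ "$actual" != "$expected" ]; then
    audit "$url" "$actual" "MISMATCH(expected=$expected)"
    printf 'checksum mismatch for %s\n  expected %s\n  got      %s\n' \
      "$url" "$expected" "$actual" >&2
    rm -f "$tmp"
    return 1
  fi
  audit "$url" "$actual" OK
  mv -f "$tmp" "$dest"          # mktemp created it 0600; loosen after install if needed
}

# download_verified URL EXPECTED_SHA256 DEST
# --proto '=https' refuses plaintext redirects; -f fails on HTTP errors so an
# error page is never saved and then reported as a confusing hash mismatch.
download_verified() {
  local url=$1 expected=$2 dest=$3 tmp
  tmp=$(mktemp "$dest.XXXXXX") || return 1
  if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
    rm -f "$tmp"
    audit "$url" - FETCH_FAILED
    return 1
  fi
  install_verified "$tmp" "$expected" "$dest" "$url"
}

# Usage (digest is SHA-256("abc"), the standard test vector, for illustration):
# download_verified https://example.invalid/tool \
#   ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad ./tool
```

Splitting the fetch from the verify step keeps the verify step testable offline and lets the same install_verified handle artifacts that arrived some other way (a package mirror, a USB stick) under the same audit trail.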

Best Practices:

  • API tokens via environment variables
  • App-specific passwords for email
  • 90-day token rotation recommended
  • Minimum privilege scopes enforced
  • See docs/guides/SECURITY.md for full security policy

πŸ“ License

This project is licensed under the MIT License - see the LICENSE file for details.

🆘 Support

📅 Changelog

v3.0.0 (2026-02-22)

📋 Veritas Kanban Integration:

  • New bootstrap module 19-veritas-kanban.sh - installs Veritas Kanban local-first Kanban board with AI agent orchestration
  • Automated setup: git clone, pnpm build, vk CLI linking, .env generation with random admin key, and Claude MCP config merging
  • MCP server entries added to mcp-servers-extended.json and mcp-servers-full-stack.json
  • Module includes full lifecycle: check, install, validate, rollback

πŸ—οΈ Infrastructure:

  • OCI Terraform + cloud-init infrastructure for Debian 12 ARM deployment
  • Ubuntu 24.04 Minimal ARM support from OCI catalog
  • Aligned bootstrap with upstream openclaw/openclaw requirements

🔧 Improvements:

  • 18 codebase improvements across security, UX, infrastructure, and tooling
  • Interactive install wizard and CLI setup hardening
  • Post-install onboarding system
  • Manifest updated to v3.0.0 with veritas-kanban entry

v2.0.1 (2026-02-21)

🔒 Zero-Trust Security Audit - 14 Findings Fixed (5 CRITICAL, 9 HIGH):

CRITICAL Fixes:

  • Sed injection prevention - Replaced unsafe sed interpolation with line-by-line file rewrites in openclaw-setup.sh and openclaw-auth.sh
  • API key process list exposure - API keys now passed via environment variables, not CLI arguments (openclaw-auth.sh)
  • Download verification - All external downloads routed through secure-download.sh with SHA256 audit logging (5 modules: nodejs, claude-cli, dev-tools, tailscale, ollama)
  • .env sourcing validation - .env files validated for format and rejected if containing $(), backticks, ;, &&, || before source

HIGH Fixes:

  • Hardcoded /tmp paths - Replaced with mktemp to prevent symlink attacks (network.sh, claude-octopus.sh, openclaw-validate.sh)
  • TOCTOU lock race - File-based locking replaced with atomic mkdir-based locking (auto-update.sh)
  • UFW port exposure - Dev ports (3000, 5432, 8000) restricted to 127.0.0.1/::1 (14-security.sh)
  • Supabase download - Routed through download_with_verification() (10-deployment-tools.sh)
  • Placeholder API keys - Replaced fake-looking placeholders with empty values (08-memory-init.sh)
  • Module sourcing - Metadata extracted via grep instead of source; shebang and world-writable checks added (bootstrap.sh)
  • PBKDF2 iterations - Increased from 10,000 to 600,000, the OWASP 2023 Password Storage recommendation for PBKDF2-HMAC-SHA256 (crypto.sh)
  • Auto-update safety - Security-only upgrades via unattended-upgrade; git pull --ff-only prevents merge commits (auto-update.sh)
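Two of the HIGH fixes above, atomic mkdir locking and checking a module before it is sourced, as one added example that is not the project's bootstrap.sh or auto-update.sh code. The lock directory layout, the module metadata keys (MODULE_NAME, MODULE_DEPS) and the install_module function a module is expected to define are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not openclaw-config code: run an installer module under an
# atomic mkdir lock after checking that the module file is safe to source.
# Assumed: modules set MODULE_NAME="..."/MODULE_DEPS="..." and define install_module.
set -u

# acquire_lock LOCKDIR [TIMEOUT_SECONDS]
# mkdir either creates the directory or fails, atomically, so two callers can
# never both believe they won; unlike "test -e then touch" there is no window
# between the check and the claim. A lock whose recorded PID is gone is stale
# and reclaimed.
acquire_lock() {
  local dir=$1 timeout=${2:-30} waited=0 pid
  while ! mkdir "$dir" 2>/dev/null; do
    pid=$(cat "$dir/pid" 2>/dev/null || true)
    if [ -n "$pid" ] && ! kill -0 "$pid" 2>/dev/null; then
      rm -rf "$dir"                         # owner died without cleaning up
      continue
    fi
    if [ "$waited" -ge "$timeout" ]; then
      echo "lock $dir held by pid ${pid:-unknown}" >&2
      return 1
    fi
    sleep 1; waited=$((waited + 1))
  done
  echo $$ > "$dir/pid"
  trap 'rm -rf "'"$dir"'"' EXIT INT TERM     # released even if we are killed
}

release_lock() { rm -rf "$1"; trap - EXIT INT TERM; }

# module_preflight FILE
# Sourcing executes the file, so refuse anything that is not a regular,
# user-owned, non-world-writable file that starts with a bash shebang.
module_preflight() {
  local f=$1 me
  me=$(id -un)
  if [ ! -f "$f" ] || [ -L "$f" ]; then
    echo "$f: not a regular file" >&2; return 1
  fi
  if [ -z "$(find "$f" -prune ! -perm -002 -user "$me")" ]; then
    echo "$f: world-writable or not owned by $me" >&2; return 1
  fi
  case $(head -n 1 "$f") in
    '#!/bin/bash'|'#!/usr/bin/env bash') ;;
    *) echo "$f: missing bash shebang" >&2; return 1 ;;
  esac
}

# module_meta FILE KEY: read a KEY="value" line with grep, so listing module
# metadata never executes the module.
module_meta() {
  grep -E "^$2=" "$1" | head -n 1 | sed -e "s/^$2=//" -e 's/^"\(.*\)"$/\1/'
}

# run_module FILE LOCKDIR: preflight, lock, source in a subshell, unlock.
run_module() {
  local f=$1 lock=$2 name rc
  module_preflight "$f" || return 1
  name=$(module_meta "$f" MODULE_NAME)
  acquire_lock "$lock" 5 || return 1
  ( . "$f" && install_module )      # subshell: the module cannot alter our trap or cwd
  rc=$?
  release_lock "$lock"
  echo "module ${name:-?} finished rc=$rc"
  return "$rc"
}
```

The stale-lock reclaim trusts kill -0, which also fails with EPERM for a live process owned by another user; on a single-user VM that is acceptable, on a shared host record and compare the lock's start time as well.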

v2.0.0 (2026-02-01)

🎯 Major Features:

  • Interactive Installation - Beautiful TUI with preset selection (Minimal, Developer, Full, Custom)
  • Productivity Integrations - 4 new MCP servers: Google Calendar, Email, Todoist, Slack (30 tools total)
  • Smart Dependencies - Automatic dependency resolution with topological sort
  • OpenClaw Optional - No longer required; choose only what you need

🔒 Security Enhancements (20+ Fixes):

  • Fixed all curl | bash vulnerabilities
  • SHA256 checksum verification for downloads
  • Secret sanitization in logs (API keys, tokens, passwords)
  • AES-256-CBC credential encryption
  • Pre-commit hook for secret detection
  • Comprehensive input validation
  • Secure temp directory handling

📦 New Components:

  • 15-productivity-tools.sh module
  • lib/interactive.sh - Interactive menu system
  • lib/dependency-resolver.sh - Graph-based dependency resolution
  • lib/secure-download.sh - Download verification
  • lib/crypto.sh - Credential encryption
  • 4 MCP server implementations
  • Comprehensive 40-page productivity guide

πŸ“ Documentation:

  • Updated installation instructions (no more curl | bash)
  • PRODUCTIVITY_INTEGRATIONS.md - Complete setup guide
  • Enhanced manifest.yaml with categories and sizes
  • docs/guides/MIGRATION.md for v1.x users
  • docs/guides/SECURITY.md policy document

⚠️ Breaking Changes:

  • Default installation is now interactive (use --non-interactive for scripts)
  • OpenClaw no longer installed by default
  • Removed insecure curl | bash installation method
  • See docs/guides/MIGRATION.md for upgrade instructions

v1.2.0 (2026-02-01)

  • Added auto-update system (module 11)
  • Daily automated updates for all components
  • Systemd timer for scheduled updates
  • Update reports and comprehensive logging
  • Repository auto-update from GitHub
  • Package cleanup and maintenance

v1.1.0 (2026-02-01)

  • Added deployment tools module
  • Extended MCP server configuration (6 servers)
  • 28+ new shell aliases
  • Comprehensive deployment documentation
  • GitHub, Filesystem, PostgreSQL, Brave Search MCP servers

v1.0.0 (2026-02-01)

  • Initial release
  • Core modules: system-deps, python, nodejs
  • LLM CLI tools: Claude, OpenAI, Gemini
  • GOTCHA framework structure
  • Memory system initialization
  • Update mechanism
  • Validation and diagnostics

Built with ❀️ for the OpenClaw ecosystem

Powered by Claude Octopus 🐙 - Full Double Diamond Workflow