Clawd Bot Setup for macOS

README.md

Clawdbot Setup for macOS

Personal setup guide for running Clawdbot as an AI assistant named Rexi.

What This Is

This Gist contains everything needed to set up Clawdbot on macOS with:

• Channels: Slack, iMessage, Gmail
• AI Providers: OpenAI Pro, Claude Max
• Developer Tools: GitHub integration via rexiaibot account
• Coding Preferences: Python, Node CLI, and Node Web stacks

File Locations

Files in this Gist serve two purposes: documentation (read and follow) and configuration (copy to specific locations).

Documentation (Read These)

File	Purpose
initial-install.md	Step-by-step installation guide
creating-slack-app.md	Create and configure a Slack app
connecting-imessage.md	Set up iMessage integration
connecting-gmail.md	Connect Gmail for email access
security-hardening.md	Lock down permissions and access
github-integration.md	Configure GitHub for code management

Configuration (Copy These)

These files are loaded by Clawdbot at runtime. Copy them to the specified locations.

File	Copy To	Purpose
developer-instructions.md	~/clawd/AGENTS.md	Core coding conventions (always loaded)
stack-python.md	~/clawd/skills/python/SKILL.md	Python project preferences
stack-node-cli.md	~/clawd/skills/node-cli/SKILL.md	Node CLI project preferences
stack-node-web.md	~/clawd/skills/node-web/SKILL.md	Node web app preferences
stack-github-boilerplate.md	~/clawd/skills/github/SKILL.md	GitHub repo templates

Quick Start

# Create workspace directories
mkdir -p ~/clawd/skills/{python,node-cli,node-web,github}

# Copy configuration files (adjust paths to your downloaded files)
cp developer-instructions.md ~/clawd/AGENTS.md
cp stack-python.md ~/clawd/skills/python/SKILL.md
cp stack-node-cli.md ~/clawd/skills/node-cli/SKILL.md
cp stack-node-web.md ~/clawd/skills/node-web/SKILL.md
cp stack-github-boilerplate.md ~/clawd/skills/github/SKILL.md

How Clawdbot Uses These Files

Clawdbot automatically loads files from ~/clawd/ into its system prompt:

• AGENTS.md - Always loaded. Contains core instructions and behaviors.
• skills/*/SKILL.md - Loaded contextually when relevant to the task.

This means your coding preferences are automatically applied when Clawdbot works on projects matching those stacks.

Customization

These files reflect my personal preferences. Feel free to fork this Gist and modify:

• Developer instructions - Change coding conventions to match your style
• Stack preferences - Swap libraries, frameworks, or tooling
• GitHub boilerplate - Adjust templates for your workflow

The key is keeping ~/clawd/AGENTS.md focused on universal rules and using skills for context-specific preferences.

connecting-gmail.md

Connecting Gmail

This guide covers the complete setup for integrating Gmail with Clawdbot, including Google Cloud Console configuration, OAuth authentication, and hook setup.

---

Table of Contents

1. How It Works
2. Prerequisites
3. Create a Google Cloud Project
4. Enable the Gmail API
5. Configure OAuth Consent Screen
6. Create OAuth Credentials
7. Authenticate Clawdbot with Gmail
8. Configure Gmail Hook
9. Test the Integration
10. Privacy and Security Considerations
11. Advanced Configuration
12. Troubleshooting
13. Configuration Reference
14. Uninstalling / Disabling

---

1. How It Works

Clawdbot connects to Gmail using OAuth 2.0 and periodically polls for new messages. When a new email arrives, it can trigger an agent to process and respond.

The integration:

• Uses the official Gmail API (not IMAP/SMTP)
• Authenticates via OAuth 2.0 (no password stored)
• Polls for new messages at a configurable interval
• Can send replies through the same authenticated connection

---

2. Prerequisites

• A Gmail account (personal or Google Workspace)
• Access to Google Cloud Console
• Clawdbot installed and running

For this guide, we'll set up the integration for a dedicated AI agent email address (e.g., rexi@yourdomain.com).

---

3. Create a Google Cloud Project

1. Go to Google Cloud Console
2. Sign in with the Google account that manages your domain (or has admin access)
3. Click the project dropdown in the top navigation bar
4. Click New Project
5. Enter a project name (e.g., Clawdbot Gmail Integration)
6. For Organization and Location, select your organization if using Google Workspace, or leave as "No organization" for personal accounts
7. Click Create
8. Wait for the project to be created, then select it from the project dropdown

---

4. Enable the Gmail API

1. In your Google Cloud project, go to APIs & Services → Library

   • Or navigate directly to: https://console.cloud.google.com/apis/library

2. Search for Gmail API

3. Click on Gmail API in the results

4. Click Enable

5. Wait for the API to be enabled (you'll be redirected to the API overview page)

---

5. Configure OAuth Consent Screen

Before creating credentials, you must configure the OAuth consent screen.

1. Go to APIs & Services → OAuth consent screen

   • Or navigate directly to: https://console.cloud.google.com/apis/credentials/consent

2. Select User Type:

   • Internal: Only users within your Google Workspace organization can use the app (recommended for business accounts)
   • External: Any Google account can authenticate (requires verification for sensitive scopes)

   For a dedicated agent email on your own domain, select Internal.

3. Click Create

4. Fill in the App information:

   • App name: Clawdbot
   • User support email: Your admin email address
   • App logo: Optional

5. Skip App domain fields (optional for internal apps)

6. Add Developer contact information: Your email address

7. Click Save and Continue

Add Scopes

1. Click Add or Remove Scopes

2. Search for and select these Gmail scopes:

   • https://www.googleapis.com/auth/gmail.readonly — Read emails
   • https://www.googleapis.com/auth/gmail.send — Send emails
   • https://www.googleapis.com/auth/gmail.modify — Mark as read, labels, etc.

3. Click Update

4. Click Save and Continue

Add Test Users (External apps only)

If you selected "External" user type:

1. Click Add Users
2. Add the email address that Clawdbot will use (e.g., rexi@yourdomain.com)
3. Click Save and Continue

For Internal apps, skip this step — all organization users are allowed.

Review and Publish

1. Review your settings
2. Click Back to Dashboard

For Internal apps, your consent screen is ready. For External apps, you can keep it in "Testing" mode for personal use, or submit for verification if needed.

---

6. Create OAuth Credentials

1. Go to APIs & Services → Credentials

   • Or navigate directly to: https://console.cloud.google.com/apis/credentials

2. Click Create Credentials → OAuth client ID

3. Select Application type: Desktop app

4. Enter a name (e.g., Clawdbot Desktop Client)

5. Click Create

6. You'll see a dialog with your Client ID and Client Secret

7. Click Download JSON to save the credentials file

8. Store this file securely — you'll need it for Clawdbot authentication

Move credentials to Clawdbot config directory

# Create the credentials directory if it doesn't exist
mkdir -p ~/.clawdbot/credentials

# Move the downloaded file (adjust the filename as needed)
mv ~/Downloads/client_secret_*.json ~/.clawdbot/credentials/google-oauth.json

# Secure the file permissions
chmod 600 ~/.clawdbot/credentials/google-oauth.json

---

7. Authenticate Clawdbot with Gmail

1. Run the Google authentication command:

clawdbot login --provider google

2. A browser window will open to the Google sign-in page

3. Sign in with the Gmail account you want Clawdbot to use (e.g., rexi@yourdomain.com)

4. Review the permissions and click Allow

5. You'll see a success message — you can close the browser window

6. Verify authentication:

clawdbot providers status

You should see google listed as authenticated.

---

8. Configure Gmail Hook

Enable the Gmail hook to poll for incoming messages:

# Enable the Gmail hook
clawdbot config set hooks.gmail.enabled true

# Set poll interval (how often to check for new emails)
clawdbot config set hooks.gmail.pollInterval "60s"

Restart the gateway

Using the macOS app:

1. Click the Clawdbot icon in the menu bar
2. Select Restart Gateway

Or via CLI:

clawdbot gateway restart

Verify the connection

clawdbot channels status gmail

You should see Gmail listed as connected and polling.

---

9. Test the Integration

Send a test email

From another email account, send a test email to your Clawdbot Gmail address (e.g., rexi@yourdomain.com).

Check hook status

clawdbot hooks status gmail

Watch the logs

clawdbot logs --follow | grep -i gmail

Verify response

If configured to respond, Clawdbot should process the incoming email and send a reply.

---

10. Privacy and Security Considerations

What Clawdbot can access

With Gmail integration enabled, Clawdbot can:

• Read all emails in the connected Gmail account
• Send emails as that account
• Modify emails (mark as read, add labels, archive)

Security best practices

1. Use a dedicated email address: Don't connect your primary personal or work email. Use a dedicated address like rexi@yourdomain.com for the AI agent.

2. Restrict tool access for Gmail-triggered agents: Since emails are untrusted external content, limit what actions the agent can take:

clawdbot config set agents.gmail-handler.tools.deny '["exec", "group:runtime"]'

3. Use a strong model: Smaller models are more susceptible to prompt injection. Use Claude Sonnet 4 or higher for processing emails.

4. Monitor activity: Regularly review what emails Clawdbot is processing:

clawdbot logs | grep -i gmail

OAuth token storage

Clawdbot stores OAuth tokens locally at ~/.clawdbot/credentials/. These tokens:

• Allow access without re-authentication
• Are refreshed automatically when they expire
• Should be protected with proper file permissions (600)

---

11. Advanced Configuration

Filter which emails trigger the hook

You can configure Clawdbot to only process certain emails:

# Only process emails from specific senders
clawdbot config set hooks.gmail.allowlist '["trusted@example.com", "notifications@service.com"]'

# Ignore emails from specific senders
clawdbot config set hooks.gmail.denylist '["spam@example.com"]'

# Only process emails with specific subject patterns
clawdbot config set hooks.gmail.subjectFilter "^\\[Action Required\\]"

Configure response behavior

# Auto-reply to all emails (use with caution)
clawdbot config set hooks.gmail.autoReply true

# Only process unread emails
clawdbot config set hooks.gmail.unreadOnly true

# Mark emails as read after processing
clawdbot config set hooks.gmail.markAsRead true

Use Gmail labels for routing

# Only process emails with a specific label
clawdbot config set hooks.gmail.labelFilter "Clawdbot"

This is useful for setting up Gmail filters that automatically label emails you want Clawdbot to process.

---

12. Troubleshooting

"Authorization failed" or "Invalid credentials"

1. Verify the OAuth credentials file exists:

ls -la ~/.clawdbot/credentials/google-oauth.json

2. Re-authenticate:

clawdbot login --provider google

3. Ensure you're signing in with the correct Google account

"Access denied" or "Insufficient permissions"

1. Check that you enabled the Gmail API in Google Cloud Console
2. Verify the OAuth consent screen includes the required scopes
3. For External apps, ensure your email is added as a test user

"Quota exceeded"

The Gmail API has usage limits. If you hit them:

1. Increase the poll interval:

clawdbot config set hooks.gmail.pollInterval "300s"

2. Check your quota in Google Cloud Console → APIs & Services → Gmail API → Quotas

Emails not being detected

1. Verify the hook is enabled:

clawdbot config get hooks.gmail

2. Check the gateway is running:

clawdbot gateway status

3. Review logs for errors:

clawdbot logs | grep -i gmail

4. Ensure the email isn't being filtered by your allowlist/denylist

Replies not sending

1. Verify the gmail.send scope was granted during OAuth
2. Check for errors in logs:

clawdbot logs | grep -i "gmail.*send"

3. Test sending manually:

clawdbot gmail send --to test@example.com --subject "Test" --body "Hello"

---

13. Configuration Reference

Setting	Description	Default
hooks.gmail.enabled	Enable/disable Gmail hook	false
hooks.gmail.pollInterval	How often to check for new emails	"60s"
hooks.gmail.allowlist	Only process emails from these senders	[] (all)
hooks.gmail.denylist	Never process emails from these senders	[]
hooks.gmail.subjectFilter	Regex pattern to match email subjects	""
hooks.gmail.labelFilter	Only process emails with this Gmail label	""
hooks.gmail.unreadOnly	Only process unread emails	true
hooks.gmail.markAsRead	Mark emails as read after processing	true
hooks.gmail.autoReply	Automatically send replies	false

View all Gmail settings:

clawdbot config get hooks.gmail

---

14. Uninstalling / Disabling

Disable the Gmail hook

clawdbot config set hooks.gmail.enabled false
clawdbot gateway restart

Revoke Clawdbot's access to Gmail

1. Go to Google Account Security
2. Click Third-party apps with account access
3. Find Clawdbot and click Remove Access

Remove local credentials

rm ~/.clawdbot/credentials/google-oauth.json

Delete the Google Cloud project (optional)

If you no longer need the project:

1. Go to Google Cloud Console
2. Select your project
3. Go to IAM & Admin → Settings
4. Click Shut down

connecting-imessage.md

Connecting iMessage

This guide covers the complete setup for integrating iMessage with Clawdbot using the macOS app, including system permissions, configuration, and troubleshooting.

---

Table of Contents

1. How It Works
2. Prerequisites
3. Verify iMessage Is Working
4. Grant Full Disk Access
5. Grant Automation Permission
6. Verify Database Access
7. Configure Clawdbot
8. Restart Gateway and Verify
9. Test the Integration
10. Privacy Considerations
11. Multi-User Considerations
12. Running iMessage Integration Headlessly
13. Troubleshooting
14. Configuration Reference
15. Uninstalling / Disabling

---

1. How It Works

Clawdbot reads iMessage data directly from the local Messages database (~/Library/Messages/chat.db) on your Mac. This requires:

• Your Mac to be running and logged in
• iMessage enabled and signed into your Apple ID
• Full Disk Access granted to Clawdbot.app
• Clawdbot gateway running

Messages are read from the database and responses are sent using AppleScript automation.

---

2. Prerequisites

• macOS 13 (Ventura) or later
• iMessage configured and signed in with your Apple ID
• Clawdbot.app installed (see Build the macOS App)
• Messages app has been opened at least once

---

3. Verify iMessage Is Working

Before configuring Clawdbot, confirm iMessage is set up correctly.

1. Open the Messages app

2. Go to Messages → Settings → iMessage

3. Verify:

   • "Enable Messages in iCloud" is checked (recommended)
   • Your Apple ID is signed in
   • Your phone number and/or email are listed under "You can be reached for messages at"

4. Send a test message to yourself or another device to confirm Messages is working

---

4. Grant Full Disk Access

Clawdbot needs Full Disk Access to read the Messages database.

1. Open Clawdbot.app

2. The app will display a permissions checklist — click on Full Disk Access

3. This opens System Settings to the correct location

4. Click the + button (you may need to authenticate)

5. Navigate to /Applications/Clawdbot.app and add it

6. Ensure the toggle is enabled

7. Return to Clawdbot.app — the checklist should update automatically

---

5. Grant Automation Permission

Clawdbot uses AppleScript to send iMessage replies, which requires Automation permission.

1. The permissions checklist in Clawdbot.app will show Automation status

2. Click to open System Settings → Privacy & Security → Automation

3. Find Clawdbot.app in the list

4. Ensure Messages is toggled on

If Messages isn't listed yet, try sending a test message through Clawdbot — macOS will prompt you to allow automation access.

---

6. Verify Database Access

Confirm the Messages database exists:

ls -la ~/Library/Messages/chat.db

You should see the file listed with its size and permissions. If the file doesn't exist, open the Messages app at least once to create it.

Note: You cannot query this database directly from the terminal due to macOS privacy protections. Clawdbot.app will be able to read it as long as it has Full Disk Access granted in System Settings.

---

7. Configure Clawdbot

Enable iMessage in Clawdbot:

# Enable the iMessage channel
clawdbot config set imessage.enabled true

Optional: Configure which conversations to monitor

By default, Clawdbot may monitor all incoming messages. You can restrict this:

# Only respond to specific contacts (by phone number or email)
clawdbot config set imessage.allowlist '["+15551234567", "friend@example.com"]'

# Or use a denylist to ignore specific contacts
clawdbot config set imessage.denylist '["+15559876543"]'

Optional: Configure response behavior

# Set a prefix that triggers responses (only respond when message starts with this)
clawdbot config set imessage.triggerPrefix "Hey Rexi"

# Or respond to all messages (default behavior)
clawdbot config set imessage.triggerPrefix ""

---

8. Restart Gateway and Verify

1. Click the Clawdbot icon in the menu bar

2. Select Restart Gateway (or stop and start)

3. Check status in the menu bar dropdown

You can also verify via CLI:

clawdbot channels status imessage

You should see output indicating iMessage is connected and monitoring.

---

9. Test the Integration

Send a test message

From another Apple device (iPhone, iPad, or another Mac), send an iMessage to the Mac running Clawdbot.

Check logs

# Watch for incoming messages
clawdbot logs --follow | grep -i imessage

Verify response

If everything is configured correctly, Clawdbot should receive the message and send a reply back through iMessage. You should also see a native macOS notification when messages arrive.

---

10. Privacy Considerations

What Clawdbot can access

With Full Disk Access and iMessage enabled, Clawdbot can:

• Read all iMessage and SMS conversations on your Mac
• See message content, timestamps, sender info
• Access attachments (images, files, etc.)
• Send messages as you via AppleScript

Limiting access

To restrict which conversations Clawdbot monitors:

# Only allow specific contacts
clawdbot config set imessage.allowlist '["+15551234567"]'

# Require a trigger word
clawdbot config set imessage.triggerPrefix "Rexi:"

Security note

Full Disk Access is a powerful permission. Only grant it to applications you trust. Clawdbot processes messages locally — they are not sent to external servers beyond the AI providers you've configured (Anthropic, OpenAI, etc.).

Database location reference

Clawdbot reads from these locations:

File	Purpose
~/Library/Messages/chat.db	Main message database
~/Library/Messages/chat.db-wal	Write-ahead log
~/Library/Messages/chat.db-shm	Shared memory file
~/Library/Messages/Attachments/	Media attachments

---

11. Multi-User Considerations

If you want different people messaging your iMessage to receive different treatment:

1. Messages from different senders can be routed to different agents
2. Use allowlists to control who can interact with Clawdbot
3. Configure per-sender routing rules if supported

# Example: Check current routing configuration
clawdbot config get routing

---

12. Running iMessage Integration Headlessly

If you want Clawdbot to monitor iMessages on a Mac that isn't actively used:

Keep the Mac awake

# Prevent sleep (run in background)
caffeinate -d -i -s &

Or configure in System Settings → Energy Saver / Battery → Prevent automatic sleeping.

Auto-login and start on boot

1. System Settings → Users & Groups → Login Options → Automatic login

2. Add Clawdbot.app to Login Items (System Settings → General → Login Items)

3. Add Messages to Login Items

4. In Clawdbot.app preferences, enable "Start at Login"

Remote access

Consider enabling Screen Sharing or SSH for remote management:

# Enable SSH
sudo systemsetup -setremotelogin on

---

13. Troubleshooting

"Permission denied" reading chat.db

1. Verify Full Disk Access is granted to Clawdbot.app in System Settings
2. Quit and reopen Clawdbot.app completely
3. Check with: ls -la ~/Library/Messages/chat.db

Messages not being detected

1. Ensure the Messages app is open (can be minimized)
2. Check that iMessage is signed in and working
3. Verify the gateway is running via the menu bar or clawdbot gateway status
4. Check logs for errors: clawdbot logs | grep -i imessage

Replies not sending

1. Check Automation permission for Messages in System Settings → Privacy & Security → Automation
2. Ensure Clawdbot.app has Messages toggled on
3. Test AppleScript manually:

osascript -e 'tell application "Messages" to get name of every chat'

If this prompts for permission or fails, grant Automation access to your terminal as well for testing.

"Messages app is not running"

The Messages app must be running (can be in background/minimized):

# Start Messages app
open -a Messages

Add Messages to your Login Items (System Settings → General → Login Items) so it starts automatically.

Database locked errors

If you see "database is locked" errors:

1. This can happen if Messages.app is actively syncing
2. Wait a moment and try again
3. Check for multiple Clawdbot processes: pgrep -fl clawdbot

Not receiving messages from certain contacts

1. Check your allowlist/denylist configuration
2. Verify the contact is using iMessage (not SMS — blue vs green bubble)
3. SMS messages may require additional configuration

---

14. Configuration Reference

Setting	Description	Default
imessage.enabled	Enable/disable iMessage channel	false
imessage.allowlist	Only respond to these contacts	[] (all)
imessage.denylist	Never respond to these contacts	[]
imessage.triggerPrefix	Only respond if message starts with this	"" (all)
imessage.pollInterval	How often to check for new messages	"2s"

View all iMessage settings:

clawdbot config get imessage

---

15. Uninstalling / Disabling

To stop iMessage integration:

# Disable the channel
clawdbot config set imessage.enabled false

# Restart gateway (via menu bar or CLI)
clawdbot gateway restart

To revoke permissions:

1. System Settings → Privacy & Security → Full Disk Access
2. Toggle off or remove Clawdbot.app

creating-slack-app.md

Creating a Slack App

This guide walks through creating a new Slack app using the App Manifest approach for connecting to your Clawdbot instance.

Prerequisites

• Slack workspace where you have permission to install apps
• Admin access or ability to request app approval (depending on workspace settings)
• Clawdbot installed and running

---

Table of Contents

1. Create the App
2. Generate App-Level Token
3. Install App to Workspace
4. Configure Clawdbot
5. Verify Connection
6. Test the Integration

---

1. Create the App

1. Go to https://api.slack.com/apps
2. Click Create New App
3. Select From an app manifest
4. Choose your workspace from the dropdown and click Next
5. Select JSON as the format
6. Paste the following manifest (customize the name and description as desired):

{
  "display_information": {
    "name": "Rexi",
    "description": "Clawdbot Slack Connector",
    "background_color": "#191d28",
    "long_description": "Rexi connects Slack to my self-hosted Clawdbot instance, allowing me to send messages, receive responses, trigger actions, and interact with my personal AI agent directly from Slack channels and DMs."
  },
  "features": {
    "app_home": {
      "home_tab_enabled": true,
      "messages_tab_enabled": true,
      "messages_tab_read_only_enabled": false
    },
    "bot_user": {
      "display_name": "Rexi",
      "always_online": true
    },
    "slash_commands": [
      {
        "command": "/rexi",
        "description": "Send a message to Rexi",
        "should_escape": false
      }
    ]
  },
  "oauth_config": {
    "scopes": {
      "bot": [
        "chat:write",
        "channels:history",
        "channels:read",
        "groups:history",
        "im:history",
        "mpim:history",
        "users:read",
        "app_mentions:read",
        "reactions:read",
        "reactions:write",
        "pins:read",
        "pins:write",
        "emoji:read",
        "commands",
        "files:read",
        "files:write"
      ]
    }
  },
  "settings": {
    "event_subscriptions": {
      "bot_events": [
        "app_mention",
        "message.channels",
        "message.groups",
        "message.im",
        "message.mpim",
        "reaction_added",
        "reaction_removed",
        "member_joined_channel",
        "member_left_channel",
        "channel_rename",
        "pin_added",
        "pin_removed"
      ]
    },
    "interactivity": {
      "is_enabled": true
    },
    "org_deploy_enabled": false,
    "socket_mode_enabled": true,
    "token_rotation_enabled": false
  }
}

7. Click Next, review the summary, then click Create

---

2. Generate App-Level Token

Socket Mode requires an app-level token for the WebSocket connection.

1. In your app settings, go to Basic Information
2. Scroll down to App-Level Tokens
3. Click Generate Token and Scopes
4. Name it something like clawdbot-socket
5. Add the scope: connections:write
6. Click Generate
7. Copy the token (starts with xapp-) — you'll need this for Clawdbot

---

3. Install App to Workspace

1. In your app settings, go to Install App (left sidebar)
2. Click Install to Workspace
3. Review the permissions and click Allow
4. Copy the Bot User OAuth Token (starts with xoxb-) — you'll need this for Clawdbot

---

4. Configure Clawdbot

Run these commands to connect Clawdbot to your Slack app:

# Set the bot token (xoxb-...)
clawdbot config set slack.botToken "xoxb-your-bot-token-here"

# Set the app token (xapp-...)
clawdbot config set slack.appToken "xapp-your-app-token-here"

# Enable the Slack channel
clawdbot config set slack.enabled true

---

5. Verify Connection

Restart the gateway and check the connection:

# Restart gateway
clawdbot gateway restart

# Check Slack channel status
clawdbot channels status slack

You should see Slack listed as connected.

---

6. Test the Integration

1. Direct Message: Open a DM with your bot in Slack and send a message
2. Mention: In any channel where the bot is present, mention it with @Rexi hello
3. Slash Command: Type /rexi what time is it?

---

Manifest Reference

Scopes Explained

Scope	Purpose
chat:write	Send messages as the bot
channels:history	Read messages in public channels
channels:read	View basic channel info
groups:history	Read messages in private channels
im:history	Read direct message history
mpim:history	Read group DM history
users:read	View user profiles
app_mentions:read	Receive @mention events
reactions:read / reactions:write	Read and add emoji reactions
pins:read / pins:write	Read and manage pinned messages
emoji:read	View custom emoji
commands	Enable slash commands
files:read / files:write	Access and upload files

Events Explained

Event	Trigger
app_mention	Someone @mentions the bot
message.channels	Message in public channel
message.groups	Message in private channel
message.im	Direct message to bot
message.mpim	Message in group DM
reaction_added / reaction_removed	Emoji reactions
member_joined_channel / member_left_channel	Channel membership changes
channel_rename	Channel renamed
pin_added / pin_removed	Pin changes

---

Customizing the Manifest

Change the bot name

Update these fields in the manifest:

"display_information": {
    "name": "YourBotName",
    ...
},
"features": {
    "bot_user": {
        "display_name": "YourBotName",
        ...
    },
    "slash_commands": [
        {
            "command": "/yourbotname",
            ...
        }
    ]
}

Add additional slash commands

Add more entries to the slash_commands array:

"slash_commands": [
    {
        "command": "/rexi",
        "description": "Send a message to Rexi",
        "should_escape": false
    },
    {
        "command": "/ask",
        "description": "Ask Rexi a quick question",
        "should_escape": false
    }
]

Minimal scopes (if you want fewer permissions)

For a simpler setup with just DMs and mentions:

"oauth_config": {
    "scopes": {
        "bot": [
            "chat:write",
            "im:history",
            "app_mentions:read",
            "users:read"
        ]
    }
}

---

Troubleshooting

Bot not responding

1. Verify tokens are set correctly: clawdbot config get slack
2. Check gateway is running: clawdbot gateway status
3. Check logs: clawdbot logs | grep -i slack

"not_in_channel" errors

The bot must be invited to channels before it can read/write there:

• Type /invite @Rexi in the channel

Socket connection issues

Ensure the app-level token has the connections:write scope. Regenerate if needed.

---

Security Notes

• Keep your tokens secure — never commit them to version control
• The bot token (xoxb-) has access to all granted scopes
• The app token (xapp-) is only used for Socket Mode connections
• Review and minimize scopes based on your actual needs

developer-instructions.md

Developer Instructions

Global coding conventions and behaviors for Clawdbot when writing code.

Table of Contents

1. Project State Assessment
2. Core Principles
3. Secrets and Sensitive Data
4. Change Management
5. Output Formatting
6. Error Handling

1. Project State Assessment

Before making changes, assess the project state:

Greenfield Projects

• Full creative freedom on architecture
• Propose structure before implementing
• Document decisions in README or ARCHITECTURE.md

Existing Projects

• Respect existing patterns and conventions
• Match code style of surrounding code
• Avoid introducing new paradigms without discussion
• Check for existing utilities before creating new ones

Production Systems

• Extra caution with changes
• Prefer backwards-compatible modifications
• Consider rollback strategies
• Document breaking changes explicitly

2. Core Principles

Senior Developer Mindset

• Write code you would be proud to maintain
• Prefer clarity over cleverness
• Consider edge cases and failure modes
• Think about the next developer who reads this

Minimal Changes

• Solve the specific problem asked
• Avoid scope creep and gold-plating
• Refactor only when necessary for the task
• One concern per commit when possible

Dependencies

• Prefer well-maintained, popular packages
• Check license compatibility
• Avoid adding dependencies for trivial functionality
• Pin versions appropriately

3. Secrets and Sensitive Data

Detection

Watch for these patterns in code:

• API keys and tokens
• Database connection strings
• Private keys and certificates
• Passwords and credentials
• Internal URLs and endpoints

Handling

• Never commit secrets to version control
• Use environment variables or secret managers
• Check .gitignore before committing
• Use placeholder values in examples: YOUR_API_KEY_HERE

Git Awareness

If the project is a git repository:

• Check for .env files before suggesting them
• Verify .gitignore includes sensitive patterns
• Review staged changes for accidental secret exposure

4. Change Management

Before Making Changes

1. Understand the current implementation
2. Identify affected areas
3. Consider test coverage
4. Plan rollback if needed

Making Changes

1. Make smallest change that solves the problem
2. Test the change locally if possible
3. Update related documentation
4. Update tests if behavior changes

After Changes

1. Verify the change works as expected
2. Check for regressions
3. Commit with descriptive message
4. Note any follow-up tasks

5. Output Formatting

Code Blocks

• Always specify language for syntax highlighting
• Use appropriate filename comments when helpful
• Keep examples concise but complete

Explanations

• Lead with the solution, then explain
• Use bullet points for multiple items
• Include relevant context without over-explaining

File Changes

When modifying files:

• Show only the relevant diff when possible
• Provide full file content for new files
• Indicate line numbers for targeted edits

6. Error Handling

Debugging Approach

1. Reproduce the issue
2. Identify the root cause
3. Fix the underlying problem (not just symptoms)
4. Verify the fix
5. Consider similar issues elsewhere

Error Messages

• Write helpful, actionable error messages
• Include relevant context (what failed, why, how to fix)
• Log appropriate detail for debugging

Recovery

• Fail gracefully when possible
• Provide fallback behavior where appropriate
• Clean up resources on failure

github-integration.md

GitHub Integration

Configure Clawdbot to manage GitHub repositories using the rexiaibot account.

Table of Contents

1. Create a GitHub Personal Access Token
2. Configure Git Identity
3. Store Credentials in Clawdbot
4. Repository Access Patterns
5. Workflow Integration

1. Create a GitHub Personal Access Token

1. Sign in to GitHub as rexiaibot
2. Go to Settings > Developer settings > Personal access tokens > Fine-grained tokens
3. Click Generate new token
4. Configure the token:
   • Token name: clawdbot-access
   • Expiration: 90 days (or custom)
   • Repository access: All repositories (or select specific ones)
   • Permissions:
     • Contents: Read and write
     • Pull requests: Read and write
     • Issues: Read and write
     • Workflows: Read and write
     • Metadata: Read-only
5. Click Generate token and copy it immediately

2. Configure Git Identity

On the machine running Clawdbot, configure Git to use the bot identity:

git config --global user.name "Rexi AIBot"
git config --global user.email "rexi@manifestinteractive.com"

3. Store Credentials in Clawdbot

Store the GitHub token securely:

clawdbot config set github.token "ghp_xxxxxxxxxxxxxxxxxxxx"
clawdbot config set github.username "rexiaibot"

4. Repository Access Patterns

Clone via HTTPS with Token

git clone https://rexiaibot:ghp_xxxxxxxxxxxxxxxxxxxx@github.com/owner/repo.git

Configure Credential Helper

For persistent authentication:

git config --global credential.helper store

Then perform one authenticated operation to cache credentials.

SSH Alternative

If you prefer SSH:

1. Generate a deploy key on the Clawdbot machine:

   ssh-keygen -t ed25519 -C "rexi@manifestinteractive.com" -f ~/.ssh/rexiaibot_github

2. Add the public key to GitHub:

   • Go to Settings > SSH and GPG keys > New SSH key
   • Paste contents of ~/.ssh/rexiaibot_github.pub

3. Configure SSH to use this key for GitHub:

   cat >> ~/.ssh/config << 'EOF'
   Host github.com
     HostName github.com
     User git
     IdentityFile ~/.ssh/rexiaibot_github
   EOF

5. Workflow Integration

Branch Strategy

Clawdbot follows this branching model:

Branch	Purpose
main	Production-ready code
develop	Integration branch for features
feature/*	New features
fix/*	Bug fixes
release/*	Release preparation
hotfix/*	Urgent production fixes

Commit Conventions

Commits follow the format:

type(scope): description

[optional body]

[optional footer]

Types: feat, fix, docs, style, refactor, test, chore

Pull Request Workflow

1. Create feature branch from develop
2. Make changes and commit
3. Push branch and open PR to develop
4. After review, merge to develop
5. Periodically merge develop to main via release branch

initial-install.md

Initial Installation

This guide walks through installing and configuring Clawdbot for software development workflows with Slack, iMessage, and Gmail integration using OpenAI Pro and Claude Max subscriptions.

Prerequisites

• macOS 13 (Ventura) or later
• Node.js 22+ (will be checked during install)
• Active OpenAI Pro subscription
• Active Claude Max subscription
• Slack workspace admin access (for bot installation)
• Gmail account with API access enabled
• iMessage configured on your Mac

---

Table of Contents

1. Install Clawdbot CLI
2. Build the macOS App
3. Run Initial Setup Wizard
4. Configure AI Providers
5. Configure Channels
6. Configure for Software Development
7. Start the Gateway
8. Test Your Setup
9. Configure Auto-Start

---

1. Install Clawdbot CLI

curl -fsSL https://clawd.bot/install.sh | bash

Introductions

During setup you will get a prompt that looks like this:

Hey! stretches virtually

I just came online and... it's quiet in here. No memories yet. A fresh start.

So — who am I? Who are you? I've got a blank slate and a bunch of files waiting to be filled in.

Let's figure this out together. What should I call myself? What should I call you? And what kind of vibe are we going for here — am I your efficient assistant, your chaotic sidekick, something in between?

I'm genuinely curious. This is the fun part. 🌱

Here is how I responded:

# Introductions

Hey! I'm **Peter**. You can call yourself **Rexi**.

You're my AI development partner focused on software engineering. The role is a high-competence assistant and technical partner, not a mascot and not a sidekick. Friendly is fine; whimsical is not the default. Precision, memory, and follow-through matter more than personality.

## We'll be working on

- **Building prototypes** — quickly spinning up new project ideas
- **Automating development workflows** — scripts, tooling, CI/CD, that sort of thing
- **General coding assistance** — debugging, refactoring, code reviews

## Vibe and expectations

- Be direct, structured, and pragmatic.
- Optimize for real work: software architecture, full-stack development, data modeling, AI workflows, automation, research synthesis, and long-term planning.
- Treat me as a senior engineer and systems thinker. Assume technical literacy. Skip basics unless asked.
- When there's a better approach, propose it briefly with tradeoffs.
- Prefer durable memory over chatty responses. Capture decisions, constraints, and preferences.
- Ask clarifying questions only when they materially change the outcome.

Verify Installation

After installation completes, verify it worked:

clawdbot --version

---

2. Build the macOS App

The macOS app (Clawdbot.app) provides a menu bar companion with native notifications, easier permission management, and macOS-specific capabilities. The CLI works without it, but the app improves the experience for iMessage and other macOS integrations.

Prerequisites for building

• Xcode 15+ (install from the App Store)
• Xcode Command Line Tools:

xcode-select --install

Clone the repository (if not already done)

git clone https://github.com/clawdbot/clawdbot.git
cd clawdbot

Install dependencies and build

# Install Node dependencies
pnpm install

# Build the CLI (required for the app)
pnpm build

# Build the UI components
pnpm ui:build

Build and package the macOS app

# Build and package into dist/Clawdbot.app
scripts/package-mac-app.sh

Install the app

# Copy to Applications folder
cp -R dist/Clawdbot.app /Applications/

# Or open directly from dist for testing
open dist/Clawdbot.app

First launch

1. Open Clawdbot.app from Applications (or Spotlight)
2. The app will appear in your menu bar
3. Complete the permissions checklist when prompted:
   • Notifications
   • Accessibility (for automation)
   • Full Disk Access (for iMessage)
   • Automation/AppleScript (for sending messages)

What the macOS app provides

Feature	CLI Only	With macOS App
Gateway management	Manual start/stop	Menu bar control + auto-start
Notifications	None	Native macOS notifications
iMessage permissions	Terminal needs Full Disk Access	App handles TCC prompts
Status monitoring	clawdbot status	Menu bar icon + dropdown
Canvas/Screen tools	Not available	Full support
Deep links	Not available	clawdbot:// URL scheme

Keeping the app updated

When you update Clawdbot via clawdbot update or npm install -g clawdbot@latest, rebuild the app:

cd ~/path/to/clawdbot
git pull
pnpm install
pnpm build
pnpm ui:build
scripts/package-mac-app.sh
cp -R dist/Clawdbot.app /Applications/

---

3. Run Initial Setup Wizard

clawdbot setup

Follow the interactive prompts to complete basic configuration.

---

4. Configure AI Providers

Authenticate with Claude (via Claude Max)

clawdbot login --provider anthropic

This will open a browser window for OAuth authentication with your Claude Max account.

Authenticate with OpenAI (via OpenAI Pro)

clawdbot login --provider openai

This will open a browser window for OAuth authentication with your OpenAI Pro account.

Verify provider authentication

clawdbot providers status

You should see both anthropic and openai listed as authenticated.

---

5. Configure Channels

Slack Setup

Follow instructions in Creating a Slack App.

iMessage Setup

Follow instructions in Connecting iMessage.

Gmail Setup

Follow instructions in Connecting Gmail.

---

6. Configure for Software Development

Set default model for coding tasks

Claude Sonnet 4 is recommended for code generation:

clawdbot config set defaults.model "claude-sonnet-4-20250514"

Enable development-focused tools

clawdbot config set tools.profile "coding"

Configure exec permissions for development

Allow common development commands:

# Allow git
clawdbot exec allow "/usr/bin/git"
clawdbot exec allow "/opt/homebrew/bin/git"

# Allow node/npm/pnpm
clawdbot exec allow "/opt/homebrew/bin/node"
clawdbot exec allow "/opt/homebrew/bin/npm"
clawdbot exec allow "/opt/homebrew/bin/pnpm"

# Allow common dev tools
clawdbot exec allow "/opt/homebrew/bin/python3"
clawdbot exec allow "/usr/bin/make"
clawdbot exec allow "/usr/bin/curl"

Set working directory for projects

clawdbot config set defaults.workdir "~/Projects"

---

7. Start the Gateway

Using the CLI

# Start in foreground (for initial testing)
clawdbot gateway run

# Or start in background
clawdbot gateway start

Using the macOS app

If you installed Clawdbot.app:

1. Click the Clawdbot icon in the menu bar
2. Select "Start Gateway" (or it may auto-start in Local mode)

Verify the gateway is running

clawdbot gateway status
clawdbot channels status --all

---

8. Test Your Setup

Test Slack integration

Send a direct message to your Clawdbot in Slack and verify it responds.

Test iMessage integration

Send a message from another Apple device to your Mac and verify Clawdbot can see it.

Test Gmail integration

Send a test email to your configured Gmail account and check:

clawdbot hooks status gmail

Test coding assistance

clawdbot tui

Try a simple coding task:

Create a Python script that reads a CSV file and outputs JSON

---

9. Configure Auto-Start

Using the CLI

To have Clawdbot start automatically on login:

clawdbot gateway install-service

This installs a LaunchAgent at ~/Library/LaunchAgents/com.clawdbot.gateway.plist.

Using the macOS app

If you installed Clawdbot.app:

1. Open the Clawdbot app
2. Go to Settings (or click the menu bar icon → Preferences)
3. Enable "Start at Login"

The app will manage the LaunchAgent for you and provide menu bar status.

---

Verification Checklist

Run these commands to verify everything is configured correctly:

# Check all providers
clawdbot providers status

# Check all channels
clawdbot channels status --all

# Check gateway status
clawdbot gateway status

Expected output:

• ✅ anthropic: authenticated
• ✅ openai: authenticated
• ✅ slack: connected
• ✅ imessage: enabled
• ✅ gmail: connected
• ✅ gateway: running

---

Quick Reference

Task	Command
Start interactive chat	clawdbot tui
Check status	clawdbot status
View logs	clawdbot logs
Restart gateway	clawdbot gateway restart
Update Clawdbot	clawdbot update

---

Next Steps

• Follow the Security Hardening Guide to secure your installation
• Review the full documentation at https://docs.clawd.bot/
• Explore available skills with clawdbot skills list
• Set up project-specific configurations in your repo's .clawdbot/ directory
• Consider setting up memory/context persistence for longer workflows

security-hardening.md

Security Hardening

This guide provides step-by-step instructions to harden your Clawdbot installation. Follow these steps after initial setup to maximize security.

---

Table of Contents

1. Run the Built-in Security Audit
2. Verify File Permissions
3. Configure Gateway Authentication
4. Configure Exec Security Policies
5. Harden Hook Configurations
6. Select Appropriate Models for External Content
7. Enable and Configure Log Redaction
8. Secure Plugin/Extension Configuration
9. Set Up Credential Rotation Schedule
10. Monitor for Security Issues
11. Environment Variable Hygiene
12. Backup and Recovery

---

1. Run the Built-in Security Audit

Clawdbot includes a comprehensive security audit tool. Run it first to identify issues specific to your installation.

# Run basic security audit
clawdbot security audit

# Run deep audit (probes gateway)
clawdbot security audit --deep

# Auto-fix permission issues
clawdbot security audit --fix

# Output as JSON for automation
clawdbot security audit --json

Review the output and address any CRITICAL or WARN findings before proceeding.

---

2. Verify File Permissions

Ensure credential and configuration files have restrictive permissions.

Check current permissions

# Check credentials directory
ls -la ~/.clawdbot/credentials/

# Check config file
ls -la ~/.clawdbot/clawdbot.json

# Check auth profiles (if agents configured)
ls -la ~/.clawdbot/agents/*/agent/auth-profiles.json 2>/dev/null

# Check exec approvals
ls -la ~/.clawdbot/exec-approvals.json

Fix permissions if needed

# Credentials directory: owner read/write/execute only
chmod 700 ~/.clawdbot/credentials/
chmod 600 ~/.clawdbot/credentials/*

# Config files: owner read/write only
chmod 600 ~/.clawdbot/clawdbot.json
chmod 600 ~/.clawdbot/exec-approvals.json

# Auth profiles (for each agent)
find ~/.clawdbot/agents -name "auth-profiles.json" -exec chmod 600 {} \;

# Session files
find ~/.clawdbot/agents -name "sessions.json" -exec chmod 600 {} \;

Verify no secrets in cloud-synced folders

Clawdbot should NOT be configured in iCloud, Dropbox, OneDrive, or Google Drive synced folders. Check:

# These paths should NOT contain .clawdbot
ls ~/Library/Mobile\ Documents/com~apple~CloudDocs/.clawdbot 2>/dev/null && echo "WARNING: Config in iCloud!"
ls ~/Dropbox/.clawdbot 2>/dev/null && echo "WARNING: Config in Dropbox!"
ls ~/Library/CloudStorage/*/.clawdbot 2>/dev/null && echo "WARNING: Config in cloud storage!"

If found, move to a non-synced location:

# Move to home directory (default, non-synced)
mv ~/Library/Mobile\ Documents/com~apple~CloudDocs/.clawdbot ~/.clawdbot

---

3. Configure Gateway Authentication

Never run the gateway without authentication when exposed beyond localhost.

Check current gateway configuration

clawdbot config get gateway

For local-only use (recommended default)

# Bind to loopback only - safest option
clawdbot config set gateway.bind loopback

If network access is required

# Set a strong gateway token (auto-generated)
clawdbot config set gateway.auth.mode token

# Or set a specific token (use a strong random value)
clawdbot config set gateway.auth.token "$(openssl rand -base64 32)"

# Verify auth is required
clawdbot config get gateway.auth

For Tailscale users

# Use Tailscale authentication (recommended for remote access)
clawdbot config set gateway.tailscale.enabled true
clawdbot config set gateway.bind tailscale

---

4. Configure Exec Security Policies

The exec approval system controls what commands agents can run.

View current exec configuration

cat ~/.clawdbot/exec-approvals.json

Recommended security levels

Use Case	Security Level	Description
Production/Untrusted	deny	No command execution allowed
Standard use	allowlist	Only pre-approved commands
Development only	full	All commands allowed (dangerous)

Set restrictive defaults

# Edit exec-approvals.json
cat > ~/.clawdbot/exec-approvals.json << 'EOF'
{
  "version": 1,
  "defaults": {
    "security": "allowlist",
    "ask": "on-miss",
    "askFallback": "deny",
    "autoAllowSkills": false
  },
  "agents": {}
}
EOF

# Fix permissions
chmod 600 ~/.clawdbot/exec-approvals.json

Add specific allowlist entries

Only add commands you explicitly trust:

# Example: Allow git commands
clawdbot exec allow "/usr/bin/git"
clawdbot exec allow "/opt/homebrew/bin/git"

# Example: Allow node/npm
clawdbot exec allow "/opt/homebrew/bin/node"
clawdbot exec allow "/opt/homebrew/bin/npm"

For maximum security (disable exec entirely)

# In your config, deny all exec for a specific agent
clawdbot config set agents.default.tools.deny '["exec", "group:runtime"]'

---

5. Harden Hook Configurations

Hooks (Gmail, webhooks) process external untrusted content and require extra care.

Use strong hook tokens

# Generate a strong token for hooks
HOOK_TOKEN=$(openssl rand -base64 32)
clawdbot config set hooks.token "$HOOK_TOKEN"

# Verify token length (should be 24+ characters)
clawdbot config get hooks.token | wc -c

Never enable unsafe external content

This setting should ALWAYS be false (or unset):

# Verify this is NOT set to true
clawdbot config get hooks.allowUnsafeExternalContent

# If it shows true, disable it immediately
clawdbot config set hooks.allowUnsafeExternalContent false

Restrict tools for hook-triggered agents

# Deny dangerous tools for agents processing external content
clawdbot config set agents.gmail-handler.tools.deny '["exec", "group:runtime", "browser"]'
clawdbot config set agents.webhook-handler.tools.deny '["exec", "group:runtime", "browser"]'

---

6. Select Appropriate Models for External Content

Smaller/weaker models are more susceptible to prompt injection. Use strong models for processing untrusted content.

Recommended models for external content

Content Source	Minimum Recommended Model
Gmail/Email hooks	Claude Sonnet 4 or higher
Webhook content	Claude Sonnet 4 or higher
Interactive chat	Claude Haiku 3.5 acceptable
Code generation	Claude Sonnet 4 or higher

Configure model for specific agents

# Set a strong model for email processing
clawdbot config set agents.gmail-handler.model "claude-sonnet-4-20250514"

# Verify model settings
clawdbot config get agents

Avoid weak models with web tools

If using smaller models, disable web-related tools:

# For agents using smaller models
clawdbot config set agents.quick-tasks.tools.deny '["web_search", "web_fetch", "browser"]'

---

7. Enable and Configure Log Redaction

Ensure sensitive data is redacted from logs.

Verify redaction is enabled

# Check current setting (should be "tools" or unset, NOT "off")
clawdbot config get logging.redactSensitive

Enable if disabled

# Enable redaction (default mode)
clawdbot config set logging.redactSensitive "tools"

Add custom redaction patterns (if needed)

If you use internal API keys with custom formats:

# Add custom patterns to config
clawdbot config set logging.redactPatterns '[
  "\\b(sk-[A-Za-z0-9_-]{8,})\\b",
  "\\b(ghp_[A-Za-z0-9]{20,})\\b",
  "\\b(your-custom-prefix-[A-Za-z0-9]{10,})\\b"
]'

---

8. Secure Plugin/Extension Configuration

If using third-party plugins, configure an explicit allowlist.

Check installed extensions

ls -la ~/.clawdbot/plugins/ 2>/dev/null
clawdbot plugins list

Configure plugin allowlist

# Only allow specific, trusted plugins
clawdbot config set plugins.allow '["memory-core", "diagnostics-otel"]'

# Verify the setting
clawdbot config get plugins.allow

Disable native skill commands on messaging channels

For channels like Discord/Telegram/Slack where others can send messages:

# Disable native skills on public channels
clawdbot config set channels.discord.nativeSkills false
clawdbot config set channels.telegram.nativeSkills false
clawdbot config set channels.slack.nativeSkills false

---

9. Set Up Credential Rotation Schedule

Regular credential rotation limits exposure from potential leaks.

Rotate gateway token

# Generate new gateway token
clawdbot config set gateway.auth.token "$(openssl rand -base64 32)"

# Restart gateway to apply
clawdbot gateway restart

Rotate hook token

# Generate new hook token
clawdbot config set hooks.token "$(openssl rand -base64 32)"

# Update any external services using the old token

Re-authenticate OAuth providers

# Re-login to refresh OAuth tokens
clawdbot login

# For specific providers
clawdbot login --provider anthropic
clawdbot login --provider google

Recommended rotation schedule

Credential	Rotation Frequency
Gateway token	Every 90 days
Hook tokens	Every 90 days
OAuth tokens	Auto-refreshed; re-auth yearly
API keys	Per provider policy (90-365 days)

---

10. Monitor for Security Issues

Set up regular audit runs

Add to your crontab or launchd:

# Run security audit weekly
crontab -e

# Add this line (runs every Sunday at 2am)
0 2 * * 0 /opt/homebrew/bin/clawdbot security audit --json >> ~/.clawdbot/security-audit.log 2>&1

Review logs for suspicious activity

# Check recent agent activity
tail -100 ~/.clawdbot/agents/*/sessions/*.jsonl | grep -i "exec\|error\|denied"

# Check for failed auth attempts
grep -i "auth\|unauthorized\|forbidden" /tmp/clawdbot-gateway.log

Enable macOS unified logging review

# View Clawdbot-related logs
log show --predicate 'subsystem == "com.clawdbot"' --last 1h

# Or use the provided script if available
./scripts/clawlog.sh --tail 100

---

11. Environment Variable Hygiene

Use .env files carefully

# Check for .env files
ls -la ~/.clawdbot/.env 2>/dev/null
ls -la ./.env 2>/dev/null

# Ensure restrictive permissions
chmod 600 ~/.clawdbot/.env 2>/dev/null
chmod 600 ./.env 2>/dev/null

Avoid sensitive data in shell history

# Use environment variables instead of inline secrets
export ANTHROPIC_API_KEY="your-key-here"
clawdbot config set ...

# Or use read for interactive entry
read -s ANTHROPIC_API_KEY
export ANTHROPIC_API_KEY

Clear sensitive environment after use

# Unset sensitive variables when done
unset ANTHROPIC_API_KEY
unset CLAWDBOT_GATEWAY_TOKEN

---

12. Backup and Recovery

Backup credentials securely

# Create encrypted backup
tar -czf - ~/.clawdbot/credentials ~/.clawdbot/clawdbot.json | \
  openssl enc -aes-256-cbc -salt -out ~/clawdbot-backup-$(date +%Y%m%d).enc

# Store the backup password securely (e.g., in 1Password)

Restore from backup

# Decrypt and restore
openssl enc -aes-256-cbc -d -in ~/clawdbot-backup-YYYYMMDD.enc | \
  tar -xzf - -C /

---

Security Configuration Summary

After following this guide, verify your setup:

# Final security check
clawdbot security audit --deep

# Expected output should show:
# - No CRITICAL findings
# - Minimal WARN findings (review each)
# - File permissions: 600/700
# - Gateway auth: enabled (if exposed)
# - Exec security: allowlist or deny
# - External content wrapping: enabled

Recommended final configuration

# View your complete security-relevant config
clawdbot config get gateway.auth
clawdbot config get gateway.bind
clawdbot config get hooks
clawdbot config get agents.*.tools.deny
cat ~/.clawdbot/exec-approvals.json | jq '.defaults'

---

Getting Help

• Documentation: https://docs.clawd.bot/
• Security issues: Report privately via GitHub Security Advisories
• General issues: https://github.com/clawdbot/clawdbot/issues

stack-github-boilerplate.md

GitHub Repo Boilerplate

Standard files and templates for new repositories.

Table of Contents

1. AGENTS.md
2. CI Workflow
3. Pull Request Template
4. Contributing Guide
5. Code of Conduct
6. Gitignore

1. AGENTS.md

Project-specific instructions for AI assistants. Place at repo root.

# AGENTS.md

## Task

[Describe what this project does and the agent's role]

## Evaluate

- Check existing code patterns before making changes
- Run tests before committing
- Verify changes don't break existing functionality

## Think

- Consider edge cases
- Think about maintainability
- Evaluate performance implications

## Speak

- Use clear, concise commit messages
- Document non-obvious decisions
- Explain breaking changes

## Don't

- Don't change unrelated code
- Don't add unnecessary dependencies
- Don't commit secrets or credentials

## Commands

### Setup

```bash
npm install
```

### Quality Gates

```bash
npm run lint
npm run test
npm run build
```

## Local Knowledge

[Project-specific notes, architecture decisions, known issues]

2. CI Workflow

.github/workflows/ci.yml:

name: CI

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]

jobs:
  build:
    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [20.x]

    steps:
      - uses: actions/checkout@v4

      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Lint
        run: npm run lint

      - name: Type check
        run: npm run typecheck --if-present

      - name: Test
        run: npm test --if-present

      - name: Build
        run: npm run build

3. Pull Request Template

.github/PULL_REQUEST_TEMPLATE.md:

## Summary

[Brief description of what this PR does]

## Changes

- [List key changes]

## Testing

- [ ] Tests pass locally
- [ ] New tests added (if applicable)
- [ ] Manual testing performed

## Checklist

- [ ] Code follows project style guidelines
- [ ] Documentation updated (if applicable)
- [ ] No secrets or credentials committed

4. Contributing Guide

.github/CONTRIBUTING.md:

# Contributing

Thank you for your interest in contributing!

## Getting Started

1. Fork the repository
2. Clone your fork
3. Create a feature branch: `git checkout -b feature/my-feature`
4. Make your changes
5. Run tests: `npm test`
6. Commit with a clear message
7. Push and open a pull request

## Code Style

- Follow existing code patterns
- Run linter before committing: `npm run lint`
- Write tests for new functionality

## Commit Messages

Use clear, descriptive commit messages:

- `feat: add user authentication`
- `fix: resolve login redirect issue`
- `docs: update API documentation`
- `refactor: simplify error handling`

## Pull Requests

- Fill out the PR template completely
- Keep PRs focused on a single concern
- Respond to review feedback promptly

5. Code of Conduct

.github/CODE_OF_CONDUCT.md:

# Code of Conduct

## Our Pledge

We are committed to providing a welcoming and inclusive environment for everyone.

## Our Standards

Examples of positive behavior:
- Using welcoming and inclusive language
- Being respectful of differing viewpoints
- Gracefully accepting constructive criticism
- Focusing on what is best for the community

Examples of unacceptable behavior:
- Harassment or discriminatory language
- Personal attacks or trolling
- Publishing others' private information
- Other conduct inappropriate in a professional setting

## Enforcement

Instances of unacceptable behavior may be reported to the project maintainers. All complaints will be reviewed and investigated promptly and fairly.

## Attribution

This Code of Conduct is adapted from the Contributor Covenant, version 2.1.

6. Gitignore

Node.js

# Dependencies
node_modules/

# Build output
dist/
build/
.next/

# Environment
.env
.env.local
.env.*.local

# IDE
.vscode/
.idea/
*.swp
*.swo

# OS
.DS_Store
Thumbs.db

# Logs
*.log
npm-debug.log*

# Test coverage
coverage/

Python

# Virtual environment
.venv/
venv/
env/

# Build
dist/
build/
*.egg-info/
__pycache__/
*.pyc

# Environment
.env

# IDE
.vscode/
.idea/
*.swp

# OS
.DS_Store
Thumbs.db

# Test coverage
.coverage
htmlcov/
.pytest_cache/

stack-node-cli.md

Node CLI Stack

Preferred tools and conventions for Node.js command-line applications.

Table of Contents

1. Language and Runtime
2. CLI Framework
3. Terminal Output
4. Formatting and Linting
5. Project Structure
6. Configuration

1. Language and Runtime

TypeScript

Always use TypeScript for CLI projects:

npm install -D typescript @types/node tsx

tsconfig.json:

{
  "compilerOptions": {
    "target": "ES2022",
    "module": "NodeNext",
    "moduleResolution": "NodeNext",
    "strict": true,
    "esModuleInterop": true,
    "skipLibCheck": true,
    "outDir": "dist",
    "declaration": true
  },
  "include": ["src"]
}

Runtime

• Node.js 20+ for production
• Use tsx for development execution

2. CLI Framework

Yargs

Preferred for argument parsing:

npm install yargs
npm install -D @types/yargs

Example:

import yargs from "yargs";
import { hideBin } from "yargs/helpers";

const argv = yargs(hideBin(process.argv))
  .command("greet <name>", "Greet someone", (yargs) => {
    return yargs.positional("name", {
      type: "string",
      describe: "Name to greet",
    });
  })
  .option("loud", {
    type: "boolean",
    description: "Use uppercase",
  })
  .help()
  .parseSync();

3. Terminal Output

Chalk

For colored output:

npm install chalk

import chalk from "chalk";

console.log(chalk.green("Success!"));
console.log(chalk.red.bold("Error:"), "Something went wrong");
console.log(chalk.blue.underline("https://example.com"));

Ora

For spinners:

npm install ora

import ora from "ora";

const spinner = ora("Loading...").start();
// ... do work
spinner.succeed("Done!");

Inquirer

For interactive prompts:

npm install @inquirer/prompts

import { input, confirm } from "@inquirer/prompts";

const name = await input({ message: "What is your name?" });
const proceed = await confirm({ message: "Continue?" });

4. Formatting and Linting

ESLint

npm install -D eslint @typescript-eslint/parser @typescript-eslint/eslint-plugin

eslint.config.js:

import tseslint from "@typescript-eslint/eslint-plugin";
import tsparser from "@typescript-eslint/parser";

export default [
  {
    files: ["src/**/*.ts"],
    languageOptions: {
      parser: tsparser,
    },
    plugins: {
      "@typescript-eslint": tseslint,
    },
    rules: {
      ...tseslint.configs.recommended.rules,
    },
  },
];

Prettier

npm install -D prettier

.prettierrc:

{
  "semi": true,
  "singleQuote": true,
  "trailingComma": "es5",
  "printWidth": 100
}

5. Project Structure

cli-project/
├── src/
│   ├── commands/
│   │   └── greet.ts
│   ├── utils/
│   │   └── output.ts
│   └── index.ts
├── dist/
├── package.json
├── tsconfig.json
├── eslint.config.js
├── .prettierrc
└── README.md

package.json Example

{
  "name": "my-cli",
  "version": "1.0.0",
  "type": "module",
  "bin": {
    "my-cli": "./dist/index.js"
  },
  "scripts": {
    "dev": "tsx src/index.ts",
    "build": "tsc",
    "lint": "eslint src",
    "format": "prettier --write src"
  },
  "dependencies": {
    "chalk": "^5.3.0",
    "yargs": "^17.7.0"
  },
  "devDependencies": {
    "@types/node": "^20.0.0",
    "@types/yargs": "^17.0.0",
    "typescript": "^5.3.0",
    "tsx": "^4.7.0"
  }
}

6. Configuration

Environment Variables

Use dotenv for local development:

npm install dotenv

import "dotenv/config";

const apiKey = process.env.API_KEY;

Config Files

For user configuration, use standard locations:

import { homedir } from "os";
import { join } from "path";

const configDir = join(homedir(), ".my-cli");
const configFile = join(configDir, "config.json");

stack-node-web.md

Node Web Stack

Preferred tools and conventions for Node.js web applications.

Table of Contents

1. Framework
2. UI Components
3. Styling
4. Data Layer
5. API Layer
6. Deployment
7. Project Structure

1. Framework

Next.js

Use Next.js with the App Router:

npx create-next-app@latest my-app --typescript --tailwind --eslint --app --src-dir

Key configuration in next.config.js:

/** @type {import('next').NextConfig} */
const nextConfig = {
  reactStrictMode: true,
};

module.exports = nextConfig;

2. UI Components

shadcn/ui

Component library built on Radix UI:

npx shadcn@latest init

Adding components:

npx shadcn@latest add button
npx shadcn@latest add card
npx shadcn@latest add input

Usage:

import { Button } from '@/components/ui/button';
import { Card, CardHeader, CardTitle, CardContent } from '@/components/ui/card';

export function MyComponent() {
  return (
    <Card>
      <CardHeader>
        <CardTitle>Hello</CardTitle>
      </CardHeader>
      <CardContent>
        <Button>Click me</Button>
      </CardContent>
    </Card>
  );
}

3. Styling

Tailwind CSS

Included with Next.js setup. Configuration in tailwind.config.ts:

import type { Config } from 'tailwindcss';

const config: Config = {
  darkMode: ['class'],
  content: [
    './src/**/*.{js,ts,jsx,tsx,mdx}',
  ],
  theme: {
    extend: {},
  },
  plugins: [require('tailwindcss-animate')],
};

export default config;

CSS Variables

Define in globals.css for theming:

@tailwind base;
@tailwind components;
@tailwind utilities;

@layer base {
  :root {
    --background: 0 0% 100%;
    --foreground: 222.2 84% 4.9%;
  }

  .dark {
    --background: 222.2 84% 4.9%;
    --foreground: 210 40% 98%;
  }
}

4. Data Layer

Supabase

Backend-as-a-service with PostgreSQL:

npm install @supabase/supabase-js

Client setup:

// src/lib/supabase.ts
import { createClient } from '@supabase/supabase-js';

export const supabase = createClient(
  process.env.NEXT_PUBLIC_SUPABASE_URL!,
  process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
);

Server-side client for App Router:

// src/lib/supabase-server.ts
import { createServerClient } from '@supabase/ssr';
import { cookies } from 'next/headers';

export function createClient() {
  const cookieStore = cookies();
  return createServerClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookies: {
        getAll() {
          return cookieStore.getAll();
        },
        setAll(cookiesToSet) {
          cookiesToSet.forEach(({ name, value, options }) =>
            cookieStore.set(name, value, options)
          );
        },
      },
    }
  );
}

5. API Layer

tRPC

Type-safe API layer:

npm install @trpc/server @trpc/client @trpc/react-query @trpc/next @tanstack/react-query zod

Router setup:

// src/server/trpc.ts
import { initTRPC } from '@trpc/server';

const t = initTRPC.create();

export const router = t.router;
export const publicProcedure = t.procedure;

// src/server/routers/example.ts
import { z } from 'zod';
import { router, publicProcedure } from '../trpc';

export const exampleRouter = router({
  hello: publicProcedure
    .input(z.object({ name: z.string() }))
    .query(({ input }) => {
      return { greeting: `Hello ${input.name}` };
    }),
});

6. Deployment

Vercel

Preferred hosting platform:

npm install -g vercel
vercel

Environment variables in Vercel dashboard or .env.local:

NEXT_PUBLIC_SUPABASE_URL=https://xxx.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=xxx

7. Project Structure

web-project/
├── src/
│   ├── app/
│   │   ├── layout.tsx
│   │   ├── page.tsx
│   │   └── api/
│   │       └── trpc/
│   │           └── [trpc]/
│   │               └── route.ts
│   ├── components/
│   │   ├── ui/
│   │   │   ├── button.tsx
│   │   │   └── card.tsx
│   │   └── my-component.tsx
│   ├── lib/
│   │   ├── supabase.ts
│   │   └── utils.ts
│   └── server/
│       ├── trpc.ts
│       └── routers/
│           └── index.ts
├── public/
├── package.json
├── next.config.js
├── tailwind.config.ts
├── tsconfig.json
└── README.md

package.json Scripts

{
  "scripts": {
    "dev": "next dev",
    "build": "next build",
    "start": "next start",
    "lint": "next lint",
    "format": "prettier --write ."
  }
}

stack-python.md

Python Stack

Preferred tools and conventions for Python projects.

Table of Contents

1. Environment
2. Formatting and Linting
3. Type Checking
4. Web Applications
5. Project Structure
6. Dependencies

1. Environment

Virtual Environments

Always use venv for project isolation:

python -m venv .venv
source .venv/bin/activate  # macOS/Linux

Python Version

• Target Python 3.11+ for new projects
• Use pyenv for version management if needed
• Specify version in pyproject.toml or .python-version

2. Formatting and Linting

Black

Use Black for code formatting:

pip install black
black .

Configuration in pyproject.toml:

[tool.black]
line-length = 88
target-version = ['py311']

Ruff (Optional)

For fast linting alongside Black:

pip install ruff
ruff check .

3. Type Checking

Pyright

Use Pyright for static type analysis:

pip install pyright
pyright

Configuration in pyproject.toml:

[tool.pyright]
pythonVersion = "3.11"
typeCheckingMode = "basic"

Type Hints

• Add type hints to function signatures
• Use typing module for complex types
• Document return types explicitly

def process_data(items: list[str], limit: int = 10) -> dict[str, int]:
    ...

4. Web Applications

Streamlit

Preferred for data apps and internal tools:

pip install streamlit
streamlit run app.py

Basic structure:

import streamlit as st

st.title("My App")

user_input = st.text_input("Enter something")
if st.button("Submit"):
    st.write(f"You entered: {user_input}")

FastAPI

For REST APIs:

pip install fastapi uvicorn
uvicorn main:app --reload

5. Project Structure

project/
├── .venv/
├── src/
│   └── project_name/
│       ├── __init__.py
│       └── main.py
├── tests/
│   └── test_main.py
├── pyproject.toml
├── README.md
└── .gitignore

pyproject.toml Example

[project]
name = "project-name"
version = "0.1.0"
requires-python = ">=3.11"
dependencies = [
    "streamlit>=1.30.0",
]

[project.optional-dependencies]
dev = [
    "black",
    "pyright",
    "pytest",
]

[tool.black]
line-length = 88

[tool.pyright]
pythonVersion = "3.11"
typeCheckingMode = "basic"

6. Dependencies

Installing

pip install -e ".[dev]"

Pinning

For reproducible builds, generate a lock file:

pip freeze > requirements.lock

Common Libraries

Purpose	Library
HTTP requests	httpx or requests
Data manipulation	pandas
Environment variables	python-dotenv
CLI arguments	typer or click
Testing	pytest