From 99d6cb97cb510b3739c68dc59584cad84896be2b Mon Sep 17 00:00:00 2001 From: JR Morgan Date: Wed, 11 Mar 2026 15:03:18 -0700 Subject: [PATCH 01/14] Add rebrand for welcome UI, include launch.sh script --- brev/launch.sh | 436 ++++++++++++++++++++++++++++++ brev/welcome-ui/app.js | 16 +- brev/welcome-ui/other-agents.yaml | 18 +- brev/welcome-ui/server.js | 105 ++++--- 4 files changed, 519 insertions(+), 56 deletions(-) create mode 100755 brev/launch.sh diff --git a/brev/launch.sh b/brev/launch.sh new file mode 100755 index 0000000..f57de3b --- /dev/null +++ b/brev/launch.sh @@ -0,0 +1,436 @@ +#!/usr/bin/env bash + +set -euo pipefail + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +SCRIPT_REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)" +REPO_ROOT="" +WELCOME_UI_DIR="" + +PORT="${PORT:-8081}" +CLI_BIN="${CLI_BIN:-}" +CLI_RELEASE_TAG="${CLI_RELEASE_TAG:-devel}" +AUTO_INSTALL_CLI="${AUTO_INSTALL_CLI:-1}" +GITHUB_TOKEN="${GITHUB_TOKEN:-${GH_TOKEN:-${GITHUB_PAT:-}}}" +COMMUNITY_REPO="${COMMUNITY_REPO:-NVIDIA/OpenShell-Community}" +COMMUNITY_REF="${COMMUNITY_REF:-${COMMUNITY_BRANCH:-}}" +CLONE_ROOT="${CLONE_ROOT:-/home/ubuntu}" +CLONE_DIR="${CLONE_DIR:-$CLONE_ROOT/OpenShell-Community}" +GATEWAY_LOG="${GATEWAY_LOG:-/tmp/openshell-gateway.log}" +WELCOME_UI_LOG="${WELCOME_UI_LOG:-/tmp/welcome-ui.log}" +WAIT_TIMEOUT_SECS="${WAIT_TIMEOUT_SECS:-30}" + +log() { + printf '[launch.sh] %s\n' "$*" +} + +step() { + printf '\n[launch.sh] === %s ===\n' "$*" +} + +require_cmd() { + if ! command -v "$1" >/dev/null 2>&1; then + log "Missing required command: $1" + exit 1 + fi +} + +repo_has_welcome_ui() { + [[ -d "$1/brev/welcome-ui" ]] +} + +wait_for_tcp_port() { + local port="$1" + local timeout_secs="${2:-30}" + local start_ts + start_ts="$(date +%s)" + + while true; do + if (echo >"/dev/tcp/127.0.0.1/$port") >/dev/null 2>&1; then + return 0 + fi + + if (( "$(date +%s)" - start_ts >= timeout_secs )); then + return 1 + fi + + sleep 1 + done +} + +wait_for_log_pattern() { + local logfile="$1" + local pattern="$2" + local timeout_secs="${3:-30}" + local start_ts + start_ts="$(date +%s)" + + while true; do + if [[ -f "$logfile" ]] && grep -q "$pattern" "$logfile"; then + return 0 + fi + + if (( "$(date +%s)" - start_ts >= timeout_secs )); then + return 1 + fi + + sleep 1 + done +} + +detect_arch() { + case "$(uname -m)" in + x86_64|amd64) echo "x86_64" ;; + aarch64|arm64) echo "aarch64" ;; + *) + log "Unsupported architecture: $(uname -m)" + exit 1 + ;; + esac +} + +ensure_gh() { + if command -v gh >/dev/null 2>&1; then + log "GitHub CLI already installed." + return + fi + + log "Installing GitHub CLI..." + require_cmd sudo + require_cmd apt-get + sudo apt-get update + sudo apt-get install -y gh +} + +gh_auth_if_needed() { + if ! command -v gh >/dev/null 2>&1; then + return + fi + + if gh auth status >/dev/null 2>&1; then + return + fi + + if [[ -z "$GITHUB_TOKEN" ]]; then + log "GitHub CLI is unauthenticated. Continuing without auth." + return + fi + + log "Authenticating GitHub CLI from environment token..." + if ! printf '%s\n' "$GITHUB_TOKEN" | gh auth login --with-token >/dev/null 2>&1; then + log "GitHub authentication failed." + exit 1 + fi +} + +checkout_repo_ref() { + if [[ -z "$COMMUNITY_REF" ]]; then + return + fi + + require_cmd git + log "Checking out OpenShell-Community ref: $COMMUNITY_REF" + + git -C "$CLONE_DIR" fetch --all --tags --prune + + if git -C "$CLONE_DIR" show-ref --verify --quiet "refs/remotes/origin/$COMMUNITY_REF"; then + git -C "$CLONE_DIR" checkout -B "$COMMUNITY_REF" "origin/$COMMUNITY_REF" + return + fi + + if git -C "$CLONE_DIR" show-ref --verify --quiet "refs/tags/$COMMUNITY_REF"; then + git -C "$CLONE_DIR" checkout --detach "refs/tags/$COMMUNITY_REF" + return + fi + + if git -C "$CLONE_DIR" rev-parse --verify --quiet "$COMMUNITY_REF^{commit}" >/dev/null; then + git -C "$CLONE_DIR" checkout --detach "$COMMUNITY_REF" + return + fi + + git -C "$CLONE_DIR" fetch origin "$COMMUNITY_REF" + git -C "$CLONE_DIR" checkout --detach FETCH_HEAD +} + +clone_repo_if_needed() { + if repo_has_welcome_ui "$CLONE_DIR"; then + log "Using existing repo checkout at $CLONE_DIR" + checkout_repo_ref + return + fi + + require_cmd git + + if [[ -e "$CLONE_DIR" ]]; then + log "Clone target exists but is not a valid repo checkout: $CLONE_DIR" + exit 1 + fi + + mkdir -p "$CLONE_ROOT" + + if [[ -n "$GITHUB_TOKEN" ]]; then + log "Cloning ${COMMUNITY_REPO} into $CLONE_DIR with token auth..." + if [[ -n "$COMMUNITY_REF" ]]; then + git clone --branch "$COMMUNITY_REF" "https://${GITHUB_TOKEN}@github.com/${COMMUNITY_REPO}.git" "$CLONE_DIR" \ + || git clone "https://${GITHUB_TOKEN}@github.com/${COMMUNITY_REPO}.git" "$CLONE_DIR" + else + git clone "https://${GITHUB_TOKEN}@github.com/${COMMUNITY_REPO}.git" "$CLONE_DIR" + fi + else + log "Cloning ${COMMUNITY_REPO} into $CLONE_DIR..." + if [[ -n "$COMMUNITY_REF" ]]; then + git clone --branch "$COMMUNITY_REF" "https://github.com/${COMMUNITY_REPO}.git" "$CLONE_DIR" \ + || git clone "https://github.com/${COMMUNITY_REPO}.git" "$CLONE_DIR" + else + git clone "https://github.com/${COMMUNITY_REPO}.git" "$CLONE_DIR" + fi + fi + + checkout_repo_ref +} + +install_cli_from_release() { + local arch tmpdir repo pattern archive candidate + + ensure_gh + gh_auth_if_needed + + arch="$(detect_arch)" + tmpdir="$(mktemp -d)" + trap 'rm -rf "$tmpdir"' RETURN + + for candidate in openshell nemoclaw; do + case "$candidate" in + openshell) repo="NVIDIA/OpenShell" ;; + nemoclaw) repo="NVIDIA/NemoClaw" ;; + esac + + pattern="${candidate}-${arch}-unknown-linux-musl.tar.gz" + log "Trying CLI download: ${repo} ${CLI_RELEASE_TAG} ${pattern}" + if gh release download "$CLI_RELEASE_TAG" --repo "$repo" --pattern "$pattern" --dir "$tmpdir" >/dev/null 2>&1; then + archive="$tmpdir/$pattern" + tar xzf "$archive" -C "$tmpdir" + sudo install -m 755 "$tmpdir/$candidate" "/usr/local/bin/$candidate" + echo "$candidate" + return 0 + fi + done + + log "Unable to install CLI from GitHub releases." + exit 1 +} + +resolve_cli() { + if [[ -n "$CLI_BIN" ]]; then + require_cmd "$CLI_BIN" + log "Using CLI from CLI_BIN: $CLI_BIN" + return + fi + + if command -v openshell >/dev/null 2>&1; then + CLI_BIN="openshell" + log "Detected installed CLI: $CLI_BIN" + return + fi + + if command -v nemoclaw >/dev/null 2>&1; then + CLI_BIN="nemoclaw" + log "Detected installed CLI: $CLI_BIN" + return + fi + + if [[ "$AUTO_INSTALL_CLI" != "1" ]]; then + log "Neither openshell nor nemoclaw is installed." + exit 1 + fi + + CLI_BIN="$(install_cli_from_release)" +} + +ensure_cli_compat_aliases() { + local cli_path + + cli_path="$(command -v "$CLI_BIN")" + + if [[ "$CLI_BIN" == "openshell" ]] && ! command -v nemoclaw >/dev/null 2>&1; then + sudo ln -sf "$cli_path" /usr/local/bin/nemoclaw + log "Created compatibility alias: nemoclaw -> openshell" + fi + + if [[ "$CLI_BIN" == "nemoclaw" ]] && ! command -v openshell >/dev/null 2>&1; then + sudo ln -sf "$cli_path" /usr/local/bin/openshell + log "Created compatibility alias: openshell -> nemoclaw" + fi +} + +resolve_repo_root() { + if repo_has_welcome_ui "$SCRIPT_REPO_ROOT"; then + REPO_ROOT="$SCRIPT_REPO_ROOT" + elif repo_has_welcome_ui "$PWD"; then + REPO_ROOT="$PWD" + else + clone_repo_if_needed + REPO_ROOT="$CLONE_DIR" + fi + + WELCOME_UI_DIR="$REPO_ROOT/brev/welcome-ui" +} + +ensure_node() { + if command -v node >/dev/null 2>&1 && command -v npm >/dev/null 2>&1; then + log "Node.js already installed: $(node --version)" + log "npm already installed: $(npm --version)" + return + fi + + log "Installing Node.js LTS via nvm..." + require_cmd curl + curl -fsSL https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash + + export NVM_DIR="${NVM_DIR:-$HOME/.nvm}" + # shellcheck disable=SC1090 + . "$NVM_DIR/nvm.sh" + nvm install --lts +} + +set_inference_route() { + log "Configuring inference route..." + + if "$CLI_BIN" inference set --provider nvidia-endpoints --model moonshotai/kimi-k2.5 >/dev/null 2>&1; then + log "Configured inference via '$CLI_BIN inference set'." + return + fi + + if "$CLI_BIN" cluster inference set --provider nvidia-endpoints --model moonshotai/kimi-k2.5 >/dev/null 2>&1; then + log "Configured inference via legacy '$CLI_BIN cluster inference set'." + return + fi + + log "Unable to configure inference route with either current or legacy CLI commands." + exit 1 +} + +run_provider_create_or_replace() { + local name="$1" + shift + + log "Configuring provider: $name" + if "$CLI_BIN" provider create --name "$name" "$@" >/dev/null 2>&1; then + log "Created provider: $name" + return + fi + + log "Provider create failed for $name. Replacing existing provider..." + "$CLI_BIN" provider delete "$name" >/dev/null 2>&1 || true + "$CLI_BIN" provider create --name "$name" "$@" + log "Recreated provider: $name" +} + +start_gateway() { + : > "$GATEWAY_LOG" + log "Resetting gateway state if it already exists..." + log "Gateway log: $GATEWAY_LOG" + + if "$CLI_BIN" gateway destroy >> "$GATEWAY_LOG" 2>&1; then + log "Existing gateway destroyed." + else + log "Gateway destroy returned non-zero. Continuing with fresh start." + fi + + log "Starting gateway..." + if ! "$CLI_BIN" gateway start 2>&1 | tee -a "$GATEWAY_LOG"; then + log "Gateway start failed. Last log lines:" + tail -n 50 "$GATEWAY_LOG" || true + exit 1 + fi + + if ! wait_for_log_pattern "$GATEWAY_LOG" "Gateway .* ready\\|Active gateway set" "$WAIT_TIMEOUT_SECS"; then + log "Gateway did not become ready within ${WAIT_TIMEOUT_SECS}s. Last log lines:" + tail -n 50 "$GATEWAY_LOG" || true + exit 1 + fi + + log "Gateway reported ready." +} + +install_ui_deps() { + require_cmd npm + cd "$WELCOME_UI_DIR" + + log "Installing welcome UI dependencies in $WELCOME_UI_DIR" + if [[ -f package-lock.json ]]; then + npm ci + else + npm install + fi +} + +start_welcome_ui() { + cd "$WELCOME_UI_DIR" + + : > "$WELCOME_UI_LOG" + log "Starting welcome UI in background..." + log "Welcome UI log: $WELCOME_UI_LOG" + + nohup env PORT="$PORT" REPO_ROOT="$REPO_ROOT" CLI_BIN="$CLI_BIN" node server.js >> "$WELCOME_UI_LOG" 2>&1 & + WELCOME_UI_PID=$! + export WELCOME_UI_PID + log "Welcome UI PID: $WELCOME_UI_PID" + + if ! wait_for_tcp_port "$PORT" "$WAIT_TIMEOUT_SECS"; then + log "Welcome UI did not open port $PORT within ${WAIT_TIMEOUT_SECS}s. Last log lines:" + tail -n 100 "$WELCOME_UI_LOG" || true + exit 1 + fi + + log "Welcome UI started at http://localhost:${PORT}" +} + +main() { + require_cmd tar + require_cmd sudo + + step "Resolving repo" + resolve_repo_root + step "Resolving CLI" + resolve_cli + ensure_cli_compat_aliases + step "Ensuring Node.js" + ensure_node + + log "Using repo root: $REPO_ROOT" + if [[ -n "$COMMUNITY_REF" ]]; then + log "Using community ref: $COMMUNITY_REF" + fi + log "Using CLI: $CLI_BIN" + + step "Starting gateway" + start_gateway + + step "Configuring providers" + run_provider_create_or_replace \ + nvidia-inference \ + --type openai \ + --credential OPENAI_API_KEY=unused \ + --config OPENAI_BASE_URL=https://inference-api.nvidia.com/v1 + + run_provider_create_or_replace \ + nvidia-endpoints \ + --type nvidia \ + --credential NVIDIA_API_KEY=unused \ + --config NVIDIA_BASE_URL=https://integrate.api.nvidia.com/v1 + + set_inference_route + + step "Installing welcome UI dependencies" + install_ui_deps + step "Starting welcome UI" + start_welcome_ui + + step "Ready" + log "Gateway log: $GATEWAY_LOG" + log "Welcome UI log: $WELCOME_UI_LOG" + log "Open http://localhost:${PORT}" +} + +main "$@" diff --git a/brev/welcome-ui/app.js b/brev/welcome-ui/app.js index 6573983..cdcc0eb 100644 --- a/brev/welcome-ui/app.js +++ b/brev/welcome-ui/app.js @@ -159,7 +159,7 @@ * 2. API valid + tasks running -> "Provisioning Sandbox…" (disabled, spinner) * 3. API empty + tasks complete -> "Waiting for API key…" (disabled) * 4. API valid + sandbox ready + !key -> "Configuring API key…" (disabled, spinner) - * 5. API valid + sandbox ready + key -> "Open NemoClaw" (enabled) + * 5. API valid + sandbox ready + key -> "Open OpenShell" (enabled) */ function updateButtonState() { const keyValid = isApiKeyValid(); @@ -191,7 +191,7 @@ btnLaunch.classList.add("btn--ready"); btnSpinner.hidden = true; btnSpinner.style.display = "none"; - btnLaunchLabel.textContent = "Open NemoClaw"; + btnLaunchLabel.textContent = "Open OpenShell"; } else if (sandboxReady && keyValid && !keyInjected) { btnLaunch.disabled = true; btnLaunch.classList.remove("btn--ready"); @@ -249,7 +249,7 @@ setLogIcon(logSandboxIcon, "done"); logSandbox.querySelector(".console__text").textContent = - "Secure NemoClaw sandbox created."; + "Secure OpenShell sandbox created."; setLogIcon(logGatewayIcon, "spin"); startPolling(); } catch { @@ -314,7 +314,7 @@ setLogIcon(logSandboxIcon, null); setLogIcon(logGatewayIcon, null); logSandbox.querySelector(".console__text").textContent = - "Initializing secure NemoClaw sandbox..."; + "Initializing secure OpenShell sandbox..."; logGateway.querySelector(".console__text").textContent = "Launching OpenClaw agent gateway..."; logReady.hidden = true; @@ -346,7 +346,7 @@ setLogIcon(logSandboxIcon, "done"); logSandbox.querySelector(".console__text").textContent = - "Secure NemoClaw sandbox created."; + "Secure OpenShell sandbox created."; setLogIcon(logGatewayIcon, "done"); logGateway.querySelector(".console__text").textContent = "OpenClaw agent gateway online."; @@ -361,7 +361,7 @@ setLogIcon(logSandboxIcon, "done"); logSandbox.querySelector(".console__text").textContent = - "Secure NemoClaw sandbox created."; + "Secure OpenShell sandbox created."; setLogIcon(logGatewayIcon, "spin"); updateButtonState(); @@ -379,11 +379,11 @@ try { const res = await fetch("/api/connection-details"); const data = await res.json(); - const cmd = `nemoclaw cluster connect ${data.hostname}`; + const cmd = data.instructions?.connect || `openshell gateway add ${data.gatewayUrl}`; connectCmd.textContent = cmd; copyConnect.dataset.copy = cmd; } catch { - connectCmd.textContent = "nemoclaw cluster connect "; + connectCmd.textContent = "openshell gateway add "; } } diff --git a/brev/welcome-ui/other-agents.yaml b/brev/welcome-ui/other-agents.yaml index f00758b..621a36d 100644 --- a/brev/welcome-ui/other-agents.yaml +++ b/brev/welcome-ui/other-agents.yaml @@ -21,38 +21,38 @@ title: Bring Your Own Agent intro: >- Connect from your laptop, create a sandbox, and run any agent inside it. - The NemoClaw TUI on your machine surfaces policy recommendations from the agent. + The OpenShell TUI on your machine surfaces policy recommendations from the agent. You approve or deny — the sandbox boundary is never violated. steps: - - title: Install NemoClaw CLI + - title: Install OpenShell CLI commands: - - "curl -fsSL https://github.com/NVIDIA/NemoClaw/releases/download/devel/install.sh | sh" + - "curl -fsSL https://github.com/NVIDIA/OpenShell/releases/download/devel/install.sh | sh" copyable: true - title: Add the gateway block_id: connect-cmd-block commands: - - cmd: "nemoclaw gateway add " + - cmd: "openshell gateway add " id: connect-cmd copy_button_id: copy-connect copyable: true description: >- This will initiate a JWT auth flow in your browser. - Once authorized, you can run any NemoClaw command against this deployment. + Once authorized, you can run any OpenShell command against this deployment. - title: Create a sandbox and run your agent commands: - comment: Claude Code - cmd: "nemoclaw sandbox create -- claude" + cmd: "openshell sandbox create -- claude" - comment: OpenCode - cmd: "nemoclaw sandbox create -- opencode" + cmd: "openshell sandbox create -- opencode" - comment: Codex - cmd: "nemoclaw sandbox create -- codex" + cmd: "openshell sandbox create -- codex" - title: Manage policies with the TUI commands: - - nemoclaw term + - openshell term copyable: true description: >- When your agent hits a policy denial, it reads the policy, diagnoses the block, diff --git a/brev/welcome-ui/server.js b/brev/welcome-ui/server.js index 713cfae..befa62e 100644 --- a/brev/welcome-ui/server.js +++ b/brev/welcome-ui/server.js @@ -31,8 +31,10 @@ try { const PORT = parseInt(process.env.PORT || "8081", 10); const ROOT = __dirname; const REPO_ROOT = process.env.REPO_ROOT || path.join(ROOT, "..", ".."); +const CLI_BIN = process.env.CLI_BIN || "openshell"; const SANDBOX_DIR = path.join(REPO_ROOT, "sandboxes", "nemoclaw"); -const NEMOCLAW_IMAGE = "ghcr.io/nvidia/openshell-community/sandboxes/nemoclaw:local"; +const SANDBOX_NAME = process.env.SANDBOX_NAME || "nemoclaw"; +const SANDBOX_START_CMD = process.env.SANDBOX_START_CMD || "nemoclaw-start"; const POLICY_FILE = path.join(SANDBOX_DIR, "policy.yaml"); const LOG_FILE = "/tmp/nemoclaw-sandbox-create.log"; @@ -129,6 +131,22 @@ function execCmd(args, timeoutMs = 30000) { }); } +function cliArgs(...args) { + return [CLI_BIN, ...args]; +} + +async function execFirstSuccess(commands, timeoutMs = 30000) { + let lastResult = null; + for (const args of commands) { + const result = await execCmd(args, timeoutMs); + if (result.code === 0) { + return { ...result, args }; + } + lastResult = { ...result, args }; + } + return lastResult || { code: 1, stdout: "", stderr: "no command executed", args: [] }; +} + function portOpen(host, port, timeoutMs = 1000) { return new Promise((resolve) => { const sock = new net.Socket(); @@ -518,7 +536,7 @@ async function generateGatewayPolicy() { } } -async function syncPolicyToGateway(yamlText, sandboxName = "nemoclaw") { +async function syncPolicyToGateway(yamlText, sandboxName = SANDBOX_NAME) { log("policy-sync", `step 2/4: stripping inference+process fields (${yamlText.length} bytes in)`); const stripped = stripPolicyFields(yamlText, ["process"]); log("policy-sync", ` stripped to ${stripped.length} bytes`); @@ -529,7 +547,7 @@ async function syncPolicyToGateway(yamlText, sandboxName = "nemoclaw") { ); try { fs.writeFileSync(tmpPath, stripped); - const args = ["nemoclaw", "policy", "set", sandboxName, "--policy", tmpPath]; + const args = cliArgs("policy", "set", sandboxName, "--policy", tmpPath); log("policy-sync", `step 3/4: running ${args.join(" ")}`); const t0 = Date.now(); @@ -565,7 +583,7 @@ async function syncPolicyToGateway(yamlText, sandboxName = "nemoclaw") { async function cleanupExistingSandbox() { try { - await execCmd(["nemoclaw", "sandbox", "delete", "nemoclaw"], 30000); + await execCmd(cliArgs("sandbox", "delete", SANDBOX_NAME), 30000); } catch { // ignore } @@ -584,10 +602,9 @@ function runSandboxCreate() { const policyPath = await generateGatewayPolicy(); const cmd = [ - "nemoclaw", "sandbox", "create", - "--name", "nemoclaw", - "--from", "nemoclaw", - // "--from", NEMOCLAW_IMAGE, + CLI_BIN, "sandbox", "create", + "--name", SANDBOX_NAME, + "--from", SANDBOX_DIR, "--forward", "18789", ]; if (policyPath) cmd.push("--policy", policyPath); @@ -595,7 +612,7 @@ function runSandboxCreate() { "--", "env", `CHAT_UI_URL=${chatUiUrl}`, - "nemoclaw-start" + SANDBOX_START_CMD ); const cmdDisplay = cmd.slice(0, 8).join(" ") + " -- ..."; @@ -711,12 +728,11 @@ function runInjectKey(key, keyHash) { log("inject-key", `step 1/3: received key (hash=${keyHash.slice(0, 12)}…)`); const args = [ - "nemoclaw", "provider", "update", "nvidia-inference", - "--type", "openai", + ...cliArgs("provider", "update", "nvidia-inference"), "--credential", `OPENAI_API_KEY=${key}`, "--config", "OPENAI_BASE_URL=https://inference-api.nvidia.com/v1", ]; - log("inject-key", "step 2/3: running nemoclaw provider update nvidia-inference …"); + log("inject-key", `step 2/3: running ${CLI_BIN} provider update nvidia-inference …`); const t0 = Date.now(); execCmd(args, 120000) @@ -782,7 +798,7 @@ async function handleProvidersList(req, res) { let names; try { const result = await execCmd( - ["nemoclaw", "provider", "list", "--names"], + cliArgs("provider", "list", "--names"), 30000 ); if (result.code !== 0) { @@ -801,7 +817,7 @@ async function handleProvidersList(req, res) { for (const name of names) { try { const detail = await execCmd( - ["nemoclaw", "provider", "get", name], + cliArgs("provider", "get", name), 30000 ); if (detail.code === 0) { @@ -837,7 +853,7 @@ async function handleProviderCreate(req, res) { }); } - const cmd = ["nemoclaw", "provider", "create", "--name", name, "--type", ptype]; + const cmd = [...cliArgs("provider", "create"), "--name", name, "--type", ptype]; const creds = data.credentials || {}; const configs = data.config || {}; if (Object.keys(creds).length === 0) { @@ -873,14 +889,7 @@ async function handleProviderUpdate(req, res, name) { } const ptype = (data.type || "").trim(); - if (!ptype) { - return jsonResponse(res, 400, { - ok: false, - error: "type is required", - }); - } - - const cmd = ["nemoclaw", "provider", "update", name, "--type", ptype]; + const cmd = [...cliArgs("provider", "update"), name]; for (const [k, v] of Object.entries(data.credentials || {})) { cmd.push("--credential", `${k}=${v}`); } @@ -891,10 +900,29 @@ async function handleProviderUpdate(req, res, name) { try { const result = await execCmd(cmd, 30000); - if (result.code !== 0) { + if (result.code === 0) { + if (Object.keys(configs).length > 0) cacheProviderConfig(name, configs); + return jsonResponse(res, 200, { ok: true }); + } + + if (!ptype) { const err = (result.stderr || result.stdout || "update failed").trim(); return jsonResponse(res, 400, { ok: false, error: err }); } + + await execCmd(cliArgs("provider", "delete", name), 30000); + const createCmd = [...cliArgs("provider", "create"), "--name", name, "--type", ptype]; + for (const [k, v] of Object.entries(data.credentials || {})) { + createCmd.push("--credential", `${k}=${v}`); + } + for (const [k, v] of Object.entries(configs)) { + createCmd.push("--config", `${k}=${v}`); + } + const recreated = await execCmd(createCmd, 30000); + if (recreated.code !== 0) { + const err = (recreated.stderr || recreated.stdout || "update failed").trim(); + return jsonResponse(res, 400, { ok: false, error: err }); + } if (Object.keys(configs).length > 0) cacheProviderConfig(name, configs); return jsonResponse(res, 200, { ok: true }); } catch (e) { @@ -904,10 +932,7 @@ async function handleProviderUpdate(req, res, name) { async function handleProviderDelete(req, res, name) { try { - const result = await execCmd( - ["nemoclaw", "provider", "delete", name], - 30000 - ); + const result = await execCmd(cliArgs("provider", "delete", name), 30000); if (result.code !== 0) { const err = (result.stderr || result.stdout || "delete failed").trim(); return jsonResponse(res, 400, { ok: false, error: err }); @@ -948,8 +973,11 @@ function parseClusterInference(stdout) { async function handleClusterInferenceGet(req, res) { try { - const result = await execCmd( - ["nemoclaw", "cluster", "inference", "get"], + const result = await execFirstSuccess( + [ + cliArgs("inference", "get"), + cliArgs("cluster", "inference", "get"), + ], 30000 ); if (result.code !== 0) { @@ -1003,11 +1031,10 @@ async function handleClusterInferenceSet(req, res) { }); } try { - const result = await execCmd( + const result = await execFirstSuccess( [ - "nemoclaw", "cluster", "inference", "set", - "--provider", providerName, - "--model", modelId, + cliArgs("inference", "set", "--provider", providerName, "--model", modelId), + cliArgs("cluster", "inference", "set", "--provider", providerName, "--model", modelId), ], 30000 ); @@ -1239,10 +1266,10 @@ async function handleConnectionDetails(req, res) { gatewayPort: 8080, instructions: { install: - "curl -fsSL https://github.com/NVIDIA/NemoClaw/releases/download/devel/install.sh | sh", - connect: `nemoclaw gateway add ${gatewayUrl}`, - createSandbox: "nemoclaw sandbox create -- claude", - tui: "nemoclaw term", + "curl -fsSL https://github.com/NVIDIA/OpenShell/releases/download/devel/install.sh | sh", + connect: `openshell gateway add ${gatewayUrl}`, + createSandbox: "openshell sandbox create -- claude", + tui: "openshell term", }, }); } @@ -1522,7 +1549,7 @@ function _setMocksForTesting(mocks) { if (require.main === module) { bootstrapConfigCache(); server.listen(PORT, "", () => { - console.log(`NemoClaw Welcome UI → http://localhost:${PORT}`); + console.log(`OpenShell Welcome UI -> http://localhost:${PORT}`); }); } From 7f735c0a0e1a993a48c25044fdb4c29d1ab77586 Mon Sep 17 00:00:00 2001 From: JR Morgan Date: Wed, 11 Mar 2026 16:40:54 -0700 Subject: [PATCH 02/14] Remove BASH_SOURCE dependency --- brev/launch.sh | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/brev/launch.sh b/brev/launch.sh index f57de3b..435b18d 100755 --- a/brev/launch.sh +++ b/brev/launch.sh @@ -2,7 +2,12 @@ set -euo pipefail -SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +SOURCE_PATH="${BASH_SOURCE[0]-}" +if [[ -z "$SOURCE_PATH" || "$SOURCE_PATH" == "bash" || "$SOURCE_PATH" == "-bash" ]]; then + SCRIPT_DIR="$PWD" +else + SCRIPT_DIR="$(cd "$(dirname "$SOURCE_PATH")" && pwd)" +fi SCRIPT_REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)" REPO_ROOT="" WELCOME_UI_DIR="" @@ -18,8 +23,13 @@ CLONE_ROOT="${CLONE_ROOT:-/home/ubuntu}" CLONE_DIR="${CLONE_DIR:-$CLONE_ROOT/OpenShell-Community}" GATEWAY_LOG="${GATEWAY_LOG:-/tmp/openshell-gateway.log}" WELCOME_UI_LOG="${WELCOME_UI_LOG:-/tmp/welcome-ui.log}" +LAUNCH_LOG="${LAUNCH_LOG:-/tmp/openshell-launch.log}" WAIT_TIMEOUT_SECS="${WAIT_TIMEOUT_SECS:-30}" +mkdir -p "$(dirname "$LAUNCH_LOG")" +touch "$LAUNCH_LOG" +exec > >(tee -a "$LAUNCH_LOG") 2>&1 + log() { printf '[launch.sh] %s\n' "$*" } From 8b419013ef9d4dfcb38f2a22dfd45662e98a971b Mon Sep 17 00:00:00 2001 From: JR Morgan Date: Wed, 11 Mar 2026 16:48:14 -0700 Subject: [PATCH 03/14] Invalid key handlin --- brev/welcome-ui/app.js | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/brev/welcome-ui/app.js b/brev/welcome-ui/app.js index cdcc0eb..0fcd43f 100644 --- a/brev/welcome-ui/app.js +++ b/brev/welcome-ui/app.js @@ -120,6 +120,8 @@ let injectInFlight = false; let injectTimer = null; let lastSubmittedKey = ""; + let keyInjectError = ""; + let installFailed = false; function stopPolling() { if (pollTimer) { @@ -132,6 +134,7 @@ if (key === lastSubmittedKey) return; lastSubmittedKey = key; keyInjected = false; + keyInjectError = ""; injectInFlight = true; updateButtonState(); try { @@ -169,6 +172,9 @@ if (keyRaw.length === 0) { keyHint.textContent = ""; keyHint.className = "form-field__hint"; + } else if (keyInjectError) { + keyHint.textContent = keyInjectError; + keyHint.className = "form-field__hint form-field__hint--warn"; } else if (keyValid) { keyHint.textContent = "Valid key format"; keyHint.className = "form-field__hint form-field__hint--ok"; @@ -192,12 +198,18 @@ btnSpinner.hidden = true; btnSpinner.style.display = "none"; btnLaunchLabel.textContent = "Open OpenShell"; - } else if (sandboxReady && keyValid && !keyInjected) { + } else if (sandboxReady && keyValid && !keyInjected && (injectInFlight || !keyInjectError)) { btnLaunch.disabled = true; btnLaunch.classList.remove("btn--ready"); btnSpinner.hidden = false; btnSpinner.style.display = ""; btnLaunchLabel.textContent = "Configuring API key\u2026"; + } else if (sandboxReady && keyValid && !keyInjected) { + btnLaunch.disabled = true; + btnLaunch.classList.remove("btn--ready"); + btnSpinner.hidden = true; + btnSpinner.style.display = "none"; + btnLaunchLabel.textContent = "Update API key to retry"; } else if (!sandboxReady && keyValid) { btnLaunch.disabled = true; btnLaunch.classList.remove("btn--ready"); @@ -268,6 +280,12 @@ if (!injectInFlight) { keyInjected = !!data.key_injected; } + keyInjectError = data.key_inject_error || ""; + if (keyInjectError) { + injectInFlight = false; + keyInjected = false; + lastSubmittedKey = ""; + } if (data.status === "running") { sandboxReady = true; @@ -284,6 +302,7 @@ } else if (data.status === "error") { stopPolling(); installTriggered = false; + installFailed = true; showError(data.error || "Sandbox creation failed"); } else { updateButtonState(); @@ -308,6 +327,8 @@ sandboxUrl = null; installTriggered = false; keyInjected = false; + keyInjectError = ""; + installFailed = false; lastSubmittedKey = ""; stopPolling(); @@ -391,8 +412,13 @@ cardOpenclaw.addEventListener("click", () => { showOverlay(overlayInstall); - showMainView(); - if (!installTriggered) { + if (installFailed) { + stepError.hidden = false; + installMain.hidden = true; + } else { + showMainView(); + } + if (!installTriggered && !installFailed) { triggerInstall(); } apiKeyInput.focus(); From 7f783451d5f2eb4df847b0d4f4c5c3493b723e96 Mon Sep 17 00:00:00 2001 From: JR Morgan Date: Wed, 11 Mar 2026 16:58:29 -0700 Subject: [PATCH 04/14] Wait for valid key before triggering --- brev/welcome-ui/app.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/brev/welcome-ui/app.js b/brev/welcome-ui/app.js index 0fcd43f..df21a32 100644 --- a/brev/welcome-ui/app.js +++ b/brev/welcome-ui/app.js @@ -152,6 +152,9 @@ updateButtonState(); const key = apiKeyInput.value.trim(); if (!isApiKeyValid()) return; + if (!sandboxReady && !installTriggered && !installFailed) { + triggerInstall(); + } if (injectTimer) clearTimeout(injectTimer); injectTimer = setTimeout(() => submitKeyForInjection(key), 300); } @@ -418,9 +421,6 @@ } else { showMainView(); } - if (!installTriggered && !installFailed) { - triggerInstall(); - } apiKeyInput.focus(); updateButtonState(); }); From 7625def039eb10a694f3480a79861f0d6454d985 Mon Sep 17 00:00:00 2001 From: JR Morgan Date: Wed, 11 Mar 2026 17:03:29 -0700 Subject: [PATCH 05/14] Address silent fail on launch.sh --- brev/launch.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/brev/launch.sh b/brev/launch.sh index 435b18d..04dfb25 100755 --- a/brev/launch.sh +++ b/brev/launch.sh @@ -221,7 +221,8 @@ install_cli_from_release() { archive="$tmpdir/$pattern" tar xzf "$archive" -C "$tmpdir" sudo install -m 755 "$tmpdir/$candidate" "/usr/local/bin/$candidate" - echo "$candidate" + CLI_BIN="$candidate" + log "Installed CLI from release: $CLI_BIN" return 0 fi done @@ -231,6 +232,8 @@ install_cli_from_release() { } resolve_cli() { + log "Checking for installed CLI binaries..." + if [[ -n "$CLI_BIN" ]]; then require_cmd "$CLI_BIN" log "Using CLI from CLI_BIN: $CLI_BIN" @@ -254,7 +257,7 @@ resolve_cli() { exit 1 fi - CLI_BIN="$(install_cli_from_release)" + install_cli_from_release } ensure_cli_compat_aliases() { From 9e8af2e557f1bf3040197cb2137f097a8941adff Mon Sep 17 00:00:00 2001 From: JR Morgan Date: Wed, 11 Mar 2026 17:04:18 -0700 Subject: [PATCH 06/14] Add retry count and delay --- brev/launch.sh | 41 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 38 insertions(+), 3 deletions(-) diff --git a/brev/launch.sh b/brev/launch.sh index 04dfb25..f3437b9 100755 --- a/brev/launch.sh +++ b/brev/launch.sh @@ -25,6 +25,8 @@ GATEWAY_LOG="${GATEWAY_LOG:-/tmp/openshell-gateway.log}" WELCOME_UI_LOG="${WELCOME_UI_LOG:-/tmp/welcome-ui.log}" LAUNCH_LOG="${LAUNCH_LOG:-/tmp/openshell-launch.log}" WAIT_TIMEOUT_SECS="${WAIT_TIMEOUT_SECS:-30}" +CLI_RETRY_COUNT="${CLI_RETRY_COUNT:-5}" +CLI_RETRY_DELAY_SECS="${CLI_RETRY_DELAY_SECS:-3}" mkdir -p "$(dirname "$LAUNCH_LOG")" touch "$LAUNCH_LOG" @@ -88,6 +90,26 @@ wait_for_log_pattern() { done } +retry_cli() { + local attempt=1 + local max_attempts="${CLI_RETRY_COUNT}" + local delay_secs="${CLI_RETRY_DELAY_SECS}" + + while true; do + if "$@"; then + return 0 + fi + + if (( attempt >= max_attempts )); then + return 1 + fi + + log "Command failed, retrying (${attempt}/${max_attempts}): $*" + sleep "$delay_secs" + attempt=$((attempt + 1)) + done +} + detect_arch() { case "$(uname -m)" in x86_64|amd64) echo "x86_64" ;; @@ -328,17 +350,29 @@ run_provider_create_or_replace() { shift log "Configuring provider: $name" - if "$CLI_BIN" provider create --name "$name" "$@" >/dev/null 2>&1; then + if retry_cli "$CLI_BIN" provider create --name "$name" "$@" >/dev/null 2>&1; then log "Created provider: $name" return fi log "Provider create failed for $name. Replacing existing provider..." - "$CLI_BIN" provider delete "$name" >/dev/null 2>&1 || true - "$CLI_BIN" provider create --name "$name" "$@" + retry_cli "$CLI_BIN" provider delete "$name" >/dev/null 2>&1 || true + retry_cli "$CLI_BIN" provider create --name "$name" "$@" log "Recreated provider: $name" } +wait_for_gateway_cli() { + log "Waiting for gateway CLI operations to stabilize..." + if retry_cli "$CLI_BIN" provider list --names >/dev/null 2>&1; then + log "Gateway CLI is responsive." + return + fi + + log "Gateway CLI did not stabilize. Last gateway log lines:" + tail -n 50 "$GATEWAY_LOG" || true + exit 1 +} + start_gateway() { : > "$GATEWAY_LOG" log "Resetting gateway state if it already exists..." @@ -364,6 +398,7 @@ start_gateway() { fi log "Gateway reported ready." + wait_for_gateway_cli } install_ui_deps() { From 6cbe026719197ca78e9920f46118d40cecff798c Mon Sep 17 00:00:00 2001 From: JR Morgan Date: Wed, 11 Mar 2026 17:22:00 -0700 Subject: [PATCH 07/14] Add favicon, handle ghcr.io login if params present, fix logo --- brev/launch.sh | 50 ++++++++++++++++++++++++++++++++++++ brev/welcome-ui/favicon.ico | Bin 0 -> 25214 bytes brev/welcome-ui/index.html | 24 +++++++++-------- brev/welcome-ui/styles.css | 9 ++++--- 4 files changed, 69 insertions(+), 14 deletions(-) create mode 100644 brev/welcome-ui/favicon.ico diff --git a/brev/launch.sh b/brev/launch.sh index f3437b9..78243e8 100755 --- a/brev/launch.sh +++ b/brev/launch.sh @@ -27,6 +27,8 @@ LAUNCH_LOG="${LAUNCH_LOG:-/tmp/openshell-launch.log}" WAIT_TIMEOUT_SECS="${WAIT_TIMEOUT_SECS:-30}" CLI_RETRY_COUNT="${CLI_RETRY_COUNT:-5}" CLI_RETRY_DELAY_SECS="${CLI_RETRY_DELAY_SECS:-3}" +GHCR_LOGIN="${GHCR_LOGIN:-auto}" +GHCR_USER="${GHCR_USER:-}" mkdir -p "$(dirname "$LAUNCH_LOG")" touch "$LAUNCH_LOG" @@ -155,6 +157,52 @@ gh_auth_if_needed() { fi } +resolve_ghcr_user() { + if [[ -n "$GHCR_USER" ]]; then + return 0 + fi + + if command -v gh >/dev/null 2>&1 && gh auth status >/dev/null 2>&1; then + GHCR_USER="$(gh api user -q .login 2>/dev/null || true)" + fi + + if [[ -z "$GHCR_USER" ]]; then + GHCR_USER="${GITHUB_USER:-${USER:-}}" + fi + + [[ -n "$GHCR_USER" ]] +} + +docker_login_ghcr_if_needed() { + if [[ "$GHCR_LOGIN" == "0" || "$GHCR_LOGIN" == "false" || "$GHCR_LOGIN" == "no" ]]; then + log "Skipping GHCR login by configuration." + return + fi + + if [[ -z "$GITHUB_TOKEN" ]]; then + log "No GitHub token available; skipping GHCR login." + return + fi + + if ! command -v docker >/dev/null 2>&1; then + log "Docker not available; skipping GHCR login." + return + fi + + if ! resolve_ghcr_user; then + log "Could not determine GHCR username; skipping GHCR login." + return + fi + + log "Logging into ghcr.io as $GHCR_USER ..." + if printf '%s\n' "$GITHUB_TOKEN" | docker login ghcr.io -u "$GHCR_USER" --password-stdin >/dev/null 2>&1; then + log "GHCR login succeeded." + return + fi + + log "GHCR login failed. Continuing, but private image pulls may fail." +} + checkout_repo_ref() { if [[ -z "$COMMUNITY_REF" ]]; then return @@ -443,6 +491,8 @@ main() { step "Resolving CLI" resolve_cli ensure_cli_compat_aliases + step "Authenticating registries" + docker_login_ghcr_if_needed step "Ensuring Node.js" ensure_node diff --git a/brev/welcome-ui/favicon.ico b/brev/welcome-ui/favicon.ico new file mode 100644 index 0000000000000000000000000000000000000000..9e35bef5b8258264d8e67b0ff69b4b29feecdcba GIT binary patch literal 25214 zcmeHP33wdEm42<3J!8qAWg;Ik2zzW{8y^sDCd6Wf1u; z0@U^Z;?F>HEIG|k>E9ntTB4=lk7&XSTol=Qd69;=$A_?_bga#>#7Ip?sp(k-Q%qq^TNG_#7HJDlIXPlYRw2K&lrQ{co zsS@liPjYT4{c0E#A9j-zPolG#j6Y9M1G^cD$K!FB(EhLiwi`%Dy9mrigJDbkhj|LGzYjA$0CfnE>n zM2ic)TDw8*1hQOWB+Io(5}oK?G{YrDtzS7wulK-cBm>or(GD#1Sok`j6bq2pjn!Pa z)9VE5wY^TL&%@dj?}EN`CnTZ?X~!~(OCHVT&ZX7d53n33APSRRPz|{>RxB(G@WhpL z2Rotmq2;iX>EZ&L&BDIOIZ3VyX{>y4`it(aMUg9#zYhuG(UFX2s9&Y(4lF^~j<{8* zbWVFq%kuX1UG0AP<0Ja|F7b)k-%qS@?Jbc$yRYW}`<+*7y5F$d-g_|i`WsI)H+Emv zQ*YP5G0v_(=?eSGY4!FSuQb{3^z_=Bapm=|@!L~JFR+!wc|IP90cM`N$d^toW6z1L z2|khC(Rt3eV}voT%Q4a|f-^QUMfRF5a?Ob%Z-c+Z(lX&T zj1!GD13cfVg!678p$#fjvT`XA&yh;+T#4MhOvc=Oo{a5kk(v$XOU*AYkX<$azr0W; z0F&-q8O;uII+De){P=7-$j z4XUdOR^~=@R|@h_K33IEGW{J#H-Z+klvl1CVspXO@;WmIY`=kW zMSZ}ZdbF*9;B07^#|H36_pnk|;8dfPYk%mVQam3+O#iA(1W{HKq*xw~8&42}idr^N z32ZGMx*GKOV$xP9SI~FA6RN)xbvx5p?GJe|u*}q;@AD_pV>M#1K3HCjRm6;=4u|$7 z7Q}`*qZB&FVnXjuV;rxsDn~UmR1_bI=)}rM4X1>k>L|Q*dGv#G$4E~oc14v!{ur_O z$jpz`hMWjx3&A$hpk{uSP#^AZp@o{CzURaEui9*{{G3?Bj0O##nBojvedV;1ML^$X z@;-}cB-F){F~oD8@^h;p<68XO%D+#o3{4^~FlLeAJ?h=xmC?LM?ZQ3kh87uT?ooMv zdQYpmKb>;#N|~C!NM>woli9dG-Lrd@% ztx>aP)4)7PC^nX7m6>2+^=^O)>K})yiI#;I=ul{@dL_kMB;9}Ln5mBV{vmP{jYlbo z`ueGsg%|A5tdo*eWmS(}%(E(_<|ykkAn+nok2Wgy^j~FssM={WJe`$H|0nMq{BufS+!0phO&RBuQK55670xK*@f>~f zy(^>+n3lg-Vt9VO$9;Hy?w?KO-+!4T9==xge`GbDm+N!LS8xtF9OsZ@@r?Y$XK#~J zpAXI)XXDJ_;F);K%ekF)Ov{d!Bk*a80M@4wcBj%T=&JpA_2fwHE-2SxOPjI_cdhzL zEHEfmO&PzN)RKd8r66NfjX~{1)K}HYXuct>tCl*o@l@4I9iFR<;pVD0n(?UL6%A=q z*~7;q|EZQ=t}@BgZ!-pd5j61j-Tks3MR{t(08q>c1mS z|EOG7dUC1X;Cnm$1>{m&MwH+7cK4M1_al%?Rbbw{1ia~^7j!eQWmI zw;Mp80^UPDRy3ZuR5kc}0EeRP9MD^U7m@!9sGeJ;=1M6Z=jCAj_WSQSGoj}?*#9Fi zP-n6KMV$#1a;aU>_9)={(Df?l<|18#{nXdgVE(rIpG(!i*5$yTfbg8)e7O}k1IPl8 z01p8hfSZ99;1FO!s0Tqdm#ReFKENda=ii4wSpQJ@ZS&uAnxOMV6{8^LPojJ@`2GV( zxHRFWrNFFqcb>M*Tw2TS5N>3>@Eq>)G)B=TgT)&->76+Wr~&6nMBV z3MJ2}1>Xbz4&bLi9_8PH4xHzVC)e3!0H14?PM$Lj^{XJ;3p%p-lS?f|`@aEZ4BtZD z|I#na=2A9rEI?n`uUL^Yxzs4|<^kseuL4Gop}zs|c%X3OSJa+`Txtq%9q?Dcv@>+; z@%Nl>qTkwgJ&wOanXmhGV%~EeRXTNiIByq%_ch=+;2@Ow09q%`bIYNG?mZ=|=MCpiIPM3dPLHdue;8%@%lV@9>ps7a@_Ha% z@X2$kAa@~n1LybK;2#bCP-788{r>=_--G>U%(zAyKeT_rIYVE|ycX#v$MJ`tcpQMV z_3M{oe=X#K`OZFh&a>c~>xw>c9la9Nd<{x>o7bA>dKDu2g|F2g%S+B7HRDTyJ zm--CyzYf)RBF}diI??~2ooOGYPov)d;tZPTHTkv@ZD?}>U;*6w9tXmDOupEE&q+Y; zujs3p1DyZiIsZLXM_r!t2cY;HE~Voi9&hU98nCbFGV;7G+5o-o2XkW+c#MzU+XBA! zP5Th|?>QBazYp@kczVvwAv+DI56{_Ug*uZN?Egz>vm3yDEzp}wu}?uCIOjd*oPw{# zvf*|E^MU`l)WOOI+iLLawYPB%`Ab9foX`3zQw0HJisui)LlGyXq`e6S`_&U3yF-cWPC^!(S?`VzF&X9YdRoC7Br^NQwD{|H`qJ)q1c zzyo+rEB1$tv~I3{VcpN8yxRcXUj*-6z|7&{Xb^v+D3?ki2Co37pMOLCV(1Lw$u*N_ zH+{Xc-pIy`ngaEl&!YYgwEr+9_W<(6YnSI72AS}lXmpyf8hZW|3?jp`nCD~w-G5E* zL3xj`7|L9qr-7aTaNqe?&_%#8fQvHy)cwG5u?~(h1&-(;@JrwKu`2070$)(1?KI3@{zW^8B5deBN#3@66;^xOHs5BJGYPwIl9mO;_43%XZs} zJgI1E<)SUu7~VeLFL@51;dKIU0;d#w_8fi}VJ`3ufbTo*1O5z{=S{=Wt=spU2=tr_ z@SP0xu)lW$mjZmw-U=)R_65d-e4@W!1=a%p4GiT&Y5RO{$@ieT?K_~$0RC?i#=q3~ z^O@RBK=A%V%Z>%_c!0V}jn!cL`W-CeOuwH2^z&8EnS=c0!0Es=U^Z|ha08&9@#^Pa zIh5xrU(JVpm-A)t9|ywmD7LTl{??ay8kEm`ZGdCTXSRICcr|bZz%e)s7zNY-D*(P* zrT#wPd?0wft>Zym4q)EL1@`rLKY}{8XFMAKzJpo=kjGfe0tUwaMeq($UDfpuqD*;$ z&!>ZD;-0e$%8a3Tz8<#U3chK#*w=RwcpSI40R4Zh2HR&FzT3D6;4{?Gz-qvZcMtOW z0H*=eV{DLW`<@d+p0OqGIe>Z?Q#1FMn4ttO-2Y#od>g=aw8uKej93on=b_p^<4-C3 z*F)Cu|Hbe75}(Jug=1*!bIwf%Xe$jETWuj+#M_dsgwa~)d;&{y{3Y~KftR|v z{lJd{pu+=rt#VJf7ijmvHLn%;GN8ZL;5oY^&v^U=C}pb@Z|n90KW0H6uccoBZv&^Q zDt(>LK>0X;v8IouYz)O4-oEjJRL?2)k?R823y#rH`iHCAKKt4SUVp>s-PZb%*gqTg zfAtaJgm8Gv`EmsQKSn@5Zy4~|BUZnUEn~&%lV+vw)_XeH^*!F&474QXs z_aCpQJRSC&gMklKdwsw5KFU*pXMt}4hXeGH=QP^i6QEtjgl96npVPiRS5W^n;E%u| z0Ne9BB~gHT<9`CY&$t$#UJbUtE5-h90;r#RH|1CR`IA6H#Gg8t)+`_wy n^V+bu?X(4^$<9j6|6A=t2Z%i20_LZ4nPqZ;9)L2Y4e9>^moyUg literal 0 HcmV?d00001 diff --git a/brev/welcome-ui/index.html b/brev/welcome-ui/index.html index 8a263a2..aed074e 100644 --- a/brev/welcome-ui/index.html +++ b/brev/welcome-ui/index.html @@ -3,7 +3,8 @@ - NemoClaw — Agent Sandbox + OpenShell — Agent Sandbox + @@ -14,12 +15,13 @@
- - NemoClaw + OpenShell Sandbox
@@ -31,10 +33,10 @@

- Run Any AI Agent in
the NemoClaw Sandbox + Run Any AI Agent in
the OpenShell Sandbox

- NemoClaw lets any AI agent run in a secure sandbox with policy guardrails + OpenShell lets any AI agent run in a secure sandbox with policy guardrails the agent itself helps manage. One launchable, two paths.

@@ -47,7 +49,7 @@

Install OpenClaw

-

Experience it first, learn later. One-click install of the OpenClaw coding agent with NemoClaw safety policies, sandboxing, and model routing. Everything in one browser tab.

+

Experience it first, learn later. One-click install of the OpenClaw coding agent with OpenShell safety policies, sandboxing, and model routing. Everything in one browser tab.

Get started @@ -62,7 +64,7 @@

Install OpenClaw

Other Agents

-

Bring your own agent. Run Claude Code, OpenCode, DeepAgents, or your own framework. Manage policies via the NemoClaw CLI and TUI from your laptop.

+

Bring your own agent. Run Claude Code, OpenCode, DeepAgents, or your own framework. Manage policies via the OpenShell CLI and TUI from your laptop.

View instructions @@ -121,7 +123,7 @@

Install OpenClaw

- Initializing secure NemoClaw sandbox... + Initializing secure OpenShell sandbox...
@@ -162,7 +164,7 @@

Something went wrong

- NemoClaw Sandbox · NVIDIA + OpenShell Sandbox · NVIDIA
diff --git a/brev/welcome-ui/styles.css b/brev/welcome-ui/styles.css index 342ce4b..201411c 100644 --- a/brev/welcome-ui/styles.css +++ b/brev/welcome-ui/styles.css @@ -1,5 +1,5 @@ /* ============================================ - NemoClaw Welcome UI — NVIDIA build.nvidia.com style + OpenShell Welcome UI — NVIDIA build.nvidia.com style Primary green: #76B900 ============================================ */ @@ -81,8 +81,11 @@ body { } .topbar__logo { - height: 26px; - width: auto; + height: 28px; + width: 28px; + flex-shrink: 0; + display: block; + filter: drop-shadow(0 0 12px rgba(118, 185, 0, 0.18)); } .topbar__divider { From 8e1315a3cf20a1bfb02739d710270e47737f8062 Mon Sep 17 00:00:00 2001 From: JR Morgan Date: Wed, 11 Mar 2026 17:23:51 -0700 Subject: [PATCH 08/14] Address broken return --- brev/launch.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/brev/launch.sh b/brev/launch.sh index 78243e8..8ff6ac8 100755 --- a/brev/launch.sh +++ b/brev/launch.sh @@ -277,7 +277,6 @@ install_cli_from_release() { arch="$(detect_arch)" tmpdir="$(mktemp -d)" - trap 'rm -rf "$tmpdir"' RETURN for candidate in openshell nemoclaw; do case "$candidate" in @@ -293,10 +292,12 @@ install_cli_from_release() { sudo install -m 755 "$tmpdir/$candidate" "/usr/local/bin/$candidate" CLI_BIN="$candidate" log "Installed CLI from release: $CLI_BIN" + rm -rf "$tmpdir" return 0 fi done + rm -rf "$tmpdir" log "Unable to install CLI from GitHub releases." exit 1 } From 8f57199d86ca15b96c3d2a189d8cff58f3822d95 Mon Sep 17 00:00:00 2001 From: JR Morgan Date: Wed, 11 Mar 2026 17:30:35 -0700 Subject: [PATCH 09/14] Consistent favicon, add multi context login if token present --- brev/launch.sh | 39 ++++++++++++++++++++++++++---- brev/welcome-ui/index.html | 9 +++---- brev/welcome-ui/openshell-mark.svg | 5 ++++ 3 files changed, 42 insertions(+), 11 deletions(-) create mode 100644 brev/welcome-ui/openshell-mark.svg diff --git a/brev/launch.sh b/brev/launch.sh index 8ff6ac8..ebcc9f9 100755 --- a/brev/launch.sh +++ b/brev/launch.sh @@ -173,7 +173,32 @@ resolve_ghcr_user() { [[ -n "$GHCR_USER" ]] } +docker_login_ghcr_for_user() { + local login_user="$1" + + if [[ "$login_user" == "root" ]]; then + log "Logging into ghcr.io as $GHCR_USER for root ..." + if printf '%s\n' "$GITHUB_TOKEN" | docker login ghcr.io -u "$GHCR_USER" --password-stdin >/dev/null 2>&1; then + log "GHCR login succeeded for root." + return 0 + fi + log "GHCR login failed for root." + return 1 + fi + + log "Logging into ghcr.io as $GHCR_USER for user $login_user ..." + if sudo -H -u "$login_user" env GITHUB_TOKEN="$GITHUB_TOKEN" GHCR_USER="$GHCR_USER" bash -lc \ + 'printf "%s\n" "$GITHUB_TOKEN" | docker login ghcr.io -u "$GHCR_USER" --password-stdin >/dev/null 2>&1'; then + log "GHCR login succeeded for user $login_user." + return 0 + fi + log "GHCR login failed for user $login_user." + return 1 +} + docker_login_ghcr_if_needed() { + local login_failed=0 + if [[ "$GHCR_LOGIN" == "0" || "$GHCR_LOGIN" == "false" || "$GHCR_LOGIN" == "no" ]]; then log "Skipping GHCR login by configuration." return @@ -194,13 +219,17 @@ docker_login_ghcr_if_needed() { return fi - log "Logging into ghcr.io as $GHCR_USER ..." - if printf '%s\n' "$GITHUB_TOKEN" | docker login ghcr.io -u "$GHCR_USER" --password-stdin >/dev/null 2>&1; then - log "GHCR login succeeded." - return + docker_login_ghcr_for_user "root" || login_failed=1 + + if [[ -n "${SUDO_USER:-}" && "${SUDO_USER}" != "root" ]]; then + docker_login_ghcr_for_user "$SUDO_USER" || login_failed=1 + elif [[ "$(id -un)" != "root" ]]; then + docker_login_ghcr_for_user "$(id -un)" || login_failed=1 fi - log "GHCR login failed. Continuing, but private image pulls may fail." + if [[ "$login_failed" -ne 0 ]]; then + log "One or more GHCR logins failed. Continuing, but private image pulls may fail." + fi } checkout_repo_ref() { diff --git a/brev/welcome-ui/index.html b/brev/welcome-ui/index.html index aed074e..19dcc37 100644 --- a/brev/welcome-ui/index.html +++ b/brev/welcome-ui/index.html @@ -4,7 +4,8 @@ OpenShell — Agent Sandbox - + + @@ -15,11 +16,7 @@
- + OpenShell Sandbox diff --git a/brev/welcome-ui/openshell-mark.svg b/brev/welcome-ui/openshell-mark.svg new file mode 100644 index 0000000..300ba64 --- /dev/null +++ b/brev/welcome-ui/openshell-mark.svg @@ -0,0 +1,5 @@ + + + + + From 2396706953d76d7e0bde2f0481b966fae7060c93 Mon Sep 17 00:00:00 2001 From: JR Morgan Date: Wed, 11 Mar 2026 17:51:00 -0700 Subject: [PATCH 10/14] Enforce consistent favicon --- brev/welcome-ui/favicon.ico | Bin 25214 -> 32038 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/brev/welcome-ui/favicon.ico b/brev/welcome-ui/favicon.ico index 9e35bef5b8258264d8e67b0ff69b4b29feecdcba..dce06225d9aa9a234d2faa96a7807ab14f790700 100644 GIT binary patch literal 32038 zcmeI53$R^PdB^uYuLuZv5FjCt8$x0dKnxH_NYZeFCblC`6$DZY55r3eLJ>j$;a+@= zt#*c1D5Z&570?kMAX*F&BM3e^(`lXIVSvF)J8j1&AhaORtp0y%optuP`|jsG=Ugs& z@60djJoaAe`@Z$~zV+BAK@bMDV9Jz0>73yFS`e%af?&=Z_x?-z{A>Db@#5zD`9W~< zUO~{`@7^ywHVAeu4}yidN0%xG_qmcl*{1((-53OpU6t-9`V!bvpH;;0eB6CCeSW;S zUF;D59^+}f|Gv0J>@R$Iq@ma#el3h;+Z87G&ZgnqtIyo`_b8n$d>-@knlepruekeC zQ~AWnrh3jXrh4`&Q{5oWTW!M6o}=$ud0g9e{~3DyJA41PFE`bT-e&4^_cZl6(<0{Y zWhx&z(FDllWOz{Nbb$=yj}CBNztsudtd7pU!|!j(5dQs{E|0hldXH{_bX0lN&&d19 z1G|6gvX<;t2g#34=oUyv*)jS4Z+*~IuK81Eb1!={tsl{62Mmi~8MVrp+c z*feHOjciXn95Bt)-nPh~TeA*-s(Was*#E8KS%F?A_}axLy!`?besMU#U6k9Zzgu_4(yu zAO>yhEHO`1M09Tlub!P01mCL$!C=@#c@1Wv>%J$3bdND^oSCER`vv2b{bS&n_$zJ! zSNBU)r`L-ik<@n5K4aYbq&QrtW=j5T-MCQqJt@-iFY`IF$Ric}+q$v8OXbF8?9Y_| zIlH5Cylnp-7o7a({GIbxy_11DO)HwOnqyJ^;VI=aU+PxOnWhImK0O|Gac|na-S|8|4t_1;UtcjU z4o;1SO12Z~G(GP1WyVt%4-=Czk0~n)eVP75n~vu^@qV0Gz%>7M2Ej3}20`CTK`{B* zAeb~11l4Xqe&kF3l;g`JrBN;xXNuN3#XP;4_cZ>p?wzhY`o+!S=i*h- ziM&Pb{U4R_Bf+{aZEKRij>XzjBtNp#ROUyJI~X=$&Rk{ zqm#rp1hN;gTQ9D8RAv9Ac$3I)OHO{;`%-bMC@vFwQHlEqY5NQQ^V~A12l{rjj~1_o zsLjyt`^0APAENj2=a)fSVw_tq+_*&A{uh1D*tpZW?`4P4&G;I~^#GHke-S7xdjxg7)1meN-n~ zH!jzApBBFm>3P|E%8snJy4}i8T37(RUAs7euoB$bOI8@2p;^z2AdpN{(GjW7nE#>{fzZs-`i0S5sd$ z*Hi|zF7Eq(TDh)2(l7f&n*0~*yZ;uih-CTMlfLT`Q~A`XZtv8$ll>-}`l5YI{g8c4 z{mrukX$A+)FtwHQOy#QMO?cb;lgk<|!^@IsyI?F$lmA2dF56Gtx5KQBSetvM@l_uDJRWX#8-G7hvsq=JrSn?6?rrAGVe#sWza*nAl=^Hk_ zR5$#Q3I6FacjlqAA1h>gbn9Gx*_ZZOJMjopKX7_WhuSGenef*0ZQr)%HcII*hVpaX zLT$FP={QqgexMucH5S$n-`}7E^-w*xc@CuAU&UW@)vU@$9pP2 zZ74ymBA+2UajbkEe#6Vp7(hR=F&*{OZTXRn^MZ^$AAa}nbBl2wmGvGUC%Yp%zR$*i z8iN_f7z=D%N1N=n{NDdwsqtpTJXbDbdHdKtn%DRO`9gdm{ojrW*s9y|6Mri1C3a{2 z(XrgJB@ka->x^+KhvBYUu5T88FQ_qc^LN) z^XdF=^^&zwn<4+?vNj2 zIc^lJYa*YQc4X?lujv}r5t+;Xmq=d=>b-u9<+O!W!tDX%%a4xeaHuHOmwTtj-I9Sl z6rN>qw$GBE8i}rB4}-oiAn+U5g1wPmw<*e?-ftK05z__h;v?Hj)+bI6>S2a>zxa-L zOpy08;w91P{vEbpY+=ufc0MH7le|S7Ep`*mrdhHkedq3DF9{u}ze5E6?J9AHcvSpW zbW$JmE##(tZxS2CO3^2F6_h_Z`P+4Jc~FOw#Uk-1;%sq+80>&+bnm6&G=bc+M1DVQ zmu=$pga!UUE#S@!@oW=+N{4hnsXfIm1A4}iv@c3^?noz(f*_viOp-DPg5Q_a>ZfPM z;(FTmZT67KteslvP}7dyt|=+!wED%MXr0sIgNeTh3rtv`GYj~*#hq7}q_}|CgZN;9 zI7}=P#0CJuE zk9^3Fapx&fR=%;m9vP9<+rX`Hc)g;LE%}wd&W$7VCE61Vxr&KZ)ju&)N(Z}TcF$77OtK&%wgM6rJ0uX8@` z!@BPwf!`^wKYJF)jO^&ZzB_vhqoLgf#bkL#GXF??RN$|(_4nVqls?lh@GE|-E3Q8} ze_OiqJ2U#7m+%Ycn{e~{OnAe36JCGX=(y=jyT2Fcw_WUcvV0q`2Kl_WTdWq@<3OZ; zL)Y#th%4|Z#r5V|Ti>c@&Yx%xo#$Drm%iOTTU~qWB2zzlu7h(mMbJ6W`mzH|?S#ed zOeK53*r0e{AVygy_7Uio+z$NbE}kc@B(@^HD6T&;>9>3AZ~f@}bLB%PnCh7;O>NCV zb}!SOL4Kpo7X#;vi@>$opXGOyYVSDIRJ6Zt&mj2mAYVRoxI!!u%vJLAXI?>UO?>$? zQB414y`y{OV<$PiSIu{4XC-@M=I-uXGJDG~xgh@fJ$05?=dx?Z9qP_y`|%)Oz9H$b zMbMsSi9G%1>l*Auj7^+bOn>@2ZC>?Go!5`lne%;hhR@fr*Q2Q3{yKl(==CQq-!85e z3q+p&%rA)_c8C{5zW$8!8tZI-SDUY?-mUJOLr4DIpu<*)^?Qx;cC4fBIXj0Q=&p8OUo^v>rQl3^p)s$0T?+kbESz0OR^$1%>^v5x+3>rv;9qz%V|C_t@7>(_U9Z2|Z{<_#oGgslo}zJZ>w5Ju+t&)VOW!`D^!2I#Fgtl0 zD2?+mXyIh&d>~SX=0w z{>acP|JR%^Fn8ehY49=lS^G>1XXEG}#ca?U{jq(o;~!!mp6SrpM*J)BC36d6P5VrN z<{SlV&^!IHL9gRqVo72t#TLX@#F*9&nrm1aTkyZjf35u|HS73K0emmf;k2@ zu+Q4k7pQ~uv7op5+kT*Npxg6buWu_=OigS-dyoxi2evQpj9T=&zDaiIz5d7}e_wXD)<6C8K0M#3XQJ&hrt}BefaV&^IqdThnuD}rBrijh zj=lbr&A4dCMy11ISz@^Y`1qex`7xJZ9^IN>^L&Wr9LznKgV;4@@{RQNuY0e5yuNL` zT0qAvJG`#+r;Y_Ok7kaWcF*gf{qu~s)}?s{CuFUn?D|I9_2Yf~^KBm8wKmW19R}{2s}IQO$o?(`9WpZ~c!o zV%CaTGiL2LTmP|W|MVlZDgOTo*3bDp02}k)RA~Oo8a`|Jtm(71pQk^21e*nW2J9W= z=--TSdNuy}^^arTWNOF1MZaO8|HI_3PARkgK|QjU!=4U%J9+xEM|8E=F4#ND*57~M zEC1*HqMi%2epUbfjQvfH;_F}R;jx#;o*sL9dHT=NHS85`5ksPw{#@td+-}D|HZD?3 z~tgaCV?fS>y3q&T!D4_ZCIYKhQonE3#T}c7!t|`F>#h*@o!X!&TMgZi!)sL=buLE&zUh|p#kxj$SP|*e)p(kzD67^ zri$co&+F||f1Nus$l1ZQ;x_TLcu|Z;UE5_sMr7s8<{H5n&ZzBsJ=4-ie?Jb)*8L|6 z;s;`)_Oiy~Yh*-LWJdPr3^ckG{fq3-e*PJoJ}&&(kezz{TH62_{8;ydUei{+?#N!O z-N)_X?;C#po%VFCz^7n?SHx?rKf3=`a3+6H&|j%{bdTyju3ypjksWHvkG{lsa-G1h zUq&iLb?Ee8Uw1u_+ literal 25214 zcmeHP33wdEm42<3J!8qAWg;Ik2zzW{8y^sDCd6Wf1u; z0@U^Z;?F>HEIG|k>E9ntTB4=lk7&XSTol=Qd69;=$A_?_bga#>#7Ip?sp(k-Q%qq^TNG_#7HJDlIXPlYRw2K&lrQ{co zsS@liPjYT4{c0E#A9j-zPolG#j6Y9M1G^cD$K!FB(EhLiwi`%Dy9mrigJDbkhj|LGzYjA$0CfnE>n zM2ic)TDw8*1hQOWB+Io(5}oK?G{YrDtzS7wulK-cBm>or(GD#1Sok`j6bq2pjn!Pa z)9VE5wY^TL&%@dj?}EN`CnTZ?X~!~(OCHVT&ZX7d53n33APSRRPz|{>RxB(G@WhpL z2Rotmq2;iX>EZ&L&BDIOIZ3VyX{>y4`it(aMUg9#zYhuG(UFX2s9&Y(4lF^~j<{8* zbWVFq%kuX1UG0AP<0Ja|F7b)k-%qS@?Jbc$yRYW}`<+*7y5F$d-g_|i`WsI)H+Emv zQ*YP5G0v_(=?eSGY4!FSuQb{3^z_=Bapm=|@!L~JFR+!wc|IP90cM`N$d^toW6z1L z2|khC(Rt3eV}voT%Q4a|f-^QUMfRF5a?Ob%Z-c+Z(lX&T zj1!GD13cfVg!678p$#fjvT`XA&yh;+T#4MhOvc=Oo{a5kk(v$XOU*AYkX<$azr0W; z0F&-q8O;uII+De){P=7-$j z4XUdOR^~=@R|@h_K33IEGW{J#H-Z+klvl1CVspXO@;WmIY`=kW zMSZ}ZdbF*9;B07^#|H36_pnk|;8dfPYk%mVQam3+O#iA(1W{HKq*xw~8&42}idr^N z32ZGMx*GKOV$xP9SI~FA6RN)xbvx5p?GJe|u*}q;@AD_pV>M#1K3HCjRm6;=4u|$7 z7Q}`*qZB&FVnXjuV;rxsDn~UmR1_bI=)}rM4X1>k>L|Q*dGv#G$4E~oc14v!{ur_O z$jpz`hMWjx3&A$hpk{uSP#^AZp@o{CzURaEui9*{{G3?Bj0O##nBojvedV;1ML^$X z@;-}cB-F){F~oD8@^h;p<68XO%D+#o3{4^~FlLeAJ?h=xmC?LM?ZQ3kh87uT?ooMv zdQYpmKb>;#N|~C!NM>woli9dG-Lrd@% ztx>aP)4)7PC^nX7m6>2+^=^O)>K})yiI#;I=ul{@dL_kMB;9}Ln5mBV{vmP{jYlbo z`ueGsg%|A5tdo*eWmS(}%(E(_<|ykkAn+nok2Wgy^j~FssM={WJe`$H|0nMq{BufS+!0phO&RBuQK55670xK*@f>~f zy(^>+n3lg-Vt9VO$9;Hy?w?KO-+!4T9==xge`GbDm+N!LS8xtF9OsZ@@r?Y$XK#~J zpAXI)XXDJ_;F);K%ekF)Ov{d!Bk*a80M@4wcBj%T=&JpA_2fwHE-2SxOPjI_cdhzL zEHEfmO&PzN)RKd8r66NfjX~{1)K}HYXuct>tCl*o@l@4I9iFR<;pVD0n(?UL6%A=q z*~7;q|EZQ=t}@BgZ!-pd5j61j-Tks3MR{t(08q>c1mS z|EOG7dUC1X;Cnm$1>{m&MwH+7cK4M1_al%?Rbbw{1ia~^7j!eQWmI zw;Mp80^UPDRy3ZuR5kc}0EeRP9MD^U7m@!9sGeJ;=1M6Z=jCAj_WSQSGoj}?*#9Fi zP-n6KMV$#1a;aU>_9)={(Df?l<|18#{nXdgVE(rIpG(!i*5$yTfbg8)e7O}k1IPl8 z01p8hfSZ99;1FO!s0Tqdm#ReFKENda=ii4wSpQJ@ZS&uAnxOMV6{8^LPojJ@`2GV( zxHRFWrNFFqcb>M*Tw2TS5N>3>@Eq>)G)B=TgT)&->76+Wr~&6nMBV z3MJ2}1>Xbz4&bLi9_8PH4xHzVC)e3!0H14?PM$Lj^{XJ;3p%p-lS?f|`@aEZ4BtZD z|I#na=2A9rEI?n`uUL^Yxzs4|<^kseuL4Gop}zs|c%X3OSJa+`Txtq%9q?Dcv@>+; z@%Nl>qTkwgJ&wOanXmhGV%~EeRXTNiIByq%_ch=+;2@Ow09q%`bIYNG?mZ=|=MCpiIPM3dPLHdue;8%@%lV@9>ps7a@_Ha% z@X2$kAa@~n1LybK;2#bCP-788{r>=_--G>U%(zAyKeT_rIYVE|ycX#v$MJ`tcpQMV z_3M{oe=X#K`OZFh&a>c~>xw>c9la9Nd<{x>o7bA>dKDu2g|F2g%S+B7HRDTyJ zm--CyzYf)RBF}diI??~2ooOGYPov)d;tZPTHTkv@ZD?}>U;*6w9tXmDOupEE&q+Y; zujs3p1DyZiIsZLXM_r!t2cY;HE~Voi9&hU98nCbFGV;7G+5o-o2XkW+c#MzU+XBA! zP5Th|?>QBazYp@kczVvwAv+DI56{_Ug*uZN?Egz>vm3yDEzp}wu}?uCIOjd*oPw{# zvf*|E^MU`l)WOOI+iLLawYPB%`Ab9foX`3zQw0HJisui)LlGyXq`e6S`_&U3yF-cWPC^!(S?`VzF&X9YdRoC7Br^NQwD{|H`qJ)q1c zzyo+rEB1$tv~I3{VcpN8yxRcXUj*-6z|7&{Xb^v+D3?ki2Co37pMOLCV(1Lw$u*N_ zH+{Xc-pIy`ngaEl&!YYgwEr+9_W<(6YnSI72AS}lXmpyf8hZW|3?jp`nCD~w-G5E* zL3xj`7|L9qr-7aTaNqe?&_%#8fQvHy)cwG5u?~(h1&-(;@JrwKu`2070$)(1?KI3@{zW^8B5deBN#3@66;^xOHs5BJGYPwIl9mO;_43%XZs} zJgI1E<)SUu7~VeLFL@51;dKIU0;d#w_8fi}VJ`3ufbTo*1O5z{=S{=Wt=spU2=tr_ z@SP0xu)lW$mjZmw-U=)R_65d-e4@W!1=a%p4GiT&Y5RO{$@ieT?K_~$0RC?i#=q3~ z^O@RBK=A%V%Z>%_c!0V}jn!cL`W-CeOuwH2^z&8EnS=c0!0Es=U^Z|ha08&9@#^Pa zIh5xrU(JVpm-A)t9|ywmD7LTl{??ay8kEm`ZGdCTXSRICcr|bZz%e)s7zNY-D*(P* zrT#wPd?0wft>Zym4q)EL1@`rLKY}{8XFMAKzJpo=kjGfe0tUwaMeq($UDfpuqD*;$ z&!>ZD;-0e$%8a3Tz8<#U3chK#*w=RwcpSI40R4Zh2HR&FzT3D6;4{?Gz-qvZcMtOW z0H*=eV{DLW`<@d+p0OqGIe>Z?Q#1FMn4ttO-2Y#od>g=aw8uKej93on=b_p^<4-C3 z*F)Cu|Hbe75}(Jug=1*!bIwf%Xe$jETWuj+#M_dsgwa~)d;&{y{3Y~KftR|v z{lJd{pu+=rt#VJf7ijmvHLn%;GN8ZL;5oY^&v^U=C}pb@Z|n90KW0H6uccoBZv&^Q zDt(>LK>0X;v8IouYz)O4-oEjJRL?2)k?R823y#rH`iHCAKKt4SUVp>s-PZb%*gqTg zfAtaJgm8Gv`EmsQKSn@5Zy4~|BUZnUEn~&%lV+vw)_XeH^*!F&474QXs z_aCpQJRSC&gMklKdwsw5KFU*pXMt}4hXeGH=QP^i6QEtjgl96npVPiRS5W^n;E%u| z0Ne9BB~gHT<9`CY&$t$#UJbUtE5-h90;r#RH|1CR`IA6H#Gg8t)+`_wy n^V+bu?X(4^$<9j6|6A=t2Z%i20_LZ4nPqZ;9)L2Y4e9>^moyUg From a411c5ed645550d1abc33163d83843a0d5cbd5c4 Mon Sep 17 00:00:00 2001 From: JR Morgan Date: Wed, 11 Mar 2026 17:58:03 -0700 Subject: [PATCH 11/14] Ensusre sandbox base image is pulled --- brev/welcome-ui/server.js | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/brev/welcome-ui/server.js b/brev/welcome-ui/server.js index befa62e..fbd7369 100644 --- a/brev/welcome-ui/server.js +++ b/brev/welcome-ui/server.js @@ -35,6 +35,9 @@ const CLI_BIN = process.env.CLI_BIN || "openshell"; const SANDBOX_DIR = path.join(REPO_ROOT, "sandboxes", "nemoclaw"); const SANDBOX_NAME = process.env.SANDBOX_NAME || "nemoclaw"; const SANDBOX_START_CMD = process.env.SANDBOX_START_CMD || "nemoclaw-start"; +const SANDBOX_BASE_IMAGE = + process.env.SANDBOX_BASE_IMAGE || + "ghcr.io/nvidia/openshell-community/sandboxes/openclaw:latest"; const POLICY_FILE = path.join(SANDBOX_DIR, "policy.yaml"); const LOG_FILE = "/tmp/nemoclaw-sandbox-create.log"; @@ -589,6 +592,18 @@ async function cleanupExistingSandbox() { } } +async function ensureSandboxBaseImage() { + logWelcome(`Pre-pulling sandbox base image: ${SANDBOX_BASE_IMAGE}`); + const result = await execCmd(["docker", "pull", SANDBOX_BASE_IMAGE], 300000); + if (result.code !== 0) { + const errMsg = (result.stderr || result.stdout || "docker pull failed").trim(); + logWelcome(`Base image pull failed: ${errMsg}`); + return { ok: false, error: errMsg }; + } + logWelcome(`Base image available locally: ${SANDBOX_BASE_IMAGE}`); + return { ok: true }; +} + function runSandboxCreate() { sandboxState.status = "creating"; sandboxState.error = null; @@ -598,6 +613,14 @@ function runSandboxCreate() { try { await cleanupExistingSandbox(); + const baseImage = await ensureSandboxBaseImage(); + if (!baseImage.ok) { + sandboxState.status = "error"; + sandboxState.error = + `Sandbox base image pull failed. ${baseImage.error}`; + return; + } + const chatUiUrl = buildOpenclawUrl(null); const policyPath = await generateGatewayPolicy(); From 0c0bf7e5fe0cc4ac072e3f104908f09191fd5eef Mon Sep 17 00:00:00 2001 From: JR Morgan Date: Wed, 11 Mar 2026 18:32:29 -0700 Subject: [PATCH 12/14] Handle proper status updates in welcome UI --- brev/welcome-ui/app.js | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/brev/welcome-ui/app.js b/brev/welcome-ui/app.js index df21a32..ae6880f 100644 --- a/brev/welcome-ui/app.js +++ b/brev/welcome-ui/app.js @@ -240,6 +240,18 @@ errorMessage.textContent = msg; } + function setSandboxChecklistCreating() { + setLogIcon(logSandboxIcon, "spin"); + logSandbox.querySelector(".console__text").textContent = + "Provisioning secure OpenShell sandbox..."; + } + + function setSandboxChecklistReady() { + setLogIcon(logSandboxIcon, "done"); + logSandbox.querySelector(".console__text").textContent = + "Secure OpenShell sandbox created."; + } + async function triggerInstall() { if (installTriggered) return; installTriggered = true; @@ -262,9 +274,7 @@ return; } - setLogIcon(logSandboxIcon, "done"); - logSandbox.querySelector(".console__text").textContent = - "Secure OpenShell sandbox created."; + setSandboxChecklistCreating(); setLogIcon(logGatewayIcon, "spin"); startPolling(); } catch { @@ -294,6 +304,7 @@ sandboxReady = true; sandboxUrl = data.url || null; + setSandboxChecklistReady(); setLogIcon(logGatewayIcon, "done"); logGateway.querySelector(".console__text").textContent = "OpenClaw agent gateway online."; @@ -368,9 +379,7 @@ sandboxUrl = data.url; installTriggered = true; - setLogIcon(logSandboxIcon, "done"); - logSandbox.querySelector(".console__text").textContent = - "Secure OpenShell sandbox created."; + setSandboxChecklistReady(); setLogIcon(logGatewayIcon, "done"); logGateway.querySelector(".console__text").textContent = "OpenClaw agent gateway online."; @@ -383,9 +392,7 @@ } else if (data.status === "creating") { installTriggered = true; - setLogIcon(logSandboxIcon, "done"); - logSandbox.querySelector(".console__text").textContent = - "Secure OpenShell sandbox created."; + setSandboxChecklistCreating(); setLogIcon(logGatewayIcon, "spin"); updateButtonState(); From 2d80d9e5bd3850ad1e28f7fabeaefb6ea4e1289b Mon Sep 17 00:00:00 2001 From: JR Morgan Date: Wed, 11 Mar 2026 19:00:52 -0700 Subject: [PATCH 13/14] Cosmetic rebrand cleanup. --- brev/launch.sh | 3 +++ brev/welcome-ui/SERVER_ARCHITECTURE.md | 22 +++++++++---------- .../__tests__/connection-details.test.js | 12 +++++----- brev/welcome-ui/__tests__/routing.test.js | 2 +- .../welcome-ui/__tests__/static-files.test.js | 4 ++-- .../__tests__/template-render.test.js | 6 ++--- brev/welcome-ui/package-lock.json | 4 ++-- brev/welcome-ui/package.json | 2 +- brev/welcome-ui/server.js | 2 +- 9 files changed, 30 insertions(+), 27 deletions(-) diff --git a/brev/launch.sh b/brev/launch.sh index ebcc9f9..cccc737 100755 --- a/brev/launch.sh +++ b/brev/launch.sh @@ -1,5 +1,8 @@ #!/usr/bin/env bash +# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# SPDX-License-Identifier: Apache-2.0 + set -euo pipefail SOURCE_PATH="${BASH_SOURCE[0]-}" diff --git a/brev/welcome-ui/SERVER_ARCHITECTURE.md b/brev/welcome-ui/SERVER_ARCHITECTURE.md index 23c8ff0..f7e7e72 100644 --- a/brev/welcome-ui/SERVER_ARCHITECTURE.md +++ b/brev/welcome-ui/SERVER_ARCHITECTURE.md @@ -1,4 +1,4 @@ -# NemoClaw Welcome UI — `server.py` Complete Architecture Reference +# OpenShell Welcome UI — `server.py` Complete Architecture Reference > **Purpose:** This document provides an exhaustive, implementation-level description of `server.py` so that a software engineer can faithfully recreate it in Node.js with log-streaming support. Every endpoint, state machine, threading model, edge case, and dependency is documented. @@ -409,7 +409,7 @@ Step 10: Cleanup temp policy file ### 6.3 `POST /api/inject-key` -**Purpose:** Asynchronously update the NemoClaw provider credential with an API key. +**Purpose:** Asynchronously update the OpenShell provider credential with an API key. **Request Body:** ```json @@ -450,7 +450,7 @@ Step 3: If success: ### 6.4 `POST /api/policy-sync` -**Purpose:** Push a policy YAML to the NemoClaw gateway via the host-side CLI. +**Purpose:** Push a policy YAML to the OpenShell gateway via the host-side CLI. **Request Body:** Raw YAML text (Content-Type is not checked, but body is read as UTF-8). @@ -499,10 +499,10 @@ Step 6: Cleanup tempfile (always, even on failure — in finally block) "gatewayUrl": "https://8080-xxx.brevlab.com", "gatewayPort": 8080, "instructions": { - "install": "curl -fsSL https://github.com/NVIDIA/NemoClaw/releases/download/devel/install.sh | sh", - "connect": "nemoclaw gateway add https://8080-xxx.brevlab.com", - "createSandbox": "nemoclaw sandbox create -- claude", - "tui": "nemoclaw term" + "install": "curl -fsSL https://github.com/NVIDIA/OpenShell/releases/download/devel/install.sh | sh", + "connect": "openshell gateway add https://8080-xxx.brevlab.com", + "createSandbox": "openshell sandbox create -- claude", + "tui": "openshell term" } } ``` @@ -519,7 +519,7 @@ Step 6: Cleanup tempfile (always, even on failure — in finally block) ### 6.6 `GET /api/providers` -**Purpose:** List all configured NemoClaw providers with their details. +**Purpose:** List all configured OpenShell providers with their details. **Processing:** ``` @@ -1013,7 +1013,7 @@ Gateway URL: Else: http://{hostname}:8080 ``` -This is a DIFFERENT port (8080) — the NemoClaw gateway itself, not the welcome-ui. +This is a DIFFERENT port (8080) — the OpenShell gateway itself, not the welcome-ui. --- @@ -1081,7 +1081,7 @@ Page Load │ → keyInjected tracked via sandbox-status polling │ ├── When sandboxReady + keyValid + keyInjected: - │ → "Open NemoClaw" button enabled + │ → "Open OpenShell" button enabled │ → Click opens: sandboxUrl + ?nvapi= in new tab │ └── User clicks "Other Agents" card @@ -1098,7 +1098,7 @@ Page Load | 2 | API key valid + tasks running | "Provisioning Sandbox..." | No (spinner) | | 3 | API key empty + tasks done | "Waiting for API key..." | No | | 4 | API key valid + sandbox ready + key not injected | "Configuring API key..." | No (spinner) | -| 5 | API key valid + sandbox ready + key injected | "Open NemoClaw" | Yes | +| 5 | API key valid + sandbox ready + key injected | "Open OpenShell" | Yes | ### API Key Validation diff --git a/brev/welcome-ui/__tests__/connection-details.test.js b/brev/welcome-ui/__tests__/connection-details.test.js index 46218df..7a8c41c 100644 --- a/brev/welcome-ui/__tests__/connection-details.test.js +++ b/brev/welcome-ui/__tests__/connection-details.test.js @@ -51,9 +51,9 @@ describe("GET /api/connection-details", () => { expect(res.body.gatewayPort).toBe(8080); expect(res.body.instructions).toBeDefined(); expect(res.body.instructions.install).toContain("curl"); - expect(res.body.instructions.connect).toContain("nemoclaw gateway add"); - expect(res.body.instructions.createSandbox).toContain("nemoclaw sandbox create"); - expect(res.body.instructions.tui).toBe("nemoclaw term"); + expect(res.body.instructions.connect).toContain("openshell gateway add"); + expect(res.body.instructions.createSandbox).toContain("openshell sandbox create"); + expect(res.body.instructions.tui).toBe("openshell term"); }); it("TC-CD02: with Brev ID, gatewayUrl is https://8080-{id}.brevlab.com", async () => { @@ -99,11 +99,11 @@ describe("GET /api/connection-details", () => { it("TC-CD06: instructions contain exact CLI strings", async () => { const res = await request(server).get("/api/connection-details"); expect(res.body.instructions.install).toBe( - "curl -fsSL https://github.com/NVIDIA/NemoClaw/releases/download/devel/install.sh | sh" + "curl -fsSL https://github.com/NVIDIA/OpenShell/releases/download/devel/install.sh | sh" ); expect(res.body.instructions.createSandbox).toBe( - "nemoclaw sandbox create -- claude" + "openshell sandbox create -- claude" ); - expect(res.body.instructions.tui).toBe("nemoclaw term"); + expect(res.body.instructions.tui).toBe("openshell term"); }); }); diff --git a/brev/welcome-ui/__tests__/routing.test.js b/brev/welcome-ui/__tests__/routing.test.js index da8b84d..d92bee6 100644 --- a/brev/welcome-ui/__tests__/routing.test.js +++ b/brev/welcome-ui/__tests__/routing.test.js @@ -99,7 +99,7 @@ describe("routing — priority", () => { const res = await request(server).get("/"); expect(res.status).toBe(200); expect(res.headers["content-type"]).toContain("text/html"); - expect(res.text).toContain("NemoClaw"); + expect(res.text).toContain("OpenShell"); }); it("TC-R13: unknown path returns 404 when sandbox NOT ready", async () => { diff --git a/brev/welcome-ui/__tests__/static-files.test.js b/brev/welcome-ui/__tests__/static-files.test.js index b7d8e99..d33f2e5 100644 --- a/brev/welcome-ui/__tests__/static-files.test.js +++ b/brev/welcome-ui/__tests__/static-files.test.js @@ -24,7 +24,7 @@ describe("static file serving", () => { const res = await request(server).get("/styles.css"); expect(res.status).toBe(200); expect(res.headers["content-type"]).toContain("text/css"); - expect(res.text).toContain("NemoClaw"); + expect(res.text).toContain("OpenShell"); }); it("TC-SF02: GET /app.js returns JS with application/javascript content-type", async () => { @@ -43,7 +43,7 @@ describe("static file serving", () => { expect(res.status).toBe(200); expect(res.headers["content-type"]).toContain("text/html"); expect(res.text).not.toContain("{{OTHER_AGENTS_MODAL}}"); - expect(res.text).toContain("NemoClaw"); + expect(res.text).toContain("OpenShell"); }); it("TC-SF05: GET /index.html returns templated index.html", async () => { diff --git a/brev/welcome-ui/__tests__/template-render.test.js b/brev/welcome-ui/__tests__/template-render.test.js index 212bca2..db534d5 100644 --- a/brev/welcome-ui/__tests__/template-render.test.js +++ b/brev/welcome-ui/__tests__/template-render.test.js @@ -37,7 +37,7 @@ describe("renderOtherAgentsModal", () => { it("TC-T07: steps are auto-numbered (1., 2., etc.)", () => { const html = renderOtherAgentsModal(); if (!html) return; - expect(html).toContain("1. Install NemoClaw CLI"); + expect(html).toContain("1. Install OpenShell CLI"); expect(html).toContain("2. Add the gateway"); expect(html).toContain("3. Create a sandbox"); expect(html).toContain("4. Manage policies"); @@ -54,7 +54,7 @@ describe("renderOtherAgentsModal", () => { const html = renderOtherAgentsModal(); if (!html) return; expect(html).toContain('# Claude Code'); - expect(html).toContain("nemoclaw sandbox create -- claude"); + expect(html).toContain("openshell sandbox create -- claude"); }); it("TC-T10: dict command with id renders cmd span with id attribute", () => { @@ -73,7 +73,7 @@ describe("renderOtherAgentsModal", () => { it("TC-T12: copyable + single command + no button ID renders data-copy", () => { const html = renderOtherAgentsModal(); if (!html) return; - // "Install NemoClaw CLI" step has copyable:true and one command, no copy_button_id + // "Install OpenShell CLI" step has copyable:true and one command, no copy_button_id expect(html).toContain("data-copy="); }); diff --git a/brev/welcome-ui/package-lock.json b/brev/welcome-ui/package-lock.json index f549cfa..85dfa49 100644 --- a/brev/welcome-ui/package-lock.json +++ b/brev/welcome-ui/package-lock.json @@ -1,11 +1,11 @@ { - "name": "nemoclaw-welcome-ui", + "name": "openshell-welcome-ui", "version": "1.0.0", "lockfileVersion": 3, "requires": true, "packages": { "": { - "name": "nemoclaw-welcome-ui", + "name": "openshell-welcome-ui", "version": "1.0.0", "dependencies": { "js-yaml": "^4" diff --git a/brev/welcome-ui/package.json b/brev/welcome-ui/package.json index 1fb5a94..cc597cf 100644 --- a/brev/welcome-ui/package.json +++ b/brev/welcome-ui/package.json @@ -1,5 +1,5 @@ { - "name": "nemoclaw-welcome-ui", + "name": "openshell-welcome-ui", "version": "1.0.0", "private": true, "scripts": { diff --git a/brev/welcome-ui/server.js b/brev/welcome-ui/server.js index fbd7369..abc63b8 100644 --- a/brev/welcome-ui/server.js +++ b/brev/welcome-ui/server.js @@ -3,7 +3,7 @@ // SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. // SPDX-License-Identifier: Apache-2.0 -// NemoClaw Welcome UI — HTTP server with sandbox lifecycle APIs. +// OpenShell Welcome UI — HTTP server with sandbox lifecycle APIs. // Node.js port of server.py with added SSE log streaming. "use strict"; From 343edbab3a465b36abf0cbd411d8c4b8f4368163 Mon Sep 17 00:00:00 2001 From: JR Morgan Date: Wed, 11 Mar 2026 19:32:04 -0700 Subject: [PATCH 14/14] Ensure non-root user context --- brev/launch.sh | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/brev/launch.sh b/brev/launch.sh index cccc737..dfee5f8 100755 --- a/brev/launch.sh +++ b/brev/launch.sh @@ -41,6 +41,14 @@ log() { printf '[launch.sh] %s\n' "$*" } +require_non_root() { + if [[ "$(id -u)" -eq 0 ]]; then + log "Do not run the full launcher as root." + log "Run it as the target user and let the script use sudo only where required." + exit 1 + fi +} + step() { printf '\n[launch.sh] === %s ===\n' "$*" } @@ -181,7 +189,7 @@ docker_login_ghcr_for_user() { if [[ "$login_user" == "root" ]]; then log "Logging into ghcr.io as $GHCR_USER for root ..." - if printf '%s\n' "$GITHUB_TOKEN" | docker login ghcr.io -u "$GHCR_USER" --password-stdin >/dev/null 2>&1; then + if printf '%s\n' "$GITHUB_TOKEN" | sudo docker login ghcr.io -u "$GHCR_USER" --password-stdin >/dev/null 2>&1; then log "GHCR login succeeded for root." return 0 fi @@ -190,6 +198,15 @@ docker_login_ghcr_for_user() { fi log "Logging into ghcr.io as $GHCR_USER for user $login_user ..." + if [[ "$login_user" == "$(id -un)" ]]; then + if printf '%s\n' "$GITHUB_TOKEN" | docker login ghcr.io -u "$GHCR_USER" --password-stdin >/dev/null 2>&1; then + log "GHCR login succeeded for user $login_user." + return 0 + fi + log "GHCR login failed for user $login_user." + return 1 + fi + if sudo -H -u "$login_user" env GITHUB_TOKEN="$GITHUB_TOKEN" GHCR_USER="$GHCR_USER" bash -lc \ 'printf "%s\n" "$GITHUB_TOKEN" | docker login ghcr.io -u "$GHCR_USER" --password-stdin >/dev/null 2>&1'; then log "GHCR login succeeded for user $login_user." @@ -516,6 +533,7 @@ start_welcome_ui() { } main() { + require_non_root require_cmd tar require_cmd sudo