Phase 2 local-dev-parity: clawdbot opt-in + credentials runbook + 17 affordance findings

Closes the Phase 2 sprint that ran on the dev-agent huddle pod
(app-dev 6a123d49221cc3cce97d9bd1) following PR #434. Cody (cloud
codex) shipped both feature commits; Theo (openclaw moltbot)
reviewed and approved; Nova + Claude (sam-local) contributed design
and observations.

Code changes
============

dev.sh + docker-compose.dev.yml + cli/src/commands/dev.js + cli/__tests__/dev.test.mjs
  Local-dev parity for clawdbot. Today a contributor wanting to run
  the OpenClaw gateway locally hand-bootstraps six manual hacks
  (mkdir bundled-skills, set CLAWDBOT_DOCKERFILE=Dockerfile, mint
  moltbot token, patch moltbot.json controlUi, pass OPENAI/OPENROUTER
  envs through compose, fight auth-profile schema). This sprint
  collapses those into a single CLI command + an env opt-in.

  Phase 2.A — COMMONLY_LOCAL_CLAWDBOT=1 env opt-in. dev.sh grows
  read_env_value + is_truthy_env_value helpers; the clawdbot compose
  profile is only included when the env is truthy. Default off.

  Phase 2.B — Compose default Dockerfile (OSS) not Dockerfile.commonly
  on the clawdbot-gateway + clawdbot-cli services. The fork ships
  Dockerfile at HEAD; Dockerfile.commonly is a private variant that
  was only available in an unmerged branch.

  Phase 2.D — `commonly dev clawdbot` CLI subcommand. New
  `cli/src/commands/dev.js` orchestration: ensure local instance
  config, login bootstrap, wait for backend healthy, resolve-or-
  create the local sandbox pod, install the openclaw runtime with
  config.runtime.runtimeType='moltbot' via the existing
  POST /api/registry/install endpoint, harvest the runtime token
  via /api/registry/pods/:podId/agents/openclaw/runtime-tokens,
  patch external/clawdbot-state/config/moltbot.json with the
  controlUi fallback flag, and upsert OPENCLAW_USER_TOKEN +
  OPENCLAW_RUNTIME_TOKEN into .env. No backend API changes;
  reuses existing routes. New regression test file
  cli/__tests__/dev.test.mjs covers the bootstrap flow.

  Phase 2.E — docs/development/local-credentials.md runbook +
  .env.example restructure. Required (GITHUB_PAT) /
  conditionally-required (LITELLM_API_KEY gated by
  COMMONLY_LOCAL_CLAWDBOT=1) / optional (Discord/Slack/Tavily/etc)
  / subsystem gates + troubleshooting + verified LiteLLM mint
  recipe via kubectl port-forward + POST /key/generate.
  docs/development/README.md indexes it.

Phase-4 affordance audit (docs/audits/ui-smoke-2026-05-23/)
==========================================================

The huddle session produced 17 Phase-4 findings about Commonly's
multi-agent collab affordance gaps, captured in
docs/audits/ui-smoke-2026-05-23/huddle-observations.md. The most
actionable, ranked by impact:

  1. Inline cue on chat.mention.payload.content for collaborative
     pods would replicate the in-pod corrections (execute-not-
     handoff + claim-the-orphan) that I had to make manually. Same
     pattern as the existing §9 DM cue and pod-context cue.
  2. OpenClaw moltbot workspace should be a git worktree with
     GH_PAT credentials (same shape cloud-codex has via boot
     script). Would let Theo/Nova actually ship code instead of
     just reviewing.
  3. CLI-wrapper (claude/codex) chat-turn tool registry should
     auto-load @commonlyai/mcp for full memory + post + DM tool
     access during chat.mention turns, not just heartbeat cycles.
  4. commonly_save_my_memory daily-section schema mismatch — the
     tool input contract and backend YYYY-MM-DD validator disagree.
     Backend rejects daily writes with sections.daily[].date must
     be YYYY-MM-DD. Cody surfaced + drafted the GH issue body.
  5. Event dedup gate — Theo posted 4 acknowledgements to a single
     human message because chat.mention + heartbeat fired
     concurrent LLM runs with no run-in-progress guard.
  6. Heartbeat-cycle should optionally ingest pod-conversational-
     gravity into long_term memory. Today moltbot heartbeats write
     routing pointers + task state but miss today's huddle content.

Two prescriptive memory entries were committed to commonly-skills:
feedback-agents-collab-execute-not-handoff and
feedback-claim-the-orphan-stalled-peer-work.

Still open (next sprint scope)
==============================

  Phase 2.C — commonly-bundled-skills/.gitkeep upstream in
              Team-Commonly/openclaw + submodule bump. Cross-repo
              work; needs operator (Sam) for the openclaw-fork PR.
  Phase 3   — ADR-2.F implementation (heartbeat events for CLI
              wrappers). Claude shipped a complete design with all
              decisions resolved; needs a coder.

Co-Authored-By: Cody <cody@commonly.me>
Co-Authored-By: Theo <theo@commonly.me>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 4 people

.env.example

@@ -66,28 +66,40 @@ ANTHROPIC_API_KEY=
 
 # OpenAI / Codex
 OPENAI_API_KEY=
+OPENAI_BASE_URL=
 
 # OpenRouter (multi-model fallback)
 OPENROUTER_API_KEY=
+OPENROUTER_BASE_URL=
 
 # Google Gemini (direct, not via OpenRouter)
 GEMINI_API_KEY=
 
-# LiteLLM proxy (if self-hosting a LiteLLM gateway)
+# LiteLLM proxy
+# LITELLM_API_KEY = virtual key for the shared dev LiteLLM or another proxy
+# LITELLM_MASTER_KEY = operator-only admin key for self-hosting/admin tasks
+LITELLM_API_KEY=
 LITELLM_BASE_URL=
 LITELLM_MASTER_KEY=
 
 # -----------------------------------------------------------------------------
 # Agent runtime  (OPTIONAL — only needed if running the OpenClaw/Clawdbot gateway)
 # -----------------------------------------------------------------------------
+# Phase 2 target gate for local clawdbot parity. Keep off unless you are
+# actively working on the local OpenClaw runtime path.
+COMMONLY_LOCAL_CLAWDBOT=0
+
 CLAWDBOT_GATEWAY_TOKEN=    # token for the gateway's Commonly account
 
 # Brave Search (used by agents that do web searches)
 # Get a free API key at https://api.search.brave.com/
 BRAVE_API_KEY=
+TAVILY_API_KEY=
+FIRECRAWL_API_KEY=
+DEEPGRAM_API_KEY=
 
-# GitHub PAT (used by dev agents to create PRs)
-# Required scopes: repo Contents R/W, Pull requests R/W
+# GitHub PAT (used by dev agents to clone/fetch/push/create PRs)
+# Required scopes: Contents R/W, Pull requests R/W, Metadata R
 GITHUB_PAT=
 
 # -----------------------------------------------------------------------------
@@ -97,6 +109,9 @@ DISCORD_CLIENT_ID=
 DISCORD_BOT_TOKEN=
 DISCORD_PUBLIC_KEY=
 DISCORD_CLIENT_SECRET=
+SLACK_APP_TOKEN=
+SLACK_BOT_TOKEN=
+TELEGRAM_BOT_TOKEN=
 
 # -----------------------------------------------------------------------------
 # Email  (OPTIONAL — accounts auto-verify without it in development)

cli/__tests__/dev.test.mjs

@@ -0,0 +1,148 @@
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { jest } from '@jest/globals';
+
+import {
+  upsertEnvFileValues,
+  patchClawdbotConfig,
+  bootstrapClawdbotRuntime,
+} from '../src/commands/dev.js';
+
+describe('dev command helpers', () => {
+  test('upsertEnvFileValues updates existing keys and appends missing ones', () => {
+    const current = [
+      '# local dev',
+      'COMMONLY_LOCAL_CLAWDBOT=0',
+      'JWT_SECRET=test-secret',
+      '',
+    ].join('\n');
+
+    const next = upsertEnvFileValues(current, {
+      COMMONLY_LOCAL_CLAWDBOT: '1',
+      OPENCLAW_RUNTIME_TOKEN: 'cm_agent_test',
+    });
+
+    expect(next).toContain('COMMONLY_LOCAL_CLAWDBOT=1');
+    expect(next).toContain('JWT_SECRET=test-secret');
+    expect(next).toContain('OPENCLAW_RUNTIME_TOKEN=cm_agent_test');
+    expect(next.startsWith('# local dev')).toBe(true);
+    expect(next.endsWith('\n')).toBe(true);
+  });
+
+  test('patchClawdbotConfig syncs gateway, account, and binding state', () => {
+    const patched = patchClawdbotConfig({
+      config: {
+        channels: {
+          commonly: {
+            enabled: true,
+            baseUrl: 'http://backend:5000',
+            accounts: {},
+          },
+        },
+        agents: { list: [] },
+        bindings: [],
+      },
+      accountId: 'local',
+      podId: 'pod-1',
+      displayName: 'Local OpenClaw',
+      runtimeToken: 'cm_agent_test',
+      userToken: 'cm_user_test',
+      gatewayToken: 'gateway-test',
+    });
+
+    expect(patched.gateway.auth.token).toBe('gateway-test');
+    expect(patched.gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback).toBe(true);
+    expect(patched.channels.commonly.accounts.local.runtimeToken).toBe('cm_agent_test');
+    expect(patched.channels.commonly.accounts.local.userToken).toBe('cm_user_test');
+    expect(patched.channels.commonly.accounts.local.podIds).toEqual(['pod-1']);
+    expect(patched.bindings).toContainEqual({
+      agentId: 'local',
+      match: { channel: 'commonly', accountId: 'local' },
+    });
+    expect(patched.agents.list).toContainEqual(expect.objectContaining({
+      id: 'local',
+      name: 'Local OpenClaw',
+    }));
+  });
+
+  test('bootstrapClawdbotRuntime writes env and config using the runtime-token routes', async () => {
+    const repoRoot = fs.mkdtempSync(path.join(os.tmpdir(), 'commonly-dev-test-'));
+    const envExamplePath = path.join(repoRoot, '.env.example');
+    const envPath = path.join(repoRoot, '.env');
+    const configPath = path.join(repoRoot, 'external', 'clawdbot-state', 'config', 'moltbot.json');
+
+    fs.writeFileSync(envExamplePath, 'COMMONLY_LOCAL_CLAWDBOT=0\nCLAWDBOT_GATEWAY_TOKEN=\n', 'utf8');
+    fs.mkdirSync(path.dirname(configPath), { recursive: true });
+    fs.writeFileSync(configPath, `${JSON.stringify({
+      channels: {
+        commonly: {
+          enabled: true,
+          baseUrl: 'http://backend:5000',
+          accounts: {},
+        },
+      },
+      agents: { list: [] },
+      bindings: [],
+    }, null, 2)}\n`, 'utf8');
+
+    const client = {
+      get: jest.fn(async (route) => {
+        if (route === '/api/pods') return [];
+        if (route === '/api/registry/pods/pod-1/agents') return { agents: [] };
+        throw new Error(`unexpected GET ${route}`);
+      }),
+      post: jest.fn(async (route, body) => {
+        if (route === '/api/pods') {
+          return { _id: 'pod-1', name: body.name };
+        }
+        if (route === '/api/registry/install') {
+          return {
+            installation: {
+              agentName: 'openclaw',
+              instanceId: 'local',
+              podId: body.podId,
+              displayName: body.displayName,
+            },
+          };
+        }
+        if (route === '/api/registry/pods/pod-1/agents/openclaw/provision') {
+          return { configPath: '/app/external/clawdbot-state/config/moltbot.json' };
+        }
+        if (route === '/api/registry/pods/pod-1/agents/openclaw/runtime-tokens') {
+          expect(body).toEqual({ instanceId: 'local', force: true });
+          return { token: 'cm_agent_fresh' };
+        }
+        if (route === '/api/registry/pods/pod-1/agents/openclaw/user-token') {
+          return { token: 'cm_user_fresh' };
+        }
+        throw new Error(`unexpected POST ${route}`);
+      }),
+    };
+
+    const result = await bootstrapClawdbotRuntime({
+      client,
+      repoRoot,
+      instanceId: 'local',
+      displayName: 'Local OpenClaw',
+      gatewayToken: 'gateway-fresh',
+    });
+
+    expect(result.podId).toBe('pod-1');
+    expect(result.podCreated).toBe(true);
+    expect(result.installationCreated).toBe(true);
+    expect(result.runtimeToken).toBe('cm_agent_fresh');
+    expect(result.userToken).toBe('cm_user_fresh');
+
+    const envContents = fs.readFileSync(envPath, 'utf8');
+    expect(envContents).toContain('COMMONLY_LOCAL_CLAWDBOT=1');
+    expect(envContents).toContain('CLAWDBOT_GATEWAY_TOKEN=gateway-fresh');
+    expect(envContents).toContain('OPENCLAW_RUNTIME_TOKEN=cm_agent_fresh');
+    expect(envContents).toContain('OPENCLAW_USER_TOKEN=cm_user_fresh');
+
+    const parsedConfig = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+    expect(parsedConfig.gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback).toBe(true);
+    expect(parsedConfig.channels.commonly.accounts.local.runtimeToken).toBe('cm_agent_fresh');
+    expect(parsedConfig.channels.commonly.accounts.local.userToken).toBe('cm_user_fresh');
+  });
+});