clawdie-iso/firstboot/shell-env.sh
Sam & Claude 0aee135c43 Add EMBED_API_KEY and EMBED_DIMENSIONS to .env pipeline
The .env template was missing two vars that src/config.ts reads at
runtime.  Without them embeddings silently fall back to wrong defaults
(768 dims vs the 1024 the pgvector schema expects).

- shell-env.sh: add EMBED_API_KEY + EMBED_DIMENSIONS to template
- build.cfg: add matching defaults (1024 dims)
- firstboot.sh: export the new vars
- cloud-path-test.sh: add EMBED var checks (now 19 total)

Build: not tested | Tests: PASS (cloud-path 19/19, integration 7/7)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-04 20:04:22 +02:00


#!/bin/sh
# Clawdie Shell — Environment Configuration Module
# Purpose: Generate .env file with secrets and configuration
# POSIX-compliant (no bash-isms)
# Fail fast: abort on an unhandled command failure (-e) and on any use of an
# unset variable (-u).
set -eu

# Paths used by this module. A value already present in the environment wins
# (this is how tests redirect them); otherwise the default below is assigned.
: "${CLAWDIE_HOME:=/home/clawdie}"
: "${ENV_FILE:=$CLAWDIE_HOME/.env}"
: "${LOG_FILE:=/var/log/clawdie-firstboot.log}"
: "${PROGRESS_FILE:=/var/log/clawdie-firstboot.progress}"

# Subnet base (default 10.0.0). It is written into the generated .env as-is;
# nothing in this file checks its format.
: "${AGENT_SUBNET_BASE:=10.0.0}"
# ============================================================================
# MAIN ENTRY POINT
# ============================================================================
clawdie_shell_env_generate() {
  # Entry point: check the required inputs, make sure the home directory
  # exists, write the .env seed, validate it, then record success.
  #
  # Globals:  ASSISTANT_NAME, AGENT_DOMAIN (read; both required)
  #           TZ (read; set to "UTC" when empty or unset)
  #           CLAWDIE_HOME, PROGRESS_FILE (read)
  # Returns:  0 on success, 1 when an input is missing or a step fails
  log_msg "[env] Starting .env generation"

  # Required inputs: stop before touching the filesystem if one is missing.
  [ -n "${ASSISTANT_NAME:-}" ] || {
    log_msg "[env] ERROR: ASSISTANT_NAME not set"
    return 1
  }
  [ -n "${AGENT_DOMAIN:-}" ] || {
    log_msg "[env] ERROR: AGENT_DOMAIN not set"
    return 1
  }

  # The time zone is optional; fall back to UTC and say so in the log.
  [ -n "${TZ:-}" ] || {
    TZ="UTC"
    log_msg "[env] WARNING: TZ not set, defaulting to UTC"
  }

  # Step 1: home directory. A failing chown is deliberately ignored, so the
  # directory may keep the ownership of whoever ran this script.
  mkdir -p "$CLAWDIE_HOME"
  chown clawdie:clawdie "$CLAWDIE_HOME" 2>/dev/null || true

  # Step 2: write the .env seed.
  if ! clawdie_shell_env_write_file; then
    log_msg "[env] ERROR: Failed to write .env file"
    return 1
  fi
  log_msg "[env] .env file generated successfully"

  # Step 3: validate what was written.
  if ! clawdie_shell_env_validate; then
    log_msg "[env] ERROR: .env validation failed"
    return 1
  fi

  # Success marker appended to the progress file.
  printf '%s\n' "[ENV] SUCCESS" >> "$PROGRESS_FILE"
  log_msg "[env] Environment configuration complete"
}
# ============================================================================
# .ENV FILE GENERATION
# ============================================================================
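clawdie_shell_env_write_file() {
  # Write a minimal .env seed file at $ENV_FILE with mode 600.
  #
  # This file is copied into the Clawdie-AI repo by the deploy module and then
  # completed by Clawdie-AI onboarding (secrets, derived defaults, URLs, etc).
  #
  # Globals:  ENV_FILE, ASSISTANT_NAME, AGENT_DOMAIN, TZ, AGENT_SUBNET_BASE
  #           (read); the provider, embedding, feature, Telegram and SSH
  #           variables are read with the defaults shown in the template.
  # Returns:  0 on success; 1 when no agent name can be derived or when the
  #           file cannot be created, restricted or written.
  #
  # The caller invokes this function on the left of `||`, where `set -e` is
  # not in effect, so every step that must succeed is checked explicitly.
  #
  # NOTE(review): values are placed inside double quotes without escaping, so
  # a value containing '"', a backslash or a newline produces a malformed or
  # multi-entry .env. Confirm the installer validates these inputs.
  # NOTE(review): $ENV_FILE is a fixed path that is removed, re-created and
  # then written; presumably no other account can write to its directory
  # while firstboot runs. Confirm, since these steps would follow a symlink
  # that appeared there in between.
  local agent_name old_umask

  # Derive agent name from assistant name (lowercase, strip non-alnum).
  # LC_ALL=C keeps the A-Z / a-z / 0-9 ranges byte-wise in every locale.
  agent_name=$(printf '%s\n' "$ASSISTANT_NAME" |
    LC_ALL=C tr 'A-Z' 'a-z' |
    LC_ALL=C sed 's/[^a-z0-9]//g') || return 1
  if [ -z "$agent_name" ]; then
    # Without this check the file would carry AGENT_NAME="" and an internal
    # domain of ".home.arpa".
    log_msg "[env] ERROR: ASSISTANT_NAME contains no letters or digits"
    return 1
  fi

  # Remove existing .env if present
  rm -f "$ENV_FILE" 2>/dev/null || true

  # Create the file under a restrictive umask so it is never readable by
  # other users, not even while it is still empty: a descriptor opened in
  # that window would stay valid after chmod and after the secrets land.
  old_umask=$(umask)
  umask 077
  touch "$ENV_FILE" || {
    umask "$old_umask"
    return 1
  }
  umask "$old_umask"
  chmod 600 "$ENV_FILE" || return 1
  # Ownership is best effort: the clawdie account may not exist under test.
  chown clawdie:clawdie "$ENV_FILE" 2>/dev/null || true

  # Write .env file (unquoted delimiter: variables below are expanded now)
  cat > "$ENV_FILE" <<EOF || return 1
# Clawdie-AI environment configuration (seed)
# Auto-generated by clawdie-iso firstboot installer.
# Secrets and derived defaults are generated by Clawdie-AI onboarding.
# === Identity ===
ASSISTANT_NAME="$ASSISTANT_NAME"
AGENT_NAME="$agent_name"
AGENT_GENDER="${AGENT_GENDER:-f}"
AGENT_DOMAIN="$AGENT_DOMAIN"
AGENT_INTERNAL_DOMAIN="${agent_name}.home.arpa"
TZ="$TZ"
# === LLM Provider ===
PI_TUI_PROVIDER="${PI_TUI_PROVIDER:-zai}"
PI_TUI_MODEL="${PI_TUI_MODEL:-glm-5}"
ZAI_API_KEY="${ZAI_API_KEY:-}"
OPENROUTER_API_KEY="${OPENROUTER_API_KEY:-}"
ANTHROPIC_API_KEY="${ANTHROPIC_API_KEY:-}"
# === Embeddings ===
EMBED_BASE_URL="${EMBED_BASE_URL:-https://openrouter.ai/api/v1}"
EMBED_MODEL="${EMBED_MODEL:-BAAI/bge-m3}"
EMBED_API_KEY="${EMBED_API_KEY:-}"
EMBED_DIMENSIONS="${EMBED_DIMENSIONS:-1024}"
# === Network Configuration (warden0) ===
AGENT_SUBNET_BASE="$AGENT_SUBNET_BASE"
WARDEN_SUBNET_BASE="$AGENT_SUBNET_BASE"
WARDEN_SUBNET="${AGENT_SUBNET_BASE}.0/24"
WARDEN_GATEWAY="${AGENT_SUBNET_BASE}.1"
# === Features (optional) ===
FEATURE_TELEGRAM="${FEATURE_TELEGRAM:-NO}"
FEATURE_GIT="${FEATURE_GIT:-YES}"
FEATURE_GITEA="${FEATURE_GITEA:-YES}"
CODE_HOSTING_MODE="${CODE_HOSTING_MODE:-gitea}"
FEATURE_TAILSCALE="${FEATURE_TAILSCALE:-NO}"
TAILSCALE_AUTHKEY="${TAILSCALE_AUTHKEY:-}"
LOCAL_LLM_PROVIDER="${LOCAL_LLM_PROVIDER:-none}"
FEATURE_OLLAMA="${FEATURE_OLLAMA:-NO}"
FEATURE_LLAMA_CPP="${FEATURE_LLAMA_CPP:-NO}"
FEATURE_OLLAMA_HPP="${FEATURE_OLLAMA_HPP:-NO}"
# === Telegram ===
TELEGRAM_BOT_TOKEN="${TELEGRAM_BOT_TOKEN:-}"
TELEGRAM_CHAT_ID="${TELEGRAM_CHAT_ID:-}"
# === Optional: SSH Public Key (if provided at install) ===
SSH_PUBLIC_KEY="${SSH_PUBLIC_KEY:-}"
EOF

  # Only the line count is logged, never the values.
  log_msg "[env] Wrote .env with $(wc -l < "$ENV_FILE") configuration lines"
  return 0
}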
# ============================================================================
# VALIDATION
# ============================================================================
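clawdie_shell_env_validate() {
  # Check that $ENV_FILE exists, report unexpected permissions, and confirm
  # that every required variable has an assignment line.
  #
  # Globals:  ENV_FILE (read)
  # Returns:  0 when the file exists and each required variable is present,
  #           1 otherwise.
  #
  # NOTE(review): a mode other than 600 only produces a WARNING although the
  # file carries API keys and tokens, and the presence check accepts an empty
  # value (NAME=""). Confirm both are intended.
  local perms required_vars missing name

  if [ ! -f "$ENV_FILE" ]; then
    log_msg "[env] ERROR: .env file not found: $ENV_FILE"
    return 1
  fi

  # Check permissions (should be 600). The GNU form is tried first: GNU stat
  # reads -f as "file system status", prints unrelated text to stdout and
  # then fails, so with the BSD form first that text was captured together
  # with the fallback's output and triggered a bogus warning. BSD stat has no
  # -c option, so there the second form supplies the mode.
  perms=$(stat -c '%a' "$ENV_FILE" 2>/dev/null) ||
    perms=$(stat -f '%OLp' "$ENV_FILE" 2>/dev/null) ||
    perms=""
  # Anything that is not a plain octal mode counts as "unknown" and is skipped.
  case "$perms" in
    '' | *[!0-7]*) perms="" ;;
  esac
  if [ -n "$perms" ] && [ "$perms" != "600" ]; then
    log_msg "[env] WARNING: .env permissions are $perms (should be 600)"
  fi

  # Check for required variables
  required_vars="ASSISTANT_NAME AGENT_NAME AGENT_DOMAIN AGENT_INTERNAL_DOMAIN TZ"
  missing=0
  # Unquoted on purpose: the list is split on whitespace into single names.
  # The loop variable is local so the caller's variables are left alone.
  for name in $required_vars; do
    if ! grep -q -- "^${name}=" "$ENV_FILE" 2>/dev/null; then
      log_msg "[env] ERROR: Missing required variable: $name"
      missing=$((missing + 1))
    fi
  done
  if [ "$missing" -gt 0 ]; then
    return 1
  fi

  log_msg "[env] .env validation passed ($(wc -l < "$ENV_FILE") lines)"
  return 0
}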
# ============================================================================
# LOGGING HELPER
# ============================================================================
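log_msg() {
  # Print a timestamped message to stdout and append it to $LOG_FILE.
  #
  # Arguments: $1 - message text
  # Globals:   LOG_FILE (read)
  # Returns:   always 0; a log file that cannot be written is ignored, so a
  #            logging problem never aborts the installer under `set -e`.
  #
  # printf replaces echo so the message is emitted literally: some /bin/sh
  # implementations make echo interpret backslash sequences in its argument.
  # The text is logged verbatim, so callers must not pass secret values.
  printf '%s %s\n' "$(date '+%H:%M:%S')" "$1" | tee -a "$LOG_FILE" 2>/dev/null || true
}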
# Run the generator unless SHELL_ENV_TEST is set to a non-zero number.
# The check does not distinguish executing this file from sourcing it: with
# SHELL_ENV_TEST unset or 0, clawdie_shell_env_generate runs either way.
# Presumably tests set SHELL_ENV_TEST=1 to load the functions without
# generating a file. Because `set -eu` is active, a failing generate call
# here ends the script.
if [ "${SHELL_ENV_TEST:-0}" -eq 0 ]; then
clawdie_shell_env_generate
fi