freelance-pipeline: present-and-go OpenClaw delivery pipeline with safety bounds#2
Open
exodusubuntu-tech wants to merge 7 commits into
Open
freelance-pipeline: present-and-go OpenClaw delivery pipeline with safety bounds#2exodusubuntu-tech wants to merge 7 commits into
exodusubuntu-tech wants to merge 7 commits into
Conversation
- 00-bootstrap.sh: idempotent install of openssh/mosh/tmux/iperf3/nodejs/opencode-ai - connect.sh: mosh into PC over tailnet, ssh fallback - opencode-client.sh: launch OpenCode CLI against PC server with preflight check - health.sh: tailnet status, banner mode for ~/.bashrc, latency + iperf3 hints - README.md: one-paste install, perf checklist, direct-vs-DERP guidance Co-authored-by: exodusubuntu-tech <256017578+exodusubuntu-tech@users.noreply.github.com>
User clarified: this is OpenClaw (openclaw/openclaw, persistent self-hosted
agent with a token-authed dashboard on :18789), not OpenCode.
Changes:
- bootstrap: install nodejs (>=22 required), w3m for TUI dashboard
- bootstrap: drop client install on phone (OpenClaw is daemon-only on PC)
- config: PC settings now include OPENCLAW_PORT and OPENCLAW_TOKEN
- new openclaw-client.sh -> alias tn-claw with subcommands:
url | open | tui | tail | status | send | ssh
- health: probe :18789 instead of :4096; banner shows openclaw=up/down
- README: rewritten with topology, security/perf checklist, naming caveat
Idempotent installer that: - installs base pkgs + sshd + mosh + iperf3 + ufw - installs Tailscale, brings it up with --ssh --accept-routes - ensures Node >= 22 (NodeSource if missing) - installs OpenClaw via official installer (--no-onboard) - generates a 256-bit dashboard token and persists at ~/.openclaw/dashboard-token - writes a systemd --user unit binding to the tailnet IP, with linger enabled - locks ufw to only accept ssh/openclaw/mosh from the tailscale0 interface - prints the exact ~/.tailnet/config block to paste on the phone
Adds the missing 'survives reboot' pieces: - termux-boot/start-sshd: boot hook that grabs a wakelock, starts sshd, pre-warms a tmux session named 'tn', and writes a last-boot timestamp. - install-boot.sh: copies the hook into ~/.termux/boot/, prints the one-time manual steps (install Termux:Boot APK, open it once, disable battery optimization, reboot to verify). - acl-example.hujson: paste-ready Tailscale ACL template that limits the phone tag to ssh + 18789 + mosh range only. - README: adds Persistence table + Samsung One UI specifics (Never sleeping apps, Adaptive Battery off). - 00-bootstrap.sh: prints a follow-up hint to run install-boot.sh.
Tailscale Android uses VpnService, so the tun interface isn't visible to Termux processes. Old check (ip addr | grep '100\.') always reported 'Self IP: none' even when tunnel was working perfectly. Now we ping 100.100.100.100 (Tailscale MagicDNS resolver, only reachable inside the tailnet) and fall back to the old check for non-Android cases. Also: detect a common config typo where users write 'pop.os.tailxxxx.ts.net' instead of 'pop-os.tailxxxx.ts.net' and print a hint.
Adds:
- .kiro/steering/freelance-rules.md (inclusion: always)
Hard rules for hyper-modular structure (200-line file cap, 40-line
function cap), happy+error tests for every public function, and the
six-section README with one-line ./run bootstrap.
- freelance-pipeline/blueprint-template.md
Per-job document that ingests the raw client request and forces it into
EARS-notation acceptance criteria, typed API contracts (HTTP/CLI/module
exports/data formats), non-functional table, hot-path identification,
out-of-scope list, and a definition-of-done checklist.
- freelance-pipeline/deploy-claw-job.sh
Safety-bounded job runner with three guardrails:
1. Token cap (default 500k) -> exit 43, RESUME.md
2. Runtime cap (default 4h) -> exit 44, RESUME.md
3. Same-error-loop detector (default 3 repeats) -> exit 42, RESUME.md
Normalizes verifier output (line numbers, paths, hashes, timestamps)
before hashing so transient noise doesnt mask repeating failures.
Wraps the system envelope in Anthropic cache_control: ephemeral
markers when cache: true is set in the manifest, saving 60-80% on
input tokens for multi-step jobs.
- freelance-pipeline/patterns/{typescript,python,rust,go}.md
Per-language toolchain bias (pnpm+vitest+biome+zod, uv+ruff+pytest+pydantic,
cargo-nextest+clippy-pedantic+thiserror, stdlib-first+slog+golangci-lint).
Auto-applied when the blueprint detects the primary language.
- freelance-pipeline/jobs/example-auth-service.yaml
Reference job manifest with verifier commands per step.
- freelance-pipeline/README.md
Operator runbook.
This was referenced May 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request was generated by @kiro-agent 👻
Comment with /kiro fix to address specific feedback or /kiro all to address everything.
Learn about Kiro autonomous agent
What this is
A "present-and-go" pipeline for running paid coding jobs through OpenClaw with hard safety bounds and consistent delivery quality. Built on the live tailnet (Termux on Android + Pop!_OS desktop, both on Tailscale, OpenClaw daemon on the desktop).
Files
.kiro/steering/freelance-rules.mdinclusion: alwaysrules: hyper-modular code, happy+error tests for every public function, 1-click./runREADMEfreelance-pipeline/blueprint-template.mdfreelance-pipeline/deploy-claw-job.shfreelance-pipeline/patterns/{typescript,python,rust,go}.mdfreelance-pipeline/jobs/example-auth-service.yamlfreelance-pipeline/README.mdSafety bounds in
deploy-claw-job.shRESUME.mdRESUME.mdRESUME.mdRESUME.md, exit 130The error-loop detector hashes the normalized verifier output (numbers, absolute paths, hex hashes, dates collapsed) so transient noise doesn't disguise an identical failure as new progress.
Prompt caching
When
cache: truein the manifest, the system envelope (engineer persona + freelance rules + blueprint) is wrapped in Anthropiccache_control: ephemeralmarkers and shipped to OpenClaw viagateway call. For a multi-step job, that's typically 60–80 % input-token savings after the first step.What was tested locally
bash -nsyntax checkfreelance-pipeline/and.kiro/steering/inclusion: alwaysfront-matter so it loads on every workspace taskNot addressed in this PR
gateway callRPC method name varies by version; ifagent.runisn't the right name on the user's daemon, swap one line inclaw_call()tailnet-kit(PR tailnet-kit: Termux scripts for Tailscale + OpenCode mesh #1) carries the bind-fix for the OpenClaw daemon; merge that firstSteering note
User clarified earlier in conversation that the target is OpenClaw (not OpenCode). All artifacts here reference OpenClaw, port 18789,
openclaw gateway, and~/.openclaw/paths — consistent with the corrections already in PR #1.