devopsclaw

module
v0.0.0-...-ae9409a Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 24, 2026 License: MIT

README

DevOpsClaw

Production-grade AI DevOps platform. Single binary. Fleet-scale.

Platform


DevOpsClaw is a CLI-first DevOps automation platform written in Go. It connects to LLM providers, executes tools across infrastructure, manages fleet-wide deployments, runs versioned runbooks, and integrates with chat platforms — all from a single binary.

PicoClaw vs OpenClaw vs DevOpsClaw

All three projects share the same Go codebase lineage. DevOpsClaw is a production-hardened fork that adds fleet-scale infrastructure management on top of the original AI agent.

PicoClaw OpenClaw DevOpsClaw
Focus Ultra-lightweight AI assistant Community AI agent Production DevOps platform
Target Embedded / edge devices (64MB RAM) Developers, hobbyists DevOps / SRE / platform teams
Fleet management No No Yes — multi-node targeting, fan-out execution
Deployment strategies No No Yes — rolling, canary, blue-green with rollback
Relay / NAT traversal No No Yes — WSS tunnels, no inbound ports on nodes
Runbooks No No Yes — YAML-defined, versioned, audited workflows
RBAC No No Yes — tool-level permissions per user role
Audit trail No No Yes — append-only log of all operations
Browser automation No Basic Yes — headless Chrome via go-rod
Chat platforms Limited Full Full — Telegram, Discord, Slack, DingTalk, etc.
LLM providers Few 14+ 14+ with load balancing
Security sandbox Basic Basic Hardened — RBAC + workspace restriction + command blocklist
Observability No Basic Prometheus metrics, tracing, task history
Migration path devopsclaw migrate imports OpenClaw config

Why DevOpsClaw for production:

  • You manage servers. DevOpsClaw can register your fleet, execute commands across nodes, and deploy services with strategies — PicoClaw and OpenClaw cannot.
  • You need accountability. Every fleet execution, deployment, and runbook run is logged to an immutable audit trail.
  • You need access control. RBAC ensures your Telegram bot viewer can't run rm -rf / on production.
  • You're behind NAT. The relay lets nodes connect outbound — no VPNs, no port forwarding, no SSH bastion hosts.
  • You have runbooks in Notion/Google Docs. Move them to version-controlled YAML that actually executes and is audited.

Coming from OpenClaw? Run devopsclaw migrate to import your existing configuration and workspace.

Features

Category Capabilities
AI Agent Interactive chat, one-shot queries, tool calling, web search, memory
Fleet Management Multi-node targeting by tags/environment, fan-out execution, concurrency control
Deployments Rolling, canary, blue-green strategies with automatic rollback and health checks
Runbooks YAML-defined versioned workflows with shell steps, approval gates, variable capture
Relay NAT-safe WebSocket tunnels — nodes connect outbound, no inbound ports required
Browser Automation Headless Chrome via go-rod: navigate, click, screenshot, extract data
Chat Platforms Telegram, Discord, Slack, DingTalk, LINE, WeCom, QQ, Feishu, WhatsApp, OneBot
RBAC Tool-level permission enforcement per user role (admin, operator, viewer)
Audit Trail Append-only log of all fleet executions, deployments, runbook runs, browser actions
Observability Prometheus metrics, tracing, task history
Resilience Circuit breakers, rate limiting, retries, bulkheads
Security Sandbox Workspace-restricted file and command access, destructive command blocklist
Cron & Heartbeat Scheduled jobs and periodic agent-driven automation
Skills 35 built-in DevOps skills (AWS, Azure, GCP, Terraform, K8s, Docker, and more) plus registry install
LLM Providers OpenAI, Anthropic, DeepSeek, Gemini, Groq, Ollama, OpenRouter, Cerebras, VLLM, and 6 more

Installation

Build from source

git clone https://github.com/freitascorp/devopsclaw.git
cd devopsclaw
make build          # → build/devopsclaw
make install        # → ~/.local/bin/devopsclaw

Cross-compile

make build-all
# Outputs: linux/amd64, linux/arm64, linux/riscv64, darwin/arm64, windows/amd64

Docker

cp config/config.example.json config/config.json
# Edit config.json with your API keys

docker compose --profile gateway up -d              # Long-running bot
docker compose run --rm devopsclaw-agent -m "Hello" # One-shot

Prebuilt binaries

Download from Releases.

Quick Start

# 1. Initialize configuration and workspace
devopsclaw onboard

# 2. Edit ~/.devopsclaw/config.json — add at minimum one LLM provider:
{
  "model_list": [
    {
      "model_name": "gpt4",
      "model": "openai/gpt-5.2",
      "api_key": "sk-your-key"
    }
  ],
  "agents": { "defaults": { "model": "gpt4" } }
}

# 3. Run
devopsclaw agent -m "List all running Docker containers and their resource usage"

# Or start an interactive session
devopsclaw agent

DevOps Walkthrough: Managing 3 Servers

This end-to-end example shows how to set up DevOpsClaw to manage a small production environment: two web servers and one API server.

Scenario

Your laptop (control plane)         3 production servers
┌──────────────┐                    ┌──────────────────────┐
│  devopsclaw   │◄──── relay ──────►│ prod-web-1  10.0.1.10│
│  (your Mac)   │                   │ prod-web-2  10.0.1.11│
│              │                    │ prod-api-1  10.0.2.20│
└──────────────┘                    └──────────────────────┘

Step 1: Install DevOpsClaw everywhere

On your laptop and on each server:

# Build from source (or download a release binary)
git clone https://github.com/freitascorp/devopsclaw.git
cd devopsclaw && make build
sudo cp build/devopsclaw /usr/local/bin/

Step 2: Initialize on your laptop

devopsclaw onboard

Edit ~/.devopsclaw/config.json:

{
  "model_list": [
    {
      "model_name": "gpt4",
      "model": "openai/gpt-5.2",
      "api_key": "sk-your-key"
    }
  ],
  "agents": { "defaults": { "model": "gpt4" } },
  "relay": {
    "listen_addr": ":9443",
    "auth_token": "my-fleet-secret-token",
    "max_connections": 100
  }
}

Step 3: Start the relay

On a host reachable by all servers (can be your laptop if on the same network, or a small VPS):

devopsclaw relay start --addr :9443 --token my-fleet-secret-token

The relay brokers WebSocket connections. Servers connect outbound to it — no inbound ports, VPNs, or SSH tunnels needed on the servers.

Step 4: Connect each server to the relay

SSH into each server and start the agent daemon:

# On prod-web-1 (10.0.1.10)
devopsclaw agent-daemon \
  --relay ws://YOUR_RELAY_HOST:9443 \
  --node-id prod-web-1 \
  --token my-fleet-secret-token

# On prod-web-2 (10.0.1.11)
devopsclaw agent-daemon \
  --relay ws://YOUR_RELAY_HOST:9443 \
  --node-id prod-web-2 \
  --token my-fleet-secret-token

# On prod-api-1 (10.0.2.20)
devopsclaw agent-daemon \
  --relay ws://YOUR_RELAY_HOST:9443 \
  --node-id prod-api-1 \
  --token my-fleet-secret-token

Each server connects outbound to the relay and auto-registers itself. The relay records the server's IP from the connection.

Tip: Run agent-daemon as a systemd service so it survives reboots:

# /etc/systemd/system/devopsclaw-agent.service
[Unit]
Description=DevOpsClaw Fleet Agent
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/usr/local/bin/devopsclaw agent-daemon \
  --relay ws://YOUR_RELAY_HOST:9443 \
  --node-id prod-web-1 \
  --token my-fleet-secret-token
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

Step 5: Tag your nodes

Back on your laptop, add labels so you can target nodes by role/environment:

devopsclaw node register --name prod-web-1 --address 10.0.1.10 --tags env=prod,role=web
devopsclaw node register --name prod-web-2 --address 10.0.1.11 --tags env=prod,role=web
devopsclaw node register --name prod-api-1 --address 10.0.2.20 --tags env=prod,role=api

Verify:

devopsclaw node list
NODE                 ADDRESS                STATUS       LABELS                   LAST SEEN
────────────────────────────────────────────────────────────────────────────────────────────────
prod-web-1           10.0.1.10              ● online     env=prod,role=web        3s ago
prod-web-2           10.0.1.11              ● online     env=prod,role=web        5s ago
prod-api-1           10.0.2.20              ● online     env=prod,role=api        2s ago

Step 6: Run commands across your fleet

# Check uptime on all web servers
devopsclaw run "uptime" --tag role=web

# Check disk usage on every production server
devopsclaw fleet exec "df -h /" --tag env=prod

# Restart nginx on web servers, one at a time, 10s apart
devopsclaw fleet exec "systemctl restart nginx" --tag role=web --serial --delay 10s

# Check Docker containers on the API server
devopsclaw run "docker ps" --node prod-api-1

Step 7: Deploy a new version

devopsclaw deploy myapp:v2.1.0 "docker pull myapp:v2.1.0 && docker restart myapp" \
  --strategy rolling --tag role=web --rollback-on-fail --health-check /health

This deploys to web servers one batch at a time, checks /health after each batch, and rolls back automatically if any batch fails.

Step 8: Run a health check runbook

Copy an example runbook:

mkdir -p ~/.devopsclaw/runbooks
cp examples/runbooks/fleet-health-check.yaml ~/.devopsclaw/runbooks/

Run it:

devopsclaw runbook run fleet-health-check

Step 9: Ask the AI agent

DevOpsClaw's agent can use all of these tools naturally:

devopsclaw agent -m "Check disk usage on all prod servers and alert me if anything is above 80%"
devopsclaw agent -m "Deploy myapp v2.2.0 to the web tier with a canary strategy"
devopsclaw agent -m "Show me the error logs from prod-api-1 in the last hour"

Step 10: Review the audit trail

devopsclaw audit list --since 24h
devopsclaw audit export --since 720h > audit-30d.json  # compliance export

How node connectivity works

There are two ways nodes connect to DevOpsClaw:

Method How it works When to use
Relay + agent-daemon (recommended) Each server runs devopsclaw agent-daemon which opens an outbound WebSocket to the relay. Commands flow through the relay tunnel. The relay auto-captures the server's IP. Servers behind NAT, firewalls, cloud VPCs. No inbound ports needed.
Manual registration devopsclaw node register --name X --address IP records the node. Commands are sent directly to the address. Servers with direct IP reachability from the control machine.

Both methods can be combined — register a node manually to add tags and metadata, then also run agent-daemon on it for relay connectivity.

CLI Reference

devopsclaw [command] [flags]

Global flags:
  -d, --debug    Enable debug logging
      --json     Output in JSON format

Core Commands

Command Description
onboard Initialize config and workspace
agent Interactive AI agent session
agent -m "..." One-shot agent query
gateway Start the chat platform gateway (channels, health, cron)
status Show system status
version Print version, git commit, build time
migrate Run config migrations
completion Generate shell autocompletion (bash, zsh, fish, powershell)

Fleet & Execution

Command Description
run "cmd" --node <id> Execute on a specific node
run "cmd" --tag role=web Execute on nodes matching tags
run "cmd" --env prod Execute on all nodes in an environment
run "cmd" --dry-run Preview targeting without executing
fleet exec "cmd" --tag ... Fan-out with concurrency control
fleet exec "cmd" --serial --delay 5s Serial execution with delay
fleet exec "cmd" --parallel --max 10 Parallel with concurrency cap
fleet exec "cmd" --timeout 60s Custom execution timeout
fleet status Fleet summary (text)
fleet status --live Live TUI dashboard
fleet status --json Fleet summary as JSON

Node Management

Command Description
node register --name <id> --address <ip> Register a node with its IP/hostname
node register --name <id> --address <ip> --tags k=v,k=v Register with labels
node register --name <id> --groups staging Register with groups
node list List all nodes (alias: node ls)
node remove <id> Remove a node (alias: node rm)
node drain <id> Drain — stop accepting new commands

Deployments

Command Description
deploy svc:version "cmd" --strategy rolling Rolling deployment
deploy svc:version "cmd" --strategy canary Canary (small batch first)
deploy svc:version "cmd" --strategy blue-green Blue-green swap
deploy svc:version "cmd" --strategy serial One node at a time
deploy svc:version "cmd" --strategy all-at-once All nodes simultaneously
deploy ... --rollback-on-fail --rollback-cmd "..." Auto-rollback on failure
deploy ... --health-check /health Health check after each batch
deploy ... --max-unavailable 2 Max unavailable during rolling
deploy ... --dry-run Preview deployment plan

Runbooks

Command Description
runbook list List available runbooks (alias: runbook ls)
runbook show <name> Show runbook steps and metadata
runbook run <name> Execute a runbook
runbook run <name> --dry-run Preview execution

Audit

Command Description
audit list List recent events (default: 50)
audit list --user admin --since 2h Filter by user and time window
audit list --limit 200 Increase result limit
audit export --since 24h Export events as JSON

Relay & Browser

Command Description
relay start Start the WSS relay server
relay start --addr :9443 --token <secret> Custom address and auth token
relay start --max 500 Set max concurrent connections
agent-daemon Run as fleet node agent (connects outbound to relay)
browse --url <url> --task "..." AI-driven browser automation
browse --session <name> --task "..." Resume a saved browser session

Scheduling & Skills

Command Description
cron list List scheduled jobs
cron add ... Add a scheduled job
skills list List installed skills
skills install <name> Install a skill
skills remove <name> Remove a skill
skills search <query> Search skill registries
auth login --provider <name> Authenticate with a provider

Skills Library

DevOpsClaw ships with 35 built-in skills that teach the AI agent how to use real-world DevOps tools. Skills are markdown files that document CLI usage patterns, best practices, and common workflows — the agent reads them at startup and uses the knowledge during conversations.

devopsclaw skills list          # See all available skills
devopsclaw skills install <name> # Install from registry

Cloud Providers

Skill CLI Tools Coverage
aws aws EC2, S3, IAM, Lambda, ECS, RDS, CloudFormation, Route53, CloudWatch, Cost Explorer
azure az VMs, AKS, App Service, Storage, Key Vault, SQL, Networking, Resource Groups
gcp gcloud, gsutil, bq Compute, GKE, Cloud Run, Storage, IAM, Cloud SQL, Functions, BigQuery
cloudflare curl (CF API) DNS records, cache purge, Cloudflare Tunnels, firewall rules, zone settings

Infrastructure as Code

Skill CLI Tools Coverage
terraform terraform Plan/apply, state management, workspaces, modules, import, HCL patterns
pulumi pulumi Stacks, config, secrets, multi-language (TypeScript, Python, Go), state
ansible ansible, ansible-playbook Ad-hoc commands, playbooks, roles, inventory, Ansible Vault
packer packer AMI builds, multi-platform images, HCL templates, post-processors

Containers & Orchestration

Skill CLI Tools Coverage
docker docker, docker compose Containers, images, multi-stage builds, Compose, registries, cleanup
kubernetes kubectl Pods, deployments, services, RBAC, HPA, debugging, logs, port-forward
helm helm Charts, releases, repos, values overrides, common DevOps charts

CI/CD

Skill CLI Tools Coverage
github-actions gh Workflow runs, triggers, secrets, artifacts, reusable workflows
gitlab-ci glab Pipelines, jobs, merge requests, CI YAML authoring
jenkins curl (Jenkins API) Jobs, builds, queue, Jenkinsfile, credentials, plugins

Monitoring & Observability

Skill CLI Tools Coverage
prometheus promtool, PromQL Queries, targets, alerting rules, recording rules, federation
grafana curl (Grafana API) Dashboard CRUD, data sources, alerts, annotations, provisioning
datadog curl (DD API) Metrics, monitors, logs, events, dashboards, SLOs
elastic-stack curl (ES API) Index management, search queries, ILM policies, snapshots, Kibana

Security

Skill CLI Tools Coverage
vault vault KV secrets, dynamic credentials, transit encryption, PKI, policies
cert-manager kubectl, cmctl Issuers, certificates, Let's Encrypt, renewal, troubleshooting
trivy trivy Image scanning, filesystem scanning, IaC scanning, SBOM, CI gates

GitOps

Skill CLI Tools Coverage
argocd argocd App management, sync, rollback, projects, multi-cluster, SSO
flux flux Sources, kustomizations, Helm releases, image automation, alerts

Infrastructure & OS

Skill CLI Tools Coverage
linux-admin Core Linux utils Disk, memory, CPU, networking, SSH, users, packages, systemctl
systemd systemctl, journalctl Services, timers, journal, security hardening, dependencies
nginx nginx Reverse proxy, load balancer, SSL/TLS, WebSocket, rate limiting
git-ops git Branching, rebasing, bisect, tags, hooks, worktrees, submodules

Databases

Skill CLI Tools Coverage
postgres psql, pg_dump Queries, backups, replication, performance tuning, connection mgmt
redis redis-cli Data structures, persistence, memory analysis, replication, Sentinel

General Purpose

Skill CLI Tools Coverage
github gh Issues, PRs, repos, releases, gists
tmux tmux Sessions, windows, panes, scripting
hardware System utils CPU, memory, disk, GPU, sensors
weather Weather API Current conditions, forecasts
summarize Text summarization and analysis
skill-creator Meta-skill for creating new skills

Creating Custom Skills

Add a directory under workspace/skills/ with a SKILL.md file:

workspace/skills/my-tool/
  SKILL.md

SKILL.md format:

```skill
name: my-tool
description: Brief description of what this skill teaches the agent
metadata: {"emoji": "🔧", "requires": {"bins": ["my-tool"]}, "install": {"brew": "my-tool", "apt": "my-tool"}}
```

# My Tool

Documentation with CLI examples the agent can reference...

The agent loads all skills at startup. Use devopsclaw skills list to verify your skill is detected.


Configuration

Config file: ~/.devopsclaw/config.json

Run devopsclaw onboard to generate a starter config, or copy config/config.example.json.

LLM Providers

Add models to the model_list array using vendor/model format:

{
  "model_list": [
    {
      "model_name": "gpt4",
      "model": "openai/gpt-5.2",
      "api_key": "sk-..."
    },
    {
      "model_name": "claude",
      "model": "anthropic/claude-sonnet-4.6",
      "api_key": "sk-ant-..."
    },
    {
      "model_name": "local",
      "model": "ollama/llama3"
    }
  ],
  "agents": {
    "defaults": {
      "model": "gpt4",
      "max_tokens": 8192,
      "temperature": 0.7,
      "max_tool_iterations": 20
    }
  }
}
Supported Providers
Provider Prefix Default API Base
OpenAI openai/ https://api.openai.com/v1
Anthropic anthropic/ https://api.anthropic.com/v1
DeepSeek deepseek/ https://api.deepseek.com/v1
Google Gemini gemini/ https://generativelanguage.googleapis.com/v1beta
Groq groq/ https://api.groq.com/openai/v1
Ollama ollama/ http://localhost:11434/v1
OpenRouter openrouter/ https://openrouter.ai/api/v1
Cerebras cerebras/ https://api.cerebras.ai/v1
VLLM vllm/ http://localhost:8000/v1
Zhipu (GLM) zhipu/ https://open.bigmodel.cn/api/paas/v4
Qwen qwen/ https://dashscope.aliyuncs.com/compatible-mode/v1
Moonshot moonshot/ https://api.moonshot.cn/v1
NVIDIA nvidia/ https://integrate.api.nvidia.com/v1
Volcengine volcengine/ https://ark.cn-beijing.volces.com/api/v3

Any OpenAI-compatible endpoint works via custom api_base:

{
  "model_name": "custom",
  "model": "openai/my-model",
  "api_base": "https://my-proxy.example.com/v1",
  "api_key": "sk-..."
}
Load Balancing

Register the same model_name with multiple endpoints for automatic round-robin:

{
  "model_list": [
    { "model_name": "gpt4", "model": "openai/gpt-5.2", "api_key": "sk-key1", "api_base": "https://api1.example.com/v1" },
    { "model_name": "gpt4", "model": "openai/gpt-5.2", "api_key": "sk-key2", "api_base": "https://api2.example.com/v1" }
  ]
}

Fleet

{
  "fleet": {
    "store_path": "~/.devopsclaw/fleet"
  }
}

Register nodes and execute commands:

devopsclaw node register --name prod-web-1 --address 10.0.1.10 --tags env=prod,role=web,region=us-east-1
devopsclaw node register --name prod-api-1 --address 10.0.2.20 --tags env=prod,role=api
devopsclaw run "uptime" --tag role=web
devopsclaw fleet exec "docker ps" --tag env=prod --parallel --max 10
devopsclaw fleet status --live

Relay

The relay brokers WebSocket connections between the CLI and fleet nodes behind NAT/firewalls. Nodes connect outbound to the relay — no inbound ports required on nodes.

{
  "relay": {
    "listen_addr": ":9443",
    "auth_token": "my-secret-token",
    "max_connections": 100
  }
}
# On a publicly reachable host
devopsclaw relay start --addr :9443 --token my-secret-token

# On each fleet node
devopsclaw agent-daemon

Deployments

devopsclaw deploy myapp:v2.1.0 "docker pull myapp:v2.1.0 && docker restart myapp" \
  --strategy rolling --env prod --rollback-on-fail

devopsclaw deploy myapp:v2.1.0 "./deploy.sh" --strategy canary --tag role=web
devopsclaw deploy myapp:v2.1.0 "helm upgrade myapp" --strategy blue-green
devopsclaw deploy myapp:v2.1.0 "./deploy.sh" --dry-run

Strategies: rolling (default), canary, blue-green, all-at-once, serial. All deployments are audited.

Runbooks

Place YAML files in ~/.devopsclaw/runbooks/. See examples/runbooks/ for ready-to-use templates.

name: incident-db-high-connections
description: Investigate and mitigate high database connection count
tags: [incident, database, postgres]

steps:
  - name: Check connection count
    run: psql -h "$DB_HOST" -c "SELECT count(*), state FROM pg_stat_activity GROUP BY state;"
    env:
      DB_HOST: "${DB_HOST:-localhost}"
    capture: connection_count

  - name: Approval to kill idle connections
    run: "echo 'Will terminate idle connections older than 10 minutes'"
    requires_approval: true

  - name: Kill idle connections
    run: |
      psql -h "$DB_HOST" -c "SELECT pg_terminate_backend(pid)
        FROM pg_stat_activity WHERE state='idle'
        AND (now()-state_change) > interval '10 min';"

  - name: Notify team
    notify: slack
    message: "DB incident mitigated. Previous count: {{connection_count}}"

Step types: run (shell command), browse (browser automation), notify (channel notification)

Step options: capture (save output for {{variable}} interpolation), requires_approval, continue_on_error, timeout_sec, env (environment variables), target (fleet node targeting by tag/env/node)

Example runbooks included:

  • incident-db-high-connections.yaml — Postgres connection incident response
  • deploy-verify.yaml — Post-deployment health verification
  • fleet-health-check.yaml — Fleet-wide disk, memory, service, Docker, and TLS checks
  • cert-renewal.yaml — Let's Encrypt SSL certificate renewal

RBAC

{
  "rbac": {
    "enabled": true
  }
}

When enabled, the agent checks tool-level permissions before every execution. Users are resolved from their chat platform identity.

Role Access
admin All tools
operator Shell, deploy, fleet, runbooks, browser
viewer Read-only (status, list, read_file)

Unknown users are denied by default when RBAC is enabled.

Audit

Every fleet execution, deployment, runbook run, and browser action is logged to an append-only audit trail at ~/.devopsclaw/audit/.

devopsclaw audit list --user admin --since 2h --limit 100
devopsclaw audit export --since 720h > audit-30d.json

Events include: timestamp, user, action type, target, result status, node counts, and duration.

Chat Platforms

Enable platforms under channels. Start with devopsclaw gateway.

Telegram
  1. Message @BotFather/newbot → copy the token
  2. Get your user ID from @userinfobot
{
  "channels": {
    "telegram": {
      "enabled": true,
      "token": "YOUR_BOT_TOKEN",
      "allow_from": ["YOUR_USER_ID"]
    }
  }
}
Discord
  1. Create app at discord.com/developers
  2. Bot → enable MESSAGE CONTENT INTENT
  3. OAuth2 → URL Generator → scope bot → permissions: Send Messages, Read Message History
{
  "channels": {
    "discord": {
      "enabled": true,
      "token": "YOUR_BOT_TOKEN",
      "allow_from": ["YOUR_USER_ID"],
      "mention_only": false
    }
  }
}
Slack
{
  "channels": {
    "slack": {
      "enabled": true,
      "bot_token": "xoxb-...",
      "app_token": "xapp-...",
      "allow_from": []
    }
  }
}
DingTalk
{
  "channels": {
    "dingtalk": {
      "enabled": true,
      "client_id": "YOUR_CLIENT_ID",
      "client_secret": "YOUR_CLIENT_SECRET",
      "allow_from": []
    }
  }
}
LINE

Set webhook URL to https://your-domain/webhook/line.

{
  "channels": {
    "line": {
      "enabled": true,
      "channel_secret": "YOUR_CHANNEL_SECRET",
      "channel_access_token": "YOUR_CHANNEL_ACCESS_TOKEN",
      "webhook_host": "0.0.0.0",
      "webhook_port": 18791,
      "webhook_path": "/webhook/line",
      "allow_from": []
    }
  }
}
WeCom

Two modes: WeCom Bot (group chat webhook) or WeCom App (full-featured, private chat). See docs/wecom-app-configuration.md.

{
  "channels": {
    "wecom_app": {
      "enabled": true,
      "corp_id": "wwxxxxxxxxxxxxxxxx",
      "corp_secret": "YOUR_CORP_SECRET",
      "agent_id": 1000002,
      "token": "YOUR_TOKEN",
      "encoding_aes_key": "YOUR_ENCODING_AES_KEY",
      "webhook_host": "0.0.0.0",
      "webhook_port": 18792,
      "webhook_path": "/webhook/wecom-app",
      "allow_from": []
    }
  }
}
QQ
{
  "channels": {
    "qq": {
      "enabled": true,
      "app_id": "YOUR_APP_ID",
      "app_secret": "YOUR_APP_SECRET",
      "allow_from": []
    }
  }
}
Feishu / WhatsApp / OneBot

See config/config.example.json for full configuration templates.

Falls back to DuckDuckGo if no API key is set.

{
  "tools": {
    "web": {
      "brave": { "enabled": true, "api_key": "YOUR_KEY", "max_results": 5 },
      "tavily": { "enabled": false, "api_key": "", "max_results": 5 },
      "duckduckgo": { "enabled": true, "max_results": 5 }
    }
  }
}
Provider Free Tier Link
Brave Search 2,000 queries/month brave.com/search/api
Tavily 1,000 queries/month tavily.com
DuckDuckGo Unlimited (no key) Built-in

Voice Transcription

Telegram voice messages are automatically transcribed when a Groq-compatible model is configured:

{
  "model_list": [
    { "model_name": "groq-llama", "model": "groq/llama-4-scout-17b-16e-instruct", "api_key": "gsk_..." }
  ]
}

Heartbeat

Create ~/.devopsclaw/workspace/HEARTBEAT.md with natural language tasks the agent runs on a schedule:

- Check disk usage and alert if any partition exceeds 90%
- Pull latest changes from the staging repo and run tests
{
  "heartbeat": {
    "enabled": true,
    "interval": 30
  }
}

interval is in minutes (minimum: 5).

Security Sandbox

By default, the agent is restricted to its workspace directory.

{
  "agents": {
    "defaults": {
      "workspace": "~/.devopsclaw/workspace",
      "restrict_to_workspace": true
    }
  }
}

Sandboxed tools: read_file, write_file, list_dir, edit_file, append_file, exec

Always blocked: rm -rf /, format, mkfs, dd if=, shutdown, reboot, fork bombs

Disable with "restrict_to_workspace": false or DEVOPSCLAW_AGENTS_DEFAULTS_RESTRICT_TO_WORKSPACE=false.

Environment Variables

All config fields can be overridden with the prefix DEVOPSCLAW_:

Variable Description
DEVOPSCLAW_AGENTS_DEFAULTS_MODEL Default model name
DEVOPSCLAW_AGENTS_DEFAULTS_RESTRICT_TO_WORKSPACE Sandbox toggle
DEVOPSCLAW_HEARTBEAT_ENABLED Enable heartbeat
DEVOPSCLAW_HEARTBEAT_INTERVAL Heartbeat interval (minutes)
DEVOPSCLAW_FLEET_STORE_PATH Fleet state directory
DEVOPSCLAW_RELAY_LISTEN_ADDR Relay listen address (e.g., :9443)
DEVOPSCLAW_RELAY_AUTH_TOKEN Relay authentication token
DEVOPSCLAW_RELAY_MAX_CONNECTIONS Relay max concurrent connections
DEVOPSCLAW_RBAC_ENABLED Enable role-based access control

Architecture

cmd/devopsclaw/          Cobra CLI — all command entrypoints
pkg/
  agent/                 Core agent loop, context, memory, RBAC-gated tool execution
  audit/                 Append-only audit log (fleet, deploy, runbook, browse events)
  auth/                  OAuth 2.0, PKCE, token store
  browser/               Headless Chrome automation (go-rod)
  bus/                   Internal message bus
  channels/              Chat platform adapters (Telegram, Discord, Slack, etc.)
  config/                Configuration loading, defaults, migration
  constants/             Shared constants
  contracts/             Typed tool contracts with JSON Schema generation
  cron/                  Scheduled task service
  deploy/                Deployment strategies (rolling, canary, blue-green) with rollback
  devices/               Hardware device event monitoring
  fleet/                 Multi-node fleet management, targeting, fan-out execution
  health/                HTTP health/readiness server with fleet and relay endpoints
  heartbeat/             Periodic task execution
  logger/                Structured logging
  migrate/               Config migrations
  observability/         Prometheus metrics, tracing, task history
  providers/             LLM provider adapters and protocol implementations
  rbac/                  Role-based access control, tool-level permission enforcement
  relay/                 NAT-traversal WSS relay server and agent
  resilience/            Circuit breakers, rate limiting, retries, bulkheads
  routing/               Request routing and model selection
  runbook/               YAML-defined versioned workflow engine
  session/               Conversation session management
  skills/                Skill loading, installation, registry search (35 built-in)
  state/                 Persistent state management
  tools/                 Tool registry and execution (shell, file, web, etc.)
  tui/                   Terminal UIs (fleet dashboard) via Bubble Tea
  utils/                 Shared utilities
  voice/                 Voice transcription (Groq/Whisper)
examples/
  runbooks/              Example runbook YAML files
config/
  config.example.json    Full configuration template
workspace/
  AGENT.md               Agent behavior prompts
  IDENTITY.md            Agent identity
  SOUL.md                Agent personality
  USER.md                User preferences

Workspace Layout

~/.devopsclaw/
  config.json            Configuration
  workspace/
    sessions/            Conversation history
    memory/              Long-term memory
    state/               Persistent state
    cron/                Scheduled jobs
    skills/              35 built-in DevOps skills + custom skills
    HEARTBEAT.md         Periodic task prompts
  runbooks/              Runbook YAML files
  audit/                 Audit log files
  fleet/                 Fleet state

Development

make deps          # Download and verify dependencies
make build         # Build for current platform
make build-all     # Cross-compile all platforms
make test          # Run tests
make vet           # Static analysis
make lint          # Run golangci-lint
make fmt           # Format code
make check         # deps + fmt + vet + test
make install       # Install to ~/.local/bin
make uninstall     # Remove binary
make clean         # Remove build artifacts
make help          # Show all targets

Running Tests

make test
# or:
go test ./...

# Verbose with no cache:
go test ./... -v -count=1

# Single package:
go test ./pkg/fleet/... -v

Docker Development

docker compose --profile gateway up -d                    # Gateway mode
docker compose run --rm devopsclaw-agent -m "Hello"       # One-shot agent
docker compose down                                        # Stop all

Contributing

See CONTRIBUTING.md.

License

MIT

Directories

Path Synopsis
cmd
devopsclaw command
pkg
audit
Package audit provides an immutable, structured audit log for DevOpsClaw.
Package audit provides an immutable, structured audit log for DevOpsClaw.
browser
Package browser provides browser automation capabilities for DevOpsClaw using Rod.
Package browser provides browser automation capabilities for DevOpsClaw using Rod.
bus
constants
Package constants provides shared constants across the codebase.
Package constants provides shared constants across the codebase.
contracts
Package contracts provides typed, validated tool definitions that replace the existing map[string]interface{} tool contracts with compile-time safe schemas.
Package contracts provides typed, validated tool definitions that replace the existing map[string]interface{} tool contracts with compile-time safe schemas.
deploy
Package deploy provides deployment strategy orchestration for fleet-wide deployments.
Package deploy provides deployment strategy orchestration for fleet-wide deployments.
fleet
Package fleet — PostgreSQL-backed durable store for fleet HA deployments.
Package fleet — PostgreSQL-backed durable store for fleet HA deployments.
observability
Package observability provides structured metrics, tracing, and logging for production DevOpsClaw deployments.
Package observability provides structured metrics, tracing, and logging for production DevOpsClaw deployments.
rbac
RBAC middleware for tool execution in the agent loop.
RBAC middleware for tool execution in the agent loop.
relay
Package relay — High Availability support for relay servers.
Package relay — High Availability support for relay servers.
resilience
Package resilience provides production-grade reliability primitives: circuit breakers, retry with exponential backoff, rate limiting, bulkheads, and idempotency controls.
Package resilience provides production-grade reliability primitives: circuit breakers, retry with exponential backoff, rate limiting, bulkheads, and idempotency controls.
runbook
Package runbook provides YAML-defined, versioned, multi-step workflow execution.
Package runbook provides YAML-defined, versioned, multi-step workflow execution.
tui
Package tui – agent_chat.go Lightweight print-based renderer for one-shot / non-interactive mode.
Package tui – agent_chat.go Lightweight print-based renderer for one-shot / non-interactive mode.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL