From 29e45277452748541a8b8a81e4e0b34302f89f4a Mon Sep 17 00:00:00 2001
From: pieced-ci
Date: Mon, 11 May 2026 19:25:51 +0000
Subject: [PATCH] Sync chart from pieced-operator 0.1.44

---
 deploy/helm/pieced-operator/Chart.yaml | 4 +-
 .../pieced-operator/templates/catalog-cm.yaml | 378 ++++++++++++++++--
 deploy/helm/pieced-operator/values.yaml | 2 +-
 3 files changed, 342 insertions(+), 42 deletions(-)

diff --git a/deploy/helm/pieced-operator/Chart.yaml b/deploy/helm/pieced-operator/Chart.yaml
index 3cd4429..49e8080 100644
--- a/deploy/helm/pieced-operator/Chart.yaml
+++ b/deploy/helm/pieced-operator/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: pieced-operator
 description: PieCed IT tenant lifecycle operator
-version: 0.1.43
-appVersion: "0.1.43"
+version: 0.1.44
+appVersion: "0.1.44"
 type: application
diff --git a/deploy/helm/pieced-operator/templates/catalog-cm.yaml b/deploy/helm/pieced-operator/templates/catalog-cm.yaml
index 5bc03ee..82f78eb 100644
--- a/deploy/helm/pieced-operator/templates/catalog-cm.yaml
+++ b/deploy/helm/pieced-operator/templates/catalog-cm.yaml
@@ -1,5 +1,18 @@
 # The package catalog is deployed as a ConfigMap in the operator namespace.
 # To update packages, edit the catalog data below and upgrade the Helm release.
+#
+# Categories:
+# - core — toggles platform-level OpenClaw behaviour (heartbeat, cron,
+# active-memory, voice) via config_patch. No channel bindings,
+# no skills.
+# - channel — adds a messaging channel (Telegram, Discord, …).
+# - skill — adds a ClawHub or pack: skill ref to the OpenClawInstance.
+#
+# Quiet hours are not exposed as a separate package — in OpenClaw they live
+# under the heartbeat config (via the active-window setting and via
+# HEARTBEAT.md content rules). When we expose a tenant-tunable time range
+# in the portal, it will become additional fields on core-heartbeat rather
+# than its own package.
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -10,6 +23,126 @@ metadata: data: catalog.yaml: | packages: + + # ===================================================================== + # CORE — platform behaviour toggles. Patched into OCI config.raw via + # config_patch (deep-merged on top of the operator's safe defaults). + # ===================================================================== + + core-heartbeat: + name: Heartbeat (Proactive Checks) + category: core + description: > + Periodic agent run (default every 30 min) that lets the assistant + check inbox, calendar, and other configured sources and message + you proactively when something needs attention. Without this, the + assistant only responds when you message it first. + # OpenClaw treats an absent agents.defaults.heartbeat block as + # "no heartbeat scheduler". When core-heartbeat is enabled, this + # patch installs the every-30-minute cadence. The actual checklist + # the heartbeat reads lives in workspace HEARTBEAT.md (seeded + # separately via spec.workspaceFiles); without a HEARTBEAT.md the + # heartbeat fires harmlessly and replies HEARTBEAT_OK. + # + # Quiet hours: OpenClaw supports both a config-level active window + # under agents.defaults.heartbeat (skipped outside the window) and + # in-content rules inside HEARTBEAT.md. Neither is exposed in the + # portal yet — when added, they become extra fields on this + # package, not a separate core-quiet-hours package. + config_patch: + agents: + defaults: + heartbeat: + every: "30m" + + core-cron: + name: Scheduled Tasks (Cron) + category: core + description: > + Allow the assistant to run scheduled tasks (daily briefings, + recurring reminders, periodic reports). Off by default. When + off, the agent's cron tool stays available but no scheduled + job ever fires. + # Flips the cron scheduler on. Default base configRaw sets + # cron.enabled=false (see builder.go), so this overlay only + # writes true when the package is enabled. 
Job storage lives on + # the tenant PVC at ~/.openclaw/cron/jobs.json by default. + config_patch: + cron: + enabled: true + + core-active-memory: + name: Active Memory + category: core + description: > + Lets the assistant recall stable preferences, recurring habits, + and long-term context from past conversations during a chat. + Uses an extra sub-agent turn per inbound message to query the + memory store. Direct-message sessions only — group and channel + sessions stay deterministic. Trades a small amount of token + cost for continuity and personalisation. + # OpenClaw 2026.5.x ships Active Memory as a plugin under + # plugins.entries.active-memory with a two-gate activation model: + # (1) the plugin must be enabled, (2) the request must be an + # eligible direct-chat session. Scoped to "main" agent and + # "direct" chat types for safe-default behaviour. The recall + # model inherits the session's chat model when available; the + # modelFallback is used only when nothing else resolves and + # should be present in LiteLLM. Adjust as needed for the + # platform's default cheap model. + config_patch: + plugins: + entries: + active-memory: + enabled: true + config: + enabled: true + agents: ["main"] + allowedChatTypes: ["direct"] + modelFallback: "pieced-mini" + queryMode: "recent" + promptStyle: "balanced" + timeoutMs: 15000 + maxSummaryChars: 220 + persistTranscripts: false + logging: false + + core-voice: + name: Voice Interaction + category: core + description: > + Speech-to-text on incoming voice notes and text-to-speech on + replies. Routed through PieCed's LiteLLM gateway so audio cost + is tracked per-tenant alongside chat. + # PHASE A: catalog entry only. No config_patch yet — toggling + # this package stores customer intent but does not change the + # OCI config. 
PHASE B (next iteration) wires in chatterbox-tts + # and a whisper adapter (or speaches-server) behind LiteLLM and + # adds the config_patch below, roughly: + # + # config_patch: + # tools: + # media: + # audio: + # enabled: true + # models: + # - provider: openai + # model: pieced-whisper + # apiBase: http://litellm.inference.svc:4000/v1 + # messages: + # tts: + # auto: inbound + # provider: openai + # openai: + # model: pieced-tts + # voice: nova + + # ===================================================================== + # CHANNELS — messaging integrations. Each ships a Channels map that + # the builder copies into config.channels, env_vars for credentials, + # and bindings so messages route to the default agent. + # ===================================================================== + telegram: name: Telegram category: channel 
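Review bot: The customer-facing `description` of `core-voice` promises speech-to-text on voice notes and text-to-speech on replies, but the comment directly beneath it states that in PHASE A there is no `config_patch` and enabling the package only records intent, so a tenant reading the portal text would expect voice to work when it does nothing yet. Consider adding a sentence to that description such as `Not yet active — enabling this records your preference for the upcoming rollout.` so the catalog does not overstate what the toggle does. Separately, `core-active-memory` pins `modelFallback: "pieced-mini"` and the comment only says the alias "should be present in LiteLLM"; if it is missing, the recall path presumably fails at runtime rather than at catalog load, so a comment pointing at where the alias is defined (or stating that the operator validates it) would help the next maintainer.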
@@ -62,51 +195,218 @@ data: 2. Create app, add bot, copy token and app ID 3. Invite bot to server with messages scope - email: - name: Email (Gmail) - category: channel - description: Email integration via Gmail IMAP/SMTP - channels: - email: - enabled: true - settings: - provider: gmail - env_vars: - - name: EMAIL_ADDRESS - secret_key: address - vault_path_suffix: email - - name: EMAIL_APP_PASSWORD - secret_key: app-password - vault_path_suffix: email - bindings: - - match: - channel: email - egress_rules: - - host: imap.gmail.com - port: 993 - - host: smtp.gmail.com - port: 465 + # ===================================================================== + # SKILLS — ClawHub skill installs. Operator passes each entry through + # to OpenClawInstance.spec.skills, where the OpenClaw operator's init + # container fetches it before the agent starts. Bare "/" + # resolves through ClawHub by default. + # ===================================================================== - web-search: - name: Web Search + git-cli: + name: Git CLI category: skill - description: Web search via internal SearXNG + description: > + Standalone git command-line operations (clone, commit, branch, + diff, log, status). For private repositories, configure + credentials in your workspace. skills: - - "pack:openclaw/skills/web-search@latest" + - "openlang-cn/git-cli" + egress_rules: + - host: github.com + port: 443 + - host: gitlab.com + port: 443 + + github: + name: GitHub (gh CLI) + category: skill + description: > + Interact with GitHub repositories via the gh CLI — issues, PRs, + CI runs, releases, gists. Requires a personal access token. + skills: + - "steipete/github" + env_vars: + - name: GH_TOKEN + secret_key: token + vault_path_suffix: github + required: true + egress_rules: + - host: api.github.com + port: 443 + - host: github.com + port: 443 + - host: codeload.github.com + port: 443 + customer_instructions: | + 1. Open https://github.com/settings/tokens + 2. 
Generate a fine-grained personal access token with the + repo scopes you want the assistant to use. + 3. Copy the token (it is shown only once). + + gitea: + name: Gitea + category: skill + description: > + Interact with a Gitea instance — repositories, issues, PRs, + releases. Defaults to the PieCed-platform Gitea at + git.c5ai.ch; supply your own GITEA_URL if you host elsewhere. + skills: + - "ericxliu1990/gitea" + env_vars: + - name: GITEA_URL + default: "https://git.c5ai.ch" + - name: GITEA_TOKEN + secret_key: token + vault_path_suffix: gitea + required: true + egress_rules: + - host: git.c5ai.ch + port: 443 + customer_instructions: | + 1. Log in to your Gitea instance (default https://git.c5ai.ch). + 2. Go to Settings → Applications → Generate New Token. + 3. Grant the scopes you want the assistant to use (repo, issue, + user — minimum needed for most workflows). + 4. Copy the token. + + whisper-self-hosted: + name: Whisper (Self-Hosted Transcription) + category: skill + description: > + Transcribe audio files via the platform's self-hosted Whisper + ASR instance. Useful for ad-hoc transcription tasks initiated + from chat; channel-level voice intake is handled separately by + the Voice CORE feature. + skills: + - "xavjer/openclaw-self-hosted-whisper" + env_vars: + - name: WHISPER_URL + default: "http://whisper-asr.whisper-asr.svc.cluster.local:9000" + + searxng-local-search: + name: Web Search (SearXNG) + category: skill + description: > + Privacy-respecting web search via the platform's internal + SearXNG instance. Search the web, images, news, and more + without external API calls or trackers. 
+ skills: + - "noblepayne/searxng-local-search" env_vars: - name: SEARXNG_URL default: "http://searxng.searxng.svc.cluster.local:8080" - egress_rules: [] - document-processing: - name: Document Processing + gog: + name: Google Workspace (Gog) category: skill - description: PDF, DOCX, spreadsheet processing + description: > + Bundled access to Gmail, Calendar, Drive, Docs, Sheets, and + Contacts via Google OAuth. Setup requires a Google Cloud + project and an OAuth client. NOTE: OAuth flow is not yet + self-service in the portal — contact PieCed support for + credentials onboarding. skills: - - "pack:openclaw/skills/document-processing@latest" - init_deps: - apt: - - pandoc - - libreoffice-writer-nogui - - ffmpeg - egress_rules: [] + - "steipete/gog" + env_vars: + - name: GOG_CLIENT_ID + secret_key: client-id + vault_path_suffix: gog + required: true + - name: GOG_CLIENT_SECRET + secret_key: client-secret + vault_path_suffix: gog + required: true + - name: GOG_REFRESH_TOKEN + secret_key: refresh-token + vault_path_suffix: gog + required: true + egress_rules: + - host: oauth2.googleapis.com + port: 443 + - host: www.googleapis.com + port: 443 + - host: gmail.googleapis.com + port: 443 + - host: calendar.googleapis.com + port: 443 + - host: drive.googleapis.com + port: 443 + - host: docs.googleapis.com + port: 443 + - host: sheets.googleapis.com + port: 443 + - host: people.googleapis.com + port: 443 + customer_instructions: | + Google Workspace integration uses OAuth and requires manual + onboarding for now. Please open a support ticket to start + the setup process — we will exchange the client credentials + and a refresh token offline, then enable this package on + your tenant. + disclaimer: > + By enabling Google Workspace integration you authorize PieCed + to access Gmail, Calendar, Drive, Docs, Sheets, and Contacts + on your behalf. Data flows through Google's APIs subject to + Google's terms. 
+ + mail: + name: Email (IMAP / SMTP) + category: skill + description: > + Read, search, and manage email via IMAP; send via SMTP. Works + with Gmail (with an app password), Outlook, Fastmail, and any + standard IMAP/SMTP host. Replaces the previous Gmail-only + channel. + skills: + - "ivangdavila/mail" + env_vars: + - name: IMAP_HOST + secret_key: imap-host + vault_path_suffix: mail + required: true + - name: IMAP_USER + secret_key: imap-user + vault_path_suffix: mail + required: true + - name: IMAP_PASS + secret_key: imap-pass + vault_path_suffix: mail + required: true + - name: SMTP_HOST + secret_key: smtp-host + vault_path_suffix: mail + required: true + - name: SMTP_USER + secret_key: smtp-user + vault_path_suffix: mail + required: true + - name: SMTP_PASS + secret_key: smtp-pass + vault_path_suffix: mail + required: true + # The mail skill connects to tenant-supplied IMAP/SMTP servers on + # ports 993 / 465 / 587. The hostnames are not known at catalog + # time, so we open these ports to "world" rather than declaring + # FQDNs. Trade-off accepted for pilot — see catalog.EgressRule + # for the rule shape and rationale. + egress_rules: + - port: 993 + world: true + - port: 465 + world: true + - port: 587 + world: true + customer_instructions: | + 1. For Gmail: enable 2-Step Verification, then create an App + Password at https://myaccount.google.com/apppasswords and + use it as both IMAP and SMTP password. + 2. For Outlook/Microsoft 365 with MFA: generate an app + password under your account's security settings. + 3. For other providers: refer to their IMAP/SMTP documentation + for host names and ports. + 4. Typical IMAP_HOST values: imap.gmail.com, outlook.office365.com. + 5. Typical SMTP_HOST values: smtp.gmail.com, smtp.office365.com. + disclaimer: > + The assistant gains read/write access to the mailbox you + configure. Use a dedicated address rather than a personal + inbox if you want to limit scope. 
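Review bot: The new `mail` skill opens egress on ports 993/465/587 with `world: true`, which drops the host scoping the removed `email` channel had (`imap.gmail.com:993`, `smtp.gmail.com:465`) and lets the tenant workload reach any IMAP/SMTP endpoint on those ports; the comment accepts this for the pilot, so at least tie it to a follow-up, e.g. `# TODO(pilot): derive host-scoped rules from IMAP_HOST/SMTP_HOST once egress rules can use tenant-supplied values`, given both hosts are already collected as required env_vars. The `gitea` description invites tenants to "supply your own GITEA_URL if you host elsewhere", but its `egress_rules` only allow `git.c5ai.ch:443`, so a self-hosted URL would presumably be blocked if egress is enforced as for the other entries; either add to `customer_instructions` that other hosts need an egress exception or drop that sentence. The removed `web-search` and `document-processing` entries declared `egress_rules: []` explicitly, whereas the new `searxng-local-search` and `whisper-self-hosted` entries omit the key; keeping the explicit empty list makes "no egress" a visible decision rather than a loader default. Note also that `mail` stores credentials under `vault_path_suffix: mail` with different `secret_key` names than the removed `email` channel (`address`/`app-password`), so existing tenants' stored credentials will not carry over without a migration step — worth stating in the commit message or the description.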
diff --git a/deploy/helm/pieced-operator/values.yaml b/deploy/helm/pieced-operator/values.yaml
index b0cb7fc..b4fc6fb 100644
--- a/deploy/helm/pieced-operator/values.yaml
+++ b/deploy/helm/pieced-operator/values.yaml
@@ -1,6 +1,6 @@
 image:
 repository: registry.c5ai.ch/pieced/pieced-operator
- tag: "0.1.43"
+ tag: "0.1.44"
 pullPolicy: IfNotPresent
 imagePullSecrets: