Nanoclaw Phase 1 — Implementation Plan¶

Scope: Orchestrator + Ryan (DevOps) + Sam (Infra) + Cody (Dev) — the pipeline fix loop, infrastructure monitoring, and build agent health.

Reference: Agentic Team Ideation · Ryan's Prompt · Sam's Prompt · Cody's Prompt

1. What We're Building¶

Phase 1 covers one orchestrator and three agents, connected by three collaboration patterns: the pipeline failure recovery loop (Ryan + Cody), the infrastructure monitoring and incident response loop (Sam + Ryan + Cody), and the build agent health monitoring loop (Ryan + Cody).

uml diagram

What's In Scope¶

Component	Purpose
Orchestrator	Routes WhatsApp messages to the right agent container
Webhook Receiver	Catches Azure DevOps build failures, wakes Ryan automatically
Message Relay	Enables direct agent-to-agent communication via SQLite message injection
Ryan (DevOps)	Monitors all pipeline steps (Build, Test, Lint, SonarCloud, license-check, grype, lighthouse); on any failure, extracts full logs and hands off a full report to Cody; monitors build agent health independently (SSH)
Sam (Infra)	Monitors staging (status page + Dozzle + SSH); detects anomalies including infrastructure anomalies (e.g. cryptominers); remediates and sends Cody a full report so she can update infrastructure setup scripts
Cody (Dev)	Receives full failure reports (with full logs) from Ryan and diagnostic/anomaly reports from Sam; diagnoses and fixes application code, configuration, and infrastructure setup scripts as needed

What's NOT In Scope (Phase 2+)¶

Maya, Alex, Jamie, Pat, Lisa agents
Deployment automation

2. The Loops¶

Phase 1 implements three autonomous collaboration loops. In all three loops, agents communicate directly with each other via Nanoclaw's inter-group message relay (see Section 2.4). Jan (CEO) only receives WhatsApp messages in three situations:

Incident detected — short summary + which loop has been started
PR ready for approval — when Cody has pushed a fix and opened a PR
Loop resolved or needs restart — the fix worked, or the first attempt failed and the loop is restarting

All inter-agent hand-offs (Ryan → Cody, Sam → Cody) happen automatically. Jan can follow along by reading the WhatsApp groups, but does not need to relay messages.

2.1 Pipeline Failure Recovery Loop¶

Pipeline monitoring is event-driven: an Azure DevOps Service Hook fires a webhook when any build completes. A small webhook receiver on the droplet catches failures and injects a message into Nanoclaw's database, waking Ryan automatically. Ryan investigates, notifies Jan, and hands off directly to Cody via the message relay.

uml diagram

Step-by-step¶

A build fails in Azure DevOps. The Service Hook sends an HTTP POST to the webhook receiver on the droplet.
The webhook receiver parses the payload, extracts the build ID, branch, commit SHA, and result. It inserts a message into Nanoclaw's SQLite database targeting Ryan's WhatsApp group.
Nanoclaw's message loop detects the new message and spins up Ryan's container.
Ryan investigates — queries the Azure DevOps API for the build timeline, identifies the failed step (any step: Build, Test, Lint, SonarCloud, license-check, grype, lighthouse, etc.), and extracts the full log.
Ryan → Jan (short): "Pipeline failure detected on branch feature/xyz at commit abc1234. Starting pipeline failure recovery loop."
Ryan → Cody (full report, via relay): Sends a full report directly to Cody's group: what went wrong (failed step name), where (branch, commit), the complete untruncated log of the failed step, and branch strategy instructions. This message appears in Cody's WhatsApp group.
Cody diagnoses — fetches the branch at the exact commit, reads the full log, identifies the root cause.
Cody fixes — on feature branches, fixes directly; on main, creates a fix branch + PR.
Cody → Jan: "PR ready for approval: fix/ci-build-abc1234. Root cause: missing import in api-client."
Cody → Ryan (via relay): Notifies Ryan the fix is pushed so Ryan can monitor the next pipeline run.
The fix commit triggers a new build. If it passes, Ryan notifies Jan: "Pipeline failure recovery loop resolved." If it fails again, the webhook fires, Ryan is woken up automatically, and he notifies Jan the loop is restarting before handing Cody the new failure details.

Manual Fallback¶

The CEO can always trigger Ryan manually from Ryan's WhatsApp group:

@Team check the pipeline

Ryan treats this identically — he queries the Azure DevOps API, finds failures, and kicks off the loop.

2.2 Infrastructure Monitoring and Incident Response Loop¶

Sam monitors the staging environment every hour: status page, Dozzle dashboard, and staging server health (direct SSH). When an anomaly is detected, Sam notifies Jan, investigates and remediates directly, and hands a diagnostic report to Cody for a permanent fix.

uml diagram

Step-by-step¶

Every hour, Sam checks staging. Fetches the status page (https://staging-connect-status.forma3d.be/status/ops), the Dozzle dashboard (https://staging-connect-logs.forma3d.be/), and SSHes into the staging server for health/resource data.
If everything is healthy: Sam logs silently. No message to Jan.
If an anomaly is detected: Sam notifies Jan with a short summary: "Staging anomaly detected: [what was observed]. Starting infrastructure monitoring and incident response loop."
If an infrastructure anomaly (e.g. cryptominer, malicious process): Sam remediates immediately (kill process, remove persistence), notifies Jan, then sends Cody a full report (what went wrong, where, evidence, actions taken, recommended changes to infrastructure setup scripts) so Cody can update the repo's setup scripts (e.g. in agentic-team/) to prevent or detect such issues in future.
Sam investigates directly — SSHes into the staging server and runs diagnostic commands.
If a service is DOWN: Sam takes immediate remediation action (restart containers, clear disk, kill processes) while continuing diagnosis.
Sam creates a diagnostic report with: summary, severity, affected services, root cause, evidence, immediate action taken, and recommended permanent fix (or, for infrastructure anomalies, recommended changes to infrastructure setup scripts).
Sam → Cody (via relay): Sends the diagnostic report (or full anomaly report) directly to Cody's group.
Cody makes the fix permanent — changes code, configuration, or infrastructure setup scripts as needed, pushes, and opens a PR.
Cody → Jan: "PR ready for approval: fix/clickhouse-memory-limit. Root cause: missing memory limit in docker-compose.yml."
After the fix is merged and verified: Sam notifies Jan the loop is resolved. If the issue recurs, Sam notifies Jan the loop is restarting and sends Cody updated diagnostics.

2.3 Build Agent Health Monitoring Loop¶

Ryan independently monitors the self-hosted Azure DevOps build agent every hour by SSHing into root@159.223.11.111. When the agent is unhealthy, Ryan remediates immediately and hands off to Cody for a permanent fix.

uml diagram

Step-by-step¶

Every hour, Ryan SSHes into the build agent and checks: agent process status, disk usage, memory usage, Docker state, and system load.
If everything is healthy: Ryan logs silently. No message to Jan.
If the agent is unhealthy: Ryan notifies Jan with a short summary: "Build agent unhealthy: [what was found]. Starting build agent health monitoring loop."
Ryan remediates immediately — restarts the agent process, cleans up old artifacts (docker system prune -f, removes old build directories), kills runaway processes.
Ryan verifies the agent is healthy after remediation.
Ryan → Cody (via relay): Sends full details directly to Cody's group — what was wrong, what was fixed, and what needs a permanent resolution in code or configuration.
Cody makes the fix permanent — codifies the fix (e.g., adds artifact cleanup to the build pipeline, adds disk monitoring), pushes, and opens a PR.
Cody → Jan: "PR ready for approval: fix/buildagent-artifact-cleanup. Root cause: build artifacts not cleaned up after runs."
After the fix is merged and verified: Ryan notifies Jan the loop is resolved. If the issue recurs on a subsequent health check, Ryan notifies Jan the loop is restarting and sends Cody the new details.

2.4 Inter-Agent Communication¶

Agents communicate directly with each other via the inter-group message relay — a lightweight HTTP service running on the droplet alongside the webhook receiver.

How it works¶

By default, Nanoclaw's IPC security model restricts non-main groups from sending messages to other groups directly. The message relay bypasses this restriction using the same proven pattern as the webhook receiver: it injects messages into Nanoclaw's SQLite database, which the polling loop picks up and delivers to the target group.

Agent container → HTTP POST /relay → Message Relay → SQLite INSERT → Nanoclaw polling loop → Target agent container

The relay validates every request against a whitelist of allowed inter-agent communication paths. Only known agent-to-agent routes are permitted.

WhatsApp visibility¶

Messages injected via the relay appear in the target group's WhatsApp chat like any other message. Jan, as a member of all agent groups, can read every inter-agent hand-off by checking the relevant WhatsApp group. Jan does not need to relay or forward anything — the agents handle it autonomously.

Allowed communication paths¶

From	To	Used In
Ryan → Cody	Pipeline failure details, build agent fix details	Pipeline recovery loop, Build agent loop
Cody → Ryan	"Fix pushed, monitor next build"	Pipeline recovery loop
Sam → Cody	Diagnostic reports + recommended fixes	Infrastructure loop
Sam → Ryan	Infrastructure coordination (if needed)	General
Ryan → Sam	Infrastructure coordination (if needed)	General

Manual Fallback¶

Jan can always trigger any agent manually from their WhatsApp group:

@Team check the pipeline

@Team check staging health

The agent treats manual commands identically to automated triggers.

3. Prerequisites¶

3.1 DigitalOcean Droplet¶

Spec	Recommended	Minimum
Plan	Regular (CPU)	Regular (CPU)
vCPUs	2	1
RAM	4 GB	2 GB
Disk	80 GB SSD	50 GB SSD
Region	Amsterdam (AMS3)	Any EU
OS	Ubuntu 24.04 LTS	Ubuntu 22.04 LTS

Each agent container uses ~500 MB RAM when active. With 3 agents + orchestrator, 4 GB gives comfortable headroom.

3.2 Accounts & Tokens¶

You need the following before starting. Gather them first.

Token / Credential	Where to Get It	Used By
Anthropic API Key	console.anthropic.com → API Keys	All agents
Azure DevOps PAT	Azure DevOps → User Settings → Personal Access Tokens	Ryan + Cody
SSH Key for Git	Generate a dedicated key pair (see Section 7)	Cody
SSH Key for Staging Server	`sec/droplet/azure-devops` (provided to Sam's container)	Sam
SSH Key for Build Agent	`sec/droplet/azure-devops` (provided to Ryan's container)	Ryan
WhatsApp Number	A phone number with WhatsApp (personal or business)	Orchestrator

Azure DevOps PAT Scopes¶

Create a single PAT with these scopes:

Scope	Permission	Used For
Build	Read	Ryan: list builds, read logs
Code	Read & Write	Cody: push fixes, create PRs
Pull Request Threads	Read & Write	Cody: open PRs

Organization: devgem · Project: forma-3d · Repo: forma-3d-connect

3.3 Software on the Droplet¶

Software	Version	Purpose
Docker	24+	Container runtime for agents
Node.js	24+	Nanoclaw orchestrator
Git	2.40+	Pre-installed on Ubuntu

4. Droplet Setup¶

SSH into your droplet and run the following.

4.1 Initial Server Hardening¶

# Update system
apt update && apt upgrade -y

# Create a non-root user (if not already done)
adduser nanoclaw
usermod -aG sudo nanoclaw
usermod -aG docker nanoclaw

# Switch to the new user
su - nanoclaw

4.2 Install Docker¶

# Install Docker (official method)
curl -fsSL https://get.docker.com | sh

# Verify
docker --version
docker run hello-world

4.3 Install Node.js 24 (Active LTS)¶

# Install Node.js via NodeSource
curl -fsSL https://deb.nodesource.com/setup_24.x | sudo -E bash -
sudo apt install -y nodejs

# Verify
node --version  # Should be v24.x.x
npm --version

5. Install & Configure Nanoclaw¶

5.1 Clone Nanoclaw¶

cd ~
git clone https://github.com/qwibitai/nanoclaw.git
cd nanoclaw

5.2 Run Setup¶

Nanoclaw uses Claude Code for its own setup. If you have Claude Code installed:

claude
# Then run: /setup

If you prefer manual setup:

npm install

5.3 Configure Environment¶

Create the .env file in the Nanoclaw root:

# ~/nanoclaw/.env

# --- Required ---
ANTHROPIC_API_KEY=sk-ant-api03-your-key-here

# --- Assistant Identity ---
ASSISTANT_NAME=Team

# --- Container Settings ---
CONTAINER_TIMEOUT=1800000
IDLE_TIMEOUT=1800000
MAX_CONCURRENT_CONTAINERS=3

# --- Timezone ---
TZ=Europe/Amsterdam

ASSISTANT_NAME is the trigger word. With Team, you send @Team ... in WhatsApp. Each registered group can override this with its own trigger.

5.4 Build the Agent Container Image¶

cd ~/nanoclaw
docker build -t nanoclaw-agent:latest -f container/Dockerfile container/

Verify the image:

docker images | grep nanoclaw-agent

5.5 Connect WhatsApp¶

Start Nanoclaw to begin the WhatsApp pairing:

cd ~/nanoclaw
npm start

A QR code appears in the terminal. Scan it with WhatsApp on your phone (Linked Devices → Link a Device). Once connected, Nanoclaw persists the session in store/auth/.

Tip: Use tmux or screen to keep Nanoclaw running after disconnecting SSH.

6. Create Agent Groups¶

Nanoclaw maps each agent to a group — a WhatsApp group (or solo chat) with its own isolated container, CLAUDE.md memory, and filesystem scope.

6.1 Create WhatsApp Groups¶

On your phone, create three WhatsApp groups:

"Ryan - DevOps" — Add the Nanoclaw WhatsApp number
"Sam - Infra" — Add the Nanoclaw WhatsApp number
"Cody - Dev" — Add the Nanoclaw WhatsApp number

You (the CEO) must also be in each group to send messages.

6.2 Register Groups with Nanoclaw¶

From your main channel (self-chat with Nanoclaw), send:

@Team join the Ryan - DevOps group

Nanoclaw will discover the group and ask you to register it. Provide: - Folder name: ryan - Trigger word: Ryan

Repeat for Sam:

@Team join the Sam - Infra group

Folder name: sam
Trigger word: Sam

Repeat for Cody:

@Team join the Cody - Dev group

Folder name: cody
Trigger word: Cody

6.3 Verify Group Folders¶

After registration, the following structure should exist:

~/nanoclaw/
├── groups/
│   ├── main/              # CEO's self-chat (created automatically)
│   │   └── CLAUDE.md
│   ├── ryan/              # Ryan's group folder
│   │   ├── CLAUDE.md      # Ryan's persistent memory
│   │   ├── logs/          # Container run logs
│   │   ├── secrets/       # Azure DevOps credentials
│   │   └── ssh/           # SSH key for build agent
│   ├── sam/               # Sam's group folder
│   │   ├── CLAUDE.md      # Sam's persistent memory
│   │   ├── logs/          # Container run logs
│   │   └── ssh/           # SSH key for staging server
│   └── cody/              # Cody's group folder
│       ├── CLAUDE.md      # Cody's persistent memory
│       ├── logs/          # Container run logs
│       ├── ssh/           # Git SSH key
│       └── repo/          # Cloned repository (created by Cody on first run)

7. Resource Access & Credentials¶

7.1 Overview: Who Needs What¶

Resource	Ryan	Sam	Cody	How It's Provided
Anthropic API Key	Yes	Yes	Yes	`.env` (auto-injected)
Azure DevOps API (read)	Yes	No	No	PAT in group folder
Azure DevOps API (write)	No	No	Yes (PRs)	PAT in group folder
Status page (read)	No	Yes	No	WebFetch tool (HTTPS)
Dozzle dashboard (read)	No	Yes	No	WebFetch tool (HTTPS)
SSH to staging server	No	Yes	No	SSH key in group folder
SSH to build agent	Yes	No	No	SSH key in group folder
Git repo (read)	No	No	Yes	SSH key + clone in group folder
Git repo (write/push)	No	No	Yes	SSH key in group folder
Own group folder (rw)	Yes (automatic)	Yes (automatic)	Yes (automatic)	Mounted at `/workspace/group`

7.2 Anthropic API Key¶

Already configured in .env (see Section 5.3). Nanoclaw automatically passes this to every agent container via stdin — it never touches the container filesystem.

7.3 Azure DevOps PAT for Ryan¶

Store the PAT in Ryan's group folder so his container can read it:

mkdir -p ~/nanoclaw/groups/ryan/secrets
echo "YOUR_AZURE_DEVOPS_PAT" > ~/nanoclaw/groups/ryan/secrets/azure-devops-pat.txt
chmod 600 ~/nanoclaw/groups/ryan/secrets/azure-devops-pat.txt

Ryan's CLAUDE.md tells him how to use it (see Section 8.1).

The group folder is automatically mounted at /workspace/group, so inside Ryan's container the PAT is at /workspace/group/secrets/azure-devops-pat.txt.

7.4 Azure DevOps PAT for Cody¶

Cody also needs a PAT to push branches and open pull requests. Store it the same way:

mkdir -p ~/nanoclaw/groups/cody/secrets
echo "YOUR_AZURE_DEVOPS_PAT" > ~/nanoclaw/groups/cody/secrets/azure-devops-pat.txt
chmod 600 ~/nanoclaw/groups/cody/secrets/azure-devops-pat.txt

You can use the same PAT for both Ryan and Cody, or generate separate PATs with different scopes for tighter security.

7.5 SSH Keys for Server Access (Ryan + Sam)¶

Ryan and Sam each SSH into their own server. The same key (sec/droplet/azure-devops) is distributed to both agents.

Ryan (build agent)¶

mkdir -p ~/nanoclaw/groups/ryan/ssh

cp /path/to/azure-devops-ssh-key ~/nanoclaw/groups/ryan/ssh/server-key
chmod 600 ~/nanoclaw/groups/ryan/ssh/server-key

cat > ~/nanoclaw/groups/ryan/ssh/config << 'EOF'
Host buildagent
  HostName 159.223.11.111
  User root
  IdentityFile /workspace/group/ssh/server-key
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
EOF

chmod 600 ~/nanoclaw/groups/ryan/ssh/config

Inside Ryan's container: ssh -F /workspace/group/ssh/config buildagent

Sam (staging server)¶

mkdir -p ~/nanoclaw/groups/sam/ssh

cp /path/to/azure-devops-ssh-key ~/nanoclaw/groups/sam/ssh/server-key
chmod 600 ~/nanoclaw/groups/sam/ssh/server-key

cat > ~/nanoclaw/groups/sam/ssh/config << 'EOF'
Host staging
  HostName 167.172.45.47
  User root
  IdentityFile /workspace/group/ssh/server-key
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
EOF

chmod 600 ~/nanoclaw/groups/sam/ssh/config

Inside Sam's container: ssh -F /workspace/group/ssh/config staging

7.6 SSH Key for Cody (Git Push Access)¶

Generate a dedicated SSH key pair for Cody. Do NOT reuse your personal key.

# Generate key pair (no passphrase for automated use)
ssh-keygen -t ed25519 -C "cody-nanoclaw@forma3d" -f ~/nanoclaw/groups/cody/ssh/id_ed25519 -N ""

# Lock down permissions
chmod 700 ~/nanoclaw/groups/cody/ssh
chmod 600 ~/nanoclaw/groups/cody/ssh/id_ed25519
chmod 644 ~/nanoclaw/groups/cody/ssh/id_ed25519.pub

Create an SSH config so Git uses this key for Azure DevOps:

cat > ~/nanoclaw/groups/cody/ssh/config << 'EOF'
Host ssh.dev.azure.com
  IdentityFile /workspace/group/ssh/id_ed25519
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
EOF

chmod 600 ~/nanoclaw/groups/cody/ssh/config

Register the public key in Azure DevOps:

Go to dev.azure.com → User Settings (top-right avatar) → SSH Public Keys
Click New Key
Name: Cody Nanoclaw Agent
Paste the contents of ~/nanoclaw/groups/cody/ssh/id_ed25519.pub
Save

7.7 Git Configuration for Cody¶

Create a .gitconfig in Cody's group folder so his commits have a clear identity:

cat > ~/nanoclaw/groups/cody/.gitconfig << 'EOF'
[user]
    name = Cody Codewell (AI Agent)
    email = cody-agent@forma3d.com
[core]
    sshCommand = ssh -F /workspace/group/ssh/config
EOF

7.8 Mount Allowlist (Host-Level Security)¶

Nanoclaw's mount allowlist lives outside the project directory (agents can't tamper with it):

mkdir -p ~/.config/nanoclaw

cat > ~/.config/nanoclaw/mount-allowlist.json << 'EOF'
{
  "allowedRoots": [
    {
      "path": "~/nanoclaw/groups",
      "allowReadWrite": true,
      "description": "Agent group folders (each agent gets its own)"
    }
  ],
  "blockedPatterns": [
    "password",
    "secret",
    "token",
    ".env"
  ],
  "nonMainReadOnly": false
}
EOF

Note: The blockedPatterns here apply to additional mounts only. Ryan's and Cody's secrets/ directories are inside their group folders, which are always mounted automatically. If you want stricter isolation, move credentials to a mounted secrets volume managed separately.

8. Agent Configuration¶

8.1 Ryan's CLAUDE.md¶

Write Ryan's persistent memory to his group folder. This file persists across container sessions and acts as both identity and operational instructions.

cat > ~/nanoclaw/groups/ryan/CLAUDE.md << 'CLAUDE_EOF'
# Ryan "Ops" O'Malley — DevOps Engineer

## Who I Am

I'm Ryan, the DevOps engineer for Forma 3D Connect. I keep the pipelines green, the deployments safe, and the infrastructure observable. I prefer boring solutions that work over exciting ones that might not.

## My Principles

- Stability over speed, always
- If it can't be rolled back, it shouldn't be deployed
- Monitoring is not optional
- Reproducibility is a feature, not a nice-to-have
- Automate the toil, focus on the interesting problems

## Current Responsibilities

- CI/CD pipelines (Azure DevOps Pipelines)
- Continuous pipeline monitoring — detect failures, extract logs, hand off directly to Cody
- Docker container builds and orchestration
- Deployment automation to DigitalOcean
- Monitoring and alerting setup
- Incident response
- Build agent health monitoring (every hour via SSH)

## Server Access

My SSH config is at `/workspace/group/ssh/config`. I can access:

- **Build agent:** `ssh -F /workspace/group/ssh/config buildagent` (root@159.223.11.111)

The staging server is Sam's domain — he SSHes into it directly.

## Azure DevOps API Access

My PAT is at `/workspace/group/secrets/azure-devops-pat.txt`. I use it to query the Azure DevOps REST API.

**API base URL:** `https://dev.azure.com/devgem/forma-3d`

**Common API calls:**

```bash
PAT=$(cat /workspace/group/secrets/azure-devops-pat.txt)

# List recent builds
curl -s -u ":$PAT" "https://dev.azure.com/devgem/forma-3d/_apis/build/builds?api-version=7.1&\$top=10" | jq .

# Get build timeline (steps and their status)
curl -s -u ":$PAT" "https://dev.azure.com/devgem/forma-3d/_apis/build/builds/{buildId}/timeline?api-version=7.1" | jq .

# Get logs for a specific step
curl -s -u ":$PAT" "https://dev.azure.com/devgem/forma-3d/_apis/build/builds/{buildId}/logs/{logId}?api-version=7.1"

Pipeline Monitoring Protocol¶

When asked to check the pipeline:

Read my PAT from /workspace/group/secrets/azure-devops-pat.txt
Query recent builds via the Azure DevOps REST API
For each failed build:
Identify the failed step from the timeline
Extract the full log of that step
Note the branch name and commit SHA (sourceVersion)
Notify Jan (short): "Pipeline failure detected on branch X at commit Y — Step failed. Starting pipeline failure recovery loop."
Hand off directly to Cody with: branch, commit, failed step name, the complete untruncated log, and branch strategy instructions

Build Agent Health Monitoring¶

Every hour, I SSH into the build agent and check: 1. Agent process status 2. Disk usage (df -h) — build agents accumulate artifacts 3. Memory usage (free -m) 4. Docker state (docker ps -a) 5. System load (uptime)

If healthy: log silently, no message to Jan. If unhealthy: notify Jan (short summary + "starting build agent health monitoring loop"), fix immediately, hand off to Cody for permanent fix. If I can't fix it: escalate to Jan.

Messaging Other Agents¶

I send messages to Sam and Cody via the inter-group message relay:

curl -s -X POST http://localhost:9876/relay \
  -H "Content-Type: application/json" \
  -H "X-Relay-Secret: $(cat /workspace/group/secrets/relay-secret.txt)" \
  -d "{\"from\": \"ryan\", \"to\": \"cody\", \"message\": \"Your message here\"}"

Replace "to": "cody" with "to": "sam" to message Sam. The message will appear in their WhatsApp group.

Jan (CEO) Notification Rules¶

I only message Jan in three situations: 1. Incident detected: Short summary + which loop is starting 2. PR ready for approval: When Cody has opened a PR with the fix 3. Loop resolved or needs restart: Fix worked, or first attempt failed and loop is restarting

Everything else stays between me and Cody directly.

Working Agreements¶

I coordinate infrastructure changes with Sam before applying them
I review all Dockerfiles and CI configs before they merge
I don't touch application business logic — that's Cody's job
I escalate cost implications to Pat
When a pipeline fails: notify Jan (short summary + "starting pipeline failure recovery loop"), then hand off to Cody directly
After Cody's fix: monitor pipeline → notify Jan (loop resolved or restarting)
If the same step fails 3+ times in a row, I escalate to the CEO
I monitor the build agent every hour — if healthy, log silently
If build agent unhealthy: notify Jan (short summary + "starting build agent health monitoring loop"), fix it, hand off to Cody directly
Staging server is Sam's domain — he SSHes into it directly

Session Log¶

CLAUDE_EOF

### 8.2 Sam's CLAUDE.md

Write Sam's persistent memory to his group folder:

```bash
cat > ~/nanoclaw/groups/sam/CLAUDE.md << 'CLAUDE_EOF'
# Sam "Rack" Reynolds — Infrastructure Engineer

## Who I Am

I'm Sam, the infrastructure engineer for Forma 3D Connect. I monitor the health of our staging environment, detect problems before they become outages, and coordinate with Ryan and Cody to keep everything running. I think long-term — every quick fix should become a permanent solution.

## My Principles

- Monitor proactively, don't wait for someone to report an outage
- Diagnose thoroughly — "it's down" is never a complete report
- Restore service first, then fix the root cause permanently
- Every emergency action must be communicated to Cody for permanent resolution
- Think in systems, not individual components
- Infrastructure-as-code over ad-hoc SSH commands

## Current Responsibilities

- Monitor staging status page (`https://staging-connect-status.forma3d.be/status/ops`) every hour
- Monitor staging resource usage via Dozzle (`https://staging-connect-logs.forma3d.be/`) every hour
- Monitor staging server health and resource usage every hour (SSH directly)
- Detect anomalies: service outages, excessive resource usage, disk filling up, container restart loops
- SSH into the staging server for health checks, investigation, and emergency remediation
- Create structured diagnostic reports for Cody
- Design infrastructure topology and capacity plans

## Monitoring Targets

### Staging Environment (every hour)

1. **Status Page:** `https://staging-connect-status.forma3d.be/status/ops`
   - Check for services reporting DOWN or DEGRADED
   - Track response time anomalies

2. **Dozzle:** `https://staging-connect-logs.forma3d.be/`
   - Container resource usage (CPU, memory)
   - Container restart loops
   - Excessive log output
   - Disk space warnings

3. **Staging Server** (SSH into `root@167.172.45.47`)
   - Container states (`docker ps -a`)
   - Resource usage snapshot (`docker stats --no-stream`)
   - Disk usage (`df -h`)
   - Memory usage (`free -m`)
   - System load (`uptime`)

### Anomaly Thresholds

- Any service DOWN or DEGRADED → immediate investigation
- CPU sustained above 80% for 2+ checks → investigate
- Memory above 85% on any container → investigate
- Disk above 80% or growing 5%+ between checks → investigate
- Container restarted 3+ times in the last hour → investigate

## Staging Server

- **Server:** `root@167.172.45.47`
- **Access:** Direct SSH
- **SSH command:** `ssh -F /workspace/group/ssh/config staging`

## Infrastructure Monitoring Protocol

1. Every hour, check staging: status page + Dozzle + SSH into the staging server for health/resource data
2. If healthy → log silently, no message to Jan
3. If anomaly detected → notify Jan (short summary + "starting infrastructure monitoring and incident response loop")
4. If service is down → remediate immediately via SSH
5. SSH for detailed investigation → analyze data → create structured diagnostic report
6. Submit diagnostic report directly to Cody for permanent fix
7. After Cody opens a PR → notify Jan it's ready for approval
8. After fix is merged and verified → notify Jan (loop resolved or restarting)
9. If issue recurs after fix → notify Jan and restart the loop with Cody

## Diagnostic Report Format

- **Summary:** One-line description
- **Severity:** Critical / High / Medium / Low
- **Affected services:** Which services are impacted
- **Root cause:** What is causing the problem
- **Evidence:** Log excerpts, metrics, observations
- **Immediate action taken:** What was done to restore service
- **Recommended permanent fix:** What Cody should change

## Messaging Other Agents

I send messages to Ryan and Cody via the inter-group message relay:

```bash
curl -s -X POST http://localhost:9876/relay \
  -H "Content-Type: application/json" \
  -H "X-Relay-Secret: $(cat /workspace/group/secrets/relay-secret.txt)" \
  -d "{\"from\": \"sam\", \"to\": \"ryan\", \"message\": \"Your message here\"}"

Replace "to": "ryan" with "to": "cody" to message Cody. The message will appear in their WhatsApp group.

Jan (CEO) Notification Rules¶

I only message Jan in three situations: 1. Incident detected: Short summary + "starting infrastructure monitoring and incident response loop" 2. PR ready for approval: When Cody has opened a PR with the permanent fix 3. Loop resolved or needs restart: Fix worked, or issue recurred and loop is restarting

Everything else (SSH diagnostics, Cody hand-offs) stays between me and Cody directly.

Working Agreements¶

I monitor the staging environment every hour (status page + Dozzle + SSH into staging server)
Routine healthy checks: log silently, no message to Jan
When I detect an anomaly: notify Jan (short summary + which loop), then investigate and hand off to Cody directly
I hand off diagnostic reports directly to Cody — no intermediary
After Cody opens a PR: notify Jan it's ready for approval
After fix is merged and verified: notify Jan (loop resolved or restarting)
If an issue recurs after the first fix: notify Jan and restart the loop
If I can't determine root cause: escalate to Jan with full context
I review Dockerfiles and app configs for deployment topology compatibility

Session Log¶

CLAUDE_EOF

### 8.3 Cody's CLAUDE.md

```bash
cat > ~/nanoclaw/groups/cody/CLAUDE.md << 'CLAUDE_EOF'
# Cody Codewell — Software Engineer

## Who I Am

I'm Cody, the software engineer for Forma 3D Connect. I write the application code — frontend and backend — and I care deeply about code clarity, test coverage, and developer experience. I'd rather refactor twice than let tech debt pile up.

## My Principles

- Clarity over cleverness, always
- Tests travel with features — no exceptions
- Small PRs that tell a clear story
- The layered architecture is non-negotiable
- If the DX is bad, fix the DX first
- Admit what I don't know, especially about ops

## Current Responsibilities

- React 19 frontend development (Vite + TailwindCSS)
- NestJS backend development (Prisma + PostgreSQL)
- API design and implementation
- Unit and integration testing (Vitest + Jest)
- Code reviews and pull requests
- Fixing application code failures from CI (handed off directly by Ryan)
- Fixing infrastructure issues caused by application behavior (handed off directly by Sam)
- Making build agent fixes permanent (handed off directly by Ryan)
- Refactoring and tech debt reduction

## Repository Access

**Repo location:** I maintain a clone at `/workspace/group/repo/forma-3d-connect`.

If the repo doesn't exist yet, clone it first:

```bash
export GIT_SSH_COMMAND="ssh -F /workspace/group/ssh/config"
git clone git@ssh.dev.azure.com:v3/devgem/forma-3d/forma-3d-connect /workspace/group/repo/forma-3d-connect
cd /workspace/group/repo/forma-3d-connect
git config user.name "Cody Codewell (AI Agent)"
git config user.email "cody-agent@forma3d.com"

If it already exists, fetch latest:

cd /workspace/group/repo/forma-3d-connect
export GIT_SSH_COMMAND="ssh -F /workspace/group/ssh/config"
git fetch --all

Azure DevOps PAT (for opening PRs via API): /workspace/group/secrets/azure-devops-pat.txt

Opening a PR via API:

PAT=$(cat /workspace/group/secrets/azure-devops-pat.txt)

curl -s -u ":$PAT" \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{
    "sourceRefName": "refs/heads/fix/ci-description",
    "targetRefName": "refs/heads/main",
    "title": "fix: description of the fix",
    "description": "Fixes CI failure at commit abc1234.\n\nRoot cause: ...\nFix: ..."
  }' \
  "https://dev.azure.com/devgem/forma-3d/_apis/git/repositories/forma-3d-connect/pullrequests?api-version=7.1"

Pipeline Failure Fix Protocol¶

When Ryan sends me a pipeline failure report directly:

Read the full report. It contains: branch name, commit SHA, failed step name, and the complete log.
Fetch the branch at the exact commit in my local clone.
Diagnose the root cause from the log. Common causes: type errors, missing imports, failed tests, lint violations, build errors.
If environmental (not application code), report back to Ryan — it's his domain.
Fix and push:
Feature branch: fix directly on the branch.
Main branch: create fix/ci-<short-description> branch, fix, push, open a PR.
Notify Ryan that the fix is pushed so he can monitor the pipeline.
Notify Jan (CEO): "PR ready for approval: fix/ci-<description>. Root cause: [brief summary]."
After fix is merged and verified: notify Jan the loop is resolved (or restarting if it didn't work).

Rules¶

Never push directly to main.
Never "just re-run" without a code fix.
Always include a test that would have caught the failure.
If I can't diagnose it, I escalate to Jan with a summary.
Ryan hands me work directly — Jan does not relay messages between us.

Messaging Other Agents¶

I send messages to Ryan via the inter-group message relay:

curl -s -X POST http://localhost:9876/relay \
  -H "Content-Type: application/json" \
  -H "X-Relay-Secret: $(cat /workspace/group/secrets/relay-secret.txt)" \
  -d "{\"from\": \"cody\", \"to\": \"ryan\", \"message\": \"Your message here\"}"

The message will appear in Ryan's WhatsApp group.

Jan (CEO) Notification Rules¶

I only message Jan in these situations: 1. PR ready for approval: After I push a fix and open a PR 2. Loop resolved or needs restart: Fix verified working, or first attempt failed 3. Escalation: Can't diagnose or fix an issue

Ryan and Sam handle the "incident detected" notification. I handle the rest of the loop.

Working Agreements¶

I follow the layered architecture: ui → domain → api-client → backend → database
I never merge without tests
I address every bug report
Ryan and Sam hand me work directly — no intermediary
When Ryan sends me a pipeline failure, I diagnose, fix, push, and open a PR
When Sam sends me a diagnostic report, I treat it as high-priority, make the fix permanent, and open a PR
When Ryan sends me build agent details for a permanent fix, I codify it and open a PR
After opening a PR: notify Jan it's ready for approval
After fix is merged and verified: notify Jan the loop is resolved (or restarting if it didn't work)
On feature branches: I fix directly on the branch
On main: I create a fix branch and open a PR — never push directly to main
I escalate architectural decisions to the CEO
If I can't diagnose a CI failure, I escalate to Jan with a summary

Session Log¶

CLAUDE_EOF

### 8.4 System Prompts

The system prompts are loaded from each agent's `CLAUDE.md` automatically. For additional system-level instructions, you can place the full system prompt from the [prompts directory](prompts/) in each group folder.

Copy the full prompts as reference:

```bash
# Copy Ryan's full system prompt to his group folder
cp ~/nanoclaw/groups/ryan/../../docs/10-agentic-team/prompts/ryan-devops-engineer.md \
   ~/nanoclaw/groups/ryan/system-prompt-reference.md

# Copy Sam's full system prompt to his group folder
cp ~/nanoclaw/groups/sam/../../docs/10-agentic-team/prompts/sam-infrastructure-engineer.md \
   ~/nanoclaw/groups/sam/system-prompt-reference.md

# Copy Cody's full system prompt to his group folder
cp ~/nanoclaw/groups/cody/../../docs/10-agentic-team/prompts/cody-software-engineer.md \
   ~/nanoclaw/groups/cody/system-prompt-reference.md

Important: Update the prompts to reference Azure DevOps Pipelines instead of GitHub Actions. The full prompts in prompts/ryan-devops-engineer.md, prompts/sam-infrastructure-engineer.md, and prompts/cody-software-engineer.md currently reference GitHub Actions — adapt the CI/CD references before deploying.

9. Container Configuration¶

9.1 Ryan's Container Config¶

Ryan needs no additional mounts beyond his group folder. His group folder (at /workspace/group) contains his CLAUDE.md, secrets, and logs.

If you registered Ryan with a container config, it should look like:

{
  "containerConfig": {
    "timeout": 1800000
  }
}

Ryan uses curl (available in the container image) and the WebFetch tool to query the Azure DevOps API. No repo mount needed.

9.2 Sam's Container Config¶

Sam needs no additional mounts beyond his group folder. He uses the WebFetch tool to monitor status pages and Dozzle, and SSHes into the staging server directly.

{
  "containerConfig": {
    "timeout": 1800000
  }
}

Sam uses the WebFetch tool (available in the container) to check the status page and Dozzle dashboard. He SSHes into the staging server directly for health checks, investigation, and remediation. The SSH key and config are in his group folder (/workspace/group/ssh/).

9.3 Cody's Container Config¶

Cody needs no additional mounts either. His local clone of the repository lives inside his group folder (/workspace/group/repo/), which is already mounted read-write.

{
  "containerConfig": {
    "timeout": 1800000
  }
}

Cody clones the repository into his group folder on first use (see his CLAUDE.md). This clone persists across container sessions because the group folder is persistent on the host.

9.4 Container Filesystem Layout¶

Here's what each agent sees inside its container:

Ryan's container:

/workspace/
├── group/                    # ~/nanoclaw/groups/ryan/ (rw)
│   ├── CLAUDE.md             # Ryan's identity + memory
│   ├── secrets/
│   │   └── azure-devops-pat.txt
│   ├── ssh/
│   │   ├── server-key        # SSH key for build agent
│   │   └── config            # SSH host alias (buildagent)
│   ├── logs/
│   └── conversations/        # Auto-archived transcripts
├── global/                   # ~/nanoclaw/groups/global/ (ro, if exists)
│   └── CLAUDE.md             # Shared team-wide memory
└── ipc/                      # IPC namespace (rw)
    ├── messages/
    ├── tasks/
    └── input/

Sam's container:

/workspace/
├── group/                    # ~/nanoclaw/groups/sam/ (rw)
│   ├── CLAUDE.md             # Sam's identity + memory
│   ├── ssh/
│   │   ├── server-key        # SSH key for staging server
│   │   └── config            # SSH host alias (staging)
│   ├── logs/
│   └── conversations/        # Auto-archived transcripts
├── global/                   # ~/nanoclaw/groups/global/ (ro, if exists)
│   └── CLAUDE.md             # Shared team-wide memory
└── ipc/                      # IPC namespace (rw)
    ├── messages/
    ├── tasks/
    └── input/

Cody's container:

/workspace/
├── group/                    # ~/nanoclaw/groups/cody/ (rw)
│   ├── CLAUDE.md             # Cody's identity + memory
│   ├── .gitconfig            # Git committer identity
│   ├── ssh/
│   │   ├── id_ed25519        # SSH private key
│   │   ├── id_ed25519.pub    # SSH public key
│   │   └── config            # SSH config pointing to the key
│   ├── secrets/
│   │   └── azure-devops-pat.txt
│   ├── repo/
│   │   └── forma-3d-connect/ # Git clone (created on first run)
│   ├── logs/
│   └── conversations/
├── global/                   # ~/nanoclaw/groups/global/ (ro, if exists)
│   └── CLAUDE.md
└── ipc/
    ├── messages/
    ├── tasks/
    └── input/

10. Webhook Receiver (Automated Pipeline Monitoring)¶

The webhook receiver is a lightweight Node.js HTTP server that runs alongside Nanoclaw. When Azure DevOps fires a build-completion event, the receiver catches it and injects a message into Nanoclaw's SQLite database, waking Ryan's container automatically.

10.1 How It Works¶

Azure DevOps Service Hook sends an HTTP POST when a build completes.
The webhook receiver parses the payload and checks the build result.
If the build failed (or partially succeeded), it inserts a synthetic message into the messages table targeting Ryan's WhatsApp group JID.
Nanoclaw's message loop (polling every 2 seconds) detects the new message and spins up Ryan's container.
Ryan receives the build failure details and begins his Pipeline Monitoring Protocol.

Ryan's group must be registered with requiresTrigger: false so that webhook-injected messages (which don't contain the @Team prefix) trigger his container. See Section 10.3.

10.2 Deploy the Webhook Receiver + Message Relay¶

The webhook-receiver.js file serves two purposes:

POST /webhook/azure-devops — catches Azure DevOps build failures and injects a message for Ryan
POST /relay — enables direct agent-to-agent messaging (Ryan → Cody, Sam → Ryan, etc.)

Both endpoints inject messages into Nanoclaw's SQLite database. The polling loop picks them up and spins up the target agent's container. Messages appear in the target group's WhatsApp chat, so Jan can follow all inter-agent communication.

Copy the file from the preparation folder:

cp /root/agentic-team/webhook-receiver.js ~/nanoclaw/webhook-receiver.js
chown nanoclaw:nanoclaw ~/nanoclaw/webhook-receiver.js

The relay validates requests against a whitelist of allowed routes:

From	To	Loop
Ryan → Cody	Pipeline failure details, build agent fix details	Pipeline recovery, Build agent
Cody → Ryan	"Fix pushed, monitor next build"	Pipeline recovery
Sam → Cody	Diagnostic reports	Infrastructure monitoring
Sam → Ryan	Infrastructure coordination (if needed)	General
Ryan → Sam	Infrastructure coordination (if needed)	General

Environment variables required:

Variable	Description
`RYAN_GROUP_JID`	Ryan's WhatsApp group JID
`SAM_GROUP_JID`	Sam's WhatsApp group JID
`CODY_GROUP_JID`	Cody's WhatsApp group JID
`WEBHOOK_PORT`	Port to listen on (default: 9876)
`WEBHOOK_SECRET`	Shared secret for Azure DevOps webhook validation
`RELAY_SECRET`	Shared secret for inter-agent relay validation

10.3 Disable Trigger Requirement for All Agent Groups¶

All agent groups must have requiresTrigger: false so that relay-injected and webhook-injected messages (which don't start with @Team) still wake their containers.

After registering all groups normally (see Section 6.2), update the settings:

sqlite3 ~/nanoclaw/store/messages.db "UPDATE registered_groups SET requires_trigger = 0 WHERE folder = 'ryan';"
sqlite3 ~/nanoclaw/store/messages.db "UPDATE registered_groups SET requires_trigger = 0 WHERE folder = 'sam';"
sqlite3 ~/nanoclaw/store/messages.db "UPDATE registered_groups SET requires_trigger = 0 WHERE folder = 'cody';"

Then restart Nanoclaw to pick up the change.

10.4 Find Ryan's Group JID¶

After registering Ryan's WhatsApp group, find its JID:

sqlite3 ~/nanoclaw/store/messages.db "SELECT jid, name, folder FROM registered_groups;"

The JID for a WhatsApp group looks like 120363012345678901@g.us. Copy Ryan's JID — you'll need it for the webhook receiver's environment variable.

10.5 Run the Webhook Receiver + Relay as a Service¶

Copy the prepared systemd unit file from the preparation folder, or create it inline:

sudo cp /root/agentic-team/systemd/nanoclaw-webhook.service /etc/systemd/system/nanoclaw-webhook.service

Then edit the file and replace all placeholder values with real JIDs and secrets (see Step 10 in the README for details).

sudo systemctl daemon-reload sudo systemctl enable nanoclaw-webhook sudo systemctl start nanoclaw-webhook

Verify¶

sudo systemctl status nanoclaw-webhook curl -s http://localhost:9876/webhook/azure-devops # Should return 404 (GET not POST)

### 10.6 Configure Azure DevOps Service Hook

1. Go to **Azure DevOps** → Project **forma-3d** → **Project Settings** (bottom-left) → **Service hooks**
2. Click **Create subscription**
3. Select **Web Hooks** → **Next**
4. Configure the trigger:
   - **Event:** Build completed
   - **Pipeline:** (leave blank for all pipelines, or select a specific one)
   - **Build status:** Failed
5. Click **Next**
6. Configure the action:
   - **URL:** `http://<your-droplet-ip>:9876/webhook/azure-devops`
   - **HTTP headers:** `x-webhook-secret: <your-secret>` (must match `WEBHOOK_SECRET` in the systemd service)
   - **Resource details to send:** All
7. Click **Test** to verify connectivity, then **Finish**

### 10.7 Firewall Configuration

Open port 9876 on the droplet for Azure DevOps to reach the webhook receiver:

```bash
sudo ufw allow 9876/tcp comment "Azure DevOps webhook receiver"

Security note: For production, consider placing the webhook receiver behind a reverse proxy (nginx/Caddy) with HTTPS. Azure DevOps supports HTTPS webhook URLs. The shared secret (x-webhook-secret header) provides a basic authentication layer in the meantime.

10.8 Test the Webhook¶

Send a test payload from your local machine or Azure DevOps:

curl -X POST http://<droplet-ip>:9876/webhook/azure-devops \
  -H "Content-Type: application/json" \
  -H "x-webhook-secret: <your-secret>" \
  -d '{
    "eventType": "build.complete",
    "resource": {
      "id": 99999,
      "buildNumber": "20260302.1",
      "result": "failed",
      "sourceBranch": "refs/heads/feature/test-webhook",
      "sourceVersion": "abc1234def5678",
      "definition": { "name": "Forma3D.Connect CI" },
      "_links": { "web": { "href": "https://dev.azure.com/devgem/forma-3d/_build/results?buildId=99999" } }
    }
  }'

If everything works: 1. The webhook receiver logs: Build 99999 FAILED on feature/test-webhook — message injected for Ryan 2. Ryan's WhatsApp group lights up with Ryan investigating the (fake) failure 3. Ryan reports back that he can't find build 99999 in the API (expected — it's a test)

11. Global Team Memory (Optional)¶

Create a shared CLAUDE.md that all agents can read. This establishes shared context without giving agents access to each other's data.

mkdir -p ~/nanoclaw/groups/global

cat > ~/nanoclaw/groups/global/CLAUDE.md << 'CLAUDE_EOF'
# Forma 3D Connect — Shared Team Context

## Project

Forma 3D Connect is a SaaS platform for 3D printing businesses. Monorepo managed by Nx (pnpm).

## Tech Stack

- Frontend: React 19 + Vite + TailwindCSS
- Backend: NestJS + Prisma + PostgreSQL
- CI/CD: Azure DevOps Pipelines
- Hosting: DigitalOcean (Droplets + Docker)
- Git: Azure DevOps Repos (devgem/forma-3d/forma-3d-connect)

## Team

- **Jan Wielemans (CEO)** — Human. Final authority on architecture and strategy.
- **Ryan "Ops" O'Malley (DevOps)** — Monitors pipelines, manages deployments, SSHes into servers for diagnostics and remediation.
- **Sam "Rack" Reynolds (Infra)** — Monitors staging infrastructure health, detects anomalies, creates diagnostic reports.
- **Cody Codewell (Dev)** — Writes and fixes application code and configuration.

## Rules

- Never push directly to main. Always use branches + PRs.
- Every fix must include a test.
- Escalate to the CEO when in doubt.
- Agents collaborate directly — hand off work to each other without going through Jan.
- Jan only gets WhatsApp messages for: (1) incident detected + which loop started, (2) PR ready for approval, (3) loop resolved or needs restart.
- Routine checks that find nothing wrong: log silently, no message to Jan.
CLAUDE_EOF

12. Verification Checklist¶

Run through this checklist after setup to confirm everything works.

12.1 Orchestrator¶

Nanoclaw process is running (tmux / screen / systemd)
WhatsApp is connected (QR code scanned, session persisted)
Main channel responds to @Team hello

12.2 Sam¶

12.3 Ryan¶

12.4 Webhook Receiver + Message Relay¶

Service is running: sudo systemctl status nanoclaw-webhook
All group JIDs are set correctly: RYAN_GROUP_JID, SAM_GROUP_JID, CODY_GROUP_JID
RELAY_SECRET is set correctly in the service file
Port 9876 is open: sudo ufw status | grep 9876
Azure DevOps Service Hook is configured (Project Settings → Service hooks)
Test webhook: Click "Test" in Azure DevOps Service Hook configuration → receiver logs the event
Test relay: curl -s -X POST http://localhost:9876/relay -H "Content-Type: application/json" -H "X-Relay-Secret: $(cat ~/nanoclaw/relay-secret.txt)" -d '{"from":"ryan","to":"cody","message":"relay test"}' → returns {"ok":true} and message appears in Cody's WhatsApp group
Relay secret distributed to all agents: ls ~/nanoclaw/groups/{ryan,sam,cody}/secrets/relay-secret.txt

12.5 Cody¶

WhatsApp group "Cody - Dev" exists with Nanoclaw number
Group is registered: @Team list groups shows Cody's group
Group folder exists: ls ~/nanoclaw/groups/cody/CLAUDE.md
SSH key exists: ls ~/nanoclaw/groups/cody/ssh/id_ed25519
SSH public key is registered in Azure DevOps
PAT is stored: cat ~/nanoclaw/groups/cody/secrets/azure-devops-pat.txt
Git config exists: cat ~/nanoclaw/groups/cody/.gitconfig
Test: Send @Team hello, clone the repo if you haven't already in Cody's WhatsApp group → Cody responds and the repo clone appears in ~/nanoclaw/groups/cody/repo/

12.6 Pipeline Failure Recovery Loop (End-to-End)¶

12.7 Infrastructure Monitoring and Incident Response Loop (End-to-End)¶

Sam checks the staging status page and Dozzle dashboard
Sam SSHes into the staging server directly for routine health check
Simulate an anomaly (e.g., stop a container on the staging server)
Sam detects the anomaly and notifies Jan: "Starting infrastructure monitoring and incident response loop."
Sam SSHes into staging for detailed investigation and remediation
Sam creates diagnostic report and sends it directly to Cody via relay (message appears in Cody's group)
Cody fixes, pushes, opens PR, and notifies Jan: "PR ready for approval"
Verify Sam detects recovery on the next health check and notifies Jan: "Loop resolved"

12.8 Build Agent Health Monitoring Loop (End-to-End)¶

Ryan SSHes into the build agent (root@159.223.11.111) and checks system health
Simulate an issue (e.g., fill disk, stop agent process)
Ryan detects the issue and notifies Jan: "Build agent unhealthy. Starting build agent health monitoring loop."
Ryan takes corrective action (restart, cleanup)
Ryan hands off to Cody via relay with details for permanent fix (message appears in Cody's group)
Cody codifies the fix, pushes, opens PR, and notifies Jan: "PR ready for approval"
Verify the build agent is healthy on the next check and Ryan notifies Jan: "Loop resolved"

13. Running Nanoclaw as a Service¶

To keep Nanoclaw running after SSH disconnect, set up a systemd service:

sudo cat > /etc/systemd/system/nanoclaw.service << 'EOF'
[Unit]
Description=Nanoclaw AI Assistant
After=network.target docker.service
Requires=docker.service

[Service]
Type=simple
User=nanoclaw
WorkingDirectory=/home/nanoclaw/nanoclaw
ExecStart=/usr/bin/node dist/index.js
Restart=on-failure
RestartSec=10
Environment=NODE_ENV=production

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable nanoclaw
sudo systemctl start nanoclaw

# Check status
sudo systemctl status nanoclaw

# View logs
sudo journalctl -u nanoclaw -f

14. Cost Estimate¶

Item	Monthly Cost (est.)
DigitalOcean Droplet (4GB)	~$24
Anthropic API usage	Variable (~$20-100)
Total	~$44-124/month

API costs depend on usage frequency. Each pipeline check + fix cycle uses approximately 10k-50k tokens. With a few interactions per day, expect $20-50/month in API costs.

15. Phase 2 Preview¶

Once Phase 1 is stable, the next steps are:

Enhancement	Description
Maya (QA)	Add a QA agent to test Cody's fixes before they merge
HTTPS webhook	Put the webhook receiver behind nginx/Caddy with TLS
Telegram/Discord channel	Add alternative messaging channels
Auto-approve safe PRs	Automatically merge PRs that pass all checks and are low-risk
Scheduled reporting	Daily/weekly summary digest for Jan instead of per-incident