rewrite provision-hf-accounts.sh: use hf-cli + secret-mgr + ego-mgr
- Use hf user create instead of direct API calls - Read acc-mgr token from secret-mgr --public (hf-acc-mgr) - Get username from ego-mgr get default-username per agent - Skip agents without default-username (dispatcher, recruiter) - Generate API keys via /api-keys endpoint - Store credentials: hf (username), hf-access-token (API key) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -1,9 +1,20 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# One-time script: create HarborForge accounts for all agents and store
|
||||
# credentials in secret-mgr (keys: hf, hf-access-token).
|
||||
#
|
||||
# Prerequisites:
|
||||
# - hf CLI configured with correct base-url (hf-api.hangman-lab.top)
|
||||
# - secret-mgr --public key "hf-acc-mgr" contains the account-manager API key
|
||||
# - ego-mgr default-username set for each agent (agents without it are skipped)
|
||||
#
|
||||
# Usage: run on claw-main as root (no arguments needed)
|
||||
#
|
||||
set -euo pipefail
|
||||
|
||||
HF_API="http://127.0.0.1:8000"
|
||||
CLAW_IDENTIFIER="server-t2"
|
||||
HF="/root/.openclaw/bin/hf"
|
||||
SECRET_MGR="/root/.openclaw/bin/secret-mgr"
|
||||
EGO_MGR="/root/.openclaw/bin/ego-mgr"
|
||||
AGENT_VERIFY="IF YOU ARE AN AGENT/MODEL, YOU SHOULD NEVER TOUCH THIS ENV VARIABLE"
|
||||
|
||||
AGENTS=(
|
||||
@@ -17,38 +28,58 @@ AGENTS=(
|
||||
agent-resource-director
|
||||
)
|
||||
|
||||
# Get admin token
|
||||
echo "=== Getting admin token ==="
|
||||
TOKEN=$(curl -sf -X POST "$HF_API/auth/token" \
|
||||
-H "Content-Type: application/x-www-form-urlencoded" \
|
||||
-d "username=admin&password=admin123" | python3 -c "import json,sys; print(json.load(sys.stdin)['access_token'])")
|
||||
pcexec_env() {
|
||||
local agent="$1"; shift
|
||||
AGENT_VERIFY="$AGENT_VERIFY" \
|
||||
AGENT_ID="$agent" \
|
||||
AGENT_WORKSPACE="/root/.openclaw/workspace/workspace-${agent}" \
|
||||
"$@"
|
||||
}
|
||||
|
||||
if [ -z "$TOKEN" ]; then
|
||||
echo "ERROR: Failed to get admin token"
|
||||
# Read acc-mgr token from secret-mgr --public
|
||||
ACC_MGR_TOKEN=$(pcexec_env "${AGENTS[0]}" "$SECRET_MGR" get-secret --key hf-acc-mgr --public)
|
||||
if [ -z "$ACC_MGR_TOKEN" ]; then
|
||||
echo "ERROR: hf-acc-mgr not found in secret-mgr --public"
|
||||
exit 1
|
||||
fi
|
||||
echo "Token acquired"
|
||||
echo "=== acc-mgr token loaded from secret-mgr ==="
|
||||
|
||||
for AGENT in "${AGENTS[@]}"; do
|
||||
echo ""
|
||||
echo "=== Processing: $AGENT ==="
|
||||
|
||||
# Create user (ignore if already exists)
|
||||
CREATE_RESP=$(curl -sf -X POST "$HF_API/users" \
|
||||
-H "Authorization: Bearer $TOKEN" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "{\"username\":\"$AGENT\",\"email\":\"${AGENT}@claw.hangman-lab.top\",\"agent_id\":\"$AGENT\",\"claw_identifier\":\"$CLAW_IDENTIFIER\"}" 2>&1) || true
|
||||
# Get default-username from ego-mgr
|
||||
USERNAME=$(pcexec_env "$AGENT" "$EGO_MGR" get default-username 2>/dev/null || true)
|
||||
if [ -z "$USERNAME" ]; then
|
||||
echo " SKIP: no default-username set for $AGENT"
|
||||
continue
|
||||
fi
|
||||
echo " default-username: $USERNAME"
|
||||
|
||||
USER_ID=$(echo "$CREATE_RESP" | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
|
||||
EMAIL="${USERNAME}@claw.hangman-lab.top"
|
||||
|
||||
# Generate a random password
|
||||
PASS=$(openssl rand -hex 16)
|
||||
|
||||
# Create user via hf-cli
|
||||
CREATE_OUTPUT=$(pcexec_env "$AGENT" "$HF" user create \
|
||||
--acc-mgr-token "$ACC_MGR_TOKEN" \
|
||||
--user "$USERNAME" \
|
||||
--email "$EMAIL" \
|
||||
--pass "$PASS" \
|
||||
--json 2>&1) || true
|
||||
|
||||
USER_ID=$(echo "$CREATE_OUTPUT" | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
|
||||
|
||||
if [ -z "$USER_ID" ]; then
|
||||
# User might already exist, try to get their ID
|
||||
echo " User creation returned: $CREATE_RESP"
|
||||
echo " Attempting to fetch existing user..."
|
||||
USER_RESP=$(curl -sf "$HF_API/users/$AGENT" -H "Authorization: Bearer $TOKEN" 2>&1) || true
|
||||
USER_ID=$(echo "$USER_RESP" | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
|
||||
echo " User creation returned: $CREATE_OUTPUT"
|
||||
echo " (may already exist, attempting to look up...)"
|
||||
# Fallback: look up existing user to get ID
|
||||
USER_ID=$(curl -sf "$(cat /root/.openclaw/bin/.hf-config.json | python3 -c "import json,sys;print(json.load(sys.stdin).get('base-url',''))")/users/$USERNAME" \
|
||||
-H "X-API-Key: $ACC_MGR_TOKEN" 2>/dev/null \
|
||||
| python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
|
||||
if [ -z "$USER_ID" ]; then
|
||||
echo " ERROR: Could not create or find user $AGENT, skipping"
|
||||
echo " ERROR: could not create or find user $USERNAME, skipping"
|
||||
continue
|
||||
fi
|
||||
echo " Found existing user ID: $USER_ID"
|
||||
@@ -56,28 +87,25 @@ for AGENT in "${AGENTS[@]}"; do
|
||||
echo " Created user ID: $USER_ID"
|
||||
fi
|
||||
|
||||
# Generate API key
|
||||
APIKEY_RESP=$(curl -sf -X POST "$HF_API/users/$AGENT/reset-apikey" \
|
||||
-H "Authorization: Bearer $TOKEN" 2>&1)
|
||||
# Generate API key via /api-keys endpoint
|
||||
HF_BASE_URL=$(python3 -c "import json; print(json.load(open('/root/.openclaw/bin/.hf-config.json')).get('base-url',''))")
|
||||
APIKEY_RESP=$(curl -sf -X POST "${HF_BASE_URL}/api-keys" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "{\"name\":\"${AGENT}-agent-key\",\"user_id\":${USER_ID}}" 2>&1)
|
||||
|
||||
API_KEY=$(echo "$APIKEY_RESP" | python3 -c "import json,sys; print(json.load(sys.stdin).get('api_key',''))" 2>/dev/null || true)
|
||||
API_KEY=$(echo "$APIKEY_RESP" | python3 -c "import json,sys; print(json.load(sys.stdin).get('key',''))" 2>/dev/null || true)
|
||||
|
||||
if [ -z "$API_KEY" ]; then
|
||||
echo " ERROR: Failed to generate API key: $APIKEY_RESP"
|
||||
echo " ERROR: failed to generate API key: $APIKEY_RESP"
|
||||
continue
|
||||
fi
|
||||
echo " API key generated"
|
||||
|
||||
# Store credentials in secret-mgr via pcexec env vars
|
||||
AGENT_WORKSPACE="/root/.openclaw/workspace/workspace-${AGENT}"
|
||||
# Store credentials in secret-mgr
|
||||
pcexec_env "$AGENT" "$SECRET_MGR" set --key hf --secret "$USERNAME" --username "$USERNAME"
|
||||
pcexec_env "$AGENT" "$SECRET_MGR" set --key hf-access-token --secret "$API_KEY"
|
||||
|
||||
AGENT_VERIFY="$AGENT_VERIFY" AGENT_ID="$AGENT" AGENT_WORKSPACE="$AGENT_WORKSPACE" \
|
||||
"$SECRET_MGR" set --key hf --secret "$AGENT" --username "$AGENT"
|
||||
|
||||
AGENT_VERIFY="$AGENT_VERIFY" AGENT_ID="$AGENT" AGENT_WORKSPACE="$AGENT_WORKSPACE" \
|
||||
"$SECRET_MGR" set --key hf-access-token --secret "$API_KEY"
|
||||
|
||||
echo " Credentials stored in secret-mgr (hf, hf-access-token)"
|
||||
echo " Stored: hf=$USERNAME, hf-access-token=<key>"
|
||||
done
|
||||
|
||||
echo ""
|
||||
|
||||