diff --git a/scripts/provision-hf-accounts.sh b/scripts/provision-hf-accounts.sh
index 463a5df..593d8f8 100755
--- a/scripts/provision-hf-accounts.sh
+++ b/scripts/provision-hf-accounts.sh
@@ -1,9 +1,20 @@
 #!/usr/bin/env bash
+#
+# One-time script: create HarborForge accounts for all agents and store
+# credentials in secret-mgr (keys: hf, hf-access-token).
+#
+# Prerequisites:
+# - hf CLI configured with correct base-url (hf-api.hangman-lab.top)
+# - secret-mgr --public key "hf-acc-mgr" contains the account-manager API key
+# - ego-mgr default-username set for each agent (agents without it are skipped)
+#
+# Usage: run on claw-main as root (no arguments needed)
+#
 set -euo pipefail
-HF_API="http://127.0.0.1:8000"
-CLAW_IDENTIFIER="server-t2"
+HF="/root/.openclaw/bin/hf"
 SECRET_MGR="/root/.openclaw/bin/secret-mgr"
+EGO_MGR="/root/.openclaw/bin/ego-mgr"
 AGENT_VERIFY="IF YOU ARE AN AGENT/MODEL, YOU SHOULD NEVER TOUCH THIS ENV VARIABLE"
 AGENTS=(
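Review bot: The Prerequisites list in the new header leaves out inputs the script depends on further down: `/root/.openclaw/bin/.hf-config.json` (its `base-url` is read for the user lookup and the `/api-keys` call) and the `curl`, `python3` and `openssl` binaries. I would add `#   - /root/.openclaw/bin/.hf-config.json exists and has a non-empty base-url` and `#   - curl, python3 and openssl are on PATH`. Since the account-manager key is sent to that base-url in a request header, the header comment should also say which scheme is expected; the example host is written without one.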
@@ -17,38 +28,58 @@ AGENTS=(
 agent-resource-director
 )
-# Get admin token
-echo "=== Getting admin token ==="
-TOKEN=$(curl -sf -X POST "$HF_API/auth/token" \
- -H "Content-Type: application/x-www-form-urlencoded" \
- -d "username=admin&password=admin123" | python3 -c "import json,sys; print(json.load(sys.stdin)['access_token'])")
+pcexec_env() {
+ local agent="$1"; shift
+ AGENT_VERIFY="$AGENT_VERIFY" \
+ AGENT_ID="$agent" \
+ AGENT_WORKSPACE="/root/.openclaw/workspace/workspace-${agent}" \
+ "$@"
+}
-if [ -z "$TOKEN" ]; then
- echo "ERROR: Failed to get admin token"
+# Read acc-mgr token from secret-mgr --public
+ACC_MGR_TOKEN=$(pcexec_env "${AGENTS[0]}" "$SECRET_MGR" get-secret --key hf-acc-mgr --public)
+if [ -z "$ACC_MGR_TOKEN" ]; then
+ echo "ERROR: hf-acc-mgr not found in secret-mgr --public"
 exit 1
 fi
-echo "Token acquired"
+echo "=== acc-mgr token loaded from secret-mgr ==="
 for AGENT in "${AGENTS[@]}"; do
 echo ""
 echo "=== Processing: $AGENT ==="
- # Create user (ignore if already exists)
- CREATE_RESP=$(curl -sf -X POST "$HF_API/users" \
- -H "Authorization: Bearer $TOKEN" \
- -H "Content-Type: application/json" \
- -d "{\"username\":\"$AGENT\",\"email\":\"${AGENT}@claw.hangman-lab.top\",\"agent_id\":\"$AGENT\",\"claw_identifier\":\"$CLAW_IDENTIFIER\"}" 2>&1) || true
+ # Get default-username from ego-mgr
+ USERNAME=$(pcexec_env "$AGENT" "$EGO_MGR" get default-username 2>/dev/null || true)
+ if [ -z "$USERNAME" ]; then
+ echo " SKIP: no default-username set for $AGENT"
+ continue
+ fi
+ echo " default-username: $USERNAME"
- USER_ID=$(echo "$CREATE_RESP" | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+ EMAIL="${USERNAME}@claw.hangman-lab.top"
+
+ # Generate a random password
+ PASS=$(openssl rand -hex 16)
+
+ # Create user via hf-cli
+ CREATE_OUTPUT=$(pcexec_env "$AGENT" "$HF" user create \
+ --acc-mgr-token "$ACC_MGR_TOKEN" \
+ --user "$USERNAME" \
+ --email "$EMAIL" \
+ --pass "$PASS" \
+ --json 2>&1) || true
+
+ USER_ID=$(echo "$CREATE_OUTPUT" | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
 if [ -z "$USER_ID" ]; then
- # User might already exist, try to get their ID
- echo " User creation returned: $CREATE_RESP"
- echo " Attempting to fetch existing user..."
- USER_RESP=$(curl -sf "$HF_API/users/$AGENT" -H "Authorization: Bearer $TOKEN" 2>&1) || true
- USER_ID=$(echo "$USER_RESP" | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+ echo " User creation returned: $CREATE_OUTPUT"
+ echo " (may already exist, attempting to look up...)"
+ # Fallback: look up existing user to get ID
+ USER_ID=$(curl -sf "$(cat /root/.openclaw/bin/.hf-config.json | python3 -c "import json,sys;print(json.load(sys.stdin).get('base-url',''))")/users/$USERNAME" \
+ -H "X-API-Key: $ACC_MGR_TOKEN" 2>/dev/null \
+ | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
 if [ -z "$USER_ID" ]; then
- echo " ERROR: Could not create or find user $AGENT, skipping"
+ echo " ERROR: could not create or find user $USERNAME, skipping"
 continue
 fi
 echo " Found existing user ID: $USER_ID"
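Review bot: `--acc-mgr-token "$ACC_MGR_TOKEN"` and `--pass "$PASS"` put both secrets on the `hf` command line, where they are readable from the process list while the command runs, and the curl fallback does the same with `-H "X-API-Key: $ACC_MGR_TOKEN"`. If `hf` can take these from the environment or stdin that would be preferable (not visible in this diff), and curl can read the header from a file or stdin with its `-H @file` form. Separately, `2>&1` folds stderr into `CREATE_OUTPUT`, which is echoed verbatim on the failure path, so anything the CLI prints about its arguments lands in the run log. The fallback also builds its URL from an unchecked `base-url` and discards every error with `2>/dev/null ... || true`, so an empty value fails silently and a plain-http value would send the key unencrypted; reading the value once before the loop and rejecting an empty one would make that visible. The `for` loop body continues past this hunk.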
@@ -56,28 +87,25 @@ for AGENT in "${AGENTS[@]}"; do
 echo " Created user ID: $USER_ID"
 fi
- # Generate API key
- APIKEY_RESP=$(curl -sf -X POST "$HF_API/users/$AGENT/reset-apikey" \
- -H "Authorization: Bearer $TOKEN" 2>&1)
+ # Generate API key via /api-keys endpoint
+ HF_BASE_URL=$(python3 -c "import json; print(json.load(open('/root/.openclaw/bin/.hf-config.json')).get('base-url',''))")
+ APIKEY_RESP=$(curl -sf -X POST "${HF_BASE_URL}/api-keys" \
+ -H "Content-Type: application/json" \
+ -d "{\"name\":\"${AGENT}-agent-key\",\"user_id\":${USER_ID}}" 2>&1)
- API_KEY=$(echo "$APIKEY_RESP" | python3 -c "import json,sys; print(json.load(sys.stdin).get('api_key',''))" 2>/dev/null || true)
+ API_KEY=$(echo "$APIKEY_RESP" | python3 -c "import json,sys; print(json.load(sys.stdin).get('key',''))" 2>/dev/null || true)
 if [ -z "$API_KEY" ]; then
- echo " ERROR: Failed to generate API key: $APIKEY_RESP"
+ echo " ERROR: failed to generate API key: $APIKEY_RESP"
 continue
 fi
 echo " API key generated"
- # Store credentials in secret-mgr via pcexec env vars
- AGENT_WORKSPACE="/root/.openclaw/workspace/workspace-${AGENT}"
+ # Store credentials in secret-mgr
+ pcexec_env "$AGENT" "$SECRET_MGR" set --key hf --secret "$USERNAME" --username "$USERNAME"
+ pcexec_env "$AGENT" "$SECRET_MGR" set --key hf-access-token --secret "$API_KEY"
- AGENT_VERIFY="$AGENT_VERIFY" AGENT_ID="$AGENT" AGENT_WORKSPACE="$AGENT_WORKSPACE" \
- "$SECRET_MGR" set --key hf --secret "$AGENT" --username "$AGENT"
-
- AGENT_VERIFY="$AGENT_VERIFY" AGENT_ID="$AGENT" AGENT_WORKSPACE="$AGENT_WORKSPACE" \
- "$SECRET_MGR" set --key hf-access-token --secret "$API_KEY"
-
- echo " Credentials stored in secret-mgr (hf, hf-access-token)"
+ echo " Stored: hf=$USERNAME, hf-access-token="
 done
 echo ""
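Review bot: The new POST to `${HF_BASE_URL}/api-keys` sends only a `Content-Type` header, whereas the call it replaces carried `Authorization: Bearer $TOKEN`. Either the request will be rejected, or the endpoint issues a key for whatever `user_id` is in the body without authenticating the caller, which should be confirmed on the server side; if it does authenticate, a line such as `-H "X-API-Key: $ACC_MGR_TOKEN" \` (the header the lookup fallback uses) appears to be missing. The random `PASS` generated earlier in the loop is never persisted: `set --key hf --secret "$USERNAME"` stores the username as the secret, so presumably `--secret "$PASS"` was intended, and only on the path where the account was just created. `${USER_ID}` is also interpolated unquoted into the JSON body straight from CLI or server output, so a guard like `[[ "$USER_ID" =~ ^[0-9]+$ ]] || continue` before the request would keep a malformed value out of it. The `for` loop starts outside this hunk.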