feat: add one-command copilot finalize flow

Matt Bruce 2026-02-19 12:47:36 -06:00
parent 93f97d0e81
commit 558bbf47f6
7 changed files with 189 additions and 79 deletions

View File

@ -20,6 +20,7 @@ When you copy this folder to the target work machine:
- Do not run install commands here. - Do not run install commands here.
- Do not run `scripts/install_copilot_guardrails.sh` here. - Do not run `scripts/install_copilot_guardrails.sh` here.
- Do not run `scripts/finalize_copilot_setup.sh` here.
- Do not run provider/model mutation commands here. - Do not run provider/model mutation commands here.
- Use this copy only for editing docs/scripts before transfer. - Use this copy only for editing docs/scripts before transfer.
@ -31,13 +32,8 @@ When you copy this folder to the target work machine:
Required setup order: Required setup order:
1. `bash ./setup/setup_openclaw_copilot.sh` 1. `bash ./setup/setup_openclaw_copilot.sh`
2. `copilot auth login` 2. `bash ./scripts/finalize_copilot_setup.sh`
3. `bash ./scripts/install_copilot_guardrails.sh` 3. `openclaw status --deep`
4. `openclaw hooks enable boot-md`
5. `openclaw hooks enable command-logger`
6. `openclaw hooks enable session-memory`
7. `openclaw gateway restart`
8. `openclaw status --deep`
Required verification: Required verification:
- `openclaw models status` shows `github-copilot/*` routing. - `openclaw models status` shows `github-copilot/*` routing.
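Review bot: The shortened "Required setup order" no longer gives any visible confirmation that hooks were enabled or the gateway restarted. Old steps 4 to 7 are now inside `finalize_copilot_setup.sh`, which runs each `openclaw hooks enable ...` and the final `openclaw gateway restart` with `>/dev/null 2>&1 || true`, so a failure there is silent. Unless the verification list below already covers it, add `openclaw hooks list` to "Required verification" so a missing `command-logger` hook is caught here.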
@ -58,12 +54,8 @@ Create a reliable OpenClaw setup that uses GitHub Copilot CLI Enterprise as the
## Setup Flow (target computer only) ## Setup Flow (target computer only)
1. Run `setup/setup_openclaw_copilot.sh` for Copilot-first baseline. 1. Run `setup/setup_openclaw_copilot.sh` for Copilot-first baseline.
2. Authenticate Copilot CLI with enterprise account. 2. Run `scripts/finalize_copilot_setup.sh` to complete auth + profiles + guardrails in one command.
3. Refresh OpenClaw model catalog. 3. Verify gateway/model health.
4. Lock OpenClaw model routing to Copilot models.
5. Install guardrails with `scripts/install_copilot_guardrails.sh`.
6. Enable recommended hooks (`boot-md`, `command-logger`, `session-memory`).
7. Start gateway and verify Telegram/channel health.
## Copilot CLI Install and Auth ## Copilot CLI Install and Auth
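Review bot: New step 3, "Verify gateway/model health", drops the Telegram/channel health check that old step 7 called for. The finalize script's closing checks only cover `copilot auth status`, `openclaw models status` and the launchd labels, so channel health is not verified anywhere in this flow. Suggest keeping it in the step text, for example "Verify gateway/model health and Telegram/channel health (if used)".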

View File

@ -38,6 +38,7 @@ Everything else is organized by purpose:
- `docs/context/TOOLS.md`: command reference - `docs/context/TOOLS.md`: command reference
- `docs/operations/troubleshooting.md`: failure recovery runbook - `docs/operations/troubleshooting.md`: failure recovery runbook
- `setup/setup_openclaw_copilot.sh`: primary Copilot Enterprise setup - `setup/setup_openclaw_copilot.sh`: primary Copilot Enterprise setup
- `scripts/finalize_copilot_setup.sh`: one-command auth + model/profile + guardrail finalize
- `config/copilot-policy-guard.config.json`: Copilot routing/provider policy guard config - `config/copilot-policy-guard.config.json`: Copilot routing/provider policy guard config
- `config/copilot-auth-watchdog.config.json`: Copilot auth watchdog config - `config/copilot-auth-watchdog.config.json`: Copilot auth watchdog config
- `config/model-profiles.config.json`: paid/free profile routing definitions - `config/model-profiles.config.json`: paid/free profile routing definitions
@ -68,24 +69,20 @@ Quick path (copy/paste):
```bash ```bash
bash ./setup/setup_openclaw_copilot.sh bash ./setup/setup_openclaw_copilot.sh
copilot auth login bash ./scripts/finalize_copilot_setup.sh
bash ./scripts/install_copilot_guardrails.sh
openclaw hooks enable boot-md
openclaw hooks enable command-logger
openclaw hooks enable session-memory
openclaw gateway restart
openclaw status --deep openclaw status --deep
``` ```
Order and dependency (important): Order and dependency (important):
1. `setup/setup_openclaw_copilot.sh` installs tooling only (`openclaw`, `copilot`, Node). 1. `setup/setup_openclaw_copilot.sh` installs tooling only (`openclaw`, `copilot`, Node).
2. `copilot auth login` must succeed before Copilot models can be used. 2. `scripts/finalize_copilot_setup.sh` handles login, model discovery, profile selection, guardrails, hooks, and gateway restart.
3. Only after login should you run model routing and guardrails. 3. If browser auth cannot complete inside finalize flow, run `copilot auth login`, then rerun finalize.
Why: Why:
- OpenClaw installation does not require Copilot login. - OpenClaw installation does not require Copilot login.
- `github-copilot/*` model selection and policy checks do require Copilot auth. - `github-copilot/*` model selection and policy checks do require Copilot auth.
- Finalize script prevents users from forgetting model/profile/guardrail wiring after login.
1. Primary Copilot setup: 1. Primary Copilot setup:
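Review bot: Item 1 under "Order and dependency" still says `setup/setup_openclaw_copilot.sh` "installs tooling only", which stops being true with this commit. The setup script now runs `bash "$FINALIZE_SCRIPT"` itself whenever `copilot auth status` succeeds. On an already-authenticated machine the quick path therefore runs finalize twice, including the guardrail install and gateway restart. Update item 1 to say so, and state that finalize is safe to rerun if that is the intent.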
@ -94,22 +91,29 @@ Why:
bash ./setup/setup_openclaw_copilot.sh bash ./setup/setup_openclaw_copilot.sh
``` ```
2. Authenticate Copilot CLI: 2. Finalize in one command (recommended):
```bash
bash ./scripts/finalize_copilot_setup.sh
```
What finalize does:
- Opens `copilot auth login` if needed
- Refreshes model catalog
- Auto-picks paid/free profiles from available Copilot models
- Installs all guardrails
- Enables recommended hooks
- Restarts gateway
3. Verify:
```bash ```bash
copilot auth login
copilot auth status copilot auth status
```
3. Refresh/list OpenClaw models:
```bash
openclaw models refresh
openclaw models list
openclaw models status openclaw models status
openclaw status --deep
``` ```
If login is missing/expired, Copilot model discovery and usage will fail. If login is missing/expired, finalize will prompt for login and retry setup.
### How To Choose Copilot Models (and Why It Matters) ### How To Choose Copilot Models (and Why It Matters)
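Review bot: The closing sentence "finalize will prompt for login and retry setup" and the bullet "Opens `copilot auth login` if needed" only hold when stdin is a terminal. The script guards the login with `if [[ -t 0 ]]`, and otherwise logs "Non-interactive shell cannot complete browser login." and exits 1. There is also no retry of setup after login, only a second `copilot auth status` check before continuing. Suggest wording along the lines of "finalize opens the login when run in an interactive terminal; otherwise it exits and asks you to run `copilot auth login` first".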
@ -229,7 +233,7 @@ Expected schedule config shape:
Important behavior difference vs Max: Important behavior difference vs Max:
- Copilot `config/model-profiles.config.json` starts with empty model IDs in this template copy. - Copilot `config/model-profiles.config.json` starts with empty model IDs in this template copy.
- `bash ./scripts/install_copilot_guardrails.sh` runs `configure_copilot_guardrails_defaults.sh`, detects available `github-copilot/*` models, and writes concrete `paid`/`free` models into `config/model-profiles.config.json`. - `bash ./scripts/finalize_copilot_setup.sh` (or `bash ./scripts/install_copilot_guardrails.sh`) runs `configure_copilot_guardrails_defaults.sh`, detects available `github-copilot/*` models, and writes concrete `paid`/`free` models into `config/model-profiles.config.json`.
- Until that step runs on the target machine (after `copilot auth login`), schedule/profile switching has no concrete model IDs to apply. - Until that step runs on the target machine (after `copilot auth login`), schedule/profile switching has no concrete model IDs to apply.
Quick verify commands: Quick verify commands:

View File

@ -20,14 +20,9 @@ Constraints:
Run in this order: Run in this order:
1) bash ./setup/setup_openclaw_copilot.sh 1) bash ./setup/setup_openclaw_copilot.sh
2) copilot auth login 2) bash ./scripts/finalize_copilot_setup.sh
- pause and wait for user to complete browser login - if prompted, pause and wait for user to complete browser login
3) bash ./scripts/install_copilot_guardrails.sh 3) openclaw status --deep
4) openclaw hooks enable boot-md
5) openclaw hooks enable command-logger
6) openclaw hooks enable session-memory
7) openclaw gateway restart
8) openclaw status --deep
After setup, verify and report: After setup, verify and report:
- copilot auth status is healthy - copilot auth status is healthy
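Review bot: Step 2's sub-bullet "if prompted, pause and wait for user to complete browser login" gives no instruction for the case where finalize does not prompt at all. When stdin is not a TTY, the script exits 1 with "Run: copilot auth login" instead of opening the browser flow, which is a likely situation for an automated runner following this list. Add an explicit branch: if finalize exits with that message, ask the user to run `copilot auth login` in their own terminal, then rerun step 2.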
@ -55,7 +50,7 @@ If any check fails, fix it and rerun verification.
## Manual User Actions Expected ## Manual User Actions Expected
- Complete enterprise login in browser when `copilot auth login` opens auth flow. - Complete enterprise login in browser when `finalize_copilot_setup.sh` opens `copilot auth login`.
- Approve enterprise/SSO/MFA prompts as required. - Approve enterprise/SSO/MFA prompts as required.
## One-Line Start (for human) ## One-Line Start (for human)

View File

@ -37,16 +37,32 @@ which copilot
copilot --version copilot --version
``` ```
## 3) Authenticate Copilot CLI (Enterprise account) ## 3) Finalize setup in one command (recommended)
```bash
bash ./scripts/finalize_copilot_setup.sh
```
Expected:
- Authenticated with enterprise-linked account
- Copilot models discovered
- Guardrails installed + running
- Hooks enabled (`boot-md`, `command-logger`, `session-memory`)
- Gateway restarted
If this step succeeds, you can skip to step 10.
## 4) Manual fallback path (advanced, only if step 3 fails)
If finalize fails due auth/browser flow, run:
```bash ```bash
copilot auth login copilot auth login
copilot auth status copilot auth status
``` ```
Expected: authenticated with your enterprise-linked GitHub account. Then continue below.
## 5) Start/verify OpenClaw gateway
## 4) Start/verify OpenClaw gateway
```bash ```bash
openclaw gateway restart openclaw gateway restart
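Review bot: "If this step succeeds, you can skip to step 10." points at the wrong section after the renumbering in this file. Step 10 is now "Enable recommended hooks", which itself states "If step 3 already succeeded, hooks were already enabled", so the skip target should be step 11 (Persona/startup docs sanity). Also, "If finalize fails due auth/browser flow" should read "due to auth/browser flow".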
@ -55,7 +71,7 @@ openclaw status --deep
Expected: gateway reachable. Expected: gateway reachable.
## 5) Discover available models ## 6) Discover available models
```bash ```bash
openclaw models refresh || true openclaw models refresh || true
@ -79,7 +95,7 @@ Why this matters:
- Lower quota burn by not overusing heavyweight models - Lower quota burn by not overusing heavyweight models
- Better uptime through fallback failover - Better uptime through fallback failover
## 6) Set Copilot primary + fallbacks ## 7) Set Copilot primary + fallbacks
Replace models below with names from your `openclaw models list` output if needed. Replace models below with names from your `openclaw models list` output if needed.
@ -102,7 +118,7 @@ Expected:
- Fallback chain includes only free-tier or low-cost models - Fallback chain includes only free-tier or low-cost models
- Only `github-copilot/*` appears if strict enterprise policy is required - Only `github-copilot/*` appears if strict enterprise policy is required
## 7) Optional strict provider lock (Copilot-only) ## 8) Optional strict provider lock (Copilot-only)
Run if your enterprise policy requires only Copilot provider traffic: Run if your enterprise policy requires only Copilot provider traffic:
@ -121,7 +137,9 @@ openclaw models list
openclaw models status openclaw models status
``` ```
## 8) Configure + install Copilot guardrails (recommended) ## 9) Configure + install Copilot guardrails (recommended)
If step 3 already succeeded, this is already done.
This one command auto-detects your available Copilot models, picks low-cost defaults, applies policy, and installs launchd guards: This one command auto-detects your available Copilot models, picks low-cost defaults, applies policy, and installs launchd guards:
@ -151,7 +169,9 @@ Why this matters:
- Work-hours/off-hours profile schedule is auto-enforced - Work-hours/off-hours profile schedule is auto-enforced
- Protects enterprise quota and keeps routine latency low - Protects enterprise quota and keeps routine latency low
## 9) Enable recommended hooks ## 10) Enable recommended hooks
If step 3 already succeeded, hooks were already enabled.
```bash ```bash
openclaw hooks enable boot-md openclaw hooks enable boot-md
@ -160,7 +180,7 @@ openclaw hooks enable session-memory
openclaw hooks list openclaw hooks list
``` ```
## 10) Persona/startup docs sanity ## 11) Persona/startup docs sanity
Confirm these files exist in workspace root: Confirm these files exist in workspace root:
@ -168,7 +188,7 @@ Confirm these files exist in workspace root:
ls -la AGENTS.md docs/context/BOOT.md docs/context/SOUL.md docs/context/IDENTITY.md docs/context/USER.md docs/context/TOOLS.md docs/operations/troubleshooting.md ls -la AGENTS.md docs/context/BOOT.md docs/context/SOUL.md docs/context/IDENTITY.md docs/context/USER.md docs/context/TOOLS.md docs/operations/troubleshooting.md
``` ```
## 11) Telegram/channel check (if used) ## 12) Telegram/channel check (if used)
Telegram account rule: Telegram account rule:
- No new personal Telegram account is required. - No new personal Telegram account is required.
@ -181,7 +201,7 @@ openclaw status --deep
Expected: channel `OK` and gateway reachable. Expected: channel `OK` and gateway reachable.
## 12) First chat checks ## 13) First chat checks
In your chat surface: In your chat surface:
@ -190,7 +210,7 @@ In your chat surface:
Expected: response is fast and uses a `github-copilot/*` model. Expected: response is fast and uses a `github-copilot/*` model.
## 13) Daily operations ## 14) Daily operations
```bash ```bash
openclaw status --deep openclaw status --deep
@ -198,7 +218,7 @@ openclaw models status
copilot auth status copilot auth status
``` ```
## 14) Fast failure recovery ## 15) Fast failure recovery
```bash ```bash
openclaw gateway restart openclaw gateway restart

View File

@ -179,8 +179,7 @@ Fixes:
- For a quick manual switch without live push: - For a quick manual switch without live push:
- `bash ./scripts/model_profile_switch.sh free --no-live` - `bash ./scripts/model_profile_switch.sh free --no-live`
- If `profiles.paid.primary` / `profiles.free.primary` are empty, run: - If `profiles.paid.primary` / `profiles.free.primary` are empty, run:
- `copilot auth login` - `bash ./scripts/finalize_copilot_setup.sh`
- `bash ./scripts/install_copilot_guardrails.sh`
This populates `config/model-profiles.config.json` and restages launchd runtime configs. This populates `config/model-profiles.config.json` and restages launchd runtime configs.
## 12) Copilot auth watchdog alerting repeatedly ## 12) Copilot auth watchdog alerting repeatedly

View File

@ -0,0 +1,100 @@
#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
log_info() { echo "[finalize] $*"; }
log_warn() { echo "[finalize] WARN: $*" >&2; }
log_err() { echo "[finalize] ERROR: $*" >&2; }
require_cmd() {
local cmd="$1"
if ! command -v "$cmd" >/dev/null 2>&1; then
log_err "Missing required command: $cmd"
exit 1
fi
}
copilot_authed() {
copilot auth status >/dev/null 2>&1
}
refresh_models() {
openclaw models refresh >/dev/null 2>&1 || true
}
copilot_model_count() {
openclaw models list 2>/dev/null \
| awk 'NR>1 && /^github-copilot\// {count++} END {print count+0}'
}
require_cmd openclaw
require_cmd copilot
require_cmd jq
if ! copilot_authed; then
log_warn "Copilot auth is not active."
if [[ -t 0 ]]; then
log_info "Launching interactive login: copilot auth login"
copilot auth login
else
log_err "Non-interactive shell cannot complete browser login."
log_err "Run: copilot auth login"
exit 1
fi
fi
if ! copilot_authed; then
log_err "Copilot auth still not active after login."
log_err "Run 'copilot auth status' and resolve auth issues, then retry."
exit 1
fi
log_info "Refreshing model catalog..."
refresh_models
count="$(copilot_model_count)"
if [[ "$count" -eq 0 ]]; then
log_warn "No github-copilot models detected yet. Restarting gateway and retrying once."
openclaw gateway restart >/dev/null 2>&1 || true
sleep 1
refresh_models
count="$(copilot_model_count)"
fi
if [[ "$count" -eq 0 ]]; then
log_err "No github-copilot models available to configure."
log_err "Check entitlement/auth, then rerun this script."
openclaw models list || true
exit 1
fi
log_info "Detected $count Copilot model(s). Installing guardrails + model profiles..."
bash "$SCRIPT_DIR/install_copilot_guardrails.sh"
log_info "Enabling recommended hooks..."
openclaw hooks enable boot-md >/dev/null 2>&1 || true
openclaw hooks enable command-logger >/dev/null 2>&1 || true
openclaw hooks enable session-memory >/dev/null 2>&1 || true
log_info "Restarting gateway..."
openclaw gateway restart >/dev/null 2>&1 || true
log_info "Final status checks:"
copilot auth status || true
openclaw models status || true
for label in \
ai.openclaw.model-budget-guard \
ai.openclaw.copilot-policy-guard \
ai.openclaw.copilot-auth-watchdog \
ai.openclaw.copilot-model-schedule-guard; do
if launchctl print "gui/$(id -u)/$label" >/dev/null 2>&1; then
echo "[finalize] launchd OK: $label"
else
echo "[finalize] launchd WARN: $label not loaded"
fi
done
log_info "Done. Copilot setup is fully configured."
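Review bot: The final `log_info "Done. Copilot setup is fully configured."` and the zero exit status are unconditional, even when later steps have failed. The three `openclaw hooks enable ...` calls and the last `openclaw gateway restart` run with `>/dev/null 2>&1 || true`, and a missing launchd label only prints a WARN line. The setup script relies on `if ! bash "$FINALIZE_SCRIPT"` to detect failure, so a disabled `command-logger` hook or an unloaded `ai.openclaw.copilot-policy-guard` job is reported as success. Suggest counting those failures and either exiting non-zero or ending with a "completed with warnings" message that lists them. Smaller points: `ROOT_DIR` is assigned but never used; `require_cmd jq` is enforced although nothing in this file calls jq (if it is a dependency of `install_copilot_guardrails.sh`, a comment saying so would help); and `launchctl` is used without a matching `require_cmd`.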

View File

@ -2,6 +2,8 @@
set -euo pipefail set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
GREEN='\033[0;32m' GREEN='\033[0;32m'
YELLOW='\033[1;33m' YELLOW='\033[1;33m'
RED='\033[0;31m' RED='\033[0;31m'
@ -76,32 +78,30 @@ else
log_info "Copilot CLI already installed ($(copilot --version 2>/dev/null || echo present))." log_info "Copilot CLI already installed ($(copilot --version 2>/dev/null || echo present))."
fi fi
FINALIZE_SCRIPT="$SCRIPT_DIR/../scripts/finalize_copilot_setup.sh"
if [[ -x "$FINALIZE_SCRIPT" ]]; then
if copilot auth status >/dev/null 2>&1; then
log_info "Copilot auth already active. Running finalize flow now..."
if ! bash "$FINALIZE_SCRIPT"; then
log_warn "Finalize flow failed. Re-run manually after checking auth/models:"
echo " bash ./scripts/finalize_copilot_setup.sh"
fi
else
log_warn "Final setup step still needed after login:"
echo " bash ./scripts/finalize_copilot_setup.sh"
fi
fi
echo "" echo ""
log_info "Setup complete (Copilot-first)." log_info "Setup complete (Copilot-first)."
echo "" echo ""
echo "Next steps (target machine):" echo "Next steps (target machine):"
echo "1. Authenticate Copilot CLI with enterprise account:" echo "1. Run one-command finalize (recommended):"
echo " bash ./scripts/finalize_copilot_setup.sh"
echo "2. If finalize cannot open browser login, authenticate first:"
echo " copilot auth login" echo " copilot auth login"
echo " copilot auth status" echo " copilot auth status"
echo "2. Start/verify OpenClaw gateway:" echo " bash ./scripts/finalize_copilot_setup.sh"
echo " openclaw gateway restart" echo "3. Verify:"
echo " openclaw status --deep" echo " openclaw status --deep"
echo "3. Discover and set Copilot models:" echo " openclaw models status"
echo " openclaw models refresh || true"
echo " openclaw models list"
echo " openclaw models set github-copilot/<your-fast-default>"
echo "4. Configure fallbacks:"
echo " openclaw models fallbacks clear"
echo " openclaw models fallbacks add github-copilot/<free-or-low-cost-fallback-1>"
echo " openclaw models fallbacks add github-copilot/<free-or-low-cost-fallback-2>"
echo "5. Optional strict provider lock:"
echo " openclaw config set --json providers.github-copilot.enabled true"
echo " openclaw config set --json providers.openai.enabled false"
echo " openclaw config set --json providers.anthropic.enabled false"
echo " openclaw config set --json providers.openrouter.enabled false"
echo "6. Install Copilot guardrails (recommended):"
echo " bash ./scripts/install_copilot_guardrails.sh"
echo "7. Ensure recommended hooks are enabled:"
echo " openclaw hooks enable boot-md"
echo " openclaw hooks enable command-logger"
echo " openclaw hooks enable session-memory"
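Review bot: The guard `if [[ -x "$FINALIZE_SCRIPT" ]]` tests the executable bit, but the script is then invoked as `bash "$FINALIZE_SCRIPT"`, which does not need it. If the folder is copied to the target machine in a way that drops the bit, or the file is missing, the whole block is skipped with no log line and the user only sees the generic "Next steps" text. Suggest testing with `-f` and adding an `else` branch that calls `log_warn` with the expected path. Separately, "Setup complete (Copilot-first)." is still printed right after the "Finalize flow failed" warning, which makes the failure easy to miss; consider changing the closing message when finalize returned non-zero.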