Latest state, not working at all

k8s/AGENTS.md

@@ -71,6 +71,17 @@ ssh -t moritz@haumdaucher.de "sudo df -h"
     kubectl apply -f <folder>/<file>.yaml
     ```
 
+### Post-Implementation Verification
+> [!IMPORTANT]
+> **Verification Workflow**:
+> After a new implementation or configuration change, always:
+> 1.  Run `kubectl apply -f <file>.yaml`.
+> 2.  Run `kubectl rollout restart deployment <deployment-name> -n <namespace>` if applying a ConfigMap/Secret that a deployment depends on.
+> 3.  Wait for 30 seconds to allow pods to roll over.
+> 4.  Check logs using `kubectl logs -n <namespace> -l <label> --tail=100`.
+>
+> The agent **must always ask the user** for permission to execute this verification workflow after making changes.
+
 ### Operational Tasks
 *   **Cleanup Error Pods**:
     ```bash

k8s/openclaw/AGENTS.md

@@ -4,90 +4,66 @@ This document provides a comprehensive technical reference for AI agents to mana
 
 ## 🏗️ Architecture & Configuration Lifecycle
 
-### 1. Source    *   **Telegram**: Configured with `dmPolicy: "allowlist"` for users `306373425` and `255114390`.
-    *   **Skills**: Enabled `nano-banana-pro` (Gemini image generation). Installed `uv` persistently into the PVC.
-    *   **Configuration**: Streamlined `openclaw.secret.yaml`. Consolidated JSON into `ConfigMap`.
-    *   **Status**: **Fully Functional** (Secure: Basic Auth + Gateway Token + Multi-LLM + Image Gen).
-json`
+### 1. Status
+*   **Telegram**: Configured with `dmPolicy: "allowlist"` for users `306373425` and `255114390`.
+*   **Skills**: Integrated `gog` (Workspace), `nano-banana-pro` (Image Gen), and various utility skills.
+*   **Authentication**: Multi-provider setup with Gemini CLI OAuth (Primary) and Gemini API Key (Backup).
+*   **Ollama**: Removed from the deployment.
 
 ### 2. Bootstrap Process
 OpenClaw uses an `initContainer` to bootstrap the configuration:
 1. The `openclaw-bootstrap-config` volume is mounted at `/mnt/config`.
 2. The `initContainer` copies `/mnt/config/openclaw.json` to the persistent data volume at `/mnt/data/openclaw.json`.
-3. The main `openclaw` container identifies the persistent volume at `/home/node/.openclaw`.
+3. The `initContainer` provisions authentication tokens (e.g., `google-gemini-cli.json`) from environment variables/secrets.
+4. The main `openclaw` container identifies the persistent volume at `/home/node/.openclaw`.
 
-### 3. Applying Changes
-To update the configuration:
-1. Modify the `openclaw.json` block in [openclaw.secret.yaml](file:///Users/moritz/src/infrapuzzle/k8s/openclaw/openclaw.secret.yaml).
-2. Apply the manifest: `kubectl apply -f openclaw/openclaw.secret.yaml`
-3. **Rotate Deployment**: You MUST restart the pod to trigger the `initContainer` bootstrap:
+### 3. Gemini OAuth Setup & Sync
+This deployment uses a **local-to-remote** sync for Gemini OAuth:
+1. **Local Login**: The user runs `openclaw models auth login --provider google-gemini-cli` on their local machine.
+2. **Credential Capture**: This generates `~/.gemini/oauth_creds.json` locally.
+3. **Secret Update**: The JSON content from that file is copied into the `gemini-oauth-token` field of `openclaw.secret.yaml`.
+4. **Provisioning**: The `initContainer` in the K8s manifest reads the `GEMINI_OAUTH_TOKEN` env var (populated from the secret) and writes it to `/home/node/.openclaw/auth/google-gemini-cli.json`.
+
+### 4. Applying Changes
+To update the configuration or rotate tokens:
+1. Modify the relevant fields in [openclaw.secret.yaml](file:///Users/moritz/src/infrapuzzle/k8s/openclaw/openclaw.secret.yaml).
+2. Apply the manifest: `kubectl apply -f k8s/openclaw/openclaw.secret.yaml`
+3. **Rotate Deployment**: You MUST restart the pod to trigger the `initContainer` bootstrap and inject new env vars:
    `kubectl rollout restart deployment openclaw -n openclaw`
 
 ---
 
 ## 🔧 Configuration Reference (`openclaw.json`)
 
-### `gateway`
-Controls the main server behavior and security.
-- `trustedProxies`: List of IPs to trust for `X-Forwarded-For` headers (e.g., `["127.0.0.1"]`).
-- `controlUi.dangerouslyDisableDeviceAuth`: Set to `true` to allow login via token/password without device identity verification (useful for initial setup).
-- `port`: Default `18789`. Controlled via `OPENCLAW_GATEWAY_PORT` env var in the manifest.
-
-### `agents.defaults`
-Global defaults for all agents launched by the gateway.
-- `model.primary`: The default LLM (e.g., `google/gemini-flash-latest`).
-- `model.fallbacks`: List of model IDs to use if the primary fail.
-- `contextTokens`: Maximum context window (e.g., `200000`).
-
 ### `models.providers`
-Definition of external LLM sources.
-- **`ollama`**:
-  - `baseUrl`: `http://127.0.0.1:11434` (proxied via sidecar).
-  - `apiKey`: Required for discovery (e.g., `ollama-local`).
-  - `models`: Array of model objects with `id`, `contextWindow`, etc.
-- **`google`**: Built-in provider. Uses `GEMINI_API_KEY` environment variable.
+- **`google`**: Built-in provider. Uses `GEMINI_API_KEY`. See [GEMINI_AUTH_GUIDE.md](file:///Users/moritz/src/infrapuzzle/k8s/openclaw/GEMINI_AUTH_GUIDE.md).
+- **`google-gemini-cli`**: OAuth-based provider (Primary). Uses provisioned tokens.
+### `agents.defaults`
+- `model.primary`: `google-gemini-cli/gemini-3-flash-preview`
+- `model.fallbacks`: `["google/gemini-flash-latest"]`
 
-### `channels`
-Messaging platform integrations.
-- **`telegram`**:
-  - `enabled`: `true` | `false`.
-  - `dmPolicy`: `pairing` (default) | `allowlist` (skip approval).
-  - `allowFrom`: Array of numeric user IDs (e.g., `["306373425"]`) allowed to DM the bot.
+> [!IMPORTANT]
+> Gemini 3 requires `previewFeatures: true` in `~/.gemini/settings.json`, which is automatically provisioned by the `initContainer`. A **rollout restart** is required after any manifest change.
 
-### `plugins` (Extensions)
-Platform extensions (e.g., WhatsApp, Telegram).
-- `entries.<pluginId>.enabled`: Enable/disable specific extension logic.
-- `entries.<pluginId>.config`: Plugin-specific settings object.
+### `plugins`
+- `google-gemini-cli-auth`: MUST be enabled for the primary provider to function.
 
-### `skills`
-Modular tool capabilities.
-- `entries.<skillKey>.env`: Environment variables injected into the skill run.
-
-### 💡 Special Requirements
-- **`nano-banana-pro`**: Requires the `uv` tool. It is installed at `/home/node/.openclaw/bin/uv` (on the PVC) and included in the system `PATH`.
+---
 
 ## 🚨 Startup & Troubleshooting
 
 ### Investigating Issues
-You can execute commands directly inside the running pod to inspect the environment or file system:
 ```bash
-# Get the pod name
-kubectl get pods -n openclaw
+# Check config
+kubectl exec -it -n openclaw deployment/openclaw -c openclaw -- cat /home/node/.openclaw/openclaw.json
 
-# Execute a command (e.g., check config)
-kubectl exec -it -n openclaw <pod-name> -c openclaw -- cat /home/node/.openclaw/openclaw.json
-
-# Check environment variables
-kubectl exec -it -n openclaw <pod-name> -c openclaw -- env | grep OPENCLAW
+# Check auth tokens
+kubectl exec -it -n openclaw deployment/openclaw -c openclaw -- ls -la /home/node/.openclaw/auth/
 ```
 
 ### Applying Configuration Changes
-Any change to `openclaw.secret.yaml` (ConfigMap or Deployment) requires a rollout restart to take effect:
 ```bash
 kubectl apply -f k8s/openclaw/openclaw.secret.yaml
 kubectl rollout restart deployment openclaw -n openclaw
-```
-Always verify the rollout status:
-```bash
 kubectl rollout status deployment openclaw -n openclaw
 ```