feat: OpenClaw guided onboarding with Tailscale and OrbStack agents

[marcusquinn]

Summary

• Add comprehensive OpenClaw guided setup to onboarding wizard with business discovery, deployment tier selection, channel setup, and security hardening
• Create Tailscale subagent for secure mesh networking (VPN, Serve/Funnel, VPS access)
• Create OrbStack subagent for Docker/Linux VM management on macOS
• Rewrite OpenClaw subagent with 3 deployment tiers, security-first guidance, and aidevops cross-integration

Changes

New Files

• .agents/services/networking/tailscale.md — Tailscale mesh VPN agent (install, Serve/Funnel, ACLs, VPS integration)
• .agents/tools/containers/orbstack.md — OrbStack container runtime agent (Docker, Linux VMs, OpenClaw containers)

Modified Files

• .agents/tools/ai-assistants/openclaw.md — Rewritten with deployment tiers (native/OrbStack/VPS), security hardening from upstream docs, Tailscale integration, aidevops cross-references, when-to-use-which decision tree
• .agents/aidevops/onboarding.md — New OpenClaw guided setup flow: business discovery conversation, deployment tier picker, channel setup with security-first defaults, security audit walkthrough, aidevops-vs-OpenClaw decision tree. Also adds Containers & Networking service catalog sections.
• .agents/scripts/onboarding-helper.sh — New detection functions: check_containers() (OrbStack, Docker), check_networking() (Tailscale), check_openclaw() (OpenClaw gateway + config). New guide entries for openclaw, tailscale, orbstack. Updated JSON output.
• .agents/subagent-index.toon — Updated count 41→43, added services/networking/ and tools/containers/ entries
• .agents/AGENTS.md — Added Containers, Networking, Personal AI to progressive disclosure table

Testing

• shellcheck passes (only SC1091 info for sourced file, already disabled)
• onboarding-helper.sh status correctly detects OrbStack (partial), Tailscale (not installed), OpenClaw (not installed)
• onboarding-helper.sh json includes new sections with correct structure
• onboarding-helper.sh guide openclaw|tailscale|orbstack all produce correct output

Summary by CodeRabbit

Release Notes

• New Features

  • Integrated container orchestration (OrbStack) and secure mesh networking (Tailscale) into platform
  • Expanded OpenClaw with multi-tier deployment options (local, containerized, remote) and enhanced security features
  • Improved setup verification with additional status checks

• Documentation

  • Added comprehensive guides for new services and deployment configurations
  • Enhanced onboarding workflows with multi-tier deployment guidance

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 18 minutes and 51 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Walkthrough

This PR expands the DevOps framework with three new integrated services: OrbStack (container runtime for macOS), Tailscale (mesh VPN networking), and OpenClaw (AI assistant). Updates include new documentation, multi-tier deployment guidance, shell script utilities for status checking, and expanded onboarding workflows across agent infrastructure.

Changes

Cohort / File(s)	Summary
Agent Infrastructure & Routing .agents/AGENTS.md, .agents/subagent-index.toon	Added three new rows to the Orchestration agents table for Containers (OrbStack), Networking (Tailscale), and Personal AI (OpenClaw). Updated subagent index categories from [41] to [43] with corresponding service routing entries.
Service Documentation .agents/services/networking/tailscale.md, .agents/tools/containers/orbstack.md	Two new comprehensive guides covering Tailscale installation, ACL configuration, VPN workflows, SSH access, and Cloudflare integration; OrbStack quick reference, Docker operations, Linux VM usage, OpenClaw integration, resource management, and troubleshooting.
AI Assistant Expansion .agents/tools/ai-assistants/openclaw.md	Substantially expanded documentation introducing three deployment tiers (Native Local, OrbStack Container, Remote VPS) with detailed setup instructions, security baseline configs, Tailscale integration, channel setup workflows, DM access policies, sandboxing guidance, and aidevops interoperability guidance.
Onboarding Workflow .agents/aidevops/onboarding.md	Replaced "Personal AI Assistant (Mobile Access)" with broader "Containers & VMs" section. Added multi-tier deployment flows with guided setup steps, verification hooks, security auditing commands, and updated Step 4/5 workflow to prioritize OrbStack and Tailscale in the recommended setup order.
Onboarding Helper Script .agents/scripts/onboarding-helper.sh	Added three new status-check functions (check_containers, check_networking, check_openclaw) integrated into show_status. Extended JSON output with containers, networking, and openclaw groups. Updated help text and service listings across guides and status displays.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant OnboardingHelper as Onboarding Helper
    participant DeploymentTier as Deployment Tier
    participant ContainerRuntime as Container Runtime
    participant Networking as Networking
    participant OpenClaw as OpenClaw
    participant Verification as Verification

    User->>OnboardingHelper: Initiate onboarding
    OnboardingHelper->>User: Present deployment tier options
    activate DeploymentTier
    User->>DeploymentTier: Select tier (Native/OrbStack/VPS)
    deactivate DeploymentTier

    alt OrbStack Tier Selected
        DeploymentTier->>ContainerRuntime: Install OrbStack
        ContainerRuntime-->>OnboardingHelper: Installation complete
    else Remote VPS Tier
        DeploymentTier->>ContainerRuntime: Configure remote runtime
        ContainerRuntime-->>OnboardingHelper: Configuration complete
    else Native Local Tier
        OnboardingHelper->>ContainerRuntime: Use local environment
    end

    OnboardingHelper->>Networking: Install & configure Tailscale
    activate Networking
    Networking-->>OnboardingHelper: Network ready
    deactivate Networking

    OnboardingHelper->>OpenClaw: Deploy OpenClaw per tier
    activate OpenClaw
    OpenClaw->>OpenClaw: Execute Security Hardening
    OpenClaw-->>OnboardingHelper: OpenClaw deployed
    deactivate OpenClaw

    OnboardingHelper->>Verification: Run verification checks
    activate Verification
    Verification->>ContainerRuntime: check_containers()
    Verification->>Networking: check_networking()
    Verification->>OpenClaw: check_openclaw()
    Verification-->>User: All systems verified ✓
    deactivate Verification

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• refactor: rename moltbot to openclaw branding #265: OpenClaw onboarding and documentation additions in this PR build directly on the Moltbot→OpenClaw rename and architecture updates from that prior work.
• feat: add content summaries to subagent routing table #157: Both PRs modify the AGENTS.md subagent routing infrastructure; this PR adds new service rows while that PR introduced structural table enhancements (Contains column).

Poem

🐳 Containers sailing with OrbStack's might,
🔗 Tailscale weaves networking tight,
🤖 OpenClaw spreads AI's light,
Three tools unite in onboarding's flight—
DevOps dreams now crystallized right! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main objective: introducing OpenClaw guided onboarding integrated with Tailscale and OrbStack agents. It is specific, concise, and directly corresponds to the primary changes across all modified and new files.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/openclaw-onboarding-integration

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 61 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Mon Feb 9 21:46:53 UTC 2026: Code review monitoring started
Mon Feb 9 21:46:54 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 61

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 61
• VULNERABILITIES: 0

Generated on: Mon Feb 9 21:46:56 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @.agents/scripts/onboarding-helper.sh:
- Around line 445-452: The oc_ver assignment and gateway check should mirror the
orb fix: make oc_ver reliably fall back to "unknown" without using the
ineffective "|| echo" after a pipeline (e.g., capture version into oc_ver then
if [ -z "$oc_ver" ]; then oc_ver="unknown"; fi), and remove the redundant
redirection in the gateway status check by replacing "openclaw gateway status
&>/dev/null 2>&1" with a single combined redirect like "openclaw gateway status
&>/dev/null". Update the symbols oc_ver, openclaw --version, openclaw gateway
status, and print_service accordingly.
- Around line 396-402: The orb_ver assignment can be empty when `orb version`
fails because the fallback only covers awk errors; update the logic around the
orb_ver variable (the `orb_ver=$(orb version ... | head -1 | awk '{print $2}' ||
echo "unknown")` pipeline) to robustly handle command failure and empty output:
capture `orb version` output first, check if it's non-empty before extracting
the field (or check the extracted value with -z) and set orb_ver to "unknown" on
failure, then use that safe orb_ver when calling print_service ("OrbStack",
"ready"/"partial", "v${orb_ver}, ...") so you never emit "v, running".

🧹 Nitpick comments (3)

.agents/services/networking/tailscale.md (1)

46-48: macOS daemon management via sudo tailscaled & is fragile.

Backgrounding with & won't survive terminal close or reboot. Consider documenting brew services start tailscale for persistent daemon management, or note that users should add a launchd plist. The current instruction works for a quick test but isn't production-grade.

.agents/tools/containers/orbstack.md (1)

186-191: Docker socket mount is a security-sensitive operation — consider a brief note.

Mounting /var/run/docker.sock grants the container full Docker daemon access (effectively root). This is required for Coolify but worth a one-line security note for users unfamiliar with the implications.

.agents/scripts/onboarding-helper.sh (1)

422-422: Redundant 2>&1 after &>/dev/null on Line 422.

Same redundant redirect pattern as noted above.

Proposed fix

-    if tailscale status &>/dev/null 2>&1; then
+    if tailscale status &>/dev/null; then

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 61 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Mon Feb 9 21:53:10 UTC 2026: Code review monitoring started
Mon Feb 9 21:53:10 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 61

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 61
• VULNERABILITIES: 0

Generated on: Mon Feb 9 21:53:13 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud