Run initial NanoClaw setup. Use when user wants to install dependencies, authenticate WhatsApp, register their main channel, or start the background services. Triggers on "setup", "install", "configure nanoclaw", or first-time setup requests.
Run all commands automatically. Only pause when user action is required (scanning QR codes).
npm install
Check if Apple Container is installed:
which container && container --version || echo "Not installed"
If not installed, tell the user:
Apple Container is required for running agents in isolated environments.
- Download the latest
.pkgfrom
container system start to start the serviceLet me know when you've completed these steps.
Wait for user confirmation, then verify:
container system start
container --version
Note: NanoClaw automatically starts the Apple Container system when it launches, so you don't need to start it manually after reboots.
Ask the user:
Do you want to use your Claude subscription (Pro/Max) or an Anthropic API key?
Ask the user:
Want me to grab the OAuth token from your current Claude session?
If yes:
TOKEN=$(cat ~/.claude/.credentials.json 2>/dev/null | jq -r '.claudeAiOauth.accessToken // empty')
if [ -n "$TOKEN" ]; then
echo "CLAUDE_CODE_OAUTH_TOKEN=$TOKEN" > .env
echo "Token configured: ${TOKEN:0:20}...${TOKEN: -4}"
else
echo "No token found - are you logged in to Claude Code?"
fi
If the token wasn't found, tell the user:
Run
claudein another terminal and log in first, then come back here.
Ask if they have an existing key to copy or need to create one.
Copy existing:
grep "^ANTHROPIC_API_KEY=" /path/to/source/.env > .env
Create new:
echo 'ANTHROPIC_API_KEY=' > .env
Tell the user to add their key from https://console.anthropic.com/
Verify:
KEY=$(grep "^ANTHROPIC_API_KEY=" .env | cut -d= -f2)
[ -n "$KEY" ] && echo "API key configured: ${KEY:0:10}...${KEY: -4}" || echo "Missing"
Build the NanoClaw agent container:
./container/build.sh
This creates the nanoclaw-agent:latest image with Node.js, Chromium, Claude Code CLI, and agent-browser.
Verify the build succeeded (the container images command may not work due to a plugin issue, so we verify by running a simple test):
echo '{}' | container run -i --entrypoint /bin/echo nanoclaw-agent:latest "Container OK" || echo "Container build failed"
USER ACTION REQUIRED
Run the authentication script:
npm run auth
Tell the user:
A QR code will appear. On your phone:
- Open WhatsApp
- Tap Settings → Linked Devices → Link a Device
- Scan the QR code
Wait for the script to output "Successfully authenticated" then continue.
If it says "Already authenticated", skip to the next step.
Ask the user:
What trigger word do you want to use? (default:
Andy)Messages starting with
@TriggerWordwill be sent to Claude.
If they choose something other than Andy, update it in these places:
groups/CLAUDE.md - Change "# Andy" and "You are Andy" to the new namegroups/main/CLAUDE.md - Same changes at the topdata/registered_groups.json - Use @NewName as the trigger when registering groupsStore their choice - you'll use it when creating the registered_groups.json and when telling them how to test.
Ask the user:
Do you want to use your personal chat (message yourself) or a WhatsApp group as your main control channel?
For personal chat:
Send any message to yourself in WhatsApp (the "Message Yourself" chat). Tell me when done.
For group:
Send any message in the WhatsApp group you want to use as your main channel. Tell me when done.
After user confirms, start the app briefly to capture the message:
timeout 10 npm run dev || true
Then find the JID from the database:
# For personal chat (ends with @s.whatsapp.net)
sqlite3 store/messages.db "SELECT DISTINCT chat_jid FROM messages WHERE chat_jid LIKE '%@s.whatsapp.net' ORDER BY timestamp DESC LIMIT 5"
# For group (ends with @g.us)
sqlite3 store/messages.db "SELECT DISTINCT chat_jid FROM messages WHERE chat_jid LIKE '%@g.us' ORDER BY timestamp DESC LIMIT 5"
Create/update data/registered_groups.json using the JID from above and the assistant name from step 5:
{
"JID_HERE": {
"name": "main",
"folder": "main",
"trigger": "@ASSISTANT_NAME",
"added_at": "CURRENT_ISO_TIMESTAMP"
}
}
Ensure the groups folder exists:
mkdir -p groups/main/logs
Ask the user:
Do you want the agent to be able to access any directories outside the NanoClaw project?
Examples: Git repositories, project folders, documents you want Claude to work on.
Note: This is optional. Without configuration, agents can only access their own group folders.
If no, create an empty allowlist to make this explicit:
mkdir -p ~/.config/nanoclaw
cat > ~/.config/nanoclaw/mount-allowlist.json << 'EOF'
{
"allowedRoots": [],
"blockedPatterns": [],
"nonMainReadOnly": true
}
EOF
echo "Mount allowlist created - no external directories allowed"
Skip to the next step.
If yes, ask follow-up questions:
Ask the user:
Which directories do you want to allow access to?
You can specify:
- A parent folder like
~/projects(allows access to anything inside)- Specific paths like
~/repos/my-appList them one per line, or give me a comma-separated list.
For each directory they provide, ask:
Should
[directory]be read-write (agents can modify files) or read-only?Read-write is needed for: code changes, creating files, git commits Read-only is safer for: reference docs, config examples, templates
Ask the user:
Should non-main groups (other WhatsApp chats you add later) be restricted to read-only access even if read-write is allowed for the directory?
Recommended: Yes - this prevents other groups from modifying files even if you grant them access to a directory.
Create the allowlist file based on their answers:
mkdir -p ~/.config/nanoclaw
Then write the JSON file. Example for a user who wants ~/projects (read-write) and ~/docs (read-only) with non-main read-only:
cat > ~/.config/nanoclaw/mount-allowlist.json << 'EOF'
{
"allowedRoots": [
{
"path": "~/projects",
"allowReadWrite": true,
"description": "Development projects"
},
{
"path": "~/docs",
"allowReadWrite": false,
"description": "Reference documents"
}
],
"blockedPatterns": [],
"nonMainReadOnly": true
}
EOF
Verify the file:
cat ~/.config/nanoclaw/mount-allowlist.json
Tell the user:
Mount allowlist configured. The following directories are now accessible:
~/projects(read-write)~/docs(read-only)Security notes:
- Sensitive paths (
.ssh,.gnupg,.aws, credentials) are always blocked- This config file is stored outside the project, so agents cannot modify it
- Changes require restarting the NanoClaw service
To grant a group access to a directory, add it to their config in
data/registered_groups.json:"containerConfig": { "additionalMounts": [ { "hostPath": "~/projects/my-app", "containerPath": "my-app", "readonly": false } ] }
Generate the plist file with correct paths automatically:
NODE_PATH=$(which node)
PROJECT_PATH=$(pwd)
HOME_PATH=$HOME
cat > ~/Library/LaunchAgents/com.nanoclaw.plist << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.nanoclaw</string>
<key>ProgramArguments</key>
<array>
<string>${NODE_PATH}</string>
<string>${PROJECT_PATH}/dist/index.js</string>
</array>
<key>WorkingDirectory</key>
<string>${PROJECT_PATH}</string>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
<key>EnvironmentVariables</key>
<dict>
<key>PATH</key>
<string>/usr/local/bin:/usr/bin:/bin:${HOME_PATH}/.local/bin</string>
<key>HOME</key>
<string>${HOME_PATH}</string>
</dict>
<key>StandardOutPath</key>
<string>${PROJECT_PATH}/logs/nanoclaw.log</string>
<key>StandardErrorPath</key>
<string>${PROJECT_PATH}/logs/nanoclaw.error.log</string>
</dict>
</plist>
EOF
echo "Created launchd plist with:"
echo " Node: ${NODE_PATH}"
echo " Project: ${PROJECT_PATH}"
Build and start the service:
npm run build
mkdir -p logs
launchctl load ~/Library/LaunchAgents/com.nanoclaw.plist
Verify it's running:
launchctl list | grep nanoclaw
Tell the user (using the assistant name they configured):
Send
@ASSISTANT_NAME helloin your registered chat.
Check the logs:
tail -f logs/nanoclaw.log
The user should receive a response in WhatsApp.
Service not starting: Check logs/nanoclaw.error.log
Container agent fails with "Claude Code process exited with code 1":
container system startcat groups/main/logs/container-*.log | tail -50No response to messages:
@AssistantName at start of message)data/registered_groups.jsonlogs/nanoclaw.log for errorsWhatsApp disconnected:
npm run auth to re-authenticatelaunchctl kickstart -k gui/$(id -u)/com.nanoclawUnload service:
launchctl unload ~/Library/LaunchAgents/com.nanoclaw.plist