OpenClaw: documents from local path, rebuild workaround, forgejo-cli

- Documents (SOUL/TOOLS/AGENTS) from path input to openclaw-documents-repo
- Flake: openclaw-documents.url = path to local clone (no SSH under sudo)
- Remove in-repo openclaw-documents; add docs/openclaw-documents.md
- openclaw.nix: activation backup + force for openclaw.json (TODO to remove)
- home.nix: add forgejo-cli
- .gitignore: openclaw-documents-repo; drop SOUL/TOOLS ignores
- AGENTS.md: OpenClaw docs ref
- TODO: remove OpenClaw activation/force bloat

Made-with: Cursor

nixos/home/danny/home.nix

@@ -189,6 +189,7 @@
     wget          # downloader
     # azure-cli   # TODO: remove this Azure cli tool
     gh            # github cli tool
+    forgejo-cli   # forgejo/codeberg cli (provides fj)
     git           # version control
     jujutsu       # Git alternative
     gnupg         # GNU privacy guard (GPG)

nixos/home/danny/openclaw-documents/AGENTS.md

@@ -1,7 +0,0 @@
-# Agent instructions
-
-Instructions for the AI assistant (OpenClaw) when acting on your behalf.
-
-- Prefer terminal and scripting for automation; use GUI only when necessary.
-- Prefer tools and skills provided by enabled plugins; suggest enabling a plugin if a task needs it.
-- Do not store secrets or tokens in the repo; use ~/.secrets/ or environment.

nixos/home/danny/openclaw.nix

@@ -1,11 +1,13 @@
 # OpenClaw (AI assistant gateway) – Telegram, launchd, documents.
+# Documents (SOUL.md, TOOLS.md, etc.) come from a separate repo via the flake input
+# openclaw-documents (see flake.nix; override with e.g. github:you/openclaw-documents).
 # Secrets (not in repo):
 #   ~/.secrets/telegram-bot-token
 #   ~/.secrets/openclaw-gateway-token   (one line, gateway auth token)
 #   nixos/home/danny/openclaw-allow-from.nix  (gitignored; copy from .example)
 # After editing, run: darwin-rebuild switch --flake . (from ~/dotfiles/nixos)
 
-{ config, lib, ... }:
+{ config, lib, pkgs, openclaw-documents, ... }:
 
 let
   # Telegram user IDs from gitignored file so we don't commit them
@@ -15,7 +17,8 @@ in
 {
   programs.openclaw = {
     enable = true;
-    documents = ./openclaw-documents;
+    # Flake input: use .source (in-repo and separate-repo flakes expose source = ./.)
+    documents = openclaw-documents.source or openclaw-documents.outPath or openclaw-documents;
 
     config = { };
 
@@ -44,14 +47,29 @@ in
     executable = true;
   };
 
-  # Prepend wrapper to launchd so OPENCLAW_GATEWAY_TOKEN is set from file at runtime
-  launchd.agents."com.steipete.openclaw.gateway" = lib.mkForce (
-    (config.launchd.agents."com.steipete.openclaw.gateway" or { }) // {
-      config = (config.launchd.agents."com.steipete.openclaw.gateway".config or { }) // {
-        ProgramArguments = [
-          (config.home.homeDirectory + "/.local/bin/openclaw-gateway-wrapper")
-        ] ++ (config.launchd.agents."com.steipete.openclaw.gateway".config.ProgramArguments or [ ]);
-      };
-    }
-  );
+  # TODO: Remove this bloat (see dotfiles TODO.md). Back up as target user so HM can overwrite.
+  home.activation.backupOpenclawBeforeSwitch = lib.hm.dag.entryBefore [ "linkGeneration" ] ''
+    OPENCLAW="${config.home.homeDirectory}/.openclaw"
+    USER="${config.home.username}"
+    if [ -d "$OPENCLAW" ]; then
+      for f in "$OPENCLAW"/workspace/*.md "$OPENCLAW"/openclaw.json; do
+        [ -e "$f" ] && [ ! -L "$f" ] && (sudo -u "$USER" mv -n "$f" "$f.backup" 2>/dev/null || true)
+      done
+    fi
+  '';
+  home.file.".openclaw/openclaw.json".force = true;
+
+  # Override launchd agent to run wrapper so OPENCLAW_GATEWAY_TOKEN is set from file at runtime.
+  # Do not reference config.launchd.agents."..." here (causes infinite recursion).
+  launchd.agents."com.steipete.openclaw.gateway" = lib.mkForce {
+    enable = true;
+    config = {
+      ProgramArguments = [
+        (config.home.homeDirectory + "/.local/bin/openclaw-gateway-wrapper")
+        "${pkgs.openclaw}/bin/openclaw-gateway"
+      ];
+      RunAtLoad = true;
+      KeepAlive = true;
+    };
+  };
 }