Neuro-Rift · Neuro-Rift · Feb 27, 2026 · Feb 27, 2026 · coderabbitai · Feb 27, 2026
diff --git a/BOOT.md b/BOOT.md
@@ -1,58 +1,80 @@
-# NeuroRift + OpenClaw Boot Sequence
+# NeuroRift + OpenClaw Boot Sequence (Stabilized)
 
-This runbook initializes NeuroRift as a primary OpenClaw agent and loads proactive monitoring.
+This runbook initializes NeuroRift as a primary OpenClaw agent with strict sandboxing, approval controls, heartbeat discipline, and deterministic Docker runtime.
 
-## 1) Preflight
+## 1) Preflight (mandatory)
 
-1. Export provider and channel secrets:
-   - `OPENAI_API_KEY`
-   - `ANTHROPIC_API_KEY` or `CLAUDE_API_KEY`
-   - `ZAI_API_KEY` or `Z_AI_API_KEY`
-   - `OPENCLAW_DISCORD_WEBHOOK_URL` (optional)
-   - `OPENCLAW_TELEGRAM_BOT_TOKEN` + `OPENCLAW_TELEGRAM_CHAT_ID` (optional)
-2. Confirm services:
-   - NeuroRift FastAPI bridge on `:8766`
-   - OpenClaw WebSocket gateway on `:18789`
+Export required runtime env:
+- `OPENCLAW_CONFIG_PATH`
+- `OPENCLAW_STATE_DIR`
+- `OLLAMA_HOST`
+- `NEURORIFT_BRIDGE_URL`
 
-## 2) Start NeuroRift FastAPI bridge
+Export provider/channel secrets as needed:
+- `OPENAI_API_KEY`
+- `ANTHROPIC_API_KEY` or `CLAUDE_API_KEY`
+- `ZAI_API_KEY` or `Z_AI_API_KEY`
+- `OPENCLAW_DISCORD_WEBHOOK_URL` (optional)
+- `OPENCLAW_TELEGRAM_BOT_TOKEN` + `OPENCLAW_TELEGRAM_CHAT_ID` (optional)
+
+Run cross-device doctor checks:
 
 ```bash
-python3 modules/web/bridge_server.py
+python3 scripts/openclaw_doctor.py
 ```
 
-Health check:
+## 2) Start deterministic Docker runtime
 
 ```bash
-curl -s http://127.0.0.1:8766/health
+docker compose up -d --build gateway neurorift-core rust-engine web-ui ollama sandbox-runner
 ```
 
-## 3) Start OpenClaw gateway
+Verify service health:
+
+```bash
+docker compose ps
+```
 
-Use your OpenClaw runtime with the unified config:
+## 3) Start NeuroRift FastAPI bridge
 
 ```bash
-openclaw gateway --config ./openclaw.json5
+python3 modules/web/bridge_server.py
 ```
 
-## 4) Start the adapter bridge
+Health check:
 
 ```bash
+curl -s http://127.0.0.1:8766/health
+```
+
+## 4) Start OpenClaw gateway and adapter
+
+```bash
+openclaw gateway --config ./openclaw.json5
 python3 integrations/openclaw/openclaw_gateway_adapter.py
 ```
 
-The adapter maps NeuroRift internal calls into OpenClaw RPC methods:
-- `run_terminal_cmd -> exec`
-- `read_file -> read`
-- `write_file -> write`
-- `process_state -> process`
+Adapter policy guarantees:
+- Terminal-only execution path for operator actions.
+- Sandbox workdir enforced at `/workspace`.
+- Tool allow/deny lists enforced.
+- High-risk operations forwarded for Discord/Telegram approval, timeout auto-deny.
 
-## 5) Load HEARTBEAT checklist
+## 5) HEARTBEAT discipline
 
-Review and execute `HEARTBEAT.md` at startup and once every shift.
+Read `HEARTBEAT.md` at startup and every configured interval.
+- No action needed → emit `HEARTBEAT_OK` only.
+- Action needed → generate structured task and log decision.
 
 ## 6) Validate end-to-end flow
 
 1. Send a recon request from Discord/Telegram/WhatsApp/Signal.
-2. Verify the request opens an `isolated` session.
-3. Confirm high-risk commands trigger approval forwarder messages.
-4. Confirm scheduled job appears in CronService (`weekly-attack-surface-recon`).
+2. Verify request is processed with isolated session identity.
+3. Confirm response returns to originating channel with mention/group policy preserved.
+4. Confirm high-risk commands trigger approval forwarder events.
+5. Confirm CronService scheduling guard prevents same-second loops.
+6. Follow diagnostic events from control stream with:
+
+```bash
+openclaw logs.follow
+```
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
@@ -1,56 +1,45 @@
-# ──────────────────────────────────────────────────────────────────────────────
-# NeuroRift × OpenClaw — Development Override
-#
-# Usage:
-#   docker compose -f docker-compose.yml -f docker-compose.dev.yml up --build
-#
-# Changes vs production:
-#   - Source code is volume-mounted for hot reload
-#   - Python bridge uses uvicorn --reload
-#   - Next.js runs in dev mode (npm run dev)
-#   - Extra ports exposed for debugging
-# ──────────────────────────────────────────────────────────────────────────────
-
 name: neurorift
 
 services:
-
-  neurorift:
+  neurorift-core:
     build:
-      target: base # stop at base stage, skip entrypoint switch
+      target: base
     volumes:
-      # Mount source directly for live reloads
       - ./modules:/app/modules
       - ./utils:/app/utils
       - ./prompts:/app/prompts
       - ./configs:/app/configs
       - ./ai_wrapper:/app/ai_wrapper
     environment:
-      LOG_LEVEL: "debug"
+      LOG_LEVEL: debug
     ports:
-      - "127.0.0.1:8766:8766" # expose for local debugging
+      - "127.0.0.1:8766:8766"
     command: >
       uvicorn modules.web.bridge_server:app --host 0.0.0.0 --port 8766 --reload --log-level debug
 
-  openclaw:
+  rust-engine:
     ports:
-      - "127.0.0.1:8765:8765" # expose for local debugging
+      - "127.0.0.1:8765:8765"
     environment:
-      RUST_LOG: "debug"
+      RUST_LOG: debug
+
+  gateway:
+    ports:
+      - "127.0.0.1:18789:18789"
 
   web-ui:
     build:
-      target: builder # use builder stage with full dev tooling
+      target: builder
     volumes:
       - ./web-ui:/app
-      - /app/node_modules # anonymous volume to prevent host override
-      - /app/.next # prevent stale build cache from host
+      - /app/node_modules
+      - /app/.next
     ports:
       - "3000:3000"
     environment:
-      NODE_ENV: "development"
+      NODE_ENV: development
     command: npm run dev
 
   ollama:
     ports:
-      - "127.0.0.1:11434:11434" # expose Ollama locally in dev for direct testing
+      - "127.0.0.1:11434:11434"