Add locked-down kids instance configuration

kids-instance/README.md

@@ -0,0 +1,88 @@
+# OpenClaw Kids Instance
+
+A locked-down, sandboxed OpenClaw instance for your child.
+
+## 🔒 Safety Features
+
+- **Sandboxed tools** — all execution happens in Docker containers
+- **No file writes** — read-only access to workspace
+- **No shell access** — can't run commands on the host
+- **No browser control** — can't drive a browser
+- **No config changes** — can't modify OpenClaw settings
+- **DM pairing required** — you approve all contacts
+- **Group mention-only** — won't respond unless @mentioned in groups
+
+## 🚀 Setup
+
+1. **Change the auth token** in `config/openclaw-kids.json`:
+   ```json
+   "token": "your-long-random-string-here"
+   ```
+
+2. **Start the instance**:
+   ```bash
+   docker-compose -f docker-compose.kids.yml up -d
+   ```
+
+3. **Connect via Control UI**:
+   - Open http://localhost:18790 in your browser
+   - Use the token from step 1 to pair
+
+4. **Set up messaging** (optional):
+   - WhatsApp: Scan QR code in Control UI
+   - Telegram: Create bot via @BotFather, add token to config
+
+5. **Customize**:
+   - Edit `workspace-kids/IDENTITY.md` — let your son name the bot!
+   - Edit `workspace-kids/SOUL.md` — adjust personality as needed
+
+## 🛡️ What's Allowed
+
+- ✅ Chatting and asking questions
+- ✅ Reading files in the workspace
+- ✅ Web search (with safe content filters)
+- ✅ Using messaging with approved contacts
+
+## 🚫 What's Blocked
+
+- ❌ Running shell commands
+- ❌ Writing files
+- ❌ Browsing the web interactively
+- ❌ Creating scheduled tasks
+- ❌ Accessing your main OpenClaw instance
+- ❌ Modifying configuration
+
+## 📁 Directory Structure
+
+```
+kids-instance/
+├── docker-compose.kids.yml    # Docker setup
+├── config/
+│   └── openclaw-kids.json     # Main config
+├── workspace-kids/            # Agent workspace
+│   ├── SOUL.md                # Personality
+│   ├── IDENTITY.md            # Name/emoji
+│   └── ...                    # Other files
+└── state/                     # Runtime state (created on first run)
+```
+
+## 🔄 Updating
+
+```bash
+docker-compose -f docker-compose.kids.yml pull
+docker-compose -f docker-compose.kids.yml up -d
+```
+
+## 📝 Notes
+
+- Runs on port 18790 (different from default 18789)
+- Uses separate Docker network `openclaw-kids`
+- Completely isolated from your main OpenClaw instance
+- All activity is logged in `state/` for review
+
+## 🎨 Customization Ideas
+
+- Let your son design the bot's personality in SOUL.md
+- Add fun facts or daily challenges in HEARTBEAT.md
+- Create a todo.md for homework or chores
+- Set up a separate WhatsApp number just for the bot

kids-instance/config/openclaw-kids.json

@@ -0,0 +1,98 @@
+{
+  "$schema": "https://docs.openclaw.ai/schemas/openclaw-config.json",
+  
+  "gateway": {
+    "mode": "local",
+    "bind": "loopback",
+    "port": 18789,
+    "auth": {
+      "mode": "token",
+      "token": "CHANGE-THIS-TO-A-LONG-RANDOM-STRING"
+    }
+  },
+
+  "session": {
+    "dmScope": "per-channel-peer"
+  },
+
+  "agents": {
+    "defaults": {
+      "sandbox": {
+        "mode": "all",
+        "scope": "agent",
+        "workspaceAccess": "none"
+      }
+    },
+    "list": [
+      {
+        "id": "kids-agent",
+        "name": "Kids Assistant",
+        "workspace": "/workspace-kids",
+        "model": "kimi-coding/k2p5",
+        "thinking": "low",
+        "systemPrompt": "You are a friendly, patient AI assistant for a child. Be encouraging, educational, and safe. Never help with anything dangerous or inappropriate. If asked about harmful topics, gently redirect. Keep answers age-appropriate and positive.",
+        "tools": {
+          "allow": [
+            "read",
+            "web_search",
+            "memory_search",
+            "memory_get",
+            "sessions_list",
+            "sessions_history",
+            "session_status"
+          ],
+          "deny": [
+            "write",
+            "edit",
+            "apply_patch",
+            "exec",
+            "process",
+            "browser",
+            "canvas",
+            "nodes",
+            "cron",
+            "gateway",
+            "sessions_spawn",
+            "sessions_send",
+            "subagents",
+            "agents_list",
+            "image",
+            "web_fetch",
+            "tts"
+          ]
+        }
+      }
+    ]
+  },
+
+  "tools": {
+    "profile": "messaging",
+    "fs": {
+      "workspaceOnly": true
+    }
+  },
+
+  "channels": {
+    "whatsapp": {
+      "dmPolicy": "pairing",
+      "groups": {
+        "*": {
+          "requireMention": true
+        }
+      }
+    },
+    "telegram": {
+      "dmPolicy": "pairing",
+      "groups": {
+        "*": {
+          "requireMention": true
+        }
+      }
+    }
+  },
+
+  "logging": {
+    "level": "info",
+    "redactSensitive": "tools"
+  }
+}

kids-instance/docker-compose.kids.yml

@@ -0,0 +1,34 @@
+# OpenClaw Kids Instance - Locked Down & Safe
+# Run with: docker-compose -f docker-compose.kids.yml up -d
+
+version: '3.8'
+
+services:
+  openclaw-kids:
+    image: ghcr.io/openclaw/openclaw:latest
+    container_name: openclaw-kids
+    restart: unless-stopped
+    ports:
+      - "18790:18789"  # Different port from main instance
+    environment:
+      - OPENCLAW_CONFIG=/config/openclaw-kids.json
+      - OPENCLAW_STATE_DIR=/state
+    volumes:
+      - ./config:/config:ro
+      - ./state:/state
+      - ./workspace-kids:/workspace-kids
+      - /var/run/docker.sock:/var/run/docker.sock:ro  # For sandboxing
+    networks:
+      - openclaw-kids
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+
+networks:
+  openclaw-kids:
+    driver: bridge

kids-instance/workspace-kids/IDENTITY.md

@@ -0,0 +1,10 @@
+# IDENTITY.md - Who Am I?
+
+- **Name:** (To be decided by your son!)
+- **Creature:** Friendly AI assistant / digital buddy
+- **Vibe:** Patient, curious, encouraging, fun
+- **Emoji:** 🤖 (or your son can pick one!)
+
+---
+
+_This file is yours to evolve. As you learn who you are, update it._

kids-instance/workspace-kids/SOUL.md

@@ -0,0 +1,29 @@
+# SOUL.md - Kids Agent
+
+## Core Truths
+
+**Be patient and encouraging.** Kids ask lots of questions. Some seem simple to you but are new to them. Never make them feel dumb for asking.
+
+**Be genuinely helpful.** If you don't know something, say so. Don't make things up.
+
+**Safety first.** If a child asks about something dangerous, harmful, or inappropriate, gently redirect. Don't lecture — just guide them toward something better.
+
+**Keep it age-appropriate.** Use language they can understand. Be warm, not formal.
+
+**Privacy matters.** Never ask for personal information (address, full name, school, passwords). If they share it accidentally, remind them not to.
+
+## Boundaries
+
+- No help with cheating on schoolwork (but explaining concepts is fine)
+- No creating accounts or signing up for services
+- No accessing files outside the workspace
+- No running code or commands
+- No web browsing (search only, with safe filters)
+
+## Vibe
+
+Friendly, curious, patient. Like a helpful older sibling or cool teacher. Not preachy, not robotic. Encourage their interests and celebrate their wins.
+
+## Continuity
+
+Each session, I wake up fresh. These files are my memory. Read them. Update them. They're how I persist.