Fix 6 issues from controller review

1. Dockerfile.lite: Add Docker CLI + Compose plugin
   (docker-ce-cli + docker-compose-plugin from official repo)

2. entrypoint.sh: Auto-fix Docker socket permissions for controller
   (detect host docker GID, create group, add lobster user)

3. spawn-controller.sh: Create empty secrets.json, bump to 3GB/1.5 CPU

4. spawn-lobster.sh: Fix 8 missing JSON commas in openclaw.json template,
   fix mcporter.json missing closing brace, create empty secrets.json

5. controller-setup.md: Add notes on bind mount live updates

6. CPU/memory: Controller gets 1.5 CPU + 3GB (was 0.5 CPU + 2GB)

Author: Corellis

docker/Dockerfile.lite

@@ -39,6 +39,16 @@ RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
 # Install AWS CLI via pip
 RUN pip3 install --no-cache-dir --break-system-packages awscli
 
+# Install Docker CLI + Compose plugin (for controller lobsters)
+# Only the CLI — the daemon runs on the host via socket mount
+RUN install -m 0755 -d /etc/apt/keyrings \
+    && curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc \
+    && chmod a+r /etc/apt/keyrings/docker.asc \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" \
+    > /etc/apt/sources.list.d/docker.list \
+    && apt-get update && apt-get install -y --no-install-recommends docker-ce-cli docker-compose-plugin \
+    && rm -rf /var/lib/apt/lists/*
+
 # Install noVNC
 RUN git clone --depth 1 https://github.com/novnc/noVNC.git /opt/noVNC \
     && git clone --depth 1 https://github.com/novnc/websockify.git /opt/noVNC/utils/websockify

docker/entrypoint.sh

@@ -137,5 +137,19 @@ fi
 # Clean up stale session lock files from previous crash
 find /home/lobster/.openclaw/agents -name "*.lock" -delete 2>/dev/null || true
 
+# === Controller: Docker socket permissions ===
+# If LOBSTER_ROLE=controller and docker.sock is mounted, grant lobster access
+if [ "$LOBSTER_ROLE" = "controller" ] && [ -S /var/run/docker.sock ]; then
+    DOCKER_GID=$(stat -c '%g' /var/run/docker.sock)
+    if [ "$DOCKER_GID" != "0" ]; then
+        # Create a group with the host's docker GID and add lobster to it
+        groupadd -g "$DOCKER_GID" hostdocker 2>/dev/null || true
+        usermod -aG hostdocker lobster 2>/dev/null || true
+    else
+        # Socket owned by root — allow lobster via sudo
+        echo "lobster ALL=(root) NOPASSWD: /usr/bin/docker" >> /etc/sudoers.d/lobster-docker 2>/dev/null || true
+    fi
+fi
+
 # Switch to lobster and run the main command (OpenClaw)
 exec gosu lobster env HOME=/home/lobster "$@"

docs/guides/controller-setup.md

@@ -94,3 +94,11 @@ If you already have lobsters running and want to promote one to controller,
 you'll need to update its service definition in `docker-compose.yml` to add
 the controller-specific volumes. See `spawn-controller.sh` for the exact
 volume mounts needed.
+
+## Notes
+
+- **Bind mount changes are live.** When the controller edits `company-config/` files,
+  all other lobsters see the changes immediately (they mount the same host directory).
+  No restart needed for file content changes.
+- **Docker Compose changes require restart.** If the controller edits `docker-compose.yml`
+  (e.g., adding a new lobster), it needs to run `docker compose up -d` to apply.

scripts/spawn-controller.sh

@@ -143,6 +143,10 @@ JSONEOF
 # Copy ACP config from template
 cp "$FARM_DIR/templates/acp.json" "$CONFIG_DIR/acp.json" 2>/dev/null || true
 
+# Create empty secrets.json (lobsters store personal secrets here)
+echo '{}' > "$CONFIG_DIR/secrets.json"
+chmod 644 "$CONFIG_DIR/secrets.json"
+
 # ── Controller-specific workspace files ──
 cat > "$CONFIG_DIR/workspace/AGENTS.md" << 'AGENTSEOF'
 # AGENTS.md — Controller Lobster
@@ -255,9 +259,9 @@ cat >> "$COMPOSE_FILE" << YAMLEOF
       - HOME=/home/lobster
       - LOBSTER_ROLE=controller
     tty: true
-    mem_limit: 2g
+    mem_limit: 3g
     shm_size: 512m
-    cpus: 0.5
+    cpus: 1.5
 YAMLEOF
 
 # Add volume declaration

scripts/spawn-lobster.sh

@@ -79,7 +79,7 @@ cat > "$CONFIG_DIR/openclaw.json" << JSONEOF
         ]
       }
     }
-  }
+  },
   "agents": {
     "defaults": {
       "model": {
@@ -93,15 +93,15 @@ cat > "$CONFIG_DIR/openclaw.json" << JSONEOF
         "maxConcurrent": 4
       }
     }
-  }
+  },
   "session": {
     "dmScope": "per-peer",
     "identityLinks": {
       "owner": [
         "slack:${SLACK_USER_ID}"
       ]
     }
-  }
+  },
   "channels": {
     "slack": {
       "mode": "socket",
@@ -122,7 +122,7 @@ cat > "$CONFIG_DIR/openclaw.json" << JSONEOF
       "nativeStreaming": true,
       "streaming": "partial"
     }
-  }
+  },
   "gateway": {
     "port": 18789,
     "mode": "local",
@@ -134,18 +134,18 @@ cat > "$CONFIG_DIR/openclaw.json" << JSONEOF
     "controlUi": {
       "dangerouslyAllowHostHeaderOriginFallback": true
     }
-  }
+  },
   "talk": {
     "provider": "elevenlabs",
     "providers": {
       "elevenlabs": {
         "apiKey": "${ELEVENLABS_API_KEY:-}"
       }
     }
-  }
+  },
   "acp": {
     "\$include": "./acp.json"
-  }
+  },
   "tools": {
     "profile": "full",
     "sessions": {
@@ -154,7 +154,7 @@ cat > "$CONFIG_DIR/openclaw.json" << JSONEOF
     "agentToAgent": {
       "enabled": true
     }
-  }
+  },
   "plugins": {
     "entries": {
       "acpx": {
@@ -171,6 +171,10 @@ JSONEOF
 # Copy ACP config from template
 cp "$FARM_DIR/templates/acp.json" "$CONFIG_DIR/acp.json"
 
+# Create empty secrets.json (lobsters store personal secrets here)
+echo '{}' > "$CONFIG_DIR/secrets.json"
+chmod 644 "$CONFIG_DIR/secrets.json"
+
 # Generate workspace files — use full template
 # Generate AGENTS.md inline
 cat > "$CONFIG_DIR/workspace/AGENTS.md" << 'AGENTSEOF'
@@ -230,7 +234,8 @@ cat > "$CONFIG_DIR/workspace/config/mcporter.json" << 'MCPEOF'
       "env": {}
     }
   }
-  MCPEOF
+}
+MCPEOF
 
 # Append service to docker-compose.yml (before the final volumes: section if it exists)
 # We need to insert into the services: block properly