{ "schemaVersion": "1.0", "item": { "slug": "ambit-cli", "name": "Ambit Cli", "source": "tencent", "type": "skill", "category": "开发工具", "sourceUrl": "https://clawhub.ai/ToxicPine/ambit-cli", "canonicalUrl": "https://clawhub.ai/ToxicPine/ambit-cli", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/ambit-cli", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=ambit-cli", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "slug": "ambit-cli", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-29T23:11:41.906Z", "expiresAt": "2026-05-06T23:11:41.906Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=ambit-cli", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=ambit-cli", "contentDisposition": "attachment; filename=\"ambit-cli-0.1.0.zip\"", "redirectLocation": null, "bodySnippet": null, "slug": "ambit-cli" }, "scope": "item", "summary": "Item download looks usable.", "detail": "Yavira can redirect you to the upstream package for this item.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/ambit-cli" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/ambit-cli", "agentPageUrl": "https://openagent3.xyz/skills/ambit-cli/agent", "manifestUrl": "https://openagent3.xyz/skills/ambit-cli/agent.json", "briefUrl": "https://openagent3.xyz/skills/ambit-cli/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "What Ambit Is", "body": "Ambit deploys apps to the cloud in a way that makes them completely unreachable from the public internet. Only devices enrolled in the user's private Tailscale network can connect to them. From the outside world's perspective, the app does not exist — there is no IP address to find, no port to scan.\n\nThis matters because putting a database, dashboard, or internal tool on the normal internet forces you to build login pages, configure firewalls, and harden the app against strangers. Ambit skips all of that. Access control is handled at the network level: if a device is on the Tailscale network, it can reach the app; if it isn't, the connection is refused before the app ever sees it.\n\nEach private network you create is called an ambit. Every app deployed to it gets a human-readable address under that network's name — so http://my-app.lab means the my-app application on the lab ambit. These addresses work automatically for any device enrolled in the user's Tailscale account." }, { "title": "Installation", "body": "If ambit is not already installed, run it directly via Nix:\n\nnpx @cardelli/ambit" }, { "title": "How It Works", "body": "graph LR\n A[Your Device
on Tailscale] -->|Tailscale tunnel| B[Ambit Router
Fly.io VM]\n B -->|Flycast / private IPv6| C[Your App
no public IP]\n\nAmbit creates a router on Fly.io that joins the user's Tailscale network and advertises the private IPv6 subnet for that ambit. It also sets up split DNS so that *. queries resolve to the right app. Apps deployed with ambit deploy get a private Flycast address on the network and never receive a public IP." }, { "title": "Prerequisites", "body": "flyctl installed and authenticated (fly auth login)\nTailscale installed and connected (tailscale up)\nAccept-routes enabled (sudo tailscale set --accept-routes)\nA Tailscale API access token (tskey-api-...) — create one at https://login.tailscale.com/admin/settings/keys" }, { "title": "ambit create ", "body": "Creates a new private network. This is the first command to run when setting up a new ambit. It deploys a router on Fly.io, connects it to the user's Tailscale network, and configures split DNS so apps on the network are reachable by name.\n\nambit create lab\nambit create lab --org my-org --region sea\nambit create lab --self-approve\n\nFlags:\n\n--org — Fly.io organization slug\n--region — Fly.io region (default: iad)\n--api-key — Tailscale API access token (prompted interactively if omitted)\n--tag — Tailscale ACL tag for the router (default: tag:ambit-)\n--self-approve — Approve subnet routes via Tailscale API instead of requiring autoApprovers in the ACL policy\n-y, --yes — Skip confirmation prompts\n--json — Output as JSON\n\nWhat it does:\n\nValidates Fly.io auth and the Tailscale API key\nChecks that the tag (default tag:ambit-, or custom via --tag) exists in Tailscale ACL tagOwners\nChecks autoApprovers config (unless --self-approve)\nCreates a Fly.io app on the custom network\nSets secrets: TAILSCALE_API_TOKEN, NETWORK_NAME, TAILSCALE_TAGS\nDeploys the router container\nWaits for the device to join the tailnet\nConfigures split DNS (*. → router)\nEnables accept-routes locally if possible\n\nBefore running, the user must add the router's tag in their Tailscale ACL settings at https://login.tailscale.com/admin/acls/visual/tags. The tag defaults to tag:ambit- but can be overridden with --tag.\n\nAnd optionally (or use --self-approve to skip this):\n\n\"autoApprovers\": { \"routes\": { \"fdaa:X:XXXX::/48\": [\"tag:ambit-\"] } }" }, { "title": "ambit deploy --network ", "body": "Deploys an app onto a private network. This is the safe alternative to fly deploy: it always passes --no-public-ips and --flycast, runs pre-flight checks on the fly.toml for dangerous settings, and audits the result to verify no public IPs were allocated.\n\nThere are three mutually exclusive deployment modes:\n\nConfig mode (default) — uses a local fly.toml:\n\nambit deploy my-app --network lab\nambit deploy my-app --network lab --config ./custom.toml\n\nImage mode — deploys a Docker image without fly.toml:\n\nambit deploy my-app --network lab --image registry.fly.io/my-app:latest\nambit deploy my-app --network lab --image registry.fly.io/my-app:latest --main-port 3000\n\nTemplate mode — fetches a template from a GitHub repository and deploys it:\n\nambit deploy my-browser --network lab --template ToxicPine/ambit-templates/chromatic\nambit deploy my-browser --network lab --template ToxicPine/ambit-templates/chromatic@v1.0\nambit deploy my-shell --network lab --template ToxicPine/ambit-templates/wetty\n\nFlags:\n\n--network — Target network (required)\n--org — Fly.io organization\n--region — Primary region\n--config — Explicit path to fly.toml (config mode)\n--image — Docker image to deploy (image mode)\n--main-port — Internal port for HTTP service in image mode (default: 80, \"none\" to skip)\n--template — GitHub template reference (template mode)\n-y, --yes — Skip confirmation\n--json — Output as JSON\n\nTemplate reference format:\n\nowner/repo/path Fetch from the default branch\nowner/repo/path@tag Fetch a tagged release\nowner/repo/path@branch Fetch a specific branch\nowner/repo/path@commit Fetch a specific commit\n\nThe template must contain a fly.toml (and typically a Dockerfile). The template is fetched from GitHub's tarball API, the target subdirectory is extracted, pre-flight scanned, and deployed. The temp directory is cleaned up automatically." }, { "title": "ambit list", "body": "Lists all discovered routers across all networks.\n\nambit list\nambit list --org my-org --json\n\nShows: network name, app name, region, machine state, private IP, subnet, and Tailscale device status." }, { "title": "ambit status", "body": "Shows detailed router status. Run without --network to see all routers, or with --network to focus on one.\n\nambit status\nambit status --network lab\n\nDetailed view includes: machine state, SOCKS5 proxy address, Tailscale IP, online status, advertised routes, and split DNS config." }, { "title": "ambit destroy --network ", "body": "Tears down a router and cleans up all associated resources. Apps deployed on the network are NOT deleted — only the router is removed. The user will need to manually remove ACL policy entries for the network tag.\n\nambit destroy --network lab\nambit destroy --network lab --yes\n\nWhat it does:\n\nFinds the router app for the network\nClears split DNS configuration\nRemoves the Tailscale device\nDestroys the Fly.io app" }, { "title": "ambit doctor", "body": "Health check for the local environment and router infrastructure. Run this whenever something seems wrong — it checks the most common failure points and gives remediation hints.\n\nambit doctor\nambit doctor --network lab\n\nChecks:\n\nTailscale CLI installed\nTailscale connected (BackendState = Running)\nAccept-routes enabled\nRouter(s) exist and machines are running\nRouter(s) visible in tailnet" }, { "title": "Templates", "body": "Ready-to-deploy templates are available at ToxicPine/ambit-templates:\n\nTemplateDescriptionToxicPine/ambit-templates/chromaticHeadless Chrome exposing Chrome DevTools Protocol on port 9222 — for AI agents or scripts that need a browser on the private network.ToxicPine/ambit-templates/wettyA cloud devshell with a web terminal, persistent home directory, passwordless sudo, and auto start/stop.ToxicPine/ambit-templates/opencodeA private OpenCode web workspace — Nix-based environment with persistent home and auto start/stop.\n\nambit deploy my-browser --network lab --template ToxicPine/ambit-templates/chromatic\nambit deploy my-shell --network lab --template ToxicPine/ambit-templates/wetty\nambit deploy my-code --network lab --template ToxicPine/ambit-templates/opencode" }, { "title": "First-Time Setup", "body": "# 1. Add tag to Tailscale ACL policy in the web UI\n# 2. Create the router\nambit create lab --self-approve\n\n# 3. Deploy an app\nambit deploy my-app --network lab\n\n# 4. App is now reachable as http://my-app.lab from any device on the tailnet\n\n# 5. Invite people to your tailnet:\n# https://login.tailscale.com/admin/users\n# 6. Control their access:\n# https://login.tailscale.com/admin/acls/visual/general-access-rules" }, { "title": "Deploy from a Template", "body": "ambit deploy my-browser --network lab --template ToxicPine/ambit-templates/chromatic\n# → headless Chrome at my-browser.lab:9222, reachable via CDP" }, { "title": "Debugging Connectivity", "body": "ambit doctor --network lab # Check all the common failure points\nambit status --network lab # Detailed router state" }, { "title": "Tearing Down", "body": "ambit destroy --network lab\n# Then remove from Tailscale ACL:\n# tagOwners: tag:ambit-lab\n# autoApprovers: routes for tag:ambit-lab" }, { "title": "Troubleshooting", "body": "SymptomFix\"Tag not configured in tagOwners\"Add \"tag:ambit-\": [\"autogroup:admin\"] to Tailscale ACL tagOwners.\"autoApprovers not configured\"Either configure autoApprovers in the ACL or re-run with --self-approve.Router deployed but not reachableRun ambit doctor. Check that accept-routes is enabled locally.\"Timeout waiting for device\"Check router logs. Most common cause: expired or invalid Tailscale API key.Apps not resolving as .Verify split DNS is configured: ambit status --network . Check the router is online in the tailnet.\"Flyctl not found\"Install from https://fly.io/docs/flyctl/install/" } ], "body": "Ambit CLI\nWhat Ambit Is\n\nAmbit deploys apps to the cloud in a way that makes them completely unreachable from the public internet. Only devices enrolled in the user's private Tailscale network can connect to them. From the outside world's perspective, the app does not exist — there is no IP address to find, no port to scan.\n\nThis matters because putting a database, dashboard, or internal tool on the normal internet forces you to build login pages, configure firewalls, and harden the app against strangers. Ambit skips all of that. Access control is handled at the network level: if a device is on the Tailscale network, it can reach the app; if it isn't, the connection is refused before the app ever sees it.\n\nEach private network you create is called an ambit. Every app deployed to it gets a human-readable address under that network's name — so http://my-app.lab means the my-app application on the lab ambit. These addresses work automatically for any device enrolled in the user's Tailscale account.\n\nInstallation\n\nIf ambit is not already installed, run it directly via Nix:\n\nnpx @cardelli/ambit\n\nHow It Works\ngraph LR\n A[Your Device
on Tailscale] -->|Tailscale tunnel| B[Ambit Router
Fly.io VM]\n B -->|Flycast / private IPv6| C[Your App
no public IP]\n\n\nAmbit creates a router on Fly.io that joins the user's Tailscale network and advertises the private IPv6 subnet for that ambit. It also sets up split DNS so that *. queries resolve to the right app. Apps deployed with ambit deploy get a private Flycast address on the network and never receive a public IP.\n\nPrerequisites\nflyctl installed and authenticated (fly auth login)\nTailscale installed and connected (tailscale up)\nAccept-routes enabled (sudo tailscale set --accept-routes)\nA Tailscale API access token (tskey-api-...) — create one at https://login.tailscale.com/admin/settings/keys\nCommands\nambit create \n\nCreates a new private network. This is the first command to run when setting up a new ambit. It deploys a router on Fly.io, connects it to the user's Tailscale network, and configures split DNS so apps on the network are reachable by name.\n\nambit create lab\nambit create lab --org my-org --region sea\nambit create lab --self-approve\n\n\nFlags:\n\n--org — Fly.io organization slug\n--region — Fly.io region (default: iad)\n--api-key — Tailscale API access token (prompted interactively if omitted)\n--tag — Tailscale ACL tag for the router (default: tag:ambit-)\n--self-approve — Approve subnet routes via Tailscale API instead of requiring autoApprovers in the ACL policy\n-y, --yes — Skip confirmation prompts\n--json — Output as JSON\n\nWhat it does:\n\nValidates Fly.io auth and the Tailscale API key\nChecks that the tag (default tag:ambit-, or custom via --tag) exists in Tailscale ACL tagOwners\nChecks autoApprovers config (unless --self-approve)\nCreates a Fly.io app on the custom network\nSets secrets: TAILSCALE_API_TOKEN, NETWORK_NAME, TAILSCALE_TAGS\nDeploys the router container\nWaits for the device to join the tailnet\nConfigures split DNS (*. → router)\nEnables accept-routes locally if possible\n\nBefore running, the user must add the router's tag in their Tailscale ACL settings at https://login.tailscale.com/admin/acls/visual/tags. The tag defaults to tag:ambit- but can be overridden with --tag.\n\nAnd optionally (or use --self-approve to skip this):\n\n\"autoApprovers\": { \"routes\": { \"fdaa:X:XXXX::/48\": [\"tag:ambit-\"] } }\n\nambit deploy --network \n\nDeploys an app onto a private network. This is the safe alternative to fly deploy: it always passes --no-public-ips and --flycast, runs pre-flight checks on the fly.toml for dangerous settings, and audits the result to verify no public IPs were allocated.\n\nThere are three mutually exclusive deployment modes:\n\nConfig mode (default) — uses a local fly.toml:\n\nambit deploy my-app --network lab\nambit deploy my-app --network lab --config ./custom.toml\n\n\nImage mode — deploys a Docker image without fly.toml:\n\nambit deploy my-app --network lab --image registry.fly.io/my-app:latest\nambit deploy my-app --network lab --image registry.fly.io/my-app:latest --main-port 3000\n\n\nTemplate mode — fetches a template from a GitHub repository and deploys it:\n\nambit deploy my-browser --network lab --template ToxicPine/ambit-templates/chromatic\nambit deploy my-browser --network lab --template ToxicPine/ambit-templates/chromatic@v1.0\nambit deploy my-shell --network lab --template ToxicPine/ambit-templates/wetty\n\n\nFlags:\n\n--network — Target network (required)\n--org — Fly.io organization\n--region — Primary region\n--config — Explicit path to fly.toml (config mode)\n--image — Docker image to deploy (image mode)\n--main-port — Internal port for HTTP service in image mode (default: 80, \"none\" to skip)\n--template — GitHub template reference (template mode)\n-y, --yes — Skip confirmation\n--json — Output as JSON\n\nTemplate reference format:\n\nowner/repo/path Fetch from the default branch\nowner/repo/path@tag Fetch a tagged release\nowner/repo/path@branch Fetch a specific branch\nowner/repo/path@commit Fetch a specific commit\n\n\nThe template must contain a fly.toml (and typically a Dockerfile). The template is fetched from GitHub's tarball API, the target subdirectory is extracted, pre-flight scanned, and deployed. The temp directory is cleaned up automatically.\n\nambit list\n\nLists all discovered routers across all networks.\n\nambit list\nambit list --org my-org --json\n\n\nShows: network name, app name, region, machine state, private IP, subnet, and Tailscale device status.\n\nambit status\n\nShows detailed router status. Run without --network to see all routers, or with --network to focus on one.\n\nambit status\nambit status --network lab\n\n\nDetailed view includes: machine state, SOCKS5 proxy address, Tailscale IP, online status, advertised routes, and split DNS config.\n\nambit destroy --network \n\nTears down a router and cleans up all associated resources. Apps deployed on the network are NOT deleted — only the router is removed. The user will need to manually remove ACL policy entries for the network tag.\n\nambit destroy --network lab\nambit destroy --network lab --yes\n\n\nWhat it does:\n\nFinds the router app for the network\nClears split DNS configuration\nRemoves the Tailscale device\nDestroys the Fly.io app\nambit doctor\n\nHealth check for the local environment and router infrastructure. Run this whenever something seems wrong — it checks the most common failure points and gives remediation hints.\n\nambit doctor\nambit doctor --network lab\n\n\nChecks:\n\nTailscale CLI installed\nTailscale connected (BackendState = Running)\nAccept-routes enabled\nRouter(s) exist and machines are running\nRouter(s) visible in tailnet\nTemplates\n\nReady-to-deploy templates are available at ToxicPine/ambit-templates:\n\nTemplate\tDescription\nToxicPine/ambit-templates/chromatic\tHeadless Chrome exposing Chrome DevTools Protocol on port 9222 — for AI agents or scripts that need a browser on the private network.\nToxicPine/ambit-templates/wetty\tA cloud devshell with a web terminal, persistent home directory, passwordless sudo, and auto start/stop.\nToxicPine/ambit-templates/opencode\tA private OpenCode web workspace — Nix-based environment with persistent home and auto start/stop.\nambit deploy my-browser --network lab --template ToxicPine/ambit-templates/chromatic\nambit deploy my-shell --network lab --template ToxicPine/ambit-templates/wetty\nambit deploy my-code --network lab --template ToxicPine/ambit-templates/opencode\n\nCommon Workflows\nFirst-Time Setup\n# 1. Add tag to Tailscale ACL policy in the web UI\n# 2. Create the router\nambit create lab --self-approve\n\n# 3. Deploy an app\nambit deploy my-app --network lab\n\n# 4. App is now reachable as http://my-app.lab from any device on the tailnet\n\n# 5. Invite people to your tailnet:\n# https://login.tailscale.com/admin/users\n# 6. Control their access:\n# https://login.tailscale.com/admin/acls/visual/general-access-rules\n\nDeploy from a Template\nambit deploy my-browser --network lab --template ToxicPine/ambit-templates/chromatic\n# → headless Chrome at my-browser.lab:9222, reachable via CDP\n\nDebugging Connectivity\nambit doctor --network lab # Check all the common failure points\nambit status --network lab # Detailed router state\n\nTearing Down\nambit destroy --network lab\n# Then remove from Tailscale ACL:\n# tagOwners: tag:ambit-lab\n# autoApprovers: routes for tag:ambit-lab\n\nTroubleshooting\nSymptom\tFix\n\"Tag not configured in tagOwners\"\tAdd \"tag:ambit-\": [\"autogroup:admin\"] to Tailscale ACL tagOwners.\n\"autoApprovers not configured\"\tEither configure autoApprovers in the ACL or re-run with --self-approve.\nRouter deployed but not reachable\tRun ambit doctor. Check that accept-routes is enabled locally.\n\"Timeout waiting for device\"\tCheck router logs. Most common cause: expired or invalid Tailscale API key.\nApps not resolving as .\tVerify split DNS is configured: ambit status --network . Check the router is online in the tailnet.\n\"Flyctl not found\"\tInstall from https://fly.io/docs/flyctl/install/" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/ToxicPine/ambit-cli", "publisherUrl": "https://clawhub.ai/ToxicPine/ambit-cli", "owner": "ToxicPine", "version": "0.1.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/ambit-cli", "downloadUrl": "https://openagent3.xyz/downloads/ambit-cli", "agentUrl": "https://openagent3.xyz/skills/ambit-cli/agent", "manifestUrl": "https://openagent3.xyz/skills/ambit-cli/agent.json", "briefUrl": "https://openagent3.xyz/skills/ambit-cli/agent.md" } }