What does a code 1 crash indicate and how should I respond?

A code 1 crash usually means the Claude Code process terminated unexpectedly. Start by checking the container-*.log for the run and looking at authentication and mount-related messages in the main logs.

Why aren’t environment variables visible inside the container?

Apple container behavior can drop non-auth variables when using interactive stdin. The system extracts only CLAUDE_CODE_OAUTH_TOKEN and ANTHROPIC_API_KEY from .env and mounts them for sourcing inside the container; other vars may not be exposed. Use the provided verification snippet to confirm presence.

How can I ensure the container runs as non-root?

Root privileges can block certain operations. Make sure the container runs as a non-root user by confirming the Dockerfile sets USER node and that HOME is /home/node, which also enables proper session resumption.

debug

Use Caution

npx machina-cli add skill crypdick/pynchy/debug --openclaw

Files (1)

SKILL.md

11.4 KB

NanoClaw Container Debugging

This guide covers debugging the containerized agent execution system.

Architecture Overview

Host (macOS)                          Container (Linux VM)
─────────────────────────────────────────────────────────────
src/container-runner.ts               container/agent-runner/
    │                                      │
    │ spawns Apple Container               │ runs Claude Agent SDK
    │ with volume mounts                   │ with MCP servers
    │                                      │
    ├── data/env/env ──────────────> /workspace/env-dir/env
    ├── groups/{folder} ───────────> /workspace/group
    ├── data/ipc/{folder} ────────> /workspace/ipc
    ├── data/sessions/{folder}/.claude/ ──> /home/node/.claude/ (isolated per-group)
    └── (main only) project root ──> /workspace/project

Important: The container runs as user node with HOME=/home/node. Session files must be mounted to /home/node/.claude/ (not /root/.claude/) for session resumption to work.

Log Locations

Log	Location	Content
Main app logs	`logs/nanoclaw.log`	Host-side WhatsApp, routing, container spawning
Main app errors	`logs/nanoclaw.error.log`	Host-side errors
Container run logs	`groups/{folder}/logs/container-*.log`	Per-run: input, mounts, stderr, stdout
Claude sessions	`~/.claude/projects/`	Claude Code session history

Enabling Debug Logging

Set LOG_LEVEL=debug for verbose output:

# For development
LOG_LEVEL=debug npm run dev

# For launchd service, add to plist EnvironmentVariables:
<key>LOG_LEVEL</key>
<string>debug</string>

Debug level shows:

Full mount configurations
Container command arguments
Real-time container stderr

Common Issues

1. "Claude Code process exited with code 1"

Check the container log file in groups/{folder}/logs/container-*.log

Common causes:

Missing Authentication

Invalid API key · Please run /login

Fix: Ensure .env file exists with either OAuth token or API key:

cat .env  # Should show one of:
# CLAUDE_CODE_OAUTH_TOKEN=sk-ant-oat01-...  (subscription)
# ANTHROPIC_API_KEY=sk-ant-api03-...        (pay-per-use)

Root User Restriction

--dangerously-skip-permissions cannot be used with root/sudo privileges

Fix: Container must run as non-root user. Check Dockerfile has USER node.

2. Environment Variables Not Passing

Apple Container Bug: Environment variables passed via -e are lost when using -i (interactive/piped stdin).

Workaround: The system extracts only authentication variables (CLAUDE_CODE_OAUTH_TOKEN, ANTHROPIC_API_KEY) from .env and mounts them for sourcing inside the container. Other env vars are not exposed.

To verify env vars are reaching the container:

echo '{}' | container run -i \
  --mount type=bind,source=$(pwd)/data/env,target=/workspace/env-dir,readonly \
  --entrypoint /bin/bash nanoclaw-agent:latest \
  -c 'export $(cat /workspace/env-dir/env | xargs); echo "OAuth: ${#CLAUDE_CODE_OAUTH_TOKEN} chars, API: ${#ANTHROPIC_API_KEY} chars"'

3. Mount Issues

Apple Container quirks:

Only mounts directories, not individual files

-v syntax does NOT support :ro suffix - use --mount for readonly:

# Readonly: use --mount
--mount "type=bind,source=/path,target=/container/path,readonly"

# Read-write: use -v
-v /path:/container/path

To check what's mounted inside a container:

container run --rm --entrypoint /bin/bash nanoclaw-agent:latest -c 'ls -la /workspace/'

Expected structure:

/workspace/
├── env-dir/env           # Environment file (CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY)
├── group/                # Current group folder (cwd)
├── project/              # Project root (god channel only)
├── global/               # Global CLAUDE.md (non-god only)
├── ipc/                  # Inter-process communication
│   ├── messages/         # Outgoing WhatsApp messages
│   ├── tasks/            # Scheduled task commands
│   ├── current_tasks.json    # Read-only: scheduled tasks visible to this group
│   └── available_groups.json # Read-only: WhatsApp groups for activation (main only)
└── extra/                # Additional custom mounts

4. Permission Issues

The container runs as user node (uid 1000). Check ownership:

container run --rm --entrypoint /bin/bash nanoclaw-agent:latest -c '
  whoami
  ls -la /workspace/
  ls -la /app/
'

All of /workspace/ and /app/ should be owned by node.

5. Session Not Resuming / "Claude Code process exited with code 1"

If sessions aren't being resumed (new session ID every time), or Claude Code exits with code 1 when resuming:

Root cause: The SDK looks for sessions at $HOME/.claude/projects/. Inside the container, HOME=/home/node, so it looks at /home/node/.claude/projects/.

Check the mount path:

# In container-runner.ts, verify mount is to /home/node/.claude/, NOT /root/.claude/
grep -A3 "Claude sessions" src/container-runner.ts

Verify sessions are accessible:

container run --rm --entrypoint /bin/bash \
  -v ~/.claude:/home/node/.claude \
  nanoclaw-agent:latest -c '
echo "HOME=$HOME"
ls -la $HOME/.claude/projects/ 2>&1 | head -5
'

Fix: Ensure container-runner.ts mounts to /home/node/.claude/:

mounts.push({
  hostPath: claudeDir,
  containerPath: '/home/node/.claude',  // NOT /root/.claude
  readonly: false
});

6. MCP Server Failures

If an MCP server fails to start, the agent may exit. Check the container logs for MCP initialization errors.

Manual Container Testing

Test the full agent flow:

# Set up env file
mkdir -p data/env groups/test
cp .env data/env/env

# Run test query
echo '{"prompt":"What is 2+2?","groupFolder":"test","chatJid":"test@g.us","isMain":false}' | \
  container run -i \
  --mount "type=bind,source=$(pwd)/data/env,target=/workspace/env-dir,readonly" \
  -v $(pwd)/groups/test:/workspace/group \
  -v $(pwd)/data/ipc:/workspace/ipc \
  nanoclaw-agent:latest

Test Claude Code directly:

container run --rm --entrypoint /bin/bash \
  --mount "type=bind,source=$(pwd)/data/env,target=/workspace/env-dir,readonly" \
  nanoclaw-agent:latest -c '
  export $(cat /workspace/env-dir/env | xargs)
  claude -p "Say hello" --dangerously-skip-permissions --allowedTools ""
'

Interactive shell in container:

container run --rm -it --entrypoint /bin/bash nanoclaw-agent:latest

SDK Options Reference

The agent-runner uses these Claude Agent SDK options:

query({
  prompt: input.prompt,
  options: {
    cwd: '/workspace/group',
    allowedTools: ['Bash', 'Read', 'Write', ...],
    permissionMode: 'bypassPermissions',
    allowDangerouslySkipPermissions: true,  // Required with bypassPermissions
    settingSources: ['project'],
    mcpServers: { ... }
  }
})

Important: allowDangerouslySkipPermissions: true is required when using permissionMode: 'bypassPermissions'. Without it, Claude Code exits with code 1.

Rebuilding After Changes

# Rebuild main app
npm run build

# Rebuild container (use --no-cache for clean rebuild)
./container/build.sh

# Or force full rebuild
container builder prune -af
./container/build.sh

Checking Container Image

# List images
container images

# Check what's in the image
container run --rm --entrypoint /bin/bash nanoclaw-agent:latest -c '
  echo "=== Node version ==="
  node --version

  echo "=== Claude Code version ==="
  claude --version

  echo "=== Installed packages ==="
  ls /app/node_modules/
'

Session Persistence

Claude sessions are stored per-group in data/sessions/{group}/.claude/ for security isolation. Each group has its own session directory, preventing cross-group access to conversation history.

Critical: The mount path must match the container user's HOME directory:

Container user: node
Container HOME: /home/node
Mount target: /home/node/.claude/ (NOT /root/.claude/)

To clear sessions:

# Clear all sessions for all groups
rm -rf data/sessions/

# Clear sessions for a specific group
rm -rf data/sessions/{groupFolder}/.claude/

# Also clear the session ID from NanoClaw's tracking (stored in SQLite)
sqlite3 store/messages.db "DELETE FROM sessions WHERE group_folder = '{groupFolder}'"

To verify session resumption is working, check the logs for the same session ID across messages:

grep "Session initialized" logs/nanoclaw.log | tail -5
# Should show the SAME session ID for consecutive messages in the same group

IPC Debugging

The container communicates back to the host via files in /workspace/ipc/:

# Check pending messages
ls -la data/ipc/messages/

# Check pending task operations
ls -la data/ipc/tasks/

# Read a specific IPC file
cat data/ipc/messages/*.json

# Check available groups (god channel only)
cat data/ipc/main/available_groups.json

# Check current tasks snapshot
cat data/ipc/{groupFolder}/current_tasks.json

IPC file types:

messages/*.json - Agent writes: outgoing WhatsApp messages
tasks/*.json - Agent writes: task operations (schedule, pause, resume, cancel, refresh_groups)
current_tasks.json - Host writes: read-only snapshot of scheduled tasks
available_groups.json - Host writes: read-only list of WhatsApp groups (main only)

Quick Diagnostic Script

Run this to check common issues:

echo "=== Checking NanoClaw Container Setup ==="

echo -e "\n1. Authentication configured?"
[ -f .env ] && (grep -q "CLAUDE_CODE_OAUTH_TOKEN=sk-" .env || grep -q "ANTHROPIC_API_KEY=sk-" .env) && echo "OK" || echo "MISSING - add CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY to .env"

echo -e "\n2. Env file copied for container?"
[ -f data/env/env ] && echo "OK" || echo "MISSING - will be created on first run"

echo -e "\n3. Apple Container system running?"
container system status &>/dev/null && echo "OK" || echo "NOT RUNNING - NanoClaw should auto-start it; check logs"

echo -e "\n4. Container image exists?"
echo '{}' | container run -i --entrypoint /bin/echo nanoclaw-agent:latest "OK" 2>/dev/null || echo "MISSING - run ./container/build.sh"

echo -e "\n5. Session mount path correct?"
grep -q "/home/node/.claude" src/container-runner.ts 2>/dev/null && echo "OK" || echo "WRONG - should mount to /home/node/.claude/, not /root/.claude/"

echo -e "\n6. Groups directory?"
ls -la groups/ 2>/dev/null || echo "MISSING - run setup"

echo -e "\n7. Recent container logs?"
ls -t groups/*/logs/container-*.log 2>/dev/null | head -3 || echo "No container logs yet"

echo -e "\n8. Session continuity working?"
SESSIONS=$(grep "Session initialized" logs/nanoclaw.log 2>/dev/null | tail -5 | awk '{print $NF}' | sort -u | wc -l)
[ "$SESSIONS" -le 2 ] && echo "OK (recent sessions reusing IDs)" || echo "CHECK - multiple different session IDs, may indicate resumption issues"

Source

git clone https://github.com/crypdick/pynchy/blob/main/docs/_archive/old-nanoclaw-skills/debug/SKILL.mdView on GitHub

Overview

This guide helps you troubleshoot the NanoClaw containerized agent. It covers where to find logs, how environment variables and mounts are handled, and the common failures you may see, so you can diagnose and fix issues quickly.

How This Skill Works

It explains the container architecture and where to look for logs, then shows how to enable verbose debugging with LOG_LEVEL=debug. It also documents the required mount points for environment data and session files and explains how session resumption depends on mounting to /home/node/.claude/.

When to Use It

When the Claude Code process exits with code 1 and you need to inspect container-*.log for clues
When environment variables don’t reach the container due to Apple container behavior and you must verify OAuth/API keys are mounted
When mounting issues prevent expected files from appearing under /workspace or /home/node/.claude/
When authentication problems occur, such as invalid API key or token causing login failures
When you need to ensure the container runs as a non-root user to avoid permission issues

Quick Start

Step 1: Enable verbose debugging by setting LOG_LEVEL=debug and restarting the agent
Step 2: Reproduce the issue and inspect logs in groups/{folder}/logs/container-*.log and logs/nanoclaw.log
Step 3: Verify environment and mounts by checking that .env values are mounted to /workspace/env-dir/env and that /home/node/.claude is used for sessions

Best Practices

Enable debug logs by setting LOG_LEVEL=debug to reveal mount configurations, container arguments, and real-time stderr
Regularly check these log locations: host logs, group logs, and Claude session history to pinpoint failures
Verify that .env contains valid CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY and that they are mounted inside the container
Use proper mounts: prefer --mount for read-only binds and -v for read-write mounts to avoid Apple container quirks
Ensure the container runs as a non-root user (check that Dockerfile has USER node and HOME is /home/node)

Example Use Cases

Diagnose a code 1 crash by inspecting groups/{folder}/logs/container-*.log and confirming authentication tokens are present
Resolve missing environment variables by mounting only the OAuth/API keys from .env and verifying them inside the container
Fix a mount issue on Apple containers by using the correct --mount syntax for read-only env directories and inspecting /workspace
Address a login failure by confirming CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY exist in .env and are accessible inside the container
Ensure non-root operation by validating the Dockerfile USER node so session data resumes under /home/node/.claude/

Frequently Asked Questions

Add this skill to your agents