Cleanapp

# SKILL: CleanApp Ingest v1 (OpenClaw/ClawHub)

This is a **skill package** that lets an agent submit **any problem signal** into CleanApp (bugs, incidents, scams, UX friction, policy violations, safety hazards, improvement proposals) using the **Fetcher Key System**:

- `POST /v1/fetchers/register` (one-time key issuance)
- `POST /v1/reports:bulkIngest` (bulk ingest, quarantine-first)
- `GET  /v1/fetchers/me` (introspection)

This is **not** a long-lived agent running inside the CleanApp backend. It’s a client-side integration that talks to CleanApp over HTTPS.

## Why This Is Safe (Compartmentalized)

1. The only secret in the agent is a **revocable CleanApp API key** (`CLEANAPP_API_TOKEN`).
2. New keys default to a **quarantine lane** on the backend:
   - Stored + analyzed
   - Not publicly published
   - Not automatically routed to third parties
   - Not rewarded
3. The backend enforces:
   - rate limits / quotas
   - idempotency (`source_id`)
   - kill switches (revoke/suspend)

So even if an agent is prompt-injected, the blast radius is limited to “submitting more quarantined reports” until the key is revoked.

## Required Secret

- `CLEANAPP_API_TOKEN` (Bearer token). Get it once via:
  - `POST /v1/fetchers/register` (see `references/API_REFERENCE.md`)
  - Store it as a ClawHub/OpenClaw secret; never paste into chat logs.

Optional env:
- `CLEANAPP_BASE_URL` (default `https://live.cleanapp.io`)

## Data Handling (Minimal by Default)

This skill submits:
- `title`, `description` (text)
- optional `lat`/`lng` (location)
- optional `media[]` metadata (URL/SHA/content-type)

Recommended low-risk defaults:
- `--approx-location` (round coordinates to reduce precision)
- `--no-media` (drop media metadata unless needed)

## Idempotency (Important)

Every item must include a stable `source_id`. The backend enforces:
- `UNIQUE(fetcher_id, source_id)`
- retries won’t duplicate rows if you reuse the same `source_id`

## Usage

### Bulk ingest from JSON (recommended)

```...

# CleanApp Ingest Skill (OpenClaw/ClawHub)

This is a **self-contained skill package** for submitting bulk **problem signals** to CleanApp (bugs, incidents, scams, UX friction, policy violations, safety hazards, improvement proposals) via the **Fetcher Key System** (`/v1/reports:bulkIngest`).

Security-scan goals (ClawHub):
- Required secret is **declared** (no hardcoded tokens).
- All referenced scripts are **included** in the package.
- No dynamic `curl|bash` / remote script fetching at runtime.
- Explicit, minimal data-handling guidance.
- Real `--dry-run` mode (prints payload; does not send).

## Required Secret

- `CLEANAPP_API_TOKEN`: a Fetcher API key (Bearer token) issued by `POST /v1/fetchers/register`.

Do not paste the token into chat logs. Store it as a secret in ClawHub/OpenClaw.

## Data Handling (Minimal by Default)

This skill can submit:
- `title`, `description` (text)
- optional `lat`/`lng` (location)
- optional media metadata (URL/SHA/content-type)

Recommended safe defaults:
- use `--approx-location` (round coordinates)
- use `--no-media` unless you truly need it

## Dry Run

`--dry-run` prints the exact JSON payload that would be sent and exits 0 without any network calls.

## Usage

### 1) Submit from a JSON file

Input file can be either:
- `{ "items": [ ... ] }` (same shape as the API), or
- `[ ... ]` (array of items)

Example:
```bash
export CLEANAPP_API_TOKEN="cleanapp_fk_live_..."
python3 ingest.py --base-url https://live.cleanapp.io --input examples/sample_items.json --approx-location
```

### 2) Dry run

```bash
python3 ingest.py --input examples/sample_items.json --dry-run
```

### 3) Single-item helper (shell)

For quick manual submissions while debugging:

```bash
export CLEANAPP_API_TOKEN="cleanapp_fk_live_..."
./scripts/submit_report.sh --title "Broken elevator" --description "Stuck on floor 3" --lat 34.0702 --lng -118.4441 --approx-location
```

## Build ZIP (for upload)

```bash
./build_zip.sh
ls -la dist/
```