Additionally required on the system:
- Python 3.10+
- `gst-launch-1.0` (GStreamer, from OS packages)
- Internet access on first run (model download ~1.5 GB for `medium`)

## Deploy

## What this does (via downstream scripts)

This skill does **not** contain deployment logic itself. It calls `deploy.sh` from each sub-skill:

### Step 1: faster-whisper-local-service
- Creates Python venv, installs `faster-whisper==1.1.1`
- Writes `transcribe-server.py` with input validation (magic-byte check, size limit)
- Creates systemd user service `openclaw-transcribe.service`
- Downloads model weights on first run (~1.5 GB for medium)

### Step 2: webchat-https-proxy
- Copies `https-server.py` to workspace
- Adds HTTPS origin to `gateway.controlUi.allowedOrigins`
- Creates systemd user service `openclaw-voice-https.service`
- Auto-generates self-signed TLS cert (TLS 1.2+ enforced)

### Step 3: webchat-voice-gui
- Copies `voice-input.js` and injects `<script>` tag into Control UI
- Installs gateway startup hook for update safety
- Optional interactive language selection

For full details, security notes, and uninstall instructions, see each skill's SKILL.md.

## Security posture (why these changes are expected)

This is a **meta-installer**, so it coordinates downstream skills and applies only the minimum required local changes:

- **Persistence:** creates user-level systemd services so STT/proxy survive reboot (`openclaw-transcribe`, `openclaw-voice-https`)
- **UI enablement:** injects one explicit `<script>` tag for `voice-input.js` in Control UI
- **Gateway compatibility:** appends one HTTPS origin to `gateway.controlUi.allowedOrigins`

Safety characteristics:
- all changes are documented and reversible via uninstall scripts
- no root/sudo required (user scope only)
- no hidden background tasks beyond documented services
- no outbound telemetry or data exfiltration behavior

### Integrity verification

Before executing any sub-skill script, `deploy.sh` verifies SHA256 checksums of **all** sub-skill scripts against `scripts/checksums.sha256`. If any script was modified after installation (e.g. by a registry update or tampering), deployment **aborts** with a clear error.

**Workflow:**
1. `npx clawhub install <sub-skill>` — fetch from registry
2. Audit the scripts manually or via code review
3. `bash scripts/rehash.sh` — record trusted checksums
4. `bash scripts/deploy.sh` — verify checksums, then deploy

**Dry-run verification** (no deployment):

**After a sub-skill update:**
1. Review the changed scripts
2. `bash scripts/rehash.sh` to update the trusted baseline
3. Commit the updated `checksums.sha256`

## Verify

## Uninstall

Uninstall each skill separately (in reverse order):

npx clawhub install faster-whisper-local-service
npx clawhub install webchat-https-proxy
npx clawhub install webchat-voice-gui

# 1. Voice GUI (hook, UI injection, workspace files)
bash skills/webchat-voice-gui/scripts/uninstall.sh

# 2. HTTPS Proxy (service, gateway config, certs)
bash skills/webchat-https-proxy/scripts/uninstall.sh

# 3. STT Backend (service, venv)
systemctl --user stop openclaw-transcribe.service
systemctl --user disable openclaw-transcribe.service
rm -f ~/.config/systemd/user/openclaw-transcribe.service
systemctl --user daemon-reload