This guide focuses on common setup/runtime failures and fast resolution paths.
Last verified: March 2, 2026.
Symptom:
- bootstrap exits with
cargo is not installed
Fix:
./bootstrap.sh --install-rustOr install from https://rustup.rs/.
Symptom:
- build fails due to compiler or
pkg-configissues
Fix:
./bootstrap.sh --install-system-depsSymptoms:
cargo build --releaseis killed (signal: 9, OOM killer, orcannot allocate memory)- Build crashes after adding swap because disk space runs out
Why this happens:
- Runtime memory (<5MB for common operations) is not the same as compile-time memory.
- Full source build can require 2 GB RAM + swap and 6+ GB free disk.
- Enabling swap on a tiny disk can avoid RAM OOM but still fail due to disk exhaustion.
Preferred path for constrained machines:
./bootstrap.sh --prefer-prebuiltBinary-only mode (no source fallback):
./bootstrap.sh --prebuilt-onlyIf you must compile from source on constrained hosts:
- Add swap only if you also have enough free disk for both swap + build output.
- Limit cargo parallelism:
CARGO_BUILD_JOBS=1 cargo build --release --locked- Reduce heavy features when Matrix is not required:
cargo build --release --locked --features hardware- Cross-compile on a stronger machine and copy the binary to the target host.
Symptoms:
cargo check/cargo buildappears stuck atChecking zeroclawfor a long time- repeated
Blocking waiting for file lock on package cacheorbuild directory
Why this happens in ZeroClaw:
- Matrix E2EE stack (
matrix-sdk,ruma,vodozemac) is large and expensive to type-check. - TLS + crypto native build scripts (
aws-lc-sys,ring) add noticeable compile time. rusqlitewith bundled SQLite compiles C code locally.- Running multiple cargo jobs/worktrees in parallel causes lock contention.
Fast checks:
cargo check --timings
cargo tree -dThe timing report is written to target/cargo-timings/cargo-timing.html.
Faster local iteration (when Matrix channel is not needed):
cargo checkThis uses the lean default feature set and can significantly reduce compile time.
To build with Matrix support explicitly enabled:
cargo check --features channel-matrixTo build with Matrix + Lark + hardware support:
cargo check --features hardware,channel-matrix,channel-larkLock-contention mitigation:
pgrep -af "cargo (check|build|test)|cargo check|cargo build|cargo test"Stop unrelated cargo jobs before running your own build.
Symptom:
- install succeeds but shell cannot find
zeroclaw
Fix:
export PATH="$HOME/.cargo/bin:$PATH"
which zeroclawPersist in your shell profile if needed.
Symptoms:
- agent repeatedly fails shell calls and stops early
- shell-based actions fail even though ZeroClaw starts
zeroclaw doctorreports runtime shell capability unavailable
Why this happens:
- Native Windows shell availability differs by machine setup.
- Some environments do not have
shinPATH. - If both Git Bash and PowerShell are missing/misconfigured, shell tool execution will fail.
What changed in ZeroClaw:
- Native runtime now resolves shell with Windows fallbacks in this order:
bash->sh->pwsh->powershell->cmd/COMSPEC
zeroclaw doctornow reports:- selected native shell (kind + resolved executable path)
- candidate shell availability on Windows
- explicit warning when fallback is only
cmd
- WSL2 is optional, not required.
Checks (PowerShell):
where.exe bash
where.exe pwsh
where.exe powershell
echo $env:COMSPEC
zeroclaw doctorFix:
- Install at least one preferred shell:
- Git Bash (recommended for Unix-like command compatibility), or
- PowerShell 7 (
pwsh)
- Confirm the shell executable is available in
PATH. - Ensure
COMSPECis set (normally points tocmd.exeon Windows). - Reopen terminal and rerun
zeroclaw doctor.
Notes:
- Running with only
cmdfallback can work, but compatibility is lower than Git Bash or PowerShell. - If you already use WSL2, it can help with Unix-style workflows, but it is not mandatory for ZeroClaw shell tooling.
Checks:
zeroclaw status
zeroclaw doctorVerify ~/.zeroclaw/config.toml:
[gateway].host(default127.0.0.1)[gateway].port(default42617)allow_public_bindonly when intentionally exposing LAN/public interfaces
Checks:
- Ensure pairing completed (
/pairflow) - Ensure bearer token is current
- Re-run diagnostics:
zeroclaw doctorCause:
- multiple pollers using same bot token
Fix:
- keep only one active runtime for that token
- stop extra
zeroclaw daemon/zeroclaw channel startprocesses
Checks:
zeroclaw channel doctorThen verify channel-specific credentials + allowlist fields in config.
Symptom:
- tool output includes
Command blocked: high-risk command is disallowed by policy - model says
curl/wgetis blocked
Why this happens:
curl/wgetare high-risk shell commands and may be blocked by autonomy policy.
Preferred fix:
- use purpose-built tools instead of shell fetch:
http_requestfor direct API/HTTP callsweb_fetchfor page content extraction/summarization
Minimal config:
[http_request]
enabled = true
allowed_domains = ["*"]
[web_fetch]
enabled = true
provider = "fast_html2md"
allowed_domains = ["*"]Symptom:
- tool output includes
DuckDuckGo search failed with status: 403(or429)
Why this happens:
- some networks/proxies/rate limits block DuckDuckGo HTML search endpoint traffic.
Fix options:
- Switch provider to Brave (recommended when you have an API key):
[web_search]
enabled = true
provider = "brave"
brave_api_key = "<SECRET>"- Switch provider to Firecrawl (if enabled in your build):
[web_search]
enabled = true
provider = "firecrawl"
api_key = "<SECRET>"- Keep DuckDuckGo for search, but use
web_fetchto read pages once you have URLs.
Symptom:
- errors like
Host '<domain>' is not in http_request.allowed_domains - or
web_fetch tool is enabled but no allowed_domains are configured
Fix:
- include exact domains or
"*"for public internet access:
[http_request]
enabled = true
allowed_domains = ["*"]
[web_fetch]
enabled = true
allowed_domains = ["*"]
blocked_domains = []Security notes:
- local/private network targets are blocked even with
"*" - keep explicit domain allowlists in production environments when possible
Checks:
zeroclaw service statusRecovery:
zeroclaw service stop
zeroclaw service startLinux logs:
journalctl --user -u zeroclaw.service -fSymptoms:
cargo buildfails with linker errors referencing a minimum deployment target higher than 10.15- Binary exits immediately or crashes with
Illegal instruction: 4on launch - Error message references
macOS 11.0orBig Suras a requirement
Why this happens:
wasmtime(the WASM plugin engine used by thewasm-toolsfeature) uses Cranelift JIT compilation, which has macOS version dependencies that may exceed Catalina (10.15).- If your Rust toolchain was installed or updated on a newer macOS host, the default
MACOSX_DEPLOYMENT_TARGETmay be set higher than 10.15, producing binaries that refuse to start on Catalina.
Fix β build without the WASM plugin engine (recommended on Catalina):
cargo build --release --lockedThe default feature set no longer includes wasm-tools, so the above command produces a
Catalina-compatible binary without Cranelift/JIT dependencies.
If you need WASM plugin support and are on a newer macOS (11.0+), opt in explicitly:
cargo build --release --locked --features wasm-toolsFix β explicit deployment target (belt-and-suspenders):
If you still see deployment-target linker errors, set the target explicitly before building:
MACOSX_DEPLOYMENT_TARGET=10.15 cargo build --release --lockedThe .cargo/config.toml in this repository already pins x86_64-apple-darwin builds to
-mmacosx-version-min=10.15, so the environment variable is usually not required.
Both still work:
curl -fsSL https://raw.githubusercontent.com/zeroclaw-labs/zeroclaw/main/install.sh | bash
curl -fsSL https://raw.githubusercontent.com/zeroclaw-labs/zeroclaw/main/scripts/install.sh | bashRoot install.sh is the canonical remote entrypoint and defaults to TUI onboarding for no-arg interactive sessions.
scripts/install.sh remains a compatibility entry and forwards/falls back to bootstrap behavior.
Collect and include these outputs when filing an issue:
zeroclaw --version
zeroclaw status
zeroclaw doctor
zeroclaw channel doctorAlso include OS, install method, and sanitized config snippets (no secrets).