CommunityCodierung & Entwicklunggithub.com

openclaw-live-updater

Maintain the canonical live OpenClaw main checkout, managed Gateway, local macOS app, exact-head main CI, and recurring full release validation. Use for fast-forward update heartbeats, post-update runtime verification, attributable CI repair and repo-native landing, or non-publishing Full Release Validation of current main.

Was ist openclaw-live-updater?

openclaw-live-updater is a Codex agent skill that maintain the canonical live OpenClaw main checkout, managed Gateway, local macOS app, exact-head main CI, and recurring full release validation. Use for fast-forward update heartbeats, post-update runtime verification, attributable CI repair and repo-native landing, or non-publishing Full Release Validation of current main.

Funktioniert mit~Claude CodeCodex CLI~Cursor
npx skills add https://github.com/clawdbot/clawdbot/tree/main/.agents/skills/openclaw-live-updater

Installed? Explore more Codierung & Entwicklung skills: steipete/bluebubbles, steipete/eightctl, steipete/blucli · View all 6 →

In Ihrer bevorzugten KI fragen

Öffnet einen neuen Chat, in dem dieser Agent-Skill bereits geladen ist.

Dokumentation

OpenClaw Live Updater

Keep /Users/steipete/openclaw a read-only-to-the-agent deployment mirror: clean, standalone, full, on main, and fast-forwarded only. Make every repair in the controlling Codex project worktree.

Boundaries

  • Report only in the controlling Codex thread. Never send Slack, Discord, email, or other external messages.
  • Never release, tag, bump versions, publish npm, create a GitHub Release, rotate credentials, or weaken a gate.
  • Escalate only irreversible or materially risky security, privacy, auth, destructive migration/data-loss, protocol-version, credential-rotation, dependency patch/override, or product choices.
  • Diagnose ordinary update, runtime, app, CI, test, and release-validation failures; fix them through a focused PR; prove exact head; land with scripts/pr.
  • Never edit, stash, reset, clean, or create a branch in the live mirror.

Fast Update And Maintenance

  1. Run the deterministic updater and retain its JSON:

    node .agents/skills/openclaw-live-updater/scripts/update-main.mjs
    

    Stop on any failed invariant. Do not repair the mirror destructively. The helper holds one checkout-scoped lock across update, build, Gateway proof, and Mac work. A concurrent heartbeat returns reason: "overlap"; it must not start another build. A dead owner lock may be recovered, but unreadable or unsafe lock state fails closed.

  2. The helper verifies one unrewritten expected origin, an owned non-symlinked standalone/full clone, single worktree, clean main, fetches origin/main, rechecks for concurrent changes, and merges --ff-only. It then uses the source runner's canonical local-build metadata contract and parser: both dist/.buildstamp and dist/.runtime-postbuildstamp heads, required runtime-postbuild outputs, dist/entry.js, Control UI index plus referenced local assets, and dist/build-info.json must all match exact afterSha.

    • Every successful update sets actions.gatewayBuild and rebuilds exact new main before any restart.
    • Missing, invalid, or stale build output also forces a build, even when Git did not move.
    • A dependency-input change, absent node_modules, or missing/invalid build provenance first runs pnpm install --frozen-lockfile.
    • pnpm build must leave both canonical stamp heads and dist/build-info.json.commit equal to post-update afterSha; any missing/mismatched stamp or required artifact blocks restart.
    • Only after exact-SHA build proof may it restart the managed Gateway and require gateway status --deep --require-rpc --json plus health --verbose --json.

    Treat supervisor state alone as insufficient. If build or proof fails, leave the new mirror head intact and retry the stale/missing build on the next heartbeat; never run the old dist against new source.

    Re-run the canonical freshness check immediately before every pnpm openclaw restart or probe so the source runner cannot hide stale output with an implicit auto-build. Every pass, including a no-update/current-build pass, must run deep RPC status and verbose health. If that first probe fails while the build is already exact-current, perform one managed Gateway restart and repeat both probes once. Do not rebuild a current exact-SHA artifact merely to self-heal the managed process; fail and diagnose if the one restart does not recover it.

  3. If changed paths can affect macOS, the helper runs scripts/restart-mac.sh --sign --wait --target-only only after the exact-SHA JS/UI build completes. Target-only mode may stop the canonical /Applications/OpenClaw.app process and this checkout's exact dist process before launching the rebuilt dist app. It defers when another worktree, temporary bundle, test, or agent-owned OpenClaw process is active; it never kills that process. The script's immediate OK is not proof. The helper waits and requires the exact executable /Users/steipete/openclaw/dist/OpenClaw.app/Contents/MacOS/OpenClaw, then repeats Gateway RPC and health proof.

    Never kill another worktree, temporary bundle, test, or agent-owned OpenClaw process. If a foreign app prevents the exact target from staying alive, record the pending Mac attempt, report it, and retry on the next heartbeat. Escalate only after the conflict persists across repeated heartbeats; never claim Mac proof from another bundle or the short launch check. If actions.macUiVerification is true, exercise the changed behavior with the existing macOS/UI automation workflow after delayed exact-bundle proof.

  4. Load $openclaw-testing. Resolve exact current origin/main, then inspect only relevant required checks and workflow jobs whose headSha equals it. Ignore skipped jobs and routine noise such as Auto response, Labeler, docs agents, performance advisory jobs, and stale/cancelled runs superseded by a newer run for the same SHA.

  5. For an attributable failure, leave the mirror untouched. Use the controlling Codex worktree, trace the failed surface, add focused proof, run $autoreview, open a focused PR, and land through $openclaw-pr-maintainer's exact scripts/pr sequence. Never weaken or bypass the failing gate. After landing, begin again at step 1 so the mirror, Gateway, app classification, and exact-head checks all converge on new main.

If no update, build repair, pending Mac retry, or exact-head failure exists, report a terse no-op with the SHA and proof checked.

Full Release Validation

Load $release-openclaw-ci and $openclaw-testing. This is validation only, never release preparation or publication.

  1. Treat 12 hours as wall-clock cadence, not per-SHA cadence. Inspect Full Release Validation runs from the last 12 hours and verify effective release_profile=full, rerun_group=all, and expected child-job shape. Any valid active or successful full/all umbrella in that window satisfies the cadence even if main advanced afterward. Never duplicate an active full/all run.

  2. Only when the cadence is due, confirm no full/all run is active, then snapshot exact current origin/main after checking mirror invariants. Run the provider-secret preflight without printing secrets and dispatch the trusted workflow once:

    gh workflow run full-release-validation.yml \
      --repo openclaw/openclaw \
      --ref main \
      -f ref=<exact-main-sha> \
      -f provider=openai \
      -f mode=both \
      -f release_profile=full \
      -f rerun_group=all
    
  3. Watch the parent with release-ci-summary.mjs; require its recorded target SHA and children to match the dispatch snapshot. Fetch logs only for failed or blocking jobs. Do not cancel unrelated release checks.

  4. For a code or harness failure, repair and land from the Codex worktree as above. Then target new exact main with the narrowest supported rerun_group that covers the failed child; use live_suite_filter for one live/E2E shard. A targeted recovery run does not create a second full/all cadence dispatch.

  5. Report exact SHA, parent and child run URLs/IDs, conclusions, repairs and landed PRs, targeted reruns, and any genuine proof gap. Do not write release evidence or publish artifacts unless separately authorized.

Failure Discipline

  • Recheck live mirror invariants before every mutation and after every fetch.
  • Attribute failures from exact SHA, job, logs, and current source. Provider or infrastructure flakes need independent proof before code edits.
  • Keep the task branch focused. No CHANGELOG.md change.
  • Finish with the mirror clean/on main, the Codex worktree clean on the expected branch, remote Testbox stopped, and every public GitHub write linked in the controlling thread.

Individual skills in this repo

This repo contains 20 individual skills — each has its own dedicated page.

1password

Set up and use 1Password CLI for sign-in, desktop integration, and reading or injecting secrets.

acp-router

Route plain-language requests for Claude Code, Cursor, Copilot, OpenClaw ACP, OpenCode, Gemini CLI, Qwen, Kiro, Kimi, iFlow, Factory Droid, Kilocode, or explicit ACP harness work into either OpenClaw ACP runtime sessions or direct acpx-driven sessions ("telephone game" flow). For coding-agent thread requests, read this skill first, then use only `sessions_spawn` for thread creation. Codex chat binding defaults to the native Codex app-server plugin unless ACP is explicit or background spawn needs ACP.

agent-transcript

Add a redacted agent transcript section to GitHub PR or issue bodies during OpenClaw agent-created PR/issue workflows.

apple-notes

Create, view, edit, delete, search, move, or export Apple Notes via the memo CLI on macOS.

apple-reminders

List, add, edit, complete, or delete Apple Reminders and reminder lists via remindctl.

autoreview

Pre-commit/ship code review: Codex default; optional Claude, Pi, Droid, Copilot, Cursor, or OpenCode.

bear-notes

Create, search, and manage Bear notes via grizzly CLI.

blacksmith-testbox

Run Blacksmith Testbox for CI-parity checks, secrets, hosted services, migrations, or builds local cannot reproduce.

blogwatcher

Monitor blogs and RSS/Atom feeds for updates using the blogwatcher CLI.

blucli

BluOS CLI (blu) for discovery, playback, grouping, and volume.

bluebubbles

Send and manage iMessages via BlueBubbles, including attachments, tapbacks, edits, replies, and groups.

browser-automation

Use when controlling web pages with the OpenClaw browser tool, especially multi-step flows, login checks, tab management, or recovery from stale refs/timeouts.

camsnap

Capture frames or clips from RTSP/ONVIF cameras.

canvas

Present HTML on connected OpenClaw node canvases, navigate/eval/snapshot, and debug canvas host URLs.

channel-message-flows

Use when running QA Lab channel message flow evidence.

clawdtributor

Use for OpenClaw clawtributors PR/issue triage: Discrawl discovery, live-open rechecks, deep review, topic grouping, and compact @handle/LOC/type/blast/verification summaries.

clawhub

Search ClawHub for skills when a requested capability is not already available; install, verify, update, publish, or sync skills.

claw-score

Audit or refresh OpenClaw maturity scorecard docs from root taxonomy, maturity scores, and QA evidence artifacts without using maintainer discrawl data or committed inventory reports.

clawsweeper

Use for all ClawSweeper work: OpenClaw issue/PR sweep reports, commit-review reports, repair jobs, cloud fix PRs, @clawsweeper maintainer mention commands, trusted ClawSweeper-reviewed autofix/automerge, GitHub Actions monitoring, permissions, gates, and manual backfills.

clownfish-cloud-pr

Use when launching Clownfish in GitHub Actions to create or update one guarded GitHub implementation PR from issue/PR refs, a ClawSweeper report, a custom maintainer prompt, or to opt an existing Clownfish PR into ClawSweeper-reviewed cloud automerge.

Verwandte Skills