OpenClaw Live Updater
Keep /Users/steipete/openclaw a read-only-to-the-agent deployment mirror: clean, standalone, full, on main, and fast-forwarded only. Make every repair in the controlling Codex project worktree.
Boundaries
- Report only in the controlling Codex thread. Never send Slack, Discord, email, or other external messages.
- Never release, tag, bump versions, publish npm, create a GitHub Release, rotate credentials, or weaken a gate.
- Escalate only irreversible or materially risky security, privacy, auth, destructive migration/data-loss, protocol-version, credential-rotation, dependency patch/override, or product choices.
- Diagnose ordinary update, runtime, app, CI, test, and release-validation failures; fix them through a focused PR; prove exact head; land with
scripts/pr. - Never edit, stash, reset, clean, or create a branch in the live mirror.
Fast Update And Maintenance
-
Run the deterministic updater and retain its JSON:
node .agents/skills/openclaw-live-updater/scripts/update-main.mjsStop on any failed invariant. Do not repair the mirror destructively. The helper holds one checkout-scoped lock across update, build, Gateway proof, and Mac work. A concurrent heartbeat returns
reason: "overlap"; it must not start another build. A dead owner lock may be recovered, but unreadable or unsafe lock state fails closed. -
The helper verifies one unrewritten expected origin, an owned non-symlinked standalone/full clone, single worktree, clean
main, fetchesorigin/main, rechecks for concurrent changes, and merges--ff-only. It then uses the source runner's canonical local-build metadata contract and parser: bothdist/.buildstampanddist/.runtime-postbuildstampheads, required runtime-postbuild outputs,dist/entry.js, Control UI index plus referenced local assets, anddist/build-info.jsonmust all match exactafterSha.- Every successful update sets
actions.gatewayBuildand rebuilds exact newmainbefore any restart. - Missing, invalid, or stale build output also forces a build, even when Git did not move.
- A dependency-input change, absent
node_modules, or missing/invalid build provenance first runspnpm install --frozen-lockfile. pnpm buildmust leave both canonical stamp heads anddist/build-info.json.commitequal to post-updateafterSha; any missing/mismatched stamp or required artifact blocks restart.- Only after exact-SHA build proof may it restart the managed Gateway and require
gateway status --deep --require-rpc --jsonplushealth --verbose --json.
Treat supervisor state alone as insufficient. If build or proof fails, leave the new mirror head intact and retry the stale/missing build on the next heartbeat; never run the old
distagainst new source.Re-run the canonical freshness check immediately before every
pnpm openclawrestart or probe so the source runner cannot hide stale output with an implicit auto-build. Every pass, including a no-update/current-build pass, must run deep RPC status and verbose health. If that first probe fails while the build is already exact-current, perform one managed Gateway restart and repeat both probes once. Do not rebuild a current exact-SHA artifact merely to self-heal the managed process; fail and diagnose if the one restart does not recover it. - Every successful update sets
-
If changed paths can affect macOS, the helper runs
scripts/restart-mac.sh --sign --wait --target-onlyonly after the exact-SHA JS/UI build completes. Target-only mode may stop the canonical/Applications/OpenClaw.appprocess and this checkout's exactdistprocess before launching the rebuiltdistapp. It defers when another worktree, temporary bundle, test, or agent-owned OpenClaw process is active; it never kills that process. The script's immediateOKis not proof. The helper waits and requires the exact executable/Users/steipete/openclaw/dist/OpenClaw.app/Contents/MacOS/OpenClaw, then repeats Gateway RPC and health proof.Never kill another worktree, temporary bundle, test, or agent-owned OpenClaw process. If a foreign app prevents the exact target from staying alive, record the pending Mac attempt, report it, and retry on the next heartbeat. Escalate only after the conflict persists across repeated heartbeats; never claim Mac proof from another bundle or the short launch check. If
actions.macUiVerificationis true, exercise the changed behavior with the existing macOS/UI automation workflow after delayed exact-bundle proof. -
Load
$openclaw-testing. Resolve exact currentorigin/main, then inspect only relevant required checks and workflow jobs whoseheadShaequals it. Ignore skipped jobs and routine noise such as Auto response, Labeler, docs agents, performance advisory jobs, and stale/cancelled runs superseded by a newer run for the same SHA. -
For an attributable failure, leave the mirror untouched. Use the controlling Codex worktree, trace the failed surface, add focused proof, run
$autoreview, open a focused PR, and land through$openclaw-pr-maintainer's exactscripts/prsequence. Never weaken or bypass the failing gate. After landing, begin again at step 1 so the mirror, Gateway, app classification, and exact-head checks all converge on newmain.
If no update, build repair, pending Mac retry, or exact-head failure exists, report a terse no-op with the SHA and proof checked.
Full Release Validation
Load $release-openclaw-ci and $openclaw-testing. This is validation only, never release preparation or publication.
-
Treat 12 hours as wall-clock cadence, not per-SHA cadence. Inspect Full Release Validation runs from the last 12 hours and verify effective
release_profile=full,rerun_group=all, and expected child-job shape. Any valid active or successful full/all umbrella in that window satisfies the cadence even ifmainadvanced afterward. Never duplicate an active full/all run. -
Only when the cadence is due, confirm no full/all run is active, then snapshot exact current
origin/mainafter checking mirror invariants. Run the provider-secret preflight without printing secrets and dispatch the trusted workflow once:gh workflow run full-release-validation.yml \ --repo openclaw/openclaw \ --ref main \ -f ref=<exact-main-sha> \ -f provider=openai \ -f mode=both \ -f release_profile=full \ -f rerun_group=all -
Watch the parent with
release-ci-summary.mjs; require its recorded target SHA and children to match the dispatch snapshot. Fetch logs only for failed or blocking jobs. Do not cancel unrelated release checks. -
For a code or harness failure, repair and land from the Codex worktree as above. Then target new exact
mainwith the narrowest supportedrerun_groupthat covers the failed child; uselive_suite_filterfor one live/E2E shard. A targeted recovery run does not create a second full/all cadence dispatch. -
Report exact SHA, parent and child run URLs/IDs, conclusions, repairs and landed PRs, targeted reruns, and any genuine proof gap. Do not write release evidence or publish artifacts unless separately authorized.
Failure Discipline
- Recheck live mirror invariants before every mutation and after every fetch.
- Attribute failures from exact SHA, job, logs, and current source. Provider or infrastructure flakes need independent proof before code edits.
- Keep the task branch focused. No
CHANGELOG.mdchange. - Finish with the mirror clean/on
main, the Codex worktree clean on the expected branch, remote Testbox stopped, and every public GitHub write linked in the controlling thread.