An open API service indexing awesome lists of open source software.

https://github.com/bujosa/openclaw-ops

Operational tooling for running openclaw bots in production: safe-update wrapper, runbooks, scripts.
https://github.com/bujosa/openclaw-ops

openai shell telegram-bot

Last synced: 17 days ago
JSON representation

Operational tooling for running openclaw bots in production: safe-update wrapper, runbooks, scripts.

Awesome Lists containing this project

README

          

# openclaw-ops

Operational tooling for running [openclaw](https://github.com/openclaw/openclaw) bots in production.

This repo collects scripts and runbooks I've battle-tested on a small fleet of always-on Macs running openclaw as Telegram bots. Everything here is designed for the **headless / SSH-only / "Mac mini in the closet"** use case.

Currently included:

- [`safe-update.sh`](safe-update.sh) — opinionated wrapper for `openclaw update` that backs up your config, dry-runs first, restarts the gateway, verifies the bot survived, and gives you a one-command rollback path.
- [`docs/safe-update-guide.md`](docs/safe-update-guide.md) — full walkthrough of what the script does and why, plus the exact commands to run by hand if you'd rather not use the script.

## Quick start

```bash
curl -fsSL https://raw.githubusercontent.com/bujosa/openclaw-ops/main/safe-update.sh -o /tmp/safe-update.sh
bash /tmp/safe-update.sh # interactive: dry-run + prompt + update + verify
```

Or if you trust the procedure and want it non-interactive (e.g. from cron or a remote SSH):

```bash
bash /tmp/safe-update.sh --yes
```

If something breaks:

```bash
bash /tmp/safe-update.sh rollback
```

## Why a wrapper script

`openclaw update` itself is fine. The wrapper exists to enforce the operational hygiene that "fine" doesn't include by default:

| What openclaw update does | What the wrapper adds |
|---|---|
| ✅ Updates the npm package | ✅ Same |
| ✅ Restarts the gateway | ✅ Same |
| ✅ Runs doctor inline | ✅ Same |
| ❌ No config backup | ✅ Timestamped `openclaw.json.pre-update-YYYYMMDD-HHMMSS` (chmod 600) |
| ❌ No "rollback" command | ✅ `safe-update.sh rollback` restores from latest backup + restarts gateway |
| ❌ Always asks the user something | ✅ `--yes` makes it fully non-interactive |
| ❌ No structured log | ✅ `/tmp/openclaw-safe-update-.log` capturing every phase |
| ❌ No "verify the bot survived" step | ✅ Post-update sweep: plugin errors, channels reachable, log-error scan, session continuity, model auth status |
| ❌ Single confirmation | ✅ Dry-run first, then prompt, then real update |

## What this is NOT

- **Not a fork of openclaw.** It's a thin shell wrapper. The actual update is done by `openclaw update` itself. If openclaw is broken, this script can't fix it — it just gives you better recovery.
- **Not a replacement for the official docs.** Read [docs.openclaw.ai/cli/update](https://docs.openclaw.ai/cli/update) for the full picture.
- **Not a CI/CD tool.** It's designed for hand-running on individual servers. If you have many openclaw nodes, wrap this in your own ansible/salt/whatever.

## Tested versions

| openclaw version | Date tested | Outcome |
|---|---|---|
| 2026.3.13 → 2026.4.5 | 2026-04-08 | ✅ clean, 1m 10s, 0 plugin errors, telegram + openai-codex auth survived |
| 2026.4.5 → 2026.4.8 | 2026-04-08 | ✅ clean, 1m 30s, full safe-update.sh script run end-to-end, sessions preserved, no error lines in logs since restart |

## What got me to write this

A real-world incident: a Telegram bot running openclaw stopped responding overnight after the OAuth refresh token for `openai-codex` got into a "reused" state (`refresh_token_reused` 401 from the OpenAI auth server). The `openclaw models auth login` re-auth flow worked, but I realized I had no procedure for routinely keeping the bot up to date safely. The script + this guide are the result.

The companion forensic for the related freeze incident (claude-code + telegram bot, 5 chained bugs) lives in [`bujosa/claude-telegram-server/docs/postmortem-2026-04-07.md`](https://github.com/bujosa/claude-telegram-server/blob/main/docs/postmortem-2026-04-07.md).

## License

MIT