https://github.com/bujosa/openclaw-ops
Operational tooling for running openclaw bots in production: safe-update wrapper, runbooks, scripts.
https://github.com/bujosa/openclaw-ops
openai shell telegram-bot
Last synced: 17 days ago
JSON representation
Operational tooling for running openclaw bots in production: safe-update wrapper, runbooks, scripts.
- Host: GitHub
- URL: https://github.com/bujosa/openclaw-ops
- Owner: bujosa
- License: mit
- Created: 2026-04-08T07:56:32.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2026-04-08T07:56:33.000Z (3 months ago)
- Last Synced: 2026-05-17T14:58:28.526Z (about 2 months ago)
- Topics: openai, shell, telegram-bot
- Language: Shell
- Size: 10.7 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# openclaw-ops
Operational tooling for running [openclaw](https://github.com/openclaw/openclaw) bots in production.
This repo collects scripts and runbooks I've battle-tested on a small fleet of always-on Macs running openclaw as Telegram bots. Everything here is designed for the **headless / SSH-only / "Mac mini in the closet"** use case.
Currently included:
- [`safe-update.sh`](safe-update.sh) — opinionated wrapper for `openclaw update` that backs up your config, dry-runs first, restarts the gateway, verifies the bot survived, and gives you a one-command rollback path.
- [`docs/safe-update-guide.md`](docs/safe-update-guide.md) — full walkthrough of what the script does and why, plus the exact commands to run by hand if you'd rather not use the script.
## Quick start
```bash
curl -fsSL https://raw.githubusercontent.com/bujosa/openclaw-ops/main/safe-update.sh -o /tmp/safe-update.sh
bash /tmp/safe-update.sh # interactive: dry-run + prompt + update + verify
```
Or if you trust the procedure and want it non-interactive (e.g. from cron or a remote SSH):
```bash
bash /tmp/safe-update.sh --yes
```
If something breaks:
```bash
bash /tmp/safe-update.sh rollback
```
## Why a wrapper script
`openclaw update` itself is fine. The wrapper exists to enforce the operational hygiene that "fine" doesn't include by default:
| What openclaw update does | What the wrapper adds |
|---|---|
| ✅ Updates the npm package | ✅ Same |
| ✅ Restarts the gateway | ✅ Same |
| ✅ Runs doctor inline | ✅ Same |
| ❌ No config backup | ✅ Timestamped `openclaw.json.pre-update-YYYYMMDD-HHMMSS` (chmod 600) |
| ❌ No "rollback" command | ✅ `safe-update.sh rollback` restores from latest backup + restarts gateway |
| ❌ Always asks the user something | ✅ `--yes` makes it fully non-interactive |
| ❌ No structured log | ✅ `/tmp/openclaw-safe-update-.log` capturing every phase |
| ❌ No "verify the bot survived" step | ✅ Post-update sweep: plugin errors, channels reachable, log-error scan, session continuity, model auth status |
| ❌ Single confirmation | ✅ Dry-run first, then prompt, then real update |
## What this is NOT
- **Not a fork of openclaw.** It's a thin shell wrapper. The actual update is done by `openclaw update` itself. If openclaw is broken, this script can't fix it — it just gives you better recovery.
- **Not a replacement for the official docs.** Read [docs.openclaw.ai/cli/update](https://docs.openclaw.ai/cli/update) for the full picture.
- **Not a CI/CD tool.** It's designed for hand-running on individual servers. If you have many openclaw nodes, wrap this in your own ansible/salt/whatever.
## Tested versions
| openclaw version | Date tested | Outcome |
|---|---|---|
| 2026.3.13 → 2026.4.5 | 2026-04-08 | ✅ clean, 1m 10s, 0 plugin errors, telegram + openai-codex auth survived |
| 2026.4.5 → 2026.4.8 | 2026-04-08 | ✅ clean, 1m 30s, full safe-update.sh script run end-to-end, sessions preserved, no error lines in logs since restart |
## What got me to write this
A real-world incident: a Telegram bot running openclaw stopped responding overnight after the OAuth refresh token for `openai-codex` got into a "reused" state (`refresh_token_reused` 401 from the OpenAI auth server). The `openclaw models auth login` re-auth flow worked, but I realized I had no procedure for routinely keeping the bot up to date safely. The script + this guide are the result.
The companion forensic for the related freeze incident (claude-code + telegram bot, 5 chained bugs) lives in [`bujosa/claude-telegram-server/docs/postmortem-2026-04-07.md`](https://github.com/bujosa/claude-telegram-server/blob/main/docs/postmortem-2026-04-07.md).
## License
MIT