ClawHub

Gateway Auto-Rollback

v1.1.0

Automatic configuration rollback mechanism for OpenClaw Gateway. Provides three-layer protection: pre-modification backup, post-modification validation, and...

0· 389·3 current·3 all-time
by@halfmoon82
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (auto rollback for OpenClaw Gateway) aligns with included Python script and test script. The code operates on ~/.openclaw config files, creates backups, validates JSON, checks local Gateway health, and performs rollbacks — all coherent with the declared purpose.
Instruction Scope
SKILL.md instructions map directly to the script behavior: one-shot run, watch mode, manual rollback, cron examples, and test steps. The instructions only reference local files (~/.openclaw), the local Gateway health endpoint (127.0.0.1:18789), and local logging — they do not instruct the agent to read unrelated system files or to transmit data externally.
Install Mechanism
There is no install spec (instruction-only with included script files). This is low risk: no downloads or archives are fetched at install time. The skill does include runnable code, so users should still inspect/execute it in their environment before trusting it.
Credentials
The skill declares no required env vars and the code does not read secrets. One operational caveat: check_gateway_health() calls the external 'curl' binary; the registry metadata lists no required binaries, so the script will silently fail health checks if curl is absent. No credentials or unrelated environment access are requested.
Persistence & Privilege
always is false and model invocation is allowed (platform default). The skill does not modify other skills or global agent settings; it writes to ~/.openclaw (its own config area) which is consistent with its function.
Assessment
This skill appears to do what it says: local backups, JSON validation, health probes and rollback for OpenClaw config files. Before installing or running it: 1) review the Python script yourself (it's included) and run tests in a safe environment; 2) be aware it will create/modify files under ~/.openclaw (backup and log files) and will copy backups back into place on rollback; 3) ensure the local Gateway health endpoint (http://127.0.0.1:18789/api/health) is what you expect and that the system has 'curl' available (the script expects it but the metadata declares no required binaries); 4) run the bundled tests (test-rollback-mechanism.sh) manually to confirm behavior before enabling any daemon/watch mode; 5) if you do not trust the anonymous source, avoid running the watch/daemon mode or run it in a constrained/testing environment. If you see any unexpected network calls or references to remote endpoints in future versions, treat that as a red flag.

Like a lobster shell, security has layers — review code before you run it.

latestvk973b0sy4ca1xg1d7j4wanjrxn821dab
389downloads
0stars
2versions
Updated 1mo ago
v1.1.0
MIT-0
@halfmoon82
latest
Download

Gateway Auto-Rollback

Three-layer configuration protection for OpenClaw Gateway — never break your config again.

What It Does

Automatically protects your OpenClaw configuration files with:

  1. Pre-modification backup — SHA256 content-addressed snapshots before any change
  2. Post-modification validation — JSON syntax check + Gateway health probe
  3. Automatic rollback — instant restore if validation fails

When to Use

  • Before modifying openclaw.json, exec-approvals.json, or skills.json
  • When running automated config changes (cron jobs, scripts)
  • As a background safety net during development
  • When you want peace of mind that a bad config won't take down your agent

Quick Start

One-shot check (before manual edits)

python3 gateway-auto-rollback.py

This initializes the backup directory, validates current config, and logs status.

Watch mode (background daemon)

python3 gateway-auto-rollback.py --watch &

Monitors critical config files every 3 minutes. Auto-exits after 3 consecutive healthy checks (config is stable).

How It Works

Before Modification        During              After Modification
       ↓                    ↓                        ↓
  Backup + Hash  ───→  Execute Change  ───→  JSON Validate + Health Check
       │                                          │
       └──────────────────────────────────────→ Auto-rollback on failure

Protected Files

FileDescription
openclaw.jsonMain Gateway configuration
exec-approvals.jsonCommand execution approvals
skills.jsonSkills registry

Backup Naming

Backups are stored in ~/.openclaw/backup/ with content-addressed names:

openclaw.json.20260301_053612.a1b2c3d4.bak
                 ↑ timestamp    ↑ SHA256 prefix (dedup)

API Reference

Python Functions

from gateway_auto_rollback import (
    pre_modification_check,   # Call before modifying config
    post_modification_verify, # Call after modifying config
    create_backup,            # Manual backup creation
    validate_json,            # JSON syntax validation
    check_gateway_health,     # Gateway health probe
    rollback_to_backup,       # Manual rollback
    watch_config_files,       # Start watch daemon
)

Pre-modification flow

from pathlib import Path

config = Path.home() / ".openclaw" / "openclaw.json"

# Returns backup path on success, False on failure
backup = pre_modification_check(config)

# ... make your changes ...

# Validates and auto-rolls back if needed
success = post_modification_verify(config, backup)

Watch mode details

The watcher:

  • Polls every 3 minutes (gives Gateway time to restart)
  • Detects changes via SHA256 hash comparison
  • Auto-creates backup when change detected
  • Validates JSON + health check after each change
  • Auto-exits after 3 consecutive healthy checks (config stabilized)
  • Logs all events to ~/.openclaw/logs/config-modification.log

Integration with Cron

Set up periodic health checks:

# Cron job example: check every hour
0 * * * * python3 /path/to/gateway-auto-rollback.py

Or use OpenClaw's built-in cron:

{
  "name": "Gateway-Auto-Rollback",
  "schedule": { "kind": "cron", "expr": "0 */6 * * *", "tz": "Asia/Shanghai" },
  "payload": {
    "kind": "agentTurn",
    "message": "Run gateway health check. If unhealthy, rollback to latest backup."
  },
  "sessionTarget": "isolated"
}

Manual Rollback

If you need to manually restore a config:

# List available backups (newest first)
ls -lt ~/.openclaw/backup/ | head -10

# Restore a specific backup
cp ~/.openclaw/backup/openclaw.json.20260301_053612.a1b2c3d4.bak \
   ~/.openclaw/openclaw.json

# Restart Gateway
openclaw gateway restart

# Verify
curl -s http://127.0.0.1:18789/api/health

Testing

Run the included test suite to verify the mechanism works:

bash test-rollback-mechanism.sh

Tests cover:

  • Backup directory existence
  • JSON validation
  • SHA256 hash computation
  • Backup creation and restore
  • Watch daemon status
  • Log file integrity
  • Script permissions

Logs

All events are logged to ~/.openclaw/logs/config-modification.log:

[2026-03-01 05:37:00] INFO: ✅ 备份创建: openclaw.json.20260301_053612.a1b2c3d4.bak
[2026-03-01 05:37:01] INFO: ✅ 修改验证通过
[2026-03-01 05:40:00] WARN: ⚠️ 检测到修改: openclaw.json
[2026-03-01 05:40:01] ERROR: JSON 验证失败 — 触发回滚

Requirements

  • Python 3.8+
  • OpenClaw Gateway running (for health checks)
  • No additional pip packages needed (stdlib only)

File Structure

gateway-auto-rollback/
├── SKILL.md                      # This file
├── _meta.json                    # ClawHub metadata
├── gateway-auto-rollback.py      # Main script (backup/validate/rollback/watch)
└── test-rollback-mechanism.sh    # Test suite

Comments

Loading comments...