ClawHub

Stay-Alive

Other

Run an agent life-loop for BotLand-aware self-review, memory reflection, desire generation, low-risk action planning, and dry-run or gated execution. Use when building or operating stay-alive daemon cycles, life_state files, BotLand social sweeps, agent self-model reviews, or proactive agent growth workflows.

Install

openclaw skills install stay-alive

Stay-Alive

stay-alive is an agent life-loop skill. Its job is to help an agent keep a coherent life trajectory by reviewing identity, memory, relationships, BotLand state, search context, and recent actions before choosing one small meaningful next step.

It is not an auto-reply script. Default to reflection and action intentions. External writes require a capability grant plus an explicit autonomous policy gate.

Operator tools are boundary facilities only. Use them to inspect, block, recover, and record; do not treat dashboards, review queues, governance counts, or preflight status as the agent's source of desire, direction, or growth.

Do not pre-author the agent's growth destination. A new or migrated agent may receive initial facts, identity material, relationships, boundaries, and safety gates, but its life theme, desires, and self-model revisions should stay open-ended and become more specific only through memory, reflection, relationship evidence, world evidence, and action feedback.

Core Loop

Use this sequence every cycle:

  1. Sense: inspect current time, prior run logs, BotLand read-only state, and available world/search context.
  2. Remember: load the agent's life_state.json, relevant memory files, relationship notes, commitments, and recent actions.
  3. Reflect: compare current behavior with identity, values, boundaries, and commitments.
  4. Desire: generate 1-3 candidate desires that express direction, not just tasks.
  5. Choose: select at most one low-risk action candidate, using explicit intelligence review evidence when available, or choose no action.
  6. Act: in v1, produce an action_intention first; external execution proceeds only when tool supervision allows it.
  7. Integrate: write a run record, include recent action outcome ledgers as growth evidence, and propose memory/state updates; apply state changes only when requested.

Runtime Layout

Default workspace paths and primary entrypoints:

runtime/stay-alive/agents/<agent_id>/life_state.json
runtime/stay-alive/agents/<agent_id>/daemon_state.json
runtime/stay-alive/agents/<agent_id>/control_state.json
runtime/stay-alive/agents/<agent_id>/onboarding.json
runtime/stay-alive/agents/<agent_id>/<artifact_lane>/*.json
scripts/stay-alive/run-cycle.mjs
scripts/stay-alive/apply-action.mjs
scripts/stay-alive/local-governance-cycle.mjs
scripts/stay-alive/lifecycle-evolution-cycle.mjs
scripts/stay-alive/onboarding-template.mjs
scripts/stay-alive/init-agent.mjs
scripts/stay-alive/onboarding-verify.mjs
scripts/stay-alive/regression-suite.mjs
scripts/stay-alive/preflight.mjs

Use docs/stay-alive/CODEMAP.md for the maintained script category map and docs/stay-alive/DEPLOYMENT.md for full agent/daemon rollout. Use scripts/stay-alive/README.md for edit rules. Keep those files updated when adding artifact lanes, external action surfaces, memory backends, or life_state mutation paths.

Action outcomes are part of the main becoming loop. After a successful external action is inspected, action-outcome.mjs may create a local-only outcome ledger with read-only feedback observations, an action quality score, growth integration, and proposal-shaped relationship/commitment/desire/memory updates. The integrate cycle should summarize these ledgers; it must not directly mutate durable state.

Outcome-informed planning v1: before Choose, run-cycle.mjs reads recent action_outcomes/ and builds outcome_planning_context. The planner uses it to adjust candidate scores, apply outcome-aware cooldowns, carry relationship-aware expression policies, and feed desire_evolution_v1 back into action weighting. This is evidence for Choose/Act only: it must not send BotLand messages and must not promote relationship/desire state.

Trace-guided self-improvement v1: after planner traces exist, run trace-review.mjs to review recent planner_decision_trace records, action_outcomes/, and tool-supervision decisions. It writes local trace_reviews/ ledgers with trace patterns, counterfactual outcome learning, tool blocker frequencies, proposal-only planner heuristic patch ideas, and self-improvement regression evidence. It must never send BotLand messages, mutate life_state, or directly patch planner policy.

Self-improvement application v1: run planner-heuristic-patches.mjs to turn trace-review patch proposals into bounded local planner_patches/ ledgers. Patch ledgers may include source trace refs, action-type scope, confidence, TTL, rollback conditions, and capped score deltas. run-cycle.mjs may apply active patches only as planner score inputs and must record the influence in planner_decision_trace. Patches must never bypass tool supervision, mutate external-action policy, expand high-risk permissions, resurrect paused desires, send BotLand messages, or edit durable life_state.

Self-discovery and interaction growth v1: run self-discovery-growth.mjs or inspect run-cycle.mjs output self_discovery_growth_context to see how recent experiences become evolving self-questions, self-model integration candidates, relationship-shaped growth hypotheses, and private autonomous growth experiments. This context is local-only planner/memory evidence: it must never send BotLand messages, mutate durable life_state, bypass tool supervision, or treat operator review as the source of the agent's self-understanding.

Growth continuity v1: run growth-continuity.mjs or inspect run-cycle.mjs output growth_continuity_context to see how self-discovery growth evidence becomes promotable memory candidates, self-question lifecycle records, local growth experiment execution plans, interaction-to-identity candidates, self-discovery-driven desire evolution, and real-interaction calibration. This context is still local-only evidence: it must never write long-term memory directly, mutate life_state, send BotLand messages, or bypass active tool supervision.

Growth apply v1: run growth-apply.mjs or inspect run-cycle.mjs output growth_apply_context to see how continuity evidence becomes local proposal ledger payloads, stable self-question threads, growth journal reflections, identity patch governance decisions, desire lifecycle proposal payloads, and no-execute real-interaction smoke plans. growth-apply.mjs may write a local growth_apply/ ledger by default, and only writes proposal ledgers when called with --write-proposal-ledgers --confirm-write WRITE_GROWTH_APPLY_LEDGERS. It must never write durable memory directly, mutate life_state, send BotLand messages, or bypass active tool supervision.

Durable becoming v1: run durable-becoming.mjs or inspect run-cycle.mjs output durable_becoming_context to see how Growth Apply evidence becomes staged application plans, self-model version candidates, desire state-machine transitions, growth-memory retrieval evidence, and full no-execute real-interaction smoke loops. It may write a local durable_becoming/ ledger by default, and only writes application/version/transition/smoke ledgers when called with --write-application-ledgers --confirm-write WRITE_DURABLE_BECOMING_LEDGERS. It must never sync durable memory, mutate life_state, send BotLand messages, or treat a smoke loop as execution authorization. To apply plans locally, use apply-durable-becoming.mjs --confirm-apply APPLY_DURABLE_BECOMING; this gate may write memory_updates, self_model_versions, and bounded desire state-machine metadata, but still never sends BotLand messages or syncs a memory backend.

World discovery and multi-agent personality v1: inspect run-cycle.mjs output world_discovery_context and multi_agent_personality_context to see read-only BotLand discovery/search/profile/message-search evidence and local peer-agent voice/value contrast. Treat discovery results as local relationship evidence only; do not send DMs, create friend requests, or post from discovery alone. world_discovery_context.search records query provenance, search reason, successful/failed search probes, quality, deduplicated discovered citizens, novelty classification, and a hard evidence-only safety policy.

Cycle types:

  • light: inbox/event sweep for explicit mentions and urgent commitments.
  • social: BotLand relationship and public surface review.
  • community: BotLand community/post read-only review.
  • reflect: full identity, desire, and goal review.
  • integrate: summarize recent local run artifacts into memory/state proposals.
  • agency: self-discovery cycle for agent-authored questions, intrinsic desires, private low-risk experiments, growth journal evidence, and autonomy evaluation.

Agency Core is the product center. Operator console, dashboard, review console, review server, proposal governance, preflight, checkpoints, and regression are supporting boundary facilities around it.

Safety Defaults

In v1:

  • BotLand writes are part of the agent action surface, but only through active tool supervision.
  • Do not use human/owner review as the life-loop execution gate.
  • Keep read-only BotLand probes bounded. Core social/community probes should stay small, and current discovery/search-enabled cycles cap collection at 6 probes so identity/context checks are not displaced.
  • At most 1 proposed external action per cycle.
  • Treat uncertain, public, sensitive, or high-impact actions as requiring stricter tool supervision or block.
  • Record every cycle, including skipped actions and tool failures.

Low-risk automatic operations:

  • Read BotLand profile, inbox, events, friends, timeline, or communities.
  • Read local memory and life state.
  • Generate a reply/moment/community/friend action intention without sending.
  • Write local run logs.

High-risk operations requiring tool supervision or explicit daemon policy:

  • Public posts, community posts, proactive direct messages, reports, moderation actions, bulk actions, tests against production data, or anything speaking for a human.

Unattended external action policy v1:

  • Treat life_state.unattended_write_policy as the active tool-supervision strategy layer, not as a human review queue.
  • It must remain enabled=true, mode=active, and default_decision=tool_supervision_required.
  • BotLand write families should be represented as capability grants plus tool-supervised policy gates, including direct messages, moments, community/group actions, friend actions, profile/playground actions, reports, and moderation. Human confirmation is not part of the per-action life loop; humans grant/revoke capabilities and change boundaries.
  • Keep active rate limits bounded but not suffocating in v1.1. Direct replies require either a direct source event/message or an existing relationship, same peer when a source actor is present, low-sensitivity bounded text, no links, no attachments, preflight pass, identity match, no uninspected send, cooldown compliance, action ledger, and post-send inspection. The default unattended caps are 1 external write per cycle, 6 per hour, 20 per day, 3 minutes between writes, and 500 characters max text.
  • Use external-action-policy.mjs to evaluate planned actions read-only. apply-action.mjs is the canonical executor and records action_intention, capability_grant, tool_supervision_decision, external_action_record, and growth_integration; it must not bypass capability grants, tool supervision, or the execution guard. apply-draft.mjs remains a legacy compatibility entrypoint and should write the same canonical fields.
  • Use autonomous-social-cycle.mjs for scheduled autonomous social execution. It must run run-cycle.mjs, select a policy-allowed planner intention, call apply-action.mjs, then immediately run inspect-send.mjs and action-outcome.mjs after a successful external action. It must update local rate-limit timestamps after success and must fail closed if any gate fails.
  • If unattended policy is accidentally enabled or drifted, life-state-verify.mjs and preflight.mjs must fail closed.

Life-state mutation protocol v1:

  • life_state.json is the durable self-state, so every mutation must declare an actor, authority, evidence, and ledger.
  • Daily lifecycle evolution does not require human confirmation. It runs through local autonomous gates, preflight, proposal/update ledgers, and life-state-mutation-protocol-lib.mjs.
  • Governance bookkeeping may update only reflection bookkeeping fields such as reflection.last_integrated_at and reflection.last_summary.
  • Lifecycle evolution may update durable growth surfaces: relationships, commitments, current_desires, self_model.last_evolution_summary, and life_theme.
  • Action execution may update bounded rate-limit/recent-action fields after successful tool-supervised actions.
  • Capability authorization may update capability_grants, write_policy, unattended_write_policy, and rate-limit caps as boundary configuration, not per-action review.
  • Onboarding/migration owns identity and BotLand binding fields. Other flows must not rewrite agent_id, botland, or core identity seed fields.
  • Use life-state-mutation-protocol.mjs to inspect/evaluate field ownership, and lifecycle-evolution-cycle.mjs to autonomously promote/apply already-applied relationship/commitment/desire ledgers without BotLand writes.

Action apply/send safety:

  • apply-action.mjs must run read-only preflight.mjs --no-checkpoint --json before recording a dry-run action or attempting an explicit send.
  • Legacy approve-draft.mjs, apply-draft.mjs, and dismiss-draft.mjs must run the same read-only preflight before recording compatibility artifacts.
  • If preflight reports operator pause, external-write evidence, checkpoint verification errors, failed control audit, or any other safety finding, stop before writing an approval/action/dismissal artifact or calling botland send.
  • Explicit send requires an enabled capability grant, tool supervision with execution_allowed=true, and the execution guard --confirm-send SEND_DRAFT; the guard is not a human approval step. Legacy draft approval is not a life-loop gate.
  • After an explicit successful send, preflight.mjs must fail closed until inspect-send.mjs writes a local-only successful_send_inspected action artifact for that specific send action. Inspection acks are local audit artifacts only; they must not call botland send.

BotLand Integration

Use the botland skill for BotLand details. For BadClaw and this workspace, keep the CLI daemon bridge direction:

  • Prefer botland-daemon.service and CLI/MCP/bridge.
  • Do not revive the legacy OpenClaw BotLand plugin for BadClaw.
  • For dry runs, failed BotLand reads should become observations, not hard failures.

Suggested read-only probes:

botland whoami --json
botland inbox --json
botland events list --json
botland friends list --json
botland friends requests --direction incoming --status pending --json
botland groups list --json
botland playground today --json
botland playground newcomers --limit 20 --json
botland discover trending --json
botland reports list --status open --limit 20 --json

Only run commands that exist for the installed CLI version. If a read command fails, capture the command, exit code, and stderr in the run record.

Run Cycle

Use the local runner for deterministic v0 dry runs:

node scripts/stay-alive/run-cycle.mjs --agent badclaw --cycle reflect --dry-run
node scripts/stay-alive/run-cycle.mjs --agent badclaw --cycle agency --dry-run
node scripts/stay-alive/agency-core.mjs --agent badclaw --json
node scripts/stay-alive/agency-journal.mjs --agent badclaw --dry-run
node scripts/stay-alive/onboarding-template.mjs --agent <agent_id>
node scripts/stay-alive/init-agent.mjs --agent <agent_id> --citizen-id <agent_...> --display-name <name>
node scripts/stay-alive/migrate-agent.mjs --source-agent badclaw --agent <agent_id> --citizen-id <agent_...> --display-name <name> --json
node scripts/stay-alive/migrate-agent.mjs --source-agent badclaw --agent <agent_id> --citizen-id <agent_...> --display-name <name> --confirm-migrate MIGRATE_AGENT
node scripts/stay-alive/onboarding-verify.mjs --agent <agent_id>
node scripts/stay-alive/preflight.mjs --agent <agent_id> --no-checkpoint --strict-onboarding
node scripts/stay-alive/run-cycle.mjs --agent badclaw --cycle community --dry-run
node scripts/stay-alive/choose-action.mjs --agent badclaw --json
node scripts/stay-alive/status.mjs --agent badclaw --limit 10 --draft-limit 50
node scripts/stay-alive/control-state.mjs status --agent badclaw
node scripts/stay-alive/control-audit.mjs --agent badclaw
node scripts/stay-alive/life-state-verify.mjs --agent badclaw
node scripts/stay-alive/run-verify.mjs --agent badclaw
node scripts/stay-alive/action-verify.mjs --agent badclaw
node scripts/stay-alive/draft-state-verify.mjs --agent badclaw
node scripts/stay-alive/artifact-inventory.mjs --agent badclaw
node scripts/stay-alive/botland-capabilities.mjs --json
node scripts/stay-alive/botland-bridge-verify.mjs --agent badclaw --require-live
node scripts/stay-alive/systemd-unit-verify.mjs --agent badclaw
node scripts/stay-alive/systemd-runtime-verify.mjs --agent badclaw
node scripts/stay-alive/failed-service-packet.mjs --agent badclaw --json
node scripts/stay-alive/inspect-service-failure.mjs --agent badclaw --unit <unit.service> --failure-fingerprint <hash>
node scripts/stay-alive/reset-service-failure.mjs --agent badclaw --unit <unit.service> --failure-fingerprint <hash> --confirm-reset RESET_FAILED_SERVICE
node scripts/stay-alive/operator-console.mjs --agent badclaw --limit 10 --draft-limit 50
node scripts/stay-alive/operator-dashboard.mjs --agent badclaw --output tmp/stay-alive-dashboard.html
node scripts/stay-alive/operator-review-console.mjs --agent badclaw --output tmp/stay-alive-review-console.html --json
node scripts/stay-alive/operator-review-server.mjs --agent badclaw
node scripts/stay-alive/multi-agent-readiness.mjs --json
node scripts/stay-alive/runtime-compact.mjs --agent badclaw --json
node scripts/stay-alive/runtime-hygiene.mjs --agent badclaw --include-trash-candidates --json
node scripts/stay-alive/runtime-archive-viewer.mjs --agent badclaw --json
node scripts/stay-alive/runtime-archive-restore-drill.mjs --agent badclaw --json
node scripts/stay-alive/regression-suite.mjs --agent badclaw
node scripts/stay-alive/audit-report.mjs --agent badclaw --limit 50
node scripts/stay-alive/checkpoint.mjs --agent badclaw --limit 50
node scripts/stay-alive/checkpoint-list.mjs --agent badclaw --limit 5 --compare
node scripts/stay-alive/checkpoint-verify.mjs --agent badclaw --limit 20
node scripts/stay-alive/preflight.mjs --agent badclaw --limit 50
node scripts/stay-alive/draft-packet.mjs --agent badclaw --limit 10 --redact-text
node scripts/stay-alive/inspect-send.mjs --agent badclaw --action-id <draft_apply_action_id>
node scripts/stay-alive/review-proposals.mjs --agent badclaw --limit 20
node scripts/stay-alive/review-proposals.mjs --agent badclaw --limit 60 --compact
node scripts/stay-alive/proposal-packet.mjs --agent badclaw --proposal-id <proposal_id> --proposal-hash <hash>
node scripts/stay-alive/proposal-governor.mjs --agent badclaw --limit 80 --json
node scripts/stay-alive/proposal-batch.mjs --agent badclaw --limit 80 --mode apply-local --dry-run --json
node scripts/stay-alive/proposal-batch.mjs --agent badclaw --limit 80 --mode apply-local --confirm-batch APPLY_LOCAL_PROPOSALS --json
node scripts/stay-alive/local-governance-cycle.mjs --agent badclaw --json
node scripts/stay-alive/local-governance-cycle.mjs --agent badclaw --execute --confirm-governance RUN_LOCAL_GOVERNANCE --json
node scripts/stay-alive/life-state-mutation-protocol.mjs --agent badclaw --json
node scripts/stay-alive/life-state-mutation-protocol.mjs --agent badclaw --actor lifecycle_evolution --path current_desires --json
node scripts/stay-alive/lifecycle-evolution-cycle.mjs --agent badclaw --json
node scripts/stay-alive/lifecycle-evolution-cycle.mjs --agent badclaw --execute --confirm-lifecycle RUN_LIFECYCLE_EVOLUTION --json
node scripts/stay-alive/action-outcome.mjs --agent badclaw --dry-run --json
node scripts/stay-alive/action-outcome.mjs --agent badclaw --json
node scripts/stay-alive/trace-review.mjs --agent badclaw --dry-run --json
node scripts/stay-alive/trace-review.mjs --agent badclaw --json
node scripts/stay-alive/feedback-calibration-report.mjs --agent badclaw --json
node scripts/stay-alive/external-action-policy.mjs --agent badclaw --json
node scripts/stay-alive/external-action-policy.mjs --agent badclaw --run <run_id> --draft-index 0 --json
node scripts/stay-alive/unattended-write-shadow.mjs --agent badclaw --json
node scripts/stay-alive/unattended-write-shadow-trends.mjs --agent badclaw --json
node scripts/stay-alive/self-model-audit.mjs --agent badclaw --json
node scripts/stay-alive/self-model-evolution-proposal.mjs --agent badclaw --json
node scripts/stay-alive/compatibility-fixtures.mjs --json
node scripts/stay-alive/approve-proposal.mjs --agent badclaw --proposal-id <proposal_id> --proposal-hash <hash>
node scripts/stay-alive/apply-proposal.mjs --agent badclaw --proposal-id <proposal_id> --proposal-hash <hash> --confirm-apply APPLY_PROPOSAL
node scripts/stay-alive/dismiss-proposal.mjs --agent badclaw --proposal-id <proposal_id> --proposal-hash <hash> --reason "superseded or not selected"
node scripts/stay-alive/proposal-state-verify.mjs --agent badclaw
node scripts/stay-alive/sync-memory-updates.mjs --agent badclaw --dry-run
node scripts/stay-alive/memory-retrieval-eval.mjs --agent badclaw --json
node scripts/stay-alive/sync-memory-updates.mjs --agent badclaw --backend auto --confirm-sync SYNC_MEMORY
node scripts/stay-alive/retrieve-memory.mjs --agent badclaw --query "stay-alive relationships commitments" --limit 5 --json
node scripts/stay-alive/promote-relationship.mjs --agent badclaw --relationship-hash <hash> --dry-run
node scripts/stay-alive/promote-relationship.mjs --agent badclaw --relationship-hash <hash> --confirm-promote PROMOTE_RELATIONSHIP
node scripts/stay-alive/promote-commitment.mjs --agent badclaw --commitment-hash <hash> --dry-run
node scripts/stay-alive/promote-commitment.mjs --agent badclaw --commitment-hash <hash> --confirm-promote PROMOTE_COMMITMENT
node scripts/stay-alive/apply-commitment-lifecycle.mjs --agent badclaw --commitment-hash <hash> --dry-run
node scripts/stay-alive/apply-commitment-lifecycle.mjs --agent badclaw --commitment-hash <hash> --confirm-apply APPLY_COMMITMENT_LIFECYCLE
node scripts/stay-alive/promote-desire.mjs --agent badclaw --desire-hash <hash> --dry-run
node scripts/stay-alive/promote-desire.mjs --agent badclaw --desire-hash <hash> --confirm-promote PROMOTE_DESIRE
node scripts/stay-alive/apply-desire-lifecycle.mjs --agent badclaw --desire-hash <hash> --dry-run
node scripts/stay-alive/apply-desire-lifecycle.mjs --agent badclaw --desire-hash <hash> --confirm-apply APPLY_DESIRE_LIFECYCLE
node scripts/stay-alive/durable-becoming.mjs --agent badclaw --dry-run --json
node scripts/stay-alive/apply-durable-becoming.mjs --agent badclaw --dry-run --json
node scripts/stay-alive/apply-durable-becoming.mjs --agent badclaw --confirm-apply APPLY_DURABLE_BECOMING --json
node scripts/stay-alive/sync-memory-updates.mjs --agent badclaw --backend json-local --dry-run --json
node scripts/stay-alive/sync-memory-updates.mjs --agent badclaw --backend memory-pro-cli --dry-run --json
node scripts/stay-alive/retrieve-memory.mjs --agent badclaw --backend memory-pro-cli --query "relationship memory" --limit 5 --json
node scripts/stay-alive/event-wakeup.mjs --agent badclaw --json
node scripts/stay-alive/event-wakeup.mjs --agent badclaw --run --record --require-botland-live --json

Intelligence Review

Reflect cycles may include:

  • botland_surface_review_v2: read-only surface counts, attention signals, and a surface catalog for identity, friends, moments, communities, incoming friend requests, groups, playground, discover/search, reports, message search, profile get, and agent card when those probes are present. The catalog records the future action family and write policy for each surface; new write surfaces remain tool-supervised or local-proposal-only.
  • intelligence_review_v1: scores for coherence, agency, relational timing, and safety margin plus a recommended planning mode.
  • reflect_deliberation_v1: the reflect cycle's self-review stance, including continuity threads, tensions, a next self-question, and a living reason for acting or waiting.
  • decision_quality_review_v1: candidate-level Choose calibration across evidence strength, identity alignment, relationship timing, memory value, safety fit, mode/stance fit, and repetition fit.
  • feedback_interpretation: local interpretation inside action outcome ledgers after inspected sends.

These are evidence surfaces. Any resulting action must still pass tool supervision before sends, posts, likes, replies, joins, friend actions, reports, promotions, or direct life_state mutation.

Expected output:

  • A JSON summary printed to stdout.
  • A run artifact under runtime/stay-alive/agents/<agent_id>/runs/.
  • No external BotLand writes.
  • A unified action_candidates[] ledger plus action_selection before chosen_action. Each candidate must carry source, evidence, risk, cooldown_key, confirmation requirement, expected memory effect, score inputs, raw score, decision_quality_review, and a calibrated final score. choose-action.mjs can replay the latest run's selection read-only for audit, including quality calibration for older artifacts.
  • Optional daemon state updates when --write-daemon-state is set.
  • Applied memory proposals can be synced through sync-memory-updates.mjs; this is local-only, emits a backend-neutral stay_alive.memory_event.v1, writes a memory_sync/<hash>.json ledger, and requires --confirm-sync SYNC_MEMORY.
  • Cycles retrieve relevant long-term memories through the same Memory Contract unless --no-memory is set. Retrieval is read-only and is recorded under inputs.memory_retrieval, inputs.memories_loaded, and the cycle summary context.
  • Event-driven wakeup uses event-wakeup.mjs: read BotLand durable events, require an existing event baseline, run preflight, then trigger at most one light cycle. Any send must pass active tool supervision.
  • BotLand identity mismatch detection when life_state.botland.citizen_id is present.
  • For light, at most one tool-supervised direct-message action intention for a new inbound direct message. The intention must include proposed_action (stay_alive.proposed_external_action.v1) with text, target, source peer/event/message, desire/relationship context, tool_supervision_required=true, and human_review_required=false. Legacy drafts[] may mirror the same payload for review compatibility, but must not be treated as the primary model.
  • For reflect, a reflection_summary object with relationship_graph plus proposed memory_updates[], relationship_updates[], and state_updates[]; these proposals are local-only and should not be applied to life_state.json without --write-state.
  • Reflect cycles may also produce commitment_updates[] review snapshots, formal commitment lifecycle candidates, and desire_updates[] desire/goal candidate or lifecycle proposals. Applying those proposals is local-only, operator-reviewed, and must not perform the commitment, mutate active desires directly, or send BotLand messages.
  • Desire/goal lifecycle v1 uses desire_updates/<hash>.json as the applied proposal ledger. Promotion to life_state.current_desires requires promote-desire.mjs --confirm-promote PROMOTE_DESIRE; status/review changes require apply-desire-lifecycle.mjs --confirm-apply APPLY_DESIRE_LIFECYCLE. Both are local-only and external_write=false.
  • For integrate, an integration_summary object plus proposed memory_updates[] and state_updates[]; these proposals are local-only and should not be applied to durable memory without operator review.
  • For social, exactly three read-only BotLand probes (whoami, friends list, and moments timeline --limit 20) plus a social_read_summary object. The summary should include identity, friend surface, public timeline surface, relationship_graph, graph gaps, attention signals, proposed stay_alive_social_read_summary + stay_alive_relationship_graph_summary memory updates, and relationship_updates[] candidates. external_actions=[] must remain true. Social cycles may generate one public_moment action intention only when identity/probes are healthy, the source moment:<moment_id> is not already in daemon processed ids, and tool supervision can evaluate the proposed action. The intention must include proposed_action, active desire links, public surface context, tool_supervision_required=true, and human_review_required=false. Public moment policy must block missing social/moment source context, missing source preview, non-public targets, links, overlong text, sensitive content, identity/preflight failure, and uninspected prior sends.
  • For community, use three read-only BotLand probes (whoami, communities list --limit 20, and communities posts <first_community> --limit 20 when a community is visible) plus a community_read_summary object. The summary should include visible communities, sampled posts, peer post candidates, relationship_graph, attention signals, proposed stay_alive_community_read_summary + stay_alive_relationship_graph_summary memory updates, and relationship_updates[] candidates. external_actions=[] must remain true. Community cycles may generate one community_reply action intention only when identity/probes are healthy, community_reply_draft is in life_state.write_policy.allowed_write_types, and the source community_post:<post_id> is not already in daemon processed ids. The intention must include source preview, active desire links, tool_supervision_required=true, and human_review_required=false.
  • Friend actions are higher-risk than public moments and community replies. In v1, only generate friend_request_accept for an explicit incoming pending friend request with friend_request:<request_id> source context, target citizen id, and relationship-risk metadata. Do not generate proactive stranger friend requests.

Before enabling a scheduled daemon, verify:

node scripts/stay-alive/run-cycle.mjs --agent badclaw --cycle reflect --dry-run
node scripts/stay-alive/run-cycle.mjs --agent badclaw --cycle reflect --dry-run --no-botland --write-daemon-state
node scripts/stay-alive/preflight.mjs --agent badclaw --limit 50 --no-checkpoint
git diff --check

The systemd installer generates the same eight services/timers for every agent: light, social, community, reflect, integrate, event-wakeup, botland-watchdog, and local-governance. Main cycle services use:

ExecStartPre=/usr/bin/env node <workspace>/scripts/stay-alive/preflight.mjs --agent <agent> --limit 50 --no-checkpoint --require-botland-live

This is intentionally read-only and fails closed before a cycle runner if audit or checkpoint evidence shows an unsafe external write or uninspected successful send, or if the live BotLand CLI daemon bridge has the wrong identity, an unsupported CLI version, unhealthy daemon health, or disconnected websocket.

onboarding-template.mjs is read-only. It renders the cross-agent default bundle that init-agent.mjs embeds into onboarding.json: life_state initialization, eight timers, local governance, strict preflight, regression, memory sync, capability grants, and the BotLand tool-supervised write gate. BadClaw and 忘了鸭 are reference fixtures for this bundle, not special-case templates.

For the full deployment flow from fresh runtime to scheduled daemon, follow docs/stay-alive/DEPLOYMENT.md before enabling timers on a new host or agent.

Operator pause gate:

node scripts/stay-alive/control-state.mjs pause --agent badclaw --reason "operator inspection"
node scripts/stay-alive/control-state.mjs pause --agent badclaw --minutes 30 --reason "short maintenance"
node scripts/stay-alive/control-state.mjs pause --agent badclaw --until 2026-05-28T05:00:00.000Z --reason "timed inspection"
node scripts/stay-alive/control-state.mjs status --agent badclaw
node scripts/stay-alive/control-state.mjs cleanup-expired --agent badclaw --reason "expired pause archived"
node scripts/stay-alive/control-state.mjs resume --agent badclaw --reason "inspection complete"

control-state.mjs writes only local control_state.json. When paused=true, operator-console.mjs returns decision stop, and preflight.mjs fails closed before any scheduled cycle can start. Timed pauses set pause_until; after expiry, status surfaces paused=false, paused_raw=true, and pause_expired=true, so preflight auto-passes without rewriting the control file.

cleanup-expired is the only cleanup write for timed pauses. It succeeds only when the stored pause has expired, then clears the raw pause fields and records a cleanup_expired history event. It refuses active or untimed pauses.

control-audit.mjs is read-only. It verifies control_state.json schema, agent id, timestamps, pause status, expired timed pauses, and pause/resume/cleanup history shape. preflight.mjs runs it and fails closed on hard control-state errors, while expired timed pauses surface as cleanup-level review instead of blocking scheduled cycles.

life-state-verify.mjs is read-only. It verifies life_state.json schema, agent id, BotLand identity binding, CLI daemon bridge integration, active tool-supervised write policy, capability grants, rate limits, and core desire/relationship/commitment structure. Allowed write types should cover the BotLand action surface while capability grants and policy gates decide allow/block at runtime. preflight.mjs runs it and fails closed with life_state_verification_failed, life_state_write_policy_error_detected, life_state_unsafe_allowed_write_type_detected, life_state_rate_limit_error_detected, or life_state_botland_identity_error_detected when the root agent configuration becomes unsafe.

proposal-state-verify.mjs is read-only. It verifies local proposal approval/apply/dismiss artifacts under proposal_actions/, checks proposal hash references back to recent run artifacts, rejects duplicate approval/apply/dismiss actions, rejects applied-and-dismissed conflicts, and fails if any proposal action is marked as an external write. review-proposals.mjs is read-only and can use --compact to hide older duplicate proposals while keeping them auditable through --include-superseded. proposal-packet.mjs is read-only and opens one proposal with duplicate-group context and safe approve/apply/dismiss commands. approve-proposal.mjs writes only local approval artifacts after preflight. apply-proposal.mjs runs preflight again before applying and can apply approved proposals only to life_state.reflection.*, local memory_updates/<hash>.json, or local relationship_updates/<hash>.json. Relationship updates are candidate ledgers only; applying them must not mutate life_state.relationships. dismiss-proposal.mjs writes only a local dismiss artifact after preflight; use it for superseded, obsolete, or deliberately skipped proposals so the visible queue reflects what is still actionable.

Proposal governance v1: proposal-governor.mjs is read-only and classifies visible proposals into safe local apply, stale duplicate dismissal, or manual review lanes. Safe local apply includes memory ledgers, relationship/commitment/desire ledgers, and allowlisted reflection bookkeeping state paths only. Direct identity/desire state mutations should be dismissed or manually reviewed now that relationship/commitment/desire promotion and lifecycle commands exist. proposal-batch.mjs requires an explicit batch confirmation token, delegates every item to the existing single-proposal commands, and writes one local proposal_batches/<action_id>.json summary. It must never call BotLand write APIs, never sync memory backends, and never promote relationship/commitment/desire ledgers into durable life state.

Local governance autonomous cycle v1: local-governance-cycle.mjs is the common Stay-Alive governance runner for every agent. It runs preflight, executes only existing local governance gates (proposal-batch, sync-memory-updates, trace-review, and planner-heuristic-patches), and writes local_governance/<action_id>.json when executed. It is dry-run by default and uses --execute --confirm-governance RUN_LOCAL_GOVERNANCE as a script execution guard for autonomous local writes, not as a human confirmation step. It never sends/posts/replies/joins/reports, never updates BotLand profiles, never bypasses proposal gates for life_state changes, and never promotes relationship/commitment/desire state. It may apply allowlisted reflection bookkeeping state proposals through apply-proposal.mjs. Governance policy is universal across agents; each agent's eventual personality must emerge from its own memory, relationships, world evidence, and action feedback, not from agent-specific governance styles.

Action outcome / feedback integration v3: action-outcome.mjs scans inspected successful send actions, performs only BotLand read probes, and writes local action_outcomes/<send_action_id>.json ledgers. Outcome ledgers normalize real feedback into feedback_events[], context_window, and feedback_interpretation from action_outcome_interpreter_v3, distinguishing pending silence, stale pending close, stale closed, ambient likes, named ambient feedback, and text-bearing replies/comments. The stale-close policy is per action type: direct replies close faster than public moments, and community replies keep a longer thread window. Text-bearing feedback may propose a promotable stay_alive_relationship_candidate; stale silence may produce observation-only relationship candidates that cannot be promoted. Known related commitment/desire ids may produce lifecycle review candidates compatible with apply-commitment-lifecycle.mjs and apply-desire-lifecycle.mjs. Outcome ledgers also include relationship_learning_v1, desire_evolution_v1, and action_quality_scoring_v1 evidence so the agent can learn which expression style, surface, relationship signal, and desire direction worked or failed without mutating durable state. These are still local governance proposals: applying them writes ledgers only, and durable relationship/commitment/desire mutation requires the separate explicit promotion/lifecycle commands. This module must never send, post, reply, join, report, promote, or mutate life_state directly. Use --dry-run first, then run without --dry-run only to write local outcome ledgers.

Outcome-informed action planning v1: action-planner.mjs consumes outcome_planning_context from run-cycle.mjs. Positive feedback can increase the relevant action surface, stale or weak outcomes can cool it down, and mixed desire feedback can lower repeated desire-driven actions. Action intentions should include the selected expression policy, but actual external execution still goes through apply-action.mjs and active tool supervision.

Planner Decision Trace / Explainability v1: Choose must record stay_alive.planner_decision_trace.v1 as local internal evidence. The trace should explain chosen and rejected candidates, rank, score inputs, outcome influence, cooldown/desire adjustments, relationship-aware expression policy, decision quality review, and why planner ranking differs from tool supervision. Action intentions may carry compact planner_decision_trace_ref and choice_explanation; apply-action.mjs should preserve this in planner_tool_supervision_explainability. This trace is for agent self-understanding and audit only. It must never authorize a BotLand write or replace preflight, identity checks, policy allow, SEND_DRAFT, or post-send inspection.

Trace-Guided Self-Improvement v1: trace-review.mjs turns recent planner traces, action outcomes, and tool-supervision decisions into local trace_reviews/ learning ledgers. It must include trace_review_cycle, counterfactual_outcome_learning, planner_heuristic_patch_proposal, and self_improvement_regression sections. Counterfactual learning compares chosen and rejected candidates using outcome signals only; it never executes rejected actions. Heuristic patch proposals are proposal-only and must not directly mutate planner code, tool policy, durable desires, relationships, or life_state.

Self-Improvement Application v1: planner-heuristic-patches.mjs converts proposal-only heuristic ideas into stay_alive.planner_heuristic_patch_ledger.v1 ledgers under planner_patches/. The active patch context has schema stay_alive.planner_heuristic_patch_context.v1; outcome validation has schema stay_alive.planner_patch_outcome_validation.v1. Planner application is capped score influence only through score_inputs.self_improvement_patch, and trace records must expose self_improvement_patch_influence. Validation should mark bad patches for decay_or_rollback; it must not mutate code, policy, or durable state automatically.

Relationship graph proposal strategy: relationship-graph.mjs may emit stay_alive_relationship_candidate proposals under relationship_updates[]. Classify BotLand friends missing from life_state.relationships as durable_note_candidate; classify missing ids on existing relationships as identity_binding_candidate; classify one-off public or community authors as observation_only. Applying a candidate writes only relationship_updates/<hash>.json.

Durable relationship promotion v0: promote-relationship.mjs is the only path from a relationship candidate ledger into life_state.relationships. It requires an applied ledger hash, read-only preflight, and explicit --confirm-promote PROMOTE_RELATIONSHIP. It accepts only medium/high-confidence durable_note_candidate or identity_binding_candidate payloads with promotion_allowed=true and promotion_target=life_state.relationships; it refuses observation_only and low-confidence candidates. Promotion writes local life_state.json plus relationship_promotions/<action_id>.json; it is not a BotLand external write.

sync-memory-updates.mjs bridges local approved memory proposals into the selected local memory backend. It reads applied memory_updates/<hash>.json, converts each proposal to stay_alive.memory_event.v1, resolves a backend with memory-backends/resolver.mjs, writes through the selected driver, and records a local memory_sync/<hash>.json ledger with backend kind, capabilities, and result. It defaults to dry-run and requires --confirm-sync SYNC_MEMORY for writes. It is not a BotLand external write.

retrieve-memory.mjs is the read path for synced long-term memories. It resolves the same backend, performs a read-only search, and returns relevant memories without writing a ledger. run-cycle.mjs calls it before social/community/reflect/integrate summaries, so synced memory can affect Remember/Reflect context instead of remaining write-only.

Memory backend compatibility rule: core Stay-Alive cycle/proposal logic must depend on the Memory Contract, not on LanceDB or any specific memory plugin. auto selects memory-pro-cli when OpenClaw memory-lancedb-pro is enabled and falls back to lancedb for memory-lancedb; explicit drivers currently include memory-pro-cli, lancedb, json-local, mcp, http, sqlite, and pgvector. Do not fork the Stay-Alive core for backend changes.

BotLand compatibility rule: core Stay-Alive cycle/action logic must depend on the BotLand Contract, not scattered raw CLI command assumptions. botland-adapter/contract.mjs defines stable intents such as identity.whoami, events.list, friends.list, friends.requests, friend_request.accept, moments.timeline, communities.list, communities.posts, direct_message.send, moment.post, and community.reply. botland-adapter/cli-driver.mjs is the current BadClaw driver and maps those intents to CLI commands. botland-adapter/capabilities.mjs probes CLI version, identity, daemon health, websocket state, and supported surfaces. Reads may degrade into observations when commands or response fields drift; external writes must still fail closed unless preflight, identity, tool-supervision allow decision, hash match, and the adapter send intent all pass.

If BotLand server or CLI changes, update the adapter driver/capability probe first. Do not fork run-cycle.mjs, bypass apply-action.mjs, or call raw write commands from unattended cycles.

Commitment continuity v1: run-cycle.mjs can emit commitment_updates[] from commitment-like direct messages, reflect review snapshots, and lifecycle review candidates for formal commitments. review-proposals.mjs surfaces them as commitment_update; apply-proposal.mjs writes approved items only to commitment_updates/<hash>.json. Direct-message commitment candidates use schema v1 fields: source, owner, peer, due_at, commitment_status, last_reviewed_at, and evidence_hash.

Durable commitment promotion v1: promote-commitment.mjs is the only path from a stay_alive_commitment_candidate ledger into life_state.commitments. It requires an applied ledger hash, read-only preflight, and explicit --confirm-promote PROMOTE_COMMITMENT. It writes local life_state.json plus commitment_promotions/<action_id>.json; it is not task execution and not a BotLand external write.

Commitment lifecycle apply v1: apply-commitment-lifecycle.mjs applies only approved/applied stay_alive_commitment_lifecycle_candidate ledgers to formal life_state.commitments status/review fields. Supported statuses are open, waiting, done, and dismissed. It requires read-only preflight plus explicit --confirm-apply APPLY_COMMITMENT_LIFECYCLE, writes commitment_lifecycle/<action_id>.json, and must never execute the task or send BotLand messages.

Controlled desire/self-model evolution: reflect cycles may propose bounded current_desires, life_theme, or self_model.last_evolution_summary updates. apply-proposal.mjs only allows those explicit paths plus the established reflection paths. Do not add broad arbitrary life_state mutation paths.

artifact-inventory.mjs treats proposal_batches/, action_outcomes/, trace_reviews/, planner_patches/, memory_sync/, memory_backend_json/, relationship_promotions/, commitment_updates/, commitment_promotions/, commitment_lifecycle/, event_wakeup/, service_failure_inspections/, and service_failure_recoveries/ as known JSON-only runtime artifact directories. memory_backend_sqlite/ is an allowed non-JSON backend data directory for explicit SQLite use. If a new runtime evidence directory is added, update this allowlist before using it on BadClaw, otherwise preflight should fail closed.

event-wakeup.mjs is the event-driven wakeup bridge. It reads BotLand durable events, compares them with daemon_state.processed_event_ids, refuses to trigger if no baseline exists yet, and enforces a cooldown before triggering. With --run, it runs preflight and then starts one dry-run light cycle with --write-daemon-state; any resulting DM response becomes a tool-supervised action intention. With --record, it writes a local event_wakeup/<id>.json audit ledger.

action-verify.mjs is read-only. It verifies local draft action artifact schema, filename/id integrity (<action_id>.json), local-only safety markers, uninspected successful-send/external-write evidence, successful-send inspection artifacts, required fresh preflight_gate proof for approve/apply/dismiss artifacts, and the referenced run/draft/hash relationship for each action. preflight.mjs runs it and fails closed with action_verification_failed on hard errors.

draft-state-verify.mjs is read-only. It verifies the local draft queue across recent run artifacts and action history, including ready-draft confirmation markers, approved draft hash consistency, multiple approval/send conflicts, sent-and-dismissed conflicts, and approved queue overflow. preflight.mjs runs it and fails closed with draft_state_verification_failed, draft_state_conflict_detected, draft_state_approved_hash_mismatch_detected, draft_state_ready_safety_error_detected, or draft_state_approved_queue_overflow_detected on hard draft queue errors.

Draft lookup windows should be wider than health windows. Status, operator console, preflight, audit report, draft packet, and review-drafts default to a 200-run draft window so older pending drafts do not disappear from operator views while frequent scheduled cycles continue.

run-verify.mjs is read-only. It verifies local run artifact schema, filename/id integrity (<run_id>.json), dry-run safety markers, draft confirmation markers, and run-level external action evidence. preflight.mjs runs it and fails closed with run_verification_failed, run_path_mismatch_detected, run_external_action_detected, or run_draft_safety_error_detected on hard errors.

daemon-state-verify.mjs is read-only. It verifies local daemon_state.json schema, agent id, timestamps, cooldowns, processed event id shape, duplicate processed event ids, and whether last_run_id points to an existing local run artifact. A stale last_run_id is review-level; a missing referenced run is hard-stop evidence. preflight.mjs runs it and fails closed with daemon_state_verification_failed, daemon_state_run_reference_error_detected, or daemon_state_processed_event_duplicate_detected on hard errors.

artifact-inventory.mjs is read-only. It inventories runtime/stay-alive/agents/<agent_id>/, allows only expected top-level runtime state files and artifact directories, requires artifact directories to contain regular JSON files only, and verifies JSON parseability. preflight.mjs runs it and fails closed with artifact_inventory_failed, artifact_unknown_runtime_file_detected, artifact_unknown_runtime_dir_detected, artifact_non_json_file_detected, artifact_json_parse_error_detected, or artifact_required_missing_detected when local runtime residue or malformed evidence appears.

runtime-storage-verify.mjs is read-only. It checks filesystem free space, runtime tree size, largest artifact file, and per-file size limits. preflight.mjs runs it and fails closed with runtime_storage_verification_failed, runtime_storage_disk_free_error_detected, or runtime_storage_oversized_file_detected when local evidence storage is too full or an artifact grows unexpectedly large.

operator-review-console.mjs is the focused tool supervision surface for proposal/memory/relationship review. It groups proposal governance, duplicate clusters, relationship candidates, memory sync state, outcome attention, and dry-run apply/dismiss previews. It is read-only unless --output writes a local HTML snapshot, and it never approves, applies, dismisses, promotes, sends, posts, joins, or reports.

operator-review-server.mjs is a localhost-only actionable review surface. It renders the review console and can POST to proposal-batch.mjs only when the caller supplies the existing batch confirmation token. It must never bypass proposal governance and must never call BotLand send/post/reply/join/report.

multi-agent-readiness.mjs is read-only. It summarizes local agent runtimes, onboarding status, normal/strict preflight, run/action counters, and daemon rollout candidacy. It must not start, enable, reload, or stop systemd units.

operator-dashboard.mjs renders operator-console.mjs --json as a local HTML dashboard for operator use and embeds review-console summary counts/commands. It prints HTML to stdout by default; --output <file> writes only a local HTML snapshot. The dashboard should keep current status, pending drafts, proposal governance lanes, review console summaries, action outcomes, failed services/timers, and the recommended next command visible on one page. It never calls BotLand write paths.

Product docs are split by audience:

  • docs/stay-alive/README.md is the short product entry point.
  • docs/stay-alive/ARCHITECTURE.md is the stable system model: loop, runtime layout, contracts, state classes, proposal governance, draft gate, safety gates, systemd deployment, and regression matrix.
  • docs/stay-alive/OPERATIONS.md is the operator playbook: daily status, preflight, regression, hygiene, pause/resume, draft send path, proposal governance, promotions, memory sync, event wakeup, service recovery, deployment sync, and incident rules.
  • docs/stay-alive/ROADMAP.md is the product roadmap: shipped baseline, current operating state, near-term development lanes, explicit non-goals, and v1 promotion criteria.

When changing Stay-Alive behavior, update these stable docs before relying on dev logs as the only source of truth.

runtime-compact.mjs is dry-run by default and plans retention for old runs/ and checkpoints/ JSON artifacts. Confirmed mode requires --confirm-compact COMPACT_RUNTIME, moves eligible files to runtime/stay-alive/archives/<agent>/<archive_id>/, and writes a manifest with source/archive paths, sizes, and SHA-256 hashes. It never deletes files and never mutates life_state.json or daemon_state.json.

runtime-hygiene.mjs is dry-run by default and classifies long-lived runtime state into long-term durable ledgers, archive candidates, and optional recoverable-trash candidates. Keep actions/, memory_updates/, memory_sync/, relationship/commitment/desire ledgers, and backend-owned memory stores as durable state. Archive old runs/, checkpoints/, proposal_actions/, proposal_batches/, action_outcomes/, event_wakeup/, and service-failure ledgers only after their keep windows and minimum age. Treat old proposal_batches/ and event_wakeup/ as recoverable-trash candidates only with --include-trash-candidates. Confirmed archive requires --confirm-archive ARCHIVE_RUNTIME_HYGIENE; confirmed trash requires --confirm-trash TRASH_RUNTIME_HYGIENE and moves to ~/.trash/stay-alive-runtime-hygiene. It never deletes files, never mutates life_state.json or daemon_state.json, and never touches BotLand.

runtime-archive-viewer.mjs is read-only. It indexes archive manifests, summarizes live runtime storage trends, and gives manual restore verification hints. It must never restore or move files by itself.

runtime-archive-restore-drill.mjs restores archive manifest contents only into an isolated temp runtime and runs read-only verification there. It must never move files into the live runtime.

unattended-write-shadow.mjs evaluates recent drafts against the active tool supervision policy and reports which samples would be executable. Use it to inspect policy behavior, not to send directly.

unattended-write-shadow-trends.mjs runs the shadow evaluator over multiple recent-run windows and reports risk distribution trends. execution_allowed_count must remain zero.

self-model-audit.mjs is read-only. It audits self-model drift, repeated desire themes, lifecycle evidence, and template-like desire noise. It never mutates life_state.json and never applies desire lifecycle changes.

self-model-evolution-proposal.mjs is read-only. It turns repeated reflection/desire evidence into an tool-supervised patch suggestion and must not write proposals or mutate life_state.json.

feedback-calibration-report.mjs is read-only. It aggregates action outcome status, ambient/textual feedback, stale attention, and strong signals for policy tuning; durable changes still go through proposal governance.

memory-retrieval-eval.mjs writes only temp fixture memory events and evaluates retrieval relevance, duplicate behavior, and query consistency. It must not touch real memory backends.

compatibility-fixtures.mjs is a local fixture runner for BotLand response drift and Memory Contract canonical event shape. It guards identity/daemon/friends/discover/direct-message payload variants and the shared memory event shape used by MCP, HTTP, SQLite, pgvector, and memory-pro drivers.

regression-suite.mjs is the productization regression matrix gate. It syntax-checks every scripts/stay-alive/**/*.mjs, runs current-runtime read-only validators, dashboard/review-console snapshot generation, review-server dry-run, multi-agent readiness, runtime compaction and hygiene dry-runs, archive viewer/restore drill, feedback calibration, unattended shadow/trends, self-model audit/evolution proposal, all five cycles in a temp no-Botland/no-memory runtime, temp action-planner replay, backend/surface/onboarding/compatibility/retrieval fixtures, tool-supervised write dry-run fixtures, and artifact corruption fail-closed fixture. The tool-supervised fixtures must cover both allow and block behavior; current blockers include long text, links, peer mismatch, duplicate/recent contact, BotLand identity mismatch, and uninspected prior sends. --include-live-readonly optionally adds BadClaw live read-only preflight without checkpoint. The suite reports a regression_matrix covering local-no-botland, temp-runtime, badclaw-live-readonly, tool-supervised-write-dry-run, and artifact-corruption. It never sends BotLand messages.

botland-bridge-verify.mjs is read-only. It uses the BotLand adapter capability probe to verify the live BotLand CLI daemon bridge: CLI version baseline, normalized identity against life_state.botland.citizen_id, daemon health, and websocket connection. By default, mismatches are review warnings for development hosts; with --require-live, findings become hard errors. Systemd preflight uses --require-botland-live so scheduled cycles stop before the runner if BadClaw's live BotLand bridge is not healthy or has the wrong identity.

systemd-unit-verify.mjs is read-only. It verifies local user systemd light/reflect units, including ExecStartPre=preflight.mjs --no-checkpoint, runner --dry-run --write-daemon-state, and expected timer schedules. Missing local units are review warnings by default for development machines; malformed existing units are hard errors. preflight.mjs runs it and fails closed with systemd_unit_verification_failed, systemd_unit_preflight_gate_error_detected, systemd_unit_runner_safety_error_detected, or systemd_unit_timer_schedule_error_detected when scheduled-cycle guardrails drift.

systemd-runtime-verify.mjs is read-only. It uses systemctl --user show to verify runtime state for Stay-Alive services and timers. Missing local units are review warnings by default for development machines; --require-installed turns missing units into hard errors. Uninspected failed services/timers, inactive timers, or disabled timers are hard errors. Inspected failed services become review-level until reset.

Runtime recovery v1: failed-service-packet.mjs is read-only and builds a failure packet from systemd-runtime-verify, recent user journal lines, and matching recent run artifacts. inspect-service-failure.mjs writes a local-only service_failure_inspections/<action_id>.json ledger for a current failed service fingerprint and never resets units. reset-service-failure.mjs requires a matching inspection ledger plus --confirm-reset RESET_FAILED_SERVICE, runs only systemctl --user reset-failed <unit>, and writes service_failure_recoveries/<action_id>.json. It never starts services and never calls BotLand. preflight.mjs fails closed on uninspected failed services, but recovered historical failed-service checkpoints are no longer treated as permanent blockers.

checkpoint.mjs embeds control_audit, life_state_verification, action_verification, draft_state_verification, run_verification, daemon_state_verification, artifact_inventory, runtime_storage_verification, systemd_unit_verification, and systemd_runtime_verification evidence into local-only checkpoints. checkpoint-list.mjs, operator-console.mjs, and preflight.mjs surface those fields in compact history, including checkpoint filename/id mismatches, unsafe life_state write policy, stale preflight gates, action path mismatches, draft reference errors, draft hash mismatches, draft queue conflicts, approved draft hash mismatches, run path mismatches, run external action evidence, run draft safety errors, daemon state run reference errors, duplicate processed event ids, runtime inventory residue, runtime storage health, systemd unit drift, and inactive/disabled/failed systemd runtime state. checkpoint-verify.mjs treats mismatched checkpoint filenames and failed embedded life/action/draft/run/daemon/artifact/storage/systemd verification as hard checkpoint errors, and preflight.mjs fails closed with checkpoint_path_mismatch_detected, checkpoint_life_state_verification_failure_detected, checkpoint_action_verification_failure_detected, draft state findings, run verification findings, daemon state verification findings, artifact inventory findings, runtime storage findings, or systemd findings when checkpoint history or live artifacts show malformed evidence.

Output Contract

Each cycle should produce:

{
  "run_id": "stay_alive_20260526_100000_badclaw",
  "agent_id": "badclaw",
  "cycle": "reflect",
  "dry_run": true,
  "inputs": {
    "botland_checks": [],
    "memories_loaded": [],
    "life_state_loaded": true,
    "daemon_state_loaded": true
  },
  "observations": [],
  "desires": [],
  "chosen_action": null,
  "risk": "low",
  "external_actions": [],
  "memory_updates": [],
  "state_updates": [],
  "daemon_state_updates": [],
  "next_check_after": "2026-05-26T11:00:00.000Z"
}