Gateway Auto-Rollback
Three-layer configuration protection for OpenClaw Gateway — never break your config again.
What It Does
Automatically protects your OpenClaw configuration files with:
1. Pre-modification backup — SHA256 content-addressed snapshots before any change
2. Post-modification validation — JSON syntax check + Gateway health probe
3. Automatic rollback — instant restore if validation fails
When to Use
- Before modifying `openclaw.json`, `exec-approvals.json`, or `skills.json`
- When running automated config changes (cron jobs, scripts)
- As a background safety net during development
- When you want peace of mind that a bad config won't take down your agent
Quick Start
One-shot check (before manual edits)
```bash
python3 gateway-auto-rollback.py
```
This initializes the backup directory, validates current config, and logs status.
Watch mode (background daemon)
```bash
python3 gateway-auto-rollback.py --watch &
```
Monitors critical config files every 3 minutes. Auto-exits after 3 consecutive healthy checks (config is stable).
How It Works
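```
Before change         During change         After change
      ↓                     ↓                     ↓
Backup + hash  ───→   Apply change   ───→   JSON validation + health check
      │                                           │
      └───────────────────────────────────────────→ Auto-rollback on failure
```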
Protected Files
| File | Description |
|---|---|
| `openclaw.json` | Main Gateway configuration |
| `exec-approvals.json` | Command execution approvals |
| `skills.json` | Skills registry |
Backup Naming
Backups are stored in ~/.openclaw/backup/ with content-addressed names:
```
openclaw.json.20260301_053612.a1b2c3d4.bak
              ↑ timestamp     ↑ SHA256 prefix (dedup)
```
API Reference
Python Functions
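```python
from gateway_auto_rollback import (
    pre_modification_check,    # Call before modifying config
    post_modification_verify,  # Call after modifying config
    create_backup,             # Create a backup manually
    validate_json,             # JSON syntax validation
    check_gateway_health,      # Gateway health probe
    rollback_to_backup,        # Manual rollback
    watch_config_files,        # Start the watch daemon
)
```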
Pre-modification flow
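```python
from pathlib import Path

from gateway_auto_rollback import pre_modification_check, post_modification_verify

config = Path.home() / ".openclaw" / "openclaw.json"

# Returns the backup path on success, False on failure
backup = pre_modification_check(config)

# ... make your changes ...

# Verify and auto-rollback if needed
success = post_modification_verify(config, backup)
```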
Watch mode details
The watcher:
- Polls every 3 minutes (gives Gateway time to restart)
- Detects changes via SHA256 hash comparison
- Auto-creates backup when change detected
- Validates JSON + health check after each change
- Auto-exits after 3 consecutive healthy checks (config stabilized)
- Logs all events to `~/.openclaw/logs/config-modification.log`
Integration with Cron
Set up periodic health checks:
```bash
# Example cron job: check every hour
0 * * * * python3 /path/to/gateway-auto-rollback.py
```
Or use OpenClaw's built-in cron:
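```json
{
  "name": "Gateway-Auto-Rollback",
  "schedule": { "kind": "cron", "expr": "0 */6 * * *", "tz": "Asia/Shanghai" },
  "payload": {
    "kind": "agentTurn",
    "message": "运行 Gateway 健康检查。如果不健康,回滚到最新备份。"
  },
  "sessionTarget": "isolated"
}
```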
Manual Rollback
If you need to manually restore a config:
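```bash
# List available backups (newest first)
ls -lt ~/.openclaw/backup/ | head -10

# Restore a specific backup
cp ~/.openclaw/backup/openclaw.json.20260301_053612.a1b2c3d4.bak \
   ~/.openclaw/openclaw.json

# Restart the Gateway
openclaw gateway restart

# Verify
curl -s http://127.0.0.1:18789/api/health
```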
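Before copying a backup over a live config by hand, it is worth confirming that the file still matches the SHA256 prefix in its name and parses as JSON. The sketch below is an added example, not code from gateway-auto-rollback.py; `verify_backup` and `safe_restore` are hypothetical names, and it assumes the name layout shown under Backup Naming with an 8-hex-character prefix of the content's SHA256.

```python
import hashlib
import json
import os
import re
import tempfile
from pathlib import Path

# Assumption: <file>.<YYYYMMDD_HHMMSS>.<first 8 hex of SHA256>.bak, as in the sample name.
BACKUP_RE = re.compile(r"^(?P<name>.+)\.\d{8}_\d{6}\.(?P<prefix>[0-9a-f]{8})\.bak$")
PROTECTED = {"openclaw.json", "exec-approvals.json", "skills.json"}


def verify_backup(backup: Path) -> tuple:
    """Return (original file name, content) if the backup is intact, else raise ValueError."""
    m = BACKUP_RE.match(backup.name)
    if not m or m["name"] not in PROTECTED:
        raise ValueError(f"not a recognised backup name: {backup.name}")
    data = backup.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    if not digest.startswith(m["prefix"]):
        raise ValueError(f"{backup.name}: content hashes to {digest[:8]}, name says {m['prefix']}")
    try:
        json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"{backup.name}: not valid JSON ({exc})") from exc
    return m["name"], data


def safe_restore(backup: Path, config_dir: Path) -> Path:
    """Verify the backup, then swap it into place atomically."""
    name, data = verify_backup(backup)
    target = config_dir / name
    # Temp file in the same directory so os.replace() is an atomic rename;
    # mkstemp creates it with mode 0600.
    fd, tmp = tempfile.mkstemp(dir=config_dir, prefix=".restore-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, target)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return target
```

Call `safe_restore(Path(backup_file), Path.home() / ".openclaw")`, then restart the Gateway and probe the health endpoint as in the manual steps.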
Testing
Run the included test suite to verify the mechanism works:
```bash
bash test-rollback-mechanism.sh
```
Tests cover:
- Backup directory existence
- JSON validation
- SHA256 hash computation
- Backup creation and restore
- Watch daemon status
- Log file integrity
- Script permissions
Logs
All events are logged to ~/.openclaw/logs/config-modification.log:
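```
[2026-03-01 05:37:00] INFO: ✅ 备份创建: openclaw.json.20260301_053612.a1b2c3d4.bak
[2026-03-01 05:37:01] INFO: ✅ 修改验证通过
[2026-03-01 05:40:00] WARN: ⚠️ 检测到修改: openclaw.json
[2026-03-01 05:40:01] ERROR: JSON 验证失败 — 触发回滚
```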
Requirements
- Python 3.8+
- OpenClaw Gateway running (for health checks)
- No additional pip packages needed (stdlib only)
File Structure
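```
gateway-auto-rollback/
├── SKILL.md                     # This file
├── _meta.json                   # ClawHub metadata
├── gateway-auto-rollback.py     # Main script (backup/validate/rollback/watch)
└── test-rollback-mechanism.sh   # Test suite
```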
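Gateway Auto-Rollback
Three-layer configuration protection for OpenClaw Gateway: never break your config again.
What It Does
Automatically protects your OpenClaw configuration files with:
1. Pre-modification backup: SHA256 content-addressed snapshots created before any change
2. Post-modification validation: JSON syntax check + Gateway health probe
3. Automatic rollback: instant restore when validation fails
When to Use
- Before modifying `openclaw.json`, `exec-approvals.json`, or `skills.json`
- When running automated config changes (scheduled jobs, scripts)
- As a background safety net during development
- When you want to be sure that a bad config won't take down your agent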
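Quick Start
One-shot check (before manual edits)
```bash
python3 gateway-auto-rollback.py
```
Initializes the backup directory, validates the current config, and logs the status.
Watch mode (background daemon)
```bash
python3 gateway-auto-rollback.py --watch &
```
Monitors critical config files every 3 minutes. Exits automatically after 3 consecutive healthy checks (config is stable).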
How It Works
```
Before change         During change         After change
      ↓                     ↓                     ↓
Backup + hash  ───→   Apply change   ───→   JSON validation + health check
      │                                           │
      └───────────────────────────────────────────→ Auto-rollback on failure
```
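Protected Files
| File | Description |
|---|---|
| `openclaw.json` | Main Gateway configuration |
| `exec-approvals.json` | Command execution approvals |
| `skills.json` | Skills registry |
Backup Naming
Backups are stored in the `~/.openclaw/backup/` directory with content-addressed names:
```
openclaw.json.20260301_053612.a1b2c3d4.bak
              ↑ timestamp     ↑ SHA256 prefix (dedup)
```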
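API Reference
Python Functions
```python
from gateway_auto_rollback import (
    pre_modification_check,    # Call before modifying config
    post_modification_verify,  # Call after modifying config
    create_backup,             # Create a backup manually
    validate_json,             # JSON syntax validation
    check_gateway_health,      # Gateway health probe
    rollback_to_backup,        # Manual rollback
    watch_config_files,        # Start the watch daemon
)
```
Pre-modification flow
```python
from pathlib import Path

from gateway_auto_rollback import pre_modification_check, post_modification_verify

config = Path.home() / ".openclaw" / "openclaw.json"

# Returns the backup path on success, False on failure
backup = pre_modification_check(config)

# ... make your changes ...

# Verify and auto-rollback if needed
success = post_modification_verify(config, backup)
```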
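Watch mode details
The watcher:
- Polls every 3 minutes (gives Gateway time to restart)
- Detects changes via SHA256 hash comparison
- Creates a backup automatically when a change is detected
- Validates JSON + runs a health check after each change
- Exits automatically after 3 consecutive healthy checks (config is stable)
- Logs all events to `~/.openclaw/logs/config-modification.log`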
Integration with Cron
Set up periodic health checks:
```bash
# Example cron job: check every hour
0 * * * * python3 /path/to/gateway-auto-rollback.py
```
Or use OpenClaw's built-in cron:
```json
{
  "name": "Gateway-Auto-Rollback",
  "schedule": { "kind": "cron", "expr": "0 */6 * * *", "tz": "Asia/Shanghai" },
  "payload": {
    "kind": "agentTurn",
    "message": "运行 Gateway 健康检查。如果不健康,回滚到最新备份。"
  },
  "sessionTarget": "isolated"
}
```
Manual Rollback
If you need to restore a config manually:
```bash
# List available backups (newest first)
ls -lt ~/.openclaw/backup/ | head -10

# Restore a specific backup
cp ~/.openclaw/backup/openclaw.json.20260301_053612.a1b2c3d4.bak \
   ~/.openclaw/openclaw.json

# Restart the Gateway
openclaw gateway restart

# Verify
curl -s http://127.0.0.1:18789/api/health
```
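Testing
Run the included test suite to verify that the mechanism works:
```bash
bash test-rollback-mechanism.sh
```
Tests cover:
- Backup directory existence
- JSON validation
- SHA256 hash computation
- Backup creation and restore
- Watch daemon status
- Log file integrity
- Script permissions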
Logs
All events are logged to `~/.openclaw/logs/config-modification.log`:
```
[2026-03-01 05:37:00] INFO: ✅ 备份创建: openclaw.json.20260301_053612.a1b2c3d4.bak
[2026-03-01 05:37:01] INFO: ✅ 修改验证通过
[2026-03-01 05:40:00] WARN: ⚠️ 检测到修改: openclaw.json
[2026-03-01 05:40:01] ERROR: JSON 验证失败 — 触发回滚
```
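Requirements
- Python 3.8+
- OpenClaw Gateway running (for health checks)
- No additional pip packages needed (standard library only)
File Structure
```
gateway-auto-rollback/
├── SKILL.md                     # This file
├── _meta.json                   # ClawHub metadata
├── gateway-auto-rollback.py     # Main script (backup/validate/rollback/watch)
└── test-rollback-mechanism.sh   # Test suite
```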