gateway-guard

# Gateway Guard ## Description Ensures OpenClaw gateway auth consistency and can auto-prompt "continue" when a run error (Unhandled stop reason: error) appears in gateway logs. Use when checking or fixing gateway token/password mismatch, device_token_mismatch errors, or before delegating to sub-agents. Ensures OpenClaw gateway auth consistency and can auto-prompt "continue" when a run error (Unhandled stop reason: error) appears in gateway logs. Use when checking or fixing gateway token/password mismatch, device_token_mismatch errors, or before delegating to sub-agents. # Gateway Guard Keeps OpenClaw gateway authentication in sync with `openclaw.json`. Use when the user or agent sees gateway auth issues, `device_token_mismatch`, or needs to ensure the gateway is running with the correct token/password before spawning sub-agents. **Metadata:** This skill uses `always: false` in `_meta.json`. It is **not** forced into every agent run; the orchestrator invokes it when needed (e.g. before delegating to sub-agents). Optional persistence (LaunchAgent) is installed only when you run the install scripts; see "Before installing" below. ## Before installing - **Backup `openclaw.json`** — The script may add or correct `gateway.auth` (token/password) when missing or wrong. Make a copy before running `ensure --apply`. - **Test read-only first** — Run `python3 scripts/gateway_guard.py status --json` and `python3 scripts/gateway_guard.py ensure --json` (without `--apply`) to see what it would do before allowing restarts or config writes. - **Understand `continue` delivery** — The watcher can run `openclaw agent --message continue --deliver` when a run error appears in `gateway.log`. Confirm that automatically sending that message is acceptable in your environment. - **LaunchAgent is optional** — Persistence (watcher every 30s) is installed only if you run `install_watcher.sh`. The installer copies the plist from the skill directory into `~/Library/LaunchAgents` and runs `launchctl load`; only run it if you accept that. The plist **is included** in this package: `scripts/com.openclaw.gateway-guard.watcher.plist` (and `scripts/com.openclaw.gateway-guard.continue-on-error.plist`). Ensure `OPENCLAW_HOME` and `OPENCLAW_BIN` resolve to your intended paths before installing the watcher. - **Try in a non-production environment first** if you are unsure. ## Package contents (file manifest) Included in this skill so installers do not error: - `scripts/gateway_guard.py` — Main script (status, ensure, continue-on-error, watch). - `scripts/install_watcher.sh` — Installs the single combined LaunchAgent (token sync + continue-on-error). - `scripts/install_continue_on_error.sh` — Redirects to `install_watcher.sh`. - `scripts/com.openclaw.gateway-guard.watcher.plist` — LaunchAgent plist template (install_watcher.sh copies and substitutes paths). - `scripts/com.openclaw.gateway-guard.continue-on-error.plist` — Legacy plist (optional; install_watcher.sh replaces with the combined watcher). ## Usage - User or logs report "Gateway auth issue", "device_token_mismatch", or "unauthorized" - Before running the router and `sessions_spawn` (orchestrator flow): check gateway status first - After installing or updating OpenClaw: verify gateway and config match - When the TUI disconnects or won't connect: fix auth and restart gateway - **Run error (Unhandled stop reason: error):** run `continue-on-error --loop` (e.g. via LaunchAgent or cron) so the guard auto-sends "continue" to the agent when this appears in `gateway.log` ```bash python3 <skill-dir>/scripts/gateway_guard.py status [--json] python3 <skill-dir>/scripts/gateway_guard.py ensure [--apply] [--wait] [--json] python3 <skill-dir>/scripts/ensure_gateway_then.sh [command ...] python3 <skill-dir>/scripts/gateway_guard.py continue-on-error [--once] [--loop] [--interval 30] [--json] ``` - **status** — Report whether the running gateway's auth matches `openclaw.json`. Exit 0 if ok, 1 if mismatch. - **ensure** — Same check; if mismatch and `--apply`, restart the gateway with credentials from config. Writes `gateway.auth` to `openclaw.json` **only when it is missing or wrong** (never overwrites correct config). Use **`--wait`** after `--apply` to block until the gateway port is open (up to 30s), so clients can connect immediately after. - **ensure_gateway_then.sh** — Detect and connect automatically: ensures the gateway is running (starts it if needed, waits for port), then runs your command. Example: `ensure_gateway_then.sh openclaw tui` or `ensure_gateway_then.sh` (just ensure and wait). - **continue-on-error** — When `gateway.log` contains **Unhandled stop reason: error** (run error), send **continue** to the agent via `openclaw agent --message continue --deliver`. Use `--once` to check once and exit, or `--loop` to run every `--interval` seconds. Cooldown 90s between triggers. State: `logs/gateway-guard.continue-state.json`. - **watch** — Single combined daemon (one LaunchAgent). Each run: (0) **token sync** — `ensure --apply` so gateway auth matches config (prevents device_token_mismatch); (1) gateway back → what-just-happened summary; (2) continue-on-error check. **Install one daemon:** `bash <skill-dir>/scripts/install_watcher.sh` (or `install_continue_on_error.sh`). This unloads the old separate what-just-happened and continue-on-error LaunchAgents and loads `com.openclaw.gateway-guard.watcher` so users only need one. For periodic gateway recovery (check every 10s, restart if not ok), use the separate **gateway-watchdog** skill. ## Behavior - Reads `openclaw.json` → `gateway.auth` (token or password) and `gateway.port`. - Compares with the process listening on that port (and optional guard state file). - If `ensure --apply`: restarts gateway via `openclaw gateway stop` then `openclaw gateway --port N --auth token|password --token|--password SECRET`. - If token is missing in config (token mode only): generates a token, writes it to config once, then proceeds. Does not overwrite config when it is already correct. - **continue-on-error:** Tails `OPENCLAW_HOME/logs/gateway.log` for the string `Unhandled stop reason: error`. When found (and not in cooldown), runs `openclaw agent --message continue --deliver` so the agent receives "continue" and can resume. Run `install_continue_on_error.sh` to install a LaunchAgent that checks every 30s. If the error appears in the TUI but the watcher never triggers, the gateway may not be writing run errors to `gateway.log` — ensure run/stream errors are logged there. ## JSON output (for orchestration) - **status --json** / **ensure --json**: `ok`, `secretMatchesConfig`, `running`, `pid`, `reason`, `recommendedAction`, `configPath`, `authMode`, `gatewayPort`. When not ok, `recommendedAction` is "run gateway_guard.py ensure --apply and restart client session". ## Requirements - OpenClaw `openclaw.json` with `gateway.auth` (mode `token` or `password`) and `gateway.port`. - **CLI / system:** `openclaw` CLI on PATH (for `ensure --apply` and continue-on-error); `lsof` and `ps` (macOS/Unix); `launchctl` on macOS when using the LaunchAgent install scripts. - **Environment (optional):** `OPENCLAW_HOME` — OpenClaw home directory (default: `~/.openclaw`). `OPENCLAW_BIN` — Path or name of `openclaw` binary (default: `openclaw`). ## Privileged actions (what you accept) This skill may: **read and modify `openclaw.json`** (including writing `gateway.auth` when missing or wrong); **write state and log files** under `OPENCLAW_HOME/logs/`; **restart the gateway** via the OpenClaw CLI; and, if the watcher is installed, **invoke `openclaw agent --message continue --deliver`** automatically when a run error is detected. These are privileged local actions; run only if you accept them.