Skip to content

feat: add local backup CLI#40163

Merged
gumadeiras merged 16 commits intoopenclaw:mainfrom
shichangs:codex/backup-cli
Mar 8, 2026
Merged

feat: add local backup CLI#40163
gumadeiras merged 16 commits intoopenclaw:mainfrom
shichangs:codex/backup-cli

Conversation

@shichangs
Copy link
Contributor

@shichangs shichangs commented Mar 8, 2026
edited
Loading

Summary

  • Problem: OpenClaw had only ad-hoc documentation for backups, but no first-class CLI backup workflow.
  • Why it matters: reset and uninstall can remove local state, credentials, sessions, and workspaces, so recoverability depended on manual operator steps.
  • What changed: added openclaw backup create, openclaw backup verify, optional openclaw backup create --verify, docs, archive manifest validation, atomic archive writes, and backup guidance in destructive flows.
  • What did NOT change (scope boundary): this PR does not add backup restore yet.

Change Type (select all)

  • Feature
  • Docs
  • Bug fix
  • Refactor
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Memory / storage
  • UI / DX
  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Integrations
  • API / contracts
  • CI/CD / infra

Linked Issue/PR

  • Closes #
  • Related #

User-visible / Behavior Changes

  • New openclaw backup create command to archive local state/config/credentials/workspace into a timestamped .tar.gz.
  • New openclaw backup verify <archive> command to validate backup structure and embedded manifest.json.
  • New openclaw backup create --verify option to self-check an archive immediately after writing it.
  • Backup archives are now written atomically through a temp file + rename, so failed runs do not strand partial final archives.
  • reset and uninstall now recommend running openclaw backup create before state-destructive flows.
  • Default backup output now falls back out of the source tree when the current working directory is inside backed-up state.

Security Impact (required)

  • New permissions/capabilities? (Yes/No) Yes
  • Secrets/tokens handling changed? (Yes/No) No
  • New/changed network calls? (Yes/No) No
  • Command/tool execution surface changed? (Yes/No) Yes
  • Data access scope changed? (Yes/No) Yes
  • If any Yes, explain risk + mitigation:

This adds a local CLI capability that reads user state/config/workspace paths and writes a backup tarball. Mitigations:

  • output paths inside backed-up source trees are rejected
  • symlink/canonical-path containment is checked before writing
  • final archive writes are atomic via temp file + rename
  • existing archive files are never overwritten
  • archive contents are rooted under a generated backup root and described by a manifest
  • backup verify validates manifest/payload consistency

Repro + Verification

Environment

  • OS: macOS
  • Runtime/container: local Node 22
  • Model/provider: N/A
  • Integration/channel (if any): N/A
  • Relevant config (redacted): temp home/state dirs in tests; custom config path for external-workspace coverage

Steps

  1. Run openclaw backup create --output <dir>.
  2. Inspect the generated .tar.gz and embedded manifest.json.
  3. Run openclaw backup verify <archive>.
  4. Run openclaw reset --dry-run or openclaw uninstall --dry-run and confirm backup guidance is shown for state-destructive scopes.

Expected

  • Backup archive is created with canonicalized payload paths and manifest metadata.
  • Verification succeeds for valid archives and fails for malformed archives.
  • Failed writes do not leave a final partial archive behind.
  • Destructive flows point users at the backup command first.

Actual

  • Matches expected in targeted test coverage.

Evidence

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

  • Verified scenarios:
    • backup archive creation for default state layout
    • backup archive creation when workspace is outside state
    • backup archive verification for valid and malformed archives
    • backup guidance emitted by reset and uninstall for state-destructive flows
    • create-time verification via --verify
    • failed archive creation does not leave a final partial archive behind
  • Edge cases checked:
    • cwd inside backed-up source tree
    • dry-run with an already-existing target path
    • manifest references missing payload
    • archive missing manifest
    • symlink/canonical-path containment on macOS temp paths
    • temp archive cleanup on failure
  • What you did not verify:
    • restore flow, because it is intentionally out of scope
    • full repo tsc, due to unrelated existing failures outside this PR

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? (Yes/No) Yes
  • Config/env changes? (Yes/No) No
  • Migration needed? (Yes/No) No
  • If yes, exact upgrade steps:

Failure Recovery (if this breaks)

  • How to disable/revert this change quickly:
    • do not use the new backup commands
    • revert this PR to restore previous behavior
  • Files/config to restore:
    • none required; this feature is additive
  • Known bad symptoms reviewers should watch for:
    • backup output path accidentally resolving inside state/workspace trees
    • verify passing malformed archives
    • destructive-flow guidance showing for non-destructive scopes
    • partial final archives left behind after failed writes

Risks and Mitigations

  • Risk: archive verification only validates manifest/payload structure, not file-level checksums.
    • Mitigation: keep restore out of scope for now; follow up with stronger integrity metadata if maintainers want it.
  • Risk: backup now surfaces a larger local-data packaging capability.
    • Mitigation: keep it explicit CLI-only, local-only, non-overwriting, atomically written, and guarded against self-inclusion.

Testing

  • AI-assisted
  • pnpm exec vitest run src/commands/backup.atomic.test.ts src/commands/backup.test.ts src/commands/backup-verify.test.ts src/commands/reset.test.ts src/commands/uninstall.test.ts src/cli/program/register.backup.test.ts src/cli/program/command-registry.test.ts src/cli/program/preaction.test.ts src/cli/program/register.maintenance.test.ts
  • pnpm exec tsc -p tsconfig.json --noEmit was attempted earlier, but the repo currently fails on unrelated pre-existing errors in extensions/tlon and existing agent/provider tests

@openclaw-barnacle openclaw-barnacle bot added docs Improvements or additions to documentation cli CLI command changes commands Command implementations size: L labels Mar 8, 2026
@greptile-apps
Copy link
Contributor

greptile-apps bot commented Mar 8, 2026

Greptile Summary

This PR adds a first-class openclaw backup create CLI command that archives local state, config, credentials, and workspace directories into a timestamped .tar.gz with an embedded manifest.json. The implementation integrates cleanly with the existing command registry and preaction hooks (config-guard bypass, lazy module loading), and the path de-duplication / coverage-detection logic works correctly.

Key concern: The tar.c archive creation writes directly to the final outputPath. If it fails mid-stream (disk full, I/O error, etc.), a corrupt/partial archive is left at outputPath. On the next run assertOutputPathReady refuses to overwrite it, leaving users stuck until they manually remove the file. Writing to a temp path and atomically renaming on success would fix this.

The self-inclusion guard, overwrite prevention, dry-run mode, and JSON output suppression in the banner are all implemented correctly.

Confidence Score: 3/5

  • Safe to merge after addressing the partial-archive-on-failure scenario to avoid leaving users in an unrecoverable retry loop.
  • The overall design and test coverage are solid, but the direct write to outputPath in the tar.c call means any mid-archive failure leaves a corrupt file that blocks future retries. This is a meaningful recoverability issue for a feature that is itself about recoverability and should be fixed with atomic write-then-rename semantics.
  • src/commands/backup.ts — the tar.c archive creation block (lines 240–258) needs atomic write-then-rename to handle mid-archive failures safely.

Last reviewed commit: 20c606d

greptile-apps[bot]
greptile-apps bot reviewed Mar 8, 2026
View reviewed changes
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Mar 8, 2026
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 92f02cb482

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@shichangs
Copy link
Contributor Author

shichangs commented Mar 8, 2026

@joshavant @gumadeiras this touches core CLI command wiring, local state/storage handling, and DX/docs around destructive flows.

Could one of you take a review when you have a slot?

What is in scope now:

  • openclaw backup create
  • openclaw backup verify
  • openclaw backup create --verify
  • backup guidance surfaced in reset / uninstall

What is intentionally out of scope:

  • restore flow

Targeted coverage is in the PR body. If the shape looks right, this should be ready to merge after review.

@gumadeiras gumadeiras self-assigned this Mar 8, 2026
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Mar 8, 2026
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8e661396e9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Mar 8, 2026
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0f32d5a73d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@openclaw-barnacle openclaw-barnacle bot added the agents Agent runtime and tooling label Mar 8, 2026
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Mar 8, 2026
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 71955ffe5b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@openclaw-barnacle openclaw-barnacle bot removed the agents Agent runtime and tooling label Mar 8, 2026
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Mar 8, 2026
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a4be741e5f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@gumadeiras gumadeiras merged commit 0ecfd37 into openclaw:main Mar 8, 2026
23 of 26 checks passed
@gumadeiras
Copy link
Member

gumadeiras commented Mar 8, 2026

Merged via squash.

Thanks @shichangs!

chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Mar 8, 2026
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ed46625ae2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@github-actions github-actions bot mentioned this pull request Mar 8, 2026
Open
GordonSH-oss pushed a commit to GordonSH-oss/openclaw that referenced this pull request Mar 9, 2026
@shichangs @gumadeiras @GordonSH-oss
feat: add local backup CLI (openclaw#40163)
5ca03bf 
Merged via squash.

Prepared head SHA: ed46625
Co-authored-by: shichangs <46870204+shichangs@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
@github-actions github-actions bot mentioned this pull request Mar 9, 2026
Open
@shichangs shichangs mentioned this pull request Mar 9, 2026
Open
20 tasks
@simonsbot simonsbot mentioned this pull request Mar 10, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@gumadeiras gumadeiras

Labels

cli CLI command changes commands Command implementations docs Improvements or additions to documentation size: XL

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@shichangs @gumadeiras