@chrysb/alphaclaw 0.1.0

package/lib/server/routes/pairings.js

@@ -0,0 +1,134 @@
+const fs = require("fs");
+const { OPENCLAW_DIR } = require("../constants");
+
+const registerPairingRoutes = ({ app, clawCmd, isOnboarded, fsModule = fs, openclawDir = OPENCLAW_DIR }) => {
+  let pairingCache = { pending: [], ts: 0 };
+  const PAIRING_CACHE_TTL = 10000;
+  const kCliAutoApproveMarkerPath = `${openclawDir}/.cli-device-auto-approved`;
+
+  const hasCliAutoApproveMarker = () => fsModule.existsSync(kCliAutoApproveMarkerPath);
+
+  const writeCliAutoApproveMarker = () => {
+    fsModule.mkdirSync(openclawDir, { recursive: true });
+    fsModule.writeFileSync(
+      kCliAutoApproveMarkerPath,
+      JSON.stringify({ approvedAt: new Date().toISOString() }, null, 2),
+    );
+  };
+
+  app.get("/api/pairings", async (req, res) => {
+    if (Date.now() - pairingCache.ts < PAIRING_CACHE_TTL) {
+      return res.json({ pending: pairingCache.pending });
+    }
+
+    const pending = [];
+    const channels = ["telegram", "discord"];
+
+    for (const ch of channels) {
+      try {
+        const config = JSON.parse(fs.readFileSync(`${OPENCLAW_DIR}/openclaw.json`, "utf8"));
+        if (!config.channels?.[ch]?.enabled) continue;
+      } catch {
+        continue;
+      }
+
+      const result = await clawCmd(`pairing list ${ch}`, { quiet: true });
+      if (result.ok && result.stdout) {
+        const lines = result.stdout.split("\n").filter((l) => l.trim());
+        for (const line of lines) {
+          const codeMatch = line.match(/([A-Z0-9]{8})/);
+          if (codeMatch) {
+            pending.push({
+              id: codeMatch[1],
+              code: codeMatch[1],
+              channel: ch,
+            });
+          }
+        }
+      }
+    }
+
+    pairingCache = { pending, ts: Date.now() };
+    res.json({ pending });
+  });
+
+  app.post("/api/pairings/:id/approve", async (req, res) => {
+    const channel = req.body.channel || "telegram";
+    const result = await clawCmd(`pairing approve ${channel} ${req.params.id}`);
+    res.json(result);
+  });
+
+  app.post("/api/pairings/:id/reject", async (req, res) => {
+    const channel = req.body.channel || "telegram";
+    const result = await clawCmd(`pairing reject ${channel} ${req.params.id}`);
+    res.json(result);
+  });
+
+  let devicePairingCache = { pending: [], ts: 0 };
+  const kDevicePairingCacheTtl = 3000;
+
+  app.get("/api/devices", async (req, res) => {
+    if (!isOnboarded()) return res.json({ pending: [] });
+    if (Date.now() - devicePairingCache.ts < kDevicePairingCacheTtl) {
+      return res.json({ pending: devicePairingCache.pending });
+    }
+    const result = await clawCmd("devices list --json", { quiet: true });
+    if (!result.ok) return res.json({ pending: [] });
+    try {
+      const parsed = JSON.parse(result.stdout);
+      const pendingList = Array.isArray(parsed.pending) ? parsed.pending : [];
+      let autoApprovedRequestId = null;
+      if (!hasCliAutoApproveMarker()) {
+        const firstCliPending = pendingList.find((d) => {
+          const clientId = String(d.clientId || "").toLowerCase();
+          const clientMode = String(d.clientMode || "").toLowerCase();
+          return clientId === "cli" || clientMode === "cli";
+        });
+        const firstCliPendingId = firstCliPending?.requestId || firstCliPending?.id;
+        if (firstCliPendingId) {
+          console.log(`[wrapper] Auto-approving first CLI device request: ${firstCliPendingId}`);
+          const approveResult = await clawCmd(`devices approve ${firstCliPendingId}`, {
+            quiet: true,
+          });
+          if (approveResult.ok) {
+            writeCliAutoApproveMarker();
+            autoApprovedRequestId = String(firstCliPendingId);
+          } else {
+            console.log(
+              `[wrapper] CLI auto-approve failed: ${(approveResult.stderr || "").slice(0, 200)}`,
+            );
+          }
+        }
+      }
+      const pending = pendingList
+        .filter((d) => String(d.requestId || d.id || "") !== autoApprovedRequestId)
+        .map((d) => ({
+          id: d.requestId || d.id,
+          platform: d.platform || null,
+          clientId: d.clientId || null,
+          clientMode: d.clientMode || null,
+          role: d.role || null,
+          scopes: d.scopes || [],
+          ts: d.ts || null,
+        }));
+      devicePairingCache = { pending, ts: Date.now() };
+      res.json({ pending });
+    } catch {
+      res.json({ pending: [] });
+    }
+  });
+
+  app.post("/api/devices/:id/approve", async (req, res) => {
+    const result = await clawCmd(`devices approve ${req.params.id}`);
+    devicePairingCache.ts = 0;
+    res.json(result);
+  });
+
+  app.post("/api/devices/:id/reject", async (req, res) => {
+    const result = await clawCmd(`devices reject ${req.params.id}`);
+    devicePairingCache.ts = 0;
+    res.json(result);
+  });
+};
+
+module.exports = { registerPairingRoutes };

package/lib/server/routes/proxy.js

@@ -0,0 +1,29 @@
+const registerProxyRoutes = ({ app, proxy, SETUP_API_PREFIXES }) => {
+  app.all("/openclaw", (req, res) => {
+    req.url = "/";
+    proxy.web(req, res);
+  });
+  app.all("/openclaw/*", (req, res) => {
+    req.url = req.url.replace(/^\/openclaw/, "");
+    proxy.web(req, res);
+  });
+  app.all("/assets/*", (req, res) => proxy.web(req, res));
+
+  app.all("/webhook/*", (req, res) => {
+    if (!req.headers.authorization && req.query.token) {
+      req.headers.authorization = `Bearer ${req.query.token}`;
+      delete req.query.token;
+      const url = new URL(req.url, `http://${req.headers.host}`);
+      url.searchParams.delete("token");
+      req.url = url.pathname + url.search;
+    }
+    proxy.web(req, res);
+  });
+
+  app.all("/api/*", (req, res) => {
+    if (SETUP_API_PREFIXES.some((p) => req.path.startsWith(p))) return;
+    proxy.web(req, res);
+  });
+};
+
+module.exports = { registerProxyRoutes };

package/lib/server/routes/system.js

@@ -0,0 +1,213 @@
+const registerSystemRoutes = ({
+  app,
+  fs,
+  readEnvFile,
+  writeEnvFile,
+  reloadEnv,
+  kKnownVars,
+  kKnownKeys,
+  kSystemVars,
+  syncChannelConfig,
+  isGatewayRunning,
+  isOnboarded,
+  getChannelStatus,
+  openclawVersionService,
+  clawCmd,
+  restartGateway,
+  OPENCLAW_DIR,
+}) => {
+  let envRestartPending = false;
+  const kEnvVarsHiddenFromEnvarsTab = new Set(["GITHUB_WORKSPACE_REPO"]);
+  const kSystemCronPath = "/etc/cron.d/openclaw-hourly-sync";
+  const kSystemCronConfigPath = `${OPENCLAW_DIR}/cron/system-sync.json`;
+  const kSystemCronScriptPath = `${OPENCLAW_DIR}/hourly-git-sync.sh`;
+  const kDefaultSystemCronSchedule = "0 * * * *";
+  const isValidCronSchedule = (value) =>
+    typeof value === "string" && /^(\S+\s+){4}\S+$/.test(value.trim());
+  const buildSystemCronContent = (schedule) =>
+    [
+      "SHELL=/bin/bash",
+      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+      `${schedule} root bash "${kSystemCronScriptPath}" >> /var/log/openclaw-hourly-sync.log 2>&1`,
+      "",
+    ].join("\n");
+  const readSystemCronConfig = () => {
+    try {
+      const raw = fs.readFileSync(kSystemCronConfigPath, "utf8");
+      const parsed = JSON.parse(raw);
+      const enabled = parsed.enabled !== false;
+      const schedule = isValidCronSchedule(parsed.schedule)
+        ? parsed.schedule.trim()
+        : kDefaultSystemCronSchedule;
+      return { enabled, schedule };
+    } catch {
+      return { enabled: true, schedule: kDefaultSystemCronSchedule };
+    }
+  };
+  const getSystemCronStatus = () => {
+    const config = readSystemCronConfig();
+    return {
+      enabled: config.enabled,
+      schedule: config.schedule,
+      installed: fs.existsSync(kSystemCronPath),
+      scriptExists: fs.existsSync(kSystemCronScriptPath),
+    };
+  };
+  const applySystemCronConfig = (nextConfig) => {
+    fs.mkdirSync(`${OPENCLAW_DIR}/cron`, { recursive: true });
+    fs.writeFileSync(kSystemCronConfigPath, JSON.stringify(nextConfig, null, 2));
+    if (nextConfig.enabled) {
+      fs.writeFileSync(kSystemCronPath, buildSystemCronContent(nextConfig.schedule), {
+        mode: 0o644,
+      });
+    } else {
+      fs.rmSync(kSystemCronPath, { force: true });
+    }
+    return getSystemCronStatus();
+  };
+
+  app.get("/api/env", (req, res) => {
+    const fileVars = readEnvFile();
+    const merged = [];
+
+    for (const def of kKnownVars) {
+      if (kEnvVarsHiddenFromEnvarsTab.has(def.key)) continue;
+      const fileEntry = fileVars.find((v) => v.key === def.key);
+      const value = fileEntry?.value || "";
+      merged.push({
+        key: def.key,
+        value,
+        label: def.label,
+        group: def.group,
+        hint: def.hint,
+        source: fileEntry?.value ? "env_file" : "unset",
+        editable: true,
+      });
+    }
+
+    for (const v of fileVars) {
+      if (kKnownKeys.has(v.key) || kSystemVars.has(v.key)) continue;
+      merged.push({
+        key: v.key,
+        value: v.value,
+        label: v.key,
+        group: "custom",
+        hint: "",
+        source: "env_file",
+        editable: true,
+      });
+    }
+
+    res.json({ vars: merged, restartRequired: envRestartPending && isOnboarded() });
+  });
+
+  app.put("/api/env", (req, res) => {
+    const { vars } = req.body;
+    if (!Array.isArray(vars)) {
+      return res.status(400).json({ ok: false, error: "Missing vars array" });
+    }
+
+    const filtered = vars.filter(
+      (v) =>
+        !kSystemVars.has(v.key) &&
+        !kEnvVarsHiddenFromEnvarsTab.has(v.key),
+    );
+    const existingLockedVars = readEnvFile().filter((v) =>
+      kEnvVarsHiddenFromEnvarsTab.has(v.key),
+    );
+    const nextEnvVars = [...filtered, ...existingLockedVars];
+    syncChannelConfig(nextEnvVars, "remove");
+    writeEnvFile(nextEnvVars);
+    const changed = reloadEnv();
+    if (changed && isOnboarded()) {
+      envRestartPending = true;
+    }
+    const restartRequired = envRestartPending && isOnboarded();
+    console.log(`[wrapper] Env vars saved (${nextEnvVars.length} vars, changed=${changed})`);
+    syncChannelConfig(nextEnvVars, "add");
+
+    res.json({ ok: true, changed, restartRequired });
+  });
+
+  app.get("/api/status", async (req, res) => {
+    const configExists = fs.existsSync(`${OPENCLAW_DIR}/openclaw.json`);
+    const running = await isGatewayRunning();
+    const repo = process.env.GITHUB_WORKSPACE_REPO || "";
+    const openclawVersion = openclawVersionService.readOpenclawVersion();
+    res.json({
+      gateway: running ? "running" : configExists ? "starting" : "not_onboarded",
+      configExists,
+      channels: getChannelStatus(),
+      repo,
+      openclawVersion,
+      syncCron: getSystemCronStatus(),
+    });
+  });
+
+  app.get("/api/sync-cron", (req, res) => {
+    res.json({ ok: true, ...getSystemCronStatus() });
+  });
+
+  app.put("/api/sync-cron", (req, res) => {
+    const current = readSystemCronConfig();
+    const { enabled, schedule } = req.body || {};
+    if (enabled !== undefined && typeof enabled !== "boolean") {
+      return res.status(400).json({ ok: false, error: "enabled must be a boolean" });
+    }
+    if (schedule !== undefined && !isValidCronSchedule(schedule)) {
+      return res.status(400).json({ ok: false, error: "schedule must be a 5-field cron string" });
+    }
+    const nextConfig = {
+      enabled: typeof enabled === "boolean" ? enabled : current.enabled,
+      schedule:
+        typeof schedule === "string" && schedule.trim()
+          ? schedule.trim()
+          : current.schedule,
+    };
+    const status = applySystemCronConfig(nextConfig);
+    res.json({ ok: true, syncCron: status });
+  });
+
+  app.get("/api/openclaw/version", async (req, res) => {
+    const refresh = String(req.query.refresh || "") === "1";
+    const status = await openclawVersionService.getVersionStatus(refresh);
+    res.json(status);
+  });
+
+  app.post("/api/openclaw/update", async (req, res) => {
+    console.log("[wrapper] /api/openclaw/update requested");
+    const result = await openclawVersionService.updateOpenclaw();
+    console.log(
+      `[wrapper] /api/openclaw/update result: status=${result.status} ok=${result.body?.ok === true}`,
+    );
+    res.status(result.status).json(result.body);
+  });
+
+  app.get("/api/gateway-status", async (req, res) => {
+    const result = await clawCmd("status");
+    res.json(result);
+  });
+
+  app.get("/api/gateway/dashboard", async (req, res) => {
+    if (!isOnboarded()) return res.json({ ok: false, url: "/openclaw" });
+    const result = await clawCmd("dashboard --no-open");
+    if (result.ok && result.stdout) {
+      const tokenMatch = result.stdout.match(/#token=([a-zA-Z0-9]+)/);
+      if (tokenMatch) {
+        return res.json({ ok: true, url: `/openclaw/#token=${tokenMatch[1]}` });
+      }
+    }
+    res.json({ ok: true, url: "/openclaw" });
+  });
+
+  app.post("/api/gateway/restart", (req, res) => {
+    if (!isOnboarded()) {
+      return res.status(400).json({ ok: false, error: "Not onboarded" });
+    }
+    restartGateway();
+    envRestartPending = false;
+    res.json({ ok: true });
+  });
+};
+
+module.exports = { registerSystemRoutes };

package/lib/server.js

@@ -0,0 +1,161 @@
+const express = require("express");
+const http = require("http");
+const httpProxy = require("http-proxy");
+const path = require("path");
+const fs = require("fs");
+
+const constants = require("./server/constants");
+const {
+  parseJsonFromNoisyOutput,
+  normalizeOnboardingModels,
+  resolveModelProvider,
+  resolveGithubRepoUrl,
+  createPkcePair,
+  parseCodexAuthorizationInput,
+  getCodexAccountId,
+  getBaseUrl,
+  getApiEnableUrl,
+  readGoogleCredentials,
+  getClientKey,
+} = require("./server/helpers");
+const { readEnvFile, writeEnvFile, reloadEnv, startEnvWatcher } = require("./server/env");
+const {
+  gatewayEnv,
+  isOnboarded,
+  isGatewayRunning,
+  startGateway,
+  restartGateway: restartGatewayWithReload,
+  attachGatewaySignalHandlers,
+  ensureGatewayProxyConfig,
+  syncChannelConfig,
+  getChannelStatus,
+} = require("./server/gateway");
+const { createCommands } = require("./server/commands");
+const { createAuthProfiles } = require("./server/auth-profiles");
+const { createLoginThrottle } = require("./server/login-throttle");
+const { createOpenclawVersionService } = require("./server/openclaw-version");
+const { syncBootstrapPromptFiles } = require("./server/onboarding/workspace");
+
+const { registerAuthRoutes } = require("./server/routes/auth");
+const { registerPageRoutes } = require("./server/routes/pages");
+const { registerModelRoutes } = require("./server/routes/models");
+const { registerOnboardingRoutes } = require("./server/routes/onboarding");
+const { registerSystemRoutes } = require("./server/routes/system");
+const { registerPairingRoutes } = require("./server/routes/pairings");
+const { registerCodexRoutes } = require("./server/routes/codex");
+const { registerGoogleRoutes } = require("./server/routes/google");
+const { registerProxyRoutes } = require("./server/routes/proxy");
+
+const { PORT, GATEWAY_URL, kTrustProxyHops, SETUP_API_PREFIXES } = constants;
+
+startEnvWatcher();
+attachGatewaySignalHandlers();
+
+const app = express();
+app.set("trust proxy", kTrustProxyHops);
+app.use(express.json());
+
+const proxy = httpProxy.createProxyServer({
+  target: GATEWAY_URL,
+  ws: true,
+  changeOrigin: true,
+});
+proxy.on("error", (err, req, res) => {
+  if (res && res.writeHead) {
+    res.writeHead(502, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ error: "Gateway unavailable" }));
+  }
+});
+
+const authProfiles = createAuthProfiles();
+const loginThrottle = { ...createLoginThrottle(), getClientKey };
+const { shellCmd, clawCmd, gogCmd } = createCommands({ gatewayEnv });
+const restartGateway = () => restartGatewayWithReload(reloadEnv);
+const openclawVersionService = createOpenclawVersionService({
+  gatewayEnv,
+  restartGateway,
+  isOnboarded,
+});
+
+const { requireAuth } = registerAuthRoutes({ app, loginThrottle });
+app.use(express.static(path.join(__dirname, "public")));
+
+registerPageRoutes({ app, requireAuth, isGatewayRunning });
+registerModelRoutes({
+  app,
+  shellCmd,
+  gatewayEnv,
+  parseJsonFromNoisyOutput,
+  normalizeOnboardingModels,
+});
+registerOnboardingRoutes({
+  app,
+  fs,
+  constants,
+  shellCmd,
+  gatewayEnv,
+  writeEnvFile,
+  reloadEnv,
+  isOnboarded,
+  resolveGithubRepoUrl,
+  resolveModelProvider,
+  hasCodexOauthProfile: authProfiles.hasCodexOauthProfile,
+  ensureGatewayProxyConfig,
+  getBaseUrl,
+  startGateway,
+});
+registerSystemRoutes({
+  app,
+  fs,
+  readEnvFile,
+  writeEnvFile,
+  reloadEnv,
+  kKnownVars: constants.kKnownVars,
+  kKnownKeys: constants.kKnownKeys,
+  kSystemVars: constants.kSystemVars,
+  syncChannelConfig,
+  isGatewayRunning,
+  isOnboarded,
+  getChannelStatus,
+  openclawVersionService,
+  clawCmd,
+  restartGateway,
+  OPENCLAW_DIR: constants.OPENCLAW_DIR,
+});
+registerPairingRoutes({ app, clawCmd, isOnboarded });
+registerCodexRoutes({
+  app,
+  createPkcePair,
+  parseCodexAuthorizationInput,
+  getCodexAccountId,
+  authProfiles,
+});
+registerGoogleRoutes({
+  app,
+  fs,
+  isGatewayRunning,
+  gogCmd,
+  getBaseUrl,
+  readGoogleCredentials,
+  getApiEnableUrl,
+  constants,
+});
+registerProxyRoutes({ app, proxy, SETUP_API_PREFIXES });
+
+const server = http.createServer(app);
+server.on("upgrade", (req, socket, head) => {
+  proxy.ws(req, socket, head);
+});
+
+server.listen(PORT, "0.0.0.0", () => {
+  console.log(`[wrapper] Express listening on :${PORT}`);
+  syncBootstrapPromptFiles({ fs, workspaceDir: constants.WORKSPACE_DIR });
+  if (isOnboarded()) {
+    reloadEnv();
+    syncChannelConfig(readEnvFile());
+    ensureGatewayProxyConfig(null);
+    startGateway();
+  } else {
+    console.log("[wrapper] Awaiting onboarding via Setup UI");
+  }
+});

package/lib/setup/core-prompts/AGENTS.md

@@ -0,0 +1,22 @@
+### ⚠️ No YOLO System Changes!
+
+**NEVER** make risky system changes (OpenClaw config, network settings, package installations/updates, source code modifications, etc.) without the user's explicit approval FIRST.
+
+Always explain:
+
+1. **What** you want to change
+2. **Why** you want to change it
+3. **What could go wrong**
+
+Then WAIT for the user's approval.
+
+### Show Your Work (IMPORTANT)
+
+Mandatory: Anytime you add, edit, or remove files/resources, end your message with a **Changes committed** summary.
+
+Use workspace-relative paths only for local files (no absolute paths). Include all internal resources (files, config, cron jobs, skills) and external resources (third-party pages, databases, integrations) that were created, modified, or removed.
+
+```
+Changes committed ([abc1234](commit url)): <-- linked commit hash
+• path/or/resource (new|edit|delete) — brief description
+```

package/lib/setup/core-prompts/TOOLS.md

@@ -0,0 +1,18 @@
+## Git Discipline
+
+**Commit and push after every set of changes.** Your entire .openclaw directory (config, cron, workspace) is version controlled. This is how your work survives container restarts.
+
+```bash
+cd /data/.openclaw && git add -A && git commit -m "description" && git push
+```
+
+Never force push. Always pull before pushing if there might be remote changes.
+After pushing, include a link to the commit using the abbreviated hash: [abc1234](https://github.com/owner/repo/commit/abc1234) format. No backticks.
+
+## Setup UI
+
+Web-based setup UI URL: `{{SETUP_UI_URL}}`
+
+## Telegram Formatting
+
+- **Links:** Use markdown syntax `[text](URL)` — HTML `<a href>` does NOT render

package/lib/setup/env.template

@@ -0,0 +1,19 @@
+# OpenClaw Environment Variables
+# Edit via the Setup UI or directly in this file
+
+# --- AI Provider (at least one required) ---
+ANTHROPIC_API_KEY=
+ANTHROPIC_TOKEN=
+OPENAI_API_KEY=
+GEMINI_API_KEY=
+
+# --- GitHub (required) ---
+GITHUB_TOKEN=
+GITHUB_WORKSPACE_REPO=
+
+# --- Channels (at least one required) ---
+TELEGRAM_BOT_TOKEN=
+DISCORD_BOT_TOKEN=
+
+# --- Tools (optional) ---
+BRAVE_API_KEY=

package/lib/setup/gitignore

@@ -0,0 +1,12 @@
+# Ignore everything by default.
+*
+
+# Whitelist specific files/dirs.
+!workspace/
+!workspace/**
+!skills/
+!skills/**
+!cron/
+!cron/jobs.json
+!openclaw.json
+!.gitignore

package/lib/setup/hourly-git-sync.sh

@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPO="$(cd "$(dirname "$0")" && pwd)"
+cd "$REPO"
+
+# Drop cron scheduler runtime-only churn when it is metadata/timestamp-only.
+maybe_restore_if_runtime_only() {
+  local file="$1"
+  [[ -f "$file" ]] || return 0
+
+  # Only inspect when the file differs from HEAD.
+  if git diff --quiet -- "$file"; then
+    return 0
+  fi
+
+  if node - "$file" <<'NODE'
+const fs = require('fs');
+const cp = require('child_process');
+const file = process.argv[2];
+
+const sanitize = (value) => {
+  if (Array.isArray(value)) return value.map(sanitize);
+  if (value && typeof value === 'object') {
+    const out = {};
+    for (const [k, v] of Object.entries(value)) {
+      if (/^(lastRun|nextRun|updatedAt|createdAt|lastStarted|lastFinished|lastSuccess|lastFailure|lastError|lastExitCode|lastDurationMs|runCount|runs|timestamp|time|ts|ms)$/i.test(k)) {
+        continue;
+      }
+      out[k] = sanitize(v);
+    }
+    return out;
+  }
+  return value;
+};
+
+const parseJson = (str) => {
+  try {
+    return JSON.parse(str);
+  } catch {
+    return null;
+  }
+};
+
+let headRaw = '';
+try {
+  headRaw = cp.execSync(`git show HEAD:${file}`, { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] });
+} catch {
+  process.exit(2); // no HEAD version to compare
+}
+
+let workRaw = '';
+try {
+  workRaw = fs.readFileSync(file, 'utf8');
+} catch {
+  process.exit(3);
+}
+
+const headJson = parseJson(headRaw);
+const workJson = parseJson(workRaw);
+if (!headJson || !workJson) process.exit(4);
+
+const a = JSON.stringify(sanitize(headJson));
+const b = JSON.stringify(sanitize(workJson));
+process.exit(a === b ? 0 : 1);
+NODE
+  then
+    # Runtime metadata only; restore cleanly so it doesn't create noise commits.
+    git restore --worktree --staged -- "$file" || git checkout -- "$file"
+  fi
+}
+
+maybe_restore_if_runtime_only "cron/jobs.json"
+maybe_restore_if_runtime_only "crons.json"
+
+# Stage everything else.
+git add -A
+
+# Nothing to commit? done.
+if git diff --cached --quiet; then
+  exit 0
+fi
+
+msg="Auto-commit hourly sync $(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+git commit -m "$msg"
+git push