@chrysb/alphaclaw 0.9.0-beta.7 → 0.9.1-beta.0

package/lib/server/routes/models.js

@@ -1,4 +1,5 @@
 const { kFallbackOnboardingModels } = require("../constants");
+const { createModelCatalogCache } = require("../model-catalog-cache");
 
 const runModelsGitSync = async (shellCmd) => {
   if (typeof shellCmd !== "function") return null;
@@ -22,6 +23,13 @@ const registerModelRoutes = ({
   readEnvFile,
   writeEnvFile,
   reloadEnv,
+  modelCatalogCache = createModelCatalogCache({
+    shellCmd,
+    gatewayEnv,
+    parseJsonFromNoisyOutput,
+    normalizeOnboardingModels,
+    fallbackModels: kFallbackOnboardingModels,
+  }),
 }) => {
   const upsertEnvVar = (items, key, value) => {
     const next = Array.isArray(items) ? [...items] : [];
@@ -154,29 +162,8 @@ const registerModelRoutes = ({
   // ── Existing CLI-backed catalog/status routes ──
 
   app.get("/api/models", async (req, res) => {
-    try {
-      const output = await shellCmd("openclaw models list --all --json", {
-        env: gatewayEnv(),
-        timeout: 20000,
-      });
-      const parsed = parseJsonFromNoisyOutput(output);
-      const models = normalizeOnboardingModels(parsed?.models || []);
-      if (models.length > 0) {
-        return res.json({ ok: true, source: "openclaw", models });
-      }
-      return res.json({
-        ok: true,
-        source: "fallback",
-        models: kFallbackOnboardingModels,
-      });
-    } catch (err) {
-      console.error("[models] Failed to load dynamic models:", err.message);
-      return res.json({
-        ok: true,
-        source: "fallback",
-        models: kFallbackOnboardingModels,
-      });
-    }
+    const response = await modelCatalogCache.getCatalogResponse();
+    return res.json(response);
   });
 
   app.get("/api/models/status", async (req, res) => {
@@ -210,6 +197,7 @@ const registerModelRoutes = ({
         env: gatewayEnv(),
         timeout: 30000,
       });
+      modelCatalogCache.markStale();
       res.json({ ok: true });
     } catch (err) {
       res
@@ -286,6 +274,7 @@ const registerModelRoutes = ({
       authProfiles.syncConfigAuthReferencesForAgent(agentId);
 
       const syncWarning = await runModelsGitSync(shellCmd);
+      modelCatalogCache.markStale();
       res.json({
         ok: true,
         ...(syncWarning ? { syncWarning } : {}),
@@ -338,6 +327,7 @@ const registerModelRoutes = ({
       const agentId = req.query.agentId || undefined;
       authProfiles.upsertProfile(profileId, credential, agentId);
       syncEnvVarsForProfiles([{ id: profileId, ...credential }]);
+      modelCatalogCache.markStale();
       res.json({ ok: true });
     } catch (err) {
       res
@@ -359,6 +349,7 @@ const registerModelRoutes = ({
     try {
       const agentId = req.query.agentId || undefined;
       const removed = authProfiles.removeProfile(profileId, agentId);
+      modelCatalogCache.markStale();
       res.json({ ok: true, removed });
     } catch (err) {
       res

package/lib/server/routes/nodes.js

@@ -1,7 +1,10 @@
-const path = require("path");
 const crypto = require("crypto");
 const { parseJsonObjectFromNoisyOutput } = require("../utils/json");
 const { quoteShellArg } = require("../utils/shell");
+const {
+  readExecApprovalsConfig,
+  writeExecApprovalsConfig,
+} = require("../exec-defaults-config");
 
 const kAllowedExecHosts = new Set(["gateway", "node"]);
 const kAllowedExecSecurity = new Set(["deny", "allowlist", "full"]);
@@ -81,23 +84,6 @@ const parseNodeBrowserStatus = (stdout) => {
   return decodedResult && typeof decodedResult === "object" ? decodedResult : null;
 };
 
-const readExecApprovalsFile = ({ fsModule, openclawDir }) => {
-  const filePath = path.join(openclawDir, "exec-approvals.json");
-  try {
-    const raw = fsModule.readFileSync(filePath, "utf8");
-    const parsed = JSON.parse(raw);
-    return parsed && typeof parsed === "object" ? parsed : { version: 1 };
-  } catch {
-    return { version: 1 };
-  }
-};
-
-const writeExecApprovalsFile = ({ fsModule, openclawDir, file }) => {
-  const filePath = path.join(openclawDir, "exec-approvals.json");
-  fsModule.mkdirSync(path.dirname(filePath), { recursive: true });
-  fsModule.writeFileSync(filePath, JSON.stringify(file, null, 2) + "\n", "utf8");
-};
-
 const ensureWildcardAgent = (file) => {
   const agents = file.agents && typeof file.agents === "object" ? file.agents : {};
   const wildcard =
@@ -372,7 +358,7 @@ const registerNodeRoutes = ({
 
   app.get("/api/nodes/exec-approvals", (_req, res) => {
     const approvals = ensureWildcardAgent(
-      readExecApprovalsFile({ fsModule, openclawDir }),
+      readExecApprovalsConfig({ fsModule, openclawDir }),
     );
     const allowlist = approvals?.agents?.["*"]?.allowlist || [];
     return res.json({
@@ -388,7 +374,7 @@ const registerNodeRoutes = ({
       return res.status(400).json({ ok: false, error: "pattern is required" });
     }
     const approvals = ensureWildcardAgent(
-      readExecApprovalsFile({ fsModule, openclawDir }),
+      readExecApprovalsConfig({ fsModule, openclawDir }),
     );
     const allowlist = approvals.agents["*"].allowlist;
     const existing = allowlist.find(
@@ -403,7 +389,7 @@ const registerNodeRoutes = ({
       lastUsedAt: Date.now(),
     };
     approvals.agents["*"].allowlist = [...allowlist, entry];
-    writeExecApprovalsFile({ fsModule, openclawDir, file: approvals });
+    writeExecApprovalsConfig({ fsModule, openclawDir, file: approvals });
     return res.json({ ok: true, entry });
   });
 
@@ -413,7 +399,7 @@ const registerNodeRoutes = ({
       return res.status(400).json({ ok: false, error: "id is required" });
     }
     const approvals = ensureWildcardAgent(
-      readExecApprovalsFile({ fsModule, openclawDir }),
+      readExecApprovalsConfig({ fsModule, openclawDir }),
     );
     const allowlist = approvals.agents["*"].allowlist;
     const nextAllowlist = allowlist.filter((entry) => String(entry?.id || "") !== id);
@@ -421,7 +407,7 @@ const registerNodeRoutes = ({
       return res.status(404).json({ ok: false, error: "Allowlist entry not found" });
     }
     approvals.agents["*"].allowlist = nextAllowlist;
-    writeExecApprovalsFile({ fsModule, openclawDir, file: approvals });
+    writeExecApprovalsConfig({ fsModule, openclawDir, file: approvals });
     return res.json({ ok: true });
   });
 };

package/lib/server/routes/system.js

@@ -576,21 +576,6 @@ const registerSystemRoutes = ({
     res.json({ ok: true, syncCron: status });
   });
 
-  app.get("/api/openclaw/version", async (req, res) => {
-    const refresh = String(req.query.refresh || "") === "1";
-    const status = await openclawVersionService.getVersionStatus(refresh);
-    res.json(status);
-  });
-
-  app.post("/api/openclaw/update", async (req, res) => {
-    console.log("[alphaclaw] /api/openclaw/update requested");
-    const result = await openclawVersionService.updateOpenclaw();
-    console.log(
-      `[alphaclaw] /api/openclaw/update result: status=${result.status} ok=${result.body?.ok === true}`,
-    );
-    res.status(result.status).json(result.body);
-  });
-
   app.get("/api/alphaclaw/version", async (req, res) => {
     const refresh = String(req.query.refresh || "") === "1";
     const status = await alphaclawVersionService.getVersionStatus(refresh);
@@ -636,7 +621,9 @@ const registerSystemRoutes = ({
     );
     if (result.status === 200 && result.body?.ok) {
       res.json(result.body);
-      setTimeout(() => alphaclawVersionService.restartProcess(), 1000);
+      if (!result.body?.managedUpdate) {
+        setTimeout(() => alphaclawVersionService.restartProcess(), 1000);
+      }
     } else {
       res.status(result.status).json(result.body);
     }

package/lib/server/routes/webhooks.js

@@ -29,13 +29,24 @@ const mergeWebhookAndSummary = ({ webhook, summary }) => {
   const totalCount = Number(summary?.totalCount || 0);
   const errorCount = Number(summary?.errorCount || 0);
   const successCount = Number(summary?.successCount || 0);
+  const recentTotalCount = Number(summary?.recentTotalCount || 0);
+  const recentErrorCount = Number(summary?.recentErrorCount || 0);
+  const recentSuccessCount = Number(summary?.recentSuccessCount || 0);
+  const healthWindowSize = Number(summary?.healthWindowSize || 0);
   return {
     ...webhook,
     lastReceived: summary?.lastReceived || null,
     totalCount,
     successCount,
     errorCount,
-    health: buildHealth({ totalCount, errorCount }),
+    recentTotalCount,
+    recentSuccessCount,
+    recentErrorCount,
+    healthWindowSize,
+    health: buildHealth({
+      totalCount: recentTotalCount || totalCount,
+      errorCount: recentTotalCount > 0 ? recentErrorCount : errorCount,
+    }),
   };
 };
 

package/lib/server/startup.js

@@ -1,4 +1,5 @@
 const runOnboardedBootSequence = ({
+  ensureManagedExecDefaults,
   ensureUsageTrackerPluginConfig,
   doSyncPromptFiles,
   reloadEnv,
@@ -10,6 +11,13 @@ const runOnboardedBootSequence = ({
   watchdog,
   gmailWatchService,
 }) => {
+  try {
+    ensureManagedExecDefaults();
+  } catch (error) {
+    console.error(
+      `[alphaclaw] Failed to ensure managed exec defaults on boot: ${error.message}`,
+    );
+  }
   try {
     ensureUsageTrackerPluginConfig();
   } catch (error) {

package/lib/server/watchdog-notify.js

@@ -1,35 +1,95 @@
 const fs = require("fs");
 const path = require("path");
 const { OPENCLAW_DIR } = require("./constants");
+const { createSlackApi } = require("./slack-api");
 
-const getPairedIds = (channel) => {
+const kSlackBotEnvKey = "SLACK_BOT_TOKEN";
+
+const normalizeAccountId = (value) =>
+  String(value || "").trim().toLowerCase() || "default";
+
+const resolveCredentialPairingAccountId = ({ channel, fileName }) => {
+  const prefix = `${String(channel || "").trim().toLowerCase()}-`;
+  const suffix = "-allowFrom.json";
+  const rawFileName = String(fileName || "").trim();
+  if (!rawFileName.startsWith(prefix) || !rawFileName.endsWith(suffix)) {
+    return "";
+  }
+  return normalizeAccountId(rawFileName.slice(prefix.length, -suffix.length));
+};
+
+const deriveSlackBotEnvKey = (accountId = "default") => {
+  const normalizedAccountId = normalizeAccountId(accountId);
+  if (normalizedAccountId === "default") return kSlackBotEnvKey;
+  return `${kSlackBotEnvKey}_${normalizedAccountId.replace(/-/g, "_").toUpperCase()}`;
+};
+
+const getPairedTargetsByAccount = ({
+  channel,
+  fsImpl = fs,
+  openclawDir = OPENCLAW_DIR,
+}) => {
   const safeChannel = String(channel || "").trim().toLowerCase();
-  if (!safeChannel) return [];
-  const credentialsDir = path.join(OPENCLAW_DIR, "credentials");
-  if (!fs.existsSync(credentialsDir)) return [];
-  const ids = new Set();
+  if (!safeChannel) return new Map();
+  const credentialsDir = path.join(openclawDir, "credentials");
+  if (!fsImpl.existsSync(credentialsDir)) return new Map();
+  const idsByAccount = new Map();
   try {
-    const files = fs
+    const files = fsImpl
       .readdirSync(credentialsDir)
       .filter(
         (fileName) =>
           fileName.startsWith(`${safeChannel}-`) && fileName.endsWith("-allowFrom.json"),
       );
     for (const fileName of files) {
+      const accountId = resolveCredentialPairingAccountId({
+        channel: safeChannel,
+        fileName,
+      });
+      if (!accountId) continue;
       const filePath = path.join(credentialsDir, fileName);
-      const raw = fs.readFileSync(filePath, "utf8");
+      const raw = fsImpl.readFileSync(filePath, "utf8");
       const parsed = JSON.parse(raw);
       const allowFrom = Array.isArray(parsed?.allowFrom) ? parsed.allowFrom : [];
+      const ids =
+        idsByAccount.get(accountId) instanceof Set
+          ? idsByAccount.get(accountId)
+          : new Set();
       for (const id of allowFrom) {
         if (id == null) continue;
         const value = String(id).trim();
         if (!value) continue;
         ids.add(value);
       }
+      idsByAccount.set(accountId, ids);
     }
   } catch (err) {
     console.error(`[watchdog] could not resolve ${safeChannel} allowFrom IDs: ${err.message}`);
   }
+  return new Map(
+    Array.from(idsByAccount.entries()).map(([accountId, ids]) => [
+      accountId,
+      Array.from(ids),
+    ]),
+  );
+};
+
+const getPairedIds = ({
+  channel,
+  fsImpl = fs,
+  openclawDir = OPENCLAW_DIR,
+}) => {
+  const ids = new Set();
+  const idsByAccount = getPairedTargetsByAccount({
+    channel,
+    fsImpl,
+    openclawDir,
+  });
+  for (const accountIds of idsByAccount.values()) {
+    for (const id of accountIds) {
+      ids.add(id);
+    }
+  }
   return Array.from(ids);
 };
 
@@ -38,18 +98,30 @@ const formatDiscordMessage = (message) =>
 
 /**
  * Track thread state for Slack notifications
- * Key: userId, Value: { threadTs, lastEvent }
+ * Key: accountId:userId, Value: { threadTs, lastEvent }
  */
 const slackThreads = new Map();
 
-const createWatchdogNotifier = ({ telegramApi, discordApi, slackApi }) => {
+const createWatchdogNotifier = ({
+  telegramApi,
+  discordApi,
+  slackApi,
+  readEnvFile = () => [],
+  createSlackApi: createSlackApiFactory = createSlackApi,
+  fsImpl = fs,
+  openclawDir = OPENCLAW_DIR,
+}) => {
   const notify = async (message, opts = {}) => {
     const summary = {
       telegram: { sent: 0, failed: 0, skipped: false, targets: 0 },
       discord: { sent: 0, failed: 0, skipped: false, targets: 0 },
       slack: { sent: 0, failed: 0, skipped: false, targets: 0 },
     };
-    const telegramTargets = getPairedIds("telegram");
+    const telegramTargets = getPairedIds({
+      channel: "telegram",
+      fsImpl,
+      openclawDir,
+    });
     summary.telegram.targets = telegramTargets.length;
     if (!telegramApi?.sendMessage || !process.env.TELEGRAM_BOT_TOKEN || telegramTargets.length === 0) {
       summary.telegram.skipped = true;
@@ -67,7 +139,11 @@ const createWatchdogNotifier = ({ telegramApi, discordApi, slackApi }) => {
       }
     }
 
-    const discordTargets = getPairedIds("discord");
+    const discordTargets = getPairedIds({
+      channel: "discord",
+      fsImpl,
+      openclawDir,
+    });
     summary.discord.targets = discordTargets.length;
     if (!discordApi?.sendDirectMessage || !process.env.DISCORD_BOT_TOKEN || discordTargets.length === 0) {
       summary.discord.skipped = true;
@@ -85,61 +161,102 @@ const createWatchdogNotifier = ({ telegramApi, discordApi, slackApi }) => {
     }
 
     // Enhanced Slack notifications with threading and reactions
-    const slackTargets = getPairedIds("slack");
-    summary.slack.targets = slackTargets.length;
-    if (!slackApi?.postMessage || !process.env.SLACK_BOT_TOKEN || slackTargets.length === 0) {
+    const slackTargetsByAccount = getPairedTargetsByAccount({
+      channel: "slack",
+      fsImpl,
+      openclawDir,
+    });
+    summary.slack.targets = Array.from(slackTargetsByAccount.values()).reduce(
+      (total, targets) => total + targets.length,
+      0,
+    );
+    if (summary.slack.targets === 0) {
       summary.slack.skipped = true;
     } else {
       const eventType = opts.eventType || "info"; // crash, recovery, health, info
-      
-      for (const userId of slackTargets) {
-        try {
-          let threadTs = null;
-          let shouldCreateNewThread = true;
-
-          // Check if we have an active thread for this user
-          const existingThread = slackThreads.get(userId);
-          if (existingThread && existingThread.lastEvent === "crash" && eventType === "recovery") {
-            // Recovery message goes in the crash thread
-            threadTs = existingThread.threadTs;
-            shouldCreateNewThread = false;
+      const envVars = typeof readEnvFile === "function" ? readEnvFile() : [];
+
+      const envMap = new Map(
+        (Array.isArray(envVars) ? envVars : [])
+          .map((entry) => [
+            String(entry?.key || "").trim(),
+            String(entry?.value || "").trim(),
+          ])
+          .filter(([key]) => key),
+      );
+
+      for (const [accountId, slackTargets] of slackTargetsByAccount.entries()) {
+        if (!slackTargets.length) continue;
+        const envKey = deriveSlackBotEnvKey(accountId);
+        const botToken = String(envMap.get(envKey) || process.env[envKey] || "").trim();
+        if (!botToken) {
+          summary.slack.failed += slackTargets.length;
+          for (const userId of slackTargets) {
+            console.error(
+              `[watchdog] slack notification failed for ${accountId}/${userId}: missing ${envKey}`,
+            );
           }
+          continue;
+        }
 
-          // Send message (in thread if continuing conversation)
-          const result = await slackApi.postMessage(userId, String(message || ""), {
-            thread_ts: threadTs,
-            mrkdwn: true,
-          });
+        const accountSlackApi =
+          accountId === "default" &&
+          slackApi?.postMessage &&
+          botToken === String(process.env.SLACK_BOT_TOKEN || "").trim()
+            ? slackApi
+            : createSlackApiFactory(() => botToken);
+
+        for (const userId of slackTargets) {
+          try {
+            let threadTs = null;
+            let shouldCreateNewThread = true;
+            const threadKey = `${accountId}:${userId}`;
+
+            const existingThread = slackThreads.get(threadKey);
+            if (existingThread && existingThread.lastEvent === "crash" && eventType === "recovery") {
+              threadTs = existingThread.threadTs;
+              shouldCreateNewThread = false;
+            }
 
-          // Store thread for future related messages
-          if (shouldCreateNewThread && result.ts) {
-            slackThreads.set(userId, {
-              threadTs: result.ts,
-              lastEvent: eventType,
+            const result = await accountSlackApi.postMessage(userId, String(message || ""), {
+              thread_ts: threadTs,
+              mrkdwn: true,
             });
-          }
 
-          // Add reactions based on event type
-          // Use result.channel (the actual conversation/DM ID) instead of userId
-          if (result.ts && result.channel && slackApi.addReaction) {
-            try {
-              if (eventType === "crash") {
-                await slackApi.addReaction(result.channel, result.ts, "x");
-              } else if (eventType === "recovery") {
-                await slackApi.addReaction(result.channel, result.ts, "white_check_mark");
-              } else if (eventType === "health") {
-                await slackApi.addReaction(result.channel, result.ts, "heart");
+            if (shouldCreateNewThread && result.ts) {
+              slackThreads.set(threadKey, {
+                threadTs: result.ts,
+                lastEvent: eventType,
+              });
+            }
+
+            if (result.ts && result.channel && accountSlackApi.addReaction) {
+              try {
+                if (eventType === "crash") {
+                  await accountSlackApi.addReaction(result.channel, result.ts, "x");
+                } else if (eventType === "recovery") {
+                  await accountSlackApi.addReaction(
+                    result.channel,
+                    result.ts,
+                    "white_check_mark",
+                  );
+                } else if (eventType === "health") {
+                  await accountSlackApi.addReaction(result.channel, result.ts, "heart");
+                }
+              } catch (reactionErr) {
+                console.error(
+                  `[watchdog] slack reaction failed for ${accountId}/${userId}: ${reactionErr.message}`,
+                );
               }
-            } catch (reactionErr) {
-              // Reactions are nice-to-have, don't fail the whole notification
-              console.error(`[watchdog] slack reaction failed for ${userId}: ${reactionErr.message}`);
             }
-          }
 
-          summary.slack.sent += 1;
-        } catch (err) {
-          summary.slack.failed += 1;
-          console.error(`[watchdog] slack notification failed for ${userId}: ${err.message}`);
+            summary.slack.sent += 1;
+          } catch (err) {
+            summary.slack.failed += 1;
+            console.error(
+              `[watchdog] slack notification failed for ${accountId}/${userId}: ${err.message}`,
+            );
+          }
         }
       }
     }

package/lib/server.js

@@ -138,6 +138,9 @@ const {
 const {
   ensureUsageTrackerPluginConfig,
 } = require("./server/usage-tracker-config");
+const {
+  ensureManagedExecDefaults,
+} = require("./server/exec-defaults-config");
 
 const { PORT, kTrustProxyHops, SETUP_API_PREFIXES } = constants;
 
@@ -193,7 +196,9 @@ const openclawVersionService = createOpenclawVersionService({
   restartGateway,
   isOnboarded,
 });
-const alphaclawVersionService = createAlphaclawVersionService();
+const alphaclawVersionService = createAlphaclawVersionService({
+  readOpenclawVersion: () => openclawVersionService.readOpenclawVersion(),
+});
 const restartRequiredState = createRestartRequiredState({ isGatewayRunning });
 const operationEvents = createOperationEventsService();
 const chatWsService = createChatWsService({
@@ -223,7 +228,12 @@ const webhookMiddleware = createWebhookMiddleware({
 const telegramApi = createTelegramApi(() => process.env.TELEGRAM_BOT_TOKEN);
 const discordApi = createDiscordApi(() => process.env.DISCORD_BOT_TOKEN);
 const slackApi = createSlackApi(() => process.env.SLACK_BOT_TOKEN);
-const watchdogNotifier = createWatchdogNotifier({ telegramApi, discordApi, slackApi });
+const watchdogNotifier = createWatchdogNotifier({
+  telegramApi,
+  discordApi,
+  slackApi,
+  readEnvFile,
+});
 const watchdog = createWatchdog({
   clawCmd,
   launchGatewayProcess,
@@ -379,6 +389,11 @@ startServerLifecycle({
   PORT,
   isOnboarded,
   runOnboardedBootSequence,
+  ensureManagedExecDefaults: () =>
+    ensureManagedExecDefaults({
+      fsModule: fs,
+      openclawDir: constants.OPENCLAW_DIR,
+    }),
   ensureUsageTrackerPluginConfig: () =>
     ensureUsageTrackerPluginConfig({
       fsModule: fs,

package/lib/setup/core-prompts/AGENTS.md

@@ -25,6 +25,18 @@ If any of these apply, outline your approach first — what you intend to do, in
 
 Your `.openclaw` directory is version-controlled and this is how work survives container restarts.
 
+### Persistent Storage Rules
+
+This deployment runs in an ephemeral container. `/tmp`, other temp directories, and files outside `/data` can disappear on restart or redeploy.
+
+Anything that must survive redeploys must live under `/data/.openclaw`.
+
+For plugins and other durable artifacts:
+
+- Prefer normal `openclaw plugins install <spec>` flows for persistent installs.
+- If you must stage or unpack a local plugin first, stage it under `/data/.openclaw/...`, not `/tmp/...`.
+- Never persist `plugins.load.paths` entries that point at temp directories.
+
 Anytime you add, edit, or remove workspace files, openclaw.json, cron.json, skills, or external resources (third-party pages, databases, integrations), **commit and push your changes to git**. Never force push; always pull first if there might be remote changes.
 
 Whenever you do this, end your message with a **Changes committed** summary. Use workspace-relative paths for local files.

package/lib/setup/core-prompts/TOOLS.md

@@ -21,6 +21,18 @@ Do not deflect actionable requests to the Setup UI. If a command or tool is avai
 
 Changes to env vars are made through the **Envars** tab (`{{SETUP_UI_URL}}#envars`). After saving, a gateway restart may be required to pick up the changes — the UI prompts for this automatically. Do not edit `/data/.env` directly; use the Setup UI so changes are validated and the gateway restart is handled.
 
+### Persistent storage
+
+This deployment runs in an ephemeral container. `/tmp` and other temp locations do not survive redeploys.
+
+Anything persistent must live under `/data/.openclaw`.
+
+For plugins and local tooling:
+
+- Prefer normal `openclaw plugins install <spec>` flows for durable installs.
+- If you need to stage a local plugin or helper files first, put them under `/data/.openclaw/...`, not `/tmp/...`.
+- Do not leave durable `plugins.load.paths` entries pointing at temp directories.
+
 ### Google Workspace
 
 Google Workspace is connected via the **General** tab (`{{SETUP_UI_URL}}#general`). The user provides OAuth client credentials from Google Cloud Console, then authorizes access to the services they need (Gmail, Calendar, Drive, Sheets, Docs, Tasks, Contacts, Meet). Connected accounts and `gog` CLI usage are covered by the gog-cli skill.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chrysb/alphaclaw",
-  "version": "0.9.0-beta.7",
+  "version": "0.9.1-beta.0",
   "publishConfig": {
     "access": "public"
   },
@@ -36,7 +36,7 @@
   "dependencies": {
     "express": "^4.21.0",
     "http-proxy": "^1.18.1",
-    "openclaw": "2026.3.28",
+    "openclaw": "2026.4.10",
     "patch-package": "^8.0.1",
     "ws": "^8.19.0"
   },

package/patches/openclaw+2026.4.9.patch

@@ -0,0 +1,13 @@
+diff --git a/node_modules/openclaw/dist/server.impl-BxLfE9ri.js b/node_modules/openclaw/dist/server.impl-BxLfE9ri.js
+index e97a5374..4cd08799 100644
+--- a/node_modules/openclaw/dist/server.impl-BxLfE9ri.js
++++ b/node_modules/openclaw/dist/server.impl-BxLfE9ri.js
+@@ -28254,7 +28254,7 @@ function attachGatewayWsMessageHandler(params) {
+ 					close(1008, truncateCloseReason(authMessage));
+ 				};
+ 				const clearUnboundScopes = () => {
+-					if (scopes.length > 0) {
++					if (scopes.length > 0 && !sharedAuthOk) {
+ 						scopes = [];
+ 						connectParams.scopes = scopes;
+ 					}