clawchef 0.1.11 → 0.1.13

package/src/openclaw/remote-provider.ts

@@ -29,6 +29,17 @@ interface RemoteOperationResponse {
 const DEFAULT_TIMEOUT_MS = 60_000;
 const DEFAULT_OPERATION_PATH = "/v1/clawchef/operation";
 
+function timestamp(): string {
+  const now = new Date();
+  const year = now.getFullYear();
+  const month = String(now.getMonth() + 1).padStart(2, "0");
+  const day = String(now.getDate()).padStart(2, "0");
+  const hours = String(now.getHours()).padStart(2, "0");
+  const minutes = String(now.getMinutes()).padStart(2, "0");
+  const seconds = String(now.getSeconds()).padStart(2, "0");
+  return `${year}-${month}-${day} ${hours}:${minutes}:${seconds}`;
+}
+
 function parseResponseBody(raw: string): RemoteOperationResponse {
   if (!raw.trim()) {
     return {};
@@ -84,9 +95,18 @@ function assertRemoteConfig(remote: Partial<OpenClawRemoteConfig>): OpenClawRemo
 export class RemoteOpenClawProvider implements OpenClawProvider {
   private readonly stagedMessages = new Map<string, StagedMessage[]>();
   private readonly remoteConfig: Partial<OpenClawRemoteConfig>;
+  private readonly verboseEnabled: boolean;
 
-  constructor(remoteConfig: Partial<OpenClawRemoteConfig>) {
+  constructor(remoteConfig: Partial<OpenClawRemoteConfig>, verboseEnabled = false) {
     this.remoteConfig = remoteConfig;
+    this.verboseEnabled = verboseEnabled;
+  }
+
+  private debug(message: string): void {
+    if (!this.verboseEnabled) {
+      return;
+    }
+    process.stdout.write(`[${timestamp()}] [DEBUG] ${message}\n`);
   }
 
   private async perform(
@@ -96,6 +116,7 @@ export class RemoteOpenClawProvider implements OpenClawProvider {
     dryRun: boolean,
   ): Promise<RemoteOperationResponse> {
     if (dryRun) {
+      this.debug(`REMOTE DRY-RUN op=${operation}`);
       return { ok: true };
     }
 
@@ -109,6 +130,8 @@ export class RemoteOpenClawProvider implements OpenClawProvider {
       recipe_version: config.version,
       payload,
     };
+    const startedAt = Date.now();
+    this.debug(`REMOTE START op=${operation} url=${operationUrl(remote)}`);
 
     try {
       const response = await fetch(operationUrl(remote), {
@@ -130,8 +153,11 @@ export class RemoteOpenClawProvider implements OpenClawProvider {
         throw new ClawChefError(`Remote operation failed for ${operation}: ${parsed.message ?? "unknown error"}`);
       }
 
+      this.debug(`REMOTE DONE op=${operation} status=${response.status} (${Date.now() - startedAt}ms)`);
+
       return parsed;
     } catch (err) {
+      this.debug(`REMOTE FAIL op=${operation} (${Date.now() - startedAt}ms)`);
       if (err instanceof ClawChefError) {
         throw err;
       }
@@ -192,6 +218,10 @@ export class RemoteOpenClawProvider implements OpenClawProvider {
     await this.perform(config, "configure_channel", { channel }, dryRun);
   }
 
+  async applyConfigPatch(config: OpenClawSection, patch: Record<string, unknown>, dryRun: boolean): Promise<void> {
+    await this.perform(config, "apply_config_patch", { patch }, dryRun);
+  }
+
   async bindChannelAgent(config: OpenClawSection, channel: ChannelDef, agent: string, dryRun: boolean): Promise<void> {
     await this.perform(
       config,

package/src/orchestrator.ts

@@ -8,7 +8,7 @@ import { validateReply } from "./assertions.js";
 import { ClawChefError } from "./errors.js";
 import { Logger } from "./logger.js";
 import { createProvider } from "./openclaw/factory.js";
-import type { Recipe, RunOptions } from "./types.js";
+import type { ChannelDef, Recipe, RunOptions } from "./types.js";
 import type { RecipeOrigin } from "./recipe.js";
 
 async function exists(filePath: string): Promise<boolean> {
@@ -27,6 +27,34 @@ function truncateForLog(text: string, maxLength = 500): string {
   return `${text.slice(0, maxLength)}... [truncated ${text.length - maxLength} chars]`;
 }
 
+function toPosixPath(value: string): string {
+  return value.replaceAll("\\", "/");
+}
+
+function wildcardToRegExp(pattern: string): RegExp {
+  const escaped = toPosixPath(pattern)
+    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
+    .replace(/\*\*/g, "___DOUBLE_STAR___")
+    .replace(/\*/g, "[^/]*")
+    .replace(/___DOUBLE_STAR___/g, ".*");
+  return new RegExp(`^${escaped}$`);
+}
+
+function matchesFilePatterns(patterns: string[], relativePath: string): boolean {
+  if (patterns.length === 0) {
+    return true;
+  }
+  const normalized = toPosixPath(relativePath);
+  return patterns.some((pattern) => wildcardToRegExp(pattern).test(normalized));
+}
+
+function matchesAnyFilePattern(patterns: string[], candidates: string[]): boolean {
+  if (patterns.length === 0) {
+    return true;
+  }
+  return candidates.some((candidate) => matchesFilePatterns(patterns, candidate));
+}
+
 function renderTemplateString(input: string, vars: Record<string, string>, allowMissing: boolean): string {
   return input.replace(/\$\{([^}]+)\}/g, (_match, rawKey: string) => {
     const key = String(rawKey).trim();
@@ -84,6 +112,15 @@ function isHttpUrl(value: string): boolean {
   }
 }
 
+function shouldAutoDisableTelegramChannel(channel: ChannelDef): boolean {
+  if (channel.channel !== "telegram") {
+    return false;
+  }
+  const emptyToken = channel.token !== undefined && channel.token.trim().length === 0;
+  const emptyBotToken = channel.bot_token !== undefined && channel.bot_token.trim().length === 0;
+  return emptyToken || emptyBotToken;
+}
+
 function isNotFoundError(err: unknown): boolean {
   return typeof err === "object" && err !== null && "code" in err && (err as { code?: string }).code === "ENOENT";
 }
@@ -182,36 +219,42 @@ export async function runRecipe(
 ): Promise<void> {
   const provider = createProvider(options);
   const remoteMode = options.provider === "remote";
+  const filesOnlyScope = options.scope === "files";
+  const fileFilterEnabled = filesOnlyScope && options.filePatterns.length > 0;
   const workspacePaths = new Map<string, string>();
   const preserveExistingState = options.scope !== "full";
 
   logger.info(`Running recipe: ${recipe.name}`);
-  const versionResult = await provider.ensureVersion(
-    recipe.openclaw,
-    options.dryRun,
-    options.silent,
-    preserveExistingState,
-  );
-  logger.info(`OpenClaw version ready: ${recipe.openclaw.version}`);
-
-  if (versionResult.installedThisRun) {
-    logger.info("OpenClaw was installed in this run; skipping factory reset");
-  } else if (preserveExistingState) {
-    logger.info("Keeping existing OpenClaw state; skipping factory reset");
-  } else {
-    const confirmed = await confirmFactoryReset(options);
-    if (!confirmed) {
-      throw new ClawChefError("Aborted by user before factory reset");
+  if (!filesOnlyScope) {
+    const versionResult = await provider.ensureVersion(
+      recipe.openclaw,
+      options.dryRun,
+      options.silent,
+      preserveExistingState,
+    );
+    logger.info(`OpenClaw version ready: ${recipe.openclaw.version}`);
+
+    if (versionResult.installedThisRun) {
+      logger.info("OpenClaw was installed in this run; skipping factory reset");
+    } else if (preserveExistingState) {
+      logger.info("Keeping existing OpenClaw state; skipping factory reset");
+    } else {
+      const confirmed = await confirmFactoryReset(options);
+      if (!confirmed) {
+        throw new ClawChefError("Aborted by user before factory reset");
+      }
+      await provider.factoryReset(recipe.openclaw, options.dryRun);
+      logger.info("Factory reset completed");
     }
-    await provider.factoryReset(recipe.openclaw, options.dryRun);
-    logger.info("Factory reset completed");
-  }
 
-  const pluginSpecs = Array.from(new Set([...(recipe.openclaw.plugins ?? []), ...options.plugins].map((v) => v.trim())))
-    .filter((v) => v.length > 0);
-  for (const pluginSpec of pluginSpecs) {
-    await provider.installPlugin(recipe.openclaw, pluginSpec, options.dryRun);
-    logger.info(`Plugin preinstalled: ${pluginSpec}`);
+    const pluginSpecs = Array.from(new Set([...(recipe.openclaw.plugins ?? []), ...options.plugins].map((v) => v.trim())))
+      .filter((v) => v.length > 0);
+    for (const pluginSpec of pluginSpecs) {
+      await provider.installPlugin(recipe.openclaw, pluginSpec, options.dryRun);
+      logger.info(`Plugin preinstalled: ${pluginSpec}`);
+    }
+  } else {
+    logger.info("Scope files: only syncing root/workspace assets and files");
   }
 
   const root = recipe.openclaw.root;
@@ -252,6 +295,11 @@ export async function runRecipe(
       } else {
         const assetFiles = await collectLocalAssetFiles(resolvedAssets.value);
         for (const assetFile of assetFiles) {
+          const patternCandidates = [assetFile.relativePath, `root/${assetFile.relativePath}`];
+          if (fileFilterEnabled && !matchesAnyFilePattern(options.filePatterns, patternCandidates)) {
+            logger.debug(`Filtered root asset: ${assetFile.relativePath}`);
+            continue;
+          }
           const target = path.resolve(openclawRootPath, assetFile.relativePath);
           if (!options.dryRun) {
             await mkdir(path.dirname(target), { recursive: true });
@@ -263,6 +311,11 @@ export async function runRecipe(
     }
 
     for (const file of root.files ?? []) {
+      const patternCandidates = [file.path, `root/${file.path}`];
+      if (fileFilterEnabled && !matchesAnyFilePattern(options.filePatterns, patternCandidates)) {
+        logger.debug(`Filtered root file: ${file.path}`);
+        continue;
+      }
       const target = path.resolve(openclawRootPath, file.path);
       const targetDir = path.dirname(target);
 
@@ -297,8 +350,10 @@ export async function runRecipe(
     if (!options.dryRun && !remoteMode) {
       await mkdir(absPath, { recursive: true });
     }
-    await provider.createWorkspace(recipe.openclaw, { ...ws, path: absPath }, options.dryRun);
-    logger.info(`Workspace created: ${ws.name}`);
+    if (!filesOnlyScope) {
+      await provider.createWorkspace(recipe.openclaw, { ...ws, path: absPath }, options.dryRun);
+      logger.info(`Workspace created: ${ws.name}`);
+    }
 
     if (!ws.assets?.trim()) {
       continue;
@@ -328,6 +383,15 @@ export async function runRecipe(
 
     const assetFiles = await collectLocalAssetFiles(resolvedAssets.value);
     for (const assetFile of assetFiles) {
+      const patternCandidates = [
+        assetFile.relativePath,
+        `${ws.name}/${assetFile.relativePath}`,
+        `workspace-${ws.name}/${assetFile.relativePath}`,
+      ];
+      if (fileFilterEnabled && !matchesAnyFilePattern(options.filePatterns, patternCandidates)) {
+        logger.debug(`Filtered workspace asset: ${ws.name}/${assetFile.relativePath}`);
+        continue;
+      }
       if (provider.materializeFile) {
         const content = await readFile(assetFile.absolutePath, "utf8");
         await provider.materializeFile(
@@ -349,28 +413,58 @@ export async function runRecipe(
     }
   }
 
-  for (const agent of recipe.agents ?? []) {
-    const workspacePath = workspacePaths.get(agent.workspace);
-    if (!workspacePath) {
-      throw new ClawChefError(`Agent references missing workspace: ${agent.workspace}`);
+  if (!filesOnlyScope) {
+    const pendingChannelBindings: Array<{ channel: ChannelDef; agent: string }> = [];
+
+    for (const agent of recipe.agents ?? []) {
+      const workspacePath = workspacePaths.get(agent.workspace);
+      if (!workspacePath) {
+        throw new ClawChefError(`Agent references missing workspace: ${agent.workspace}`);
+      }
+      await provider.createAgent(recipe.openclaw, agent, workspacePath, options.dryRun);
+      logger.info(`Agent created: ${agent.workspace}/${agent.name}`);
     }
-    await provider.createAgent(recipe.openclaw, agent, workspacePath, options.dryRun);
-    logger.info(`Agent created: ${agent.workspace}/${agent.name}`);
-  }
 
-  for (const channel of recipe.channels ?? []) {
-    const effectiveChannel = channel.agent?.trim() && !channel.account?.trim()
-      ? { ...channel, account: channel.agent.trim() }
-      : channel;
-
-    await provider.configureChannel(recipe.openclaw, effectiveChannel, options.dryRun);
-    logger.info(`Channel configured: ${effectiveChannel.channel}${effectiveChannel.account ? `/${effectiveChannel.account}` : ""}`);
-    if (effectiveChannel.agent?.trim()) {
-      await provider.bindChannelAgent(recipe.openclaw, effectiveChannel, effectiveChannel.agent, options.dryRun);
-      logger.info(
-        `Channel bound to agent: ${effectiveChannel.channel}${effectiveChannel.account ? `/${effectiveChannel.account}` : ""} -> ${effectiveChannel.agent}`,
-      );
+    for (const channel of recipe.channels ?? []) {
+      const effectiveChannel = channel.agent?.trim() && !channel.account?.trim()
+        ? { ...channel, account: channel.agent.trim() }
+        : channel;
+      const autoDisabledTelegram = shouldAutoDisableTelegramChannel(effectiveChannel);
+
+      await provider.configureChannel(recipe.openclaw, effectiveChannel, options.dryRun);
+      if (autoDisabledTelegram) {
+        logger.info(
+          `Telegram channel disabled due to empty bot token: ${effectiveChannel.channel}${effectiveChannel.account ? `/${effectiveChannel.account}` : ""}`,
+        );
+        continue;
+      }
+
+      logger.info(`Channel configured: ${effectiveChannel.channel}${effectiveChannel.account ? `/${effectiveChannel.account}` : ""}`);
+      if (effectiveChannel.agent?.trim()) {
+        pendingChannelBindings.push({ channel: effectiveChannel, agent: effectiveChannel.agent });
+      }
     }
+
+    if (pendingChannelBindings.length > 0) {
+      if (provider.bindChannelAgents) {
+        await provider.bindChannelAgents(recipe.openclaw, pendingChannelBindings, options.dryRun);
+      } else {
+        for (const binding of pendingChannelBindings) {
+          await provider.bindChannelAgent(recipe.openclaw, binding.channel, binding.agent, options.dryRun);
+        }
+      }
+
+      for (const binding of pendingChannelBindings) {
+        logger.info(
+          `Channel bound to agent: ${binding.channel.channel}${binding.channel.account ? `/${binding.channel.account}` : ""} -> ${binding.agent}`,
+        );
+      }
+    }
+  }
+
+  if (!filesOnlyScope && recipe.openclaw.config_patch) {
+    await provider.applyConfigPatch(recipe.openclaw, recipe.openclaw.config_patch, options.dryRun);
+    logger.info("OpenClaw config patch applied");
   }
 
   for (const workspace of recipe.workspaces ?? []) {
@@ -380,6 +474,15 @@ export async function runRecipe(
     }
 
     for (const file of workspace.files ?? []) {
+      const patternCandidates = [
+        file.path,
+        `${workspace.name}/${file.path}`,
+        `workspace-${workspace.name}/${file.path}`,
+      ];
+      if (fileFilterEnabled && !matchesAnyFilePattern(options.filePatterns, patternCandidates)) {
+        logger.debug(`Filtered workspace file: ${workspace.name}/${file.path}`);
+        continue;
+      }
       if (provider.materializeFile) {
         let content = file.content;
         if (content === undefined && file.content_from) {
@@ -436,64 +539,66 @@ export async function runRecipe(
     }
   }
 
-  for (const agent of recipe.agents ?? []) {
-    for (const skill of agent.skills ?? []) {
-      await provider.installSkill(recipe.openclaw, agent.workspace, agent.name, skill, options.dryRun);
-      logger.info(`Skill installed: ${agent.workspace}/${agent.name} -> ${skill}`);
+  if (!filesOnlyScope) {
+    for (const agent of recipe.agents ?? []) {
+      for (const skill of agent.skills ?? []) {
+        await provider.installSkill(recipe.openclaw, agent.workspace, agent.name, skill, options.dryRun);
+        logger.info(`Skill installed: ${agent.workspace}/${agent.name} -> ${skill}`);
+      }
     }
-  }
 
-  for (const conv of recipe.conversations ?? []) {
-    for (const msg of conv.messages) {
-      await provider.sendMessage(recipe.openclaw, conv, msg.content, options.dryRun);
+    for (const conv of recipe.conversations ?? []) {
+      for (const msg of conv.messages) {
+        await provider.sendMessage(recipe.openclaw, conv, msg.content, options.dryRun);
 
-      const shouldRun = conv.run ?? Boolean(msg.expect);
-      if (shouldRun) {
-        if (options.dryRun) {
-          logger.info(`dry-run: skipping execution and output assertions: ${conv.workspace}/${conv.agent}`);
-          continue;
-        }
-        const reply = await provider.runAgent(recipe.openclaw, conv, options.dryRun);
-        if (msg.expect) {
-          try {
-            validateReply(reply, msg.expect);
-            logger.info(`Output assertions passed: ${conv.workspace}/${conv.agent}`);
-          } catch (err) {
-            logger.warn(
-              `Assertion failed reply (truncated): ${truncateForLog(reply)}`,
-            );
-            throw err;
+        const shouldRun = conv.run ?? Boolean(msg.expect);
+        if (shouldRun) {
+          if (options.dryRun) {
+            logger.info(`dry-run: skipping execution and output assertions: ${conv.workspace}/${conv.agent}`);
+            continue;
           }
-        } else {
-          logger.info(`Agent executed: ${conv.workspace}/${conv.agent}`);
+          const reply = await provider.runAgent(recipe.openclaw, conv, options.dryRun);
+          if (msg.expect) {
+            try {
+              validateReply(reply, msg.expect);
+              logger.info(`Output assertions passed: ${conv.workspace}/${conv.agent}`);
+            } catch (err) {
+              logger.warn(
+                `Assertion failed reply (truncated): ${truncateForLog(reply)}`,
+              );
+              throw err;
+            }
+          } else {
+            logger.info(`Agent executed: ${conv.workspace}/${conv.agent}`);
+          }
+          logger.debug(`Agent output: ${reply}`);
         }
-        logger.debug(`Agent output: ${reply}`);
       }
+      logger.info(`Preset messages sent: ${conv.workspace}/${conv.agent}`);
     }
-    logger.info(`Preset messages sent: ${conv.workspace}/${conv.agent}`);
-  }
 
-  await provider.startGateway(recipe.openclaw, options.gatewayMode, options.dryRun);
-  if (options.gatewayMode === "none") {
-    logger.info("Gateway start skipped by gateway mode: none");
-  } else {
-    logger.info(`Gateway started (${options.gatewayMode})`);
-  }
-
-  for (const channel of recipe.channels ?? []) {
-    const effectiveChannel = channel.agent?.trim() && !channel.account?.trim()
-      ? { ...channel, account: channel.agent.trim() }
-      : channel;
-    if (!effectiveChannel.login) {
-      continue;
+    await provider.startGateway(recipe.openclaw, options.gatewayMode, options.dryRun);
+    if (options.gatewayMode === "none") {
+      logger.info("Gateway start skipped by gateway mode: none");
+    } else {
+      logger.info(`Gateway started (${options.gatewayMode})`);
     }
-    if (!options.dryRun && !input.isTTY) {
-      throw new ClawChefError(
-        `Channel login for ${effectiveChannel.channel} requires an interactive terminal session`,
-      );
+
+    for (const channel of recipe.channels ?? []) {
+      const effectiveChannel = channel.agent?.trim() && !channel.account?.trim()
+        ? { ...channel, account: channel.agent.trim() }
+        : channel;
+      if (!effectiveChannel.login) {
+        continue;
+      }
+      if (!options.dryRun && !input.isTTY) {
+        throw new ClawChefError(
+          `Channel login for ${effectiveChannel.channel} requires an interactive terminal session`,
+        );
+      }
+      await provider.loginChannel(recipe.openclaw, effectiveChannel, options.dryRun);
+      logger.info(`Channel login completed: ${effectiveChannel.channel}${effectiveChannel.account ? `/${effectiveChannel.account}` : ""}`);
     }
-    await provider.loginChannel(recipe.openclaw, effectiveChannel, options.dryRun);
-    logger.info(`Channel login completed: ${effectiveChannel.channel}${effectiveChannel.account ? `/${effectiveChannel.account}` : ""}`);
   }
 
   logger.info("Recipe execution completed");

package/src/recipe.ts

@@ -7,7 +7,7 @@ import YAML from "js-yaml";
 import { recipeSchema } from "./schema.js";
 import { ClawChefError } from "./errors.js";
 import { deepResolveTemplates } from "./template.js";
-import type { Recipe, RunOptions } from "./types.js";
+import type { ChannelDef, Recipe, RunOptions } from "./types.js";
 
 export type RecipeOrigin =
   | {
@@ -73,6 +73,42 @@ const CHANNEL_SECRET_FIELDS = ["token", "bot_token", "access_token", "app_token"
 
 const TEMPLATE_TOKEN_RE = /\$\{[A-Za-z_][A-Za-z0-9_]*\}/;
 
+function assertNoInlineSecretsInObject(value: unknown, pathLabel: string): void {
+  if (Array.isArray(value)) {
+    for (let i = 0; i < value.length; i += 1) {
+      assertNoInlineSecretsInObject(value[i], `${pathLabel}[${i}]`);
+    }
+    return;
+  }
+  if (!value || typeof value !== "object") {
+    return;
+  }
+
+  for (const [key, nestedValue] of Object.entries(value)) {
+    const nextPath = `${pathLabel}.${key}`;
+    if (
+      typeof nestedValue === "string" &&
+      /(token|password|secret|api[_-]?key|webhook)/i.test(key) &&
+      nestedValue.trim().length > 0 &&
+      !TEMPLATE_TOKEN_RE.test(nestedValue)
+    ) {
+      throw new ClawChefError(
+        `Inline secret in ${nextPath} is not allowed. Use \${var} and pass it via --var or CLAWCHEF_VAR_*`,
+      );
+    }
+    assertNoInlineSecretsInObject(nestedValue, nextPath);
+  }
+}
+
+function hasExplicitEmptyTelegramToken(channel: ChannelDef): boolean {
+  if (channel.channel !== "telegram") {
+    return false;
+  }
+  const emptyToken = channel.token !== undefined && channel.token.trim().length === 0;
+  const emptyBotToken = channel.bot_token !== undefined && channel.bot_token.trim().length === 0;
+  return emptyToken || emptyBotToken;
+}
+
 function assertNoInlineSecrets(recipe: Recipe): void {
   const bootstrap = recipe.openclaw.bootstrap;
   if (bootstrap) {
@@ -89,6 +125,10 @@ function assertNoInlineSecrets(recipe: Recipe): void {
     }
   }
 
+  if (recipe.openclaw.config_patch) {
+    assertNoInlineSecretsInObject(recipe.openclaw.config_patch, "openclaw.config_patch");
+  }
+
   for (const channel of recipe.channels ?? []) {
     for (const field of CHANNEL_SECRET_FIELDS) {
       const value = channel[field];
@@ -162,6 +202,21 @@ function collectVars(recipe: Recipe, cliVars: Record<string, string>, requiredKe
 }
 
 function projectRecipeForScope(recipe: Recipe, options: RunOptions): Recipe {
+  if (options.scope === "files") {
+    return {
+      ...recipe,
+      openclaw: {
+        ...recipe.openclaw,
+        version: "0.0.0",
+        bootstrap: undefined,
+        plugins: [],
+      },
+      channels: [],
+      agents: [],
+      conversations: [],
+    };
+  }
+
   if (options.scope !== "workspace") {
     return recipe;
   }
@@ -291,6 +346,10 @@ function semanticValidate(recipe: Recipe): void {
         return /(token|password|secret|api[_-]?key|webhook)/i.test(key) && String(value).trim().length > 0;
       });
 
+    if (hasExplicitEmptyTelegramToken(channel)) {
+      continue;
+    }
+
     if (!hasAuth) {
       throw new ClawChefError(
         `channels[] entry for ${channel.channel} requires at least one auth input (for example token/bot_token/access_token/token_file/use_env)`,
@@ -819,7 +878,7 @@ export async function loadRecipe(recipePath: string, options: RunOptions): Promi
 
     assertNoInlineSecrets(projected);
 
-    const requiredKeys = options.scope === "workspace" ? new Set<string>() : undefined;
+    const requiredKeys = options.scope === "workspace" || options.scope === "files" ? new Set<string>() : undefined;
     const vars = collectVars(projected, options.vars, requiredKeys);
     const rendered = deepResolveTemplates(projected, vars, options.allowMissing);
     const secondParse = recipeSchema.safeParse(rendered);

package/src/schema.ts

@@ -78,6 +78,7 @@ const openClawSchema = z
     install: z.enum(["auto", "always", "never"]).optional(),
     plugins: z.array(z.string().min(1)).optional(),
     root: openClawRootSchema.optional(),
+    config_patch: z.record(z.unknown()).optional(),
     bootstrap: openClawBootstrapSchema.optional(),
     commands: openClawCommandsSchema.optional(),
   })
@@ -117,10 +118,10 @@ const channelSchema = z
     login_mode: z.enum(["interactive"]).optional(),
     login_account: z.string().min(1).optional(),
     name: z.string().min(1).optional(),
-    token: z.string().min(1).optional(),
+    token: z.string().optional(),
     token_file: z.string().min(1).optional(),
     use_env: z.boolean().optional(),
-    bot_token: z.string().min(1).optional(),
+    bot_token: z.string().optional(),
     access_token: z.string().min(1).optional(),
     app_token: z.string().min(1).optional(),
     webhook_url: z.string().min(1).optional(),

package/src/types.ts

@@ -1,6 +1,6 @@
 export type InstallPolicy = "auto" | "always" | "never";
 export type OpenClawProvider = "command" | "mock" | "remote";
-export type RunScope = "full" | "files" | "workspace";
+export type RunScope = "full" | "stateful" | "files" | "workspace";
 export type GatewayMode = "service" | "run" | "none";
 
 export interface OpenClawRemoteConfig {
@@ -64,6 +64,7 @@ export interface OpenClawSection {
   install?: InstallPolicy;
   plugins?: string[];
   root?: OpenClawRootDef;
+  config_patch?: Record<string, unknown>;
   bootstrap?: OpenClawBootstrap;
   commands?: OpenClawCommandOverrides;
 }
@@ -151,6 +152,7 @@ export interface Recipe {
 export interface RunOptions {
   vars: Record<string, string>;
   plugins: string[];
+  filePatterns: string[];
   scope: RunScope;
   workspaceName?: string;
   gatewayMode: GatewayMode;