clawon 0.1.17 → 0.1.18

package/README.md

@@ -23,6 +23,7 @@ npx clawon local backup
 npx clawon local backup --tag "before migration"
 npx clawon local backup --include-memory-db  # Include SQLite memory index
 npx clawon local backup --include-sessions   # Include chat history
+npx clawon local backup --include-secrets    # Include credentials and auth files
 npx clawon local backup --no-secret-scan     # Skip secret scanning
 npx clawon local backup --max-snapshots 10   # Keep only 10 most recent
 
@@ -45,6 +46,7 @@ npx clawon local schedule on
 npx clawon local schedule on --every 6h --max-snapshots 10
 npx clawon local schedule on --include-memory-db
 npx clawon local schedule on --include-sessions
+npx clawon local schedule on --include-secrets
 
 # Disable local schedule
 npx clawon local schedule off
@@ -116,6 +118,7 @@ npx clawon activity                     # Recent events
 npx clawon discover    # Show exactly which files would be backed up
 npx clawon discover --include-memory-db  # Include SQLite memory index
 npx clawon discover --include-sessions   # Include chat history
+npx clawon discover --include-secrets    # Preview with credentials included
 npx clawon discover --scan               # Scan for secrets in discovered files
 npx clawon schedule status  # Show active schedules
 npx clawon status      # Connection status, workspace, and file count
@@ -149,15 +152,15 @@ These are **always excluded**, even if they match an include pattern:
 |---------|-----|
 | `credentials/**` | API keys, tokens, auth files |
 | `openclaw.json` | May contain credentials |
-| `agents/*/auth.json` | Authentication data |
-| `agents/*/auth-profiles.json` | Auth profiles |
+| `agents/*/agent/auth.json` | Authentication data |
+| `agents/*/agent/auth-profiles.json` | Auth profiles |
 | `agents/*/sessions/**` | Chat history (large, use `--include-sessions` to include) |
 | `memory/lancedb/**` | Vector database (binary, large) |
 | `memory/*.sqlite` | SQLite databases (use `--include-memory-db` to include) |
 | `*.lock`, `*.wal`, `*.shm` | Database lock files |
 | `node_modules/**` | Dependencies |
 
-**Credentials never leave your machine.** The entire `credentials/` directory and `openclaw.json` are excluded by default. You can verify this by running `npx clawon discover` before any backup.
+**Credentials are excluded by default.** The `credentials/` directory, `openclaw.json`, and agent auth files are excluded unless you use `--include-secrets` (local backups only). You can verify what gets included by running `npx clawon discover` (or `npx clawon discover --include-secrets`) before any backup.
 
 ## Secret Scanning
 

package/dist/index.js

@@ -4708,8 +4708,8 @@ var INCLUDE_PATTERNS = [
 var EXCLUDE_PATTERNS = [
   "credentials/**",
   "openclaw.json",
-  "agents/*/auth.json",
-  "agents/*/auth-profiles.json",
+  "agents/*/agent/auth.json",
+  "agents/*/agent/auth-profiles.json",
   "agents/*/sessions/**",
   "memory/lancedb/**",
   "memory/*.sqlite",
@@ -4725,13 +4725,24 @@ function matchGlob(filePath, pattern) {
   let regexPattern = pattern.replace(/\./g, "\\.").replace(/\*\*\//g, "(.*/)?").replace(/\*\*/g, ".*").replace(/\*/g, "[^/]*");
   return new RegExp(`^${regexPattern}$`).test(filePath);
 }
-function shouldInclude(relativePath, includeMemoryDb = false, includeSessions = false) {
+var SECRET_PATTERNS = [
+  "credentials/**",
+  "openclaw.json",
+  "agents/*/agent/auth.json",
+  "agents/*/agent/auth-profiles.json"
+];
+function shouldInclude(relativePath, includeMemoryDb = false, includeSessions = false, includeSecrets = false) {
   if (includeMemoryDb && matchGlob(relativePath, "memory/*.sqlite")) {
     return true;
   }
   if (includeSessions && matchGlob(relativePath, "agents/*/sessions/**")) {
     return true;
   }
+  if (includeSecrets) {
+    for (const pattern of SECRET_PATTERNS) {
+      if (matchGlob(relativePath, pattern)) return true;
+    }
+  }
   for (const pattern of EXCLUDE_PATTERNS) {
     if (matchGlob(relativePath, pattern)) return false;
   }
@@ -4740,7 +4751,7 @@ function shouldInclude(relativePath, includeMemoryDb = false, includeSessions =
   }
   return false;
 }
-function discoverFiles(baseDir, includeMemoryDb = false, includeSessions = false) {
+function discoverFiles(baseDir, includeMemoryDb = false, includeSessions = false, includeSecrets = false) {
   const files = [];
   function walk(dir, relativePath = "") {
     if (!fs2.existsSync(dir)) return;
@@ -4751,7 +4762,7 @@ function discoverFiles(baseDir, includeMemoryDb = false, includeSessions = false
       if (entry.isDirectory()) {
         walk(fullPath, relPath);
       } else if (entry.isFile()) {
-        if (shouldInclude(relPath, includeMemoryDb, includeSessions)) {
+        if (shouldInclude(relPath, includeMemoryDb, includeSessions, includeSecrets)) {
           const stats = fs2.statSync(fullPath);
           files.push({
             path: relPath,
@@ -4764,7 +4775,7 @@ function discoverFiles(baseDir, includeMemoryDb = false, includeSessions = false
   walk(baseDir);
   return files;
 }
-async function createLocalArchive(files, openclawDir, outputPath, tag, includeMemoryDb, includeSessions, trigger) {
+async function createLocalArchive(files, openclawDir, outputPath, tag, includeMemoryDb, includeSessions, includeSecrets, trigger) {
   const meta = {
     version: 2,
     created: (/* @__PURE__ */ new Date()).toISOString(),
@@ -4772,6 +4783,7 @@ async function createLocalArchive(files, openclawDir, outputPath, tag, includeMe
     file_count: files.length,
     ...includeMemoryDb ? { include_memory_db: true } : {},
     ...includeSessions ? { include_sessions: true } : {},
+    ...includeSecrets ? { include_secrets: true } : {},
     ...trigger ? { trigger } : {}
   };
   const metaPath = path2.join(openclawDir, "_clawon_meta.json");
@@ -4941,7 +4953,11 @@ program.command("login").description("Connect to Clawon with your API key").opti
     process.exit(1);
   }
 });
-program.command("backup").description("Backup your OpenClaw workspace to the cloud").option("--dry-run", "Show what would be backed up without uploading").option("--tag <label>", "Add a label to this backup").option("--include-memory-db", "Include SQLite memory index").option("--include-sessions", "Include chat history (sessions)").option("--scheduled", "Internal: triggered by cron (suppresses interactive output)").option("--no-secret-scan", "Skip secret scanning before backup").action(async (opts) => {
+program.command("backup").description("Backup your OpenClaw workspace to the cloud").option("--dry-run", "Show what would be backed up without uploading").option("--tag <label>", "Add a label to this backup").option("--include-memory-db", "Include SQLite memory index").option("--include-sessions", "Include chat history (sessions)").option("--include-secrets", "Include credentials and auth files in backup").option("--scheduled", "Internal: triggered by cron (suppresses interactive output)").option("--no-secret-scan", "Skip secret scanning before backup").action(async (opts) => {
+  if (opts.includeSecrets) {
+    console.error("--include-secrets is not supported for cloud backups yet. Use local backups, or wait for --encrypt support.");
+    process.exit(1);
+  }
   const cfg = readConfig();
   if (!cfg) {
     console.error("\u2717 Not logged in. Run: clawon login --api-key <key>");
@@ -5275,12 +5291,12 @@ program.command("delete [id]").description("Delete a snapshot").option("--oldest
     process.exit(1);
   }
 });
-program.command("discover").description("Preview which files would be included in a backup").option("--include-memory-db", "Include SQLite memory index").option("--include-sessions", "Include chat history (sessions)").option("--scan", "Run secret scanning on discovered files").action(async (opts) => {
+program.command("discover").description("Preview which files would be included in a backup").option("--include-memory-db", "Include SQLite memory index").option("--include-sessions", "Include chat history (sessions)").option("--include-secrets", "Include credentials and auth files").option("--scan", "Run secret scanning on discovered files").action(async (opts) => {
   if (!fs2.existsSync(OPENCLAW_DIR)) {
     console.error(`\u2717 OpenClaw directory not found: ${OPENCLAW_DIR}`);
     process.exit(1);
   }
-  const files = discoverFiles(OPENCLAW_DIR, !!opts.includeMemoryDb, !!opts.includeSessions);
+  const files = discoverFiles(OPENCLAW_DIR, !!opts.includeMemoryDb, !!opts.includeSessions, !!opts.includeSecrets);
   if (files.length === 0) {
     console.log("No files matched the include patterns.");
     return;
@@ -5315,7 +5331,7 @@ Total: ${files.length} files (${(totalSize / 1024).toFixed(1)} KB)`);
     console.log(`  Scanned ${scanResult.filesScanned} files in ${scanResult.durationMs}ms (${scanResult.rulesLoaded} rules loaded)`);
   }
   const cfg = readConfig();
-  trackCliEvent(cfg?.profileId || "anonymous", "cli_discover", { file_count: files.length, include_memory_db: !!opts.includeMemoryDb, include_sessions: !!opts.includeSessions });
+  trackCliEvent(cfg?.profileId || "anonymous", "cli_discover", { file_count: files.length, include_memory_db: !!opts.includeMemoryDb, include_sessions: !!opts.includeSessions, include_secrets: !!opts.includeSecrets });
 });
 var schedule = program.command("schedule").description("Manage scheduled cloud backups");
 schedule.command("on").description("Enable scheduled cloud backups via cron").option("--every <interval>", "Backup interval: 1h, 6h, 12h, 24h", "12h").action(async (opts) => {
@@ -5462,7 +5478,7 @@ Total: ${files.length} files`);
 });
 var local = program.command("local").description("Local backup and restore (no cloud required)");
 var localSchedule = local.command("schedule").description("Manage scheduled local backups");
-localSchedule.command("on").description("Enable scheduled local backups via cron").option("--every <interval>", "Backup interval: 1h, 6h, 12h, 24h", "12h").option("--max-snapshots <n>", "Keep only the N most recent local backups").option("--include-memory-db", "Include SQLite memory index").option("--include-sessions", "Include chat history (sessions)").action(async (opts) => {
+localSchedule.command("on").description("Enable scheduled local backups via cron").option("--every <interval>", "Backup interval: 1h, 6h, 12h, 24h", "12h").option("--max-snapshots <n>", "Keep only the N most recent local backups").option("--include-memory-db", "Include SQLite memory index").option("--include-sessions", "Include chat history (sessions)").option("--include-secrets", "Include credentials and auth files in backup").action(async (opts) => {
   assertNotWindows();
   const interval = opts.every;
   if (!VALID_INTERVALS.includes(interval)) {
@@ -5472,7 +5488,7 @@ localSchedule.command("on").description("Enable scheduled local backups via cron
   const cfg = readConfig();
   const wasEnabled = cfg?.schedule?.local?.enabled;
   const cronExpr = INTERVAL_CRON[interval];
-  const args = "local backup --scheduled" + (opts.includeMemoryDb ? " --include-memory-db" : "") + (opts.includeSessions ? " --include-sessions" : "") + (opts.maxSnapshots ? ` --max-snapshots ${opts.maxSnapshots}` : "");
+  const args = "local backup --scheduled" + (opts.includeMemoryDb ? " --include-memory-db" : "") + (opts.includeSessions ? " --include-sessions" : "") + (opts.includeSecrets ? " --include-secrets" : "") + (opts.maxSnapshots ? ` --max-snapshots ${opts.maxSnapshots}` : "");
   const command = resolveCliCommand(args);
   addCronEntry(CRON_MARKER_LOCAL, cronExpr, command);
   const maxSnapshots = opts.maxSnapshots ? parseInt(opts.maxSnapshots, 10) : null;
@@ -5483,7 +5499,8 @@ localSchedule.command("on").description("Enable scheduled local backups via cron
         intervalHours: parseInt(interval),
         ...maxSnapshots ? { maxSnapshots } : {},
         ...opts.includeMemoryDb ? { includeMemoryDb: true } : {},
-        ...opts.includeSessions ? { includeSessions: true } : {}
+        ...opts.includeSessions ? { includeSessions: true } : {},
+        ...opts.includeSecrets ? { includeSecrets: true } : {}
       }
     }
   });
@@ -5492,8 +5509,9 @@ localSchedule.command("on").description("Enable scheduled local backups via cron
   if (maxSnapshots) console.log(`  Max snapshots: ${maxSnapshots}`);
   if (opts.includeMemoryDb) console.log(`  Memory DB: included`);
   if (opts.includeSessions) console.log(`  Sessions: included`);
+  if (opts.includeSecrets) console.log(`  Secrets: included`);
   console.log(`  Log: ${SCHEDULE_LOG}`);
-  const firstRunArgs = "local backup" + (opts.includeMemoryDb ? " --include-memory-db" : "") + (opts.includeSessions ? " --include-sessions" : "") + (opts.maxSnapshots ? ` --max-snapshots ${opts.maxSnapshots}` : "");
+  const firstRunArgs = "local backup" + (opts.includeMemoryDb ? " --include-memory-db" : "") + (opts.includeSessions ? " --include-sessions" : "") + (opts.includeSecrets ? " --include-secrets" : "") + (opts.maxSnapshots ? ` --max-snapshots ${opts.maxSnapshots}` : "");
   console.log("\nRunning first backup now...\n");
   try {
     execSync(resolveCliCommand(firstRunArgs), { stdio: "inherit" });
@@ -5505,7 +5523,8 @@ localSchedule.command("on").description("Enable scheduled local backups via cron
     interval_hours: parseInt(interval),
     max_snapshots: maxSnapshots,
     include_memory_db: !!opts.includeMemoryDb,
-    include_sessions: !!opts.includeSessions
+    include_sessions: !!opts.includeSessions,
+    include_secrets: !!opts.includeSecrets
   });
 });
 localSchedule.command("off").description("Disable scheduled local backups").action(async () => {
@@ -5524,18 +5543,31 @@ localSchedule.command("off").description("Disable scheduled local backups").acti
   const cfg = readConfig();
   trackCliEvent(cfg?.profileId || "anonymous", "schedule_disabled", { type: "local" });
 });
-local.command("backup").description("Save a local backup of your OpenClaw workspace").option("--tag <label>", "Add a label to this backup").option("--include-memory-db", "Include SQLite memory index").option("--include-sessions", "Include chat history (sessions)").option("--scheduled", "Internal: triggered by cron (suppresses interactive output)").option("--no-secret-scan", "Skip secret scanning before backup").option("--max-snapshots <n>", "Keep only the N most recent local backups").action(async (opts) => {
+local.command("backup").description("Save a local backup of your OpenClaw workspace").option("--tag <label>", "Add a label to this backup").option("--include-memory-db", "Include SQLite memory index").option("--include-sessions", "Include chat history (sessions)").option("--include-secrets", "Include credentials and auth files in backup").option("--scheduled", "Internal: triggered by cron (suppresses interactive output)").option("--no-secret-scan", "Skip secret scanning before backup").option("--max-snapshots <n>", "Keep only the N most recent local backups").action(async (opts) => {
   if (!fs2.existsSync(OPENCLAW_DIR)) {
     console.error(`\u2717 OpenClaw directory not found: ${OPENCLAW_DIR}`);
     process.exit(1);
   }
   try {
     if (!opts.scheduled) console.log("Discovering files...");
-    let files = discoverFiles(OPENCLAW_DIR, !!opts.includeMemoryDb, !!opts.includeSessions);
+    let files = discoverFiles(OPENCLAW_DIR, !!opts.includeMemoryDb, !!opts.includeSessions, !!opts.includeSecrets);
     if (files.length === 0) {
       console.error("\u2717 No files found to backup");
       process.exit(1);
     }
+    if (opts.includeSecrets && !opts.scheduled) {
+      const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+      const confirmed = await new Promise((resolve) => {
+        rl.question("\u26A0  --include-secrets will back up API keys, tokens, and auth files. Continue? [y/N] ", (answer) => {
+          rl.close();
+          resolve(answer.trim().toLowerCase() === "y");
+        });
+      });
+      if (!confirmed) {
+        console.log("Backup aborted.");
+        process.exit(0);
+      }
+    }
     let secretsFound = 0;
     let secretsFilesSkipped = 0;
     const scanSkipped = !opts.secretScan;
@@ -5575,7 +5607,7 @@ local.command("backup").description("Save a local backup of your OpenClaw worksp
     const filename = `backup-${timestamp}.tar.gz`;
     const filePath = path2.join(BACKUPS_DIR, filename);
     if (!opts.scheduled) console.log("Creating archive...");
-    await createLocalArchive(files, OPENCLAW_DIR, filePath, opts.tag, opts.includeMemoryDb, opts.includeSessions, opts.scheduled ? "scheduled" : "manual");
+    await createLocalArchive(files, OPENCLAW_DIR, filePath, opts.tag, opts.includeMemoryDb, opts.includeSessions, opts.includeSecrets, opts.scheduled ? "scheduled" : "manual");
     const archiveSize = fs2.statSync(filePath).size;
     if (!opts.scheduled) {
       console.log(`
@@ -5606,6 +5638,7 @@ local.command("backup").description("Save a local backup of your OpenClaw worksp
       total_bytes: totalSize,
       include_memory_db: !!opts.includeMemoryDb,
       include_sessions: !!opts.includeSessions,
+      include_secrets: !!opts.includeSecrets,
       type: "local",
       trigger: opts.scheduled ? "scheduled" : "manual",
       rotated_count: rotatedCount,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clawon",
-  "version": "0.1.17",
+  "version": "0.1.18",
   "description": "Backup and restore your OpenClaw workspace",
   "type": "module",
   "bin": {