npm - openclaw-workspace-sync - Versions diffs - 2.3.0 → 2.3.1 - Mend

openclaw-workspace-sync 2.3.0 → 2.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.src.md CHANGED Viewed

@@ -1,31 +1,108 @@
-# OpenClaw Workspace Cloud Sync Plugin
+# OpenClaw Workspace Sync & Backup Plugin
-Sync your OpenClaw agent workspace with cloud storage via [rclone](https://rclone.org/).
+Sync and back up your OpenClaw agent workspace to cloud storage via [rclone](https://rclone.org/).
-Supports **Dropbox, Google Drive, OneDrive, S3/R2/Minio**, and [70+ cloud providers](https://rclone.org/overview/).
+**Sync** your workspace to Dropbox, Google Drive, OneDrive, S3, or [70+ providers](https://rclone.org/overview/) with mailbox, mirror, or bisync modes. **Back up** your entire agent system — workspace, config, sessions, memory — as encrypted snapshots to S3, R2, B2, or any rclone backend.
-## How it works
+## What's included
-<p align="center">
-  <img src="https://raw.githubusercontent.com/ashbrener/openclaw-workspace-sync/main/docs/how-it-works.png" alt="How it works — Local Machine syncs to Cloud Provider syncs to Remote Gateway" width="600" />
-</p>
+| Feature | What it does | Cost |
+|---------|-------------|------|
+| [**Sync**](#sync) | Live mirror of your workspace to/from cloud storage. Three modes: mailbox (safest), mirror, bisync. | Zero LLM cost — pure file ops |
+| [**Encrypted Backup**](#encrypted-backups) | Streaming encrypted snapshots of your entire agent system to your own bucket. Automatic retention. | Zero LLM cost, zero extra disk |
+Both features use rclone under the hood and share provider credentials. You can use sync alone, backup alone, or both together with different providers — e.g. sync to Dropbox for daily access, backup to R2 for disaster recovery.
+## Install
+```bash
+openclaw plugins install openclaw-workspace-sync
+```
-The remote gateway workspace is the **source of truth**. Changes made by the agent flow down to your local machine through cloud storage. You can send files to the agent through an optional inbox.
+Or clone into your extensions directory:
-**Zero LLM cost.** All sync operations are pure rclone file operations — they never wake the bot or trigger LLM calls.
+```bash
+cd ~/.openclaw/extensions
+git clone https://github.com/ashbrener/openclaw-workspace-sync workspace-sync
+cd workspace-sync && npm install --omit=dev
+```
-## Architecture
+## Quick start
+```bash
+# Interactive setup wizard (recommended)
+openclaw workspace-sync setup
+```
+The setup wizard guides you through:
+1. Checking/installing rclone
+2. Selecting cloud provider
+3. Choosing sync mode
+4. Dropbox app folder option (for scoped access)
+5. Background sync interval
+6. OAuth authorization
+7. First sync
+Or configure manually — see [Configuration](#configuration) below.
+## Configuration
+Add to your `openclaw.json`. The `sync` and `backup` blocks are independent — use one or both:
+```json
+{
+  "plugins": {
+    "entries": {
+      "openclaw-workspace-sync": {
+        "enabled": true,
+        "config": {
+          "sync": {
+            "provider": "dropbox",
+            "mode": "mailbox",
+            "remotePath": "",
+            "localPath": "/",
+            "interval": 180,
+            "onSessionStart": true,
+            "exclude": [".git/**", "node_modules/**", "*.log"]
+          },
+          "backup": {
+            "enabled": true,
+            "provider": "s3",
+            "bucket": "my-backups",
+            "prefix": "habibi/",
+            "interval": 86400,
+            "encrypt": true,
+            "passphrase": "${BACKUP_PASSPHRASE}",
+            "include": ["workspace", "config", "cron", "memory"],
+            "retain": 7
+          }
+        }
+      }
+    }
+  }
+}
+```
+> **Flat format still works.** Putting `provider`, `mode`, etc. at the config root (without `sync`) is supported for backwards compatibility. The nested `{ sync, backup }` format is recommended for clarity.
+---
+## Sync
+Live workspace mirroring via rclone. The remote gateway workspace is the **source of truth**. Changes made by the agent flow down to your local machine through cloud storage. You can send files to the agent through an optional inbox.
+<p align="center">
+  <img src="https://raw.githubusercontent.com/ashbrener/openclaw-workspace-sync/main/docs/how-it-works.png" alt="How it works — Local Machine syncs to Cloud Provider syncs to Remote Gateway" width="600" />
+</p>
 <p align="center">
   <img src="https://raw.githubusercontent.com/ashbrener/openclaw-workspace-sync/main/docs/architecture.png" alt="Plugin architecture — CLI, Hooks, and Sync Manager feed into rclone wrapper" width="600" />
 </p>
-## Sync modes (breaking change in v2.0)
+### Sync modes (breaking change in v2.0)
 **`mode` is now required.** Previous versions used bidirectional bisync implicitly. Starting with v2.0, you must explicitly set `"mode"` in your config. The plugin will refuse to start and log an error until `mode` is set. This prevents accidental data loss from an unexpected sync direction.
-The plugin supports three sync modes. Choose the one that fits your workflow:
 | Mode | Direction | Description |
 |------|-----------|-------------|
 | `mailbox` | Push + inbox/outbox | Workspace pushes to cloud; users drop files in `_outbox` to send them to the agent. **Safest.** |
@@ -34,7 +111,7 @@ The plugin supports three sync modes. Choose the one that fits your workflow:
 **Upgrading from a previous version?** If you were using bisync before, add `"mode": "bisync"` to your config to preserve the existing behavior. For the safest option, use `"mode": "mailbox"`.
-### `mailbox` mode (recommended)
+#### `mailbox` mode (recommended)
 The agent workspace is the source of truth. Each sync cycle:
@@ -72,7 +149,7 @@ On startup, the plugin bootstraps both directories:
 Because the push explicitly excludes `_inbox/**` and `_outbox/**`, there is no risk of sync loops or accidental overwrites. Files only flow in one direction through each channel.
-#### Inbox notifications (optional)
+##### Inbox notifications (optional)
 By default, mailbox mode is silent — files land in `_inbox` without waking the agent. This keeps costs at zero.
@@ -95,7 +172,7 @@ This wakes the agent on its next heartbeat. The agent sees the message and can p
 }
 ```
-### `mirror` mode
+#### `mirror` mode
 The agent workspace is the source of truth. Every sync cycle copies the latest workspace state down to your local folder. Local files outside the workspace are never sent up.
@@ -117,7 +194,7 @@ flowchart LR
 This is safe: even if something goes wrong, only your local copy is affected — the workspace stays untouched.
-### `ingest` option (mirror mode only)
+##### `ingest` option (mirror mode only)
 Want to send files to the agent while using mirror mode? Enable the `ingest` option. This creates a local `inbox/` folder (sibling to the sync folder) that syncs one-way **up** to the workspace. Drop a file in the inbox — it appears on the remote workspace. The inbox is separate from the mirror, so there is no risk of overwriting workspace files.
@@ -133,7 +210,7 @@ When enabled, a local `inbox/` folder syncs its contents to `<remotePath>/inbox/
 > For a more robust file-exchange pattern, consider `mailbox` mode instead. Mailbox uses `rclone move` to drain files (deleting from the source after transfer), which prevents duplicates and is easier to reason about.
-### `bisync` mode (advanced)
+#### `bisync` mode (advanced)
 Full bidirectional sync using rclone bisync. Changes on either side propagate to the other.
@@ -164,136 +241,7 @@ Use this only if you understand the trade-offs:
 If you are running on a container platform, `mailbox` mode is strongly recommended.
-## Before your first sync
-Getting the initial state right prevents data loss. Each mode has different requirements:
-### `mailbox` mode — starting state
-The first sync **pushes** your local workspace to the cloud. This means rclone makes cloud match local exactly — any files on cloud that don't exist locally will be **deleted**.
-**Recommended starting state:** Local workspace is the source of truth (the agent has been writing here), or local and remote are already identical.
-**If remote is the source of truth** (e.g. you've been syncing manually or switching from another mode), pull first:
-```bash
-rclone sync <remote>:<path> /data/workspace/ --config <config-path> \
-  --exclude '**/.DS_Store' --exclude '**/.git/**' \
-  --exclude '**/__pycache__/**' --exclude '**/node_modules/**' \
-  --verbose
-```
-Then verify local matches remote before enabling the plugin.
-### `mirror` mode — starting state
-The first sync **pulls** from cloud to local. Local can be empty, stale, or corrupted — the pull simply overwrites it. **No preparation needed.**
-### `bisync` mode — starting state
-The first sync requires `--resync`, which copies everything from both sides to the other. Any stale or unwanted files on either side will propagate.
-**Recommended starting state:** Both sides are identical, or one side is empty and the other has the data you want. Verify both before running `--resync`.
-### General first-sync checklist
-1. Run a `--dry-run` first to see what would happen: `openclaw workspace-sync sync --dry-run`
-2. Check the output for unexpected deletions
-3. If everything looks right, run the actual sync
-4. Only then enable periodic sync (`interval` in config)
-> For maintenance, recovery, and common problems, see [TROUBLESHOOTING.md](./TROUBLESHOOTING.md).
-## Setup sequence
-Getting sync right depends on doing things in the right order. Follow these steps:
-1. **Configure the plugin** in `openclaw.json` with your provider credentials and `mode`
-2. **Verify the remote** is accessible: `openclaw workspace-sync status`
-3. **Run a dry-run first** to see what would happen: `openclaw workspace-sync sync --dry-run`
-4. **Run the first sync**: `openclaw workspace-sync sync`
-   - In `mailbox` mode, this pushes the workspace and drains the `_outbox`
-   - In `mirror` mode, this pulls the current workspace down
-   - In `bisync` mode, this requires `--resync` to establish the baseline
-5. **Enable periodic sync** by setting `interval` in your config
-Take care when changing config (switching `remotePath`, `localPath`, or `mode`) — always disable periodic sync first, verify the new paths, then re-enable.
-## Install
-```bash
-openclaw plugins install openclaw-workspace-sync
-```
-Or clone into your extensions directory:
-```bash
-cd ~/.openclaw/extensions
-git clone https://github.com/ashbrener/openclaw-workspace-sync workspace-sync
-cd workspace-sync && npm install --omit=dev
-```
-## Quick start
-```bash
-# Interactive setup wizard (recommended)
-openclaw workspace-sync setup
-```
-The setup wizard guides you through:
-1. Checking/installing rclone
-2. Selecting cloud provider
-3. Choosing sync mode
-4. Dropbox app folder option (for scoped access)
-5. Background sync interval
-6. OAuth authorization
-7. First sync
-Or configure manually — see [Configuration](#configuration) below.
-## Configuration
-Add to your `openclaw.json`:
-```json
-{
-  "plugins": {
-    "entries": {
-      "openclaw-workspace-sync": {
-        "enabled": true,
-        "config": {
-          "sync": {
-            "provider": "dropbox",
-            "mode": "mailbox",
-            "remotePath": "",
-            "localPath": "/",
-            "interval": 60,
-            "timeout": 1800,
-            "onSessionStart": true,
-            "onSessionEnd": false,
-            "exclude": [".git/**", "node_modules/**", "*.log"]
-          },
-          "backup": {
-            "enabled": true,
-            "provider": "s3",
-            "bucket": "my-backups",
-            "prefix": "habibi/",
-            "interval": 86400,
-            "encrypt": true,
-            "passphrase": "${BACKUP_PASSPHRASE}",
-            "include": ["workspace", "config", "cron", "memory"],
-            "retain": 7
-          }
-        }
-      }
-    }
-  }
-}
-```
-> **Flat format still works.** Putting `provider`, `mode`, etc. at the config root (without `sync`) is supported for backwards compatibility. The nested `{ sync, backup }` format is recommended for clarity.
-### Config reference
+### Sync config reference
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
@@ -316,93 +264,7 @@ Add to your `openclaw.json`:
 Default excludes: `**/.DS_Store`
-### Provider-specific options
-**Dropbox with app folder (recommended for security):**
-```json
-{
-  "provider": "dropbox",
-  "remotePath": "",
-  "dropbox": {
-    "appFolder": true,
-    "appKey": "your-app-key",
-    "appSecret": "your-app-secret",
-    "token": "{\"access_token\":\"...\"}"
-  }
-}
-```
-With `appFolder: true`, set `remotePath` to `""`. The app folder root is your sync root — do not repeat the app folder name in `remotePath` or rclone will fail with "directory not found."
-**Google Drive:**
-```json
-{
-  "provider": "gdrive",
-  "remotePath": "openclaw-sync",
-  "gdrive": {
-    "token": "{\"access_token\":\"...\"}",
-    "teamDrive": "0ABcDeFgHiJ",
-    "rootFolderId": "folder-id"
-  }
-}
-```
-`teamDrive` and `rootFolderId` are optional — omit them for personal Google Drive.
-**OneDrive:**
-```json
-{
-  "provider": "onedrive",
-  "remotePath": "openclaw-sync",
-  "onedrive": {
-    "token": "{\"access_token\":\"...\"}",
-    "driveId": "drive-id",
-    "driveType": "business"
-  }
-}
-```
-`driveType` can be `personal`, `business`, or `sharepoint`. Both fields are optional.
-**S3 / Cloudflare R2 / Minio:**
-```json
-{
-  "provider": "s3",
-  "remotePath": "openclaw-sync",
-  "s3": {
-    "endpoint": "https://s3.us-east-1.amazonaws.com",
-    "bucket": "your-bucket",
-    "region": "us-east-1",
-    "accessKeyId": "AKID...",
-    "secretAccessKey": "SECRET..."
-  }
-}
-```
-**Any rclone backend (SFTP, B2, Mega, pCloud, etc.):**
-```json
-{
-  "provider": "custom",
-  "remotePath": "openclaw-sync",
-  "custom": {
-    "rcloneType": "sftp",
-    "rcloneOptions": {
-      "host": "example.com",
-      "user": "deploy",
-      "key_file": "/path/to/key"
-    }
-  }
-}
-```
-The `custom` provider accepts any [rclone backend type](https://rclone.org/overview/) and passes `rcloneOptions` directly to the rclone config. This gives you config-driven access to all 70+ providers without manually editing `rclone.conf`.
-## CLI commands
+### Sync CLI commands
 ```bash
 # Interactive setup wizard
@@ -432,9 +294,9 @@ openclaw workspace-sync authorize --provider gdrive
 openclaw workspace-sync list
 ```
-## Auto-sync
+### Auto-sync
-### Session hooks
+#### Session hooks
 Sync automatically when sessions start or end. These run during existing agent activity and incur zero LLM cost:
@@ -445,7 +307,7 @@ Sync automatically when sessions start or end. These run during existing agent a
 }
 ```
-### Periodic background sync
+#### Periodic background sync
 Set `interval` to enable automatic background sync (in seconds):
@@ -460,72 +322,54 @@ The gateway runs sync in the background at this interval. Minimum interval is 60
 In `mailbox` mode, periodic sync pushes the workspace to the cloud and drains the `_outbox`. In `mirror` mode, periodic sync pulls the latest workspace state down to local. In `bisync` mode, it runs a full bidirectional sync.
-### External cron (alternative)
+#### External cron (alternative)
 ```bash
 # Add to crontab (crontab -e)
 */5 * * * * openclaw workspace-sync sync >> /var/log/openclaw-sync.log 2>&1
 ```
-## Supported providers
+### Before your first sync
-| Provider | Config value | Auth method | Config-driven |
-|----------|-------------|-------------|---------------|
-| Dropbox | `dropbox` | OAuth token | Full (token, appKey, appSecret, appFolder) |
-| Google Drive | `gdrive` | OAuth token | Full (token, teamDrive, rootFolderId) |
-| OneDrive | `onedrive` | OAuth token | Full (token, driveId, driveType) |
-| S3/R2/Minio | `s3` | Access keys | Full (endpoint, bucket, region, credentials) |
-| Any rclone backend | `custom` | Varies | Full (rcloneType + rcloneOptions) |
-All providers are fully config-driven — no manual `rclone.conf` editing needed. The `custom` provider gives access to all [70+ rclone backends](https://rclone.org/overview/) (SFTP, B2, Mega, pCloud, Azure Blob, etc.).
+Getting the initial state right prevents data loss. Each mode has different requirements:
-## Manual setup (without wizard)
+#### `mailbox` mode — starting state
-If you prefer to skip the interactive wizard, configure the plugin in `openclaw.json` and use the CLI:
+The first sync **pushes** your local workspace to the cloud. This means rclone makes cloud match local exactly — any files on cloud that don't exist locally will be **deleted**.
-```bash
-# 1. Authorize with your cloud provider
-openclaw workspace-sync authorize --provider dropbox
+**Recommended starting state:** Local workspace is the source of truth (the agent has been writing here), or local and remote are already identical.
-# 2. Run a dry-run to preview what will sync
-openclaw workspace-sync sync --dry-run
+**If remote is the source of truth** (e.g. you've been syncing manually or switching from another mode), pull first:
-# 3. Run the first sync
-openclaw workspace-sync sync
+```bash
+rclone sync <remote>:<path> /data/workspace/ --config <config-path> \
+  --exclude '**/.DS_Store' --exclude '**/.git/**' \
+  --exclude '**/__pycache__/**' --exclude '**/node_modules/**' \
+  --verbose
 ```
-The plugin handles rclone installation, config generation, and token storage automatically based on your `openclaw.json` settings.
+Then verify local matches remote before enabling the plugin.
-## Dropbox app folder access (recommended)
+#### `mirror` mode — starting state
-For better security, create a scoped Dropbox app that only accesses a single folder:
+The first sync **pulls** from cloud to local. Local can be empty, stale, or corrupted — the pull simply overwrites it. **No preparation needed.**
-1. Go to [Dropbox App Console](https://www.dropbox.com/developers/apps)
-2. Click **Create app** > **Scoped access** > **App folder**
-3. Name it (e.g., `openclaw-sync`)
-4. In **Settings** tab, add a **Redirect URI**: `http://localhost:53682/`
-   - This is required for rclone's OAuth flow to work. Without it, Dropbox returns "Invalid redirect_uri" during authorization.
-5. In **Permissions** tab, enable:
-   - `files.metadata.read` / `files.metadata.write`
-   - `files.content.read` / `files.content.write`
-6. Copy **App key** and **App secret** from Settings
+#### `bisync` mode — starting state
-> **Important:** When using an app folder scoped app, set `"remotePath": ""` (empty string) in your config. The app folder **is** the root — rclone sees it as `/`. If you set `remotePath` to your app folder name (e.g., `"openclaw-sync"`), rclone will look for a subfolder *inside* the app folder with that name and fail with "directory not found."
+The first sync requires `--resync`, which copies everything from both sides to the other. Any stale or unwanted files on either side will propagate.
-Benefits:
-- Token only accesses one folder, not your entire Dropbox
-- If token is compromised, blast radius is limited
-- Clean separation — sync folder lives under `Apps/<your-app-name>/`
+**Recommended starting state:** Both sides are identical, or one side is empty and the other has the data you want. Verify both before running `--resync`.
-### Dropbox rate limiting
+#### General first-sync checklist
-Dropbox enforces API rate limits (`too_many_requests`). If your workspace has many files (10k+), each sync cycle can consume a large number of API calls just for checking. To avoid hitting limits:
+1. Run a `--dry-run` first to see what would happen: `openclaw workspace-sync sync --dry-run`
+2. Check the output for unexpected deletions
+3. If everything looks right, run the actual sync
+4. Only then enable periodic sync (`interval` in config)
-- **Set `interval` high enough** for the sync to complete between cycles. A workspace with ~40k files takes ~2 minutes to scan. An `interval` of 180 (3 min) is the minimum; 300 (5 min) is safer.
-- **Use `exclude` patterns liberally** — skip `node_modules`, `.git`, `__pycache__`, build output, and anything you don't need synced. Fewer files = fewer API calls.
-- **If you see `too_many_requests` errors** in the logs, increase the interval and add more excludes.
+> For maintenance, recovery, and common problems, see [TROUBLESHOOTING.md](./TROUBLESHOOTING.md).
-## Understanding sync safety
+### Sync safety
 Cloud sync involves two copies of your data. When things go wrong, one side can overwrite the other. Here is what to keep in mind:
@@ -545,7 +389,7 @@ Cloud sync involves two copies of your data. When things go wrong, one side can
 > For recovery procedures, mode switching, and maintenance tips, see [TROUBLESHOOTING.md](./TROUBLESHOOTING.md).
-## Important: `--resync` is destructive (bisync only)
+#### Important: `--resync` is destructive (bisync only)
 **Never use `--resync` unless you know exactly what it does.** The `--resync` flag tells rclone to throw away its knowledge of what has changed and do a full reconciliation — it copies every file that exists on either side to the other side. This means:
@@ -560,15 +404,15 @@ Normal bisync (without `--resync`) only transfers files that changed since the l
 openclaw workspace-sync sync --resync
 ```
-## Troubleshooting
+### Sync troubleshooting
-### Token expired
+#### Token expired
 ```bash
 openclaw workspace-sync authorize
 ```
-### Conflicts (bisync only)
+#### Conflicts (bisync only)
 Files modified on both sides get a `.conflict` suffix. The winner is determined by `conflictResolve` (default: `newer`). To find conflict files:
@@ -576,7 +420,7 @@ Files modified on both sides get a `.conflict` suffix. The winner is determined
 find <workspace>/shared -name "*.conflict"
 ```
-### Stale lock files
+#### Stale lock files
 The plugin automatically handles stale rclone lock files. If a sync is interrupted (timeout, crash, kill), the next run detects the stale lock, clears it, and retries. Lock files older than 15 minutes are treated as expired by rclone's `--max-lock` flag.
@@ -586,7 +430,7 @@ If you still see lock errors, you can manually clear them:
 rclone deletefile ~/.cache/rclone/bisync/<lockfile>.lck
 ```
-### Sync times out
+#### Sync times out
 Increase the `timeout` config (in seconds). The default is 1800 (30 min). For large workspaces:
@@ -596,28 +440,21 @@ Increase the `timeout` config (in seconds). The default is 1800 (30 min). For la
 }
 ```
-### Permission errors
+#### Permission errors
 ```bash
 chmod -R 755 <workspace>/shared
 ```
-## Deployment recommendations
-If you are running OpenClaw on a cloud container (Fly.io, Railway, Render) or a VPS:
+#### Dropbox rate limiting
-- **Use a separate persistent volume for the workspace.** Container root filesystems are ephemeral — a redeploy wipes everything. Mount a dedicated volume (e.g., Fly.io volumes, EBS, DigitalOcean block storage) at your workspace path so data survives deploys and restarts.
-- **Enable daily volume snapshots.** Most cloud providers offer automated snapshots (Fly.io does this by default with 5-day retention). If something goes wrong — a bad sync, accidental deletion, or a failed reorganization — a recent snapshot lets you restore in minutes instead of rebuilding from scratch.
-- **Test your restore process.** A backup you have never restored is a backup you do not have. Create a volume from a snapshot at least once to confirm the process works and you know the steps.
-These recommendations apply regardless of whether you use this plugin. Cloud sync adds convenience but is not a substitute for proper backups.
+Dropbox enforces API rate limits (`too_many_requests`). If your workspace has many files (10k+), each sync cycle can consume a large number of API calls just for checking. To avoid hitting limits:
-## Security notes
+- **Set `interval` high enough** for the sync to complete between cycles. A workspace with ~40k files takes ~2 minutes to scan. An `interval` of 180 (3 min) is the minimum; 300 (5 min) is safer.
+- **Use `exclude` patterns liberally** — skip `node_modules`, `.git`, `__pycache__`, build output, and anything you don't need synced. Fewer files = fewer API calls.
+- **If you see `too_many_requests` errors** in the logs, increase the interval and add more excludes.
-- **Token storage**: rclone tokens are stored in `rclone.conf` with `0600` permissions
-- **Sensitive files**: Don't sync secrets, API keys, or credentials
-- **Encryption**: Consider [rclone crypt](https://rclone.org/crypt/) for sensitive data
-- **App folder**: Use Dropbox app folder access for minimal permissions
+---
 ## Encrypted backups
@@ -653,32 +490,6 @@ flowchart TD
 > **Disk-constrained?** Because backups stream directly, you don't need any free disk space for the backup itself. Only the restore downloads to a staging directory.
-### Configuration
-Add `sync` and `backup` blocks to your plugin config. The backup provider can differ from your sync provider — sync to Dropbox for live mirror, backup to S3 for disaster recovery:
-```json
-{
-  "sync": {
-    "provider": "dropbox",
-    "mode": "mailbox",
-    "remotePath": "",
-    "interval": 180
-  },
-  "backup": {
-    "enabled": true,
-    "provider": "s3",
-    "bucket": "my-backups",
-    "prefix": "habibi/",
-    "interval": 86400,
-    "encrypt": true,
-    "passphrase": "${BACKUP_PASSPHRASE}",
-    "include": ["workspace", "config", "cron", "memory"],
-    "retain": { "daily": 7, "weekly": 4 }
-  }
-}
-```
 ### Backup config reference
 | Key | Type | Default | Description |
@@ -714,7 +525,7 @@ Add `sync` and `backup` blocks to your plugin config. The backup provider can di
 Default: `["workspace", "config", "cron", "memory"]`
-### CLI commands
+### Backup CLI commands
 ```bash
 # Create a backup now
@@ -740,7 +551,7 @@ openclaw workspace-sync backup status
 By default, `restore` extracts to a staging directory (`~/.openclaw/.backup-restore/`), not directly over your live workspace. This lets you inspect the contents before copying them into place. Use `--to` to control where files land.
-### Provider examples
+### Backup provider examples
 **Cloudflare R2 (free tier: 10GB):**
@@ -801,6 +612,148 @@ By default, `restore` extracts to a staging directory (`~/.openclaw/.backup-rest
 }
 ```
+---
+## Provider-specific options
+These provider blocks work for both sync and backup. Place them inside the `sync` or `backup` config block as needed.
+**Dropbox with app folder (recommended for security):**
+```json
+{
+  "provider": "dropbox",
+  "remotePath": "",
+  "dropbox": {
+    "appFolder": true,
+    "appKey": "your-app-key",
+    "appSecret": "your-app-secret",
+    "token": "{\"access_token\":\"...\"}"
+  }
+}
+```
+With `appFolder: true`, set `remotePath` to `""`. The app folder root is your sync root — do not repeat the app folder name in `remotePath` or rclone will fail with "directory not found."
+**Google Drive:**
+```json
+{
+  "provider": "gdrive",
+  "remotePath": "openclaw-sync",
+  "gdrive": {
+    "token": "{\"access_token\":\"...\"}",
+    "teamDrive": "0ABcDeFgHiJ",
+    "rootFolderId": "folder-id"
+  }
+}
+```
+`teamDrive` and `rootFolderId` are optional — omit them for personal Google Drive.
+**OneDrive:**
+```json
+{
+  "provider": "onedrive",
+  "remotePath": "openclaw-sync",
+  "onedrive": {
+    "token": "{\"access_token\":\"...\"}",
+    "driveId": "drive-id",
+    "driveType": "business"
+  }
+}
+```
+`driveType` can be `personal`, `business`, or `sharepoint`. Both fields are optional.
+**S3 / Cloudflare R2 / Minio:**
+```json
+{
+  "provider": "s3",
+  "remotePath": "openclaw-sync",
+  "s3": {
+    "endpoint": "https://s3.us-east-1.amazonaws.com",
+    "bucket": "your-bucket",
+    "region": "us-east-1",
+    "accessKeyId": "AKID...",
+    "secretAccessKey": "SECRET..."
+  }
+}
+```
+**Any rclone backend (SFTP, B2, Mega, pCloud, etc.):**
+```json
+{
+  "provider": "custom",
+  "remotePath": "openclaw-sync",
+  "custom": {
+    "rcloneType": "sftp",
+    "rcloneOptions": {
+      "host": "example.com",
+      "user": "deploy",
+      "key_file": "/path/to/key"
+    }
+  }
+}
+```
+The `custom` provider accepts any [rclone backend type](https://rclone.org/overview/) and passes `rcloneOptions` directly to the rclone config. This gives you config-driven access to all 70+ providers without manually editing `rclone.conf`.
+### Supported providers
+| Provider | Config value | Auth method | Config-driven |
+|----------|-------------|-------------|---------------|
+| Dropbox | `dropbox` | OAuth token | Full (token, appKey, appSecret, appFolder) |
+| Google Drive | `gdrive` | OAuth token | Full (token, teamDrive, rootFolderId) |
+| OneDrive | `onedrive` | OAuth token | Full (token, driveId, driveType) |
+| S3/R2/Minio | `s3` | Access keys | Full (endpoint, bucket, region, credentials) |
+| Any rclone backend | `custom` | Varies | Full (rcloneType + rcloneOptions) |
+All providers are fully config-driven — no manual `rclone.conf` editing needed. The `custom` provider gives access to all [70+ rclone backends](https://rclone.org/overview/) (SFTP, B2, Mega, pCloud, Azure Blob, etc.).
+### Dropbox app folder access (recommended)
+For better security, create a scoped Dropbox app that only accesses a single folder:
+1. Go to [Dropbox App Console](https://www.dropbox.com/developers/apps)
+2. Click **Create app** > **Scoped access** > **App folder**
+3. Name it (e.g., `openclaw-sync`)
+4. In **Settings** tab, add a **Redirect URI**: `http://localhost:53682/`
+   - This is required for rclone's OAuth flow to work. Without it, Dropbox returns "Invalid redirect_uri" during authorization.
+5. In **Permissions** tab, enable:
+   - `files.metadata.read` / `files.metadata.write`
+   - `files.content.read` / `files.content.write`
+6. Copy **App key** and **App secret** from Settings
+> **Important:** When using an app folder scoped app, set `"remotePath": ""` (empty string) in your config. The app folder **is** the root — rclone sees it as `/`. If you set `remotePath` to your app folder name (e.g., `"openclaw-sync"`), rclone will look for a subfolder *inside* the app folder with that name and fail with "directory not found."
+Benefits:
+- Token only accesses one folder, not your entire Dropbox
+- If token is compromised, blast radius is limited
+- Clean separation — sync folder lives under `Apps/<your-app-name>/`
+---
+## Deployment recommendations
+If you are running OpenClaw on a cloud container (Fly.io, Railway, Render) or a VPS:
+- **Use a separate persistent volume for the workspace.** Container root filesystems are ephemeral — a redeploy wipes everything. Mount a dedicated volume (e.g., Fly.io volumes, EBS, DigitalOcean block storage) at your workspace path so data survives deploys and restarts.
+- **Enable daily volume snapshots.** Most cloud providers offer automated snapshots (Fly.io does this by default with 5-day retention). If something goes wrong — a bad sync, accidental deletion, or a failed reorganization — a recent snapshot lets you restore in minutes instead of rebuilding from scratch.
+- **Test your restore process.** A backup you have never restored is a backup you do not have. Create a volume from a snapshot at least once to confirm the process works and you know the steps.
+- **Use encrypted backups for off-site disaster recovery.** Volume snapshots protect against accidental deletes, but not against provider outages or account issues. Streaming encrypted backups to a separate provider (e.g., R2, B2) gives you a fully independent recovery path.
+## Security notes
+- **Token storage**: rclone tokens are stored in `rclone.conf` with `0600` permissions
+- **Sensitive files**: Don't sync secrets, API keys, or credentials
+- **Encryption**: Backups support AES-256 client-side encryption. For sync, consider [rclone crypt](https://rclone.org/crypt/) for sensitive data.
+- **App folder**: Use Dropbox app folder access for minimal permissions
+- **Passphrase safety**: Use environment variables (`${BACKUP_PASSPHRASE}`) — never hardcode passphrases in config files
 ## Development
 ```bash