squad-openclaw 2026.2.2003 → 2026.2.2004

package/README.md

@@ -31,7 +31,7 @@ These directories are **completely blocked** from all filesystem operations (rea
 
 | Path | Reason |
 |---|---|
-| `~/.openclaw/squad-ceo-data/squad-relay.json` | Contains ed25519 private key for relay device identity |
+| `~/.openclaw/squad-ceo-data/relay/squad-relay.json` | Contains ed25519 private key for relay device identity |
 | `~/.openclaw/*.bak` | Backup files at the top level contain unredacted config (tokens, keys) that would bypass redaction |
 
 ### Layer 2: Redacted Files (hardcoded, non-configurable)
@@ -60,7 +60,7 @@ Operators can customize via the `fs.allowedRoots` config option.
 These files/directories cannot be written to, even if they fall within `allowedRoots`:
 
 - `~/.openclaw/openclaw.json` — operator configuration (read-only with redaction)
-- `~/.openclaw/squad-ceo-data/squad-relay.json` — relay device private key
+- `~/.openclaw/squad-ceo-data/relay/squad-relay.json` — relay device private key
 - All blocked directories above (credentials, devices, identity)
 - All `.bak` files at `~/.openclaw/` top level
 

package/dist/index.d.ts

@@ -21,11 +21,11 @@
  * │  REDACTED on read (sensitive fields replaced with "[REDACTED]"):       │
  * │    • ~/.openclaw/openclaw.json → channel.*.botToken                    │
  * │    • ~/.openclaw/openclaw.json → gateway.auth.*                        │
- * │    • squad-ceo-data/squad-relay.json → deviceKeys.privateKeyPem        │
+ * │    • squad-ceo-data/relay/squad-relay.json → deviceKeys.privateKeyPem   │
  * │                                                                         │
  * │  WRITE-PROTECTED (no writes, deletes, or renames):                      │
  * │    • ~/.openclaw/openclaw.json                                          │
- * │    • squad-ceo-data/squad-relay.json                                    │
+ * │    • squad-ceo-data/relay/squad-relay.json                               │
  * │    • All blocked directories above                                      │
  * │                                                                         │
  * │  The bundle is NOT minified to allow security auditing of the           │

package/dist/index.js

@@ -370,7 +370,7 @@ var SENSITIVE_BLOCKED_DIRS = [
   path2.join(OPENCLAW_DIR, "identity")
 ];
 var SENSITIVE_BLOCKED_FILES = [
-  path2.join(OPENCLAW_DIR, "squad-ceo-data", "squad-relay.json")
+  path2.join(OPENCLAW_DIR, "squad-ceo-data", "relay", "squad-relay.json")
 ];
 function isSensitivePath(resolvedPath) {
   for (const blocked of SENSITIVE_BLOCKED_DIRS) {
@@ -1220,6 +1220,11 @@ import fs5 from "fs";
 import path5 from "path";
 import { fileURLToPath } from "url";
 var PACKAGE_NAME = "squad-openclaw";
+var CONFIG_PATH = path5.join(
+  process.env.HOME ?? "/root",
+  ".openclaw",
+  "openclaw.json"
+);
 function getCurrentVersion() {
   const thisFile = fileURLToPath(import.meta.url);
   const pkgPath = path5.resolve(path5.dirname(thisFile), "..", "package.json");
@@ -1279,6 +1284,18 @@ function registerVersionMethods(api) {
       try {
         const before = getCurrentVersion();
         let updateOutput = "";
+        let configBackup = null;
+        try {
+          configBackup = fs5.readFileSync(CONFIG_PATH, "utf-8");
+        } catch {
+        }
+        try {
+          execSync2("openclaw doctor --fix 2>&1", {
+            timeout: 3e4,
+            encoding: "utf-8"
+          });
+        } catch {
+        }
         try {
           updateOutput = execSync2(
             `openclaw plugins update ${PACKAGE_NAME} 2>&1`,
@@ -1291,6 +1308,12 @@ function registerVersionMethods(api) {
               { timeout: 12e4, encoding: "utf-8" }
             );
           } catch (npmErr) {
+            if (configBackup) {
+              try {
+                fs5.writeFileSync(CONFIG_PATH, configBackup, "utf-8");
+              } catch {
+              }
+            }
             const msg = npmErr instanceof Error ? npmErr.message : String(npmErr);
             respond(false, {
               error: `Update failed: ${msg}`,
@@ -1423,7 +1446,7 @@ function readOperatorToken() {
     return null;
   }
 }
-var RELAY_DATA_DIR = path6.join(os.homedir(), ".openclaw", "squad-ceo-data");
+var RELAY_DATA_DIR = path6.join(os.homedir(), ".openclaw", "squad-ceo-data", "relay");
 var RELAY_STATE_PATH = path6.join(RELAY_DATA_DIR, "squad-relay.json");
 function readRelayState() {
   try {
@@ -1460,7 +1483,7 @@ function loadOrCreateRelayDeviceKeys() {
 }
 function writeDeviceInfoFile(keys) {
   const stateDir = process.env.OPENCLAW_STATE_DIR || path6.join(os.homedir(), ".openclaw");
-  const infoPath = path6.join(stateDir, "squad-ceo-data", "relay-device-info.json");
+  const infoPath = path6.join(stateDir, "squad-ceo-data", "relay", "relay-device-info.json");
   const info = {
     deviceId: keys.deviceId,
     publicKey: keys.publicKey,

package/openclaw.plugin.json

@@ -10,7 +10,7 @@
         "type": "array",
         "items": { "type": "string" },
         "default": ["~/.openclaw"],
-        "description": "Restrict filesystem operations to these directories. Defaults to [\"~/.openclaw\"]. Hardcoded blocks on credentials/, devices/, identity/, squad-relay.json, and .bak files always apply."
+        "description": "Restrict filesystem operations to these directories. Defaults to [\"~/.openclaw\"]. Hardcoded blocks on credentials/, devices/, identity/, relay/squad-relay.json, and .bak files always apply."
       },
       "relay.enabled": {
         "type": "boolean",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "squad-openclaw",
-  "version": "2026.2.2003",
+  "version": "2026.2.2004",
   "description": "Entity registry, filesystem tools, and version management plugin for OpenClaw gateway",
   "type": "module",
   "main": "./dist/index.js",