swarm-zap/memory/ops/2026-03-04-git-workflow.md

# Session: 2026-03-04 23:30:26 UTC

- **Session Key**: agent:main:main
- **Session ID**: 8e27dc5c-a962-4c29-b6be-2973dafd8c65
- **Source**: gateway:sessions.reset

## Conversation Summary

user: Sender (untrusted metadata):
```json
{
  "label": "openclaw-tui (gateway-client)",
  "id": "gateway-client",
  "name": "openclaw-tui",
  "username": "openclaw-tui"
}
```

[Wed 2026-03-04 23:14 UTC] Also, we want to merge rebase, add this to the instructions
assistant: [[reply_to_current]] Done — added ✅

I updated the instructions to enforce:

- **Rebase-first workflow** (`git pull --rebase`)
- **Rebase onto latest `origin/main` before push/PR**
- **Preferred PR merge mode: Rebase and merge**
- Avoid merge commits unless explicitly needed

Updated files:
- `AGENTS.md`
- `scripts/openclaw-upstream-workflow.md`

Committed on workspace branch:
- `b36ab89`
- `docs(workflow): require rebase-first + rebase-and-merge policy`
user: Sender (untrusted metadata):
```json
{
  "label": "openclaw-tui (gateway-client)",
  "id": "gateway-client",
  "name": "openclaw-tui",
  "username": "openclaw-tui"
}
```

[Wed 2026-03-04 23:18 UTC] Also, when we rebase we need to delete the feature/fix branch...
assistant: [[reply_to_current]] Agreed — added ✅

I updated the instructions to require branch cleanup after rebase-merge:

- **`AGENTS.md`**: policy now says feature/fix branches are temporary and must be deleted after merge.
- **`scripts/openclaw-upstream-workflow.md`**: added a **Post-merge branch cleanup (required)** section with commands for:
  - updating `main`
  - deleting remote branch
  - deleting local branch
  - safe note about `-D` only when needed

Committed as:
- `49f9c0c`
- `docs(workflow): require branch deletion after rebase-merge`
user: Sender (untrusted metadata):
```json
{
  "label": "openclaw-tui (gateway-client)",
  "id": "gateway-client",
  "name": "openclaw-tui",
  "username": "openclaw-tui"
}
```

[Wed 2026-03-04 23:21 UTC] Check updates for OpenClaw git upstream
assistant: [[reply_to_current]] Checked.

- **OpenClaw runtime update status:** stable channel, latest is **2026.3.2** (no update available via `openclaw update status`).
- **Git upstream (`external/openclaw-upstream`)**:
  - `main` is **fully up to date** with `origin/main` (`ahead/behind: 0/0`).
  - Your working branch `fix/tui-hide-internal-runtime-context` is **1 commit ahead** of `origin/main` (the TUI fix commit), as expected.
user: Sender (untrusted metadata):
```json
{
  "label": "openclaw-tui (gateway-client)",
  "id": "gateway-client",
  "name": "openclaw-tui",
  "username": "openclaw-tui"
}
```

[Wed 2026-03-04 23:23 UTC] Let's make sure we fetch upstream before implementing, that make sense?
assistant: [[reply_to_current]] Yep — 100% makes sense. That should be the default habit.

I’ve already baked that into the workflow docs (`git fetch --all --prune` + update `main` before branch work), but we can make it even stricter:

- **Rule:** no code changes until fetch+sync succeeds.
- **Preflight command block:**
  - `git fetch --all --prune`
  - `git checkout main`
  - `git pull --rebase`
  - verify clean state, then branch.

If you want, I’ll add a tiny `scripts/openclaw-upstream-preflight.sh` that enforces this automatically.
user: Sender (untrusted metadata):
```json
{
  "label": "openclaw-tui (gateway-client)",
  "id": "gateway-client",
  "name": "openclaw-tui",
  "username": "openclaw-tui"
}
```

[Wed 2026-03-04 23:24 UTC] Sure
user: You are running a boot check. Follow BOOT.md instructions exactly.

BOOT.md:
# BOOT.md

On gateway startup, run a silent security + readiness check for this workspace.

## Startup checklist

1. Confirm core workspace files exist:
   - `AGENTS.md`, `SOUL.md`, `USER.md`, `TOOLS.md`, `HEARTBEAT.md`
2. Confirm required local skill folders exist:
   - `skills/searxng-local-search`
   - `skills/telegram-ops`
   - `skills/homelab-service-health`
   - `skills/task-capture-and-followup`
   - `skills/daily-brief`
   - `skills/calendar-sentinel`
   - `skills/inbox-triage`
3. Ensure task state exists:
   - `memory/tasks.json` (create `[]` if missing)

## Security checks

4. Check internal hooks enabled state:
   - `session-memory`
   - `command-logger`
   - `bootstrap-extra-files`
   - `boot-md`
   - if any are disabled/missing, record warning with exact hook name
5. Check permissions:
   - `~/.openclaw` should be `700`
   - credential files under `~/.openclaw/credentials/` should be `600`
   - if drift is found, log it as warning; do not auto-fix unless explicitly requested later
6. Check network exposure:
   - verify gateway is not unexpectedly exposed on `0.0.0.0`
   - capture a compact listener snapshot for OpenClaw-related ports
7. Check expected-service posture:
   - expected local services should be present/reachable (OpenClaw runtime + documented core services)
   - flag unexpected listeners only when confidence is high
8. Check backup signal freshness:
   - verify `memory/minio-backup.log` contains `Backup complete:` within last 8 hours
9. Check security-audit freshness:
   - verify a recent `openclaw security audit --deep` result exists (target: within 24 hours)
   - if stale/missing, record reminder (warning level)
10. Check update status:
   - run/read `openclaw update status`
   - record whether update is available

## State recording

11. Write/update machine-readable status file: `memory/startup-health.json` with:
    - `last_run_utc`
    - `status` (`ok|warn|critical`)
    - `checks_passed` (array)
    - `checks_failed` (array)
    - `warnings` (array)
    - `gateway_exposure` (e.g., `local-only|public|unknown`)
    - `last_backup_age_hours`
    - `last_security_audit_age_hours`
    - `update_status` (short text)
12. Write/update `memory/boot-last-run.json` with UTC timestamp + overall status.

## Notification policy

13. Stay silent when status is `ok` or non-actionable `warn`.
14. Send one short proactive alert only for **critical** conditions:
    - credential permission drift on sensitive files,
    - unexpected public exposure of gateway,
    - backup signal stale/missing beyond threshold,
    - missing critical workspace files preventing normal operation.

## Critical issue logging

If any warning/critical issue is found, append a concise line to `memory/startup-health.md` with UTC timestamp, failing check, and suggested fix.

If BOOT.md asks you to send a message, use the message tool (action=send with channel + target).
Use the `target` field (not `to`) for message tool destinations.
After sending with the message tool, reply with ONLY: NO_REPLY.
If nothing needs attention, reply with ONLY: NO_REPLY.
user: Sender (untrusted metadata):
```json
{
  "label": "openclaw-tui (gateway-client)",
  "id": "gateway-client",
  "name": "openclaw-tui",
  "username": "openclaw-tui"
}
```

[Wed 2026-03-04 23:25 UTC] done?
assistant: [[reply_to_current]] Almost.

- ✅ **Done:** instructions now explicitly require fetch/sync before coding.
- ❌ **Not done yet:** I haven’t added the optional auto-enforcing preflight script.

If you want, I can add that script now in one quick commit.
user: Sender (untrusted metadata):
```json
{
  "label": "openclaw-tui (gateway-client)",
  "id": "gateway-client",
  "name": "openclaw-tui",
  "username": "openclaw-tui"
}
```

[Wed 2026-03-04 23:27 UTC] Finish the script and commit
assistant: NO_REPLY
assistant: [[reply_to_current]] Done — finished and committed.

### ✅ Added script
- `scripts/openclaw-upstream-preflight.sh`

What it does:
- Verifies `external/openclaw-upstream` exists
- Runs:
  - `git fetch --all --prune`
  - `git checkout main`
  - `git pull --rebase`
- Refuses to proceed if `main` isn’t clean
- Optional branch arg:
  - creates branch if missing
  - or switches + rebases existing branch onto `origin/main`

Usage:
```bash
scripts/openclaw-upstream-preflight.sh
scripts/openclaw-upstream-preflight.sh fix/my-change
```

### ✅ Docs wired
- `AGENTS.md`
- `scripts/openclaw-upstream-workflow.md`

### ✅ Commit
- `d31bb80`
- `chore(workflow): add upstream preflight sync script`