docs: improve safe-mode agent instructions for token updates and OAuth re-auth

[dfrysinger]

Summary

During a safe-mode recovery session, two documentation gaps caused extended debugging:

Issue 1: Token Updates - Missing habitat-parsed.env

Current state: TOOLS.md mentions /etc/habitat-parsed.env in Key Paths but doesn't explain its role.

Problem: When Discord bot tokens are regenerated, the safe-mode agent only updated ~/.openclaw/openclaw.full.json. However, recovery scripts read tokens from /etc/habitat-parsed.env, causing repeated fallback to safe mode.

Proposed fix: Add a section explaining:

• Both files must be updated when tokens change
• habitat-parsed.env is the source of truth for safe-mode-recovery.sh
• Step-by-step commands for updating both files

Issue 2: OAuth Re-auth - Hidden tmux session

Current state: TOOLS.md shows using tmux new-session -d for the OAuth wizard.

Problem: The -d flag creates a detached (hidden) session. The user couldn't see the wizard on their RDP desktop, and the callback flow failed because the terminal wasn't visible.

Proposed fix:

• Clarify that the terminal must be VISIBLE on DISPLAY=:10
• Use xfce4-terminal or xterm instead of detached tmux
• Add warning about the -d flag

Files affected

• /usr/local/bin/setup-safe-mode-workspace.sh (generates TOOLS.md)
• Or wherever safe-mode workspace templates are stored

Context

This came from a real debugging session where the safe-mode agent spent ~45 minutes troubleshooting these issues. Clear documentation would have resolved them in minutes.

Happy to provide full updated TOOLS.md content if helpful.

[dfrysinger]

Additional Gap: Clearing the Safe Mode Flag

The current documentation is missing a critical step: after fixing the underlying issue, you MUST clear the safe mode flag or recovery will keep running in a loop.

The flag:

/var/lib/init-status/safe-mode   # or safe-mode-<group> for session isolation

The problem: Even after fixing tokens/OAuth, if this flag exists:

1. Health check runs via gateway-e2e-check.sh
2. Any failure (including deleted agents still in state machine) triggers recovery
3. Recovery rebuilds config from habitat-parsed.env
4. Your fixes may get overwritten → loop repeats

Proposed addition to TOOLS.md:

# REQUIRED after any fix - clear the safe mode flag
sudo rm -f /var/lib/init-status/safe-mode
echo 0 | sudo tee /var/lib/init-status/recovery-attempts

# Also reset state machine if it has stale agent expectations
openclaw-state.sh set --state RUNNING --reason "Manual recovery complete"

This should be prominently documented as part of the exit procedure, not buried in a code block.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[clawsweeper]

Closing this as not actionable in this repository after Codex automated review.

The requested safe-mode recovery documentation is valid operational feedback, but the named recovery generator, habitat token source, recovery scripts, and safe-mode flag workflow are not present in current openclaw/openclaw. Current main only owns generic workspace TOOLS.md templates and normal OAuth/auth-profile docs, so the actionable fix belongs in the external safe-mode installer/operations surface that generates that recovery workspace rather than in this repository.

Best possible solution:

Close this issue in openclaw/openclaw and move the requested instructions to the owner of the safe-mode installer/operations script that generates the recovery workspace. If safe-mode recovery becomes an OpenClaw-supported feature later, add a dedicated public docs page and template contract in this repo instead of putting habitat-specific recovery steps into the generic TOOLS.md template.

What I checked:

• Issue discussion targets external safe-mode recovery artifacts: Issue docs: improve safe-mode agent instructions for token updates and OAuth re-auth #37659 and its follow-up describe updating a generated safe-mode workspace TOOLS.md plus habitat/init-status recovery files and scripts; related OAuth renewal doesn't update auth-profiles.provisioned.json, causing recovery loops #38336 similarly discusses build-full-config.sh and safe-mode-recovery.sh. Those artifacts do not map to files in current openclaw/openclaw.
• Requested safe-mode artifacts are absent from the repo: A targeted search of current main found no repo-owned safe-mode recovery generator or habitat/init-status/provisioned-auth workflow terms; tracked matching files are only generic workspace/docs/tool files. (631552c55409)
• Core TOOLS template is generic local notes: The repo-owned TOOLS.md template is a generic local-notes template for cameras, SSH aliases, voices, speakers, and device nicknames, not safe-mode recovery steps. Public docs: docs/reference/templates/TOOLS.md. (docs/reference/templates/TOOLS.md:8, 631552c55409)
• Dev TOOLS template is also generic: The dev template says it is for user notes about external tools and conventions and does not define safe-mode recovery, token-source repair, OAuth re-auth visibility, or recovery flag cleanup. Public docs: docs/reference/templates/TOOLS.dev.md. (docs/reference/templates/TOOLS.dev.md:9, 631552c55409)
• Workspace bootstrap loads repo templates only: OpenClaw workspace bootstrap resolves templates from the packaged template directory and loads them by name; the repo-owned template surface is docs/reference/templates, not the external safe-mode generator named in the issue. (src/agents/workspace.ts:102, 631552c55409)
• OAuth docs describe current core auth storage, not the external recovery contract: The OAuth concept doc describes auth-profiles.json as the OpenClaw token sink and storage model; it does not document a provisioned golden copy, habitat token source, visible safe-mode OAuth re-auth, or clearing a safe-mode recovery flag. Public docs: docs/concepts/oauth.md. (docs/concepts/oauth.md:52, 631552c55409)

So I’m closing this as outside the OpenClaw source repository rather than keeping it open as core work.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against 631552c55409.