Proposal: Improved Backup Design with Configurable Exclusion Rules and Service-Aware Archiving

[JIRBOY]

Summary

Propose an improved backup architecture for OpenClaw that addresses current issues with file locking, symlink handling, exclusion rule configurability, and backup size optimization.

Problem Statement

The current openclaw backup create command has several known issues:

• Bug: openclaw backup create fails with ENOENT when session file is cleaned up during backup #67417: Fails with ENOENT when session files are cleaned up during backup (race condition)
• [Bug]: openclaw backup create --verify fails with duplicate entry path when workspace contains symlinks #57515: Duplicate path errors when workspace contains symlinks
• [Feature]: Exclude node_modules from extensions in backup archive #64144: No way to exclude node_modules or other large directories from extensions
• No configurable exclusion rules — users cannot customize what gets backed up
• No service awareness — gateway remains running during backup, causing SQLite locks

Proposed Architecture

1. Service-Aware Backup Lifecycle

1. Detect locked files (SQLite, WAL files)
2. If locked → openclaw gateway stop
3. Create tar.gz archive
4. Restore → openclaw gateway start
5. If user rejects service control → fall back to best-effort with warning

This solves #67417 by eliminating the race condition between backup enumeration and session cleanup.

2. Configurable Exclusion Rules

Exclusion rules should be stored in a config file, not hardcoded:

{
  "excluded_extensions": ["log", "tmp", "pyc", "bak", "swp"],
  "excluded_folders": [
    "node_modules", ".git", "__pycache__", ".venv",
    "extensions", "browser", "delivery-queue", "flows",
    "skills-backup"
  ],
  "excluded_files": [".DS_Store", "Thumbs.db"]
}

Why this matters: Every OpenClaw installation is different. Some users have 100+ skills, some run in environments with node_modules or browser caches. Without configurability, backups either include gigabytes of rebuildable data or exclude things users actually need.

3. Symlink-Aware Traversal

Skip symbolic links and junction points entirely using FileAttributes.ReparsePoint (Windows) or lstat checks (Unix). This prevents:

• Duplicate paths in the archive ([Bug]: openclaw backup create --verify fails with duplicate entry path when workspace contains symlinks #57515)
• Infinite recursion through circular symlinks
• Unintentional backup of linked directories (e.g., projects -> /d/Research/Projects)

4. Output Format

Use tar.gz for universal compatibility:

• Zero external dependencies on most platforms
• Paths stored as absolute (e.g., C:\Users\...\) for disaster recovery
• Restore command: tar -xzf backup.tar.gz
• Compressed size typically 4-10x smaller than raw data

5. Two Backup Modes

Mode	What It Includes	Typical Size	Use Case
config-only	openclaw.json, credentials, cron jobs, skills, devices	< 5 MB	Quick migration, config backup
full	Config + workspace + memory + persona files	10-50 MB	Disaster recovery

Reference Implementation

I built a standalone tool implementing this design:

• Repository: JIRBOY/openclaw-backup
• Stack: .NET 8, zero external dependencies (System.Formats.Tar + GZipStream)
• Features: Service management (gateway stop/start), UAC auto-elevation, XML-configurable exclusions, backup rotation, dry-run mode
• Real-world results on a typical installation:
  • Naive scan: 13,400 files, 256 MB
  • With exclusion rules: 1,995 files, 8.6 MB compressed

Related Issues

• Bug: openclaw backup create fails with ENOENT when session file is cleaned up during backup #67417 — ENOENT race condition (solved by service-aware backup)
• [Bug]: openclaw backup create --verify fails with duplicate entry path when workspace contains symlinks #57515 — Symlink duplicate paths (solved by symlink-aware traversal)
• [Feature]: Exclude node_modules from extensions in backup archive #64144 — Exclude node_modules (solved by configurable exclusions)
• [Feature]: Backup & Restore for settings and migration #26515 — Backup & Restore for settings (addressed by config-only mode)
• Add backup/restore utility for config, cron jobs, and session history #13616 — Backup/restore utility (addressed by full mode)

Impact

This would give OpenClaw users:

1. Reliable backups — no more ENOENT failures or locked file errors
2. Smaller archives — configurable exclusions prevent bloated backups
3. Cross-platform restore — tar.gz works everywhere
4. Disaster recovery confidence — knowing that a single archive can restore the entire setup

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main has first-class backup create/verify plus a narrow hard-coded prune for installed plugin extensions/*/node_modules, but the central proposal is still not implemented: no configurable exclusion policy, no service-aware gateway quiesce lifecycle, no general live-file retry/skip behavior on main, and no restore/import/full-mode surface.

Reproducibility: not applicable. as one reproduction because this is a design proposal. Source, docs, tests, changelog, and related-item inspection give high-confidence proof that the requested configurable exclusions, service lifecycle, live-file resilience, and restore/full-mode surfaces remain absent.

Next step
This is valid but too broad and product-sensitive for an automated fix PR; maintainers need to decide the exclusion config shape, restore/import scope, and gateway quiesce behavior before implementation.

Review details

Best possible solution:

Keep this as the broader backup design tracker and split maintainer-approved follow-ups for exclusion config/API, archive filtering and symlink/volatile-file semantics, optional service quiescence, and restore/import disaster-recovery behavior coordinated with #13616, #54242, #67417, and #72251.

Do we have a high-confidence way to reproduce the issue?

Not applicable as one reproduction because this is a design proposal. Source, docs, tests, changelog, and related-item inspection give high-confidence proof that the requested configurable exclusions, service lifecycle, live-file resilience, and restore/full-mode surfaces remain absent.

Is this the best way to solve the issue?

No, not as one automated patch or a direct port of the standalone implementation. The maintainable path is to preserve the current TypeScript backup primitives while maintainers define the public exclusion config, quiesce semantics, and restore/import contract first.

Acceptance criteria:

• pnpm test src/infra/backup-create.test.ts src/commands/backup.test.ts src/commands/backup-verify.test.ts src/commands/backup.atomic.test.ts src/commands/backup.create-verify.test.ts src/cli/program/register.backup.test.ts
• pnpm exec oxfmt --check --threads=1 src/infra/backup-create.ts src/infra/backup-create.test.ts src/commands/backup-shared.ts src/cli/program/register.backup.ts docs/cli/backup.md

What I checked:

• Backup options remain coarse: BackupCreateOptions exposes output, dryRun, includeWorkspace, onlyConfig, verify, json, and nowMs only; there is no exclusion config, quiesce/service flag, restore/import mode, or retry control. (src/infra/backup-create.ts:26, 0fbf4636f52c)
• Archive filter is hard-coded and narrow: The only tar filter is buildExtensionsNodeModulesFilter, which skips node_modules under the state extensions/ tree; the tar call has no configurable exclusions, retry loop, or service lifecycle handling. (src/infra/backup-create.ts:284, 0fbf4636f52c)
• CLI exposes create and verify only: openclaw backup registers create with output/json/dry-run/verify/only-config/no-include-workspace and verify; no restore/import/list/exclude/quiesce command or option exists. (src/cli/program/register.backup.ts:20, 0fbf4636f52c)
• Docs document partial pruning only: Backup docs describe installed plugin node_modules pruning plus --no-include-workspace and --only-config; they do not document user-defined exclusions, gateway stop/start, restore/import, or live-file resilience. Public page: https://docs.openclaw.ai/cli/backup. (docs/cli/backup.md:56, 0fbf4636f52c)
• Tests cover partial behavior: Tests cover symlinked workspace de-duplication and the hard-coded plugin dependency filter, but not configurable exclusions, gateway quiescence, restore/import, or volatile-file retry/skip behavior on main. (src/infra/backup-create.test.ts:111, 0fbf4636f52c)
• Partial fix is recorded separately: The changelog records the installed plugin extensions/*/node_modules pruning as the fix for [Feature]: Exclude node_modules from extensions in backup archive #64144, which addresses one size problem but not the broader design request. (CHANGELOG.md:1024, 0fbf4636f52c)

Likely related people:

• vincentkoc: Current-main blame for the central backup source, CLI, docs, and tests maps through the current checkout to Vincent Koc, and local log shows recent backup test/runtime-dependency maintenance in this area. (role: recent maintainer; confidence: medium; commits: 76c327c0964a, bf6116af3fe9, c9e12cbd32ee; files: src/infra/backup-create.ts, src/infra/backup-create.test.ts, src/cli/program/register.backup.ts)
• shichangs: Local history identifies commit 0ecfd37 as the merged feat: add local backup CLI (#40163) change that introduced the current backup create/verify surface. (role: introduced backup CLI behavior; confidence: high; commits: 0ecfd37b4465; files: src/infra/backup-create.ts, src/commands/backup-shared.ts, src/commands/backup.ts)
• steipete: Local backup-path history shows multiple April backup docs/test refactors and release-adjacent maintenance by Peter Steinberger. (role: backup test/docs maintainer and release owner; confidence: medium; commits: 93801281938b, 9d26b1056ff4, 508ca72fc7f4; files: src/commands/backup.test.ts, src/commands/backup-verify.test.ts, docs/cli/backup.md)
• abnershang: Provided issue context shows an open live-file backup race PR by abnershang touching the same archiving behavior and explicitly referencing this broader design. (role: adjacent follow-up owner; confidence: medium; commits: 463428dd3d2c; files: src/infra/backup-create.ts, src/infra/backup-create.test.ts)

Remaining risk / open question:

• The exclusion config shape, restore/import scope, and gateway quiesce semantics are still product decisions rather than small mechanical repairs.
• Backup/restore work packages credentials and may stop or restart services, so any implementation slice needs explicit security and operations review.
• The open fix(backup): retry on tar EOF race and skip known volatile files #72251 live-file PR may land one race-family slice before this broader design is settled.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 0fbf4636f52c.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep this issue open. Current main has a new narrow partial for skipping installed plugin extensions/*/node_modules, but the central design remains unimplemented: there is still no user-configurable exclusion policy, no general recursive backup filter beyond that one hard-coded path class, no service-aware gateway quiesce lifecycle, no live-file retry/skip behavior on main, and no restore/import/full-mode command surface. The related #72251 remains an open partial PR for one live tar EOF race and does not supersede the broader backup design.

Required change / next step:

This is valid but too broad and product-sensitive for an automated single fix PR: it spans backup config/API/CLI design, archive semantics, service lifecycle behavior, and restore/import scope, while an open PR already handles one narrower race.

Review details

Best possible solution:

Keep the issue open as the broader backup design tracker, preserve the shipped plugin dependency pruning, and split follow-up work into maintainer-approved slices: a documented exclusion policy surface, live-file resilience, explicit quiesce/service semantics, and restore/import disaster-recovery behavior coordinated with #13616, #67417, #54242, and #72251.

Acceptance criteria:

• pnpm test src/infra/backup-create.test.ts src/commands/backup.test.ts src/commands/backup-verify.test.ts src/commands/backup.atomic.test.ts src/commands/backup.create-verify.test.ts src/cli/program/register.backup.test.ts
• pnpm exec oxfmt --check --threads=1 src/infra/backup-create.ts src/infra/backup-create.test.ts src/commands/backup-shared.ts src/cli/program/register.backup.ts docs/cli/backup.md

What I checked:

• Backup options remain coarse: BackupCreateOptions only exposes output, dryRun, includeWorkspace, onlyConfig, verify, json, and nowMs; there is no exclude config, exclude CLI option, mode selector, quiesce/service lifecycle flag, or retry option in the public create path. (src/infra/backup-create.ts:26, acae48b790fa)
• Only hard-coded plugin dependency pruning exists: Current main adds buildExtensionsNodeModulesFilter, which skips nested node_modules only under the state extensions/ tree, then passes that filter to a single tar.c call. This addresses [Feature]: Exclude node_modules from extensions in backup archive #64144-style bloat but is not a configurable exclusion system and does not add retries or service control. (src/infra/backup-create.ts:284, acae48b790fa)
• CLI surface is still create and verify only: The registered backup command exposes create with --output, --json, --dry-run, --verify, --only-config, and --no-include-workspace, plus verify; there is no restore/import/list command, exclusion option, full/config mode selector, or quiesce flag. (src/cli/program/register.backup.ts:20, acae48b790fa)
• Docs document the partial filter, not configurable exclusions: The backup docs now say installed plugin source/manifests are included while nested plugin node_modules dependency trees are skipped, and the size guidance still points users to --no-include-workspace or --only-config rather than user-defined exclusion rules. Public docs: docs/cli/backup.md. (docs/cli/backup.md:56, acae48b790fa)
• Tests cover the partial filter only: The new backup tests verify the hard-coded plugin node_modules predicate and a real archive that omits those entries while preserving plugin files; the searched backup tests do not cover configurable exclusion policy, gateway quiescence, restore/import, or live-file retry/skip behavior on main. (src/infra/backup-create.test.ts:111, acae48b790fa)
• Partial fix is unreleased current-main work: The changelog has an Unreleased entry for skipping installed plugin extensions/*/node_modules and git diff v2026.4.26..HEAD shows only that backup-code/docs/test delta after the latest release tag. (CHANGELOG.md:357, acae48b790fa)

Likely related people:

• steipete: Available local blame/log for the current backup create, planner, CLI registration, and docs paths points to Peter Steinberger in the current grafted history, and the latest release/changelog maintenance also runs through that maintainer path. (role: recent maintainer; confidence: medium; commits: a972c9ec4547, be8c24633aaa, acae48b790fa; files: src/infra/backup-create.ts, src/commands/backup-shared.ts, src/cli/program/register.backup.ts)
• abnershang: Provided PR context shows an open backup live-file resilience PR that references this issue and touches the same backup archiving behavior, covering one race-family slice but not the full design. (role: adjacent follow-up owner; confidence: medium; commits: 463428dd3d2c, bb5c06195190; files: src/infra/backup-create.ts, src/infra/backup-create.test.ts)

Remaining risk / open question:

• Implicit gateway stop/start during backup is product-sensitive, especially because existing docs warn against chaining gateway stop/start as a restart substitute on macOS; any quiesce mode needs explicit maintainer design.
• fix(backup): retry on tar EOF race and skip known volatile files #72251 may resolve one live EOF failure if it lands, but configurable exclusions, deleted-file races, restore/import, and service-aware lifecycle semantics would still need separate decisions.
• A configurable exclusion system could make archives smaller while also making restores incomplete if manifest, verify, docs, and defaults are not designed together.

Codex review notes: model gpt-5.5, reasoning high; reviewed against acae48b790fa.