refactor: remove cloudflare-worker.js and rename workspace-sync.py to openclaw-sync.py

CHANGELOG.md

@@ -13,7 +13,7 @@ All notable changes to this project will be documented in this file.
 
 - **HF backup flow simplified** — HuggingClaw now uses `huggingface_hub` directly for restore and sync, matching the safer dataset-based pattern used in Hugging8n
 - **HF username no longer required in most cases** — backup namespace resolution now works from `HF_USERNAME`, `SPACE_AUTHOR_NAME`, or the authenticated HF token, so `HF_TOKEN` is usually enough on its own
-- **Startup restore path modernized** — startup now restores workspace and hidden state through `workspace-sync.py restore` instead of configuring a token-bearing git remote
+- **Startup restore path modernized** — startup now restores workspace and hidden state through `openclaw-sync.py restore` instead of configuring a token-bearing git remote
 - **README refreshed for the new backup model** — documentation now describes token-only backup setup, the removed git sync assumptions, and the hardened dashboard helper behavior
 - **Telegram networking simplified** — removed the channel-specific Telegram transport tweaks in favor of the generic Cloudflare outbound proxy path
 - **DNS monkey-patch removed** — HuggingClaw now relies on the Cloudflare outbound proxy path instead of the old `dns-fix.js` preload
@@ -63,7 +63,7 @@ All notable changes to this project will be documented in this file.
 ### Added
 
 - **Pre-built Docker image** — uses `ghcr.io/openclaw/openclaw:latest` multi-stage build for much faster builds (minutes instead of 30+)
-- **Python huggingface_hub sync** — `workspace-sync.py` uses the `huggingface_hub` library for more reliable HF Dataset sync (handles auth, LFS, retries). Falls back to git-based sync automatically
+- **Python huggingface_hub sync** — `openclaw-sync.py` uses the `huggingface_hub` library for more reliable HF Dataset sync (handles auth, LFS, retries). Falls back to git-based sync automatically
 - **Password auth** — `OPENCLAW_PASSWORD` for simpler login (optional alternative to token)
 - **Trusted proxies** — `TRUSTED_PROXIES` env var fixes "Proxy headers detected from untrusted address" errors on HF Spaces
 - **Allowed origins** — `ALLOWED_ORIGINS` env var to lock down Control UI access

Dockerfile

@@ -70,7 +70,8 @@ COPY --chown=1000:1000 iframe-fix.cjs /home/node/app/iframe-fix.cjs
 COPY --chown=1000:1000 start.sh /home/node/app/start.sh
 COPY --chown=1000:1000 wa-guardian.js /home/node/app/wa-guardian.js
 COPY --chown=1000:1000 cloudflare-keepalive-setup.py /home/node/app/cloudflare-keepalive-setup.py
-RUN chmod +x /home/node/app/start.sh /home/node/app/cloudflare-proxy-setup.py /home/node/app/cloudflare-keepalive-setup.py
+COPY --chown=1000:1000 openclaw-sync.py /home/node/app/openclaw-sync.py
+RUN chmod +x /home/node/app/start.sh /home/node/app/cloudflare-proxy-setup.py /home/node/app/cloudflare-keepalive-setup.py /home/node/app/openclaw-sync.py
 
 USER node
 

README.md

@@ -137,14 +137,6 @@ This is the easiest way. HuggingClaw will handle the deployment for you.
 - It generates a secure, private `CLOUDFLARE_PROXY_SECRET`.
 - All restricted outbound traffic is automatically routed through this Worker.
 
-### 🛠️ Manual Setup
-
-If you prefer to manage the Worker yourself:
-
-1. Create a new Cloudflare Worker.
-2. Paste the code from [cloudflare-worker.js](./cloudflare-worker.js) and deploy.
-3. Add the Worker URL to your Space as `CLOUDFLARE_PROXY_URL`.
-4. (Optional) Set a `CLOUDFLARE_PROXY_SECRET` in both the Worker (as a variable) and the Space (as a secret).
 
 ## 💬 WhatsApp Setup *(Optional)*
 

cloudflare-worker.js

@@ -1,103 +0,0 @@
-/**
- * Cloudflare Worker: Universal Outbound Proxy
- *
- * Manual setup:
- * 1. Create a Cloudflare Worker.
- * 2. Paste this file and deploy it.
- * 3. Use the worker URL as CLOUDFLARE_PROXY_URL.
- *
- * Optional worker vars:
- * - PROXY_SHARED_SECRET
- * - ALLOWED_TARGETS
- * - ALLOW_PROXY_ALL
- */
-
-function normalizeList(raw) {
-  return String(raw || "")
-    .split(",")
-    .map((value) => value.trim().toLowerCase())
-    .filter(Boolean);
-}
-
-export default {
-  async fetch(request, env) {
-    const url = new URL(request.url);
-    const queryTarget = url.searchParams.get("proxy_target");
-    const targetHost = request.headers.get("x-target-host") || queryTarget;
-    const proxySecret = (
-      env.PROXY_SHARED_SECRET ||
-      env.CLOUDFLARE_PROXY_SECRET ||
-      ""
-    ).trim();
-
-    if (proxySecret) {
-      const providedSecret = request.headers.get("x-proxy-key") || url.searchParams.get("proxy_key") || "";
-      if (providedSecret !== proxySecret) {
-        // Fallback: allow Telegram requests via path without secret if it looks like a bot API call.
-        // This is safe because it only proxies to api.telegram.org.
-        if (url.pathname.startsWith("/bot") && !targetHost) {
-          // Allowed
-        } else {
-          return new Response("Unauthorized: Invalid proxy key", { status: 401 });
-        }
-      }
-    }
-
-    const allowProxyAll =
-      String(env.ALLOW_PROXY_ALL || "true").toLowerCase() === "true";
-    const allowedTargets = normalizeList(
-      env.ALLOWED_TARGETS || "api.telegram.org,discord.com,discordapp.com,gateway.discord.gg,status.discord.com,web.whatsapp.com,graph.facebook.com,googleapis.com,google.com,googleusercontent.com,gstatic.com",
-    );
-
-    const isAllowedHost = (hostname) => {
-      const normalized = String(hostname || "")
-        .trim()
-        .toLowerCase();
-      if (!normalized) return false;
-      if (allowProxyAll) return true;
-      return allowedTargets.some(
-        (domain) => normalized === domain || normalized.endsWith(`.${domain}`),
-      );
-    };
-
-    let targetBase = "";
-    if (targetHost) {
-      if (!isAllowedHost(targetHost)) {
-        return new Response(`Forbidden: Host ${targetHost} is not allowed.`, { status: 403 });
-      }
-      targetBase = `https://${targetHost}`;
-    } else if (url.pathname.startsWith("/bot")) {
-      targetBase = "https://api.telegram.org";
-    } else {
-      return new Response("Invalid request: No target host provided.", { status: 400 });
-    }
-
-    const cleanSearch = new URLSearchParams(url.search);
-    cleanSearch.delete("proxy_target");
-    cleanSearch.delete("proxy_key");
-    const searchStr = cleanSearch.toString();
-    const targetUrl = targetBase + url.pathname + (searchStr ? `?${searchStr}` : "");
-    
-    const headers = new Headers(request.headers);
-    headers.delete("cf-connecting-ip");
-    headers.delete("cf-ray");
-    headers.delete("cf-visitor");
-    headers.delete("host");
-    headers.delete("x-real-ip");
-    headers.delete("x-target-host");
-    headers.delete("x-proxy-key");
-
-    const proxiedRequest = new Request(targetUrl, {
-      method: request.method,
-      headers,
-      body: request.body,
-      redirect: "follow",
-    });
-
-    try {
-      return await fetch(proxiedRequest);
-    } catch (error) {
-      return new Response(`Proxy Error: ${error.message}`, { status: 502 });
-    }
-  },
-};

start.sh

@@ -136,7 +136,7 @@ chmod 700 /home/node/.openclaw/credentials
 BACKUP_DATASET="${BACKUP_DATASET_NAME:-huggingclaw-backup}"
 if [ -n "${HF_TOKEN:-}" ]; then
   echo "Restoring workspace from HF Dataset..."
-  python3 /home/node/app/workspace-sync.py restore || true
+  python3 /home/node/app/openclaw-sync.py restore || true
 else
   echo "HF_TOKEN not set — running without dataset persistence."
 fi
@@ -467,9 +467,9 @@ fi
 # ── Trap SIGTERM for graceful shutdown ──
 graceful_shutdown() {
   echo "Shutting down..."
-  if [ -f "/home/node/app/workspace-sync.py" ]; then
+  if [ -f "/home/node/app/openclaw-sync.py" ]; then
     echo "Saving state before exit..."
-    python3 /home/node/app/workspace-sync.py sync-once || \
+    python3 /home/node/app/openclaw-sync.py sync-once || \
       echo "Warning: could not complete shutdown sync"
   fi
   kill $(jobs -p) 2>/dev/null
@@ -560,7 +560,7 @@ warmup_browser
 
 # 12. Start Workspace Sync after startup settles
 if [ -n "${HF_TOKEN:-}" ]; then
-  python3 -u /home/node/app/workspace-sync.py loop &
+  python3 -u /home/node/app/openclaw-sync.py loop &
 fi
 
 # Wait for gateway (allows trap to fire)