Upload Dockerfile

Dockerfile

@@ -0,0 +1,989 @@
+# 核心鏡像選擇
+FROM node:24-slim
+
+# 1. 基礎依賴補全 (合併了 layer 減少體積)
+# 注意：code-server 通過官方安裝腳本安裝，nginx 用於反向代理
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git openssh-client build-essential python3 python3-pip \
+    g++ make ca-certificates curl wget nginx \
+    && rm -rf /var/lib/apt/lists/*
+
+# 1.1. 安裝 code-server（瀏覽器版 VS Code，自帶 terminal）
+# 使用官方安裝腳本，自動適配架構和最新版本
+RUN curl -fsSL https://code-server.dev/install.sh | sh
+
+# 2. 安裝 GitHub CLI (gh) — 使用官方 APT 倉庫，避免社區版 API 相容性問題
+RUN mkdir -p -m 755 /etc/apt/keyrings \
+    && out=$(mktemp) && wget -nv -O$out https://cli.github.com/packages/githubcli-archive-keyring.gpg \
+    && cat $out | tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \
+    && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
+    && mkdir -p -m 755 /etc/apt/sources.list.d \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
+       | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends gh \
+    && rm -rf /var/lib/apt/lists/* \
+    && gh --version
+
+# 3. 安裝 HF 數據交互工具
+RUN pip3 install --no-cache-dir huggingface_hub --break-system-packages
+
+# 4. 構建環境與 Git 協議優化
+RUN update-ca-certificates && \
+    git config --global http.sslVerify false && \
+    git config --global url."https://github.com/".insteadOf ssh://git@github.com/
+
+# 5. OpenClaw 核心安裝
+RUN npm install -g openclaw@latest --unsafe-perm
+
+# 6. 安裝 ClawHub CLI
+RUN npm install -g clawhub --unsafe-perm \
+    && clawhub -V || true
+
+# 6.2. 安裝 Playwright 完整包（openclaw browser 高級功能必需：snapshot/screenshot/PDF/navigate）
+# 注意：必須安裝完整 playwright，而非 playwright-core；openclaw 在其 node_modules 內已含 playwright-core
+RUN npm install -g playwright --unsafe-perm
+
+# 6.3. 安裝 Chromium 及系統依賴庫（使用 Playwright 官方腳本，一步搞定 100+ 依賴）
+RUN npx playwright install chromium --with-deps
+
+# 7. 安裝釘釘和企業微信插件
+RUN openclaw plugins install @dingtalk-real-ai/dingtalk-connector
+RUN openclaw plugins install @wecom/wecom-openclaw-plugin
+
+# 7.1. 預安裝微信個人號插件本體（腾讯官方 iLink 協議）
+# 注意：插件本體在構建時安裝，掃碼登錄在運行時進行（二維碼會打印到 HF Logs）
+RUN openclaw plugins install @tencent-weixin/openclaw-weixin || true
+
+# 8. 環境變量默認值
+ENV PORT=7860 \
+    OPENCLAW_GATEWAY_MODE=local \
+    HOME=/root \
+    PYTHONUNBUFFERED=1
+
+# 9. 寫入 Python 同步引擎
+RUN cat <<'EOF' > /usr/local/bin/sync.py
+import os, sys, tarfile, shutil
+from huggingface_hub import HfApi, hf_hub_download
+from datetime import datetime, timedelta
+
+api = HfApi()
+repo_id = os.getenv("HF_DATASET")
+token = os.getenv("HF_TOKEN")
+
+OPENCLAW_LOCAL  = "/root/.openclaw"
+SCATTER_REMOTE_PREFIX = "openclaw/"   # 散裝文件在 Dataset 中的前綴
+
+# ── 通用工具函數 ──────────────────────────────────────────────────────────────
+
+def _parse_skip_list(env_var):
+    """解析逗號分隔的跳過列表，返回規範化路徑集合（支持多級子目錄）。"""
+    raw = os.getenv(env_var, "").strip()
+    if not raw:
+        return set()
+    return {s.strip().strip("/") for s in raw.split(",") if s.strip()}
+
+def _is_skipped(rel_path, skip_set):
+    """
+    判斷 rel_path（相對於 /root/.openclaw 的路徑）是否應跳過。
+    支持精確匹配及前綴匹配（即跳過某目錄下所有子路徑）。
+    """
+    rel = rel_path.strip("/")
+    for skip in skip_set:
+        if rel == skip or rel.startswith(skip + "/"):
+            return True
+    return False
+
+def _walk_local(base_dir, skip_set=None):
+    """
+    遞歸遍歷 base_dir 下所有文件，返回 (local_abs_path, rel_to_base) 列表。
+    rel_to_base 是相對於 base_dir 的路徑（不含前導斜杠）。
+    skip_set 中的路徑是相對於 OPENCLAW_LOCAL 的路徑。
+    """
+    results = []
+    if not os.path.isdir(base_dir):
+        return results
+    for dirpath, dirnames, filenames in os.walk(base_dir):
+        for fname in filenames:
+            abs_path = os.path.join(dirpath, fname)
+            rel_to_base = os.path.relpath(abs_path, base_dir)
+            if skip_set is not None:
+                # 計算相對於 OPENCLAW_LOCAL 的路徑用於 skip 匹配
+                rel_to_openclaw = os.path.relpath(abs_path, OPENCLAW_LOCAL)
+                if _is_skipped(rel_to_openclaw, skip_set):
+                    continue
+            results.append((abs_path, rel_to_base))
+    return results
+
+# ── restore() ────────────────────────────────────────────────────────────────
+
+def restore():
+    if not repo_id or not token:
+        print("Skip Restore: HF_DATASET or HF_TOKEN not set")
+        return
+    try:
+        all_files = list(api.list_repo_files(repo_id=repo_id, repo_type="dataset", token=token))
+
+        # ── 1. 恢復 tar.gz 備份 ──────────────────────────────────────────────
+        # 備份範圍：/root/.openclaw 下所有文件及文件夾（保持完整目錄結構）
+        # tar 包內 arcname 直接對應 .openclaw/ 下的相對路徑，解壓目標為 /root/.openclaw/
+        now = datetime.now()
+        for i in range(5):
+            day = (now - timedelta(days=i)).strftime("%Y-%m-%d")
+            name = f"backup_{day}.tar.gz"
+            if name in all_files:
+                print(f"Downloading {name}...")
+                path = hf_hub_download(repo_id=repo_id, filename=name, repo_type="dataset", token=token)
+                os.makedirs(OPENCLAW_LOCAL, exist_ok=True)
+                with tarfile.open(path, "r:gz") as tar:
+                    tar.extractall(path=OPENCLAW_LOCAL)
+                print(f"Success: Restored from {name}")
+
+                # ── RESTORE_SKIP：解壓後刪除指定條目，讓後續腳本用默認值重新生成 ──
+                # 格式：逗號分隔，填寫相對於 /root/.openclaw 的路徑
+                # 支持多級子目錄，例如：RESTORE_SKIP=agents/main/sessions,cron,extensions/foo/bar
+                # 若路徑不存在則忽略，不影響腳本繼續運行
+                # 留空或不設置 = 全部恢復（默認行為）
+                # 注意：用完後清空此變量，否則每次重啟都會跳過恢復
+                skip_set = _parse_skip_list("RESTORE_SKIP")
+                for entry in skip_set:
+                    target = os.path.join(OPENCLAW_LOCAL, entry)
+                    if os.path.isdir(target):
+                        shutil.rmtree(target)
+                        print(f"Restore skip (RESTORE_SKIP): removed dir  {entry}")
+                    elif os.path.isfile(target):
+                        os.remove(target)
+                        print(f"Restore skip (RESTORE_SKIP): removed file {entry}")
+                    else:
+                        print(f"Restore skip (RESTORE_SKIP): not found, skipped {entry}")
+                break
+
+        # ── 2. 恢復散裝文件 ──────────────────────────────────────────────────
+        # 備份範圍：/root/.openclaw 下所有文件及文件夾（保持完整目錄結構）
+        # Dataset 中存儲路徑：openclaw/<相對於 .openclaw 的路徑>
+        scatter_files = [f for f in all_files if f.startswith(SCATTER_REMOTE_PREFIX)]
+        if scatter_files:
+            os.makedirs(OPENCLAW_LOCAL, exist_ok=True)
+            for remote_path in scatter_files:
+                rel = remote_path[len(SCATTER_REMOTE_PREFIX):]
+                if not rel:
+                    continue
+                local_path = os.path.join(OPENCLAW_LOCAL, rel)
+                print(f"Restoring file: {rel}")
+                dl = hf_hub_download(repo_id=repo_id, filename=remote_path, repo_type="dataset", token=token)
+                os.makedirs(os.path.dirname(local_path), exist_ok=True)
+                shutil.copy2(dl, local_path)
+            print(f"Scatter restore: {len(scatter_files)} file(s) restored.")
+        else:
+            print("No scatter files found in Dataset, skipping scatter restore.")
+
+    except Exception as e:
+        print(f"Restore Error: {e}")
+
+# ── restore_workspace() ───────────────────────────────────────────────────────
+
+def restore_workspace():
+    """
+    從 HuggingFace Dataset 的 openclaw/ 前綴下拉取最新文件到本地 /root/.openclaw/。
+    與 restore() 的區別：
+      - 不處理 tar.gz 備份
+      - 專門用於"用戶在 Dataset 網頁上編輯了文件後，讓容器立刻感知更新"的場景
+      - 由後台定時循環每 30 分鐘自動調用一次
+      - 也可以通過釘釘發指令手動觸發：python3 /usr/local/bin/sync.py restore_workspace
+    衝突保護邏輯：
+      - Dataset 上的版本始終優先（網頁手動編輯的版本會覆蓋本地）
+      - 這與 backup() 的邏輯相反：backup() 是本地新則上傳，restore_workspace() 是遠端新則下載
+      - 若本地文件比遠端更新（本地有未備份的修改），跳過下載，保留本地版本
+    """
+    if not repo_id or not token:
+        print("Skip restore_workspace: HF_DATASET or HF_TOKEN not set")
+        return
+    try:
+        all_files = list(api.list_repo_files(
+            repo_id=repo_id, repo_type="dataset", token=token
+        ))
+        scatter_files = [f for f in all_files if f.startswith(SCATTER_REMOTE_PREFIX)]
+        if not scatter_files:
+            print("restore_workspace: No scatter files found in Dataset, skipping.")
+            return
+        os.makedirs(OPENCLAW_LOCAL, exist_ok=True)
+        updated = 0
+        skipped = 0
+        for remote_path in scatter_files:
+            rel = remote_path[len(SCATTER_REMOTE_PREFIX):]
+            if not rel:
+                continue
+            local_path = os.path.join(OPENCLAW_LOCAL, rel)
+            try:
+                remote_info = api.list_repo_tree(
+                    repo_id=repo_id, repo_type="dataset", token=token,
+                    path_in_repo=SCATTER_REMOTE_PREFIX.rstrip("/"), recursive=True
+                )
+                remote_mtime = None
+                for item in remote_info:
+                    if hasattr(item, "path") and item.path == remote_path:
+                        if item.last_commit and item.last_commit.date:
+                            remote_mtime = item.last_commit.date.timestamp()
+                        break
+                if remote_mtime and os.path.exists(local_path):
+                    local_mtime = os.path.getmtime(local_path)
+                    if local_mtime >= remote_mtime:
+                        skipped += 1
+                        continue
+            except Exception:
+                pass
+            dl = hf_hub_download(
+                repo_id=repo_id, filename=remote_path,
+                repo_type="dataset", token=token
+            )
+            os.makedirs(os.path.dirname(local_path), exist_ok=True)
+            shutil.copy2(dl, local_path)
+            print(f"restore_workspace: updated {rel}")
+            updated += 1
+        print(f"restore_workspace: {updated} updated, {skipped} already up-to-date.")
+    except Exception as e:
+        print(f"restore_workspace Error: {e}")
+
+# ── backup() ──────────────────────────────────────────────────────────────────
+
+def backup():
+    if not repo_id or not token:
+        print("Skip Backup: HF_DATASET or HF_TOKEN not set")
+        return
+
+    # ── 1. tar.gz 打包備份 ───────────────────────────────────────────────────
+    # 備份範圍：/root/.openclaw 下所有文件及文件夾（完整目錄結構）
+    # tar 包解壓目標為 /root/.openclaw/，arcname 對應其內部相對路徑
+    #
+    # BACKUP_TAR_SKIP：tar.gz 備份時跳過的文件/目錄（相對於 /root/.openclaw）
+    # 格式：逗號分隔，支持多級子目錄
+    # 例如：BACKUP_TAR_SKIP=agents/main/sessions,cron,extensions/foo/bar
+    # 留空或不設置 = 備份全部
+    try:
+        tar_skip_set = _parse_skip_list("BACKUP_TAR_SKIP")
+        day = datetime.now().strftime("%Y-%m-%d")
+        name = f"backup_{day}.tar.gz"
+        with tarfile.open(name, "w:gz") as tar:
+            for abs_path, rel_to_base in _walk_local(OPENCLAW_LOCAL, skip_set=tar_skip_set):
+                arcname = rel_to_base  # 相對於 .openclaw/
+                tar.add(abs_path, arcname=arcname)
+        api.upload_file(path_or_fileobj=name, path_in_repo=name, repo_id=repo_id, repo_type="dataset", token=token)
+        print(f"Backup {name} Success.")
+    except Exception as e:
+        print(f"Backup tar.gz Error: {e}")
+
+    # ── 2. 散裝文件備份（逐個上傳，跳過 Dataset 上更新的文件）────────────────
+    # 備份範圍：/root/.openclaw 下所有文件及文件夾（保持完整目錄結構）
+    # Dataset 中存儲路徑：openclaw/<相對於 .openclaw 的路徑>
+    #
+    # BACKUP_SCATTER_SKIP：散裝備份時跳過的文件/目錄（相對於 /root/.openclaw）
+    # 格式：逗號分隔，支持多級子目錄
+    # 例如：BACKUP_SCATTER_SKIP=agents/main/sessions,cron,workspace/tmp
+    # 留空或不設置 = 備份全部
+    #
+    # 核心改動：原來逐個 upload_file 每個文件產生1個commit，
+    # 很快觸發 HF 免費帳號 128 commits/小時限制。
+    # 改為：把需要上傳的文件複製到臨時目錄，再用 upload_folder 一次性
+    # 合成單個 commit 上傳，徹底解決 429 rate limit 問題。
+    try:
+        scatter_skip_set = _parse_skip_list("BACKUP_SCATTER_SKIP")
+
+        # 獲取 Dataset 上已有文件的最後修改時間（用於跳過 Dataset 更新的文件）
+        remote_mtimes = {}
+        try:
+            repo_info = api.list_repo_tree(
+                repo_id=repo_id, repo_type="dataset", token=token,
+                path_in_repo=SCATTER_REMOTE_PREFIX.rstrip("/"), recursive=True
+            )
+            for item in repo_info:
+                if hasattr(item, "path") and hasattr(item, "last_commit"):
+                    rel = item.path[len(SCATTER_REMOTE_PREFIX):]
+                    if item.last_commit and item.last_commit.date:
+                        remote_mtimes[rel] = item.last_commit.date.timestamp()
+        except Exception:
+            pass
+
+        # 把需要上傳的文件複製到臨時目錄，保持目錄結構，再一次性 upload_folder
+        import tempfile
+        with tempfile.TemporaryDirectory() as tmpdir:
+            uploaded = 0
+            skipped = 0
+            for abs_path, rel_to_base in _walk_local(OPENCLAW_LOCAL, skip_set=scatter_skip_set):
+                local_mtime = os.path.getmtime(abs_path)
+                remote_mtime = remote_mtimes.get(rel_to_base)
+                if remote_mtime and remote_mtime > local_mtime:
+                    print(f"Scatter skip (Dataset newer): {rel_to_base}")
+                    skipped += 1
+                    continue
+                dst = os.path.join(tmpdir, rel_to_base)
+                os.makedirs(os.path.dirname(dst), exist_ok=True)
+                shutil.copy2(abs_path, dst)
+                uploaded += 1
+
+            if uploaded > 0:
+                # upload_folder 將 tmpdir 下所有文件合成單個 commit 上傳
+                # path_in_repo 指定遠端存放前綴（openclaw/）
+                api.upload_folder(
+                    folder_path=tmpdir,
+                    path_in_repo=SCATTER_REMOTE_PREFIX.rstrip("/"),
+                    repo_id=repo_id,
+                    repo_type="dataset",
+                    token=token,
+                    commit_message=f"Scatter backup {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}",
+                )
+                print(f"Scatter backup: {uploaded} file(s) uploaded in single commit, {skipped} skipped (Dataset newer).")
+            else:
+                print(f"Scatter backup: nothing to upload ({skipped} skipped, Dataset newer).")
+    except Exception as e:
+        print(f"Scatter Backup Error: {e}")
+
+if __name__ == "__main__":
+    if len(sys.argv) > 1 and sys.argv[1] == "backup":
+        backup()
+    elif len(sys.argv) > 1 and sys.argv[1] == "restore_workspace":
+        restore_workspace()
+    else:
+        restore()
+EOF
+
+# 10. 寫入 providers JSON 生成腳本
+RUN cat <<'EOF' > /usr/local/bin/build_providers.py
+import os, json
+
+def get(name):
+    return os.environ.get(name, "")
+
+providers = {}
+for i in range(1, 6):
+    pname   = get(f"provide{i}")
+    baseurl = get(f"baseUrl{i}")
+    apikey  = get(f"apiKey{i}")
+    api     = get(f"provide{i}_api1")
+    if not pname or not baseurl or not api:
+        continue
+    models = []
+    for m in range(1, 6):
+        mid   = get(f"provide{i}_models_id{m}")
+        mname = get(f"provide{i}_models_name{m}")
+        inp   = get(f"provide{i}_models_input{m}")
+        if not mid:
+            continue
+        input_val = ["text", "image"] if "image" in inp.lower() else ["text"]
+        models.append({
+            "id": mid,
+            "name": mname,
+            "input": input_val,
+            "reasoning": False,
+            "contextWindow": 2000000,
+            "maxTokens": 2000000,
+            "cost": {"input": 0, "output": 0, "cacheRead": 0, "cacheWrite": 0}
+        })
+    if not models:
+        continue
+    providers[pname] = {
+        "baseUrl": baseurl,
+        "apiKey": apikey,
+        "api": api,
+        "models": models
+    }
+
+entries = []
+for k, v in providers.items():
+    block = json.dumps({k: v}, indent=4, ensure_ascii=False)
+    inner = block.strip()[1:-1].strip()
+    indented = "\n".join("    " + line for line in inner.split("\n"))
+    entries.append(indented)
+
+print(",\n".join(entries))
+EOF
+
+# 11. 寫入啟動控制邏輯
+RUN cat <<'EOF' > /usr/local/bin/start-openclaw
+#!/bin/bash
+set -e
+
+mkdir -p /root/.openclaw/sessions
+
+# 執行恢復邏輯
+python3 /usr/local/bin/sync.py restore
+
+# provider1 model2~5 fallback 到自身 model1
+provide1_models_id2="${provide1_models_id2:-$provide1_models_id1}"
+provide1_models_name2="${provide1_models_name2:-$provide1_models_name1}"
+provide1_models_api2="${provide1_models_api2:-$provide1_models_api1}"
+provide1_models_input2="${provide1_models_input2:-$provide1_models_input1}"
+provide1_models_id3="${provide1_models_id3:-$provide1_models_id1}"
+provide1_models_name3="${provide1_models_name3:-$provide1_models_name1}"
+provide1_models_api3="${provide1_models_api3:-$provide1_models_api1}"
+provide1_models_input3="${provide1_models_input3:-$provide1_models_input1}"
+provide1_models_id4="${provide1_models_id4:-$provide1_models_id1}"
+provide1_models_name4="${provide1_models_name4:-$provide1_models_name1}"
+provide1_models_api4="${provide1_models_api4:-$provide1_models_api1}"
+provide1_models_input4="${provide1_models_input4:-$provide1_models_input1}"
+provide1_models_id5="${provide1_models_id5:-$provide1_models_id1}"
+provide1_models_name5="${provide1_models_name5:-$provide1_models_name1}"
+provide1_models_api5="${provide1_models_api5:-$provide1_models_api1}"
+provide1_models_input5="${provide1_models_input5:-$provide1_models_input1}"
+
+# provider2 model2~5 fallback 到自身 model1
+provide2_models_id2="${provide2_models_id2:-$provide2_models_id1}"
+provide2_models_name2="${provide2_models_name2:-$provide2_models_name1}"
+provide2_models_api2="${provide2_models_api2:-$provide2_models_api1}"
+provide2_models_input2="${provide2_models_input2:-$provide2_models_input1}"
+provide2_models_id3="${provide2_models_id3:-$provide2_models_id1}"
+provide2_models_name3="${provide2_models_name3:-$provide2_models_name1}"
+provide2_models_api3="${provide2_models_api3:-$provide2_models_api1}"
+provide2_models_input3="${provide2_models_input3:-$provide2_models_input1}"
+provide2_models_id4="${provide2_models_id4:-$provide2_models_id1}"
+provide2_models_name4="${provide2_models_name4:-$provide2_models_name1}"
+provide2_models_api4="${provide2_models_api4:-$provide2_models_api1}"
+provide2_models_input4="${provide2_models_input4:-$provide2_models_input1}"
+provide2_models_id5="${provide2_models_id5:-$provide2_models_id1}"
+provide2_models_name5="${provide2_models_name5:-$provide2_models_name1}"
+provide2_models_api5="${provide2_models_api5:-$provide2_models_api1}"
+provide2_models_input5="${provide2_models_input5:-$provide2_models_input1}"
+
+# provider3 model2~5 fallback 到自身 model1
+provide3_models_id2="${provide3_models_id2:-$provide3_models_id1}"
+provide3_models_name2="${provide3_models_name2:-$provide3_models_name1}"
+provide3_models_api2="${provide3_models_api2:-$provide3_models_api1}"
+provide3_models_input2="${provide3_models_input2:-$provide3_models_input1}"
+provide3_models_id3="${provide3_models_id3:-$provide3_models_id1}"
+provide3_models_name3="${provide3_models_name3:-$provide3_models_name1}"
+provide3_models_api3="${provide3_models_api3:-$provide3_models_api1}"
+provide3_models_input3="${provide3_models_input3:-$provide3_models_input1}"
+provide3_models_id4="${provide3_models_id4:-$provide3_models_id1}"
+provide3_models_name4="${provide3_models_name4:-$provide3_models_name1}"
+provide3_models_api4="${provide3_models_api4:-$provide3_models_api1}"
+provide3_models_input4="${provide3_models_input4:-$provide3_models_input1}"
+provide3_models_id5="${provide3_models_id5:-$provide3_models_id1}"
+provide3_models_name5="${provide3_models_name5:-$provide3_models_name1}"
+provide3_models_api5="${provide3_models_api5:-$provide3_models_api1}"
+provide3_models_input5="${provide3_models_input5:-$provide3_models_input1}"
+
+# provider4 model2~5 fallback 到自身 model1
+provide4_models_id2="${provide4_models_id2:-$provide4_models_id1}"
+provide4_models_name2="${provide4_models_name2:-$provide4_models_name1}"
+provide4_models_api2="${provide4_models_api2:-$provide4_models_api1}"
+provide4_models_input2="${provide4_models_input2:-$provide4_models_input1}"
+provide4_models_id3="${provide4_models_id3:-$provide4_models_id1}"
+provide4_models_name3="${provide4_models_name3:-$provide4_models_name1}"
+provide4_models_api3="${provide4_models_api3:-$provide4_models_api1}"
+provide4_models_input3="${provide4_models_input3:-$provide4_models_input1}"
+provide4_models_id4="${provide4_models_id4:-$provide4_models_id1}"
+provide4_models_name4="${provide4_models_name4:-$provide4_models_name1}"
+provide4_models_api4="${provide4_models_api4:-$provide4_models_api1}"
+provide4_models_input4="${provide4_models_input4:-$provide4_models_input1}"
+provide4_models_id5="${provide4_models_id5:-$provide4_models_id1}"
+provide4_models_name5="${provide4_models_name5:-$provide4_models_name1}"
+provide4_models_api5="${provide4_models_api5:-$provide4_models_api1}"
+provide4_models_input5="${provide4_models_input5:-$provide4_models_input1}"
+
+# provider5 model2~5 fallback 到自身 model1
+provide5_models_id2="${provide5_models_id2:-$provide5_models_id1}"
+provide5_models_name2="${provide5_models_name2:-$provide5_models_name1}"
+provide5_models_api2="${provide5_models_api2:-$provide5_models_api1}"
+provide5_models_input2="${provide5_models_input2:-$provide5_models_input1}"
+provide5_models_id3="${provide5_models_id3:-$provide5_models_id1}"
+provide5_models_name3="${provide5_models_name3:-$provide5_models_name1}"
+provide5_models_api3="${provide5_models_api3:-$provide5_models_api1}"
+provide5_models_input3="${provide5_models_input3:-$provide5_models_input1}"
+provide5_models_id4="${provide5_models_id4:-$provide5_models_id1}"
+provide5_models_name4="${provide5_models_name4:-$provide5_models_name1}"
+provide5_models_api4="${provide5_models_api4:-$provide5_models_api1}"
+provide5_models_input4="${provide5_models_input4:-$provide5_models_input1}"
+provide5_models_id5="${provide5_models_id5:-$provide5_models_id1}"
+provide5_models_name5="${provide5_models_name5:-$provide5_models_name1}"
+provide5_models_api5="${provide5_models_api5:-$provide5_models_api1}"
+provide5_models_input5="${provide5_models_input5:-$provide5_models_input1}"
+
+# google model2~5 fallback
+google_model2="${google_model2:-$google_model1}"
+google_model3="${google_model3:-$google_model1}"
+google_model4="${google_model4:-$google_model1}"
+google_model5="${google_model5:-$google_model1}"
+
+# primary_model / primary_imageModel fallback
+primary_model="${primary_model:-${provide1}/${provide1_models_id1}}"
+primary_imageModel="${primary_imageModel:-${provide1}/${provide1_models_id1}}"
+
+PROVIDERS_JSON=$(python3 /usr/local/bin/build_providers.py)
+
+# ── 動態 Channel 配置：DINGTALK 變量未設置時只寫入 disabled 配置，避免健康檢查拋出未捕獲異常崩潰進程 ──
+if [ -n "${DINGTALK_clientId}" ] && [ -n "${DINGTALK_clientSecret}" ]; then
+    DINGTALK_CHANNEL_JSON='"dingtalk-connector": {
+      "enabled": true,
+      "clientId": "${DINGTALK_clientId}",
+      "clientSecret": "${DINGTALK_clientSecret}"
+    },'
+else
+    DINGTALK_CHANNEL_JSON='"dingtalk-connector": {
+      "enabled": false
+    },'
+fi
+
+cat > /root/.openclaw/openclaw.json <<EOT
+{
+  "models": {
+    "mode": "merge",
+    "providers": {
+${PROVIDERS_JSON}
+    }
+  },
+  "agents": {
+    "defaults": {
+      "model": {
+        "primary": "${primary_model}"
+      },
+      "imageModel": {
+        "primary": "${primary_imageModel}"
+      },
+      "models": {
+        "${provide1}/${provide1_models_id1}": {},
+        "${provide1}/${provide1_models_id2}": {},
+        "${provide1}/${provide1_models_id3}": {},
+        "${provide1}/${provide1_models_id4}": {},
+        "${provide1}/${provide1_models_id5}": {},
+        "${provide2}/${provide2_models_id1}": {},
+        "${provide2}/${provide2_models_id2}": {},
+        "${provide2}/${provide2_models_id3}": {},
+        "${provide2}/${provide2_models_id4}": {},
+        "${provide2}/${provide2_models_id5}": {},
+        "${provide3}/${provide3_models_id1}": {},
+        "${provide3}/${provide3_models_id2}": {},
+        "${provide3}/${provide3_models_id3}": {},
+        "${provide3}/${provide3_models_id4}": {},
+        "${provide3}/${provide3_models_id5}": {},
+        "${provide4}/${provide4_models_id1}": {},
+        "${provide4}/${provide4_models_id2}": {},
+        "${provide4}/${provide4_models_id3}": {},
+        "${provide4}/${provide4_models_id4}": {},
+        "${provide4}/${provide4_models_id5}": {},
+        "${provide5}/${provide5_models_id1}": {},
+        "${provide5}/${provide5_models_id2}": {},
+        "${provide5}/${provide5_models_id3}": {},
+        "${provide5}/${provide5_models_id4}": {},
+        "${provide5}/${provide5_models_id5}": {},
+        "google/${google_model1}": {},
+        "google/${google_model2}": {},
+        "google/${google_model3}": {},
+        "google/${google_model4}": {},
+        "google/${google_model5}": {}
+      }
+    }
+  },
+  "gateway": {
+    "mode": "local",
+    "bind": "lan",
+    "port": ${PORT},
+    "trustedProxies": [
+      "0.0.0.0/0",
+      "10.0.0.0/8",
+      "172.16.0.0/12",
+      "192.168.0.0/16"
+    ],
+    "auth": {
+      "mode": "token",
+      "token": "${OPENCLAW_PASSWORD}"
+    },
+    "controlUi": {
+      "allowInsecureAuth": true,
+      "dangerouslyAllowHostHeaderOriginFallback": true
+    }
+  },
+  "cron": {
+    "enabled": true,
+    "store": "/root/.openclaw/cron/jobs.json",
+    "maxConcurrentRuns": 1
+  },
+  "plugins": {
+    "allow": ["dingtalk-connector", "wecom-openclaw-plugin", "openclaw-weixin"],
+    "entries": {
+      "dingtalk-connector": {
+        "enabled": true
+      },
+      "wecom-openclaw-plugin": {
+        "enabled": true
+      },
+      "openclaw-weixin": {
+        "enabled": true
+      }
+    }
+  },
+  "skills": {
+    "entries": {
+      "liang-tavily-search": {
+        "enabled": true,
+        "apiKey": "${TAVILY_API_KEY}"
+      }
+    }
+  },
+  "channels": {
+${DINGTALK_CHANNEL_JSON}
+    "wecom": {
+      "enabled": true,
+      "botId": "${WECOM_BOT_ID}",
+      "secret": "${WECOM_SECRET}",
+      "dmPolicy": "open",
+      "groupPolicy": "open",
+      "messageType": "markdown",
+      "debug": false,
+      "allowFrom": ["*"]
+    }
+  },
+  "browser": {
+    "enabled": true,
+    "headless": true,
+    "noSandbox": true,
+    "defaultProfile": "openclaw",
+    "executablePath": "/root/.cache/ms-playwright/chromium-1208/chrome-linux64/chrome",
+    "ssrfPolicy": {
+      "dangerouslyAllowPrivateNetwork": true
+    }
+  }}
+EOT
+
+# 生成 cron jobs 定義文件（僅在不存在時寫入，避免覆蓋用戶在運行時添加的 job）
+# KEEP_ALIVE_MODEL：指定 keep-alive job 使用的模型，格式為 provider/model-id
+# 例如：KEEP_ALIVE_MODEL=google/gemini-flash-lite
+# 留空或不設置則由 openclaw 默認模型執行
+mkdir -p /root/.openclaw/cron
+if [ ! -f /root/.openclaw/cron/jobs.json ]; then
+python3 - << 'PYEOF'
+import os, json
+
+enable_keep_alive = os.environ.get("ENABLE_KEEP_ALIVE", "false").strip().lower() in ("true", "1", "yes")
+
+if enable_keep_alive:
+    payload = {
+        "kind": "agentTurn",
+        "message": "curl -s -o /dev/null -w '%{http_code}' -X OPTIONS https://heiyu-mo-openclaw.hf.space/",
+        "lightContext": True
+    }
+    keep_alive_model = os.environ.get("KEEP_ALIVE_MODEL", "").strip()
+    if keep_alive_model:
+        payload["model"] = keep_alive_model
+
+    jobs = {
+        "version": 1,
+        "jobs": [{
+            "id": "0f174587-f3cd-4ea6-90ef-887c845fdea0",
+            "name": "keep-alive",
+            "enabled": True,
+            "createdAtMs": 1772522542926,
+            "updatedAtMs": 1772594582735,
+            "schedule": {"kind": "every", "everyMs": 3600000, "anchorMs": 1772522542926},
+            "sessionTarget": "isolated",
+            "wakeMode": "now",
+            "payload": payload,
+            "delivery": {"mode": "none", "channel": "last"},
+            "state": {
+                "nextRunAtMs": 1772598143029,
+                "lastRunAtMs": 1772594543029,
+                "lastRunStatus": "ok",
+                "lastStatus": "ok",
+                "lastDurationMs": 39706,
+                "lastDelivered": False,
+                "deliveryStatus": "not-delivered",
+                "consecutiveErrors": 0
+            }
+        }]
+    }
+    model_info = f"model={keep_alive_model}" if keep_alive_model else "model=default"
+    print(f"Cron jobs.json initialized. keep-alive enabled, {model_info}")
+else:
+    jobs = {"version": 1, "jobs": []}
+    print("Cron jobs.json initialized. keep-alive disabled")
+
+with open("/root/.openclaw/cron/jobs.json", "w") as f:
+    json.dump(jobs, f, separators=(",", ":"))
+PYEOF
+else
+echo "Cron jobs.json already exists, skipping init."
+fi
+
+# 增量備份循環（每 30 分鐘後台運行）
+(while true; do sleep 1800; python3 /usr/local/bin/sync.py backup; done) &
+
+# Workspace 同步循環（每 30 分鐘後台運行）
+(while true; do sleep 1800; python3 /usr/local/bin/sync.py restore_workspace; done) &
+
+# 把 HF Space Secrets 裡的 GEMINI key 寫入 auth-profiles.json
+mkdir -p /root/.openclaw/agents/main/agent
+python3 - << 'PYEOF'
+import os, json
+
+auth_file = "/root/.openclaw/agents/main/agent/auth-profiles.json"
+
+if os.path.exists(auth_file):
+    with open(auth_file) as f:
+        data = json.load(f)
+    for pid, profile in data.get("profiles", {}).items():
+        if profile.get("type") == "api_key" and "token" in profile and "key" not in profile:
+            profile["key"] = profile.pop("token")
+else:
+    data = {"profiles": {}, "lastGood": {}}
+
+key_names = [
+    ("GEMINI_API_KEY_1", "google:key1"),
+    ("GEMINI_API_KEY_2", "google:key2"),
+    ("GEMINI_API_KEY_3", "google:key3"),
+    ("GEMINI_API_KEY_4", "google:key4"),
+    ("GEMINI_API_KEY_5", "google:key5"),
+]
+first_profile_id = None
+for env_name, profile_id in key_names:
+    key_val = os.environ.get(env_name, "").strip()
+    if not key_val:
+        continue
+    data["profiles"][profile_id] = {
+        "type": "api_key",
+        "provider": "google",
+        "key": key_val
+    }
+    if first_profile_id is None:
+        first_profile_id = profile_id
+
+if first_profile_id:
+    data["lastGood"]["google"] = first_profile_id
+
+with open(auth_file, "w") as f:
+    json.dump(data, f, indent=2)
+
+print(f"auth-profiles.json written: {len([k for k in data['profiles'] if k.startswith('google:')])} google key(s)")
+PYEOF
+
+openclaw doctor --fix || true
+
+# 安裝 liang-tavily-search skill 到 workspace/skills（最高優先級加載路徑）
+# 僅在尚未安裝時執行，避免每次重啟都重複安裝
+TAVILY_SKILL_DIR="/root/.openclaw/workspace/skills/liang-tavily-search"
+if [ ! -d "$TAVILY_SKILL_DIR" ]; then
+    echo "Installing liang-tavily-search skill to workspace/skills..."
+    mkdir -p /root/.openclaw/workspace/skills
+    # clawhub 在指定 cwd 下安裝到 ./skills，指向 workspace 目錄
+    (cd /root/.openclaw/workspace && clawhub install liang-tavily-search) || \
+        echo "Warning: liang-tavily-search skill install failed, continuing anyway."
+else
+    echo "liang-tavily-search skill already installed, skipping."
+fi
+
+# 探測 Playwright 下載的 Chromium 實際路徑，並動態修正 openclaw.json 中的 executablePath
+# （Playwright 版本升級時 chromium-XXXX 目錄號可能變化）
+CHROMIUM_EXEC=$(find /root/.cache/ms-playwright -name "chrome" -path "*/chrome-linux64/chrome" 2>/dev/null | head -1)
+if [ -n "$CHROMIUM_EXEC" ]; then
+    echo "Detected Chromium at: $CHROMIUM_EXEC"
+    # 用 Python 就地修正 executablePath，避免 sed 處理特殊字符問題
+    python3 - "$CHROMIUM_EXEC" << 'PYEOF'
+import sys, json, os
+path = sys.argv[1]
+cfg_file = "/root/.openclaw/openclaw.json"
+if not os.path.exists(cfg_file):
+    print("openclaw.json not found, skip executablePath patch")
+    sys.exit(0)
+with open(cfg_file) as f:
+    data = json.load(f)
+browser = data.get("browser", {})
+if browser.get("executablePath") != path:
+    browser["executablePath"] = path
+    data["browser"] = browser
+    with open(cfg_file, "w") as f:
+        json.dump(data, f, indent=2)
+    print(f"executablePath updated to: {path}")
+else:
+    print("executablePath already correct, no change needed")
+PYEOF
+else
+    echo "Warning: Chromium executable not found under /root/.cache/ms-playwright, browser tool may need manual executablePath config"
+fi
+
+# 微信個人號接入：gateway 啟動後後台執行掃碼登錄
+# 二維碼通過 qrcode-terminal 打印到 stdout（HF Space Logs 可直接看到）
+# 若已登錄過（存在 session），插件會跳過掃碼直接完成；首次部署需在 Logs 裡掃碼
+# ENABLE_WEIXIN：設為 false 可跳過（默認啟用）
+# 注意：v2.x 插件通過 Gateway WebSocket 接入，需等 gateway 就緒後再執行 login
+if [ "${ENABLE_WEIXIN:-true}" != "false" ]; then
+    echo "====== WeChat (微信) ClawBot Setup ======"
+    echo "If QR code appears below in logs (~30s), scan it with WeChat to bind your account."
+    echo "========================================="
+    (
+        sleep 30  # 等待 gateway 完全啟動
+        openclaw channels login --channel openclaw-weixin 2>&1 || \
+            echo "WeChat login step finished (or skipped if already configured)."
+    ) &
+    echo "====== WeChat Login initiated in background ======"
+fi
+
+# 後台啟動 Gateway，待其就緒後自動批准最新的設備配對請求
+# 解決 "bind: lan" 模式下 browser 工具首次連接需要配對審批的問題
+# 注意：新版 openclaw (2026.4.x) approve --latest 已改為 preview-only，
+#       必須先 list --json 取得 requestId，再用精確 ID 執行 approve
+(
+    echo "Waiting for Gateway to become ready before approving device pairs..."
+    sleep 45
+    for i in $(seq 1 5); do
+        REQUEST_ID=$(openclaw devices list --json 2>/dev/null | python3 -c "
+import sys, json
+try:
+    data = json.load(sys.stdin)
+    pending = [d for d in data if d.get('status') == 'pending']
+    if pending:
+        print(pending[-1]['requestId'])
+except Exception:
+    pass
+" 2>/dev/null)
+        if [ -n "$REQUEST_ID" ]; then
+            if openclaw devices approve "$REQUEST_ID" 2>/dev/null; then
+                echo "Approved device pair request: $REQUEST_ID"
+                break
+            fi
+        fi
+        echo "No pending device pairs yet (attempt $i/5), retrying in 5s..."
+        sleep 5
+    done
+) &
+
+exec openclaw gateway run --port $PORT
+EOF
+
+RUN chmod +x /usr/local/bin/start-openclaw
+
+# 12. code-server + nginx 啟動包裝腳本
+# ─────────────────────────────────────────────────────────────────────────────
+# 架構說明：
+#   HF Space 對外只暴露單一端口 $PORT（默認 7860），因此：
+#   - nginx            監聽 $PORT（對外，由本腳本在運行時寫入配置）
+#   - openclaw gateway 監聽 7862（內部，通過覆蓋 PORT=7862 傳給 start-openclaw）
+#   - code-server      監聽 13337（內部）
+#   nginx 路由：/ide/ -> code-server:13337（nginx 剝離 /ide/ 前綴），/ -> gateway:7862
+#
+# 關鍵設計：
+#   start-openclaw 原腳本完全不修改，末尾是 `exec openclaw gateway run --port $PORT`。
+#   此處以普通後台進程方式（非 exec）啟動它，並覆蓋 PORT=7862 使 gateway 監聽內部端口。
+#   start-openclaw 腳本內所有後台任務（備份循環、微信登錄、設備配對審批等）均在
+#   `exec openclaw gateway run` 前通過 & 後台啟動，因此全部照常運行，不受影響。
+#
+# code-server 說明：
+#   code-server 已移除 --base-path 參數（多年前即廢棄），
+#   subpath 反向代理通過 nginx location /ide/ + proxy_pass 末尾帶 / 實現路徑剝離。
+#   登錄後 302 重定向通過 proxy_redirect 重寫回 /ide/ 前綴，否則會跳到 / 而非 /ide/。
+#
+# nginx 配置注意：
+#   nginx 配置文件不支持 bash 變量語法（${}），
+#   所有動態端口值通過 sed 替換佔位符在運行時寫入。
+RUN cat <<'EOF' > /usr/local/bin/start-openclaw-code-server
+#!/bin/bash
+set -e
+
+# HuggingFace Space 對外端口（由 HF 平台注入，默認 7860）
+LISTEN_PORT="${PORT:-7860}"
+# openclaw gateway 內部端口（避免與 nginx 對外端口衝突）
+GATEWAY_PORT=7862
+# code-server 內部端口
+CODE_SERVER_PORT=13337
+
+echo "=== start-openclaw-code-server ==="
+echo "External listen port    : ${LISTEN_PORT}"
+echo "Gateway internal port   : ${GATEWAY_PORT}"
+echo "code-server internal port: ${CODE_SERVER_PORT}"
+
+# ── 1. 後台啟動原版 start-openclaw（覆蓋 PORT 使 gateway 監聽內部端口）──────
+# start-openclaw 內所有邏輯（恢復備份、寫配置、後台備份循環、微信登錄、設備配對審批等）
+# 全部照常執行，僅 gateway 監聽端口從 $PORT 改為內部 $GATEWAY_PORT
+mkdir -p /root/.openclaw/logs
+PORT=${GATEWAY_PORT} bash /usr/local/bin/start-openclaw 2>&1 | tee /root/.openclaw/logs/openclaw-main.log &
+echo "start-openclaw launched in background (gateway port=${GATEWAY_PORT})"
+
+# ── 2. 等待 gateway 內部就緒（最多 120 秒）──────────────────────────────────
+echo "Waiting for openclaw gateway on internal port ${GATEWAY_PORT}..."
+for i in $(seq 1 60); do
+  if curl -fsS http://127.0.0.1:${GATEWAY_PORT}/ >/dev/null 2>&1; then
+    echo "Gateway is up after $((i * 2))s."
+    break
+  fi
+  sleep 2
+done
+
+# ── 3. 啟動 code-server（後台，僅本機監聽）──────────────────────────────────
+# 注意：code-server 已移除 --base-path 參數，subpath 由 nginx 的 proxy_pass 末尾 / 處理
+# PASSWORD 通過環境變量傳入（code-server 官方支持的方式）
+mkdir -p /root/.openclaw/logs /root/.code-server
+
+export PASSWORD="${CODE_SERVER_PASSWORD:-changeme123!}"
+code-server \
+  --bind-addr 127.0.0.1:${CODE_SERVER_PORT} \
+  --auth password \
+  --disable-telemetry \
+  --disable-update-check \
+  --user-data-dir /root/.code-server \
+  --extensions-dir /root/.code-server/extensions \
+  /root/.openclaw \
+  >> /root/.openclaw/logs/code-server.log 2>&1 &
+echo "code-server launched (port=${CODE_SERVER_PORT})"
+
+# ── 4. 生成 nginx 配置並啟動 ────────────────────────────────────────────────
+# nginx 不支持 bash 變量語法，所有動態值通過 sed 替換佔位符寫入
+rm -f /etc/nginx/sites-enabled/default /etc/nginx/conf.d/default.conf
+
+cat > /etc/nginx/conf.d/openclaw-ide.conf <<'NGINX'
+server {
+    listen PLACEHOLDER_LISTEN_PORT;
+    server_name _;
+    client_max_body_size 100M;
+
+    access_log /dev/stdout;
+    error_log  /dev/stderr warn;
+
+    # IDE（code-server）：nginx 剝離 /ide/ 前綴後轉發到 code-server 根路徑
+    # proxy_pass 末尾帶 / 是關鍵：nginx 自動將 /ide/xxx 重寫為 /xxx 再轉發
+    # proxy_redirect：code-server 登錄後發 302 跳轉到 /，需重寫回 /ide/ 否則會進入 openclaw
+    location /ide/ {
+        proxy_pass http://127.0.0.1:PLACEHOLDER_CODE_SERVER_PORT/;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_redirect / /ide/;
+        proxy_read_timeout 86400;
+    }
+
+    # 其餘請求：代理到 openclaw gateway
+    location / {
+        proxy_pass http://127.0.0.1:PLACEHOLDER_GATEWAY_PORT/;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 86400;
+    }
+}
+NGINX
+
+sed -i \
+  "s/PLACEHOLDER_LISTEN_PORT/${LISTEN_PORT}/g;
+   s/PLACEHOLDER_CODE_SERVER_PORT/${CODE_SERVER_PORT}/g;
+   s/PLACEHOLDER_GATEWAY_PORT/${GATEWAY_PORT}/g" \
+  /etc/nginx/conf.d/openclaw-ide.conf
+
+echo "nginx config:"
+cat /etc/nginx/conf.d/openclaw-ide.conf
+
+nginx -t
+echo "Starting nginx (foreground)..."
+exec nginx -g 'daemon off; error_log /dev/stderr warn;'
+EOF
+
+RUN chmod +x /usr/local/bin/start-openclaw-code-server
+
+EXPOSE 7860
+
+# IDE（code-server）訪問方式（Space 啟動後）：
+#   主界面（OpenClaw）: https://<your-space>.hf.space/
+#   IDE（VS Code）    : https://<your-space>.hf.space/ide/
+#                       密碼由環境變量 CODE_SERVER_PASSWORD 控制
+#                       默認：changeme123!  ← 建議在 HF Space Secrets 中覆蓋
+CMD ["/usr/local/bin/start-openclaw-code-server"]