fix: improve SSH service stability and backup.py error handling

README.md

@@ -24,18 +24,44 @@ This setup is designed to provide the following:
 - Store OpenClaw config/workspace under `/root/.openclaw`
 - Restore state automatically from a Hugging Face Dataset on startup
 - Run scheduled backups of OpenClaw data to a Hugging Face Dataset via `cron` (as `root` user)
+- Incremental backup + dynamic strategy + AES-256-CBC encryption + large file splitting
+- Backup watchdog (auto-triggers backup when cron fails)
+- SSH service with auto-healing watchdog + host key generation
+- CCMR (Claude Code Model Router) with 10 platform API key support
+- Multi-dataset restore (restore from a different dataset)
 - Preinstall `python3`, `uv`, `vim`, `neovim`, `chromium` (via Chrome for Testing archive), `gh`, `hf`, `opencode`, `codex`, `claude` (Claude Code CLI), `@larksuite/cli` (with `npx skills add larksuite/cli -y -g`), and `sshx` in the image for interactive terminal use
 
 ## Repository Layout
 
 - `Dockerfile`: Runtime image for the Space
 - `scripts/openclaw-entrypoint.sh`: Main startup flow (restore, config generation, cron setup, gateway start)
-- `openclaw_hf/backup.py`: Backup/restore implementation
+- `scripts/hf-entrypoint.sh`: HF Spaces container entrypoint (PID 1, manages supervisord + SSH + PM2 + BT Panel)
+- `scripts/supervisord.conf`: Supervisord config, manages cron, backup-watchdog, openclaw-gateway, ccmr-gateway
+- `openclaw_hf/backup.py`: Backup/restore implementation (full/incremental, encryption, split, dynamic strategy, resume)
 - `scripts/openclaw-backup-cron.sh`: Cron entrypoint for backup jobs
+- `scripts/openclaw-backup-watchdog.sh`: Backup watchdog, auto-triggers backup when overdue
+- `scripts/openclaw-backup-health.sh`: Backup health check & auto-repair
 - `scripts/openclaw-restore.sh`: Startup restore entrypoint
-- `scripts/openclaw-gateway-restart`: Kill running `openclaw-gateway` processes
+- `scripts/openclaw-gateway-ctl`: Gateway process management (start/stop/restart/reload)
+- `scripts/openclaw-env-sync.sh`: Sync environment variables from HF API
+- `scripts/update-env-from-secrets.sh`: Fetch latest env vars from HF API
+- `scripts/bt_install_panel_custom.sh`: BT Panel installation script
 - `scripts/bootstrap-hf.sh`: Interactive bootstrap for Space/Dataset creation, upload, and Space variables/secrets setup (macOS/Linux)
 - `scripts/bootstrap-hf.ps1`: Interactive bootstrap for Space/Dataset creation, upload, and Space variables/secrets setup (Windows PowerShell)
+- `scripts/rebuild-space.sh`: Force push latest code to Space and trigger rebuild
+- `scripts/delete-backups.sh`: Batch cleanup old backups from Dataset
+- `scripts/delete-hf.py`: HF resource deletion tool (Space/Dataset/files/storage)
+- `scripts/find-largest-backup.py`: Find best backup in Dataset
+- `scripts/ssh_service_watchdog.sh`: SSH service watchdog (process monitor + auto-recovery)
+- `scripts/check_ssh_health.sh`: SSH health check (used by Docker HEALTHCHECK)
+- `scripts/ssh-agent-autostart.sh`: SSH agent auto-start and key loading
+- `scripts/optimize_ssh.sh`: SSH configuration optimization
+- `scripts/save-env.sh`: Save environment to `/etc/profile.d`
+- `scripts/hf-storage.sh` / `scripts/hf-storage.py`: HuggingFace storage utilities
+- `scripts/ccmr-setup.sh`: CCMR configuration generation
+- `scripts/ccmr-wrapper.sh`: CCMR Supervisor wrapper (hot-reload + crash recovery)
+- `scripts/server.js`: PID 1 keep-alive HTTP server
+- `pm2/ecosystem.config.js`: PM2 configuration (optional extension)
 - `tests/test_backup.py`: Unit tests for the backup module
 - `tests/test_entrypoint_config.py`: Unit tests for gateway config generation behavior
 
@@ -63,31 +89,36 @@ In that case, you can still configure from inside the container (for example via
 
 ## Common Optional Variables
 
-- `OPENCLAW_LLM_MODEL` (unset by default; used only when custom model preconfiguration is enabled)
-- `OPENCLAW_LLM_PROVIDER` (default: `thirdparty`)
-- `OPENCLAW_LLM_API` (default: `openai-completions`)
-- `OPENCLAW_VERSION` (used by Docker install step; bootstrap prompts for it and defaults to the latest version detected from npm registry, fallback `latest`)
-- `OPENCLAW_STATE_DIR` (default: `/root/.openclaw`)
-- `OPENCLAW_USER` (default: `root`, runtime user for gateway and cron jobs)
-- `OPENCLAW_GROUP` (default: `root`, runtime group for gateway and cron jobs)
-- `OPENCLAW_CONFIG_PATH` (default: `/root/.openclaw/openclaw.json`)
-- `OPENCLAW_WORKSPACE_DIR` (default: `/root/.openclaw/workspace`)
-- `OPENCLAW_BACKUP_CRON` (default: `*/30 * * * *`, backup every 30 minutes)
-- `OPENCLAW_BACKUP_SOURCE_DIR` (default: `/root/.openclaw`, backup/restore base directory for `openclaw-state`)
-- `OPENCLAW_BACKUP_ROOT_CONFIG_DIR` (default: `/root/.config`, additional backup/restore directory for `root-config`)
-- `OPENCLAW_BACKUP_ROOT_CODEX_DIR` (default: `/root/.codex`, additional backup/restore directory for `root-codex`)
-- `OPENCLAW_BACKUP_ROOT_CLAUDE_DIR` (default: `/root/.claude`, additional backup/restore directory for `root-claude`)
-- `OPENCLAW_BACKUP_ROOT_AGENTS_DIR` (default: `/root/.agents`, additional backup/restore directory for `root-agents`)
-- `OPENCLAW_BACKUP_ROOT_SSH_DIR` (default: `/root/.ssh`, additional backup/restore directory for `root-ssh`)
-- `OPENCLAW_BACKUP_ROOT_ENV_DIR` (default: `/root/.env.d`, additional backup/restore directory for `root-env`)
-- `OPENCLAW_BACKUP_ROOT_NPM_DIR` (default: `/root/.npm`, additional backup/restore directory for `root-npm`)
-- `OPENCLAW_BACKUP_ROOT_LARK_CLI_DIR` (default: `/root/.lark-cli`, additional backup/restore directory for `root-lark-cli`)
-- `OPENCLAW_BACKUP_PATH_PREFIX` (default: `backups`)
-- `OPENCLAW_BACKUP_KEEP_COUNT` (default: `24`, keep newest N timestamped backup archives; older ones are auto-deleted)
-- `OPENCLAW_SSHX_AUTO_START` (default: `false`; set `true` to auto-run `sshx` in background on startup)
-- `OPENCLAW_GATEWAY_AUTH_MODE` (default: `token`, optional: `password`)
-- `OPENCLAW_GATEWAY_CONTROLUI_ALLOW_INSECURE_AUTH` (default: `false`)
-- `OPENCLAW_GATEWAY_CONTROLUI_DANGEROUSLY_DISABLE_DEVICE_AUTH` (default: `false`; set `true` to bypass pairing, strongly discouraged on public networks)
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `OPENCLAW_VERSION` | `latest` | OpenClaw version for Docker install |
+| `OPENCLAW_GATEWAY_PORT` | `18789` | Gateway listen port |
+| `OPENCLAW_GATEWAY_BIND` | `lan` | Gateway bind mode (`lan`/`local`) |
+| `OPENCLAW_STATE_DIR` | `/root/.openclaw` | OpenClaw state directory |
+| `OPENCLAW_USER` | `root` | Runtime user for gateway and cron |
+| `OPENCLAW_GROUP` | `root` | Runtime group |
+| `OPENCLAW_CONFIG_PATH` | `/root/.openclaw/openclaw.json` | Gateway config path |
+| `OPENCLAW_WORKSPACE_DIR` | `/root/.openclaw/workspace` | Workspace directory |
+| `OPENCLAW_BACKUP_CRON` | `*/10 * * * *` | Backup cron expression |
+| `OPENCLAW_BACKUP_SOURCE_DIR` | `/root/.openclaw` | Backup/restore base directory |
+| `OPENCLAW_BACKUP_ROOT_*_DIR` | Various | Extra backup dirs (config, codex, claude, agents, ssh, env, npm, lark-cli) |
+| `OPENCLAW_BACKUP_PATH_PREFIX` | `backups` | Backup path prefix |
+| `OPENCLAW_BACKUP_KEEP_COUNT` | `24` | Number of backups to keep |
+| `OPENCLAW_BACKUP_ENCRYPTION_ENABLED` | `false` | Enable AES-256-CBC encryption |
+| `OPENCLAW_BACKUP_SPLIT_SIZE` | `500M` | Large file split volume size |
+| `OPENCLAW_INCREMENTAL_BACKUP` | `true` | Enable incremental backup |
+| `OPENCLAW_DYNAMIC_BACKUP` | `true` | Enable dynamic backup strategy |
+| `OPENCLAW_FULL_BACKUP_INTERVAL_HOURS` | `1` | Force full backup interval |
+| `OPENCLAW_MAX_INCREMENTAL_BACKUPS` | `15` | Max incremental backups before full |
+| `OPENCLAW_RESTORE_TIMEOUT` | `5400` | Restore timeout (seconds, 90 min) |
+| `WATCHDOG_INTERVAL` | `600` | Backup watchdog check interval (s) |
+| `MAX_BACKUP_AGE_MINUTES` | `30` | Max backup age (minutes) |
+| `FORCE_BACKUP_INTERVAL` | `14400` | Force backup interval (seconds) |
+| `OPENCLAW_SSHX_AUTO_START` | `false` | Auto-start `sshx` on boot |
+| `OPENCLAW_GATEWAY_AUTH_MODE` | `token` | Auth mode (`token`/`password`) |
+| `ROOT_PASSWORD` | `lauer3912` | SSH root password |
+| `CCMR_ENABLED` | `false` | Enable Claude Code Model Router |
+| `CCMR_PORT` | `8080` | CCMR gateway port |
 
 ## Quick Deployment
 
@@ -201,33 +232,64 @@ api.restart_space(repo_id=repo_id)
 
 For this project, if you need stable dashboard access without cold starts, use paid hardware and set sleep time to `Never`.
 
+## SSH Service
+
+The container has a comprehensive SSH service guarding system to ensure continuous availability:
+
+- **Auto-start**: Entrypoint generates host keys, cleans stale PID files, starts sshd
+- **SSH Watchdog** (`ssh_service_watchdog.sh`): Monitors sshd every 30s, auto-recovers on failure
+- **Multi-level repair**: Config corruption → backup config → minimal config → auto-reinstall openssh-server
+- **Exponential backoff**: Gradually increases wait time on consecutive failures
+- **Health check** (`check_ssh_health.sh`): Used by Docker HEALTHCHECK
+- **SSH Agent auto-load**: Auto-starts ssh-agent and loads keys from `/root/.ssh/`
+- **Root password**: Set via `ROOT_PASSWORD` environment variable
+
+## CCMR (Claude Code Model Router)
+
+CCMR gateway is integrated and managed by Supervisord with hot-reload support:
+
+- **Auto-config**: Set `CCMR_*_API_KEY` env vars to enable
+- **10 API Key slots**: DeepSeek, Qwen, Kimi, GLM, MiniMax (CN/Global), MiMo (SGP/CN/AMS/PAYG)
+- **File hot-reload**: Edit `/root/.env.d/ccmr.env` and changes apply immediately without restart
+- **Crash recovery**: Supervisord auto-restarts CCMR process
+
 ## Backup/Restore Flow
 
-- Startup restore: on container startup, it fetches `latest-backup.json` from the Dataset to locate the latest backup and restore:
-  - `openclaw-state` -> `OPENCLAW_BACKUP_SOURCE_DIR` (default `/root/.openclaw`)
-  - `root-config` -> `OPENCLAW_BACKUP_ROOT_CONFIG_DIR` (default `/root/.config`, restored only when present in archive)
-  - `root-codex` -> `OPENCLAW_BACKUP_ROOT_CODEX_DIR` (default `/root/.codex`, restored only when present in archive)
-  - `root-claude` -> `OPENCLAW_BACKUP_ROOT_CLAUDE_DIR` (default `/root/.claude`, restored only when present in archive)
-  - `root-agents` -> `OPENCLAW_BACKUP_ROOT_AGENTS_DIR` (default `/root/.agents`, restored only when present in archive)
-  - `root-ssh` -> `OPENCLAW_BACKUP_ROOT_SSH_DIR` (default `/root/.ssh`, restored only when present in archive)
-  - `root-env` -> `OPENCLAW_BACKUP_ROOT_ENV_DIR` (default `/root/.env.d`, restored only when present in archive)
-  - `root-npm` -> `OPENCLAW_BACKUP_ROOT_NPM_DIR` (default `/root/.npm`, restored only when present in archive)
-  - `root-lark-cli` -> `OPENCLAW_BACKUP_ROOT_LARK_CLI_DIR` (default `/root/.lark-cli`, restored only when present in archive)
-- Scheduled backup: cron runs based on `OPENCLAW_BACKUP_CRON`
-- Shutdown backup: when the container receives a stop signal, one final backup is uploaded before exit
-- Each backup upload includes:
-  - `backups/openclaw-backup-<timestamp>.tar.gz`
-    - archive root `openclaw-state/`
-    - archive root `root-config/` (included when `OPENCLAW_BACKUP_ROOT_CONFIG_DIR` exists)
-    - archive root `root-codex/` (included when `OPENCLAW_BACKUP_ROOT_CODEX_DIR` exists)
-    - archive root `root-claude/` (included when `OPENCLAW_BACKUP_ROOT_CLAUDE_DIR` exists)
-    - archive root `root-agents/` (included when `OPENCLAW_BACKUP_ROOT_AGENTS_DIR` exists)
-    - archive root `root-ssh/` (included when `OPENCLAW_BACKUP_ROOT_SSH_DIR` exists)
-    - archive root `root-env/` (included when `OPENCLAW_BACKUP_ROOT_ENV_DIR` exists)
-    - archive root `root-npm/` (included when `OPENCLAW_BACKUP_ROOT_NPM_DIR` exists)
-    - archive root `root-lark-cli/` (included when `OPENCLAW_BACKUP_ROOT_LARK_CLI_DIR` exists)
-  - `latest-backup.json`
-- Retention: after upload, only the newest `OPENCLAW_BACKUP_KEEP_COUNT` timestamped archives are kept (default `24`); older timestamped archives are deleted automatically
+### Restore
+
+**Automatic restore on startup** (always runs on container restart/rebuild):
+
+- `openclaw-state` -> `OPENCLAW_BACKUP_SOURCE_DIR` (default `/root/.openclaw`)
+- `root-config` -> `OPENCLAW_BACKUP_ROOT_CONFIG_DIR` (default `/root/.config`)
+- `root-codex` -> `OPENCLAW_BACKUP_ROOT_CODEX_DIR` (default `/root/.codex`)
+- `root-claude` -> `OPENCLAW_BACKUP_ROOT_CLAUDE_DIR` (default `/root/.claude`)
+- `root-agents` -> `OPENCLAW_BACKUP_ROOT_AGENTS_DIR` (default `/root/.agents`)
+- `root-ssh` -> `OPENCLAW_BACKUP_ROOT_SSH_DIR` (default `/root/.ssh`)
+- `root-env` -> `OPENCLAW_BACKUP_ROOT_ENV_DIR` (default `/root/.env.d`)
+- `root-npm` -> `OPENCLAW_BACKUP_ROOT_NPM_DIR` (default `/root/.npm`)
+- `root-lark-cli` -> `OPENCLAW_BACKUP_ROOT_LARK_CLI_DIR` (default `/root/.lark-cli`)
+
+Multi-dataset restore: set `OPENCLAW_RESTORE_DATASET_REPO` to restore from a different dataset.
+
+### Backup
+
+- **Scheduled backup**: Runs based on `OPENCLAW_BACKUP_CRON` (default every 10 min)
+- **Incremental backup** (default on): Only backs up changed files after a full backup
+- **Dynamic strategy** (default on): Auto-adjusts compression and splitting based on file size and change rate
+- **AES-256-CBC encryption**: Optional, allows secure storage on public datasets
+- **Large file splitting**: Default 500MB per volume, avoids upload failures
+- **Resume support**: Creates checkpoint files during upload, allows resume on interruption
+- **Shutdown backup**: Final backup before container exit on stop signal
+- **Retention**: Keeps newest `OPENCLAW_BACKUP_KEEP_COUNT` (default 24) archives, auto-deletes older ones
+
+### Backup Watchdog
+
+`openclaw-backup-watchdog.sh` acts as the **last line of defense**:
+
+- Auto-triggers backup when no backup for `MAX_BACKUP_AGE_MINUTES` (default 30 min)
+- Force backup every `FORCE_BACKUP_INTERVAL` (default 4 hours)
+- File lock prevents concurrent execution
+- Automatic backoff on consecutive failures
 
 ## Use sshx Inside the Container
 

README_zh.md

@@ -26,6 +26,11 @@ pinned: false
 - OpenClaw 配置和工作目录存储在 `/root/.openclaw`
 - 启动时自动从 Hugging Face Dataset 恢复状态
 - 通过 `cron` 定时备份 OpenClaw 数据到 Hugging Face Dataset
+- 增量备份 + 动态备份策略 + AES-256-CBC 加密 + 大文件分卷
+- 备份看门狗（兜底保障，cron 失效时自动触发备份）
+- SSH 服务自动守护（看门狗监控自愈 + 自动生成主机密钥）
+- CCMR（Claude Code Model Router）支持，自动配置 10 个平台 API Key
+- 多数据集恢复支持（可从不同 Dataset 恢复）
 - 预装工具：`python3`、`uv`、`vim`、`neovim`、`chromium`（Chrome for Testing）、`gh`、`hf`、`opencode`、`codex`、`claude`（Claude Code CLI）、`@larksuite/cli`、`sshx`
 - 内置 DDNS-GO，支持动态 DNS 更新（非关键功能，安装失败不影响构建）
 
@@ -33,15 +38,33 @@ pinned: false
 
 - `Dockerfile`: Space 运行时镜像
 - `scripts/openclaw-entrypoint.sh`: 主启动流程（恢复、配置生成、cron 设置、gateway 启动）
-- `scripts/hf-entrypoint.sh`: HF Spaces 容器入口（管理 supervisord + PM2）
-- `scripts/supervisord.conf`: Supervisord 配置，管理 cron 和 openclaw-gateway
-- `openclaw_hf/backup.py`: 备份/恢复实现
+- `scripts/hf-entrypoint.sh`: HF Spaces 容器入口（PID 1，管理 supervisord + SSH + PM2 + BT Panel）
+- `scripts/supervisord.conf`: Supervisord 配置，管理 cron、backup-watchdog、openclaw-gateway、ccmr-gateway
+- `openclaw_hf/backup.py`: 备份/恢复实现（全量/增量、加密、分卷、动态策略、断点续传）
 - `scripts/openclaw-backup-cron.sh`: Cron 备份任务入口
+- `scripts/openclaw-backup-watchdog.sh`: 备份看门狗，兜底保障自动触发备份
+- `scripts/openclaw-backup-health.sh`: 备份健康检查与自动修复
 - `scripts/openclaw-restore.sh`: 启动恢复入口
-- `scripts/openclaw-gateway-restart`: 重启 openclaw-gateway 进程
-- `scripts/bt_install_panel.sh`: BT Panel 安装脚本
+- `scripts/openclaw-gateway-ctl`: Gateway 进程管理（start/stop/restart/reload）
+- `scripts/openclaw-env-sync.sh`: 从 HF API 同步环境变量
+- `scripts/update-env-from-secrets.sh`: 从 HF API 获取最新环境变量
+- `scripts/bt_install_panel_custom.sh`: BT Panel 安装脚本
 - `scripts/bootstrap-hf.sh`: 交互式引导脚本（macOS/Linux）
 - `scripts/bootstrap-hf.ps1`: 交互式引导脚本（Windows PowerShell）
+- `scripts/rebuild-space.sh`: 强制推送最新代码到 Space 并触发重建
+- `scripts/delete-backups.sh`: 批量清理 Dataset 中的旧备份
+- `scripts/delete-hf.py`: HF 资源删除工具（Space/Dataset/文件/存储）
+- `scripts/find-largest-backup.py`: 查找 Dataset 中最佳备份
+- `scripts/ssh_service_watchdog.sh`: SSH 服务看门狗（进程监控 + 自动恢复）
+- `scripts/check_ssh_health.sh`: SSH 健康检查脚本（Docker HEALTHCHECK 使用）
+- `scripts/ssh-agent-autostart.sh`: SSH Agent 自动启动和加载密钥
+- `scripts/optimize_ssh.sh`: SSH 配置优化
+- `scripts/save-env.sh`: 保存环境变量到 `/etc/profile.d`
+- `scripts/hf-storage.sh` / `scripts/hf-storage.py`: HuggingFace 公共存储工具
+- `scripts/ccmr-setup.sh`: CCMR 配置生成脚本
+- `scripts/ccmr-wrapper.sh`: CCMR Supervisor 启动包装（文件热加载 + 崩溃恢复）
+- `scripts/server.js`: PID 1 存活 HTTP 服务
+- `pm2/ecosystem.config.js`: PM2 配置文件（可选扩展）
 - `tests/test_backup.py`: 备份模块单元测试
 - `tests/test_entrypoint_config.py`: Gateway 配置生成行为单元测试
 
@@ -60,7 +83,30 @@ pinned: false
 
 - `BT_PANEL_PORT`（默认: `7860`）: BT Panel 监听端口
 - `BT_PANEL_USERNAME`（默认: `btadmin`）: BT Panel 用户名，**必须以小写字母开头，只能包含小写字母和数字，长度 3-32 位**
-- `BT_PANEL_PASSWORD`: BT Panel 密码，留空则使用默认随机密码
+- `BT_PANEL_PASSWORD`: BT Panel 密码，留空则自动生成
+- `BT_PANEL_SAFE_PATH`: BT Panel 安全入口路径（默认: `lauer3912`）
+- `BT_PANEL_TIMEZONE`（默认: `Asia/Shanghai`）: BT Panel 时区
+
+## SSH 服务
+
+容器内置 SSH 服务守护体系，确保 SSH 持续可用：
+
+- **自动启动**: 入口点自动生成主机密钥、清理残留 PID、启动 sshd
+- **SSH 看门狗** (`ssh_service_watchdog.sh`): 每 30 秒监控 sshd 进程，异常时自动恢复
+- **多级修复**: 配置损坏→使用备份配置→生成最小配置→自动重装 openssh-server
+- **指数退避**: 连续失败时逐步增加等待时间，避免频繁重试
+- **健康检查** (`check_ssh_health.sh`): 配合 Docker HEALTHCHECK 使用
+- **SSH Agent 自动加载**: 自动启动 ssh-agent 并加载 `/root/.ssh/` 下的私钥
+- **ROOT 密码**: 通过 `ROOT_PASSWORD` 环境变量设置
+
+## CCMR（Claude Code Model Router）
+
+集成 CCMR 网关，通过 Supervisor 管理，支持热加载：
+
+- **自动配置**: 设置 `CCMR_*_API_KEY` 环境变量即可启用
+- **10 个 API Key 支持**: DeepSeek、通义千问、Kimi、智谱 GLM、MiniMax（CN/Global）、MiMo（SGP/CN/AMS/PAYG）
+- **文件热加载**: 编辑 `/root/.env.d/ccmr.env` 后立即生效，无需重启
+- **崩溃恢复**: Supervisor 自动重启 CCMR 进程
 
 ## 可选 LLM 变量（全有或全无）
 
@@ -84,15 +130,28 @@ pinned: false
 | `OPENCLAW_GROUP` | `root` | 运行时用户组 |
 | `OPENCLAW_CONFIG_PATH` | `/root/.openclaw/openclaw.json` | Gateway 配置文件路径 |
 | `OPENCLAW_WORKSPACE_DIR` | `/root/.openclaw/workspace` | 工作目录 |
-| `OPENCLAW_BACKUP_CRON` | `*/30 * * * *` | 备份 cron 表达式（默认每 30 分钟） |
+| `OPENCLAW_BACKUP_CRON` | `*/10 * * * *` | 备份 cron 表达式（默认每 10 分钟） |
 | `OPENCLAW_BACKUP_SOURCE_DIR` | `/root/.openclaw` | 备份/恢复基础目录 |
 | `OPENCLAW_BACKUP_ROOT_*_DIR` | 各有默认值 | 额外备份目录（config、codex、claude、agents、ssh、npm、lark-cli） |
 | `OPENCLAW_BACKUP_PATH_PREFIX` | `backups` | 备份路径前缀 |
 | `OPENCLAW_BACKUP_KEEP_COUNT` | `24` | 保留的最新备份数量 |
+| `OPENCLAW_BACKUP_ENCRYPTION_ENABLED` | `false` | 启用 AES-256-CBC 加密备份 |
+| `OPENCLAW_BACKUP_SPLIT_SIZE` | `500M` | 大文件分卷大小 |
+| `OPENCLAW_INCREMENTAL_BACKUP` | `true` | 启用增量备份 |
+| `OPENCLAW_DYNAMIC_BACKUP` | `true` | 启用动态备份策略 |
+| `OPENCLAW_FULL_BACKUP_INTERVAL_HOURS` | `1` | 强制全量备份间隔 |
+| `OPENCLAW_MAX_INCREMENTAL_BACKUPS` | `15` | 增量备份次数上限 |
+| `OPENCLAW_RESTORE_TIMEOUT` | `5400` | 恢复超时（秒，默认 90 分钟） |
+| `WATCHDOG_INTERVAL` | `600` | 备份看门狗检查间隔（秒） |
+| `MAX_BACKUP_AGE_MINUTES` | `30` | 备份最大间隔（分钟） |
+| `FORCE_BACKUP_INTERVAL` | `14400` | 强制备份间隔（秒） |
 | `OPENCLAW_SSHX_AUTO_START` | `false` | 设为 `true` 启动时自动后台运行 `sshx` |
 | `OPENCLAW_GATEWAY_AUTH_MODE` | `token` | 认证模式（`token`/`password`） |
 | `OPENCLAW_GATEWAY_CONTROLUI_ALLOW_INSECURE_AUTH` | `false` | 允许不安全认证 |
 | `OPENCLAW_GATEWAY_CONTROLUI_DANGEROUSLY_DISABLE_DEVICE_AUTH` | `false` | 禁用设备配对（**强烈不建议在公网开启**） |
+| `ROOT_PASSWORD` | `lauer3912` | SSH root 用户密码 |
+| `CCMR_ENABLED` | `false` | 启用 Claude Code Model Router |
+| `CCMR_PORT` | `8080` | CCMR 网关端口 |
 
 ## 快速部署
 
@@ -145,21 +204,42 @@ Space URL 构成：
 
 ## 备份/恢复流程
 
-- **启动恢复**：容器启动时从 Dataset 获取 `latest-backup.json` 来定位最新备份并恢复：
-  - `openclaw-state` -> `OPENCLAW_BACKUP_SOURCE_DIR`（默认 `/root/.openclaw`）
-  - `root-config` -> `OPENCLAW_BACKUP_ROOT_CONFIG_DIR`（默认 `/root/.config`）
-  - `root-codex` -> `OPENCLAW_BACKUP_ROOT_CODEX_DIR`（默认 `/root/.codex`）
-  - `root-claude` -> `OPENCLAW_BACKUP_ROOT_CLAUDE_DIR`（默认 `/root/.claude`）
-  - `root-agents` -> `OPENCLAW_BACKUP_ROOT_AGENTS_DIR`（默认 `/root/.agents`）
-  - `root-ssh` -> `OPENCLAW_BACKUP_ROOT_SSH_DIR`（默认 `/root/.ssh`）
-  - `root-env` -> `OPENCLAW_BACKUP_ROOT_ENV_DIR`（默认 `/root/.env.d`）
-  - `root-npm` -> `OPENCLAW_BACKUP_ROOT_NPM_DIR`（默认 `/root/.npm`）
-  - `root-lark-cli` -> `OPENCLAW_BACKUP_ROOT_LARK_CLI_DIR`（默认 `/root/.lark-cli`）
-
-- **定时备份**：根据 `OPENCLAW_BACKUP_CRON` 执行
+### 恢复流程
+
+**启动时从 Dataset 自动恢复**，容器重启或重建时必定执行：
+
+- `openclaw-state` -> `OPENCLAW_BACKUP_SOURCE_DIR`（默认 `/root/.openclaw`）
+- `root-config` -> `OPENCLAW_BACKUP_ROOT_CONFIG_DIR`（默认 `/root/.config`）
+- `root-codex` -> `OPENCLAW_BACKUP_ROOT_CODEX_DIR`（默认 `/root/.codex`）
+- `root-claude` -> `OPENCLAW_BACKUP_ROOT_CLAUDE_DIR`（默认 `/root/.claude`）
+- `root-agents` -> `OPENCLAW_BACKUP_ROOT_AGENTS_DIR`（默认 `/root/.agents`）
+- `root-ssh` -> `OPENCLAW_BACKUP_ROOT_SSH_DIR`（默认 `/root/.ssh`）
+- `root-env` -> `OPENCLAW_BACKUP_ROOT_ENV_DIR`（默认 `/root/.env.d`）
+- `root-npm` -> `OPENCLAW_BACKUP_ROOT_NPM_DIR`（默认 `/root/.npm`）
+- `root-lark-cli` -> `OPENCLAW_BACKUP_ROOT_LARK_CLI_DIR`（默认 `/root/.lark-cli`）
+
+支持多数据集恢复：设置 `OPENCLAW_RESTORE_DATASET_REPO` 可以从不同 Dataset 恢复。
+
+### 备份流程
+
+- **定时备份**：根据 `OPENCLAW_BACKUP_CRON`（默认每 10 分钟）执行
+- **增量备份**（默认开启）：全量备份后只备份变化文件，大幅减少数据量
+- **动态备份策略**（默认开启）：根据文件大小和变化率自动调整压缩级别和分卷策略
+- **AES-256-CBC 加密**：可选开启，加密后的备份可安全存储在公开 Dataset
+- **大文件分卷**：默认 500MB 分卷，避免单文件过大导致上传失败
+- **断点续传**：上传过程中创建 checkpoint 文件，中断后可恢复
 - **关机备份**：容器收到停止信号时，执行最后一次备份后再退出
 - **保留策略**：上传后只保留最新的 `OPENCLAW_BACKUP_KEEP_COUNT`（默认 24 个）带时间戳的备份归档，自动删除更旧的
 
+### 备份看门狗
+
+`openclaw-backup-watchdog.sh` 作为备份系统的**兜底保障**：
+
+- 即使 cron 失效，看门狗也会在超过 `MAX_BACKUP_AGE_MINUTES`（默认 30 分钟）无备份时自动触发
+- 每 `FORCE_BACKUP_INTERVAL`（默认 4 小时）强制执行一次备份
+- 使用文件锁防止并发执行
+- 连续失败时自动退避
+
 ## 在容器内使用 sshx
 
 `sshx` 已预装在镜像中。
@@ -200,21 +280,35 @@ python3 -m unittest discover -s tests -p 'test_*.py'
 
 ## 架构说明
 
-容器启动顺序：
+容器启动顺序（`hf-entrypoint.sh` 作为 PID 1）：
 
 ```
-PID 1 (bt-panel)
-└── supervisord
-    ├── cron
-    └── openclaw-gateway (via openclaw-entrypoint.sh)
-        └── node hf-server.js (PID 1 替代)
+PID 1 (node hf-server.js)
+├── supervisord (后台)
+│   ├── cron
+│   ├── backup-watchdog
+│   ├── openclaw-gateway (via openclaw-entrypoint.sh)
+│   │   └── openclaw (gateway 进程管理器)
+│   └── ccmr-gateway (via ccmr-wrapper.sh, 启用时)
+├── sshd
+├── ssh_service_watchdog.sh (SSH 看门狗)
+├── PM2 (可选，ecosystem.config.js 有配置时)
+└── BT Panel
 ```
 
-进程管理使用 **Supervisord** 而非 PM2，原因：
+进程管理使用 **Supervisord** 管理后台服务，原因：
 - Supervisord 是为"进程管理者"设计的，适合 PID 1 下运行
 - 信号传递正确，SIGTERM 能正确传递给子进程
 - 相比 PM2 更轻量，职责单一
 
+关键启动步骤：
+1. `supervisord` 后台启动，管理 cron/backup-watchdog/openclaw-gateway/ccmr-gateway
+2. 生成 SSH 主机密钥，启动 sshd + SSH 看门狗
+3. 等待 openclaw-gateway 完成备份恢复
+4. 可选启动 PM2 管理附加进程
+5. 启动 BT Panel
+6. `node hf-server.js` 作为 PID 1 前台进程接管容器生命周期
+
 ## License
 
 MIT. See `LICENSE`.

scripts/hf-entrypoint.sh

@@ -67,7 +67,7 @@ fi
 
 # 1. 确保SSH服务启动
 if ! pgrep -x "sshd" > /dev/null 2>&1; then
-    local _sshd_bin=""
+    _sshd_bin=""
     if [ -x "/usr/sbin/sshd" ]; then
         _sshd_bin="/usr/sbin/sshd"
     elif [ -x "/usr/bin/sshd" ]; then

scripts/rebuild-space.sh

@@ -0,0 +1,171 @@
+#!/usr/bin/env bash
+# ============================================================
+# OpenClaw HF Space 使用最新代码重建脚本
+#
+# 用法:
+#   ./rebuild-space.sh <SPACE_REPO_ID> [HF_TOKEN]
+#
+# 示例:
+#   ./rebuild-space.sh GGSheng/page hf_xxxxx
+#
+#   方式1：直接提供参数
+#   ./scripts/rebuild-space.sh GGSheng/page hf_xxxxx
+#
+#   方式2：设置环境变量
+#   export SPACE_REPO_ID="GGSheng/page"
+#   export HF_TOKEN="hf_xxxxx"
+#   ./scripts/rebuild-space.sh
+#
+#   方式3：使用缓存的 token（默认从 ~/.cache/huggingface/token 读取）
+#   ./scripts/rebuild-space.sh GGSheng/page
+#
+# 环境变量 (可选):
+#   SPACE_REPO_ID  - Space 仓库 ID (如 GGSheng/page)
+#   HF_TOKEN       - Hugging Face API Token
+#   HF_TOKEN_FILE  - Token 文件路径 (默认 ~/.cache/huggingface/token)
+#
+# 说明:
+#   此脚本用于将本地最新代码强制推送到 Hugging Face Space 并触发重建
+#   - 自动创建 Space（如果不存在）
+#   - 覆盖 Space 中的所有文件
+#   - 排除 .git, logs, scripts, docs, tests 等非必要文件
+#   - 推送完成后自动请求 Space 重启以使更改生效
+#
+# 注意事项:
+#   1. 确保 HF_TOKEN 有 write 权限
+#   2. Space 必须使用 Docker SDK
+#   3. 推送后 Space 会自动重启（需等待构建完成）
+#   4. 此操作会覆盖 Space 中的现有文件
+# ============================================================
+
+update_readme_title() {
+  local new_title="$1"
+  local readme_file="$REPO_ROOT/README.md"
+  local temp_file
+
+  if [[ ! -f "$readme_file" ]]; then
+    return 0
+  fi
+
+  temp_file="$(mktemp)"
+  if sed "s/^title:.*/title: $new_title/" "$readme_file" > "$temp_file"; then
+    mv "$temp_file" "$readme_file"
+  else
+    rm -f "$temp_file"
+  fi
+}
+
+restore_readme_title() {
+  local original_title="$1"
+  local readme_file="$REPO_ROOT/README.md"
+  local temp_file
+
+  if [[ ! -f "$readme_file" ]]; then
+    return 0
+  fi
+
+  temp_file="$(mktemp)"
+  if sed "s/^title:.*/title: $original_title/" "$readme_file" > "$temp_file"; then
+    mv "$temp_file" "$readme_file"
+  else
+    rm -f "$temp_file"
+  fi
+}
+
+SPACE_REPO_ID="${1:-${SPACE_REPO_ID:-}}"
+HF_TOKEN="${2:-${HF_TOKEN:-}}"
+
+if [[ -z "$SPACE_REPO_ID" ]]; then
+  echo "Usage: $0 <SPACE_REPO_ID> [HF_TOKEN]"
+  echo ""
+  echo "Examples:"
+  echo "  $0 GGSheng/page hf_xxxxx"
+  echo "  SPACE_REPO_ID=GGSheng/page HF_TOKEN=hf_xxxxx $0"
+  echo "  $0 GGSheng/page"
+  echo ""
+  echo "Environment variables:"
+  echo "  SPACE_REPO_ID   - Space repo ID (e.g. GGSheng/page)"
+  echo "  HF_TOKEN        - Hugging Face API Token"
+  echo "  HF_TOKEN_FILE   - Token file path (default: ~/.cache/huggingface/token)"
+  exit 1
+fi
+
+if [[ -z "$HF_TOKEN" ]]; then
+  HF_TOKEN_FILE="${HF_TOKEN_FILE:-$HOME/.cache/huggingface/token}"
+  if [[ -f "$HF_TOKEN_FILE" ]]; then
+    HF_TOKEN="$(cat "$HF_TOKEN_FILE")"
+  fi
+fi
+
+if [[ -z "$HF_TOKEN" ]]; then
+  echo "Error: HF_TOKEN is required. Provide as 2nd arg, set HF_TOKEN env var, or ensure ~/.cache/huggingface/token exists."
+  exit 1
+fi
+
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd -- "$SCRIPT_DIR/.." && pwd)"
+
+SPACE_NAME="${SPACE_REPO_ID##*/}"
+
+echo "============================================"
+echo "OpenClaw HF Space Rebuild Script"
+echo "============================================"
+echo "Space: $SPACE_REPO_ID"
+echo "Repo:  $REPO_ROOT"
+echo ""
+
+cd "$REPO_ROOT"
+
+echo "[1/5] Logging into Hugging Face..."
+echo "$HF_TOKEN" | hf auth login --token "$HF_TOKEN"
+
+echo ""
+echo "[2/5] Saving original README title..."
+original_readme_title="$(sed -n 's/^title: *//p' "$REPO_ROOT/README.md" | head -n 1)"
+update_readme_title "$SPACE_NAME"
+
+restore_readme_on_exit() {
+  restore_readme_title "${original_readme_title:-HF Space}"
+}
+trap restore_readme_on_exit EXIT
+
+echo ""
+echo "[3/5] Ensuring Space exists..."
+hf repos create "$SPACE_REPO_ID" --repo-type space --space-sdk docker --exist-ok
+
+echo ""
+echo "[4/5] Uploading files to Space..."
+upload_output=$(hf upload "$SPACE_REPO_ID" . --repo-type space \
+  --exclude '.git/**' \
+  --exclude '.git' \
+  --exclude '.github/**' \
+  --exclude 'logs/**' \
+  --exclude '*.log' \
+  --exclude 'docs/**' \
+  --exclude 'tests/**' \
+  --exclude 'LICENSE' \
+  --exclude '.dockerignore' \
+  --exclude '.python-version' \
+  --commit-message "fix: improve SSH service stability and backup.py error handling" 2>&1)
+upload_exit_code=$?
+
+if [ $upload_exit_code -ne 0 ]; then
+  echo "Error: Upload failed:"
+  echo "$upload_output"
+  exit 1
+fi
+
+echo ""
+echo "[5/5] Requesting Space restart..."
+restart_output=$(hf spaces restart "$SPACE_REPO_ID" 2>&1)
+restart_exit_code=$?
+
+if [ $restart_exit_code -ne 0 ]; then
+  echo "Warning: Restart request failed:"
+  echo "$restart_output"
+fi
+
+echo ""
+echo "============================================"
+echo "Done! Space updated: https://huggingface.co/spaces/$SPACE_REPO_ID"
+echo "============================================"