Remove Telegram env vars, clean up README and .env.example

- Remove TELEGRAM_BOT_TOKEN/BOT_NAME/ALLOW_USER from sync_hf.py
(can be configured in Control UI instead)
- Remove duplicate Configuration table and Local Development section
- Add OpenClaw full env var support statement in README and .env.example
- Remove CSP headers claim from Security section

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.env.example

@@ -135,3 +135,67 @@ OPENROUTER_API_KEY=sk-or-v1-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 # OPENCLAW_HTTP_PROXY=
 # OPENCLAW_HTTPS_PROXY=
 # OPENCLAW_NO_PROXY=
+
+
+# ═══════════════════════════════════════════════════════════════════════════
+#  OpenClaw 官方环境变量
+# ═══════════════════════════════════════════════════════════════════════════
+#
+#  HuggingClaw 启动 OpenClaw 时透传整个环境（env=os.environ.copy()），
+#  因此 OpenClaw 官方文档中列出的 **所有** 环境变量在 HF Spaces / Docker 中
+#  设置后均可直接生效。
+#  官方完整列表见：https://openclawdoc.com/docs/reference/environment-variables
+#
+#  常见类别（仅列举部分）：
+#    API Keys: OPENAI_API_KEY, ANTHROPIC_API_KEY, GOOGLE_API_KEY, MISTRAL_API_KEY,
+#              COHERE_API_KEY, OPENROUTER_API_KEY
+#    Server:   OPENCLAW_API_PORT, OPENCLAW_WS_PORT, OPENCLAW_METRICS_PORT,
+#              OPENCLAW_HOST, OPENCLAW_TLS_*
+#    App:      OPENCLAW_CONFIG, OPENCLAW_DATA_DIR, OPENCLAW_LOG_LEVEL,
+#              OPENCLAW_LOG_FORMAT, OPENCLAW_LOG_FILE, OPENCLAW_ENV
+#    Memory:   OPENCLAW_MEMORY_BACKEND, OPENCLAW_REDIS_URL, OPENCLAW_SQLITE_PATH
+#    Network:  OPENCLAW_HTTP_PROXY, OPENCLAW_HTTPS_PROXY, OPENCLAW_NO_PROXY,
+#              OPENCLAW_OUTBOUND_MODE
+#    Secrets:  OPENCLAW_SECRETS_BACKEND, OPENCLAW_SECRETS_KEY, VAULT_ADDR, VAULT_TOKEN
+#    Ollama:   OLLAMA_HOST, OLLAMA_NUM_PARALLEL, OLLAMA_KEEP_ALIVE
+#    Browser:  OPENCLAW_BROWSER_EXECUTABLE, OPENCLAW_BROWSER_HEADLESS
+#
+# ═══════════════════════════════════════════════════════════════════════════
+#
+# ═══════════════════════════════════════════════════════════════════════════
+#  HuggingClaw 新增变量一览（仅本仓库脚本使用）
+# ═══════════════════════════════════════════════════════════════════════════
+#
+# ─── 安全 / 控制台 ───────────────────────────────────────────────────────
+#   OPENCLAW_PASSWORD         [推荐] 控制台密码，未设则默认 huggingclaw
+#
+# ─── 持久化 (HuggingFace Dataset) ───────────────────────────────────────
+#   HF_TOKEN                  [必填] HF 访问令牌，需具备写入权限
+#   OPENCLAW_DATASET_REPO     [必填] 备份用 Dataset 仓库，如 your-name/openclaw-data
+#   AUTO_CREATE_DATASET       [可选] 是否自动创建仓库，默认 true
+#   SYNC_INTERVAL             [可选] 备份间隔（秒），默认 120
+#   HF_HUB_DOWNLOAD_TIMEOUT   [可选] 下载超时（秒），默认 300
+#   HF_HUB_UPLOAD_TIMEOUT     [可选] 上传超时（秒），默认 600
+#
+# ─── LLM / 对话 API（至少配置其一以启用 AI 对话）────────────────────────
+#   OPENAI_API_KEY            [推荐] OpenAI 或兼容端点 API Key
+#   OPENAI_BASE_URL           [可选] 兼容 API 基地址，默认 https://api.openai.com/v1
+#   OPENROUTER_API_KEY        [可选] OpenRouter，200+ 模型、免费额度
+#   ANTHROPIC_API_KEY         [可选] Anthropic Claude
+#   GOOGLE_API_KEY            [可选] Google / Gemini
+#   MISTRAL_API_KEY           [可选] Mistral
+#   COHERE_API_KEY            [可选] Cohere
+#   OPENCLAW_DEFAULT_MODEL    [可选] 默认模型 ID
+#
+# ─── 消息渠道 ─────────────────────────────────────────────────────────
+#   Telegram、WhatsApp 等消息渠道均可在 Control UI 中配置，无需环境变量。
+#
+# ─── HuggingFace Spaces 运行时（HF 自动注入，一般无需手动设）────────────
+#   SPACE_HOST                当前 Space 域名，如 xxx.hf.space
+#   SPACE_ID                  仓库 ID，如 username/HuggingClaw
+#
+# ─── 性能与运行 ───────────────────────────────────────────────────────
+#   NODE_MEMORY_LIMIT         [可选] Node 堆内存上限(MB)，默认 512
+#   TZ                        [可选] 时区，如 Asia/Shanghai
+#
+# ════════════���══════════════════════════════════════════════════════════════

README.md

@@ -42,7 +42,14 @@ tags:
   <br/><br/>
 
   [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
-  [![HF Spaces](https://img.shields.io/badge/%F0%9F%A4%97-HuggingFace%20Spaces-blue)](https://huggingface.co/spaces/tao-shen/HuggingClaw)
+  [![Hugging Face](https://img.shields.io/badge/🤗-Hugging%20Face-yellow)](https://huggingface.co)
+  [![HF Spaces](https://img.shields.io/badge/Spaces-HuggingFace-blue)](https://huggingface.co/spaces/tao-shen/HuggingClaw)
+  [![OpenClaw](https://img.shields.io/badge/OpenClaw-Powered-orange)](https://github.com/openclaw/openclaw)
+  [![Docker](https://img.shields.io/badge/Docker-Ready-2496ED?logo=docker)](https://www.docker.com/)
+  [![OpenAI Compatible](https://img.shields.io/badge/OpenAI--compatible-API-green)](https://openclawdoc.com/docs/reference/environment-variables)
+  [![WhatsApp](https://img.shields.io/badge/WhatsApp-Enabled-25D366?logo=whatsapp)](https://www.whatsapp.com/)
+  [![Telegram](https://img.shields.io/badge/Telegram-Enabled-26A5E4?logo=telegram)](https://telegram.org/)
+  [![Free Tier](https://img.shields.io/badge/Free%20Tier-16GB%20RAM-brightgreen)](https://huggingface.co/spaces)
 </div>
 
 ---
@@ -90,45 +97,14 @@ Messaging integrations (Telegram, WhatsApp) can be configured directly inside th
 
 ## Configuration
 
-HuggingClaw is configured entirely through **environment variables**. A fully documented template is provided in [`.env.example`](.env.example).
+HuggingClaw supports **all OpenClaw environment variables** — it passes the entire environment to the OpenClaw process (`env=os.environ.copy()`), so any variable from the [OpenClaw docs](https://openclawdoc.com/docs/reference/environment-variables) (API Keys, Server, Memory, Network, Ollama, Secrets Manager, etc.) works out of the box in HF Spaces.
 
-| Category | Variables | Purpose |
-|----------|-----------|---------|
-| **Security** | `OPENCLAW_PASSWORD` | Protect the Control UI with a password |
-| **Persistence** | `HF_TOKEN`, `OPENCLAW_DATASET_REPO`, `AUTO_CREATE_DATASET`, `SYNC_INTERVAL` | Auto-backup to HF Dataset |
-| **LLM (OpenAI-compatible)** | `OPENAI_API_KEY`, `OPENAI_BASE_URL`, `OPENROUTER_API_KEY`, `ANTHROPIC_API_KEY`, `GOOGLE_API_KEY`, `MISTRAL_API_KEY`, `COHERE_API_KEY`, `OPENCLAW_DEFAULT_MODEL` | Power AI conversations ([OpenClaw env reference](https://openclawdoc.com/docs/reference/environment-variables)) |
-| **Performance** | `NODE_MEMORY_LIMIT` | Tune Node.js memory usage |
-| **Locale** | `TZ` | Set timezone for logs |
-
-For local development, copy the template and fill in your values:
-
-```bash
-cp .env.example .env
-# Edit .env with your values
-```
-
-## Local Development
-
-```bash
-git clone https://huggingface.co/spaces/tao-shen/HuggingClaw
-cd HuggingClaw
-
-# Configure
-cp .env.example .env
-# Edit .env — at minimum set HF_TOKEN and OPENCLAW_DATASET_REPO
-
-# Build and run
-docker build -t huggingclaw .
-docker run --rm -p 7860:7860 --env-file .env huggingclaw
-```
-
-Open `http://localhost:7860` in your browser.
+HuggingClaw adds a few variables of its own for persistence and deployment: `HF_TOKEN`, `OPENCLAW_DATASET_REPO`, `AUTO_CREATE_DATASET`, `SYNC_INTERVAL`, `OPENCLAW_PASSWORD`, `OPENCLAW_DEFAULT_MODEL`, etc. For the full list, see [`.env.example`](.env.example).
 
 ## Security
 
 - **Password-protected** — the Control UI requires a password to connect and manage the instance
 - **Secrets stay server-side** — API keys and tokens are never exposed to the browser
-- **CSP headers** — Content Security Policy restricts script and resource loading
 - **Private backups** — the Dataset repo is created as private by default
 
 > **Tip:** Change the default password from `huggingclaw` to something unique by setting the `OPENCLAW_PASSWORD` secret.

scripts/sync_hf.py

@@ -57,11 +57,6 @@ APP_DIR       = Path("/app/openclaw")
 # Use ".openclaw" - directly read/write the .openclaw folder in dataset
 DATASET_PATH = ".openclaw"
 
-# Telegram credentials (backward-compatible; prefer configuring via Control UI)
-TELEGRAM_BOT_TOKEN  = os.environ.get("TELEGRAM_BOT_TOKEN", "")
-TELEGRAM_BOT_NAME   = os.environ.get("TELEGRAM_BOT_NAME", "")
-TELEGRAM_ALLOW_USER = os.environ.get("TELEGRAM_ALLOW_USER", "")
-
 # OpenAI-compatible API (OpenAI, OpenRouter, or any compatible endpoint)
 OPENAI_API_KEY = os.environ.get("OPENAI_API_KEY", "")
 OPENAI_BASE_URL = os.environ.get("OPENAI_BASE_URL", "https://api.openai.com/v1").rstrip("/")
@@ -146,14 +141,12 @@ class OpenClawFullSync:
             print("[SYNC] Persistence disabled - skipping restore")
             self._ensure_default_config()
             self._patch_config()
-            self._ensure_telegram_credentials()
             return
 
         if not self.dataset_exists:
             print(f"[SYNC] Dataset {HF_REPO_ID} does not exist - starting fresh")
             self._ensure_default_config()
             self._patch_config()
-            self._ensure_telegram_credentials()
             return
 
         print(f"[SYNC] ▶ Restoring ~/.openclaw from dataset {HF_REPO_ID} ...")
@@ -165,8 +158,7 @@ class OpenClawFullSync:
             if not openclaw_files:
                 print(f"[SYNC] No {DATASET_PATH}/ folder in dataset. Starting fresh.")
                 self._ensure_default_config()
-                self._ensure_telegram_credentials()
-                return
+                    return
 
             print(f"[SYNC] Found {len(openclaw_files)} files under {DATASET_PATH}/ in dataset")
 
@@ -194,7 +186,7 @@ class OpenClawFullSync:
             print(f"[SYNC] ✗ Restore failed: {e}")
             traceback.print_exc()
 
-        # Patch config & telegram after restore
+        # Patch config after restore
         self._patch_config()
         self._ensure_telegram_credentials()
         self._debug_list_files()
@@ -435,36 +427,6 @@ class OpenClawFullSync:
             print(f"[SYNC] Failed to patch config: {e}")
             traceback.print_exc()
 
-    def _ensure_telegram_credentials(self):
-        """Configure Telegram bot token and allowed users."""
-        creds_dir = OPENCLAW_HOME / "credentials"
-        creds_dir.mkdir(parents=True, exist_ok=True)
-
-        if TELEGRAM_BOT_TOKEN:
-            bot_file = creds_dir / "telegram-bot-token.json"
-            with open(bot_file, "w") as f:
-                json.dump({"token": TELEGRAM_BOT_TOKEN, "bot": TELEGRAM_BOT_NAME}, f, indent=2)
-            print(f"[SYNC] Telegram bot configured: {TELEGRAM_BOT_NAME}")
-
-        allow_file = creds_dir / "telegram-allowFrom.json"
-        if not allow_file.exists():
-            with open(allow_file, "w") as f:
-                json.dump([TELEGRAM_ALLOW_USER], f, indent=2)
-            print(f"[SYNC] Created telegram-allowFrom.json for {TELEGRAM_ALLOW_USER}")
-        else:
-            try:
-                with open(allow_file, "r") as f:
-                    data = json.load(f)
-                if not isinstance(data, list):
-                    data = [TELEGRAM_ALLOW_USER]
-                elif TELEGRAM_ALLOW_USER not in data:
-                    data.append(TELEGRAM_ALLOW_USER)
-                with open(allow_file, "w") as f:
-                    json.dump(data, f, indent=2)
-            except Exception:
-                with open(allow_file, "w") as f:
-                    json.dump([TELEGRAM_ALLOW_USER], f, indent=2)
-
     def _debug_list_files(self):
         print(f"[SYNC] Local ~/.openclaw tree:")
         try: