fix: restore tree dropped by 6d224861; land stem95su gdrive-sync (10m) [ci skip]

6d224861 came from a --no-checkout worktree whose empty index made the
commit drop every file except two. This restores 05b50d2b's full tree and
correctly adds stacks/stem95su/gdrive-sync.tf + the service-catalog stem95su
entry. Forward-only (parent=6d224861, no force-push); [ci skip] since the
live infra was never applied from the broken commit.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stacks/openclaw/.terraform.lock.hcl

@@ -0,0 +1,172 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/cloudflare/cloudflare" {
+  version     = "4.52.7"
+  constraints = "~> 4.0"
+  hashes = [
+    "h1:pPItIWii5oymR+geZB219ROSPuSODPLTlM4S/u8xLvM=",
+    "zh:0c904ce31a4c6c4a5b3bf7ff1560e77c0cc7e2450c8553ded8e8c90398e1418b",
+    "zh:36183d310c36373fe4cb936b83c595c6fd3b0a94bc7827f28e5789ccbf59752e",
+    "zh:556a568a6f0235e8f41647de9e4d3a1e7b1d6502df8b19b54ec441f1c653ea10",
+    "zh:633ebbd5b0245e75e500ef9be4d9e62288f97e8da3baaa51323892a786d90285",
+    "zh:6acfe60cf52a65ba8f044f748548d2119e7f4fd7f8ebcb14698960d87c68f529",
+    "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
+    "zh:904acc31ebb9d6ef68c792074b30532ee61bf515f19e0a3c75b46f126cca1f13",
+    "zh:a1d0a81246afc8750286d3f6fe7a8fbe6460dd2662407b28dbfbabb612e5fa9d",
+    "zh:a41a36fe253fc365fe2b7ffc749624688b2693b4634862fda161179ab100029f",
+    "zh:a7ef269e77ffa8715c8945a2c14322c7ff159ea44c15f62505f3cbb2cae3b32d",
+    "zh:b01aa3bed30610633b762df64332b26f8844a68c3960cebcb30f04918efc67fe",
+    "zh:b069cc2cd18cae10757df3ae030508eac8d55de7e49eda7a5e3e11f2f7fe6455",
+    "zh:b2d2c6313729ebb7465dceece374049e2d08bda34473901be9ff46a8836d42b2",
+    "zh:db0e114edaf4bc2f3d4769958807c83022bfbc619a00bdf4c4bd17faa4ab2d8b",
+    "zh:ecc0aa8b9044f664fd2aaf8fa992d976578f78478980555b4b8f6148e8d1a5fe",
+  ]
+}
+
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
+  hashes = [
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+    "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71",
+    "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7",
+    "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c",
+    "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e",
+    "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba",
+    "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e",
+    "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7",
+    "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2",
+    "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f",
+    "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71",
+    "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e",
+    "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310",
+    "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82",
+  ]
+}
+
+provider "registry.terraform.io/goauthentik/authentik" {
+  version     = "2024.12.1"
+  constraints = "~> 2024.10"
+  hashes = [
+    "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=",
+    "zh:090260dc7889ea822ec1d899344e1ee23eba5290461989c0796149c9511f2316",
+    "zh:13c2655ff824b0dc4b9bb832b5ca6d41dba97cb280330258c5fef4115e236209",
+    "zh:166a73c3a810c9c895d68a8ff968158f339f8a2c1c03e20ec9fc5ed99cc64e20",
+    "zh:203777eae1cdc711233315499643180604cff2324411b186b7cf07fdbe16f655",
+    "zh:3b2f18c9a8d28dac74dc6bbf168c946855ab9c68f053578d4630c50d5eaf30a0",
+    "zh:4822275985f6b74b6196c47112316a4252db22cf4ceaef7c9ab4c66d488abf2f",
+    "zh:53ea97562666c8a5a2f6d63d418a302a7f8ee4b7bb7da35dedaa89aa5708b7f0",
+    "zh:56b8a230901e3550c92a1d3f58ee9dafe9853f30fe4315af3ab28ae63262e15d",
+    "zh:6293ab7b1fd8206a0c853591f50186aca4a1eff117b2a773e10760a23a2c83e9",
+    "zh:9433970f79fb92d8aae3ee436db5630ab312c78b6dc9df9c1db3273a18f8aaa1",
+    "zh:95df406214f79b3b98222d7c7fe8fc319a3d90b7a9d53e1d5abbda5dfb8b9436",
+    "zh:a85880da0552a42c8f449390fbd7d8b03541d1a13e04bba9f1404fa658754260",
+    "zh:a95f6e9bd62c67e70eba1b1a14728856b9a6a28cd1e5e3be54a7718882c87e7f",
+    "zh:dd599b51c5beb34a4c6feece244fde07d2558d69929449ab1fd39a5ebe738781",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.1.1"
+  hashes = [
+    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
+    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
+    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
+    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
+    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
+    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
+    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
+    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
+    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
+    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
+    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
+    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
+    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version = "3.1.0"
+  hashes = [
+    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
+    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
+    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
+    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
+    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
+    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
+    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
+    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
+    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
+    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.9.0"
+  hashes = [
+    "h1:UlBuNVuCGJ39tTv2c5gz2NRZnQbXfbIWbTzWcth5o74=",
+    "zh:161ad0bd9a75768c82f53fb6e7172a9d8be2d4889b012645a34795031aaf1bf1",
+    "zh:19dc9a5b17729725ccfc4f45b0500af0ee5bc6b6b160c7adb8f2bf617d2c80ea",
+    "zh:269eda8fe42daa7974d5a34d166c3ba9defe80cde86c01e4dadcfdf2e1f05e5f",
+    "zh:373f7c65566f8f2cc7f45d698654feb9d988996957e1266a69ca00c52d6d16d0",
+    "zh:5599d16804c41c83009ec621b6d6b6f74e102f5827678a4750f8809055546b61",
+    "zh:583be0440469a22bff70dcfa56593b01566860b29607437264adb51060cf46fc",
+    "zh:5f211d8ec3f2e1f414870d9584bfe26e6995560ef81c748f8447a48164767398",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:7b547fd16216761ef86efc3ed516ac5ac0c5c42b7c7eb24a08cef2d93f69ed5e",
+    "zh:7e7c0679daf2a382151d05068c8c3f0dae6b7b7dccf818827b73dd08638df2ef",
+    "zh:8089dec888a8038b9b4fb23b3df7e1057293dbc5b60b42cc47ff690d69d4b61b",
+    "zh:c51f15a031edfd6f23ce8ced3446ca7f8d8d647e2499890d7d5d10d5016d7257",
+    "zh:c94784f005708890dc6895afd53636ec00ec1e430b15d41e5aebfb1d4b39bd04",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/vault" {
+  version     = "4.8.0"
+  constraints = "~> 4.0"
+  hashes = [
+    "h1:GPfhH6dr1LY0foPBDYv9bEGifx7eSwYqFcEAOWOUxLk=",
+    "h1:aHqgWQhDBMeZO9iUKwJYMlh4q+xNMUlMIcjRbF4d02Y=",
+    "zh:269ab13433f67684012ae7e15876532b0312f5d0d2002a9cf9febb1279ce5ea6",
+    "zh:4babc95bf0c40eb85005db1dc2ca403c46be4a71dd3e409db3711a56f7a5ca0e",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:86e27c1c625ecc24446a11eeffc3ac319b36c2b4e51251db8579256a0dbcf136",
+    "zh:a32f31da94824009e26b077374440b52098aecb93c92ff55dc3d31dd37c4ea25",
+    "zh:be0a18c6c0425518bab4fbffd82078b82036a88503b5d76064de551c9f646cbf",
+    "zh:be5a77fdfd36863ebeec79cd12b1d13322ffad6821d157a0b279789fa06b5937",
+    "zh:be8317d142a3caad74c7d936039ae27076a1b2b8312ef5208e2871a5f525977c",
+    "zh:c94a84895a3d9954b80e983eed4603330a5cdbbd8eef5b3c99278c2d1402ef3c",
+    "zh:de1fb712784dd8415f011ca5346a34f87fab6046c730557615247e511dbc7d98",
+    "zh:e3eafae7da550f86cae395d6660b2a0e93ec8d2b0e0e5ef982ec762e961fc952",
+    "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
+  ]
+}
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+    "zh:2ee860cd0a368b3eaa53f4a9ea46f16dab8a97929e813ea6ef55183f8112c2ca",
+    "zh:415965fd915bae2040d7f79e45f64d6e3ae61149c10114efeac1b34687d7296c",
+    "zh:6584b2055df0e32062561c615e3b6b2c291ca8c959440adda09ef3ec1e1436bd",
+    "zh:65dcfad71928e0a8dd9befc22524ed686be5020b0024dc5cca5184c7420eeb6b",
+    "zh:7253dc29bd265d33f2791ac4f779c5413f16720bb717de8e6c5fcb2c858648ea",
+    "zh:7ec8993da10a47606670f9f67cfd10719a7580641d11c7aa761121c4a2bd66fb",
+    "zh:999a3f7a9dcf517967fc537e6ec930a8172203642fb01b8e1f78f908373db210",
+    "zh:a50e6df7280eb6584a5fd2456e3f5b6df13b2ec8a7fa4605511e438e1863be42",
+    "zh:b25b329a1e42681c509d027fee0365414f0cc5062b65690cfc3386aab16132ae",
+    "zh:c028877fdb438ece48f7bc02b65bbae9ca7b7befbd260e519ccab6c0cbb39f26",
+    "zh:cf0eaa3ea9fcc6d62793637947f1b8d7c885b6ad74695ab47e134e4ff132190f",
+    "zh:d5ade3fae031cc629b7c512a7b60e46570f4c41665e88a595d7efd943dde5ab2",
+    "zh:f388c15ad1ecfc09e7361e3b98bae9b627a3a85f7b908c9f40650969c949901c",
+    "zh:f415cc6f735a3971faae6ac24034afdb9ee83373ef8de19a9631c187d5adc7db",
+  ]
+}

stacks/openclaw/files/exporter.py

@@ -0,0 +1,264 @@
+#!/usr/bin/env python3
+"""OpenClaw / Codex usage exporter.
+
+Reads ~/.openclaw/agents/*/sessions/*.jsonl (assistant messages with usage)
+and ~/.openclaw/agents/*/agent/auth-state.json (OAuth profiles), then exposes
+Prometheus text-format metrics on :9099/metrics. Stdlib only — no pip install
+needed at startup.
+
+Metrics (all cumulative-since-session-start; use Prometheus increase()/rate()
+for windowed views):
+
+  openclaw_codex_messages_total{provider,model,session_kind}    counter
+  openclaw_codex_input_tokens_total{provider,model}             counter
+  openclaw_codex_output_tokens_total{provider,model}            counter
+  openclaw_codex_cache_read_tokens_total{provider,model}        counter
+  openclaw_codex_cache_write_tokens_total{provider,model}       counter
+  openclaw_codex_message_errors_total{provider,model,reason}    counter
+  openclaw_codex_active_sessions{kind}                          gauge
+  openclaw_codex_oauth_expiry_seconds{provider,account}         gauge
+  openclaw_codex_last_run_timestamp                             gauge
+  openclaw_codex_exporter_scrape_duration_ms                    gauge
+"""
+import glob
+import json
+import os
+import re
+import time
+from datetime import datetime
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from threading import Lock
+
+OPENCLAW_HOME = os.environ.get("OPENCLAW_HOME", "/home/node/.openclaw")
+PORT = int(os.environ.get("METRICS_PORT", "9099"))
+CACHE_SEC = float(os.environ.get("CACHE_SEC", "5"))
+SKIP_FRAGMENTS = (".broken.", ".reset.", ".deleted.", ".bak.")
+SESSION_RE = re.compile(r"^([0-9a-f-]{36})\.jsonl$")
+
+_lock = Lock()
+_cache = {"text": "", "ts": 0.0}
+
+
+def _esc(value: str) -> str:
+    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
+
+
+def _line(name: str, labels: dict, value) -> str:
+    if labels:
+        rendered = ",".join(f'{k}="{_esc(v)}"' for k, v in sorted(labels.items()))
+        return f"{name}{{{rendered}}} {value}"
+    return f"{name} {value}"
+
+
+def _kind_for(session_id: str, sessions_index: dict) -> str:
+    for key, val in sessions_index.items():
+        if val.get("sessionId") != session_id:
+            continue
+        if key.startswith("agent:main:cron:"):
+            return "cron"
+        if key.startswith("telegram:slash:"):
+            return "telegram-slash"
+        if key.startswith("agent:main:"):
+            return "main"
+        surface = (val.get("origin") or {}).get("surface")
+        if surface:
+            return surface
+        return key.split(":", 1)[0]
+    return "unknown"
+
+
+def _parse_ts(value):
+    if isinstance(value, (int, float)):
+        return float(value)
+    if isinstance(value, str):
+        try:
+            return datetime.fromisoformat(value.replace("Z", "+00:00")).timestamp()
+        except ValueError:
+            return 0.0
+    return 0.0
+
+
+def _build_text() -> str:
+    start = time.monotonic()
+    out = []
+
+    sessions_index: dict = {}
+    for sp in glob.glob(os.path.join(OPENCLAW_HOME, "agents/*/sessions/sessions.json")):
+        try:
+            with open(sp) as f:
+                sessions_index.update(json.load(f))
+        except Exception:
+            pass
+
+    msg_count: dict = {}
+    in_tok: dict = {}
+    out_tok: dict = {}
+    cr_tok: dict = {}
+    cw_tok: dict = {}
+    err_count: dict = {}
+    latest_ts = 0.0
+
+    for jsonl in glob.glob(os.path.join(OPENCLAW_HOME, "agents/*/sessions/*.jsonl")):
+        bn = os.path.basename(jsonl)
+        if any(s in bn for s in SKIP_FRAGMENTS):
+            continue
+        m = SESSION_RE.match(bn)
+        if not m:
+            continue
+        sid = m.group(1)
+        kind = _kind_for(sid, sessions_index)
+        try:
+            with open(jsonl) as f:
+                for line in f:
+                    line = line.strip()
+                    if not line:
+                        continue
+                    try:
+                        obj = json.loads(line)
+                    except Exception:
+                        continue
+                    if obj.get("type") != "message":
+                        continue
+                    msg = obj.get("message") or {}
+                    if msg.get("role") != "assistant":
+                        continue
+                    provider = msg.get("provider") or "unknown"
+                    model = msg.get("model") or "unknown"
+                    usage = msg.get("usage") or {}
+                    ts = _parse_ts(obj.get("timestamp"))
+                    if ts > latest_ts:
+                        latest_ts = ts
+                    if msg.get("stopReason") == "error":
+                        reason = (msg.get("errorMessage") or "unknown")[:80]
+                        ek = (provider, model, reason)
+                        err_count[ek] = err_count.get(ek, 0) + 1
+                        continue
+                    mk = (provider, model, kind)
+                    msg_count[mk] = msg_count.get(mk, 0) + 1
+                    pm = (provider, model)
+                    in_tok[pm] = in_tok.get(pm, 0) + (usage.get("input") or 0)
+                    out_tok[pm] = out_tok.get(pm, 0) + (usage.get("output") or 0)
+                    cr_tok[pm] = cr_tok.get(pm, 0) + (usage.get("cacheRead") or 0)
+                    cw_tok[pm] = cw_tok.get(pm, 0) + (usage.get("cacheWrite") or 0)
+        except Exception:
+            pass
+
+    out.append("# HELP openclaw_codex_messages_total Cumulative assistant messages")
+    out.append("# TYPE openclaw_codex_messages_total counter")
+    for (p, mdl, k), c in msg_count.items():
+        out.append(_line("openclaw_codex_messages_total",
+                         {"provider": p, "model": mdl, "session_kind": k}, c))
+
+    for name, src, hlp in [
+        ("openclaw_codex_input_tokens_total", in_tok, "Cumulative input tokens"),
+        ("openclaw_codex_output_tokens_total", out_tok, "Cumulative output tokens"),
+        ("openclaw_codex_cache_read_tokens_total", cr_tok, "Cumulative cache-read tokens"),
+        ("openclaw_codex_cache_write_tokens_total", cw_tok, "Cumulative cache-write tokens"),
+    ]:
+        out.append(f"# HELP {name} {hlp}")
+        out.append(f"# TYPE {name} counter")
+        for (p, mdl), c in src.items():
+            out.append(_line(name, {"provider": p, "model": mdl}, c))
+
+    out.append("# HELP openclaw_codex_message_errors_total Cumulative assistant errors")
+    out.append("# TYPE openclaw_codex_message_errors_total counter")
+    for (p, mdl, r), c in err_count.items():
+        out.append(_line("openclaw_codex_message_errors_total",
+                         {"provider": p, "model": mdl, "reason": r}, c))
+
+    out.append("# HELP openclaw_codex_active_sessions Active sessions in sessions.json")
+    out.append("# TYPE openclaw_codex_active_sessions gauge")
+    kc: dict = {}
+    for k in sessions_index:
+        if k.startswith("agent:main:cron:"):
+            kk = "cron"
+        elif k.startswith("telegram:slash:"):
+            kk = "telegram-slash"
+        elif k.startswith("agent:main:"):
+            kk = "main"
+        else:
+            kk = k.split(":", 1)[0]
+        kc[kk] = kc.get(kk, 0) + 1
+    for k, c in kc.items():
+        out.append(_line("openclaw_codex_active_sessions", {"kind": k}, c))
+
+    if latest_ts:
+        out.append("# HELP openclaw_codex_last_run_timestamp Unix ts of newest assistant message")
+        out.append("# TYPE openclaw_codex_last_run_timestamp gauge")
+        out.append(_line("openclaw_codex_last_run_timestamp", {}, latest_ts))
+
+    out.append("# HELP openclaw_codex_oauth_expiry_seconds Seconds until OAuth token expires")
+    out.append("# TYPE openclaw_codex_oauth_expiry_seconds gauge")
+    now = time.time()
+    for af in glob.glob(os.path.join(OPENCLAW_HOME, "agents/*/agent/auth-profiles.json")):
+        try:
+            with open(af) as f:
+                data = json.load(f)
+        except Exception:
+            continue
+        # Schema: {"version": 1, "profiles": {"<id>": {...}}}.
+        # `expires` is Unix milliseconds.
+        for profile in (data.get("profiles") or {}).values():
+            exp_ms = profile.get("expires")
+            if not isinstance(exp_ms, (int, float)):
+                continue
+            exp_ts = exp_ms / 1000.0
+            out.append(_line(
+                "openclaw_codex_oauth_expiry_seconds",
+                {
+                    "provider": profile.get("provider", "unknown"),
+                    "account": profile.get("email") or profile.get("account") or "unknown",
+                    "plan": profile.get("chatgptPlanType") or "unknown",
+                },
+                max(0, exp_ts - now),
+            ))
+
+    out.append("# HELP openclaw_codex_exporter_scrape_duration_ms Last scrape duration ms")
+    out.append("# TYPE openclaw_codex_exporter_scrape_duration_ms gauge")
+    out.append(_line("openclaw_codex_exporter_scrape_duration_ms", {},
+                     (time.monotonic() - start) * 1000))
+
+    return "\n".join(out) + "\n"
+
+
+class Handler(BaseHTTPRequestHandler):
+    def do_GET(self):
+        if self.path == "/healthz":
+            self.send_response(200)
+            self.send_header("Content-Type", "text/plain")
+            self.end_headers()
+            self.wfile.write(b"ok\n")
+            return
+        if self.path != "/metrics":
+            self.send_response(404)
+            self.end_headers()
+            return
+        with _lock:
+            now = time.time()
+            if now - _cache["ts"] > CACHE_SEC:
+                try:
+                    _cache["text"] = _build_text()
+                except Exception as exc:  # noqa: BLE001
+                    _cache["text"] = (
+                        f'openclaw_codex_exporter_errors_total{{kind="scrape"}} 1\n'
+                        f'# scrape error: {_esc(str(exc))[:200]}\n'
+                    )
+                _cache["ts"] = now
+            body = _cache["text"].encode()
+        self.send_response(200)
+        self.send_header("Content-Type", "text/plain; version=0.0.4; charset=utf-8")
+        self.send_header("Content-Length", str(len(body)))
+        self.end_headers()
+        self.wfile.write(body)
+
+    def log_message(self, *args, **kwargs):
+        pass
+
+
+def main():
+    print(f"openclaw exporter listening on :{PORT}", flush=True)
+    HTTPServer(("0.0.0.0", PORT), Handler).serve_forever()
+
+
+if __name__ == "__main__":
+    main()

stacks/openclaw/files/memory-sync.py

@@ -0,0 +1,90 @@
+"""claude-memory → OpenClaw memory-core sync.
+
+Pulls memories from the central claude-memory REST API, writes per-category
+Markdown files into /workspace/memory/projects/claude-memory-sync/
+which memory-core picks up via its QMD backend.
+
+Runs inside the openclaw pod (piped via `kubectl exec -i -- python3 -`).
+Uses MEMORY_API_URL + MEMORY_API_KEY env vars already set on the pod.
+
+Filters out is_sensitive=true memories. Also one-shot deletes the stale
+metaclaw-export.json from a prior export attempt.
+"""
+
+import json
+import os
+import pathlib
+import sys
+import time
+import urllib.request
+
+
+def main() -> int:
+    api_url = os.environ["MEMORY_API_URL"].rstrip("/")
+    api_key = os.environ["MEMORY_API_KEY"]
+
+    req = urllib.request.Request(
+        f"{api_url}/api/memories?limit=10000",
+        headers={"Authorization": f"Bearer {api_key}"},
+    )
+    with urllib.request.urlopen(req, timeout=30) as r:
+        data = json.load(r)
+
+    raw = data.get("memories", [])
+    mems = [m for m in raw if not m.get("is_sensitive", False)]
+    sensitive_count = len(raw) - len(mems)
+
+    by_cat: dict[str, list[dict]] = {}
+    for m in mems:
+        by_cat.setdefault(m.get("category") or "uncategorized", []).append(m)
+
+    # Write under /workspace/memory/ — memory-core's QMD backend auto-indexes
+    # this path on every reindex. /home/node/.openclaw/memory/ is the
+    # SQLite index location, not a content source.
+    out_dir = pathlib.Path("/workspace/memory/projects/claude-memory-sync")
+    out_dir.mkdir(parents=True, exist_ok=True)
+
+    stamp = time.strftime("%Y-%m-%d %H:%M UTC", time.gmtime())
+    for cat, items in sorted(by_cat.items()):
+        items.sort(key=lambda x: x.get("id", 0))
+        lines = [
+            f"# {cat.title()} memories",
+            "",
+            f"_Synced from claude-memory at {stamp}. {len(items)} memories._",
+            "",
+        ]
+        for m in items:
+            content = m.get("content") or ""
+            first_line = content.splitlines()[0] if content else ""
+            title = first_line.lstrip("# ").strip()[:120] or f"#{m['id']}"
+            lines.extend([
+                f"## #{m['id']} — {title}",
+                "",
+                f"- Tags: `{m.get('tags', '')}`",
+                f"- Importance: {float(m.get('importance', 0.5)):.2f}",
+                f"- Created: {m.get('created_at', '?')}",
+                f"- Updated: {m.get('updated_at', '?')}",
+                "",
+                content,
+                "",
+                "---",
+                "",
+            ])
+        (out_dir / f"{cat}.md").write_text("\n".join(lines))
+
+    # One-shot: nuke the stale 2026-02-28 export sitting next to memory-core.
+    stale = pathlib.Path("/home/node/.openclaw/memory/metaclaw-export.json")
+    if stale.exists():
+        stale.unlink()
+        print("[sync] deleted stale metaclaw-export.json")
+
+    total = sum(len(v) for v in by_cat.values())
+    print(
+        f"[sync] wrote {total} memories across {len(by_cat)} categories to "
+        f"{out_dir} (skipped {sensitive_count} sensitive)"
+    )
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

stacks/openclaw/files/openclaw-task.sh

@@ -0,0 +1,184 @@
+#!/usr/bin/env bash
+# openclaw-task — manage long-running tmux tasks on devvm
+#
+# Canonical source: infra/stacks/openclaw/files/openclaw-task.sh
+# Installed to /usr/local/bin/openclaw-task on devvm so non-interactive
+# SSH (e.g. `ssh devvm openclaw-task list`) finds it on the default PATH.
+#
+# Sessions are prefixed `openclaw-task-` to avoid colliding with the
+# user's own tmux work. Persistent transcripts live in
+# ~/openclaw-tasks/<id>.log via `tmux pipe-pane`. Sessions and logs
+# survive OpenClaw pod restarts (they live on devvm, not in the pod).
+
+set -euo pipefail
+
+# Use full paths because non-interactive SSH does not source ~/.profile
+# or ~/.bashrc (see memory id=740).
+TMUX_BIN=/usr/bin/tmux
+CLAUDE_BIN=/usr/local/bin/claude   # installed as symlink to /home/wizard/.local/bin/claude
+
+PREFIX=openclaw-task-
+TASK_DIR=${OPENCLAW_TASK_DIR:-$HOME/openclaw-tasks}
+mkdir -p "$TASK_DIR"
+
+die() { echo "openclaw-task: $*" >&2; exit 1; }
+
+session_name() { printf 'openclaw-task-%s' "$1"; }
+
+require_session() {
+  local name="$1"
+  "$TMUX_BIN" has-session -t "$name" 2>/dev/null || die "no session '$name' (use 'openclaw-task list')"
+}
+
+usage() {
+  cat <<EOF
+openclaw-task — manage long-running tmux tasks on devvm
+
+USAGE
+  openclaw-task new <id> <command...>      spawn detached tmux session
+  openclaw-task claude <id> [prompt...]    spawn interactive claude in a session;
+                                             if prompt given, send-keys it + Enter
+  openclaw-task send <id> <keys...>        tmux send-keys passthrough (you must
+                                             pass 'Enter' literal for newline)
+  openclaw-task capture <id> [lines]       last <lines> of pane (default 1000)
+  openclaw-task log <id>                   cat the persistent pipe-pane log
+  openclaw-task tail <id>                  tail -f the persistent log
+  openclaw-task list                       all openclaw task ids (one per line)
+  openclaw-task status <id>                'running' or 'ended'
+  openclaw-task kill <id>                  kill session (log file kept)
+  openclaw-task purge <id>                 kill + delete log file
+
+EXAMPLES
+  openclaw-task new build-foo "cd ~/code/foo && make all 2>&1"
+  openclaw-task claude diag-frigate
+  openclaw-task send diag-frigate "investigate gpu crashloop" Enter
+  openclaw-task capture diag-frigate 200
+  openclaw-task list
+EOF
+}
+
+cmd_new() {
+  [ $# -lt 2 ] && die "usage: openclaw-task new <id> <command...>"
+  local id="$1"; shift
+  local name; name=$(session_name "$id")
+  if "$TMUX_BIN" has-session -t "$name" 2>/dev/null; then
+    die "session '$name' already exists"
+  fi
+  local log="$TASK_DIR/$id.log"
+  : > "$log"
+  # Start an idle interactive bash so pipe-pane can attach BEFORE the
+  # user's command runs. If we passed the command directly to
+  # new-session, its first lines beat pipe-pane to the pane and never
+  # land in the log.
+  "$TMUX_BIN" new-session -d -s "$name" bash --norc -i
+  "$TMUX_BIN" pipe-pane -o -t "$name" "cat >> '$log'"
+  sleep 0.2
+  "$TMUX_BIN" send-keys -t "$name" "$*" Enter
+  # Auto-exit propagating the command's status so the tmux session
+  # ends when the command does.
+  "$TMUX_BIN" send-keys -t "$name" 'exit $?' Enter
+  printf 'session: %s\nlog: %s\n' "$name" "$log"
+}
+
+cmd_claude() {
+  [ $# -lt 1 ] && die "usage: openclaw-task claude <id> [prompt...]"
+  local id="$1"; shift
+  local name; name=$(session_name "$id")
+  if "$TMUX_BIN" has-session -t "$name" 2>/dev/null; then
+    die "session '$name' already exists (use 'send' to add prompts)"
+  fi
+  local log="$TASK_DIR/$id.log"
+  : > "$log"
+  # sleep+exec lets pipe-pane attach before claude prints its banner.
+  "$TMUX_BIN" new-session -d -s "$name" bash -c "sleep 0.3; exec '$CLAUDE_BIN'"
+  "$TMUX_BIN" pipe-pane -o -t "$name" "cat >> '$log'"
+  if [ $# -gt 0 ]; then
+    # Wait for claude to come up before sending the prompt
+    sleep 2
+    "$TMUX_BIN" send-keys -t "$name" "$*" Enter
+  fi
+  printf 'session: %s\nlog: %s\n' "$name" "$log"
+}
+
+cmd_send() {
+  [ $# -lt 2 ] && die "usage: openclaw-task send <id> <keys...>"
+  local id="$1"; shift
+  local name; name=$(session_name "$id")
+  require_session "$name"
+  "$TMUX_BIN" send-keys -t "$name" "$@"
+}
+
+cmd_capture() {
+  [ $# -lt 1 ] && die "usage: openclaw-task capture <id> [lines]"
+  local id="$1"
+  local lines="${2:-1000}"
+  local name; name=$(session_name "$id")
+  require_session "$name"
+  "$TMUX_BIN" capture-pane -t "$name" -p -S "-$lines"
+}
+
+cmd_log() {
+  [ $# -lt 1 ] && die "usage: openclaw-task log <id>"
+  local id="$1"
+  local log="$TASK_DIR/$id.log"
+  [ -f "$log" ] || die "no log file for '$id' (looked at $log)"
+  cat "$log"
+}
+
+cmd_tail() {
+  [ $# -lt 1 ] && die "usage: openclaw-task tail <id>"
+  local id="$1"
+  local log="$TASK_DIR/$id.log"
+  [ -f "$log" ] || die "no log file for '$id' (looked at $log)"
+  tail -n 100 -f "$log"
+}
+
+cmd_list() {
+  "$TMUX_BIN" list-sessions -F '#{session_name}' 2>/dev/null \
+    | grep "^$PREFIX" \
+    | sed "s|^$PREFIX||" \
+    || true
+}
+
+cmd_status() {
+  [ $# -lt 1 ] && die "usage: openclaw-task status <id>"
+  local id="$1"
+  local name; name=$(session_name "$id")
+  if "$TMUX_BIN" has-session -t "$name" 2>/dev/null; then
+    echo running
+  else
+    echo ended
+  fi
+}
+
+cmd_kill() {
+  [ $# -lt 1 ] && die "usage: openclaw-task kill <id>"
+  local id="$1"
+  local name; name=$(session_name "$id")
+  require_session "$name"
+  "$TMUX_BIN" kill-session -t "$name"
+}
+
+cmd_purge() {
+  [ $# -lt 1 ] && die "usage: openclaw-task purge <id>"
+  local id="$1"
+  local name; name=$(session_name "$id")
+  "$TMUX_BIN" kill-session -t "$name" 2>/dev/null || true
+  rm -f "$TASK_DIR/$id.log"
+  echo "purged: $id"
+}
+
+case "${1:-help}" in
+  new)     shift; cmd_new "$@" ;;
+  claude)  shift; cmd_claude "$@" ;;
+  send)    shift; cmd_send "$@" ;;
+  capture) shift; cmd_capture "$@" ;;
+  log)     shift; cmd_log "$@" ;;
+  tail)    shift; cmd_tail "$@" ;;
+  list)    shift; cmd_list "$@" ;;
+  status)  shift; cmd_status "$@" ;;
+  kill)    shift; cmd_kill "$@" ;;
+  purge)   shift; cmd_purge "$@" ;;
+  help|-h|--help) usage ;;
+  *)       usage; exit 2 ;;
+esac

stacks/openclaw/providers.tf

@@ -0,0 +1,53 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+terraform {
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "~> 4.0"
+    }
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 4"
+    }
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "~> 2024.10"
+    }
+    # kubectl (gavinbunney) — workaround for hashicorp/kubernetes
+    # `kubernetes_manifest` panics on Kyverno CRDs. See beads code-e2dp.
+    # Declared for all stacks but only used where opted-in.
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14"
+    }
+    proxmox = {
+      source  = "telmate/proxmox"
+      version = "3.0.2-rc07"
+    }
+  }
+}
+
+variable "kube_config_path" {
+  type    = string
+  default = "~/.kube/config"
+}
+
+provider "kubernetes" {
+  config_path = var.kube_config_path
+}
+
+provider "helm" {
+  kubernetes = {
+    config_path = var.kube_config_path
+  }
+}
+
+provider "vault" {
+  address          = "https://vault.viktorbarzin.me"
+  skip_child_token = true
+}
+
+provider "kubectl" {
+  config_path      = var.kube_config_path
+  load_config_file = true
+}

stacks/openclaw/secrets

@@ -0,0 +1 @@
+../../secrets

stacks/openclaw/terragrunt.hcl

@@ -0,0 +1,13 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+dependency "platform" {
+  config_path  = "../platform"
+  skip_outputs = true
+}
+
+dependency "vault" {
+  config_path  = "../vault"
+  skip_outputs = true
+}