
How-To: Minimal Agent (Repo Sync from Azure DevOps)

This guide shows how to create a minimal OpenClaw agent that pulls/fetches a curated set of ConnectSoft repos from Azure DevOps, reports a summary to a channel, and runs on a schedule.

Goals and constraints

  • Repo allowlist only (fail closed).
  • No secrets in chat/config.
  • No push/publish.
  • Work inside a bounded workspace root.

1) Prepare local folders (remote workstation)

Recommended layout:

  • C:\OpenClaw\workspaces\connectsoft\repos\ (git clones)
  • C:\OpenClaw\workspaces\connectsoft\runs\ (run logs / summaries)

2) Create a repo allowlist file

Create a JSON file owned by you (not by the agent) with the repos you approve.

Example: C:\OpenClaw\workspaces\connectsoft\repos-allowlist.json

[
  {
    "name": "ConnectSoft.CompanyDocumentation",
    "cloneUrl": "https://dev.azure.com/<org>/<project>/_git/ConnectSoft.CompanyDocumentation"
  },
  {
    "name": "ConnectSoft.LibraryTemplate",
    "cloneUrl": "https://dev.azure.com/<org>/<project>/_git/ConnectSoft.LibraryTemplate"
  }
]

Warning

Keep credentials out of this file. Use Windows Credential Manager or SSH keys for git auth.

3) Create the minimal “RepoSync” skill (scripted)

Implement a small script that:

  • loads the allowlist
  • clones missing repos
  • runs git fetch --prune for existing repos
  • writes a single run summary file (paths + SHAs)

Example skeleton (PowerShell) at:

C:\OpenClaw\workspaces\connectsoft\scripts\repo-sync.ps1

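param(
  [Parameter(Mandatory=$true)][string]$AllowlistPath,
  [Parameter(Mandatory=$true)][string]$ReposRoot,
  [Parameter(Mandatory=$true)][string]$RunsRoot
)

# One folder per run, named by timestamp
$runId = (Get-Date).ToString("yyyyMMdd-HHmmss")
$runDir = Join-Path $RunsRoot "repo-sync-$runId"
New-Item -ItemType Directory -Force -Path $runDir | Out-Null

# Stop if the allowlist cannot be read or parsed (fail closed)
$allow = Get-Content -Raw -LiteralPath $AllowlistPath -ErrorAction Stop | ConvertFrom-Json
$report = @()

foreach ($r in $allow) {
  $repoPath = Join-Path $ReposRoot $r.name

  # Clone only when the repo is missing
  if (!(Test-Path $repoPath)) {
    git clone $r.cloneUrl $repoPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "git clone failed for $($r.name)" }
  }

  # git -C runs inside the repo without changing the script's location,
  # so a failed step cannot leave later commands in the wrong directory
  git -C $repoPath fetch --prune | Out-Null
  if ($LASTEXITCODE -ne 0) { throw "git fetch failed for $($r.name)" }

  # fetch does not move HEAD; this records the local checkout's commit
  $sha = "$(git -C $repoPath rev-parse HEAD)".Trim()
  if ($LASTEXITCODE -ne 0) { throw "git rev-parse failed for $($r.name)" }

  $report += [PSCustomObject]@{
    name = $r.name
    path = $repoPath
    headSha = $sha
  }
}

$reportPath = Join-Path $runDir "report.json"
# -InputObject keeps the report a JSON array even when it has a single entry
ConvertTo-Json -InputObject $report -Depth 5 | Out-File -Encoding utf8 $reportPath

Write-Output "Repo sync complete. Report: $reportPath"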

Important

This script intentionally uses fetch (safe) and avoids pull/rebase unless you add an approval gate.
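
repo-sync.ps1 uses each allowlist entry as written: name becomes a folder under ReposRoot and cloneUrl is passed to git clone. The function below is an added example, not part of the original guide or of OpenClaw, showing one way to make the "allowlist only (fail closed)", "bounded workspace root" and "keep credentials out of this file" rules checkable before any git command runs. The function name, the name pattern and the HTTPS dev.azure.com rule are assumptions based on the example URLs above; clone URLs copied from the Azure DevOps UI may carry an org@ prefix, which this check rejects, so store them in the form shown in step 2.

```powershell
# Added example (not from the original page). The function name, the name
# pattern and the dev.azure.com HTTPS rule are assumptions.
function Test-RepoAllowlist {
  param(
    [Parameter(Mandatory=$true)][string]$AllowlistPath,
    [Parameter(Mandatory=$true)][string]$ReposRoot
  )

  $parsed = Get-Content -Raw -LiteralPath $AllowlistPath -ErrorAction Stop | ConvertFrom-Json
  $entries = @($parsed)
  if ($entries.Count -eq 0) { throw "Allowlist is empty: $AllowlistPath" }

  # Normalize the root once; the trailing separator stops 'repos-old' matching 'repos'.
  $root = [System.IO.Path]::GetFullPath($ReposRoot).TrimEnd('\') + '\'
  $seen = @{}

  foreach ($e in $entries) {
    # name becomes a folder name: letters, digits, '.', '_' and '-' only.
    if ([string]$e.name -notmatch '^[A-Za-z0-9][A-Za-z0-9._-]*\z') {
      throw "Rejected repo name: '$($e.name)'"
    }
    if ($seen.ContainsKey($e.name)) { throw "Duplicate repo name: '$($e.name)'" }
    $seen[$e.name] = $true

    # Resolve the clone target and confirm it stays under the workspace root.
    $target = [System.IO.Path]::GetFullPath((Join-Path $root $e.name))
    if (-not $target.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
      throw "Path escapes ReposRoot: $target"
    }

    # cloneUrl must be HTTPS on dev.azure.com with nothing before an '@'.
    $uri = $null
    $ok = [System.Uri]::TryCreate([string]$e.cloneUrl, [System.UriKind]::Absolute, [ref]$uri)
    if (-not $ok) { throw "Invalid cloneUrl for '$($e.name)'" }
    if ($uri.Scheme -ne 'https' -or $uri.Host -ne 'dev.azure.com') {
      throw "cloneUrl for '$($e.name)' is not an https://dev.azure.com URL"
    }
    if ($uri.UserInfo) { throw "cloneUrl for '$($e.name)' has a user or token before '@'" }
    if ($uri.AbsolutePath -notmatch '/_git/[^/]+\z') {
      throw "cloneUrl for '$($e.name)' is not a /_git/ repository URL"
    }
  }
  return $entries
}
```

Calling it at the top of repo-sync.ps1 and looping over its return value means a single bad entry stops the run before anything is cloned.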

4) Define a minimal OpenClaw agent

OpenClaw agent definitions live in config (~/.openclaw/openclaw.json).

At minimum you want:

  • an agent ID (e.g., connectsoft-repo-sync)
  • a bounded workspace (where it is allowed to operate)
  • limited tools (ideally only exec + safe web/doc tools)

See: OpenClaw configuration.

Note

Keep the agent’s instruction concise and operational. The logic belongs in the script/skill, not in a 500-line prompt.

5) Pick a channel and lock it down (pairing/allowlist)

Configure a channel with a safe DM policy (default is pairing).

From the configuration reference, supported patterns include:

  • dmPolicy: "pairing" (default)
  • dmPolicy: "allowlist" with allowFrom: [...]

Reference: Configuration reference.

WhatsApp (already connected)

If WhatsApp is already connected, the critical part is restricting who can message the bot.

Minimal example (conceptual):

{
  channels: {
    whatsapp: {
      enabled: true,
      dmPolicy: "pairing",        // or "allowlist"
      allowFrom: ["+15555550123"] // required for allowlist/open; optional for pairing
    }
  }
}

Recommended ConnectSoft default:

  • Use dmPolicy: "pairing" while you’re validating the setup.
  • Switch to dmPolicy: "allowlist" once stable, and keep allowFrom tight.

Optional group safety pattern (mention gating):

{
  channels: {
    whatsapp: {
      groups: { "*": { requireMention: true } }
    }
  },
  agents: {
    list: [
      {
        id: "connectsoft-repo-sync",
        groupChat: { mentionPatterns: ["@openclaw", "openclaw"] }
      }
    ]
  }
}

6) Add a scheduled job (cron)

OpenClaw has built-in cron job support.

Reference: Cron Jobs.

Recommended defaults:

  • run in an isolated session target
  • write a run log per execution
  • keep retention bounded

7) End-to-end run (manual smoke test)

Run the script manually first:

powershell -ExecutionPolicy Bypass -File C:\OpenClaw\workspaces\connectsoft\scripts\repo-sync.ps1 `
  -AllowlistPath C:\OpenClaw\workspaces\connectsoft\repos-allowlist.json `
  -ReposRoot C:\OpenClaw\workspaces\connectsoft\repos `
  -RunsRoot C:\OpenClaw\workspaces\connectsoft\runs

Then verify:

  • repos updated
  • run report exists and includes SHAs
  • no credentials leaked to output
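
The three checks above can be scripted so the scheduled runs are verified the same way as the manual one. This is an added example, not part of the original guide or of OpenClaw; the function name and the leak patterns are assumptions, and it expects the run folder and report.json layout produced by repo-sync.ps1 in step 3.

```powershell
# Added example (not from the original page). Function name and leak patterns are
# assumptions; the patterns are heuristics, not a complete secret scanner.
# Usage: $f = @(Test-RepoSyncRun -AllowlistPath <file> -RunsRoot <dir>); if ($f.Count) { $f; exit 1 }
function Test-RepoSyncRun {
  param(
    [Parameter(Mandatory=$true)][string]$AllowlistPath,
    [Parameter(Mandatory=$true)][string]$RunsRoot
  )

  # Newest run folder written by repo-sync.ps1 (the timestamped name sorts by time).
  $runDir = Get-ChildItem -LiteralPath $RunsRoot -Directory -Filter 'repo-sync-*' |
    Sort-Object Name | Select-Object -Last 1
  if (-not $runDir) { return "No repo-sync-* run folder under $RunsRoot" }
  $reportPath = Join-Path $runDir.FullName 'report.json'
  if (-not (Test-Path -LiteralPath $reportPath)) { return "Missing report: $reportPath" }

  $parsedAllow  = Get-Content -Raw -LiteralPath $AllowlistPath | ConvertFrom-Json
  $parsedReport = Get-Content -Raw -LiteralPath $reportPath | ConvertFrom-Json
  $allowed  = @(@($parsedAllow) | ForEach-Object { $_.name })
  $reported = @($parsedReport)
  $findings = @()

  # Every allowlisted repo appears exactly once; nothing outside the allowlist appears.
  foreach ($name in $allowed) {
    if (@($reported | Where-Object { $_.name -eq $name }).Count -ne 1) {
      $findings += "Allowlisted repo missing or duplicated in report: $name"
    }
  }
  foreach ($r in $reported) {
    if ($allowed -notcontains $r.name) { $findings += "Repo not in allowlist: $($r.name)" }
    # HEAD must be a full object id: 40 hex (SHA-1) or 64 hex (SHA-256).
    if ([string]$r.headSha -notmatch '^([0-9a-f]{40}|[0-9a-f]{64})\z') {
      $findings += "Bad or empty headSha for $($r.name)"
    }
  }

  # Heuristic leak scan over every file the run wrote: user:password@ URLs and auth headers.
  $leak = '(https?://[^/\s:@]+:[^/\s@]+@)|(Authorization:\s*(Basic|Bearer)\s+\S+)'
  foreach ($file in @(Get-ChildItem -LiteralPath $runDir.FullName -File -Recurse)) {
    if (Select-String -LiteralPath $file.FullName -Pattern $leak -Quiet) {
      $findings += "Possible credential in $($file.FullName)"
    }
  }
  return $findings
}
```

An empty result means the newest run passed; any returned string is a finding to review before the report is posted to the channel.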

8) What “done” looks like

  • You can ask the agent in-channel: “sync repos” and it runs the script.
  • A cron schedule runs it nightly.
  • Every run produces a report with:
      • repo list
      • local paths
      • HEAD SHAs
      • report location