Repo Sync from Azure DevOps (ConnectSoft)¶
This document defines the standard way for OpenClaw assistants to pull and refresh ConnectSoft repositories from Azure DevOps on the remote workstation.
Goals¶
- Keep local repos up-to-date for context (docs + code) and build/scaffold workflows.
- Avoid accidental writes to production branches.
- Make sync reproducible and auditable.
Recommended folder layout¶
Use a stable root and keep “runs” separate from cloned repos:
C:\\OpenClaw\\workspaces\\connectsoft\\repos\\(git clones)C:\\OpenClaw\\workspaces\\connectsoft\\runs\\(temp outputs per run)C:\\OpenClaw\\workspaces\\connectsoft\\indexes\\(semantic index artifacts)
Repo allowlist¶
Start small, expand only when needed:
ConnectSoft.CompanyDocumentationConnectSoft.LibraryTemplate- other canonical templates/libraries you explicitly approve
Important
The assistant must refuse to clone/sync repos not on the allowlist.
Credential-safe setup¶
Do not embed credentials in prompts, config files, or scripts checked into git.
Options (choose what matches your org policy):
- PAT stored in Windows Credential Manager (recommended for HTTPS flows)
- SSH keys (if ADO is configured for SSH)
Warning
Never paste a PAT into chat. Treat it like a password.
Recommended sync script shape¶
Implement repo sync as a small script (PowerShell or bash) that:
- reads a repo allowlist (names + clone URLs)
- clones missing repos into
...\\repos\\ - runs
git fetch --prune - prints a concise summary per repo
Tip
Keep repo sync separate from “generate code” runs. Sync first, then run assistants against pinned SHAs.
Sync behavior (policy)¶
- Default action is
git fetch+ fast status reporting. - Pull/rebase/merge requires explicit approval.
- Always log:
- repo name
- remote URL (sanitized)
- branch
- old/new commit SHA