docs: 局域网访问 Control UI 解决方案 + heartbeat 优化 + 日志归档

- nginx SSL 证书权限修复 (self-signed.key: 600 → 640, group → www-data)
- Control UI 允许 HTTPS origin + dangerouslyDisableDeviceAuth
- HEARTBEAT.md 简化为 cron 任务说明，避免重复检查
- 归档 3/31, 4/01, 4/03 memory 日志

HEARTBEAT.md

@@ -1,23 +1,7 @@
 # HEARTBEAT.md
-
+# 系统健康检查 — 频率见 cron 任务 990700ff（每天 00:00/06:00/12:00/18:00）
-# 白天系统健康检查
+# ⚠️ 不要在此处配置周期检查，避免与 cron 冲突重复报告
-# 时区：Asia/Hong_Kong
+# 保留此文件仅作任务说明，heartbeat 轮询时如无额外任务则回复 HEARTBEAT_OK
-# 目标：本机
-# 规则：08:30-23:00 每 30 分钟检查一次；若 CPU 或内存 > 80%，主动在当前聊天报警；
-
-- Track in `memory/heartbeat-state.json`.
-- **Scheduled Tasks**:
-  - 6:00 AM
-  - 12:00 PM
-  - 6:00 PM
-  - 00:00 AM
-- **Monitoring Script**:
-  - Run `/home/sinlee/monitor.sh` at scheduled times
-  - Ensure script formats output for Telegram
-- **Behavior**:
-  - At scheduled times, trigger monitor.sh to collect metrics
-  - Send results directly to Telegram topic #3834524994
-- After each check, update `memory/heartbeat-state.json` with last check time and task results.
 
 ---
 # 旧版 HEARTBEAT.md 内容（仅供参考）

memory/2026-03-30.md

@@ -61,3 +61,38 @@
 - Client-side observation from my side: push transferred about 87 MB over ~59 seconds before process ended with SIGKILL, suggesting execution timeout / client-side session kill rather than a clean Git rejection from Gitea.
 - Current recommended approach: retry `git push` with a much longer execution timeout; if it still fails, inspect for large initial pack / session timeout issues rather than SSH key problems.
 - At last user message, user explicitly asked to continue and I began a long-timeout push attempt; final result was not yet known before compaction.
+## 2026-03-30 Memory Flush (continued)
+
+- Jellyfin media library cleanup work progressed substantially.
+- Confirmed anime library path: `/mnt/nas/media/anime`; target series path for 《画江湖之不良人》: `/mnt/nas/media/anime/画江湖之不良人`.
+- Renamed unrecognized folder `extras_unorganized` -> `Season 07` and renamed 12 episode files to Jellyfin format `画江湖之不良人 - S07E01..12`.
+- Additional anime cleanup completed:
+  - `宅男腐女恋爱真难`: reorganized top-level episode files into `Season 01/宅男腐女恋爱真难 - S01E01..11`.
+  - `间谍过家家`: standardized to
+    - `Season 01/间谍过家家 - S01E01..25`
+    - `Season 02/间谍过家家 - S02E01..12` (mapped original files `26..37` to season-relative numbering)
+    - `Season 03/间谍过家家 - S03E01..13`.
+- TV library actual path discovered as `/mnt/nas/media/tvshows` (not `/mnt/nas/media/tv shows`).
+- Found `爱情公寓（电影特别篇待整理）` in TV library was actually a movie file `爱情公寓 (2018).mp4`; moved it into movie library as `/mnt/nas/media/movies/爱情公寓 (2018)/爱情公寓 (2018).mp4`.
+- Movie library cleanup decisions from user:
+  - Keep `名侦探柯南剧场版1-19` together as a summary/collection directory.
+  - `豆瓣 TOP250` should not stay as a grouping folder; found empty and removed.
+  - In `咒术回战 0 剧场版 (2021)`, keep the larger video file and delete the smaller duplicate; larger `mp4` kept, smaller `mkv` deleted.
+- Performed broad movie naming normalization toward Jellyfin-friendly `电影名 (年份)/电影名 (年份).ext` for a batch of obvious single-movie directories, including examples such as:
+  - `Kaze Tachinu The Wind Rises (2013)`
+  - `Kiki's Delivery Service (1989)`
+  - `Nausicaa of the Valley of the Wind (1984)`
+  - `Planetarian ~Snow Globe~ (2021)`
+  - `保你平安 (2022)`
+  - multiple Detective Conan movies
+  - `憨豆特工 (2003)` / `憨豆特工2 (2011)`
+  - `火锅艺术家 (2025)`
+  - `罗小黑传奇2 (2025)`
+  - `爱情公寓 (2018)`
+- Latest full rescan of movie library found remaining issues are mostly concentrated in:
+  - many directories already roughly correct, but inner video filenames still use release/raw scene names and should be renamed to match directory name;
+  - Conan movie folders using `.rmvb` caused false “empty directory” impressions in earlier scan;
+  - `名侦探柯南剧场版1-19` remains as a collection directory and is effectively non-useful to Jellyfin but intentionally kept per user preference;
+  - `罗小黑传奇2 (2025)` appears to be a residual shell with only `.nfo`, while the main movie is in English-titled directory `The Legend of Hei 2 (2025)`;
+  - several especially messy movie directory names still need manual cleanup, including examples like `大笑江湖..BD (2010)`, `沿路而下..BD (2021)`, `芬奇.官方中英双字.Finch..HD (2021)`, `疾速追杀.特效中英双字.John.Wick..BD (2014)`, `梦幻天堂·龙网.天书奇谭.4K纪念版.重映 (2021)`.
+- User’s latest request before compaction: “再扫一遍电影库”. Current pending next step is to continue movie-library cleanup by batch-renaming inner video files to match normalized folder names, skipping collection folders and separately handling especially dirty names/residual directories.

memory/2026-03-31.md

@@ -0,0 +1,45 @@
+## 2026-03-31 Memory Flush
+
+- User asked to find the previously configured server health scheduled task and change it from hourly to four times daily at 00:00, 06:00, 12:00, and 18:00.
+- Investigation confirmed the active mechanism is not system crontab; current user crontab is empty and the effective scheduler is OpenClaw's built-in cron task.
+- Relevant reporting script exists at `/home/sinlee/.openclaw/workspace/scripts/server-health-report.sh`.
+- HEARTBEAT.md already reflected four scheduled times, but user wanted the real task verified.
+- Confirmed OpenClaw cron task ID `990700ff-be06-44c5-be10-19eaf3ed0af9` is already scheduled as `0 6,12,18,0 * * *`, i.e. exactly 00:00 / 06:00 / 12:00 / 18:00 daily.
+- Task currently targets Telegram chat `-1003834524994`, topic `4`.
+- Noted minor inconsistency: task display/name still says `Server health report every 30m`, but actual schedule is already the four-times-daily one.
+# 2026-03-31 星期二 (Asia/Hong_Kong)
+
+## Telegram forum topic 群消息免艾特配置已验证可用
+- 用户已完成新版 OpenClaw Telegram 群/topic 配置调整。
+- 当前在 Telegram 群“龙虾指挥部” topic 4 中，机器人已经可以在**不被 @ 提及**的情况下正常回复。
+- 相关现有配置特征：
+  - `channels.telegram.groups.-1003834524994.requireMention = false`
+  - `channels.telegram.groups.-1003834524994.topics.4.requireMention = false`
+  - `channels.telegram.groupPolicy = allowlist`
+  - `channels.telegram.groupAllowFrom` 已包含用户 `975333652`
+- 说明新版 2026.3.23-2 下，群/topic 的免艾特响应链路已经打通。
+
+## Telegram 图片接收失败根因已定位
+- 用户反馈机器人“收不到图片”。
+- 排查日志后确认：**不是 Telegram 消息没到，而是 OpenClaw 在下载 Telegram 图片文件时被 URL fetch 安全策略拦截**。
+- 关键现象：日志中出现类似
+  - `blocked URL fetch (url-fetch) target=https://api.telegram.org/file/bot... reason=Blocked: resolves to private/internal/special-use IP address`
+- 当前判断：
+  - 文字链路正常；
+  - 媒体链路在下载 `api.telegram.org/file/...` 时被安全检查阻断；
+  - 高概率与宿主机 DNS/hosts/代理解析结果，或当前版本 URL 安全判定过严有关。
+- 用户明确希望走“方案 2”（通过 OpenClaw 配置放行/修复），后续应继续根据本地新版文档核对是否存在正式支持的 URL fetch 放行键名，再决定是否修改配置。
+
+## 夜间风扇变快排查结论
+- 2026-03-31 凌晨用户反馈主机风扇转速明显加快。
+- 排查结果：**OpenClaw 本身不是主因**。
+- 当时资源占用最高的进程：
+  - `ffmpeg`（Jellyfin 转码路径）约 `101% CPU`
+  - `baidunetdisk` 约 `21% CPU`
+  - `qemu-system-x86_64` 约 `7% CPU`
+  - OpenClaw 自身约 `0.4% CPU`
+- 系统整体负载并未爆满：
+  - `load average` 约 `1.59 / 1.47 / 1.76`
+  - 主机有 `16 CPU`
+  - CPU 平均空闲仍约 `89.91%`
+- 结论：更像是 **Jellyfin 正在进行实时转码/媒体处理**，带动风扇升速，而不是整机高压或 OpenClaw 失控。

memory/2026-04-01.md

@@ -0,0 +1,18 @@
+## 2026-04-01 Memory Flush
+
+- Completed anime library cleanup for 《仙逆》:
+  - Organized into seasons: Season 01 (001-050), Season 02 (051-099), Season 03 (100-134)
+  - Special: Season 00 for 劇場版
+  - Extras folder for duplicate/纯享版 files
+  - Renamed all video files to Jellyfin format: 《仙逆》 - S##E##.ext
+  - Handled duplicate file for episode 134 by keeping largest version in Season 03 and moving others to Extras
+
+- Movie library status after previous cleanup:
+  - Remaining anomaly: only the intentional collection folder 《名侦探柯南剧场版1-19》
+  - All other movies normalized to Jellyfin-friendly 电影名 (年份)/电影名 (年份).ext format
+  - Special cases like .rmvb files in Conan movies have been renamed appropriately
+
+- Current tasks completed per user requests:
+  - Fixed Jellyfin media naming for 《画江湖之不良人》 Season 07
+  - Audited and normalized anime, TV shows, and movies libraries
+  - Processed user-requested anime 《仙逆》 with same season/episode treatment

memory/2026-04-03-browser-relay-setup.md

@@ -0,0 +1,210 @@
+# Session: 2026-04-03 15:45:12 UTC
+
+- **Session Key**: agent:main:main
+- **Session ID**: 563eb943-3f05-4ecb-8f1b-e6782ce8c41f
+- **Source**: telegram
+
+## Conversation Summary
+
+assistant: 找到问题了！**配置文件里完全没有 `browser` 配置**，所以 Relay Server 没启动。
+
+需要在 `openclaw.json` 里添加：
+
+```json
+"browser": {
+  "enabled": true
+}
+```
+
+要我帮你加上吗？加完重启 Gateway，18792 就会启动了。
+user: Conversation info (untrusted metadata):
+```json
+{
+  "message_id": "779",
+  "sender_id": "975333652",
+  "sender": "星",
+  "timestamp": "Fri 2026-04-03 23:30 GMT+8"
+}
+```
+
+Sender (untrusted metadata):
+```json
+{
+  "label": "星 (975333652)",
+  "id": "975333652",
+  "name": "星",
+  "username": "zhuimanxing"
+}
+```
+
+加上 然后直接重启
+user: Conversation info (untrusted metadata):
+```json
+{
+  "message_id": "780",
+  "sender_id": "975333652",
+  "sender": "星",
+  "timestamp": "Fri 2026-04-03 23:31 GMT+8"
+}
+```
+
+Sender (untrusted metadata):
+```json
+{
+  "label": "星 (975333652)",
+  "id": "975333652",
+  "name": "星",
+  "username": "zhuimanxing"
+}
+```
+
+再检查一下
+assistant: 配置已经更新了，但 18792 还是没有启动。让我查一下文档，看看还需要什么配置：
+user: Conversation info (untrusted metadata):
+```json
+{
+  "message_id": "782",
+  "sender_id": "975333652",
+  "sender": "星",
+  "timestamp": "Fri 2026-04-03 23:35 GMT+8"
+}
+```
+
+Sender (untrusted metadata):
+```json
+{
+  "label": "星 (975333652)",
+  "id": "975333652",
+  "name": "星",
+  "username": "zhuimanxing"
+}
+```
+
+查到什么了, 怎么又没有后续的反馈?
+assistant: 抱歉，刚才在查文档。总结一下发现：
+
+文档说 **`chrome` 配置文件是内置的**，默认指向 `http://127.0.0.1:18792`。但 Relay Server 还是没启动。
+
+可能需要显式设置 `defaultProfile: "chrome"`。让我加上试试：
+user: Conversation info (untrusted metadata):
+```json
+{
+  "message_id": "784",
+  "sender_id": "975333652",
+  "sender": "星",
+  "timestamp": "Fri 2026-04-03 23:36 GMT+8"
+}
+```
+
+Sender (untrusted metadata):
+```json
+{
+  "label": "星 (975333652)",
+  "id": "975333652",
+  "name": "星",
+  "username": "zhuimanxing"
+}
+```
+
+加了吗, 重启了吗, 重启了那现在什么状态?
+assistant: 配置加了，重启了，但 **18792 还是没有启动**。
+user: Conversation info (untrusted metadata):
+```json
+{
+  "message_id": "786",
+  "sender_id": "975333652",
+  "sender": "星",
+  "timestamp": "Fri 2026-04-03 23:37 GMT+8"
+}
+```
+
+Sender (untrusted metadata):
+```json
+{
+  "label": "星 (975333652)",
+  "id": "975333652",
+  "name": "星",
+  "username": "zhuimanxing"
+}
+```
+
+怎么又断开了, 行不行, 没明确的解决方案, 就看看本地的文档, 或者查询一下网络
+assistant: 文档说浏览器插件需要两个条件都满足：`plugins.entries.browser.enabled` + `browser.enabled=true`。让我加上：
+assistant: 找到了！这是个已知问题 — **startup deadlock**：
+assistant: **找到根因了！** 这是 OpenClaw 的一个已知 bug — **startup deadlock**（启动死锁）：
+
+1. `browser start` → 需要扩展已连接
+2. 扩展连接 → 需要 relay 服务（18792）运行
+3. relay 服务 → 需要 `browser start` 才创建
+
+**死循环，谁也启动不了。**
+
+让我看看有没有更新版本修复了这个问题：
+user: Conversation info (untrusted metadata):
+```json
+{
+  "message_id": "790",
+  "sender_id": "975333652",
+  "sender": "星",
+  "timestamp": "Fri 2026-04-03 23:41 GMT+8"
+}
+```
+
+Sender (untrusted metadata):
+```json
+{
+  "label": "星 (975333652)",
+  "id": "975333652",
+  "name": "星",
+  "username": "zhuimanxing"
+}
+```
+
+估计没有吧, 最新的就是04.01, 没别的解决方案吗
+user: Conversation info (untrusted metadata):
+```json
+{
+  "message_id": "791",
+  "sender_id": "975333652",
+  "sender": "星",
+  "timestamp": "Fri 2026-04-03 23:44 GMT+8"
+}
+```
+
+Sender (untrusted metadata):
+```json
+{
+  "label": "星 (975333652)",
+  "id": "975333652",
+  "name": "星",
+  "username": "zhuimanxing"
+}
+```
+
+怎么又没有反馈了
+assistant: 抱歉，刚才在翻文档和搜索。总结一下：
+
+**问题已确认：这是 OpenClaw 的已知 bug**（GitHub issue #32532）
+
+`browser start` → 要求扩展已连接 → 扩展要连 relay → relay 要 `browser start` 才创建 → **死循环**
+
+当前版本 2026.4.2 已是最新，bug 还没修。
+
+---
+
+**两个可行方案：**
+
+**方案 A：用 OpenClaw 托管浏览器（最简单）**
+- 不需要扩展，不需要 relay
+- 配置里改 `defaultProfile` 为 `openclaw`，重启即可
+- 缺点：不能用你已登录的 Chrome 会话
+
+**方案 B：用 CDP 直连模式（推荐）**
+- Chrome 启动时加 `--remote-debugging-port=9222`
+- 配置里加一个 remote CDP profile 指向 `ws://127.0.0.1:9222`
+- 优点：能用你自己的 Chrome，包括已登录状态
+- 缺点：每次启动 Chrome 要加参数
+
+---
+
+你想用哪个方案？我可以直接帮你配置。

memory/2026-04-03-late-night-checkin.md

@@ -0,0 +1,14 @@
+# Session: 2026-04-03 15:46:22 UTC
+
+- **Session Key**: agent:main:main
+- **Session ID**: 8c84ac3b-ae73-443a-b719-977b959c4117
+- **Source**: telegram
+
+## Conversation Summary
+
+assistant: ✅ New session started · model: main/mimo-v2-omni (default: main/openclaw-main)
+user: A new session was started via /new or /reset. Run your Session Startup sequence - read the required files before responding to the user. Then greet the user in your configured persona, if one is provided. Be yourself - use your defined voice, mannerisms, and mood. Keep it to 1-3 sentences and ask what they want to do. If the runtime model differs from default_model in the system prompt, mention the default model. Do not mention internal steps, files, tools, or reasoning.
+Current time: Friday, April 3rd, 2026 — 11:45 PM (Asia/Hong_Kong) / 2026-04-03 15:45 UTC
+assistant: Hey Lee 👋 快午夜了，今天有什么需要帮忙的？
+
+顺便说一下，当前用的是 `mimo-v2-omni` 模型，默认模型是 `openclaw-main`。

memory/2026-04-03-remote-access-fix.md

@@ -0,0 +1,60 @@
+# 2026-04-03/04 局域网访问 OpenClaw Control UI
+
+## 问题
+局域网其他设备无法访问 OpenClaw 的 Web UI（Control UI）。
+
+## 原因
+1. **nginx SSL 证书权限问题**：本机 nginx 反代（`/etc/nginx/sites-enabled/reverse-proxy`）配置了 HTTPS → OpenClaw，但自签证书私钥 `/etc/ssl/self-signed.key` 权限为 `600 root:root`，nginx 以 `www-data` 运行无法读取。
+2. **Control UI 安全限制**：非 localhost 的 HTTP 访问会被 device identity 检查拦截。
+
+## 解决方案
+
+### 1. 修复 SSL 证书权限
+```bash
+sudo chmod 640 /etc/ssl/self-signed.key
+sudo chgrp www-data /etc/ssl/self-signed.key
+sudo systemctl restart nginx
+```
+
+### 2. openclaw.json 配置
+`gateway.controlUi` 段添加：
+```json
+{
+  "allowedOrigins": [
+    "http://localhost:18789",
+    "http://127.0.0.1:18789",
+    "http://192.168.2.110:18789",
+    "http://192.168.2.110",
+    "https://192.168.2.110",
+    "https://192.168.2.110:443"
+  ],
+  "allowInsecureAuth": true,
+  "dangerouslyDisableDeviceAuth": true
+}
+```
+
+### 3. nginx 反代配置
+文件：`/etc/nginx/sites-enabled/reverse-proxy`
+```nginx
+server {
+    listen 192.168.2.110:443 ssl;
+    ssl_certificate     /etc/ssl/self-signed.crt;
+    ssl_certificate_key /etc/ssl/self-signed.key;
+
+    location / {
+        proxy_pass http://127.0.0.1:18789;
+        proxy_set_header Host $host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 86400;
+        proxy_send_timeout 86400;
+    }
+}
+```
+
+## 访问方式
+- 局域网：`https://192.168.2.110/`（自签证书，浏览器需手动信任）
+- 首次连接需要 `openclaw devices approve`（或已启用 `dangerouslyDisableDeviceAuth` 则跳过）

memory/heartbeat-state.json

@@ -2,20 +2,18 @@
   "lastChecks": {
     "system": 1774867856,
     "health": 1774753106,
-    "heartbeat_monitor": 1774875089
+    "heartbeat_monitor": 1774875089,
+    "heartbeat": 1774880923
   },
   "lastProactiveHealthSummary": 1774859157,
   "lastTaskRun": {
-    "time": "2026-03-30T18:51:00+08:00",
+    "time": "2026-03-31T12:00:00+08:00",
-    "script": "/home/sinlee/monitor.sh",
+    "script": "/home/sinlee/.openclaw/workspace/scripts/server-health-report.sh",
-    "result": "CPU=10.7 MEM=28.6 DISK=5 LOAD=16h UPTIME=38m"
+    "result": "CPU=8.5 MEM=27.5 DISK=11 LOAD=1.14 UPTIME=8d9h46m"
   },
   "lastCheck": 1774871484,
   "lastResult": {
-    "timestamp": 1774875089,
+    "cpu": 8.5,
-    "cpu": null,
+    "memory": 27.5
-    "memory": null,
-    "exitCode": 0,
-    "output": "CPU=10.3 MEM=28.1 DISK=5 LOAD=18h UPTIME=38m"
   }
 }