docs: RFC design document for periodic git-sync of .openclaw state directory

[Copilot]

Summary

• Problem: No mechanism to continuously back up ~/.openclaw/ state to a remote git repository
• Why it matters: Users want versioned, periodic, off-machine backup of config, sessions, and state — recoverable and diffable
• What changed: Added extensions/git-sync/DESIGN.md — a full RFC covering architecture, tech choices, security model, config schema, error handling, and open questions for review
• What did NOT change: No runtime code, no new dependencies, no config changes — this is a design doc only

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

User-visible / Behavior Changes

None. Design document only — no runtime changes.

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? No

The design doc proposes hardcoded exclusion of credentials/, *.key, *.pem, *.p12 from git sync — flagged as an open question for reviewers.

Repro + Verification

Environment

• N/A (documentation only)

Steps

1. Read extensions/git-sync/DESIGN.md

Expected

• Comprehensive RFC covering: dual-mode architecture (plugin + standalone CLI), simple-git as sole runtime dep, setInterval + git status --porcelain change detection, config schema, security model, error recovery matrix, 7 open questions

Actual

• As expected

Evidence

• N/A — no runtime changes to test

Human Verification (required)

• Verified scenarios: Document renders correctly, references accurate plugin SDK types (OpenClawPluginService, registerService, registerCli), config schema follows existing patterns (diffs, memory-lancedb)
• Edge cases checked: Verified simple-git is not already in dependency tree; confirmed credentials/ exclusion strategy aligns with existing backup command behavior
• What you did not verify: No runtime code to verify

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Migration needed? No

Failure Recovery (if this breaks)

• Delete extensions/git-sync/DESIGN.md

Risks and Mitigations

None. Documentation only.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.