system-health-check

System health validator — checks skill files, paths, permissions, binaries, backup freshness, and encryption. Produces pass/fail reports.

# System Health Check

This skill validates the entire OpenClaw Greek Accounting system in a single command. It checks skill file integrity, directory structure, file permissions, required dependencies, backup freshness, encryption status, and process lock health. Designed to run daily via cron or manually before critical operations.


## Setup

```bash
export OPENCLAW_DATA_DIR="/data"
which jq openssl || sudo apt install jq openssl
```

Read-only validation skill. Checks file presence, directory structure, permissions, and backup freshness. Never modifies any data.


## Core Philosophy

- **Fast & Non-Destructive**: Read-only checks — never modifies any data
- **Comprehensive**: Covers every layer from skill files to encryption status
- **Actionable Output**: Every failure includes a specific remediation command
- **Cron-Friendly**: Exit code 0 for all-pass, exit code 1 for any failure
- **English Output**: Plain English report suitable for accounting assistants and system admins

## OpenClaw Commands

### Full Health Check
```bash
# Run all checks
openclaw health-check --all

# Run all checks with verbose output
openclaw health-check --all --verbose

# Run all checks and write report to /data/reports/system/
openclaw health-check --all --save-report
```

### Individual Check Categories
```bash
# Check skill files only
openclaw health-check --skills

# Check directory structure against canonical data map
openclaw health-check --directories

# Check file permissions on sensitive directories
openclaw health-check --permissions

# Check required binaries and dependencies
openclaw health-check --dependencies

# Check backup freshness and integrity
openclaw health-check --backups

# Check for stale process locks
openclaw health-check --locks

# Check encryption status on sensitive directories
openclaw health-check --encryption

# Check data integrity hashes
openclaw health-check --integrity
```

### Scheduled Checks
```bash
# Quick check — skills + directories + locks (for hourly cron)
openclaw health-check --quick

# Standard check — everything except full integrity hash verification (for daily cron)
openclaw health-check --standard

# Deep check — all checks including full hash verification (for weekly cron)
openclaw health-check --deep
```

## Check Specifications

### 1. Skill File Validation

Verifies all 19 operational skills and the canonical data map are present and well-formed.

```yaml
Skill_File_Checks:
  presence:
    description: "Every skill folder contains a SKILL.md file"
    expected_count: 20
    check: "ls skills/*/SKILL.md"
    
  frontmatter:
    description: "Every SKILL.md has valid YAML frontmatter with required fields"
    required_fields: ["name", "description", "version", "author", "tags", "metadata"]
    check: "Parse frontmatter block between --- delimiters"
    
  evals:
    description: "Every operational skill has an EVALS.json file"
    expected_count: 19
    excluded: ["canonical-data-map"]
    check: "ls skills/*/EVALS.json, validate JSON syntax"
    
  evals_content:
    description: "Each EVALS.json contains at least 5 test cases"
    minimum_cases: 5
    check: "Parse JSON, count array length"

  skill_inventory:
    - "canonical-data-map"
    - "accounting-workflows"
    - "greek-compliance-aade"
    - "cli-deadline-monitor"
    - "greek-email-processor"
    - "greek-individual-taxes"
    - "openclaw-greek-accounting-meta"
    - "aade-api-monitor"
    - "greek-banking-integration"
    - "greek-document-ocr"
    - "efka-api-integration"
    - "dashboard-greek-accounting"
    - "client-data-management"
    - "user-authentication-system"
    - "conversational-ai-assistant"
    - "greek-financial-statements"
    - "client-communication-engine"
    - "system-integrity-and-backup"
    - "analytics-and-advisory-intelligence"
    - "memory-feedback"
```

### 2. Directory Structure Validation

Checks all canonical directories exist under `/data/` as specified in the canonical data map (Skill 00).

```yaml
Directory_Checks:
  top_level:
    required:
      - "/data/incoming/"
      - "/data/processing/"
      - "/data/clients/"
      - "/data/compliance/"
      - "/data/banking/"
      - "/data/ocr/"
      - "/data/efka/"
      - "/data/reports/"
      - "/data/exports/"
      - "/data/imports/"
      - "/data/dashboard/"
      - "/data/auth/"
      - "/data/backups/"
      - "/data/gdpr-exports/"
      - "/data/memory/"
      - "/data/system/"

  subdirectories:
    incoming:
      - "/data/incoming/invoices/"
      - "/data/incoming/receipts/"
      - "/data/incoming/statements/"
      - "/data/incoming/government/"
      - "/data/incoming/payroll/"
      - "/data/incoming/tax-documents/"
      - "/data/incoming/contracts/"
      - "/data/incoming/other/"
    processing:
      - "/data/processing/ocr/"
      - "/data/processing/classification/"
      - "/data/processing/reconciliation/"
      - "/data/processing/compliance/"
    system:
      - "/data/system/logs/"
      - "/data/system/logs/audit/"
      - "/data/system/process-locks/"
      - "/data/system/integrity/"

  unexpected_directories:
    description: "Flag any top-level directory under /data/ not in the canonical map"
    action: "WARN — may indicate a skill creating non-canonical paths"
```

### 3. File Permission Checks

Validates OS-level file permissions on sensitive directories.

```yaml
Permission_Checks:
  restricted_directories:
    - path: "/data/auth/"
      expected_mode: "700"
      description: "Auth directory must be restricted to service user"
    - path: "/data/auth/users/*/credentials.json"
      expected_mode: "600"
      description: "Credential files must not be world-readable"
      
  sensitive_directories:
    - path: "/data/clients/"
      expected_mode: "700"
      description: "Client data directory should be restricted"
    - path: "/data/backups/"
      expected_mode: "700"
      description: "Backup directory should be restricted"
      
  note: "Permission checks may report SKIP on systems where the OpenClaw agent runs as root or in a container without OS-level permission enforcement."
```

### 4. Dependency Checks

Verifies required binaries and environment variables are available.

```yaml
Dependency_Checks:
  required_binaries:
    - name: "jq"
      check: "which jq"
      used_by: "All skills — JSON processing"
    - name: "curl"
      check: "which curl"
      used_by: "AADE monitor, email processor, EFKA, memory-feedback"
    - name: "openssl"
      check: "which openssl"
      used_by: "System integrity, backup encryption"

  required_env_vars:
    - name: "OPENCLAW_DATA_DIR"
      description: "Root data directory path"
      default: "/data/"
      
  optional_env_vars:
    - name: "OPENCLAW_ENCRYPTION_KEY"
      description: "Master encryption key for data-at-rest"
      warn_if_missing: true
    - name: "GITHUB_TOKEN"
      description: "GitHub PAT for memory-feedback PR workflow"
      warn_if_missing: true
    - name: "SMTP_HOST"
      description: "Mail server for client communications"
      warn_if_missing: true
```

### 5. Backup Freshness

Checks that backups are current per the schedule defined in Skill 17.

```yaml
Backup_Checks:
  weekly_full:
    description: "Full backup should exist from within the last 7 days"
    location: "/data/backups/"
    pattern: "full_*.tar.enc"
    max_age_days: 7
    severity: "HIGH if missing"
    
  daily_incremental:
    description: "Incremental backup should exist from within the last 24 hours"
    location: "/data/backups/"
    pattern: "incremental_*.tar.enc"
    max_age_hours: 26
    severity: "MEDIUM if missing (allows 2-hour grace period)"
    
  verification:
    description: "Last backup verification should be within 7 days"
    check: "Look for verification report in /data/reports/system/"
    severity: "MEDIUM if stale"
```

### 6. Process Lock Health

Detects stale process locks that may indicate crashed operations.

```yaml
Lock_Checks:
  location: "/data/system