vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 05:20:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
openclaw/qa/convex-credential-broker
History
Patrick Erichsen 84e8e09725 Add WhatsApp live QA lane (#77704) 
* feat(qa): add whatsapp live lane

* ci: add gated whatsapp and discord qa live lanes

* ci: honor qa live env gates in release selection

* test: update qa live workflow gate assertion

* ci: split live QA release gates
2026-05-05 12:09:28 -07:00
..
convex
Add WhatsApp live QA lane (#77704)
2026-05-05 12:09:28 -07:00
.gitignore
convex.json
package.json
README.md
test(qa): validate Discord Convex credential payloads (#70910)
2026-04-23 20:35:54 -07:00

README.md

QA Convex Credential Broker (v1)

Standalone Convex project for shared qa-lab live credentials with lease locking.

This broker exposes:

  • POST /qa-credentials/v1/acquire
  • POST /qa-credentials/v1/heartbeat
  • POST /qa-credentials/v1/release
  • POST /qa-credentials/v1/admin/add
  • POST /qa-credentials/v1/admin/remove
  • POST /qa-credentials/v1/admin/list

The implementation matches the contract documented in docs/help/testing.md for --credential-source convex.

Policy baked in

  • Pool partitioning: by kind only
  • Selection: least-recently-leased (round-robin behavior)
  • Secrets: separate maintainer/CI secrets
  • Outage behavior: callers fail fast
  • Lease event retention: 2 days (hourly cleanup cron)
  • Admin event retention: 30 days (hourly cleanup cron)
  • App-level encryption: not included in v1

Quick start

  1. Create a Convex deployment and authenticate your CLI.
  2. From this folder:
cd qa/convex-credential-broker
npm install
npx convex dev
  1. Deploy:
npx convex deploy
  1. In Convex deployment environment variables, set:
  • OPENCLAW_QA_CONVEX_SECRET_MAINTAINER
  • OPENCLAW_QA_CONVEX_SECRET_CI

Client URL policy:

  • OPENCLAW_QA_CONVEX_SITE_URL must use https:// in normal use.
  • Local development may use loopback http:// only when OPENCLAW_QA_ALLOW_INSECURE_HTTP=1.

Manage credentials from qa-lab CLI

Maintainers can manage rows without using the Convex dashboard:

pnpm openclaw qa credentials add \
  --kind telegram \
  --payload-file qa/telegram-credential.json

pnpm openclaw qa credentials add \
  --kind discord \
  --payload-file qa/discord-credential.json

pnpm openclaw qa credentials list --kind telegram

pnpm openclaw qa credentials remove --credential-id <credential-id>

Admin endpoints require OPENCLAW_QA_CONVEX_SECRET_MAINTAINER.

Local request examples

Replace <site-url> with your Convex site URL and <token> with a configured secret.

Acquire:

curl -sS -X POST "<site-url>/qa-credentials/v1/acquire" \
  -H "authorization: Bearer <token>" \
  -H "content-type: application/json" \
  -d '{
    "kind":"telegram",
    "ownerId":"local-dev",
    "actorRole":"maintainer",
    "leaseTtlMs":1200000,
    "heartbeatIntervalMs":30000
  }'

Heartbeat:

curl -sS -X POST "<site-url>/qa-credentials/v1/heartbeat" \
  -H "authorization: Bearer <token>" \
  -H "content-type: application/json" \
  -d '{
    "kind":"telegram",
    "ownerId":"local-dev",
    "actorRole":"maintainer",
    "credentialId":"<credential-id>",
    "leaseToken":"<lease-token>",
    "leaseTtlMs":1200000
  }'

Release:

curl -sS -X POST "<site-url>/qa-credentials/v1/release" \
  -H "authorization: Bearer <token>" \
  -H "content-type: application/json" \
  -d '{
    "kind":"telegram",
    "ownerId":"local-dev",
    "actorRole":"maintainer",
    "credentialId":"<credential-id>",
    "leaseToken":"<lease-token>"
  }'

Admin add (maintainer token only):

curl -sS -X POST "<site-url>/qa-credentials/v1/admin/add" \
  -H "authorization: Bearer <maintainer-token>" \
  -H "content-type: application/json" \
  -d '{
    "kind":"telegram",
    "actorId":"local-maintainer",
    "payload":{
      "groupId":"-100123",
      "driverToken":"driver-token",
      "sutToken":"sut-token"
    }
  }'

For kind: "telegram", broker admin/add validates that payload includes:

  • groupId as a numeric chat id string
  • non-empty driverToken
  • non-empty sutToken

For kind: "discord", broker admin/add validates that payload includes:

  • guildId as a Discord snowflake string
  • channelId as a Discord snowflake string
  • non-empty driverBotToken
  • non-empty sutBotToken
  • sutApplicationId as a Discord snowflake string

Admin list (default redacted):

curl -sS -X POST "<site-url>/qa-credentials/v1/admin/list" \
  -H "authorization: Bearer <maintainer-token>" \
  -H "content-type: application/json" \
  -d '{
    "kind":"telegram",
    "status":"all"
  }'

Admin remove (soft disable, fails when lease is active):

curl -sS -X POST "<site-url>/qa-credentials/v1/admin/remove" \
  -H "authorization: Bearer <maintainer-token>" \
  -H "content-type: application/json" \
  -d '{
    "credentialId":"<credential-id>",
    "actorId":"local-maintainer"
  }'
Reference in New Issue View Git Blame Copy Permalink