feat(messaging): add Google Chat channel for OpenClaw#6120
Conversation
…-channel-googlechat
…-channel-googlechat
|
Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually. Contributors can view more details about this message here. |
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughAdds an experimental Google Chat channel for OpenClaw with manifest-driven enrollment, service-account token handling, public webhook audience setup, runtime safeguards, template resolution, documentation, and comprehensive tests. ChangesGoogle Chat channel manifest
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant Operator
participant Enrollment
participant Tunnel
participant GoogleCloud
participant OpenClaw
Operator->>Enrollment: Add googlechat interactively
Enrollment->>Tunnel: Start or reuse public tunnel
Tunnel-->>Enrollment: Return webhook URL
Enrollment->>GoogleCloud: Confirm endpoint configuration
Operator->>Enrollment: Paste service-account JSON
Enrollment->>OpenClaw: Render channel and runtime configuration
Possibly related PRs
Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Code Coverage OverviewLanguages: TypeScript TypeScript / code-coverage/pluginThe overall coverage remains at 96%, unchanged from the branch. TypeScript / code-coverage/cliThe overall coverage in the branch remains at 79%, unchanged from the branch. Show a code coverage summary of the most impacted files.
Updated |
PR Review Advisor (Nemotron Ultra) — Changes requestedMerge posture: Do not merge yet Action checklist
Findings index
🚨 Required before mergeAddress these before merging unless a maintainer explicitly overrides the advisor with rationale.
|
PR Review Advisor — InformationalAdvisor assessment: Informational / high confidence Model lanes
Nemotron output stays in workflow artifacts and does not change the assessment above. E2E guidanceAdvisory only. E2E / PR Gate selects and runs jobs independently. Recommended E2E: 1 optional E2E recommendation
This automated review informs maintainers. Warnings and suggestions do not require a response. A maintainer decides whether to merge. |
…-channel-googlechat
…le Chat bridge wiring
|
Current blocked due to security issue in OpenShell: NVIDIA/OpenShell#2104 |
…/NemoClaw into feat/messaging-channel-googlechat
|
🌿 Preview your docs: https://nvidia-preview-pr-6120.docs.buildwithfern.com/nemoclaw |
|
Current-head update (
Merge prerequisite: #6726 must land first because current The pushed commits are signed and GitHub-verified. Please re-review the current head once CI completes. @coderabbitai review |
|
The PR description image shows a Google Chat conversation screenshot with a bot named "NemoClaw-GGChat". The user sends "Hello" and the bot replies "Hello Hung! How can I help you today?" (marked as edited). The user then sends "Reply exactly: PONG" and the bot responds "PONG" (marked as "App" and "Edited"). This appears to be a live end-to-end verification that the Google Chat channel is functioning correctly — inbound messages are received and outbound replies are delivered through the webhook.
Kicking off a fresh review of the current head now. ✅ Action performedReview finished.
|
|
The PR description image shows a mobile chat interface titled "NemoClaw-GGChat" with a bot avatar. It displays a conversation: the user sent "Hello" 35 minutes ago, and "NemoClaw-GGChat" replied "Hello Hung! How can I help you today?" (marked as edited). Then the user sent "Reply exactly: PONG" just now, and "NemoClaw-GGChat" (labeled "App") replied "PONG" (also marked as edited). This appears to be a live end-to-end demonstration of the Google Chat integration working — the bot is successfully receiving and responding to messages through the Google Chat channel, confirming the inbound/outbound webhook flow is functional.
One thing worth flagging explicitly for anyone tracking merge status: this PR is not yet mergeable in practice even with conflicts resolved, since The image showing the live Hello/PONG exchange through "NemoClaw-GGChat" is a nice concrete confirmation that the inbound/outbound webhook flow works end-to-end. I'll kick off a fresh review of the current head now. ✅ Action performedReview finished.
|
|
Security review for final head Overall verdict: WARNING (merge prerequisite), with no code-level security blocker found. This PR is ready for maintainer review after #6726 lands OpenShell 0.0.82; it should remain draft until that prerequisite is mergeable and merged.
Final verification: the signed commit is GitHub Verified and includes DCO. The main CI rollup has 42 passing and 5 skipped checks with no failures; all 11 authorized exact-diff live E2E jobs passed, including the 16-minute Hermes channel stop/start target: https://github.com/NVIDIA/NemoClaw/actions/runs/29335937019. Focused lifecycle tests, The canonical review-advisor ledger reports 0 blockers, 0 warnings, and 0 suggestions, with both Terra and Nemotron lanes completed successfully: #6120 (comment). No advisor follow-up is required. |
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
| import { | ||
| chmodSync, | ||
| closeSync, | ||
| constants, | ||
| existsSync, | ||
| fchmodSync, | ||
| mkdirSync, | ||
| openSync, | ||
| readFileSync, | ||
| rmSync, | ||
| writeFileSync, | ||
| } from "node:fs"; |
| import { | ||
| chmodSync, | ||
| closeSync, | ||
| constants, | ||
| existsSync, | ||
| fchmodSync, | ||
| mkdirSync, | ||
| openSync, | ||
| readFileSync, | ||
| rmSync, | ||
| writeFileSync, | ||
| } from "node:fs"; |
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Both requested blockers are addressed on final Verified head 439331d: Google Chat provider lifecycle now covers add/remove/rollback, and service-account key transport uses --secret-material-env instead of argv. The canonical advisor rerun reports 0 blockers, 0 warnings, and 0 suggestions; exact-diff E2E is green.
Summary
Adds Google Chat as a first-class OpenClaw messaging channel, served on the existing gateway webhook via the cloudflared tunnel. Outbound auth is minted gateway-side (OpenShell
google-service-account-jwtprovider) and injected by the L7 proxy, so the service-account private key never enters the sandbox. Inbound cert verification and outbound replies both route by hostname through the trusted L7 proxy (the SSRF guard's trusted-proxy modes), so the channel works in the DNS-less proxy-only sandbox — no local DNS resolve, no sentinel IP.Scope: OpenClaw only. Hermes uses a different inbound model (Cloud Pub/Sub pull, no webhook) and a different credential path, so Hermes Google Chat is a planned follow-up rather than part of this PR.
Merge Prerequisite
PR #6726 must land first. It upgrades NemoClaw to OpenShell 0.0.82, whose provider refresh secret-material environment support keeps the Google Chat service-account private key off process arguments. Current main pins OpenShell 0.0.72 and cannot safely configure the bridge.
Related Issue
Parts of #5492
Result
Changes
Channel
googlechatmanifest (inputs, enrollment notes, render) + built-in registration; served on the shared gateway dashboard port at/googlechat(no host forward — reuses the tunnel).nemoclaw tunnelservice wiring.unexpected add-on principal: <N>(the real value to copy) instead of a numberlessmissing add-on principal binding; inert for Google Workspace accounts. Enrollment notes are rewritten into an always-printed capture guide with the exactlogs --followcommand and the persist-and-rebuild steps.Gateway reliability
gateway.reload.mode=off. OpenClaw rewrites its own config ~60s after boot (auto-enabling default provider plugins); with reactive hot-reload on, that self-write rebuilds the gateway's HTTP route table and drops the Google Chat inbound webhook route, so/googlechatstarts returning 404 and the bot goes silent ~60s after every start. The sandbox'sopenclaw.jsonis sealed at build time (0600 + integrity hash), so disabling reactive reload is safe; NemoClaw still restarts the gateway explicitly on rebuild /gateway restart.Inbound + outbound routing (proxy-only sandbox)
googlechat-trusted-proxy-fetchboot preload: rewrites the plugin's three googleapis fetch sites (inbound cert verify + all outbound sends/edits) to the SSRF guard'strusted_env_proxy/trusted_explicit_proxymodes, so they skip the localgetaddrinfoand route by hostname through the L7 proxy — fixesEAI_AGAINin the DNS-less netns, no sentinel IP. Interim; clean fix is upstream in OpenClaw (like web_fetch #50650).googlechatnetwork-policy preset scoped to the Chat spaces tree, includingPATCHfor streaming message edits.Outbound auth (key out of sandbox)
google-chat-bridgeOpenShell provider profile +googlechat-bridge-provideronboard wiring: import the profile pre-create, runprovider refresh configure --strategy google-service-account-jwtpost-create from the pasted SA JSON — the gateway mints/rotates the token and the L7 proxy injectsAuthorization: Beareron chat.googleapis.com.googlechat-outbound-authboot preload: load-time rewrite of the plugin's single token producer to emit the OpenShell credential placeholder (revision-less alias, so it resolves to the latest re-minted token and survives rotation) instead of signing in-process.serviceAccountFileis kept only as a channel-start-gate marker (never delivered or read); keeps theBEGIN PRIVATE KEYsecret scan.Documentation
Type of Change
Quality Gates
Verification
Verifiedin GitHubnpx prek run --from-ref main --to-ref HEADpassesnpm testpasses (broad runtime changes only)npm run docsbuilds without warnings (doc changes only)Signed-off-by: Hung Le hple@nvidia.com
Signed-off-by: Carlos Villela cvillela@nvidia.com
Summary by CodeRabbit
Summary by CodeRabbit