Problem Statement
Rotating a Telegram bot token requires re-running nemoclaw onboard so the OpenShell provider is updated with the new credential. This test validates that token rotation works without sandbox recreation.
Proposed Design
In nightly/PR:
- Provision two bot tokens (A is invalid token and B is valid one):
- TELEGRAM_BOT_TOKEN_A
- TELEGRAM_BOT_TOKEN_B
- Export TELEGRAM_BOT_TOKEN=$TELEGRAM_BOT_TOKEN_A and run nemoclaw onboard (or bash install.sh --non-interactive) for first install.
- Verify the sandbox reaches Ready state and the provider -telegram-bridge exists
openshell sandbox listopenshell provider get "${NEMOCLAW_SANDBOX_NAME}-telegram-bridge"
- From inside the sandbox, call the Telegram getMe API — assert HTTP 4xx status code. (The sandbox holds a placeholder token; the OpenShell L7 proxy rewrites it to the real credential on egress, so the 4xx confirms the gateway is routing with invalid token A.).
- Export TELEGRAM_BOT_TOKEN=$TELEGRAM_BOT_TOKEN_B and re-run nemoclaw onboard, choosing "Y" to reuse the existing sandbox. This triggers upsertMessagingProviders which issues openshell provider updates with the new credential.
- From inside the sandbox, call getMe again — assert HTTP 200 and that the response reflects bot B's identity (not bot A). This confirms the gateway now rewrites the placeholder to token B.
Alternatives Considered
No response
Category
enhancement: feature
Checklist
Problem Statement
Rotating a Telegram bot token requires re-running nemoclaw onboard so the OpenShell provider is updated with the new credential. This test validates that token rotation works without sandbox recreation.
Proposed Design
In nightly/PR:
openshell sandbox listopenshell provider get "${NEMOCLAW_SANDBOX_NAME}-telegram-bridge"Alternatives Considered
No response
Category
enhancement: feature
Checklist