Conversation
- Part 1: pnpm workspace, tsconfig, biome, .env.example
- Part 2: API with Hono + Drizzle (SQLite) + better-auth
- DB schema (bots, channels, credentials, pools)
- AES-256-GCM crypto module
- Config Generator (core module)
- Bot CRUD, Channel, Pool routes
- Config Generator unit tests
- Part 3: Web with React + Ant Design + Vite
- Login/Register pages
- Bot list + create
- Bot detail with channels and config preview
- packages/shared: Zod schemas for bots, channels, config

Co-authored-by: lefarcen <lefarcen@users.noreply.github.com>

- Fix AppBindings type consistency across all routes
- Fix Database type redeclaration in db/index.ts
- Replace non-null assertions with optional chains and type guards
- Fix import sorting and formatting issues
- All typecheck, lint, and tests pass

Co-authored-by: lefarcen <lefarcen@users.noreply.github.com>

- Generate openapi.json from API routes
- Configure @hey-api/openapi-ts with plugins
- Generate SDK (types.gen.ts, sdk.gen.ts, client.gen.ts)
- Fix better-auth baseURL config
- Add SQLite db files to .gitignore
- Add openapi.json to biome ignore list

Co-authored-by: lefarcen <lefarcen@users.noreply.github.com>
… webhook route management on the API side."
…ck workspace connections.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… refactor web app structure for improved authentication and bot management
… gateway forwarding, and update Slack webhook route creation to always include a route.
…age to ensure accurate signature verification and handle retries.
…rkspace API routes and middleware.
…responses, enhancing the local Slack testing documentation.
📝 Walkthrough

Adds a full-stack monorepo: a Hono-based API with DB schema, migrations, auth, Slack integration and OpenClaw pool config generation; a React + Vite frontend with generated API client and UI primitives; shared Zod schemas, CI/tooling configs, docs, and Docker/Postgres compose.
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Slack as Slack
    participant API as API (/api/slack/events)
    participant DB as Database
    participant Gateway as Gateway Pod
    Slack->>API: POST event (raw body + headers)
    API->>DB: lookup webhook_route by team_id -> get botChannel & signing secret
    API->>API: verify Slack signature (timestamp + signature)
    API->>DB: resolve pool and gateway assignment for botChannel
    API->>Gateway: forward event (preserve headers + body)
    Gateway-->>API: 200/ok
    API-->>Slack: 200/ok
```

```mermaid
sequenceDiagram
    participant Internal as Internal API (/api/internal/pools/{id}/config)
    participant DB as Database
    participant Crypto as Crypto (encrypt/decrypt)
    participant Validator as OpenClaw Validator
    Internal->>DB: fetch pool, bots, channels, credentials
    Internal->>Crypto: decrypt channel credentials
    Internal->>Internal: build OpenClaw config (agents, channels, bindings, gateway)
    Internal->>Validator: validate config against schema
    Internal->>DB: increment pool.configVersion
    Internal-->>Caller: return validated OpenClawConfig
```
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~75 minutes
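The signature step in the first sequence diagram (`verify Slack signature (timestamp + signature)` over the raw body), written out as an added example; it is not code from this pull request. It follows Slack's documented v0 request-signing scheme, and the function names and sample values are hypothetical.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Slack's documented replay window: reject requests older than five minutes.
const MAX_SKEW_SECONDS = 60 * 5;

type Verdict = "ok" | "missing-headers" | "stale-timestamp" | "bad-signature";

// Computes the v0 signature over the exact bytes Slack sent.
function signSlackBody(secret: string, timestamp: string, rawBody: string): string {
  const mac = createHmac("sha256", secret)
    .update(`v0:${timestamp}:${rawBody}`)
    .digest("hex");
  return `v0=${mac}`;
}

// rawBody must be the unparsed request body: re-serialising parsed JSON can
// change whitespace or key order, which changes the HMAC.
function verifySlackRequest(
  secret: string,
  headers: Record<string, string | undefined>,
  rawBody: string,
  nowSeconds: number,
): Verdict {
  const timestamp = headers["x-slack-request-timestamp"];
  const signature = headers["x-slack-signature"];
  if (!timestamp || !signature) return "missing-headers";

  // Check freshness first so a captured request cannot be replayed later.
  const ts = Number(timestamp);
  if (!Number.isInteger(ts) || Math.abs(nowSeconds - ts) > MAX_SKEW_SECONDS) {
    return "stale-timestamp";
  }

  const expected = Buffer.from(signSlackBody(secret, timestamp, rawBody));
  const received = Buffer.from(signature);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (expected.length !== received.length || !timingSafeEqual(expected, received)) {
    return "bad-signature";
  }
  return "ok";
}

// Constructed sample values, not real Slack data.
const SAMPLE_SECRET = "constructed-signing-secret";
const SAMPLE_BODY = '{"type":"event_callback","team_id":"T0000TEST"}';
const SAMPLE_NOW = 1700000000;
```

The verdict is computed before any forwarding to the gateway; a handler would answer anything other than `"ok"` with a 4xx and skip the forward.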
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6970dbfe7c
| app.openapi(getPoolConfigRoute, async (c) => { | ||
| const { poolId } = c.req.valid("param"); | ||
| try { | ||
| const config = await generatePoolConfig(db, poolId); | ||
| return c.json(config, 200); |
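Review bot: `return c.json(config, 200)` sends the generated config with default response headers. The walkthrough shows this config is built from decrypted channel credentials, so once the caller check is in place, also set `c.header("Cache-Control", "no-store")` before the return so that no intermediary or client cache keeps a copy of the response.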
Require auth before returning generated pool config
This handler returns generatePoolConfig(...) directly without validating any token/session, and that generated payload includes decrypted Slack credentials (botToken and signingSecret) from apps/api/src/lib/config-generator.ts; because this endpoint sits outside the /v1/* auth middleware, any client that can reach the API can pull live channel secrets for a known/guessable pool ID (for example, default).
| // Increment used count | ||
| await db | ||
| .update(inviteCodes) | ||
| .set({ usedCount: sql`${inviteCodes.usedCount} + 1` }) | ||
| .where(eq(inviteCodes.id, invite.id)); |
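Review bot: the `.where(eq(inviteCodes.id, invite.id))` on this update matches on the id only, so the increment is not tied to any remaining-uses check. Two concurrent requests that both passed an earlier check can each add 1 and push `usedCount` past the limit. Put the remaining-uses condition in the same `where` and treat zero updated rows as an exhausted code.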
Stop consuming invite quota during validation
The invite check endpoint is used by the UI to validate a code before proceeding (apps/web/src/pages/invite.tsx), but this code increments usedCount on every successful validation; users can exhaust maxUses just by retrying/refreshing validation without completing onboarding, which prematurely invalidates otherwise usable invite codes.
| await db | ||
| .delete(gatewayAssignments) | ||
| .where(eq(gatewayAssignments.botId, botId)); | ||
|
|
||
| await db |
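Review bot: the `delete(gatewayAssignments)` call and the `await db` statement that follows it are two independent awaits, so a failure in the second leaves the bot with its gateway assignment gone and nothing else changed. Run both inside one `db.transaction(async (tx) => { ... })` so the delete commits only together with the rest of the bot removal.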
Remove webhook routes when deleting a bot
Bot deletion only drops the gateway assignment and soft-deletes the bot record, but it does not clean up related bot_channels/webhook_routes; since Slack connect enforces global uniqueness via webhook_routes (apps/api/src/routes/channel-routes.ts), a workspace tied to a deleted bot remains blocked as “already connected,” so users cannot reconnect that workspace to a replacement bot.
| .min(1) | ||
| .max(100), | ||
| systemPrompt: z.string().optional(), | ||
| modelId: z.string().default("gpt-4o"), |
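Review bot: `systemPrompt: z.string().optional()` has no upper bound, while the field above it is capped with `.min(1)` and `.max(100)`. Add an explicit `.max(...)` so a request validated by this schema has a bounded size. `modelId` is likewise a free-form `z.string()`; constraining it to the known model IDs would reject values outside the catalog at validation time.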
Align default modelId with model catalog IDs
The default modelId here is gpt-4o, but the platform model list uses provider-qualified IDs such as openai/gpt-4o (apps/api/src/lib/models.ts); creating bots without an explicit model stores an ID that doesn't match available models, which can surface as an unknown selection in the dashboard and propagate an invalid model identifier into generated config.
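The first Codex finding as a before/after pair, added here for illustration and not taken from the pull request. The handler is reduced to a plain function, `generate` stands in for `generatePoolConfig`, and the bearer service token is an assumed authentication scheme.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

type Reply = { status: number; body: unknown };
// Stand-in for generatePoolConfig(db, poolId); hypothetical signature.
type Generate = (poolId: string) => unknown;

// Hash both values first: equal-length digests keep the comparison
// constant-time without revealing the expected token's length.
function tokenMatches(presented: string, expected: string): boolean {
  const a = createHash("sha256").update(presented).digest();
  const b = createHash("sha256").update(expected).digest();
  return timingSafeEqual(a, b);
}

// Before: same shape as the reviewed handler, no caller check at all.
function getPoolConfigOpen(generate: Generate, poolId: string): Reply {
  return { status: 200, body: generate(poolId) };
}

// After: the check runs before generate(), so nothing is decrypted for a
// caller that fails it. An unset service token fails closed.
function getPoolConfigGuarded(
  generate: Generate,
  poolId: string,
  authorization: string | undefined,
  serviceToken: string | undefined,
): Reply {
  const presented = authorization?.startsWith("Bearer ")
    ? authorization.slice("Bearer ".length)
    : "";
  if (!serviceToken || !presented || !tokenMatches(presented, serviceToken)) {
    return { status: 401, body: { error: "unauthorized" } };
  }
  return { status: 200, body: generate(poolId) };
}

// Constructed demo: a fake generator that counts how often it is invoked.
let generateCalls = 0;
const fakeGenerate: Generate = (poolId) => {
  generateCalls += 1;
  return { poolId, channels: { slack: { botToken: "constructed-placeholder" } } };
};
function callCount(): number {
  return generateCalls;
}
```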
…uired fields, add default agent model, set gateway bind to loopback, and update schema and docs.
Summary
apps/api, apps/web, and packages/shared
openapi-ts
Key Components
- apps/api): Auth, bot/channel/invite/model/pool routes, Slack events, OpenClaw config generator
- apps/web): Auth pages, workspace layout, bot config, channel management, invite flow
- packages/shared): Zod schemas and TypeScript types
Summary by CodeRabbit
New Features
Infrastructure
Documentation