GitHub

PR #847: Add user profile caching@OpenClaw review this for performance and caching best practices[OpenClaw responds in 3 seconds]## Code Review Summary✅ **Good:**- Cache invalidation logic is solid- TTL values are reasonable (15 min)- Error handling includes cache failures⚠️ **Concerns:**1. **Cache stampede risk (High Priority)**   Lines 34-42: When cache expires, multiple requests will hit DB simultaneously.   Recommendation: Implement cache locking or probabilistic early expiration.   2. **Memory usage (Medium Priority)**   Current implementation caches full user objects. For 100K active users,   this could consume 2-3GB RAM. Consider caching only essential fields.   3. **Missing tests (Medium Priority)**   Cache invalidation logic (lines 56-78) lacks test coverage.   Suggested test cases:   - User update triggers cache clear   - Cache expires after TTL   - Concurrent access handling4. **Monitoring gap (Low Priority)**   No metrics for cache hit rate. Recommend adding instrumentation.**Related PRs:**- #623: Similar caching implementation for posts (merged 3 months ago)- #401: Discussion about cache stampede prevention (see comments)**Suggestion:** Review Redis documentation on distributed locking before merge.

GitHub Actions Workflow Failed: backend-tests.yml[OpenClaw auto-comment on commit]## Build Failure Analysis**Workflow:** backend-tests.yml  **Commit:** a3f5d9c  **Failed Step:** Run integration tests  **Duration:** 12m 34s (usual: 8m)  **Root Cause:**Test `test_payment_processing` failed with timeout after 30s.**Analysis:**This test has failed 4 out of last 10 runs (40% flake rate).Pattern: Always fails when running after `test_user_deletion` (order-dependent).**Why:**Line 156 in test_user_deletion.py doesn't clean up Stripe test customer.Subsequent tests hit Stripe rate limit (100 requests/sec).**Fix:**```python# test_user_deletion.py, line 160def test_user_deletion(self):    user = create_test_user()    stripe_customer = create_stripe_customer(user)        delete_user(user.id)        # ADD THIS:    cleanup_stripe_customer(stripe_customer.id)  # Clean up test data

@pytest.fixturedef stripe_customer():    customer = create_stripe_customer()    yield customer    cleanup_stripe_customer(customer.id)  # Auto cleanup

Your developer reads this, implements the fix, and re-runs CI. Passes. What would have taken 45 minutes of log digging and debugging took 3 seconds of AI analysis.**3. Engineering Manager: Team Velocity Tracking****Scenario:** You manage a team of 12 engineers across 3 product squads. Leadership asks: "How's velocity trending?" "Why did sprint 23 miss goals?" "Who's overloaded?" You spend hours manually analyzing GitHub data - PRs merged, review times, contribution patterns.**How OpenClaw helps:**Connect OpenClaw to your GitHub organization:- **Velocity dashboards**: "Show me team velocity for Q1"  - AI analyzes PRs, commits, issues closed  - Visualizes trends: Sprint 22 (87 story points) vs Sprint 23 (63 story points, -27%)  - Identifies causes: 2 engineers on PTO, 1 major incident consumed 3 days- **Bottleneck identification**: "Why are PRs taking longer to merge?"  - AI finds: Average PR review time increased from 4 hours to 18 hours  - Root cause: Senior engineer (top reviewer) switched to new project  - Reviews now distributed across junior engineers who take longer  - Recommendation: Cross-train junior engineers or hire senior reviewer- **Contribution analysis**: "Show me contribution distribution this month"  - Top contributors: Alice (47 PRs), Bob (38 PRs), Carol (12 PRs)  - Carol's low number explained: Focused on one large refactoring PR (2000 lines)  - Identifies risk: Alice is a single point of failure for payments module- **Burnout detection**: "Is anyone overworked?"  - AI analyzes commit patterns, PR frequency, review workload  - Flags: Dave has 68 commits this week (avg: 25), working weekends  - Flags: Eve has reviewed 43 PRs this week (avg: 15), blocking vacation  - Suggests: Redistribute review responsibilities- **Sprint planning**: "Can we complete these 8 stories in the next sprint?"  - AI analyzes historical complexity of similar stories  - Estimates: Based on past sprints, this is 42 story points  - Team capacity: 38 points (2 engineers out, 1 holiday)  - Recommendation: Move 2 stories to backlog**Impact:**- Data-driven sprint planning (estimates 20% more accurate)- Early warning of team burnout (prevent attrition)- Identify skill gaps before they become blockers- Leadership reports generated in 2 minutes instead of 2 hours- Better resource allocation across teams**Real example:**

You share this with leadership in your monthly review. What would have taken 3 hours of spreadsheet analysis took 30 seconds.**4. Security Team: Vulnerability Scanning****Scenario:** You're on the security team for a company with 150 repositories. Dependabot creates 40-60 PRs per week for dependency updates. You need to triage which are critical, which can wait, and which are safe to auto-merge. Manually reviewing each takes too long.**How OpenClaw helps:**Integrate OpenClaw with GitHub Security features:- **Dependabot triage**: "@OpenClaw analyze Dependabot PR #1234"  - AI reviews the update: `axios 0.27.2 → 1.6.5`  - CVE analysis: Fixes CVE-2023-45857 (High severity, CVSS 8.2)  - Exploit status: Exploit code publicly available  - Production impact: `axios` used in 12 services  - Breaking changes: None (patch version)  - Test coverage: All 47 axios-dependent tests pass  - **Recommendation:** Merge immediately and deploy to production- **Secret scanning**: "Check last 50 commits for exposed secrets"  - AI scans commit history and file changes  - Finds: AWS access key in `.env.example` (commit a3f5d9c)  - Severity: Low (example file, not real key)  - Finds: Stripe test API key in test fixtures (commit b7e2c1f)  - Severity: Low (test mode key, limited scope)  - Finds: Generic API password in `config.py` (commit 9d4f8a2)  - **Severity: CRITICAL** - Production credentials  - **Action:** Rotate credentials immediately, notify DevOps, audit access logs- **Code vulnerability detection**: "Review PR #456 for security issues"  - Identifies SQL injection vulnerability:    ```python    # UNSAFE: User input directly in query    query = f"SELECT * FROM users WHERE email = '{user_email}'"    ```  - Suggests fix:    ```python    # SAFE: Parameterized query    query = "SELECT * FROM users WHERE email = ?"    cursor.execute(query, (user_email,))    ```  - Explains risk: Attacker could inject `' OR '1'='1` to dump all users  - Links to OWASP guidelines- **License compliance**: "Are all dependencies using approved licenses?"  - AI scans package.json, requirements.txt, go.mod  - Finds issue: New dependency `fancy-ui-lib` uses GPL-3.0 license  - Company policy: Only MIT, Apache-2.0, BSD allowed  - **Risk:** GPL-3.0 requires open-sourcing your code  - Recommendation: Find alternative library or get legal approval- **Access control audit**: "Review who has admin access to critical repos"  - AI analyzes GitHub organization permissions  - Finds: 7 users with admin on `backend-api` repo  - Company policy: Max 3 admins per repo  - Identifies: 2 ex-employees still have access (offboarding failure)  - Identifies: 1 contractor with admin (should be write-only)  - **Action:** Remove 4 users, demote 1 to write**Impact:**- Dependabot PRs triaged in 10 seconds instead of 10 minutes- Critical vulnerabilities identified before merge (zero-day protection)- Secret leaks caught in commits (before they reach main)- License violations prevented (avoid legal issues)- Access control continuously audited (reduce attack surface)- Security team focuses on high-impact work instead of manual reviews**Real example:**

You review the analysis, agree with the recommendation, and merge. A vulnerability that could have led to account takeover is patched in 15 minutes instead of sitting in the Dependabot queue for days.**5. Junior Developer: Code Learning and Best Practices****Scenario:** You're a junior developer who joined 3 months ago. You're assigned a task: "Add password reset functionality." You're not sure where to start. The codebase has 80,000 lines. You don't want to bother senior engineers with "dumb questions."**How OpenClaw helps:**Use OpenClaw to learn the codebase:- **Architecture understanding**: "How does authentication work in this codebase?"  - AI explains: Uses JWT tokens, stored in cookies  - Points to files: `auth/jwt.py`, `middleware/auth.py`  - Shows flow: Login → Generate JWT → Store in cookie → Middleware validates  - Links to docs: "JWT Best Practices" in team wiki- **Code examples**: "Show me an example of sending emails"  - AI finds: `notifications/email_sender.py`  - Shows usage:    ```python    from notifications import send_email        send_email(        to=user.email,        template='welcome',        context={'name': user.name}    )    ```  - Explains: Uses SendGrid, templates in `templates/email/`- **Implementation guidance**: "How should I implement password reset?"  - AI suggests architecture:    1. User requests reset → Generate secure token → Send email    2. User clicks link → Validate token → Allow password change    3. Store tokens in `password_reset_tokens` table (expires in 1 hour)  - Security recommendations:    - Use `secrets.token_urlsafe(32)` for tokens (not UUID)    - Hash tokens before storing (don't store plain text)    - Rate limit requests (max 3 per hour per email)  - Points to similar code: Email verification in `auth/verify_email.py`- **Code review before submitting**: "Review my implementation for issues"  - AI analyzes your code  - Finds: Token expiration not enforced (security risk)  - Finds: No rate limiting (abuse vector)  - Finds: Email not validated (could send to invalid addresses)  - Suggests: Add input validation, expiration check, rate limit decorator- **Testing guidance**: "What tests should I write?"  - AI suggests test cases:    - Valid reset flow (happy path)    - Expired token (should reject)    - Invalid token (should reject)    - Multiple reset requests (rate limit)    - Token already used (should reject)  - Provides test template:    ```python    def test_password_reset_valid_token(self):        user = create_user()        token = create_reset_token(user)                response = reset_password(token, new_password='newpass123')                assert response.status_code == 200        assert user.check_password('newpass123')    ```**Impact:**- Ramp-up time reduced from 6 months to 2 months- Fewer "how do I..." questions to senior engineers- Code quality improves (fewer bugs, better architecture)- Confidence increases (junior devs ship features independently)- Learning accelerates (instant feedback instead of waiting for code review)**Real example:**

# api/users.py (lines 45-52)@app.route('/api/users')def get_users():    users = User.query.all()  # Fetches ALL users (problem!)    return jsonify([user.to_dict() for user in users])

from flask import request@app.route('/api/users')def get_users():    # Get pagination params from query string    page = request.args.get('page', 1, type=int)    per_page = request.args.get('per_page', 20, type=int)        # Validate    per_page = min(per_page, 100)  # Max 100 per page        # Query with pagination    pagination = User.query.paginate(        page=page,        per_page=per_page,        error_out=False    )        return jsonify({        'users': [user.to_dict() for user in pagination.items],        'total': pagination.total,        'page': page,        'per_page': per_page,        'pages': pagination.pages,        'has_next': pagination.has_next,        'has_prev': pagination.has_prev    })

GET /api/users?page=1&per_page=20  → First 20 usersGET /api/users?page=2&per_page=20  → Next 20 users

{  "users": [{"id": 1, "name": "Alice"}, ...],  "total": 1543,  "page": 1,  "per_page": 20,  "pages": 78,  "has_next": true,  "has_prev": false}

def test_users_pagination(self):    # Create 50 users    users = [create_user() for _ in range(50)]        # First page    response = client.get('/api/users?page=1&per_page=20')    data = response.json()        assert len(data['users']) == 20    assert data['total'] == 50    assert data['pages'] == 3    assert data['has_next'] is True

You implement the solution, add tests, and submit a PR. Your first feature ships without needing to interrupt a senior engineer.**6. Open Source Maintainer: Issue Triage and Community Management****Scenario:** You maintain a popular open source project with 15,000 stars and 200+ contributors. You receive 30-50 new issues per week. Most are duplicates, missing information, or questions (not bugs). You spend 10+ hours per week triaging issues instead of building features.**How OpenClaw helps:**Integrate OpenClaw with your GitHub repository:- **Automatic issue triage**: When a new issue is opened, OpenClaw:  - Checks for duplicates: "This looks similar to #1234 (closed) and #2456 (open)"  - Validates information: "Missing: Steps to reproduce, expected vs actual behavior"  - Categorizes: Applies labels (bug/feature/question/documentation)  - Assigns priority: Based on keywords ("production down" = P0)  - Suggests owner: "This is in the auth module, assign to @alice"- **Response generation**: For common issues, OpenClaw auto-responds:  - "How do I install this?" → Links to installation docs  - "Is this supported on Python 3.12?" → Checks compatibility matrix  - "Getting error X" → Searches similar issues, suggests solutions- **Duplicate detection**: "Is this a duplicate of #1234?"  - AI compares issue descriptions  - Finds: Both mention "TypeError in parse_config"  - Confirms: Yes, same root cause  - Auto-replies: "Duplicate of #1234. See that thread for workaround. Closing."- **Information extraction**: For bug reports, AI parses:  - Environment: Python 3.11, macOS 14.2, version 2.4.0  - Steps to reproduce: 1) Install package 2) Run command 3) Error appears  - Error message: `AttributeError: 'NoneType' object has no attribute 'get'`  - Expected vs actual: Expected success, got error- **Community management**: AI helps with:  - First-time contributor welcome messages  - Stale issue cleanup ("No activity in 90 days, closing")  - Thank you messages when PRs are merged  - Code of conduct enforcement (flags hostile comments)**Impact:**- Issue triage time drops from 10 hours/week to 2 hours/week- Response time improves (users get answers in minutes, not days)- Duplicate rate decreases (better search and detection)- Contributor satisfaction increases (faster, more helpful responses)- More time for feature development and community building**Real example:**

pip install --user yourpackageyourpackage init --config-dir ~/.yourpackage

sudo yourpackage init

pip install --upgrade yourpackage

The user upgrades, it works, and they leave a ⭐️ review. Total maintainer time: 0 minutes. OpenClaw handled it.**7. Tech Lead: Architecture Review and Technical Debt****Scenario:** You're a tech lead responsible for architecture decisions and managing technical debt. Your team ships features fast, but code quality is slipping. You need to identify architectural problems, refactoring opportunities, and technical debt before they become critical issues.**How OpenClaw helps:**Use OpenClaw for continuous architecture review:- **Code smell detection**: "Analyze the codebase for code smells"  - AI scans all files and identifies:    - God classes: `UserService` has 47 methods (should be split)    - Duplicate code: Password validation logic copied in 5 places    - Long methods: `process_payment()` is 340 lines (should be <50)    - Deep nesting: 7 levels of if/else in `calculate_tax()`    - Circular dependencies: `models.py` imports `utils.py` imports `models.py`- **Architecture debt quantification**: "How much technical debt do we have?"  - AI calculates:    - Total debt: ~480 hours of refactoring work    - High priority (blocking): 120 hours (broken windows)    - Medium priority (slowing): 240 hours (maintenance burden)    - Low priority (cosmetic): 120 hours (nice-to-have)  - Recommends: Allocate 20% of sprint capacity to debt reduction- **Refactoring opportunities**: "What should we refactor next?"  - AI prioritizes by impact:    1. **Extract PaymentService** (40 hours, high impact)       - Currently: Payment logic in UserController, OrderController, SubscriptionController       - Problems: Duplicate code, hard to test, inconsistent error handling       - Benefit: Centralized logic, easier testing, consistent behavior    2. **Remove jQuery dependency** (20 hours, medium impact)       - Currently: jQuery used for 3 AJAX calls       - Problems: 87KB bundle size for minimal usage       - Benefit: -87KB bundle, use fetch API instead- **Dependency analysis**: "What are our most risky dependencies?"  - AI analyzes package.json:    - **High risk:** `old-crypto-lib` (unmaintained for 3 years, 2 known CVEs)    - **Medium risk:** `experimental-ui-kit` (pre-1.0, breaking changes every month)    - **Low risk:** `lodash` (well-maintained, stable API)  - Recommends: Replace `old-crypto-lib` with native Web Crypto API- **Performance bottlenecks**: "Find performance issues in the API"  - AI analyzes code and identifies:    - N+1 queries in `/api/users` (fetches each user's posts individually)    - Synchronous file I/O blocking event loop (use async)    - Unindexed database queries (missing indexes on `created_at`)    - Large bundle size (moment.js adds 300KB, use date-fns)- **Breaking change impact**: "If we change the User API, what breaks?"  - AI traces dependencies:    - 12 internal services call User API    - 3 external partners (need migration timeline)    - 8 frontend components (need updates)  - Recommends: Versioned API (`/api/v2/users`) for backward compatibility**Impact:**- Technical debt doesn't spiral out of control- Refactoring is prioritized by ROI (not gut feel)- Architecture stays clean as the codebase grows- Performance issues caught before they impact users- Breaking changes are planned, not surprises**Real example:**

auth/  login.py (handles login logic + JWT + validation)  register.py (handles registration + email + JWT)  oauth.py (handles 4 OAuth providers)

auth/  services/    auth_service.py (high-level auth operations)    jwt_service.py (JWT generation/validation)    password_service.py (hashing/verification)  providers/    google_oauth.py    facebook_oauth.py    github_oauth.py  repositories/    user_repository.py (database abstraction)  validators/    email_validator.py    password_validator.py

You review this analysis, agree with the priorities, and add the refactoring tasks to your sprint backlog. What would have taken 4 hours of manual code review took 30 seconds.**8. Release Manager: Release Notes and Changelog Automation****Scenario:** You manage releases for a SaaS product that ships every 2 weeks. Each release requires:- Generating release notes from commits- Categorizing changes (features, fixes, breaking changes)- Writing customer-friendly descriptions- Updating changelog- Coordinating with marketing for announcementThis takes 3-4 hours per release. You want to automate it.**How OpenClaw helps:**Integrate OpenClaw with your release process:- **Automated release notes**: "Generate release notes for v2.5.0"  - AI analyzes all commits since v2.4.0  - Categorizes by type (feat/fix/docs/chore)  - Groups by area (auth, payments, API, UI)  - Writes customer-friendly descriptions:    - ❌ "refactor: extract PaymentService"    - ✅ "Improved payment processing reliability and performance"- **Breaking change detection**: "Are there breaking changes in v2.5.0?"  - AI scans commits for:    - API endpoint changes (method, URL, parameters)    - Database schema changes (migrations)    - Configuration changes (new env vars required)    - Dependency major version bumps  - Finds: User API now requires `email` field (was optional)  - Generates migration guide:    ```    BREAKING CHANGE: User API requires email        Before:    POST /api/users {"name": "Alice"}        After:    POST /api/users {"name": "Alice", "email": "alice@example.com"}        Migration: Update all API clients to include email field.    ```- **Changelog generation**: "Update CHANGELOG.md for v2.5.0"  - AI generates formatted changelog:    ```markdown    ## [2.5.0] - 2026-04-10        ### Added    - Two-factor authentication support    - Export data as CSV    - Dark mode for dashboard        ### Fixed    - Payment processing timeout on slow connections    - Email notifications not sent for failed charges    - Mobile responsive layout on iPad        ### Changed    - Improved search performance (3x faster)    - Updated dependencies (security patches)        ### Breaking Changes    - User API now requires email field    ```- **Version bump recommendation**: "Should this be a major, minor, or patch release?"  - AI follows semantic versioning:    - MAJOR: Breaking changes (API changed)    - MINOR: New features (backward-compatible)    - PATCH: Bug fixes only  - Analysis: 1 breaking change + 3 new features + 7 bug fixes  - **Recommendation:** MAJOR version bump (2.5.0 → 3.0.0)- **Marketing copy generation**: "Write a product announcement for v3.0.0"  - AI generates customer-facing copy:    ```    🎉 Introducing v3.0.0: Secure, Fast, and Beautiful        We're excited to announce our biggest release yet!        🔒 Enhanced Security: Two-factor authentication keeps your account safe    📊 Export Your Data: Download your data as CSV with one click    🌙 Dark Mode: Easy on the eyes for late-night work sessions    ⚡️ Faster Search: Find what you need 3x faster        Plus: 7 bug fixes and performance improvements.        Upgrade today: [link]        Note: This release includes breaking changes to the User API.    See migration guide: [link]    ```**Impact:**- Release notes generation time: 3 hours → 5 minutes- Consistent, professional release notes every time- Breaking changes never missed (automated detection)- Marketing team gets announcement copy automatically- Changelog always up-to-date**Real example:**

🚀 v3.1.0 is live!✨ Bulk actions for users🪝 Webhook integrations📊 API rate limit dashboard⚡️ 40% faster performance🐛 8 bug fixesUpgrade now: [link]

We're excited to announce v3.1.0!This release focuses on power user workflows and integrations.Bulk Actions: Manage hundreds of users at once. Export, delete, or emailmultiple users with one click.Webhooks: Integrate with Zapier, Slack, or your custom systems. Get real-timenotifications when events happen.API Dashboard: See your API usage in real-time. No surprises when you hit limits.Plus: 40% faster dashboard, 8 bug fixes, and security updates.Fully backward-compatible. Upgrade today![CTA Button: Upgrade Now]

git checkout v3.0.0python manage.py migrate auth 0012  # Rollback migrationssystemctl restart yourapp

You copy the release notes to GitHub, the marketing copy to your blog, and schedule the release. What would have taken 4 hours took 2 minutes.### Features Deep Dive**Pull Request Reviews**Automatic code review on every PR:- Comment on the PR with @OpenClaw to trigger review- AI analyzes changed files, not entire repo (fast)- Identifies bugs, security issues, performance problems- Suggests improvements and alternative approaches- Links to relevant documentation and past PRs- Configurable: Set team-specific rules and conventions**Issue Auto-Triage**Intelligent issue management:- New issues auto-labeled (bug/feature/question)- Duplicate detection (links to existing issues)- Missing information detection (asks for logs, environment)- Auto-assigns to team members based on expertise- Priority suggestions (based on keywords like "production down")- Response templates for common questions**Commit Message Generation**Better commit messages automatically:- Analyzes staged changes- Generates descriptive commit message- Follows conventional commits format- Includes context (why, not just what)- Detects breaking changes- Works with git hooks or manual invocation**Code Search and Navigation**Conversational codebase access:- Natural language queries ("where is user authentication?")- Semantic search (understands concepts, not just keywords)- Cross-reference navigation ("what calls this function?")- Dependency tracking ("what depends on this module?")- Architecture visualization (generates diagrams)- Historical context ("why was this implemented this way?")**CI/CD Integration**GitHub Actions intelligence:- Failed workflow analysis (what went wrong?)- Flaky test detection (unreliable tests identified)- Performance regression alerts (build times increasing)- Cost optimization (reduce Actions minutes usage)- Deployment validation (check for best practices)- Auto-retry failed jobs (when appropriate)**Security Scanning**Proactive security:- Dependency vulnerability scanning (CVE detection)- Secret detection (API keys, passwords in code)- Code vulnerability analysis (SQL injection, XSS)- License compliance checking (GPL, MIT, etc.)- Access control auditing (who has admin?)- Compliance reporting (SOC 2, GDPR, HIPAA)**Repository Analytics**Data-driven insights:- Team velocity tracking (PRs, commits, issues)- Contribution analysis (who's doing what?)- Bottleneck identification (where are delays?)- Code quality trends (improving or degrading?)- Dependency health (outdated packages?)- Test coverage evolution (coverage increasing?)**Automated Changelogs**Release automation:- Generate release notes from commits- Categorize changes (features, fixes, breaking)- Customer-friendly descriptions- Breaking change detection- Semantic versioning recommendations- Marketing copy generation**Multi-Repository Support**Works across your entire organization:- Connect unlimited repositories- Cross-repo code search- Organization-wide analytics- Consistent conventions across repos- Centralized configuration- Team-based permissions**GitHub App or OAuth**Flexible integration:- GitHub App (recommended for orgs)- OAuth (simpler for individuals)- Fine-grained permissions- Repository-level access control- Secure token management- Works with GitHub Enterprise---## Setup Option 1: HeraClaw Cloud (Recommended)**Time required:** 60 seconds**Technical skill:** None**Cost:** Included in HeraClaw Cloud subscription**Best for:** 95% of users, all team sizes**Why HeraClaw Cloud?**- No GitHub App creation required- No OAuth configuration needed- No webhook endpoint setup- No server infrastructure to maintain- No SSL certificates to manage- No uptime monitoring needed- Professional support included- Automatic updates and security patches- 99.9% uptime SLA- Enterprise-grade security- Instant PR reviews (no GitHub App approval workflow)**Steps:****1. Sign up for HeraClaw Cloud**- Visit cloud.getopenclaw.ai- Click "Sign In" (no credit card required)- Create your account (takes 60 seconds)**2. Navigate to Integrations**- Click "Integrations" in the left sidebar- Find "GitHub" in the list- Click "Connect to GitHub"**3. Authorize GitHub Access**- GitHub OAuth screen appears- Select repositories to grant access:  - All repositories (easiest)  - Only select repositories (more control)- Review permissions:  - Read code (for analysis)  - Read/write issues (for auto-triage)  - Read/write pull requests (for reviews)  - Read actions (for CI/CD integration)- Click "Authorize"**4. Configure Features (Optional)**- Back in HeraClaw dashboard- Enable/disable features:  - ✅ Auto-review PRs  - ✅ Auto-triage issues  - ✅ Generate commit messages  - ✅ Analyze CI failures  - ❌ Auto-merge dependabot (optional)- Set review rules:  - Review all PRs, or only when @mentioned  - Auto-comment or wait for request  - Severity threshold (comment on high/medium/all issues)- Save configuration**5. Test the Integration**- Open any pull request- Add comment: `@OpenClaw review this PR`- Wait 3-5 seconds- OpenClaw comments with code review**6. Invite Your Team**- In HeraClaw dashboard, go to Team- Invite team members (email)- They can interact with OpenClaw on GitHub- No additional GitHub setup needed**That's it!** You're up and running.**What You Get with HeraClaw Cloud:**✅ **Instant Setup** - No GitHub App creation or OAuth flows✅ **Automatic Updates** - We handle GitHub API changes✅ **Professional Support** - Email, chat, and phone support✅ **99.9% Uptime** - SLA-backed reliability✅ **Enterprise Security** - SOC 2, GDPR, HIPAA available✅ **Unlimited Repositories** - Connect as many as you need✅ **Advanced Features** - Multi-repo search, org-wide analytics✅ **No Maintenance** - We manage servers, scaling, monitoring✅ **Instant PR Reviews** - No GitHub App installation approval needed**Pricing:** See cloud.getopenclaw.ai/pricing (starts with affordable team plans)**Get Started:** [Start with HeraClaw Cloud →](https://cloud.getopenclaw.ai/auth/signin)---## Setup Option 2: Self-Hosted (Advanced)**Time required:** 45-60 minutes (first time), 20-30 minutes (if experienced)**Technical skill:** Advanced**Cost:** VPS hosting ($20-100/month) + your time**Best for:** DevOps engineers, technical teams, compliance requirements**Who should self-host?**✅ DevOps engineers who enjoy infrastructure✅ Organizations with strict data residency requirements✅ Teams already running Kubernetes/Docker infrastructure✅ Companies that cannot use third-party SaaS✅ Technical enthusiasts with homelab setups**Who should NOT self-host?**❌ Small teams without DevOps expertise❌ Anyone who values time over cost savings❌ Teams without 24/7 on-call coverage❌ Organizations without security/compliance teams**Prerequisites:**- OpenClaw installed and running (Mac/Linux/VPS)- Terminal/SSH access to your OpenClaw server- GitHub organization admin permissions (or repo admin)- Understanding of OAuth 2.0 and webhooks- Public URL with SSL certificate (for webhooks)- Basic networking knowledge (ports, firewalls, reverse proxies)### Detailed Self-Hosted Setup**Step 1: Create a GitHub App**1. Go to GitHub Settings:   - For personal account: github.com/settings/apps   - For organization: github.com/organizations/YOUR_ORG/settings/apps2. Click "New GitHub App"3. Fill in app details:   - **GitHub App name:** "OpenClaw Assistant" (must be unique across GitHub)   - **Homepage URL:** Your OpenClaw URL or company website   - **Webhook URL:** `https://your-openclaw-domain.com/api/github/webhook`   - **Webhook secret:** Generate a secure random string (save it)     ```bash     openssl rand -hex 32     ```4. Set permissions (Repository permissions):   - **Actions:** Read (for CI/CD analysis)   - **Checks:** Write (for PR checks)   - **Contents:** Read (for code analysis)   - **Issues:** Write (for auto-triage)   - **Metadata:** Read (required)   - **Pull requests:** Write (for PR reviews)   - **Commit statuses:** Write (for PR status)   - **Deployments:** Read (for deployment tracking)5. Set permissions (Organization permissions, if applicable):   - **Members:** Read (for team analysis)6. Subscribe to events:   - ✅ Check run   - ✅ Commit comment   - ✅ Issue comment   - ✅ Issues   - ✅ Pull request   - ✅ Pull request review   - ✅ Pull request review comment   - ✅ Push   - ✅ Workflow run7. Where can this GitHub App be installed?   - Select "Only on this account" (or "Any account" for public apps)8. Click "Create GitHub App"**Step 2: Generate Private Key**1. After creating the app, scroll to "Private keys"2. Click "Generate a private key"3. A `.pem` file downloads4. **Save this file securely** - you'll need it for OpenClaw config5. Move it to your OpenClaw server:   ```bash   scp github-app-private-key.pem user@openclaw-server:/etc/openclaw/github-app-key.pem   chmod 600 /etc/openclaw/github-app-key.pem

integrations:  github:    enabled: true        # GitHub App credentials    appId: 123456  # From GitHub App settings (General → App ID)    installationId: 12345678  # From installation URL    privateKeyPath: "/etc/openclaw/github-app-key.pem"    webhookSecret: "your-webhook-secret-here"        # Features    features:      autoReviewPRs: true  # Auto-review all PRs      autoTriageIssues: true  # Auto-triage new issues      ciAnalysis: true  # Analyze failed CI runs      commitMessages: true  # Generate commit messages      security: true  # Scan for vulnerabilities        # Review settings    review:      # When to review      trigger: "mention"  # Options: "all", "mention", "label"      mentionKeyword: "@OpenClaw"  # Trigger phrase            # What to review      checks:        - "security"  # Security vulnerabilities        - "performance"  # Performance issues        - "bugs"  # Potential bugs        - "style"  # Code style        - "tests"  # Test coverage            # Severity threshold      commentOn: "medium"  # Options: "all", "medium", "high", "critical"            # Auto-approve      autoApprove: false  # Don't auto-approve (human review required)      autoApproveDependabot: true  # Exception: auto-approve Dependabot patches        # Issue triage settings    issues:      autoLabel: true  # Auto-apply labels      autoAssign: true  # Auto-assign to team members      autoDuplicate: true  # Detect duplicates      autoRespond: true  # Respond to common questions            # Team assignments (map labels to GitHub users)      assignments:        "backend": "@alice"        "frontend": "@bob"        "devops": "@carol"        "security": "@dave"        # CI/CD settings    ci:      analyzeFailures: true  # Auto-analyze failed runs      commentOnPR: true  # Comment on PR when CI fails      suggestFixes: true  # Suggest how to fix      detectFlaky: true  # Detect flaky tests        # Rate limiting (GitHub API has rate limits)    rateLimit:      requestsPerHour: 5000  # GitHub's default      burstAllowance: 100  # Allow bursts

server {    listen 443 ssl;    server_name your-openclaw-domain.com;        ssl_certificate /etc/letsencrypt/live/your-domain/fullchain.pem;    ssl_certificate_key /etc/letsencrypt/live/your-domain/privkey.pem;        location /api/github/webhook {        proxy_pass http://localhost:8080;  # OpenClaw port        proxy_set_header Host $host;        proxy_set_header X-Real-IP $remote_addr;        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;        proxy_set_header X-Forwarded-Proto $scheme;    }}

your-openclaw-domain.com {    reverse_proxy /api/github/webhook localhost:8080}

ngrok http 8080# Use the generated URL (https://abc123.ngrok.io) as webhook URL

# If running as a servicesudo systemctl restart openclaw# If running directlyopenclaw gateway start# Check logsopenclaw gateway logs --follow

✓ GitHub integration enabled✓ App ID: 123456✓ Installation ID: 12345678✓ Private key loaded✓ Webhook endpoint: /api/github/webhook✓ Listening for events: pull_request, issues, check_run, ...

integrations:  github:    instances:      main_org:        appId: 123456        installationId: 12345678        privateKeyPath: "/etc/openclaw/main-org-key.pem"        webhookSecret: "secret1"            client_org:        appId: 789012        installationId: 87654321        privateKeyPath: "/etc/openclaw/client-org-key.pem"        webhookSecret: "secret2"        # Different config for this org        features:          autoReviewPRs: false  # Manual review only

integrations:  github:    review:      customRules:        # Require tests for all PRs        - name: "test_coverage"          check: "tests_added"          severity: "error"          message: "All PRs must include tests"                # No console.log in production code        - name: "no_console_log"          pattern: "console\.log\("          exclude: ["test/**", "scripts/**"]          severity: "warning"          message: "Remove console.log before merging"                # Require JIRA ticket in PR title        - name: "jira_ticket"          check: "pr_title_matches"          pattern: "^[A-Z]+-[0-9]+:"          severity: "error"          message: "PR title must start with JIRA ticket (e.g., ENG-123: Fix bug)"

integrations:  github:    repositories:      # Backend repo: strict security checks      "your-org/backend-api":        review:          checks:            - "security"  # High priority            - "performance"            - "bugs"          commentOn: "medium"        security:          scanDependencies: true          blockVulnerabilities: "high"  # Block merge if high CVE            # Frontend repo: focus on performance and accessibility      "your-org/frontend":        review:          checks:            - "performance"            - "accessibility"            - "style"          commentOn: "all"        ci:          analyzeFailures: true          detectFlaky: true            # Docs repo: minimal checks      "your-org/documentation":        review:          checks:            - "style"          commentOn: "high"        autoApprove: true  # Auto-approve docs changes

integrations:  github:    notifications:      # Slack notifications      slack:        enabled: true        webhookUrl: "https://hooks.slack.com/services/..."        channel: "#github-activity"        events:          - "pr_opened"          - "security_vulnerability"          - "ci_failure"            # Email notifications      email:        enabled: true        recipients:          - "team@company.com"        events:          - "security_vulnerability"          - "breaking_change"            # Webhook notifications (to your system)      webhook:        enabled: true        url: "https://your-system.com/api/github-events"        events:          - "*"  # All events

integrations:  github:    access:      # Only these GitHub users can trigger reviews      allowedUsers:        - "alice"        - "bob"        - "carol"            # Only users in these GitHub teams      allowedTeams:        - "engineering"        - "devops"            # Repository-level overrides      repositories:        "your-org/public-repo":          allowedUsers: "*"  # Anyone (public repo)

integrations:  github:    performance:      # Cache code analysis results      cache:        enabled: true        ttl: 3600  # 1 hour        backend: "redis"  # or "memory"        redisUrl: "redis://localhost:6379/0"            # Parallel analysis      parallel:        enabled: true        maxWorkers: 4  # Analyze 4 files concurrently            # Skip large files      skipFilesLargerThan: 1000000  # 1MB (e.g., minified JS)

# Test webhook URL is accessiblecurl -I https://your-openclaw-domain.com/api/github/webhook# Should return 200 or 405 (method not allowed is fine)# Check GitHub webhook delivery# GitHub App Settings → Advanced → Recent Deliveries# Look for failed deliveries and error messages# Verify webhook secret matches# config.yaml webhookSecret should match GitHub App webhook secret# Check firewallsudo ufw status  # Ubuntusudo firewall-cmd --list-all  # CentOS# Ensure port 443 is open

# Verify private key file exists and is readablels -l /etc/openclaw/github-app-key.pem# Should be: -rw------- (600 permissions)chmod 600 /etc/openclaw/github-app-key.pem# Verify App ID# GitHub App Settings → General → App ID (should match config)# Verify Installation ID# GitHub → Settings → Installations → Click your app# URL: github.com/settings/installations/12345678# 12345678 is your installation ID# Verify app is installed# GitHub repo → Settings → Integrations & services# Your app should be listed

# Verify trigger setting in config.yamlintegrations:  github:    review:      trigger: "mention"  # Must be "mention" for @-trigger      mentionKeyword: "@OpenClaw"  # Match your GitHub App name

# Check GitHub App events# GitHub App Settings → Permissions & events# Ensure subscribed to:# - Issue comment# - Pull request review comment# Check logs for mention detectionopenclaw gateway logs | grep -i "mention"

# Check current rate limit statuscurl -H "Authorization: Bearer YOUR_TOKEN" \     https://api.github.com/rate_limit# Shows:# - Limit: 5000 requests/hour (for GitHub Apps)# - Remaining: X# - Reset: Unix timestamp

# Enable caching to reduce API callsintegrations:  github:    performance:      cache:        enabled: true        ttl: 3600            # Use conditional requests      useETags: true            # Reduce parallel workers      parallel:        maxWorkers: 2  # Instead of 4

# Enable CI analysisintegrations:  github:    features:      ciAnalysis: true        ci:      analyzeFailures: true      commentOnPR: true

# Verify GitHub App permissions# GitHub App Settings → Permissions & events# Repository permissions:# - Actions: Read ✓# - Checks: Write ✓# Verify event subscriptions:# - Check run ✓# - Workflow run ✓

integrations:  github:    performance:      # Only analyze changed files in PRs      analyzeChangedFilesOnly: true            # Skip large files      skipFilesLargerThan: 1000000  # 1MB            # Use shallow clones      shallowClone: true      cloneDepth: 1            # Limit context      maxFilesPerReview: 50      maxLinesPerFile: 5000

# Store private key in secure locationsudo mkdir -p /etc/openclawsudo mv github-app-private-key.pem /etc/openclaw/sudo chmod 600 /etc/openclaw/github-app-private-key.pemsudo chown openclaw:openclaw /etc/openclaw/github-app-private-key.pem# Never commit to gitecho "/etc/openclaw/*.pem" >> .gitignore# Use secrets management (recommended)# Store in HashiCorp Vault, AWS Secrets Manager, etc.

integrations:  github:    webhookSecret: "your-secret-here"  # Required!    validateWebhooks: true  # Always true

# Force HTTPSserver {    listen 80;    server_name your-openclaw-domain.com;    return 301 https://$server_name$request_uri;}server {    listen 443 ssl;    server_name your-openclaw-domain.com;        # Strong SSL configuration    ssl_protocols TLSv1.2 TLSv1.3;    ssl_ciphers HIGH:!aNULL:!MD5;    ssl_prefer_server_ciphers on;        # ...}

# Every 90 days:# 1. Generate new private key in GitHub App settings# 2. Download new .pem file# 3. Update OpenClaw config# 4. Restart OpenClaw# 5. Revoke old key in GitHub

logging:  audit:    enabled: true    logFile: "/var/log/openclaw/audit.log"    logLevel: "info"    includeGitHubEvents: true    includeAPIcalls: true        # What to log    events:      - "pr_reviewed"      - "issue_triaged"      - "webhook_received"      - "api_call"      - "error"

# Firewall: Only allow necessary portssudo ufw default deny incomingsudo ufw default allow outgoingsudo ufw allow 22/tcp    # SSHsudo ufw allow 80/tcp    # HTTP (redirect to HTTPS)sudo ufw allow 443/tcp   # HTTPSsudo ufw enable# Fail2ban: Prevent brute forcesudo apt install fail2ban# Configure to ban IPs with repeated failed requests

# Keep OpenClaw updatedopenclaw update# Keep system updatedsudo apt update && sudo apt upgrade  # Ubuntu/Debiansudo yum update  # CentOS# Subscribe to security notifications# GitHub: Watch the OpenClaw repo for releases# Email: Subscribe to security mailing list