Summary

• Problem: OpenClaw runs as a long-lived gateway process with SQLite and local filesystem storage — incompatible with serverless/ephemeral compute.
• What changed: Added an Azure Functions deployment option: HTTP-triggered webhook handler, Azure Table Storage memory provider, Blob Storage session store, and Bicep template for one-click provisioning on Consumption Plan.
• What did NOT change: Core gateway, existing SQLite provider, CLI, channel plugins, or any existing behavior. This is purely additive.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

User-visible / Behavior Changes

• New azure-function/ directory with standalone Azure Function App project
• New infra/main.bicep for Azure resource provisioning
• New AzureTableMemoryProvider class in src/memory/memory-provider-azure.ts implementing MemorySearchManager
• New dependencies: @azure/[email protected], @azure/[email protected]

Security Impact (required)

• New permissions/capabilities? Yes — Azure Function managed identity gets Key Vault Secrets User role
• Secrets/tokens handling changed? Yes — GITHUB_TOKEN stored in Key Vault, referenced via @Microsoft.KeyVault() URI
• New/changed network calls? Yes — Azure Table/Blob Storage SDK calls; Telegram webhook validation
• Command/tool execution surface changed? No
• Data access scope changed? No
• Mitigation: HTTPS-only, TLS 1.2 minimum, RBAC-based Key Vault access (no access policies), no public blob access, webhook secret validation on inbound requests. CodeQL scan clean.

Repro + Verification

Environment

• OS: Linux (CI runner)
• Runtime/container: Node 24 / Vitest 4.x
• Model/provider: N/A (mocked)
• Integration/channel: Telegram webhook (mocked)

Steps

1. pnpm install
2. pnpm test src/memory/memory-provider-azure.test.ts — 21 tests
3. pnpm check — format + typecheck + lint

Expected

• All 21 new tests pass, all 139 existing memory tests unaffected, pnpm check clean

Actual

• ✅ Confirmed

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

21 unit tests covering: search scoring/filtering, readFile with line slicing, upsert/delete operations, meta get/set, embedding cache hit/miss, probes, sync no-op, ensureTables, and missing env var error.

Human Verification (required)

• Verified: All 21 new tests pass, all 139 existing memory tests pass, pnpm check (format + tsgo + oxlint) passes
• Edge cases checked: Missing AZURE_STORAGE_CONNECTION_STRING throws, empty search query returns [], minScore filtering, maxResults capping, cache miss returns undefined
• Not verified: Actual Azure deployment (requires Azure subscription + real Telegram bot token)

Compatibility / Migration

• Backward compatible? Yes — purely additive, no existing code paths changed
• Config/env changes? Yes — new env vars required only for Azure deployment (AZURE_STORAGE_CONNECTION_STRING, TELEGRAM_BOT_TOKEN, etc.)
• Migration needed? No

Failure Recovery (if this breaks)

• Remove azure-function/, infra/main.bicep, src/memory/memory-provider-azure.ts and its test
• Remove @azure/data-tables and @azure/storage-blob from package.json
• No existing functionality affected

Risks and Mitigations

• Risk: Azure SDK dependencies increase install size for non-Azure users
  • Mitigation: They're tree-shakeable and only imported by the Azure provider — no impact on existing code paths
• Risk: Azure Table Storage keyword search is naive (no FTS/vector)
  • Mitigation: Provider reports vector.enabled=false and fts.enabled=false in status; documented as expected behavior for serverless tier

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.