|
|
|
|
@@ -254,6 +254,86 @@ data:
|
|
|
|
|
2. Create app, add bot, copy token and app ID
|
|
|
|
|
3. Invite bot to server with messages scope
|
|
|
|
|
|
|
|
|
|
# Threema via the central PieCed gateway (pieced-threema-gateway in
|
|
|
|
|
# `threema-gateway` namespace). Differs from a typical channel
|
|
|
|
|
# package in two important ways:
|
|
|
|
|
#
|
|
|
|
|
# 1. No customer-supplied secret. The token + HMAC secret used
|
|
|
|
|
# by the openclaw-channel-threema-relay plugin are minted by
|
|
|
|
|
# the relay's /admin/tokens endpoint when the portal enables
|
|
|
|
|
# the package, then written to the same vault path suffix
|
|
|
|
|
# below. So `secret_key` here lists the keys the plugin reads;
|
|
|
|
|
# the WRITER is the portal (POST /api/tenants/:name/threema),
|
|
|
|
|
# not a customer wizard step.
|
|
|
|
|
#
|
|
|
|
|
# 2. Cross-namespace egress to `threema-gateway:8080`. The new
|
|
|
|
|
# `namespace` field on egress_rules emits a Cilium toEndpoints
|
|
|
|
|
# rule scoped to that namespace; in-cluster traffic to a
|
|
|
|
|
# sibling namespace would otherwise be blocked by the
|
|
|
|
|
# cluster-wide tenant isolation policy.
|
|
|
|
|
#
|
|
|
|
|
# The matching cross-namespace INGRESS rule (relay → OpenClaw 18789)
|
|
|
|
|
# is added by the builder when it sees `channels: { threema: ... }`
|
|
|
|
|
# in any enabled package.
|
|
|
|
|
threema:
|
|
|
|
|
name: Threema
|
|
|
|
|
category: channel
|
|
|
|
|
description: Threema messaging via the PieCed central gateway
|
|
|
|
|
channels:
|
|
|
|
|
threema:
|
|
|
|
|
enabled: true
|
|
|
|
|
env_vars:
|
|
|
|
|
- name: THREEMA_RELAY_URL
|
|
|
|
|
default: "http://pieced-threema-gateway.threema-gateway.svc:8080"
|
|
|
|
|
- name: THREEMA_RELAY_TOKEN
|
|
|
|
|
secret_key: token
|
|
|
|
|
vault_path_suffix: threema-relay
|
|
|
|
|
- name: THREEMA_RELAY_HMAC_SECRET
|
|
|
|
|
secret_key: hmac-secret
|
|
|
|
|
vault_path_suffix: threema-relay
|
|
|
|
|
bindings:
|
|
|
|
|
- match:
|
|
|
|
|
channel: threema
|
|
|
|
|
egress_rules:
|
|
|
|
|
- namespace: threema-gateway
|
|
|
|
|
port: 8080
|
|
|
|
|
# OpenClaw 2026.5.x loads external plugins from
|
|
|
|
|
# /data/extensions/<dir>/openclaw.plugin.json. Three gates must
|
|
|
|
|
# be open for the runtime to register an external plugin:
|
|
|
|
|
# 1. plugins.enabled: true — feature flag
|
|
|
|
|
# 2. plugins.allow contains the id — security allowlist
|
|
|
|
|
# 3. plugins.entries.<id>.enabled: true — per-plugin toggle
|
|
|
|
|
# Cedric's personal instance.yaml hand-codes the same three gates
|
|
|
|
|
# for his direct `openclaw-channel-threema` plugin; this patch
|
|
|
|
|
# generates them automatically for every tenant that enables
|
|
|
|
|
# threema. The init container that copies the plugin onto the
|
|
|
|
|
# PVC is emitted by the operator (plugin_image below).
|
|
|
|
|
config_patch:
|
|
|
|
|
plugins:
|
|
|
|
|
enabled: true
|
|
|
|
|
allow:
|
|
|
|
|
- "threema"
|
|
|
|
|
entries:
|
|
|
|
|
threema:
|
|
|
|
|
enabled: true
|
|
|
|
|
config: {}
|
|
|
|
|
plugin_image:
|
|
|
|
|
repository: registry.c5ai.ch/pieced/openclaw-channel-threema-relay
|
|
|
|
|
tag: "0.1.0"
|
|
|
|
|
target_dir: openclaw-channel-threema-relay
|
|
|
|
|
customer_instructions: |
|
|
|
|
|
1. Once enabled, register the Threema IDs you want to receive
|
|
|
|
|
messages from under "Authorized Users → threema".
|
|
|
|
|
2. PieCed will route messages between those Threema IDs and
|
|
|
|
|
your assistant via the central gateway — no Gateway account
|
|
|
|
|
of your own required.
|
|
|
|
|
3. Each Threema ID can only belong to one PieCed tenant. If a
|
|
|
|
|
registration fails, that ID is already claimed elsewhere.
|
|
|
|
|
disclaimer: >
|
|
|
|
|
Messages are end-to-end encrypted at the Threema boundary by
|
|
|
|
|
the PieCed central gateway. Inbound and outbound message
|
|
|
|
|
counts are logged per tenant for billing.
|
|
|
|
|
|
|
|
|
|
# =====================================================================
|
|
|
|
|
# SKILLS — ClawHub skill installs. Operator passes each entry through
|
|
|
|
|
# to spec.skills on the OpenClawInstance.
|
|
|
|
|
|
