Webhook Pipeline — Architecture & Rules
Overview
Webhooks flow from external services → hooks.twill.biz (Cloudflare tunnel) → webhook-proxy.py on port 18802 → OpenClaw agent turns.
GitHub / Fireflies / Gmail
↓
hooks.twill.biz (Cloudflare named tunnel: morty-webhook)
↓
webhook-proxy.py (port 18802, PM2-managed)
↓
OpenClaw /hooks/agent (port 18789)
↓
Agent turn → Slack channel
Webhook Sources
GitHub (Twill-AI org)
- App: twill-overthinker | App ID: 2927474 | Installation ID: 111855820
- Events: Issues (opened+assigned), issue_comment, pull_request_review_comment, workflow_run
- Secret: /data/.openclaw/github_webhook_secret.txt
- Signature: HMAC-SHA256 on X-Hub-Signature-256
GitHub Event Routing
| Event | Condition | Action |
|---|---|---|
| workflow_run failure | Vault repo (Morty021/twill-brain) | Short alert → rex-reliability only |
| workflow_run failure | Any other repo | Alert → tech-syncs |
| workflow_run success | Vault repo | Silent (Rex cron monitors) |
| workflow_run success | deploy-twill-infra on staging | Release notes → tech-syncs |
| workflow_run success | Any other | Silent |
| issues opened/assigned | Any Twill-AI repo | Agent turn for context |
| issue_comment | Any | Agent turn if @Morty021 mentioned |
| pull_request_review_comment | Any | Agent turn if @Morty021 mentioned |
Hard rule: Morty021/twill-brain CI results NEVER go to #tech-syncs (C078KS0R05B).
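The signature check and routing table above, sketched as an added example (this is not the contents of webhook-proxy.py). The destination labels, the reading of deploy-twill-infra as a workflow name on the staging branch, and the placeholder secret are assumptions; the payload fields are the standard GitHub webhook ones.

```python
import hashlib
import hmac
import json
from typing import Optional

VAULT_REPO = "Morty021/twill-brain"  # from the routing table
BOT_MENTION = "@Morty021"

def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Validate X-Hub-Signature-256 ("sha256=<hex>") over the raw body bytes."""
    if not header or not header.startswith("sha256="):
        return False
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII header input.
    return hmac.compare_digest(expected.encode(), header.encode())

def route(event: str, payload: dict) -> Optional[str]:
    """Return a destination label from the routing table, or None for silent."""
    repo = payload.get("repository", {}).get("full_name", "")
    if event == "workflow_run":
        run = payload.get("workflow_run", {})
        failed = run.get("conclusion") == "failure"
        if repo == VAULT_REPO:  # checked first so vault CI can never reach tech-syncs
            return "rex-reliability" if failed else None
        if failed:
            return "tech-syncs"
        # Assumption: deploy-twill-infra is the workflow name, staging the branch.
        if (run.get("conclusion") == "success" and run.get("name") == "deploy-twill-infra"
                and run.get("head_branch") == "staging"):
            return "tech-syncs"
        return None
    if event == "issues":
        wanted = repo.startswith("Twill-AI/") and payload.get("action") in ("opened", "assigned")
        return "agent-turn" if wanted else None
    if event in ("issue_comment", "pull_request_review_comment"):
        body = payload.get("comment", {}).get("body") or ""
        return "agent-turn" if BOT_MENTION in body else None
    return None

def handle(secret: bytes, event: str, body: bytes, signature: Optional[str]):
    """Authenticate first, parse second: unsigned bodies are never decoded."""
    if not verify_signature(secret, body, signature):
        return 401, None
    return 200, route(event, json.loads(body))

# Constructed sample input (not real traffic); the secret is a placeholder.
SECRET = b"constructed-test-secret"
BODY = json.dumps({"action": "completed", "repository": {"full_name": VAULT_REPO},
                   "workflow_run": {"conclusion": "failure"}}).encode()
SIG = "sha256=" + hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()
```

The HMAC must be computed over the exact bytes received; re-serializing the parsed JSON before verifying changes the digest and breaks the check.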
Fireflies
- Event: Transcription completed
- Secret: Loaded from env FIREFLIES_WEBHOOK_SECRET
- Routing by meeting type:
  - Tech Sync / Product Sync → Tech Sync agent → tech-syncs post-call summary
  - All others → stored in vault 02-Meetings/ silently
- Health endpoint: http://localhost:18802/fireflies/health
Future (planned)
- Gmail push notifications — not yet implemented
- Stripe/payment webhooks — not yet
Proxy Script
Location: /data/.openclaw/workspace/scripts/webhook-proxy.py
Port: 18802
Process manager: PM2 (cloudflare-tunnel + github-proxy)
Start script: /data/.openclaw/workspace/scripts/start-github-tunnel.sh
Health check
curl http://localhost:18802/health
# → {"ok": true, "service": "webhook-proxy", "bot": "Morty021", ...}
External reachability
curl https://hooks.twill.biz/health
Restart if down
bash /data/.openclaw/workspace/scripts/start-github-tunnel.sh
Cloudflare Tunnel
- Tunnel name: morty-webhook
- Tunnel token: /data/.openclaw/cloudflare_tunnel_token.txt
- Routes: hooks.twill.biz → localhost:18802
- Managed by: PM2 process cloudflare-tunnel
- Binary: /data/.openclaw/cloudflared
The PM2 Watchdog cron (5eb95d1f) checks this every 5 minutes and auto-restarts if down.
OpenClaw Hooks Endpoint
- URL: http://127.0.0.1:18789/hooks/agent
- Auth: Authorization: Bearer hooks_sEupMqT7CFd2kuNr7BxO28zbseYjd24Z
- Payload:
{
  "message": "Agent prompt here",
  "name": "Label for the turn",
  "wakeMode": "now",
  "deliver": true,
  "channel": "slack",
  "to": "CHANNEL_ID",
  "timeoutSeconds": 120
}
tech-syncs Rules (Hard)
#tech-syncs (C078KS0R05B) receives:
- ✅ Post-call summaries from Tech Sync / Product Sync meetings (Fireflies webhook)
- ✅ Staging release notes (deploy-twill-infra on staging branch)
- ❌ NEVER: Vault CI (twill-brain) events
- ❌ NEVER: Infrastructure alerts, cron status, health checks
- ❌ NEVER: Email digests, CRM updates, reliability reports
#rex-reliability (C0AK282411V) receives:
- ✅ Vault CI failures/fixes
- ✅ All health check results
- ✅ Weekly reliability summary
- ✅ Infrastructure alerts