[codex] Add ClawHub staging deploy workflow

[Patrick-Erichsen]

Summary

• Add a staging deploy workflow for https://staging.hub.openclaw.ai that skips cleanly until required Staging environment values are configured.
• Add a deploy-prep script that rewrites Vercel API routing, CLI discovery metadata, and robots.txt for staging deploys.
• Document the remaining Convex, Vercel, DNS, GitHub environment, and OAuth setup that still requires dashboard access.

Validation

• bun run format:check
• bunx vitest run scripts/prepare-deploy-config.test.ts src/lib/site.test.ts
• bun run lint
• bunx tsc --noEmit
• bun run deploy:prepare-config -- --target staging --convex-site-url https://staging.convex.site --dry-run

Notes

The workflow is intentionally no-op until the GitHub Staging environment has CONVEX_DEPLOY_KEY, Vercel credentials, and staging Convex URL variables configured.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clawhub	Ready	Preview, Comment	May 8, 2026 2:25am

[clawsweeper]

Codex review: needs real behavior proof before merge.

Summary
The PR adds a Staging GitHub Actions deploy workflow, a Bun deploy-prep script with tests, staging deploy specs, and staging host recognition.

Reproducibility: not applicable. this is an operational workflow addition rather than a reported bug. Source review and PR-runtime evidence are the relevant checks.

Real behavior proof
Needs stronger real behavior proof before merge: The Vercel preview only proves the branch built; please add redacted terminal/log output for the staging workflow or deploy-prep path, then update the PR body for a fresh review or ask a maintainer to comment @clawsweeper re-review.

Next step before merge
This needs contributor runtime proof and maintainer operational approval for staging secrets, Vercel, Convex, DNS, and OAuth setup before merge.

Security
Cleared: The diff is security-sensitive because it adds a secret-bearing deploy workflow, but it uses the Staging environment, read-only GitHub permissions, and no pull_request trigger; I found no concrete supply-chain or secret-handling defect.

Review details

Best possible solution:

Land the staging workflow only after maintainer review confirms the intended environment setup and the PR includes redacted runtime proof for the no-op and configured deploy paths.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is an operational workflow addition rather than a reported bug. Source review and PR-runtime evidence are the relevant checks.

Is this the best way to solve the issue?

Unclear: the implementation direction is plausible, but the staging deploy path is secret- and dashboard-dependent and needs real runtime proof before it can be judged as the best maintained solution.

What I checked:

• Current main does not implement the PR: A source search on current main found no staging workflow, deploy-prep script, staging host, or deploy:prepare-config script entry. (a292a60a3683)
• PR adds a new secret-bearing staging workflow: The proposed workflow runs on main pushes and manual dispatch, checks Staging environment values, deploys Convex/Vercel, seeds fixtures, and runs HTTP/UI smoke tests. (.github/workflows/deploy-staging.yml:3, a45b4c970bad)
• PR adds deploy-time config rewriting: The new script rewrites vercel.json, .well-known discovery metadata, and robots.txt for production or staging targets. (scripts/prepare-deploy-config.ts:88, a45b4c970bad)
• Existing production deploy is separate: Current main has only the manual Production deploy workflow; it waits for Vercel production status rather than providing a staging deploy path. (.github/workflows/deploy.yml:3, a292a60a3683)
• Real behavior proof is not yet sufficient: The PR body lists validation commands and Vercel shows a Ready preview, but neither shows logs/output from the new staging workflow or deploy-prep path. (a45b4c970bad)

Likely related people:

• vincentkoc: Current production deploy workflow history points to this author on the central deploy automation file. (role: deploy workflow owner; confidence: medium; commits: 343781a66811; files: .github/workflows/deploy.yml)
• Patrick-Erichsen: Recent merged docs/spec work touched the ClawHub specs area that this PR extends, separate from authoring this PR. (role: recent deploy/spec maintainer; confidence: medium; commits: 86898837fb3a; files: specs/deploy.md, specs/ci.md)
• steipete: Recent commits updated site/auth and Vercel configuration surfaces adjacent to the staging host and deployment behavior. (role: recent site and Vercel-adjacent maintainer; confidence: medium; commits: bec936236118, e8deec13a26b; files: src/lib/site.ts, vercel.json)

Remaining risk / open question:

• No redacted terminal/log output currently proves the new staging workflow or deploy-prep script ran successfully after the change.
• The workflow depends on external Staging environment, Convex, Vercel, DNS, and OAuth setup that cannot be fully verified from repository source alone.

Codex review notes: model gpt-5.5, reasoning high; reviewed against a292a60a3683.