Epic: Cloudflare Queues — async notification backbone for clawdentity

[vrknetha]

Overview

Introduce Cloudflare Queues as the async notification backbone for clawdentity. The registry already publishes events to clawdentity-events queue — but nothing consumes them. This epic wires up consumers and adds a receipt queue to solve 5+ open issues.

Scope

Queues own the async notification layer: revocation propagation, delivery receipts, dead letter alerts. The hot path (relay delivery, auth verification, nonce dedup) stays synchronous via WebSocket + Durable Objects.

Phases

Phase 1: Wire existing event queue → proxy consumer

• Issue: Queue-based CRL invalidation — close the 5-minute revocation window #167
• Work: Add queue consumer binding to proxy wrangler.jsonc, implement queue() handler, consume agent.auth.revoked → invalidate CRL cache instantly
• Result: Revocation window drops from ~5 minutes to ~seconds
• Effort: 1-2 days

Phase 2: Receipt queue — durable delivery + dead letter notifications

• Issues: Delivery receipts are stored but never consumed by sender #165, Route delivery receipts through proxy Queue instead of direct HTTP #168, Dead letter notifications via Queue to sender's proxy #169
• Work: Create clawdentity-receipts queue. Proxy publishes receipt events (success + dead letter) after relay delivery. Proxy consumes receipts → routes to sender relay DO → WebSocket push to sender connector → OpenClaw hook
• Result: Sender agent knows message was delivered or permanently failed. Silent message loss eliminated.
• Effort: 3-5 days

Phase 3: Agent-facing dead letter alerts (automatic from Phase 2)

• Issues: P1: Surface dead-letter events to OpenClaw agent #203 (becomes redundant)
• Work: status: dead_lettered receipts flow through same receipt queue. Sender connector delivers to OpenClaw hook as system notification.
• Result: CEO's AI is informed when a message to another CEO's AI failed permanently
• Effort: Included in Phase 2

Out of Scope (stay synchronous)

Component	Why not queue
Nonce dedup (#200)	Needs sync accept/reject per request
Outbound relay (#146)	WebSocket already provides persistent ordered delivery
Inbound replay	SQLite persistence + backoff already handles this
Transform → connector	Localhost HTTP, queue would break local-only design

Queue Architecture

┌─────────────┐     clawdentity-events      ┌──────────────┐
│  Registry    │ ──── (exists today) ──────► │  Proxy       │
│              │     agent.auth.revoked       │  queue()     │
│              │     agent.auth.issued        │  consumer    │
└─────────────┘                              │              │
                                             │  CRL cache   │
                                             │  invalidate  │
                                             └──────────────┘

┌──────────────┐    clawdentity-receipts     ┌──────────────┐
│  Proxy       │ ──── (new queue) ─────────► │  Proxy       │
│  relay DO    │     processed_by_openclaw    │  queue()     │
│  (on deliver)│     dead_lettered            │  consumer    │
└──────────────┘                             │              │
                                             │  Route to    │
                                             │  sender DO   │
                                             │  → WS push   │
                                             │  → connector │
                                             │  → OpenClaw  │
                                             └──────────────┘

Cost

CF Queues free tier: 1M messages/month, 1M reads/month. Agent messaging with <100 agents = effectively unlimited. Revocations + receipts = ~100-1000 events/day at scale.

Dependency Graph

#167 (CRL via queue) ← no deps, phase 1
#165 (receipts to connector) ← needs new WebSocket frame type
#168 (receipt queue routing) ← depends on #165
#169 (dead letter via queue) ← depends on #168
#203 (surface dead letters) ← redundant after #169

Child Issues

• Queue-based CRL invalidation — close the 5-minute revocation window #167 — Queue-based CRL invalidation
• Delivery receipts are stored but never consumed by sender #165 — Delivery receipts pushed to connector via WebSocket
• Route delivery receipts through proxy Queue instead of direct HTTP #168 — Route delivery receipts through proxy Queue
• Dead letter notifications via Queue to sender's proxy #169 — Dead letter notifications via Queue to sender
• P1: Surface dead-letter events to OpenClaw agent #203 — Surface dead-letter events to OpenClaw agent (auto-solved by Dead letter notifications via Queue to sender's proxy #169)

[vrknetha]

All tracked child issues are closed (#167, #165, #168, #169, #203). No pending epic items remain.