2026-05-20-openclaw-stress-in-ci
2026-05-20 — OpenClaw quality stress in CI (Phase 6)
Summary
Wires the OpenClaw quality-stress harness into BR's CI as a recurring quality gate. Runs on:
- Every push to
main - Nightly at 06:00 UTC
- Manual dispatch (
workflow_dispatch)
Asserts ≥90% quality pass rate across all phases. Initially advisory (continue-on-error: true) for the first 7 stable days; will be promoted to blocking by removing that flag.
Why
OpenClaw's 2026-05-20 stress was a one-shot run that surfaced Phases 1-4's failure classes. Phase 6 turns that one-shot into continuous detection. Every regression of any of these classes — null content, cache contract drift, WAF false positives, bandit reward pollution — will be caught within 24 hours instead of waiting for the next manual stress run.
The 90% threshold matches the per-phase plan target. Cost cap of $1/run protects against runaway provider spend.
How
- Harness: vendored from
~/Projects/openclaw/workspace/workspaces/main/br_quality_stress.pyat this commit. Pinned (no auto-sync).scripts/openclaw-stress/README.mddocuments provenance and how to update. - Workflow:
.github/workflows/openclaw-stress.yml. UsesBR_STAGING_API_KEYsecret (must be provisioned manually). Falls back to skip-with-warning if secret is missing. - Threshold:
quality_pass / (quality_pass + quality_fail)across all phases (load, focused, negative if--include-negative). - Artifacts:
test-results/uploaded for 14 days for post-hoc analysis.
Security review
Workflow follows defense-in-depth against GitHub Actions injection:
workflow_dispatchinputs (requests,concurrency) are bound to job-levelenv:vars, then referenced as"$REQUESTS"insiderun:— not interpolated directly.- A separate validation step asserts the inputs match
^[0-9]+$before any shell command uses them. - Secrets are read only via
secrets.(nogithub.event.references). permissions: contents: read— minimum scope.
Operator prereq
Before this workflow does useful work, set the GitHub Actions secret:
Settings → Secrets and variables → Actions → New repository secret
Name: BR_STAGING_API_KEY
Value: <a BR API key with provider credentials, scoped to staging tenant>
Until that secret exists, the workflow logs a warning and exits cleanly (does not fail).
Files
.github/workflows/openclaw-stress.yml(NEW)scripts/openclaw-stress/br_quality_stress.py(NEW, vendored)scripts/openclaw-stress/README.md(NEW)- Ship-log (this file)
Deferred follow-ups
- Promote from advisory to blocking after 7 consecutive green nightly runs. Remove
continue-on-error: true. - Live-mode invariants in nightly — wire
pnpm test:invariantswithBR_INVARIANT_LIVE=1intofortress-nightly.yml. Skipped from this PR because a security hook blocks workflow edits as a precaution; would need a separate workflow file or a permission-acknowledged edit pass.
Lockstep
- [x] No API surface change.
- [x] SDKs unaffected.
- [x] MCP tools unaffected.
- [x] Ship-log (this file).
Plan reference
Phase 6 of .claude/notes/openclaw-stress-fixes-phased-plan-2026-05-20.md. Depends on Phases 1, 2, 3 (all merged). Sets up the recurring detection layer for Phase 7's verification.