auth-store-debug
$
npx mdskill add vercel-labs/vercel-openclaw/auth-store-debugDiagnose auth and store failures in Vercel deployments.
- Resolves login issues, authorization errors, and session persistence problems.
- Integrates with admin logs, Redis, memory stores, and Vercel auth.
- Analyzes request methods, environment flags, and metadata shapes.
- Outputs sanitized evidence without exposing secrets or session keys.
SKILL.md
.github/skills/auth-store-debugView on GitHub ↗
---
name: auth-store-debug
description: "Auth and store debugging for vercel-openclaw: admin-secret mode, Sign in with Vercel, session cookies, CSRF, LOCAL_READ_ONLY, Redis vs memory store, keyspace namespacing, and metadata shape migrations. Use when login, route authorization, Redis persistence, or metadata state is suspect."
---
# Auth Store Debug
Use this skill when request authorization, session behavior, store persistence, or metadata shape is the likely problem.
## Evidence First
Collect:
- Auth mode and Vercel/local environment from admin/preflight surfaces.
- Request method, route, status, and whether bearer or cookie auth was used.
- `GET /api/admin/logs` filtered for `auth.`, `store.`, `session.`, `preflight.`.
- Store backend reported by deployment contract.
- Sanitized metadata shape when needed. Never print secrets, session keys, Redis URLs, or cookies.
## Critical Splits
- Deployment Protection auth vs app auth.
- Bearer admin-secret auth vs encrypted session cookie auth.
- CSRF applies to cookie-based mutations, not bearer mutations.
- `LOCAL_READ_ONLY=1` intentionally blocks admin mutations locally.
- Redis connects only on deployed Vercel runtimes; local/CI use memory store even if Redis envs exist.
- `OPENCLAW_INSTANCE_ID` changes namespace and does not migrate old state.
## Fix Boundaries
- Auth: `src/server/auth/{admin-auth,admin-secret,session,vercel-auth,route-auth}.ts`.
- Store: `src/server/store/{store,redis-store,memory-store,keyspace}.ts`, `src/shared/types.ts`.
- Routes: only the affected route handler.
- Docs/env contract: `.env.example`, `README.md`, `CONTRIBUTING.md`, `CLAUDE.md`.
## Verification
```bash
node scripts/verify.mjs --steps=test,typecheck
pnpm check:verify-contract
lat check
```
Run `pnpm check:verify-contract` when env vars, auth mode docs, or operator instructions change.
More from vercel-labs/vercel-openclaw
- admin-ui-debugAdmin UI and operator surface debugging for vercel-openclaw: command shell design, admin actions, request core, status panels, launch verification UI, channel readiness UI, and local read-only production-data workflows. Use when the root admin UI, controls, visual state, or operator copy is wrong.
- channel-debug-coreChannel webhook triage for vercel-openclaw Slack/Telegram/Discord/WhatsApp issues: prove deployment state, collect admin readiness endpoints, build evidence-first handoff before fixes.
- channel-forward-parityWebhook route parity audit for channel delivery changes: ensure terminal paths log, record lastForward, classify failures, and refresh stale sandbox port URLs.
- cron-watchdog-debugCron and watchdog debugging for vercel-openclaw: Vercel Cron auth, persisted OpenClaw jobs, cron wake keys, token refresh, restore oracle, hot spare, and watchdog reports. Use when scheduled OpenClaw jobs fail to wake or run, watchdog status is wrong, cron persistence is suspect, or /api/cron/watchdog behavior changes.
- discord-deliveryDiscord channel specialist workflow: debug interaction webhooks, Ed25519 signatures, deferred replies, workflow forwarding to /discord-webhook, integration reconcile, and token expiry.
- firewall-ai-gateway-debugFirewall and Vercel AI Gateway debugging for vercel-openclaw: network policy allowlists, OIDC token refresh, AI Gateway transform rules, firewall learning/enforcement, and sandbox.update networkPolicy calls. Use when model calls, egress, token refresh, or firewall policy application fails.
- gateway-proxy-debugGateway and proxy debugging for vercel-openclaw: /gateway routing, HTML injection, WebSocket rewrite, gateway-token handoff, waiting page, status heartbeat, sandbox port URL cache, and proxy auth. Use when the OpenClaw UI, WebSockets, gateway proxying, or waiting-page flow breaks.
- lat-md>-
- launch-verify-debugLaunch verification and remote smoke debugging for vercel-openclaw: preflight, queue ping, ensureRunning, chatCompletions, wakeFromSleep, restorePrepared, channelReadiness, NDJSON progress, and vclaw create readiness. Use when launch verification, vclaw create validation, or remote smoke checks fail.
- openclaw-bootstrap-debugOpenClaw bootstrap, bundle, config, and restore-asset debugging for vercel-openclaw: openclaw.bundle sidecars, plugin discovery, channel catalog, restart scripts, config hashes, dynamic resume files, and fast restore. Use when setup, gateway boot, plugin loading, or bundle-sidecar compatibility fails.