#17970: Copilot/refactor serverless azure function
Labels: docs, gateway, stale, size: XL
Cluster: Voice Call Security Enhancements
## Summary
Describe the problem and fix in 2–5 bullets:
- Problem:
- Why it matters:
- What changed:
- What did NOT change (scope boundary):
## Change Type (select all)
- [ ] Bug fix
- [ ] Feature
- [ ] Refactor
- [ ] Docs
- [ ] Security hardening
- [ ] Chore/infra
## Scope (select all touched areas)
- [ ] Gateway / orchestration
- [ ] Skills / tool execution
- [ ] Auth / tokens
- [ ] Memory / storage
- [ ] Integrations
- [ ] API / contracts
- [ ] UI / DX
- [ ] CI/CD / infra
## Linked Issue/PR
- Closes #
- Related #
## User-visible / Behavior Changes
List user-visible changes (including defaults/config).
If none, write `None`.
## Security Impact (required)
- New permissions/capabilities? (`Yes/No`)
- Secrets/tokens handling changed? (`Yes/No`)
- New/changed network calls? (`Yes/No`)
- Command/tool execution surface changed? (`Yes/No`)
- Data access scope changed? (`Yes/No`)
- If any `Yes`, explain risk + mitigation:
## Repro + Verification
### Environment
- OS:
- Runtime/container:
- Model/provider:
- Integration/channel (if any):
- Relevant config (redacted):
### Steps
1.
2.
3.
### Expected
-
### Actual
-
## Evidence
Attach at least one:
- [ ] Failing test/log before + passing after
- [ ] Trace/log snippets
- [ ] Screenshot/recording
- [ ] Perf numbers (if relevant)
## Human Verification (required)
What you personally verified (not just CI), and how:
- Verified scenarios:
- Edge cases checked:
- What you did **not** verify:
## Compatibility / Migration
- Backward compatible? (`Yes/No`)
- Config/env changes? (`Yes/No`)
- Migration needed? (`Yes/No`)
- If yes, exact upgrade steps:
## Failure Recovery (if this breaks)
- How to disable/revert this change quickly:
- Files/config to restore:
- Known bad symptoms reviewers should watch for:
## Risks and Mitigations
List only real risks for this PR. Add/remove entries as needed. If none, write `None`.
- Risk:
- Mitigation:
<!-- greptile_comment -->
<h3>Greptile Summary</h3>
This PR adds a complete Azure Functions serverless deployment option for OpenClaw, including a Telegram webhook handler (`azure-function/`), an Azure Table Storage memory provider (`src/memory/memory-provider-azure.ts`), an Azure Blob Storage session store, Bicep infrastructure-as-code, comprehensive docs, and tests.
- **Webhook handler** (`azure-function/src/functions/webhook.ts`): Implements a POST-triggered Azure Function that validates Telegram webhook headers and processes updates via grammy. Contains two issues: (1) authentication validation runs *after* body parsing (should be before to reject unauthenticated requests early), and (2) dead health-check code inside the POST handler that's unreachable because `/healthz` has its own route registration.
- **Memory provider** (`src/memory/memory-provider-azure.ts`): Implements `MemorySearchManager` using Azure Table Storage with keyword-based search, chunk/file/meta CRUD, and embedding cache. Previously flagged OData filter injection concerns remain. The provider is not yet wired into the search-manager factory.
- **Session store** (`azure-function/src/storage/session-store-azure.ts`): Clean Blob Storage session persistence implementation with proper 404 handling and idempotent container creation.
- **Infrastructure** (`infra/main.bicep`): Well-structured Bicep template provisioning Storage, Key Vault (with RBAC), Function App, and App Insights with appropriate security defaults.
- **Tests**: Comprehensive unit tests for the memory provider with proper Azure SDK mocking.
- **Docs and README updates**: Adds Azure deployment guide and cross-references from existing docs.
<h3>Confidence Score: 3/5</h3>
- PR is mostly additive with no changes to existing logic, but the webhook has an auth ordering bug that should be fixed before merging.
- Score of 3 reflects that this is a large, additive PR with well-structured code and good test coverage, but the webhook authentication ordering issue (body parsed before validation) is a real logic bug that should be corrected. The dead health-check code is minor but indicates incomplete cleanup. The previously-flagged OData injection concerns in the memory provider also remain unaddressed.
- Pay close attention to `azure-function/src/functions/webhook.ts` (auth ordering bug and dead code) and `src/memory/memory-provider-azure.ts` (previously flagged OData filter injection concerns).
<sub>Last reviewed commit: a35d2a5</sub>
<!-- greptile_other_comments_section -->
<!-- /greptile_comment -->
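The ordering issue flagged in the summary above, shown as an added TypeScript example (not code from the PR): the secret-token header check runs before the request body is read or parsed. The `WebhookRequest` shape, `handleWebhook`, `secretMatches` and `processUpdate` are hypothetical names; the header is the one Telegram sends when `setWebhook` is given a `secret_token`.

```typescript
import { createHash, timingSafeEqual } from "crypto";

// Minimal request shape for this example (an assumption, modelled on a
// fetch-style request: headers.get() plus a lazily read text() body).
interface WebhookRequest {
  headers: { get(name: string): string | null };
  text(): Promise<string>;
}
interface WebhookResponse { status: number; body?: string }

// Header Telegram sends when setWebhook was called with a secret_token.
const SECRET_HEADER = "x-telegram-bot-api-secret-token";

// Constant-time comparison; hashing first yields equal-length buffers,
// which timingSafeEqual requires.
function secretMatches(presented: string | null, expected: string): boolean {
  if (!presented || !expected) return false; // fail closed on missing config
  const a = createHash("sha256").update(presented).digest();
  const b = createHash("sha256").update(expected).digest();
  return timingSafeEqual(a, b);
}

// Hypothetical handler: authenticate first, parse second.
async function handleWebhook(
  req: WebhookRequest,
  expectedSecret: string,
  processUpdate: (update: unknown) => Promise<void>,
): Promise<WebhookResponse> {
  // 1. Reject unauthenticated callers before the body is touched.
  if (!secretMatches(req.headers.get(SECRET_HEADER), expectedSecret)) {
    return { status: 401 };
  }
  // 2. Only now read and parse the caller-supplied bytes.
  const raw = await req.text();
  let update: unknown;
  try {
    update = JSON.parse(raw);
  } catch {
    return { status: 400, body: "invalid JSON" };
  }
  await processUpdate(update);
  return { status: 200 };
}
```

With this ordering, a request carrying a wrong or missing token gets a 401 without the handler ever reading the body, so malformed or oversized payloads from unauthenticated senders never reach the JSON parser.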