@dion-jy/rondo

 

OpenClaw plugin that syncs cron job data to Rondo Dashboard.

Setup

1. Install the plugin:

   openclaw plugins install @dion-jy/rondo
   openclaw gateway restart

2. Open rondo-ui.vercel.app and sign in with Google

3. Click Link Device and copy the link

4. Link your device (choose one):

• Chat: Send /rondo link <URL> in Telegram/WhatsApp
• Terminal: Run openclaw rondo link <URL>

5. Done! Your cron jobs will appear on the dashboard.

Commands

| Command | Description | |---------|-------------| | /rondo link <URL> | Link this device to your web account | | /rondo status | Check linking status |

Features

• Automatic cron job & run history sync
• ACP agent session tracking
• Orphan job cleanup
• Multi-tenant via device linking
• Managed Web Push via server-side trigger/Edge Function
• Legacy plugin-triggered push remains supported for existing installs

Architecture

┌─────────────────────┐     outbound push     ┌───────────┐
│  OpenClaw Gateway   │ ──────────────────────▶│ Supabase  │
│  (rondo plugin)     │   every 5min (REST)    │  (cloud)  │
│  reads jobs.json    │                        └─────┬─────┘
│  reads runs/*.jsonl │                              │
└─────────────────────┘                              │ fetch
                                              ┌──────▼──────┐
                                              │  Rondo UI   │
                                              │  (Vercel)   │
                                              └─────────────┘

No inbound ports, no tunnels — outbound HTTPS only.

Managed Push

Default path for new installs:

1. Install plugin 2. /rondo link 3. Browser notification permission + Web Push subscribe in Rondo UI 4. Server-side trigger delivers background push on terminal cron runs

The plugin does not need push secrets for this managed path. Push secrets stay server-side in Supabase Vault / Edge secrets.

Legacy compatibility

Existing installs that already use plugin-triggered push can keep working:

• pushTriggerMode=legacy
• pushNotifyUrl
• pushNotifySharedSecret

If these are omitted, the plugin defaults to managed mode and only performs sync.

Upgrading

If you are upgrading from an older version, run the following migration in your Supabase SQL Editor to add newer columns. These are idempotent and safe to re-run:

-- sql/004_plugin_version.sql
ALTER TABLE cron_jobs ADD COLUMN IF NOT EXISTS plugin_version text;

> Note: Even without running this migration, the plugin will work — it automatically detects missing columns and excludes them from sync payloads. Running the migration simply enables the extra metadata.

Upgrade steps

1. openclaw plugins update @dion-jy/rondo 2. openclaw gateway restart 3. (Optional) Run the SQL above in Supabase to enable plugin_version tracking

No manual file edits under ~/.openclaw/plugins/ are needed or supported.

Configuration

| Key | Default | Description | |-----|---------|-------------| | syncIntervalMs | 300000 (5 min) | Sync interval in milliseconds | | pushTriggerMode | auto | managed for server-side push only, legacy for plugin-trigger push, off to disable push handoff | | pushNotifyUrl | — | Legacy plugin-trigger push endpoint | | pushNotifySharedSecret | — | Legacy plugin-trigger shared secret |

Deprecated but still accepted for backward compatibility:

• supabaseUrl
• supabaseKey
• userId
• supabaseAuthEmail

Zero-config install guarantee (important)

Users should be able to install/update the plugin and use it immediately.

• ✅ SUPABASE_URL and anon key are bundled in plugin source (src/config.ts)
• ✅ No manual patching in runtime paths (e.g. ~/.openclaw/plugins/...) should be required
• ❌ Never ship service_role key in plugin code
• ✅ Any key rotation must be released via npm version update, then users run plugin update

Security requirement: RLS

Because anon key is public by design, Supabase Row Level Security (RLS) policies must enforce user-scoped access. Without proper RLS, anon clients may read/write unintended rows.

Maintainer release checklist

1. Update src/config.ts (SUPABASE_URL, SUPABASE_ANON_KEY) if rotated 2. Confirm service_role is not referenced anywhere in distributed user config 3. Validate RLS SQL is up to date (sql/002_user_id_rls.sql, sql/003_enforce_user_scope.sql) 4. Validate managed push SQL/Edge assets (sql/007_push_notification_events.sql, sql/008_managed_push.sql, supabase/functions/push-notify) 5. Bump package.json version 6. Publish via release or tag (v*) 7. Verify fresh install works without manual file edits

Automated Publishing

The package is automatically published to npm when:

• Option A: A GitHub Release is published
• Option B: A tag matching v* is pushed (e.g. git tag v2.2.0 && git push --tags)

Setup

Add an NPM_TOKEN repository secret (Settings → Secrets → Actions):

1. Create a granular access token on npmjs.com with publish permission for @dion-jy/rondo 2. Add it as NPM_TOKEN in the repo's Actions secrets

The workflow validates the package name and checks that the tag version matches package.json before publishing. If the version is already published, the job exits gracefully.

Related

• Rondo UI — Vercel dashboard for monitoring
• OpenClaw — AI agent orchestration platform

License

MIT