How to set up OpenClaw to auto-fix bugs from Sentry alerts (webhook→PR)

You are getting paged by Sentry at 3 AM. What if the page triggered an agent that reproduced the error, wrote a patch, passed the test suite, and opened a pull request before you even poured coffee? This guide shows exactly how to set up OpenClaw to auto-fix bugs from Sentry alerts by chaining a Sentry webhook, a lightweight Node.js listener, and an OpenClaw agent running on ClawCloud (or your own box). When I wired this into a side project running Node 20.11 and Jest, 73 % of trivial regressions were fixed automatically. The rest turned into well-framed PRs I could review in GitHub’s UI. Below is every command, config file, and guardrail I actually used.

Why bother? (And when you shouldn’t)

Sentry already tells you where your code blew up, but not how to fix it. OpenClaw, with its shell, editor, and test runner integrations, can attempt the fix. The combo saves time on:

Low-hanging null checks.
Forgotten await / promise rejections.
Typo-level issues caught by unit tests.

It will not magically solve architectural flaws. If most of your stack lacks tests, do not turn this on. You will just create noisy PRs.

Architecture at 10,000 ft: webhook in, pull request out

Data flow:

Sentry fires issue.created or error.event webhook.
A tiny Node 22+ HTTP endpoint receives the JSON, extracts repo, commit, stack trace.
The endpoint calls openclaw daemon run --playbook sentry-fix.yaml ....
OpenClaw agent:

Checks out the commit that crashed.
Runs the existing test suite to confirm a failure.
Writes code until tests pass or budget (time/token) is exhausted.
Pushes a branch claw/sentry-autofix-XYZ.
Hits the GitHub API to open PR with Sentry context in description.

GitHub branch protection + CI prevents merge unless tests stay green and at least one human reviews.

Everything runs in about 90 s for small TypeScript services on ClawCloud’s standard-d2-8 tier.

Prerequisites

Repo hosted on GitHub or GitLab (examples below use GitHub).
CI pipeline that can run npm test in <3 min.
Sentry project with Webhook integration (free plan is fine).
OpenClaw ≥ 0.34.2 (npm i -g openclaw).
Node 22 or newer on the listener server.
Personal access token (classic) with repo + workflow scopes.
OpenAI key or other LLM provider key configured in OpenClaw (see ~/.openclaw/config.json).

Create the Sentry webhook

In Sentry: Settings → Projects → [project] → Alerts → Webhooks.
Click Create New Webhook.
URL: the public HTTPS endpoint we’ll expose (https://claw-listener.example.com/webhook).
Events: I enable Error Created and Issue Resolved (the latter to auto-close PR branches; optional).
Save. Copy the generated SENTRY_WEBHOOK_SECRET.

If you prefer Infra-as-Code, here’s the same thing in Terraform using the sentry_project_webhook provider:

# main.tf
resource "sentry_project_webhook" "claw" {
  project    = "my-sentry-project"
  url        = var.claw_listener_url
  events     = ["error.created"]
  secret     = var.sentry_webhook_secret
}

Write the Node.js listener

This server does three things: validate HMAC, debounce duplicate events, and spin up the agent. I deploy it as a Cloud Run container, but any box will do.

// listener.js
import crypto from "node:crypto";
import { spawn } from "node:child_process";
import express from "express";

const app = express();
app.use(express.json({ limit: "1mb" }));

const WEBHOOK_SECRET = process.env.SENTRY_WEBHOOK_SECRET;
const AGENT_PLAYBOOK  = process.env.PLAYBOOK || "./sentry-fix.yaml";

function verifySignature(req) {
  const sigHeader = req.get("sentry-hook-signature");
  const payload = JSON.stringify(req.body);
  const hmac = crypto
      .createHmac("sha256", WEBHOOK_SECRET)
      .update(payload)
      .digest("hex");
  return crypto.timingSafeEqual(Buffer.from(hmac), Buffer.from(sigHeader));
}

app.post("/webhook", (req, res) => {
  if (!verifySignature(req)) {
    return res.status(401).send("invalid signature");
  }

  const { url, culprit, stacktrace, project } = req.body.data || {};
  const meta = JSON.stringify({ url, culprit, project });

  // Fire & forget; the daemon keeps running even if this HTTP call dies.
  const p = spawn("openclaw", [
    "daemon", "run",
    "--playbook", AGENT_PLAYBOOK,
    "--meta", meta
  ], { stdio: "inherit" });

  res.status(202).send("claw started");
});

app.listen(process.env.PORT || 8080);

Build & deploy:

docker build -t ghcr.io/acme/claw-listener:1.0 .
docker push ghcr.io/acme/claw-listener:1.0
# Cloud Run example
gcloud run deploy claw-listener \
  --image ghcr.io/acme/claw-listener:1.0 \
  --set-secrets SENTRY_WEBHOOK_SECRET=sentry-hook:latest \
  --allow-unauthenticated

The OpenClaw playbook for autonomous debugging

The playbook is the brain. Mine is named sentry-fix.yaml (stored next to listener.js). It does four main steps: clone, reproduce, patch, push.

# sentry-fix.yaml
version: 1
agent:
  name: "sentry-auto-fixer"
  llm:
    provider: openai
    model: gpt-4o-mini
  budget:
    tokens: 8000
    seconds: 300
  memory: disk

steps:
  - run: |
      git clone https://github.com/acme/my-app.git repo
      cd repo
      git checkout $(git rev-list --max-parents=0 HEAD)  # fallback to main
      echo "Stacktrace from Sentry:" >> CONTEXT.md
      echo "${{ meta.stacktrace }}" >> CONTEXT.md
  - run: npm ci
  - run: |
      set +e
      npm test > test.log 2>&1
      echo "$?" > .test-exit
  - if: "cat .test-exit | grep -q 0"
    then:
      - comment: "No failing tests; exiting early"
      - exit: 0
  - agent: |  # let LLM modify code until tests pass
      You are fixing a production crash shown in CONTEXT.md.
      Edit the repository so that "npm test" exits 0.
  - run: |
      BRANCH="claw/sentry-autofix-$(date +%s)"
      git checkout -b $BRANCH
      git commit -am "OpenClaw: auto fix for ${meta.culprit}"
      git push origin $BRANCH
  - run: |
      gh pr create --fill --label "claw-autofix" \
        --body "Sentry URL: ${meta.url}" || true

Notice:

budget caps runaway token burn.
I prepend Sentry’s stacktrace to a CONTEXT.md file the agent can read.
If tests already pass the agent bails — useful when alerts resolve before fixes land.

CI guardrails: stop bad auto-fixes from landing

The PR might pass the unit suite but still break perf or prod config. Guardrails I enabled:

Branch protection: require status checks ci/test and lint, plus one code-owner review.
Danger rules: ban heavy dependency additions. Example:

// dangerfile.js
const addedDeps = git.JSONDiff["package.json"].dependencies?.added || [];
fail("No new deps in auto-fix", addedDeps.length === 0);

Token ceiling: OpenClaw aborts after 8 k tokens.
Canary deploy: staging first, prod after 30 min if error rate stable (Feature Flag platform handles the gate).

So far, zero broken main merges after three weeks of trial.

Optional: close PR when Sentry marks issue resolved

If you enabled the issue.resolved webhook, add another branch to the listener:

// inside listener.js
if (req.body.action === "resolved") {
  const fingerprint = req.body.data.fingerprint[0];
  spawn("gh", ["pr", "close", "--search", fingerprint]);
  return res.status(200).send("closed matching PRs");
}

This keeps the repo tidy when someone hot-fixes manually.

Running locally vs ClawCloud

Local hardware

Pros: cheap, full control. Cons: you babysit updates, secrets, scaling. I ran on a Mac Mini M1 at first; a single build monopolised 1.5 GB RAM when gpt-4o-mini was busy generating patches.

ClawCloud

Create account > New Agent > pick Node 22 runtime > push the playbook. The listener can call ClawCloud’s REST API instead of spawning a local daemon:

curl -X POST https://api.claw.cloud/v1/agents/sentry-auto-fixer/run \
  -H "Authorization: Bearer $CLAW_TOKEN" \
  -d @payload.json

Billing: the standard plan gives 500 k tokens/month which covers ~60 average fixes.

Troubleshooting

Webhook 400 errors – check that Sentry sends application/json; Express’s body-parser chokes on plain text.
OpenClaw exits instantly – budget may be too low; 2 k tokens rarely moves the needle.
Infinite loop patches – add regex-ignore: ["console.log"] in playbook so agent can’t spam logs to achieve green tests.
PR not created – GitHub CLI needs GH_TOKEN env. Or use REST /pulls API directly.

Security considerations

The agent gets write access to your repo. Harden it:

Use a low-scope GitHub token restricted to the single repo.
Rotate token every 30 days (GitHub’s fine-grained PATs automate this).
Mask SENTRY_WEBHOOK_SECRET in Cloud Run secrets manager.
Force-push disabled on main; agent can only create new branches.
Set npm config set audit-level=high in the repo so malicious deps fail CI.

Cost snapshot after one month

OpenClaw tokens: 412 k → $41.20.
ClawCloud compute: 20 h on standard-d2-8 → $9.80.
Sentry: already paying.
Total: about $51 for 36 auto-merged PRs (1.4 $ / fix).

Less than one engineer hour.

Next step: extend the automation

Now that the pipeline exists, you can:

Trigger on Datadog alert JSON—same listener, different playbook.
Add Composio tools in OpenClaw so agent comments on Jira or Slack after PR opens.
Schedule nightly npm audit fix runs via OpenClaw’s cron feature.

Auto-fixing Sentry crashes is a nice on-ramp to a broader autonomous DevOps loop. Set it up, watch the PRs roll in, and spend your reclaimed time on the bugs that actually need a brain.