fix(security): use providers for messaging credential injection

.github/workflows/e2e-brev.yaml

@@ -19,6 +19,10 @@ name: e2e-brev
 #                              through $(cmd), backticks, quote breakout, ${VAR} expansion,
 #                              process table leak checks, and SANDBOX_NAME validation.
 #                              Requires running sandbox.
+#   messaging-providers      — 20+ tests validating PR #1081: provider creation, credential
+#                              isolation, openclaw.json config patching, network reachability,
+#                              and L7 proxy token rewriting for Telegram + Discord. Creates
+#                              its own sandbox (e2e-msg-provider). (~15 min)
 #   all                      — Runs credential-sanitization + telegram-injection (NOT full,
 #                              which destroys the sandbox the security tests need).
 #
@@ -41,6 +45,7 @@ on:
           - full
           - credential-sanitization
           - telegram-injection
+          - messaging-providers
           - all
       use_launchable:
         description: "Use CI launchable (true) or bare brev create + brev-setup.sh (false)"

.github/workflows/nightly-e2e.yaml

@@ -7,6 +7,8 @@
 #   cloud-experimental-e2e   Experimental cloud inference test (main script skips embedded
 #                            check-docs + final cleanup; follow-up steps run check-docs,
 #                            skip/05-network-policy.sh, then cleanup.sh --verify with if: always()).
+#   messaging-providers-e2e  Validates messaging credential provider/placeholder/L7-proxy chain
+#                            for Telegram + Discord. Uses fake tokens. See PR #1081.
 #   gpu-e2e                  Local Ollama inference on a GPU self-hosted runner.
 #                            Controlled by the GPU_E2E_ENABLED repository variable.
 #                            Set vars.GPU_E2E_ENABLED to "true" in repo settings to enable.
@@ -161,6 +163,39 @@ jobs:
           path: /tmp/nemoclaw-e2e-cloud-experimental-install.log
           if-no-files-found: ignore
 
+  # ── Messaging Providers E2E ──────────────────────────────────
+  # Validates the full provider/placeholder/L7-proxy chain for messaging
+  # credentials (Telegram, Discord). Uses fake tokens by default — the L7
+  # proxy rewrites placeholders and the real API returns 401, proving the
+  # chain works. See: PR #1081
+  messaging-providers-e2e:
+    if: github.repository == 'NVIDIA/NemoClaw'
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Run messaging providers E2E test
+        env:
+          NVIDIA_API_KEY: ${{ secrets.NVIDIA_API_KEY }}
+          NEMOCLAW_NON_INTERACTIVE: "1"
+          NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE: "1"
+          NEMOCLAW_SANDBOX_NAME: "e2e-msg-provider"
+          NEMOCLAW_RECREATE_SANDBOX: "1"
+          GITHUB_TOKEN: ${{ github.token }}
+          TELEGRAM_BOT_TOKEN: "test-fake-telegram-token-e2e"
+          DISCORD_BOT_TOKEN: "test-fake-discord-token-e2e"
+        run: bash test/e2e/test-messaging-providers.sh
+
+      - name: Upload install log on failure
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: install-log-messaging-providers
+          path: /tmp/nemoclaw-e2e-install.log
+          if-no-files-found: ignore
+
   # ── GPU E2E (Ollama local inference) ──────────────────────────
   # Enable by setting repository variable GPU_E2E_ENABLED=true
   # (Settings → Secrets and variables → Actions → Variables)
@@ -213,8 +248,8 @@ jobs:
 
   notify-on-failure:
     runs-on: ubuntu-latest
-    needs: [cloud-e2e, cloud-experimental-e2e, gpu-e2e]
-    if: ${{ always() && (needs.cloud-e2e.result == 'failure' || needs.cloud-experimental-e2e.result == 'failure' || needs.gpu-e2e.result == 'failure') }}
+    needs: [cloud-e2e, cloud-experimental-e2e, messaging-providers-e2e, gpu-e2e]
+    if: ${{ always() && (needs.cloud-e2e.result == 'failure' || needs.cloud-experimental-e2e.result == 'failure' || needs.messaging-providers-e2e.result == 'failure' || needs.gpu-e2e.result == 'failure') }}
     permissions:
       issues: write
     steps: