Production Architecture & Runtime Sovereignty
EvoClass-AI007 Lesson 4

The Production Backbone: Gateway & Runtime

Transitioning Autonomous Agents from a local sandbox to a production environment requires a shift in architectural priorities. At the center of this ecosystem is the Gateway, which serves as the control plane for all incoming data across various Surfaces and Channels. The Gateway ensures that the Agent Runtime—the engine where the actual "thinking" happens—remains isolated and stable. To achieve high availability, the architecture employs a Local-First RAG (Retrieval-Augmented Generation) approach, ensuring that data sovereignty is maintained by keeping sensitive information on-site rather than relying solely on third-party cloud black boxes.

The Markdown-First Philosophy

The OpenClaw ecosystem operates on a Markdown-First Philosophy, meaning the system’s "truth" is stored in human-readable, version-controlled files rather than opaque databases.

  • openclaw.json: The global entry point. Dictates network settings (WebSocket API port), identity authentication, and model routing.
  • SOUL.md: Defines the "Soul" of the agent—its core identity, tone, and behavioral boundaries.
  • AGENTS.md: Acts as the structural blueprint, detailing engineering architecture and construction commands.
Reference Card: openclaw.json
    {
      "gateway_settings": { "port": 18789, "auth": "Environmental_Injection" },
      "runtime_manifests": {
        "identity": "./configs/SOUL.md",
        "workflow": "./configs/AGENTS.md",
        "memory": "Local-First (Semantic Snapshots)"
      }
    }
Question 1
Which file acts as the global configuration entry point, managing WebSocket ports and model routing?
  • SOUL.md
  • openclaw.json
  • AGENTS.md
  • HEARTBEAT.md
Question 2
Why does OpenClaw prioritize a "Markdown-First Philosophy"?
  • To make the system run faster on GPUs.
  • To ensure configuration is human-readable and version-controllable.
  • To replace the need for the Agent Runtime.
Challenge: Production Hardening
Secure the Gateway and Credentials.
Scenario: You are hardening a production server. You notice that the Gateway is communicating over port 18789 without authentication, and the API keys are hardcoded inside AGENTS.md.
Task
List the two critical security steps required to fix this based on production guidelines.
1. RCE Prevention: Secure the WebSocket API (Port 18789) in openclaw.json using proper authentication or environmental injection to prevent Remote Code Execution.

2. Credential Hardening: Remove hardcoded keys from AGENTS.md and move them to environment variables. AGENTS.md should only contain architecture and workflow logic.
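
Both checks from the challenge can be run as a pre-deployment audit. The script below is an added example, not OpenClaw's own code: the key names come from the reference card above, while the credential patterns, the set of auth values treated as "unauthenticated", and the sample inputs are assumptions constructed for illustration.

```python
import json
import re

# Assumed patterns for credentials pasted into a manifest (illustrative, not exhaustive).
SECRET_PATTERNS = [
    re.compile(r"\bsk-[A-Za-z0-9_-]{16,}"),
    re.compile(r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*[\"']?([^\s\"']{12,})"),
]
# Values that defer to the environment instead of embedding the secret.
ENV_REFERENCE = re.compile(r"^(\$\{?[A-Z_][A-Z0-9_]*\}?|Environmental_Injection)$")

# Constructed sample inputs (not real files or keys).
SAMPLE_CONFIG = '{"gateway_settings": {"port": 18789, "auth": ""}}'
SAMPLE_AGENTS_MD = """# Build
Run the workflow with `make agents`.
api_key: EXAMPLEEXAMPLEEXAMPLE123
token: ${AGENT_TOKEN}
"""


def audit_gateway(config_text):
    """Return findings for the gateway block of an openclaw.json document."""
    settings = json.loads(config_text).get("gateway_settings", {})
    auth = str(settings.get("auth") or "").strip()
    findings = []
    if auth.lower() in ("", "none", "false", "disabled"):
        findings.append(f"gateway port {settings.get('port')}: no authentication configured")
    elif not ENV_REFERENCE.match(auth):
        findings.append("gateway auth looks like a literal value; inject it from the environment")
    return findings


def audit_manifest(name, text):
    """Return one finding per line of a Markdown manifest that embeds a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            # Skip values that only reference an environment variable.
            if m and not ENV_REFERENCE.match(m.group(m.lastindex or 0)):
                findings.append(f"{name}:{lineno}: hardcoded credential")
                break
    return findings


if __name__ == "__main__":
    for finding in audit_gateway(SAMPLE_CONFIG) + audit_manifest("AGENTS.md", SAMPLE_AGENTS_MD):
        print(finding)
```

Findings report only the file and line number, so the audit output itself never repeats the secret.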