生产架构与运行时主权

生产核心：网关与运行时

将自主代理从本地沙箱环境迁移至生产环境，需要转变架构优先级。在这个生态系统的核心是网关，它作为所有来自不同表面和渠道的入站数据的控制平面。网关确保代理运行时——即实际“思考”发生的引擎——保持隔离且稳定。为实现高可用性，该架构采用本地优先检索增强生成（Local-First RAG）（检索增强生成）方法，确保通过将敏感信息保留在本地而非完全依赖第三方云黑盒来维护数据主权。

Markdown 首先哲学

OpenClaw 生态系统基于 Markdown 首先哲学，意味着系统的“真相”存储在人类可读、版本控制的文件中，而非不透明的数据库中。

openclaw.json：全局入口点。定义网络设置（WebSocket API 端口）、身份认证及模型路由。
SOUL.md：定义代理的“灵魂”——其核心身份、语气及行为边界。
AGENTS.md：充当结构蓝图，详细说明工程架构与构建指令。

参考卡片：openclaw.json

"gateway_settings": { "port":18789, "auth":"Environmental_Injection" }, "runtime_manifests": { "identity":"./configs/SOUL.md", "workflow":"./configs/AGENTS.md", "memory":"Local-First (语义快照)" }

Type a command...

Question 1

Which file acts as the global configuration entry point, managing WebSocket ports and model routing?

SOUL.md

openclaw.json

AGENTS.md

HEARTBEAT.md

Question 2

Why does OpenClaw prioritize a "Markdown-First Philosophy"?

To make the system run faster on GPUs.

To ensure configuration is human-readable and version-controllable.

To replace the need for the Agent Runtime.

Challenge: Production Hardening

Secure the Gateway and Credentials.

Scenario: You are hardening a production server. You notice that the Gateway is communicating over port 18789 without authentication, and the API keys are hardcoded inside AGENTS.md.

Task

List the two critical security steps required to fix this based on production guidelines.

1. RCE Prevention: Secure the WebSocket API (Port 18789) in openclaw.json using proper authentication or environmental injection to prevent Remote Code Execution.

2. Credential Hardening: Remove hardcoded keys from AGENTS.md and move them to environment variables. AGENTS.md should only contain architecture and workflow logic.