Production Architecture and Runtime Sovereignty
EvoClass-AI007 Lesson 4

The Production Core: Gateway and Runtime

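Moving an autonomous agent from a local sandbox to production requires a shift in architectural priorities. At the heart of this ecosystem is the Gateway, which serves as the control plane for all incoming data across surfaces and channels. The Gateway ensures that the Agent Runtime, the engine where the actual "thinking" happens, stays isolated and stable. To achieve high availability, the architecture adopts a Local-First RAG (Retrieval-Augmented Generation) approach, which maintains data sovereignty by keeping sensitive information local rather than relying solely on third-party cloud black boxes.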

Markdown-First Philosophy

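The OpenClaw ecosystem operates under a Markdown-First Philosophy, meaning the system's "truth" is stored in readable, version-controllable files rather than in closed databases.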

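  • openclaw.json: The global entry point. Defines network settings (WebSocket API port), authentication, and model routing.
  • SOUL.md: Defines the agent's "soul": its core identity, tone, and behavioral boundaries.
  • AGENTS.md: Acts as the structural blueprint, detailing the engineering architecture and build instructions.
Reference card: openclaw.json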
"gateway_settings": {
  "port": 18789,
  "auth": "Environmental_Injection"
},
"runtime_manifests": {
  "identity": "./configs/SOUL.md",
  "workflow": "./configs/AGENTS.md",
  "memory": "Local-First (語義快照)"
}
Question 1
Which file acts as the global configuration entry point, managing WebSocket ports and model routing?
SOUL.md
openclaw.json
AGENTS.md
HEARTBEAT.md
Question 2
Why does OpenClaw prioritize a "Markdown-First Philosophy"?
To make the system run faster on GPUs.
To ensure configuration is human-readable and version-controllable.
To replace the need for the Agent Runtime.
Challenge: Production Hardening
Secure the Gateway and Credentials.
Scenario: You are hardening a production server. You notice that the Gateway is communicating over port 18789 without authentication, and the API keys are hardcoded inside AGENTS.md.
Task
List the two critical security steps required to fix this based on production guidelines.
1. RCE Prevention: Secure the WebSocket API (Port 18789) in openclaw.json using proper authentication or environmental injection to prevent Remote Code Execution.

2. Credential Hardening: Remove hardcoded keys from AGENTS.md and move them to environment variables. AGENTS.md should only contain architecture and workflow logic.
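
The two checks from the challenge can be automated as a pre-deployment audit. The script below is an added example, not code from the lesson or from the OpenClaw project. It assumes the key names shown in the reference card above; the environment variable name OPENCLAW_GATEWAY_TOKEN, the treatment of an empty or "none" auth value as unauthenticated, the secret-matching pattern, and all sample inputs are constructed for illustration.

```python
import json
import re

# Assumption: schema follows the reference card on this page.
TOKEN_ENV = "OPENCLAW_GATEWAY_TOKEN"  # hypothetical variable name
# Matches key = literal; an env reference such as ${VAR} does not match.
SECRET_RE = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*[\"']?([A-Za-z0-9_\-]{16,})"
)

def audit(config_text, agents_md, env):
    """Return findings for the two issues in the hardening challenge."""
    findings = []
    gw = json.loads(config_text).get("gateway_settings", {})
    port = gw.get("port", "?")
    auth = str(gw.get("auth") or "").strip()
    if auth.lower() in ("", "none"):
        findings.append(f"gateway port {port}: no authentication configured")
    elif auth == "Environmental_Injection" and not env.get(TOKEN_ENV):
        findings.append(f"gateway port {port}: auth expects {TOKEN_ENV}, which is unset")
    for lineno, line in enumerate(agents_md.splitlines(), 1):
        m = SECRET_RE.search(line)
        if m:
            # Report location and key name only, never the secret value.
            findings.append(f"AGENTS.md:{lineno}: hardcoded {m.group(1)}")
    return findings

# Constructed sample inputs: the scenario from the challenge, then the fixed state.
WEAK_CONFIG = '{"gateway_settings": {"port": 18789, "auth": ""}}'
WEAK_AGENTS = '# Build\nrun: make agent\nMODEL_API_KEY = "constructed-key-0123456789abcdef"\n'
HARD_CONFIG = '{"gateway_settings": {"port": 18789, "auth": "Environmental_Injection"}}'
HARD_AGENTS = "# Build\nrun: make agent\nMODEL_API_KEY = ${MODEL_API_KEY}\n"

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG, WEAK_AGENTS, {}):
        print("FAIL", finding)
    print("hardened:", audit(HARD_CONFIG, HARD_AGENTS, {TOKEN_ENV: "set-at-deploy"}) or "clean")
```

In a pipeline, pass the real file contents and os.environ, and fail the deployment when the returned list is non-empty.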