ClawFlint (Kubernetes Edition)

Your AI agent, live in 30 seconds.

ClawFlint is a managed OpenClaw deployment platform. Deploy AI assistants on Telegram, Discord, and WhatsApp — no code, no servers, no config files.

This is the Kubernetes edition — each bot runs in an isolated K8s pod with its own storage, secrets, network policies, and resource limits. Built for production-grade multi-tenant hosting with auto-scaling.

The platform handles provisioning, channel connections, AI proxy billing, and a full admin panel — so users focus on their agent, not infrastructure.

Don't want to self-host? Use the fully managed version at clawflint.com — same platform, zero infrastructure to manage.

---

Features

• One-click deploy — Choose a plan, pick an AI model, connect a channel, done
• 10+ AI models — Claude Sonnet 4.6, GPT-5.2, Gemini 3 Flash, Mistral, Groq, OpenRouter, xAI, and more
• 3 messaging channels — Telegram (instant), Discord, WhatsApp (QR pairing via Evolution API)
• 15+ service integrations — Brave Search, Perplexity, Firecrawl, ElevenLabs, and others as optional agent capabilities
• Browser tool — Chromium sidecar with residential proxy support (Decodo/Smartproxy, 65M+ IPs)
• AI API proxy — Bundled credits with token counting, usage tracking, and spending caps
• BYOK mode — Bring your own API keys for any supported provider
• Kubernetes isolation — Each bot gets its own pod, secrets, network policy, and resource limits
• Admin panel — Full OpenClaw Control UI proxied through the dashboard with WebSocket support
• Real-time deploys — Server-Sent Events stream deploy progress to the browser
• Agent templates — Pre-built personas to get started faster
• AES-256-GCM encryption — All API keys and tokens encrypted at rest

---

Tech Stack

Layer	Technology
Framework	Next.js 16 (App Router, Turbopack)
Language	TypeScript (strict)
Runtime	Bun
Styling	Tailwind CSS v4 (CSS-first config)
UI	shadcn/ui (new-york style, zinc)
Auth	WorkOS AuthKit (Google OAuth, email, SSO-ready)
Database	Neon (serverless PostgreSQL) + Drizzle ORM
Payments	Stripe Subscriptions
Orchestration	DigitalOcean Kubernetes (DOKS)
Background Jobs	Inngest (cron + event-driven)
Email	Resend
Rate Limiting	Upstash Redis
WhatsApp	Evolution API (self-hosted, QR pairing)
DNS	Cloudflare (wildcard subdomains)
Hosting	Railway or Render

---

Architecture

┌─────────────────────────────────────────────────────────┐
│                    ClawFlint (Next.js)                   │
│                                                         │
│  Dashboard ─── API Routes ─── Stripe Webhooks           │
│       │             │              │                    │
│       ▼             ▼              ▼                    │
│  WorkOS Auth    K8s Client    Inngest Jobs              │
│                     │         (health, cleanup,         │
│                     │          provisioning)            │
└─────────────────────┼──────────────────────────────────┘
                      │
              ┌───────▼───────┐
              │  DOKS Cluster  │
              │  (namespace:   │
              │   clawflint)   │
              ├───────────────┤
              │  Per-bot pod:  │
              │  ┌───────────┐│
              │  │ OpenClaw   ││
              │  │ (main)    ││
              │  ├───────────┤│
              │  │ Chromium   ││
              │  │ (sidecar) ││
              │  ├───────────┤│
              │  │ gost proxy ││
              │  │ (sidecar) ││
              │  └───────────┘│
              │  + Secret     │
              │  + Service    │
              │  + Ingress    │
              └───────────────┘

Per-Bot Kubernetes Resources

Each deployed bot creates:

• Deployment — 3 containers: OpenClaw + Chromium sidecar + gost auth-proxy sidecar
• Service — ClusterIP on port 18789
• Secret — Encrypted env vars (API keys, tokens)
• Ingress — nginx with WebSocket support and trusted-proxy auth

Key Architecture Decisions

1. Kubernetes over VPS — Pods start in <10s vs minutes, built-in isolation, no warm pool
2. Chromium sidecar over Browserbase — OpenClaw expects a static cdpUrl; sidecar provides it at localhost:9222
3. gost proxy sidecar — Chromium can't do authenticated SOCKS5/HTTP proxies natively; gost handles auth
4. Admin panel reverse proxy — Next.js proxies HTTP, injects <base href> and WebSocket redirect script, WS traffic goes direct to nginx ingress
5. SSE for deploy progress — Simpler than WebSockets for one-way streaming
6. AES-256-GCM — All sensitive data encrypted at rest with a 32-byte key

Security

• Pod SecurityContext: runAsNonRoot, readOnlyRootFilesystem, drop ALL capabilities
• NetworkPolicy: default deny ingress between bot pods
• Per-bot K8s Secrets (not shared)
• Rate limiting on all API routes (Upstash Redis)
• Input validation with Zod on all endpoints
• Audit logging for admin actions
• CSRF protection via WorkOS session cookies

---

Getting Started

Prerequisites

• Bun v1.1+
• Node.js v20+ (for some tooling)
• A Neon PostgreSQL database
• A WorkOS account (for auth)
• A Stripe account (for payments)

Installation

# Clone the repo
git clone https://github.com/engmsaleh/deploy-claw.git
cd deploy-claw

# Install dependencies
bun install

# Copy environment variables
cp .env.example .env.local

Environment Variables

Fill in .env.local with your values. See .env.example for the complete list. Key groups:

Group	Variables	Notes
App	NEXT_PUBLIC_APP_URL	Your public URL
Auth	WORKOS_CLIENT_ID, WORKOS_API_KEY, NEXT_PUBLIC_WORKOS_REDIRECT_URI, WORKOS_COOKIE_PASSWORD	Cookie password must be 32+ chars
Database	DATABASE_URL	Neon PostgreSQL connection string
Stripe	STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, STRIPE_*_PRICE_ID	Create products/prices first
Kubernetes	KUBECONFIG_BASE64	Base64-encoded token-based kubeconfig
Encryption	ENCRYPTION_KEY	32-byte hex string for AES-256-GCM
Email	RESEND_API_KEY, RESEND_FROM_ADDRESS	Transactional email
Rate Limiting	UPSTASH_REDIS_REST_URL, UPSTASH_REDIS_REST_TOKEN	Serverless Redis
WhatsApp	EVOLUTION_API_URL, EVOLUTION_API_KEY	Self-hosted Evolution API
Inngest	INNGEST_EVENT_KEY, INNGEST_SIGNING_KEY	Background jobs
AI Providers	ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_AI_API_KEY	For bundled credits
Admin	SUPER_ADMIN_EMAILS	Comma-separated admin emails
Browser	DECODO_USERNAME, DECODO_PASSWORD	Residential proxy (optional)

Database Setup

# Run migrations
bunx drizzle-kit push

# (Optional) Seed with agent templates
bun run scripts/seed.ts

Stripe Setup

# Create Stripe products and prices
bun run scripts/setup-stripe-plans.ts

This creates the Starter ($19/mo), Pro ($39/mo), and Power ($79/mo) plans. Copy the generated price IDs into your .env.local.

Development

# Start the dev server (port 3001)
bun dev

# Run tests
bun test

# Type check + lint + test
bun validate

---

Deployment

Docker

# Build
docker build -t clawflint .

# Run
docker run -p 3000:3000 --env-file .env.local clawflint

Railway

The included railway.json configures:

• Build: Docker image
• Health check: /api/health
• Auto-restart with up to 10 retries

CI/CD

The GitHub Actions pipeline (.github/workflows/deploy.yml):

1. Builds a Docker image with Depot (fast remote builds)
2. Pushes to GitHub Container Registry (GHCR)
3. Triggers a Railway redeploy

Set these in your GitHub repo:

• Secrets: RAILWAY_TOKEN
• Variables: DEPOT_PROJECT_ID, NEXT_PUBLIC_APP_URL, NEXT_PUBLIC_POSTHOG_KEY (optional), NEXT_PUBLIC_POSTHOG_HOST (optional)

---

Kubernetes Cluster Setup

ClawFlint needs a Kubernetes cluster to deploy bot pods. The codebase is tested with DigitalOcean Kubernetes (DOKS), but any K8s cluster should work.

Requirements

1. A K8s cluster with at least 2GB allocatable memory
2. nginx-ingress controller installed with:
   • allow-snippet-annotations: "true"
   • annotations-risk-level: Critical
3. A wildcard DNS record (*.yourdomain.com) pointing to the ingress load balancer
4. A token-based kubeconfig (not exec-based), base64-encoded as KUBECONFIG_BASE64

OpenClaw Container

• Image: ghcr.io/openclaw/openclaw:latest (~1.67GB)
• Memory: 512Mi request, 1200Mi limit
• CPU: 100m request, 1000m limit
• Port: 18789 (gateway, binds to localhost)
• Requires NODE_OPTIONS=--max-old-space-size=768

---

Project Structure

src/
├── app/
│   ├── (auth)/              # Login page
│   ├── (marketing)/         # Landing, pricing, legal pages
│   ├── api/                 # API route handlers
│   │   ├── admin/           # Admin endpoints
│   │   ├── instances/       # Bot CRUD, channels, proxy, admin panel
│   │   ├── proxy/v1/        # AI API proxy (bundled credits)
│   │   ├── stripe/          # Checkout, webhooks, portal
│   │   └── webhooks/        # Evolution API (WhatsApp)
│   ├── dashboard/           # Main dashboard UI
│   └── deploy/              # Deploy wizard
├── components/
│   ├── dashboard/           # Agent cards, channels, usage
│   ├── deploy/              # Wizard steps
│   ├── landing/             # Marketing components
│   ├── layout/              # Shell, sidebar, navbar
│   └── ui/                  # shadcn/ui primitives
├── lib/
│   ├── auth/                # WorkOS helpers
│   ├── billing/             # Subscription logic
│   ├── db/                  # Drizzle schema + client
│   ├── email/               # Resend templates
│   ├── encryption/          # AES-256-GCM
│   ├── inngest/             # Background job definitions
│   ├── k8s/                 # Client, deploy, manifests, health
│   ├── proxy/               # AI proxy, token counting, rate limiting
│   ├── security/            # Admin guards, audit, gateway tokens
│   ├── stripe/              # Client, checkout, webhooks
│   └── whatsapp/            # Evolution API client + webhooks
├── hooks/                   # React hooks
└── types/                   # TypeScript types
tests/
├── unit/                    # Vitest unit tests
├── fixtures/                # Test data
├── helpers/                 # Test utilities
└── mocks/                   # API mocks
drizzle/
└── migrations/              # SQL migration files

---

Database Schema

Table	Purpose
users	User profiles (synced from WorkOS)
subscriptions	Stripe subscription state
instances	Bot instances with K8s deployment refs
channels	Connected messaging channels per instance
usageLogs	AI API token usage per request
spendingCaps	Per-instance spending limits
agentTemplates	Pre-built agent personas
checkoutContexts	Stripe checkout session metadata
auditLogs	Admin action audit trail
fleetConfig	Global fleet configuration

---

Pricing Plans

Plan	Price	Agents	Channels	AI Credits
Trial	Free (24hr)	1	Telegram only	50 messages
Starter	$19/mo	1	1	BYOK only
Pro	$39/mo	2 (up to 5)	3	~200 messages
Power	$79/mo	3 (up to 10)	3	~800 messages

Extra agents: $9/mo each (Pro & Power only).

---

Scripts

Command	Description
bun dev	Start dev server on port 3001
bun build	Production build
bun start	Start production server
bun test	Run all tests
bun test:unit	Run unit tests only
bun test:coverage	Run tests with coverage
bun validate	Type check + lint + tests
bun lint	ESLint

---

Contributing

1. Fork the repo
2. Create a feature branch (git checkout -b feature/my-feature)
3. Make your changes
4. Run bun validate to ensure everything passes
5. Commit with a descriptive message
6. Push and open a pull request

Conventions

• Package manager: bun (never npm/yarn/pnpm)
• File naming: kebab-case for files, PascalCase for components
• Imports: Always use @/ prefix (maps to src/)
• Styling: Tailwind v4 CSS-first config (@theme in globals.css)
• No default exports except pages, layouts, and route handlers
• Validation: Zod schemas for all API inputs
• Error responses: { error: string, details?: unknown }

---

License

MIT

---

Acknowledgments

• OpenClaw — The AI agent runtime that powers every bot
• shadcn/ui — UI component library
• Drizzle ORM — Type-safe database toolkit
• WorkOS — Authentication
• Inngest — Background jobs