Lobu is an open-source multi-tenant gateway for OpenClaw. One sandbox and filesystem per user/channel. Shared memory across contexts. Agents never see secrets.

OpenClaw is a full agent runtime (~800k LOC) but it's single-tenant by design — every user shares the same filesystem and bash session. Lobu rewrites only the gateway layer (~40k LOC) to be multi-tenant and keeps OpenClaw's Pi harness untouched inside each worker.

Embedded mode uses just-bash + Nix for reproducible packages. Each user gets an isolated virtual filesystem and bash session at ~50MB per instance — tested at 300 concurrent instances on a single machine, no Docker needed.

Embed OpenClaw-powered agents into your product, or give your team agents without managing a separate instance per person.

• REST API — programmatic agent creation, control, and state.
• Slack — multi-channel/DM agents with rich interactivity.
• Telegram — long-polling bot with interactive workflows.
• WhatsApp — WhatsApp Business Cloud API.
• Discord — channel + DM bot support.
• Teams — Microsoft Teams bot.

Scaffold and run via the CLI. Lobu boots as a single Node process; you bring your own Postgres (pgvector required — managed instance or local via brew services start postgresql).

npx @lobu/cli@latest init my-bot
cd my-bot
# edit .env to set DATABASE_URL
npx @lobu/cli@latest run

Runtime configuration is managed through the web app or the same org-scoped REST API used by the CLI:

npx @lobu/cli@latest login
npx @lobu/cli@latest org set my-org
npx @lobu/cli@latest agent list

Local lobu.toml projects are still useful for lobu validate and lobu apply workflows.

Single-process Node app. Run it however you run Node — node, pm2, systemd, or another process supervisor. The app needs DATABASE_URL (Postgres + pgvector) reachable from its environment; no orchestrator is required and there is no Helm chart to install.

• Local dev (contributing to Lobu itself): clone, make setup, make dev (boots embedded gateway + workers + Vite HMR on :8787).
• Production: bun run --cwd packages/server build:server, then node packages/server/dist/server.bundle.mjs under your process supervisor of choice.

flowchart LR
  Slack[Slack] <--> GW[Gateway]
  Telegram[Telegram] <--> GW
  WhatsApp[WhatsApp] <--> GW
  Discord[Discord] <--> GW
  API[REST API] <--> GW

  GW <--> PG[(Postgres)]
  GW -->|spawn| W[Worker]

  subgraph Sandbox
    W
  end

  W -.->|HTTP proxy| GW
  W -.->|MCP proxy| GW
  GW -->|domain filter| Internet((Internet))
  GW -->|scoped tokens| MCP[MCP Servers]

Every Lobu agent ships with tools for autonomous execution and persistence:

• Productivity: Google Calendar, Slack, Jira, Notion
• Development: GitHub, GitLab, Postgres, Docker
• Knowledge: Wikipedia, Brave Search, YouTube, PDF Search

• Gateway as single egress. All worker traffic — internet and MCP — routes through the gateway. Workers have no direct network access; domain filtering controls which services they reach.
• MCP proxy. Gateway resolves ${env:VAR} secrets and routes to upstream MCP servers. OAuth for third-party APIs stays in Lobu — workers never see tokens.
• Multi-platform, multi-tenant. One instance serves Slack, Telegram, WhatsApp, Discord, Teams, and the REST API. Each channel/DM gets its own runtime, model, tools, credentials, and Nix packages.
• OpenClaw runtime. Workers run OpenClaw Pi Agent with per-agent model selection. Supports OpenClaw skills and IDENTITY.md / SOUL.md / USER.md workspace files.
• Multi-provider auth. 16 LLM providers (OpenAI, Gemini, Groq, DeepSeek, Mistral, …) via a config-driven registry. API keys stay on the gateway.

Lobu is the infrastructure layer for autonomous agents. Frameworks like LangChain or CrewAI help you write agent logic; Lobu is the delivery layer that runs those agents at scale — sandboxing, persistence, and messaging connectivity.

• Worker egress through the gateway proxy — HTTP_PROXY=http://localhost:8118 with allowlist/blocklist + LLM egress judge. On Linux production hosts the worker spawn uses systemd-run --user --scope with IPAddressDeny=any to enforce egress at the kernel level; in dev (macOS) the proxy is best-effort.
• Secrets stay in gateway — provider credentials and ${env:} substitution; OAuth lives in Lobu. Workers never see real keys.
• Threat model: single-tenant local isolation — just-bash and isolated-vm are policy + best-effort sandboxes, not security boundaries for hostile code. See docs/SECURITY.md before exposing Lobu to untrusted users.
• Nix system packages — per-agent reproducible tooling and skill policy.

Lobu is open source, but deploying production-grade agents usually means tuning soul, identity, and integrations. I offer hands-on implementation for:

• Employee AI assistants — persistent sandboxed agents on Slack wired into internal tools and docs.
• Automated customer support — multi-step ticket handling with human-in-the-loop.
• Autonomous workflows — long-running, scheduled background jobs with persistent state.
• Managed infrastructure — private Lobu deployments with updates and scaling.
• Custom tooling & skills — bespoke MCP servers, Nix runtimes, and OpenClaw skills.

I'm a second-time technical founder. Previously founded rakam.io (enterprise analytics PaaS), acquired by LiveRamp (NYSE: RAMP).