Lobu is an open-source multi-tenant gateway for OpenClaw: one sandbox and filesystem per user/channel, shared memory across contexts, and agents that never see secrets. OpenClaw is a full agent runtime (~800k LOC) but it's single-tenant by design — every user shares the same filesystem and bash session. Lobu rewrites only the gateway layer (~40k LOC) to be multi-tenant and keeps OpenClaw's Pi harness untouched inside each worker.

Embedded mode uses just-bash + Nix for reproducible packages: each user gets an isolated virtual filesystem and bash session at ~50MB per instance — tested at 300 concurrent instances on a single machine, no Docker needed. Embed OpenClaw-powered agents into your product, or give your team agents without managing a separate instance per person.

Scaffold and run via the CLI. Lobu boots as a single Node process with a zero-config embedded Postgres by default (or bring your own — pgvector required — via DATABASE_URL).

npx @lobu/cli@latest init my-bot
cd my-bot
npx @lobu/cli@latest run                      # boots the stack and applies your agent
npx @lobu/cli@latest chat -c local "hello"    # talk to it

lobu run (embedded) auto-applies your lobu.config.ts, so the scaffolded agent is usable immediately. To use an external Postgres, set DATABASE_URL in .env; to push later config changes, run lobu apply. The same agents are reachable over a REST API and every chat platform — see Channels.

flowchart LR
  Slack[Slack] <--> GW[Gateway]
  Telegram[Telegram] <--> GW
  WhatsApp[WhatsApp] <--> GW
  Discord[Discord] <--> GW
  API[REST API] <--> GW

  GW <--> PG[(Postgres)]
  GW -->|spawn| W[Worker]

  subgraph Sandbox
    W
  end

  W -.->|HTTP proxy| GW
  W -.->|MCP proxy| GW
  GW -->|domain filter| Internet((Internet))
  GW -->|scoped tokens| MCP[MCP Servers]

Every Lobu agent ships with tools for autonomous execution and persistence:

One instance serves Slack, Telegram, WhatsApp, Discord, Teams, Google Chat, and a REST API . Each channel/DM gets its own runtime, model, tools, credentials, and Nix packages. Webhook is the default transport (Telegram also supports polling).

• Productivity: Google Calendar, Slack, Jira, Notion
• Development: GitHub, GitLab, Postgres, Docker
• Knowledge: Wikipedia, Brave Search, YouTube, PDF Search

• OpenClaw runtime. Workers run OpenClaw Pi Agent with per-agent model selection, OpenClaw skills, and IDENTITY.md / SOUL.md / USER.md workspace files.
• Multi-provider auth. 16 LLM providers (OpenAI, Gemini, Groq, DeepSeek, Mistral, …) via a config-driven registry. API keys stay on the gateway.

Lobu is the infrastructure layer for autonomous agents. Frameworks like LangChain or CrewAI help you write agent logic; Lobu is the delivery layer that runs those agents at scale — sandboxing, persistence, and messaging connectivity.

Runtime configuration is managed through the web app or the same org-scoped REST API used by the CLI:

npx @lobu/cli@latest login
npx @lobu/cli@latest org set my-org
npx @lobu/cli@latest agent list

Local lobu.config.ts projects are still useful for lobu validate and lobu apply workflows.

Single-process Node remains the simplest deployment: run it with node, pm2, systemd, or another process supervisor. The app needs DATABASE_URL (Postgres + pgvector) reachable from its environment.

• Local dev (contributing to Lobu itself): clone, make setup, make dev (boots embedded gateway + workers + Vite HMR on :8787).
• Production (VM/bare metal): bun run --cwd packages/server build:server, then node packages/server/dist/server.bundle.mjs under your process supervisor of choice.
• Production (Docker): a single self-hosting image — see docs/DOCKER.md.
• Production (Kubernetes): use the public Helm chart in charts/lobu:

  helm install lobu oci://ghcr.io/lobu-ai/charts/lobu \
    --namespace lobu --create-namespace \
    -f your-values.yaml

  See charts/lobu/values.yaml for the full set of tunables. At minimum supply an ingress host, a secretName Secret containing DATABASE_URL + ENCRYPTION_KEY + BETTER_AUTH_SECRET + provider API keys, and a database.existingSecret.

• Worker egress through the gateway proxy — HTTP_PROXY=http://localhost:8118 with allowlist/blocklist + LLM egress judge. On Linux production hosts the worker spawn uses systemd-run --user --scope with IPAddressDeny=any to enforce egress at the kernel level; in dev (macOS) the proxy is best-effort.
• Secrets stay in gateway — provider credentials and ${env:} substitution; OAuth lives in Lobu. Workers never see real keys.
• Threat model: single-tenant local isolation — just-bash and isolated-vm are policy + best-effort sandboxes, not security boundaries for hostile code. See docs/SECURITY.md before exposing Lobu to untrusted users.
• Nix system packages — per-agent reproducible tooling and skill policy.

Lobu is open source, but deploying production-grade agents usually means tuning soul, identity, and integrations. I offer hands-on implementation for:

• Employee AI assistants — persistent sandboxed agents on Slack wired into internal tools and docs.
• Automated customer support — multi-step ticket handling with human-in-the-loop.
• Autonomous workflows — long-running, scheduled background jobs with persistent state.
• Managed infrastructure — private Lobu deployments with updates and scaling.
• Custom tooling & skills — bespoke MCP servers, Nix runtimes, and OpenClaw skills.

I'm a second-time technical founder. Previously founded rakam.io (enterprise analytics PaaS), acquired by LiveRamp (NYSE: RAMP).