Let AI Act
in the Real World.
Without Losing Control.
The governed execution layer for autonomous AI systems.
Spawn agents. Execute tasks. Coordinate systems. Every action is governed before it runs, optionally approved by humans, and cryptographically recorded with proof.
Three Modes of Governance
One Agent. Three Operating Modes.
Every mode runs the same five-gate governance pipeline, the same cryptographic proof, the same transparency log. What changes is how much human involvement you want.
Chat Mode
Human-in-the-loop. You direct the agent through natural language. Every tool call is proposed, explained, and requires your approval before execution. Full governance pipeline runs on every action.
- •Conversational interface
- •Human approval on every action
- •Step-by-step task execution
- •Full proof bundle per decision
Autonomous Mode
The agent runs on its own — on a heartbeat schedule and on event triggers — using a playbook of recipes matched to its profile. Every autonomous tool call still passes the same five governance gates, produces the same signed commitment, and is anchored to the same Merkle transparency log as Chat Mode. You watch it execute in a time-indexed timeline; humans are only pulled in when a gate escalates.
- •Scheduled heartbeats (daily / weekly / monthly cadences)
- •Profile-matched playbook recipes (mail, drive, billing, monitor, more)
- •Run-now, propose, approve, reject and disable per recipe
- •Time-indexed governance timeline with cryptographic proof per row
- •Surfaced persistence failures — no silent drift
- •Policy-bounded autonomy with human escalation on gate violations
SOC Mode
Autonomous Security Operations Centre. A deterministic, rule-based detection engine runs scheduled recipes, correlates signals into findings, auto-promotes findings to incidents, and an alarm-driven playbook executor advances each incident through triage and containment — all rule-evaluated and cryptographically governed, with bounded read-only LLM sub-tasks inside two investigation playbooks. Incident resolution and close remain operator-gated. Every detection, response, and remediation action is five-gate governed, cryptographically signed, and Merkle-anchored.
- •Scheduled detection → finding → incident lifecycle
- •Per-tenant Autonomous Action Manifest with per-hour ceilings
- •On-call escalation with SLA teeth on out-of-scope actions
- •Signed NIS2 / DORA / SOC 2 compliance packs on close
- •HCE Ω-breach auto-disable + transparency-log anchored proof
Same protocol. Same five gates. Same Merkle-anchored proof. The governance standard does not change between modes — only the level of human involvement. Every mode produces identical, independently verifiable proof bundles.
This is not a chatbot.
This is not an agent framework.
OpenClaw Starter is the execution layer for autonomous AI systems.
Agents don't just generate text — they take actions:
sending emails, rotating keys, deploying systems, coordinating workflows.
OpenClaw ensures every action is evaluated, controlled, and provable before it executes.
- Spawn sub-agents to parallelize work
- Delegate tasks across execution chains
- Coordinate tools across infrastructure, identity, and memory
- Persist state across sessions
- Act continuously via schedules and events
- Every action evaluated through five governance gates
- Human approval enforced when required
- Execution cryptographically bound to authorization
- Full audit trail anchored in a Merkle transparency log
- No silent failures. No invisible drift.
Autonomy without governance is risk.
Governance without autonomy is useless.
OpenClaw gives you both — systems that can act independently, and guarantees that every action is justified, controlled, and provable.
01 — Sovereign Memory
Memory that proves itself.
Rules that don't drift.
An agent that runs thousands of tasks per week is only as trustworthy as the memory underneath it. Most platforms gave their agents a notebook. We gave ours a ledger — and a constitution. This is the strategic foundation every other capability on this page sits on top of.
A ledger, not a notebook.
Every fact the agent learns and every decision it makes is anchored as a leaf on the same transparency log that gates its tool calls. Recall is newest-first by construction — not best-effort sorting at display time. If the index isn't fully consistent yet, the system says so out loud instead of returning a partial guess.
- •Newest-first retrieval at any volume — thousands of executions don't hide the latest ones
- •Truth over availability — partial views are refused, not faked
- •Every memory write is a signed leaf in the same Merkle log as governance decisions
- •Tampering surfaces immediately through daily integrity checks
Your preferences. Enforced as a contract.
Most agents try to remember how you want things done. Ours executes a signed rulebook — the policies, preferences, and approvals you've established become a versioned, cryptographically committed contract that the agent is bound to. The agent doesn't drift between sessions. It doesn't quietly relearn. It runs the rulebook you signed.
- •Preferences and approvals are committed to the same governance chain
- •Every rulebook change is a signed amendment with a verifiable history
- •Autonomous runs prove which rulebook version they executed against
- •Roll back to any prior rulebook with a full audit trail
Your agent's memory and rulebook export as a single sovereign bundle. Move it between environments. Your institutional memory is yours — not stranded inside someone else's product.
Every memory entry, every rulebook amendment, every governed decision lives on the same timeline. One scrub bar across what the agent knew, what it was allowed to do, and what it actually did.
When the question becomes “how do you know?”, the answer isn't a screenshot. It's a verifiable proof chain pointing at the exact memory leaf and the exact rulebook clause the agent acted on.
Multi-agent security operations are only as defensible as the memory and rulebook beneath them. SOC Mode — now live — inherits exactly this substrate: a tamper-evident memory of every detection and every response, and a signed rulebook of escalation policies that no agent (and no operator) can quietly redraft. The same proof model that anchors a single agent today scales to a coordinated fleet under continuous five-gate governance.
Independently Verifiable
Three classes of proof.
One verifier. Zero accounts.
Three signed leaf classes are now exposed on the public verifier surface, all anchored in the same Merkle transparency log. Walk any of them from any browser at /verify/ — no account, no SDK. Hash lookup hits a public read-only endpoint; every cryptographic check (schema, leaf hash, intent hash, signature) runs client-side in your browser via the Web Crypto API against the public JWKS.
GOVERNANCE_ENVELOPE_V1
Every five-gate decision the platform admits or refuses. The signed receipt that binds an authorization to a specific tool call, policy version, and rulebook clause.
- •One leaf per governed action
- •Anchors gate decisions G1–G5
- •Hybrid Ed25519 signature
WORKBENCH_AUDIT_EXPORT_V1
Signed compliance packs from SOC Mode investigations. The regulator-grade NIS2 / DORA / SOC 2 writeups, sealed at incident close with a hash that pins every detection and response inside.
- •One leaf per closed incident
- •Pins every action manifest entry
- •Auditor-shareable, browser-verifiable
AGTS_COGNITION_V1
Cognition leaves — the epistemic record of how the agent reached a decision. Chain-walk from the final admission back through every intermediate candidate to the governance envelope that authorized the deliberation.
- •Parent-hash chain across leaf classes
- •Schema, leaf, intent, signature checked independently
- •DEMONSTRATION leaves marked inadmissible by mode
Paste any leaf hash. Walk the chain. Watch schema, leaf hash, intent hash, and signature flip green — or red, on the tamper-test panel. Hash lookup is the only thing sent to us; every cryptographic verdict is computed in your browser, trusting nothing from our servers beyond the public JWKS.
Same Merkle log. Same signing key. Same JWKS. Three leaf classes, one independent verification surface.
02 — What You Can Do
Real scenarios.
Real governance.
Agent evaluates deployment risk. Low risk deploys automatically. High risk requires human approval. Dangerous changes are blocked.
Agent proposes key rotation. Governance requires approval. Execution is logged with cryptographic proof. Full audit trail.
Scheduled agent scans systems on a cadence. Only alerts when governance detects risk. Every scan decision is provable and replayable.
03 — The Execution Model
Controlled Execution.
Not a Chat Loop.
This is not request → response. This is a governed execution cycle where the agent plans, acts, evaluates outcomes, and continues — under enforced control.
- Agent receives a goal
- Builds a plan across tools and steps
- Executes actions through governed tool calls
- Evaluates results and adjusts strategy
- Continues until completion or human decision
- No action executes without governance approval
- Every decision produces a signed commitment
- Execution is cryptographically bound to authorization
- Failures trigger reflection, not blind retries
- All steps are recorded in an immutable audit log
Each stage produces a verifiable artifact: governance envelope, signed commitment, execution trace, and audit record.
Deterministic execution loop. No undefined behavior.
The system does not stop at one loop.
- Agents spawn sub-agents for parallel execution
- Tasks are delegated across governed chains
- Each sub-agent runs its own execution cycle
- Results are merged into a final outcome
- All delegation is cryptographically linked and auditable
This is how AI systems operate in production.
Not single responses — but continuous execution, coordinated actions, and verifiable outcomes.
04 — Five-Gate Governance
Five gates.
Every action.
All tiers use identical five-gate governance. The same cryptographic proof chain. The same transparency log.
05 — What This Replaces
One system.
Not six vendors.
- Agent framework
- Tool orchestration layer
- Memory API
- Guardrails / policy engine
- Workflow system
- Audit logging
One governed execution system.
All six layers unified.
Every action evaluated.
Every outcome provable.
Chatbots generate text. OpenClaw governs real execution with proof chains.
Frameworks let agents act. OpenClaw ensures every action is evaluated before it runs.
Guardrails filter output. OpenClaw governs the execution itself with cryptographic accountability.
06 — The 6-Layer Agent Stack
Every layer.
One governed platform.
AI agents need six infrastructure layers to operate in the real world. The industry is assembling these from dozens of point solutions — a sandbox vendor, an email startup, a memory API, a billing shim, and hand-rolled orchestration. OpenClaw Starter delivers all six, governed end-to-end.
11 Workers, health monitoring, VPN tunnels, distributed tracing, alerting pipeline
Claw Passport (Ed25519 + PQC), sovereign mail, encrypted drive, peer-to-peer trust
Five-gate firewall, BFT consensus, Merkle transparency log, policy management
Atomic institutional memory — newest-first at any volume, notarized facts, complete or it doesn't ship
HCE risk-tier pricing, log leaves = receipts, provisioning, budget controls
Sub-agent spawning, cascading delegation, result merge, workflow templates
A sandbox vendor for compute. An email startup for identity. A memory API. A tool integration layer. A billing shim. Hand-rolled orchestration. Six vendors, six auth flows, zero governance between them. End-to-end reliability is the product of each layer's reliability — five layers at 99% each = 95%.
One platform. 64 governed tools. All six layers unified behind a single MCP Gateway. Every tool invocation passes through the same five-gate pipeline, produces the same cryptographic proof chain, and anchors in the same Merkle transparency log. No shims. No duct tape.
Recall vs Proof.
The memory gap most agent platforms still haveMainstream agent memory is built to remember. Ours is built to prove. The difference shows up the moment an agent runs thousands of tasks, the moment a regulator asks “how do you know?”, and the moment you try to take your agent somewhere else.
07 — LLM Routing & Sovereign Headers
Choose your model.
Keep your governance.
Workers AI
Llama 3.1 8B inference at the edge, included free. No API keys needed. Every response governed through the five-gate pipeline.
AI Gateway
Bring your own API keys for OpenAI, Anthropic, or Google. Routed through Cloudflare AI Gateway with sovereign headers for governance inspection.
Managed
ObligationSign-provisioned keys with premium model access. Full SLA, dedicated support, unlimited governance events.
When OpenClaw Starter routes through the AI Gateway, every outbound request includes sovereign headers — the governance commitment hash, agent ID, and governance mode. The AI provider receives cryptographic context proving the request was governed before it was sent.
The same headers are used for BYOK and Managed tiers. The governance record is anchored before the LLM call is made.
08 — Edge Architecture & Billing
100% edge.
Log leaves are the billing obligation.
Higher governance risk = higher cost per leaf. Agents that stay compliant pay less. Economic incentive and governance constraint — mathematically unified via IEED.
09 — Quick Start
Three steps.
Governed AI.
Create an Agent
{ "name": "my-agent" }
Connect via WebSocket
Upgrade: websocket
Verify Governance
→ { leaf_hash, verdict }
Every Action.
Every Commitment.
Independently Verifiable.
Launch a dashboard. Deploy an agent. Watch it plan, govern, execute, and prove. 64 tools. One governed execution layer. One transparency log.