惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

MyScale Blog
MyScale Blog
Microsoft Azure Blog
Microsoft Azure Blog
H
Help Net Security
N
News and Events Feed by Topic
Recent Announcements
Recent Announcements
D
Docker
M
MIT News - Artificial intelligence
L
LangChain Blog
I
InfoQ
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
P
Proofpoint News Feed
博客园_首页
MongoDB | Blog
MongoDB | Blog
美团技术团队
S
Schneier on Security
G
GRAHAM CLULEY
月光博客
月光博客
有赞技术团队
有赞技术团队
Vercel News
Vercel News
Scott Helme
Scott Helme
P
Privacy International News Feed
Last Week in AI
Last Week in AI
Recorded Future
Recorded Future
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
The Cloudflare Blog
Attack and Defense Labs
Attack and Defense Labs
Google Online Security Blog
Google Online Security Blog
Simon Willison's Weblog
Simon Willison's Weblog
量子位
S
Security @ Cisco Blogs
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
V
Visual Studio Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
NISL@THU
NISL@THU
N
Netflix TechBlog - Medium
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Spread Privacy
Spread Privacy
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
小众软件
小众软件
罗磊的独立博客
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Threatpost
L
Lohrmann on Cybersecurity
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Security Affairs
Cloudbric
Cloudbric
爱范儿
爱范儿
H
Heimdal Security Blog
PCI Perspectives
PCI Perspectives

Hacker News - Newest: "OpenClaw"

OpenClaw just launched an official app for iPhone, details here - 9to5Mac OpenClaw Launch — Deploy AI Chatbots in Seconds Self-Host OpenClaw AI Agent on VPS: Full Setup Guide GitHub - xltvy/openclaw-memgpt: OpenClaw plugin that gives agents MemGPT-style memory: tiered core/archival/recall storage, self-directed memory operations via tool calls, memory-pressure warnings, and recursive summarisation. Integrates the reference MemGPT implementation via a local sidecar service, preserving the original architecture without reimplementation. Malicious AI 23 ClawHub Plugins Squat Official Org Scopes - Manifold Security what shipping OpenClaw in production taught us — AutoClaw AgentLine — AI Phone API | Phone Numbers, Voice & SMS for AI Agents Make Your OpenClaw Agent Cheaper, and Measure It Yourself GitHub - sammysltd/OpenEmployee: Make your OpenClaw agent employable: deny-by-default governance, budgets, allowlists, approval gates, and a signed audit trail via MakerChecker. Migrate from OpenClaw | Hermes Agent StackOverflow closed my OpenClaw and paperclipAI integration q. as "irrelevant" GitHub - sausin/outpost: Removing AI agents' quiet security problem Potassium — ClawHub Plugins Pi Building Pi, Openclaw's Minimalist Coding Agent | Mario Zechner, Creator of Pi I Spent 4 Hours So You Don’t Have To: Hetzner Metal + NixOS in ~15 Minutes − Irakli's blog GitHub - snuri00/osint-mcp: Self-hosted OSINT toolkit — MCP server, AI REPL, CLI, web app & chat apps (WhatsApp/Telegram/Discord via OpenClaw). Entity, event/news & social/community intelligence. Keyless-first. What a Regex Can't Do GitHub - ai-sns/openclaw-hermes-agent-network: OpenClaw Hermes AI Agent Social Network🦞💬🦞Built on Google 3D Maps and A2A protocol, connects OpenClaw and Hermes agents worldwide in a 3D environment. Phishing for Lobsters: How We Tricked OpenClaw into Spilling Secrets GitHub - CODEANDTRUST/clawcall: Give your OpenClaw / self-hosted AI agent inbound phone calls - a Twilio-to-gateway voice bridge with working agent tools mid-call (MIT). Build a ZeroCost Web Automation Pipeline with OpenRouter, OpenClaw, and MediaUse Let OpenClaw Run Wild in Simulation, Not on Your Customers | Veris AI GitHub - gpdir16/tabyAgent: A lighter, easier alternative to OpenClaw/Hermes. Runs autonomously inside Docker and chats with you through Telegram. Ask HN: What are the biggest problems you find in OpenClaw/Hermes? Microsoft launches Scout, an OpenClaw-inspired personal assistant GitHub - openclaw/openclaw-windows-node: Windows companion suite for OpenClaw - System Tray app, Shared library, Node, and PowerToys Command Palette extension Microsoft unveils Scout, an autonomous AI agent built on OpenClaw Gavriel Cohen found his own code inside OpenClaw, so he walked away GitHub - hunvreus/heypi: Chat agents for your team, with approvals and sandboxed tools. Slack, Discord, Telegram, webhooks. HolaClaw: run OpenClaw securely in Mac Multi-Agent Orchestration System: Hermes (Windows) ↔ OpenClaw (WSL) We were building infra for OpenClaw, and today I just tried Hermes and holy shit GitHub - openclaw/openclaw: Your own personal AI assistant. Any OS. Any Platform. The lobster way. 🦞 OpenClaw as the Universal Operating System for Agents ARC Prize - Community Leaderboard Setup OpenClaw with Slack: from install to first message twitter.com I Gave My OpenClaw Agent a Physical Body Use Grok in OpenClaw The creator of OpenClaw used $1,300,000+ of OpenAI tokens in 30 days, which is a hell of a perk GitHub - oswarld/openshears: 🔪 THE OPENCLAW TERMINATOR 🦞 Are we human? Show HN: OpenClaw is just not dangerous enough. I needed something else OpenClaw creator burned through $1.3 million in OpenAI API tokens in a single month — bill covered 603 billion tokens across 7.6 million requests and 100 coding agents Reducing OpenClaw token usage OpenClaw/Hermes Hosting Comparison GitHub - ExTV/rikkahub-agent: RikkaHub Agent -- is RikkaHub fork that have Full agent mode . For $1.3 million a month, OpenClaw founder Peter Steinberger runs 100 AI agents that code, review PRs, and find bugs Where OpenClaw Security Is Heading OpenAI Models in OpenClaw, Done Right GitHub - thesysdev/openclaw-os: The default workspace for OpenClaw Token, Harness, OpenClaw, RAG, MCP, Agent – What's the Difference? We need a safe alternative to Telegram for agents like OpenClaw or Hermes Two OpenClaw agents negotiate a YC SAFE with Agentic Power of Attorney OpenClaw Had a Rough Week GitHub - LobsterTrap/tank-os GitHub - haishmg/Clawback How OpenClaw Got Safer in Public openclaw ggsql — ClawHub Show HN: iClaw is part OpenClaw, part Siri, powered by Apple Intelligence GitHub - lotsoftick/openclaw_client: OpenClaw web client Show HN: OpenClaw but Efficient and with an SDK GitHub - TheGuyWithoutH/mac-computer-use GitHub - microsoft/openclaw: Your own personal AI assistant. Any OS. Any Platform. The lobster way. 🦞 The OpenClaw turkey problem OpenClaw: opioids for Chinese AI companies GitHub - supersuit-tech/permission-slip [AINews] The Two Sides of OpenClaw OpenClaw stats don't add up GitHub - brexhq/CrabTrap: An LLM-as-a-judge HTTP proxy to secure agents in production Anthropic - OpenClaw Hustlers are cashing in on China’s OpenClaw AI craze Engineering Managers are going to hate OpenClaw GitHub - opentalon/opentalon: OpenTalon is an open-source platform built from the ground up in Go as a robust alternative to OpenClaw Ask HN: Who is using OpenClaw? Why Meta’s AI Alignment Director Couldn't Stop Her Own Agent—and How to Fix It GitHub - epsilla-cloud/clawtrace: Make your OpenClaw agents better, cheaper, and faster. Ask HN: What are you using OpenClaw or agents for? GitHub - epsilla-cloud/clawtrace: Make your OpenClaw agents better, cheaper, and faster. GitHub - theprint/nfh-self-improvement-loop: Minimal adversarial framework for AI agent self-modification. Inspired by karpathy/autoresearch. GitHub - ibrahimmukherjee-boop/ClearFrame: OpenClaw Alternative with better governance, security Show HN: Agent-Notifications – Real-Time Alerts for OpenClaw and Hermes Agents OpenClaw + Claude are better than therapy GitHub - zeulewan/glueclaw: Use Claude Max subscription with OpenClaw again Anthropic temporarily banned OpenClaw’s creator from accessing Claude OpenClaw’s memory is unreliable, and you don’t know when it will break Give Your OpenClaw Agent a Real Memory You need a Windows Remote Desktop, not an OpenClaw GitHub - cezarpena/vsm-cell: VSM-Cell is an OpenClaw agent P2P mesh orchestration standalone app. GitHub - joshchoi4881/dropspace-agents GitHub - askalf/dario: Universal LLM router. One local endpoint, every provider — OpenAI, Groq, OpenRouter, Ollama, Claude Max/Pro subscriptions, the Claude Agent SDK, any OpenAI-compat URL. Your tools stop caring which vendor is upstream. Tutorial: Secure OpenClaw with CloudConnexa OpenClaw and the Dream of Free Labour GitHub - RageDotNet/openclaw-webdav GitHub - kevinslin/openai-apps: Support openai apps in openclaw GitHub - aelaguiz/doctrine: Code-like DSL and compiler for agent workflows that compile to portable AGENTS.md instructions. Unlocking cloud inference compute for OpenClaw OpenClaw for Sales: How AI Agents are Revolutionizing Revenue Teams | Kickscale OpenClaw Architecture - Part 1: Control Plane, Sessions, and the Event Loop
GitHub - cruxdigital-llc/CongaLine: Deploy and manage a fleet of OpenClaw AI assistants anywhere. Supporting hobbyist, team, and enterprise use cases.
2026-04-08 · via Hacker News - Newest: "OpenClaw"

License Go Terraform

AI agents

Self-host a fleet of isolated AI agents — each with its own container, network, secrets, and identity — managed through a single CLI. Choose your runtime (OpenClaw or Hermes Agent), connect them to Slack or Telegram, and deploy anywhere: your laptop, a $5 VPS, a Raspberry Pi, or a hardened AWS account.

CongaLine n. A single-file procession of spiny lobsters that travel in physical contact during seasonal migration, reducing hydrodynamic drag and offering collective protection from predators.

Key Features

  • Pluggable agent runtimes — choose OpenClaw or Hermes per agent. Same Conga infrastructure, your choice of agent. Adding a third runtime is one Go package.
  • Multi-channel support — Slack and Telegram out of the box, each with its own central router that fans events out to per-agent containers
  • Promotion pipeline — develop locally, validate on a remote host, enforce in production. Same config at every tier.
  • Per-agent isolation — separate Docker containers, networks, secrets, and config
  • Portable deployment policy — define egress rules, model routing, and security posture in a single conga-policy.yaml. Each provider enforces what it can and reports the gap.
  • Channels optional — use via web UI (gateway) only, or connect to Slack/Telegram for messaging
  • Two agent types — user agents (DM-only) for individuals, team agents (channel-based) for groups
  • CLI for everything — operators and end users manage agents, secrets, and infrastructure through the conga CLI
  • Modular provider system — pluggable deployment targets (AWS, local, remote, future: Kubernetes, ECS)

Architecture

┌─────────────────────────────────────────────────────┐
│                    CLI Commands                      │
│  (setup, add-user, policy, channels, status, ...)    │
└────────────────────┬─┬──────────────────────────────┘
                     │ │
        Provider     │ │ Runtime    (orthogonal)
        (where)      │ │ (what)
                     ▼ ▼
       ┌─────────────────────────────┐
       │  Any Provider × Any Runtime  │
       └─────────────────────────────┘
       │                             │
   ┌───┴───────┐                 ┌───┴────┐
   ▼           ▼                 ▼        ▼
┌──────┐  ┌────────┐  ┌────────────┐  ┌────────┐
│ AWS  │  │ Remote │  │  OpenClaw  │  │ Hermes │
│      │  │  SSH   │  │  Node.js   │  │ Python │
│ Local│  │        │  │ JSON cfg   │  │YAML cfg│
└──────┘  └────────┘  └────────────┘  └────────┘

Provider decides where an agent runs (AWS, local Docker, remote SSH host). Runtime decides what agent runs (OpenClaw, Hermes, future runtimes). The two are orthogonal — any provider works with any runtime.

Separation of Concerns

Layer Managed by What it does
Infrastructure Terraform (AWS), conga admin setup (remote/local) VPC/EC2, remote host, or local Docker environment
Configuration CLI (conga admin setup) Runtime selection, model, shared secrets, Docker image
Agents CLI (conga admin add-user/add-team) Per-agent containers, configs, routing, secrets
Policies CLI (conga policy) Egress rules, security posture, routing enforcement
Channels CLI (conga channels) Slack/Telegram routers, agent-channel bindings

Supported Runtimes

Runtime Language Config Default Image Notes
OpenClaw Node.js openclaw.json ghcr.io/openclaw/openclaw:2026.3.11 Native Slack via webhook plugin
Hermes Python config.yaml nousresearch/hermes-agent:latest OpenAI-compatible API on port 8642

Adding a third runtime is a single Go package under pkg/runtime/<name>/ implementing the 22-method Runtime interface. No changes to providers, CLI, or core logic.

Note: Multi-runtime support is fully wired on the local provider today. The remote and AWS providers currently default to OpenClaw — Runtime interface integration on those providers is on the roadmap.

Supported Channels

Channel Setup Router Notes
Slack conga channels add slack Socket Mode → HTTP fan-out Walks you through creating a Slack app with the right scopes
Telegram conga channels add telegram Long-polling (or webhook in production) Walks you through @BotFather setup

Each channel runs a dedicated router container (conga-router, conga-telegram-router) that holds the single platform connection and fans events out to per-agent containers based on routing rules. One crash on Slack doesn't affect Telegram.

Bootstrap from Manifest

The fastest way to stand up a complete environment — one file, one command.

1. Create a manifest

Copy the example and customize:

cp demo.yaml.example demo.yaml
# Edit demo.yaml: set SSH host, Slack IDs, etc.

2. Create an env file with secrets

cat > demo.env << 'EOF'
ANTHROPIC_API_KEY=sk-ant-...
# Slack (optional)
SLACK_BOT_TOKEN=xoxb-...
SLACK_SIGNING_SECRET=...
SLACK_APP_TOKEN=xapp-...
# Telegram (optional)
TELEGRAM_BOT_TOKEN=123456789:ABC...
EOF

3. Bootstrap

conga bootstrap demo.yaml --env demo.env

This provisions the entire environment in one shot: server setup, agents, secrets, Slack channels, channel bindings, and egress policy. Each step is idempotent — re-running skips completed work.

The provider field in the manifest selects the deployment target (local, remote, or aws). Secrets use $VAR references expanded from the env file — they're never stored in the manifest.

Note: bootstrap is additive — it creates and configures resources but never removes them. For full declarative lifecycle management (plan, apply, destroy), a Terraform provider is planned.

After bootstrap, use the CLI and MCP tools for ongoing changes:

conga policy set-egress --allowed-domains "api.example.com"   # modify policy
conga policy deploy                                            # push to agents
conga admin add-user newagent                                  # add more agents
conga channels bind newagent slack:U0123456789                 # bind to Slack

Quick Start (Local Docker)

The fastest way to get running — no AWS account needed.

Prerequisites

  • Docker Desktop installed and running
  • Go >= 1.25 (to build the CLI)
  • Anthropic API key

1. Build the CLI

go build -o /usr/local/bin/conga ./cmd/conga

2. Setup local environment

conga admin setup --provider local --runtime hermes   # or --runtime openclaw

This will prompt for the repo path (auto-detected), the LLM model (for Hermes), and the Docker image. Defaults are sensible — you can press Enter through most prompts. Channels are configured separately via conga channels add.

3. Add an agent

conga admin add-user myagent

The agent inherits the runtime selected during setup. No channel binding needed for gateway-only mode.

4. Set your API key

conga secrets set anthropic-api-key --agent myagent --value sk-ant-...
conga refresh --agent myagent
conga status --agent myagent

conga status shows port mappings with service labels:

Ports:
  8642 → localhost:18789  (gateway)
  8644 → localhost:18790  (webhook)

5. (Optional) Connect a channel

conga channels add slack         # walks you through creating a Slack app
# or
conga channels add telegram      # walks you through creating a bot via @BotFather

conga channels bind myagent slack:U0123456789      # for Slack DMs
conga channels bind myagent telegram:123456789     # for Telegram DMs

Each channels add command displays a step-by-step guide explaining where to obtain the credentials.

6. Connect to the web UI

conga connect --agent myagent

Open the URL in your browser. Device pairing is auto-approved.

7. Teardown (when done)

conga admin teardown --force

Removes all containers, networks, routers, and local config.

Quick Start (Remote — VPS, Bare Metal, Any SSH Host)

Deploy to any Linux machine you can SSH into — a cloud VPS (Hetzner, DigitalOcean, Linode, Hostinger), a Raspberry Pi, a Mac Mini, a colocated server, or anything else running Linux with 4GB+ RAM.

Prerequisites

  • Any SSH-accessible Linux host with 4GB+ RAM and 10GB+ free disk
  • SSH key authentication configured (password auth not supported)
  • Go >= 1.25 (to build the CLI)
  • Anthropic API key

Docker is installed automatically during setup if not already present.

1. Build the CLI

go build -o /usr/local/bin/conga ./cmd/conga

2. Setup remote environment

conga admin setup --provider remote

This will prompt for:

  • SSH connection details (host, port, user, key path)
  • Docker image (auto-installs Docker if needed)
  • Slack tokens (optional — skip for gateway-only web UI)

3. Add an agent

conga admin add-user myagent

With Slack:

conga admin add-user myagent U0123456789

4. Set your API key and start

conga secrets set anthropic-api-key --agent myagent
conga refresh --agent myagent
conga status --agent myagent

5. Connect

conga connect --agent myagent

Opens an SSH tunnel to the remote host's gateway. Open the URL in your browser — no ports are exposed to the internet.

6. Teardown (when done)

conga admin teardown

Removes all containers, networks, and data from the remote host.

Quick Start (AWS)

For teams and production — hardened, zero-ingress deployment.

Prerequisites

  • AWS account with AWS SSO (Identity Center) configured
  • AWS CLI v2 with session-manager-plugin installed
  • Terraform >= 1.5
  • Slack app configured for the agent runtime (required for AWS deployment)
  • Agent Docker image — see Docker Images

1. Bootstrap Terraform state

export AWS_PROFILE=your-aws-profile
export AWS_REGION=us-east-2

cd terraform
./bootstrap.sh

2. Deploy infrastructure

cp backend.tf.example backend.tf    # edit with your account ID, region, profile
cp terraform.tfvars.example terraform.tfvars  # edit with your settings

terraform init
terraform plan
terraform apply

3. Configure the deployment

conga admin setup

4. Add agents and start

conga admin add-user boblobclaw UEXAMPLE01
conga admin add-team bluthcompany CEXAMPLE01
conga admin list-agents

conga admin cycle-host   # restarts EC2; bootstrap discovers and provisions all agents

Install the CLI (End Users)

No Terraform, Go, or repo clone required. This is how users manage their agents and secrets as well as access the web UI securely.

Prerequisites (AWS provider)

  • AWS CLI v2Install guide
  • session-manager-plugin — macOS: brew install --cask session-manager-plugin | Other platforms
  • AWS SSO access — your admin will provide the SSO URL and account ID

Prerequisites (Remote provider)

  • SSH access to the remote host (key-based auth)

Prerequisites (Local provider)

  • Docker Desktop installed and running

Install

Homebrew (macOS/Linux):

brew tap cruxdigital-llc/conga-line
brew install conga

macOS (Apple Silicon) — tested:

curl -fsSL https://github.com/cruxdigital-llc/conga-line/releases/latest/download/conga_darwin_arm64.tar.gz | tar xz -C /usr/local/bin conga

macOS (Intel):

curl -fsSL https://github.com/cruxdigital-llc/conga-line/releases/latest/download/conga_darwin_amd64.tar.gz | tar xz -C /usr/local/bin conga

Linux (amd64) — untested:

curl -fsSL https://github.com/cruxdigital-llc/conga-line/releases/latest/download/conga_linux_amd64.tar.gz | tar xz -C /usr/local/bin conga

Linux (arm64) — untested:

curl -fsSL https://github.com/cruxdigital-llc/conga-line/releases/latest/download/conga_linux_arm64.tar.gz | tar xz -C /usr/local/bin conga

First-time setup (AWS)

aws configure sso --profile your-profile
export AWS_PROFILE=your-profile
aws sso login

conga auth status
conga secrets set anthropic-api-key
conga refresh
conga connect            # opens SSM tunnel to web UI

First-time setup (Remote — VPS, Raspberry Pi, Mac Mini, etc.)

conga admin setup --provider remote   # prompts for SSH host, installs Docker
conga admin add-user myagent
conga secrets set anthropic-api-key --agent myagent
conga refresh --agent myagent
conga connect --agent myagent          # opens SSH tunnel to web UI

First-time setup (Local)

conga admin setup --provider local
conga admin add-user myagent
conga secrets set anthropic-api-key --agent myagent
conga refresh --agent myagent
conga connect --agent myagent

CLI Reference

User Commands

Command Description
conga auth login Authenticate (AWS: SSO login; local: not required)
conga auth status Show identity, provider, and agent mapping
conga secrets set <name> Create or update a secret
conga secrets list List your secrets
conga secrets delete <name> Delete a secret
conga connect Connect to web UI (AWS: SSM tunnel; remote: SSH tunnel; local: direct localhost)
conga refresh Restart container with fresh secrets
conga status Show container status and resource usage
conga logs Tail container logs
conga policy validate Validate policy file and show per-provider enforcement report
conga version Show CLI version

Bootstrap

Command Description
conga bootstrap <manifest.yaml> Provision an environment from a YAML manifest (additive, idempotent)

Flags: --env <file> (env file for secret expansion), -f <file> (manifest path)

Admin Commands

Command Description
conga admin setup Configure shared secrets and settings
conga admin add-user <name> [slack_member_id] Provision a user agent (Slack ID optional for gateway-only)
conga admin add-team <name> [slack_channel] Provision a team agent (Slack channel optional for gateway-only)
conga admin list-agents List all provisioned agents (shows status: active/paused)
conga admin remove-agent <name> Remove an agent
conga admin pause <name> Temporarily stop an agent (preserves all data)
conga admin unpause <name> Resume a paused agent
conga admin cycle-host Restart the deployment environment
conga admin refresh-all Restart all agent containers (skips paused)
conga admin teardown Remove the entire deployment (local only; AWS: use terraform destroy)

Global Flags

Flag Description
--provider Deployment provider: aws, local, remote (default: local)
--runtime Agent runtime: openclaw, hermes (default: openclaw)
--data-dir Data directory for local provider (default: ~/.conga/)
--profile AWS CLI profile (default: AWS_PROFILE env var)
--region AWS region (default: from config)
--agent Override auto-detected agent name
--verbose Verbose output
--timeout Global timeout for operations (default: 5m)

How It Works

Provider Auto-Detection

The CLI selects a provider using:

  1. --provider flag if specified
  2. ~/.conga/config.json provider field if set (persisted by conga admin setup)
  3. Default: local

Use --provider aws, --provider remote, or --provider local, or run conga admin setup to persist the choice.

AWS Provider

Discovers infrastructure via AWS APIs — no Terraform access or repo clone needed:

  • Instance: Found by EC2 tag Name=conga-line-host
  • Agent config: SSM Parameter Store at /conga/agents/{name}
  • Secrets: AWS Secrets Manager under conga/agents/{name}/
  • Remote operations: SSM RunCommand (no SSH, no ingress)

Remote Provider

For any SSH-accessible Linux host — VPS instances (Hetzner, DigitalOcean, Linode, Hostinger), bare metal servers (Raspberry Pi, Mac Mini), colocated servers, or any machine you can SSH into:

  • Agent config: /opt/conga/agents/{name}.json on remote host
  • Secrets: /opt/conga/secrets/agents/{name}/ on remote host (file per secret, mode 0400)
  • Container data: /opt/conga/data/{name}/ on remote host
  • Container operations: Docker CLI over SSH
  • Network isolation: Per-agent Docker bridge networks, localhost-only port binding on remote
  • Gateway access: SSH tunnel (no inbound ports exposed beyond SSH)
  • Channel routers: One container per platform (Slack, Telegram), auto-started when credentials are configured
  • Docker auto-install: Setup detects the OS and installs Docker if not present

Local Provider

All state lives under ~/.conga/:

  • Agent config: ~/.conga/agents/{name}.json (includes runtime selection)
  • Secrets: ~/.conga/secrets/agents/{name}/ (file per secret, mode 0400)
  • Container data: ~/.conga/data/{name}/ (mounted to runtime-specific path: /home/node/.openclaw for OpenClaw, /opt/data for Hermes)
  • Container operations: Docker CLI (docker run, docker logs, etc.)
  • Network isolation: Per-agent Docker bridge networks, localhost-only port binding
  • Channel routers: One container per platform (conga-router for Slack, conga-telegram-router for Telegram), auto-started when channel credentials are configured

Deployment Policy

CongaLine's three providers form a promotion pipeline: define your agent configuration locally, validate it on a remote host, then promote to hardened AWS infrastructure. The same configuration works at every tier — what changes is the enforcement level.

The conga-policy.yaml file is the portable policy artifact that travels with your deployment. It defines three categories of policy:

Section What it controls Example
Egress Which external domains agents can reach allowed_domains: [api.anthropic.com, "*.slack.com"]
Routing Model selection, fallback chains, cost limits default_model: claude-sonnet-4-6
Posture Security property declarations isolation_level: standard, secrets_backend: file

Each provider enforces what it can and transparently reports the gap:

$ conga policy validate --file conga-policy.yaml
Policy: conga-policy.yaml
Provider: local

SECTION  RULE              LEVEL          DETAIL
egress   domain_allowlist  validate-only  Warnings only; use mode: enforce to activate egress proxy
routing  default_model     validate-only  Model selection validated; enforcement requires Bifrost
posture  isolation_level   enforced       Docker cap-drop ALL, no-new-privileges, isolated networks
posture  secrets_backend   enforced       File-based secrets (mode 0400)
posture  monitoring        enforced       Config integrity monitoring + container logs

The same policy on AWS would show enforced for egress (per-agent Envoy proxy with domain-based CONNECT filtering) and enforced for standard monitoring (CloudWatch + VPC flow logs).

Note: The mode field only affects the local provider. Remote and AWS providers always enforce egress when allowed_domains are defined — there is no validate-only mode on those tiers.

To get started, copy the example file and customize:

cp conga-policy.yaml.example ~/.conga/conga-policy.yaml
conga policy validate

Per-agent overrides are supported — see conga-policy.yaml.example for all fields and options.

MCP Server (AI Agent Integration)

The CLI includes an MCP server that exposes agent management as tools for AI coding assistants like Claude Code. This lets an AI manage your CongaLine deployment conversationally — listing agents, checking status, setting secrets, refreshing containers, etc.

Setup

  1. Install the conga CLI (see above)
  2. Copy the example config:
cp .mcp.json.example .mcp.json
  1. Edit .mcp.json with your provider and credentials:

AWS:

{
  "mcpServers": {
    "conga": {
      "command": "conga",
      "args": ["mcp", "serve"],
      "env": {
        "CONGA_PROVIDER": "aws",
        "AWS_PROFILE": "your-profile"
      }
    }
  }
}

Remote (SSH):

{
  "mcpServers": {
    "conga": {
      "command": "conga",
      "args": ["mcp", "serve"],
      "env": {
        "CONGA_PROVIDER": "remote"
      }
    }
  }
}

Local Docker:

{
  "mcpServers": {
    "conga": {
      "command": "conga",
      "args": ["mcp", "serve"]
    }
  }
}
  1. Restart Claude Code — the conga tools will appear automatically.

Docker Images

CongaLine supports two agent runtimes — pick the image that matches the runtime you select during setup.

OpenClaw

Pinned to v2026.3.11 (29dc654), the last stable release before a Slack socket mode regression was introduced in v2026.3.12.

ghcr.io/openclaw/openclaw:2026.3.11

NOTE: Once the bug introduced in v2026.3.12 is fixed, we'll update this to reference the latest stable release.

Hermes Agent

The official Nous Research image:

nousresearch/hermes-agent:latest

This image is linux/amd64 only. On Apple Silicon Macs, Conga automatically retries the pull with --platform linux/amd64 so it runs via Docker Desktop's Rosetta translation.

Each runtime's default image is used automatically when you select it via --runtime. Override at any time during conga admin setup.

Development

For developers building and testing the conga CLI locally.

Prerequisites

  • Go >= 1.25
  • Docker (for local provider testing)

Build and run

go build -o conga ./cmd/conga
./conga auth status --provider local

Project structure

├── cmd/conga/                  # Binary entry point
├── internal/
│   ├── cmd/                    # Cobra command definitions (CLI interface)
│   └── mcpserver/              # MCP server (AI agent interface)
├── pkg/                        # Public library (importable by external modules)
│   ├── provider/               # Provider interface & registry
│   │   ├── awsprovider/        # AWS implementation (EC2, SSM, Secrets Manager)
│   │   ├── remoteprovider/     # Remote SSH implementation
│   │   ├── localprovider/      # Local Docker implementation
│   │   └── iptables/           # iptables rule generation for egress enforcement
│   ├── runtime/                # Runtime interface & registry (pluggable agent runtimes)
│   │   ├── openclaw/           # OpenClaw runtime (Node.js, JSON config)
│   │   └── hermes/             # Hermes Agent runtime (Python, YAML config)
│   ├── policy/                 # Portable policy schema, validation, enforcement
│   ├── channels/               # Channel abstraction & platform integrations
│   │   ├── slack/              # Slack channel (Socket Mode router)
│   │   └── telegram/           # Telegram channel (long-poll/webhook router)
│   ├── common/                 # Shared logic (config gen, routing, validation)
│   ├── aws/                    # AWS SDK wrappers
│   ├── discovery/              # Agent & identity resolution (AWS)
│   ├── manifest/               # YAML manifest parsing for conga bootstrap
│   ├── tunnel/                 # SSM port forwarding
│   └── ui/                     # Spinners, prompts, tables
├── scripts/                    # Embedded shell templates (AWS remote execution)
├── go.mod                      # module github.com/cruxdigital-llc/conga-line
├── terraform/                  # AWS infrastructure (VPC, EC2, IAM, etc.)
├── deploy/egress-proxy/        # Envoy proxy for domain-filtered egress
├── router/                     # Channel event routers (Node.js)
│   ├── slack/                  # Slack router (Socket Mode → HTTP fan-out)
│   └── telegram/               # Telegram router (long-polling → HTTP fan-out)
└── behavior/                   # Agent personality files (SOUL.md, etc.)

Module boundary: pkg/ is the public API — external modules (like terraform-provider-conga) import these packages. internal/ holds interface layers (CLI, MCP server) that only the conga binary uses.

License

This project is licensed under the Apache License 2.0 — see LICENSE for details.

Contributing

See CONTRIBUTING.md for how to get involved.

Security

See SECURITY.md for reporting vulnerabilities.