@aerostack/openclaw-bridge

Connect OpenClaw to any Aerostack Workspace — one URL, all your MCP tools, with built-in security.

Why?

OpenClaw only supports stdio MCP servers. Aerostack Workspaces use HTTP. This bridge connects them — no code required.

Instead of configuring 50 separate MCP servers in OpenClaw, point at one Aerostack Workspace and get:

• All tools in one place — composed from multiple MCP servers
• Centralized OAuth — 27+ providers managed by Aerostack, not your agent
• Human approval gates — sensitive tools require workspace owner approval before executing
• Local Guardian — approval gates for local operations (file delete, shell, git push, deploy)
• Per-tool permissions — workspace tokens scope exactly which tools are accessible
• Usage tracking & audit — every tool call logged and metered
• Rate limiting — per-token, plan-tiered

Quick Start

1. Get a workspace token

In your Aerostack Admin Dashboard, go to your workspace settings and generate a token (mwt_...).

2. Configure OpenClaw

Add to your OpenClaw config (openclaw.json or via openclaw mcp set):

{
  "mcp": {
    "servers": {
      "my-workspace": {
        "command": "npx",
        "args": ["-y", "@aerostack/openclaw-bridge"],
        "env": {
          "AEROSTACK_WORKSPACE_URL": "https://api.aerostack.dev/api/gateway/ws/my-workspace",
          "AEROSTACK_TOKEN": "mwt_your_token_here"
        }
      }
    }
  }
}

Or via CLI:

openclaw mcp set my-workspace '{
  "command": "npx",
  "args": ["-y", "@aerostack/openclaw-bridge"],
  "env": {
    "AEROSTACK_WORKSPACE_URL": "https://api.aerostack.dev/api/gateway/ws/my-workspace",
    "AEROSTACK_TOKEN": "mwt_your_token_here"
  }
}'

3. Use it

You: Search GitHub for open issues in my repo
OpenClaw: [calls github__search_issues via Aerostack workspace]

Tools are namespaced as {server}__{tool} (e.g., github__create_issue, slack__send_message).

How It Works

OpenClaw (stdio) → Bridge (this package) → HTTPS → Aerostack Workspace Gateway
                                                         ↓
                                            ┌─────────────────────────┐
                                            │  Fan-out to MCP servers │
                                            │  GitHub, Slack, Gmail,  │
                                            │  custom Workers, etc.   │
                                            └─────────────────────────┘

The bridge:

1. Starts as a stdio MCP server (what OpenClaw expects)
2. Forwards all JSON-RPC requests to your workspace over HTTPS
3. Handles SSE streaming responses transparently
4. Manages the approval gate flow automatically

Approval Gates

When a workspace owner configures approval requirements on sensitive tools, the bridge handles it transparently:

OpenClaw calls dangerous_tool
  → Bridge forwards to workspace
  → Workspace returns "needs approval" (-32050)
  → Bridge waits via WebSocket (instant) or polls as fallback
  → Workspace owner approves/rejects in dashboard or mobile
  → Bridge retries on approval, returns error on rejection

Your OpenClaw agent sees either a successful result or a clear error — no special handling needed.

Local Guardian

Approval gates for local operations — file deletion, destructive shell commands, git push, deploys, and more. The agent asks for approval before acting on your machine.

How it works

The bridge injects an aerostack__local_guardian tool alongside your workspace tools. When the LLM is about to perform a risky local operation, it calls this tool first. The bridge sends an approval request to your workspace — you get a push notification and can approve or reject from the dashboard or your phone.

Agent wants to: rm -rf ./old-config/
  → Agent calls aerostack__local_guardian (action: "delete old-config directory")
  → Bridge sends approval request to workspace
  → You get push notification: "[LOCAL] delete old-config directory"
  → You tap Approve or Reject
  → Agent proceeds or stops

Default rules

The guardian covers these categories out of the box:

| Category | What it covers | |----------|---------------| | file_delete | Deleting, removing, or overwriting files | | shell_destructive | rm -rf, DROP TABLE, TRUNCATE, etc. | | git_push | git push, force push, git reset --hard | | config_modify | .env, credentials, secrets, production configs | | deploy | Deploy, publish, release to any environment | | database | Direct database mutations outside of migrations |

Custom rules (from your dashboard)

Configure custom rules in your workspace settings via the Aerostack Admin Dashboard or API:

# Example: add a custom "email" rule via API
curl -X PATCH "https://api.aerostack.dev/api/community/workspaces/{id}" \
  -H "Authorization: Bearer YOUR_JWT" \
  -d '{
    "settings": {
      "local_guardian_rules": [
        { "category": "email", "description": "Sending any email", "examples": ["send email", "compose", "reply"] },
        { "category": "payments", "description": "Any payment or billing operation", "examples": ["charge", "refund", "invoice"] },
        { "category": "file_delete", "description": "Deleting files", "examples": ["rm", "unlink"] }
      ]
    }
  }'

When workspace rules are configured, they replace the defaults. The bridge fetches rules automatically during initialization — no env vars needed.

Disable Local Guardian

From the dashboard: Set local_guardian_enabled: false in workspace settings.

From the agent side: Set AEROSTACK_LOCAL_GUARDIAN=false in env to force-disable regardless of workspace config.

Requires workspace approval rules

Local Guardian uses your workspace's approval system. You need at least one approval rule configured in your workspace settings. If no rules are configured, the guardian allows all actions with a warning.

Configuration

All configuration is via environment variables:

| Variable | Required | Default | Description | |----------|----------|---------|-------------| | AEROSTACK_WORKSPACE_URL | Yes | — | Full workspace endpoint URL | | AEROSTACK_TOKEN | Yes | — | Workspace token (mwt_...) | | AEROSTACK_APPROVAL_POLL_MS | No | 3000 | Approval polling interval (ms) | | AEROSTACK_APPROVAL_TIMEOUT_MS | No | 300000 | Max approval wait time (5 min) | | AEROSTACK_REQUEST_TIMEOUT_MS | No | 30000 | HTTP request timeout (30s) | | AEROSTACK_LOCAL_GUARDIAN | No | true | Force-disable Local Guardian (false to disable) | | AEROSTACK_LOG_LEVEL | No | info | Log level (debug, info, warn, error) |

Supported MCP Methods

| Method | Description | |--------|-------------| | tools/list | List all tools from all workspace servers | | tools/call | Call a namespaced tool (with approval handling) | | resources/list | List resources from all workspace servers | | resources/read | Read a specific resource | | prompts/list | List prompts from all workspace servers | | prompts/get | Get a prompt with arguments |

Works With Any stdio MCP Client

While built for OpenClaw, this bridge works with any MCP client that supports stdio transport — Claude Desktop, Cursor, Windsurf, or custom integrations.

Requirements

• Node.js 18+
• An Aerostack account with a configured workspace
• A workspace token with appropriate tool permissions

Links

• Aerostack Docs
• Aerostack Admin
• OpenClaw
• MCP Specification

License

MIT