@claw-link/gateway-host
v0.4.1
Published
ClawLink Host Gateway — a secure, outbound-only worker that bridges a local agent CLI (OpenClaw, Hermes, Claude, Codex, Cursor) to your ClawLink agents. No inbound ports; authenticated per-agent by a Host Token.
Maintainers
Readme
@claw-link/gateway-host — ClawLink Host Gateway
Run any local agent CLI — OpenClaw, Hermes, Claude, Codex, or Cursor — as an agent on the ClawLink platform. The host worker is a small, outbound-only process: it dials out to ClawLink, claims customer/admin messages for your agent, runs the chosen runtime locally, and streams the reply back. No inbound ports, no Tailscale Funnel — just a per-agent Host Token.
ClawLink (cloud) ──enqueues message──▶ host-bridge
▲ │ (your machine dials OUT)
└──── streams reply back ──── @claw-link/gateway-host ──▶ hermes | claude | codex | cursor | local OpenClawInstall
npx @claw-link/gateway-host install # one-time: install the background service
npx @claw-link/gateway-host add-agent # paste an agent's Host Token — that's it(setup does both in one flow.) You only paste the Host Token. The host verifies
it, pulls the agent's runtime from ClawLink (the dashboard is the source of truth),
auto-detects the runtime binary, and binds this machine so the token can't be used
from anywhere else. For coding runtimes (claude/codex/cursor) it also asks for the
project workspace directory (that part is host-specific). Config lands in
~/.clawlink-host/config.json (chmod 600).
Get a token from ClawLink → Agents → your agent → Host Gateway → Generate token, and verify the live connection badge there.
Runtimes
| Runtime | How it runs | Install |
|----------|----------------------------------------------|---------|
| OpenClaw | POSTs to your local OpenClaw gateway | (already running) |
| Hermes | hermes chat -q "<prompt>" --resume <id> | curl -fsSL https://hermes-agent.nousresearch.com/install.sh \| bash |
| Claude | claude -p --output-format stream-json | Claude Code CLI |
| Codex | codex exec "<prompt>" | Codex CLI |
| Cursor | cursor-agent -p "<prompt>" | Cursor CLI |
Each runtime's flags can be overridden per-agent via args_template in the config
(placeholders {prompt}, {sessionId}, {systemPrompt} are substituted per argv
element — never through a shell).
Workspace & baseline files — each agent gets a managed workspace at
~/.clawlink-host/workspace/<runtime>/agents/<agent_id> by default (Claude/Codex/Cursor
can be pointed at your own project folder instead). When you add an agent, if the
runtime's baseline files are missing, add-agent asks before adding them and
never overwrites existing files — so pointing an agent at a real project is safe.
Baselines per runtime:
| Runtime | Baseline files |
|---------|----------------|
| Claude | CLAUDE.md, .claude/settings.json (pins a default model — sonnet — so the agent never silently falls back to a weaker model) |
| Codex | AGENTS.md |
| Cursor | AGENTS.md, .cursor/rules/clawlink.mdc (always-applied agent rules) |
| OpenClaw / Hermes | README.md (their real config lives in ~/.openclaw / ~/.hermes) |
Change the Claude model by editing .claude/settings.json (e.g. "model": "opus").
For Codex/Cursor, set the model via their CLI (args_template in the config, or the
tool's own settings).
Permissions by scope — each job carries a scope, and the Claude adapter runs with matching permissions automatically:
| Trigger | Scope | Claude | Codex |
|---------|-------|--------|-------|
| Admin Setup via Chat / apply skill | configure | --permission-mode acceptEdits (may write workspace files) | --sandbox workspace-write --ask-for-approval never |
| Customer chat + discovery | customer | --disallowedTools "Write Edit MultiEdit NotebookEdit Bash" (read-only) | --sandbox read-only --ask-for-approval never |
So an agent's files are editable from the admin panel but never from customer/discovery
chat. (Operator args_template overrides this for advanced setups. Hermes/Cursor/OpenClaw
manage their own permissions.)
Commands
After install the clhost command is available (aliases: gateway-host, claw-host):
clhost install # install the background service (one-time)
clhost add-agent # add an agent by pasting its Host Token
clhost rm-agent <id># remove a mapped agent
clhost retoken <id> # re-enter a new token after rotating (keeps workspace/binary)
clhost agents # list mapped agents
clhost status # bridge + service state + mapped agents
clhost start # start the background service
clhost stop # stop the background service
clhost restart # restart the service (apply config changes)
clhost rotate # rotate a Host Token / move to a new machine
clhost uninstall # stop + remove the service
clhost run # (internal) run the worker in the foreground — the service uses this(Use npx @claw-link/gateway-host <command> before a global install.)
Config
~/.clawlink-host/config.json (chmod 600):
A minimal binding is just a token (everything else is resolved from ClawLink and
cached back in). ~/.clawlink-host/config.json (chmod 600):
{
"bridge_url": "https://<project-ref>.supabase.co/functions/v1/host-bridge",
"instance_id": "…",
"poll_interval_ms": 1500,
"agents": [
{ "host_token": "clk_host_…" },
{ "host_token": "clk_host_…", "runtime": "claude", "binary": "/usr/local/bin/claude", "work_dir": "/Users/me/projects/acme" }
]
}Platforms
macOS (launchd), Linux (systemd user service), and Windows (a hidden, auto-restarting
Scheduled Task; logs to %USERPROFILE%\.clawlink-host\host.log). On Windows the worker
handles npm .cmd CLI shims automatically; for the strongest isolation prefer Claude
(prompt via stdin) or a native .exe runtime.
Security
Outbound-only, per-agent token (stored server-side as a hash only), machine-bound on first connect to a stable hardware id (a stolen token fails from any other host), no shell injection, runs only the configured binary. See SECURITY.md.
Part of ClawLink — the multi-tenant AI agent platform. MIT.
