ORBITARIA

Overview

🏗Architecture01

Infrastructure

🔑API Keys02 🖥Hosting03

Platform

🦞OpenClaw04 ⚡N8N05 🚀Antigravity06

Agents

🤖Agent Stack07 📄SOUL Files08

Cloud

☁️AWS09 🔐Security10

Files

⬇Downloads11

📋 Master Setup Guide · Production Grade

ORBITARIA — AI Operating System

13 specialist agents on OpenClaw + N8N + Portainer. Full orchestration, governance, and automation — Hostinger or AWS.

PlatformOpenClaw v2026.3.24+

HostingHostinger VPS / AWS

Agents13 + OrbitAria

AuthorShuv Chowdhury

System Architecture

4-layer orchestration model — 13 agents, 1 routing spine

Layer 1 — Core Brain

01_MASTER_ORCHESTRATOR

↓

Layer 2 — Communication

03_SOCIAL · 04_EMAIL · 05_CALENDAR · 07_CALLING · 08_MESSAGING · 13_MEETING

↓

Layer 3 — Growth

06_MARKETING · 11_WEBSITE

↓

Layer 4 — Governance (horizontal)

09_SECURITY · 10_EVALS · 12_COST

Configuration Order

Phase 0 Platform Readiness

OpenClaw, Portainer, NPM, SSH all verified running

Phase 1 MASTER_ORCHESTRATOR

Routing spine, intent classification, workflow triggers

Phase 2 Governance Layer

09_SECURITY → 12_COST → 10_EVALS — must be live before scaling

Phase 3 Communication Backbone

04_EMAIL → 05_CALENDAR → 08_MESSAGING

Phase 4 Interaction Capture

13_MEETING → 07_CALLING

Phase 5 Growth Execution

06_MARKETING → 11_WEBSITE → 03_SOCIAL

Phase 6–8 Harden → Test → Optimize

End-to-end tests, eval coverage, cost visibility

Default Routing Graph

From	Routes To	Trigger
MASTER_ORCHESTRATOR	All 12 specialists	Intent classification
EMAIL_AGENT	CALENDAR_AGENT	Booking request detected
CALENDAR_AGENT	MEETING_AGENT	Event confirmed
MEETING_AGENT	EMAIL + MESSAGING	Summary ready
CALLING_AGENT	MESSAGING + MEETING	Call ended
MARKETING_AGENT	SOCIAL + EMAIL	Campaign brief approved
WEBSITE_AGENT	EMAIL + MARKETING	Lead captured

API Keys & Credentials

Where to get each key and where to store it safely

🚫

Hard Rule: Keys NEVER go in SOUL.md files or ControlUI plain-text fields. Store ALL keys in Portainer → Stack → Environment Variables only.

⚠️

Critical: OAuth consent screen MUST be "In production" — Testing mode causes unauthorized_client errors even with valid tokens.

Go to Google Cloud Console

Open console.cloud.google.com → create or select your OrbitumAI project.

Enable APIs

APIs & Services → Library → enable: Gmail API, Google Calendar API, Vertex AI API, Generative Language API, OAuth2 API.

Create OAuth Client ID

Credentials → Create Credentials → OAuth Client ID → Web Application. Add redirect URIs:

Redirect URIs

https://openclawagents.orbitumai.com/auth/google/callback
https://build.orbitumai.com/rest/oauth2-credential/callback

Set Consent Screen to "In production"

App: OrbitumAI · Domain: orbitumai.com · Scopes: gmail.modify, gmail.send, calendar · Status: In production

Store in Portainer (both stacks)

Environment variables

GOOGLE_CLIENT_ID=your_id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=your_secret
GMAIL_REFRESH_TOKEN=your_refresh_token

Go to Anthropic Console

Open console.anthropic.com → API Keys → Create Key → copy immediately (shown once).

Add Billing

Settings → Billing → add payment method and set a monthly spend limit.

Configure in OpenClaw

Run openclaw configure in Portainer console — stores the key in auth-profiles.json automatically.

ℹ️

OrbitAria: anthropic/claude-opus-4-6 · 12 specialist agents: openai/gpt-4.1-mini with global fallback chain.

Go to OpenAI Platform

Open platform.openai.com → API Keys → Create new secret key → copy immediately.

Set Usage Limits

Settings → Limits → set a monthly hard limit (recommend $50 to start).

Store in Portainer (openclaw stack)

openclaw stack

OPENAI_API_KEY=sk-your_key_here

⚠️

Note: Per-agent fallbacks NOT supported in v2026.x — global fallbacks only via agents.defaults.model.fallbacks.

🚫

Critical: CAL_API_KEY must be added to BOTH openclaw AND n8n stacks in Portainer separately — each stack reads only its own env vars.

Generate API Key

cal.com → Settings → Developer → API Keys → Add → label "ORBITARIA".

Add to openclaw stack

Portainer → Stacks → openclaw → Env vars → add CAL_API_KEY

Add to n8n stack (separately)

Portainer → Stacks → n8n → Env vars → add CAL_API_KEY same value.

n8n Credential

n8n → Credentials → New → Generic → Header Auth. Name: cal-api-key (lowercase, hyphenated).

ℹ️

Always use v2: https://api.cal.com/v2/bookings. v1 is decommissioned. Response data at $input.first().json.data

Create Resend Account

resend.com → API Keys → Create API Key.

Verify Domain

Domains → Add Domain → orbitumai.com → add DNS records in Hostinger panel.

Store in Portainer

openclaw stack

RESEND_API_KEY=re_your_key_here
RESEND_FROM_EMAIL=info@orbitumai.com

RetellAI

app.retellai.com → API Keys → copy.

Telnyx

portal.telnyx.com → API Keys → create.

Store in Portainer

openclaw stack

RETELL_API_KEY=your_retell_key
TELNYX_API_KEY=your_telnyx_key

🚫

Rule: CALLING_AGENT must NEVER be autonomously scheduled. Human-initiated or MASTER_ORCHESTRATOR routed only.

Create AWS Account

aws.amazon.com → Create account → add billing.

Create IAM User

IAM → Users → Create User → Programmatic access. Start with AdministratorAccess then restrict.

Generate Access Keys

IAM → User → Security Credentials → Create Access Key → copy both values immediately.

Configure CLI

Terminal

aws configure
# Access Key ID: your_key_id
# Secret Access Key: your_secret
# Region: us-east-1
# Output: json

⚠️

Never use AdministratorAccess on keys used by agents. Scope to specific S3 bucket or service only.

Master Credential Map

Variable	Service	openclaw stack	n8n stack	Phase
ANTHROPIC_API_KEY	Anthropic	✓	—	Phase 0 ✅
OPENAI_API_KEY	OpenAI	✓	—	Phase 0
GMAIL_REFRESH_TOKEN	Google	✓	—	Phase 3 ✅
GOOGLE_CLIENT_ID/SECRET	Google	✓	✓	Phase 3
CAL_API_KEY	Cal.com	verify	verify	Phase 3 ✅
RESEND_API_KEY	Resend	✓	—	Phase 3
RETELL_API_KEY	RetellAI	store now	—	Phase 4
TELNYX_API_KEY	Telnyx	store now	—	Phase 4

Hostinger VPS Infrastructure

Docker + Portainer + Nginx Proxy Manager on Ubuntu 24.04 LTS

🐳

Portainer CE

portainer.orbitumai.com — Container management, stack deploys, env vars, console access

🔀

Nginx Proxy Manager

proxy.orbitumai.com — SSL termination, subdomain routing, Basic Auth

📊

Umami Analytics

analytics.orbitumai.com — Privacy-first website analytics for WEBSITE_AGENT

⚠️

Critical: Always use container name (e.g. "openclaw") as NPM forward hostname — never an IP. IPs change on restart and cause 502 errors.

Proxy Host Rules

Domain	Forward To	Port	Websockets	SSL
openclawagents.orbitumai.com	openclaw	18789	ON	Let's Encrypt
build.orbitumai.com	n8n	5678	ON	Let's Encrypt
portainer.orbitumai.com	portainer	9000	OFF	Let's Encrypt
analytics.orbitumai.com	umami	3000	ON	Let's Encrypt

VPS Directory Structure

SSH

/opt/openclaw/config/          ← EDIT HERE (host, not container)
  openclaw.json                ← Main config + gateway token
  agents/main/agent/auth-profiles.json
/opt/openclaw/workspace/       ← All SOUL.md files
/opt/n8n/data/
/opt/umami/data/

OpenClaw Configuration

Docker Compose, master config, agent creation, SOUL file assignment

🚫

Hard Rules: Edit only at /opt/openclaw/config/openclaw.json on VPS host. maxSpawnDepth crashes container. Use "ask":"off" not "never". Use "bind":"lan" not "0.0.0.0". No per-agent fallbacks.

Docker Compose

Portainer → Stacks → openclaw

version: '3.8'
services:
  openclaw:
    image: ghcr.io/openclaw/openclaw:latest
    container_name: openclaw
    restart: unless-stopped
    ports:
      - "18789:18789"
    volumes:
      - /opt/openclaw/config:/home/node/.openclaw
      - /opt/openclaw/workspace:/home/node/.openclaw/workspace
    environment:
      - OPENCLAW_GATEWAY_BIND=0.0.0.0
      - OPENAI_API_KEY=${OPENAI_API_KEY}
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
      - GMAIL_REFRESH_TOKEN=${GMAIL_REFRESH_TOKEN}
      - CAL_API_KEY=${CAL_API_KEY}
      - RESEND_API_KEY=${RESEND_API_KEY}
      - RETELL_API_KEY=${RETELL_API_KEY}
      - TELNYX_API_KEY=${TELNYX_API_KEY}
    networks:
      - openclaw-net
networks:
  openclaw-net:
    name: openclaw_openclaw-net
    external: true

openclaw.json Master Config

/opt/openclaw/config/openclaw.json

{
  "gateway": {
    "mode": "local", "bind": "lan",
    "auth": { "token": "REPLACE_WITH_GATEWAY_TOKEN",
      "rateLimit": { "maxAttempts": 10, "windowMs": 60000, "lockoutMs": 300000 }
    },
    "controlUi": { "allowInsecureAuth": true }
  },
  "session": { "dmScope": "per-channel-peer" },
  "tools": {
    "fs": { "workspaceOnly": true },
    "exec": { "strictInlineEval": true, "ask": "off" },
    "elevated": { "enabled": false }
  },
  "agents": {
    "defaults": { "model": { "primary": "openai/gpt-4.1-mini",
        "fallbacks": ["openai/gpt-4o","anthropic/claude-opus-4-6"] } },
    "list": [
      { "id": "main", "model": { "primary": "anthropic/claude-opus-4-6" } },
      { "id": "master-orchestrator" }, { "id": "social-agent" },
      { "id": "email-agent" }, { "id": "calendar-agent" },
      { "id": "marketing-agent" }, { "id": "calling-agent" },
      { "id": "messaging-agent" }, { "id": "security-agent" },
      { "id": "evals-agent" }, { "id": "website-agent" },
      { "id": "cost-agent" }, { "id": "meeting-agent" }
    ]
  }
}

Create All Agents

Portainer → openclaw → Console → bash

openclaw agents add master-orchestrator
openclaw agents add social-agent
openclaw agents add email-agent
openclaw agents add calendar-agent
openclaw agents add marketing-agent
openclaw agents add calling-agent
openclaw agents add messaging-agent
openclaw agents add security-agent
openclaw agents add evals-agent
openclaw agents add website-agent
openclaw agents add cost-agent
openclaw agents add meeting-agent
openclaw agents list --bindings

Assign SOUL Files

Portainer → openclaw → Console → bash

openclaw agents config main --system-prompt-file /home/node/.openclaw/workspace/ARIASKILLS.MD
openclaw agents config master-orchestrator --system-prompt-file /home/node/.openclaw/workspace/MASTERSKILLS.MD
openclaw agents config social-agent --system-prompt-file /home/node/.openclaw/workspace/SOCIALSKILLS.MD
openclaw agents config email-agent --system-prompt-file /home/node/.openclaw/workspace/EMAILSKILLS.MD
openclaw agents config calendar-agent --system-prompt-file /home/node/.openclaw/workspace/CALENDARSKILLS.MD
openclaw agents config marketing-agent --system-prompt-file /home/node/.openclaw/workspace/MARKETINGSKILLS.MD
openclaw agents config calling-agent --system-prompt-file /home/node/.openclaw/workspace/CALLINGSKILLS.MD
openclaw agents config messaging-agent --system-prompt-file /home/node/.openclaw/workspace/MESSAGINGSKILLS.MD
openclaw agents config security-agent --system-prompt-file /home/node/.openclaw/workspace/SECURITYSKILLS.MD
openclaw agents config evals-agent --system-prompt-file /home/node/.openclaw/workspace/EVALSSKILLS.MD
openclaw agents config website-agent --system-prompt-file /home/node/.openclaw/workspace/WEBSITESKILLS.MD
openclaw agents config cost-agent --system-prompt-file /home/node/.openclaw/workspace/COSTSKILLS.MD
openclaw agents config meeting-agent --system-prompt-file /home/node/.openclaw/workspace/MEETINGSKILLS.MD
openclaw secrets reload

N8N Configuration

Self-hosted automation engine — Docker stack, Cal.com relay, daily triggers

Docker Compose

Portainer → Stacks → n8n

version: '3.8'
services:
  n8n:
    image: n8nio/n8n:latest
    container_name: n8n
    restart: unless-stopped
    ports:
      - "5678:5678"
    environment:
      - N8N_HOST=build.orbitumai.com
      - N8N_PORT=5678
      - N8N_PROTOCOL=https
      - WEBHOOK_URL=https://build.orbitumai.com/
      - N8N_EDITOR_BASE_URL=https://build.orbitumai.com/
      - N8N_BLOCK_ENV_ACCESS_IN_NODE=false
      - EXECUTIONS_PROCESS=main
      - CAL_API_KEY=${CAL_API_KEY}
      - GMAIL_REFRESH_TOKEN=${GMAIL_REFRESH_TOKEN}
      - GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID}
      - GOOGLE_CLIENT_SECRET=${GOOGLE_CLIENT_SECRET}
    volumes:
      - /opt/n8n/data:/home/node/.n8n
    networks:
      - n8n-net
networks:
  n8n-net:
    name: n8n_n8n-net
    external: true

⚠️

N8N Rules: N8N_BLOCK_ENV_ACCESS_IN_NODE=false required for env var access in Code nodes. CAL_API_KEY must be in both stacks separately. No trailing spaces in variable names.

Daily Calendar Summary (08:00 CST)

Cron → Cal.com v2 → Telegram

# Cron trigger: 0 8 * * * (America/Chicago)
# HTTP Request: GET https://api.cal.com/v2/bookings
# Auth: Generic Credential → Header Auth → cal-api-key
# Params:
afterStart: {{ $now.startOf('day').toISO() }}
beforeEnd:  {{ $now.endOf('day').toISO() }}
# Parse: const bookings = $input.first().json.data;

Cal.com Webhook Relay

Confirmed working

Endpoint: https://build.orbitumai.com/webhook/calcom-relay

// HMAC verify Code node:
const crypto = require('crypto');
const sig = crypto.createHmac('sha256', $env.CAL_WEBHOOK_SECRET)
  .update(JSON.stringify($input.first().json)).digest('hex');
if ('sha256='+sig !== $input.first().headers['x-cal-signature-256'])
  throw new Error('Invalid signature');

Antigravity + N8N

Push workflows into your self-hosted N8N using AI — no coding required

🧠 Plain English — What Is This?

Antigravity is a browser extension that gives you an AI chat panel on any webpage — including your N8N dashboard. You describe what you want in plain English and it writes the whole workflow for you.

N8N is your visual automation engine — like a flowchart where each box does one job and the boxes connect to run automatically.

When connected via MCP, Antigravity pushes the finished workflow straight into your N8N. No copy-paste. No coding. The workflow just appears.

How It Works

You

Type your request in plain English

"Send me a Telegram message when a new Cal.com booking arrives"

↓

Antigravity (in your browser)

AI writes the N8N workflow JSON

Uses Claude to generate all nodes, connections, and settings

↓

MCP Bridge — the connector

Pushes the workflow into your N8N

No copy-paste needed — workflow appears in N8N dashboard instantly

↓

Your Self-Hosted N8N

Workflow is live

Click Activate in N8N. Automation runs on your server forever.

Part 1 — Enable MCP in N8N

ℹ️

What is MCP? Think of it as a special door. Antigravity knocks on this door to push workflows in. Without it, the door doesn't exist.

Generate N8N API Key

Go to build.orbitumai.com → avatar bottom-left → Settings → n8n API → Create API key → label "Antigravity" → copy immediately.

Save in Portainer (n8n stack)

n8n stack env var

N8N_API_KEY=n8n_api_your_key_here

Add MCP Variables to N8N Stack

Portainer → Stacks → n8n → Editor tab → add to environment section:

n8n docker-compose env

      - N8N_COMMUNITY_PACKAGES_ALLOW_TOOL_USAGE=true
      - N8N_MCP_ENABLED=true
      - N8N_API_KEY=${N8N_API_KEY}

Redeploy Stack

Portainer → n8n stack → Update the stack → wait 30 seconds.

Verify MCP is Live

Open in browser — should return JSON, not an error:

Test URL

https://build.orbitumai.com/mcp-server/http

Part 2 — Install Antigravity

Open Chrome or Edge

Antigravity works in Chromium-based browsers only.

Install from Chrome Web Store

Search "Antigravity" → Add to Chrome.

Pin to Toolbar & Add API Key

Click 🧩 → pin Antigravity → click icon → Settings → paste your sk-ant-... Anthropic key.

Part 3 — Connect Antigravity to N8N

Open MCP Servers in Antigravity Settings

Look for MCP Servers, Tools, or Connections section.

Add New Server

Server Name

OrbitumAI N8N

Server URL

https://build.orbitumai.com/mcp-server/http

Auth Header

Authorization

Auth Value

Bearer n8n_api_your_key_here

Save and Verify

Click Save. You should see a green "Connected" status. If red — check the URL and API key.

Part 4 — ORBITARIA Workflows to Build First

Copy each prompt into Antigravity chat. It will write and push the workflow into your N8N automatically.

WF 01

Daily Calendar Summary — CALENDAR_AGENT

Every day 08:00 CST · Cal.com v2 → Telegram

"Create an n8n workflow triggered every day at 8am Central Time. Call Cal.com v2 API at https://api.cal.com/v2/bookings with header cal-api-key. Use afterStart/beforeEnd for today's range. Parse response from 'data' field. Format and send booking list as Telegram message."

WF 02

Cal.com Webhook Relay — CALENDAR_AGENT

Cal.com booking event → OpenClaw

"Build a webhook at /calcom-relay. Verify HMAC-SHA256 from x-cal-signature-256 header using env var CAL_WEBHOOK_SECRET. If valid, POST booking data to https://openclawagents.orbitumai.com/api/v1/message with Bearer auth from GATEWAY_TOKEN env var, targeting agent 'calendar-agent'."

WF 03

Gmail Inbound Monitor — EMAIL_AGENT

Poll Gmail every 5 min → OpenClaw

"Poll Gmail every 5 minutes using Gmail OAuth2 for shuv@orbitumai.com. For each unread email, extract subject, sender, and body preview. POST as JSON to https://openclawagents.orbitumai.com/api/v1/message with Bearer auth targeting 'email-agent'. Mark as read after."

WF 04

Weekly Marketing Report — MARKETING_AGENT

Every Monday 07:30 CST → OpenClaw

"Trigger every Monday at 7:30am Central Time. POST to https://openclawagents.orbitumai.com/api/v1/message with Bearer auth targeting 'marketing-agent'. Message: Generate weekly marketing report — performance summary, AI trends, competitor intel, 3 campaign ideas. Deliver via Telegram to shuv@orbitumai.com."

Troubleshooting

Problem	Cause	Fix
Red dot in Antigravity	Can't reach MCP endpoint	Visit build.orbitumai.com/mcp-server/http in browser. If error — verify N8N_MCP_ENABLED=true in Portainer and redeploy.
Workflow appears empty in N8N	Malformed JSON push	Ask Antigravity: "The workflow appeared empty — please rebuild and push again."
401 Unauthorized in execution	Wrong/missing API key	N8N → click red node → Edit Credentials → re-enter correct key.
Workflow runs but nothing happens	Not Activated	N8N → open workflow → toggle Active switch ON (turns green).
Cal.com webhook not received	URL not registered	Cal.com → Settings → Developer → Webhooks → add URL: build.orbitumai.com/webhook/calcom-relay

Agent Stack

All 13 agents — models, integrations, scheduling rules

ℹ️

Rule: COST_AGENT and EVALS_AGENT must be confirmed working BEFORE scheduling any other agent for autonomous unattended runs.

Agent	Layer	Model	Key Integration	Auto-Schedule
main (OrbitAria)	Entry	claude-opus-4-6	Telegram bot	Human only
01_MASTER_ORCHESTRATOR	L1	gpt-4.1-mini	All agents, routing	Yes — routing spine
03_SOCIAL_AGENT	L2	gpt-4.1-mini	LinkedIn, Instagram, X	Approval only
04_EMAIL_AGENT	L2	gpt-4.1-mini	Gmail OAuth, Resend	Yes
05_CALENDAR_AGENT	L2	gpt-4.1-mini	Cal.com v2, n8n relay	Yes — daily summary
06_MARKETING_AGENT	L3	gpt-4.1-mini	Social, Email, Calling briefs	Weekly report auto
07_CALLING_AGENT	L2	gpt-4.1-mini	RetellAI, Telnyx	NEVER auto
08_MESSAGING_AGENT	L2	gpt-4.1-mini	Telegram, WhatsApp, Slack	Yes
09_SECURITY_AGENT	L4	gpt-4.1-mini	All agents (horizontal)	Yes — governance
10_EVALS_AGENT	L4	gpt-4.1-mini	All agents (scoring)	Yes — governance
11_WEBSITE_AGENT	L3	gpt-4.1-mini	Vercel, Umami, leads	Yes
12_COST_AGENT	L4	gpt-4.1-mini	All agents (token tracking)	Yes — governance
13_MEETING_AGENT	L2	gpt-4.1-mini	Transcripts, Email, Telegram	NEVER auto

SOUL Files

System prompts that give each agent its identity and rules

⚠️

Upload SOUL files from your local machine to VPS using SCP from PowerShell. Never store credentials inside SOUL files — use $env.VARIABLE_NAME references only.

Upload All SOUL Files (PowerShell)

PS C:\Users\subha>

scp 01_MASTER_ORCHESTRATOR.md root@31.220.18.167:/opt/openclaw/workspace/MASTERSKILLS.MD
scp 03_SOCIAL_AGENT.md       root@31.220.18.167:/opt/openclaw/workspace/SOCIALSKILLS.MD
scp 04_EMAIL_AGENT.md        root@31.220.18.167:/opt/openclaw/workspace/EMAILSKILLS.MD
scp 05_CALENDAR_AGENT.md     root@31.220.18.167:/opt/openclaw/workspace/CALENDARSKILLS.MD
scp 06_MARKETING_AGENT.md    root@31.220.18.167:/opt/openclaw/workspace/MARKETINGSKILLS.MD
scp 07_CALLING_AGENT.md      root@31.220.18.167:/opt/openclaw/workspace/CALLINGSKILLS.MD
scp 08_MESSAGING_AGENT.md    root@31.220.18.167:/opt/openclaw/workspace/MESSAGINGSKILLS.MD
scp 09_SECURITY_AGENT.md     root@31.220.18.167:/opt/openclaw/workspace/SECURITYSKILLS.MD
scp 10_EVALS_AGENT.md        root@31.220.18.167:/opt/openclaw/workspace/EVALSSKILLS.MD
scp 11_WEBSITE_AGENT.md      root@31.220.18.167:/opt/openclaw/workspace/WEBSITESKILLS.MD
scp 12_COST_AGENT.md         root@31.220.18.167:/opt/openclaw/workspace/COSTSKILLS.MD
scp 13_MEETING_AGENT.md      root@31.220.18.167:/opt/openclaw/workspace/MEETINGSKILLS.MD

Universal SOUL File Template

SOUL_TEMPLATE.MD

# [AGENT_NAME]SKILLS — [Agent Title]
# OpenClaw Agent Skill File | OrbitumAI
# Agent ID: [agent-id] | Model: openai/gpt-4.1-mini | v2026.3.24+

## IDENTITY
You are [Persona Name] — OrbitumAI's [role].
North star: [One sentence mission aligned to ORBIT Framework]

## OPERATING MODE
[Describe modes: Research / Advise / Execute or similar]

## CORE CAPABILITIES
[List specific tasks this agent performs]

## INTEGRATION REFERENCES
| Integration | Credential | Purpose |
|---|---|---|
| [Service] | $env.[VAR_NAME] | [What it does] |

## WORKFLOW ROUTING
Receives from: [upstream agents]
Routes to: [downstream agents]
Governance: SECURITY_AGENT, EVALS_AGENT, COST_AGENT

## PROTECTED CONTACTS — NEVER ACTION THESE
Riddhi, Ranjita, Rahul, Uttama, Jaydeep, Medha, Gudia

## WHAT YOU MUST NEVER DO
- Never execute without Shuv approval where required
- Never store credentials in this file
- Never invent client results or outcome guarantees
- Never contact protected contacts above

*OrbitumAI | [AGENT]SKILLS.MD | v2026.3.24+ | CONFIDENTIAL*

AWS Hosting Alternative

Same Docker Compose architecture on EC2 — S3 for SOUL files, Secrets Manager for credentials

🖥️

EC2 — Compute

t3.medium minimum (2 vCPU, 4GB RAM). t3.large recommended for all 13 agents in production.

🗄️

S3 — Storage

Store SOUL.md files, workflow exports, meeting transcripts, and config backups.

🔐

Secrets Manager

Replace Portainer env vars with AWS Secrets Manager for production-grade credential management.

🌐

Route 53 + ACM

DNS management and free SSL certificates — replaces NPM Let's Encrypt for AWS deployments.

EC2 Setup Commands

SSH — Ubuntu 24.04

# Security Group inbound: 22 (your IP), 80, 443 — block 18789
ssh -i your-key.pem ubuntu@your-ec2-ip

curl -fsSL https://get.docker.com | sh
apt install docker-compose-plugin -y
usermod -aG docker ubuntu

mkdir -p /opt/openclaw/config /opt/openclaw/workspace
mkdir -p /opt/n8n/data /opt/portainer/data /opt/umami/data
chmod 755 /opt/openclaw/config /opt/openclaw/workspace

AWS Secrets Manager Pattern

CLI

aws secretsmanager create-secret \
  --name "orbitumai/production" \
  --secret-string '{
    "ANTHROPIC_API_KEY":"sk-ant-...",
    "OPENAI_API_KEY":"sk-...",
    "CAL_API_KEY":"...",
    "GMAIL_REFRESH_TOKEN":"...",
    "RESEND_API_KEY":"re_..."
  }'

Security Hardening

Completed and pending security tasks for production deployment

Task	Priority	Status	Where
OpenClaw 5-point hardening	HIGH	✅ Done	OpenClaw Chat
Block port 18789 externally	HIGH	✅ Done	UFW + iptables
Docker UFW bypass fix	HIGH	✅ Done	DOCKER-USER chain
Rotate gateway auth token	MEDIUM	✅ Done	SSH Terminal
Fix file permissions	MEDIUM	⏳ Pending	SSH Terminal
Install Fail2Ban	MEDIUM	⏳ Pending	SSH Terminal
Remove port 8080	MEDIUM	⏳ Pending	SSH Terminal

Pending: Fix File Permissions

SSH

chmod 700 /opt/openclaw/config
chmod 600 /opt/openclaw/config/openclaw.json
chmod 600 /opt/openclaw/config/agents/main/agent/auth-profiles.json

Pending: Install Fail2Ban

SSH

apt install fail2ban -y
systemctl enable fail2ban && systemctl start fail2ban
fail2ban-client status

Monthly Security Audit

Portainer → openclaw → Console

openclaw security audit
openclaw security audit --deep
openclaw security audit --fix

Downloads

All configuration files — generated and ready to use

openclaw.json

Master OpenClaw config — 13 agents, global fallbacks, security hardening

docker-compose-openclaw.yml

Full OpenClaw Docker Compose for Portainer

docker-compose-n8n.yml

N8N Docker Compose with all required env var bindings

SOUL_TEMPLATE.MD

Universal agent SOUL file template

portainer-env-vars.txt

All Portainer environment variables for both stacks

scp-upload-all.ps1

PowerShell script to upload all SOUL files to VPS

antigravity-prompts.md

All 4 ORBITARIA workflow prompts — copy-paste into Antigravity

aws-iam-policy.json

Minimum-privilege IAM policy for OrbitumAI agents on AWS