LaunchThatBot
Sole Developer & Architect
Full-stack platform for deploying, monitoring, and managing AI agents on dedicated infrastructure. Provisions Hetzner/DigitalOcean servers via cloud-init, installs Docker + Portainer + OpenClaw gateway containers, configures Cloudflare tunnels for edge security, and connects self-hosted instances back to the platform via a WebSocket relay. Includes managed AI chat (MiniMax), Convex OAuth for linking user projects, and GitHub App integration for agent code sync.
Runtime instances, infra servers, deployments, agents, channels, projects, Convex sync
hello, ack, error, heartbeat, inbound.user, outbound.delta, outbound.final, tool.progress
Hetzner Cloud and DigitalOcean with extensible adapter pattern
Discord, LaunchMail email, GitHub, direct WebSocket
The Problem
Teams deploying AI agents often lack the DevOps expertise to do it securely. Hardening infrastructure, managing credentials, monitoring deployments, and connecting self-hosted instances to a central platform becomes a full-time job that distracts from actually building the agents.
The Solution
Built a platform where deploying an AI agent provisions a full server via Hetzner/DO APIs with cloud-init. The script installs Docker, Portainer CE, and the OpenClaw gateway, configures UFW and fail2ban, and optionally sets up Cloudflare tunnels. Self-hosted instances connect back to the platform via a WebSocket relay with a JSON message protocol (hello, heartbeat, inbound.user, outbound.delta, tool.progress).
System Architecture

Technical Decisions
Key architecture decisions and their outcomes
Cloud-init over Ansible for server provisioning
Needed to provision servers from Convex actions without SSH access from the serverless runtime.
Used cloud-init user_data scripts passed to the Hetzner/DO create-server APIs. The script installs Docker, Portainer, and the OpenClaw gateway and applies security hardening in one boot.
Fully automated provisioning from Convex with zero SSH required. Servers come up ready to use.
WebSocket relay for self-hosted ↔ platform communication
Self-hosted OpenClaw instances run behind firewalls. Platform needs bidirectional real-time communication.
Built a WebSocket relay service. Self-hosted instances connect with role:openclaw, and the browser UI connects with role:ui. Session keys match the two connections to each other.
NAT-friendly, firewall-friendly bidirectional communication. No port forwarding required on the self-hosted side.
Encrypted credentials in Convex
Broker tokens, SSH keys, and API keys must be stored securely in the database.
All sensitive fields are stored as ciphertext (tokenCiphertext, sshPrivateKeyCiphertext) and decrypted only in Convex actions at the point of use.
Credentials never exposed in query results. Security policy enforced at the data layer.
Engineering Details
- Server provisioning workflow: Convex action → provider API (Hetzner/DO) → cloud-init script → Docker + Portainer + OpenClaw + security hardening
- WebSocket relay protocol: JSON messages with type discriminator (hello, heartbeat, inbound.user, outbound.delta, tool.progress)
- Session key alignment: agent:{agentId}:launchthatbot:project:{projectId}:thread:{threadId}
- Infra state machine: create_server → wait_server_ready → verify_heartbeat with lease tracking
- Convex HTTP surface: /api/openclaw/ingest/events, /api/openclaw/instances/{id}/heartbeat, /api/openclaw/ws/presence
- Managed AI: MiniMax OpenAI-compatible API with configurable base URL and model selection
- Multi-channel: Discord bot connections, email via LaunchMail, GitHub App code sync, direct WebSocket
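An added example, not LaunchThatBot's own code: one way a relay could validate each frame against the message types and session key layout listed above before forwarding it. The field names `type` and `sessionKey`, the per-role direction policy, the ID character set, and the sample IDs are assumptions.

```typescript
// Message types are the ones listed on the page; field names and policy below are assumptions.
const MESSAGE_TYPES = ["hello", "ack", "error", "heartbeat", "inbound.user",
  "outbound.delta", "outbound.final", "tool.progress"] as const;
type MessageType = (typeof MESSAGE_TYPES)[number];
type Role = "openclaw" | "ui";

// Assumed direction policy: which role may originate which type ("ack" is relay-only here).
const ALLOWED: Record<Role, ReadonlySet<MessageType>> = {
  ui: new Set<MessageType>(["hello", "heartbeat", "inbound.user"]),
  openclaw: new Set<MessageType>(["hello", "heartbeat", "error",
    "outbound.delta", "outbound.final", "tool.progress"]),
};

// Layout from the page: agent:{agentId}:launchthatbot:project:{projectId}:thread:{threadId}
// IDs are restricted to an assumed safe alphabet so a ":" cannot smuggle in extra segments.
const SESSION_KEY =
  /^agent:([A-Za-z0-9_-]+):launchthatbot:project:([A-Za-z0-9_-]+):thread:([A-Za-z0-9_-]+)$/;

function parseSessionKey(key: string): { agentId: string; projectId: string; threadId: string } | null {
  const m = SESSION_KEY.exec(key);
  return m ? { agentId: m[1]!, projectId: m[2]!, threadId: m[3]! } : null;
}

// Validate one raw frame from a connection whose role and session key were fixed at hello time.
function validateFrame(raw: string, role: Role, boundKey: string): { ok: boolean; reason: string } {
  const fail = (reason: string) => ({ ok: false, reason });
  let msg: unknown;
  try { msg = JSON.parse(raw); } catch { return fail("invalid_json"); }
  if (typeof msg !== "object" || msg === null || Array.isArray(msg)) return fail("not_object");
  const { type, sessionKey } = msg as { type?: unknown; sessionKey?: unknown };
  const known = MESSAGE_TYPES.find((t) => t === type);
  if (!known) return fail("unknown_type");
  if (!ALLOWED[role].has(known)) return fail("type_not_allowed_for_role");
  if (typeof sessionKey !== "string" || !parseSessionKey(sessionKey)) return fail("bad_session_key");
  // A frame may only address the session this connection was bound to.
  if (sessionKey !== boundKey) return fail("session_mismatch");
  return { ok: true, reason: "ok" };
}

// Constructed sample: a UI connection bound to one thread.
const SAMPLE_KEY = "agent:a1:launchthatbot:project:p1:thread:t1";
console.log(validateFrame(JSON.stringify({ type: "inbound.user", sessionKey: SAMPLE_KEY }), "ui", SAMPLE_KEY));
console.log(validateFrame(JSON.stringify({ type: "outbound.final", sessionKey: SAMPLE_KEY }), "ui", SAMPLE_KEY));
```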
Key Highlights
- One-click server provisioning via Hetzner Cloud / DigitalOcean APIs with cloud-init
- Docker + Portainer CE + OpenClaw gateway deployed automatically
- WebSocket relay: self-hosted instances connect with JSON protocol (hello/heartbeat/delta/tool.progress)
- Cloudflare tunnel integration for zero-exposure edge security
- UFW + fail2ban + SSH hardening in production_hardened profile
- Encrypted credentials at rest (tokenCiphertext, sshPrivateKeyCiphertext)
- Managed AI chat via MiniMax (OpenAI-compatible API)
- Convex OAuth for linking user projects + GitHub App integration for code sync