
LaunchThatBot
Sole Developer & Architect
Full-stack platform for deploying, monitoring, and managing AI agents on dedicated infrastructure. Provisions Hetzner/DigitalOcean servers via cloud-init, installs Docker + Portainer + OpenClaw gateway containers, configures Cloudflare tunnels for edge security, and connects self-hosted instances back to the platform via a WebSocket relay. Includes managed AI chat (MiniMax), Convex OAuth for linking user projects, and GitHub App integration for agent code sync.
Runtime instances, infra servers, deployments, agents, channels, projects, Convex sync
hello, ack, error, heartbeat, inbound.user, outbound.delta, outbound.final, tool.progress
Hetzner Cloud and DigitalOcean with extensible adapter pattern
Discord, LaunchMail email, GitHub, direct WebSocket
The Problem
Teams deploying AI agents often lack the DevOps expertise to do it securely. Hardening infrastructure, managing credentials, monitoring deployments, and connecting self-hosted instances to a central platform becomes a full-time job that distracts from actually building the agents.
The Solution
Built a platform where deploying an AI agent provisions a full server via Hetzner/DO APIs with cloud-init. The script installs Docker, Portainer CE, and the OpenClaw gateway, configures UFW + fail2ban, and optionally sets up Cloudflare tunnels. Self-hosted instances connect back to the platform via a WebSocket relay with a JSON message protocol (hello, heartbeat, inbound.user, outbound.delta, tool.progress).
Technical Decisions
Key architecture decisions and their outcomes
Cloud-init over Ansible for server provisioning
Needed to provision servers from Convex actions without SSH access from the serverless runtime.
Used cloud-init user_data scripts passed to Hetzner/DO create-server APIs. The script installs Docker, Portainer, OpenClaw gateway, and security hardening in one boot.
Fully automated provisioning from Convex with zero SSH required. Servers come up ready-to-use.
WebSocket relay for self-hosted ↔ platform communication
Self-hosted OpenClaw instances run behind firewalls. Platform needs bidirectional real-time communication.
Built a WebSocket relay service. Self-hosted instances connect with role:openclaw, and the browser UI connects with role:ui. Session keys align connections.
NAT-friendly, firewall-friendly bidirectional communication. No port forwarding required on the self-hosted side.
Encrypted credentials in Convex
Broker tokens, SSH keys, and API keys must be stored securely in the database.
All sensitive fields stored as ciphertext (tokenCiphertext, sshPrivateKeyCiphertext). Decrypted only in Convex actions at point of use.
Credentials never exposed in query results. Security policy enforced at the data layer.
Engineering Details
- Server provisioning workflow: Convex action → provider API (Hetzner/DO) → cloud-init script → Docker + Portainer + OpenClaw + security hardening
- WebSocket relay protocol: JSON messages with type discriminator (hello, heartbeat, inbound.user, outbound.delta, tool.progress)
- Session key alignment: agent:{agentId}:launchthatbot:project:{projectId}:thread:{threadId}
- Infra state machine: create_server → wait_server_ready → verify_heartbeat with lease tracking
- Agent trajectory logging: step-level tool call recording with latency, token count, and success/failure per step
- Multi-agent planning: context summarization and routing for hand-off between specialized agents (code, deploy, debug)
- Guardrails: input sanitization against prompt injection, output filtering for PII, confidence-gated responses
- Convex HTTP surface: /api/openclaw/ingest/events, /api/openclaw/instances/{id}/heartbeat, /api/openclaw/ws/presence
- Managed AI: MiniMax OpenAI-compatible API with configurable base URL and model selection
- Multi-channel: Discord bot connections, email via LaunchMail, GitHub App code sync, direct WebSocket
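One way a relay could gate incoming frames using the message types, roles and session key format listed above, as an added example that is not LaunchThatBot's own code. The field names `type`, `role` and `sessionKey`, the id character set, the frame size cap and the `RelayGate` class are assumptions.

```typescript
// Added example. Field names (type, role, sessionKey), the id character set and
// the frame size cap are assumptions; type and role names come from the page.
const MESSAGE_TYPES = new Set(["hello", "ack", "error", "heartbeat",
  "inbound.user", "outbound.delta", "outbound.final", "tool.progress"]);
const ROLES = new Set(["openclaw", "ui"]);
const MAX_FRAME_CHARS = 64 * 1024;
// agent:{agentId}:launchthatbot:project:{projectId}:thread:{threadId}
// Ids exclude ':' so a crafted id cannot shift the segments.
const SESSION_KEY_RE = new RegExp("^agent:([\\w-]{1,64}):launchthatbot" +
  ":project:([\\w-]{1,64}):thread:([\\w-]{1,64})$");

type Verdict = { ok: true; type: string } | { ok: false; reason: string };
type Conn = { role: string; sessionKey: string };
const deny = (reason: string): Verdict => ({ ok: false, reason });
const allow = (type: string): Verdict => ({ ok: true, type });

function parseSessionKey(key: unknown) {
  const m = typeof key === "string" ? SESSION_KEY_RE.exec(key) : null;
  return m ? { agentId: m[1]!, projectId: m[2]!, threadId: m[3]! } : null;
}

class RelayGate {
  private conns = new Map<string, Conn>(); // relay-assigned connId -> hello state

  // Validate one raw text frame. This checks shape only: the session key is an
  // identifier, so the relay must authenticate the connection separately.
  accept(connId: string, raw: string): Verdict {
    if (raw.length > MAX_FRAME_CHARS) return deny("frame too large");
    let msg: any;
    try { msg = JSON.parse(raw); } catch { return deny("invalid JSON"); }
    if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return deny("not an object");
    if (typeof msg.type !== "string" || !MESSAGE_TYPES.has(msg.type)) return deny("unknown type");
    const conn = this.conns.get(connId);
    if (conn) return msg.type === "hello" ? deny("duplicate hello") : allow(msg.type);
    if (msg.type !== "hello") return deny("hello required first");
    if (typeof msg.role !== "string" || !ROLES.has(msg.role)) return deny("bad role");
    if (!parseSessionKey(msg.sessionKey)) return deny("bad session key");
    this.conns.set(connId, { role: msg.role, sessionKey: msg.sessionKey });
    return allow("hello");
  }

  // Connections of the opposite role that presented the same session key.
  peers(connId: string): string[] {
    const me = this.conns.get(connId);
    const out: string[] = [];
    if (me) this.conns.forEach((c, id) => {
      if (id !== connId && c.sessionKey === me.sessionKey && c.role !== me.role) out.push(id);
    });
    return out;
  }
}
```

Frames are forwarded only to `peers()` of a connection that has passed `accept()`, so an unknown type, a second hello or a malformed session key is rejected before any routing happens.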
Key Highlights
- One-click server provisioning via Hetzner Cloud / DigitalOcean APIs with cloud-init
- Docker + Portainer CE + OpenClaw gateway deployed automatically
- WebSocket relay: self-hosted instances connect with JSON protocol (hello/heartbeat/delta/tool.progress)
- Cloudflare tunnel integration for zero-exposure edge security
- UFW + fail2ban + SSH hardening in production_hardened profile
- Encrypted credentials at rest (tokenCiphertext, sshPrivateKeyCiphertext)
- Managed AI chat via MiniMax (OpenAI-compatible API)
- Agent trajectory logging with step-level tool call recording for evaluation and debugging
- Multi-agent planning with context summarization for hand-off between specialized agents
- Guardrails layer with input sanitization, output filtering, and PII redaction
- Convex OAuth for linking user projects + GitHub App integration for code sync