workers-openclaw-vpc

Problem

Expose private OpenClaw services to authenticated control clients without opening internal infrastructure broadly.

Architecture

• Edge proxy entrypoint
  • All traffic enters through Workers routing layer.
• Zero-trust authentication
  • Per-request token validation before forwarding.
• VPC-aware routing
  • Policy-driven hostname + path resolution for private upstreams.
• Rate limiting and abuse controls
  • Conservative defaults at edge and circuit-breaker behavior on failure.
• Response hardening
  • Header sanitation and consistent error contracts.

Technical Details

• Split request path into control-plane versus data-plane actions.
• Strong validation of method/path/headers before any backend call.
• Retry/timeout budgets tuned to avoid thread exhaustion when upstream is degraded.
• Logging at ingress with minimal PII, plus trace IDs for cross-layer debugging.

Engineering Tradeoffs

• Edge compute is cheap and globally distributed, but debugging distributed network policy requires strong trace correlation.
• JWT verification at edge reduces backend load, but key rotation must be carefully synchronized.

Code

• Primary source: https://github.com/jpatel98/workers-openclaw-vpc (private/experimental path in this portfolio context)
• Alternate public analogue/reference: https://github.com/harshil1712/workers-openclaw-vpc