System Architecture
System Overview
+-------------------------------------+
| HEADLESS MODE |
| AI-Built • AI-Documented |
+-------------------------------------+
|
+----------+----------+-----------+----------+-----------+----------+
| | | | | | |
v v v v v v v
+--------+ +-------+ +--------+ +--------+ +---------+ +----------+ +--------+
| AI | |CONTENT| |PUBLISH | |SECURITY| |PIPELINES| |CONTAINERS| |GOVERNCE|
| AGENTS | | | | | | | | | | | | |
| OClw GW| |Journal| | Hugo | |Ctnr Hdn| |Predict. | | Docker | |5 Layers|
| Opus | |$whatis| | CF | |SOPS/age| |News | | Sandbox | |lib-vfy |
| Sonnet | |$map | | GH Act | |Auto-Upg| |Prometh. | | Buddy | |lib-harm|
| Plugins| |$whoami| | CI/CD | |Sec Scan| |Cassndr | | SOPS | |Pre-comm|
| Skills | | | | | |Pre-comm| |OC Cron | | | | |
+--------+ +-------+ +--------+ +--------+ +---------+ +----------+ +--------+
| | | | | | |
+----------+----------+-----------+----------+-----------+----------+
|
+-------------------------------------+
| INFRASTRUCTURE |
| WSL2 • Docker • Ubuntu • Node • Py |
+-------------------------------------+
Layer Breakdown
| Layer | Purpose | Status |
|---|---|---|
| AI Agents | Development, automation, orchestration via OpenClaw with skills and plugins | Active |
| Content | Technical writing, prediction tracking, architecture docs | Active |
| Publishing | Static site generation, CI/CD, CDN deployment | Active |
| Security | Container hardening, SOPS encryption, auto-patching, pre-commit enforcement, post-deploy scanning | Active |
| Pipelines | Prediction extraction, news intelligence, model tracking, overnight cron automation | Active |
| Containers | Docker orchestration, dev sandbox, Buddy dashboard, encrypted secrets | Active |
| Governance | Workspace layers, foundation libraries, compliance testing | Active |
| Infrastructure | WSL2 runtime, Docker, language runtimes, system services | Active |
Core Components
AI Agent Layer
OpenClaw Gateway Orchestrates AI interactions across Telegram, CLI, and VS Code. Handles session routing, channel-specific formatting, and heartbeat monitoring.
Status: Operational | Port: 18789 | Deep-dive: Configuring AI Agents →
Claude Opus 4.6 Primary reasoning model for complex tasks, architecture decisions, and long-form analysis. Used for main session interactions.
Status: Active | Provider: Anthropic
Claude Sonnet 4.6 Fast model for bulk operations, code generation, and pipeline tasks. Used for prediction extraction and background jobs.
Status: Active | Provider: Anthropic
Governance Hooks Pre-execution validation, access controls, task registry for conflict prevention, and audit logging. Prevents destructive operations.
Status: Operational | Deep-dive: Configuring AI Agents →
OpenClaw Skills Library 26 task-specific skills for structured AI operations: code review, testing, deployment, documentation, and pipeline management.
Status: Active | Skills: 26
OpenClaw Extensions 6 plugins: 4 enforcement extensions that add governance layers to agent operations (governance-enforcement, webserver-enforcement, sandbox-exec, cron-circuit-breaker) plus the Telegram and Discord channel plugins.
Status: Active | Plugins: 6
Telegram Bridge Routes Telegram messages to OpenClaw gateway with task dispatch commands (/approve, /reject, /run, /sync) and chat routing to Buddy Core.
Status: Active | Integration: OpenClaw native Telegram
Claude Code Permissions Framework Scoped permission allowlists with 90-day expiration. Controls which operations agents can perform, auto-revokes stale grants.
Status: Active | Expiry: 90-day rotation
Content Layer
Journal System Technical blog posts documenting architecture decisions, AI model releases, and accountability tracking. Hugo-based with custom shortcodes.
Status: Active | Posts: 7 published
$whatis (AI Prediction Tracker) 40+ timeline entries tracking AI releases and predictions. Scorecard system rates predictions as correct, wrong, or pending. AI watching AI.
Status: Active | Deep-dive: Watching the Watchers →
$map (System Architecture) This page. Self-documenting architecture with version history. Every meaningful change tracked and linked to its journal post.
Status: Active | You are here
Publishing Layer
Hugo Static Site Fast, secure static site generation. Custom theme with 3 modes (SYS/MTX/PIP). Markdown source, HTML output. Terminal-aesthetic design.
Status: Production | Theme: headlessmode (custom)
Cloudflare Pages Global CDN deployment. Automatic SSL, edge caching, DDoS protection. Static files only: Cloudflare never runs a build; CI builds the site and uploads the output.
Status: Production | Domain: headlessmode.com
GitHub Actions CI/CD Org-level self-hosted runner serving 5 repositories. Headlessmode: 13-step deploy pipeline. Workspaces monorepo: 18-job CI (Python quality/tests, governance, lifecycle, permissions). BTB: 6-job test matrix.
Status: Production | Repos: 5 | Runner: Self-hosted
Security Layer
Container Hardening All containers run with cap_drop ALL, no-new-privileges, and memory and PID limits. Ports are bound to 127.0.0.1 only, so no container port is reachable from outside the host.
Status: Active | Containers: 4
Unattended Upgrades Automatic security patch installation. Critical and security updates applied without manual intervention.
Status: Active | Scope: Security updates
Staging Gate / Content Throttle Automated backlog detection for nightly content generation. Counts READY files per staging category against configurable thresholds, throttling new content when backlogs exceed limits.
Status: Active | Categories: 10
WSL2 Network Isolation WSL2 NAT networking with Windows Firewall as the perimeter. All Docker ports are bound to 127.0.0.1, so no service is reachable from other machines; WSL2's default localhost forwarding still makes them reachable from the Windows host itself, and only from there. Container network isolation adds a second layer of defense.
Status: Active | Binding: localhost-only
Buddy Core Authentication Bearer-token authentication middleware on all API endpoints; only the /health and /ready probes skip it. The token is supplied and rotated through environment variables.
Status: Active | Endpoints: Secured
Post-Deploy Security Audit Security scanner for static sites with no dependencies beyond bash, curl and openssl. Checks security headers, exposed paths, PII leaks, secrets in shipped JavaScript, and TLS certificate validity. 43 assertions across 29 test cases.
Status: Active | Integration: GitHub Actions post-deploy
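The header checks are the part of such a scanner that is easy to get subtly wrong (accepting any HSTS header regardless of max-age, or treating a missing X-Frame-Options as a failure when CSP frame-ancestors already covers it). The audit below is an added example, not the project's bash/curl/openssl scanner; it parses the output of `curl -sI` and applies a header policy whose thresholds (180-day HSTS minimum, the accepted clickjacking defenses) are the editor's assumptions. The sample response is constructed, not captured from any real host.

```python
"""Security-header audit over a captured HTTP response (added example; not the
project's own scanner). Header policy and thresholds are assumptions.
Usage:  curl -sI https://your-site/ | python header_audit.py -"""
import re
import sys

HSTS_MIN_AGE = 15552000   # 180 days; assumed minimum

# Constructed sample shaped like `curl -sI` output. Not from any real host.
SAMPLE_RESPONSE = """HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
server: cloudflare
"""


def parse_response_headers(raw: str) -> dict[str, str]:
    """Map lowercase header name -> value; stops at the blank line ending the block."""
    headers: dict[str, str] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:                 # lines[0] is the status line
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_security_headers(headers: dict[str, str]) -> list[str]:
    """Return findings; an empty list means every check passed."""
    findings: list[str] = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age below {HSTS_MIN_AGE}: {hsts}")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options must be 'nosniff'")
    csp = headers.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    xfo = headers.get("x-frame-options", "").upper()
    # Either defense is acceptable; only flag when neither is present.
    if "frame-ancestors" not in csp and xfo not in {"DENY", "SAMEORIGIN"}:
        findings.append("no clickjacking protection (CSP frame-ancestors or X-Frame-Options)")
    if "referrer-policy" not in headers:
        findings.append("missing Referrer-Policy")
    # Version strings in Server / X-Powered-By are free reconnaissance.
    for name in ("server", "x-powered-by"):
        value = headers.get(name, "")
        if re.search(r"\d+\.\d+", value):
            findings.append(f"{name} header leaks a version: {value}")
    return findings


if __name__ == "__main__":
    raw = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_RESPONSE
    findings = audit_security_headers(parse_response_headers(raw))
    for finding in findings:
        print("FAIL", finding)
    print("PASS" if not findings else f"{len(findings)} finding(s)")
```

In a post-deploy job the findings list becomes the exit status, and the constructed sample shows the typical gap: a site can carry a strong HSTS policy and still ship without a Content-Security-Policy.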
Pre-commit Governance 12 pre-commit hooks enforcing code quality and workspace rules: ruff linting/formatting, file hygiene (trailing whitespace, EOF, merge conflicts), format validation (YAML, JSON, TOML), large file and private key detection, governance compliance tests, and cross-brand import detection.
Status: Active | Hooks: 12
Pipeline Layer
Prediction Extraction Pipeline LLM-first extraction of falsifiable AI predictions from YouTube transcripts. 850+ transcripts, 20 channels monitored. Structured output with confidence scoring.
Status: Active | Transcripts: 850+ | Channels: 20
Social Media Pipeline Platform-optimized content distribution to X, Facebook, Threads. Auto-generates social copy from journal posts. Link-in-reply strategy.
Status: Active | Generator: generate_social_csv.py
SEO Management Meta optimization, keyword tracking, description validation. Integrated with CI pipeline for pre-deploy checks.
Status: Active | Integration: GitHub Actions
News Intelligence Pipeline (Sentinel) AI-driven news aggregation and intelligence extraction. Filters signal from noise across AI industry sources, generates daily digests.
Status: Active | Codename: AI Sentinel
Prometheus (Model Evolution Tracker) Tracks AI model releases across providers with version history, capability deltas, and benchmark comparisons. Forecasting layer predicts release timelines, scaling trajectories, and capability evolution.
Status: Active | Capabilities: Registry, benchmarks, forecasting
Cassandra (Predictions Manager) Lifecycle management for AI predictions. Tracks status transitions (pending → correct/wrong), source attribution, and confidence calibration. Validation layer auto-scores predictions via news monitoring and event matching.
Status: Active | Capabilities: Lifecycle, validation, forecasting
Nightly Automation Runner OpenClaw-orchestrated overnight automation: 14 cron jobs (8 daily + 1 weekday + 5 weekly) covering infrastructure health, code analysis, content generation, feature discovery, testing, morning briefings, CI repair, security audits, prediction updates, feedback synthesis, and permissions expiry checks. Circuit breaker extension auto-disables jobs after consecutive failures.
Status: Active | Jobs: 14 (8 daily + 1 weekday + 5 weekly) | Staging Gate: Content throttle enabled
GoMoveShift Video Pipeline Unified video orchestrator: stop detection, Metricool CSV export, render management, and timeline archival for DaVinci Resolve to published content.
Status: Production | Integration: svc-gomoveshift-video
GoMoveShift GPS Journeys GPS journey processing: GPX parsing, geocoding, Google Photos integration, and Hugo content generation. 52/52 tests passing with location accuracy enforcement.
Status: Active | Tests: 52/52
GoMoveShift Content Pipeline Analytics-driven social media content generation from YouTube/TikTok data. 6 proven post variations. Metricool CSV scheduling for multi-platform distribution.
Status: Active | Post Types: 6
CI Self-Repair Automated CI failure detection and safe fix loop. Scans GitHub Actions for failures, applies deterministic fixes (ruff auto-format), sends Telegram approval requests before committing. No unreviewed commits ever reach the repo.
Status: Active | Schedule: Daily 7:00 AM | Gate: Telegram approval required
Weekly Security Audit LLM-driven vulnerability scanning across all active repositories. Multi-pass analysis for injection risks, exposed secrets, missing auth, and dependency issues. Severity-triaged reports to Telegram.
Status: Active | Schedule: Weekly (Sunday)
Multi-Provider AI Routing Routes AI requests to the correct provider: Anthropic models via OpenClaw gateway (Claude Code subscription), OpenAI/Meta models via GitHub Models API. Enables genuine multi-model workflows where different providers handle different tasks.
Status: Active | Providers: Anthropic, OpenAI, Meta
Night Watch Overnight code analysis agent using Claude Code to detect bugs, technical debt, and missing tests across the entire workspace. Docker-isolated with read-only mounts.
Status: Planning
Passive Health Tracker GPS tracks, biometrics, and context data collection for personal insights, blog content, and data products. Local JSONL storage with AES-256 encryption.
Status: Planning
Containerization Layer
Docker Compose Orchestration Docker Compose orchestrates 4 containers: gateway, sandbox, dashboard, and Buddy Core. All hardened: cap_drop ALL, no-new-privileges, memory and PID limits. Isolated bridge network.
Status: Production | Running: 4 containers
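The hardening controls listed here and under the Security layer are easiest to keep honest as config invariants that a test can fail on, which is the kind of check the lib-security governance suite runs. The audit below is an added example, not the project's compose file or its tests: two constructed service definitions (a default one and a hardened one) are expressed as Python dicts mirroring Compose YAML keys so the check runs without PyYAML, and the checker walks every service for cap_drop ALL, no-new-privileges, memory and PID limits, loopback-only port bindings, and two settings that would silently undo the rest (privileged: true and network_mode: host). The image name and limit values are assumptions.

```python
"""Compose hardening invariants (added example; not the project's compose file
or its lib-security tests). Services are constructed dicts mirroring Compose
YAML keys; image names and limits are assumptions."""

# What a default compose service looks like: every control missing, port on 0.0.0.0.
WEAK_SERVICE = {
    "image": "buddy-core:latest",
    "ports": ["5050:5050"],
}

# The controls this page lists, plus read_only as a common companion.
HARDENED_SERVICE = {
    "image": "buddy-core:latest",
    "ports": ["127.0.0.1:5050:5050"],
    "cap_drop": ["ALL"],
    "security_opt": ["no-new-privileges:true"],
    "mem_limit": "512m",
    "pids_limit": 256,
    "read_only": True,
}

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def port_host_ip(mapping) -> str:
    """Host address a compose `ports` entry binds to; '' means all interfaces."""
    if isinstance(mapping, dict):                       # long syntax
        return str(mapping.get("host_ip", ""))
    text = str(mapping)
    if text.startswith("["):                            # [::1]:5050:5050
        return text[1:text.index("]")]
    parts = text.split(":")                             # [HOST_IP:]HOST:CONTAINER[/proto]
    return parts[0] if len(parts) == 3 else ""


def audit_service(name: str, svc: dict) -> list[str]:
    """Return one finding per violated invariant; an empty list means hardened."""
    findings = []
    if "ALL" not in {str(c).upper() for c in svc.get("cap_drop", [])}:
        findings.append(f"{name}: cap_drop does not include ALL")
    nnp = [o for o in svc.get("security_opt", [])
           if str(o).startswith("no-new-privileges") and not str(o).endswith(":false")]
    if not nnp:
        findings.append(f"{name}: security_opt lacks no-new-privileges")
    if svc.get("privileged"):
        findings.append(f"{name}: privileged: true defeats every other control")
    swarm_mem = svc.get("deploy", {}).get("resources", {}).get("limits", {}).get("memory")
    if not svc.get("mem_limit") and not swarm_mem:
        findings.append(f"{name}: no memory limit")
    if not svc.get("pids_limit"):
        findings.append(f"{name}: no pids_limit (fork bombs unbounded)")
    if svc.get("network_mode") == "host":
        findings.append(f"{name}: network_mode host bypasses the bridge network")
    for mapping in svc.get("ports", []):
        host_ip = port_host_ip(mapping)
        if host_ip not in LOOPBACK:
            findings.append(f"{name}: port {mapping!r} bound to {host_ip or 'all interfaces'}")
    return findings


def audit_compose(compose: dict) -> list[str]:
    """Audit every service in a parsed compose document."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        findings.extend(audit_service(name, svc or {}))
    return findings


if __name__ == "__main__":
    compose = {"services": {"weak": WEAK_SERVICE, "hardened": HARDENED_SERVICE}}
    for line in audit_compose(compose) or ["all services pass"]:
        print(line)
```

Loading the real file is a matter of `yaml.safe_load(open("docker-compose.yml"))` in place of the constructed dict; running the audit as a pre-commit hook or CI step turns "all containers are hardened" from a documentation claim into a test that fails the moment someone adds a fifth service without the controls.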
Dev Sandbox Multi-runtime isolated development container. Python 3.12, Node.js 22, Hugo, ML stack, Chromium, ffmpeg. Sandbox API for safe code execution.
Status: Active | Port: 9500
Buddy Dashboard Flask-based second-brain UI. Memory curation, automation monitoring, news digests. 2,500+ memories indexed with quality scoring and deduplication.
Status: Active | Port: 5050 | Memories: 2,500+
SOPS Encrypted Secrets Mozilla SOPS with age encryption for all secrets. Decrypted values live in tmpfs only and are never written to persistent storage (tmpfs pages can still be swapped out, so swap on the host should be disabled or encrypted). Zero plaintext secrets in repos.
Status: Active | Pattern: tmpfs-only decryption
Governance Layer
Workspace Layer System Five-layer workspace hierarchy: _governance (rules), _foundation (shared libs), _active (services), _archive (retired), _experiments (sandbox). Enforced by pre-commit hooks.
Status: Active | Layers: 5
lib-verification Foundation library for compliance testing. Validates workspace structure, enforces naming conventions, checks governance policy adherence across all active services.
Status: Active | Layer: _foundation
lib-harmonia Shared foundation library providing common utilities, configuration patterns, and cross-service helpers. Single source of truth for shared logic.
Status: Active | Layer: _foundation
lib-athena Living documentation system for the workspace ecosystem. Interactive dashboard with metrics, dependency mapping, and architecture visualization across 15+ projects.
Status: Active | Layer: _active
lib-process-tracker Universal progress tracking for long-running pipelines. Zero external dependencies. JSON state persistence with throttled writes. Used by GoMoveShift video pipeline.
Status: Active | Layer: _active
lib-scripts Shared shell scripts for workspace-wide operations: release validation, deployment checks, and CI utilities.
Status: Active | Layer: _active
lib-mcp-lab Automation tools with strict dependency isolation: stop-motion detection (OpenCV), LLM observer with Mermaid visualization, and video analysis web interface.
Status: Development | Layer: _active
lib-dev-journal Development journal and portfolio content repository. Markdown-based collection for technical blog posts and project documentation.
Status: Active | Layer: _active
lib-security OpenClaw governance test suite validating plugin enforcement, config invariants, sandbox isolation, and process lifecycle. 54 tests ensuring the agent stays within its guardrails.
Status: Active | Layer: _active | Tests: 54
Ouroboros Recursively self-improving system for Claude Code. Debate engine (proposer/critic/judge), adversarial rulebook, amnesia manager, and fork manager for parallel approach comparison.
Status: Development | Layer: _active
Technology Stack
Core Infrastructure
| Technology | Purpose | Version/Notes |
|---|---|---|
| WSL2 | Linux runtime on Windows | Ubuntu 24.04.3 LTS |
| Hugo | Static site generator | Extended edition |
| Node.js | Build tooling, OpenClaw runtime | v22.x |
| Python | Automation, pipelines, extraction | 3.12 |
| Git | Version control | Per-project repos |
AI & Automation
| Technology | Purpose | Notes |
|---|---|---|
| Claude Opus 4.6 | Primary reasoning model | Complex tasks, architecture |
| Claude Sonnet 4.6 | Fast model | Bulk extraction, code gen |
| OpenClaw | Agent orchestration | Gateway + Telegram + CLI |
| OpenClaw Skills | Task-specific operations | 26 structured skills |
| OpenClaw Extensions | Enforcement plugins | 6 plugins (4 enforcement + 2 channel) |
| Claude Code | VS Code integration | Permission allowlists |
| Anthropic API | LLM access | Via OpenClaw gateway |
| GitHub Models API | OpenAI/Meta model access | Multi-provider routing |
Containerization
| Technology | Purpose | Notes |
|---|---|---|
| Docker Compose | Container orchestration | 4 compose services |
| Dev Sandbox | Isolated development runtime | Python, Node, Hugo, ML, Chromium |
| SOPS + age | Secret encryption | tmpfs-only decryption |
| Sandbox API | Safe code execution | Port 9500 |
Governance
| Technology | Purpose | Notes |
|---|---|---|
| Workspace Layers | 5-tier project hierarchy | _governance → _experiments |
| lib-verification | Compliance testing | Foundation library |
| lib-harmonia | Shared utilities | Foundation library |
| lib-security | Governance test suite | 54 tests: plugins, config, sandbox |
| Pre-commit hooks | Code quality enforcement | 12 hooks: lint, hygiene, governance |
| Permissions Framework | Scoped agent permissions | 90-day expiration |
Security
| Technology | Purpose | Notes |
|---|---|---|
| Container Hardening | cap_drop ALL, no-new-privileges | All 4 containers |
| unattended-upgrades | Auto security patches | Enabled |
| SOPS + age | Secret encryption | tmpfs-only decryption |
| WSL2 Network Isolation | localhost-only binding | Windows Firewall perimeter |
| Staging Gate | Content throttle | 10 categories monitored |
| OpenClaw Governance | Agent access controls | Pre-exec validation |
Deployment & Hosting
| Technology | Purpose | Notes |
|---|---|---|
| GitHub Actions | CI/CD pipelines | 13-step validation |
| Cloudflare Pages | Static hosting + CDN | Wrangler direct upload |
| Cloudflare | DNS, SSL, security | DDoS protection |
Content & Publishing
| Technology | Purpose | Notes |
|---|---|---|
| Markdown | Content authoring | YAML frontmatter |
| Tailwind CSS | Styling | CDN, JIT |
| JetBrains Mono | Typography | Monospace theme |
| 3 Theme Modes | Visual variety | SYS / MTX / PIP |
Pipelines & Data
| Technology | Purpose | Notes |
|---|---|---|
| youtube-transcript-api | Transcript download | Proxy-rotated |
| Prediction Extractor | LLM-based extraction | Claude Sonnet |
| AI Sentinel | News intelligence pipeline | Daily digests |
| Prometheus | Model evolution + forecasting | Registry, benchmarks, release prediction |
| Cassandra | Predictions lifecycle + validation | Auto-scoring, event matching, confidence |
| OpenClaw Cron | 14 jobs (8 daily + 1 weekday + 5 weekly) | Circuit breaker extension |
| Social CSV Generator | Multi-platform social | X, FB, Threads |
| SEO Manager | Meta optimization | CI-integrated |
Monitoring & Analytics
| Technology | Purpose | Notes |
|---|---|---|
| Google Analytics | Traffic analytics | GA4 |
| Lighthouse CI | Performance audits | GitHub Actions |
| htmltest | Link validation | CI integration |
Architecture Principles
- Static over dynamic: pre-built HTML, no server-side processing
- AI-assisted, human-approved: automation with governance gates
- Build in public: document decisions as they happen
- Security by default: auto-patching, container hardening, localhost-only binding, SOPS encryption
- Track everything: predictions tracked, architecture versioned, changes documented
- Governance at every layer: workspace rules, pre-commit hooks, permission scoping, and compliance testing from foundation to deployment
- Secrets never at rest in plaintext: SOPS-encrypted, tmpfs-only decryption, zero plaintext in repos
- Brand isolation: cross-brand imports detected and blocked, workspace boundaries enforced
Version History
Every meaningful architecture change, tracked. Each version links to the journal post explaining why.
Self-Governing Automation
The system learned to govern itself. Nightly automation expanded to 14 cron jobs with self-repair, security scanning, and permissions monitoring. Governance test suite hardened with 282 assertions. Multi-provider AI routing emerged. Forecasting capabilities added to intelligence layer.
Security Accuracy and Content Governance
Corrected security documentation to reflect WSL2 reality (container hardening, localhost-only binding, SOPS encryption as actual controls). Added Buddy Core as 4th container with auth middleware. Built staging gate content throttle system. Updated AI model references to Sonnet 4.6. Added 8 AI timeline entries and 13 component cards.
CI Pipeline Unification
Self-hosted GitHub Actions runner serving all repos. Full CI green across 5 repositories: BTB (6 jobs), workspaces monorepo (18 jobs including Python quality/tests, governance, lifecycle, permissions), gomoveshift-content-pipeline, mcp-lab, and headlessmode deploy.
Intelligence and Automation Layer
Prometheus model evolution tracker, Cassandra predictions lifecycle manager, AI Sentinel news pipeline, nightly automation runner, and OpenClaw skills and extensions.
Containerization and Workspace Governance
Docker Compose orchestration with hardened containers, five-layer workspace governance, SOPS encrypted secrets, pre-commit enforcement, and Buddy Dashboard deployment.
Prediction Extraction Pipeline
LLM-first pipeline extracting falsifiable AI predictions from 850+ YouTube transcripts across 20 channels. Weekly automation planned.
Frontier Model Integration
Integrated Claude Opus 4.6 and GPT-5.3-Codex into the development stack. Multi-model workflow with model-specific routing.
Security Hardening
Established WSL2 security posture with automated security updates, daily security audit system, and container hardening framework.
AI Prediction Tracking
Built the $whatis page with 40+ AI timeline entries and a prediction accountability scorecard. AI watching AI.
AI Agent Orchestration
Deployed OpenClaw as the AI gateway with multi-channel routing, task registry for conflict prevention, and governance hooks for agent security.
Initial Architecture
Hugo static site on Cloudflare Pages with GitHub Actions CI/CD. WSL2 development environment. Basic AI agent integration via Claude Code.