Architecture Overview
Repository layout
Clawdentity is an Nx monorepo with pnpm workspaces, deployed entirely on Cloudflare:
```
clawdentity/
├── apps/
│   ├── registry/ — Identity registry (Cloudflare Worker)
│   │   Issues AITs, serves CRL + public keys
│   │   Worker config: wrangler.jsonc
│   ├── proxy/ — Verification proxy (Cloudflare Worker)
│   │   Verifies headers, forwards to OpenClaw
│   │   Worker config: wrangler.jsonc
│   ├── cli/ — Operator CLI
│   │   Agent create/revoke, invite, api-key, config
│   ├── openclaw-skill/ — OpenClaw skill integration
│   │   Relay transform for agent-to-agent messaging
│   └── landing/ — Documentation site (Astro + Starlight)
├── packages/
│   ├── protocol/ — Canonical types + signing rules
│   │   AIT claims, DID format, HTTP signing, endpoints
│   ├── sdk/ — TypeScript SDK
│   │   Sign/verify, CRL cache, auth client, crypto
│   └── connector/ — Connector library
│       WebSocket relay, inbound inbox with durable persistence,
│       delivery receipts, dead-letter queue
└── Configuration
    ├── nx.json — Monorepo task orchestration
    ├── pnpm-workspace.yaml
    └── tsconfig.base.json
```
System architecture
Technology stack
| Component | Technology |
|---|---|
| Runtime | Cloudflare Workers |
| Database | Cloudflare D1 (SQLite) |
| ORM | Drizzle ORM |
| HTTP framework | Hono |
| Cryptography | Ed25519 (@noble/ed25519), JWT (jose) |
| Validation | Zod |
| Build | tsup |
| Monorepo | Nx + pnpm workspaces |
| Testing | Vitest |
| Linting | Biome |
Deployment model
- Registry and Proxy deploy as Cloudflare Workers via `wrangler`
- CLI is distributed as an npm package (`clawdentity`)
- OpenClaw skill assets are bundled with the CLI package
- Self-setup via `clawdentity install --for openclaw` + `clawdentity provider setup --for openclaw --agent-name <name>` provisions runtime artifacts, wires hooks, and runs readiness checks
- Node.js proxy can run as a standalone Node.js server via `apps/proxy/src/node-server.ts` for local environments
- D1 database stores agent identities, invites, API keys, and auth sessions
- Migrations are managed with Drizzle Kit and applied before each deployment
Environments
| Environment | Purpose |
|---|---|
| `local` | Local Wrangler development only |
| `dev` | Cloud deployment for testing |
| `production` | Cloud deployment for live traffic |
CI/CD pipeline
The CI pipeline runs on GitHub Actions:
- Checkout with full history (for Nx affected)
- Install dependencies (`pnpm install --frozen-lockfile`)
- Lint, typecheck, test, and build (via `nx affected`)
- Deploy to Cloudflare Workers (on push to develop/main)
- Health check deployed endpoints
- Capture rollback artifacts on failure
Contributing
This repo is delivered through small GitHub issues with a deployment-first gate:
- Pick an active issue and confirm dependencies/blockers
- Implement in a feature branch with tests
- Run validation (`pnpm affected:test:local`)
- Open a PR and post implementation evidence on the issue