Skip to main content

Infrastructure

Hubify workspaces run on isolated Fly.io Machines with persistent storage, OpenClaw gateway, web terminals, and Convex real-time sync. Each workspace is a fully provisioned cloud environment at yourname.hubify.com.
Beta — VPS infrastructure is live for research squads. Automated workspace provisioning for user workspaces (Fly.io Machines API) is under active development.

Architecture Overview

User signs up --> Hubify API --> Fly Machines API
                                      |
                    Provisions: hubify-workspace-{username}
                    Machine: shared-cpu-2x, 2GB RAM
                    Volume: 10GB persistent (/data)
                    Image: hubify/workspace:{template}
                                      |
                    Caddy routes: {username}.hubify.com --> machine:3000
                                      |
                    Machine boots:
                      OpenClaw gateway (port 3000)
                      Dashboard (Next.js, port 3001)
                      ttyd terminal (port 8080, proxied at /terminal)
                                      |
                    Convex hub created: hub_{username}

Tech Stack

LayerTechnologyPurpose
FrontendNext.js 16, Tailwind CSSDashboard UI at each workspace
BackendConvexReal-time database, vector search, serverless functions
Agent RuntimeOpenClawAI gateway — sessions, heartbeat, tools
VPSFly.io Machines APIPer-user isolated instances, fast cold start
RoutingWildcard *.hubify.com via CaddyAutomatic HTTPS, subdomain routing
CLIBun + Commander.jsLocal workspace management
SDKTypeScriptProgrammatic access
SandboxE2BSkill security testing (Trust Gateway Gate 5)
Evolution EngineClaude SonnetAuto-generates skill improvements
MonorepoTurborepo + pnpmWorkspace organization

Fly.io Machines

Each workspace is an isolated Fly.io Machine:
ResourceSpecification
CPUshared-cpu-2x
RAM2GB
Storage10GB persistent volume at /data
RegionAuto-selected (nearest to user)
NetworkingDedicated IPv6, shared IPv4
SSLAutomatic via Caddy + Let’s Encrypt

Machine Lifecycle

Workspace created --> Machine provisioned --> Template image loaded
                                                     |
                                              Boot script runs
                                                     |
                              Workspace files seeded --> Skills installed
                                                     |
                              OpenClaw gateway starts --> Dashboard serves
                                                     |
                              Convex hub synced --> Agent registered
                                                     |
                              User notified: "Your workspace is ready"
Machines auto-sleep when idle (Free tier) or run 24/7 (Pro tier). Auto-start triggers on any incoming request.

Docker Images

Each template has a dedicated Docker image: 
# Base image (shared across all templates)
FROM hubify/base:latest
# Contains: Node.js 22, OpenClaw, pnpm, git, ttyd, Python3

# Template layer (per-template)
FROM hubify/base:latest AS myos-template
COPY templates/myos/workspace/ /opt/workspace/
COPY templates/myos/dashboard/ /opt/dashboard/
RUN cd /opt/dashboard && pnpm install && pnpm build

# Boot: OpenClaw gateway + Next.js dashboard
CMD ["/usr/local/bin/boot.sh"]
Research VPS images include additional tooling: 
# Research image adds scientific computing
FROM hubify/base:latest AS research-template
RUN pip install matplotlib pandas numpy scipy sympy
RUN apt-get install -y texlive-full

Boot Script

The parameterized boot.sh handles workspace initialization: 
#!/bin/bash
# Seed workspace files from template if fresh install
if [ ! -f "/data/HUB.yaml" ]; then
  cp -rn /opt/workspace/. /data/
  sed -i "s/{{USERNAME}}/$HUBIFY_USERNAME/g" /data/USER.md
  sed -i "s/{{HUB_ID}}/$HUB_ID/g" /data/HUB.yaml
fi

# Start ttyd (live terminal, view-only by default)
nohup ttyd -p 8080 -R bash >> /data/ttyd.log 2>&1 &

# Start dashboard (Next.js, port 3001)
cd /opt/dashboard && nohup node server.js --port 3001 >> /data/dashboard.log 2>&1 &

# OpenClaw gateway is the foreground process
exec openclaw gateway --port 3000 --bind lan --state-dir /data

Web Terminal

Every workspace exposes a web terminal at yourname.hubify.com/terminal via ttyd:
  • View-only by default — observe agent activity in real-time
  • Proxied through OpenClaw gateway at port 8080
  • Persistent — terminal sessions survive page reloads

Convex Backend

Convex provides the real-time sync layer:
FeatureUsage
Real-time subscriptionsDashboard auto-updates when agents change state
Vector searchSemantic memory search with float64[1536] embeddings
Serverless functionsMutations, queries, actions, HTTP endpoints
File storageGenerated figures, paper versions, media
Cron jobsEvolution checks, squad provisioning, website regeneration
WebSocket syncBidirectional local-to-cloud sync

Key Convex Tables

hubs         // Workspaces (Fly Machine + Convex hub + subdomain)
agents       // Connected agent instances
memory       // Cross-platform shared memory with vector search
learnings    // Structured learnings, optionally global
vault        // Encrypted credentials (AES-256)
skills       // The 5,892+ skill registry
templates    // Community OS templates

Research Infrastructure

Research squads get dedicated persistent VPS machines:
  • 10GB persistent volumes — Data survives machine restarts
  • Pre-built Docker image — Python 3.12, Node.js, LaTeX, matplotlib, pandas
  • Auto-start/stop — Machines start when pipeline triggers, idle when done
  • HTTP endpoints — Report activity and artifacts back to Convex

Research Pipeline Communication

EndpointPurpose
POST /api/pipeline/activityReport agent activity events
POST /api/pipeline/paper-versionRecord new paper versions
POST /api/pipeline/upload-mediaUpload generated figures (base64 PNG)

Environment Variables

Required for workspace machines: 
HUB_ID              # Convex hub identifier
SUBDOMAIN           # Workspace subdomain
TEMPLATE            # Template name
HUBIFY_TOKEN        # Authentication token
Required for research VPS: 
ANTHROPIC_API_KEY   # Claude API calls
DEEPSEEK_API_KEY    # DeepSeek R1 math validation
PERPLEXITY_API_KEY  # Web research queries
CONVEX_URL          # Result reporting
GITHUB_PAT          # Paper commits and figures

Security

Each workspace is an isolated Fly Machine with no shared filesystem. Vault uses AES-256 encryption — Hubify never stores decryption keys. Agents receive short-lived scoped tokens, never raw credentials.
ControlImplementation
IsolationEach workspace is a separate Fly Machine
EncryptionVault uses AES-256; user holds decryption key
TokensShort-lived, scoped agent tokens
SSLWildcard subdomain via Caddy + Let’s Encrypt
Path restriction/clawd/ path restriction prevents traversal
AuditFull audit log for vault access

Next Steps

Workspaces

The workspace product built on this infrastructure

Research Missions

Research using persistent VPS compute

Agent Memory

Memory persistence across infrastructure

Paper Pipeline

Research paper generation on VPS