OpenAB Enterprise Governance — From Config to Department-Level Deployment
Past three weeks: W1 attack entries, W2 trust, W3 four principles. This week is how that abstraction layer actually lands in operations — config-driven.
One more moment from that 2-hour hospital relay (full story in W1 cornerstone):
14:00 — Hub deploy triggered
After the W1 cornerstone got polished, Erwin didn't ping an engineer to "please deploy manually." He opened a git worktree, cloned main, committed, pushed to origin/main, and GitHub Actions FTP deploy triggered automatically. Zero human involvement.
Why did it work? Config-driven had the workflow locked down: what push triggers deploy, what secrets go to GitHub Actions, what user has push access. Erwin just followed the config.
Front-end engineers know this pattern: webpack.config.js, tailwind.config.ts, eslint config have been doing it for years: declare behavior as data in config, not in code. Enterprise AI gateway uses the same idea; the scope just expands from one front-end codebase to the whole company. Below is how OpenAB's config pattern lands at the department level.
Why Config Is the Minimum Guarantee That "Humans Stay in the Loop"
Humberto Cervantes (UAM, Mexico), Rick Kazman (co-inventor of ATAM, University of Hawaii / CMU SEI), and Yuanfang Cai (Drexel University) published an NSF-funded study in IEEE Software this January: "LLMs as Assistants in Software Architecture Design" (the full 30-page methodology paper has been accepted by IEEE TSE). On July 1 at his SEAT Distinguished Lecture at NTUT (Taipei), Kazman presented a strikingly direct set of experimental data:
A Testability architecture design problem:
All LLM models → 100% chose the same answer (Hexagonal Architecture)
23 human architects → 8 different choices, with 21.7% saying "I need more information to decide"
LLMs don't question their own choices. Only humans say "wait, I'm not sure." More critically: human architects don't just "pick different answers"; they actively disagree with or distrust LLM suggestions because the models lack context and are inconsistent. This isn't a capability problem. It's a trust problem.
Kazman's conclusion: LLMs are not yet ready for autonomous design, but are powerful collaborators. Humans excel at convergent thinking (making trade-offs under context + constraints); AI excels at divergent thinking (rapidly generating possibilities). The correct contract:
Humans are responsible for goals, structure, trade-offs, and meaning. AI is responsible for speed, consistency, and execution within defined boundaries.
This is the same thing W1 argued: "senior judgement pushes upward."
But there's a critical question: Who enforces those "defined boundaries"?
If it's a verbal contract, it collapses the moment an agent gets prompt-injected. If it's a written policy document, nobody reads it. If settings are scattered across 5 different systems, good luck reconstructing what happened during an incident.
The cleanest answer I've seen so far: one config.toml file.
Config defines what the agent can do = the boundary of divergent thinking
Humans decide what config looks like = convergent thinking judgment
Change config, not code = governance cost minimized
Config can be git-tracked, reviewed, audited = accountability
One config.toml = the engineering realization of what Kazman calls "defined boundaries." Also the concrete landing of Control by Configuration from the W3 four principles.
OpenAB isn't just a chat bridge. Its config-driven design naturally fits enterprise AI governance. After several months of PoC with teams plus running my own scenarios, what I keep noticing is: what actually reassures management isn't how smart the agent is. It's "can I see in one file what it can and can't do?" Below are the 14 levers I've landed on — each one a boundary that keeps humans in control.
Available Control Mechanisms
1. Channel Restriction
[discord]
allowed_channels = ["1234567890"]
What this solves: bot only responds in specified channels, completely silent elsewhere.
Enterprise use:
#frontend-ai → frontend agent group
#backend-ai → backend agents
#marketing-ai → marketing agent
#general → no agents, humans only
One channel = one boundary. Cross-channel agents don't interfere. My baseline: always set this — it's the prerequisite for everything else.
2. Bot Message Control
[discord]
allow_bot_messages = "mentions" # off / mentions / all
Value | Behavior | Use Case |
|---|---|---|
off | Ignore all bot messages | Standalone agent |
mentions | Respond only when @mentioned | Multi-agent collaboration |
all | Respond to all bot messages | Fully automated pipeline (risky) |
3. Trusted Bot Whitelist
[discord]
trusted_bot_ids = ["erwin_bot_id", "hange_bot_id"]
What this solves: even with allow_bot_messages = mentions, only accepts bots on the list.
4. User Message Control
[discord]
allow_user_messages = "multibot-mentions"
Value | Behavior |
|---|---|
involved | No @ needed in own thread, @ required in channel |
mentions | Always requires @ |
multibot-mentions | In multi-bot scenarios, requires @ when other bots present |
5. Turn Limit (Loop Protection)
# Built-in, no config needed
max_bot_turns = 20 # soft limit
hard_limit = 100 # absolute ceiling
Why this matters: bot-to-bot conversation auto-stops after 20 turns. Human message resets the counter.
The first five mechanisms above are about who talks to whom. From here, the focus shifts to what agents can actually access and do — resource boundaries, file scope, and operational lifecycle.
6. Session Pool (Resource Control)
[pool]
max_sessions = 5
session_ttl_hours = 24
Effect: max 5 concurrent conversations, auto-cleared after 24 hours.
7. Working Directory (File Access Scope)
[agent]
working_dir = "/app/frontend-code"
Effect: agent can only access the specified directory — can't see other code.
8. Environment Variable Control
[agent]
env = { COMFYUI_API_URL = "http://localhost:8188" }
# Does NOT pass DB_PASSWORD, AWS_SECRET, etc.
Effect: only specified environment variables are passed to the agent. Even if prompt-injected, it can't reach credentials.
9. CLAUDE.md / Persona (Behavioral Definition)
# You are a frontend code reviewer
## You can
- Review React/Next.js code
- Suggest performance optimizations
## You cannot
- Touch backend code
- Access databases
- Answer non-code questions
Effect: prompt-level constraint on agent behavior scope. Each department gets a different CLAUDE.md.
10. Cronjob Scheduling
[[jobs]]
enabled = true / false
schedule = "0 8 * * *"
channel = "specific-channel-id"
platform = "discord"
Effect: scheduled messages only go to specified channels, toggled on/off anytime. Hot-reload — change toml, no restart.
11. Lifecycle Hooks (since 0.8.4-beta.6)
[hooks]
pre_boot = "log-agent-start.sh"
pre_shutdown = "log-agent-stop.sh"
Effect: custom commands run before agent start and before shutdown — full lifecycle enters audit trail. Combined with Helm serviceAccountName per-agent (since 0.8.4-beta.4), agent identity, uptime, and audit trail are all config-controlled.
12. ghpool Integration (Unified GitHub API Proxy)
If agents need GitHub API access (CI bots, code review agents), route everything through ghpool — PAT token pooling, auto-allocation by remaining rate limit, mutation pass-through preserving identity. Agents never hold GitHub tokens directly — loaded dynamically from K8s Secrets.
Everything up to this point is about controlling what agents can see and do in real-time. But there's a deeper infrastructure question once you scale past 3–4 agents: what happens when an agent dies, and how do you rebuild it without losing everything?
13. pre_seed / pre_shutdown — Stateless Agent (since v0.9.0-beta.6)
This feature looks small (pull a zip from S3 and extract), but it solves a fundamental problem for enterprise-scale AI Agent deployment: Agents should be stateless. (In plain terms: if your agent dies, you don't care. It comes back in 3 seconds with everything intact.)
12-Factor App told us the answer years ago: Factor III (Config in environment), Factor VI (Processes are stateless), Factor IX (Fast startup, graceful shutdown, disposable anytime). If you've ever deployed to Heroku or Cloud Run, you're already living in 12-Factor land. AI Agents are processes; they shouldn't depend on local state to operate.
The full lifecycle now looks like:
hooks.pre_seed → hooks.pre_boot → (agent running) → hooks.pre_shutdown
pre_seed does:
On agent start, pull zip from S3 and extract to $HOME
Multi-layer overlay support (like Docker layers)
S3 native checksum auto-verification
Layer 1: s3://corp/base-policies.zip ← company-wide compliance policies
Layer 2: s3://corp/team-backend.zip ← backend team shared memory
Layer 3: s3://corp/agent-alice.zip ← this agent's personalized config
pre_shutdown does:
Before agent stops, tar $HOME (excluding .cache / node_modules / .rustup / .cargo) → sync back to S3
Agents become true cattle, not pets — kill and rebuild anytime, zero data loss
What this means for enterprise:
One image runs all agents — differentiation via seed layers, not image rebuilds
Sub-second scale — ECS Fargate spot reclaimed? Restart with pre_seed recovers in 3 seconds
Compliance audit — S3 versioning + CloudTrail = complete config change history
Disaster recovery — S3 cross-region replication, agents run in any region
Multi-cloud — standard S3 API underneath, Cloudflare R2 (zero egress fees) / MinIO (air-gapped) all supported
After three months of running this, the pattern is clear: Production-ready AI Agent = Stateless + Fast Recovery + Observable. Same logic as 12-Factor App, except this time the process thinks.
The mechanisms so far all assume agents respond when asked. Some enterprise scenarios are the opposite: an agent that sits in the background and only speaks up when it genuinely has something to contribute. That's what ambient mode is for.
14. Ambient Mode (since v0.9.0-beta.6)
[ambient]
enabled = true
[ambient.discord]
channels = ["your-channel-id"]
Ambient mode lets your bot passively listen to all messages in specified channels without needing @mention. The bot observes conversation flow, only responding when it judges it has something valuable to add; otherwise it returns [NO_REPLY] and stays completely silent.
Key behaviors:
Bot buffers messages, sends to LLM for judgment every 60 seconds (or 10 messages)
LLM chooses to respond or
[NO_REPLY](no reply = nothing appears in channel)If someone @mentions the bot, immediately switches back to normal real-time response mode
Customizable judgment criteria via
~/.openab/config/ambient.md
Enterprise use:
Team channel "technical advisor" — listens silently, only speaks up for technical corrections or direct questions
Compliance observer — monitors if someone posts sensitive data
Knowledge base sync — hears important discussions, auto-summarizes to knowledge base
With all 14 control mechanisms defined, the next question is: where does this actually run? The deployment model determines how those config boundaries get physically enforced at the infrastructure level.
Deployment Mode — POD Mode (since v0.9.0)
⚠️ Update: NVIDIA OpenShell support discontinued as of v0.9.0. The security guarantees previously provided by OpenShell sandbox (process / filesystem / network isolation) are now handled by K8s native security context + network policy + secret injection. POD mode is now the sole deployment path.
Security mechanisms under POD mode:
K8s SecurityContext — runAsNonRoot, readOnlyRootFilesystem, drop ALL capabilities
Network Policy — namespace-level egress allowlist, only permits required endpoints
Secret Injection — via K8s Secrets / External Secrets Operator, agent code never sees raw values
pre_seed / pre_shutdown — stateless + S3 backup, disposable and rebuildable anytime
Audit — sender_context + lifecycle hooks + K8s audit log
Fourteen mechanisms sounds like a lot. In practice, each department's config is about 10-15 lines. Here is what it actually looks like.
Department Configuration Examples
The following uses a pet-tech company as a scenario demo — the pattern isn't industry-specific. Finance, manufacturing, SaaS all work the same way; only the working_dir and env contents differ.
Frontend Team
# 5-agent multi-review mode
[discord]
allowed_channels = ["frontend-code-review"]
allow_bot_messages = "mentions"
allow_user_messages = "multibot-mentions"
trusted_bot_ids = ["erwin", "hange", "armin", "mikasa", "eren"]
[agent]
working_dir = "/app/frontend"
env = { NODE_ENV = "development" }
[pool]
max_sessions = 5
Backend Team
[discord]
allowed_channels = ["backend-ai"]
allow_bot_messages = "off"
trusted_bot_ids = []
[agent]
working_dir = "/app/backend"
env = { DB_HOST = "readonly-replica" }
[pool]
max_sessions = 3
AI Team
[discord]
allowed_channels = ["ai-research"]
allow_bot_messages = "mentions"
[agent]
working_dir = "/app/ai-models"
[pool]
max_sessions = 3
session_ttl_hours = 48
Marketing Team
[discord]
allowed_channels = ["marketing-ai"]
allow_bot_messages = "off"
allow_user_messages = "involved"
[agent]
working_dir = "/app/marketing-docs"
env = {}
[pool]
max_sessions = 10
SDET Team
[discord]
allowed_channels = ["sdet-testing"]
allow_bot_messages = "mentions"
[agent]
working_dir = "/app/tests"
[pool]
max_sessions = 5
From what I've seen, these configs have run for about three months across 5 department scenarios with zero incidents — but that's my sample size, not a guarantee. Every team should tune based on their own threat model.
Comparison with OpenClaw
Control | OpenAB | OpenClaw |
|---|---|---|
Channel isolation | One config line | None |
Bot trust whitelist | trusted_bot_ids | None |
File access scope | working_dir | Full disk access |
Env var control | Explicit whitelist | All exposed |
Session limits | max_sessions | None |
Loop protection | Turn limit 20/100 | None |
Behavioral definition | CLAUDE.md | Optional, not enforced |
Audit trail | Discord/Slack thread | Personal account |
OpenClaw gives agents everything. OpenAB gives agents only what they need.
By this point you may have noticed that none of these mechanisms is a new concept. If you're a frontend engineer, you already use these patterns every day under different names.
The Next Role for Frontend: Frontend Deployment Engineer
W1 argued that "every wave of tech transformation merges separate responsibilities into new roles": Data Engineer, DevOps, SRE, Platform Engineer all emerged this way. In this AI wave, the next integrated role I'm seeing is Frontend Deployment Engineer.
Why frontend? Because every one of the 14 config mechanisms + deployment mode choices in this article maps onto patterns frontend engineers already know:
config.toml=webpack.config.js/next.config.ts— declarative config controlling behaviorChannel Restriction = route-based code splitting — different paths load different things
Working Directory = monorepo workspace boundaries — each package only sees its own scope
Environment Variable Control =
.env.localvs.env.production— per-environment variablesSession Pool = connection pooling / rate limiting — controlling concurrency
Lifecycle Hooks =
postinstall/prebuild— npm script lifecyclePOD vs OpenShell = Vercel Edge vs self-hosted Docker — deployment target selection
Frontend engineers are already doing deployment work: CI/CD pipelines, preview environments, feature flags, A/B testing infrastructure, CDN cache invalidation. Add AI agent config-driven governance to that, and you have the Frontend Deployment Engineer scope.
The role's responsibilities:
Agent orchestration — which departments use which agents, how config is segmented, how to review
Deployment topology — POD / OpenShell / hybrid selection, egress policy configuration
Developer Experience — letting engineers safely use AI without asking DevOps every time
Observability — token usage, session metrics, audit log dashboards
Governance automation — config change → PR → review → deploy, same CI/CD pipeline as frontend already uses
W1 said "every wave adds one more abstraction layer." Frontend went from "writing DOM" to "writing Components" to "writing Config" to "managing Agents + Deployment." Frontend Deployment Engineer is less a new job title than the natural upward movement for frontend engineers in the AI era.
If you're already managing CI/CD, writing Helm charts, configuring Vercel / Cloudflare Workers — you're one step away from this role: "bring AI agent config into your deployment pipeline."
The Four Articles Connected
Week | Core Question | Answer |
|---|---|---|
W1 | Has AI zeroed out engineering value? | No. Cost moved from code layer to judgment layer (historical rhythm) |
W2 | What's the bottleneck in the judgment layer? | Trust — who ordered it, who's responsible, what about data leaks |
W3 | What's the architectural answer to trust? | Four principles — Control / Security / Accountability / Portability |
W4 | How do the four principles land? | Config-driven — one file solves one department's AI governance |
From the Cervantes–Kazman–Cai research to engineering practice, the conclusion is the same: humans control goals and boundaries, AI executes within them. Config is the physical form of that boundary: reviewable, auditable, version-controllable, changeable in one line.
Config isn't fancy. It's simply the cleanest, most compliance-explainable path I've seen so far.
→ wchung.tw/blog/openab-series
References
Academic Research
H. Cervantes, R. Kazman, Y. Cai, "LLMs as Assistants in Software Architecture Design", IEEE Software, Jan. 2026. (DOI: 10.1109/MS.2026.3663353)
H. Cervantes, R. Kazman, Y. Cai, "An LLM-assisted approach to designing software architectures using ADD", IEEE TSE, 2026. 30 pages. (DOI: 10.1109/TSE.2026.3706446; NSF Award #2232720, #2213764)
Rick Kazman, "Better Together: How Humans and AI Can Co-Create Software Designs", SEAT Distinguished Lecture, NTUT, 2026-07-01.
Humberto Cervantes, Rick Kazman, "Designing Software Architectures: A Practical Approach", 2nd Edition, Pearson (SEI Series in Software Engineering).
Continued from Previous Three Articles
W1: a16z, Darktrace 2024, IBM 2024, CSA 2026, Google DeepMind Big Sleep
W2: EchoLeak CVE-2025-32711, Salesforce ForcedLeak CVSS 9.4, NVIDIA OpenShell / Computex 2026
W3: Rubrik 2026 NHI Report, Cloudflare AI Gateway, Portkey, LiteLLM, Helicone, OpenRouter market comparison