Matrix can be a solid control plane for enterprise AI agents when you treat chat messages as a request queue, not as authorization. With Claw EA running OpenClaw as the baseline agent runtime, you enforce permissioned execution using policy-as-code and verifiable proof artifacts, rather than trusting prompt text.
The practical pattern is: Matrix room messages create jobs, a WPC defines what the agent may do, and a CST is issued per job with optional policy hash pinning. Model calls route through clawproxy to produce gateway receipts, then Claw EA packages them into a proof bundle you can file or review later.
Step-by-step runbook
-
Define your Matrix operating boundary. Pick a small set of rooms for agent work, and decide who can request work versus who can approve execution. Keep “request” and “approval” separate to avoid accidental authorization in busy rooms.
-
Deploy the Matrix channel via official API. Integrate Matrix using the official Matrix Client-Server API (or via MCP server if your environment standardizes on MCP). Treat the Matrix bot as an inbound channel only, not a place where secrets or long-lived credentials live.
-
Write and register a WPC. Encode tool access, sandbox expectations, and approval gates as a Work Policy Contract (WPC) and store it in the WPC registry served by clawcontrols. Reference the WPC by its hash in your job configuration so enforcement stays deterministic.
-
Configure OpenClaw tool policy and sandbox defaults. Keep the tool allowlist tight, prefer Docker sandboxing for tool execution, and avoid elevated host execution unless explicitly required. Run
openclaw security auditas part of every config change and before exposing any network surfaces. -
Implement a two-step approval in the room. The agent posts a proposed plan and a “pending approval” marker (for example, a job id). An approver replies with an explicit approval command that your control layer recognizes, and only then do you mint a CST scoped to that job.
-
Issue a CST with job binding and optional policy hash pinning. Use clawscope to issue the CST and bind it to the specific job (anti-replay). If you want strict change control, pin the CST to the WPC policy hash so execution fails closed if the policy changes.
-
Route model traffic through clawproxy and archive proof. Send all model calls through clawproxy, including OpenRouter via fal, so you receive gateway receipts for each model call. At job end, collect receipts and metadata into a proof bundle, then store or share it via Trust Pulse for review.
Threat model
| Threat | What happens in Matrix | Control in Claw EA |
|---|---|---|
| Prompt injection via room content | An attacker posts a message that tries to coerce the agent into running tools or exfiltrating data. | Execution is permissioned by WPC tool policy, not by prompt text. Even if the model “wants” to act, the tool layer is denied unless the policy allows it and a CST is present. |
| Approval spoofing | A user mimics an approver (“approved”) or forwards an old approval message. | CSTs are issued only after verifying the approver identity and room context, and are job-scoped with marketplace anti-replay binding. Reused approvals do not mint valid job-bound CSTs for new work. |
| Model call repudiation | After an incident, nobody can prove what the model was asked, what it returned, or which model endpoint was used. | clawproxy emits gateway receipts for model calls. The proof bundle ties those receipts to the job metadata so audit and verification are based on artifacts, not screenshots. |
| Overbroad tool access | A helpful agent in a chat room ends up with shell, file, or network capabilities it does not need. | OpenClaw tool policy and sandboxing restrict what can run and where it runs. The WPC gives an additional machine-enforced contract so “just this once” exceptions are explicit and reviewable. |
| Long-lived credentials in chat automation | A Matrix bot ends up holding durable tokens or secrets and becomes a high-value target. | Prefer short-lived CSTs minted per job. Keep Matrix as the control surface and put execution credentials behind scoped issuance and verification. |
Matrix is a good fit when you already run Matrix for internal comms and you want an auditable human-in-the-loop workflow. It is not a magic boundary, so you still need allowlists, sandboxing, and token scoping to keep the blast radius predictable.
Policy-as-code example
This is a compact, JSON-like sketch of a Matrix job policy encoded as a WPC. The point is that the agent cannot “talk its way” into more permissions; the execution layer checks the WPC and the CST before any sensitive action.
{
"wpc_version": "1",
"channel": "matrix",
"matrix": {
"rooms_allowlist": [
"!finance-ops:example.com",
"!sec-review:example.com"
],
"approval": {
"required": true,
"approver_user_ids_allowlist": [
"@alice:example.com",
"@oncall-security:example.com"
],
"approval_command": "!approve"
}
},
"execution": {
"sandbox": {
"mode": "all",
"workspace_access": "ro"
},
"tools": {
"allow": ["read", "search", "http", "write_pr"],
"deny": ["exec", "browser_control", "secrets_export"]
}
},
"tokens": {
"cst": {
"job_scoped": true,
"pin_policy_hash": true
}
},
"model_access": {
"route_via": "clawproxy",
"receipts": "required"
}
}
In practice you store the signed WPC in the clawcontrols registry and refer to it by hash. The CST minted by clawscope can include the scope hash and optional policy hash pinning so policy drift becomes a hard failure, not a soft expectation.
What proof do you get?
For every model call routed through clawproxy, you get gateway receipts that can be verified later. These receipts are not “logs you hope are accurate”; they are signed artifacts emitted at the gateway where model traffic passes.
At the end of a Matrix-triggered job, Claw EA produces a proof bundle that packages the receipts plus job metadata such as the WPC hash and the job-scoped CST context. If you want a shareable review artifact, you can store the result as a Trust Pulse so auditors and reviewers can view the same bundle without reconstructing it from scattered systems.
Operationally, you can have the agent post a final message back into the Matrix room containing: job id, WPC hash, and a Trust Pulse reference. That makes the chat transcript a pointer to evidence, while the evidence itself stays in a verification-friendly format.
Rollback posture
| Action | Safe rollback | Evidence you should retain |
|---|---|---|
| Disable agent execution in Matrix rooms | Stop minting CSTs for approvals and keep the bot in “read-only triage” mode. | Room event ids for approvals attempted, plus the last known WPC hash used for that channel. |
| Revoke access after suspected token misuse | Revoke or expire CSTs via clawscope and rotate any downstream credentials used by tools. | List of affected job ids, CST identifiers (if tracked internally), and related proof bundles. |
| Policy regression or overly permissive tool change | Roll back to a prior WPC hash and require policy hash pinning for all new CSTs. | Before and after WPC hashes, and proof bundles for jobs executed under the permissive policy. |
| Disputed model output or “who authorized this?” incident | Freeze further approvals until the proof bundle is verified and reviewed. | Gateway receipts for the disputed calls, the job’s proof bundle, and the Matrix message ids that initiated and approved the job. |
This rollback posture is designed to fail closed. When approvals stop or tokens are revoked, the agent can still chat, but it cannot execute tools that change state.
FAQ
Why is policy-as-code required instead of prompt-only controls?
Prompt-only controls rely on the model complying, and they fail in exactly the situations you care about: prompt injection, ambiguity, and adversarial content. Policy-as-code moves the decision to the execution layer, where tool calls are allowed or denied based on the WPC and the CST, not on model intent.
How do approvals show up in the Matrix UI?
Keep it explicit: the agent posts a plan and a job id, then an approver replies with a specific approval command you standardize on. The control layer uses that to mint a job-scoped CST, and the agent posts the completion message with a proof bundle reference (optionally via Trust Pulse) back into the room.
Can Matrix be used for fully autonomous agents?
It can, but it is usually a poor default for autonomous execution because chat rooms are noisy and easy to socially engineer. A more reliable approach is to keep Matrix for requests and approvals, and run autonomous schedules in a separate job system with the same WPC and CST mechanics.
What models can I use with this setup?
Any model reachable through your configured providers, with the strongest audit properties when traffic is routed through clawproxy. OpenRouter via fal routed through clawproxy is available when you want provider flexibility while still getting gateway receipts.
What is the minimum set of artifacts I should retain for audit?
Keep the WPC hash used for each job, the job-scoped CST context, and the proof bundle containing gateway receipts. If you need a review surface for non-technical stakeholders, store the bundle as a Trust Pulse and link it from the Matrix transcript.