For platform, security, and DevEx
Enterprise rollout guidance
dexgate is designed for a pilot first, then expansion—not “every developer, every agent, day one.” This page is the recommended adoption path for OpenClaw, Codex, and other beachhead adapters.
Product posture: public beta adapters and paid early access / pilot. Treat this as a controlled security/platform program, not a silent plugin install.
Who this is for
- Platform / DevEx — owns install standards and support
- Security / AppSec — owns policy, audit expectations, and risk acceptance
- Team lead of a pilot team — owns day-to-day agent use under the free wall and paid path
Individual engineers should start from Get started for free install only. Enterprise-wide enablement should follow the phases below.
What not to do on day one
- Roll out every adapter (OpenClaw, Codex, Claude, Cursor, Copilot, Grok) at once
- Require multi-gateway / multi-environment mesh before first Passport success
- Block everyday edit/test workflows in free mode so hard that engineers uninstall the adapter
- Promise generally available production SLAs while the commercial posture is still pilot / public beta
Recommended phases
Phase 0 — Free evaluation (days 0–3)
Goal: Prove the free local hard gate without SDE infrastructure.
- Scope: 1–3 engineers, one runtime only (recommended: OpenClaw)
- Success:
local-hardening-check(or equivalent) returnsPASS,governed: false - Behavior: everyday read / limited edit / tests work; high-consequence actions (e.g.
git push, deploy-class) are blocked with an upgrade CTA - SDE required? No
OpenClaw free quickstart Codex free quickstart
Phase 1 — Paid pilot (about 1–2 weeks)
Goal: One real governed decision (GateDecision + Passport evidence) for one team.
- Scope: one pilot team, one adapter, one Linux Docker host for the SDE PDP
- Topology: minimum lab only — see Minimum Production setup
- Observe before you tighten: after the PDP is up and the adapter is pointed at it, open the SDE / PDP dashboard and watch live authorize traffic while the pilot team works. Use what you see (tool names, allow/deny, denials, Passport gaps) to decide what to configure and manage—do not invent a full policy catalog on day one without evidence.
- Dashboard (local default):
http://localhost:8001/dashboardon the PDP host (or via SSH tunnel:ssh -L 8001:localhost:8001 <user>@<pdp-host>). Authenticate with the runtime admin token (e.g.PDP_ADMIN_BEARER_TOKEN) unless admin OIDC is enabled. Keep port8001private—do not expose the dashboard on the public internet. - Success: adapter check shows a paid/governed path (not
source: local-hardening); console Deployments healthy; PDP dashboard shows authorize activity; at least one evidence/decision row after a gated action - SDE required? Yes (customer-hosted pilot runtime)
- Owners: platform installs PDP; pilot team uses agent; security reviews dashboard activity then defines what must be Passport-gated
Minimum paid setup Pricing (early access / pilot)
Phase 2 — Expand carefully
Goal: Broader use without multiplying failure modes.
- Second environment (e.g. staging) only after Phase 1 success is boringly repeatable
- Second adapter only with platform ownership (Codex mature beta; Claude/Cursor/Copilot/Grok early beta)
- Document policy: which action classes always need PDP/Passport vs free local allow
- Optional multi-host lab: full customer setup tutorial — not the first step
What engineers will feel (set expectations)
| Mode | Usually still works | Typically blocked / governed |
|---|---|---|
| Free local hard gate | Read, search, limited edit, test runners, safe shell inspection | git push / commit-style mutation, deploy-class, unrestricted shell launchers — no Passport |
| Paid pilot (PDP) | Same day-to-day work when policy allows; high-risk actions may require Passport / approval path | Production-bound change without entitled policy + evidence; misconfigured tenant/gateway/token |
If free mode blocks normal coding work, engineers will remove the adapter. Keep free useful and the paid wall obvious.
Change-management checklist (copy for your pilot kickoff)
- Name pilot owner (platform) + security reviewer + pilot team lead
- Publish one page: what stays free, what is blocked, how to get help
- During paid pilot: review
http://localhost:8001/dashboardactivity before locking managed policy - Success criteria: free PASS; paid governed check; dashboard shows authorize traffic; one evidence artifact
- Rollback: uninstall adapter or return to free-only allowlist mode
- Support: pilot office hours / shared channel (match public beta / early-access posture)
Roles and systems (don’t confuse them)
- Customer console (
/console/on the product site) — licenses, downloads, billing, deployments, evidence for your org - Agent host — where OpenClaw/Codex/etc. runs with the free or paid adapter
- SDE PDP host — Linux Docker runtime for paid authorize/Passport (not required for free evaluation)
- SDE / PDP dashboard (
http://localhost:8001/dashboardon the PDP host) — operator view of gateway health and authorize / agent decision activity. Use it during the pilot to see what agents actually request before you expand policy and management surface. Distinct from the customer console and from internal company-ops. - Internal company-ops / CEO cockpit — Automated Decision Systems internal operations only; not a customer install surface
Observe agent activity, then configure
Why monitor-and-record is a strong pilot reason: free mode only hard-gates on each laptop. Paid gives platform and security a shared stream of what agents request—tools, allow/deny, Passport gaps—recorded as decisions you can review. That capability can justify the subscription even before broader policy automation.
In a paid pilot, treat the PDP dashboard as your first operations surface:
- Stand up the minimum SDE runtime and point one adapter at it.
- Open
http://localhost:8001/dashboard(tunneled if needed) while the pilot team uses the agent normally. - Note which tools and action classes appear, what is allowed vs denied, and where evidence / Passport is missing.
- Only then define the managed policy set, approvals, and console deployment checks—so configuration matches real traffic, not a blank-sheet guess.
Free evaluation (Phase 0) has no SDE dashboard: you only get the local hard gate. Monitoring authorize traffic starts in Phase 1 once the PDP is running.
Adapter maturity (for rollout planning)
All adapters are public beta (no external licensed production reference yet). Recommended free path: OpenClaw (most mature free path). Also mature beta: Codex (controlled host coverage; readonly governance gaps possible). Early beta: Grok Build, Claude Code, Cursor, and GitHub Copilot — same free hard-gate / paid Passport model. See all adapters. Paid runtime: early access / pilot until first-customer governed success is proven. Compatibility matrix labels are internal evidence scope, not a general production guarantee.
Related docs
- Get started — free path chooser
- Setup prompts for your agent — copy-ready free / paid / dashboard / Day-2 prompts
- Minimum Production setup — one Docker host paid pilot
- Customer setup tutorial — multi-host lab (later)
- Compatibility — evidence-gated matrix
- Assurance — review materials
- Founding teams — guided pilot help