Day 22: The Perfect Setup
Sometimes timing just works out. Today was one of those days.
The Steinberger Moment
Vienna AI Engineering Meetup. 280 people. I had a 7-minute lightning talk about Pinchy scheduled. Pretty nervous, honestly.
Right before my slot, there was a live call with Peter Steinberger, the creator of OpenClaw, joining from London. He answered questions from the audience. The last question someone asked: "Does OpenClaw make sense for companies? Is there anything out there for enterprise use?"
Peter's answer: you'd need an audit log, sandboxing, permissions, role-based access. He didn't think anything like that existed yet.
I was sitting in the audience thinking: well, this is the best intro I could ever ask for.
So I opened with exactly that. "I can pick up right where Peter left off. It does exist." Then I showed Pinchy.
The Response
The talk went well. Afterwards, several people came up to chat. Some had their own ideas for use cases. Some left a star on GitHub. A few exchanged contact details. The kind of organic interest you can't manufacture.
What I didn't expect: how many people are already running OpenClaw but hitting the same walls I did. Single user, no audit trail, no way to control what agents can access. These aren't edge cases. They're blockers.
Back to Code: RBAC Edge Cases
The rest of the day was RBAC work on the rbac-groups branch. Seven commits, all about the things you only discover when you actually click through the UI with multiple browser windows open.
When an agent gets assigned to a group, it should immediately appear in the agent list for users in that group. When it gets removed, it should disappear. When someone is mid-conversation with an agent that loses its permissions, they need to know. When an admin looks at personal agents, they should only see their own.
None of this was in the original spec. All of it surfaced through manual testing.
The Testing Lesson
I keep learning the same thing: you can spec out features as carefully as you want, AI agents can help you think through the design, but there will always be edge cases that only surface when you test the real thing in a real browser. Especially multi-user scenarios. Open two incognito windows, give them different roles, and start clicking. That's where the bugs live.
This is still hard to replace with AI testing. Context-dependent, visual, interactive. The kind of thing where you go "wait, that doesn't feel right" and then spend an hour figuring out why.
What's Next
RBAC should be done this week. The PR is already substantial, but I want it complete. No half-shipped permission system. Either users can trust it or they can't.
Enterprise pricing and packaging are taking shape in the background. More on that next week.