- Full container, volume, and DB-level isolation per user
- API enforcement: all queries scoped by authenticated userId
- Admins cannot see other users' keys or chat history
- Container-to-container communication blocked by default
- Team workspaces explicitly out of scope
- Per-user OpenClaw containers (on-demand, scale to zero)
- Users bring their own API keys/subscriptions
- ContainerLifecycleService manages Docker containers dynamically
- User containers NOT in docker-compose — created at runtime
- 11 task phases with clear dependencies
- Config update strategy: DB change → container restart
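The scoping rule above (every query bound to the authenticated userId, with no admin bypass for keys or chat history) is the part that most often breaks in practice, usually when a handler accepts an owner id from the request instead of the session. The following is an added example, not code from the project described in these notes; `AuthContext`, `TenantScopedStore` and `AdminService` are hypothetical names, and the in-memory dicts stand in for the per-user database. The owner is always taken from the verified context, a lookup by id is bounded to the caller's own partition, and the admin role is given metadata only.

```python
"""Tenant-scoped data access: every query is filtered by the authenticated
userId, and the admin role has no read path to other users' keys or chats.

Added example, not the project's own code. AuthContext, TenantScopedStore and
AdminService are hypothetical; the stores are in-memory stand-ins for the
per-user database, and all sample rows below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthContext:
    """Identity established by the API layer before any query runs.
    The user_id here comes from the verified session, never from the request body."""
    user_id: str
    is_admin: bool = False


class AccessDenied(Exception):
    pass


class TenantScopedStore:
    """Rows are partitioned by owner. No method takes a caller-supplied owner id;
    the partition is always chosen from the authenticated context."""

    def __init__(self) -> None:
        self._rows: dict[str, list[dict]] = {}  # owner_id -> rows

    def insert(self, ctx: AuthContext, row: dict) -> dict:
        # Ownership is stamped server-side; an "owner_id" in the input is overwritten.
        stored = {**row, "owner_id": ctx.user_id}
        self._rows.setdefault(ctx.user_id, []).append(stored)
        return stored

    def list_own(self, ctx: AuthContext) -> list[dict]:
        # Filter is ctx.user_id, full stop: the is_admin flag does not widen it.
        return list(self._rows.get(ctx.user_id, []))

    def get(self, ctx: AuthContext, row_id: str) -> dict:
        # Lookup by id stays inside the caller's partition, so an id that belongs
        # to another user is simply "not found" rather than another user's row.
        for row in self._rows.get(ctx.user_id, []):
            if row["id"] == row_id:
                return row
        raise KeyError(row_id)

    def owners(self) -> set[str]:
        # Metadata only: which owners exist, never what their rows contain.
        return set(self._rows)


class AdminService:
    """Admin operations are limited to metadata about users and containers."""

    def __init__(self, keys: TenantScopedStore, chats: TenantScopedStore) -> None:
        self._keys, self._chats = keys, chats

    def list_users(self, ctx: AuthContext) -> list[str]:
        if not ctx.is_admin:
            raise AccessDenied("admin role required")
        return sorted(self._keys.owners() | self._chats.owners())

    def read_user_keys(self, ctx: AuthContext, target_user: str) -> list[dict]:
        # Denied for every caller, admin included: keys are readable only by their owner.
        raise AccessDenied("API keys are readable only by their owner")


def run_scenario() -> dict:
    """Constructed scenario: two users and one admin against shared stores."""
    keys, chats = TenantScopedStore(), TenantScopedStore()
    alice, bob = AuthContext("alice"), AuthContext("bob")
    admin = AuthContext("root", is_admin=True)

    keys.insert(alice, {"id": "k1", "provider": "example", "secret": "constructed-secret"})
    chats.insert(alice, {"id": "c1", "text": "constructed chat line"})
    # A request that tries to pin ownership to someone else is overridden.
    smuggled = keys.insert(bob, {"id": "k2", "owner_id": "alice", "secret": "x"})

    result = {
        "alice_keys": [r["id"] for r in keys.list_own(alice)],
        "bob_keys": [r["id"] for r in keys.list_own(bob)],
        "admin_keys": [r["id"] for r in keys.list_own(admin)],
        "smuggled_owner": smuggled["owner_id"],
        "users_seen_by_admin": AdminService(keys, chats).list_users(admin),
    }
    try:
        keys.get(bob, "k1")  # alice's key id, requested by bob
        result["cross_tenant_get"] = "leaked"
    except KeyError:
        result["cross_tenant_get"] = "not found"
    try:
        AdminService(keys, chats).read_user_keys(admin, "alice")
        result["admin_key_read"] = "leaked"
    except AccessDenied:
        result["admin_key_read"] = "denied"
    return result


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The check worth carrying into review of the real API layer is the one `get()` encodes: a row id alone is never an authorization decision, and a 404 for a foreign id is the correct outcome, not a 403 that confirms the id exists.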