OpenWork Labs Railway Deploy (labs.brainforge.ai)
This guide describes the hosted OpenWork Labs runtime. The current source repo for that deployment is brainforge-work, not apps/openwork in this monorepo.
Scope: standalone OpenWork host stack (no Platform reverse-proxy coupling).
User-facing URL: Platform defaults to https://work.brainforge.ai for the sidebar Work link and /openwork redirect when env overrides are unset (OPENWORK_LABS_URL / NEXT_PUBLIC_OPENWORK_LABS_URL). labs.brainforge.ai should be treated as a separate or legacy hostname unless the active Work repo says otherwise.
1) Service source and deploy path
- Service source repo:
brainforge-work - Runtime image:
packaging/docker/Dockerfile.railway(inbrainforge-work) - Related web image:
packaging/docker/Dockerfile.web(inbrainforge-work)
The container starts with start-openwork-host.sh, which enforces the host contract:
- OpenWork API/UI on
:8787 - OpenCode internal on
127.0.0.1:4096 - Writable workspace and sidecar/data directories
2) Required env + storage contract
Required environment variables
OPENWORK_TOKEN(client bearer token)OPENWORK_HOST_TOKEN(host/admin token)
Required persistent volume
Attach a Railway volume at /data.
Set these variables so state survives deploys:
OPENWORK_WORKSPACE=/data/workspaceOPENWORK_DATA_DIR=/data/openwork-orchestratorOPENWORK_SIDECAR_DIR=/data/sidecars
Recommended variables
OPENWORK_APPROVAL_MODE=manual(default)OPENWORK_CORS_ORIGINS=*(tighten later if needed)OPENWORK_ENABLE_OPENCODE_ROUTER=0(default; enable only when required)
3) Provision steps (Railway)
From brainforge-work/packaging/docker:
# one-time link (if needed)
railway link
# deploy
railway upSet variables with Railway CLI (or dashboard):
railway variables set \
OPENWORK_TOKEN=<token> \
OPENWORK_HOST_TOKEN=<host_token> \
OPENWORK_WORKSPACE=/data/workspace \
OPENWORK_DATA_DIR=/data/openwork-orchestrator \
OPENWORK_SIDECAR_DIR=/data/sidecars4) Domain wiring (labs.brainforge.ai)
- Add custom domain to the OpenWork Labs Railway service.
- In DNS, point
labs.brainforge.aito the Railway target (CNAME) shown by Railway. - Wait for domain verification + TLS issuance.
5) Health and smoke checks
From brainforge-work/packaging/docker:
OPENWORK_BASE_URL=https://labs.brainforge.ai \
OPENWORK_TOKEN=<token> \
./smoke-check.shExpected checks:
GET /healthreturns 200GET /statusreturns 200GET /uireturns 200GET /workspaceswith bearer token returns 200
6) Manual post-deploy checklist
- Volume attached at
/data - Required env vars set (token + host token + data/workspace paths)
- Domain verified and TLS active for
labs.brainforge.ai - Smoke script passes against production domain
- Save deployment URL, service ID, and timestamp in Linear issue notes
6a) Full monorepo workspace (OpenCode indexing)
OpenWork/OpenCode see whatever directory you pass as the workspace. To get Cursor-like access across the whole Brainforge monorepo (not only apps/platform):
- Hosted (Railway): Ensure
OPENWORK_WORKSPACEpoints at a checkout of the repository root (e.g./data/workspacecontainsapps/,knowledge/,.cursor/, etc.). Clone or sync the full repo into that volume; submodules are optional but include them if agents need that code. - CLI / remote worker (per OpenWork get started): Run
openwork start --workspace /path/to/brainforge-ai --approval auto
from a machine that has the full tree. The printed OpenWork URL and Owner Token pair with the desktop app for remote workspaces.
Indexing/search behavior is owned by the OpenCode engine inside that workspace; a larger tree increases cold start and disk use—plan volume size accordingly.
7) Secrets handling
- Keep all tokens in 1Password (Brainforge AI Team vault).
- Inject via Railway variables.
- Never commit real token values to git.