feat(memory): migrate openclawd vaults into collective layout

shared/long-term/decisions/openclawd-infra-baseline.md

@@ -0,0 +1,46 @@
+# OpenClaw Infra Baseline (Imported)
+
+- imported_from: `/Users/lingyuzeng/openclawd/vaults/memory/infra.md`
+- imported_at_utc: `2026-03-10T07:53:38Z`
+- note: migrated from openclawd/vaults to collective-memory-repo.
+
+---
+
+# memory/infra.md
+
+## OpenClaw Cluster Baseline (2026-03-10)
+
+- Control Plane / Gateway: **mac-5** (唯一 Gateway)
+- Node Hosts: **mac-6**, **mac-7**
+- **mac-8 已下线**，不再参与当前集群调度
+- Node Roles:
+  - mac-6: Executor / Build
+  - mac-7: Browser / Web Verify
+
+## Access & Ingress
+
+- Unified ingress via Caddy HTTPS/WSS.
+- Known endpoints in docs/notes:
+  - `https://mac5.hs.jmsu.top:8443`
+  - `wss://mac5.hs.jmsu.top:8443`
+  - runtime summary may use `bot.jmsu.top:443` (confirm active deployment before operations)
+
+## Node Lifecycle
+
+`openclaw node run/install -> Pending -> openclaw devices approve <request-id> -> Online -> openclaw nodes run ...`
+
+## Operating Rules
+
+1. Never run Gateway on mac-6/mac-7.
+2. Remote commands must go through `openclaw nodes run`.
+3. Keep node allowlist/approvals least-privileged by role.
+4. For failures, check: unauthorized / pairing required / origin not allowed / trusted proxy / approval required.
+
+## Memory Gateway Design (qmd-memory-gateway)
+
+- Consistency model: query-time sync (`fetch -> workspace sync -> qmd update/embed -> query`).
+- Workspace isolation by branch/profile, with per-workspace lock.
+- Keep a **single gateway on mac-5** as default topology to avoid multi-writer index drift.
+- Consider per-machine gateway only if:
+  - cross-machine latency becomes a bottleneck, and
+  - each machine can own an isolated branch/workspace and independent qmd cache/index.