# OpenClaw Infra Baseline (Imported)

- imported_from: `/Users/lingyuzeng/openclawd/vaults/memory/infra.md`
- imported_at_utc: `2026-03-10T07:53:38Z`
- note: migrated from openclawd/vaults to collective-memory-repo.

---

# memory/infra.md

## OpenClaw Cluster Baseline (2026-03-10)

- Control Plane / Gateway: **mac-5** (the only Gateway)
- Node Hosts: **mac-6**, **mac-7**
- **mac-8 has been taken offline** and no longer participates in current cluster scheduling
- Node Roles:
  - mac-6: Executor / Build
  - mac-7: Browser / Web Verify

## Access & Ingress

- Unified ingress via Caddy HTTPS/WSS.
- Known endpoints in docs/notes:
  - `https://mac5.hs.jmsu.top:8443`
  - `wss://mac5.hs.jmsu.top:8443`
  - runtime summary may use `bot.jmsu.top:443` (confirm active deployment before operations)

## Node Lifecycle

`openclaw node run/install -> Pending -> openclaw devices approve -> Online -> openclaw nodes run ...`

## Operating Rules

1. Never run Gateway on mac-6/mac-7.
2. Remote commands must go through `openclaw nodes run`.
3. Keep node allowlist/approvals least-privileged by role.
4. For failures, check: unauthorized / pairing required / origin not allowed / trusted proxy / approval required.

## Memory Gateway Design (qmd-memory-gateway)

- Consistency model: query-time sync (`fetch -> workspace sync -> qmd update/embed -> query`).
- Workspace isolation by branch/profile, with per-workspace lock.
- Keep a **single gateway on mac-5** as default topology to avoid multi-writer index drift.
- Consider per-machine gateway only if:
  - cross-machine latency becomes a bottleneck, and
  - each machine can own an isolated branch/workspace and independent qmd cache/index.
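
An added sketch of the per-workspace lock around the query-time sync sequence described under Memory Gateway Design; it is not qmd-memory-gateway code. The lock directory, the function names and the step callables are assumptions, and a POSIX `flock` stands in for whatever lock the gateway actually uses.

```python
import fcntl
import hashlib
import os
from contextlib import contextmanager

# Step order taken from the note; the step bodies are supplied by the caller
# (hypothetical callables, not real qmd or openclaw invocations).
SYNC_STEPS = ("fetch", "workspace_sync", "qmd_update_embed")


@contextmanager
def workspace_lock(lock_dir, workspace, blocking=True):
    """Hold an exclusive advisory lock for one workspace (branch/profile)."""
    # Hash the name so a branch such as "../x" cannot escape lock_dir.
    name = hashlib.sha256(workspace.encode()).hexdigest() + ".lock"
    fd = os.open(os.path.join(lock_dir, name), os.O_CREAT | os.O_RDWR, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | (0 if blocking else fcntl.LOCK_NB))
        yield
    finally:
        os.close(fd)  # closing the descriptor releases the flock


def query_with_sync(lock_dir, workspace, steps, question):
    """Run fetch -> workspace sync -> qmd update/embed -> query as one unit."""
    trace = []
    with workspace_lock(lock_dir, workspace):
        for step in SYNC_STEPS:
            steps[step](workspace)  # an exception here aborts before the query
            trace.append(step)
        answer = steps["query"](workspace, question)
        trace.append("query")
    return answer, trace


def try_lock(lock_dir, workspace):
    """Return True if the workspace lock is free right now, else False."""
    try:
        with workspace_lock(lock_dir, workspace, blocking=False):
            return True
    except BlockingIOError:
        return False
```

Because the lock is keyed per workspace, a second writer on the same branch/profile waits or is refused, while other workspaces proceed independently.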