OpenClaw complete install guide:
zero-to-production AI Agent runtime on bare-metal Mac

Bare metal differs from a disposable cloud desktop because you own the full machine state. There is no noisy neighbor on NVMe, but there is also nobody else to absorb a bad power policy or a midnight OS patch window. Teams that treat the Gateway like a one-off script often discover silent disconnects when aggressive sleep cuts TCP sessions, or when logs land on the system volume until a burst job fills the disk.

Before you install OpenClaw, treat the items below as pre-flight acceptance, not postmortem notes.

• Sleep and scheduling: confirm nothing will suspend long-lived connections; the Gateway expects stable heartbeats.
• Disk and caches: carve paths for global npm or pnpm caches and for Gateway logs so they never compete with build artifacts on the same volume.
• Network egress: verify outbound HTTPS and the listener port in any upstream firewall; multi-region nodes add DNS latency and TLS RTT that do not show up in CPU graphs.
• Secrets handling: split model-provider API keys, channel OAuth material, and local keychain policy so secrets never echo through launchctl debug output.
• Observability: prepare log stream predicates and on-disk paths; otherwise you only know the PID exists.

Capacity planning for a Gateway is less about peak CPU and more about steady-state memory plus tail latency on disk. Apple Silicon nodes give predictable single-tenant performance, but you still need headroom for Node garbage collection spikes during model warm-up and for concurrent channel fan-out. Capture a week of samples before you promise an SLA to downstream chat surfaces.

Security posture also shifts on bare metal. You are not inside a vendor-hardened appliance image; you inherit macOS defaults until you harden them. Patch cadence, admin SSH keys, and filevault policy should live in the same runbook as the Gateway upgrade path so operators do not improvise under pressure.

Bare metal pays off when variance drops: eliminate the behaviors that pause agents before you chase faster chips.

The same OpenClaw commands behave differently across carriers. Laptops drag GUI session and sleep risk. Time-shared Mac clouds may cap custom daemons. Bare metal gives isolation but pushes daemonization to you. Use the matrix in reviews when someone asks why you are not just running the Gateway on a spare laptop.

When the goal is iOS or macOS CI sidecars, customer-facing bot gateways, or always-on agent control planes, bare metal is usually the simplest way to align latency, isolation, and audit in one decision.

Pick bare metal when you need repeatable cold boots, predictable CPU scheduling for mixed Node and native workloads, and a single owner for patching. Pick a laptop only for interactive bring-up. Pick a time-shared cloud when policy forbids physical custody but accept the extra variance in I/O and daemon policy.

OpenClaw ships through the Node ecosystem. Upstream changes the minimum runtime from time to time, so read the setup page before you paste commands. The sequence below is structural, not a frozen recipe.

If the repository or docs move, trust the pages below first.

https://docs.openclaw.ai/start/setup

https://www.npmjs.com/package/openclaw

1. Verify architecture: run uname -m and expect arm64; if you see x86_64, confirm you are not accidentally installing under Rosetta.
2. Install Node: nvm, fnm, or the official pkg are all fine; match the documented minimum major and keep node and npm from the same prefix.
3. Global CLI: npm install -g openclaw@latest, then validate with which openclaw and openclaw --version.
4. Initialize workspace: run openclaw init or the documented onboard flow inside a dedicated directory, not your Downloads folder.
5. Inject secrets: follow the doc layout for provider keys and channel tokens; never commit plaintext secrets to git.
6. Foreground proof: run openclaw gateway start or the documented equivalent until traffic flows, only then move to launchd.

#!/bin/sh
node -v
npm -v
which openclaw
openclaw --version

If the shell cannot find openclaw, check whether your global bin directory is on PATH for non-interactive launchd sessions, and whether sudo mixed permissions split installs between roots.

After install, snapshot the resolved dependency tree for support tickets. Store the output of npm ls -g --depth=0 alongside the OpenClaw version string so upgrades are diffable.

Do not anchor production on an interactive SSH session; closing the session kills the subtree. On macOS, launchd is the durable supervisor. LaunchAgents run in the login context; LaunchDaemons run as root and need tighter audit. The steps below assume a per-user agent.

1. Pick a listener port: confirm it is free with lsof -nP -iTCP before you bake it into config.
2. Author the plist: unique Label; ProgramArguments must use the absolute path from which openclaw; add EnvironmentVariables for PATH and optional NODE_EXTRA_CA_CERTS when a corporate MITM is present.
3. Stdout and stderr: set StandardOutPath and StandardErrorPath to rotatable files.
4. Load: launchctl load -w ~/Library/LaunchAgents/ai.openclaw.gateway.plist.
5. Reload safely: after edits, unload then load so you do not orphan an old listener on the same port.
6. Health check: use curl or the doc probe before you shift real traffic.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>ai.openclaw.gateway</string>
  <key>ProgramArguments</key><array>
    <string>/opt/homebrew/bin/openclaw</string>
    <string>gateway</string><string>start</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>

The plist path for openclaw must match the machine you are on; Homebrew on Apple Silicon differs from nvm shims, and launchd will not fix that for you.

Document the exact launchctl print output for a healthy instance so on-call engineers can compare labels, last exit status, and throttle counters during incidents.

Triage in three buckets: process missing, process up but no listener, listener up but upstream refuses. Each bucket has a different fix path.

• Node major gate: follow the Setup page; below-minimum runtimes may exit without a friendly error.
• Bind address: loopback-only listeners look down to remote probes; align with security groups.
• Log sinks: without stdout redirection under launchd you return to a black box; always set file paths.

When incidents repeat, add a lightweight synthetic check that exercises the same TLS path and token scopes your users hit, not just TCP open. That shrinks mean time to innocence for network teams.

1. Pin versions: record node, openclaw, and channel SDKs in the change record.
2. Cold boot drill: reboot from a clean session and confirm launchd brings the listener up within SLA.
3. Rotate secrets: practice model key and channel token rotation without hand-editing plist secrets.
4. Backup and rollback: include config trees and certificates; keep the last known-good plist.
5. Capacity sampling: seven days of CPU, memory, and disk write amplification to judge unified memory tier.
6. Doc alignment: re-read Setup and release notes before each maintenance window.

Self-built laptops and time-shared clouds often fail on sleep, neighbor contention, and unclear daemon ownership. Teams that need stable iOS or macOS build sidecars, AI agent gateways, and auditable access paths usually land on CALMVPS Apple Silicon bare-metal rental because it keeps long-lived processes, disk layout, and uplink behavior under one predictable envelope, with monthly elasticity on the pricing page.