Why does onboard hang over SSH?

TTY-less sessions may block on prompts; pre-export required API keys and use non-interactive flags documented for your OpenClaw version.

Should I use npm or pnpm for first install?

Either works if globally consistent; pin the package manager store path in your runbook to match upgrade playbooks.

When do I run openclaw doctor?

Immediately after first daemon start and after any toolchain change—duplicate LaunchAgents are common on re-run installs.

AI / Automation April 17, 2026

2026-04-17 OpenClaw `onboard` & `install-daemon` on Headless Leased Cloud Mac

MacXCode Engineering Team April 17, 2026 ~15 min read

OpenClaw’s 2026 npm distribution continues to emphasize CLI-first workflows: install globally, run openclaw onboard, and let the tool scaffold LaunchAgents for the gateway. On a leased Apple Silicon Mac that you only touch through SSH, the happy path is still easy—until prompts assume a GUI, environment variables are missing, or Node is two majors behind upstream recommendations. This 2026-04-17 guide walks through prerequisites, pinned installs, daemon creation, and verification on HK / JP / KR / SG / US nodes. After it boots clean, continue with gateway upgrade & rollback, secrets via launchd, and health probes before exposing webhooks.

Prerequisites: Accounts, Ports, and Policy

Outbound HTTPS — model and channel endpoints must be reachable from your region; document allowlists for corporate tenants.
Local bind — default gateway listeners often sit on 127.0.0.1:18789; pair with nginx ingress for public traffic.
User context — install under the same POSIX user that will own CI or operator sessions; avoid split-home layouts.

Node Version Pin (22 LTS vs 24)

Upstream release notes for recent OpenClaw builds recommend Node 24 where available, with Node 22.16+ as a supported floor. On macOS Sonoma / Sequoia builders, use your org-approved installer (fnm, nvm, or pkg) but pin the version in infra-as-code. Record node -v and npm -v in the same artifact bundle as your openclaw.json redaction.

node -v && npm -v && which node

Do not mix system /usr/bin/node with Homebrew Node for different terminals—launchd inherits a minimal PATH; set absolute paths in plist EnvironmentVariables if needed.

SSH Sessions & Non-Interactive Discipline

Export provider keys before onboarding: many flows read OPENAI_API_KEY-style variables or custom bridge tokens. For fully non-interactive installs, combine export VAR=… in the same shell invocation as openclaw onboard or source a secured dotfile with 0400 perms. If the CLI still prompts, check upstream docs for --yes-style flags available in your semver.

Install the CLI (Pinned, Not Drifting)

Match production to an explicit version string, e.g. 2026.4.x from npm metadata, not bare @latest on the first host in a region.

npm install -g openclaw@2026.4.15

After install, run openclaw --version and store stdout in your CMDB—future diffing depends on this baseline.

Run `openclaw onboard --install-daemon`

The onboard subcommand typically walks model selection, workspace defaults, and daemon installation. On headless hosts, pre-create ~/.openclaw with correct ownership if your security baseline requires specific ACLs. When --install-daemon completes, you should see a plist reference under ~/Library/LaunchAgents with a label such as ai.openclaw.gateway (exact names vary by version—always read the emitted path).

Signal	Healthy	Unhealthy
CLI exit code	0 with “installed daemon” summary	Non-zero with EACCES on plist directory
Files	Plist + log directory created	Partial ~/.openclaw without LaunchAgents entry
Ports	curl to documented localhost port succeeds	Address already in use from stale process

`launchd` Verification & Duplicate Detection

Bootstrap the agent for the current GUI-less session with launchctl bootstrap gui/$UID … / kickstart patterns consistent with your macOS version. Immediately run openclaw doctor as covered in duplicate LaunchAgents recovery—re-running onboard on the same host without unloading first is a common way to stack duplicate plists.

Health Checks, Logs, and When to Add Nginx

Use the lightweight curl checks from readiness probes: loop 127.0.0.1 until HTTP 200, then attach nginx TLS termination. Tail ~/.openclaw/logs (path may differ if OPENCLAW_STATE_DIR is set) during first channel handshake to catch auth misconfigurations early.

Once the first node is stable, clone the playbook to secondary regions via pricing instead of overloading one Mac with both heavy Xcode lanes and always-on AI gateways. If you need mesh access instead of public ingress, review Tailscale mesh before opening ports. Teams evaluating terminal agents should read our Codex CLI vs Claude Code M4 benchmark for Terminal-Bench and token-efficiency numbers on the same lease profile.

FAQ: First Install on Cloud Macs

Question	Answer
Can I run onboard from tmux?	Yes—ensure the same environment block is loaded; tmux panes often forget launchd-injected vars.
What if port 18789 conflicts?	Stop old gateways, unload stale plists, then rerun doctor; document custom ports in nginx upstreams.
Is Docker easier?	Different trade-offs—see Docker vs native; this article targets npm-native daemons.

Bottom line: pin Node, pin npm semver, export secrets before SSH, install daemon once cleanly, verify with doctor + curl, then harden with the upgrade and ingress runbooks—not the reverse order.

Dedicated M4 for OpenClaw + Xcode sidecars

SSH-first · HK · JP · KR · SG · US

Lease a builder Deployment help

Prerequisites: Accounts, Ports, and Policy

Node Version Pin (22 LTS vs 24)

SSH Sessions & Non-Interactive Discipline

Install the CLI (Pinned, Not Drifting)

Run openclaw onboard --install-daemon

launchd Verification & Duplicate Detection

Health Checks, Logs, and When to Add Nginx

Related Runbooks & Fleet Scaling

FAQ: First Install on Cloud Macs

Dedicated M4 for OpenClaw + Xcode sidecars

Run `openclaw onboard --install-daemon`

`launchd` Verification & Duplicate Detection