OpenClaw Workspace, openclaw.json, and ~/.openclaw State Isolation on Shared Rented Mac mini (2026)
Platform engineers who park OpenClaw on a single rented Apple Silicon Mac mini from VmMac quickly learn that “it works in my shell” is not the same as “it works under launchd for two squads.” The fragile seam is almost never the model card—it is the workspace root, the checked-in openclaw.json contract, and the per-user state tree historically rooted under ~/.openclaw. When staging experiments write caches beside production tokens, or when WorkingDirectory drifts after a deploy, gateways read the wrong file and your incident looks like “LLM regression.” This 2026 matrix names boundaries, pairs with staging vs production launchd isolation, secrets and plist hygiene, and multi-account isolation so VmMac hosts in Hong Kong, Japan, Korea, Singapore, and the United States stay boringly aligned.
Start from install & deploy, use help for access semantics, and open pricing when leadership agrees the cheapest fix is a second mini instead of another week of shared-state archaeology.
Workspace Boundary: Repository Root vs Runtime Checkout
Treat the OpenClaw workspace as the directory your automation checks out: it should contain openclaw.json, skills manifests, and any repo-local wrappers you expect code review to cover. Treat anything generated at runtime—large caches, downloaded weights mirrors, scratchpads—as out of git unless you have an explicit artifact policy.
On VmMac you often symlink nothing at all: clarity beats cleverness. If engineers clone into ~/src/openclaw-tenant-a but launchd still points at last month’s ~/build/openclaw, you will chase ghosts. Document the canonical absolute path per tenant in the same page that lists SSH bastions.
- Git holds intent—defaults, feature flags, audited tool lists.
- Disk holds entropy—caches, transcripts you redact later, temp exports.
- Plists hold glue—environment, cwd, user session, log paths.
openclaw.json as a Contract: Versioning, Reviews, and Secret Shapes
openclaw.json should read like an API schema: stable keys, explicit defaults, comments only where your JSON dialect allows. During review, reject diffs that smuggle long-lived API keys inline—those belong in the vault plane described in secrets hygiene, not in a file every intern can cherry-pick.
Tag releases so you can answer “what config ran in Tokyo at 03:14?” without SSH. If you must hotfix a region, branch, deploy, and merge—temporary snowflakes on shared hosts always outlive their owners.
tools allowlists, they need different files or different users—never toggling the same path twice per day by hand.
~/.openclaw and Friends: What Must Never Collide
Use a matrix to decide what lives under the home state prefix versus the workspace.
| Artifact | Workspace | Home state |
|---|---|---|
| Gateway route tables / pinned tool manifests | Yes—reviewed JSON | No—avoid split-brain |
| Session cookies, device pairing blobs | No—never commit | Yes—chmod tightly |
| Structured logs | Optional templates | Yes—large, rotated |
| Per-developer overrides | Never on shared CI hosts | Personal laptop only |
When someone asks “can we just delete ~/.openclaw to reset?” your answer should reference a runbook section, not improvisation—deletion fixes poisoned caches and breaks legitimate pairing if you skip export steps.
Multi-Tenant Matrix on One Mac mini
VmMac excels at dedicated metal, but finance sometimes forces sharing. Rank options honestly:
| Pattern | Isolation strength | Operational load |
|---|---|---|
| Separate physical hosts per tenant | Highest | Lowest drama |
| Separate macOS users on one host | High | Medium—disk quotas + VNC discipline |
| Same user, different directories | Low—human error magnet | High—constant audits |
If you are forced into the third row, at least enforce disjoint LaunchAgent labels, disjoint localhost ports, and nightly automation that diffs active plists against git. Better: follow staging isolation until finance approves another mini.
launchd WorkingDirectory, EnvironmentVariables, and Path Precedence
WorkingDirectory is not decorative—it defines how relative paths inside openclaw.json resolve and which node_modules tree loads. Pair it with explicit EnvironmentVariables for anything you would export in ~/.zshrc on a laptop. After edits, always validate with launchctl print gui/$UID/com.example.openclaw (adjust domain) before declaring victory.
cd somewhere before running OpenClaw, your plist is incomplete.
Across Hong Kong, Japan, Korea, Singapore, and the United States, keep plist templates identical; put regional endpoints in small env files referenced by absolute paths so diffs stay readable during audits.
Incident Runbook: State Poisoning vs Real Model Regressions
- Capture
pwdof the running gateway fromlaunchctl printoutput. - Hash
openclaw.jsonin that cwd and compare to the git tag you think you deployed. - List size and mtime of the state directory subtree; look for exploding SQLite or JSONL.
- Disable new traffic, drain queues, snapshot logs.
- Move poisoned state aside—not delete—so postmortems keep evidence.
- Replay the failing request against a clean VmMac canary host.
- Document whether the fix was config, disk, or model before closing the ticket.
Most false “model quality” drops we see in 2026 are actually stale tool allowlists or expired OAuth refresh tokens sitting beside each other in the same state tree—your LLM is fine; your filesystem is not.
FAQ: OpenClaw workspace and state on rented Mac mini
Should openclaw.json live in git on a shared rented Mac mini? Yes for schema and non-secret defaults, but never as the only home for secrets—pair repo files with a single documented secret plane and per-tenant state prefixes so staging cannot read production tokens from disk.
What belongs in ~/.openclaw versus the workspace checkout? Keep durable machine-local caches, device pairing, and sensitive runtime material under the home state tree; keep team-reviewed config in the workspace while ensuring launchd sets WorkingDirectory explicitly.
How do we isolate two teams on one VmMac host without mixing OpenClaw state? Prefer separate macOS users or separate hosts; if you must share, use disjoint OPENCLAW_HOME-style prefixes, non-overlapping LaunchAgent labels, and distinct localhost ports per our staging isolation runbook.
Does launchd WorkingDirectory change which openclaw.json is read? Relative paths resolve from WorkingDirectory and the user environment; ambiguous cwd is the top cause of staging reading production workspace copies—pin absolute paths in plists after validation.
How do Hong Kong, Japan, Korea, Singapore, and United States hosts stay aligned? Store the same git revision of openclaw.json while allowing only intentional regional env overrides; diff plists monthly and reject ad-hoc per-host edits without tickets.
Why a Second VmMac Mac mini Is Cheaper Than Shared-State Surgery
Splitting tenants onto another mini converts ambiguous chmod puzzles into network-routable boundaries you can explain to security. The marginal rental shows up cleanly in COGS; the marginal engineer week of forensic merges does not.
When leadership pushes back, show incident count from the last quarter where root cause was “wrong cwd” or “shared cache.” If that number is nonzero, physics agrees—you needed another host.
Clone State, Not Mystery
Rent a second VmMac Mac mini for staging OpenClaw workspaces so production ~/.openclaw never sees experimental caches.
