Who this is for: teams that want Jenkins to call OpenClaw on a remote Mac for composer or npm preflight, then post a build summary without waking the whole CI farm. 2026 practice per docs.openclaw.ai: Node 22 LTS baseline, Node 24 pilots after clean doctor, secrets at mode 600, and health probes in launchd. See build node guide and help (public, no login).
  • Opaque failures: Jenkins marks the stage green while dependency pulls would still fail on Apple Silicon paths.
  • Signature drift: proxies rewrite JSON bodies so HMAC checks never match the bytes Jenkins signed.
  • Idle gateways: without health checks, the controller retries into a dead listener and floods operators with noise.

Environment and minimal privilege preparation

Install Node 22 LTS for the OpenClaw service user; try Node 24 only when openclaw doctor is clean. Install via official curl or npm install -g openclaw, run openclaw onboard, then fix PATH or port warnings.

Store Jenkins secrets and Git creds under ~/.config/openclaw/ at mode 600. Use a read-only automation user, bind admin HTTP to 127.0.0.1, and terminate TLS on nginx or Caddy.

Control Why it matters Minimal pattern
Node major Doctor checks assume the same runtime as onboarding Pin NODE_BINARY in the launchd plist; avoid nvm-only paths
Health route Detect crashes before Jenkins queues retries curl -fsS from LaunchAgent every minute; restart on non-zero
Secrets Leaked tokens let anyone forge builds One secret per Jenkins job family; rotate on any paste into tickets

Least privilege. The Mac account only receives webhooks, clones, runs dry-runs, and POSTs summaries—never the Jenkins controller. Prefer single-purpose SSH keys.

Jenkins Generic Webhook and signature verification parameters

With Generic Webhook Trigger, POST JSON to your TLS URL plus a secret path token. Expose jobName, buildNumber, gitUrl, branch, status so the Mac avoids scraping HTML.

Verify using either a static X-Webhook-Secret header or HMAC-SHA256 of the raw body. Keep JSON compact—no pretty print—then log build URLs only after auth succeeds.

1
Create the POST URL with a random token segment and allow list Jenkins controller egress IPs on the proxy.
2
Define JSON variables in the plugin UI and test with Build Now → Replay to capture a sample payload.
3
Store the signing secret beside other OpenClaw env files at mode 600.
4
Verify before parse: compute digest on raw bytes, reject mismatches with HTTP 401 and no body echo.
5
Replay once from Jenkins UI and confirm OpenClaw logs show the same buildNumber you triggered.
# Pseudocode: read RAW_BODY from the request stream before JSON.parse
# expected = "sha256=" + HMAC_SHA256(secret, RAW_BODY)
# constant-time compare expected with header X-Signature

OpenClaw side: receive hooks and composer or npm preflight command templates

After auth, OpenClaw runs a script: mkdir /var/tmp/jenkins-openclaw/$BUILD_ID, shallow clone gitUrl, run validators. Never reuse one mutable tree.

# PHP / Composer (adjust PHP binary path for launchd)
composer validate --no-check-publish --no-interaction
composer install --dry-run --no-interaction --no-ansi

# Node / npm (fail fast if lockfile missing)
npm ci --dry-run 2>/dev/null || npm install --dry-run --ignore-scripts

Truncate logs to a few KB; return JSON with ok, buildNumber, logExcerpt. For Packagist-heavy PHP CI see Composer mirror matrix.

Version your command templates like Pipeline libraries so doctor upgrades stay auditable.

Build summary feedback (HTTP or Webhook) and failure retry

POST compact JSON to a Jenkins notification URL, inbound webhook step, or HTTP notifier. Include result, durationMs, and a short markdown blurb for the build page.

Retry three times with two, four, eight second sleeps; use curl --max-time 25. Log HTTP status plus retry count with the OpenClaw job id.

Common error FAQ

Every signature check fails

Proxy rewrote the body or line endings. Disable buffering that re-encodes JSON, keep Content-Type: application/json, hash the raw socket buffer.

Jenkins logs 502 Bad Gateway

Process died, plist missing after reboot, or bad TLS. Run openclaw doctor, check launchctl, curl health via the same hostname Jenkins uses.

composer: command not found under launchd

PATH is shorter than your interactive shell. Export absolute paths to composer and php inside the plist EnvironmentVariables block or invoke php /path/to/composer.phar.

Preflight passes but full build still fails

Dry-run skips lifecycle scripts, native modules, or signing steps. Treat preflight as a fast gate, not a replacement for the main pipeline matrix.

Summary

Stable order: align Node and doctor, lock down secrets, verify Jenkins bytes before JSON, isolate workdirs, run composer or npm dry-runs, then POST summaries with bounded retries.

Rent a remote Mac for a 24/7 OpenClaw gateway—no laptop sleep, stable TLS for Jenkins. Public pages: home, purchase, help, blog.

MacPull hosts remote Mac Mini nodes so OpenClaw gateways stay online for Jenkins-driven preflight and summary loops.

Keep your OpenClaw + Jenkins gateway always on

Rent a remote Mac Mini for a persistent OpenClaw listener, TLS-friendly Jenkins webhooks, and healthy launchd automation. Browse home, purchase, help, and blog without signing in.

Home Purchase Help Blog