2026 OpenClaw MeshMac: Linear Webhook → Shared Build Broadcast & Summary Back

Gateway installation and health check

Only the gateway should accept Linear POST webhooks. Builders join or leave the mesh without rotating URLs or secrets; mesh_node_id labels workers, not extra ingress. Follow the multi-node deployment guide for roles and keep Linear API and chat calls on the gateway.

1. Step 1. Install OpenClaw on the gateway, set OPENCLAW_CONFIG_ROOT, and run under LaunchDaemon (or equivalent) so the process survives reboots while pool Macs update Xcode.
2. Step 2. Publish https://… on the gateway hostname you will paste into Linear; put the webhook path on its own reverse-proxy location with a sensible max body size (TLS edge notes).
3. Step 3. Validate readiness with openclaw doctor, log checks, and a GET /health (or merged probe from skills prewarm and health probes) so balancers drain bad instances during deploys.
4. Step 4. Log correlation_id, route, and queue latency; size concurrent webhooks using gateway rate limits and session concurrency. See shared build notify webhooks and the OpenClaw hub for related patterns.

Per-project paths: per-project config and logs.

Linear signature verification

Verify first, parse second. Linear signs the exact raw body; middleware that parses JSON early breaks HMAC checks under load.

1. Step 1. Create the webhook in Linear, copy the signing secret once, store it under 0440 per secrets and least privilege (for example /etc/openclaw/secrets.d/linear/webhook.secret).
2. Step 2. Buffer bytes, compute HMAC-SHA256 per Linear’s docs, and compare the Linear-Signature header in constant time; reject replays with a tight timestamp window when the platform exposes one.
3. Step 3. Answer 401 on bad signatures; log redacted metadata only (same hygiene as Teams webhook build status).
4. Step 4. Return 200 only after the enqueue is durable so Linear retries do not fan out duplicate jobs; ordering hints in task queue sync. Optional: LinearWebhookClient on the gateway.

Chaining with shared build scripts

Normalize each verified payload into a task any pool Mac can run: repo, ref, issue id, actor, labels, plus an idempotency_key from Linear delivery metadata. Node A may be busy while node B runs the same script—no second public webhook.

1. Step 1. Whitelist the transitions that should build (for example a column or ci label). Return 200 quickly for ignored events.
2. Step 2. Push the task to your shared queue (Redis, RabbitMQ, OpenClaw tasks per task queue retry steps) with linear_issue_id, team, requester, and idempotency key.
3. Step 3. Run one version-locked entrypoint everywhere (skill version lock; worktree locks when needed).
4. Step 4. Emit “build finished” with mesh_node_id, duration, log snippet, artifacts. The gateway broadcasts to chat using your existing hooks (Slack, Google Chat, Teams).
5. Step 5. Post the summary comment via Linear GraphQL from the gateway (scoped API key, rotate per token rotation): emoji, sha, node, run link, two-line OpenClaw summary.

If Linear also triggers GitHub Actions, split lanes with runner routing so queues do not fight for disk.

Failure retry and notifications

Pools multiply flaky outcomes; keep one notification story. Split inbound (Linear → you) from outbound (you → chat / Linear API).

1. Step 1. Ack fast after durable enqueue; let Linear retry their edge. Keep handler timeouts inside gateway concurrency budgets.
2. Step 2. Chat webhooks: exponential backoff + jitter on 429/5xx, cap retries, dedupe on idempotency_key + state (~72h) per Teams dedupe.
3. Step 3. Linear GraphQL: log errors[], backoff on rate limits, do not loop on 401—fix the key first.
4. Step 4. If both chat and Linear updates fail, page via IM alerts. Plan gateway failover with load balance and failover.

FAQ

Signatures passed in curl tests but fail in production

You are probably not sending the exact bytes your framework receives—copy raw body handling from staging, disable gzip re-encoding on the edge, and confirm no WAF strips headers. Re-run verification against captured bodies from the gateway access log (redacted).

Duplicate builds fire when I move a card quickly between columns

Debounce state transitions in your mapper or require a stable “ready for build” label. Combine issue id, column id, and a short time bucket inside the idempotency key so human jitter does not enqueue twice.

Comments never appear on the Linear issue despite green builds

Verify the API key still has comment permission for that team, confirm you target the correct issueId from the webhook payload, and inspect GraphQL errors for schema drift after Linear API updates.

Only one Mac should talk to Linear—really?

Yes for secrets and auditability. Builders should be dumb, fast, and replaceable; the gateway owns verification, API tokens, and chat URLs. That separation is what makes adding a fourth or fifth MeshMac node a capacity change instead of a security review.