Organized AI / Orchestration Deep Dive

How the Claw Agents Actually Work

Each Claw agent — its runtime, its loop, its trigger, why it lives where it does. Three machines on a Tailscale mesh. No M3 Ultra, no public cloud endpoints yet.

claws-mac-mini     100.82.244.127   infra server
jordans-mac-mini   100.86.248.8     dev / Claude Code
macbook-pro-5      100.116.140.93   mobile / monitor

01 / Foundation

Network Topology

All three machines connected over Tailscale — private WireGuard mesh. No public IPs, no port forwarding. Every agent-to-agent call uses fixed Tailscale IPs directly.

Three-machine Tailscale mesh
┌────────────────────────────────────────────────┐
│  claws-mac-mini  (M4 Mac Mini)                 │
│  100.82.244.127                                │
│  OpenClaw   :18789                             │
│  Paperclip  :3100                              │
│  Hermes     :7700                              │
│  NoClaw     :11434 (TBD)                       │
└────────────────────────┬───────────────────────┘
                         │ Tailscale
           ┌─────────────┴────────────┐
┌──────────┴──────────┐   ┌───────────┴──────────┐
│ jordans-mac-mini    │   │ macbook-pro-5        │
│ 100.86.248.8        │   │ 100.116.140.93       │
│ Claude Code (kata)  │   │ monitor + submit     │
│ monorepo checkout   │   │ light dev work       │
└─────────────────────┘   └──────────────────────┘

Machine            Tailscale IP     Hardware         Role               Agents
claws-mac-mini     100.82.244.127   M4 Mac Mini      Always-on infra    OpenClaw, Paperclip, Hermes, NoClaw
jordans-mac-mini   100.86.248.8     M4 Mac Mini      Dev machine        Claude Code (kata-managed)
macbook-pro-5      100.116.140.93   MacBook M1 Pro   Mobile / monitor   Browser, CLI job submission

Why two M4 Minis: claws-mac-mini is always-on and must never be interrupted by dev work. Separating infra from dev prevents a runaway Claude Code session from taking down the gateway monitoring it.

02 / Foundation

Runtime vs Surface — The Core Distinction

Every Claw agent has a runtime (process that runs on a machine) and a surface (HTTP endpoint it exposes). The monorepo contains surfaces. Runtimes live on machines.

Runtime vs Surface
Agent         Runtime (machine + port)              Surface (monorepo)
───────────────────────────────────────────────────────────────────────────────
OpenClaw      claws-mac-mini :18789                 apps/openclaw-gateway/
NoClaw        claws-mac-mini :11434                 none — Tailscale-internal only
NanoClaw      IS the Worker, no separate runtime    apps/nano-claw/
ExoClaw       IS the Worker, no separate runtime    apps/exo-claw/
Hermes        claws-mac-mini :7700                  apps/hermes-worker/
Claude Code   jordans-mac-mini (kata CLI)           none — acts ON the repo
Paperclip     claws-mac-mini :3100                  apps/clawdbot-dashboard/

The deciding question: Does this agent need state between requests? Yes → persistent process on claws-mac-mini. No → stateless CF Worker in apps/. Claude Code builds the repo and has no surface.

03 / Foundation

What Lives Where and Why

Full annotated map
organized-ai/                  (primary checkout on jordans-mac-mini)
├── apps/
│   ├── openclaw-gateway/      OpenClaw HTTP surface (optional on Tailscale-only)
│   ├── nano-claw/             NanoClaw IS this Worker
│   ├── exo-claw/              ExoClaw IS this Worker
│   ├── hermes-worker/         thin CF receiver for Hermes daemon
│   └── clawdbot-dashboard/    Paperclip React UI → CF Pages
├── packages/                  shared code, used by all Workers

─── External (not in repo) ─────────────────────────────

claws-mac-mini (100.82.244.127)
  OpenClaw   :18789   session manager, inter-agent bus
  Paperclip  :3100    control plane, tickets, budgets
  Hermes     :7700    cron, messaging, skill loop
  NoClaw     :11434   local inference (TBD)

jordans-mac-mini (100.86.248.8)
  Claude Code         kata-managed, builds+deploys monorepo

macbook-pro-5 (100.116.140.93)
  browser → Paperclip dashboard, CLI job submission

04 / Foundation

How Agents Communicate Over Tailscale

Three communication patterns with real IPs
PATTERN A — HTTP over Tailscale (synchronous)
  POST http://100.82.244.127:18789/job      ← from macbook or Paperclip
  POST http://100.82.244.127:7700/trigger   ← to Hermes daemon

PATTERN B — SSH + tmux sentinel
  OpenClaw (claws) → ssh jordaaan@100.86.248.8
    drive run "kata enter worker-deploy --issue=87 && claude ..."
    drive poll --sentinel __DONE_cc87

PATTERN C — Heartbeat (Paperclip scheduler)
  Every N min: Paperclip checks queue
    → any unassigned tickets?
    → POST http://100.82.244.127:18789/dispatch (loopback)

05 / Claw Agents

OpenClaw — The Gateway

OpenClaw
Session Manager · Inter-Agent Bus · Auth Layer
claws-mac-mini · 100.82.244.127:18789

How it works

Long-running HTTP server on claws-mac-mini. Maintains a session registry of active agent sessions. Authenticates requests, finds/creates the right session, routes to the correct agent, tracks the result. Does not reason or generate text. Traffic controller with memory.

Its loop

Event-driven, idle on :18789 waiting for inbound Tailscale HTTP. On request: authenticate → parse intent → check registry → route to agent on correct machine via SSH or HTTP → return job ID → update registry.

OpenClaw request lifecycle
POST http://100.82.244.127:18789/job    ← from Paperclip
{ agentType: "claude-code", task: "ticket #87", budget: 200 }
        │
        ▼
OpenClaw on claws-mac-mini
  authenticate ✓ → create session → build context
        │
        └─ SSH to 100.86.248.8:
             drive run "kata enter worker-deploy --issue=87"
             drive poll --sentinel __DONE_cc87
             (blocks until kata exit fires on jordans-mac-mini)
             POST callback → Paperclip :3100

Why runtime on claws-mac-mini

Must be alive before Claude Code starts and after it finishes. Running it on jordans-mac-mini (dev machine) would let a CC crash or reboot kill the gateway monitoring the session.
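The request lifecycle above turns a job payload into a shell string that runs over SSH on the machine holding the dev environment and git credentials. As an added example (not OpenClaw's own code), one way to let only a validated issue number reach that string and to accept only the matching sentinel line; the `ticket #<n>` task format, the `__DONE_cc<n>` naming and the function names are assumptions drawn from the single sample on this page.

```javascript
// Added example: derive the remote command from validated fields only.
// Assumed task format, taken from the page's sample "ticket #87".
const TASK_RE = /^ticket #([1-9]\d{0,5})$/;

// Returns the issue number, or null if the task is anything but "ticket #<n>".
function parseIssue(task) {
  const m = typeof task === "string" ? TASK_RE.exec(task) : null;
  return m ? Number(m[1]) : null;
}

// Builds the string handed to `drive run` and the sentinel to poll for.
function buildDispatch(job) {
  if (job.agentType !== "claude-code") throw new Error("unsupported agentType");
  const issue = parseIssue(job.task);
  if (issue === null) throw new Error("task must look like 'ticket #<n>'");
  return {
    // Only the integer reaches the shell string; the task text never does.
    remote: `kata enter worker-deploy --issue=${issue}`,
    sentinel: `__DONE_cc${issue}`, // naming assumed from __DONE_cc87
  };
}

// Accept a sentinel only as a whole line for the expected job,
// followed by a numeric exit code. Returns the code, or null.
function parseSentinel(line, sentinel) {
  const prefix = sentinel + ":";
  if (!line.startsWith(prefix)) return null;
  const code = line.slice(prefix.length);
  return /^\d{1,3}$/.test(code) ? Number(code) : null;
}
```

The part of the remote command that the page elides (`claude ...`) is left out here rather than guessed.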

06 / Claw Agents

NoClaw — Local Inference

NoClaw
Local LLM · No Cloud Dependency · Tailscale Internal Only · Role TBD
claws-mac-mini · 100.82.244.127:11434

What it is

Local inference process on claws-mac-mini — Ollama or MLX on the M4 chip. No external API. Role not fully defined yet. Candidate uses: intent classification before OpenClaw routes, cheap summarization, fallback when API budgets are tight.

Why no monorepo surface

Speaks only inward via Tailscale. Never needs to be reachable from the internet. No CF Worker, no wrangler.toml, no apps/ entry. Its only potential monorepo presence: a thin packages/noclaw-client for other agents to call it.

Why co-located with OpenClaw on claws-mac-mini

If used for pre-routing classification, co-location means a loopback call instead of a cross-machine Tailscale hop. The M4 chip handles MLX inference natively with no additional hardware.

What's still TBD

NoClaw's exact role is open. Pattern (local inference, Tailscale-internal, no monorepo surface) is settled. Model choice (Ollama vs MLX) and specific tasks are decided when you're ready.

07 / Claw Agents

NanoClaw — Tracking & Observability

NanoClaw
Event Ingestion · CAPI · sGTM · CF Worker · Globally Deployed
apps/nano-claw/ → Cloudflare Edge (not on Tailscale network)

How it works

Pure event processor. Receives tracking events (GA4, Meta CAPI, GTM server-side), validates via packages/tracking-utils, enriches from CF-IPCountry header, fans out to GA4 MP + Meta CAPI + D1. Zero state, no LLM, no reasoning.

Why it's in apps/ not packages/

NanoClaw IS its Worker — entire logic in src/index.ts, imports edge-safe packages, compiles to a single esbuild bundle. Deployed via wrangler deploy. It has a wrangler.toml, which makes it a deployment target, not a library. Only Claw agent that runs completely outside the Tailscale network.

NanoClaw event pipeline
POST /track { event: "purchase", value: 249.00 }
        │
        ▼
apps/nano-claw/src/index.ts  (CF Worker, global edge)
  import { validatePurchaseEvent } from '@org/tracking-utils'
  import { PurchaseEvent } from '@org/shared-types'
  └ both inlined by esbuild at deploy — no runtime npm

  validate ✓ → enrich geo →
  ctx.waitUntil(Promise.all([
    sendToGA4(), sendToMetaCAPI(), logToD1()
  ]))
  → return 200 immediately

08 / Claw Agents

ExoClaw — External Interface

ExoClaw
Public API Surface · Webhook Receiver · External Auth · CF Worker
apps/exo-claw/ → CF Edge → forwards to Tailscale :18789

How it works

Boundary agent between public internet and private Tailscale mesh. External services call ExoClaw, never OpenClaw directly. Authenticates, rate-limits (KV counter), transforms request format, forwards to OpenClaw via Cloudflare Tunnel.

Why separate from OpenClaw

Security boundary. OpenClaw manages live CC sessions with elevated privileges. ExoClaw has intentionally narrow permissions. If ExoClaw gets probed, claws-mac-mini:18789 stays invisible. The Tailscale IPs never appear in responses.

Why no runtime on the machines

ExoClaw's logic is entirely stateless: auth check, rate-limit counter in KV, request transformation, forward. A CF Worker handles this perfectly. Putting it on claws-mac-mini would require managing TLS, port-forwarding, and DDoS exposure manually.
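The stateless checks described above (rate-limit counter, request transformation, and keeping Tailscale IPs out of responses), as an added example written as pure functions so it runs outside a Worker; it is not ExoClaw's source. The allow-list, budget ceiling, task length limit and function names are assumptions; 100.64.0.0/10 is the range Tailscale assigns addresses from.

```javascript
// Added example: ExoClaw-style boundary checks as pure functions.
const ALLOWED_AGENTS = new Set(["claude-code"]); // only value shown on the page
const MAX_BUDGET = 200;                          // assumed ceiling

// Fixed-window counter. `stored` is the value read from KV for this caller
// (null on first request); the caller writes `next` back to KV.
function checkRateLimit(stored, nowMs, limit, windowMs) {
  const fresh = !stored || nowMs - stored.windowStart >= windowMs;
  const cur = fresh ? { windowStart: nowMs, count: 0 } : stored;
  if (cur.count >= limit) return { allowed: false, next: cur };
  return { allowed: true, next: { windowStart: cur.windowStart, count: cur.count + 1 } };
}

// Transform by allow-list: copy only known fields, drop everything else.
function toOpenClawJob(body) {
  if (typeof body !== "object" || body === null) return { ok: false, error: "bad_body" };
  if (!ALLOWED_AGENTS.has(body.agentType)) return { ok: false, error: "bad_agent" };
  if (typeof body.task !== "string" || body.task.length < 1 || body.task.length > 500) {
    return { ok: false, error: "bad_task" };
  }
  if (!Number.isInteger(body.budget) || body.budget < 1 || body.budget > MAX_BUDGET) {
    return { ok: false, error: "bad_budget" };
  }
  return { ok: true, job: { agentType: body.agentType, task: body.task, budget: body.budget } };
}

// True if text contains an address inside 100.64.0.0/10.
function leaksMeshAddress(text) {
  for (const m of text.matchAll(/\b100\.(\d{1,3})\.\d{1,3}\.\d{1,3}\b/g)) {
    const second = Number(m[1]);
    if (second >= 64 && second <= 127) return true;
  }
  return false;
}

// Build the public reply from named fields only; upstream text is never passed through.
function publicResponse(upstream) {
  const text = JSON.stringify({ jobId: String(upstream.jobId), status: "accepted" });
  if (leaksMeshAddress(text)) throw new Error("refusing to return a mesh address");
  return text;
}
```

Workers KV is eventually consistent, so a counter kept there bounds request volume approximately rather than exactly.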


09 / Supporting Cast

Hermes — The Messenger

Hermes
Self-Improving Agent · Copy · Messaging · Cron · Skill Loop
claws-mac-mini · 100.82.244.127:7700

How it works

Only Claw-adjacent agent with a closed learning loop. Creates skills from experience, maintains persistent memory (MEMORY.md, FTS5 session search), handles copy generation, messaging, and scheduled reports. Runs two concurrent loops: reactive (HTTP on :7700) and cron (scheduled jobs).

Why split: daemon + Worker

Daemon on claws-mac-mini needs persistent disk state: ~/.hermes/skills/, MEMORY.md, SQLite. Not possible in a stateless CF Worker. But apps/hermes-worker/ is a thin CF receiver for edge-speed inbound HTTP that forwards to :7700 via Cloudflare Tunnel.

10 / Supporting Cast

Claude Code — The Builder

Claude Code
Coding Agent · kata-Managed · Edits & Deploys the Monorepo
jordans-mac-mini · 100.86.248.8 (spawned by OpenClaw via SSH)

How it works

Receives a task from Paperclip (via OpenClaw via SSH), enters a kata mode on jordans-mac-mini, works through structured phases. Edits monorepo files, runs turbo build, wrangler deploy, verifies health. kata stop hook blocks exit until all phases pass.

Why it runs on jordans-mac-mini

Needs the full dev environment: monorepo checkout, pnpm, Wrangler, git credentials. Runs here, not on claws-mac-mini, so infra processes are never on the same machine as active code editing. A runaway CC session can't take down the gateway monitoring it.

11 / Supporting Cast

Paperclip — The Company

Paperclip
Control Plane · Org Chart · Budgets · Heartbeats · Tickets
claws-mac-mini · 100.82.244.127:3100

How it works

Company-level coordinator. Holds the org chart, ticket system, budget ledger, and heartbeat scheduler. Does not code or generate text. Coordination database with a scheduler and a React dashboard. Co-located with OpenClaw on claws-mac-mini for loopback-speed communication.

Why only dashboard is in repo

Paperclip Node.js server needs PostgreSQL, a scheduler, and always-on availability. Can't be a CF Worker. The apps/clawdbot-dashboard/ React UI deploys to CF Pages and calls Paperclip via OpenClaw or direct Tailscale from macbook-pro-5.


12 / Orchestration

Authority Model

Who can tell whom what
YOU (Jordan)
    │  macbook-pro-5 (100.116.140.93)
    │  monitor · approve · submit jobs
    │
┌─────────────────────┐
│  PAPERCLIP :3100    │  assign to ALL agents
│  claws-mac-mini     │  sees ALL tickets + costs
└──────────┬──────────┘
           │ loopback
┌──────────┴──────────┐
│  OPENCLAW :18789    │  route · auth · dispatch
└──┬───────┬───────┬──┘
   │       │       │
  SSH    :7700  :11434
   │       │       │
 Claude Hermes  NoClaw
jordans  claws   claws

13 / Orchestration

kata’s Role — The Contract Layer

kata runs on jordans-mac-mini inside Claude Code's session. Makes CC's output trustworthy enough for Paperclip to close a ticket.

With vs without kata
WITHOUT kata:
  Paperclip assigns → OpenClaw spawns CC → CC writes code → exits
  Sentinel: __DONE_cc87:0 → Paperclip marks DONE ✓
  Reality: tests never ran. deploy never happened. DONE is meaningless.

WITH kata:
  CC tries to exit → Stop hook: tasks_complete? tests_pass? committed?
  BLOCKED. CC fixes failures, commits, pushes.
  kata exit → __DONE_cc87:0
  OpenClaw reports COMPLETE → Paperclip DONE ✓
  This time it actually means done.

14 / Full Picture

Everything on the Tailscale Network

Complete stack
YOU
macbook-pro-5  100.116.140.93
    │ Tailscale
claws-mac-mini  100.82.244.127  (always-on)
    Paperclip :3100     NoClaw :11434
    Hermes    :7700
    OpenClaw  :18789  ◄─── all agents route here
    │
    └── SSH ──► jordans-mac-mini  100.86.248.8
                Claude Code (kata-managed)
                monorepo + wrangler deploy
                    │ kata phases + stop hook
                    │
organized-ai/ (monorepo)
    apps/openclaw-gateway      CF Worker
    apps/nano-claw             CF Worker
    apps/exo-claw              CF Worker
    apps/hermes-worker         CF Worker
    apps/clawdbot-dashboard    CF Pages
    │
Cloudflare Edge (300+ locations)

One sentence: claws-mac-mini is the always-on infra server. jordans-mac-mini is the dev machine where Claude Code runs kata-managed sessions and deploys Workers. macbook-pro-5 monitors and submits. Everything talks over Tailscale IPs. The monorepo only contains what Wrangler deploys.