fix #90668: [Bug]: macOS node mode can silently self-reconnect in a healthy direct gateway session (#90815)

clawsweeper[bot] · zhangguiping-xydt · Takhoffman · web-flow · commit 9cbf18293bb4 · 2026-06-06T02:44:59.000Z
Summary: - Adds a macOS node-mode TLS session cache keyed by gateway URL and TLS pin parameters, with Swift tests for reuse and rebuild behavior. - PR surface: Other +78. Total +78 across 2 files. - Reproducibility: yes. The source path is clear: current main supplies a fresh TLS session identity into `Gat ... inked macOS WSS proof demonstrates repeated connected callbacks before the cache and one callback after it. Automerge notes: - PR branch already contained follow-up commit before automerge: fix(macos): make TLS session cache lint-safe - PR branch already contained follow-up commit before automerge: fix #90668: [Bug]: macOS node mode can silently self-reconnect in a h… Validation: - ClawSweeper review passed for head 1496eac. - Required merge gates passed before the squash merge. Prepared head SHA: 1496eac Review: #90815 (comment) Co-authored-by: 张贵萍0668001030 <zhang.guiping@xydigit.com> Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com> Co-authored-by: clawsweeper[bot] <274271284+clawsweeper[bot]@users.noreply.github.com> Approved-by: takhoffman Co-authored-by: takhoffman <781889+takhoffman@users.noreply.github.com>
diff --git a/apps/macos/Sources/OpenClaw/NodeMode/MacNodeModeCoordinator.swift b/apps/macos/Sources/OpenClaw/NodeMode/MacNodeModeCoordinator.swift
@@ -2,6 +2,43 @@ import Foundation
 import OpenClawKit
 import OSLog
 
+struct MacNodeGatewayTLSSessionCache {
+    private struct Key: Equatable {
+        let url: URL
+        let required: Bool
+        let expectedFingerprint: String?
+        let allowTOFU: Bool
+        let storeKey: String?
+
+        init(url: URL, params: GatewayTLSParams) {
+            self.url = url
+            self.required = params.required
+            self.expectedFingerprint = params.expectedFingerprint
+            self.allowTOFU = params.allowTOFU
+            self.storeKey = params.storeKey
+        }
+    }
+
+    private var cachedKey: Key?
+    private var cachedBox: WebSocketSessionBox?
+
+    mutating func sessionBox(url: URL, params: GatewayTLSParams) -> WebSocketSessionBox {
+        let key = Key(url: url, params: params)
+        if let cachedKey = self.cachedKey, cachedKey == key, let cachedBox = self.cachedBox {
+            return cachedBox
+        }
+        let box = WebSocketSessionBox(session: GatewayTLSPinningSession(params: params))
+        self.cachedKey = key
+        self.cachedBox = box
+        return box
+    }
+
+    mutating func invalidate() {
+        self.cachedKey = nil
+        self.cachedBox = nil
+    }
+}
+
 @MainActor
 final class MacNodeModeCoordinator {
     static let shared = MacNodeModeCoordinator()
@@ -11,6 +48,7 @@ final class MacNodeModeCoordinator {
     private let runtime: MacNodeRuntime
     private let session: GatewayNodeSession
     private var autoRepairedTLSFingerprintsByStoreKey: [String: String] = [:]
+    private var tlsSessionCache = MacNodeGatewayTLSSessionCache()
 
     private init() {
         let session = GatewayNodeSession()
@@ -268,16 +306,21 @@ final class MacNodeModeCoordinator {
     }
 
     private func buildSessionBox(url: URL, connectionMode: AppState.ConnectionMode) -> WebSocketSessionBox? {
-        guard url.scheme?.lowercased() == "wss" else { return nil }
+        guard url.scheme?.lowercased() == "wss" else {
+            self.tlsSessionCache.invalidate()
+            return nil
+        }
         let stableID = Self.tlsPinStoreKey(for: url)
         let stored = GatewayTLSStore.loadFingerprint(stableID: stableID)
         guard let params = Self.tlsParams(
             for: url,
             connectionMode: connectionMode,
             root: OpenClawConfigFile.loadDict(),
             storedFingerprint: stored)
-        else { return nil }
-        let session = GatewayTLSPinningSession(params: params)
-        return WebSocketSessionBox(session: session)
+        else {
+            self.tlsSessionCache.invalidate()
+            return nil
+        }
+        return self.tlsSessionCache.sessionBox(url: url, params: params)
     }
 }
diff --git a/apps/macos/Tests/OpenClawIPCTests/MacNodeModeCoordinatorTests.swift b/apps/macos/Tests/OpenClawIPCTests/MacNodeModeCoordinatorTests.swift
@@ -89,6 +89,41 @@ struct MacNodeModeCoordinatorTests {
         #expect(params.allowTOFU == false)
     }
 
+    @Test func `tls session cache reuses session box for unchanged params`() throws {
+        let url = try #require(URL(string: "wss://gateway.example.com"))
+        var cache = MacNodeGatewayTLSSessionCache()
+        let params = try #require(MacNodeModeCoordinator.tlsParams(
+            for: url,
+            connectionMode: .remote,
+            root: ["gateway": ["remote": ["tlsFingerprint": "sha256:configured"]]],
+            storedFingerprint: "stored"))
+
+        let first = cache.sessionBox(url: url, params: params)
+        let second = cache.sessionBox(url: url, params: params)
+
+        #expect(ObjectIdentifier(first.session) == ObjectIdentifier(second.session))
+    }
+
+    @Test func `tls session cache rebuilds session box when params change`() throws {
+        let url = try #require(URL(string: "wss://gateway.example.com"))
+        var cache = MacNodeGatewayTLSSessionCache()
+        let firstParams = try #require(MacNodeModeCoordinator.tlsParams(
+            for: url,
+            connectionMode: .remote,
+            root: ["gateway": ["remote": ["tlsFingerprint": "sha256:configured"]]],
+            storedFingerprint: "stored"))
+        let secondParams = try #require(MacNodeModeCoordinator.tlsParams(
+            for: url,
+            connectionMode: .remote,
+            root: ["gateway": ["remote": ["tlsFingerprint": "sha256:rotated"]]],
+            storedFingerprint: "stored"))
+
+        let first = cache.sessionBox(url: url, params: firstParams)
+        let second = cache.sessionBox(url: url, params: secondParams)
+
+        #expect(ObjectIdentifier(first.session) != ObjectIdentifier(second.session))
+    }
+
     @Test func `auto repairs trusted tailscale serve pin mismatch`() throws {
         let url = try #require(URL(string: "wss://gateway.example.ts.net"))
         let failure = GatewayTLSValidationFailure(
