feat: atomic config management with validation and crash-loop rollback

[aronchick]

Problem

When openclaw.json is modified with invalid values, the gateway crashes on reload/restart and enters a crash loop. There is no rollback mechanism, no pre-apply validation that catches unresolvable env vars, and no fallback to a known-good state.

This is the #1 cause of gateway outages for users who have AI agents modifying their config — which is most OpenClaw users.

Real Incident (2026-02-16)

1. A sub-agent replaced API keys in openclaw.json with ${ENV_VAR} references (e.g. ${OPENAI_API_KEY})
2. The gateway restarted, but the env vars were not in the process environment
3. All API calls failed — keys were literal strings like "${OPENAI_API_KEY}"
4. The gateway entered a crash loop requiring manual intervention to restore config
5. In a separate incident, 20 Antfarm agents were added to agents.list, hijacking Telegram message routing

The meta-problem: AI agents modifying config files are the most common cause of crash loops. Agents don't always understand the runtime environment, and a single bad write can take down the entire gateway with no automated recovery.

Current State

OpenClaw already has:

• Config validation via Zod schema (validation.ts)
• Backup rotation (backup-rotation.ts — keeps 5 .bak files)
• Env var substitution (env-substitution.ts)

What's missing:

• Pre-write validation that checks env var references actually resolve
• A "last-known-good" config that's only updated after successful gateway startup
• Crash-loop detection with automatic rollback
• A dry-run/diff mode for config changes

Proposed Solution

Phase 1: Last-Known-Good + Crash-Loop Revert (highest impact, simplest)

• On successful gateway startup (healthy for >10s), save config as openclaw.json.last-known-good
• On crash loop (>3 crashes in 60s), auto-revert to last-known-good
• Log the failed config for debugging

Phase 2: Validation + Dry-Run

• openclaw config diff — show pending changes
• openclaw config apply --dry-run — validate without applying
• Pre-write check that all ${VAR} references resolve to actual env values
• API key format validation (correct prefixes, not just non-empty)

Phase 3: Atomic Transactions

• openclaw config apply --rollback-on-failure — auto-revert if startup fails within N seconds
• Transactional config changes: fully applied or fully rolled back
• Env var resolution checking at write time

Why This Matters

Every OpenClaw user running AI agents (sub-agents, Antfarm workflows, cron-based automation) is one bad config write away from a crash loop that requires SSH access to fix. The gateway should be self-healing, not fragile.

The existing .bak rotation helps with accidental overwrites but does NOT help with crash loops — all 5 backups can be bad configs if the agent keeps writing.

[MzaGuille]

The atomic rollback proposal is great as a safety net (airbags), but I think we need to address the root cause of why agents crash the config in the first place.

The Core Problem: Variable Intelligence
Currently, we give the keys to the car (openclaw.json write access) to whatever model the user happens to be running.

• If they run Claude 3.5 Sonnet or Opus, it might read the docs and drive safely.
• If they run a local Llama 7B or a smaller quantized model, it's like letting a drunk intern manage production. They hallucinate parameters, invent syntax, or use env vars that don't exist.

Even with local docs in /app/docs, most agents don't know they exist or how to traverse them effectively without explicit prompting.

Proposed Addition: The "SysAdmin Agent"
Instead of just validating after the crash, we should decouple "Chat Intelligence" from "System Administration".

OpenClaw should ship with a specialized "Configuration Agent" (or a deterministic Skill) that acts as the gatekeeper.

1. Encapsulated Knowledge: This agent knows the exact schema for the current version. It doesn't need to "read" docs to know that allowFrom expects an array.
2. Deterministic Execution: The user's LLM asks the SysAdmin Agent: "Change the model to GPT-4". The SysAdmin Agent executes this via code/Zod validation, not by generating raw JSON text.
3. Safe Interface: It exposes high-level intents (config.setModel, config.addKey) rather than raw file editing (fs.write).

If we rely solely on the user's LLM to edit the raw JSON correctly, we will always be fighting against the model's hallucinations. A deterministic layer in the middle solves the "dumb model" problem.

cc @steipete @mariozechner

[aronchick]

New Crash Case (2026-02-18)

Adding another real-world crash to this issue:

Validation Error: channels.telegram.allowFrom: channels.telegram.dmPolicy="open" requires channels.telegram.allowFrom to include "*"

Impact: Process died during config change attempt, no graceful degradation.

This reinforces the need for Phase 1 (last-known-good + crash-loop revert) as the highest priority fix.

SafeMode Auto-Fix Addition

Consider adding constrained auto-fix as Phase 1.5:

• For deterministic validation errors (like this dmPolicy/allowFrom case), auto-apply the obvious fix
• Safety constraints: max 3 fixes, no security settings, user acknowledgment required
• Example: dmPolicy="open" missing allowFrom=["*"] → auto-add "*" to allowFrom

This would handle 95% of common validation errors automatically while maintaining safety.

[aronchick]

@MzaGuille I completely agree with the SysAdmin Agent concept, i love the "drunk interns" analogy :)

The beauty is that atomic config management + SysAdmin Agent are complementary, not competing approaches:

Schema

First, we should really publish a jsonschema for all tools to use. For example, here's ours:

https://docs.expanso.io/schemas/pipeline.schema.json

Simple, and it means both OpenClaw and OTHER tools can use it.

Integration Approach

Then, we do defense in depth:

Layer 1: SysAdmin Agent (Prevention)

• Deterministic config.setModel(), config.addKey() operations
• Schema-aware, no hallucinations
• All config changes flow through validated code paths
• Eliminates direct fs.write() to openclaw.json

Layer 2: Atomic Safety Net (Recovery)

• Even deterministic code can have bugs or edge cases
• last-known-good + crash-loop detection as the final failsafe
• Triggers when the SysAdmin Agent itself has issues

OpenClaw Doctor Integration

IF something leaks through, then we need OpenClaw doctor fallback.

What I'm envisioning:

• OpenClaw Doctor becomes the SysAdmin Agent runtime
• On first startup, if crash-looping detected → Doctor takes over temporarily
• Provides a constrained "safe mode" CLI: doctor config.setModel('gpt-4')
• Only after successful startup does it hand control back to normal agents

Phased Implementation

Phase 0: Publish our schema
Phase 1: SysAdmin Agent skill (high-level config operations)
Phase 2: Atomic safety net (crash-loop detection + rollback)
Phase 3: Doctor integration (safe mode recovery)

The key insight: prevention (SysAdmin Agent) + recovery (atomic rollback) gives us defense in depth. Raw JSON editing becomes a "break glass" operation that only happens in emergencies.

Does this align with what you're thinking? The SysAdmin Agent handles 95% of config operations safely, atomic rollback catches the remaining 5% edge cases.

I should also add that we should publish the OpenClaw schema on

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[aronchick]

I don't have any updates other than I think this would be a great feature