[Bug]: `/health` and `/healthz` can return Control UI HTML `200` instead of machine health payload

[vibecodooor]

Summary

GET /health and GET /healthz can return Control UI HTML with 200 OK instead of machine-readable health JSON.

This makes deployment health probes (e.g. Render health checks) report healthy even when they are effectively checking the UI shell, not gateway/runtime dependency health.

Environment

• OpenClaw gateway running with Control UI enabled
• Observed on macOS Nimbus runtime during production audit
• Deployment config used healthCheckPath: /health

Reproduction

1. Run gateway with Control UI enabled.
2. Probe endpoints directly:
   • curl -sS -D - http://127.0.0.1:18789/health -o /tmp/health.body
   • curl -sS -D - http://127.0.0.1:18789/healthz -o /tmp/healthz.body
3. Inspect headers/body.

Expected

• /healthz returns machine-parsable health payload (application/json) with meaningful status semantics.
• /health should either alias to same JSON health payload or be explicitly documented/segregated from deployment probe paths.

Actual

Both /health and /healthz returned:

• HTTP/1.1 200 OK
• Content-Type: text/html; charset=utf-8
• Control UI HTML document (<!doctype html> ... <title>OpenClaw Control</title> ...)

Evidence snippet

/health headers observed:

• HTTP/1.1 200 OK
• Content-Type: text/html; charset=utf-8

/health body starts with:

<!doctype html>
<html lang="en">
  <head>
    <title>OpenClaw Control</title>

Same behavior observed for /healthz.

Impact

• False-positive deployment health state.
• Operators cannot safely use /health//healthz as runtime probes.
• Monitoring semantics diverge from expected health contract.

Related

• [Bug]: Webhook health endpoints always return 200 without checking dependencies #11803 (adjacent health semantics discussion)

[vibecodooor]

Reconfirmed on Nimbus (macOS) after runtime recovery, gateway restart (~/clawd/scripts/gateway-restart.sh), and openclaw doctor --fix --non-interactive --yes on 2026-02-16.

Still reproducible:

curl -s -i http://127.0.0.1:18789/health | sed -n '1,16p'
curl -s -i http://127.0.0.1:18789/healthz | sed -n '1,16p'

Both endpoints returned:

• HTTP/1.1 200 OK
• Content-Type: text/html; charset=utf-8
• Control UI HTML (<!doctype html> ... <title>OpenClaw Control</title>)

So this is still not safe as a deployment health probe path.

[vibecodooor]

Status ping (Feb 18, 2026, Nimbus update re-check): still open on our backlog.

No new endpoint-specific repro data was collected in this remediation pass (focus was channels/plugins/security migration after 2026.2.17), but issue remains relevant for machine-health automation reliability.

[chaotix345]

Reconfirmed on 2026.2.21-2 and 2026.2.24 (macOS Apple Silicon, Homebrew, Node 22.22.0).

Additional findings from source analysis

The HTTP request handler chain in the gateway server (gateway-cli-CK1Ri8SQ.js, handleRequest) processes routes in this order:

1. Hooks
2. Tools invoke
3. Slack
4. Channel plugins (/api/channels/...)
5. OpenAI Responses
6. OpenAI Chat Completions
7. Canvas
8. Control UI SPA catch-all (handleControlUiHttpRequest)
9. 404

There is no /health or /healthz route registered anywhere in the HTTP handler chain. The Control UI handler (step 8) serves index.html for any path that doesn't match a known static asset extension, so /health, /api/health, /healthz, and any other unregistered path all return 200 OK with the SPA HTML.

The health endpoint only exists as a WebSocket RPC method (src/gateway/server-methods/health.ts), which is why openclaw gateway status --deep shows "RPC probe: ok" — it probes via WebSocket, not HTTP.

Tested paths (all return SPA HTML)

curl -s http://localhost:18789/health      → <!doctype html>...
curl -s http://localhost:18789/healthz     → <!doctype html>...
curl -s http://localhost:18789/api/health  → <!doctype html>...

CLI impact

• openclaw gateway restart reports "Gateway did not become healthy after restart" (though the restart health check uses port ownership detection, not HTTP — see also Gateway restart health check times out on slow startups #22972)
• openclaw update shows same false failure message
• openclaw gateway status --deep correctly reports healthy via RPC probe

Suggested fix

Register an HTTP /health (and optionally /healthz) route before the Control UI SPA handler in the handleRequest chain. Something like:

// Early in handleRequest, before controlUi handler:
if (requestPath === '/health' || requestPath === '/healthz') {
  const snapshot = await refreshHealthSnapshot({ probe: false });
  res.statusCode = 200;
  res.setHeader('Content-Type', 'application/json');
  res.end(JSON.stringify({ status: 'ok', ts: Date.now(), ...snapshot }));
  return;
}

This would allow deployment probes (Render, Docker, k8s liveness/readiness), monitoring tools, and the CLI health checks to use standard HTTP health endpoints.

[vincentkoc]

I picked up the remaining root-mounted Control UI part of this bug.

Draft fix is in #38199. The change keeps the probe routes reachable when the Control UI is mounted at /, while preserving the plugin-route precedence that was intentionally kept in #31272.

I also added regression coverage for both cases:

• probe routes fall through correctly under root-mounted Control UI
• plugin-owned routes on probe paths still win