[Bug]:v2026.2.26 Upgrade Cascade Failure: Symlink Rejection, OOM Compilation, Web UI 404s, and Missing `ui.js` Scripts

[a86582751]

Summary

Upgrading from v2026.2.22-2 to v2026.2.26 on a standard 2-Core 2GB server (the default configuration for Alibaba Cloud 1-click deployments) triggers a forensic nightmare: strict path validation rejects pnpm global symlinks -> bypassing this causes OOM compiling node-llama-cpp -> surviving that leads to a gateway exit 1 crash due to new strict bind security -> bypassing that results in a permanent 404 Not Found for the Control UI due to unmounted routes -> and finally, attempting to build the missing UI assets fails because scripts/ui.js is absent from the published NPM package.

Steps to reproduce

(Tested on the standard Alibaba Cloud 1-click deployment: 2C2G, Alibaba Cloud Linux 3)

1. The Symlink Rejection & OOM Trap:

• Upgrade to v2026.2.26 via pnpm install -g. Gateway refuses to start, throwing unsafe plugin manifest path for all built-in plugins (like memory-core) because the validator rejects pnpm's .local/share/pnpm/global/... symlinks.
• Attempt to bypass this via physical directories (pnpm config set node-linker hoisted) triggers a source build of node-llama-cpp, instantly causing an OOM Killed crash on 2GB RAM.
• Workaround: Manually copy plugins to ~/.openclaw/extensions/ and strictly use "allow": ["memory-core", "qqbot", "dingtalk", "wecom"] to isolate plugin issues.

2. The Bind Security Gateway Crash:

• After fixing plugins, the gateway main process instantly crashes (exit 1) in a systemd restart loop.
• journalctl reveals the culprit: a new strict security check: Error: non-loopback Control UI requires gateway.controlUi.allowedOrigins.
• Workaround: Explicitly configure allowedOrigins (adding 127.0.0.1, localhost, and the public IP) and stack bypass flags (dangerouslyAllowHostHeaderOriginFallback: true). The gateway finally boots and successfully listens on port 10162 (ss -ltnp confirmed).

3. The "Ghost Routing" 404 Not Found:

• Accessing the Control UI via http://<IP>:10162/b338e969?token=... returns Not Found.
• A curl -L trace proves the server correctly issues a 302 redirect to .../b338e969/?token=..., but the destination is an absolute 404.
• Suspecting a missing built-in UI extension (since channels.webchat now throws unknown channel id), we added "lobster" to the plugin allowlist and explicitly enabled it in entries. Still 404.
• Conclusion: The gateway is running perfectly in "API/WS + Canvas" mode, but the actual Control UI frontend routes are simply absent/unmounted.

4. The 503 Error & Missing Build Scripts:

• Attempting to manually point the UI route to existing assets via jq '.gateway.controlUi.root = ".../node_modules/openclaw/assets"', the 404 turns into a 503 Control UI assets not found (proving the route can exist but lacks built UI artifacts).
• Run pnpm ui:build in the global openclaw package directory to generate the assets.
• Final Failure: It fails with Cannot find module '.../scripts/ui.js' because the script is missing from the release payload. Dead end.

Expected behavior

1. The path validator must support pnpm global symlink installations.
2. node-llama-cpp should not force a RAM-heavy build on low-resource cloud machines if the user relies on API providers.
3. If gateway.bind = "lan" lacks allowedOrigins, it should gracefully 403 the UI, not crash the entire gateway (exit 1).
4. The Control UI should work out-of-the-box, or scripts/ui.js MUST be included in the NPM package so users can build the assets.

Actual behavior

• Gateway refuses pnpm symlinks.
• 2C2G servers crash (OOM) compiling unused C++ dependencies.
• Gateway exit 1 crash loop on 0.0.0.0 binds without origins.
• Control UI is permanently broken (404/503) due to missing frontend routes and missing build scripts (ui.js).

OpenClaw version

2026.2.26 (Upgraded from 2026.2.22-2)

Operating system

Alibaba Cloud Linux 3.21.04 (Standard 2 Core 2GB RAM instance)

Install method

pnpm install -g（pnpm install -g openclaw@latest --ignore-scripts=false）

Logs, screenshots, and evidence

1. **The Gateway Exit 1 Crash (Bind Security):**

Gateway failed to start: Error: non-loopback Control UI requires gateway.controlUi.allowedOrigins (set explicit origins), or set gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback=true to use Host-header origin fallback mode

2. **The 404 Ghost Routing Trace:**

$ curl -s -I "http://127.0.0.1:10162/${BASE}?token=${TOKEN}" | grep -i '^location'
Location: /b338e969/?token=adce37bf...
$ curl -s -o /dev/null -w "%{http_code}\n" "http://127.0.0.1:10162/b338e969/?token=${TOKEN}"
404

3. **The Missing UI Script Failure:**

$ pnpm ui:build
> openclaw@2026.2.26 ui:build
> node scripts/ui.js build

Error: Cannot find module '/home/admin/.local/share/pnpm/global/5/node_modules/openclaw/scripts/ui.js'

Impact and severity

• Affected users/systems: Any user deploying via the default Alibaba Cloud 1-click deployment (2C2G), users utilizing pnpm, and anyone accessing the gateway via raw IP (non-loopback).
• Severity: Fatal / Blocks workflow. It is physically impossible to cleanly run the Control UI on v2026.2.26 in this standard environment.
• Frequency: Always. Highly deterministic cascade failure.
• Consequence: Users are forced to abandon the upgrade and restore their servers to v2026.2.22-2 via cloud snapshots to regain UI access and stability.

Additional information

I don't know how to code; all the steps above, including this article, were completed under the guidance of GPT and Gemini. It really took me a lot of time (until 3 a.m.); I hope developers take this seriously.