gateway restart/update can fail to come back when respawn reuses unstable package-manager paths

[RichardCao]

Summary

Message-triggered restart / update.run can occasionally fail to bring the gateway back after shutdown.

What is happening

The gateway run loop already tries to do a full fresh-process restart after SIGUSR1, but restartGatewayProcessWithFreshPid() currently respawns the child with process.execArgv + process.argv.slice(1).

That is brittle when the running process was launched from a package-manager-managed realpath, especially pnpm versioned paths like:
node_modules/.pnpm/openclaw@<version>/node_modules/openclaw/dist/entry.js

During self-update, that versioned realpath may be replaced or removed. The parent exits cleanly, but the child can then be spawned against an entrypoint that is no longer stable, which matches the observed "message channel restart/update ran, process went down, did not come back" behavior.

Why this matters

This is most visible on message-triggered flows because the restart/update is initiated from the running gateway itself, so there is no external operator retrying the command.

Expected behavior

Gateway self-restart should respawn via a stable wrapper/symlinked CLI entrypoint that survives package updates, not by blindly reusing the current argv path.

Proposed fix

Before detached respawn:

• detect pnpm versioned OpenClaw realpaths and rewrite them back to the stable node_modules/openclaw/openclaw.mjs wrapper
• otherwise, if the package root is known, respawn through <packageRoot>/openclaw.mjs
• keep current argv unchanged for dev/source entrypoints such as src/entry.ts

Validation

I have a fix prepared locally on top of the latest green main commit:

• green base: 52a0aa06723fbad5e7c2b0fc07fe04eef433d1c7
• targeted tests: pnpm exec vitest run src/infra/process-respawn.test.ts
• targeted lint: pnpm exec oxlint --type-aware src/infra/process-respawn.ts src/infra/process-respawn.test.ts

Full-repo tsc currently reports unrelated pre-existing test typing errors around fetch mocks, so I am not using that as the gating signal for this issue.

[Ryce]

Analysis: Respawn uses brittle execArgv — gateway cannot recover when launch environment is stale

The bug is in restartGatewayProcessWithFreshPid: it respawns using process.execArgv plus the original arguments. This assumes the launch environment (node path, npm path, any execArgv flags) is still valid after the update. When a package manager update replaces node_modules or changes the installation path, the original execArgv may point to a now-invalid binary, and the respawn silently fails — leaving the gateway in a dead state with no recovery path.

Why this is particularly dangerous for automated restarts

For cron-triggered or heartbeat-triggered restarts, the failure is silent. The gateway process that initiated the restart believes the respawn succeeded, and the old gateway is gone. The user loses their agent mid-workflow with no notification, no crash dump, and no way to recover from the snapshot because the gateway that would restore from it is also dead.

This is the exact failure mode KeepMyClaw is designed for: the system cannot self-report accurately at the moment it most needs to.

KeepMyClaw angle

An encrypted snapshot at the respawn boundary is the authoritative recovery record.

1. Pre-restart snapshot (taken before SIGUSR1 fires): captures the complete gateway process state — process tree, environment variables, loaded modules, open connections, in-flight sessions. This survives the respawn failure.

2. Post-restart verification snapshot: if the gateway comes back, the snapshot proves the state was preserved correctly. If it does not come back, the pre-restart snapshot is the recovery point.

3. The execArgv divergence proof: a snapshot of the respawn attempt captures what execArgv was used versus what the new process actually received — proves whether the failure was a stale path or something else.

Without snapshots: the gateway silently fails to restart, the user has no idea until they notice their agent is offline, and there is no ground-truth record of what was running before the failure.

Specific diagnostic value

• For users: proof of what was running before the failed restart (sessions, cron jobs, open connections)
• For OpenClaw: confirms whether the failure is in the respawn mechanism versus the post-restart initialization
• The occasional nature of the failure is the key signal — it fires when the update changed the environment. Snapshots taken during the next failed restart prove exactly what changed.

IC: https://www.keepmyclaw.com?ref=ic_52313_hawtsauce

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 9, 2026, 12:54 AM ET / 04:54 UTC.

Summary
Codex review failed: codex execution failed.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.

Next step
Review did not complete, so no work-lane recommendation was made.

Review details

Best possible solution:

Retry the Codex review after fixing the execution failure.

Do we have a high-confidence way to reproduce the issue?

Unclear. The review failed before ClawSweeper could establish a reproduction path.

Is this the best way to solve the issue?

Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction.

AGENTS.md: unclear because the file could not be read completely.

Remaining risk / open question:

• No close action taken because the review did not complete.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6fcc9457020e.

Label changes

Label changes:

• add issue-rating: 🦪 silver shellfish: Current issue advisory state selects this label.
• add clawsweeper:needs-info: Current issue advisory state selects this label.
• remove P1: Current review triage priority is none.
• remove clawsweeper:fix-shape-clear: Current issue advisory state no longer selects this label.
• remove clawsweeper:queueable-fix: Current issue advisory state no longer selects this label.
• remove clawsweeper:source-repro: Current issue advisory state no longer selects this label.
• remove impact:crash-loop: Current review selected no impact labels.
• remove issue-rating: 🦞 diamond lobster: Current issue advisory state no longer selects this label.

Evidence reviewed

What I checked:

• failure reason: codex execution failed.
• codex failure detail: Codex review failed for this issue with exit 1.
• codex stdout: Per-item Codex failure; continuing with the rest of the shard.

Likely related people:

• unknown: Codex failed before it could trace repository history. (role: review did not complete; confidence: low)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.