doctor: false positive cleanup hint for active gateway LaunchAgent plist

[daniel-knox]

Bug Description

openclaw doctor suggests removing the active gateway LaunchAgent plist as a "cleanup hint," even when that plist is the currently running gateway service.

Steps to Reproduce

1. Install OpenClaw on macOS with LaunchAgent-managed gateway (standard setup)
2. Run openclaw doctor
3. Observe output includes:

◇  Cleanup hints
│  - launchctl bootout gui/$UID/ai.openclaw.gateway
│  - rm ~/Library/LaunchAgents/ai.openclaw.gateway.plist

4. Following these hints kills the running gateway

Expected Behavior

Doctor should detect that ai.openclaw.gateway is the active gateway service (via launchctl list or PID check) and NOT suggest removing it. The cleanup hint should only appear for genuinely orphaned/stale plists.

Actual Behavior

Doctor always suggests removing the plist, even when it is the live service keeping the gateway running. Following the hint causes downtime until the plist is recreated and the service reloaded.

Additional Issue: SecretRef exit code

openclaw doctor also exits with code 1 when it encounters exec:keychain: SecretRef values in the config:

Error: channels.telegram.botToken: unresolved SecretRef "exec:keychain:telegram-bot:KnoxyTheSecondBot".
Resolve this command against an active gateway runtime snapshot before reading it.

This is expected behavior - keychain secrets are resolved at gateway runtime, not by the doctor CLI. Doctor should either:

• Skip SecretRef validation for exec: sources, or
• Attempt resolution and treat failure as a warning (not an error/non-zero exit)

Environment

• OpenClaw: 2026.3.13
• macOS: 26.3.1 (Apple Silicon)
• Service management: launchd (LaunchAgent)

[Hollychou924]

Analysis: doctor false positive — active LaunchAgent plist flagged as stale

This is a false positive in the doctor cleanup hint logic. The doctor command detects a LaunchAgent plist in ~/Library/LaunchAgents/ and suggests cleanup, but doesn't verify whether the plist's referenced binary/service is actually running before flagging it.

Root cause (likely)

The doctor cleanup hint for LaunchAgent plists is probably based on file existence alone — it finds the plist file at ~/Library/LaunchAgents/com.openclaw.gateway.plist (or similar) and flags it without checking:

1. Whether the LaunchAgent is actually loaded by launchd (launchctl list | grep openclaw)
2. Whether the gateway process it references is currently running
3. Whether the plist was created intentionally by the user via openclaw gateway install (the standard autostart flow)

How to verify

# Check if the LaunchAgent is actually loaded and running:
launchctl list | grep openclaw

# If this returns a PID (non-zero first field), the agent is active:
# 12345    0    com.openclaw.gateway

If launchctl list shows the agent running with a valid PID, and openclaw gateway status confirms the gateway is healthy, the doctor hint is a false positive.

Expected behavior

The doctor cleanup hint for LaunchAgent plists should only trigger when:

• The plist exists AND
• The LaunchAgent is not currently loaded by launchd (i.e., launchctl list com.openclaw.gateway returns non-zero), OR
• The plist references a binary that no longer exists at the specified path

Fix

In the doctor launchagent check, add a launchctl list <label> call before emitting the cleanup hint. If the agent is running and healthy, suppress the hint (or change it from 'cleanup' to 'info').

[cristbc]

Confirming on 2026.4.14 — sibling-service variant adds a new data point

Hit this today running openclaw doctor --fix on macOS. We're on the latest stable 2026.4.14, so the bug is alive through at least three minor releases after the original report.

Our trigger is slightly different from @daniel-knox's case, and I think it's useful as a second data point. In the original report, doctor flagged the active gateway plist itself (ai.openclaw.gateway.plist) for cleanup. In our case, doctor flagged a completely unrelated sibling LaunchAgent plist — a weekly backup runner — and the cleanup hint still named ai.openclaw.gateway. So the false-positive trigger is broader than the reported case: it's not just "doctor thinks the live gateway is stale," it's "doctor thinks any plist that invokes the openclaw binary is a gateway, and then the cleanup hint always names the canonical gateway regardless of which plist actually tripped detection."

Reproducing the sibling-plist variant

On macOS, create any non-gateway LaunchAgent whose ProgramArguments calls the openclaw binary for an unrelated purpose. Example from our system:

<!-- ~/Library/LaunchAgents/com.ccfleet.openclaw-backup.plist -->
<key>Label</key><string>com.ccfleet.openclaw-backup</string>
<key>ProgramArguments</key>
<array>
  <string>/opt/homebrew/bin/openclaw</string>
  <string>backup</string>
  <string>create</string>
  <string>--output</string>
  <string>/Users/orphu/Backups</string>
  <string>--verify</string>
</array>
<!-- StartCalendarInterval only. No KeepAlive. No Sockets. No port binding. -->

Then run openclaw doctor --fix. Doctor flags com.ccfleet.openclaw-backup.plist as "another gateway-like service" and emits a cleanup hint naming ai.openclaw.gateway. Pasting the hint literally would bootout gui/$UID/ai.openclaw.gateway and rm ~/Library/LaunchAgents/ai.openclaw.gateway.plist — i.e., take down the live gateway to "clean up" a backup plist that has nothing to do with gateways.

Two bugs, same root cause in src/daemon/inspect.ts

A local investigation turned up two independent defects. File/line numbers below are from a read against a recent build — please verify against repo HEAD.

1. detectMarker — substring match is too loose on darwin (around line 56).
The darwin scanner does a substring check for "openclaw" anywhere in a LaunchAgent plist's contents. Any plist that merely invokes the openclaw binary in ProgramArguments trips the match, even if the plist's Label is unrelated and its purpose is something other than serving as a gateway. The systemd scanner on linux uses a stricter rule requiring both "openclaw" and "gateway" tokens together — the darwin path is asymmetric, which is why this reproduces on macOS but not linux.

2. renderGatewayServiceCleanupHints — hint emits hardcoded label (around lines 29–52).
Regardless of which plist was detected, the cleanup hint always prints:

launchctl bootout gui/$UID/ai.openclaw.gateway
rm ~/Library/LaunchAgents/ai.openclaw.gateway.plist

— naming the canonical gateway label, not the Label of whatever plist actually tripped detection. In @daniel-knox's case this is confusingly self-referential. In our case it's actively dangerous.

Suggested fixes

Fix A — tighten the darwin heuristic. Either strict-match Label == ai.openclaw.gateway, or require both "openclaw" and "gateway" tokens present (mirroring the systemd path's rule).

Fix B — parameterize the cleanup hint. Emit bootout gui/$UID/${detectedLabel} and rm ${detectedPlistPath} instead of the hardcoded canonical strings. Even if a false positive slips through Fix A, the hint would at least name the real detection target.

Either fix alone prevents the most dangerous footgun (pasting a hint that kills the live gateway). Both together is the right correction.

Environment

• OpenClaw 2026.4.14
• macOS 15.x (Apple Silicon)
• Installed via npm install -g openclaw@2026.4.14
• Detected plist: ~/Library/LaunchAgents/com.ccfleet.openclaw-backup.plist (user-scope)
• Active gateway: ai.openclaw.gateway, healthy, port 18789 bound on loopback
• Linux hosts using systemd do NOT reproduce — the stricter match rule masks it there

Happy to send a PR

If maintainers confirm this tracks with the intended fix direction, I can send a PR with Fix A + Fix B plus a fixture-based regression test that installs a plist like the one above and asserts detectMarker returns false.

Related older reports covering the same bug class: #15331, #15849, #23846, #4454, #10158.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 10, 2026, 1:01 AM ET / 05:01 UTC.

Summary
Codex review failed: codex execution failed.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Include the exact command, prompt, or workflow that triggered it.
• Add expected vs actual behavior.

Next step
Review did not complete, so no work-lane recommendation was made.

Review details

Best possible solution:

Retry the Codex review after fixing the execution failure.

Do we have a high-confidence way to reproduce the issue?

Unclear. The review failed before ClawSweeper could establish a reproduction path.

Is this the best way to solve the issue?

Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction.

AGENTS.md: unclear because the file could not be read completely.

Remaining risk / open question:

• No close action taken because the review did not complete.

Codex review notes: model gpt-5.5, reasoning high; reviewed against b4cdd9211957.

Label changes

Label changes:

• add issue-rating: 🦪 silver shellfish: Current issue advisory state selects this label.
• add clawsweeper:needs-info: Current issue advisory state selects this label.
• remove P2: Current review triage priority is none.
• remove clawsweeper:no-new-fix-pr: Current issue advisory state no longer selects this label.
• remove clawsweeper:fix-shape-clear: Current issue advisory state no longer selects this label.
• remove clawsweeper:needs-maintainer-review: Current issue advisory state no longer selects this label.
• remove clawsweeper:needs-product-decision: Current issue advisory state no longer selects this label.
• remove clawsweeper:source-repro: Current issue advisory state no longer selects this label.
• remove clawsweeper:linked-pr-open: Current issue advisory state no longer selects this label.
• remove impact:auth-provider: Current review selected no impact labels.
• remove impact:crash-loop: Current review selected no impact labels.
• remove issue-rating: 🦞 diamond lobster: Current issue advisory state no longer selects this label.

Evidence reviewed

What I checked:

• failure reason: codex execution failed.
• codex failure detail: Codex review failed for this issue with exit 1.
• codex stdout: Per-item Codex failure; continuing with the rest of the shard.

Likely related people:

• unknown: Codex failed before it could trace repository history. (role: review did not complete; confidence: low)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.