Bug: macOS gateway install --force resolves SecretRef values into plaintext LaunchAgent plist and triggers token mismatch loop

[beto-sudo]

Summary

openclaw gateway install --force resolves every SecretRef in openclaw.json and writes the resolved values as plaintext into the macOS LaunchAgent plist (~/Library/LaunchAgents/ai.openclaw.gateway.plist).

This defeats the purpose of moving secrets out of openclaw.json and into ~/.openclaw/.env using ${ENV:...} references.

It also appears to cause a confusing warning loop where openclaw doctor --fix and openclaw gateway restart report:

Config token differs from service token. Run openclaw gateway install --force to sync the token

…but running install --force just re-embeds the resolved values into the plist again.

Why this is a problem

• Secrets that were intentionally externalized to ~/.openclaw/.env are copied back into a persistent service definition as plaintext.
• This undermines the security/privacy model of SecretRef usage in openclaw.json.
• It creates a circular remediation path:
  • OpenClaw warns that the service token differs from the config token.
  • The suggested fix is openclaw gateway install --force.
  • That command hardcodes the resolved secret values into the LaunchAgent plist.
  • The warning can still persist even though the gateway itself is healthy.

In practice, the gateway continues to work (RPC probe: ok), so the mismatch warning appears functionally cosmetic but still sends the user into an infinite loop of “fix” steps.

Steps to reproduce

1. Move secrets from openclaw.json into ~/.openclaw/.env.
2. Use SecretRef / env references in openclaw.json, e.g.:

{
  "gateway": {
    "token": "${ENV:OPENCLAW_GATEWAY_TOKEN}"
  }
}

3. Run:

openclaw gateway install --force

4. Inspect the LaunchAgent plist:

plutil -p ~/Library/LaunchAgents/ai.openclaw.gateway.plist

5. Observe that all resolved secrets (for example OPENCLAW_GATEWAY_TOKEN, ANTHROPIC_API_KEY, TELEGRAM_BOT_TOKEN, etc.) appear as plaintext values in the plist.
6. Run:

openclaw gateway restart

7. Observe the warning:

Config token differs from service token. Run openclaw gateway install --force to sync the token

8. Repeat install --force and/or doctor --fix; the warning can continue indefinitely.

Expected behavior

One of these should happen instead:

1. openclaw gateway install should preserve SecretRef indirection and configure the LaunchAgent to load environment values at runtime, rather than serializing the resolved values into the plist.
2. The LaunchAgent should reference ~/.openclaw/.env (or another env source) so secrets remain external to the plist.
3. The “config token differs from service token” check should compare effective/resolved values correctly and avoid warning when the runtime values already match.

Actual behavior

• SecretRef values are resolved during gateway install --force.
• The resolved values are embedded into ~/Library/LaunchAgents/ai.openclaw.gateway.plist as plaintext.
• Subsequent restart/doctor flows can warn that the config token differs from the service token even though the gateway is functioning normally.

Environment

• OpenClaw: 2026.3.23 (ccfeecb)
• macOS: 26.3.1 (arm64)
• Node: 25.5.0
• Gateway service type: LaunchAgent

Suggested direction

This feels like both a security bug and a service-install/runtime parity bug.

A robust fix would likely be:

• keep secrets in .env / external secret sources,
• have the LaunchAgent load them at runtime,
• and make the token consistency check compare effective values rather than the serialized plist representation.

Happy to provide sanitized examples of the generated plist if helpful.

[SudheerDev-AIML]

Hi
I'd like to work on this. Will investigate the gateway install --force plist generation and SecretRef resolution logic and submit a fix.

[dgaedcke]

Confirming this on 2026.3.23-2 (arm64, macOS, Node 25.8.1).

Additional observation: openclaw update re-embeds the token into the plist every time it runs (as part of its post-update service restart step), so the token mismatch loop re-triggers on every update cycle — not just on manual install --force. This makes the bug worse in practice, since users who keep OpenClaw up to date hit it repeatedly.

Workaround in use: Running openclaw gateway install --force once after each update clears the stale plist and the gateway comes up healthy (RPC probe: ok, no port conflict). We've scheduled a daily cron to do this automatically until a proper fix lands.

The cosmetic warning persists even after the workaround, but the gateway functions correctly.

[joshavant]

Thanks @beto-sudo for reporting this and documenting the failure mode.

Part of this is now addressed by #58141 (merged): the restart/doctor drift-loop symptom caused by SecretRef drift-check resolution behavior is fixed.

What is still open: the gateway install --force path concern about plaintext projection into LaunchAgent plist is not addressed by #58141.

Keeping this issue open for the remaining install-path work.

[scbailey-build]

Additional reproducer vector and a value-drift symptom, on 2026.4.9 / macOS 15 / Node 25.6.1 (Homebrew):

npm install -g openclaw@latest also triggers the plist rewrite

The plist rewrite isn't limited to openclaw gateway install --force or openclaw update. A bare npm install -g openclaw@latest also clobbers ~/Library/LaunchAgents/ai.openclaw.gateway.plist with resolved plaintext values in EnvironmentVariables. The postinstall hook (or whatever invokes the service-registration routine) appears to run the same install projection.

This is how I hit it: my Node binary got orphaned during a prior upgrade, the global openclaw package directory was gutted, LaunchAgent crash-looped for ~29 hours with MODULE_NOT_FOUND. I ran npm install -g openclaw@latest to recover — the reinstall succeeded, gateway came back healthy, but the plist was rewritten: my previously-configured FILE:~/.openclaw/secrets.json:KEY refs were replaced with resolved plaintext values.

The FILE:… SecretRef format is also affected

The existing issue body shows the ${ENV:…} form. My plist originally used the file-source form instead:

<key>NOTION_API_KEY</key>
<string>FILE:~/.openclaw/secrets.json:NOTION_API_KEY</string>

After npm install -g openclaw@latest ran, all of those were replaced with the resolved string values. So the install projection appears to flatten both SecretRef shapes, not just ${ENV:…}.

Value drift on resolve — a separate data-integrity symptom

The install also appears to snapshot from a stale source. My post-install plist has INSTANTLY_API_KEY ending in ...sBwdavVfqxvp, but ~/.openclaw/secrets.json currently has the key ending in ...leiHBygQTdd (both values rotated months ago in my case). Same for gateway.auth.token: plist 02dfa5… vs secrets.json 022329…. So the install isn't just regressing to plaintext — it's regressing to a historical snapshot of plaintext that doesn't match the current secrets source. This makes naive "just re-run secrets configure" remediation unsafe, because the values the user is reconciling against aren't the ones currently in effect at launchd.

openclaw secrets audit --json confirms 9 plaintext findings in openclaw.json and 6 legacy-residue findings after the reinstall, all newly introduced by the install projection.

Suggested test case for whoever takes the install-path fix

In addition to the ${ENV:…} case in the reproducer above, please also cover:

1. FILE:<path>:<key> format preservation on install/reinstall.
2. Structured JSON SecretRef objects ({"source":"file","provider":"filemain","id":"/…"}) in nested plist-bound keys.
3. npm install -g openclaw (not just gateway install --force / openclaw update) as a repro path.
4. An assertion that resolved values at launchd time match the live secrets source — i.e. no stale snapshots.

Happy to test a candidate fix on my setup if useful.

[clawsweeper]

Thanks for the context here. I did a careful shell check against current main, and this is already implemented.

Current main implements the remaining macOS LaunchAgent plist projection fix: service environment values are loaded through an owner-only state-dir env file wrapper instead of being serialized into the LaunchAgent plist, service audit/doctor understands file-sourced values, and update/npm refresh paths use the same service install repair flow.

Best possible solution:

Close this as implemented on main. Keep the owner-only launchd env-file wrapper plus doctor repair behavior, and track any broader service-identity or zero-plaintext-at-rest redesign in focused follow-up discussions rather than keeping this plist-specific umbrella open.

What I checked:

• LaunchAgent install writes env outside plist: installLaunchAgent prepares service env through a generated wrapper/env-file pair, passes only prepared.inlineEnvironment to the plist renderer, and the normal prepared path leaves inline plist environment undefined. (src/daemon/launchd.ts:661, db40ec404a91)
• Owner-only env file implementation: LaunchAgent service env entries are sorted, written to service-env/<label>.env, chmodded 0600, and executed via a generated wrapper chmodded 0700 in a private 0700 directory. (src/daemon/launchd.ts:131, db40ec404a91)
• Regression test for no plist secret: The launchd test asserts the generated plist does not contain EnvironmentVariables or the secret value, while the env file contains the env exports and has owner-only permissions. (src/daemon/launchd.test.ts:478, db40ec404a91)
• Durable .env/config values are tracked, not embedded: The install-plan builder reads durable .env and config service env values, records managed keys, deletes their literal values from the service environment, then applies generated service env; tests cover .env and config keys being tracked without literal embedding. (src/commands/daemon-install-helpers.ts:212, db40ec404a91)
• Audit no longer treats file-sourced token as embedded: LaunchAgent command parsing merges wrapper env-file values with source metadata, and service audit ignores OPENCLAW_GATEWAY_TOKEN when its source is file-only; tests cover env-file-backed tokens and managed env repair signals. (src/daemon/service-audit.ts:374, db40ec404a91)
• Update path refreshes service env: The updater refreshes managed gateway service metadata via gateway install --force after package update, and package-manager update verification runs doctor --non-interactive --fix with update mode set. (src/cli/update-cli/update-command.ts:364, db40ec404a91)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Codex review notes: model gpt-5.5, reasoning high; reviewed against db40ec404a91; fix evidence: release 2026.4.27, commit db40ec404a91.

[steipete]

Partial fix landed on main in 67f1266.

The LaunchAgent plaintext projection path for durable state-dir .env / config service env values is fixed: install now marker-tracks durable runtime-managed keys and removes their inline values from service metadata, and doctor repairs older inline copies. This covers the OPENCLAW_GATEWAY_TOKEN / env-managed stale plist drift class called out here.

Keeping this issue open because the report also asks about broader SecretRef forms and install/update vectors beyond durable .env/config service env projection, plus the issue discussion mentions FILE/structured refs and other non-token secrets. Those should get separate proof before closing the whole report.

Proof for the landed part:

• src/commands/daemon-install-helpers.test.ts covers durable env keys being omitted from service metadata.
• src/daemon/service-audit.test.ts and src/commands/doctor-gateway-services.test.ts cover legacy inline managed env detection/repair.
• Blacksmith focused tests, OPENCLAW_TESTBOX=1 pnpm check:changed, and Docker pnpm test:docker:doctor-switch passed.