[Bug]: openclaw backup create --verify fails with duplicate entry path when workspace contains symlinks

[MilongWong]

Bug type

Behavior bug

Summary

openclaw backup create --verify fails with Error: Archive contains duplicate entry path when the workspace directory contains symbolic links pointing to paths already included in the backup.

Steps to reproduce

1. Create a symlink inside the workspace: ln -s /some/path ~/.openclaw/workspace/linkname
2. Run openclaw backup create --verify
3. Observe error

Expected behavior

Backup should handle symlinks correctly (either dereference or exclude duplicate paths), and --verify should pass.

Actual behavior

tar archives both the symlink target and its canonical path, producing duplicate entries. Verify fails with:

Error: Archive contains duplicate entry path: 2026-03-30T05-34-18.705Z-openclaw-backup/payload/posix/home/openclaw/.openclaw/workspace

OpenClaw version

2026.3.28 (f9b1079)

Operating system

Ubuntu 24.04 on WSL2 (Windows 11)

Install method

npm global

Model

zai/glm-5

Provider / routing chain

openclaw -> zai

Logs, screenshots, and evidence

$ openclaw backup create --verify

🦞 OpenClaw 2026.3.28 (f9b1079)

Error: Archive contains duplicate entry path: 2026-03-30T05-34-18.705Z-openclaw-backup/payload/posix/home/openclaw/.openclaw/workspace

Symlink in question:

$ ls -la ~/.openclaw/workspace/screenshots/xiaolong
lrwxrwxrwx 1 openclaw openclaw 64 Mar 24 17:39 /home/openclaw/.openclaw/workspace/screenshots/xiaolong -> /home/openclaw/projects/xiaolong-data-collector/data/screenshots

Impact and severity

• Affected: All users with symlinks inside ~/.openclaw/workspace/
• Severity: Medium — blocks --verify, making automated L2 backups unusable in cron
• Frequency: Always reproducible when workspace contains symlinks
• Workaround: Remove symlinks from workspace, or skip --verify

Additional information

Related issues: #54242 (hardlink target in backup), #44361 (Windows tar path mismatch)

[steipete]

Closing this as implemented after Codex review.

Current main already canonicalizes and de-duplicates backup sources before archive creation, includes a regression test for symlinked workspaces not duplicating state, and the same implementation is present in released tag v2026.4.23.

What I checked:

• Backup planning de-duplicates canonical paths: resolveBackupPlanFromPaths() resolves each candidate through canonicalizeExistingPath(), drops repeated canonicalPath values, and marks paths already covered by an included asset as covered before building archive entries. (src/commands/backup-shared.ts:160, c65aa1d2a6e5)
• Regression test covers symlinked workspace/state overlap: The test orders coverage checks by canonical path so symlinked workspaces do not duplicate state creates a symlinked workspace path and asserts the workspace is skipped as covered by the state backup. (src/commands/backup.test.ts:121, c65aa1d2a6e5)
• Docs describe canonicalized, non-duplicated workspace sources: The backup CLI docs state that config, credentials, or a workspace already inside the state directory are canonicalized and not duplicated as separate top-level backup sources. Public docs: docs/cli/backup.md. (docs/cli/backup.md:49, c65aa1d2a6e5)
• Verifier still intentionally rejects duplicate archive paths: backupVerifyCommand() still throws Archive contains duplicate entry path when the tarball actually contains duplicates, so the intended fix is preventing duplicate source inclusion during planning/archive creation. (src/commands/backup-verify.ts:295, c65aa1d2a6e5)
• Released tag contains the same fix and regression test: The released tag v2026.4.23 contains the same canonical-path de-duplication logic in src/commands/backup-shared.ts and the same symlinked-workspace regression test in src/commands/backup.test.ts. (src/commands/backup-shared.ts:160, 899e927dab9e)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against c65aa1d2a6e5; fix evidence: release v2026.4.23, commit 899e927dab9e.