Auto-update is not atomic: config/plugin version mismatch causes repeated crash loops

[allanjeng]

Summary

Auto-update consistently causes gateway crash loops because it is not atomic — config or plugin manifests get updated to require a newer version while the binary remains at the old version (or vice versa). This has caused 3 separate overnight outages in 6 days on our setup.

Environment

• macOS 15.x (arm64, Mac mini)
• Node: v22.22.0
• OpenClaw: experienced across v2026.3.13 → v2026.3.23-2 → v2026.3.24 → v2026.3.28
• LaunchAgent plist with KeepAlive: true

Crash Pattern

Every auto-update follows the same failure mode:

1. Auto-update triggers during stableDelayHours window
2. npm i -g openclaw@latest runs, updates packages
3. Gateway receives SIGTERM for restart
4. On restart, version mismatch between config/plugins and binary
5. Gateway fails to start → crash loop → launchd eventually SIGKILL with reason "inefficient"
6. Manual openclaw update required to recover

Incident 1 (Mar 25): Entrypoint change

• v2026.3.13 → v2026.3.23-2
• New version changed entrypoint from dist/index.js → dist/entry.js
• LaunchAgent plist not updated by auto-update
• Gateway crash-looped ~10 hours overnight

Incident 2 (Mar 26): Same entrypoint issue

• v2026.3.23-2 → v2026.3.24
• Same plist/entrypoint mismatch
• openclaw doctor flagged it but nobody was around to act

Incident 3 (Mar 31): Plugin version requirements

• v2026.3.24 → v2026.3.28
• Auto-update wrote config compatible with v2026.3.28
• Binary stayed at v2026.3.24
• Every plugin (including discord, imessage) refused to load:

  plugins.entries.discord: plugin requires OpenClaw >=2026.3.28, but this host is 2026.3.24; skipping load
  

  (19 plugins failed with same error)
• Gateway could not start at all

Root Cause

Auto-update is not atomic. It can update:

• npm packages (including plugin manifests with new version requirements)
• Config file (via doctor/migration)
• But NOT the plist entrypoint
• And sometimes partially updates, leaving binary at old version while config/plugins expect new version

Expected Behavior

Auto-update should either:

1. Be fully atomic — update binary, config, plist, and plugins in one transaction, or roll back on failure
2. Run openclaw doctor --fix as part of the update before restarting
3. Validate config against the current binary version before applying config changes
4. Not modify config to require a version that is not yet running

Workaround

openclaw update (manual) works correctly every time. Only auto-update fails.

Related Issues

• Bug: Updates cause crash loop - openclaw doctor --fix not auto-run #25595 — Same root cause (config becomes invalid after update, doctor --fix not auto-run)
• Gateway silently dies after auto-update: launchd removes service due to rapid restart cycle #54861 — launchd kills service due to rapid restart cycle after auto-update

All three issues stem from the same fundamental problem: auto-update is not atomic and has no rollback mechanism.

[nikilster]

same thing happening to me

[steipete]

Closing this as implemented after Codex review.

Current main routes gateway auto-update through the same openclaw update flow as manual updates, respawns post-core plugin work into the updated install, and refreshes/restarts managed services from the updated entrypoint. The changelog shows the relevant plugin-refresh fix in 2026.4.12 and the service-entrypoint fix in 2026.4.14, so the issue is implemented on shipped releases.

What I checked:

• Auto-updater reuses manual update path: The startup auto-update code shells into update --yes --channel ... --json, and the CLI docs explicitly say the gateway auto-updater reuses the same update path. (src/infra/update-startup.ts:232, 90877e0d4274)
• Post-core plugin sync now runs from the updated install: updateCommand respawns post-core work into the updated dist/entry.js before plugin sync, instead of continuing plugin refresh in the pre-update process. Tests cover the respawn and fail-closed behavior. (src/cli/update-cli/update-command.ts:895, 90877e0d4274)
• Updater refreshes daemon install from updated entrypoint: After update, the CLI resolves the updated install entrypoint and runs gateway install --force from that root before restart, which addresses stale LaunchAgent/service command drift. (src/cli/update-cli/update-command.ts:256, 90877e0d4274)
• Restart path hardens launchd handoff/bootstrap: The macOS restart helper now uses a detached script that logs failures, re-enables disabled services, bootstraps the plist if needed, and then kickstarts launchd. Tests cover the bootstrap fallback and preserved failure status. (src/cli/update-cli/restart-helper.ts:98, 90877e0d4274)
• Shipped release evidence: The changelog records the plugin-refresh respawn fix in 2026.4.12 and the canonical service-entrypoint fix in 2026.4.14, making v2026.4.14 the first release that contains both parts relevant to this report. (CHANGELOG.md:672, 90877e0d4274)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 90877e0d4274; fix evidence: release v2026.4.14.