WhatsApp: false-positive 'restored corrupted creds.json from backup' on every startup/reconnect

[cpicoto]

Summary

On every gateway startup and WhatsApp reconnect, the log emits:

[WARN] [web-session] restored corrupted WhatsApp creds.json from backup

However, creds.json and creds.json.bak are byte-identical — there is no actual corruption. The detection logic in auth-store-*.js (maybeRestoreCredsFromBackup) appears to have a false-positive condition.

Observed Behavior

• Every single WhatsApp connection (fresh start or reconnect after status 499) triggers this warning
• diff creds.json creds.json.bak shows zero differences
• creds.json is valid JSON with all expected fields
• WhatsApp connects successfully after the "restore" — it is functionally harmless
• When combined with the reconnect loop (see below), this generates hundreds of false warnings in the error log

Environment

• OpenClaw: 2026.4.2
• OS: macOS 25.3.0 (ARM64, Mac mini M1)
• Node: v25.6.1
• WhatsApp account type: Personal (linked device)

Expected Behavior

The corruption check should compare actual file content/validity rather than triggering unconditionally on startup. If the file is valid JSON with the expected schema, no warning should be emitted.

Log evidence

2026-04-02T20:41:10.186-07:00 [WARN] [web-session] restored corrupted WhatsApp creds.json from backup
2026-04-02T20:42:14.402-07:00 [WARN] [web-session] restored corrupted WhatsApp creds.json from backup
2026-04-02T20:43:18.013-07:00 [WARN] [web-session] restored corrupted WhatsApp creds.json from backup
...repeats every ~60 seconds during reconnect loop

Related

This is amplified by the reconnect storm issue (filed separately).

[zhuzhushiwojia]

我来认领这个 Bounty！

USDT TRC20: TMLkvEDrjvHEUbWYU1jfqyUKmbLNZkx6T1

预计完成时间：2小时内提交 PR

[nachtsheim]

Seeing the exact same false-positive on Windows 11 (OpenClaw 2026.4.2, Node v24.13.0). Confirmed via Get-FileHash:

creds.json     : 758E7342F56737C21FC418D696EABD5DC7DA9E12828D2C71E83F4BD4FE80BFDF
creds.json.bak : 758E7342F56737C21FC418D696EABD5DC7DA9E12828D2C71E83F4BD4FE80BFDF

Byte-identical — the file is never actually corrupted.

In our log the loop is driven by status 408 (Request Time-out) rather than 499, but the pattern is identical: every reconnect lands in maybeRestoreCredsFromBackup and emits the warn + stale-copy. Over several hours it fires every ~30 min, hundreds of times.

Root cause (confirmed by reading the bundled auth-store-*.js): readCredsJsonRaw() returns null for both "missing" and "size ≤ 1" (the transient 0-byte window while Baileys' async saveCreds truncates before writing). When a reconnect races that window, the function restores from .bak and overwrites the fresh creds with a stale copy.

Related: #58480 has the best root-cause writeup with a concrete atomic-write fix. PR #60650 attempted a statSync-based guard but was closed without merge — would be great to get an atomic writeFile → rename path landed, since this also silently discards any key rotation Baileys writes during the session.

Workaround: openclaw channels login --channel whatsapp --verbose forces a clean relink without QR rescan (creds are still valid).

[steipete]

Closing this as implemented after Codex review.

Current main has already addressed the reported WhatsApp creds.json false-positive by atomically writing queued creds updates and gating auth reads/repair behind the queued-save barrier; the changelog shows this shipped in v2026.4.10.

What I checked:

• Current bootstrap no longer blindly repairs during the transient save window: createWaSocket() now waits for waitForCredsSaveQueueWithTimeout(authDir) before deciding whether to repair from backup. If the queue is still flushing, it logs a timeout warning and skips repair; only a drained queue can reach restoreCredsFromBackupIfNeeded(authDir). (extensions/whatsapp/src/session.ts:121, 6bc0dc8fb671)
• Queued creds writes are now atomic: writeCredsJsonAtomically() writes to a same-directory temp file, fsyncs it, renames it into place, and fsyncs the directory. That removes the truncate-then-rewrite window described in the issue discussion. (extensions/whatsapp/src/creds-persistence.ts:32, 6bc0dc8fb671)
• Auth state now exposes the unstable case instead of restoring on a timed-out read: readWebAuthState() and readWebAuthSnapshot() treat a timed-out creds-save barrier as unstable, and the tests assert that behavior. The setup-surface test shows the user-facing status line as auth stabilizing rather than a corruption restore. (extensions/whatsapp/src/auth-store.test.ts:98, 6bc0dc8fb671)
• Regression coverage for the atomic write path exists on main: session.test.ts explicitly verifies that creds.json is written via temp file plus rename and that a failed rename preserves the previous valid creds file. (extensions/whatsapp/src/session.test.ts:436, 6bc0dc8fb671)
• Release evidence: The changelog entry under ## 2026.4.10 says: WhatsApp/web: rewrite queued creds.json updates atomically so interrupted saves do not leave truncated login state behind. (#63577) That matches the issue's reported false-positive/stale-restore failure mode. (CHANGELOG.md:895, 6bc0dc8fb671)
• Issue discussion aligns with the shipped fix: The April 6 comment from nachtsheim identified the transient 0-byte creds.json window and linked related work (WhatsApp creds.json corrupted on every reconnect — race between async save and sync restore #58480 and closed PR fix(whatsapp): skip false-positive creds.json corruption restore #60650). Current main addresses that same root cause with queued-save waiting and atomic writes, so the discussion materially supports closing as already implemented.

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 6bc0dc8fb671; fix evidence: release v2026.4.10.