[Bug] Upgrade: entry.js hardcode + non-atomic service restart + TOKEN plist pollution

[octaviojuli]

Problem Summary

Three structural issues in the upgrade/service lifecycle that cause recurring failures on Homebrew + LaunchAgent installs.

---

Issue 1: update-cli still hardcodes dist/entry.js while doctor expects dist/index.js

File: dist/update-cli-*.js (found in 2026.4.12 at dist/update-cli-C4j9u3np.js)

Lines ~820 and ~1055 both hardcode:

const entryPath = path.join(verifiedPackageRoot, "dist", "entry.js");

However, openclaw doctor warns:

Gateway service entrypoint does not match the current install.
(/opt/homebrew/lib/node_modules/openclaw/dist/entry.js -> /opt/homebrew/lib/node_modules/openclaw/dist/index.js)

The update pipeline and the service audit are not using the same single source of truth for the gateway entrypoint. This causes doctor to report mismatches after every upgrade, and can cause service startup failures when launchd reloads a plist pointing to a stale entry.

---

Issue 2: Service restart is non-atomic —“先拆旧，再装新”

Upgrade sequence in dist/update-cli-*.js (~lines 977-996):

1. Upgrade succeeds (npm/pnpm install new version)
2. SIGTERM sent to old gateway → process shuts down
3. refreshGatewayServiceEnv() / runRestartScript() / runDaemonRestart() attempt to reload LaunchAgent

If step 3 fails or races, the system is left in a half-broken state:

• Old gateway is already killed
• LaunchAgent is not restored to loaded/running
• User sees "gateway unreachable" with no automatic recovery

There is no transaction-style rollback or "confirm new service is healthy before killing old one" logic.

---

Issue 3: LaunchAgent generator re-embeds OPENCLAW_GATEWAY_TOKEN into plist, conflicting with doctor audit

After manually removing OPENCLAW_GATEWAY_TOKEN from ~/Library/LaunchAgents/ai.openclaw.gateway.plist, running any official install/refresh command (openclaw gateway install, openclaw update, etc.) writes it back into the plist.

openclaw doctor then reports:

Gateway service embeds OPENCLAW_GATEWAY_TOKEN and should be reinstalled.

The installer writes it, the auditor flags it — directly contradictory. Every service regeneration pollutes the plist again.

---

Environment

• macOS Darwin arm64
• Homebrew install (/opt/homebrew)
• LaunchAgent managed gateway
• OpenClaw 2026.4.12 (also present in 2026.4.11 and earlier)
• Node.js 22.22.0 via Homebrew

---

Suggested Fixes

1. entry.js → index.js: Consolidate all update/doctor/install code paths to use dist/index.js as the single canonical entrypoint. Remove the entry.js hardcode entirely.

2. Atomic service restart: Implement a "start new before killing old" strategy, or add a rollback mechanism if the LaunchAgent reload fails. Add a health-check probe after restart before declaring success.

3. TOKEN injection alignment: Decide whether tokens should live in the plist env or the config file — then make the installer and auditor consistent. Doctor's "should be reinstalled" message should reflect the actual installer behavior, not an idealized state.

[jazzyalex]

Experienced this today (2026.4.14). Gateway stopped working after ~7 days offline.

Root cause: OpenClaw auto-updated at some point, regenerated the auth token in openclaw.json, but the LaunchAgent plist still had the old embedded OPENCLAW_GATEWAY_TOKEN. Running `openclaw gateway install --force` fixed it.

Symptoms:

• Gateway service installed but not running
• `openclaw health` failed with "gateway timeout after 10000ms"
• `openclaw gateway status` showed "RPC probe: failed"
• doctor output: "Gateway service OPENCLAW_GATEWAY_TOKEN does not match gateway.auth.token in openclaw.json (service token is stale)"

The non-atomic restart ("先拆旧，再装新") is especially dangerous because if step 3 (reload LaunchAgent) fails, the user is left with no gateway and no automatic recovery.

Would appreciate either:

1. A fix similar to Systemd: keep managed env in drop-in so upgrades preserve user directives #66295 (drop-in mechanism) for macOS launchd, OR
2. At minimum, automatic re-installation of the LaunchAgent after updates to avoid the token drift

OS: macOS 15.x, npm global install

[clawsweeper]

Closing this as implemented after Codex automated review.

Current main already resolves the reported upgrade/service lifecycle failures: gateway service install/update entrypoints use an index-first resolver, update refreshes the installed service before restarting it, macOS launchd restart has bootstrap recovery and health diagnostics, and gateway install no longer embeds generated gateway tokens into service environment metadata.

Best possible solution:

Close #66038 as implemented. Keep the shipped index-first service entrypoint resolver, pre-restart gateway install refresh, launchd bootstrap recovery, and non-embedded token install model; use #69066 only for broader future service-identity design.

What I checked:

• Entrypoint resolver prefers dist/index.js: Shared gateway entrypoint candidate order is index.js, index.mjs, then legacy entry files; update service refresh calls this resolver instead of hardcoding dist/entry.js for the service reinstall path. (src/daemon/gateway-entrypoint.ts:4, d74f897c1c6b)
• Update refreshes service before restart: When a gateway service is loaded, update prepares a restart helper and marks service env refresh; the restart flow runs refreshGatewayServiceEnv(), which invokes gateway install --force from the updated install before starting the restart. (src/cli/update-cli/update-command.ts:761, d74f897c1c6b)
• macOS restart no longer relies on bootout-only flow: LaunchAgent restart clears disabled state, uses kickstart, and if the service is not loaded rewrites the plist, bootstraps it, then retries kickstart; update helper scripts also log launchctl failures and bootstrap fallback. (src/daemon/launchd.ts:690, d74f897c1c6b)
• Post-restart health checks and retry path: runDaemonRestart waits for gateway health after restart, cleans stale gateway listeners, retries service.restart when needed, and fails with status/doctor hints if health never comes back. (src/cli/daemon-cli/lifecycle.ts:211, d74f897c1c6b)
• Generated token is persisted to config, not service env: Gateway install resolves or auto-generates the token, builds the service plan without passing a token parameter, and regression coverage verifies auto-minted tokens are saved to config while OPENCLAW_GATEWAY_TOKEN is absent from the installed service environment. (src/cli/daemon-cli/install.integration.test.ts:110, d74f897c1c6b)
• Release evidence: The latest release tag includes macOS Gateway restart fallback fixes preventing config-triggered restarts from leaving the LaunchAgent unloaded and re-registering stale plists during restart fallback. (CHANGELOG.md:495, cbcfdf62c729)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against d74f897c1c6b; fix evidence: release v2026.4.24, commit cbcfdf62c729.