`gateway probe`: false positive "multiple reachable gateways" when SSH tunnel + `remote.url` hit the same gateway

[sk8man121]

Summary

openclaw gateway probe reports "Unconventional setup: multiple reachable gateways detected" when there is a single logical gateway but two successful probe transports (SSH tunnel + direct WebSocket URL to the same host).

Symptom

• With gateway.mode=remote, gateway.remote.sshTarget set (SSH tunnel succeeds), and gateway.remote.url pointing at the same logical gateway over a direct path (e.g. ws://chromebox:18789), the probe succeeds for both targets but emits a multiple gateways warning.
• Both probe targets succeed; behavior matches one gateway, two transports, not two distinct gateways.

Context

buildGatewayStatusWarnings treats reachable.length > 1 as multiple gateways. When an SSH tunnel target is in play, the probe includes both the tunnel URL and the configured gateway.remote.url, so two successes can mean redundant paths to one identity—not two separate gateway instances.

Relevant upstream sources (current main):

• src/commands/gateway-status/probe-run.ts — runGatewayStatusProbePass builds targets as tunnel first, then baseTargets filtered only by matching URL (same gateway, different URL is not deduped).
• src/commands/gateway-status/output.ts — buildGatewayStatusWarnings → multiple_gateways when reachable.length > 1 with no identity check.
• src/commands/gateway-status/helpers.ts — resolveTargets.

Environment

• OpenClaw: 2026.4.15 (Homebrew); bundled gateway-status-B2JeYHAg.js contains the same logic (e.g. line ~408 for targets construction).
• Client: macOS (thin client)
• Gateway: Linux (remote)

Expected behavior

Either:

• No warning when all reachable targets resolve to the same gateway identity (self / presence from pickGatewaySelfPresence), or
• A clearer warning that distinguishes "same gateway, multiple transports" from "multiple distinct gateways".

Actual behavior

A misleading multiple_gateways warning despite a single logical gateway.

Possible fixes

1. Dedupe by gateway identity — Before emitting multiple_gateways, collapse reachable entries that share the same non-null identity key (e.g. normalized host + ip from pickGatewaySelfPresence). Only warn when ≥ 2 distinct identities (define policy for probes with self == null).
2. Skip redundant configRemote when tunnel is active — Narrower change; tradeoff: loses automatic direct-path check unless probe --url or explicit second target is used.
3. Improve warning copy — If reachable.length > 1 but identities match, downgrade to an informational line instead of "multiple gateways."

Repro steps

1. On the client, configure remote mode with both SSH tunnel target and direct URL to the same gateway (placeholders only):

{
  "gateway": {
    "mode": "remote",
    "remote": {
      "sshTarget": "user@gateway-host",
      "url": "ws://gateway-host:18789",
      "token": "${OPENCLAW_GATEWAY_TOKEN}"
    }
  }
}

2. Ensure SSH resolves (e.g. ~/.ssh/config Host entry) and the direct ws:// URL is reachable on the LAN.
3. Run: openclaw gateway probe
4. Observe two successful targets (e.g. Remote over SSH ws://127.0.0.1:18789 and Remote (configured) ws://gateway-host:18789) plus the multiple-gateways warning.

Tests

Existing: src/commands/gateway-status/helpers.test.ts. Consider adding output.test.ts (or extending an existing suite) for buildGatewayStatusWarnings / multiple_gateways when two probes share identity.

Docs

Warning currently references: Gateway — multiple gateways same host

Suggested labels

bug, cli, gateway

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 4, 2026, 1:10 AM ET / 05:10 UTC.

Summary
Keep open. Current main and the latest release still warn on raw reachable probe target count, while the linked open fix PR specifically owns the identity-dedupe behavior and has not merged.

Reproducibility: yes. at source level: current main can probe both the SSH tunnel target and the configured remote URL, then warns on raw reachable target count when both connect. I did not run a live SSH tunnel repro in this read-only review.

Next step
A linked open PR already owns this fix, so ClawSweeper should not queue a competing repair branch.

Review details

Best possible solution:

Review and land, revise, or close #85791; after that PR merges, this issue can close as implemented.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: current main can probe both the SSH tunnel target and the configured remote URL, then warns on raw reachable target count when both connect. I did not run a live SSH tunnel repro in this read-only review.

Is this the best way to solve the issue?

Yes, the linked PR is the best current fix path because it changes the warning decision at the output boundary and adds regression coverage for same-identity transports while preserving warnings for unknown or distinct identities.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• No live SSH/direct dual-transport probe was run during this read-only sweep; the keep-open decision rests on source-level reproduction and the active linked PR path.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ce1ef04efe12.

Label changes

Label changes:

• remove clawsweeper:no-new-fix-pr: Current issue advisory state no longer selects this label.
• remove clawsweeper:linked-pr-open: Current issue advisory state no longer selects this label.

Label justifications:

• P2: This is a normal-priority gateway CLI diagnostic bug with limited blast radius and an active fix path.
• impact:other: The issue affects operator-facing gateway probe diagnostics, which is meaningful but does not fit the more specific impact labels.

Evidence reviewed

What I checked:

• Current-main warning behavior: buildGatewayStatusWarnings still emits multiple_gateways whenever more than one probed target is reachable, with no gateway identity comparison. (src/commands/gateway-status/output.ts:90, ce1ef04efe12)
• Current-main dual target path: When an SSH tunnel starts, runGatewayStatusProbePass prepends the tunnel target and only filters base targets by exact URL, so a tunnel URL plus configured remote URL can both be probed. (src/commands/gateway-status/probe-run.ts:116, ce1ef04efe12)
• Latest release still has the same warning condition: The latest release tag v2026.6.1 still contains the raw reachable.length > 1 warning logic and the same tunnel-plus-base-target URL filter. (src/commands/gateway-status/output.ts:90, 2e08f0f4221f)
• Docs describe the current warning as target-count based: The current CLI docs describe multiple_gateways as more than one reachable target, which matches the source behavior and not the requested identity-aware behavior. Public docs: docs/cli/gateway.md. (docs/cli/gateway.md:380, ce1ef04efe12)
• Linked PR owns the fix path: The provided GitHub context reports fix(gateway): dedupe probe warnings by gateway identity #85791 is open and unmerged; its local merge-ref object adds identity-aware warning logic plus output tests for SSH tunnel and configured remote sharing one self identity. (src/commands/gateway-status/output.ts:24, f662434b8400)
• History provenance: The gateway-status warning/probe split appears to date to the gateway discovery target refactor, which created output.ts and probe-run.ts; later gateway probe hardening also touched this output surface. (src/commands/gateway-status/output.ts:90, fe5819887b57)

Likely related people:

• Peter Steinberger: The gateway discovery target refactor created the split gateway-status output/probe-run modules and introduced the raw multiple-reachable-target warning path; later gateway probe hardening also touched this output area. (role: introduced behavior and recent area contributor; confidence: high; commits: fe5819887b57, baf4119ae374; files: src/commands/gateway-status/output.ts, src/commands/gateway-status/probe-run.ts)
• giodl73-repo: The open linked PR implements the identity-aware warning path and regression tests for this issue. (role: linked fix author; confidence: high; commits: 96757656b46c, f662434b8400; files: src/commands/gateway-status/output.ts, src/commands/gateway-status/output.test.ts, src/commands/gateway-presence.ts)
• ThanhNguyxn07: Credited on a recent gateway probe hardening change that touched gateway-status output/tests, so they may have useful context for nearby probe diagnostics. (role: adjacent contributor; confidence: medium; commits: baf4119ae374; files: src/commands/gateway-status/output.ts, src/commands/gateway-status.test.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.