Concurrent writes to openclaw.json produce invalid (concatenated) JSON; gateway refuses config until auto-restore

[hexorcist404]

Summary

When two OpenClaw processes write to ~/.openclaw/openclaw.json around the same time, the resulting file can contain two concatenated top-level JSON objects rather than a merged one. The gateway then fails to load config, and the UI surfaces this to the user as "agent failed before reply" on the next message. The built-in auto-restore from openclaw.json.last-good recovers correctly, but the failure window can drop at least one user turn.

Environment

• OpenClaw 2026.4.21 (f788c88)
• Node v22.22.2
• Linux 6.17.0-22-generic
• Gateway mode: local

What happened

On 2026-04-23, the config.observe auditor flagged the live config as invalid:

suspicious: ["missing-meta-vs-last-good", "gateway-mode-missing-vs-last-good"]
suspicious: ["reload-invalid-config"]

Both quarantined copies (openclaw.json.clobbered.2026-04-23T04-45-31-{238,252}Z) contain two separate top-level JSON objects, not one:

{
  "gateway": { "mode": "local", "auth": { … } },
  "wizard":  { "lastRunCommand": "doctor", … },
  "meta":    { "lastTouchedAt": "2026-04-23T04:27:20.367Z" }
}
{
  "agents": { "defaults": { "model": { "primary": "claude-cli/claude-opus-4-6" } } }
}

That's what doctor wrote (first object) followed by an unmerged agents.defaults.model.primary patch (second object) — the writer appears to have appended instead of merging, producing invalid JSON. The gateway's auto-restore kicked in from openclaw.json.last-good and the system recovered.

Suspected cause

Two writers racing without shared locking / atomic read-modify-write. Likely culprits: openclaw doctor and whichever code path sets agents.defaults.model.primary (possibly the gateway itself on startup, or a second CLI invocation). The config-audit log shows the bad reads happened at a gateway PID reading a config produced out-of-band.

Expected

All writers perform atomic merge (read → merge → write-via-tempfile-then-rename) under an advisory lock, so concurrent writes linearize instead of clobbering.

Impact

• User sees opaque "agent failed before reply" in the web UI until the next gateway reload.
• Recovery is automatic via last-good, but the current turn is lost.
• Two openclaw.json.clobbered.* files accumulate per incident (minor).

Repro (suspected, not yet confirmed)

Run a config-touching command (openclaw doctor, openclaw configure, openclaw models auth login …) in parallel with another config-touching command, or while the gateway is writing agents.defaults. The race window is small but likely reproducible under load.

Attachments

Happy to share sanitized copies of the two openclaw.json.clobbered.* files and the relevant config-audit.jsonl lines on request.

[clawsweeper]

Thanks for the context here. I did a careful shell check against current main, and this is already implemented.

Close as implemented. Current main now centralizes OpenClaw-owned config mutations behind a serialized mutation helper with cross-process locking and retry/rebase behavior, the merged canonical PR covers the reported doctor/gateway/agent-style race better than the older narrow lock proposal, and the fix is included in the beta release notes.

I found the merged PR that appears to have closed this: #76601: fix(config): serialize concurrent config mutations.

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review details

Best possible solution:

Keep the central mutation helper as the canonical config-write path and treat narrower direct-write locking proposals as follow-up hardening only if a remaining production caller is proven to bypass it.

Do we have a high-confidence way to reproduce the issue?

No, not for the exact concatenated-JSON interleaving on current main. The reporter supplied credible live audit evidence, and the merged fix includes real concurrent config-mutation proof for the same stale writer class.

Is this the best way to solve the issue?

Yes. Serializing and retrying semantic config mutations centrally is the maintainable fix because it covers read/merge/validate/write/refresh ordering; locking only final replacement would not rebase stale mutations.

Security review:

Security review: This is an issue triage item with no proposed patch diff to security-review.

What I checked:

• Current mutation lock: Current main has withConfigMutationLock, which creates the config directory, queues same-process mutations per config path, and wraps the mutation callback in withFileLock for cross-process serialization before the read/transform/write work runs. (src/config/mutate.ts:139, b7d3b74f1c16)
• Locked replace and transform entry points: replaceConfigFile and transformConfigFile both enter withConfigMutationLock; the unlocked commit path writes through writeConfigFile with the prepared baseSnapshot, so mutation callers linearize around the full read/validate/write/refresh transaction rather than only the final rename. (src/config/mutate.ts:331, b7d3b74f1c16)
• Reported writer class routed through mutation helpers: Gateway agent config writes use mutateConfigFileWithRetry, and model config updates use replaceConfigFile with the observed base hash, matching the kind of agents/model config writer implicated by the report. (src/gateway/server-methods/agents-config-mutations.ts:46, b7d3b74f1c16)
• Regression coverage: src/config/mutate.test.ts covers retrying stale config conflicts and same-process serialization before the second mutation reads its snapshot, which exercises the stale-snapshot race class fixed by the new mutation path. (src/config/mutate.test.ts:130, b7d3b74f1c16)
• Merged canonical PR provenance: GitHub reports fix(config): serialize concurrent config mutations #76601 merged at 2026-05-13T14:00:09Z with merge commit 2181564; the PR body states it centralizes config-file mutation so concurrent writers re-read, rebase, and commit against the latest persisted config, with real concurrent agents add proof. (218156447c9a)
• Git commit timestamp provenance: The merge/proof commit is on current main; its committer timestamp is 2026-05-13T15:00:07+01:00. (218156447c9a)

Likely related people:

• steipete: PR 76601's merged commit stack and local history show the central config mutation fix, gateway mutation refactor, and adjacent config IO work authored by Peter Steinberger/steipete across the affected files. (role: recent config mutation contributor; confidence: high; commits: 218156447c9a, 756379b11ddf, 23344fdb6116; files: src/config/mutate.ts, src/config/io.ts, src/gateway/server-methods/agents-config-mutations.ts)
• Vincent Koc: Recent local history shows Vincent Koc commits around prepared config snapshots, runtime config load avoidance, and config write performance, which are adjacent to the mutation and recovery path involved here. (role: adjacent config IO contributor; confidence: medium; commits: 120c384f0020, 6157933e39, e31dfa9897; files: src/config/io.ts, src/config/mutate.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against b7d3b74f1c16; fix evidence: merged PR #76601, release v2026.5.12-beta.5, commit 218156447c9a.