Gateway intermittently stalls: WebSocket preauth handshakes time out late during model catalog/provider discovery

[DerFlash]

Gateway intermittently stalls: WebSocket preauth handshakes time out late during model catalog/provider discovery

Summary

The OpenClaw Gateway intermittently becomes unresponsive for tens of seconds. During these windows, WebSocket preauth handshakes time out, but the timeout callbacks fire much later than the configured 10s timeout. Observed values range from ~18s to ~72s.

This strongly suggests the Gateway Node.js event loop is being blocked or starved by synchronous / CPU-heavy work inside the gateway process, rather than a pure networking or client-side timeout issue.

The strongest current suspect is expensive model catalog regeneration / provider discovery after model/config hot reloads, especially around:

• ensureOpenClawModelsJson()
• planOpenClawModelsJson()
• resolveProvidersForModelsJsonWithDeps()
• resolveImplicitProviders()
• resolveRuntimePluginDiscoveryProviders()
• dynamic import of plugins/provider-discovery.runtime.js
• resolvePluginDiscoveryProvidersRuntime() / resolvePluginProviders()

This is an initial issue with current findings. I can add deeper traces if needed.

Environment

• OS: Ubuntu 22.04.5 LTS, arm64
• Node.js: v24.14.1
• Gateway bound on LAN, local port 18789
• Gateway process remains alive during incidents
• No obvious FD leak observed during checks
• Host not thermally throttled during later checks:
  • 4 cores
  • temperature around ~41°C
  • vcgencmd get_throttled = 0x0

Symptoms

Observed in Gateway logs:

• WebSocket connections close before full connect/preauth.
• Important class: cause=handshake-timeout.
• Configured preauth handshake timeout is 10s.
• Actual logged handshakeMs / durationMs values were much larger:

Examples:

• handshakeMs=47133
• handshakeMs=54995
• handshakeMs=49755
• handshakeMs=71389
• handshakeMs=18201
• handshakeMs=34302

Because the timer callback itself fires late, this looks like event-loop starvation/blocking.

Additional symptoms seen during affected windows:

• Some Gateway RPCs occasionally slow:
  • config.get ~2.1–2.4s
  • channels.status ~2.0s
  • config.schema.lookup ~3.2s
  • agent.wait reached expected long wait timeout
• Telegram polling stalls were also seen near some incident windows.
• openclaw status --json --timeout 1000 had ~14s wall time despite reported gateway connect latency around ~160ms.
• openclaw logs --limit 5 --timeout 5000 had ~12s wall time, while the underlying logs.tail RPC later measured fast after warmup.

Findings

1. Not likely to be a simple network / socket issue

The Gateway was alive and listening on 0.0.0.0:18789.

HTTP/dashboard probes to 127.0.0.1:18789 were healthy when idle:

• first probe around ~285ms
• later probes around ~30ms

No obvious FD leak was observed:

• FD count around mid/high 30s
• threads around 11

2. Preauth timer firing late is the key evidence

Code inspection found:

• DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS = 10000
• server uses getPreauthHandshakeTimeoutMsFromEnv() for the preauth timer

But logs showed timeout callbacks firing after 18–72s. That strongly indicates the event loop was unable to run the timer callback on time.

3. Session/transcript sync reads are a smell, but probably not the sole root cause

Several gateway-adjacent paths use synchronous file reads/parsing:

• session store reads via readSessionStoreReadOnly
• transcript reads via readSessionMessages()
• some status/history/session preview paths

This is concerning, especially for large transcripts/checkpoints. However, microbenchmarks on the largest local artifacts showed individual parse costs mostly in the ~100–500ms range, not enough alone to explain 70s stalls.

So this remains a contributor/smell, but not the strongest single root cause.

4. Late handshake windows correlate with state churn

The worst late-handshake windows clustered around:

• config/model/default alias hot reloads
• provider/model catalog related changes
• pairing/device-state churn
• stuck session / embedded-run lifecycle events

This points toward bursts of gateway-side state recomputation or plugin/runtime work.

5. Stronger suspect: model catalog / provider discovery cold path

Local probes outside the gateway showed ensureOpenClawModelsJson() can be extremely expensive:

• importing model-catalog-*.js in a fresh Node process took ~6.5s

• loadModelCatalog() / ensureOpenClawModelsJson() without an outer provider-discovery timeout did not complete within test timeouts in some probes

• with:

  • OPENCLAW_LIVE_GATEWAY=1
  • OPENCLAW_LIVE_PROVIDER_DISCOVERY_TIMEOUT_MS=3000
  • OPENCLAW_LIVE_GATEWAY_PROVIDERS=codex

  it completed in ~20.7s and logged that Codex provider catalog discovery timed out after 3000ms.

Filtered single-provider probes still showed high wall times:

• anthropic-vertex: ~13.9s
• deepseek: ~38.6s
• codex with 3s provider timeout: ~20.7s

This suggests the problem is not only one slow live provider catalog call. There appears to be significant plugin/runtime/provider setup overhead.

6. Provider filtering appears insufficient for the full path

Direct call:

resolvePluginDiscoveryProvidersRuntime({ onlyPluginIds: ['deepseek'] })

behaved mostly as expected:

• entries-only returned only deepseek in ~81ms
• normal only-plugin run returned only deepseek in ~7.6s

But when running through ensureOpenClawModelsJson() with provider filtering, profiling still showed broad provider plugin loading, including:

• anthropic
• byteplus
• deepseek
• moonshot
• openai
• tencent
• volcengine
• xai

Even a minimized in-memory cfg.models.providers = { deepseek: ... } still showed broad provider plugin load/profile activity.

A later source-path refinement makes provider-specific policy helpers less likely to be the cold-load trigger: normalizeProviderConfigPolicy(), applyProviderNativeStreamingUsagePolicy(), and resolveProviderConfigApiKeyPolicy() call their plugin helpers with allowRuntimePluginLoad: false.

So the stronger suspect is the runtime discovery stage before/around normalization:

resolveProvidersForModelsJsonWithDeps()
  -> resolveImplicitProviders()
  -> resolveRuntimePluginDiscoveryProviders()
  -> dynamic import of plugins/provider-discovery.runtime.js
  -> resolvePluginDiscoveryProvidersRuntime()
  -> resolvePluginProviders()

In particular, resolvePluginDiscoveryProvidersRuntime() has a selective full-plugin fallback when onlyPluginIds is undefined. If the provider filter is not passed through correctly from config/hot-reload context, or if source snapshot projection reintroduces providers, this can cause broad provider loading.

7. Warm cache is much faster, cold path is the problem

Within one process:

• first full provider discovery call: ~17.5s
• second call: ~1.3s
• third call: ~0.7s

So caching helps, but config/model hot reloads or cache invalidation can re-enter the expensive cold path.

Current diagnosis

The Gateway can become temporarily unresponsive because model catalog regeneration / provider discovery performs expensive cold plugin/runtime work in or adjacent to latency-sensitive Gateway paths.

This can delay timers, WebSocket handshakes, CLI/RPC responses, Telegram polling, and possibly status/log commands.

The issue is likely not one single slow transcript read, but a combination of:

1. expensive cold provider/plugin runtime loading,
2. insufficient provider filtering in the full model-catalog regeneration path,
3. potentially unbounded or poorly bounded live provider discovery,
4. cache invalidation after model/config hot reloads,
5. work running on the Gateway event loop instead of being deferred/offloaded.

Proposed fixes / mitigations

Short-term mitigations

1. Add a bounded default timeout for live provider discovery in Gateway contexts.

   • Example: default OPENCLAW_LIVE_PROVIDER_DISCOVERY_TIMEOUT_MS to a small value when running inside gateway.
   • Avoid unbounded provider catalog resolution during hot reload.

2. Avoid running full ensureOpenClawModelsJson() synchronously after config/model hot reload.

   • Defer regeneration.
   • Serve stale cached catalog while refresh happens in background.
   • Emit a warning if refresh fails or times out.

3. Ensure provider discovery filters are passed through the full path.

   • In particular, check what onlyPluginIds is passed into resolveRuntimePluginDiscoveryProviders() during ensureOpenClawModelsJson() after config/model hot reloads.
   • Avoid broad resolvePluginProviders() when a narrowed provider set is known.

4. Add method-level timing logs around:

   • applyHotReload()
   • resetModelCatalogCache()
   • ensureOpenClawModelsJson()
   • planOpenClawModelsJson()
   • resolveProvidersForModelsJsonWithDeps()
   • resolveImplicitProviders()
   • resolveRuntimePluginDiscoveryProviders()
   • resolvePluginDiscoveryProvidersRuntime()
   • resolvePluginProviders()
   • readSessionMessages()

5. Add runtime event-loop-delay instrumentation in the Gateway.

   • For example, log when event-loop delay exceeds 1s / 5s / 10s, including the current high-level operation if known.

Longer-term fixes

1. Move expensive model catalog/provider discovery work out of the Gateway request/event-loop path.

   • Use a worker thread or child process.
   • Keep Gateway responsive while catalog refresh happens.

2. Make provider discovery fully cache-aware and cancellation-aware.

   • Timeouts should abort work cleanly, not merely stop waiting while leaving expensive tasks/resources alive.

3. Separate static provider config normalization from live provider discovery.

   • Normalization should not require broad plugin loading if static config is already known.

4. Improve CLI command decomposition.

   • Commands like openclaw status / openclaw logs should avoid unnecessary status/bootstrap/provider/model work when the requested RPC itself is cheap.

Reproduction / diagnostic hints

Useful probes:

• Compare logs.tail RPC time vs full openclaw logs command wall time.
• Trigger model/default alias config hot reload, then watch for late WS handshake timers.
• Run ensureOpenClawModelsJson() in a fresh Node process with plugin profiling enabled.
• Test with and without provider discovery timeout:
  • OPENCLAW_LIVE_PROVIDER_DISCOVERY_TIMEOUT_MS=3000
  • OPENCLAW_LIVE_GATEWAY_PROVIDERS=codex
  • OPENCLAW_PLUGIN_LOAD_PROFILE=1

Key expected signal:

• A 10s WebSocket preauth timer firing after much more than 10s is the clearest symptom of event-loop delay.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep open. Current main has partial mitigations around startup provider scoping and provider catalog timeouts, but it still leaves the reported gateway responsiveness problem unresolved: WebSocket preauth timers are ordinary event-loop timers, model catalog loading can still enter ensureOpenClawModelsJson/provider discovery on gateway request paths, non-live discovery remains broad when no provider ids are passed, and the runtime discovery path can still fall back to full provider plugin loading. Related open work such as #73853, #72352, #73728, #73729, and #73835 should be coordinated, but none is a merged full fix for this newer late-handshake/model-catalog stall report.

Required change / next step:

Keep this issue open as the broader gateway responsiveness/performance tracker. The best maintainer path is to land or revise the focused related PRs for scoped provider discovery and registry-cache churn, then add any remaining gateway-specific fixes: make model catalog refresh stale-while-revalidate or otherwise non-blocking for latency-sensitive RPC/handshake paths, ensure provider filters are derived and passed through all relevant model/config refresh paths, add bounded and preferably cancellable provider catalog discovery, and add event-loop-delay/timing instrumentation around the named catalog/provider/hot-reload operations.

Best possible solution:

Keep this issue open as the broader gateway responsiveness/performance tracker. The best maintainer path is to land or revise the focused related PRs for scoped provider discovery and registry-cache churn, then add any remaining gateway-specific fixes: make model catalog refresh stale-while-revalidate or otherwise non-blocking for latency-sensitive RPC/handshake paths, ensure provider filters are derived and passed through all relevant model/config refresh paths, add bounded and preferably cancellable provider catalog discovery, and add event-loop-delay/timing instrumentation around the named catalog/provider/hot-reload operations.

Acceptance criteria:

• pnpm test src/gateway/server-startup.test.ts src/agents/models-config.providers.implicit.discovery-scope.test.ts src/plugins/provider-discovery.runtime.test.ts
• pnpm test src/gateway/server.reload.test.ts src/gateway/server-methods/models.ts src/agents/model-catalog.test.ts if catalog refresh behavior changes
• pnpm exec oxfmt --check --threads=1 src/gateway/server-startup-post-attach.ts src/gateway/server/ws-connection.ts src/agents/models-config.ts src/agents/models-config.plan.ts src/agents/models-config.providers.implicit.ts src/plugins/provider-discovery.runtime.ts
• pnpm check:changed in Testbox before handoff for runtime changes

What I checked:

• preauth_timer_can_only_fire_when_event_loop_runs: The gateway computes the preauth handshake timeout and uses setTimeout; the timeout callback records handshakeMs as Date.now() - openedAt. This matches the report's diagnostic signal: if the event loop is blocked, the timer can fire much later than the configured timeout. (src/gateway/server/ws-connection.ts:369, 4eba70b532f8)
• current_timeout_tuning_is_not_a_stall_fix: Current main defaults preauth handshakes to 15 seconds and allows env/config overrides, but this is only a budget; there is no event-loop delay instrumentation or isolation of blocking work in this timeout helper. (src/gateway/handshake-timeouts.ts:1, 4eba70b532f8)
• gateway_model_catalog_still_enters_models_json_preparation: loadGatewayModelCatalog imports loadModelCatalog, and loadModelCatalog still calls ensureOpenClawModelsJson for non-read-only catalog loads before importing the PI model registry and merging plugin/configured catalog entries. models.list calls this gateway context loader. (src/agents/model-catalog.ts:140, 4eba70b532f8)
• implicit_provider_discovery_still_runs_runtime_discovery: models.json planning resolves implicit providers through resolveRuntimePluginDiscoveryProviders and then runs provider catalog hooks by discovery order. Provider catalog timeouts apply when an explicit timeout is passed or live env is set, but the timeout wrapper does not cancel already-started provider work. (src/agents/models-config.providers.implicit.ts:357, 4eba70b532f8)
• non_live_filter_can_remain_broad: resolveProviderDiscoveryFilter returns an onlyPluginIds scope for explicit provider ids or live env filters; otherwise, for ordinary non-live runs without providerDiscoveryProviderIds, it returns undefined and leaves discovery broad. (src/agents/models-config.providers.implicit.ts:101, 4eba70b532f8)
• runtime_discovery_can_fall_back_to_full_provider_loading: resolvePluginDiscoveryProvidersRuntime supports discoveryEntriesOnly, but when that is not requested it can call resolvePluginProviders; with onlyPluginIds undefined, the selective fallback only narrows some cases and the final fallback can still load provider plugins broadly. (src/plugins/provider-discovery.runtime.ts:143, 4eba70b532f8)

Likely related people:

• vincentkoc: Local blame for the current WebSocket preauth timer, handshake timeout helper, implicit provider discovery, and provider-discovery runtime points to Vincent Koc's d49ebe7 commit on current main. (role: current-main visible maintainer for the inspected handshake/provider-discovery lines; confidence: medium; commits: d49ebe7bdee3; files: src/gateway/server/ws-connection.ts, src/gateway/handshake-timeouts.ts, src/agents/models-config.providers.implicit.ts)
• steipete: Related ClawSweeper history for [AI-assisted] fix(plugins): reduce startup provider registry reloads #73853 and fix(agents): scope provider discovery from configured models #72352 routes gateway startup prewarm and models-config scoping work to steipete, including commits that introduced or maintained adjacent provider-discovery scoping and cache/fingerprint behavior. (role: recent gateway/model-discovery maintainer; confidence: medium; commits: 0f24a8d8e18b, 11f0244cf431, 1787d3be0793; files: src/gateway/server-startup-post-attach.ts, src/agents/models-config.ts, src/agents/models-config.plan.ts)
• shakkernerd: Related provider-discovery records point to shakkernerd/Shakker for owner-normalization, metadata reuse, and provider discovery fallback bounding work adjacent to the onlyPluginIds and plugin metadata snapshot paths. (role: adjacent provider metadata/filter maintainer; confidence: medium; commits: 5531502cb009, 4e7de4b5c9ed, 021ef1220d01; files: src/agents/models-config.providers.implicit.ts, src/plugins/provider-discovery.runtime.ts, src/plugins/providers.ts)
• brokemac79: Open PR [AI-assisted] fix(plugins): reduce startup provider registry reloads #73853 is a focused adjacent implementation candidate for startup/provider-registry reload reductions tied to Idle gateway high CPU/RSS on VPS; CPU profile points to repeated plugin/model registry + bundled runtime mirror work #73835 and resolvePluginCapabilityProviders triggers redundant full plugin loads per message (image/video/music generation) #73729, which overlap this issue's model/provider discovery stall path even though it is not a complete fix for this issue. (role: active adjacent implementation candidate owner; confidence: medium; commits: f7e05b763d3d; files: src/gateway/server-startup-post-attach.ts, src/plugins/capability-provider-runtime.ts, src/agents/models-config.ts)

Remaining risk / open question:

• This was a read-only source/history review; the reporter's live 18s to 72s late-handshake timings were not reproduced here.
• The issue spans several hot paths: WebSocket preauth, model catalog generation, provider plugin discovery, live provider catalog calls, hot reload, and CLI/RPC command decomposition. A single narrow patch may only reduce symptoms.
• Provider-discovery narrowing and cache changes can regress model availability if aliases, fallback models, subagent defaults, auth-profile-only providers, workspace plugins, or partially unresolved refs are under-scoped.
• Related open work ([AI-assisted] fix(plugins): reduce startup provider registry reloads #73853, fix(agents): scope provider discovery from configured models #72352, Default DEFAULT_PLUGIN_DISCOVERY_CACHE_MS / DEFAULT_PLUGIN_MANIFEST_CACHE_MS of 1 second is too short for gateway use #73728, resolvePluginCapabilityProviders triggers redundant full plugin loads per message (image/video/music generation) #73729, resolvePluginWebProviders snapshot cache never hits because callers pass fresh config objects #73730, Idle gateway high CPU/RSS on VPS; CPU profile points to repeated plugin/model registry + bundled runtime mirror work #73835) should be coordinated to avoid overlapping partial fixes with conflicting cache/discovery semantics.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 4eba70b532f8.

[DerFlash]

Follow-up: related issues/PRs, current release status, and fresh repro

A bit more cross-checking against adjacent reports/PRs:

Local/current release status

The affected local install is still:

OpenClaw 2026.4.26 (be8c246)

Latest published release/npm package currently also appears to be 2026.4.26, so several fixes already on main are not yet available in the installed release. I think the next release should be retested before assuming this is still fully reproducible on main.

Reproduced again on the affected 2026.4.26 install

After filing this issue, the same late preauth-timeout pattern reproduced again on the running 2026.4.26 gateway:

2026-04-29T08:23:10.495+02:00
cause=handshake-timeout
handshakeMs=32602
durationMs=32759
lastFrameMethod=connect
endpoint=127.0.0.1:57256->127.0.0.1:18789

A probe immediately after that showed:

New WS handshake-timeout lines: 1
closed-before-connect: 2
late timer closes >12s: 1
max handshake/duration: 32602ms
slow RPCs >=1000ms: 0
Telegram polling stalls: 0

So this was not just a startup-only observation from the original report. The gateway had been running already. The useful signal remains the same: a 10s preauth timer did not fire until ~32.6s.

There were nearby stuck-session diagnostics:

2026-04-29T08:17:10.616+02:00 stuck session: sessionId=unknown sessionKey=agent:main:telegram:slash:8598006230 state=processing age=164s queueDepth=1
2026-04-29T08:18:07.965+02:00 stuck session: sessionId=unknown sessionKey=agent:main:telegram:slash:8598006230 state=processing age=221s queueDepth=1
2026-04-29T08:18:46.698+02:00 stuck session: sessionId=unknown sessionKey=agent:main:telegram:slash:8598006230 state=processing age=260s queueDepth=1

I do not yet know whether those are cause or collateral, but they may be useful when correlating gateway event-loop stalls with session lifecycle / agent wait paths.

Relation to #73652

#73652 is still open and tracks a startup readiness boundary: the gateway accepts WebSocket connections before startup sidecars are ready.

This issue overlaps in symptom (handshake-timeout), but the fresh repro above happened on an already-running gateway, not immediately after restart/startup. So I would treat #73652 as a related startup-window bug, not as a complete explanation for this report.

Relation to #51282 / gateway.handshakeTimeoutMs

#51282 was closed as superseded because bcc6a2400d landed the gateway.handshakeTimeoutMs config surface directly on main with schema/docs/tests.

That is useful as a mitigation/config knob and should reduce false client-side failures once released/configured. But increasing the timeout does not address the core signal here: the gateway event loop can delay a 10s timer until 30s+ or even 70s+.

Relation to #73524

#73524 is closed as fixed on main by:

• 7e41913a20 — chat.history no longer waits on model catalog discovery
• 7994833fac — TUI/local gateway clients carry the configured/env preauth handshake budget into GatewayClient

These are definitely relevant and may remove part of the observed CLI/TUI latency surface. This should be retested after the next release. However, the fresh 32.6s late preauth timer above was observed on the current released 2026.4.26 build, before those main fixes are available locally.

Relation to #73908

#73908 looks highly related to the provider-discovery side: gateway startup probes too many manifest providers / external CLI credentials even with a narrow configured provider set.

Current comments there suggest main partially mitigates the startup/provider prewarm side, but provider-scoped external CLI credential discovery is still open.

I would separate it this way:

• [Bug]: Gateway unconditionally probes all 115 manifest providers and external CLI credentials at startup — causing 50s+ blocking even with 1 configured provider #73908: concrete startup/auth overlay/provider eligibility problem, especially external CLI credential discovery.
• This issue: broader gateway responsiveness/event-loop starvation problem where model catalog/provider discovery can still affect latency-sensitive request/handshake paths.

They may share underlying provider-scoping/cache invalidation fixes, but this issue is not limited to startup credential probing.

Relation to #73421

#73421 is the broader 2026.4.26 control-plane/browser/websocket stall regression report across NAS Docker / VPS / reverse-proxy environments.

This issue adds a narrower diagnostic signal to that broader symptom class: preauth timers firing far later than their configured timeout, plus suspected model-catalog/provider-discovery paths. So #73421 may be the broader user-visible regression, while this issue is a more specific root-cause/performance tracker.

Current working interpretation

Some of this may already be improved on main, especially chat.history and client timeout budget handling. But I think this issue should remain open until either:

1. a current main/next-release retest no longer reproduces late timer firing under similar load, or
2. provider/model catalog refresh is made non-blocking/stale-while-revalidate for latency-sensitive gateway paths, and provider discovery is demonstrably scoped/cached enough that it cannot starve WebSocket preauth timers.

[DerFlash]

Additional repro detail: openclaw logs --follow drops mid-stream

One more useful reproduction detail from the affected 2026.4.26 install:

The latest late-handshake events happened while openclaw logs --follow was actively running. The follow stream then simply dropped / broke away.

So this is not only a problem with new clients connecting during startup. It also affects an already-established, long-lived CLI log-follow path. That makes openclaw logs --follow both:

1. a visible casualty of the gateway responsiveness issue, and
2. a useful reproduction/monitoring path for it.

For local diagnosis I am avoiding relying on openclaw logs --follow as the primary evidence source and reading the direct log file instead, e.g. /tmp/openclaw/openclaw-YYYY-MM-DD.log, because the CLI follow path itself can disconnect during the stall.

This lines up with the most recent local repro:

2026-04-29T08:28:40.918+02:00
cause=handshake-timeout
handshakeMs=33538
durationMs=33552
lastFrameMethod=connect

Immediately after that window there was also a slower gateway RPC:

config.get 2514ms

[DerFlash]

Related main-branch update: #73853 merged

Small status update for the related-work picture:

PR #73853 was merged into main after the earlier comments:

• [AI-assisted] fix(plugins): reduce startup provider registry reloads #73853 — fix(plugins): reduce startup provider registry reloads
• merge commit: 20c7a98fb8b34bcc71caee029ff5d27ab82cc7a0
• merged: 2026-04-29T06:52:33Z

This appears directly relevant to part of this report because it keeps startup primary-model discovery on metadata-only provider entries and scopes capability-provider fallback registry loads to manifest-derived owners. It also closed #73729, #73835, and #73908.

I have not retested this issue against that commit yet. The affected local install is still the published npm release:

OpenClaw 2026.4.26 (be8c246)

and the latest npm/release still appears to be 2026.4.26, so this fix is not available in the local install yet.

Current expectation: #73853 may reduce/solve a meaningful chunk of the provider-registry/plugin-load surface, especially startup/prewarm and capability lookup churn. It does not by itself prove that late WebSocket preauth timer firing during an already-running gateway is gone; that should be retested once a release containing #73853 is installed.

[steipete]

Fixed on main by 6421e1f (fix(gateway): refresh model catalog off request path). Gateway model catalog reloads now serve the last successful catalog while stale provider/model discovery refreshes in the background, with regression coverage in src/gateway/server-model-catalog.test.ts.