Gateway 7-second event-loop stalls on 2026.4.27 — createOpenClawTools synchronously rebuilds plugin registry + provider-auth env-var resolution per tool-creation pass

[mids-neo]

Summary

After upgrading from 2026.4.15 → 2026.4.27, the gateway exhibits ~7-second synchronous event-loop stalls during normal agent activity, blocking Telegram polling and forcing watchdog-triggered container restarts. 24h post-upgrade window: 27 gateway crashes, 25 Tier 2 (full container restart). Pre-upgrade had been operating without this pattern.

.cpuprofile evidence (6 stalls aggregated, 230s combined CPU) shows the dominant hot path is createOpenClawTools / createOpenClawCodingTools invoking loadPluginRegistrySnapshotWithMetadata and resolveProviderAuthEnvVarCandidates synchronously on every tool-creation pass. Top self-time frames are lstat, readFileSync, path.resolve — classic uncached fs scan.

This may share root cause with #73532 (plugin loader hot loop on 4.25/4.26) but differs in entry point and version: that report's hot stack is prepareBundledPluginRuntimeDistMirror (mirror-init); mine is createOpenClawTools (tool-creation per agent invocation). Filing separately so the maintainer can dedup or split as appropriate.

This is distinct from #74345 (ACP session leak / 480s task-registry-maintenance event-loop holds, also on 4.27) — different fingerprint (~7s stalls, no ACP cleanup loop, no session-write-lock warnings).

Environment

• OpenClaw 2026.4.27 (c27ae31043c7) — installed via global npm
• Node v22.22.1
• Linux x86_64, host-mode container (Docker), gateway port 54401
• Channels enabled: Telegram (multi-bot), WhatsApp
• ~10 user agents bound to lanes via bindings[]; many tool-call-heavy

Symptom fingerprint

/data/.openclaw/logs/gateway-eventloop.jsonl — continuous ~7s stalls during normal load:

Timestamp (UTC)	Stall (ms)
04:17:28Z	6937
04:17:43Z	7130
04:18:49Z	7151
04:19:19Z	7365
04:20:34Z	6942
04:20:49Z	7038
04:23:04Z	7650

ELU peaked at 0.81 across two consecutive samples, with maxMs=6941–7650ms. CPU profiles auto-saved per stall.

gateway-monitor.log — 27 gateway crashes / 24h, 25 Tier 2 (full container restart), concentrated in the post-upgrade window. Watchdog kills gateway, container restarts, load resumes, stalls return.

While stalled: Telegram long-poll stays alive (update-offset-*.json mtime advances), getChat/getChatMember confirm bot-side state is fine, but channel-post-routed agent invocations don't dispatch — the agent isn't getting CPU.

CPU profile analysis (6 stalls aggregated, 230s combined)

Top 5 by inclusive time (caller + descendants):

Inclusive ms	%	Function	Source
51,637	3.2%	runEmbeddedAttempt	selection-8xKkwZC_.js:5792
46,688	2.9%	createOpenClawCodingTools	pi-tools-DvRlK7Mt.js:805
46,668	2.9%	createOpenClawTools	openclaw-tools-CHlPDJlv.js:8767
32,160	2.0%	loadPluginRegistrySnapshotWithMetadata	plugin-registry-Bjn9rPwy.js:115
24,240	1.5%	resolveProviderAuthEnvVarCandidates	provider-env-vars-DOy0Czuc.js:60

Top 5 by self time (where CPU actually burns):

Self ms	%	Function
13,343	5.8%	lstat
4,884	2.1%	post (inspector)
4,090	1.8%	(garbage collector)
3,241	1.4%	path.resolve
3,219	1.4%	readFileSync

The hot-path pattern is unambiguous: createOpenClawTools + createOpenClawCodingTools running synchronous plugin-registry rebuild + provider-auth-env-var resolution on every tool-creation pass, dominated by lstat / readFileSync / existsSync / readdir.

loadInstalledPluginIndex (22,638ms inclusive) and loadPluginManifest (905ms self) confirm the plugin index is being rebuilt, not cache-served.

resolveProviderAuthEnvVarCandidates → resolveManifestProviderAuthEnvVarCandidates → isProviderApiKeyConfigured → hasAuthForProvider indicates per-tool-call provider-auth resolution that walks process.env against every model provider's possible env var name.

Inferred bug class

In 2026.4.27, the tool-creation path appears to:

1. Reload the entire plugin registry from disk synchronously on every invocation rather than serving from the cache that loadOpenClawPlugins is supposed to provide.
2. Re-resolve provider-auth env-var candidates per tool synchronously without caching — this scales with (number of tools × number of providers × number of env-var aliases per provider).

Each pass takes ~7s of CPU time, blocking the event loop. Under any non-trivial agent activity (multiple tool calls per minute), the gateway never recovers and watchdog kills it.

This blocks: Telegram long-poll dispatch, agent response generation, all PM2 worker IPC.

Likely overlaps with #73532's "cache key varies between callers" / "cache invalidated too aggressively" hypotheses, but expressed via the tool-creation entry point rather than the mirror-prep one.

Reproduction

1. Install openclaw@2026.4.27 (or pull c27ae31043c7)
2. Configure ≥2 enabled user plugins and ≥2 model providers with auth profiles
3. Bind ≥1 Telegram bot to an agent and send agent any tool-call-heavy prompt under steady load (~1–2 invocations/minute)
4. Within minutes, gateway-eventloop.jsonl will show 6000–7700ms stalls per sample window
5. Within ~1h, watchdog Tier 2 restart will fire

CPU profiles auto-write to <DATA>/.openclaw/logs/gateway-stall-profiles/<pid>-<ts>/*.cpuprofile. Loading any in Chrome DevTools → Performance shows the flame graph matching the table above.

Suggested next steps

• Instrument getCachedPluginRegistry / setCachedPluginRegistry (per Plugin loader hot loop: prepareBundledPluginRuntimeDistMirror + JSON5 manifest parsing saturate gateway and starve event loop #73532's suggestion) to log cache key + hit/miss; verify whether createOpenClawTools is cache-missing every call.
• Audit resolveProviderAuthEnvVarCandidates for memoization — if there's no per-process or per-tool cache, the per-invocation env walk is the easy half of this regression to fix.
• Consider whether the 4.15 → 4.27 plugin-loader refactor moved registry-load from startup-time to tool-factory-time, and whether memoization survived the refactor.

Artifacts available

• 6 .cpuprofile files (10MB total) — happy to attach a redacted bundle on request
• gateway-eventloop.jsonl excerpt
• gateway-monitor.log crash log
• Internal finding doc with full top-10 inclusive/self frame analysis

Related

• Plugin loader hot loop: prepareBundledPluginRuntimeDistMirror + JSON5 manifest parsing saturate gateway and starve event loop #73532 — plugin loader hot loop (prepareBundledPluginRuntimeDistMirror + JSON5 parse). Adjacent code path, possibly same root cause.
• Event-loop saturation and ACP session leak on 2026.4.27 (9d8de70) #74345 — ACP session leak / 480s task-registry-maintenance holds on 4.27. Distinct fingerprint.
• [2026.4.26] Gateway main thread stalls under orchestration load; /readyz timeouts and reload deferred behind active runs #73467 — main thread stalls under orchestration load on 4.26. Possibly upstream of the same regression.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep this issue open. Current main contains several partial mitigations for plugin/runtime loading, but the source still shows a tool-construction path that can synchronously derive manifest-backed capability/provider-auth metadata during repeated tool creation, and the report has concrete production CPU-profile evidence plus a second macOS data point.

Required change / next step:

This is a concrete, source-local gateway performance regression with clear code paths, production profiling evidence, adjacent tests, and no required product decision before a narrow repair attempt.

Security review:

Security review: This is non-PR issue triage with no patch, so there is no patch security or supply-chain review to perform.

Review details

Best possible solution:

Fix the hot path with bounded, freshness-aware reuse: tool construction should avoid repeating manifest registry and provider-auth candidate/evidence derivation per tool/provider, preferably by computing stable lookup maps once per tool-construction or runtime-config snapshot and threading them through availability checks without adding a broad stale global metadata cache.

Do we have a high-confidence way to reproduce the issue?

Yes. The issue gives a high-confidence production reproduction path and CPU-profile fingerprint against 2026.4.27, and current source inspection confirms a repeated manifest/provider-auth lookup shape still exists; this review did not run a live gateway stress replay.

Is this the best way to solve the issue?

Unclear because there is no proposed patch. The reporter's memoization/instrumentation direction is sound, but the maintainable fix should be scoped to the tool-construction/auth lookup path and preserve plugin metadata freshness rules.

Acceptance criteria:

• pnpm test src/secrets/provider-env-vars.dynamic.test.ts src/agents/model-auth.test.ts src/agents/model-auth.profiles.test.ts src/agents/pi-model-discovery.auth.test.ts
• pnpm test src/agents/tools/image-generate-tool.test.ts src/agents/tools/music-generate-tool.test.ts src/agents/tools/video-generate-tool.test.ts src/plugins/capability-provider-runtime.test.ts
• pnpm test src/plugins/tools.optional.test.ts src/plugins/loader.runtime-registry.test.ts src/plugins/provider-discovery.runtime.test.ts
• pnpm build
• pnpm check:changed in Testbox before handoff

What I checked:

• Production profile evidence: The issue body reports repeated 6.9-7.6s gateway event-loop stalls on 2026.4.27, with aggregated CPU profiles naming createOpenClawTools, createOpenClawCodingTools, loadPluginRegistrySnapshotWithMetadata, and resolveProviderAuthEnvVarCandidates; a later comment adds a similar macOS arm64 data point.
• Tool creation still enters OpenClaw tool setup: createOpenClawCodingTools appends createOpenClawTools during normal tool construction, preserving the reported entry point. (src/agents/pi-tools.ts:599, 8093ae60292f)
• Plugin tools have only partial active-registry mitigation: createOpenClawTools still resolves plugin tools unless disabled; resolvePluginTools can reuse a compatible active registry, but falls back to runtime registry resolution when no compatible active registry exists. (src/agents/openclaw-tools.ts:343, 8093ae60292f)
• Media tool availability still does manifest-backed provider/auth checks at registration: hasGenerationToolAvailability enumerates bundled capability provider ids and checks hasAuthForProvider during tool construction; that helper calls resolveEnvApiKey before profile-store checks. (src/agents/tools/media-tool-shared.ts:280, 8093ae60292f)
• Provider auth lookup can still recompute candidate and evidence maps: resolveEnvApiKey derives candidateMap and authEvidenceMap when they are not injected, and the manifest-backed provider auth functions call loadPluginManifestRegistryForPluginRegistry with preferPersisted: false. (src/agents/model-auth-env.ts:113, 8093ae60292f)
• Derived registry fallback remains the filesystem-heavy path: When persisted reads are disabled or unusable, loadPluginRegistrySnapshotWithMetadata falls back to loadInstalledPluginIndex, matching the report's filesystem-heavy stack. (src/plugins/plugin-registry-snapshot.ts:181, 8093ae60292f)

Likely related people:

• shakkernerd: Commit metadata and changelog context tie this handle to manifest auth evidence, provider-auth lookup, and cold plugin manifest work in the implicated files. (role: recent provider-auth and plugin-metadata maintainer; confidence: high; commits: 10b9adb010a6, dd5b96c11dd0, 1a193b2d9666; files: src/secrets/provider-env-vars.ts, src/agents/model-auth-env.ts, src/agents/pi-auth-discovery-core.ts)
• Ayaan Zaidi: Recent main commits defer media generation provider discovery, web-search registration loading, media model resolution, and targeted runtime hook resolution on the same tool-construction performance surface. (role: recent adjacent tool/provider deferral maintainer; confidence: medium; commits: 60bdb96f2c4c, 40b0b1bfe051, 3144e7a7297d; files: src/agents/tools/media-tool-shared.ts, src/agents/tools/image-generate-tool.ts, src/agents/tools/web-search.ts)
• vincentkoc: Recent commits authored by Vincent Koc lazy-load provider env-var exports, isolate manifest registry cache state, and stop runtime-deps reinstall loops in adjacent performance paths. (role: plugin/provider performance maintainer; confidence: medium; commits: 961eb95e9a88, 3ceba442b77d, e311ffdcb94e; files: src/secrets/provider-env-vars.ts, src/agents/model-auth-env-vars.ts, src/plugins/loader-cache-state.ts)
• steipete: Recent local history shows Peter Steinberger on provider auth alias trust, avoiding setup scans during auth resolution, lightweight provider discovery, and models-list responsiveness. (role: recent provider-auth and plugin-discovery maintainer; confidence: medium; commits: e890db76bc7a, 7fd6e2ec4c7c, fbbd644d7ae2; files: src/agents/model-auth.ts, src/agents/provider-auth-aliases.ts, src/plugins/providers.ts)

Remaining risk / open question:

• This read-only review did not run a live gateway load replay or inspect the reporter's cpuprofile bundle, so the exact stall frequency on current main remains unmeasured.
• The remaining work overlaps with open gateway stall reports such as Plugin loader hot loop: prepareBundledPluginRuntimeDistMirror + JSON5 manifest parsing saturate gateway and starve event loop #73532 and [2026.4.26] Gateway main thread stalls under orchestration load; /readyz timeouts and reload deferred behind active runs #73467; a fix should keep this issue's provider-auth/tool-creation fingerprint distinct while linking shared root-cause evidence.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8093ae60292f.

[mids-neo]

Concrete regression-source evidence — providerRequest manifest field is new in 4.27.

Followed up locally by diffing openclaw@2026.4.15 (npm tarball) against the current 4.27 install. The hot path involves loadPluginRegistrySnapshotWithMetadata and resolveProviderAuthEnvVarCandidates walking provider data per tool-call, so I compared the manifest-level provider surface between the two versions:

Metric	4.15	4.27	Δ
Bundled plugins (dist/extensions/*/openclaw.plugin.json)	98	116	+18
Manifests with providerRequest field	0	23	net-new field
Unique providerRequest.providers keys	0	30	new
Existing .providers[] entries (across all manifests)	52	60	+8

The providerRequest field doesn't appear in any 4.15 bundled manifest. In 4.27, 23 manifests declare it. Example from extensions/anthropic/openclaw.plugin.json in 4.27:

{
  "providerRequest": {
    "providers": {
      "anthropic": { "family": "anthropic" }
    }
  }
}

manifest-BRvO4Lcw.js and manifest-registry-adU8lVLL.js both reference providerRequest, putting this field on the loadPluginRegistrySnapshotWithMetadata path. Combined with the per-tool-call walk in resolveProviderAuthEnvVarCandidates shown in the original profile, this is the most concrete pointer I have for the regression source: the commit(s) that introduced the providerRequest manifest schema between 4.15 and 4.27, and the loader code that walks it.

Most of the 18 new bundled plugins themselves don't add many auth requirements (most are noauth or single-provider). The expense is the manifest-walking code path that grew from 0 → 23 manifests with providerRequest.

Also worth noting from a related search: no obvious config-only workaround knob exists in the bundled hot-path files (no max-plugins, pluginCap, cacheEnabled, registryCache — only cacheTtl, and not in a tunable form).

Re-iterating: I'm happy to attach the 6 .cpuprofile files (~10MB) on request — they show the call trees referenced above directly.

[Theo-jobs]

Additional data point from a macOS arm64 install running openclaw@2026.4.27 with Node v25.9.0.

Observed behavior matched this issue:

• Gateway stayed reachable, but Telegram replies and local health/status checks intermittently stalled.
• Liveness warnings showed event-loop delay spikes around 7–15 seconds; one observed spike was roughly 15 seconds.
• Gateway CPU was bursty: sometimes above one core during stalls, then back to idle.
• Active Memory amplified the issue: embedded recall runs repeatedly timed out and made Telegram latency worse. Disabling Active Memory improved the interactive path.
• Several staged runtime dependencies were missing in the 4.27 install. Making those dependencies resolvable removed immediate missing-module / degraded memory symptoms, but did not prove the event-loop root cause was fixed.

This looks consistent with the plugin/tool-creation hot path described here rather than a single missing dependency.

[big-hill]

Confirming this on 2026.4.29 with significantly worse numbers than the
original report (~7s) — we see consistent 25-30s total startup overhead
per agent turn.

Environment

• OpenClaw 2026.4.29 (a448042) — installed via global npm
• Node v22.22.2
• Linux x86_64, native systemd user service (no Docker)
• 16 configured agents
• 9 active model providers (openai, openai-codex, anthropic, kimi, google,
  ollama, xai, minimax, zai)
• 20 plugins enabled (post-disable; 117 in catalog)
• 5 active runtime plugins (acpx, browser, discord, file-transfer, memory-core)
• Discord channel only

[trace:embedded-run] startup stages measurements

Four consecutive runs, three sessions, all on primary openai-codex/gpt-5.5,
no fallback events:

Run	totalMs	runtime-plugins	model-resolution	auth	dispatch
1 (new ses)	30894	6346	13175	6436	4891
2 (new ses)	25310	1	12840	6357	6108
3 (new ses)	26601	2	13057	6435	7105
4 (reuse ses)	27686	4	13847	6871	6963

Key observations:

• No amortization across turns. Same session, second message: still
  model-resolution=13847ms, auth=6871ms. The hot path is rebuilt every
  turn, not cached after first invocation.
• Disabling 50 unused provider/channel plugins did not help. Pre-disable
  numbers were within ±500ms of these. Suggests the hot path doesn't iterate
  the full enabled-plugins list — it does something else expensive that
  scales differently.
• No correlation with system load. eventLoopUtilization was 0.05-0.10
  during idle windows between runs (CPU available), but each turn still
  pays the full overhead. Not a CPU contention issue.

Impact

Every Discord message (any channel, any session) waits 25-30s before the
model API call begins. After the model responds, normal streaming + tool
calls add another 5-30s depending on workload. End-user perception: agent
takes 30-60s minimum to first visible reply, even for trivial questions.

What 4.29 helped with (for reference)

• sqlite-vec mirroring ([Bug]: 2026.4.27 builtin memory can fail because plugin-runtime-deps snapshot misses sqlite-vec #74692) — fully resolved
• Bonjour/model-pricing event-loop blocks (/v1/* endpoints hang on healthy gateway; event loop blocked by bonjour/telegram/model-pricing timeouts #74633) — closed
• Plugin manifest caching (Plugin loader hot loop: prepareBundledPluginRuntimeDistMirror + JSON5 manifest parsing saturate gateway and starve event loop #73532 family) — improved cold startup, did not
  reach this hot path

Happy to provide a .cpuprofile capture for one of these runs if it would
help isolate where the 13s in model-resolution actually goes — please let
me know what to capture and I can attach.

[steipete]

Closing as fixed on current main.

This report's hot path was tool construction plus provider/auth/plugin metadata resolution. Current origin/main (0b4bc78496) has the relevant fixes: 29ed5266bf keeps runtime-deps repair out of plugin tool/runtime hot paths, and 354084b1b3 caches targeted provider runtime hook resolution instead of redoing that work repeatedly.

If the same createOpenClawTools / provider-auth stall still reproduces on a build containing those commits, please reopen with a fresh CPU profile or [trace:embedded-run] stage summary.