2026.5.2 upgrade silently wipes operator-customized gateway.systemd.env contents (EnvironmentFile contents reverted to bundled defaults)

[liemnhoang]

Summary

Upgrading from 2026.4.29 to 2026.5.2 (and/or running openclaw doctor post-upgrade) silently rewrites ~/.openclaw/gateway.systemd.env — the file declared as the gateway service's EnvironmentFile= in the systemd user unit. Operator-populated secrets are removed; only a small bundled-default subset (in our case: ALPACA_API_KEY, ALPACA_SECRET_KEY, SEATS_AERO_API_KEY) is preserved.

This is destructive and silent: no warning during the upgrade, no .bak left next to the wiped file, no log entry indicating the rewrite. Operators discover it only when downstream auth resolution fails.

Reproducer

1. On 2026.4.29 (or earlier), populate ~/.openclaw/gateway.systemd.env with custom secrets — e.g. via the documented "move secrets out of openclaw.json env block" pattern that the systemd unit's EnvironmentFile=-/home/<user>/.openclaw/gateway.systemd.env directive enables. Note the file's mode is 0600 and the gateway expects to load it at spawn time.
2. Verify the keys are loaded via cat /proc/$(systemctl --user show openclaw-gateway -p MainPID --value)/environ | tr '\0' '\n' | grep <YOUR_KEY>.
3. Upgrade to 2026.5.2 (npm install -g openclaw@latest).
4. Wait for the post-upgrade doctor cycle (or run openclaw doctor manually).
5. Inspect ~/.openclaw/gateway.systemd.env again.

Expected: operator-populated keys preserved; perhaps a notice that the file was inspected.
Actual: file has been overwritten; only a small bundled-default subset of keys remains. No backup was created.

Evidence (from our incident, 2026-05-03)

Pre-upgrade gateway.systemd.env had 25 keys. Post-upgrade: only 3 remained (ALPACA_API_KEY, ALPACA_SECRET_KEY, SEATS_AERO_API_KEY). 22 of 25 secrets silently removed.

Post-upgrade wizard state in openclaw.json confirms doctor ran at upgrade time:

"wizard": {
  "lastRunAt": "2026-05-03T05:12:20.790Z",
  "lastRunVersion": "2026.5.2",
  "lastRunCommand": "doctor",
  "lastRunMode": "local"
}

Impact

• Every provider that depends on env-sourced auth fails until secrets are restored. In our case: deepseek, anthropic, openrouter all returned FailoverError: No API key found for provider "..." for ~3 hours of production traffic before discovery.
• Cascading agent failures: model fallbacks trigger when primary is spotty; the fallback's auth then fails because the secret is gone; the agent's whole turn errors out.
• No recovery path without an operator backup.

Suggested fix

1. Preserve operator-customized keys. When the upgrade or doctor rewrites gateway.systemd.env, MERGE existing keys with new bundled defaults rather than replace. Existing keys win.
2. Always back up before rewrite. Drop a .bak.<timestamp> next to the file before overwriting.
3. Notify on rewrite. Log to journalctl that operator-customized keys were removed.

Environment

• OpenClaw version: 2026.4.29 → 2026.5.2 (build a448042)
• Node: v22.22.0
• OS: WSL2 Ubuntu on Windows 11 Pro 26200
• Install: npm global at /home/micha/.npm-global/lib/node_modules/openclaw
• Service: systemd user unit (openclaw-gateway.service)

Related

• Related but distinct: openclaw update silently drops user-added EnvironmentFile/Environment directives when regenerating systemd unit #66248 (systemd unit directives dropped on update — that's the unit file, this is the env file contents)
• Related: [Bug]: Linux Secrets Incontinuity - gateway install should use ~/.openclaw/.env as EnvironmentFile (or symlink) #53926 (Linux secrets incontinuity — install path, not upgrade wipe)
• Related: doctor --repair leaves gateway service PATH warning unresolved, with unclear canonical EnvironmentFile expectations #64115 (doctor --repair leaves EnvironmentFile expectations unclear)

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open: current main still writes gateway.systemd.env from generated state-dir .env entries without reading, merging, or backing up existing contents, and the open closing PR #76885 has not merged yet.

Reproducibility: yes. source-reproducible: create a state-dir .env, prepopulate gateway.systemd.env with extra provider keys, then call the systemd staging path; current main rewrites the file from dotenvVars only. I did not run a live WSL2 systemd upgrade in this read-only review.

Next step
No new repair job: #76885 is already an open closing PR for the same bug, so the maintainer next action is to review, land, or revise that PR.

Security
Needs attention: This issue affects a secret-bearing systemd EnvironmentFile, and current main can overwrite operator secrets without a merge or backup.

Review details

Best possible solution:

Make systemd env-file staging non-destructive by merging existing operator keys, preserving generated keys with clear precedence, backing up before content-changing writes, and adding regression coverage for doctor/update staging.

Do we have a high-confidence way to reproduce the issue?

Yes, source-reproducible: create a state-dir .env, prepopulate gateway.systemd.env with extra provider keys, then call the systemd staging path; current main rewrites the file from dotenvVars only. I did not run a live WSL2 systemd upgrade in this read-only review.

Is this the best way to solve the issue?

Yes, the narrow fix belongs in the systemd env-file writer and its doctor/update tests. The open PR #76885 is the right implementation candidate to review, but this issue should not close until a fix merges.

Security concerns:

• [high] Preserve secret EnvironmentFile contents before rewrites — src/daemon/systemd.ts:578
writeSystemdGatewayEnvironmentFile writes the secret-bearing gateway.systemd.env from generated entries only, so repair/update staging can destroy provider credentials that operators placed in the file.
  Confidence: 0.9

What I checked:

• Destructive writer still present: writeSystemdGatewayEnvironmentFile builds content only from dotenvVars and calls fs.writeFile on gateway.systemd.env, with no existing-file read, merge, or backup path. (src/daemon/systemd.ts:561, 1d34564de9ba)
• Doctor/update repair reaches the writer: In update repair mode, doctor stages the service through service.stage(...), which reaches the systemd writer using the generated environment plan. (src/commands/doctor-gateway-services.ts:590, 1d34564de9ba)
• Upgrade runs doctor with fix mode: The update runner invokes openclaw doctor --non-interactive --fix with OPENCLAW_UPDATE_IN_PROGRESS=1, matching the reporter's post-upgrade doctor path. (src/infra/update-runner.ts:1293, 1d34564de9ba)
• Regression coverage gap: Current systemd staging tests assert the generated env-file contents exactly equal the state-dir .env values, but do not cover preserving preexisting operator keys. (src/daemon/systemd.test.ts:750, 1d34564de9ba)
• Open paired fix PR: Provided GitHub context shows fix(daemon): preserve operator secrets in gateway.systemd.env on re-stage (#76860) #76885 is open, unmerged, and uses closing syntax for this issue; the issue should remain open until that PR or a replacement lands.

Likely related people:

• tmimmanuel: Commit metadata shows fix: avoid inline dotenv secrets in systemd unit during service repair (#66249) touched src/daemon/systemd.ts and its tests, directly adjacent to the current env-file staging behavior. (role: recent maintainer on central systemd writer; confidence: medium; commits: a2ab9e6a8e4c; files: src/daemon/systemd.ts, src/daemon/systemd.test.ts)
• steipete: Related daemon history includes env-file auth provenance and daemon install plan refactors across the doctor/systemd paths involved in this issue. (role: adjacent daemon/doctor maintainer; confidence: medium; commits: a2cb80b9c4be, c35f529fac4b; files: src/daemon/systemd.ts, src/daemon/systemd.test.ts, src/commands/doctor-gateway-services.ts)
• Kevin ONeill: Commit metadata shows prior work adding .env file vars to gateway service environment install planning, which feeds the same systemd service environment surface. (role: adjacent install-plan contributor; confidence: medium; commits: 77ec7b4adf3d; files: src/commands/daemon-install-helpers.ts, src/commands/daemon-install-helpers.test.ts)

Remaining risk / open question:

• The paired fix PR is still open, so current main and the latest release remain exposed until a fix lands.
• The issue asks for preservation, backup, and notification; PR review should verify the landed fix covers the intended recovery and operator-safety behavior.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1d34564de9ba.

[steipete]

Fixed by #76885, landed on main as f8f881f.

What changed:

• gateway.systemd.env is now merged with existing operator-owned entries instead of being rewritten from only state-dir .env keys.
• OpenClaw-managed inline keys are still cleared from the env file so stale file values cannot override fresh staging values.
• EnvironmentFile-backed provider secrets remain file-owned and are not re-rendered as inline Environment= entries during doctor/update repair.
• Regression coverage covers preserving operator secrets, empty incoming .env, stale inline-managed keys, and the install/doctor source-metadata path.

Verified with local focused tests plus Crabbox pnpm check:changed.