OpenClaw 2026.5.4 Gateway status/health inconsistency on WSL2: diagnostics report ok/listener, external checks show no listener and HTTP 000

[metalbladex4]

Summary

OpenClaw Gateway on WSL2 does not maintain a stable externally observable loopback listener on port 18789. Local socket and HTTP checks repeatedly report no listener and HTTP 000 for /healthz and /readyz, but the official diagnostics bundle can report Gateway status/health as ok/running with a loopback listener category.

Environment

• OpenClaw version: 2026.5.4 (325df3e)
• Runtime: WSL2 Ubuntu with nvm-backed Node
• Auth route category: openai-codex/*
• Gateway target: loopback-only, port 18789
• Public bind: not detected

Symptom

• Gateway service reports active/enabled in local reports.
• No stable listener on 127.0.0.1:18789 or [::1]:18789.
• /healthz returns HTTP 000.
• /readyz returns HTTP 000.
• Windows-to-WSL loopback works with a temporary Python server, so WSL forwarding and Windows firewall/Avast are not currently indicated as the primary cause.

Diagnostics Review

The official diagnostics export ZIP was reviewed locally using only sanitized files. No raw logs/config/tokens are included here.

Safe observations from the sanitized bundle:

• ZIP hash matched the expected local SHA256.
• Sanitized config parsed successfully.
• Gateway config category is local/loopback on port 18789 with Tailscale off.
• Sanitized status snapshot reports wrapper status ok, service running, bind host 127.0.0.1, port 18789, port busy, and listener count 1.
• Sanitized health snapshot reports wrapper status ok.
• Sanitized event-loop category is degraded.
• Sanitized plugin errors are present.
• Sanitized config audit has 3 recommended-level entries.
• Exact strings searched but not found: runtime-dependency, exception, plugin-runtime-deps, prestageGatewayBundledRuntimeDeps, npm install, ENOTEMPTY, gateway.startup_failed.

This means the previous runtime-dependency/startup-exception classification is only partially supported. The stronger current issue is a mismatch between independent local listener/HTTP checks and the status/health categories captured by OpenClaw diagnostics.

Attempts Already Made

• Controlled Gateway restart loop with delayed stabilization checks.
• systemctl --user daemon-reload plus restart.
• OpenClaw-managed gateway stop/start.
• Documented systemd user-service runtime hardening drop-in.
• Gateway-only uninstall/install refresh without --force.
• Stable update to OpenClaw 2026.5.4 plus Gateway refresh/start.
• Narrow plugin dependency inspection attempt; documented openclaw plugins deps command was not usable in installed 2026.5.4.
• Read-only doctor, diagnostics export, and stability evidence collection.
• Sanitized diagnostics ZIP review and issue-package preparation.

Safety Notes

• No public/LAN/Tailscale exposure was configured.
• No channels/webhooks/mobile/browser profiles were configured.
• No auth/model route changes were made during diagnostics.
• Raw logs/config/tokens are not included in this issue body.

Diagnostics Artifact

I have a local OpenClaw diagnostics export zip produced by:

openclaw gateway diagnostics export --json --output

The bundle is being treated as sensitive until manually reviewed. It can be attached or shared through an approved support channel if requested.

Local metadata:

• File name: openclaw-diagnostics.zip
• Size: 6046 bytes
• SHA256: 593A826D5DE9EFEAADEB41A4F2851DAF78421999AD17036388F1DB8E82814246

Questions

• Why can the diagnostics status/health snapshot report ok/running/listener while repeated independent socket and HTTP checks see no stable listener and HTTP 000?
• Is event-loop degraded plus plugin errors enough to explain this active/running but externally unreachable behavior?
• Is openclaw plugins deps expected to exist in 2026.5.4? Official docs reference it, but the installed CLI returned an unknown/unusable command category in local testing.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. This is a fresh, detailed Gateway reachability report on the latest stable release, and current main does not provide enough evidence to close it as fixed, duplicate, or support-only; source inspection shows the diagnostics export's status/health snapshots are not the same checks as independent HTTP /healthz and /readyz probes.

Reproducibility: no. not at high confidence. Source inspection shows why diagnostics status/health can differ from independent HTTP probes, but the WSL2 listener failure itself still needs the reporter's sanitized export or a current-main live reproduction.

Next step
Needs maintainer/live WSL2 diagnostic triage before a narrow autonomous fix is safe; the sensitive export is not attached and the root cause is not isolated.

Review details

Best possible solution:

Use this as a concrete WSL2 diagnostics/reachability tracker: inspect the sanitized export or reproduce live, then fix the root Gateway listener/event-loop/plugin-error cause or make diagnostics explicitly distinguish WS status/health from HTTP /healthz and /readyz reachability.

Do we have a high-confidence way to reproduce the issue?

No, not at high confidence. Source inspection shows why diagnostics status/health can differ from independent HTTP probes, but the WSL2 listener failure itself still needs the reporter's sanitized export or a current-main live reproduction.

Is this the best way to solve the issue?

Unclear. Closing is not supported, and a repair PR would be speculative until maintainers compare the diagnostics bundle timing with live socket/HTTP probes and identify whether the root is listener lifecycle, event-loop starvation, plugin startup errors, or documentation drift.

Acceptance criteria:

• Run a WSL2/latest-main or latest-release Gateway with loopback bind on port 18789, then sample ss -ltnp, curl -sv -m 5 http://127.0.0.1:18789/healthz, curl -sv -m 5 http://127.0.0.1:18789/readyz, openclaw gateway status --deep --require-rpc --json, and openclaw gateway diagnostics export --json during the same failure window.
• If a code fix is scoped, run targeted Gateway status/HTTP probe tests such as pnpm test src/gateway/server-http.probe.test.ts src/commands/gateway-status.test.ts src/cli/daemon-cli/status.gather.test.ts plus the changed gate in Testbox.

What I checked:

• issue-context: The issue reports WSL2 Ubuntu on OpenClaw 2026.5.4 with no stable 127.0.0.1/[::1]:18789 listener and HTTP 000 for /healthz and /readyz, while the sanitized diagnostics bundle reportedly showed service running, port busy, listener count 1, health ok, degraded event loop, and plugin errors.
• diagnostics-export-status-vs-health: gateway diagnostics export captures a daemon status snapshot via gatherDaemonStatus({ probe: true, requireRpc: false }) and a separate Gateway RPC health snapshot; it does not directly run HTTP /healthz or /readyz probes for the health file. (src/cli/gateway-cli/register.ts:363, 8489d0eb6847)
• support-bundle-snapshot-files: The support export writes status and health snapshots into separate files, so the reported bundle shape matches current main's export design. (src/logging/diagnostic-support-export.ts:571, 8489d0eb6847)
• status-port-and-ws-probe-path: Daemon status inspects OS port usage, then runs a WebSocket status probe against the resolved Gateway URL; this explains why its result can differ from a later independent HTTP curl sample if timing, event-loop blocking, TLS, or listener ownership changes. (src/cli/daemon-cli/status.gather.ts:469, 8489d0eb6847)
• http-probe-contract: The docs define /healthz as an HTTP liveness endpoint and /readyz as a stricter HTTP readiness endpoint, while gateway status only proves service state, WebSocket connect, and handshake auth by default. Public docs: docs/cli/gateway.md. (docs/cli/gateway.md:159, 8489d0eb6847)
• http-probe-routing: Current main registers /health, /healthz, /ready, and /readyz as Gateway HTTP probe paths, so failures on those endpoints remain relevant to Gateway listener/HTTP responsiveness. (src/gateway/server-http.ts:143, 8489d0eb6847)

Likely related people:

• @vincentkoc: Changelog history credits substantial Gateway performance, diagnostics, status, plugin/update, and event-loop-adjacent work; related ClawSweeper review history also routes Gateway HTTP/status responsiveness to this owner area. (role: adjacent gateway diagnostics and responsiveness maintainer; confidence: medium; commits: 1497425b8dbb, 04be516926da, c7d77f8c7b93; files: src/gateway/server-http.ts, docs/cli/gateway.md, docs/gateway/diagnostics.md)
• @steipete: Local blame for the inspected diagnostics/status files points to the current source snapshot commit by Peter Steinberger, and the reported affected release v2026.5.4 is also in recent release history by the same maintainer; local provenance is shallow/grafted, so route confidence is medium rather than blame-specific. (role: recent maintainer and current source snapshot/release owner; confidence: medium; commits: c744b2c236b2, 325df3efefe9; files: src/cli/gateway-cli/register.ts, src/logging/diagnostic-support-export.ts, src/cli/daemon-cli/status.gather.ts)
• @shakkernerd: Changelog entries credit Gateway/status false-positive event-loop degradation tuning and supervisor restart handoff diagnostics, both near the status/health inconsistency surface in this report. (role: adjacent status and diagnostics maintainer; confidence: medium; commits: 097eed8cd8b4, e69da9d5781c; files: src/gateway/server/event-loop-health.ts, src/cli/daemon-cli/status.gather.ts, docs/gateway/diagnostics.md)
• @joshavant: The current changelog credits degraded transport and gateway event-loop starvation signals in status surfaces, which overlaps the report's degraded event-loop/status mismatch symptoms. (role: adjacent event-loop signal contributor; confidence: low; files: CHANGELOG.md, src/cli/daemon-cli/status.gather.ts, src/gateway/server/event-loop-health.ts)

Remaining risk / open question:

• The sanitized diagnostics zip is not attached, so timestamp ordering between the status/health snapshot and the independent curl/socket checks cannot be verified from the repository alone.
• No WSL2 live reproduction was run against current main, and the exact listener disappearance could still be timing, process ownership, TLS/config drift, WSL forwarding, or event-loop starvation.
• Related Gateway HTTP/WS dispatch deadlock on Windows + Docker Desktop bind-mount setups (regression in 2026.4.24, persists in .25 and .26) #73874 may share an event-loop starvation root, but the WSL2 no-listener/diagnostics mismatch is not proven to be the same failure mode.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8489d0eb6847.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/25413624013
• Updated: 2026-05-06T02:51:11.596Z

[metalbladex4]

Thanks, ClawSweeper. I captured the requested same-window diagnostics in a single quick sequence.

Same-window capture:

• Timestamp window: 2026-05-06T18:27:50Z to 2026-05-06T18:27:58Z
• ss -ltnp: loopback listener present on port 18789
• Public bind on port 18789: no
• /healthz: HTTP 200
• /readyz: HTTP 200
• openclaw gateway status --deep --require-rpc --json: command succeeded; safe category was service active/running, RPC ok, Gateway loopback, port busy, status listener count 1
• openclaw gateway diagnostics export --json: command succeeded
• Diagnostics ZIP: created locally, 6170 bytes, SHA256 A8A91F926B3AA0C891EF9427E5551B83078EE6E27FA8531E6F467DCA5C7A43A9
• Sensitive-like output detected by local classifier: no

The same-window mismatch did not reproduce in this capture: external socket/HTTP checks and --require-rpc status agreed as healthy in the same window.

I am not attaching the diagnostics ZIP or pasting raw diagnostics/logs/config here. The raw capture files and ZIP are retained locally in an ignored diagnostics folder for manual review if you need a specific sanitized excerpt or attachment later.