Silent port fallback on invalid --port in `node run` command

[davinci282828]

Severity: medium / Confidence: high / Category: bug
Triage: confirmed-bug
Detected against: openclaw v2026.5.18 (latest stable at time of scan, 2026-05-18)
Tooling: clawpatch 0.3.0 + acpx/claude-sonnet-4-5 via Brad Mills protocol

Evidence

• src/cli/node-cli/register.ts:15-16 (parsePortWithFallback)

function parsePortWithFallback(value: unknown, fallback: number): number {
  const parsed = parsePort(value);
  return parsed ?? fallback;
}

• src/cli/node-cli/register.ts:58-68 (None)

const port = parsePortWithFallback(opts.port, existing?.gateway?.port ?? 18789);
      await runNodeHost({
        gatewayHost: host,
        gatewayPort: port,

• src/cli/node-cli/daemon.ts:89-97 (runNodeDaemonInstall)

if (!Number.isFinite(port ?? Number.NaN) || (port ?? 0) <= 0 || (port ?? 0) > 65_535) {
    fail(
      opts.port !== undefined
        ? formatInvalidPortOption("--port")
        : formatInvalidConfigPort("node.gateway.port"),
    );
    return;
  }

Reasoning

The run subcommand uses parsePortWithFallback, which silently returns the fallback value (config port or 18789) when the supplied --port value is non-numeric or out of range. This means openclaw node run --port abc starts the node host on the fallback port with no diagnostic. The install subcommand validates the same value and calls fail with formatInvalidPortOption. A user who mis-types a port for run will get a silently wrong runtime address, which is hard to diagnose — especially when TLS fingerprinting or a NAT target is involved.

Reproduction

Run openclaw node run --port abc — the host starts on port 18789 without any error or warning.

Recommendation

Validate the port in the run action the same way runNodeDaemonInstall does: call parsePort, and if opts.port was provided but parsed as null, print an error and exit rather than falling back silently. The parsePortWithFallback helper should either be removed or renamed to parsePortWithSilentFallback to make the silent behavior explicit at each call-site.

Why existing tests miss this

No tests exist for this feature (the feature definition lists an empty tests array), so this path has never been exercised in a test environment.

Suggested regression test

In a Vitest unit test for registerNodeCli, invoke the run action with { port: 'abc' } and assert that runNodeHost is NOT called (or is called only after an error is surfaced), mirroring the existing validation contract in runNodeDaemonInstall.

Minimum fix scope

Add port validation to the run action handler in src/cli/node-cli/register.ts, matching the pattern in runNodeDaemonInstall.

---

Standardized clawpatch finding. Persistent in v2026.5.18 (not resolved by upgrading from v2026.5.12). Finding ID: fnd_sig-feat-cli-command-264278dce9-_0ae855a8ab.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Current main still has the reported CLI validation gap: invalid explicit --port values for openclaw node run fall through to the configured/default port, while sibling gateway and node install paths reject the same kind of input.

Reproducibility: yes. from source inspection: invalid explicit opts.port becomes null in parsePort, then parsePortWithFallback turns that into the config/default port before runNodeHost is called. I did not start the foreground node host during this read-only review.

Next step
This is a narrow, source-backed bug with clear files and a focused regression-test path; the companion test-gap issue at #83924 should be linked but does not need to block the fix.

Review details

Best possible solution:

Reject invalid explicit --port values in node run with the existing port-option diagnostic while preserving config/default fallback only when --port is omitted.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection: invalid explicit opts.port becomes null in parsePort, then parsePortWithFallback turns that into the config/default port before runNodeHost is called. I did not start the foreground node host during this read-only review.

Is this the best way to solve the issue?

Yes: the narrow maintainable fix is to split missing-port fallback from invalid explicit-port validation and reuse the existing formatInvalidPortOption("--port") behavior already used by adjacent commands.

Label justifications:

• P2: This is a normal CLI correctness bug with limited blast radius: mistyped node-host ports can launch against the wrong gateway address without a diagnostic.

Acceptance criteria:

• node scripts/run-vitest.mjs src/cli/node-cli/register.test.ts

What I checked:

• Current source: node run silently falls back: registerNodeCli calls parsePortWithFallback(opts.port, existing?.gateway?.port ?? 18789), and that helper returns the fallback whenever parsePort returns null. (src/cli/node-cli/register.ts:57, e9989f3a92e5)
• Current source: parsePort rejects invalid explicit values as null: parsePort returns null for undefined/null and for values rejected by parseStrictPositiveInteger; the node run helper does not distinguish missing input from invalid explicit input. (src/cli/shared/parse-port.ts:3, e9989f3a92e5)
• Sibling command contract: node install rejects invalid ports: runNodeDaemonInstall routes invalid explicit opts.port through formatInvalidPortOption("--port") and returns before installing or launching. (src/cli/node-cli/daemon.ts:98, e9989f3a92e5)
• Sibling command contract: gateway run rejects invalid ports: The gateway run path checks opts.port !== undefined && portOverride === null, emits formatInvalidPortOption("--port"), exits, and only then falls back to config for missing ports. (src/cli/gateway-cli/run.ts:531, e9989f3a92e5)
• Test gap on the implicated path: register.test.ts only checks that node start --json forwards the json option; there is no node run --port coverage around runNodeHost dispatch. (src/cli/node-cli/register.test.ts:35, e9989f3a92e5)
• Shipped behavior check: The v2026.5.18 tag contains the same parsePortWithFallback call in src/cli/node-cli/register.ts, so the latest stable release cited in the report has the same behavior. (src/cli/node-cli/register.ts:57, 50a2481652b6)

Likely related people:

• Takhoffman: git blame and git log --follow point the current src/cli/node-cli/register.ts and src/cli/node-cli/daemon.ts implementations, including the fallback helper and install validation contrast, to commit c92ebd6. (role: introduced current implementation; confidence: high; commits: c92ebd6a4104; files: src/cli/node-cli/register.ts, src/cli/node-cli/daemon.ts, src/cli/shared/parse-port.ts)

Remaining risk / open question:

• No live foreground openclaw node run process was started in this read-only review; the reproduction confidence comes from the direct source path and shipped-tag inspection.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e9989f3a92e5.