respawnGatewayProcessForUpdate falsely reports mode=supervised on macOS when XPC_SERVICE_NAME is inherited from a launchd-managed parent

[richardmqq]

Summary

On macOS, respawnGatewayProcessForUpdate() (and restartGatewayProcessWithFreshPid()) trusts detectRespawnSupervisor() to decide whether launchd will restart the gateway. The detector returns "launchd" if any of LAUNCH_JOB_LABEL, LAUNCH_JOB_NAME, XPC_SERVICE_NAME, or OPENCLAW_LAUNCHD_LABEL is set.

But XPC_SERVICE_NAME is inherited by any child process of a launchd-managed parent. When OpenClaw's GUI app (ai.openclaw.mac) spawns the gateway as a child — or any custom supervisor inherits launchd env from its own parent — the gateway misidentifies itself as launchd-supervised.

Result: gateway writes a gateway-supervisor-restart-handoff.json with supervisorMode: "launchd" and exits cleanly, expecting launchd to restart it. But launchd has no ai.openclaw.gateway service registered (only ai.openclaw.mac for the parent). The gateway never comes back.

Environment

• OpenClaw: confirmed in 2026.5.19 (where I first hit it) and verified still present in 2026.5.20 (currently installed) by reading dist/supervisor-markers-B5EgETF5.js and dist/cli/gateway-lifecycle.runtime.js.
• Node: 25.x
• OS: macOS 15 (Darwin 25.4)
• Trigger: any user running the OpenClaw GUI app whose ai.openclaw.gateway LaunchAgent has been unloaded (e.g. by a prior mode=reload restart script that did launchctl bootout + a failed launchctl bootstrap, or by doctor's legacy-service cleanup). Trigger event: any SIGUSR1 / update.run restart, even a dry-run status=skipped one.

Code-level trace (against 2026.5.20)

dist/supervisor-markers-B5EgETF5.js:

const SUPERVISOR_HINTS = {
  launchd: ["LAUNCH_JOB_LABEL", "LAUNCH_JOB_NAME", "XPC_SERVICE_NAME", "OPENCLAW_LAUNCHD_LABEL"],
  // ...
};
function detectRespawnSupervisor(env = process.env, platform = process.platform) {
  if (platform === "darwin") return hasAnyHint(env, SUPERVISOR_HINTS.launchd) ? "launchd" : null;
  // ...
}

dist/cli/gateway-lifecycle.runtime.js:

function respawnGatewayProcessForUpdate(opts = {}) {
  if (isTruthy(process.env.OPENCLAW_NO_RESPAWN)) return { mode: "disabled", detail: "OPENCLAW_NO_RESPAWN" };
  const supervisor = detectRespawnSupervisor(process.env);
  if (supervisor) {
    if (supervisor === "schtasks") { /* ... */ }
    return { mode: "supervised" };  // ← false positive on darwin
  }
  // fallback: spawnDetachedGatewayProcess(...)
}

Observed sequence

09:32:30  update.run dry-run: current 2026.5.19 → target 2026.5.20, status=skipped
09:32:47  gateway PID 84633 receives SIGUSR1
09:33:17  drain timeout (2 tasks + 1 embedded run still active)
09:33:18  shutdown completed cleanly; "restart mode: update process respawn (supervisor restart)"
          → writes handoff.json with supervisorMode=launchd, sleeps 1500ms, exit(0)
[gap]     launchd does NOT restart anything (no ai.openclaw.gateway service registered)
09:33:21  OpenClaw GUI app fallback-spawns a new gateway child (PPID = GUI app, XPC inherited)
09:33:24  new gateway calls cleanStaleGatewayProcessesSync, kills PID 15647 (leftover on :18789)
09:33:57  another banner — yet another spawn, but hits the same bug, exits
[after]   no further gateway log entries; gateway is gone for ~2.5h until I manually
          `launchctl bootstrap`ed ai.openclaw.gateway.plist

Why this matters

Catastrophic and silent: the user's chat bots, agents, and integrations all go offline with no error visible to the gateway operator. Recovery requires CLI/launchctl knowledge to discover the service is unloaded.

Proposed fix

In src/infra/supervisor-markers.ts, narrow darwin detection to OpenClaw's own explicit marker so inherited generic launchd env vars don't trigger a false positive:

function detectRespawnSupervisor(env, platform) {
  if (platform === "darwin") {
    // Only trust the openclaw-specific marker; XPC_SERVICE_NAME and friends
    // are inherited by any child of a launchd-managed process and do not
    // mean *this* process is registered as a launchd service.
    return env.OPENCLAW_LAUNCHD_LABEL?.trim() ? "launchd" : null;
  }
  // ...
}

For belt-and-suspenders: before returning "launchd", optionally verify the service is actually registered via launchctl print "gui/$(id -u)/$LABEL".

Operators who run gateway under launchd should ensure ai.openclaw.gateway.plist sets OPENCLAW_LAUNCHD_LABEL=ai.openclaw.gateway in its EnvironmentVariables. Worth adding this to the bundled plist generator too, so the marker is set by default.

Related (not duplicates)

• gateway restart/update can fail to come back when respawn reuses unstable package-manager paths #52313 (open) — covers the unmanaged / spawned path: pnpm versioned realpaths becoming unstable after self-update. This issue is the opposite direction: the supervised path falsely chosen.
• [Bug]: SIGUSR1/config.patch restart orphans gateway under custom supervisors → EADDRINUSE crash loop (workaround: OPENCLAW_NO_RESPAWN=1) #65668 (closed) — covers detectRespawnSupervisor returning null under a custom supervisor, leading to orphan + EADDRINUSE. This issue is detectRespawnSupervisor returning "launchd" when it shouldn't.

Workaround

Set OPENCLAW_NO_RESPAWN=1 to force in-process restart (loses the fresh-module-graph benefit on real update.run upgrades, but survives spurious dry-run restarts).

Or: make sure ai.openclaw.gateway is bootstrapped into launchd before relying on update-triggered restarts.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main and the latest shipped tag still classify inherited macOS XPC_SERVICE_NAME as launchd supervision, so the reported supervised-exit path is source-reproducible and needs a narrow fix.

Reproducibility: yes. for a source-level reproduction: Darwin plus only XPC_SERVICE_NAME currently returns launchd, and the respawn helpers then take the supervised-exit path. A live macOS launchd reproduction was not run in this read-only review.

Next step
This is a narrow, source-reproducible gateway lifecycle bug with clear implementation and regression-test targets.

Review details

Best possible solution:

Narrow Darwin respawn-supervisor detection to OpenClaw’s explicit gateway launchd identity, preserve the generated OPENCLAW_LAUNCHD_LABEL LaunchAgent path, and add regression tests for inherited XPC_SERVICE_NAME.

Do we have a high-confidence way to reproduce the issue?

Yes for a source-level reproduction: Darwin plus only XPC_SERVICE_NAME currently returns launchd, and the respawn helpers then take the supervised-exit path. A live macOS launchd reproduction was not run in this read-only review.

Is this the best way to solve the issue?

Yes, the proposed direction is the narrowest maintainable fix if scoped to respawn-supervisor detection: trust the existing OpenClaw-owned launchd marker for real gateway services and stop using generic inherited XPC state as proof of supervision.

Label changes:

• add P1: A gateway update/restart can leave macOS users without a running gateway until manual LaunchAgent recovery.
• add impact:crash-loop: The report concerns gateway process availability during SIGUSR1 and update restart flows.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P1: A gateway update/restart can leave macOS users without a running gateway until manual LaunchAgent recovery.
• impact:crash-loop: The report concerns gateway process availability during SIGUSR1 and update restart flows.

Acceptance criteria:

• node scripts/run-vitest.mjs src/infra/supervisor-markers.test.ts src/infra/process-respawn.test.ts
• node scripts/run-vitest.mjs src/daemon/service-env.test.ts
• node scripts/crabbox-wrapper.mjs run --shell -- "pnpm check:changed"

What I checked:

• Current detector treats XPC as launchd: On Darwin, detectRespawnSupervisor returns launchd when any launchd hint is non-blank, and the hint list includes XPC_SERVICE_NAME. (src/infra/supervisor-markers.ts:1, 229490a48924)
• Update respawn exits for any detected supervisor: respawnGatewayProcessForUpdate calls the detector and returns mode: "supervised" whenever a supervisor is present, without proving the gateway LaunchAgent is loaded. (src/infra/process-respawn.ts:100, 229490a48924)
• Run loop writes launchd handoff then exits: The update restart path writes the gateway restart handoff and exits after the supervised result, with an extra launchd delay when the supervisor mode is launchd. (src/cli/gateway-cli/run-loop.ts:206, 229490a48924)
• Existing tests encode the false-positive behavior: process-respawn.test.ts currently expects Darwin plus XPC_SERVICE_NAME to return supervised, so the regression test target is concrete. (src/infra/process-respawn.test.ts:126, 229490a48924)
• Stock service environments already carry an explicit marker: Generated gateway service environments set OPENCLAW_LAUNCHD_LABEL, which gives a safer OpenClaw-owned marker for real LaunchAgent supervision. (src/daemon/service-env.ts:394, 229490a48924)
• Documented update contract expects managed-service recovery: The update docs say macOS package updates verify the LaunchAgent and recover an installed-but-unloaded LaunchAgent when possible, which conflicts with silently trusting inherited XPC state. Public docs: docs/cli/update.md. (docs/cli/update.md:119, 229490a48924)

Likely related people:

• Thomas Krohnfuß: Current blame attributes src/infra/supervisor-markers.ts and src/infra/process-respawn.ts to commit 98af517. (role: recent area contributor; confidence: medium; commits: 98af51748d19; files: src/infra/supervisor-markers.ts, src/infra/process-respawn.ts)
• Peter Steinberger: The v2026.5.20 release commit contains the same respawn/supervisor files, and nearby history shows launchd restart work such as fix(gateway): use launchd KeepAlive restarts. (role: adjacent release and launchd contributor; confidence: medium; commits: e510042870cf, a65ab607c746; files: src/infra/process-respawn.ts, src/infra/supervisor-markers.ts, src/cli/gateway-cli/run-loop.ts)
• Nimrod Gutman: History around launchd compatibility scenarios includes launchd lifecycle test work, which is relevant for validating the macOS service edge case. (role: adjacent launchd test contributor; confidence: low; commits: 4d2fdb9f71af, eebad7a372e3; files: src/daemon/launchd.test.ts, src/daemon/launchd.ts)

Remaining risk / open question:

• No live macOS launchd/GUI inherited-XPC run was performed in this read-only review, so the outage sequence is proven from source rather than end-to-end replayed.
• The fix must avoid breaking other launchd cleanup paths that intentionally inspect LAUNCH_JOB_LABEL or XPC_SERVICE_NAME for update-job cleanup rather than respawn supervision.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 229490a48924.