openclaw backup create --verify exits 13, leaves corrupt .tmp archive; verifier also rejects older backup hardlinks

[mgonto]

• Version: OpenClaw 2026.5.28 (e932160)
• Command: openclaw backup create --output /home/gonto/backups/openclaw --verify
• Result: process exited 13 after ~2 min, leaving a partial .tmp archive.
• Only stderr:
  Warning: Detected unsettled top-level await at .../openclaw.mjs:653
• The leftover temp archive is corrupt: tar -tzf ends with:
  • gzip: stdin: unexpected end of file
  • tar: Unexpected EOF in archive
• Disk space was fine: /dev/sda1 had ~105GB free.
• Workaround: created a compatible archive manually and verified it successfully with openclaw backup verify (196,281 entries scanned).
• Additional verifier regression: a previous backup from 2026-05-04 now fails current openclaw backup verify with Archive hardlink target is outside the declared archive root....

Expected behavior:

• backup create --verify should either complete and verify a usable archive, or fail cleanly without leaving a corrupt temp archive.
• backup verify should keep verifying previously valid OpenClaw backup archives, including archives with internal hardlinks, as long as hardlink targets remain inside the archive root.

Notes:

• The manual workaround suggests the source data and available disk were not the blockers.
• The temp archive left by the failing command appears truncated rather than merely failing verification.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 1, 2026, 7:49 PM ET / 23:49 UTC.

Summary
Keep open: current main still has a plausible backup verifier regression for older internal hardlink entries, and the create failure is not proven fully fixed on main despite post-release backup-create changes.

Reproducibility: Do we have a high-confidence way to reproduce the issue? Partially: source inspection clearly shows the hardlink verifier path that can reject link targets before accepting the archive, but the exit-13 create failure was not reproduced under this read-only review.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.
• Include redacted logs or terminal output.

Next step
A focused repair lane can add hardlink regression coverage and audit temp cleanup, but should stop if reproducing the exit-13 path requires live user state or a broader backup redesign.

Review details

Best possible solution:

Keep this open for a narrow backup integrity fix that cleans temp output on create/verify failure and accepts valid internal hardlink targets without weakening archive traversal checks.

Do we have a high-confidence way to reproduce the issue?

Do we have a high-confidence way to reproduce the issue? Partially: source inspection clearly shows the hardlink verifier path that can reject link targets before accepting the archive, but the exit-13 create failure was not reproduced under this read-only review.

Is this the best way to solve the issue?

Is this the best way to solve the issue? Yes in direction: the maintainable path is a focused backup create/verify fix with regression tests, not a new CLI flag, config option, or broad restore redesign.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• The exact backup create --verify exit-13 path was not reproduced in this read-only review; current main has post-release backup-create changes that may reduce part of that failure but do not settle the hardlink verifier report.
• The safe hardlink fix needs care to preserve traversal and archive-root checks while accepting only valid internal targets.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 086274fd7e7a.

Label changes

Label changes:

• add P1: Backup creation and verification failure can break a real recovery workflow for users on the latest release.
• add impact:data-loss: The report concerns corrupt backup archives and rejection of previously valid backups, which can prevent recovery of user state.
• add issue-rating: 🐚 platinum hermit: Current issue advisory state selects this label.
• add clawsweeper:needs-live-repro: Current issue advisory state selects this label.

Label justifications:

• P1: Backup creation and verification failure can break a real recovery workflow for users on the latest release.
• impact:data-loss: The report concerns corrupt backup archives and rejection of previously valid backups, which can prevent recovery of user state.

Evidence reviewed

Acceptance criteria:

• node scripts/run-vitest.mjs src/commands/backup-verify.test.ts src/commands/backup.atomic.test.ts src/commands/backup.create-verify.test.ts src/cli/program/register.backup.test.ts
• git diff --check -- src/commands/backup-verify.ts src/infra/backup-create.ts src/commands/backup-verify.test.ts src/commands/backup.atomic.test.ts src/commands/backup.create-verify.test.ts src/cli/program/register.backup.test.ts

What I checked:

• Repository policy read: Read the full root policy and applied the deep review, read-only, source/history, current/shipped behavior, and scoped-docs guidance. (AGENTS.md:1, 086274fd7e7a)
• Live issue state: Live GitHub API shows this issue is open, has no protected labels or assignees, and only a ClawSweeper placeholder comment rather than substantive maintainer direction.
• Backup docs contract: The public backup docs say backup verify validates the archive layout and backup create --verify runs that validation immediately after writing the archive. Public docs: docs/cli/backup.md. (docs/cli/backup.md:31, 086274fd7e7a)
• Create-then-verify flow: backupCreateCommand creates the archive first, then calls backupVerifyCommand only after createBackupArchive returns. (src/commands/backup.ts:21, 086274fd7e7a)
• Current temp cleanup path: Current main writes to a randomized .tmp path, publishes after tar creation, and removes the temp path in a finally; this is relevant but does not by itself prove the reported exit-13 path cannot strand a temp file. (src/infra/backup-create.ts:636, 086274fd7e7a)
• Hardlink verifier behavior: Current verifier maps every tar hardlink linkpath through normalizeArchivePath, then rejects it unless the normalized target is inside the declared archive root and present in the entry set. (src/commands/backup-verify.ts:355, 086274fd7e7a)

Likely related people:

• jason-allen-oneal: GitHub file history shows the recent hardlink-target validation commits for the backup verifier. (role: recent backup verifier contributor; confidence: medium; commits: d8a2cd520405, 77d115761805; files: src/commands/backup-verify.ts, src/commands/backup-verify.test.ts)
• steipete: GitHub file history shows recent backup create/verify touches and committer history around the hardlink verifier and SQLite backup changes. (role: recent backup area contributor and committer; confidence: medium; commits: 1af4c035e4bc, 77d115761805; files: src/infra/backup-create.ts, src/commands/backup-verify.ts)
• vincentkoc: GitHub file history shows a recent backup verify manifest hardening change in the same verifier module. (role: recent backup verifier contributor; confidence: medium; commits: 865678eb6be7; files: src/commands/backup-verify.ts)
• shichangs: The original local backup CLI commit introduced the backup command surface later touched by this issue. (role: introduced backup CLI; confidence: medium; commits: 0ecfd37b4465; files: src/commands/backup.ts, src/infra/backup-create.ts, src/commands/backup-verify.ts)
• gumadeiras: GitHub file history shows co-authorship/review on the original backup CLI and later backup verify path validation hardening. (role: early backup hardening reviewer/contributor; confidence: medium; commits: 0ecfd37b4465, 09acbe65289d; files: src/commands/backup-verify.ts, src/infra/backup-create.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[mgonto]

Fresh live repro on current release:

• Version: OpenClaw 2026.6.1 (2e08f0f)
• Node: v22.22.0
• npm: 10.9.4
• Host: Ubuntu Linux 6.8.0-110-generic x86_64
• Disk was not the blocker: /dev/sda1 had ~90GB free after cleanup; ~98GB free before the attempts.

Commands attempted:

openclaw backup create --output /home/gonto/backups/openclaw --verify
openclaw backup create --output /home/gonto/backups/openclaw --verify --json
openclaw backup create --output /home/gonto/backups/openclaw --verify --no-include-workspace --json

All three failed the same way:

Warning: Detected unsettled top-level await at file:///home/gonto/.npm-global/lib/node_modules/openclaw/openclaw.mjs:653
    if (await tryImport("./dist/entry.js")) {
        ^

Observed details:

• Exit code: 13.
• Each failed run left a partial .tmp archive in the output directory.
• Temp archive sizes were around 1.6G each.
• --no-include-workspace still failed, so this was not just workspace size/content.
• Direct module invocation of dist/backup-create-CKOyWck9.js also failed with the same unsettled top-level-await warning, so this appears to be inside the JS tar/archive path rather than only the openclaw CLI command wrapper.

Dry-run source plan:

{
  "includeWorkspace": true,
  "assets": [
    {
      "kind": "state",
      "sourcePath": "/home/gonto/.openclaw",
      "displayPath": "~/.openclaw"
    }
  ],
  "skipped": [
    {
      "kind": "workspace",
      "displayPath": "~/.openclaw/workspace",
      "reason": "covered",
      "coveredBy": "~/.openclaw"
    }
  ]
}

Workaround used today:

• Created a manual tar.gz backup of ~/.openclaw with volatile exclusions.
• Verified it with sha256sum -c and tar -tzf.
• Moved the failed .tmp archives to trash.
• Kept the two newest real backups.

Note: I did not verify the manual fallback with openclaw backup verify; it was a recovery fallback for this live system after the official create path repeatedly failed.

[mgonto]

Applied the equivalent verifier patch from #89345 locally to the installed OpenClaw 2026.6.1 (2e08f0f) dist bundle and retested on the same live host.

Result:

• ✅ openclaw backup verify /home/gonto/backups/openclaw/2026-06-01T10-43-10.597Z-openclaw-backup.tar.gz --json now passes.
• It reports entryCount: 196281, assetCount: 1, runtime version in archive 2026.5.28.
• ❌ openclaw backup create --output /home/gonto/backups/openclaw --verify --json still fails with exit code 13 and the same warning:

Warning: Detected unsettled top-level await at file:///home/gonto/.npm-global/lib/node_modules/openclaw/openclaw.mjs:653
    if (await tryImport("./dist/entry.js")) {
        ^

It again left a partial .tmp archive around 1.6G; I moved it to trash after confirming the failure.

So #89345 appears to fix the backup verifier regression for the older archive, but it does not fix the separate backup create --verify / truncated-temp / unsettled-top-level-await failure.