[Bug]: Config file concurrent write race truncates openclaw.json to 61 bytes

[q1387154-spec]

Bug: Config file concurrent write race truncates openclaw.json

What happened

When the Gateway daemon and a CLI tool (or two Gateway processes) write ~/.openclaw/openclaw.json concurrently, the file can be truncated to ~61 bytes, corrupting the entire configuration and causing service interruption.

Environment

• OpenClaw: 2026.5.28 (e932160)
• OS: Windows 10.0.26200 (x64)
• Node: v24.16.0

Reproduction

1. Have Gateway running (it writes config on hot-reload/restart)
2. Trigger a CLI config write at the same time (e.g., openclaw config patch or a gateway tool call from an agent session)
3. Observe openclaw.json truncated to ~61 bytes

This has been observed at least twice in production use.

Root cause analysis

The config write uses an atomic-write pattern (write temp, fsync, rename), but there is no file-level locking to prevent two writers from racing. When both writers read the file at nearly the same time, one write overwrites the other's changes. In worst case, the temp file rename races with a read, producing a truncated file.

The missing-meta-before-write log entries on every config read suggest the meta field is stripped during reads, compounding the data loss.

Suggested fix

Add a proper file lock (e.g., proper-lockfile npm package) around all config read-modify-write operations in both the Gateway daemon and CLI tools. The lock should be:

• Acquired before reading the config file
• Held through the entire read-modify-write cycle
• Released after the atomic rename completes

Impact

• Severity: P0 — complete config loss, service interruption
• Frequency: Rare but reproducible under concurrent access
• Affected: All platforms (observed on Windows, likely affects Linux/macOS too)

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 2, 2026, 1:22 AM ET / 05:22 UTC.

Summary
Keep open: the report describes fresh production config data loss on the latest release, and current main's normal config mutation paths are already locked, but that same lock is present in the latest release, so the observed 61-byte truncation is not proven fixed.

Reproducibility: no. the report gives plausible timing steps and production observations, but I did not establish a current-main reproduction and the normal config write paths already use the locked mutation API.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.

Next step
This needs maintainer/debug review before an automated fix because the obvious lock path is already present in current main and in the reported release.

Review details

Best possible solution:

Keep this as a core stability bug until maintainers can reproduce or isolate the remaining config writer/atomic-write failure, then add targeted locking or recovery coverage for the exact concurrent Gateway/CLI path.

Do we have a high-confidence way to reproduce the issue?

No; the report gives plausible timing steps and production observations, but I did not establish a current-main reproduction and the normal config write paths already use the locked mutation API.

Is this the best way to solve the issue?

Unclear; file-level locking is the right class of fix, but current main and the latest release already lock the normal mutation path, so the next fix should first identify the bypass or Windows atomic-write failure.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• The reported Windows/current-release truncation was not reproduced in this read-only review.
• The normal write paths already have locking, so a repair first needs to isolate the remaining writer, lower-level atomic-write behavior, or recovery path rather than assuming the reported root cause is complete.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6883351085c3.

Label changes

Label changes:

• add P0: The issue reports complete openclaw.json corruption and service interruption on a current release.
• add impact:data-loss: The reported failure truncates the user's persistent OpenClaw configuration.
• add impact:crash-loop: A corrupted config can interrupt Gateway availability and startup/reload behavior.
• add issue-rating: 🦪 silver shellfish: Current issue advisory state selects this label.
• add clawsweeper:needs-info: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.

Label justifications:

• P0: The issue reports complete openclaw.json corruption and service interruption on a current release.
• impact:data-loss: The reported failure truncates the user's persistent OpenClaw configuration.
• impact:crash-loop: A corrupted config can interrupt Gateway availability and startup/reload behavior.

Evidence reviewed

What I checked:

• Issue report: The reporter says OpenClaw 2026.5.28 on Windows 10 truncated ~/.openclaw/openclaw.json to about 61 bytes during concurrent Gateway/CLI or Gateway/Gateway config writes, observed at least twice in production.
• Repository policy read: Root policy was read fully; it treats config loading/writes, persisted preferences, and upgrade behavior as compatibility-sensitive core surfaces. (AGENTS.md:1, 6883351085c3)
• Current mutation lock: Current main serializes config mutations through an in-process queue and cross-process withFileLock around the read/transform/write callback. (src/config/mutate.ts:149, 6883351085c3)
• Gateway write path: Gateway config.patch/config.apply persistence calls replaceConfigFile, so the normal gateway tool path should use the locked mutation API. (src/gateway/server-methods/config-write-flow.ts:222, 6883351085c3)
• CLI write paths: openclaw config set/patch/unset all call replaceConfigFile, so the named CLI examples also route through the locked mutation API. (src/cli/config-cli.ts:2174, 6883351085c3)
• Agent add write path: openclaw agents add transforms the latest config through transformConfigWithPendingPluginInstalls, which is built on the config mutation path rather than a raw write. (src/commands/agents.commands.add.ts:173, 6883351085c3)

Likely related people:

• Vincent Koc: Local blame/log history attributes the current config mutation lock, root writer, CLI config writes, Gateway config write flow, and agents-add config mutation path to commit 2f92fddef088e5d8d959614863f0629d49e5284b; older ownership is obscured by the grafted checkout. (role: recent area contributor; confidence: medium; commits: 2f92fddef088; files: src/config/mutate.ts, src/config/io.ts, src/cli/config-cli.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.