Chore: add Dockerfile HEALTHCHECK and debug-log silent catch blocks

[U-C4N]

Summary

Added HEALTHCHECK to the Dockerfile and added debug logging to silent catch blocks in 3 files. No behavior changes.

lobster-biscuit

Why This Matters

HEALTHCHECK lets container orchestrators (Docker Compose, Swarm, K8s) detect an unresponsive gateway and restart it automatically. Uses Node 22 native
fetch() against the /health endpoint every 30s.

Silent catch blocks were making debugging harder. They now log via getLogger().debug() — crash behavior unchanged.

Tests

• pnpm build and pnpm check pass
• No new tests — logging-only and Dockerfile changes

Manual Testing

1. docker build -t openclaw-test . then docker inspect shows HEALTHCHECK
2. Debug logs only appear when actual errors occur during gateway operation

Evidence

• Dockerfile — added HEALTHCHECK
• src/infra/update-startup.ts — log update check failures
• src/agents/model-auth.ts — log auth profile resolution failures
• src/gateway/server-close.ts — log shutdown cleanup failures (pluginServices, configReloader, browserControl)

Telegram catch blocks (withTelegramApiErrorLogging already handles logging), media-understanding speculative JSON parse blocks, and cleanup/finally
blocks were intentionally left unchanged.

Greptile Overview

Greptile Summary

This PR adds a Dockerfile HEALTHCHECK that probes the gateway’s /health endpoint via Node’s built-in fetch(), and replaces a few silent catch {} blocks with getLogger().debug(...) calls in the auth profile resolver, gateway shutdown handler, and update check scheduler. The logging changes are localized and keep control flow the same; the main behavioral impact is the new container health probe, which will affect how orchestrators classify the service as healthy/unhealthy.

Confidence Score: 3/5

• This PR is mostly safe, but the Docker HEALTHCHECK may mark containers unhealthy depending on gateway /health auth behavior.
• The code changes are small and limited to logging, but the Dockerfile HEALTHCHECK introduces a new runtime contract with orchestrators. If /health requires auth under the default container config, the container will flap unhealthy and be restarted despite the gateway running normally.
• Dockerfile

_{(2/5) Greptile learns from your feedback when you react with thumbs up/down!}

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[openclaw-barnacle]

This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[vincentkoc]

Rebased this PR branch onto current main and resolved the healthcheck concern directly.

What changed:

• Rewrote PR head branch to current base (it was stale/no merge base with current main).
• Updated Dockerfile healthcheck to use the built-in unauthenticated HTTP probe endpoint:
  • GET http://127.0.0.1:18789/healthz

Current diff is now a single, mergeable Dockerfile change.