
Fix NODE_EXTRA_CA_CERTS missing from LaunchAgent environment on macOS#22929

Closed
Clawborn wants to merge 1 commit into openclaw:main from Clawborn:fix/launchagent-node-extra-ca-certs

Conversation


@Clawborn Clawborn commented Feb 21, 2026

Problem

When OpenClaw runs as a macOS LaunchAgent (installed via openclaw gateway install), Node's undici/fetch cannot locate the system CA bundle because launchd does not inherit the shell environment. This causes TLS verification failures for all HTTPS connections (Telegram, webhooks, etc.), while the same gateway works fine in a foreground terminal session.

Root cause: buildServiceEnvironment and buildNodeServiceEnvironment in service-env.ts did not include NODE_EXTRA_CA_CERTS in the generated plist environment.

Fixes #22856.

Fix

Set NODE_EXTRA_CA_CERTS to /etc/ssl/cert.pem (the macOS system CA bundle) by default when building the service environment on macOS. A user-supplied NODE_EXTRA_CA_CERTS in the host environment always takes precedence.

The same default is applied to both buildServiceEnvironment (gateway) and buildNodeServiceEnvironment (node service) since both run under launchd on macOS.

Changes

  • src/daemon/service-env.ts: add NODE_EXTRA_CA_CERTS to the service environment on macOS, falling back to /etc/ssl/cert.pem when not set by the user
  • src/daemon/service-env.test.ts: add 4 tests covering the default and user-override cases for both environment builders
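The defaulting logic the PR describes, as an added example rather than the project's own service-env.ts: an environment builder that writes NODE_EXTRA_CA_CERTS only on macOS, lets a user-supplied value win, and renders the result as the plist dict launchd reads. Function names, the passthrough list and the stricter empty-value check are assumptions of this example.

```typescript
// Added example, not the project's service-env.ts. Models how a LaunchAgent
// environment can default NODE_EXTRA_CA_CERTS on macOS while a user-supplied
// value takes precedence. Names and the passthrough list are assumptions.

const MACOS_SYSTEM_CA_BUNDLE = "/etc/ssl/cert.pem";

// Variables launchd will not inherit from the login shell (assumed list;
// the proxy variables mirror the passthrough mentioned in the thread).
const PASSTHROUGH_KEYS = ["PATH", "HOME", "HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY"];

type HostEnv = Record<string, string | undefined>;

// Treat an unset or empty variable as "not provided". This is stricter than a
// plain `??`, which would copy an empty string into the plist unchanged.
function provided(value: string | undefined): value is string {
  return value !== undefined && value !== "";
}

// Builds the dictionary written under EnvironmentVariables in the plist.
// `platform` is passed explicitly (e.g. "darwin") so the logic is testable.
export function buildServiceEnvironment(hostEnv: HostEnv, platform: string): Record<string, string> {
  const env: Record<string, string> = {};
  for (const key of PASSTHROUGH_KEYS) {
    const value = hostEnv[key];
    if (provided(value)) env[key] = value;
  }
  const userBundle = hostEnv.NODE_EXTRA_CA_CERTS;
  if (platform === "darwin") {
    // Under launchd Node cannot locate the system roots on its own, so point
    // undici/fetch at the macOS bundle unless the user chose another file.
    env.NODE_EXTRA_CA_CERTS = provided(userBundle) ? userBundle : MACOS_SYSTEM_CA_BUNDLE;
  } else if (provided(userBundle)) {
    env.NODE_EXTRA_CA_CERTS = userBundle; // other platforms: passthrough only
  }
  return env;
}

// Renders the dict as plist XML, escaping values so a path containing
// '&' or '<' cannot break the document launchd parses.
export function renderEnvironmentVariables(env: Record<string, string>): string {
  const esc = (s: string) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
  const lines = ["<key>EnvironmentVariables</key>", "<dict>"];
  for (const [key, value] of Object.entries(env).sort(([a], [b]) => a.localeCompare(b))) {
    lines.push(`  <key>${esc(key)}</key>`, `  <string>${esc(value)}</string>`);
  }
  lines.push("</dict>");
  return lines.join("\n");
}
```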

Greptile Summary

Fixes TLS verification failures for HTTPS connections when OpenClaw runs as a macOS LaunchAgent by setting NODE_EXTRA_CA_CERTS to the macOS system CA bundle path (/etc/ssl/cert.pem). The issue occurs because launchd services don't inherit the shell environment, preventing Node's undici/fetch from locating system certificates.

  • Adds NODE_EXTRA_CA_CERTS environment variable to both buildServiceEnvironment and buildNodeServiceEnvironment functions
  • Defaults to /etc/ssl/cert.pem on macOS (Darwin platform only)
  • Respects user-provided NODE_EXTRA_CA_CERTS values as overrides
  • Includes comprehensive test coverage for both default behavior and user override scenarios

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The implementation is clean, well-tested, and narrowly scoped. It adds a single environment variable that only affects macOS LaunchAgent environments, uses the correct system CA bundle path, properly respects user overrides, and includes comprehensive test coverage for all scenarios. The fix directly addresses a documented issue without introducing any breaking changes or side effects.
  • No files require special attention

Last reviewed commit: 35c5a8e

launchd services do not inherit the shell environment, so Node's undici/fetch
cannot locate the macOS system CA bundle (/etc/ssl/cert.pem). This causes TLS
verification failures for all HTTPS requests (e.g. Telegram, webhooks) when the
gateway runs as a LaunchAgent, while the same gateway works fine in a terminal.

Add NODE_EXTRA_CA_CERTS defaulting to /etc/ssl/cert.pem on macOS in both
buildServiceEnvironment and buildNodeServiceEnvironment. User-supplied
NODE_EXTRA_CA_CERTS is always respected and takes precedence.

Fixes openclaw#22856

Co-authored-by: Clawborn <tianrun.yang103@gmail.com>

@arosstale arosstale left a comment


Correct fix for a well-known macOS launchd issue — services don't inherit the shell environment so Node's TLS stack can't find the system CA bundle. Defaulting to /etc/ssl/cert.pem (the macOS system root) when NODE_EXTRA_CA_CERTS is unset is the right approach. User-provided value is respected via ??. Tests cover both paths.


Lukavyi commented Feb 26, 2026

@steipete This fix is needed — the missing NODE_EXTRA_CA_CERTS in the LaunchAgent plist has broken my daemon startup multiple times during upgrades. Each time I update OpenClaw, the plist gets regenerated without it, Slack crashes the gateway with TLS errors, and I have to manually patch the plist to get the daemon running again.

The PR is approved and the approach is solid (default to /etc/ssl/cert.pem on macOS, respect user override). Just has merge conflicts that need resolving. Would be great to get this landed.


Lukavyi commented Feb 26, 2026

Rebased this with conflicts resolved and opened #27915. The only conflicts were with the proxy env passthrough from #27276 — both proxy vars and NODE_EXTRA_CA_CERTS now coexist. Build passes.

@steipete either PR works — whichever is easier to land.


obviyus commented Feb 27, 2026

Thanks for the PR. Superseded by #27915.

@obviyus obviyus closed this Feb 27, 2026

Labels

gateway Gateway runtime size: S


Development

Successfully merging this pull request may close these issues.

[Bug]: [Bug]: macOS LaunchAgent Telegram fails - Node.js TLS can't find CA certs

4 participants