fix(daemon): harden launchd plist with umask 077

[liuxiaopai-ai]

Summary

• Problem: LaunchAgent plist regeneration during upgrades could drop Umask and revert daemon-created file permissions to world-readable defaults.
• Why it matters: Gateway state files created after update may be broader than intended until a later security audit/fix pass.
• What changed: Added a hardened default Umask=077 to generated macOS gateway LaunchAgent plist output.
• What changed: Added regression assertion to launchd install tests to lock Umask emission in generated plist.
• What did NOT change (scope boundary): No changes to launchctl lifecycle commands, non-macOS services, or environment-token handling logic.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]:LaunchD plist regeneration drops Umask — gateway writes world-readable files after update #31905
• Related fix(infra): actively kickstart launchd on supervised gateway restart #29078

User-visible / Behavior Changes

• openclaw gateway install on macOS now writes LaunchAgent plist entries with Umask set to 077 (decimal 63), preserving owner-only default file creation behavior after upgrades.

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS-targeted path (validated by unit tests)
• Runtime/container: daemon launchd service install path
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): default gateway install flow

Steps

1. Run LaunchAgent plist generation through daemon install path.
2. Inspect generated plist contents.
3. Verify KeepAlive/Throttle + new Umask key are present.

Expected

• Generated plist contains Umask with decimal value 63 (octal 077).

Actual

• Matches expected after patch.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

• Verified scenarios:
  • src/daemon/launchd.test.ts now asserts Umask exists in generated plist.
  • Existing launchd install/restart ordering assertions continue passing.
• Edge cases checked:
  • Non-macOS service paths untouched.
  • Existing plist fields (KeepAlive, ThrottleInterval, env dict) unaffected.
• What you did not verify:
  • Live end-to-end install on a macOS host in this PR run.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly:
  • Revert this commit.
• Files/config to restore:
  • src/daemon/launchd-plist.ts
  • src/daemon/launchd.test.ts
• Known bad symptoms reviewers should watch for:
  • Missing Umask key in newly generated LaunchAgent plist files.

Risks and Mitigations

• Risk: Some operators may expect permissive default file modes from launchd-managed gateway writes.
  • Mitigation: 077 is a security-hardening default aligned with existing owner-only expectations for gateway state; change is limited to macOS LaunchAgent generation.

[greptile-apps]

Greptile Summary

Adds Umask=077 (decimal 63) to macOS LaunchAgent plist generation to ensure gateway-created files default to owner-only permissions (mode 600) after upgrades. The change introduces a new constant LAUNCH_AGENT_UMASK_DECIMAL defined as 0o077 and adds the corresponding key-value pair to the plist template in buildLaunchAgentPlist().

Key changes:

• Added LAUNCH_AGENT_UMASK_DECIMAL = 0o077 constant in src/daemon/launchd-plist.ts
• Inserted <key>Umask</key> entry with decimal value 63 in generated plist XML
• Added regression test assertions to verify Umask presence in generated plists
• Updated CHANGELOG.md with appropriate entry

Security impact:

• Prevents gateway state files from being created with world-readable permissions after npm upgrades
• Aligns with security best practices for daemon-created files
• Only affects newly generated plists (backward compatible)

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The change is simple, well-tested, and implements a valid security hardening measure. The implementation correctly uses octal notation (0o077) for the constant while ensuring it's interpolated as decimal (63) in the plist. Test coverage includes regression assertions for both the key and value. The change is scoped appropriately to macOS LaunchAgent generation only and doesn't affect existing behavior or other platforms.
• No files require special attention

_{Last reviewed commit: d748b87}

[steipete]

Landed via temp rebase onto main.

• Gate: bunx vitest run src/daemon/launchd.test.ts
• Land commit: LAND_SHA_PLACEHOLDER
• Merge commit: MERGE_SHA_PLACEHOLDER

Thanks @liuxiaopai-ai!

[steipete]

Corrected SHA details for landed rebase flow:

• Gate: bunx vitest run src/daemon/launchd.test.ts
• Land commit: 49b6dc4
• Merge commit: 718d418

Thanks @liuxiaopai-ai!