fix(config): serialize async config writes to prevent data loss on startup

[sahancava]

Summary

Describe the problem and fix in 2–5 bullets:

• Problem: When OpenClaw Gateway restarts or encounters a connection error, the configuration file (openclaw.json) can be wiped or truncated down to a minimal skeleton (~10 lines), resulting in data loss.
• Why it matters: This causes the Gateway to fail startup with a "Gateway start blocked" error and forces users to rebuild their configuration manually.
• What changed:
  • Introduced a sequential configWriteQueue in src/config/io.ts to strictly serialize config disk writes.
  • Refactored the ownerDisplaySecret auto-persist routine to perform an atomic read-modify-write inside the queue lock, rather than computing a merge patch using a stale config snapshot.
  • Replaced .loadConfig() with .readConfigFileSnapshotForWrite() during secrets persistence to avoid permanently baking ephemeral runtime overrides.
  • Captured createConfigIO() and runtimeConfigSnapshot state before entering the write queue to prevent execution-time path or environment shifts.
  • Preserved retry semantics for auto-secrets by utilizing explicit rejection (throw Error) instead of silently returning on invalid snapshots.
  • Prevented queued writes from reviving cleared runtime snapshots by rigorously re-checking live global states (runtimeConfigSnapshot).
• What did NOT change (scope boundary): The structure of OpenClawConfig, JSON patching mechanisms (merge patch), and general config parsing behavior remain untouched.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: Config file wiped on Gateway restart #40410

User-visible / Behavior Changes

Users will no longer lose their ~/.openclaw/openclaw.json configuration file when restarting the Gateway or restarting their system. No defaults or config schemas were changed.

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: Linux (Ubuntu/Debian) / macOS
• Runtime/container: Node.js 24.x
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): Any configuration with existing keys (e.g., gateway.port, gateway.auth)

Steps

1. Wait for Gateway to start with a working, populated OpenClaw configuration file.
2. Restart the system or restart the OpenClaw Gateway.
3. Observe the ~/.openclaw/openclaw.json file.

Expected

• The configuration file properties (such as existing auth configuration and port) remain intact.

Actual

• Prior to this PR: The configuration file is overwritten with a nearly empty file containing only the ownerDisplaySecret and basic defaults.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

(Note: Added src/config/io.write-config-queue.test.ts to reproduce the race condition exactly. The tests pass with this fix).

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: Ran targeted tests confirming sequential module-level writes do not corrupt configuration.
• Edge cases checked: Simulated the exact ownerDisplaySecret pattern with concurrent writeConfigFile calls to verify the stale snapshot issue is fully mitigated by the internal queue lock.
• What you did not verify: I did not manually verify the Windows scheduling behavior, as the fix resides at the platform-agnostic config file I/O layer.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Migration needed? No
• If yes, exact upgrade steps: N/A

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: Revert this specific PR commit.
• Files/config to restore: Any previously backed up openclaw.json.
• Known bad symptoms reviewers should watch for: Deadlocks or hangs during early Gateway startup (if the write queue resolves incorrectly).

Risks and Mitigations

• Risk: The write queue promise (configWriteQueue) could theoretically deadlock if a config write throws a catastrophic unhandled error without resolving.
  • Mitigation: The queue explicitly attaches a .finally() (via .then(success, failure)) to catch any thrown errors and properly advance the queue to the next write operation, ensuring no deadlocks ever occur.

[greptile-apps]

Greptile Summary

This PR fixes a config data-loss bug (#40410) where openclaw.json was truncated to ~10 lines on Gateway restart. The root cause was a concurrent read-modify-write race: the async ownerDisplaySecret auto-persist routine captured a stale config snapshot at load time, then the resulting write clobbered any concurrent writes (e.g., auth token bootstrap) that had landed on disk in the interim.

What changed:

• A module-level configWriteQueue promise chain (enqueueConfigWrite) is introduced to serialize all writeConfigFile calls, preventing concurrent rename races.
• The ownerDisplaySecret auto-persist routine now performs an atomic read-modify-write inside the queue (via freshIo.loadConfig() + freshIo.writeConfigFile()), so it always sees the latest disk state after any prior writes complete.
• The module-level writeConfigFile export is wrapped in enqueueConfigWrite, so all callers automatically benefit from serialization with zero API changes.
• A new test file (io.write-config-queue.test.ts) reproduces the original race condition and verifies the fix.

Concerns:

• The rejection handler fn in configWriteQueue.then(fn, fn) is unreachable dead code because configWriteQueue is unconditionally kept as a resolved promise — consider simplifying to configWriteQueue.then(fn).
• The ownerDisplaySecret path calls freshIo.writeConfigFile (instance method) which intentionally bypasses runtimeConfigSnapshot refresh and refreshHandler.refresh(). This is safe today but is an undocumented behavioral divergence from the previous code path that could silently break future callers relying on per-write snapshot/refresh guarantees.

Confidence Score: 4/5

• This PR is safe to merge — it directly fixes a data-loss bug with a well-scoped, backward-compatible change. The queue implementation is correct and deadlock-free.
• The core fix (serializing writes via enqueueConfigWrite and re-reading inside the queue for the ownerDisplaySecret path) is logically sound and correctly addresses the race condition. The two flagged concerns — the dead rejection handler and the undocumented bypass of runtime snapshot refresh — are documentation/style issues rather than correctness bugs in the current usage. No API contracts or config schemas changed, and the fix is confined to the config I/O layer.
• Pay close attention to src/config/io.ts lines 826–831 (the ownerDisplaySecret inner-queue write path) if the refreshHandler contract is ever extended to require per-write notification.

_{Last reviewed commit: f1063a7}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: aa9b3c5bbe

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b5df3f4811

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1368ae87d6

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cc28c670d5

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[sahancava]

The two failing CI checks appear unrelated to this PR.

This PR only changes:

• src/config/io.ts
• src/config/io.write-config-queue.test.ts

The failing checks are in other areas (including Windows/secrets-related tests), and I was able to reproduce them independently of this change. I kept this PR scoped to the config write bugfix only.

[sahancava]

I also updated/synced the branch, and these two failures still appear unrelated to the config write fix in this PR.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9e0dc138c9

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 333c48d6ac

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fb38add833

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f2dad578a3

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6c50fc473b

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 568295217f

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[openclaw-barnacle]

This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[clawsweeper]

Thanks for the context here. I did a careful shell check against current main, and this is already implemented.

Close as implemented on main: the underlying config-wipe data-loss symptom is now covered by shipped destructive-write rejection and last-known-good recovery in v2026.4.29, and the stale branch would regress current writer contracts if merged as-is.

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review details

Best possible solution:

Keep the shipped config clobber guard and recovery path; if write serialization is still desired, open a fresh PR built around the current module writer contracts.

Do we have a high-confidence way to reproduce the issue?

Yes. The linked bug gives a concrete restart/truncation path with a sharp size drop and missing gateway.mode, and current main has focused tests/docs for rejecting or recovering that class of clobber.

Is this the best way to solve the issue?

No for this PR as-is. A queue could be revisited, but merging this stale wrapper would bypass current writer safety, refresh, and notification contracts that now solve the user-facing data-loss problem.

Security review:

Security review cleared: The diff is limited to config persistence and regression tests, with no dependency, workflow, package, download, or new secret-access surface.

What I checked:

• Current main rejects destructive config writes: Module-level config writes compute suspicious size-drop and gateway-mode-removal reasons, then reject blocking writes with CONFIG_WRITE_REJECTED before replacing openclaw.json. (src/config/io.ts:2168, ac607044f1ff)
• Current tests preserve the original file on clobber attempts: The regression test asserts a destructive internal write rejects with CONFIG_WRITE_REJECTED, leaves the original file unchanged, and saves a .rejected payload for inspection. (src/config/io.write-config.test.ts:621, ac607044f1ff)
• Gateway docs describe shipped recovery behavior: The docs state that OpenClaw preserves clobbered files, restores last-known-good config, rejects destructive OpenClaw-owned writes, and saves rejected payloads for inspection. Public docs: docs/gateway/configuration.md. (docs/gateway/configuration.md:92, ac607044f1ff)
• PR branch is stale against current writer contracts: Current main's module writer forwards destructive-write, size-drop, runtime-refresh, output-log, canonical-source, listener notification, and afterWrite contracts that the queued wrapper shape in this PR does not preserve. (src/config/io.ts:2421, ac607044f1ff)
• Release provenance: The proof commit is contained in release tag v2026.4.29, and that commit touched src/config/io.ts, src/config/io.write-config.test.ts, docs/gateway/configuration.md, and CHANGELOG.md. (CHANGELOG.md:2255, a448042c2edd)

Likely related people:

• steipete: Recent current-main history and release provenance route the config IO, destructive-write recovery, docs, and tests through Peter Steinberger, including the v2026.4.29 proof commit and later config IO maintenance. (role: recent maintainer and likely follow-up owner; confidence: high; commits: a448042c2edd, d92a634faeb0; files: src/config/io.ts, src/config/io.write-config.test.ts, docs/gateway/configuration.md)
• openclaw/openclaw-secops: CODEOWNERS marks secret-related config files and gateway auth/secret surfaces for secops review, and this PR changes ownerDisplaySecret persistence behavior adjacent to that boundary. (role: adjacent owner; confidence: medium; files: .github/CODEOWNERS, src/config/io.owner-display-secret.ts, src/config/io.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against ac607044f1ff; fix evidence: release v2026.4.29, commit a448042c2edd.