(fix) gateway restart health timeout

[rodrigouroz]

Summary

Describe the problem and fix in 2–5 bullets:

• Problem: daemon status/restart reachability checks were using the heavier status RPC through the generic gateway call path, which is a poor health signal during hot startup and interacts badly with derived probe URLs.
• Why it matters: restart can be reported as unhealthy even when the gateway is already listening, especially when startup is hot and daemon auth comes from config/SecretRef resolution.
• What changed: daemon status probing now uses a lightweight authenticated health probe; trusted daemon-derived loopback probes can stay device-bound without weakening explicit-auth requirements for user-supplied URL overrides; override-auth helpers were isolated into a small module so the daemon probe path does not need the heavier gateway call module.
• What did NOT change (scope boundary): this does not change user-facing gateway auth policy for explicit URL overrides, remote gateway transport requirements, or general status command behavior outside the daemon probe/restart-health path.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

None.

User-visible / Behavior Changes

• openclaw gateway status / daemon restart health checks use the lightweight health RPC instead of the heavier status RPC.
• CLI URL overrides for daemon probes still require truly explicit CLI credentials; daemon-derived auth no longer satisfies that requirement.
• Local restart reachability probes allow a longer handshake budget during hot startup windows.

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) Yes
• New/changed network calls? (Yes/No) Yes
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation:
  The probe path now distinguishes explicit CLI credentials from daemon-derived probe auth so user-supplied URL overrides cannot silently reuse daemon auth. The network call changes are limited to switching the daemon reachability probe from status to health and keeping trusted derived loopback probes device-bound when appropriate.

Repro + Verification

Environment

• OS: macOS host for local verification; GitHub Actions Linux CI rerun pending on current head
• Runtime/container: Node 24 / pnpm workspace
• Model/provider: N/A
• Integration/channel (if any): gateway / daemon CLI
• Relevant config (redacted): local loopback gateway, explicit URL override cases, daemon config auth token cases

Steps

1. Configure or derive a daemon probe target and run the daemon status / restart-health code path.
2. Exercise an explicit CLI URL override both with and without explicit CLI credentials.
3. Run the focused daemon/gateway tests and repo validation commands on the cleaned branch.

Expected

• Daemon reachability checks use a lightweight health probe.
• Explicit CLI URL overrides fail without explicit CLI credentials, even if daemon-derived auth exists.
• Local verification commands pass on the current head.

Actual

• The current head preserves the explicit-auth boundary, uses health for the daemon probe path, and passes the focused daemon/gateway tests plus pnpm build, pnpm tsgo, and pnpm check locally.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios:
  • pnpm test -- src/cli/daemon-cli/probe.test.ts src/gateway/probe.test.ts src/cli/daemon-cli/status.gather.test.ts src/cli/daemon-cli.coverage.test.ts src/cli/daemon-cli/restart-health.test.ts
  • pnpm build
  • pnpm tsgo
  • pnpm check
• Edge cases checked:
  • CLI URL override without explicit credentials but with daemon-derived auth available
  • CLI URL override with explicit credentials
  • health-only probe path and loopback device-identity behavior
• What you did not verify:
  • Full GitHub Actions rerun on the latest head has not completed yet
  • I did not manually verify remote non-loopback gateway deployments in a live environment

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly:
  Revert the four commits in this PR branch or restore the previous daemon probe path to callGateway(... method: "status").
• Files/config to restore:
  src/cli/daemon-cli/probe.ts, src/cli/daemon-cli/status.gather.ts, src/gateway/probe.ts, src/gateway/call.ts, src/gateway/explicit-auth.ts
• Known bad symptoms reviewers should watch for:
  • daemon status/restart checks unexpectedly accepting override URLs without explicit CLI auth
  • daemon status/restart checks timing out or regressing startup memory unexpectedly

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

• Risk: the longer local reachability timeout can lengthen restart-health waits if the probe keeps timing out.
  • Mitigation: the change is limited to the local reachability path, and the health-only probe reduces work done once connected.
• Risk: probe-path import changes could affect startup-sensitive CLI paths.
  • Mitigation: explicit-auth helpers were split into src/gateway/explicit-auth.ts to keep the daemon probe path off the heavier gateway call module.

[greptile-apps]

Greptile Summary

This PR fixes gateway restart/status health checks by switching the daemon probe path from the heavier status RPC (via callGateway) to a lightweight health-only probe (via probeGateway with detailLevel: "health"), and hardens the security boundary around URL overrides so daemon-derived auth cannot silently satisfy explicit-auth requirements on CLI-supplied URL overrides.

Key changes:

• src/gateway/explicit-auth.ts (new): ExplicitGatewayAuth, resolveExplicitGatewayAuth, and ensureExplicitGatewayAuth extracted from call.ts so the daemon probe path doesn't pull in the full gateway call module.
• src/cli/daemon-cli/probe.ts: Replaces callGateway({ method: "status" }) with probeGateway({ detailLevel: "health" }), and adds two pre-dial security gates — explicit-auth enforcement for URL overrides, and isSecureWebSocketUrl rejection of plaintext non-loopback addresses.
• src/cli/daemon-cli/restart-health.ts: Introduces deadline-bounded probe timeouts (createRestartHealthDeadline / clampRestartProbeTimeoutMs). Per-probe timeout increases from 3 s to up to DEFAULT_LOCAL_GATEWAY_REACHABILITY_TIMEOUT_MS = 10 s, capped by remaining retry budget — giving hot-startup gateways more connection time while keeping overall wait bounded. Note: the deadline covers only inter-attempt delay, not probe execution time itself, so heavy-startup probes can shift the effective retry count.
• src/gateway/probe.ts: Adds "health" detailLevel, allowLoopbackDeviceIdentity flag, and tlsFingerprint parameter. The allowLoopbackDeviceIdentity flag lets trusted daemon loopback probes retain device identity without explicit credentials — correctly wired via probeUrlOverride === null in status.gather.ts.
• Test coverage is thorough for the new security boundary and the restart-health deadline logic; one minor gap exists for waitForGatewayHealthyListener's deadline-bounded timeout path (see inline comment).

Confidence Score: 4/5

• Safe to merge; no correctness bugs found. The increased per-probe timeout (3 s → 10 s) is an intentional behavioral change bounded by the new deadline mechanism, and the security hardening logic is correct.
• The refactoring is clean, the security invariants are well-reasoned and tested, and the deadline-bounded probe logic is correct. Score is 4 rather than 5 because: (1) the comment on disableDeviceIdentity in probe.ts is now misleading with the new allowLoopbackDeviceIdentity flag; (2) the waitForGatewayHealthyListener deadline-bounded timeout path lacks a focused test; and (3) the 3× increase in per-probe timeout is a meaningful behavioral change (though intentional and documented in the PR).
• src/cli/daemon-cli/restart-health.ts — review the deadline accounting comment and add a timeout-bounding test for waitForGatewayHealthyListener; src/gateway/probe.ts — update the disableDeviceIdentity comment to cover the new allowLoopbackDeviceIdentity case.

Comments Outside Diff (1)

1. src/cli/daemon-cli/restart-health.ts, line 278-297 (link)

   waitForGatewayHealthyListener has no test covering deadline-bounded timeouts

   waitForGatewayHealthyRestart gains a focused test ("bounds restart probe timeouts to the remaining retry budget") that asserts how probeGateway timeouts shrink across iterations. waitForGatewayHealthyListener received identical deadline threading (createRestartHealthDeadline + getRemainingRestartBudgetMs) but has no corresponding test.

   While the implementation looks correct, the symmetry gap means a future refactoring that accidentally breaks the listener deadline path (e.g. forgetting to thread probeTimeoutMs through) would go undetected. A parallel test for waitForGatewayHealthyListener matching the pattern at line 299–345 of restart-health.test.ts would close this coverage gap.

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: src/cli/daemon-cli/restart-health.ts
   Line: 278-297
   
   Comment:
   **`waitForGatewayHealthyListener` has no test covering deadline-bounded timeouts**
   
   `waitForGatewayHealthyRestart` gains a focused test (`"bounds restart probe timeouts to the remaining retry budget"`) that asserts how `probeGateway` timeouts shrink across iterations. `waitForGatewayHealthyListener` received identical deadline threading (`createRestartHealthDeadline` + `getRemainingRestartBudgetMs`) but has no corresponding test.
   
   While the implementation looks correct, the symmetry gap means a future refactoring that accidentally breaks the listener deadline path (e.g. forgetting to thread `probeTimeoutMs` through) would go undetected. A parallel test for `waitForGatewayHealthyListener` matching the pattern at line 299–345 of `restart-health.test.ts` would close this coverage gap.
   
   How can I resolve this? If you propose a fix, please make it concise.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: src/gateway/probe.ts
Line: 50-55

Comment:
**Comment doesn't cover the new `allowLoopbackDeviceIdentity` path**

The block comment still reads "Local authenticated probes should stay device-bound", which only describes the `!(token || password)` branch. The new `allowLoopbackDeviceIdentity` flag introduces a second reason `disableDeviceIdentity` can be false for unauthenticated loopback probes. Future readers who see the comment may incorrectly conclude that unauthenticated loopback probes *always* disable device identity.

Consider updating the comment to describe both conditions:

```suggestion
      // Unauthenticated local probes disable device identity to avoid silently inflating
      // the probe's privilege via device-token fallback.
      // `allowLoopbackDeviceIdentity: true` opts the caller back in for trusted daemon
      // loopback probes where device identity is the intended auth mechanism.
      return (
        isLoopbackHost(hostname) &&
        !(opts.auth?.token || opts.auth?.password) &&
        opts.allowLoopbackDeviceIdentity !== true
      );
```

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: src/cli/daemon-cli/restart-health.ts
Line: 74-77

Comment:
**Deadline doesn't account for initial probe duration**

`createRestartHealthDeadline` budgets exactly `attempts × delayMs`, but `waitForGatewayHealthyRestart` (and `waitForGatewayHealthyListener`) perform an *initial probe before the first sleep*. With default values (`DEFAULT_LOCAL_GATEWAY_REACHABILITY_TIMEOUT_MS = 10 000 ms`) the first probe can consume up to 10 s of a 60 s budget before any sleep occurs, so the effective number of retry probes that will actually fire can be lower than the configured `attempts`.

This won't cause incorrect behaviour (the budget still terminates the loop safely), but it may be surprising to callers who set small `attempts × delayMs` windows expecting a fixed retry count. A doc-comment noting that the deadline covers delays only (not probe execution time) would help future maintainers understand the trade-off.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: src/cli/daemon-cli/restart-health.ts
Line: 278-297

Comment:
**`waitForGatewayHealthyListener` has no test covering deadline-bounded timeouts**

`waitForGatewayHealthyRestart` gains a focused test (`"bounds restart probe timeouts to the remaining retry budget"`) that asserts how `probeGateway` timeouts shrink across iterations. `waitForGatewayHealthyListener` received identical deadline threading (`createRestartHealthDeadline` + `getRemainingRestartBudgetMs`) but has no corresponding test.

While the implementation looks correct, the symmetry gap means a future refactoring that accidentally breaks the listener deadline path (e.g. forgetting to thread `probeTimeoutMs` through) would go undetected. A parallel test for `waitForGatewayHealthyListener` matching the pattern at line 299–345 of `restart-health.test.ts` would close this coverage gap.

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: bbcb796}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bc03cd3e25

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 2 potential security issue(s) in this PR:

#	Severity	Title
1	🟠 High	OPENCLAW_ALLOW_INSECURE_PRIVATE_WS allows plaintext ws:// to arbitrary hostnames (security check bypass)
2	🟠 High	Implicit device-token leakage to non-loopback URLs during unauthenticated gateway probes

---

1. 🟠 OPENCLAW_ALLOW_INSECURE_PRIVATE_WS allows plaintext ws:// to arbitrary hostnames (security check bypass)

Property	Value
Severity	High
CWE	CWE-319
Location	src/gateway/net.ts:468-479

Description

isSecureWebSocketUrl() is intended to allow plaintext ws:// only for loopback by default, with an opt-in “break-glass” mode (allowPrivateWs) for private networks only.

However, when allowPrivateWs is enabled, any non-IP hostname is accepted, including public domains (e.g. ws://evil.com) and deceptive userinfo URLs (e.g. ws://127.0.0.1@​evil.com). This undermines the new CLI-side enforcement (and other call sites) by permitting cleartext WebSocket connections to non-private remote hosts, exposing credentials and chat data to interception.

Why this happens:

• For ws:// URLs, if the host is not loopback and not a private IP literal, the code returns net.isIP(hostForIpCheck) === 0.
• net.isIP(x) === 0 means “x is not an IP address” (i.e., it is a hostname), so the function returns true for essentially all hostnames.

Vulnerable code:

if (opts?.allowPrivateWs) {
  if (isPrivateOrLoopbackHost(parsed.hostname)) {
    return true;
  }
  const hostForIpCheck =
    parsed.hostname.startsWith("[") && parsed.hostname.endsWith("]")
      ? parsed.hostname.slice(1, -1)
      : parsed.hostname;
  return net.isIP(hostForIpCheck) === 0; // <-- hostnames always pass
}

Recommendation

Tighten the break-glass behavior so it does not implicitly allow all hostnames.

Minimum safe fix (recommended): when allowPrivateWs is enabled, only allow private/loopback IP literals (and optionally a small, explicit hostname allowlist if you truly need it). For everything else, require wss://.

Example:

if (opts?.allowPrivateWs) {
  ​// Allow private/loopback *IP literals* only
  if (isPrivateOrLoopbackHost(parsed.hostname)) {
    return true;
  }
  return false; // hostnames must use wss://
}

If hostname support is required for private DNS (VPN/tailnet), introduce an async validator that resolves DNS and verifies that all returned A/AAAA records are private/loopback and ensure the WebSocket connection uses the resolved IP (to mitigate DNS rebinding / TOCTOU).

---

2. 🟠 Implicit device-token leakage to non-loopback URLs during unauthenticated gateway probes

Property	Value
Severity	High
CWE	CWE-522
Location	src/gateway/probe.ts:47-89

Description

probeGateway() only disables device identity for unauthenticated loopback URLs. For any non-loopback URL (including attacker-controlled wss://...) when opts.auth is omitted/empty, it leaves deviceIdentity enabled (passed as undefined).

Because GatewayClient treats deviceIdentity: undefined as “load or create a real device identity”, the connect handshake can:

• Send a stable device identifier/public key (tracking) to the remote endpoint
• Load a cached device token from disk and send it in the connect auth fields (implicit credential disclosure)

This violates the security invariant “don’t send device identity / cached device token to untrusted remote endpoints unless explicitly intended”.

Vulnerable logic (probe keeps identity enabled for non-loopback, unauthenticated URLs):

return (
  isLoopbackHost(hostname) &&
  !(opts.auth?.token || opts.auth?.password) &&
  opts.allowLoopbackDeviceIdentity !== true
);
...
deviceIdentity: disableDeviceIdentity ? null : undefined,

Why this leaks credentials (data flow):

• Input: opts.url is supplied by callers such as gateway discovery/status commands and can be user-controlled.
• Condition: when no explicit token/password is provided for a non-loopback URL, disableDeviceIdentity becomes false.
• Sink: GatewayClient loads device identity and may load a cached device token and include it in the WebSocket connect handshake auth payload sent to that URL.

Impact:

• Attacker-operated wss:// endpoint can collect the client’s device identity and cached device token.
• That token can enable authentication attempts or real-time credential forwarding attacks against the legitimate gateway, and at minimum discloses a sensitive credential to an untrusted party.

Recommendation

Make probes opt-out of device identity (and thus device-token fallback) by default, and only opt-in for explicitly trusted cases.

Recommended change in probeGateway():

• Disable device identity whenever explicit shared credentials are not provided, unless the caller explicitly opts in and the endpoint is trusted (e.g., loopback, or wss:// with a pinned tlsFingerprint).

Example:

const parsed = new URL(opts.url);
const isLoopback = isLoopbackHost(parsed.hostname);
const hasExplicitSharedAuth = Boolean(opts.auth?.token || opts.auth?.password);

​// Only allow device identity when explicitly intended.
const allowDeviceIdentity =
  hasExplicitSharedAuth ||
  (isLoopback && opts.allowLoopbackDeviceIdentity === true);

const client = new GatewayClient({
  ...,
  ​// Passing null disables identity; undefined loads/creates identity.
  deviceIdentity: allowDeviceIdentity ? undefined : null,
});

Optionally (defense-in-depth): update GatewayClient.selectConnectAuth() to never use stored device-token fallback unless an explicit allowDeviceTokenFallback flag is set and the URL is trusted.

---

Analyzed PR: #48472 at commit cbbec1b

_{Last updated on: 2026-03-17T15:28:11Z}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cab1a1697b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[rodrigouroz]

@joshavant @visionik is this something that follows under your radar? Thanks

[rodrigouroz]

@greptileai please review

[clawsweeper]

Thanks for the context here. I swept through the related work, and this is now duplicate or superseded.

This PR should stay open as maintainer review material, not as a cleanup close: current main has later gateway auth/status hardening that the stale branch conflicts with, while the distinct timeout/health-probe idea still needs a narrow rebase and real behavior proof before it can land.

Canonical path: Close this PR as superseded by #72405.

So I’m closing this here and keeping the remaining discussion on #72405.

Review details

Best possible solution:

Close this PR as superseded by #72405.

Do we have a high-confidence way to reproduce the issue?

Yes for the blocking PR regressions: source comparison shows the PR head uses health-only status probing, env-only restart auth, and default probe identity behavior where current main has stronger contracts. I did not live-reproduce the original hot-start timeout symptom.

Is this the best way to solve the issue?

No, not as currently submitted. The maintainable path is a narrow rebase or replacement that keeps current-main gateway status/auth/security behavior while proving any remaining timeout improvement in a real restart flow.

Security review:

Security review needs attention: The diff is security-sensitive and would weaken current probe identity and URL-error handling if merged mechanically.

• [high] Probe identity hardening can regress — src/gateway/probe.ts:88
deviceIdentity: disableDeviceIdentity ? null : undefined can re-enable GatewayClient default identity behavior outside current-main's cached-token-only diagnostic path, which is a credential and device-identity boundary.
  Confidence: 0.87
• [medium] Security error prints raw override URL — src/cli/daemon-cli/probe.ts:43
  The new plaintext-WebSocket error includes opts.url without redaction, unlike current gateway connection details that redact sensitive URL-like strings before display.
  Confidence: 0.78

What I checked:

• linked superseding PR: fix(gateway): keep restart probe auth local #72405 (fix(gateway): keep restart probe auth local) is merged at 2026-04-28T05:25:20Z.
• cluster evidence: the durable review links that PR in the work cluster or recommended risk path.
• no human follow-up: live comments and timeline hydrated by apply contain no non-automation activity after the ClawSweeper review.

Likely related people:

• vincentkoc: Auth-sensitive restart probe behavior was narrowed and merged through the replacement PR that current main now carries. (role: recent area contributor; confidence: high; commits: ce01b8f250e8, 928c6fb83991, 0d0ce1f42747; files: src/gateway/probe-auth.ts, src/gateway/probe-auth.test.ts, src/cli/daemon-cli/restart-health.ts)
• obviyus: Recent current-main gateway status/probe commits preserve RPC status semantics and split probe capability from reachability on this path. (role: recent area contributor; confidence: high; commits: 2bf2fd6c3d13, 485c258aaf96, 2c5335490121; files: src/cli/daemon-cli/probe.ts, src/gateway/probe.ts)
• steipete: Recent current-main gateway probe commits cover non-mutating diagnostic identity, handshake timeout alignment, and import/startup-sensitive probe behavior. (role: recent area contributor; confidence: high; commits: 8d08e86f42ac, 7994833fac21, 193c7432e33f; files: src/gateway/probe.ts, src/cli/daemon-cli/probe.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against f799da09479e.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

[clawsweeper]

ClawSweeper applied the proposed close for this PR.

• Action: closed this PR.
• Close reason: duplicate or superseded.
• Evidence: durable ClawSweeper review.