fix(android): avoid dataSync FGS for persistent node

[davelutztx]

Summary

• switches the persistent Android node foreground service from dataSync to connectedDevice
• declares FOREGROUND_SERVICE_CONNECTED_DEVICE and the required normal CHANGE_NETWORK_STATE companion permission
• keeps microphone as an additive foreground-service type only when talk mode is active
• updates the node foreground-service unit test expectations

Why

Android 15 applies a time budget to foreground services of type dataSync. The OpenClaw node service is a long-lived device connection to the gateway, not a bounded sync job, so dataSync can be exhausted and Android can then crash or deny service restarts with errors like:

• ForegroundServiceDidNotStopInTimeException
• ForegroundServiceStartNotAllowedException: Time limit already exhausted for foreground service type dataSync

connectedDevice better matches the service's purpose: keeping the Android device connected as an OpenClaw node. Android requires a connected-device foreground service to declare at least one qualifying capability permission; this PR uses CHANGE_NETWORK_STATE, a normal permission, so no new runtime permission prompt is introduced.

Real behavior proof

• Behavior addressed: Android OpenClaw node foreground service no longer crashes/restarts immediately after the dataSync foreground-service budget is exhausted. Before this change, adb/logcat showed NodeForegroundService crashes from ForegroundServiceDidNotStopInTimeException and ForegroundServiceStartNotAllowedException: Time limit already exhausted for foreground service type dataSync.
• Real environment tested: Samsung Galaxy Z Fold7 (SM-F966U1) running the OpenClaw Android node app with targetSdk=36, connected to a live OpenClaw gateway over the normal Android node websocket route.
• Exact steps or command run after fix: Built a debug APK with this change; installed it with adb install -r; force-stopped ai.openclaw.app; cleared logcat; launched the app with adb shell monkey -p ai.openclaw.app -c android.intent.category.LAUNCHER 1; checked openclaw nodes status; filtered adb logcat for AndroidRuntime, ForegroundServiceStartNotAllowedException, ForegroundServiceDidNotStopInTimeException, and NodeForegroundService.
• Observed result after fix: The Android node process stayed alive after launch, the Fold7 node reconnected to the gateway, and the crash filter had no new OpenClaw AndroidRuntime/FGS crash entries after the final connected-device build.
• What was not tested: Long-duration 6+ hour soak on multiple Android OEMs was not run in this PR. The failure mode was reproduced and cleared on a real Samsung targetSdk 36 device, and unit/build/APK manifest checks were run locally.
• Evidence after fix: adb/logcat before fix showed Process: ai.openclaw.app, ForegroundServiceDidNotStopInTimeException: A foreground service of type dataSync did not stop within its timeout, and ForegroundServiceStartNotAllowedException: Time limit already exhausted for foreground service type dataSync at NodeForegroundService.startForegroundWithTypes(NodeForegroundService.kt:187). After the fix, live command output showed Performing Streamed Install, Success, versionName=2026.5.5, pid=28121, Known: 2 · Paired: 2 · Connected: 1, Dave's Z Fold7 ... openclaw-android/node ... paired · connected (just now), and logcat only reported ActivityManager: Background started FGS: Allowed [callingPackage: ai.openclaw.app; ... targetSdkVersion:36] with no new AndroidRuntime, ForegroundServiceStartNotAllowedException, or ForegroundServiceDidNotStopInTimeException entries for ai.openclaw.app after final launch.

Validation

• ./gradlew :app:testPlayDebugUnitTest :app:assemblePlayDebug
• inspected the built APK manifest with aapt:
  • includes android.permission.FOREGROUND_SERVICE_CONNECTED_DEVICE
  • includes android.permission.CHANGE_NETWORK_STATE
  • no longer includes android.permission.FOREGROUND_SERVICE_DATA_SYNC
  • NodeForegroundService has foreground service type 0x90 (connectedDevice | microphone)

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 8, 2026, 9:40 AM ET / 13:40 UTC.

Summary
The branch switches Android NodeForegroundService from dataSync to connectedDevice, updates companion manifest permissions, unit expectations, and the Android platform docs.

PR surface: Docs 0, Other -15. Total -15 across 4 files.

Reproducibility: yes. The linked issue provides the dataSync foreground-service timeout stack trace, current main still uses dataSync, and Android's docs describe the same Android 15+ timeout and exception path; I did not run a live Android repro in this read-only review.

Review metrics: 1 noteworthy metric.

• Android FGS contract changed: 2 permissions added/replaced, 1 permission removed, 1 service type changed. The manifest permission and foreground-service type contract is enforced by Android at runtime, so maintainers should notice the OS-facing compatibility surface before merge.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• [P1] This changes an OS-enforced Android foreground-service contract; the supplied proof is strong for one Samsung targetSdk 36 device, but it is not a long multi-OEM soak.

Maintainer options:

1. Accept the focused Android FGS change (recommended)
   Land the current connected-device repair with the supplied Samsung/logcat proof and normal checks, while accepting the residual multi-OEM soak gap.
2. Require broader Android proof
   Ask for an additional OEM or longer soak before merge if maintainers want stronger runtime compatibility evidence for the OS-facing manifest change.
3. Pause for a different Android strategy
   Pause this PR only if maintainers prefer a different foreground-service type or lifecycle design for the persistent node.

Next step before merge

• [P2] No repair lane is needed; the remaining action is maintainer review and land/close handling for the proof-positive Android crash fix.

Security
Cleared: The diff changes Android manifest permissions but uses the normal CHANGE_NETWORK_STATE companion permission required by the connected-device FGS contract, with no dependency, CI, secret, or code-execution surface changed.

Review details

Best possible solution:

Land this focused connected-device foreground-service repair, or an equivalent maintainer-approved Android fix, and close the linked crash issue after main no longer uses dataSync for the long-lived node service.

Do we have a high-confidence way to reproduce the issue?

Yes. The linked issue provides the dataSync foreground-service timeout stack trace, current main still uses dataSync, and Android's docs describe the same Android 15+ timeout and exception path; I did not run a live Android repro in this read-only review.

Is this the best way to solve the issue?

Yes. Switching the persistent node service to connectedDevice with the required companion permission is the narrowest maintainable fix for a long-lived device connection, and the PR now updates runtime, manifest, test expectations, and docs together.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9a82b60024b5.

Label changes

Label changes:

• add merge-risk: 🚨 compatibility: The diff changes Android foreground-service type and manifest permissions, which are runtime-enforced platform compatibility contracts across Android versions and OEMs.
• add rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• remove rating: 🐚 platinum hermit: Current PR rating is rating: 🦞 diamond lobster, so this older rating label is no longer current.

Label justifications:

• P1: The PR fixes a linked Android node crash/restart loop that can break the real device connection workflow for affected users.
• merge-risk: 🚨 compatibility: The diff changes Android foreground-service type and manifest permissions, which are runtime-enforced platform compatibility contracts across Android versions and OEMs.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (logs): The PR body includes after-fix real-device adb/logcat and node-status output showing a Samsung targetSdk 36 Android node stayed connected with no new FGS crash signatures.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix real-device adb/logcat and node-status output showing a Samsung targetSdk 36 Android node stayed connected with no new FGS crash signatures.

Evidence reviewed

PR surface:

Docs 0, Other -15. Total -15 across 4 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	0	0	0	0
Tests	0	0	0	0
Docs	1	1	1	0
Config	0	0	0	0
Generated	0	0	0	0
Other	3	7	22	-15
Total	4	8	23	-15

What I checked:

• Repository policy read: Read the full root AGENTS.md and the scoped docs/AGENTS.md; the review applied the OpenClaw requirement to inspect source, tests, docs, dependency contract, current behavior, and history before verdict. (AGENTS.md:1, 9a82b60024b5)
• Current main manifest still uses dataSync: Current main declares FOREGROUND_SERVICE_DATA_SYNC and android:foregroundServiceType="dataSync|microphone" for NodeForegroundService, so the central change is not already on main. (apps/android/app/src/main/AndroidManifest.xml:5, 9a82b60024b5)
• Current main runtime still uses DATA_SYNC: foregroundServiceTypesForVoiceMode currently uses ServiceInfo.FOREGROUND_SERVICE_TYPE_DATA_SYNC as the base type and adds microphone only for Talk Mode. (apps/android/app/src/main/java/ai/openclaw/app/NodeForegroundService.kt:237, 9a82b60024b5)
• PR diff targets the implicated Android path: The PR diff changes the manifest to connectedDevice|microphone, replaces the data-sync permission with FOREGROUND_SERVICE_CONNECTED_DEVICE, adds CHANGE_NETWORK_STATE, and changes runtime/test expectations to FOREGROUND_SERVICE_TYPE_CONNECTED_DEVICE. (apps/android/app/src/main/AndroidManifest.xml:1, 136bfd8d214b)
• Docs blocker is resolved in the PR diff: The current PR diff updates docs/platforms/android.md from dataSync/dataSync|microphone to connectedDevice/connectedDevice|microphone and mentions the connected-device companion permission. (docs/platforms/android.md:218, 136bfd8d214b)
• Android dependency contract checked: Android's official foreground-service docs state that Android 15+ limits dataSync foreground services to 6 hours per 24 hours and can throw ForegroundServiceStartNotAllowedException with Time limit already exhausted for foreground service type dataSync; the same docs list connectedDevice, FOREGROUND_SERVICE_CONNECTED_DEVICE, and CHANGE_NETWORK_STATE as a qualifying manifest permission path.

Likely related people:

• @obviyus: Ayaan Zaidi appears in the merged Android foreground-service history, authored related service/runtime changes, is assigned on this PR, and force-pushed the latest head commit for the connected-device repair. (role: feature-history owner and current assignee; confidence: high; commits: 5568b393a86d, 46145fde1988, 136bfd8d214b; files: apps/android/app/src/main/java/ai/openclaw/app/NodeForegroundService.kt, apps/android/app/src/test/java/ai/openclaw/app/NodeForegroundServiceTest.kt, apps/android/app/src/main/AndroidManifest.xml)
• @steipete: Peter Steinberger authored the merged Talk Mode exposure and recent Android service/doc comment work that touches the same foreground-service and voice capture surface. (role: Android Talk and foreground-service area contributor; confidence: medium; commits: 86d897cfaa6a, 0ef6702af379, 85beee613c64; files: apps/android/app/src/main/java/ai/openclaw/app/NodeForegroundService.kt, apps/android/app/src/main/AndroidManifest.xml, docs/platforms/android.md)
• @joshavant: Josh Avant has several recent merged commits in NodeRuntime.kt, the caller/callee side that drives NodeForegroundService.setVoiceCaptureMode for Talk and Mic state. (role: recent Android runtime contributor; confidence: medium; commits: 72b387ad488c, 53e50ec12747, 81f4fe6c113b; files: apps/android/app/src/main/java/ai/openclaw/app/NodeRuntime.kt)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[RomneyDa]

Heads up: this PR needs to be updated against current main before the new required Dependency Guard check can pass.

[obviyus]

Landed via rebase onto main.

• Scoped tests: git diff --check; pnpm docs:list; ./gradlew :app:testPlayDebugUnitTest --tests ai.openclaw.app.NodeForegroundServiceTest; .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
• GitHub checks: android-build-play, android-test-play, android-test-third-party, check-docs, Real behavior proof, dependency-guard, preflight, security-fast all passed on the pushed head.
• Changelog: not updated; release generation owns CHANGELOG.md for normal PRs.
• PR branch head before merge: 136bfd8d214b20806148b43578c2e1b906a7cef5
• Main commits: 7d357a75fd (runtime/manifest/test), 6d7eb9bb84 (distill/docs cleanup)
• Merge commit: 6d7eb9bb8483b590a1c60322c5ea4fda733ed8ad

Thanks @davelutztx!