fix: retry config snapshot after rejection

[honor2030]

Summary

• Problem: getConfigSnapshot() cached the first readConfigFileSnapshot() promise forever, including rejected promises.
• Solution: clear the cached promise when the in-flight snapshot read rejects, while keeping successful snapshot reuse intact.
• What changed: added a focused regression test for transient read rejection -> retry -> successful cache reuse, and updated the cache path to drop only the rejected in-flight promise.
• What did NOT change (scope boundary): no config schema, CLI command allowlist, or runtime snapshot semantics changed beyond retrying after a failed read.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes Rejected promise cached permanently in getConfigSnapshot #83855
• Related Rejected promise cached permanently in getConfigSnapshot #83855
• This PR fixes a bug or regression

Motivation

• A transient config snapshot read failure should not poison the process for later CLI preflight calls. After the underlying read can succeed again, ensureConfigReady() should retry instead of reusing the already-rejected promise.

Real behavior proof (required for external PRs)

• Behavior or issue addressed: transient readConfigFileSnapshot() rejection no longer permanently poisons the cached config snapshot promise.
• Real environment tested: local OpenClaw checkout on macOS 26.4.1, Node v24.15.0.
• Exact steps or command run after this patch:
  • PATH=/opt/homebrew/opt/node@24/bin:/opt/homebrew/bin:$PATH node scripts/test-projects.mjs src/cli/program/config-guard.test.ts
  • Manual runtime probe with Node's module mock: first config snapshot read rejects, second succeeds, third reuses the recovered cached success.
• Evidence after fix (copied terminal output):

[test] starting test/vitest/vitest.cli.config.ts

 RUN  v4.1.6 /private/tmp/openclaw-83855-config-snapshot

 ✓  cli  src/cli/program/config-guard.test.ts (12 tests) 43ms

 Test Files  1 passed (1)
      Tests  12 passed (12)
   Start at  11:35:06
   Duration  318ms (transform 159ms, setup 151ms, import 38ms, tests 43ms, environment 0ms)

[test] passed 1 Vitest shard in 3.82s

Manual runtime probe output:

{"reads":2,"results":["first:transient probe failure","second:recovered","third:cached-success"]}

• Observed result after fix: the first rejected snapshot propagates, the next call retries and succeeds, and later calls reuse the successful cached snapshot.
• What was not tested: full packaged binary / long-running production process.
• Before evidence (optional but encouraged): the new regression test fails against the previous configSnapshotPromise ??= readConfigFileSnapshot() implementation because the rejected promise stays cached.

Root Cause (if applicable)

• Root cause: configSnapshotPromise ??= readConfigFileSnapshot() memoized the promise object without distinguishing fulfilled and rejected outcomes.
• Missing detection / guardrail: no regression covered the non-Vitest cached path when an initial snapshot read rejects.
• Contributing context (if known): tests usually bypass caching with process.env.VITEST === "true", so this production cache behavior needed an explicit test toggle.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/cli/program/config-guard.test.ts
• Scenario the test should lock in: first cached snapshot read rejects, a subsequent call retries and succeeds, and a third call reuses the successful cached snapshot.
• Why this is the smallest reliable guardrail: it exercises the ensureConfigReady() preflight seam and the production cache branch without broader CLI process setup.
• Existing test that already covers this (if any): none.
• If no new test is added, why not: N/A.

User-visible / Behavior Changes

• CLI config preflight can recover from a transient config snapshot read rejection within the same process instead of repeatedly failing with the original rejected promise.

Diagram (if applicable)

Before:
read rejects -> rejected promise remains cached -> later preflight reuses same rejection

After:
read rejects -> matching cached promise is cleared -> later preflight reads again -> success is cached

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: macOS 26.4.1
• Runtime/container: local checkout, Node v24.15.0
• Model/provider: N/A
• Integration/channel (if any): CLI config guard
• Relevant config (redacted): N/A

Steps

1. Mock readConfigFileSnapshot() to reject once and then resolve.
2. Run ensureConfigReady(["status"]) once and observe the transient rejection.
3. Run ensureConfigReady(["status"]) again and observe recovery, then run it a third time to confirm successful cache reuse.

Expected

• The rejected snapshot promise is not retained after rejection.
• The next config preflight retries the read and can recover.
• Successful reads remain cached.

Actual

• Matches expected after this patch.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

• Verified scenarios:
  • Focused Vitest file: src/cli/program/config-guard.test.ts
  • Manual runtime probe for reject -> retry -> cached success behavior using Node module mocking.
  • Formatting check for touched files via node_modules/.bin/oxfmt --check src/cli/program/config-guard.ts src/cli/program/config-guard.test.ts.
• Edge cases checked:
  • The cache is cleared only if the rejected promise is still the current cached promise.
  • A third successful call reuses the recovered cached promise instead of re-reading.
• What you did not verify:
  • Full repository test suite.
  • Packaged production binary.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Migration needed? No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: clearing the cache from an older rejected promise could race with a newer read.
  • Mitigation: the catch handler clears the module-level cache only when it still points at the same rejected promise object.

[clawsweeper]

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR changes CLI config guard caching to clear a rejected in-flight config snapshot promise and adds a regression test for reject, retry, and successful cache reuse.

Reproducibility: yes. Source inspection shows current main caches the first readConfigFileSnapshot() promise, and the provided PR test/probe gives a clear reject -> retry -> cached-success reproduction path.

PR rating
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Summary: A small, well-scoped bug fix with focused regression coverage and sufficient terminal proof, with no blocking findings found in read-only review.

Rank-up moves:

• none

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

PR egg
✨ Hatched: 🥚 common Velvet Branchling

       /\  .---.  /\         
      /  \/     \/  \        
     /   ( -   - )   \       
    |       ._.       |      
    |   /|  ===  |\   |      
     \  \|______/|/  /       
      '._  `--'  _.'         
         '-.__.-'            
       _/|_|  |_|\_          
      /__|      |__\         
       .-----------.         
      '-------------'        

Rarity: 🥚 common.
Trait: watches the merge queue.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Velvet Branchling in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• How to hatch it: reach status: 👀 ready for maintainer look or status: 🚀 automerge armed; that usually means sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

Real behavior proof
Sufficient (terminal): The PR body includes copied terminal output from a local checkout showing the focused test pass and a manual reject -> retry -> cached-success runtime probe for this nonvisual CLI cache path.

Next step before merge
No automated repair lane is needed because the PR already contains the focused code and test change; remaining action is normal maintainer/CI merge review.

Security
Cleared: The diff only changes in-memory config snapshot cache retry behavior and a focused test; it does not add dependencies, permissions, network access, secret handling, or code execution paths.

Review details

Best possible solution:

Land the narrow cache-clearing fix with its regression test once normal CI confirms the focused config guard lane on the exact PR head.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows current main caches the first readConfigFileSnapshot() promise, and the provided PR test/probe gives a clear reject -> retry -> cached-success reproduction path.

Is this the best way to solve the issue?

Yes. Clearing only the matching rejected pending promise preserves successful snapshot reuse while avoiding stale rejected-promise poisoning, and the regression test targets that exact behavior.

Label justifications:

• P2: This is a normal-priority CLI reliability bug with a narrow in-process config snapshot cache surface.

What I checked:

• Current main behavior: Current main still uses configSnapshotPromise ??= readConfigFileSnapshot(), so a first rejected snapshot promise would remain cached for later calls in the same process. (src/cli/program/config-guard.ts:33, 8bd24ad6d4ab)
• Affected call path: ensureConfigReady awaits getConfigSnapshot() when no doctor preflight snapshot was produced, and CLI bootstrap calls ensureConfigReady before command execution. (src/cli/program/config-guard.ts:74, 8bd24ad6d4ab)
• Proposed fix shape: PR head 5ab4f9b3c307d2a0e836980b2fee7229b9e0a8c8 replaces the ??= memoization with a pending promise and clears the cache only when that same pending promise rejects. (src/cli/program/config-guard.ts:30, 5ab4f9b3c307)
• Regression coverage: PR head adds a test that exercises the production cache branch by disabling the Vitest bypass, rejecting the first read, then verifying a retry succeeds and the recovered success is cached. (src/cli/program/config-guard.test.ts:130, 5ab4f9b3c307)
• Linked issue context: The linked open issue describes the same stale rejected-promise cache in getConfigSnapshot and recommends clearing the cached promise on failure; this PR is the paired implementation candidate.
• Feature history: git blame ties the current config guard cache lines to commit 424c6d0a5f4665b803ad6768d08b0be7659deaf4, and git show records luyao618 as co-author and takhofman as approver of that introduced behavior. (src/cli/program/config-guard.ts:20, 424c6d0a5f46)

Likely related people:

• takhofman: The commit that introduced the current config guard cache records this handle as approver and co-author, making them a good routing candidate for CLI config guard follow-up. (role: reviewer/approver of introduced behavior; confidence: medium; commits: 424c6d0a5f46; files: src/cli/program/config-guard.ts, src/cli/program/config-guard.test.ts)
• luyao618: The same introducing commit records this handle as a co-author on the change that added the current config guard cache path. (role: co-author of introduced behavior; confidence: medium; commits: 424c6d0a5f46; files: src/cli/program/config-guard.ts, src/cli/program/config-guard.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8bd24ad6d4ab.

[Takhoffman]

@clawsweeper automerge

[clawsweeper]

🦞🔧
ClawSweeper automerge is enabled.

• Head: 5ab4f9b3c307
• Label: clawsweeper:automerge
• Action: repair worker queued. Run: https://github.com/openclaw/clawsweeper/actions/runs/26073255839
• Flow: review this head, repair/rebase only if needed, then re-review the exact repaired head before merge.

Draft PRs stay fix-only until GitHub marks them ready for review. Pause with /clawsweeper stop.

Automerge progress:

• 2026-05-19 02:50:58 UTC review queued 5ab4f9b3c307 (queued)

• 2026-05-19 02:52:54 UTC repair queued 5ab4f9b3c307 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26073255839

• 2026-05-19 02:55:21 UTC repair started (running) in 0s Run: https://github.com/openclaw/clawsweeper/actions/runs/26073255839 automerge-openclaw-openclaw-83931

• 2026-05-19 02:55:37 UTC validation plan (passed) in 17s Run: https://github.com/openclaw/clawsweeper/actions/runs/26073255839 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-19 02:55:50 UTC Codex write preflight (passed) in 30s Run: https://github.com/openclaw/clawsweeper/actions/runs/26073255839 danger-full-access

• 2026-05-19 03:00:21 UTC Codex edit 1 0e4b3a25cbf3 (complete) in 5m 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/26073255839 exit 0

• 2026-05-19 03:03:32 UTC validation and review 1 7ebf5820dc9d (base moved) in 8m 11s Run: https://github.com/openclaw/clawsweeper/actions/runs/26073255839 rebased

• 2026-05-19 03:04:10 UTC repair finished 7ebf5820dc9d (opened) in 8m 49s Run: https://github.com/openclaw/clawsweeper/actions/runs/26073255839 open_fix_pr

[clawsweeper]

ClawSweeper 🐠 reef update

Thanks for the contribution here. ClawSweeper could not safely push to this branch, so it opened a replacement PR from a writable branch and carried the contributor trail along with it.

Why replacement: ClawSweeper could not update the source PR branch directly; GitHub did not grant sufficient push rights to the bot for that branch.
Replacement PR: #83944
Why close: this run explicitly closes the superseded source PR after the credited replacement PR is open, so review continues in one place.
This closeout is intentional for this run: the replacement PR is now the active review lane.
Credit follows the fix over to the replacement PR. no sneaky treasure grab.
Co-author credit kept:

• @honor2030: Co-authored-by: 이민재 19909783+honor2030@users.noreply.github.com

fish notes: model gpt-5.5, reasoning high; reviewed against 7ebf582.