fix(cli): keep logs follow on live gateway state

[vincentkoc]

Summary

• Use the passive backend Gateway client for implicit local openclaw logs reads so log viewing does not register or rewrite a paired device.
• Keep explicit --url targets on the existing CLI identity path.
• In --follow, avoid stale configured-file fallbacks; on Linux, use the active user-systemd Gateway journal by unit and PID when implicit local RPC is unavailable.
• Keep journal fallback output bounded, redacted, boot-scoped, line-limited, and on its own cursor domain.
• Update CLI/logging docs and changelog.

Verification
Behavior addressed: openclaw logs --follow no longer mutates paired-device state for implicit local reads and no longer follows stale configured-file fallback logs after live local RPC failures.
Real environment tested: AWS Crabbox Linux c7a.8xlarge.
Exact steps or command run after this patch: git diff --check; AUTOREVIEW_AUTO_TESTS=0 AUTOREVIEW_OPENCLAW_MAINTAINER_VALIDATION=1 .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main; node scripts/crabbox-wrapper.mjs run --no-hydrate --shell -- "pnpm test:serial src/cli/logs-cli.test.ts"; node scripts/crabbox-wrapper.mjs run --fresh-pr openclaw/openclaw#85380 --no-hydrate --shell -- "pnpm check:changed".
Evidence after fix: autoreview clean; focused AWS run run_691721a0d6ca / lease cbx_9161e75595d8 passed src/cli/logs-cli.test.ts with 25 tests; fresh-PR AWS run run_0121df014dbf / lease cbx_8f88323c0809 passed pnpm check:changed.
Observed result after fix: implicit local logs use the passive backend client without a device identity; follow-mode local RPC failures use the bounded/redacted active systemd journal path when available and do not tail configured files.
What was not tested: a live side-by-side cutover host with a real managed Gateway service producing systemd journal entries.

Fixes #83656
Fixes #66841

[clawsweeper]

Codex review: found issues before merge.

Latest ClawSweeper review: 2026-05-22 17:33 UTC / May 22, 2026, 1:33 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR changes openclaw logs to use a passive backend Gateway client for implicit local log reads, disables configured-file fallback in --follow, and updates the logs tests, CLI docs, and changelog.

Reproducibility: yes. at source level: current main uses the normal CLI identity and configured-file fallback for implicit local RPC failures, while the PR diff adds passive backend identity and disables fallback in --follow. I did not run the live Linux/systemd cutover scenario in this read-only review.

PR rating
Overall: 🦪 silver shellfish
Proof: 🌊 off-meta tidepool
Patch quality: 🦪 silver shellfish
Summary: Useful focused direction, but the patch is not merge-ready until maintainers resolve the compatibility choice around --follow fallback behavior and align the docs.

Rank-up moves:

• Decide whether fail-closed --follow is acceptable or add active service-aware fallback/provenance before merge.
• Run focused src/cli/logs-cli.test.ts proof and live Linux/systemd side-by-side log-source proof if follow behavior remains changed.
• Update docs/logging.md if the --follow fallback exception lands.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: The external-contributor proof gate does not apply because this is maintainer-authored and maintainer-labeled, although the PR body still records that no real environment test completed.

Risk before merge

• Existing users who rely on implicit local openclaw logs --follow falling back to configured file logs during pairing, close, or timeout failures will now see retry warnings and a final Gateway error instead of log output.
• The closing reference to openclaw logs --follow can show stale/misleading old-version file logs after side-by-side cutover #66841 may close a broader request that still asks for active systemd journal tailing plus explicit CLI/service/log-source provenance.
• The PR body records no focused Vitest, changed gate, or live Linux/systemd side-by-side proof executing after the patch.
• The CLI logs page gains the follow-mode exception, but docs/logging.md still describes the old automatic fallback behavior without that exception.

Maintainer options:

1. Add service-aware follow fallback (recommended)
   Before merge, preserve a useful implicit-local follow path by tailing the active user-systemd journal or another proven live source and printing provenance that prevents stale file confusion.
2. Land as a narrower fail-closed change
   Maintainers can intentionally accept retry-then-error behavior, but should keep the broader live-journal/provenance issue open or remove the closing scope that would imply it is fixed.

Next step before merge
Maintainers need to choose the intended upgrade behavior before merge; automation should not decide between fail-closed follow behavior and service-aware live fallback/provenance.

Security
Cleared: No concrete security or supply-chain regression found; the diff touches CLI/docs/tests/changelog only and keeps logs.tail on the existing operator.read Gateway method surface.

Review findings

• [P1] Preserve a live follow source on local failures — src/cli/logs-cli.ts:105-107
• [P3] Update the logging overview for the follow exception — docs/cli/logs.md:60

Review details

Best possible solution:

Keep the passive backend identity for implicit local log reads, but either add an active service-aware live source with provenance for follow-mode failures or explicitly split the narrower paired-device fix from the broader stale-log issue before landing.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: current main uses the normal CLI identity and configured-file fallback for implicit local RPC failures, while the PR diff adds passive backend identity and disables fallback in --follow. I did not run the live Linux/systemd cutover scenario in this read-only review.

Is this the best way to solve the issue?

No, not as a complete fix for both linked issues. The passive backend identity is a good fit for the paired-device side effect, but unconditional fail-closed follow behavior does not satisfy the active journal/provenance request and needs maintainer acceptance or a replacement live source.

Label justifications:

• P2: This is a focused CLI logs reliability fix with limited blast radius, but it affects real incident/debugging workflows.
• merge-risk: 🚨 compatibility: Merging the PR can make existing implicit local logs --follow workflows stop showing fallback logs and exit after Gateway failures.
• rating: 🦪 silver shellfish: Current PR rating is 🦪 silver shellfish because proof is 🌊 off-meta tidepool, patch quality is 🦪 silver shellfish, and Useful focused direction, but the patch is not merge-ready until maintainers resolve the compatibility choice around --follow fallback behavior and align the docs.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The external-contributor proof gate does not apply because this is maintainer-authored and maintainer-labeled, although the PR body still records that no real environment test completed.

Full review comments:

• [P1] Preserve a live follow source on local failures — src/cli/logs-cli.ts:105-107
  This new opts.follow bypass makes implicit local openclaw logs --follow retry and then exit on local Gateway close/timeout/pairing failures instead of returning any log source. The linked stale-log report asks for an active systemd journal/provenance path, so landing this as-is can break existing local incident workflows and close the broader live-source issue without a replacement.
  Confidence: 0.84
• [P3] Update the logging overview for the follow exception — docs/cli/logs.md:60
  This documents the --follow fallback exception on the CLI page, but the public logging overview still says implicit local Gateway failures fall back automatically. If this behavior lands, docs/logging.md should get the same exception so users do not see contradictory docs.
  Confidence: 0.8

Overall correctness: patch is incorrect
Overall confidence: 0.84

Acceptance criteria:

• node scripts/run-vitest.mjs src/cli/logs-cli.test.ts
• Live Linux/systemd side-by-side cutover proof showing selected log source and openclaw logs --follow behavior

What I checked:

• Live PR state: GitHub API shows this PR is open, draft, authored by a MEMBER, assigned to vincentkoc, and labeled maintainer, so cleanup closure is not allowed and maintainer handling is required. (dc7505a73d4c)
• Current main fallback behavior: Current main calls callGatewayFromCli("logs.tail", ...) with only { progress }, then falls back to readConfiguredLogTail when implicit local Gateway RPC is unavailable. (src/cli/logs-cli.ts:77, 7fc691a426cb)
• Current docs promise automatic fallback: The current CLI logs page says implicit local loopback pairing, close, or timeout failures fall back to the configured Gateway file log automatically, with no --follow exception on main. Public docs: docs/cli/logs.md. (docs/cli/logs.md:59, 7fc691a426cb)
• PR diff disables follow fallback: The PR adds an opts.follow early return in shouldUseLocalLogsFallback, so implicit local follow-mode close/timeout failures no longer reach the configured-file fallback path. (src/cli/logs-cli.ts:105, dc7505a73d4c)
• Gateway read-scope contract: logs.tail is classified as operator.read, and callGatewayFromCliRuntime passes extra client identity, mode, device identity, and scopes through the existing Gateway call path. (src/gateway/methods/core-descriptors.ts:29, 7fc691a426cb)
• Related stale-log issue scope: The related report includes validated prototype behavior that preferred the active systemd journal and printed service/log-source provenance; this PR instead fails closed after live Gateway RPC failures.

Likely related people:

• steipete: Introduced the local logs fallback and is the visible author of the current shallow main snapshot for the affected CLI logs path. (role: feature-history owner; confidence: high; commits: 306fe841f54b, 29118a0f0b12; files: src/cli/logs-cli.ts, src/cli/logs-cli.test.ts, src/gateway/server-methods/logs.ts)
• shashank-poola: Added the openclaw logs --follow transient reconnect behavior that this PR changes for implicit local failures. (role: recent area contributor; confidence: medium; commits: 23fe3559e5a2; files: src/cli/logs-cli.ts, src/cli/logs-cli.test.ts, docs/cli/logs.md)
• RomneyDa: Recently updated the same follow reconnect surface for reconnect notices and JSON parity. (role: recent area contributor; confidence: medium; commits: 4bb4127a33bf; files: src/cli/logs-cli.ts, src/cli/logs-cli.test.ts, docs/cli/logs.md)
• vincentkoc: Beyond this PR, recent merged Gateway diagnostics work touched src/gateway/call.ts and log redaction behavior adjacent to this logs path. (role: recent adjacent owner; confidence: medium; commits: e06782d5e747, 935bd6de7fcb; files: src/gateway/call.ts, src/logging/log-tail-redaction.test.ts, src/logging/redact.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 7fc691a426cb.

[clawsweeper]

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[vincentkoc]

Proof after maintainer rewrite:

• Autoreview: AUTOREVIEW_AUTO_TESTS=0 AUTOREVIEW_OPENCLAW_MAINTAINER_VALIDATION=1 .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main clean, no accepted/actionable findings.
• Focused AWS Crabbox: run_691721a0d6ca, lease cbx_9161e75595d8, provider AWS c7a.8xlarge, pnpm test:serial src/cli/logs-cli.test.ts passed 25 tests.
• Fresh-PR AWS Crabbox: run_0121df014dbf, lease cbx_8f88323c0809, provider AWS c7a.8xlarge, pnpm check:changed passed.

The branch is rebased on origin/main after the latest changelog/release drift.