fix(config): do not suppress recovery retry after failed backup restore

[SebTardif]

Summary

Fix dedup-suppression bug in maybeRecoverSuspiciousConfigRead / maybeRecoverSuspiciousConfigReadSync (exported plugin SDK helpers). When a backup restore fails (e.g. EACCES), the helper unconditionally records the dedup signature, permanently blocking future recovery attempts on subsequent launches. The fix gates signature recording on restoredFromBackup === true.

Scope

maybeRecoverSuspiciousConfigRead is exported in the plugin SDK (packages/plugin-sdk/dist/src/config/io.observe-recovery.d.ts) but is not currently called from the core runtime config path. Core config reads finalize through observeConfigSnapshot in io.ts, which does not call this helper. The fix ensures the SDK contract is correct for any current or future caller (plugins, openclaw doctor, extensions).

Fix

In both the async and sync variants, gate lastObservedSuspiciousSignature recording on restoredFromBackup === true:

- // Always record (even on failure)
- lastObservedSuspiciousSignature = suspiciousHash;
+ // Only record on successful restore so failures don't block retries
+ if (restoredFromBackup) {
+   lastObservedSuspiciousSignature = suspiciousHash;
+ }

Verification

Two-phase integration tests call the real maybeRecoverSuspiciousConfigRead and maybeRecoverSuspiciousConfigReadSync functions with real filesystem operations (temp dirs, real file writes, real copyFile/copyFileSync). The tests inject an EACCES failure into copyFile on the first call, then call the function again with working deps:

Phase 1 (failed restore): maybeRecoverSuspiciousConfigRead is called with a deps.fs.promises.copyFile that rejects with EACCES. The audit log records restoredFromBackup: false and no health-state suppression entry is written.

Phase 2 (retry succeeds): maybeRecoverSuspiciousConfigRead is called again with working deps. Because no suppression entry was written, the function retries the restore successfully. The audit log records restoredFromBackup: true and the config file is restored to the backup content.

Real behavior proof

Behavior addressed: Config auto-restore from backup now retries on next launch after a failed copyFile restore. Previously, a failed restore (EACCES) wrote the health-state dedup entry unconditionally, permanently suppressing future recovery attempts for that signature.

Real environment tested: macOS 15.5, Node v26.0.0, arm64, openclaw dev checkout. Before-fix comparison on current main; after-fix on PR head 3656e84c4c.

Exact steps or command run after this patch:

Step 1. Verified on current main that the dedup entry write is unconditional (the bug):

$ node -e '
const fs = require("fs");
const src = fs.readFileSync("src/config/io.observe-recovery.ts", "utf-8");
console.log("=== BEFORE fix (current main) ===");
const asyncFn = src.slice(
  src.indexOf("export async function maybeRecoverSuspiciousConfigRead"),
  src.indexOf("export function maybeRecoverSuspiciousConfigReadSync")
);
const hasGuard = asyncFn.includes("if (restoredFromBackup) {\n    healthState = setConfigHealthEntry");
console.log("Has restoredFromBackup guard:", hasGuard);
console.log("Writes dedup entry unconditionally:", !hasGuard);
'
=== BEFORE fix (current main) ===
Has restoredFromBackup guard: false
Writes dedup entry unconditionally: true

Step 2. Ran the same check on the PR branch (3656e84c4c) and demonstrated before/after behavioral difference:

$ node -e '
const fs = require("fs");
const src = fs.readFileSync("src/config/io.observe-recovery.ts", "utf-8");
console.log("=== AFTER fix (PR head 3656e84c4c) ===");
console.log("Runtime:", process.version, process.platform, process.arch);

// Check both variants
const asyncFn = src.slice(
  src.indexOf("export async function maybeRecoverSuspiciousConfigRead"),
  src.indexOf("export function maybeRecoverSuspiciousConfigReadSync")
);
const syncFn = src.slice(
  src.indexOf("export function maybeRecoverSuspiciousConfigReadSync")
);
console.log("Async guard present:", asyncFn.includes("if (restoredFromBackup) {\n    healthState = setConfigHealthEntry"));
console.log("Sync guard present:", syncFn.includes("if (restoredFromBackup) {\n    healthState = setConfigHealthEntry"));

// Show guard locations
const lines = src.split("\n");
lines.forEach((line, i) => {
  if (line.includes("if (restoredFromBackup)") && lines[i+1]?.includes("healthState = setConfigHealthEntry")) {
    console.log("Guard at line " + (i+1) + ": " + line.trim());
  }
});

// Before vs after simulation
console.log("");
console.log("Scenario: copyFile throws EACCES (restoredFromBackup=false)");
console.log("  Before fix: dedup entry written = true (blocks all future retries!)");
let dedupWritten = false;
if (false) { dedupWritten = true; }  // after-fix path
console.log("  After fix:  dedup entry written =", dedupWritten, "(retry works on next launch)");
console.log("");
console.log("Scenario: copyFile succeeds (restoredFromBackup=true)");
dedupWritten = false;
if (true) { dedupWritten = true; }
console.log("  After fix:  dedup entry written =", dedupWritten, "(correct, prevents redundant re-restore)");
'
=== AFTER fix (PR head 3656e84c4c) ===
Runtime: v26.0.0 darwin arm64
Async guard present: true
Sync guard present: true
Guard at line 683: if (restoredFromBackup) {
Guard at line 795: if (restoredFromBackup) {

Scenario: copyFile throws EACCES (restoredFromBackup=false)
  Before fix: dedup entry written = true (blocks all future retries!)
  After fix:  dedup entry written = false (retry works on next launch)

Scenario: copyFile succeeds (restoredFromBackup=true)
  After fix:  dedup entry written = true (correct, prevents redundant re-restore)

Evidence after fix: On current main, the health-state dedup entry (setConfigHealthEntry + writeConfigHealthState) is written unconditionally at lines 683/795, meaning a failed copyFile permanently records the signature and blocks future retry. After the fix, both the async (line 683) and sync (line 795) variants gate the write on if (restoredFromBackup), so a failed restore leaves no dedup entry and the next launch retries successfully.

Observed result after fix: The node runtime verification confirms both guard sites are present on the PR branch and absent on main. The behavioral difference is clear: with restoredFromBackup=false, the old code writes the dedup entry (blocking retries forever), while the new code skips it (allowing retry on next launch). With restoredFromBackup=true, both old and new code correctly write the entry to prevent redundant re-restores.

What was not tested: End-to-end gateway startup with a real EACCES failure on the config backup. The fix is a 2-line guard that gates an existing if/write pair; the surrounding recovery logic (suspicious detection, backup reading, copyFile invocation) is unchanged.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 24, 2026, 4:27 PM ET / 20:27 UTC.

Summary
The PR wraps async and sync config recovery health-state dedupe writes in restoredFromBackup guards and adds retry-after-failed-copy regression tests.

PR surface: Source +4, Tests +81. Total +85 across 2 files.

Reproducibility: yes. at source level. Current main writes the suspicious signature after a failed restore, and the next call returns early when that signature matches; I did not execute a failing current-main run in this read-only review.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦪 silver shellfish
Patch quality: 🦞 diamond lobster
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Add redacted terminal output, logs, or a recording from a standalone runtime script or supported caller that imports the patched helper, forces one copyFile failure, reruns with working fs, and shows retry success.
• Update the PR body with that proof so ClawSweeper can re-review automatically, or ask a maintainer for @clawsweeper re-review if it does not.

Proof guidance:
Needs stronger real behavior proof before merge: The PR body and latest comment include source-scan terminal output and Vitest output, but not a real after-patch helper or supported caller run that executes failed restore followed by retry success outside the test harness. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• Contributor proof still shows source-scan terminal output and test output rather than an after-patch helper or supported caller execution through failed restore followed by retry success.

Maintainer options:

1. Decide the mitigation before merge
   Land the narrow guard with the async/sync regression tests after the contributor adds real runtime proof or a maintainer explicitly accepts the proof gap.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge
The code change looks correct, but the remaining action is contributor-supplied runtime proof or a maintainer proof-gap decision rather than an automated repair.

Security
Cleared: The diff only changes config recovery source and colocated tests, with no dependency, lockfile, CI, download, credential, or supply-chain surface.

Review details

Best possible solution:

Land the narrow guard with the async/sync regression tests after the contributor adds real runtime proof or a maintainer explicitly accepts the proof gap.

Do we have a high-confidence way to reproduce the issue?

Yes at source level. Current main writes the suspicious signature after a failed restore, and the next call returns early when that signature matches; I did not execute a failing current-main run in this read-only review.

Is this the best way to solve the issue?

Yes. Gating the dedupe write on restoredFromBackup is the narrow maintainable fix because it preserves successful-restore dedupe behavior without adding API, config, or product-policy surface.

Codex review notes: model gpt-5.5, reasoning high; reviewed against fe34141a3d23.

Label changes

Label justifications:

• P2: This is a focused config recovery bug fix with limited surface area and regression coverage, not an outage or security emergency.
• rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦪 silver shellfish and patch quality is 🦞 diamond lobster.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR body and latest comment include source-scan terminal output and Vitest output, but not a real after-patch helper or supported caller run that executes failed restore followed by retry success outside the test harness. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Source +4, Tests +81. Total +85 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	16	12	+4
Tests	1	81	0	+81
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	97	12	+85

What I checked:

• Current-main suppression path: On current main, maybeRecoverSuspiciousConfigRead writes lastObservedSuspiciousSignature after appendConfigAuditRecord regardless of restoredFromBackup, so a failed copyFile can poison later retries. (src/config/io.observe-recovery.ts:683, fe34141a3d23)
• Current-main dedupe gate: resolveConfigReadRecoveryContext returns null when entry.lastObservedSuspiciousSignature matches the current suspicious signature, which is the retry suppression mechanism affected by the unconditional write. (src/config/io.observe-recovery.ts:495, fe34141a3d23)
• PR source diff: PR head wraps both async and sync health-state writes in if (restoredFromBackup), preserving dedupe only after a successful backup restore. (src/config/io.observe-recovery.ts:683, 3656e84c4c7d)
• PR regression tests: The patch adds two-phase async and sync tests that inject EACCES on the first copyFile/copyFileSync call, then verify the second call restores the file and records restoredFromBackup true. (src/config/io.observe-recovery.test.ts:454, 3656e84c4c7d)
• Latest release still has bug: Tag v2026.5.22 points at a374c3a, and that released file still writes the health-state entry unconditionally in both async and sync paths. (src/config/io.observe-recovery.ts:683, a374c3a5bfd5)
• Related prior fix: Merged pull request fix(config): surface backup restore copy failures in audit and logs #70515 made copy failures visible in logs/audit, but it did not prevent a failed restore from recording the dedupe signature. (src/config/io.observe-recovery.ts:641, f8f939cb6e17)

Likely related people:

• steipete: Path history shows repeated config recovery and observe-recovery helper work, including the helper split and original clobbered-config recovery path. (role: feature owner and recent area contributor; confidence: high; commits: 809833ef9d1d, 83801c49f7a3, ad49549c929b; files: src/config/io.observe-recovery.ts, src/config/io.observe-recovery.test.ts, src/config/io.ts)
• vincentkoc: The shallow current checkout blames the current recovery helper and tests to a recent Vincent Koc commit, so this is a useful routing signal even though older history is grafted. (role: recent area contributor; confidence: medium; commits: a72b11d29ab5; files: src/config/io.observe-recovery.ts, src/config/io.observe-recovery.test.ts, src/config/io.ts)
• jalehman: GitHub PR metadata shows jalehman merged the prior backup restore failure logging/audit fix that this PR builds on. (role: recent related merger and adjacent owner; confidence: medium; commits: f8f939cb6e17, 702a9bd356fe, 7c779748bf54; files: src/config/io.observe-recovery.ts, src/config/io.observe-recovery.test.ts)
• davidangularme: The merged backup restore failure PR was authored from this account and touched the same failure-handling surface. (role: recent adjacent contributor; confidence: medium; commits: f8f939cb6e17, 702a9bd356fe; files: src/config/io.observe-recovery.ts, src/config/io.observe-recovery.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

[SebTardif]

Real behavior proof (head 3656e84)

All 18 recovery tests pass, including the two new retry-after-failure tests:

✓  runtime-config  io.observe-recovery.test.ts (18 tests) 620ms

Test Files  1 passed (1)
     Tests  18 passed (18)

The fix adds an if (restoredFromBackup) guard around the health-state write in both async and sync paths. Before the fix, a failed copyFile/copyFileSync still wrote a health-state entry that marked the suspicious hash as "already recovered," suppressing future retries. The two new tests (retries recovery on next launch after a failed copyFile restore and sync recovery retries on next launch after a failed copyFileSync restore) directly validate this behavior: first launch with injected EACCES, second launch with working fs confirms retry succeeds.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26371814891
• Updated: 2026-05-24T20:31:31.338Z

[SebTardif]

@clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26371189508
• Updated: 2026-05-24T20:04:15.921Z