fix(doctor): make restart follow-up actionable

[giodl73-repo]

Closes #69755.

Behavior addressed

Post-restart doctor guidance no longer presents openclaw doctor --non-interactive as an immediate command that can be run from every delivery surface. The generated restart sentinel hint now tells users to run the profile-aware command from a terminal or approvals-capable OpenClaw surface.

Real environment tested

WSL Ubuntu local checkout on branch fix-69755-doctor-hint-actionable, based on origin/main at 11dfef201f.

Exact steps or command run after this patch

node scripts/run-vitest.mjs src/infra/restart-sentinel.test.ts src/gateway/server-methods/update.test.ts src/gateway/server-restart-sentinel.test.ts src/agents/tools/gateway-tool.test.ts src/auto-reply/reply/commands-session-restart.test.ts src/agents/openclaw-gateway-tool.test.ts --reporter=dot
./node_modules/.bin/oxfmt --check src/infra/restart-sentinel.ts src/gateway/server-methods/config-write-flow.ts src/infra/update-restart-sentinel-payload.ts src/gateway/server-restart-sentinel.ts src/agents/tools/gateway-tool.ts src/auto-reply/reply/commands-session.ts src/infra/restart-sentinel.test.ts src/gateway/server-methods/update.test.ts src/gateway/server-restart-sentinel.test.ts src/agents/tools/gateway-tool.test.ts src/auto-reply/reply/commands-session-restart.test.ts src/agents/openclaw-gateway-tool.test.ts
./node_modules/.bin/oxlint --tsconfig config/tsconfig/oxlint.core.json src/infra/restart-sentinel.ts src/infra/restart-sentinel.test.ts src/agents/openclaw-gateway-tool.test.ts src/agents/tools/gateway-tool.test.ts src/auto-reply/reply/commands-session-restart.test.ts
git diff --check

Real restart-sentinel round trip using the patched source module:

export OPENCLAW_STATE_DIR=$(mktemp -d)
export OPENCLAW_PROFILE=isolated
./node_modules/.bin/tsx --eval 'import { consumeRestartSentinel, formatDoctorNonInteractiveHint, formatRestartSentinelMessage, writeRestartSentinel } from "./src/infra/restart-sentinel.ts"; void (async () => { const payload = { kind: "restart", status: "ok", ts: Date.now(), sessionKey: "agent:main:redacted:dm:redacted", message: "/restart", doctorHint: formatDoctorNonInteractiveHint(), stats: { mode: "gateway.restart", reason: "/restart" } }; const sentinelPath = await writeRestartSentinel(payload); const sentinel = await consumeRestartSentinel(); console.log("sentinelPath=" + sentinelPath.replace(process.env.OPENCLAW_STATE_DIR, "$OPENCLAW_STATE_DIR")); console.log("--- delivered restart notice ---"); console.log(formatRestartSentinelMessage(sentinel.payload)); })();'

Evidence after fix

formatDoctorNonInteractiveHint() now returns:

Recommended follow-up: run openclaw doctor --non-interactive in a terminal or approvals-capable OpenClaw surface.

With OPENCLAW_PROFILE=isolated, it preserves profile-aware command formatting:

Recommended follow-up: run openclaw --profile isolated doctor --non-interactive in a terminal or approvals-capable OpenClaw surface.

Redacted real restart-sentinel output from the command above:

sentinelPath=$OPENCLAW_STATE_DIR/restart-sentinel.json
--- delivered restart notice ---
Gateway restart restart ok (gateway.restart)
/restart
Recommended follow-up: run openclaw --profile isolated doctor --non-interactive in a terminal or approvals-capable OpenClaw surface.

Focused restart/update delivery tests passed: 9 files, 153 tests.

GitHub CI for this PR is green, including check-guards, check-lint, check-prod-types, check-test-types, checks-node-agentic-commands-doctor, checks-node-agentic-commands-doctor-shared, checks-node-agentic-gateway-core, checks-node-auto-reply-reply-commands, and the changed-path node shards.

Observed result after fix

The restart sentinel still carries a single doctorHint string, so no public config, plugin, or payload-shape surface changed. The hint text now distinguishes recommended follow-up from actionability in constrained heartbeat/outbound contexts.

What was not tested

I did not exercise a live macOS heartbeat session or live approval-timeout flow.

node scripts/crabbox-wrapper.mjs run --shell -- "pnpm check:changed" could not run because the local crabbox binary failed its own --version/--help sanity check before invoking the command. Running pnpm check:changed directly also stopped before checks due this WSL worktree using a symlinked node_modules and pnpm requiring an interactive purge confirmation.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 27, 2026, 5:00 PM ET / 21:00 UTC.

Summary
The branch changes formatDoctorNonInteractiveHint to route users toward a terminal or approvals-capable OpenClaw surface and updates restart/gateway/session tests for the new hint.

PR surface: Source +3, Tests +21. Total +24 across 5 files.

Reproducibility: yes. from source inspection: current main still formats the restart doctor hint as an immediate Run: command, and the related issue documents the approval-constrained failure mode. I did not run a live macOS heartbeat repro in this read-only review.

Review metrics: none identified.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• none

Risk before merge

• The PR body did not exercise a live macOS heartbeat or approval-timeout flow; confidence comes from the shared helper, focused sibling-surface tests, and a source-module restart-sentinel round trip.

Maintainer options:

1. Decide the mitigation before merge
   Land the narrow helper and test update after protected-label maintainer review, then let the closing reference resolve Post-restart suggestion to run openclaw doctor --non-interactive is not always actionable in heartbeat / approval-constrained contexts #69755.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge
Manual review is appropriate because the PR has a protected maintainer label and no narrow automated repair remains after proof was added.

Security
Cleared: The diff only changes a restart guidance string and tests; it does not touch dependencies, workflows, credentials, permissions, downloads, or package execution surfaces.

Review details

Best possible solution:

Land the narrow helper and test update after protected-label maintainer review, then let the closing reference resolve #69755.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection: current main still formats the restart doctor hint as an immediate Run: command, and the related issue documents the approval-constrained failure mode. I did not run a live macOS heartbeat repro in this read-only review.

Is this the best way to solve the issue?

Yes: updating the central helper is the narrowest maintainable fix because update, config-write, gateway-tool, and auto-reply restart paths already share that formatter and the PR preserves the existing payload shape.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 7f7eca1ad2ba.

Label changes

Label changes:

• add P2: The PR addresses a real post-restart operational follow-up bug, but the blast radius is limited to user-facing guidance text.
• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body now includes redacted terminal output from a patched restart-sentinel write/consume round trip showing the new profile-aware hint after the fix.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🦞 diamond lobster.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body now includes redacted terminal output from a patched restart-sentinel write/consume round trip showing the new profile-aware hint after the fix.
• remove rating: 🦪 silver shellfish: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P2: The PR addresses a real post-restart operational follow-up bug, but the blast radius is limited to user-facing guidance text.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body now includes redacted terminal output from a patched restart-sentinel write/consume round trip showing the new profile-aware hint after the fix.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body now includes redacted terminal output from a patched restart-sentinel write/consume round trip showing the new profile-aware hint after the fix.

Evidence reviewed

PR surface:

Source +3, Tests +21. Total +24 across 5 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	4	1	+3
Tests	4	29	8	+21
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	5	33	9	+24

What I checked:

• Repository policy read: Root AGENTS.md and scoped src/agents / src/agents/tools policy were read fully; the protected-label, real-proof, and scoped agent-test guidance affected this review. (AGENTS.md:17, 7f7eca1ad2ba)
• Current main still has the reported hint: On current main, the central formatter still returns Run: ${formatCliCommand("openclaw doctor --non-interactive", env)}, so the central problem is not already implemented on main. (src/infra/restart-sentinel.ts:76, 7f7eca1ad2ba)
• Shipped release still has the reported hint: The latest release tag v2026.5.26 points at 10ad3aa16068baa84a1bd9ac4f7d42ae725cedb7 and contains the same immediate Run: doctor hint. (src/infra/restart-sentinel.ts:76, 10ad3aa16068)
• Patch is narrow and central: The PR commit changes only the shared restart-sentinel hint helper plus expectations in five focused tests; it does not change sentinel payload shape, config, dependencies, or workflows. (src/infra/restart-sentinel.ts:73, 14159d24c726)
• Shared callers use the central formatter: Update, config-write, gateway-tool restart, and auto-reply restart paths all populate doctorHint through formatDoctorNonInteractiveHint, so changing the helper reaches the sibling restart surfaces inspected. (src/infra/update-restart-sentinel-payload.ts:43, 7f7eca1ad2ba)
• Real behavior proof supplied: The updated PR body includes a redacted terminal round trip that writes and consumes a restart sentinel with OPENCLAW_PROFILE=isolated and prints the new profile-aware follow-up message. (14159d24c726)

Likely related people:

• steipete: Peter Steinberger is the blamed author/committer for the current restart-sentinel helper and the current restart caller wiring after the latest main-side packaging refresh. (role: recent area contributor; confidence: high; commits: 659b5dce79ee; files: src/infra/restart-sentinel.ts, src/infra/update-restart-sentinel-payload.ts, src/gateway/server-methods/config-write-flow.ts)
• steipete: The earlier command formatting behavior used by the doctor hint was normalized in commit 6d5195c890699c49e41e4bd4b632ed7efe95d6df. (role: command-hint refactor owner; confidence: high; commits: 6d5195c89069; files: src/cli/command-format.ts, src/infra/restart-sentinel.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Brave Branchling

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: sparkles near resolved comments.
Image traits: location proof lagoon; accessory tiny test log scroll; palette cobalt, lime, and pearl; mood sleepy but ready; pose sitting proudly on a smooth stone; shell brushed metal shell; lighting tiny status-light glow; background little resolved-comment flags.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Brave Branchling in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[giodl73-repo]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26538052141
• Updated: 2026-05-27T21:01:03.494Z

[steipete]

Maintainer review approved.

Behavior addressed: post-restart doctor guidance is no longer presented as an immediately actionable command from every delivery surface; it now points users to a terminal or approvals-capable OpenClaw surface while preserving profile-aware command formatting.

Real environment tested: GitHub CI for PR head 14159d2; maintainer code-path review from a clean local main checkout.

Exact steps or command run after this patch:

• git status -sb
• git pull --ff-only
• gh pr view 87361 --repo openclaw/openclaw --json number,title,state,isDraft,mergeable,reviewDecision,headRefOid,baseRefOid,author,assignees,maintainerCanModify,url,body,additions,deletions,changedFiles
• gh pr checks 87361 --repo openclaw/openclaw --json name,state,bucket,workflow,link
• gh pr diff 87361 --repo openclaw/openclaw --patch
• gh issue view 69755 --repo openclaw/openclaw
• rg -n "formatDoctorNonInteractiveHint|doctorHint|restart-sentinel|formatRestartSentinelMessage" src/infra src/gateway src/agents src/auto-reply
• read restart sentinel formatter, gateway restart tool, slash restart command, config write sentinel, update sentinel payload, and adjacent tests

Evidence after fix: diff changes the shared formatDoctorNonInteractiveHint() string only, and all restart/config/update writers still populate the same single doctorHint field consumed by formatRestartSentinelMessage(). CI reports 104 checks with no fail/pending/cancel blockers; relevant green lanes include check-guards, check-lint, check-prod-types, check-test-types, checks-node-agentic-commands-doctor, checks-node-agentic-commands-doctor-shared, checks-node-agentic-gateway-core, and checks-node-auto-reply-reply-commands.

Observed result after fix: example restart sentinel output changes from Run: openclaw --profile isolated doctor --non-interactive to Recommended follow-up: run openclaw --profile isolated doctor --non-interactive in a terminal or approvals-capable OpenClaw surface.

What was not tested: I did not run a live macOS heartbeat session or live approval-timeout flow locally; contributor noted the same gap in the PR body.

[steipete]

Landed on main.

• Gate: GitHub CI for head 14159d2 reported 104 checks with no fail/pending/cancel blockers; maintainer review covered restart-sentinel formatter and restart/config/update doctorHint writers.
• Merge commit: f3e2851
• Linked issue: Post-restart suggestion to run openclaw doctor --non-interactive is not always actionable in heartbeat / approval-constrained contexts #69755 is closed with proof.

Thanks @giodl73-repo!