fix: recover suspicious gateway startup configs

[steipete]

Summary

• Recover suspicious-but-valid tiny config clobbers only on gateway startup snapshot reads and loadConfig, leaving ordinary snapshot reads observational unless explicitly opted in.
• Validate .bak candidates with current config/plugin rules before copying them over openclaw.json.
• Avoid include-authored root restores and clean up env mutations from discarded clobbered configs before rereading the restored backup.

Fixes #89331

Verification

• node scripts/run-vitest.mjs src/config/io.observe-recovery.test.ts src/config/io.best-effort.test.ts --reporter=verbose
• node scripts/run-vitest.mjs src/config/io.write-config.test.ts --reporter=verbose
• node scripts/run-oxlint.mjs src/config/io.ts src/config/io.observe-recovery.ts src/config/io.observe-recovery.test.ts src/cli/gateway-cli/run.ts
• pnpm exec oxfmt --check --threads=1 src/config/io.ts src/config/io.observe-recovery.ts src/config/io.observe-recovery.test.ts src/cli/gateway-cli/run.ts
• /Users/steipete/Projects/agent-scripts/skills/autoreview/scripts/autoreview --mode local (clean)

[clawsweeper]

ClawSweeper status: review started.

I am starting a fresh review of this pull request: fix: recover suspicious gateway startup configs This is item 1/1 in the current shard. Shard 0/1.

This placeholder means the worker is alive and reading the current context. I will edit this same comment with the actual review when the claws are done clicking.

Crustacean status: shell secured, claws on keyboard, evidence pebbles being sorted.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7ceaf4c40e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Validate the backup file before restoring it

When a health entry exists, the later backupBaseline = entry.lastKnownGood gateway-mode check can pass without inspecting the actual .bak that was just parsed, so a stale/rotated .bak that is otherwise schema-valid but lacks gateway.mode can be copied over openclaw.json. This is reachable because ordinary observed reads update config-health.json without refreshing .bak; the next suspicious startup can then restore that stale backup and still fail the gateway-mode startup guard. Please fingerprint/validate the backup file itself before accepting it, and mirror the fix in the sync path.

Useful? React with 👍 / 👎.

[steipete]

Land-ready proof for head 7ceaf4c40e88bf25085b0576c4e1a0e572041881.

Local verification:

• node scripts/run-vitest.mjs src/config/io.observe-recovery.test.ts src/config/io.best-effort.test.ts --reporter=verbose
• node scripts/run-vitest.mjs src/config/io.write-config.test.ts --reporter=verbose
• node scripts/run-oxlint.mjs src/config/io.ts src/config/io.observe-recovery.ts src/config/io.observe-recovery.test.ts src/cli/gateway-cli/run.ts
• pnpm exec oxfmt --check --threads=1 src/config/io.ts src/config/io.observe-recovery.ts src/config/io.observe-recovery.test.ts src/cli/gateway-cli/run.ts
• git diff --check
• autoreview clean: no accepted/actionable findings.

CI:

• PR CI passed on head 7ceaf4c40e88bf25085b0576c4e1a0e572041881.
• OpenGrep precise scan initially failed during tool install (Failed to fetch available versions from GitHub), then passed after rerun.

Known gaps: none for this config startup/recovery surface.