fix(update): recover package gateway restart after refresh failure

[fuller-stack-dev]

Summary

• Continue package-update restart recovery when refreshing the managed gateway service environment from the updated install fails.
• Prefer the updated install's gateway restart path after refresh failure so unmanaged/stale gateway listeners can be replaced by the newer CLI.
• Add regression coverage for the observed stale-gateway sequence: refresh fails, first probe sees the old version, updated-root restart runs, second probe sees the new version.

Verification

• node scripts/run-vitest.mjs src/cli/update-cli.test.ts
• .agents/skills/autoreview/scripts/autoreview --mode local
• git diff --check
• npm pack --json --pack-destination /tmp/openclaw-pr-91581-artifacts from PR head 2fa5a5b2c15ec64d7d6d771d33f4496a2730d917
• Isolated macOS LaunchAgent package-update proof using published openclaw@2026.6.1 -> PR tarball openclaw-2026.6.2.tgz

Real behavior proof

Behavior addressed: Package-manager update could install the new OpenClaw package but stop restart recovery when gateway install --force failed, leaving an old gateway process serving the port.
Real environment tested: Local macOS LaunchAgent with disposable HOME, disposable npm prefix, named profile pr91581, service label ai.openclaw.pr91581, gateway port 19981, published baseline package openclaw@2026.6.1, and PR-head tarball openclaw-2026.6.2.tgz built from 2fa5a5b2c15ec64d7d6d771d33f4496a2730d917.
Exact steps or command run after this patch: Installed openclaw@2026.6.1 into /tmp/openclaw-pr-91581-live5/npm-prefix, ran openclaw --profile pr91581 gateway install --force --port 19981, verified the baseline gateway, then ran NPM_CONFIG_PREFIX=/tmp/openclaw-pr-91581-live5/npm-prefix openclaw --profile pr91581 update --tag /tmp/openclaw-pr-91581-artifacts/openclaw-2026.6.2.tgz --yes --timeout 240.
Evidence after fix: Terminal capture from the isolated run:

npm_root_g=/tmp/openclaw-pr-91581-live5/npm-prefix/lib/node_modules
baseline_cli=OpenClaw 2026.6.1 (2e08f0f)

# baseline gateway status
{
  "gatewayVersion": "2026.6.1",
  "port": 19981,
  "serviceLoaded": true,
  "serviceRuntime": "running",
  "program": [
    "/Users/jason/.nvm/versions/node/v23.11.1/bin/node",
    "/private/tmp/openclaw-pr-91581-live5/npm-prefix/lib/node_modules/openclaw/dist/index.js",
    "gateway",
    "--port",
    "19981"
  ]
}

Update Result: OK
  Root: /tmp/openclaw-pr-91581-live5/npm-prefix/lib/node_modules/openclaw
  Before: 2026.6.1
  After: 2026.6.2

Steps:
  ✓ global update (20.04s)
  ✓ global install swap (1.22s)
  ✓ openclaw doctor (5.69s)

Restarting service...
Gateway already reports the updated version after service refresh; skipped redundant restart.
Gateway: restarted and verified.

A separate disposable forced-failure run patched only the generated ai.openclaw.pr91581 service env during the update so the updated install's first launchctl bootstrap failed. That run reached the refresh-failure branch in the PR-head package:

Failed to refresh gateway service environment from updated install: Error: updated install refresh failed (/tmp/openclaw-pr-91581-live6/npm-prefix/lib/node_modules/openclaw/dist/index.js):
Gateway install failed: Error: launchctl bootstrap failed: simulated launchctl bootstrap failure for PR 91581 proof

Observed result after fix: The real named-profile package update replaced the baseline 2026.6.1 package with the PR 2026.6.2 package and verified the LaunchAgent gateway on port 19981. The forced-failure harness confirmed the updated package emits the refresh-failure path under a real package update, while the committed Vitest regression covers the intended fallback to updated-root gateway restart after that failure.
What was not tested: An organic macOS launchctl/LaunchAgent failure from the OS; the refresh-failure case was forced with a temporary launchctl wrapper in a disposable profile. The forced-failure harness was suitable for reaching the failure branch but not for a clean recovery-success claim, so the fallback success remains covered by the focused regression test.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 10, 2026, 5:15 AM ET / 09:15 UTC.

Summary
This PR changes package-update restart recovery to continue into the updated-install gateway restart path after service-environment refresh failure, adds service-root/running proof for ambiguous recovery, and adds regression tests.

PR surface: Source +58, Tests +270. Total +328 across 4 files.

Reproducibility: yes. Source inspection shows current main returns false immediately after a package service refresh failure, and the PR regression tests model the intended old-version-to-updated-version recovery path; I did not run a live current-main reproduction in this read-only review.

Review metrics: 1 noteworthy metric.

• Real Proof Head: proof names 2fa5a5b; current head is 3ae7658. The latest force-push changed the reviewed restart path after the supplied package tarball proof was captured.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦐 gold shrimp
Patch quality: 🐚 platinum hermit
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Add redacted current-head proof for refresh failure followed by updated-root restart and verified updated managed Gateway.
• Keep private details such as paths, tokens, IPs, and local account information redacted in any posted proof.

Proof guidance:

• [P1] Needs stronger real behavior proof before merge: The PR body has useful terminal proof, but it targets an older tarball commit and does not show the current head's exact refresh-failure recovery path verifying the updated managed Gateway. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• [P1] The supplied terminal proof targets an older PR tarball commit and does not demonstrate the current head's forced refresh-failure path recovering through updated-root restart and verifying the managed Gateway in one real run.
• [P2] This changes package-update Gateway restart control flow; if the fallback ordering or same-version service-root proof is wrong, users can finish an update with a stale or unavailable Gateway.

Maintainer options:

1. Refresh Current-Head Recovery Proof (recommended)
   Add redacted terminal output, logs, or a short recording from 3ae7658 or a later head where service refresh fails, updated-root restart runs, and the managed Gateway is verified updated.
2. Accept The Proof Gap
   Maintainers may explicitly accept the normal package-update proof plus forced branch-reachability proof and rely on the focused regression tests for the exact recovery success.

Next step before merge

• [P1] The remaining action is maintainer review or contributor-supplied current-head real behavior proof; there is no narrow code repair for ClawSweeper to generate.

Security
Cleared: The diff only changes CLI restart recovery code and focused tests; it does not change dependencies, workflows, package resolution, permissions, or secret handling.

Review details

Best possible solution:

Merge after redacted current-head real proof shows refresh failure, updated-root restart, and verified updated managed Gateway, or after maintainers explicitly accept the unit-test-backed proof gap for this hard-to-trigger service failure.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows current main returns false immediately after a package service refresh failure, and the PR regression tests model the intended old-version-to-updated-version recovery path; I did not run a live current-main reproduction in this read-only review.

Is this the best way to solve the issue?

Yes for the implementation shape: the PR reuses the updated-install restart path and adds service-root/running proof for ambiguous same-version recovery. The remaining blocker is validation of the current head, not an obvious better code layer.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 69aca06e0216.

Label changes

Label justifications:

• P2: The PR addresses a normal-priority package-update Gateway recovery bug with limited but real availability impact.
• merge-risk: 🚨 availability: The diff changes package-update Gateway restart fallback behavior, where a bad recovery order can leave a stale or unavailable Gateway after update.
• rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦐 gold shrimp and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR body has useful terminal proof, but it targets an older tarball commit and does not show the current head's exact refresh-failure recovery path verifying the updated managed Gateway. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Source +58, Tests +270. Total +328 across 4 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	2	83	25	+58
Tests	2	270	0	+270
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	4	353	25	+328

What I checked:

• Repository policy applied: Root AGENTS.md was read fully; no scoped src/cli AGENTS.md exists, so the root PR proof, best-fix, and availability-risk review guidance applies. (AGENTS.md:14, 69aca06e0216)
• Current main failure path: Current main logs refreshGatewayServiceEnv failure and returns false immediately for package updates, so it skips the existing updated-install restart fallback. (src/cli/update-cli/update-command.ts:2111, 69aca06e0216)
• PR recovery path: The PR head clears the stale restart script after package refresh failure, falls through to runUpdatedInstallGatewayRestart, and checks service-root proof for same-version cases. (src/cli/update-cli/update-command.ts:2167, 3ae765876907)
• Regression coverage: The PR adds tests for refresh failure falling back to updated-root restart, same-version success when the managed service points to the updated root, and same-version rejection for stale service definitions. (src/cli/update-cli.test.ts:5004, 3ae765876907)
• Running-service wait proof: The PR extends restart health waiting so callers can require the managed service runtime to report running, not only a healthy gateway listener. (src/cli/daemon-cli/restart-health.ts:548, 3ae765876907)
• Public update contract: The docs say package-manager updates refresh service metadata, restart the service, and verify the restarted Gateway reports the expected version before reporting success. Public docs: docs/cli/update.md. (docs/cli/update.md:121, 69aca06e0216)

Likely related people:

• vincentkoc: History shows work introducing and carrying the package-update service refresh and current restart path, including the current main line carrier and earlier service-refresh update commits. (role: feature owner / recent area contributor; confidence: high; commits: 45d9b2069264, 65f92fd83915, 56dc53f6d24c; files: src/cli/update-cli/update-command.ts, src/cli/update-cli.test.ts)
• steipete: History shows extensive ownership of update restart convergence and restart-health behavior across the central touched files, including the commits that verified gateway restart health after daemon restarts. (role: adjacent restart-convergence owner; confidence: high; commits: e93ba6ce2af3, 905e355f651d, 7b7d69a31e86; files: src/cli/update-cli/update-command.ts, src/cli/update-cli.test.ts, src/cli/daemon-cli/restart-health.ts)
• obviyus: The current PR head was force-pushed by obviyus and includes Ayaan Zaidi's refactor commit that added the service-root/running proof surface now under review. (role: current branch refactor author; confidence: medium; commits: 3ae765876907; files: src/cli/update-cli/update-command.ts, src/cli/update-cli.test.ts, src/cli/daemon-cli/restart-health.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[fuller-stack-dev]

@clawsweeper re-review

Updated the PR body with the requested real behavior proof. The latest Real behavior proof workflow passed: https://github.com/openclaw/openclaw/actions/runs/27182616434/job/80244803389

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27182684879
• Updated: 2026-06-09T03:58:07.876Z

[obviyus]

Land-ready proof after maintainer cleanup.

• Head: 3ae7658
• Local focused tests: node scripts/run-vitest.mjs src/cli/update-cli.test.ts src/cli/daemon-cli/restart-health.test.ts (184 passed)
• Format/whitespace: node_modules/.bin/oxfmt --write --threads=1 src/cli/update-cli/update-command.ts src/cli/update-cli.test.ts src/cli/daemon-cli/restart-health.ts src/cli/daemon-cli/restart-health.test.ts; git diff --check origin/main...HEAD
• Review gates: autoreview --mode local; autoreview --mode branch --base origin/main (both clean)
• PR checks: 164 total, 0 pending, 0 failing
• Changelog: not updated; release generation owns CHANGELOG.md.

Thanks @fuller-stack-dev.

[obviyus]

Landed via rebase onto main.

• Landed commits: cab62324f4, a283df4bfe
• Merge tip: a283df4bfe51551576034b96c1628e81401d2f3c
• Local focused tests: node scripts/run-vitest.mjs src/cli/update-cli.test.ts src/cli/daemon-cli/restart-health.test.ts (184 passed)
• Review gates: local autoreview clean; branch autoreview against origin/main clean
• PR checks before merge: 164 total, 0 pending, 0 failing
• Changelog: not updated; release generation owns CHANGELOG.md.

Thanks @fuller-stack-dev.