fix(gateway): surface headless LaunchAgent state

[fuller-stack-dev]

Summary

• classify macOS gui/$UID LaunchAgent bootstrap/print failures as a distinct missing GUI-session state
• stop gateway restart recovery from falling through to unmanaged-process restart when LaunchAgent bootstrap cannot access a logged-in GUI session
• update gateway status and doctor hints so installed-but-headless LaunchAgents explain the GUI-session requirement instead of only saying "installed but not loaded"

Real behavior proof

Behavior addressed: macOS Gateway LaunchAgent installed-but-not-loaded/headless state handling for status, doctor, start/restart recovery, and bootstrap repair.

Real environment tested: local macOS Codex worktree on macOS with an active Aqua gui/501 session, plus delegated Blacksmith Testbox attempts.

Exact steps or command run after this patch:

• pnpm docs:list
• pnpm oxfmt src/daemon/service-runtime.ts src/daemon/launchd.ts src/daemon/launchd.test.ts src/cli/daemon-cli/launchd-recovery.ts src/cli/daemon-cli/launchd-recovery.test.ts src/cli/daemon-cli/shared.ts src/cli/daemon-cli/shared.test.ts src/cli/daemon-cli/status.print.ts src/cli/daemon-cli/status.print.test.ts src/cli/daemon-cli/lifecycle.test.ts src/commands/doctor-format.ts src/commands/doctor-format.test.ts
• git diff --check
• node scripts/run-vitest.mjs src/daemon/launchd.test.ts src/cli/daemon-cli/launchd-recovery.test.ts src/cli/daemon-cli/shared.test.ts src/cli/daemon-cli/status.print.test.ts src/cli/daemon-cli/lifecycle.test.ts src/commands/doctor-format.test.ts
• launchctl print gui/$(id -u)
• launchctl print gui/999999/com.openclaw.gateway
• launchctl bootstrap gui/999999 /tmp/openclaw-codex-missing.plist
• .agents/skills/autoreview/scripts/autoreview --mode local

Evidence after fix: terminal output from the local macOS setup shows this machine has a usable GUI domain, so the exact headless Bootstrap failed: 125: Domain does not support specified action path is not directly reproducible here. The same live launchctl probes show the domain/label error surface that the patch classifies, and focused regression coverage exercised the unavailable headless branch.

$ id -u
501

$ launchctl print gui/501 | sed -n '1,12p'
gui/501 = {
	type = login
	handle = 100017
	active count = 467
	service count = 466
	active service count = 157
	creator = loginwindow[598]
	creator euid = 0
	session = Aqua
	endpoint destination = com.apple.xpc.launchd.domain.user.501
	auxiliary bootstrapper = com.apple.xpc.otherbsd (complete)
	security context = {

$ launchctl print gui/999999/com.openclaw.gateway
Bad request.
Could not find domain for user gui: 999999

$ launchctl bootstrap gui/999999 /tmp/openclaw-codex-missing.plist
Could not find domain for user gui: 999999

Supplemental regression proof: focused Vitest wrapper passed 3 shards: 2 unit-fast files / 13 tests, 1 daemon file / 87 tests, 3 cli files / 45 tests. Autoreview initially found the doctor hint priority gap; after fixing src/commands/doctor-format.ts, rerun was clean: autoreview clean: no accepted/actionable findings reported.

Observed result after fix: LaunchAgent headless GUI bootstrap failures now produce a missingGuiSession runtime/recovery state, status and doctor prioritize GUI-session guidance over generic missing-supervision wording, and restart recovery does not fall through to unmanaged restart after that launchd failure.

What was not tested: a true headless macOS loginwindow-disabled host where launchctl bootstrap gui/$UID ... returns Bootstrap failed: 125: Domain does not support specified action; this local Mac has an active Aqua session for gui/501. Final post-doctor-fix remote pnpm check:changed could not complete because Blacksmith Testbox leases tbx_01ktnbgxkyn9s5bf0xj652azgx and tbx_01ktnbhsvaeykqj4qd9f5kbevt shut down before command execution; default Crabbox mapped to Azure but this host lacks Azure CLI/session; direct AWS Crabbox requires broker login. A prior Blacksmith Testbox changed gate before the doctor follow-up completed successfully on tbx_01ktnavppcknwpxsfnhn9g6cd0 with pnpm check:changed exit 0.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 10, 2026, 1:14 AM ET / 05:14 UTC.

Summary
The PR adds a missingGuiSession LaunchAgent runtime state, routes it through gateway restart recovery, status, and doctor hints, and adds focused regression coverage.

PR surface: Source +128, Tests +205. Total +333 across 14 files.

Reproducibility: no. high-confidence exact host reproduction was established for a true headless macOS GUI-session failure. The source path is clear on current main, and the PR includes live launchctl error-shape proof plus regression tests for the unavailable branch.

Review metrics: 2 noteworthy metrics.

• Restart fallback behavior: 1 fallback path stopped. The PR stops gateway restart from falling through to unmanaged restart after a LaunchAgent GUI-session bootstrap failure.
• Runtime state surface: 1 optional state added. The new missingGuiSession flag can appear in runtime/status diagnostics, so consumers should tolerate the additive state.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Optional risk reducer: add a redacted openclaw gateway status or openclaw doctor transcript from a true headless macOS host if maintainers want OS-level proof before merge.

Risk before merge

• [P2] The PR deliberately changes gateway restart recovery: after a LaunchAgent GUI-session bootstrap failure, the current unmanaged restart fallback is blocked, so headless or SSH operators with an existing listener will now receive a GUI-session failure instead of a SIGUSR1 restart attempt.
• [P1] gateway status --json and doctor/runtime consumers can now see a new optional missingGuiSession runtime state; this is additive, but it is still a public diagnostic shape change.
• [P1] The supplied proof on latest head includes live launchctl output and focused tests, but not a true loginwindow-disabled macOS host returning the exact headless Bootstrap failed: 125 path.

Maintainer options:

1. Accept the fail-closed LaunchAgent recovery (recommended)
   Land if maintainers agree that GUI-session bootstrap failures should stop managed restart recovery instead of falling through to unmanaged listener restart.
2. Preserve fallback compatibility explicitly
   If headless operators still need unmanaged restart as the default, revise the PR to preserve that fallback and add an explicit strict LaunchAgent path with tests.
3. Wait for true headless macOS proof
   Pause merge until a loginwindow-disabled or SSH-only macOS host shows the gateway status and doctor output after this patch.

Next step before merge

• [P2] Human review should decide whether the compatibility and availability tradeoff in restart fallback behavior is acceptable; I did not find a narrow automated repair to request.

Security
Cleared: No concrete security or supply-chain concern found; the diff is bounded to launchd state classification, CLI/doctor presentation, and tests with no dependency, workflow, secret, or permission expansion.

Review details

Best possible solution:

Keep the launchd-owned classification and CLI/doctor guidance, then land only after maintainers accept the fail-closed restart fallback behavior and current proof level.

Do we have a high-confidence way to reproduce the issue?

No high-confidence exact host reproduction was established for a true headless macOS GUI-session failure. The source path is clear on current main, and the PR includes live launchctl error-shape proof plus regression tests for the unavailable branch.

Is this the best way to solve the issue?

Yes, this is likely the best code direction: classify the launchd error at the launchd runtime boundary and let CLI status, restart recovery, and doctor render that typed state. The remaining question is not the layer, but whether maintainers accept the stricter restart fallback behavior before merge.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e9671ed60327.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body and latest proof workflow include after-fix live terminal output for the relevant launchctl GUI-domain error surface plus regression proof; the only proof gap is a true headless macOS host.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body and latest proof workflow include after-fix live terminal output for the relevant launchctl GUI-domain error surface plus regression proof; the only proof gap is a true headless macOS host.
• remove rating: 🌊 off-meta tidepool: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.

Label justifications:

• P2: This is a normal-priority macOS gateway reliability fix with limited platform scope but meaningful operator impact.
• merge-risk: 🚨 compatibility: The PR changes restart fallback behavior and adds a public runtime diagnostic state that existing scripts may observe.
• merge-risk: 🚨 availability: Merging can make gateway restart fail closed on headless LaunchAgent hosts instead of attempting unmanaged process recovery.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body and latest proof workflow include after-fix live terminal output for the relevant launchctl GUI-domain error surface plus regression proof; the only proof gap is a true headless macOS host.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body and latest proof workflow include after-fix live terminal output for the relevant launchctl GUI-domain error surface plus regression proof; the only proof gap is a true headless macOS host.

Evidence reviewed

PR surface:

Source +128, Tests +205. Total +333 across 14 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	7	175	47	+128
Tests	7	207	2	+205
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	14	382	49	+333

What I checked:

• Current main collapses headless GUI-domain print failures into generic supervision state: On current main, readLaunchAgentRuntime returns missingSupervision for any failed launchctl print when the plist exists; there is no distinct GUI-session state for unsupported gui/$UID failures. (src/daemon/launchd.ts:568, e9671ed60327)
• Current main can fall through to unmanaged restart recovery: recoverInstalledLaunchAgent returns null for failed bootstrap repair, and runDaemonRestart then tries restartGatewayWithoutServiceManager, so a LaunchAgent GUI-session failure can fall through to unmanaged restart handling. (src/cli/daemon-cli/launchd-recovery.ts:28, e9671ed60327)
• PR head classifies unsupported GUI domains at the launchd owner boundary: At the PR head, readLaunchAgentRuntime sets missingGuiSession for unsupported GUI-domain details and repairLaunchAgentBootstrap returns a typed gui-session-unavailable result instead of a generic bootstrap failure. (src/daemon/launchd.ts:574, ae5e34e66793)
• PR head routes doctor to runtime hints before install guidance: The doctor flow reads runtime for local macOS gateways even when not loaded, skips install/bootstrap guidance for missingGuiSession, and notes the runtime hint instead. (src/commands/doctor-gateway-daemon-flow.ts:229, ae5e34e66793)
• Regression coverage exercises the new state and fallback behavior: The PR adds launchd tests for both Bootstrap failed: 125 and Could not find domain for user gui, a restart test that avoids unmanaged fallback, and doctor tests that prefer GUI-session hints over install guidance. (src/daemon/launchd.test.ts:431, ae5e34e66793)
• Latest head has CI and proof workflow success: The latest PR head ae5e34e667931d6f558420e8cdfc4f6343c842fe has successful CI and Real behavior proof workflow runs. (ae5e34e66793)

Likely related people:

• steipete: Recent history shows repeated work on launchd recovery, doctor gateway checks, status output, and launchd documentation across the touched surfaces. (role: recent area contributor; confidence: high; commits: fd968bfb2d16, 3b914ca40bc8, 975d40d47483; files: src/cli/daemon-cli/lifecycle.ts, src/commands/doctor-gateway-daemon-flow.ts, src/daemon/launchd.ts)
• vincentkoc: The macOS LaunchAgent supervision state currently being refined appears to trace through the fix(daemon): reconcile macOS LaunchAgent supervision state work that touched launchd, status, and doctor surfaces. (role: adjacent feature owner; confidence: high; commits: 60d4d5e1fa05; files: src/daemon/launchd.ts, src/cli/daemon-cli/status.print.ts, src/commands/doctor-gateway-daemon-flow.ts)
• obviyus: Current-main history includes gateway status/probe work in the same status presentation area, and the latest PR commit also refines missing launchd GUI domain handling. (role: adjacent gateway status contributor; confidence: medium; commits: 485c258aaf96, ae5e34e66793; files: src/cli/daemon-cli/status.print.ts, src/daemon/launchd.ts, src/commands/doctor-gateway-daemon-flow.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[fuller-stack-dev]

@clawsweeper re-review

Real behavior proof was updated in the PR body and the fresh Real behavior proof workflow passed on d40fcfc359677f3406209b61cd8d49487b817c1c: https://github.com/openclaw/openclaw/actions/runs/27185545577

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27185599211
• Updated: 2026-06-09T05:30:22.240Z

[fuller-stack-dev]

@clawsweeper re-review

Addressed the doctor finding in e8feb58: doctor now reads macOS LaunchAgent runtime before the not-loaded branch and routes gui-session-unavailable bootstrap failures through the runtime hint path instead of generic install/bootstrap guidance.

Verification:

• Real behavior proof passed on e8feb58: https://github.com/openclaw/openclaw/actions/runs/27254185221
• node scripts/run-vitest.mjs src/commands/doctor-gateway-daemon-flow.test.ts src/commands/doctor-format.test.ts
• pnpm tsgo:test:src
• .agents/skills/autoreview/scripts/autoreview --mode commit --commit HEAD: clean, no accepted/actionable findings

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Failed
• Detail: The targeted re-review did not finish cleanly. Check the workflow run for details.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27254333848
• Updated: 2026-06-10T05:01:54.680Z

[obviyus]

Landed via rebase onto main.

• Scoped tests: node scripts/run-vitest.mjs src/daemon/launchd.test.ts src/commands/doctor-gateway-daemon-flow.test.ts src/cli/daemon-cli/launchd-recovery.test.ts src/cli/daemon-cli/shared.test.ts src/cli/daemon-cli/status.print.test.ts src/cli/daemon-cli/lifecycle.test.ts src/commands/doctor-format.test.ts
• Review: .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
• Changelog: not updated; OpenClaw release generation owns CHANGELOG.md
• Land commit: ae5e34e
• Merge commit: c7b4c6b

Thanks @fuller-stack-dev!