openclaw/src/cli/daemon-cli/lifecycle-core.ts

import type { Writable } from "node:stream";
import { loadConfig } from "../../config/config.js";
import { resolveIsNixMode } from "../../config/paths.js";
import { checkTokenDrift } from "../../daemon/service-audit.js";
import type { GatewayService } from "../../daemon/service.js";
import { renderSystemdUnavailableHints } from "../../daemon/systemd-hints.js";
import { isSystemdUserServiceAvailable } from "../../daemon/systemd.js";
import {
  isGatewaySecretRefUnavailableError,
  resolveGatewayCredentialsFromConfig,
} from "../../gateway/credentials.js";
import { isWSL } from "../../infra/wsl.js";
import { defaultRuntime } from "../../runtime.js";
import {
  buildDaemonServiceSnapshot,
  createNullWriter,
  type DaemonAction,
  type DaemonActionResponse,
  emitDaemonActionJson,
} from "./response.js";

type DaemonLifecycleOptions = {
  json?: boolean;
};

type RestartPostCheckContext = {
  json: boolean;
  stdout: Writable;
  warnings: string[];
  fail: (message: string, hints?: string[]) => void;
};

async function maybeAugmentSystemdHints(hints: string[]): Promise<string[]> {
  if (process.platform !== "linux") {
    return hints;
  }
  const systemdAvailable = await isSystemdUserServiceAvailable().catch(() => false);
  if (systemdAvailable) {
    return hints;
  }
  return [...hints, ...renderSystemdUnavailableHints({ wsl: await isWSL() })];
}

function createActionIO(params: { action: DaemonAction; json: boolean }) {
  const stdout = params.json ? createNullWriter() : process.stdout;
  const emit = (payload: Omit<DaemonActionResponse, "action">) => {
    if (!params.json) {
      return;
    }
    emitDaemonActionJson({ action: params.action, ...payload });
  };
  const fail = (message: string, hints?: string[]) => {
    if (params.json) {
      emit({ ok: false, error: message, hints });
    } else {
      defaultRuntime.error(message);
    }
    defaultRuntime.exit(1);
  };
  return { stdout, emit, fail };
}

async function handleServiceNotLoaded(params: {
  serviceNoun: string;
  service: GatewayService;
  loaded: boolean;
  renderStartHints: () => string[];
  json: boolean;
  emit: ReturnType<typeof createActionIO>["emit"];
}) {
  const hints = await maybeAugmentSystemdHints(params.renderStartHints());
  params.emit({
    ok: true,
    result: "not-loaded",
    message: `${params.serviceNoun} service ${params.service.notLoadedText}.`,
    hints,
    service: buildDaemonServiceSnapshot(params.service, params.loaded),
  });
  if (!params.json) {
    defaultRuntime.log(`${params.serviceNoun} service ${params.service.notLoadedText}.`);
    for (const hint of hints) {
      defaultRuntime.log(`Start with: ${hint}`);
    }
  }
}

async function resolveServiceLoadedOrFail(params: {
  serviceNoun: string;
  service: GatewayService;
  fail: ReturnType<typeof createActionIO>["fail"];
}): Promise<boolean | null> {
  try {
    return await params.service.isLoaded({ env: process.env });
  } catch (err) {
    params.fail(`${params.serviceNoun} service check failed: ${String(err)}`);
    return null;
  }
}

export async function runServiceUninstall(params: {
  serviceNoun: string;
  service: GatewayService;
  opts?: DaemonLifecycleOptions;
  stopBeforeUninstall: boolean;
  assertNotLoadedAfterUninstall: boolean;
}) {
  const json = Boolean(params.opts?.json);
  const { stdout, emit, fail } = createActionIO({ action: "uninstall", json });

  if (resolveIsNixMode(process.env)) {
    fail("Nix mode detected; service uninstall is disabled.");
    return;
  }

  let loaded = false;
  try {
    loaded = await params.service.isLoaded({ env: process.env });
  } catch {
    loaded = false;
  }
  if (loaded && params.stopBeforeUninstall) {
    try {
      await params.service.stop({ env: process.env, stdout });
    } catch {
      // Best-effort stop; final loaded check gates success when enabled.
    }
  }
  try {
    await params.service.uninstall({ env: process.env, stdout });
  } catch (err) {
    fail(`${params.serviceNoun} uninstall failed: ${String(err)}`);
    return;
  }

  loaded = false;
  try {
    loaded = await params.service.isLoaded({ env: process.env });
  } catch {
    loaded = false;
  }
  if (loaded && params.assertNotLoadedAfterUninstall) {
    fail(`${params.serviceNoun} service still loaded after uninstall.`);
    return;
  }
  emit({
    ok: true,
    result: "uninstalled",
    service: buildDaemonServiceSnapshot(params.service, loaded),
  });
}

export async function runServiceStart(params: {
  serviceNoun: string;
  service: GatewayService;
  renderStartHints: () => string[];
  opts?: DaemonLifecycleOptions;
}) {
  const json = Boolean(params.opts?.json);
  const { stdout, emit, fail } = createActionIO({ action: "start", json });

  const loaded = await resolveServiceLoadedOrFail({
    serviceNoun: params.serviceNoun,
    service: params.service,
    fail,
  });
  if (loaded === null) {
    return;
  }
  if (!loaded) {
    await handleServiceNotLoaded({
      serviceNoun: params.serviceNoun,
      service: params.service,
      loaded,
      renderStartHints: params.renderStartHints,
      json,
      emit,
    });
    return;
  }
  try {
    await params.service.restart({ env: process.env, stdout });
  } catch (err) {
    const hints = params.renderStartHints();
    fail(`${params.serviceNoun} start failed: ${String(err)}`, hints);
    return;
  }

  let started = true;
  try {
    started = await params.service.isLoaded({ env: process.env });
  } catch {
    started = true;
  }
  emit({
    ok: true,
    result: "started",
    service: buildDaemonServiceSnapshot(params.service, started),
  });
}

export async function runServiceStop(params: {
  serviceNoun: string;
  service: GatewayService;
  opts?: DaemonLifecycleOptions;
}) {
  const json = Boolean(params.opts?.json);
  const { stdout, emit, fail } = createActionIO({ action: "stop", json });

  const loaded = await resolveServiceLoadedOrFail({
    serviceNoun: params.serviceNoun,
    service: params.service,
    fail,
  });
  if (loaded === null) {
    return;
  }
  if (!loaded) {
    emit({
      ok: true,
      result: "not-loaded",
      message: `${params.serviceNoun} service ${params.service.notLoadedText}.`,
      service: buildDaemonServiceSnapshot(params.service, loaded),
    });
    if (!json) {
      defaultRuntime.log(`${params.serviceNoun} service ${params.service.notLoadedText}.`);
    }
    return;
  }
  try {
    await params.service.stop({ env: process.env, stdout });
  } catch (err) {
    fail(`${params.serviceNoun} stop failed: ${String(err)}`);
    return;
  }

  let stopped = false;
  try {
    stopped = await params.service.isLoaded({ env: process.env });
  } catch {
    stopped = false;
  }
  emit({
    ok: true,
    result: "stopped",
    service: buildDaemonServiceSnapshot(params.service, stopped),
  });
}

export async function runServiceRestart(params: {
  serviceNoun: string;
  service: GatewayService;
  renderStartHints: () => string[];
  opts?: DaemonLifecycleOptions;
  checkTokenDrift?: boolean;
  postRestartCheck?: (ctx: RestartPostCheckContext) => Promise<void>;
}): Promise<boolean> {
  const json = Boolean(params.opts?.json);
  const { stdout, emit, fail } = createActionIO({ action: "restart", json });

  const loaded = await resolveServiceLoadedOrFail({
    serviceNoun: params.serviceNoun,
    service: params.service,
    fail,
  });
  if (loaded === null) {
    return false;
  }
  if (!loaded) {
    await handleServiceNotLoaded({
      serviceNoun: params.serviceNoun,
      service: params.service,
      loaded,
      renderStartHints: params.renderStartHints,
      json,
      emit,
    });
    return false;
  }

  const warnings: string[] = [];
  if (params.checkTokenDrift) {
    // Check for token drift before restart (service token vs config token)
    try {
      const command = await params.service.readCommand(process.env);
      const serviceToken = command?.environment?.OPENCLAW_GATEWAY_TOKEN;
      const cfg = loadConfig();
      const configToken = resolveGatewayCredentialsFromConfig({
        cfg,
        env: process.env,
        modeOverride: "local",
        // Drift checks should compare the persisted gateway token against the
        // service token, not let an exported shell env mask config drift.
        localTokenPrecedence: "config-first",
      }).token;
      const driftIssue = checkTokenDrift({ serviceToken, configToken });
      if (driftIssue) {
        const warning = driftIssue.detail
          ? `${driftIssue.message} ${driftIssue.detail}`
          : driftIssue.message;
        warnings.push(warning);
        if (!json) {
          defaultRuntime.log(`\n⚠️  ${driftIssue.message}`);
          if (driftIssue.detail) {
            defaultRuntime.log(`   ${driftIssue.detail}\n`);
          }
        }
      }
    } catch (err) {
      if (isGatewaySecretRefUnavailableError(err, "gateway.auth.token")) {
        const warning =
          "Unable to verify gateway token drift: gateway.auth.token SecretRef is configured but unavailable in this command path.";
        warnings.push(warning);
        if (!json) {
          defaultRuntime.log(`\n⚠️  ${warning}\n`);
        }
      }
    }
  }

  try {
    await params.service.restart({ env: process.env, stdout });
    if (params.postRestartCheck) {
      await params.postRestartCheck({ json, stdout, warnings, fail });
    }
    let restarted = true;
    try {
      restarted = await params.service.isLoaded({ env: process.env });
    } catch {
      restarted = true;
    }
    emit({
      ok: true,
      result: "restarted",
      service: buildDaemonServiceSnapshot(params.service, restarted),
      warnings: warnings.length ? warnings : undefined,
    });
    return true;
  } catch (err) {
    const hints = params.renderStartHints();
    fail(`${params.serviceNoun} restart failed: ${String(err)}`, hints);
    return false;
  }
}
-												fix: verify gateway restart health after daemon restart

											
										
										
											2026-02-21 18:02:05 +01:00
+								import type { Writable } from "node:stream";
-												fix(daemon): warn on token drift during restart (#18018)

When the gateway token in config differs from the token embedded in the
service plist/unit file, restart will not apply the new token. This can
cause silent auth failures after OAuth token switches.

Changes:
- Add checkTokenDrift() to service-audit.ts
- Call it in runServiceRestart() before restarting
- Warn user with suggestion to run 'openclaw gateway install --force'

Closes #18018

											
										
										
											2026-02-16 14:03:28 +01:00
+								import { loadConfig } from "../../config/config.js";
-												refactor(daemon): share service lifecycle runner

											
										
										
											2026-02-14 14:00:34 +00:00
+								import { resolveIsNixMode } from "../../config/paths.js";
-												fix(daemon): warn on token drift during restart (#18018)

When the gateway token in config differs from the token embedded in the
service plist/unit file, restart will not apply the new token. This can
cause silent auth failures after OAuth token switches.

Changes:
- Add checkTokenDrift() to service-audit.ts
- Call it in runServiceRestart() before restarting
- Warn user with suggestion to run 'openclaw gateway install --force'

Closes #18018

											
										
										
											2026-02-16 14:03:28 +01:00
+								import { checkTokenDrift } from "../../daemon/service-audit.js";
-												style: align formatting with oxfmt 0.33

											
										
										
											2026-02-18 01:34:35 +00:00
+								import type { GatewayService } from "../../daemon/service.js";
-												refactor(daemon): share service lifecycle runner

											
										
										
											2026-02-14 14:00:34 +00:00
+								import { renderSystemdUnavailableHints } from "../../daemon/systemd-hints.js";
 								import { isSystemdUserServiceAvailable } from "../../daemon/systemd.js";
-												Daemon CLI: resolve token drift from gateway credentials

											
										
										
											2026-03-07 16:02:18 -08:00
+								import {
 								  isGatewaySecretRefUnavailableError,
 								  resolveGatewayCredentialsFromConfig,
 								} from "../../gateway/credentials.js";
-												refactor(daemon): share service lifecycle runner

											
										
										
											2026-02-14 14:00:34 +00:00
+								import { isWSL } from "../../infra/wsl.js";
 								import { defaultRuntime } from "../../runtime.js";
 								import {
 								  buildDaemonServiceSnapshot,
 								  createNullWriter,
 								  type DaemonAction,
-												refactor: reuse daemon action response type in lifecycle core

											
										
										
											2026-02-19 14:03:47 +00:00
+								  type DaemonActionResponse,
-												refactor(daemon): share service lifecycle runner

											
										
										
											2026-02-14 14:00:34 +00:00
+								  emitDaemonActionJson,
 								} from "./response.js";
 								type DaemonLifecycleOptions = {
 								  json?: boolean;
 								};
-												fix: verify gateway restart health after daemon restart

											
										
										
											2026-02-21 18:02:05 +01:00
+								type RestartPostCheckContext = {
 								  json: boolean;
 								  stdout: Writable;
 								  warnings: string[];
 								  fail: (message: string, hints?: string[]) => void;
 								};
-												refactor(daemon): share service lifecycle runner

											
										
										
											2026-02-14 14:00:34 +00:00
+								async function maybeAugmentSystemdHints(hints: string[]): Promise<string[]> {
 								  if (process.platform !== "linux") {
 								    return hints;
 								  }
 								  const systemdAvailable = await isSystemdUserServiceAvailable().catch(() => false);
 								  if (systemdAvailable) {
 								    return hints;
 								  }
 								  return [...hints, ...renderSystemdUnavailableHints({ wsl: await isWSL() })];
 								}
 								function createActionIO(params: { action: DaemonAction; json: boolean }) {
 								  const stdout = params.json ? createNullWriter() : process.stdout;
-												refactor: reuse daemon action response type in lifecycle core

											
										
										
											2026-02-19 14:03:47 +00:00
+								  const emit = (payload: Omit<DaemonActionResponse, "action">) => {
-												refactor(daemon): share service lifecycle runner

											
										
										
											2026-02-14 14:00:34 +00:00
+								    if (!params.json) {
 								      return;
 								    }
 								    emitDaemonActionJson({ action: params.action, ...payload });
 								  };
 								  const fail = (message: string, hints?: string[]) => {
 								    if (params.json) {
 								      emit({ ok: false, error: message, hints });
 								    } else {
 								      defaultRuntime.error(message);
 								    }
 								    defaultRuntime.exit(1);
 								  };
 								  return { stdout, emit, fail };
 								}
-												refactor(daemon-cli): dedupe not-loaded hints

											
										
										
											2026-02-15 12:57:47 +00:00
+								async function handleServiceNotLoaded(params: {
 								  serviceNoun: string;
 								  service: GatewayService;
 								  loaded: boolean;
 								  renderStartHints: () => string[];
 								  json: boolean;
 								  emit: ReturnType<typeof createActionIO>["emit"];
 								}) {
 								  const hints = await maybeAugmentSystemdHints(params.renderStartHints());
 								  params.emit({
 								    ok: true,
 								    result: "not-loaded",
 								    message: `${params.serviceNoun} service ${params.service.notLoadedText}.`,
 								    hints,
 								    service: buildDaemonServiceSnapshot(params.service, params.loaded),
 								  });
 								  if (!params.json) {
 								    defaultRuntime.log(`${params.serviceNoun} service ${params.service.notLoadedText}.`);
 								    for (const hint of hints) {
 								      defaultRuntime.log(`Start with: ${hint}`);
 								    }
 								  }
 								}
-												refactor(cli): dedupe service-load and command-removal loops

											
										
										
											2026-02-18 22:40:09 +00:00
+								async function resolveServiceLoadedOrFail(params: {
 								  serviceNoun: string;
 								  service: GatewayService;
 								  fail: ReturnType<typeof createActionIO>["fail"];
 								}): Promise<boolean | null> {
 								  try {
 								    return await params.service.isLoaded({ env: process.env });
 								  } catch (err) {
 								    params.fail(`${params.serviceNoun} service check failed: ${String(err)}`);
 								    return null;
 								  }
 								}
-												refactor(daemon): share service lifecycle runner

											
										
										
											2026-02-14 14:00:34 +00:00
+								export async function runServiceUninstall(params: {
 								  serviceNoun: string;
 								  service: GatewayService;
 								  opts?: DaemonLifecycleOptions;
 								  stopBeforeUninstall: boolean;
 								  assertNotLoadedAfterUninstall: boolean;
 								}) {
 								  const json = Boolean(params.opts?.json);
 								  const { stdout, emit, fail } = createActionIO({ action: "uninstall", json });
 								  if (resolveIsNixMode(process.env)) {
 								    fail("Nix mode detected; service uninstall is disabled.");
 								    return;
 								  }
 								  let loaded = false;
 								  try {
 								    loaded = await params.service.isLoaded({ env: process.env });
 								  } catch {
 								    loaded = false;
 								  }
 								  if (loaded && params.stopBeforeUninstall) {
 								    try {
 								      await params.service.stop({ env: process.env, stdout });
 								    } catch {
 								      // Best-effort stop; final loaded check gates success when enabled.
 								    }
 								  }
 								  try {
 								    await params.service.uninstall({ env: process.env, stdout });
 								  } catch (err) {
 								    fail(`${params.serviceNoun} uninstall failed: ${String(err)}`);
 								    return;
 								  }
 								  loaded = false;
 								  try {
 								    loaded = await params.service.isLoaded({ env: process.env });
 								  } catch {
 								    loaded = false;
 								  }
 								  if (loaded && params.assertNotLoadedAfterUninstall) {
 								    fail(`${params.serviceNoun} service still loaded after uninstall.`);
 								    return;
 								  }
 								  emit({
 								    ok: true,
 								    result: "uninstalled",
 								    service: buildDaemonServiceSnapshot(params.service, loaded),
 								  });
 								}
 								export async function runServiceStart(params: {
 								  serviceNoun: string;
 								  service: GatewayService;
 								  renderStartHints: () => string[];
 								  opts?: DaemonLifecycleOptions;
 								}) {
 								  const json = Boolean(params.opts?.json);
 								  const { stdout, emit, fail } = createActionIO({ action: "start", json });
-												refactor(cli): dedupe service-load and command-removal loops

											
										
										
											2026-02-18 22:40:09 +00:00
+								  const loaded = await resolveServiceLoadedOrFail({
 								    serviceNoun: params.serviceNoun,
 								    service: params.service,
 								    fail,
 								  });
 								  if (loaded === null) {
-												refactor(daemon): share service lifecycle runner

											
										
										
											2026-02-14 14:00:34 +00:00
+								    return;
 								  }
 								  if (!loaded) {
-												refactor(daemon-cli): dedupe not-loaded hints

											
										
										
											2026-02-15 12:57:47 +00:00
+								    await handleServiceNotLoaded({
 								      serviceNoun: params.serviceNoun,
 								      service: params.service,
 								      loaded,
 								      renderStartHints: params.renderStartHints,
 								      json,
 								      emit,
-												refactor(daemon): share service lifecycle runner

											
										
										
											2026-02-14 14:00:34 +00:00
+								    });
 								    return;
 								  }
 								  try {
 								    await params.service.restart({ env: process.env, stdout });
 								  } catch (err) {
 								    const hints = params.renderStartHints();
 								    fail(`${params.serviceNoun} start failed: ${String(err)}`, hints);
 								    return;
 								  }
 								  let started = true;
 								  try {
 								    started = await params.service.isLoaded({ env: process.env });
 								  } catch {
 								    started = true;
 								  }
 								  emit({
 								    ok: true,
 								    result: "started",
 								    service: buildDaemonServiceSnapshot(params.service, started),
 								  });
 								}
 								export async function runServiceStop(params: {
 								  serviceNoun: string;
 								  service: GatewayService;
 								  opts?: DaemonLifecycleOptions;
 								}) {
 								  const json = Boolean(params.opts?.json);
 								  const { stdout, emit, fail } = createActionIO({ action: "stop", json });
-												refactor(cli): dedupe service-load and command-removal loops

											
										
										
											2026-02-18 22:40:09 +00:00
+								  const loaded = await resolveServiceLoadedOrFail({
 								    serviceNoun: params.serviceNoun,
 								    service: params.service,
 								    fail,
 								  });
 								  if (loaded === null) {
-												refactor(daemon): share service lifecycle runner

											
										
										
											2026-02-14 14:00:34 +00:00
+								    return;
 								  }
 								  if (!loaded) {
 								    emit({
 								      ok: true,
 								      result: "not-loaded",
 								      message: `${params.serviceNoun} service ${params.service.notLoadedText}.`,
 								      service: buildDaemonServiceSnapshot(params.service, loaded),
 								    });
 								    if (!json) {
 								      defaultRuntime.log(`${params.serviceNoun} service ${params.service.notLoadedText}.`);
 								    }
 								    return;
 								  }
 								  try {
 								    await params.service.stop({ env: process.env, stdout });
 								  } catch (err) {
 								    fail(`${params.serviceNoun} stop failed: ${String(err)}`);
 								    return;
 								  }
 								  let stopped = false;
 								  try {
 								    stopped = await params.service.isLoaded({ env: process.env });
 								  } catch {
 								    stopped = false;
 								  }
 								  emit({
 								    ok: true,
 								    result: "stopped",
 								    service: buildDaemonServiceSnapshot(params.service, stopped),
 								  });
 								}
 								export async function runServiceRestart(params: {
 								  serviceNoun: string;
 								  service: GatewayService;
 								  renderStartHints: () => string[];
 								  opts?: DaemonLifecycleOptions;
-												fix(daemon): scope token drift warnings

											
										
										
											2026-02-17 08:44:07 -05:00
+								  checkTokenDrift?: boolean;
-												fix: verify gateway restart health after daemon restart

											
										
										
											2026-02-21 18:02:05 +01:00
+								  postRestartCheck?: (ctx: RestartPostCheckContext) => Promise<void>;
-												refactor(daemon): share service lifecycle runner

											
										
										
											2026-02-14 14:00:34 +00:00
+								}): Promise<boolean> {
 								  const json = Boolean(params.opts?.json);
 								  const { stdout, emit, fail } = createActionIO({ action: "restart", json });
-												refactor(cli): dedupe service-load and command-removal loops

											
										
										
											2026-02-18 22:40:09 +00:00
+								  const loaded = await resolveServiceLoadedOrFail({
 								    serviceNoun: params.serviceNoun,
 								    service: params.service,
 								    fail,
 								  });
 								  if (loaded === null) {
-												refactor(daemon): share service lifecycle runner

											
										
										
											2026-02-14 14:00:34 +00:00
+								    return false;
 								  }
 								  if (!loaded) {
-												refactor(daemon-cli): dedupe not-loaded hints

											
										
										
											2026-02-15 12:57:47 +00:00
+								    await handleServiceNotLoaded({
 								      serviceNoun: params.serviceNoun,
 								      service: params.service,
 								      loaded,
 								      renderStartHints: params.renderStartHints,
 								      json,
 								      emit,
-												refactor(daemon): share service lifecycle runner

											
										
										
											2026-02-14 14:00:34 +00:00
+								    });
 								    return false;
 								  }
-												fix(daemon): warn on token drift during restart (#18018)

When the gateway token in config differs from the token embedded in the
service plist/unit file, restart will not apply the new token. This can
cause silent auth failures after OAuth token switches.

Changes:
- Add checkTokenDrift() to service-audit.ts
- Call it in runServiceRestart() before restarting
- Warn user with suggestion to run 'openclaw gateway install --force'

Closes #18018

											
										
										
											2026-02-16 14:03:28 +01:00
-												fix: include token drift warning in JSON response

Address review feedback - when --json mode is used, the drift warning
was completely suppressed. Now it's included in the warnings array
of the DaemonActionResponse so programmatic consumers can surface it.

											
										
										
											2026-02-16 14:48:00 +01:00
+								  const warnings: string[] = [];
-												fix(daemon): scope token drift warnings

											
										
										
											2026-02-17 08:44:07 -05:00
+								  if (params.checkTokenDrift) {
 								    // Check for token drift before restart (service token vs config token)
 								    try {
 								      const command = await params.service.readCommand(process.env);
 								      const serviceToken = command?.environment?.OPENCLAW_GATEWAY_TOKEN;
 								      const cfg = loadConfig();
-												Daemon CLI: resolve token drift from gateway credentials

											
										
										
											2026-03-07 16:02:18 -08:00
+								      const configToken = resolveGatewayCredentialsFromConfig({
 								        cfg,
 								        env: process.env,
 								        modeOverride: "local",
-												fix(cron): restore isolated delivery defaults

											
										
										
											2026-03-08 00:18:31 +00:00
+								        // Drift checks should compare the persisted gateway token against the
 								        // service token, not let an exported shell env mask config drift.
 								        localTokenPrecedence: "config-first",
-												Daemon CLI: resolve token drift from gateway credentials

											
										
										
											2026-03-07 16:02:18 -08:00
+								      }).token;
-												fix(daemon): scope token drift warnings

											
										
										
											2026-02-17 08:44:07 -05:00
+								      const driftIssue = checkTokenDrift({ serviceToken, configToken });
 								      if (driftIssue) {
 								        const warning = driftIssue.detail
 								          ? `${driftIssue.message} ${driftIssue.detail}`
 								          : driftIssue.message;
 								        warnings.push(warning);
 								        if (!json) {
 								          defaultRuntime.log(`\n⚠️  ${driftIssue.message}`);
 								          if (driftIssue.detail) {
 								            defaultRuntime.log(`   ${driftIssue.detail}\n`);
 								          }
-												fix: include token drift warning in JSON response

Address review feedback - when --json mode is used, the drift warning
was completely suppressed. Now it's included in the warnings array
of the DaemonActionResponse so programmatic consumers can surface it.

											
										
										
											2026-02-16 14:48:00 +01:00
+								        }
-												fix(daemon): warn on token drift during restart (#18018)

When the gateway token in config differs from the token embedded in the
service plist/unit file, restart will not apply the new token. This can
cause silent auth failures after OAuth token switches.

Changes:
- Add checkTokenDrift() to service-audit.ts
- Call it in runServiceRestart() before restarting
- Warn user with suggestion to run 'openclaw gateway install --force'

Closes #18018

											
										
										
											2026-02-16 14:03:28 +01:00
+								      }
-												Gateway: add SecretRef support for gateway.auth.token with auth-mode guardrails (#35094)


											
										
										
											2026-03-05 12:53:56 -06:00
+								    } catch (err) {
 								      if (isGatewaySecretRefUnavailableError(err, "gateway.auth.token")) {
 								        const warning =
 								          "Unable to verify gateway token drift: gateway.auth.token SecretRef is configured but unavailable in this command path.";
 								        warnings.push(warning);
 								        if (!json) {
 								          defaultRuntime.log(`\n⚠️  ${warning}\n`);
 								        }
 								      }
-												fix(daemon): warn on token drift during restart (#18018)

When the gateway token in config differs from the token embedded in the
service plist/unit file, restart will not apply the new token. This can
cause silent auth failures after OAuth token switches.

Changes:
- Add checkTokenDrift() to service-audit.ts
- Call it in runServiceRestart() before restarting
- Warn user with suggestion to run 'openclaw gateway install --force'

Closes #18018

											
										
										
											2026-02-16 14:03:28 +01:00
+								    }
 								  }
-												refactor(daemon): share service lifecycle runner

											
										
										
											2026-02-14 14:00:34 +00:00
+								  try {
 								    await params.service.restart({ env: process.env, stdout });
-												fix: verify gateway restart health after daemon restart

											
										
										
											2026-02-21 18:02:05 +01:00
+								    if (params.postRestartCheck) {
 								      await params.postRestartCheck({ json, stdout, warnings, fail });
 								    }
-												refactor(daemon): share service lifecycle runner

											
										
										
											2026-02-14 14:00:34 +00:00
+								    let restarted = true;
 								    try {
 								      restarted = await params.service.isLoaded({ env: process.env });
 								    } catch {
 								      restarted = true;
 								    }
 								    emit({
 								      ok: true,
 								      result: "restarted",
 								      service: buildDaemonServiceSnapshot(params.service, restarted),
-												fix: include token drift warning in JSON response

Address review feedback - when --json mode is used, the drift warning
was completely suppressed. Now it's included in the warnings array
of the DaemonActionResponse so programmatic consumers can surface it.

											
										
										
											2026-02-16 14:48:00 +01:00
+								      warnings: warnings.length ? warnings : undefined,
-												refactor(daemon): share service lifecycle runner

											
										
										
											2026-02-14 14:00:34 +00:00
+								    });
 								    return true;
 								  } catch (err) {
 								    const hints = params.renderStartHints();
 								    fail(`${params.serviceNoun} restart failed: ${String(err)}`, hints);
 								    return false;
 								  }
 								}