From f930fcbd3f99d185df6ee67693552cf6c8f7030b Mon Sep 17 00:00:00 2001 From: daymade Date: Sun, 8 Mar 2026 19:33:23 +0800 Subject: [PATCH] Add regression test and CHANGELOG entry MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add test ensuring launchd path never returns "failed" status - Add CHANGELOG.md entry documenting the fix with issue/PR references - Reference ThrottleInterval evolution (#27650 → #29078 → current 1s) --- CHANGELOG.md | 1 + src/infra/process-respawn.test.ts | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fa1767156..b78de9fa2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -725,6 +725,7 @@ Docs: https://docs.openclaw.ai ### Fixes +- Gateway/macOS restart: remove self-issued `launchctl kickstart -k` from launchd supervised restart path to prevent race with launchd's async bootout state machine that permanently unloads the LaunchAgent. With `ThrottleInterval=1` (current default), `exit(0)` + `KeepAlive=true` restarts the service within ~1s without the race condition. (#39760) Landed from contributor PR #39763 by @daymade. Thanks @daymade. - Exec/system.run env sanitization: block dangerous override-only env pivots such as `GIT_SSH_COMMAND`, editor/pager hooks, and `GIT_CONFIG_` / `NPM_CONFIG_` override prefixes so allowlisted tools cannot smuggle helper command execution through subprocess environment overrides. Thanks @tdjackey and @SnailSploit for reporting. - Network/fetch guard redirect auth stripping: switch cross-origin redirect handling in `fetchWithSsrFGuard` from a narrow sensitive-header denylist to a safe-header allowlist so custom auth headers like `X-Api-Key` and `Private-Token` no longer leak on origin changes. Thanks @Rickidevs for reporting. - Security/Sandbox media reads: eliminate sandbox media TOCTOU symlink-retarget escapes by enforcing root-scoped boundary-safe reads at attachment/image load time and consolidating shared safe-read helpers across sandbox media callsites. This ships in the next npm release. Thanks @tdjackey for reporting. diff --git a/src/infra/process-respawn.test.ts b/src/infra/process-respawn.test.ts index c2d2d3afd..62091423a 100644 --- a/src/infra/process-respawn.test.ts +++ b/src/infra/process-respawn.test.ts @@ -80,6 +80,22 @@ describe("restartGatewayProcessWithFreshPid", () => { expectLaunchdSupervisedWithoutKickstart({ launchJobLabel: "ai.openclaw.gateway" }); }); + it("launchd supervisor never returns failed regardless of triggerOpenClawRestart outcome", () => { + clearSupervisorHints(); + setPlatform("darwin"); + process.env.OPENCLAW_LAUNCHD_LABEL = "ai.openclaw.gateway"; + // Even if triggerOpenClawRestart *would* fail, launchd path must not call it. + triggerOpenClawRestartMock.mockReturnValue({ + ok: false, + method: "launchctl", + detail: "Bootstrap failed: 5: Input/output error", + }); + const result = restartGatewayProcessWithFreshPid(); + expect(result.mode).toBe("supervised"); + expect(result.mode).not.toBe("failed"); + expect(triggerOpenClawRestartMock).not.toHaveBeenCalled(); + }); + it("does not schedule kickstart on non-darwin platforms", () => { setPlatform("linux"); process.env.INVOCATION_ID = "abc123";