openclaw 2026.4.21 auto-upgrade destroys user config

Summary

When openclaw auto-upgraded from 2026.4.14 to 2026.4.21, the npm i -g openclaw@latest step pruned @larksuiteoapi/node-sdk (a transitive dep used by the bundled feishu extension). On next gateway startup, loading ~/.openclaw/openclaw.json triggered the feishu extension's require('@larksuiteoapi/node-sdk'), which threw. openclaw treated the whole config as unreadable and wrote a default config (just channels, wizard, meta — 332 bytes) over the user's real ~40 KB file, destroying 15 of 18 top-level keys (env, browser, auth, acp, models, agents, tools, bindings, messages, commands, session, hooks, gateway, skills, plugins).

This happened 3 times within ~12 minutes as the gateway and the post-upgrade openclaw doctor both re-triggered the same write path.

Timeline (local time, 2026-04-22)

Root cause (two layers)

1. Missing dep after upgrade. @larksuiteoapi/node-sdk is relied on by the bundled feishu extension at dist/extensions/feishu/client-*.js but is not preserved across npm i -g openclaw@latest. The restart-sentinel npm log shows: added 16 packages, removed 464 packages, and changed 439 packages in 15s.
2. Recovery strategy writes on read failure. When config load fails, the gateway writes a default config over the user's file instead of refusing to start. A read error should never produce a destructive write. The auto-saved .clobbered.<ts> snapshots prove openclaw itself is aware the action is destructive — but it does it anyway.

Evidence in this bundle

• clobbered-1-during-upgrade.json — the 332-byte file openclaw wrote over the user's config during the upgrade.
• clobbered-2-post-upgrade.json — the 461-byte second clobber (gateway token redacted).
• clobbered-3-post-doctor.json — the 332-byte third clobber from the auto-doctor run.
• gateway-err-log-pattern.txt — the repeating error that filled the log.
• restart-sentinel-redacted.txt — the upgrade sentinel content including the npm log.

The user's actual openclaw.json is NOT included (even in schema form) because its key structure would still leak setup fingerprints. The list of top-level keys lost is enumerated above; the maintainer can reproduce by setting up any config that has those keys and triggering an upgrade that prunes @larksuiteoapi/node-sdk.

Workaround

npm i -g @larksuiteoapi/node-sdk
launchctl kickstart -k gui/$(id -u)/ai.openclaw.gateway

After this, config loads cleanly and the gateway writes back a correct ~40 KB file with all 18 top-level keys intact. No further clobbers observed.

Suggested fixes

1. Declare @larksuiteoapi/node-sdk (and any other extension deps) as hard deps of the openclaw npm package so npm i -g preserves them.
2. On config read failure, exit with error instead of writing. The .clobbered.<ts> backup mechanism is good, but the right action is to refuse to start and direct the user to the backup, not to overwrite with defaults.
3. Consider making extension loading lazy — a failing feishu extension should not prevent the gateway from loading the rest of the config.

Attachments (inlined)

clobbered-1-during-upgrade.json (332 B, written during upgrade)

{
  "channels": {
    "whatsapp": {
      "enabled": true
    }
  },
  "wizard": {
    "lastRunAt": "2026-04-22T15:24:41.310Z",
    "lastRunVersion": "2026.4.21",
    "lastRunCommand": "doctor",
    "lastRunMode": "local"
  },
  "meta": {
    "lastTouchedVersion": "2026.4.21",
    "lastTouchedAt": "2026-04-22T15:24:41.453Z"
  }
}

clobbered-2-post-upgrade.json (461 B original → 422 B with gateway token redacted)

{
  "channels": {
    "whatsapp": {
      "enabled": true
    }
  },
  "wizard": {
    "lastRunAt": "2026-04-22T15:30:50.762Z",
    "lastRunVersion": "2026.4.21",
    "lastRunCommand": "doctor",
    "lastRunMode": "local"
  },
  "meta": {
    "lastTouchedVersion": "2026.4.21",
    "lastTouchedAt": "2026-04-22T15:30:50.843Z"
  },
  "gateway": {
    "auth": {
      "mode": "token",
      "token": "<REDACTED>"
    }
  }
}

clobbered-3-post-doctor.json (332 B, written by post-upgrade auto-doctor)

{
  "channels": {
    "whatsapp": {
      "enabled": true
    }
  },
  "wizard": {
    "lastRunAt": "2026-04-22T15:36:03.398Z",
    "lastRunVersion": "2026.4.21",
    "lastRunCommand": "doctor",
    "lastRunMode": "local"
  },
  "meta": {
    "lastTouchedVersion": "2026.4.21",
    "lastTouchedAt": "2026-04-22T15:36:03.516Z"
  }
}

gateway-err-log-pattern.txt

The following entry repeated continuously in ~/.openclaw/logs/gateway.err.log,
growing it to ~53 MB before manual recovery:

Config invalid
File: ~/.openclaw/openclaw.json
Problem:
  - <root>: read failed: Error: Cannot find module '@larksuiteoapi/node-sdk'
Require stack:
- /opt/homebrew/lib/node_modules/openclaw/dist/extensions/feishu/client-<HASH>.js

Run: openclaw doctor --fix

restart-sentinel-redacted.txt

Contents of ~/.openclaw/restart-sentinel.json at time of bug
(file is consumed/deleted by gateway on next start; captured before deletion)

Sensitive fields (sessionKey, delivery target, user-specific Telegram ID) have
been redacted. The NPM log in `stats.steps[0].log.stdoutTail` is the smoking gun.

{
  "version": 1,
  "payload": {
    "kind": "update",
    "status": "ok",
    "ts": 1776869458102,
    "sessionKey": "agent:main:telegram:direct:<REDACTED_TG_USER_ID>",
    "deliveryContext": {
      "channel": "telegram",
      "to": "telegram:<REDACTED_TG_USER_ID>",
      "accountId": "main"
    },
    "message": "OpenClaw 已从 2026.4.14 升级到最新版 ✅ 重启完成，一切正常！",
    "doctorHint": "Run: openclaw doctor --non-interactive",
    "stats": {
      "mode": "npm",
      "root": "/opt/homebrew/lib/node_modules/openclaw",
      "before": { "version": "2026.4.14" },
      "after":  { "version": "2026.4.21" },
      "steps": [
        {
          "name": "global update",
          "command": "/opt/homebrew/bin/npm i -g openclaw@latest --no-fund --no-audit --loglevel=error",
          "cwd": "/opt/homebrew/lib/node_modules/openclaw",
          "durationMs": 14711,
          "log": {
            "stdoutTail": "\nadded 16 packages, removed 464 packages, and changed 439 packages in 15s",
            "stderrTail": null,
            "exitCode": 0
          }
        }
      ],
      "reason": null,
      "durationMs": 14954
    }
  }
}