Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

Yes — reproduces on 2026.5.10-beta.1 and 2026.5.10-beta.2

Summary

openclaw doctor (which runs inside openclaw update) regenerates the systemd user unit at ~/.config/systemd/user/openclaw-gateway.service on every upgrade, wholesale-replacing it with a template. A .bak of the prior content is preserved, but the live unit is silently overwritten — operators only discover the regeneration when symptoms appear post-restart.

Fields overwritten in our case:

• TimeoutStartSec (120 → 30)
• ExecStart node binary path (e.g., ~/.nvm/versions/node/v26.1.0/bin/node → /usr/bin/node)
• EnvironmentFile (e.g., ~/.openclaw/.env → -~/.openclaw/gateway.systemd.env, switching to a different file with optional-load - prefix)
• Inline Environment= keys (replaced with a fixed set listed in OPENCLAW_SERVICE_MANAGED_ENV_KEYS)
• Adds StartLimitBurst=5, StartLimitIntervalSec=60, RestartPreventExitStatus=78

For our install, the load-bearing impact was the TimeoutStartSec drop to 30s. We use an ExecStartPost script that needs ~60–90s (health-wait poll + post-restart housekeeping + reconnect buffer). With only 30s, systemd SIGTERMs the otherwise-healthy gateway every restart cycle. NRestarts climbed to 22 in ~12 minutes before manual systemctl --user stop intervention.

Steps to reproduce

1. Customize the systemd user unit (any field doctor doesn't expect, e.g., TimeoutStartSec=120):

   sed -i 's/^TimeoutStartSec=.*/TimeoutStartSec=120/' ~/.config/systemd/user/openclaw-gateway.service
   systemctl --user daemon-reload

2. Run any operation that invokes openclaw doctor (any openclaw update does):

   openclaw update --tag 2026.5.10-beta.2 --no-restart --yes

3. Inspect the unit afterward:

   grep TimeoutStartSec ~/.config/systemd/user/openclaw-gateway.service
   diff ~/.config/systemd/user/openclaw-gateway.service{,.bak}

Expected behavior

doctor should either:

• Leave the live unit alone and emit a recommended diff for the operator to review/apply, or
• Strictly merge — preserve any field the user has set that's not invalid (only replace fields that are missing or malformed)

Actual behavior

Live unit is wholesale replaced with a template. Pre-existing copy is preserved as openclaw-gateway.service.bak but no warning is emitted about which fields were replaced.

OpenClaw version

2026.5.10-beta.1 (regenerated unit caused the restart loop) 2026.5.10-beta.2 (same regeneration behavior observed)

Operating system

WSL2 Ubuntu (Linux 6.6.x-microsoft-standard-WSL2)

Install method

npm global, nvm-managed Node 26.1.0

Model

N/A — bug is in update path

Provider / routing chain

N/A

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Diff observed (pre-doctor .bak → post-doctor live):

< Description=OpenClaw Gateway (v2026.5.7)
> Description=OpenClaw Gateway (v2026.5.10-beta.1)
> StartLimitBurst=5
> StartLimitIntervalSec=60
< ExecStart=/home/<user>/.nvm/versions/node/v26.1.0/bin/node /home/<user>/.nvm/versions/node/v26.1.0/lib/node_modules/openclaw/dist/index.js gateway --port 18789
> ExecStart=/usr/bin/node /home/<user>/.nvm/versions/node/v26.1.0/lib/node_modules/openclaw/dist/index.js gateway --port 18789
> RestartPreventExitStatus=78
< TimeoutStartSec=120
> TimeoutStartSec=30
< EnvironmentFile=/home/<user>/.openclaw/.env
< Environment=WSL_HOST_IP=...
< Environment=LCM_LEAF_CHUNK_TOKENS=100000
< Environment=LCM_FRESH_TAIL_COUNT=64
> EnvironmentFile=-/home/<user>/.openclaw/gateway.systemd.env
> Environment=OPENCLAW_SERVICE_MANAGED_ENV_KEYS=<TOKEN_KEY_LIST>

Systemd journal during the resulting restart loop:

openclaw-gateway.service: start-post operation timed out. Terminating.
openclaw-gateway.service: Control process exited, code=killed, status=15/TERM

[gateway] ready was being reached at ~14–17s into startup; ExecStartPost work was getting cut off at the 30s ceiling and triggering the SIGTERM cascade.

Suggested fix

• Option A (preferred): Don't overwrite the live unit. Write the template to ~/.config/systemd/user/openclaw-gateway.service.suggested and emit a diff + recommended action.
• Option B: Strict merge — preserve any user-set field that's not invalid; only replace fields that are missing or malformed.
• Option C (smaller blast-radius mitigation if regeneration must persist): Ship the template with more generous timeouts (TimeoutStartSec=120, TimeoutStopSec=60) so the common ExecStartPost pattern works out of the box.

Adjacent observation

The doctor-written EnvironmentFile=-/home/<user>/.openclaw/gateway.systemd.env uses the - (optional) prefix. If the user had EnvironmentFile=/home/<user>/.openclaw/.env (required) and the new file doesn't exist or has different keys, the gateway starts without the expected env vars — channel auth, model API keys, etc. can silently fail.

Impact and severity

High when combined with an ExecStartPost script that exceeds the default 30s — produces a tight restart loop on an otherwise-healthy gateway. Also high when the EnvironmentFile swap causes secrets to silently drop out.

Additional information

Today's 2026.5.10-beta.1 upgrade hit this in production; the gateway entered a 22-restart loop until we restored TimeoutStartSec=120 manually and re-issued daemon-reload + start. We've since added a post-upgrade fixup step that re-applies the customizations after every openclaw update to mitigate, but the underlying regeneration behavior remains.