PR #63446: fix(gateway): short-circuit repeated device-required probes in probeGateway

• Repository: openclaw/openclaw
• Author: hclsys
• State: open | merged: False
• Link: https://github.com/openclaw/openclaw/pull/63446

Description (problem / solution / changelog)

Summary

When many short-lived processes probe the same unpaired gateway in a burst — e.g. openclaw status invoked by cron sessions, monitoring scripts, or any wrapper that re-spawns the CLI — each new process starts a fresh GatewayClient with no memory of prior rejections. Every probe opens a WebSocket, hits the DEVICE_IDENTITY_REQUIRED handshake rejection, and logs a handshake failed cause=device-required entry.

Reporter in #63427 observed 1127 rejections in 24h from 73 separate sessions on a single unpaired gateway.

Fixes #63427

Caller chain in production

openclaw status  (cli/daemon-cli/status.gather.ts:442)
  -> inspectGatewayRestart
     -> inspectGatewayPortHealth
        -> confirmGatewayReachable  (restart-health.ts:72)
           -> probeGateway          (gateway/probe.ts:43)

GatewayClient itself already has exponential backoff AND pauses reconnect on DEVICE_IDENTITY_REQUIRED, but each probe creates a fresh GatewayClient instance, so the backoff never accumulates across invocations. That's what makes this invisible to single-client logic.

Fix

Track recent device-required rejections per URL at module scope in src/gateway/probe.ts:

• DEVICE_REQUIRED_FAILURE_THRESHOLD = 3
• DEVICE_REQUIRED_TTL_MS = 5 * 60_000 (5 min window)

After 3 device-required rejections within the TTL window, subsequent probes for the same URL short-circuit with a synthetic rejected result (same code: 1008, reason: \"device identity required\", plus a hint explaining the short-circuit) without creating another WebSocket. Any successful probe clears the cache entry so a newly-paired gateway resumes normal probing immediately.

The cache layer sits inside probeGateway() itself, so every caller (restart-health.ts, lifecycle.ts, and any future callers) gets the same protection without duplicating the logic.

Why at this layer (not in confirmGatewayReachable)

An alternative would be to add \"device\" to the looksLikeAuthClose keyword list in restart-health.ts so device-required closes are treated as "reachable but unauthenticated". That fixes the semantic issue but does not reduce log noise — each probe still opens a WebSocket and still trips the server-side handshake failed log. The noise is the actual user pain in #63427, so the cache has to live at the probe boundary.

Tests

Added a describe(\"device-required short-circuit cache (#63427)\") block in src/gateway/probe.test.ts with 5 cases:

1. First 3 device-required probes hit the real GatewayClient mock (no premature short-circuit).
2. 4th probe short-circuits without constructing a client — asserted by gatewayClientState.options === null after reset.
3. Non-device-required closes (e.g. \"pairing required\") do NOT populate the cache even after 5 rejections — the 6th probe still hits the real client.
4. A successful probe clears the cache so the next rejection cycle starts fresh on the same URL.
5. Per-URL caches are independent — one unpaired gateway does not block probes to another.

Test helper __resetDeviceRequiredCacheForTests() is exported to reset the module-level cache between cases. It's namespaced with __ to mark it as internal / test-only.

Notes

• Credit to @djimit for the detailed RCA in the issue and follow-up comment; the updated RCA ("each cron session creates a fresh GatewayClient") is exactly right and drove this fix.
• Reporter's patched dist/probe-tkuAqDVF.js is the compiled output of src/gateway/probe.ts — this PR fixes it at source.
• The reporter's "bonus suggestion" of an unauthenticated /health HTTP endpoint is out of scope for this PR; the cache alone removes the log-noise pain without broadening the gateway attack surface.

Changed files

• src/gateway/probe.test.ts (modified, +113/-1)
• src/gateway/probe.ts (modified, +98/-0)