openclaw - ✅(Solved) Fix Gateway crashes on Windows: ACL verification unavailable + UTF-8 BOM in secrets.json (v2026.4.21) [1 pull requests, 1 participants]

GitHub stats
openclaw/openclaw#70640 · Fetched 2026-04-24 05:55:18
Comments: 0 · Participants: 1 · Timeline: 4 · Reactions: 1
Timeline (top): referenced ×2, closed ×1, cross-referenced ×1

Error Message

The new ACL verification code (in resolve module, e.g. resolve-EGCQfR12.js:123) throws an error when it cannot read effective ACL permissions on Windows: throw new Error('ACL verification unavailable...');

If secrets.json contains a UTF-8 BOM (bytes EF BB BF at the start), Node.js JSON.parse() fails with a syntax error.

Gateway crashes with ACL verification error

  1. Change ACL verification to warn+continue instead of throw when perms.source === 'unknown': logger.warn('ACL verification unavailable on this platform, skipping');

Fix Action

Workaround

  1. Patch the source code: In the resolve module (e.g. resolve-EGCQfR12.js), change the throw to a silent skip when perms.source === 'unknown'.
  2. Remove BOM from secrets.json: Rewrite the file as UTF-8 without BOM.

PR fix notes

PR #70662: fix #70640: graceful ACL fallback on Windows + strip UTF-8 BOM in secrets

Description (problem / solution / changelog)

Summary

Fixes #70640

Issue

OpenClaw v2026.4.21 crashes on Windows due to two issues:

  1. ACL verification throws when perms.source is "unknown" on Windows
  2. secrets.json with UTF-8 BOM cannot be parsed

Changes

  1. Windows ACL graceful degradation: Changed assertSecurePath() to log a warning and continue (instead of throwing) when perms.source === "unknown" on Windows. This prevents the gateway from crashing on Windows where ACL info is often unavailable.

  2. UTF-8 BOM stripping: Added .replace(/^\uFEFF/, "") when reading file provider payloads to strip UTF-8 BOM before JSON.parse(). This handles secrets.json files created by Windows editors that add BOM.

Fix Before vs After

| | Before | After |
|---|---|---|
| Windows ACL | throw new Error(...) → gateway crash | logger.warn(...) → graceful continue |
| BOM in secrets.json | JSON.parse fails with syntax error | BOM stripped before parse |

Testing

  • 3 new test cases added to resolve.test.ts:
    • UTF-8 BOM stripping in JSON mode
    • UTF-8 BOM stripping in singleValue mode
    • Windows ACL unknown source graceful handling

This PR was generated by the daily Issue→PR automation task.

Changed files

  • CHANGELOG.md (modified, +1/-0)
  • docs/cli/config.md (modified, +1/-0)
  • docs/gateway/configuration-reference.md (modified, +1/-0)
  • docs/help/testing.md (modified, +73/-73)
  • src/cli/config-cli.test.ts (modified, +2/-0)
  • src/cli/config-cli.ts (modified, +2/-1)
  • src/config/config.secrets-schema.test.ts (modified, +1/-0)
  • src/config/schema.base.generated.ts (modified, +3/-0)
  • src/config/types.secrets.ts (modified, +1/-0)
  • src/config/zod-schema.core.ts (modified, +1/-0)
  • src/secrets/configure.ts (modified, +8/-0)
  • src/secrets/resolve.test.ts (modified, +109/-0)
  • src/secrets/resolve.ts (modified, +2/-1)
  • src/security/windows-acl.test.ts (modified, +33/-3)
  • src/security/windows-acl.ts (modified, +25/-4)

Code Example

// Current behavior:
if (perms.source === 'unknown') {
  throw new Error('ACL verification unavailable...');
}

---

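// Suggested fix 1: warn and continue when the ACL source is unknown
if (perms.source === 'unknown') {
  logger.warn('ACL verification unavailable on this platform, skipping');
  // do NOT throw
}

---

// Suggested fix 2: strip a leading UTF-8 BOM (U+FEFF) before parsing
content = content.replace(/^\uFEFF/, '');
JSON.parse(content);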

Bug Description

OpenClaw v2026.4.21 added a security check for secrets.json file permissions (ACL) on startup. On Windows, this check fails and causes the gateway to crash.

Additionally, secrets.json files with UTF-8 BOM cannot be parsed.

Root Cause

Issue 1: ACL verification unavailable on Windows

The new ACL verification code (in resolve module, e.g. resolve-EGCQfR12.js:123) throws an error when it cannot read effective ACL permissions on Windows:

// Current behavior:
if (perms.source === 'unknown') {
  throw new Error('ACL verification unavailable...');
}

On Windows, ACL information is often not accessible via the Node.js API used, so perms.source returns 'unknown', and the gateway crashes immediately.

Issue 2: UTF-8 BOM in secrets.json

If secrets.json contains a UTF-8 BOM (bytes EF BB BF at the start), Node.js JSON.parse() fails with a syntax error.

Steps to Reproduce

  1. On Windows 11, install OpenClaw v2026.4.21 via npm install -g openclaw
  2. Ensure secrets.json exists (created by wizard or manually)
  3. Run openclaw gateway start or openclaw status
  4. Gateway crashes with ACL verification error

Expected Behavior

  • On Windows, when ACL verification is unavailable, the gateway should log a warning and continue (graceful degradation), not crash.
  • secrets.json parsing should strip UTF-8 BOM before calling JSON.parse().

Workaround

  1. Patch the source code: In the resolve module (e.g. resolve-EGCQfR12.js), change the throw to a silent skip when perms.source === 'unknown'.
  2. Remove BOM from secrets.json: Rewrite the file as UTF-8 without BOM.

Environment

  • OS: Windows 11 26200 x64
  • Node.js: v24.14.0
  • OpenClaw: v2026.4.21
  • Installation: global npm

Suggested Fix

  1. Change ACL verification to warn+continue instead of throw when perms.source === 'unknown':
if (perms.source === 'unknown') {
  logger.warn('ACL verification unavailable on this platform, skipping');
  // do NOT throw
}
  2. Strip BOM before parsing secrets.json:
content = content.replace(/^\uFEFF/, '');
JSON.parse(content);

Thanks!

extent analysis

TL;DR

The most likely fix is to modify the ACL verification code to log a warning and continue when permissions are unknown, and to strip the UTF-8 BOM from the secrets.json file before parsing.

Guidance

  • Modify the resolve-EGCQfR12.js file to change the throw statement to a warning log when perms.source === 'unknown', as shown in the suggested fix.
  • Remove the UTF-8 BOM from the secrets.json file by rewriting it as UTF-8 without BOM, or by using the provided code snippet to strip the BOM before parsing.
  • Verify that the gateway starts successfully after applying these changes.
  • Test the parsing of secrets.json files with and without UTF-8 BOM to ensure that the fix works as expected.

Example

if (perms.source === 'unknown') {
  logger.warn('ACL verification unavailable on this platform, skipping');
  // do NOT throw
}

content = content.replace(/^\uFEFF/, '');
JSON.parse(content);

Notes

The provided fix assumes that the logger object is available in the context of the resolve-EGCQfR12.js file. If this is not the case, additional modifications may be necessary to log the warning message.

Recommendation

Apply the workaround by modifying the ACL verification code and stripping the UTF-8 BOM from the secrets.json file, as this is a targeted fix that addresses the specific issues described in the bug report.
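
The two behaviours discussed on this page, as an added JavaScript example that is not OpenClaw's code: BOM stripping before JSON.parse, and the warn-and-continue branch for perms.source === 'unknown' written so that it is visibly a fail-open choice with an opt-in way to keep the throw. The function names, the strictAcl option and the perms.ok field are assumptions for illustration, and the sample payload is constructed.

```javascript
// Added example, not OpenClaw source. parseSecretsPayload, checkAclPolicy,
// strictAcl and perms.ok are hypothetical names; only perms.source === 'unknown'
// and the BOM-stripping regex come from the page.
const UTF8_BOM = Buffer.from([0xef, 0xbb, 0xbf]);

// Buffer#toString('utf8') keeps the BOM as U+FEFF, which is not JSON
// whitespace, so it must be removed before JSON.parse.
function parseSecretsPayload(bytes) {
  return JSON.parse(bytes.toString('utf8').replace(/^\uFEFF/, ''));
}

// 'unknown' means the ACL could not be read, not that it was read and found
// safe. Warn-and-continue is therefore fail-open; strictAcl restores the throw.
function checkAclPolicy(perms, { strictAcl = false, warn = () => {} } = {}) {
  if (perms.source === 'unknown') {
    if (strictAcl) {
      throw new Error('ACL verification unavailable and strictAcl is set');
    }
    warn('ACL verification unavailable on this platform, skipping');
    return 'unverified';
  }
  if (!perms.ok) throw new Error('secrets file permissions are too broad');
  return 'verified';
}

// Constructed sample: the same JSON with and without the EF BB BF prefix.
const plain = Buffer.from('{"apiKey":"example-value"}', 'utf8');
const withBom = Buffer.concat([UTF8_BOM, plain]);

function demo() {
  const warnings = [];
  let rawParseFailed = false;
  try {
    JSON.parse(withBom.toString('utf8'));
  } catch {
    rawParseFailed = true;
  }
  return {
    rawParseFailed,
    parsed: parseSecretsPayload(withBom),
    aclState: checkAclPolicy({ source: 'unknown' }, { warn: (m) => warnings.push(m) }),
    warnings,
  };
}

console.log(demo());
```

Returning 'unverified' rather than nothing lets the caller surface the skipped check in status output instead of leaving it only in a log line.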
