Summary

openclaw update fails to restart the gateway service after a successful binary update because openclaw doctor --non-interactive (run as step 2 of every update) materializes Zod .default() values into the config file, and the subsequent refreshGatewayServiceEnv → gateway install --force validation rejects those same keys as "Unrecognized." The service restart code never executes, leaving the gateway dead after every update.

Environment

• OpenClaw: 2026.3.28 (f9b1079)
• Node: v22.22.0
• macOS: 26.3 (25D125), Apple Silicon
• Install: npm global (/opt/homebrew/lib/node_modules/openclaw)
• Service: launchd LaunchAgent (ai.openclaw.gateway)
• Channel config: BlueBubbles with multi-account (accounts.default + accounts.chip)

Reproduction

1. Have a BlueBubbles channel config with accounts (multi-account setup)
2. Ensure enrichGroupParticipantsFromContacts is NOT explicitly in the config
3. Run: OPENCLAW_AUTO_UPDATE=1 openclaw update --yes --channel stable --json
4. Observe:
   • npm install succeeds (exit 0)
   • openclaw doctor --non-interactive succeeds (exit 0) — but overwrites openclaw.json, injecting enrichGroupParticipantsFromContacts: true at 3 locations
   • After JSON output completes:

     Config overwrite: /Users/.../.openclaw/openclaw.json (sha256 ... -> ..., backup=...)
     Error: Config validation failed: channels.bluebubbles.accounts.default: Unrecognized key: "enrichGroupParticipantsFromContacts"

The error comes from refreshGatewayServiceEnv (update-cli, ~line 949), which is caught and silently suppressed in --json mode. Steps 4–5 (bootout + bootstrap + restart script) never execute. The binary is replaced but the service is never restarted.

Root cause

Two code paths disagree on schema scope:

Doctor (runs as subprocess with full plugin initialization):

• readConfigFileSnapshot() → validateConfigObjectWithPlugins(raw, { applyDefaults: true })
• BlueBubbles plugin schema includes: enrichGroupParticipantsFromContacts: z.boolean().optional().default(true) (config-schema-B0e8FgTR.js:49)
• Zod .parse() injects the default value when the key is absent
• Doctor writes the inflated config back to disk

refreshGatewayServiceEnv (runs in-process without full plugin initialization):

• Validates the doctor-modified config against the core channel schema
• Core schema doesn't include BlueBubbles plugin-specific keys
• Rejects enrichGroupParticipantsFromContacts as "Unrecognized key"

Same binary, two different schema scopes. Doctor adds keys the validator doesn't know about.

Impact

Every openclaw update (manual or auto):

1. Replaces the binary on disk ✓
2. Runs doctor which injects defaults into config ✓
3. Fails validation → skips service restart ✗
4. Old gateway process eventually crashes (stale module references — hash-based filenames no longer exist)
5. launchd restarts with new binary → new binary hits same config validation error → crash loop
6. launchd classifies service as "inefficient" → permanently removes it from job table
7. Gateway stays dead until manual launchctl load or openclaw gateway install

This has caused repeated multi-hour outages. The auto-update state is never written to update-check.json (gateway dies before the await writeState() at line 1530 executes), so there's no record of the failures.

Suggested fixes

1. Don't materialize Zod defaults into persisted config: readConfigFileSnapshot() should return raw config (or strip keys matching schema defaults before doctor writes back)
2. refreshGatewayServiceEnv should validate with full plugin schemas: Use the same validateConfigObjectWithPlugins as doctor, not the core-only validator
3. Don't silently suppress refreshGatewayServiceEnv failures in --json mode: At minimum, include the error in the JSON output so auto-update callers can detect the failure

Workaround

Manually removing the injected keys from openclaw.json after each update allows the next startup to succeed, but doctor re-adds them on every subsequent update, making this unsustainable.

Related issues

• #22272 (doctor --fix identifies unrecognized keys but doesn't remove them)
• #29780 (runtime writes invalid keys into config, causing crash loop)
• #46955 (update reinstalls plugins and rewrites openclaw.json on every run)
• #35957 (config migration introduces keys rejected by new version)