Summary
The CLI sidecar in OpenShift deployments fails to start with gateway timeout after 10000ms. The gateway closes the websocket connection (code=4008) before device auto-pairing completes — the same root cause as #119, but affecting the CLI channel rather than the browser.
The browser recovers because it retries and succeeds after the device is approved from the first (failed) attempt. The CLI sidecar does not appear to retry the same way, so it fails permanently.
Observed Behavior
[openclaw] Failed to start CLI: Error: gateway timeout after 10000ms
Gateway target: ws://127.0.0.1:18789
Source: local loopback
Config: /home/node/.openclaw/openclaw.json
Bind: loopback
Gateway logs show the CLI's local loopback connection closing before connect:
[ws] closed before connect conn=350ee0dc... peer=127.0.0.1:54530->127.0.0.1:18789 remote=127.0.0.1 code=1005 reason=n/a
Meanwhile the browser websocket retries and connects successfully ~3s later.
Relationship to #119
Issue #119 documented the same auto-pairing race for browser connections. The fix in b77a588 improved the installer's device approval logic (two-step list-then-approve-by-ID) but did not address the gateway's underlying behavior of closing websockets before auto-approval completes. The browser case was masked by retry behavior, but the CLI sidecar is still affected.
Root Cause
This is likely an upstream OpenClaw gateway issue: the gateway should either complete auto-approval before closing the websocket, or the CLI sidecar should have retry/backoff logic. The installer does not control either of these code paths.
If this isn't picked up upstream soon, we may need a temporary installer-side workaround (e.g., a wrapper script that retries the CLI connection, or a readiness gate).
Environment
This issue was filed by Claude Code under the supervision of Bill Murdock.
Summary
The CLI sidecar in OpenShift deployments fails to start with
gateway timeout after 10000ms. The gateway closes the websocket connection (code=4008) before device auto-pairing completes — the same root cause as #119, but affecting the CLI channel rather than the browser.The browser recovers because it retries and succeeds after the device is approved from the first (failed) attempt. The CLI sidecar does not appear to retry the same way, so it fails permanently.
Observed Behavior
Gateway logs show the CLI's local loopback connection closing before connect:
Meanwhile the browser websocket retries and connects successfully ~3s later.
Relationship to #119
Issue #119 documented the same auto-pairing race for browser connections. The fix in b77a588 improved the installer's device approval logic (two-step list-then-approve-by-ID) but did not address the gateway's underlying behavior of closing websockets before auto-approval completes. The browser case was masked by retry behavior, but the CLI sidecar is still affected.
Root Cause
This is likely an upstream OpenClaw gateway issue: the gateway should either complete auto-approval before closing the websocket, or the CLI sidecar should have retry/backoff logic. The installer does not control either of these code paths.
If this isn't picked up upstream soon, we may need a temporary installer-side workaround (e.g., a wrapper script that retries the CLI connection, or a readiness gate).
Environment
bmurdock-ak1-openclawbugfix/issue-71-tighten-openclaw-file-permissions(PR fix(security): tighten file permissions on config and state directory #126), but unrelated to permission changesThis issue was filed by Claude Code under the supervision of Bill Murdock.