Does restarting the gateway wipe conversations?

Depends on persistence settings—treat OPENCLAW_STATE_DIR as source of truth and never delete it during upgrades without tarball backup.

Should checkpoints live beside CI DerivedData?

No—keep assistant state on separate APFS volumes or directories to avoid janitor deletes.

AI / Automation May 8, 2026

2026-05-08 OpenClaw session state checkpoints & gateway restart recovery on a headless leased Apple Silicon cloud Mac (HK / JP / KR / SG / US)

MacXCode Engineering Team May 8, 2026 ~23 min read

Operators finally nailed health probes—then launchctl restarted the gateway during an npm upgrade and Slack lit up with “the bot forgot everything.” In reality the model did not forget; persistence boundaries moved because OPENCLAW_STATE_DIR was not snapshotted, or because a janitor deleted scratch beside CI artifacts. On leased Mac mini M4 hosts in Hong Kong, Tokyo, Seoul, Singapore, and the United States, the fix is procedural: treat session residue as data-plane state with the same seriousness as signing keys. This 2026-05-08 guide explains how checkpoint directories interact with launchd environments, how to rehearse recovery with synthetic traffic, and how to integrate signals from structured logging, KeepAlive triage, gateway upgrade & rollback, and the new file-transfer plugin policies so restarts become boring.

Why gateway restarts still blindside on-call

OpenClaw couples fast iteration with durable automation. When those layers collide—npm postinstall hooks mutating globals, engineers SSH’d into the same user as CI—the gateway process may restart cleanly yet reload different environment semantics. Without checkpoint discipline you lose not only chat transcripts but webhook dedupe caches and tool allowlists. Document expected persistence explicitly in the same README as your launchctl labels.

Golden rule: never run rm -rf on state directories during incidents—snapshot first, diff second.

Anatomy of OPENCLAW_STATE_DIR

Think in layers:

Session hints — conversational scaffolding your operators expect after reconnect.
Tool caches — bounded metadata that must survive short gateway pauses.
Webhook bookkeeping — dedupe keys that prevent double fulfillment.

Separately mount or ACL each layer when feasible so CI janitors cannot traverse upward into assistant state. Mirror separation guidance from parallel CI lanes when both workloads share a UID.

launchd: ThrottleInterval, exit codes, respawns

launchd may restart your gateway faster than humans notice—especially with aggressive KeepAlive policies. Pair this article with respawn triage: log exit codes, confirm ThrottleInterval prevents tight crash loops, and ensure StandardOutPath captures stderr splits. After plist edits, always run the curl readiness matrix from health probes before declaring victory.

Checkpoint playbook before maintenance windows

Freeze npm/Mint pins; export dependency trees.
Snapshot OPENCLAW_STATE_DIR with tar or APFS snapshots if available.
Notify webhook providers about potential duplicate deliveries during replay tests.
Restart gateway via launchctl kickstart—not ad-hoc kill -9.
Verify dedupe keys repopulate via synthetic inbound events.

Publish elapsed wall-clock minutes for each step so finance can compare leasing an extra witness node versus risking longer incident MTTR.

Failure modes matrix

Symptom	Likely cause	Mitigation
Duplicate customer emails post-restart	Dedupe cache cleared	Replay-safe webhook ids + external ledger
Tool denials after upgrade	Policy files not migrated	Version-control allowlists per plugin doc
Higher RSS after restart	Skills bundle loaded twice	Compare `npm ls` trees vs tarball backup

Plugins & file-transfer adjacency

The 2026-05-07 file-transfer plugin adds filesystem semantics that must survive restarts: if allowlists live only in ephemeral env vars, a restart silently narrows access. Persist policy files under state directories tracked by Git or sealed configs. Combine with chunking discipline so resumed sessions do not immediately spam giant fetches.

Security: session checkpoints may contain customer snippets—encrypt off-host backups when regulated data applies.

Structured logs & correlation IDs

Ensure every gateway emission includes session id, gateway generation counter, and restart nonce so Grafana can separate pre/post bounce windows. Tie logs to nginx edges per reverse proxy guidance when inbound traffic spikes during replay tests.

Eight-step recovery runbook

Detect restart via process start time vs heartbeat drift.
Compare tarball hash of state dir vs live directory.
Run synthetic CLI conversation against staging channel.
Replay webhook sample with idempotency tokens.
Validate plugin policies still deny unintended roots.
Roll forward npm pin if corruption suspected.
Document incident timeline with restart nonce.
Schedule retro on whether witness node would shorten MTTR.

SLO table

Signal	Threshold	Action
Session resume failures	> 0.5% of reconnects	Freeze deploys; audit plist env
Dedupe collisions	Any duplicate side effects	Replay ledger integrity check
Checkpoint tarball age	> 36h stale	Automate nightly snapshot job

FAQ

Question	Practical answer (2026-05-08)
ZFS/APFS snapshots supported?	If your lease permits—coordinate with provider; otherwise rely on tarball to object storage.
Should checkpoints sync across regions?	No—keep sessions regional; replicate configs, not live conversational caches.

Why Mac mini M4 fits stateful gateways

Unified memory and fast NVMe make checkpoint snapshots and tarball comparisons tractable during incidents—predictable hardware beats noisy neighbors when you must diff gigabyte-scale state trees under pressure. Budget discussions belong next to regional pricing; operator onboarding belongs in help docs plus optional VNC when GUI consent cannot be avoided.

Lease witness nodes before sessions become fate-shared

HK / JP / KR / SG / US · SSH / optional VNC

Compare regional nodes Read access guide