Codex review: needs maintainer review before merge.

What this changes:

The PR logs config health-state write failures in config I/O and observe-recovery helpers, adds async and sync regression tests for those failure paths, and adds a changelog entry.

Maintainer follow-up before merge:

This is an open maintainer-labeled implementation PR with a useful narrow code diff, but the remaining work is maintainer/author handling of PR metadata and exact-head CI rather than a safe autonomous repair lane.

Security review:

Security review cleared: The diff is limited to local config recovery logging, focused tests, and changelog text, with no dependency, workflow, permission, secret-handling, network, or code-execution changes.

Hi @sallyom and @jalehman,

I see that my core work from #70515 (audit extensions and EACCES tests) has been integrated here. Since those commits were already passing and validated in my original PR, I’m concerned that merging them into this broader scope of health-state logging is complicating the CI resolution.

I’m happy to help debug, but if the CI failures persist, it might be more efficient for the project to land the focused, verified fix from #70515 first. This would ensure the primary bug is resolved while we iterate on the additional logging layers separately.

Let me know the best way to support this.

I’ve just reviewed the CI logs for the checks-node-core failure here. It seems the integration of health-state logging is causing regressions that weren't present in my original PR #70515. As a maintainer, keeping the main branch stable is priority one. Since #70515 was already green and focused, I strongly suggest we land it now to fix the core bug. We can always follow up with @sallyom's additional logging once her CI is stabilized. Reopening #70515 is the fastest way to get back to a clean state.

@jalehman @steipete,

There is a significant issue with #75441 being labeled as 'superseding' my work. The claim that it "resolves the full issue #63423" is factually incorrect; that issue requires changes in src/pairing/ and src/infra/ which are untouched here.

By bundling my stable, verified fixes into a "full resolution" package that doesn't actually exist, this PR has introduced a structural regression. Specifically, it is currently failing CI because it attempts to import internal functions recently privatized in ad3e4db—functions my original fix does not depend on.

We are now in a situation where a green, verified baseline is being held hostage by a 'Red' PR that misrepresents its own scope. I have provided a standalone, passing branch (fix/config-restore-baseline) to restore stability immediately. I suggest landing the verified commits independently rather than waiting for a broken and over-scoped packaging to be reworked.

@sallyom A case study in how open-source contributions get lost — told entirely through public, verifiable facts.

The bug:
In openclaw, when a config backup restore fails (disk full, EACCES), the system logs "Config auto-restored from backup" and writes valid: true to the audit record. Users and audit tooling believe the config was repaired. It was not. A corrupted config persists silently.

What I did:
• Identified the root cause: a bare catch {} around copyFile in io.observe-recovery.ts (lines 659-662) that swallowed all errors unconditionally.
• Submitted PR #70515 with the fix, covering both async and sync recovery paths.
• Added two new audit fields: restoreErrorCode and restoreErrorMessage.
• Wrote regression tests with injected EACCES failures for both paths.
• Greptile's automated review: 5/5 confidence, "Safe to merge."
• Addressed every piece of review feedback (sync mirror test + log formatting) in a follow-up commit.
• CI was green. A maintainer (jalehman) self-assigned to the PR.

What happened next:
• Another contributor (sallyom) opened PR #75441, cherry-picking my commits, and labeling it "Includes and supersedes #70515."
• sallyom commented on my PR: "#75441 will resolve the full issue in one PR."
• An automated bot (clawsweeper) closed my PR as "duplicate/superseded."
• No human maintainer reviewed or approved this decision.

The factual problems with these claims:
• "Will resolve the full issue in one PR": The diff of #75441 only touches src/config/. Issue #63423 ("Empty catch blocks swallow errors silently") explicitly requires changes in src/pairing/ and src/infra/. These directories are untouched.
• "Fixes #63423" is used as a GitHub tag in the PR header. This is an auto-close tag — if merged, it would automatically close issue #63423 as resolved, even though the required files are not addressed. The project's bug tracking would be silently corrupted.
• "Supersedes #70515": The PR that claims to supersede mine has 5 failing CI checks and unresolved merge conflicts. The PR it replaced was green.
• The CI failures are caused by importing functions (observeConfigSnapshot, observeConfigSnapshotSync) that were recently moved to internal scope by a maintainer in commit ad3e4db. My original fix had no dependency on these functions.

What I did to try to resolve it:
• Offered to help debug the failing PR.
• Proposed landing the focused, verified fix first, then iterating on the broader scope separately.
• Created a standalone baseline branch (fix/config-restore-baseline, PR #75568) to give maintainers a clean path.
• Opened issue #75651 documenting the structural conflicts with evidence.

The response:
• PR #75568 was closed.
• Issue #75651 was closed as "not planned."
• The clawsweeper bot's own analysis on that issue confirmed every structural point I raised: "PR diff is config-only [...] with no src/pairing or src/infra changes" and "Current main keeps observe snapshot helpers internal."

The current state:
• The original bug is still on main.
• My verified, green fix sits in a closed PR.
• The PR that replaced it cannot merge.
• The bot that closed my work also produced the analysis that confirms the replacement doesn't do what it claims.

For context, this is not my first contribution to openclaw. PR #74453 (fix for voice-call webhook in-flight limiter) was merged.

I'm not posting this to call anyone out. Every commit, CI log, bot analysis, and comment is public. I'm posting it because this pattern — where a working contribution is absorbed into a larger, broken scope, the original is closed by automation, and the contributor loses all agency — is one of the invisible friction points that drives people away from open source.

The facts are the facts.

#OpenSource #SoftwareEngineering #CodeReview #DevCommunity

holding this as DRAFT PR until #70515 merges, will rebase off of that.

Merged #75441 via squash.\n\nPrepared head SHA: c49ed32\nMerge commit: 667371d