Token refresh rewrites openclaw.json causing repeated gateway restarts

[vmhq]

Summary

Each time the OAuth access token is refreshed, the plugin calls upsertPluginConfig() which rewrites ~/.openclaw/openclaw.json with the new accessToken and refreshToken. OpenClaw detects this config file change and triggers a full gateway restart (by design — the config watcher restarts on sensitive field changes).

This causes the gateway to restart multiple times per hour, which:

• Interrupts running cron jobs (they land in a "missed jobs after restart" queue and execute late)
• Creates a noisy restart loop visible in logs all day
• Breaks timed automation workflows that depend on stable scheduling

Observed behavior

Logs show a clear pattern repeating ~every 15–60 min:

config change detected; evaluating reload (plugins.entries.openclaw-membase.config.accessToken, plugins.entries.openclaw-membase.config.refreshToken)
config change requires gateway restart (plugins.entries.openclaw-membase.config.accessToken, plugins.entries.openclaw-membase.config.refreshToken)
membase: stopped
membase: connected (recall: true, capture: true)

Root cause

upsertPluginConfig() in src/commands/cli.ts writes the refreshed tokens directly into openclaw.json. Since accessToken and refreshToken are listed as sensitive fields that require gateway restart when changed, every token rotation restarts the entire gateway.

Proposed fix

Store the OAuth tokens in a separate file (e.g., ~/.openclaw/extensions/openclaw-membase/tokens.json) and only keep stable config values (apiUrl, clientId, tokenFile) in openclaw.json.

Changes needed:

1. src/config.ts: Add readTokenFile() and writeTokenFile() helpers; load tokens from the file at plugin load instead of from pluginConfig
2. src/index.ts: Call writeTokenFile() in the onTokenRefresh callback instead of upsertPluginConfig(); auto-migrate existing tokens on first boot
3. src/commands/cli.ts: Update login and logout to write/clear the token file; only persist apiUrl, clientId, and tokenFile path to openclaw.json
4. openclaw.plugin.json: Add tokenFile to the config schema
5. src/types.ts: Add tokenFile: string to MembasePluginConfig

This way, token refreshes only touch the private token file — which OpenClaw does not watch for config-triggered restarts — leaving the gateway stable.

Workaround applied locally

We implemented the patch described above locally on @membase/openclaw-membase@0.3.1. The gateway has been stable since applying it. Happy to share the diff if useful.

Environment

• openclaw-membase version: 0.3.1
• OpenClaw version: 2026.3.12
• OS: Ubuntu 24.04 LTS

[Seunghyun00Kim]

Thanks for the detailed report and the proposed fix — you diagnosed it correctly.

Both issues are now addressed and published in v0.3.2.

1. Gateway restart loop on token refresh (main fix)

Rotating OAuth tokens are no longer written into ~/.openclaw/openclaw.json. They are now stored in a separate file that OpenClaw does not watch for config-triggered restarts:

~/.openclaw/extensions/openclaw-membase/tokens.json

Changes:

• onTokenRefresh now writes only to the token file, not to openclaw.json
• login and logout also use the token file
• openclaw.json retains only stable fields: apiUrl, clientId, tokenFile
• Existing installs with accessToken/refreshToken in openclaw.json are migrated automatically on first boot — no manual steps needed

2. Heartbeat and metadata noise in memories (Processing...)

Auto-capture now filters out operational messages before they reach the ingest pipeline:

• Heartbeat control messages (heartbeat_ok, heartbeat ping, etc.)
• Untrusted metadata blocks injected by OpenClaw into conversation events

This prevents the repeated Processing... entries from accumulating in the Membase dashboard.

---

The fix matches the approach you described. Thanks again for sharing the diff — it helped confirm the root cause quickly.

---

To update:

openclaw plugins update openclaw-membase

If that doesn't work, reinstall manually:

openclaw plugins remove openclaw-membase
openclaw plugins install @membase/openclaw-membase

Then run openclaw membase login again — tokens will be migrated automatically.