#23779: fix(config): auto-repair invalid config keys from backup on load

## Problem When `openclaw.json` contains invalid values (e.g. manually edited with typos like `gateway.bind = "localhot"`), `loadConfig()` falls back to an empty config `{}`, causing the gateway to start without any auth, channels, plugins, or other settings — effectively broken. ## Solution Add automatic config repair in `loadConfig()` with a layered fallback strategy: ### 1. Surgical Repair (preferred) - Extracts the **top-level keys** from Zod validation error paths (e.g. `gateway.port` → `gateway`) - Loads the nearest valid `.bak` backup file - Replaces **only the broken keys** with values from backup, preserving all other config - Writes the patched config back to disk - Log: `Config auto-repair: restored keys [gateway] from backup, other settings preserved` ### 2. Full Backup Restore (fallback) - If surgical repair fails, or the config is completely unreadable (bad JSON/missing env vars) - Restores the entire config from the nearest valid backup - Log: `Config auto-rollback: config unreadable, restored full backup` ### 3. Empty Config (last resort) - If no valid backup exists, preserves the original behavior of `return {}` ## Testing Verified on live gateway: 1. Injected `gateway.bind = "localhot"` (invalid value) via manual edit 2. Killed gateway, watchdog restarted it 3. Gateway log confirmed surgical repair: ``` Invalid config at /root/.openclaw/openclaw.json: - gateway.bind: Invalid input Config auto-repair: restored keys [gateway] from backup, other settings preserved ``` 4. Gateway started successfully with restored `gateway.bind = "lan"` 5. All other config (auth, channels, plugins) preserved intact ## Changes - `src/config/io.ts`: Added `issuePathToTopKey()`, `loadFirstValidBackupConfig()`, `tryRepairFromBackup()` helper functions within `createConfigIO()` - Modified `loadConfig()` catch block to attempt repair before falling back to empty config <!-- greptile_comment --> <h3>Greptile Summary</h3> Adds automatic config repair functionality to recover from invalid config values. When `openclaw.json` validation fails, the system now attempts surgical repair by restoring only broken top-level keys from the nearest valid backup, preserving all other settings. If surgical repair fails, it falls back to full backup restoration. This prevents the gateway from starting with an empty config `{}` when manual edits introduce typos or invalid values. **Key changes:** - Added `issuePathToTopKey()` to extract top-level config keys from Zod validation paths - Added `loadFirstValidBackupConfig()` to find and validate the first usable backup from the rotation - Added `tryRepairFromBackup()` to surgically patch broken keys while preserving valid config - Modified `loadConfig()` catch block to attempt repair before returning empty config - Handles both validation-level errors (invalid values) and parse-level errors (bad JSON) <h3>Confidence Score: 5/5</h3> - This PR is safe to merge with minimal risk - The implementation is well-structured with proper error handling, fallback strategies, and defensive coding practices. The surgical repair approach intelligently patches only broken keys while preserving valid config, and includes a full backup restore fallback. All edge cases are handled gracefully with try-catch blocks and null checks. The code follows the repository's style guidelines with clear comments and concise helper functions. - No files require special attention _{Last reviewed commit: 82a4e37} <!-- greptile_other_comments_section --> <!-- /greptile_comment -->