OpenClaw gateways on a 24/7 macOS Mac mini occasionally freeze without crashing: Slack stops typing indicators, dashboards show “RPC probe: ok,” yet no assistant replies arrive for 90+ seconds. Operators often mislabel these incidents as model outages when the root cause is a read timeout waiting on bytes that never finish—or a half-open TLS session that stalled after a Wi-Fi blip. This runbook separates read stalls from HTTP 429 storms, sets reproducible curl -m baselines, and ties channel backpressure to gateway logs. Pair it with provider 429 handling when responses arrive but demand backoff, and with gateway doctor diagnostics for auth, bind, and port issues. When proxies sit in front of the gateway, also read reverse proxy hardening so idle timeouts align end-to-end.
You will get a decision matrix, numeric timeout starting points, macOS logging tips, and a FAQ aimed at platform engineers.
Signals you are debugging the wrong failure mode
If dashboards still show healthy RPC while users wait, you are likely stuck in application-layer reads, not process death. Another tell is partial JSON streaming: tokens appear for 300 ms then silence—upstream paused mid-chunk.
Finance-friendly counters: read-timeout count per hour, average stalled duration, abandoned conversations, and reopened tickets tagged “hung AI.” Without those four series you cannot prove a timeout change helped.
When incidents strike, freeze feature work: snapshot redacted tcpdump summaries and TLS session IDs, then roll back the last timeout change.
Document “break-glass” temporary timeout boosts with ticket IDs; otherwise teams silently raise ceilings during launches and wonder why Sunday bills spike.
Keep a single spreadsheet row per environment listing connect, first-byte, idle, and wall-clock caps so auditors can diff staging versus production in under five minutes during a bridge call.
Matrix: read timeout vs 429 vs DNS
| Symptom | Likely class | First probe |
|---|---|---|
| HTTP 429 with Retry-After | Rate limit | Follow provider backoff guide |
| No status line for > connect time | Read stall | curl -m stepped against upstream URL |
| Immediate NXDOMAIN | DNS | dig +trace from the gateway host |
Starting timeouts that survive audits
Initial client knobs: connect timeout 5 s, first-byte read timeout 45 s for chatty models, streaming chunk idle timeout 12 s, overall wall clock per user turn 180 s before returning a structured handoff link.
Cap retry attempts after a read timeout at 2 per user message unless the provider status page shows a declared incident.
When providers publish maintenance windows, pre-emptively lower concurrency by 20% starting 15 minutes before the window—prevents overlapping retries that amplify stalls.
Version timeout tables in Git; on-call should never guess which constants were live during an incident.
curl reproduction recipes
# Step through ceilings to find where upstream stalls
curl -sS -o /dev/null -w '%{http_code} %{time_connect} %{time_starttransfer}\n' \
-H "Authorization: Bearer $TOKEN" \
-m 10 https://api.example.com/v1/models
curl ... -m 30 ...
curl ... -m 60 ...Run the same sequence from the gateway host and from a bastion hop; divergent start-transfer times point to network path issues rather than OpenClaw itself.
Capture -w '%{remote_ip}' to ensure DNS pinned to the expected anycast POP during brownouts.
For streaming endpoints, add --no-buffer and tee output through pv so operators can see whether chunks pause because the server stopped emitting or because the local terminal backpressured the pipe. That distinction saves hours when debugging “nothing prints” reports from support.
When corporate proxies strip chunked encoding, curl may buffer until EOF—mirror the gateway’s exact HTTP library settings (HTTP/1.1 vs HTTP/2) so reproductions match production byte-for-byte.
macOS, launchd, and disk pressure
launchd inherits resilient defaults, but verbose debug logging can block writes when the root volume drops below 12% free—stalls masquerade as model hangs while the process waits on write().
Watch diskutil apfs listVolumeGroups snapshots during incidents: local Time Machine destinations on the same volume group can steal IOPS from the gateway log partition without triggering obvious CPU alerts.
TLS session resumption can mask intermittent read freezes: rotate diagnostic clients occasionally to force fresh handshakes when bisecting vendor issues.
If hardware procurement is slow, rent a cloud Mac mini to rehearse incidents: MacHTML Apple Silicon hosts commonly price near $16.9/day with SSH/VNC for live captures.
Combine read-timeout tuning with local fork limits—see the throttling guide for concurrency caps that prevent retry storms.
Channel UX during stalls
Slack and Teams users tolerate waits when copy explains why. Emit a templated message after 8 s without first token, another at 45 s, and a final handoff link at 120 s.
Avoid echoing raw stack traces into channels—they may contain internal hostnames.
When multilingual teams share one gateway, localize stall notices per workspace locale header.
Product analytics should split “no first token” from “stream stalled mid-answer.” The first points to connect or auth issues; the second almost always maps to read-idle timers or upstream chunk pauses. Mis-tagged funnels send engineers chasing OAuth when they should be diffing timeout tables.
If you expose a customer-facing status page, add a synthetic badge that flips yellow when synthetic probes exceed 2× baseline start-transfer time—even before user-visible error rates move—so comms can get ahead of Twitter threads.
Telemetry and SLOs
Export histograms of time_starttransfer from synthetic probes and compare to live gateway metrics—divergence beyond 25% suggests local policy drift.
Tag synthetic probes with a dedicated user-agent string so firewall teams can whitelist them without opening broad scrape windows. When probes succeed but live traffic fails, compare MTU and TCP window scaling between the probe subnet and the production VPC peer—mis-sized MSS still causes “mystery hangs” in 2026 just as it did a decade ago.
Security reviewers may ask whether longer read windows increase dwell time for attackers holding connections open; pair any timeout increase with lower max concurrent streams per tenant so risk stays bounded.
Alert when read-timeout rate exceeds 4× the seven-day baseline for more than 10 minutes; page network before touching model routing.
Retain structured audit logs for 90 days with correlation IDs tying user messages to provider request IDs.
Quarterly, manually review 35 longest waits; automated bucketing still mislabels regional brownouts as local bugs.
Annotate Grafana with Git merges touching timeout constants so spikes map to intentional changes.
Vendor coordination still matters: when status pages show “elevated latency” without hard failures, temporarily shorten streaming idle timeouts so users see explicit retry copy instead of infinite spinners—then restore prior values within 4 hours using the ticket-linked rollback checklist.
FAQ
Is a read timeout the same as 429?
No—429 includes a status line; read stalls lack terminal responses.
Should I raise timeouts first?
Only with a ticket, ceiling, and rollback timer.
Why rehearse on a physical Mac mini?
macOS TLS, launchd, and disk behavior differ from Linux CI.
Apple Silicon Mac mini hardware remains the most faithful rehearsal platform for OpenClaw timeout work: predictable thermals during long captures, native Keychain integration, and network stacks that match production gateways. MacHTML rents cloud Mac mini hosts with SSH/VNC so platform teams can validate read-timeout policies, doctor probes, and throttles without another CapEx cycle—provision for the drill, capture evidence, tear down when green.
Rehearse OpenClaw timeout diagnostics on a cloud Mac mini
Rent Apple Silicon capacity to reproduce read stalls, tune ceilings, and validate doctor plus throttle interactions on real macOS.