Brokered Azure lease allocation can time out before a late lease becomes ready

[brokemac79]

Summary

Brokered Azure Linux lease allocation can time out after the CLI/coordinator wait window with no lease was returned, even though a lease from the same Azure path can later appear as active/ready and be usable via crabbox run --id.

This makes OpenClaw's Azure-backed Crabbox default unreliable for proof runs: the user-facing command fails as unavailable, while the underlying Azure VM may still be provisioning or may become usable too late for the caller.

Environment

• Date observed: 2026-06-05
• Client OS/shell: Windows, PowerShell
• Crabbox CLI: 0.26.0
• Broker: https://crabbox.openclaw.ai
• Auth: GitHub broker auth for org openclaw
• Repository/worktree: C:\oc-work\oc-87735
• Repo config: OpenClaw .crabbox.yaml
• Default OpenClaw provider in that repo: azure
• Azure config in repo: location: eastus2
• Tested provider/type: azure, Standard_D4ads_v6, market=on-demand, target=linux
• Local rsync: installed and runnable (C:\Users\marti\.local\bin\rsync.cmd, rsync 3.4.2)

crabbox doctor --provider azure reached the broker/provider and reported provider=azure coordinator_secrets=ready. The only local doctor failure was the existing Windows config permission warning:

failed  config   C:\Users\marti\AppData\Roaming\crabbox\config.yaml: permissions 0666 want 0600
ok      broker   auth=github owner=martin_cleary@yahoo.co.uk org=openclaw default_type=Standard_D32ads_v6
ok      provider provider=azure coordinator_secrets=ready

Reproduction

From C:\oc-work\oc-87735:

pnpm crabbox:run -- --type Standard_D4ads_v6 --market on-demand --idle-timeout 10m --ttl 20m --timing-json --no-sync --no-hydrate --stop-after always --shell -- "echo CRABBOX_AZURE_SMOKE_OK; uname -srm; whoami; pwd"

This is intentionally a tiny no-sync/no-hydrate command so the result isolates lease allocation/SSH readiness rather than repo sync or test setup.

Observed Behavior

The command waited for a coordinator lease for the full 10-minute acquire window, then failed:

[crabbox] bin=..\..\Users\marti\.local\bin\crabbox.exe version=0.26.0 provider=azure providers=...
recording run run_87a63bdd35c2
coordinator lease class=standard preferred_type=Standard_D4ads_v6 keep=false slug=amber-barnacle idle_timeout=10m0s ttl=20m0s
waiting for coordinator lease provider=azure slug=amber-barnacle elapsed=30s timeout=10m0s
...
waiting for coordinator lease provider=azure slug=amber-barnacle elapsed=9m30s timeout=10m0s
timed out waiting for coordinator lease after 10m0s provider=azure target=linux type=Standard_D4ads_v6 slug=amber-barnacle lease=cbx_ddea6cab6b52; no lease was returned; next_action=check coordinator/cloud logs and retry, then run `crabbox stop --provider azure --target linux --id cbx_ddea6cab6b52` if a late lease appears

Immediately after the timeout, the hinted late lease id was not visible to the user:

crabbox status --provider azure --id cbx_ddea6cab6b52
coordinator GET /v1/leases/cbx_ddea6cab6b52: http 404: {"error":"not_found"}

In the same troubleshooting session, a separate Azure attempt from another chat showed the more worrying late-lease behavior directly: the command timed out after 10 minutes, but the reported late lease later appeared in the user-visible lease list as active/ready:

crabbox-harbor-crab-78988ccd active Standard_D4ads_v6 20.101.44.161 lease=cbx_2513f241d618 slug=harbor-crab keep=false target=linux

Status/inspect showed it was ready:

cbx_2513f241d618 slug=harbor-crab provider=azure target=linux state=active type=Standard_D4ads_v6 host=20.101.44.161 ready=true has_host=true idle_timeout=1h30m0s

A no-sync attach command against that late/ready Azure lease succeeded:

pnpm crabbox:run -- --provider azure --id cbx_2513f241d618 --no-sync --no-hydrate --timing-json --stop-after never --shell -- "echo CRABBOX_AZURE_REUSE_OK; uname -srm; whoami; pwd"

Output:

CRABBOX_AZURE_REUSE_OK
Linux 7.0.0-1004-azure x86_64
crabbox
/work/crabbox/cbx_2513f241d618/oc-87735

Timing summary:

{"provider":"azure","leaseId":"cbx_2513f241d618","slug":"harbor-crab","syncMs":0,"syncSkipped":true,"commandMs":1845,"totalMs":2353,"exitCode":0,"runId":"run_c85ec4db1c50","machineType":"Standard_D4ads_v6"}

Additional Cleanup Evidence

After filing this issue, the portal showed both late Azure leases as active:

• cbx_2513f241d618 / harbor-crab
• cbx_ddea6cab6b52 / amber-barnacle

harbor-crab released successfully:

crabbox stop --provider azure --target linux --id cbx_2513f241d618
released lease=cbx_2513f241d618 server=crabbox-harbor-crab-78988ccd

amber-barnacle is more concerning. It is visible as active/ready even though keep=false, idle_timeout=10m0s, and expiresAt is already in the past:

cbx_ddea6cab6b52 slug=amber-barnacle provider=azure target=linux state=active type=Standard_D4ads_v6 host=52.157.75.123 ready=true has_host=true idle_for=28m2s idle_timeout=10m0s expires=2026-06-05T18:37:13.214Z

A manual release attempt with a long local timeout failed at the broker release endpoint:

crabbox stop --provider azure --target linux --id cbx_ddea6cab6b52
Post "https://crabbox.openclaw.ai/v1/leases/cbx_ddea6cab6b52/release": context deadline exceeded

A follow-up list/status/inspect still showed it active/ready. So this issue covers both late lease visibility and a cleanup/release timeout for at least one late Azure lease.

Expected Behavior

One of these should happen:

1. Azure allocation returns the lease once the VM becomes SSH-ready, within the configured wait window for normal OpenClaw proof runs.
2. If Azure provisioning is legitimately slow, the CLI/coordinator reports a precise capacity/provisioning-delay state instead of a generic acquire timeout.
3. If a lease is still provisioning after the caller times out, late lease cleanup/status is reliable: the hinted lease id should be visible, inspectable, and stoppable once it exists.
4. The CLI should not leave the operator in a state where the proof run fails but a paid Azure lease later becomes active outside the failed run's control path.

Why This Looks Reportable

This does not appear to be a local user-auth problem:

• Broker auth is configured and works for the openclaw org.
• crabbox doctor --provider azure reaches the broker/provider and reports Azure coordinator secrets ready.
• An already-ready Azure lease can be attached to and used successfully.
• AWS brokered leases are usable from the same machine/session.

This also does not appear to be repo sync/test setup, because the failing repro uses --no-sync --no-hydrate and only tries to run echo, uname, whoami, and pwd.

Related PR history suggests small Azure Linux brokered warmups have previously completed well inside 10 minutes:

• feat(azure): support linux and native windows leases #39 reported brokered Azure Linux Standard_D2ads_v6 warmup around 2m25s.
• fix(azure): default to checkpointable OS disks #111 reported brokered Azure Standard_D2ads_v6 warmup around 1m55s.

The current symptom is therefore either a real Azure capacity/provisioning latency issue that needs better surfacing, or a coordinator/CLI late-lease lifecycle bug.

above screenshot from the UI, which i could see the boxes available afterwards

Acceptance Criteria

• A fresh brokered Azure no-sync smoke either succeeds or returns a clear, actionable capacity/provisioning status.
• Late Azure leases created by timed-out attempts are consistently visible to status/inspect/list once they exist.
• Timed-out attempts do not leave untracked active Azure leases, or the CLI provides a reliable cleanup command that works after late provisioning completes.
• If the right fix is a longer/default Azure acquire timeout for Standard_D4ads_v6/managed OS disk paths, document that expectation in the provider docs and OpenClaw .crabbox.yaml guidance.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 5, 2026, 3:14 PM ET / 19:14 UTC.

Summary
This should stay open: current main still has the reported brokered Azure timeout shape, and the only post-release main change is CHANGELOG.md, so there is no implementation evidence that the late-lease visibility/cleanup problem has been fixed.

Reproducibility: no. high-confidence live reproduction was run in this read-only review. Source inspection shows a credible path: the CLI can time out after 10 minutes while the Worker stores the lease only after Azure provisioning returns, and the issue body includes same-day Azure evidence of late ready leases.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.
• Include redacted logs or terminal output.

Next step
A focused fix is plausible, but maintainer review should choose the pending-lease lifecycle contract and require live or high-fidelity Azure validation.

Review details

Best possible solution:

Define a coordinator lifecycle where requested/in-progress brokered Azure leases are visible and cleanable through provisioning completion or failure, with Azure-specific late-resource cleanup kept in the Azure provider adapter.

Do we have a high-confidence way to reproduce the issue?

No high-confidence live reproduction was run in this read-only review. Source inspection shows a credible path: the CLI can time out after 10 minutes while the Worker stores the lease only after Azure provisioning returns, and the issue body includes same-day Azure evidence of late ready leases.

Is this the best way to solve the issue?

Unclear until maintainers choose the exact pending/failed lease contract. The narrowest maintainable direction is not a docs-only timeout increase, but a coordinator lifecycle fix that preserves observability and cleanup for late Azure resources.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• The exact live Azure timing behavior was not reproduced in this read-only pass; source inspection supports the lifecycle gap, but cloud timing and cleanup behavior still need maintainer validation.
• The local checkout history is grafted at v0.26.0, so owner routing uses current blame plus the provided merged PR metadata.

Codex review notes: model gpt-5.5, reasoning high; reviewed against c6fef7c90b41.

Label changes

Label changes:

• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.
• add clawsweeper:needs-product-decision: Current issue advisory state selects this label.

Label justifications:

• P2: The reported behavior can leave a paid Azure lease active after a failed proof run, but the blast radius is limited to brokered Azure allocation.
• impact:other: The concrete impact is cloud lease lifecycle reliability and cleanup rather than one of the more specific owned impact categories.

Evidence reviewed

Acceptance criteria:

• npm test --prefix worker -- azure.test.ts fleet.test.ts
• go test ./internal/cli ./internal/providers/azure
• Maintainer-run brokered Azure no-sync smoke covering timeout, late status/inspect/list visibility, and stop/release cleanup

What I checked:

• Repository policy applied: AGENTS.md was read fully; its provider-boundary guidance applies because the fix should keep Azure-specific reconciliation and cleanup behind the provider adapter while preserving provider-neutral coordinator flow. (AGENTS.md:1, c6fef7c90b41)
• Coordinator persists lease only after provisioning returns: createLease builds a LeaseRecord before provisioning, but calls provider.createServerWithFallback first and only stores the user-visible lease with putLease after that call succeeds. (worker/src/fleet.ts:1136, c6fef7c90b41)
• CLI has the reported Azure Linux wait-window timeout: The coordinator lease backend uses a 10-minute timeout for Azure Linux and emits the same late-lease cleanup hint when no lease is returned. (internal/cli/provider_coordinator.go:134, c6fef7c90b41)
• Azure cleanup is partial provider-side mitigation: Azure VM create timeouts enqueue deferred cleanup and request deletes, but this does not make the original lease visible or inspectable while provisioning is late. (worker/src/azure.ts:622, c6fef7c90b41)
• Current main does not change the affected implementation after v0.26.0: The diff from the latest release commit to current main is only CHANGELOG.md, so the issue observed on 0.26.0 is not fixed by current main code changes. (CHANGELOG.md:1, c6fef7c90b41)
• Related Azure feature provenance: The provided related context identifies feat(azure): support linux and native windows leases #39 as the merged PR that introduced brokered Azure leases and cleanup paths, and fix(azure): default to checkpointable OS disks #111 as a merged Azure OS-disk follow-up. (00725544c767)

Likely related people:

• jwmoss: The provided related PR context identifies this contributor as author of the merged Azure provider PR that added brokered Azure leases, status/list flows, and cleanup behavior, plus the later Azure OS-disk follow-up. (role: introduced Azure provider behavior; confidence: high; commits: 00725544c767, 7823b10a2166; files: worker/src/azure.ts, worker/src/fleet.ts, worker/test/azure.test.ts)
• Peter Steinberger: Current checkout blame for the coordinator lease and Azure lifecycle lines points to the v0.26.0 release commit authored by this person, though the grafted history limits finer local provenance. (role: recent release/history owner; confidence: medium; commits: 5bcee65667b8; files: worker/src/fleet.ts, worker/src/azure.ts, internal/cli/provider_coordinator.go)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[brokemac79]

@clawsweeper review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27034790119
• Updated: 2026-06-05T19:14:39.722Z

[steipete]

Fixed and verified on main.

Landed fixes:

• e7be027 fix(worker): fail closed on invalid SSH CIDRs (fix(worker): fail closed on invalid SSH CIDRs #223) is unrelated context only.
• 7baeea1 fix(azure): reconcile brokered lease lifecycle
• ddeacd6 fix(azure): sweep orphan VMs across legacy regions
• 55cf643 fix(worker): preserve provisioning release state

Live Azure E2E proof:

• Built repo CLI from main, then ran a brokered Azure no-sync smoke with explicit small on-demand VM:
  ./bin/crabbox run --provider azure --type Standard_D4ads_v6 --market on-demand --idle-timeout 10m --ttl 20m --no-sync --no-hydrate --stop-after always --timing-json --shell -- 'set -eu; echo CRABBOX_AZURE_215_SMOKE_OK; uname -srm; whoami; pwd'
• Run: run_8a0544ceb0e3
• Lease: cbx_5fd0e4667bca, slug tidal-lobster
• While provider creation was still pending, direct status returned the lease as state=provisioning with no host/cloud resource yet, proving the in-flight lease is now visible instead of hidden.
• Azure became ready after the slow allocation window, routed eastus to eastus2 after capacity fallback, and ran successfully over SSH:
  CRABBOX_AZURE_215_SMOKE_OK
  Linux 7.0.0-1004-azure x86_64
  crabbox
  /work/crabbox/cbx_5fd0e4667bca/crabbox
• Final timing JSON reported exitCode=0 and leaseStopped=true.
• Post-stop cleanup proof: status by slug returned 404 and Azure list was empty for tidal-lobster/cbx_5fd0e4667bca.

Regression hardening added after autoreview found a stale-write race:

• Re-read lease state after provider create and before final active write.
• Preserve released/failed terminal state when provisioning finishes late.
• Delete late-created resources only when the release intent requires deletion.
• Preserve no-delete release intent and allow later explicit deletion.
• Keep cleanup retry metadata for terminal leases when provider deletion fails.

Local verification:

• npm test --prefix worker: 14 files, 336 tests passed
• npm run lint --prefix worker: 0 warnings, 0 errors
• npm run check --prefix worker: passed
• npm run format:check --prefix worker: passed
• go test ./...: passed
• autoreview: clean, no accepted/actionable findings reported

CI proof for 55cf643:

• Release Check: success
• Docs: success
• Worker: success
• Scripts: success
• Go: success
• CodeQL Analyze actions/go/javascript-typescript/python: success