fix(agents): serialize new-session resolution per session key

openperf · openperf · commit 3b1a3b264368 · 2026-05-29T21:58:58.000+08:00
Concurrent commands for the same session key minted separate sessionIds because resolveSession ran before the per-session execution lane, so a second OpenAI-compatible request that arrived mid-turn forked an isolated, memory-less session. Reserve the brand-new-session path per session key so concurrent commands adopt one sessionId. Fixes #84575
diff --git a/src/agents/agent-command.ts b/src/agents/agent-command.ts
@@ -70,7 +70,7 @@ import {
   resolveInternalEventTranscriptBody,
 } from "./command/attempt-execution.shared.js";
 import { resolveAgentRunContext } from "./command/run-context.js";
-import { resolveSession } from "./command/session.js";
+import { resolveSessionWithReservation } from "./command/session-resolution-reservation.js";
 import type { AgentCommandIngressOpts, AgentCommandOpts } from "./command/types.js";
 import { DEFAULT_MODEL, DEFAULT_PROVIDER } from "./defaults.js";
 import { classifyEmbeddedAgentRunResultForModelFallback } from "./embedded-agent-runner/result-fallback-classifier.js";
@@ -449,13 +449,14 @@ async function prepareAgentCommandExecution(opts: AgentCommandOpts, runtime: Run
     overrideSeconds: timeoutSecondsRaw,
   });
 
-  const sessionResolution = resolveSession({
+  const sessionResolution = await resolveSessionWithReservation({
     cfg,
     to: opts.to,
     sessionId: opts.sessionId,
     sessionKey: explicitSessionKey,
     agentId: agentIdOverride,
     clone: false,
+    suppressVisibleSessionEffects: opts.sessionEffects === "internal",
   });
 
   const { sessionId, sessionKey, storePath, isNewSession, persistedThinking, persistedVerbose } =
diff --git a/src/agents/command/session-resolution-reservation.test.ts b/src/agents/command/session-resolution-reservation.test.ts
@@ -0,0 +1,92 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { afterEach, describe, expect, it } from "vitest";
+import { clearSessionStoreCaches } from "../../config/sessions/store-cache.js";
+import { loadSessionStore } from "../../config/sessions/store.js";
+import type { OpenClawConfig } from "../../config/types.openclaw.js";
+import { resolveSessionWithReservation } from "./session-resolution-reservation.js";
+import { resolveSession } from "./session.js";
+
+async function withTempStore<T>(
+  run: (params: { cfg: OpenClawConfig; storePath: string }) => Promise<T>,
+): Promise<T> {
+  const dir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-session-reservation-"));
+  const storePath = path.join(dir, "sessions.json");
+  const cfg = { session: { store: storePath, mainKey: "main" } } as OpenClawConfig;
+  try {
+    return await run({ cfg, storePath });
+  } finally {
+    clearSessionStoreCaches();
+    await fs.rm(dir, { recursive: true, force: true });
+  }
+}
+
+afterEach(() => {
+  clearSessionStoreCaches();
+});
+
+describe("resolveSessionWithReservation", () => {
+  const sessionKey = "agent:main:finn:c1";
+
+  it("forks distinct sessionIds without the reservation lock (regression repro)", async () => {
+    await withTempStore(async ({ cfg }) => {
+      const first = resolveSession({ cfg, sessionKey });
+      const second = resolveSession({ cfg, sessionKey });
+      expect(first.isNewSession).toBe(true);
+      expect(second.isNewSession).toBe(true);
+      // Without serialization both requests mint their own id, so the second
+      // request runs in an isolated, memory-less session.
+      expect(first.sessionId).not.toBe(second.sessionId);
+    });
+  });
+
+  it("gives concurrent same-key requests one shared sessionId", async () => {
+    await withTempStore(async ({ cfg, storePath }) => {
+      const [first, second] = await Promise.all([
+        resolveSessionWithReservation({ cfg, sessionKey }),
+        resolveSessionWithReservation({ cfg, sessionKey }),
+      ]);
+      expect(first.sessionId).toBe(second.sessionId);
+      // Exactly one resolution created the session; the other adopted it.
+      expect([first.isNewSession, second.isNewSession].filter(Boolean)).toHaveLength(1);
+      // The reserved mapping is persisted so later turns resume the same session.
+      const persisted = loadSessionStore(storePath, { skipCache: true })[sessionKey];
+      expect(persisted?.sessionId).toBe(first.sessionId);
+    });
+  });
+
+  it("reuses the reserved id for a follow-up after the first request", async () => {
+    await withTempStore(async ({ cfg }) => {
+      const first = await resolveSessionWithReservation({ cfg, sessionKey });
+      const second = await resolveSessionWithReservation({ cfg, sessionKey });
+      expect(second.sessionId).toBe(first.sessionId);
+      expect(second.isNewSession).toBe(false);
+    });
+  });
+
+  it("leaves the explicit sessionId path unchanged", async () => {
+    await withTempStore(async ({ cfg }) => {
+      const resolution = await resolveSessionWithReservation({
+        cfg,
+        sessionId: "explicit-123",
+      });
+      expect(resolution.sessionId).toBe("explicit-123");
+    });
+  });
+
+  it("does not write a visible store row for internal handoffs (suppressVisibleSessionEffects)", async () => {
+    await withTempStore(async ({ cfg, storePath }) => {
+      const resolution = await resolveSessionWithReservation({
+        cfg,
+        sessionKey,
+        suppressVisibleSessionEffects: true,
+      });
+      expect(resolution.isNewSession).toBe(true);
+      expect(resolution.sessionId).toBeTruthy();
+      // Internal handoffs must not leak a visible session-store row.
+      const persisted = loadSessionStore(storePath, { skipCache: true })[sessionKey];
+      expect(persisted).toBeUndefined();
+    });
+  });
+});
diff --git a/src/agents/command/session-resolution-reservation.ts b/src/agents/command/session-resolution-reservation.ts
@@ -0,0 +1,86 @@
+import type { OpenClawConfig } from "../../config/types.openclaw.js";
+import { persistSessionEntry } from "./attempt-execution.shared.js";
+import { resolveSession, type SessionResolution } from "./session.js";
+
+// Per-session-key serialization for resolving a brand-new session identity.
+//
+// Concurrent commands that target the same session key must agree on a single
+// `sessionId`. `resolveSession` mints a fresh `crypto.randomUUID()` whenever the
+// key has no fresh stored entry, and that resolution runs before the per-session
+// execution lane is entered (the lane is keyed by session key but only
+// serializes execution). Two requests that race here -- e.g. a follow-up sent
+// while the first turn is still in flight on the OpenAI-compatible endpoint --
+// each mint their own id, so the later one runs in an isolated, memory-less
+// session. Serializing the mint-and-reserve step closes that window: the first
+// request persists the key-to-id mapping and any concurrent request adopts it
+// instead of forking a second session.
+const SESSION_RESERVATION_QUEUE = new Map<string, Promise<unknown>>();
+
+async function serializeReservation<T>(key: string, task: () => Promise<T>): Promise<T> {
+  const prev = SESSION_RESERVATION_QUEUE.get(key) ?? Promise.resolve();
+  const next = prev.then(task, task);
+  SESSION_RESERVATION_QUEUE.set(key, next);
+  try {
+    return await next;
+  } finally {
+    if (SESSION_RESERVATION_QUEUE.get(key) === next) {
+      SESSION_RESERVATION_QUEUE.delete(key);
+    }
+  }
+}
+
+export type ResolveSessionInput = {
+  cfg: OpenClawConfig;
+  to?: string;
+  sessionId?: string;
+  sessionKey?: string;
+  agentId?: string;
+  clone?: boolean;
+  /**
+   * Internal handoffs (sessionEffects === "internal") must not write visible
+   * session-store rows. Skip the reservation persist entirely; internal runs
+   * are orchestrated, not user-fired, so there is no same-key race to protect.
+   */
+  suppressVisibleSessionEffects?: boolean;
+};
+
+/**
+ * Resolve a session like {@link resolveSession}, but serialize the brand-new
+ * session path per session key so concurrent commands cannot fork separate
+ * sessions for the same key.
+ */
+export async function resolveSessionWithReservation(
+  opts: ResolveSessionInput,
+): Promise<SessionResolution> {
+  const resolution = resolveSession(opts);
+  // Only a brand-new session mints a random id and is therefore racy. An
+  // explicit session id or an existing fresh entry already pins the identity,
+  // so those paths skip the lock entirely and keep steady-state turns lock-free.
+  // Internal handoffs also skip reservation so they cannot create a visible
+  // session-store row that the suppressVisibleSessionEffects contract forbids.
+  if (
+    opts.suppressVisibleSessionEffects ||
+    opts.sessionId?.trim() ||
+    !resolution.isNewSession ||
+    !resolution.sessionKey
+  ) {
+    return resolution;
+  }
+  const reservationKey = `${resolution.storePath}::${resolution.sessionKey}`;
+  return await serializeReservation(reservationKey, async () => {
+    // Re-resolve inside the critical section: a concurrent command may have
+    // reserved an id between the initial resolve and acquiring the lock.
+    const rechecked = resolveSession(opts);
+    if (!rechecked.isNewSession || !rechecked.sessionKey || !rechecked.sessionStore) {
+      return rechecked;
+    }
+    const now = Date.now();
+    await persistSessionEntry({
+      sessionStore: rechecked.sessionStore,
+      sessionKey: rechecked.sessionKey,
+      storePath: rechecked.storePath,
+      entry: { sessionId: rechecked.sessionId, updatedAt: now, sessionStartedAt: now },
+    });
+    return rechecked;
+  });
+}
