fix(sessions): sweep orphan store temp files

sahibzada-allahyar · sahibzada-allahyar · commit c68ca1c842f9 · 2026-06-05T02:35:22.000+01:00
diff --git a/src/config/sessions/store-load.test.ts b/src/config/sessions/store-load.test.ts
@@ -0,0 +1,75 @@
+// Session store load tests cover startup sweep of orphaned atomic-write .tmp files.
+import fs from "node:fs";
+import path from "node:path";
+import { describe, expect, it } from "vitest";
+import { withTempDir } from "../../test-helpers/temp-dir.js";
+import { sweepOrphanSessionStoreTemps } from "./store-load.js";
+
+describe("sweepOrphanSessionStoreTemps", () => {
+  const uuid = "0f9c1a2b-3c4d-4e5f-8a9b-0c1d2e3f4a5b";
+
+  it("deletes stale orphan temp files matching the store basename", async () => {
+    await withTempDir({ prefix: "sweep-test" }, async (tmpDir) => {
+      const storePath = path.join(tmpDir, "sessions.json");
+
+      // Create a stale orphan (older than 5 min)
+      const staleOrphan = path.join(tmpDir, `sessions.json.12345.${uuid}.tmp`);
+      fs.writeFileSync(staleOrphan, "stale", "utf-8");
+      // Backdate mtime to 10 minutes ago
+      const tenMinAgo = Date.now() - 10 * 60 * 1000;
+      fs.utimesSync(staleOrphan, tenMinAgo / 1000, tenMinAgo / 1000);
+
+      // Create a fresh orphan (younger than 5 min — should be preserved)
+      const freshOrphan = path.join(tmpDir, `sessions.json.99999.${uuid}.tmp`);
+      fs.writeFileSync(freshOrphan, "fresh", "utf-8");
+
+      // Create an unrelated temp file (should not be touched)
+      const unrelated = path.join(tmpDir, "other.tmp");
+      fs.writeFileSync(unrelated, "unrelated", "utf-8");
+      fs.utimesSync(unrelated, tenMinAgo / 1000, tenMinAgo / 1000);
+
+      sweepOrphanSessionStoreTemps(storePath);
+
+      // Stale orphan matching the store basename should be deleted
+      expect(fs.existsSync(staleOrphan)).toBe(false);
+      // Fresh orphan should remain (not old enough)
+      expect(fs.existsSync(freshOrphan)).toBe(true);
+      // Unrelated temp files should not be touched
+      expect(fs.existsSync(unrelated)).toBe(true);
+    });
+  });
+
+  it("does nothing when no orphan temp files exist", async () => {
+    await withTempDir({ prefix: "sweep-empty" }, async (tmpDir) => {
+      const storePath = path.join(tmpDir, "sessions.json");
+      fs.writeFileSync(storePath, "{}", "utf-8");
+
+      expect(() => sweepOrphanSessionStoreTemps(storePath)).not.toThrow();
+    });
+  });
+
+  it("handles non-existent store directory gracefully", () => {
+    const storePath = "/tmp/nonexistent-dir-89520/sessions.json";
+    expect(() => sweepOrphanSessionStoreTemps(storePath)).not.toThrow();
+  });
+
+  it("only deletes temp files for the matching store basename", async () => {
+    await withTempDir({ prefix: "sweep-multi" }, async (tmpDir) => {
+      const storePath = path.join(tmpDir, "my-sessions.json");
+      const tenMinAgo = Date.now() - 10 * 60 * 1000;
+
+      const matchingOrphan = path.join(tmpDir, `my-sessions.json.12345.${uuid}.tmp`);
+      fs.writeFileSync(matchingOrphan, "match", "utf-8");
+      fs.utimesSync(matchingOrphan, tenMinAgo / 1000, tenMinAgo / 1000);
+
+      const otherStoreOrphan = path.join(tmpDir, `other-sessions.json.12345.${uuid}.tmp`);
+      fs.writeFileSync(otherStoreOrphan, "other", "utf-8");
+      fs.utimesSync(otherStoreOrphan, tenMinAgo / 1000, tenMinAgo / 1000);
+
+      sweepOrphanSessionStoreTemps(storePath);
+
+      expect(fs.existsSync(matchingOrphan)).toBe(false);
+      expect(fs.existsSync(otherStoreOrphan)).toBe(true);
+    });
+  });
+});
diff --git a/src/config/sessions/store-load.ts b/src/config/sessions/store-load.ts
@@ -1,5 +1,6 @@
 // Session store loading normalizes persisted records, migrations, maintenance, and caches.
 import fs from "node:fs";
+import path from "node:path";
 import { isRecord } from "@openclaw/normalization-core/record-coerce";
 import { createSubsystemLogger } from "../../logging/subsystem.js";
 import type { ChannelRouteRef } from "../../plugin-sdk/channel-route.js";
@@ -11,6 +12,7 @@ import {
   normalizeSessionDeliveryFields,
 } from "../../utils/delivery-context.shared.js";
 import { getFileStatSnapshot } from "../cache-utils.js";
+import { isSessionStoreTempArtifactName } from "./artifacts.js";
 import { hydrateSessionStoreSkillPromptRefs } from "./skill-prompt-blobs.js";
 import {
   cloneSessionStoreRecord,
@@ -373,6 +375,54 @@ export function normalizeSessionStore(store: Record<string, SessionEntry>): bool
   return changed;
 }
 
+/**
+ * Delete orphaned `<store>.<pid>.<uuid>.tmp` temp files left behind when
+ * `replaceFileAtomic` crashes between write and rename (#89520).
+ * Only files older than 5 minutes are removed to avoid racing live writers.
+ */
+export function sweepOrphanSessionStoreTemps(storePath: string): void {
+  const storeDir = path.dirname(storePath);
+  const storeBasename = path.basename(storePath);
+  let dir: fs.Dir | undefined;
+  try {
+    dir = fs.opendirSync(storeDir);
+  } catch {
+    // Store directory may not exist yet (first launch) — nothing to sweep.
+    return;
+  }
+  try {
+    const cutoffMs = Date.now() - 5 * 60 * 1000;
+    let deleted = 0;
+    for (let entry = dir.readSync(); entry; entry = dir.readSync()) {
+      if (!entry.isFile()) {
+        continue;
+      }
+      if (!isSessionStoreTempArtifactName(entry.name, storeBasename)) {
+        continue;
+      }
+      const fullPath = path.join(storeDir, entry.name);
+      try {
+        const stat = fs.statSync(fullPath);
+        if (stat.mtimeMs > cutoffMs) {
+          continue;
+        }
+        fs.unlinkSync(fullPath);
+        deleted += 1;
+      } catch {
+        // racing writer or concurrent sweep — skip
+      }
+    }
+    if (deleted > 0) {
+      log.info("deleted orphaned session store temp files", {
+        storePath,
+        count: deleted,
+      });
+    }
+  } finally {
+    dir?.closeSync();
+  }
+}
+
 export function loadSessionStore(
   storePath: string,
   opts: LoadSessionStoreOptions = {},
@@ -392,6 +442,9 @@ export function loadSessionStore(
     }
   }
 
+  // Sweep orphaned .tmp files left by crashed atomic writes before touching the store.
+  sweepOrphanSessionStoreTemps(storePath);
+
   // Retry a few times on Windows because readers can briefly observe empty or
   // transiently invalid content while another process is swapping the file.
   let store: Record<string, SessionEntry> = {};
