Make session write lock configurable + narrow lock scope (avoid timeout=All models failed)

[ruslanavapro]

Problem

OpenClaw uses a file lock ${sessionFile}.lock for session writes. In current build (npm openclaw@2026.2.9), the lock defaults are:

• timeoutMs = 10000 (10s)
• staleMs = 30min

However, call sites invoke it without overrides:

• acquireSessionWriteLock({ sessionFile })
  so timeoutMs/staleMs are effectively hardcoded defaults and not configurable via openclaw.json.

Additionally, the lock appears to be held across a broad portion of the embedded run (including LLM/tool execution), not just during the actual transcript append/flush. Under concurrent inbound messages to the same session, this produces:

• Error: session file locked (timeout 10000ms)
• which then propagates as All models failed / failover, even though this is not a model/provider error.

Why it matters

If two channels (e.g., Telegram + Webchat) end up hitting the same session concurrently, the second request times out after 10s and fails the run, causing user-visible outages. This is concurrency/locking contention, not provider failure.

Requested changes

1. Configurable lock timeouts

   • Allow configuring sessionWriteLock.timeoutMs and sessionWriteLock.staleMs via openclaw.json (global defaults), and/or via env.

2. Narrow lock scope

   • Hold the lock only during critical sections that read/repair/prewarm/append to the session file.
   • Avoid holding the lock across the entire LLM run.
   • Alternative: per-session async queue / single-writer actor to serialize writes without blocking the whole run.

3. Better error handling

   • Distinguish lock-timeout from model/provider failures.
   • Prefer a retry/backoff or a graceful 409/429-style response with “please retry” instead of surfacing All models failed.

Evidence (from dist bundle)

In dist/reply-*.js:

• Defaults inside acquireSessionWriteLock() include timeoutMs ?? 1e4 and staleMs ?? 1800*1e3.
• Multiple call sites use acquireSessionWriteLock({ sessionFile }) (no overrides).
• The lock is acquired early and released after the run finishes.

Workarounds we are using

• External cleanup of PID-dead .jsonl.lock files.
• Avoiding cross-channel contention by ensuring different channels don’t share the same sessionId.

Happy to provide exact line snippets from the bundle if you want, or test a PR.

[steipete]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep open. Current main has partial mitigations for session-lock contention and failover masking, but the requested public timeout/stale configuration and a truly narrower embedded lock lifecycle are still absent; the newest discussion also reports the same 10s lock timeout on v2026.4.26.

Required change / next step:

This is valid and operator-visible, but the remaining change needs maintainer direction on the public config contract and whether to stage a narrow config-only fix ahead of a larger lock-scope or single-writer redesign; the adjacent open PR should also be considered before spawning a replacement repair lane.

Best possible solution:

Add a supported session write-lock configuration surface with schema/types/docs, apply it consistently to embedded runs and transcript/session-store mutation paths, keep the typed lock-timeout failover suppression, and make an explicit maintainer call on whether to narrow the embedded prompt lifecycle lock now or stage that as a deeper single-writer refactor.

Acceptance criteria:

• pnpm test src/agents/session-write-lock.test.ts
• pnpm test src/agents/failover-error.test.ts
• pnpm test src/agents/pi-embedded-runner/run/attempt.test.ts
• pnpm test src/config/zod-schema.session.test.ts
• pnpm check:changed

What I checked:

• issue-discussion-current: The provided discussion includes an Apr. 26 maintainer review keeping this open for missing config/scope work, plus an Apr. 29 operator report of session file locked (timeout 10000ms) on v2026.4.26.
• lock-defaults-parameter-only: acquireSessionWriteLock accepts optional timeoutMs and staleMs, but still falls back to 10_000 and DEFAULT_STALE_MS locally; there is no config or env lookup in the primitive. (src/agents/session-write-lock.ts:501, 2d53b49b20e1)
• session-config-schema-missing: The strict SessionSchema exposes current session fields such as scope, reset, store, sendPolicy, threadBindings, and maintenance, but no sessionWriteLock, write-lock timeout, or stale-lock option. (src/config/zod-schema.session.ts:27, 2d53b49b20e1)
• session-config-types-missing: The public SessionConfig type mirrors the schema and has no session write-lock timeout/stale contract. (src/config/types.base.ts:158, 2d53b49b20e1)
• session-docs-missing: The user-facing session configuration docs list current session keys and maintenance knobs, but do not document a session write-lock timeout/stale setting. Public docs: docs/gateway/config-agents.md. (docs/gateway/config-agents.md:1137, 2d53b49b20e1)
• embedded-lock-still-spans-prompt: The embedded attempt acquires the session lock before session repair/prep and later calls activeSession.prompt(...) while still inside the same locked attempt lifecycle. (src/agents/pi-embedded-runner/run/attempt.ts:1256, 2d53b49b20e1)

Likely related people:

• vincentkoc: Current-main blame on the central session lock, embedded attempt, session schema/type, and session-store lock paths points to Vincent Koc in commit ad2516b; the issue timeline also mentions vincentkoc for this lock/lifecycle surface. (role: recent maintainer / current-main history; confidence: medium; commits: ad2516b1c876; files: src/agents/session-write-lock.ts, src/agents/pi-embedded-runner/run/attempt.ts, src/config/zod-schema.session.ts)
• steipete: Peter Steinberger authored recent adjacent embedded-attempt commits, authored the v2026.4.26 changelog consolidation, and already left a maintainer keep-open review in the discussion for this exact config/scope gap. (role: recent maintainer / triage reviewer; confidence: high; commits: 20e21173715e, 66cdbccc8a2a, be8c24633aaa; files: src/agents/pi-embedded-runner/run/attempt.ts, CHANGELOG.md)
• MonkeyLeeT: The provided issue context and current changelog credit MonkeyLeeT for the shipped subpart that stops session write-lock timeouts from entering model failover, which is adjacent to the remaining error-handling work. (role: partial fix author; confidence: medium; commits: 8cc38c1b86f4; files: src/agents/session-write-lock-error.ts, src/agents/failover-error.ts, src/agents/failover-error.test.ts)

Remaining risk / open question:

• The public config shape and env variable names for timeout/stale settings are still a product/API decision because they affect schema, exported types, docs, and config metadata.
• Narrowing the embedded lock scope or replacing it with a single-writer actor needs maintainer design because SessionManager, compaction, transcript rewrite/truncation, and cleanup all rely on serialized transcript mutation.
• Open PR fix(agent): pass --timeout to session write lock and expose SessionWriteLockError #69159 overlaps with timeout/error handling, but the provided PR body targets a different issue and does not provide the requested config/stale surface or full lock-scope change.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 2d53b49b20e1.

[richard-scott]

Re-upping this enhancement with a fresh data point. We hit the same Error: session file locked (timeout 10000ms) on v2026.4.26 (Linux native, single-host), and the contention was internal to the gateway — not cross-channel as your original repro framed it.

Same gateway PID, two lanes:

lane=main                            durationMs=25695  pid=852872
lane=session:agent:main:main         durationMs=25712  pid=852872

So even installs with only one channel hit this once the session jsonl grows large enough that lock-hold exceeds the 10s acquire timeout. In our case the trigger was a 1 MB session that had accumulated over ~22 hours without rotation.

Both requested changes would have helped us:

1. Configurable timeoutMs in openclaw.json — we could have raised it temporarily while diagnosing, instead of going straight to a version rollback.
2. Narrowing the lock scope — the lifecycle lock spanning the entire run is what makes the 10s timeout brittle once sessions grow.

Steipete's Apr 26 review note still holds: current main has partial lock-timeout/error-classification fixes but the public config surface and the per-session single-writer queue aren't done. From an operator perspective, the config surface alone would unblock most installs — the queue is a bigger refactor and can land later.

Happy to test a PR against either change on a Linux native install.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main has the acquire-timeout config and failover-classification parts, but the stale/max-hold public config and embedded lock-scope reduction are still not merged; an open closing PR already owns that remaining work.

Reproducibility: yes. at source level: current main still holds the embedded session lock through the prompt/model turn and lacks public stale/max-hold config. The linked PR body also reports Blacksmith Testbox reproduction against unmodified main, but I did not rerun that live scenario here.

Next step
Do not queue a new repair job while the open closing PR already owns the remaining implementation.

Review details

Best possible solution:

Review and either land or close #82891; after a fix merges, close this issue with implementation and release proof.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level: current main still holds the embedded session lock through the prompt/model turn and lacks public stale/max-hold config. The linked PR body also reports Blacksmith Testbox reproduction against unmodified main, but I did not rerun that live scenario here.

Is this the best way to solve the issue?

No current-main solution is complete. The active path is the linked PR, but it still needs maintainer review for the lock boundary, public config contract, and merge conflict resolution.

What I checked:

• live-linked-pr-open: Live GitHub data shows this issue is still open and has an open closing PR at Release embedded session write lock before model I/O #82891; that PR is not merged and is currently conflicting with main. (3b875805b63b)
• acquire-timeout-config-present-only: Current main exposes session.writeLock.acquireTimeoutMs in the session schema/type, but the strict object has no stale/max-hold public config fields. (src/config/zod-schema.session.ts:59, 16ef041b5d86)
• stale-max-hold-defaults-not-public-config: The lock primitive still defines DEFAULT_STALE_MS and DEFAULT_MAX_HOLD_MS, and acquireSessionWriteLock resolves staleMs and maxHoldMs from optional call parameters rather than the public config object. (src/agents/session-write-lock.ts:39, 16ef041b5d86)
• embedded-lock-still-spans-prompt: Current main acquires the embedded session lock before session setup, calls promptActiveSession(...) while still in that locked attempt lifecycle, and only passes the lock to cleanup for release after the prompt/model turn path. (src/agents/pi-embedded-runner/run/attempt.ts:1804, 16ef041b5d86)
• failover-masking-subpart-addressed: Current main detects nested SessionWriteLockTimeoutError values and prevents them from being classified as timeout/model failover; tests cover direct and abort-wrapped lock errors. (src/agents/failover-error.ts:218, 16ef041b5d86)
• docs-show-partial-policy: User-facing docs document session.writeLock.acquireTimeoutMs and explicitly state stale-lock detection and maximum hold warnings remain separate policies. Public docs: docs/reference/session-management-compaction.md. (docs/reference/session-management-compaction.md:97, 16ef041b5d86)

Likely related people:

• joshavant: Current-line blame in this checkout points to Josh Avant across the central session-lock defaults/config, embedded attempt lock lifecycle, and failover handling snapshot. (role: recent area contributor; confidence: high; commits: 7d1317634e5b, 562d460d7599; files: src/agents/session-write-lock.ts, src/agents/pi-embedded-runner/run/attempt.ts, src/config/zod-schema.session.ts)
• amknight: The open closing PR for this issue is authored by amknight and directly changes the lock lifecycle, stale/max-hold config, docs, tests, SDK/runtime propagation, and Codex transcript mirror paths. (role: active linked fix author; confidence: high; commits: 3b875805b63b; files: src/agents/pi-embedded-runner/run/attempt.ts, src/agents/session-write-lock.ts, src/config/zod-schema.session.ts)
• MonkeyLeeT: The merged failover-classification subpart is credited to MonkeyLeeT in PR metadata and touches the session lock timeout error and failover classifier paths. (role: adjacent partial-fix author; confidence: medium; files: src/agents/failover-error.ts, src/agents/failover-error.test.ts, src/agents/session-write-lock-error.ts)
• steipete: The issue discussion includes a detailed keep-open review from steipete for this exact config/scope gap, and live commit metadata shows recent adjacent agent work. (role: triage reviewer and adjacent contributor; confidence: medium; commits: 2a7f9f354644; files: src/agents/pi-embedded-runner/run/attempt.ts, src/agents/session-write-lock.ts)

Remaining risk / open question:

• I did not rerun the live contention scenario in this read-only review; the keep-open decision is based on source inspection plus the linked PR's reported Blacksmith Testbox reproduction.
• The active closing PR is conflicting and maintainer-labeled, so it needs human review/landing rather than a separate ClawSweeper repair lane.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 16ef041b5d86.

[slideshow-dingo]

Fully agree this is the right direction. Adding concrete evidence that the timeout is hardcoded with no config path:

// Compiled dist: session-write-lock-Cij7epjy.js
const timeoutMs = resolvePositiveMs(params.timeoutMs, 1e4, { allowInfinity: true });
//                                                                  ^^^^ 10 seconds hardcoded default

There is no session.lockTimeout or similar config path in the schema. The acquireSessionWriteLock call uses the default 10s for every call site.

The impact of a hardcoded 10s: on a busy gateway (48 cron jobs, 73 active subagent sessions, 6 heartbeats, all contending for the same sessions.json lock), a 10s timeout is too aggressive. Under event loop saturation (I've measured eventLoopDelayP99Ms=2204ms on a 24-core VM), even small writes can take longer than 10s due to fsync blocking.

The two most impactful knobs to expose:

1. session.lockTimeoutMs — acquire timeout for the store lock (default: 10000). Under heavy load, 30-60s would be more appropriate.
2. session.lockMaxHoldMs — max time a lock can be held before auto-release (default: 300000 = 5 min). This prevents a stuck lane from permanently blocking cleanup.

The "narrow lock scope" idea in the issue is the real fix — per-session files + lock-per-file would eliminate the global bottleneck — but that's a larger refactor. Exposing the timeout as configurable is a pragmatic intermediate fix that would unblock deployments like mine today.