Bug Report: Session file path must be within sessions directory — All non-default agents fail to respond

[Mdx2025]

Bug Report: Session file path must be within sessions directory — All non-default agents fail to respond

Version: 2026.2.12 (f9e444d)
Platform: Ubuntu 24 (server, no GUI session)
Node.js: v22.22.0

---

Summary

All agents other than the default (main) silently fail to process incoming Telegram messages. The gateway starts successfully, bots show "typing..." in Telegram, but no response is ever sent. The error Session file path must be within sessions directory is thrown on every inbound message for non-default agents.

---

Steps to Reproduce

1. Configure multiple agents (e.g. main, coder, writer, researcher, etc.)
2. Start the gateway: openclaw gateway start
3. Send a message to any non-default agent via Telegram
4. Observe: bot shows "typing..." but never responds

---

Expected Behavior

All agents should process messages and respond normally.

---

Actual Behavior

Gateway logs show:

[telegram] handler failed: Error: Session file path must be within sessions directory

This error fires immediately on every inbound message for any agent that is not the DEFAULT_AGENT_ID.

---

Root Cause

In reply-B5GoyKpI.js, line 63597, inside runPreparedReply:

const sessionFile = resolveSessionFilePath(sessionIdFinal, sessionEntry);

This call passes no agentId and no sessionsDir. As a result, resolveSessionFilePath falls through to resolveAgentSessionsDir(DEFAULT_AGENT_ID) — always resolving to the main agent's sessions directory regardless of which agent is actually handling the message.

When the security check in resolvePathWithinSessionsDir (paths-B49s6UZQ.js, line 38) compares the resolved path against the agent's actual storePath, it detects a mismatch (the path is outside the expected sessions directory) and throws:

Error: Session file path must be within sessions directory

Relevant code path:

resolveSessionFilePath(sessionIdFinal, sessionEntry)
  → resolveSessionsDir(opts)           // opts has no agentId/sessionsDir
  → resolveAgentSessionsDir(DEFAULT_AGENT_ID)  // always "main"
  → returns /home/user/.openclaw/agents/main/sessions
  
// But storePath is /home/user/.openclaw/agents/coder/sessions/sessions.json
// path.dirname(storePath) = /home/user/.openclaw/agents/coder/sessions
// → security check fails → throws

---

Fix Applied

Passing the agentId from the session context resolves the issue:

// Before (line 63597):
const sessionFile = resolveSessionFilePath(sessionIdFinal, sessionEntry);

// After:
const sessionFile = resolveSessionFilePath(sessionIdFinal, sessionEntry, { agentId: params.agentId ?? sessionCtx?.AgentId });

This was applied as a manual patch to the dist file and confirmed working — all agents now respond correctly.

---

Impact

• Severity: Critical — affects all multi-agent deployments
• All agents except the default (main) are completely non-functional
• The error is silent from the user's perspective (only "typing..." is shown, no error message is delivered)
• Took several hours to diagnose due to the error occurring deep in the session resolution stack with no clear indication of which agent or path was involved

---

Additional Notes

• The doctor --fix command does not detect or resolve this issue
• Clearing sessions.json files does not help (the bug is in the path resolution logic, not stored data)
• The issue affects Telegram channel; other channels were not tested but likely affected as well
• The gateway otherwise starts and runs normally — openclaw gateway status shows healthy, RPC probe: ok

---

Environment

OpenClaw: 2026.2.12 (f9e444d)
Node.js: v22.22.0
OS: Ubuntu 24 (server)
Agents: main, coder, writer, researcher, clawma, reasoning, support, heartbeat
Channel: Telegram (polling mode)

[cjmny]

Just chiming in to confirm the bug and the fix

[JeremyMahieu]

duplicate of #15421 ?

[Mdx2025]

I think it's the same issue yes

[JaimeAlonsoGA]

I got the same problem. Had a hard time to debug it but I made some changes with the help of my agent and got it fixed. I told my bot to explain it:

Fix Summary
This issue is caused by calls to resolveSessionFilePath missing the required agentId option. The function defaults to DEFAULT_AGENT_ID (main), causing the resolved path to be outside the non-default agent's sessions directory → security check throws "Session file path must be within sessions directory".
Resolution
Added { agentId } to all affected call sites across the dist bundles.
I've created a reusable patcher script that:
Scans all .js files in the dist directory
Handles both 2-arg calls resolveSessionFilePath(a, b) and 3-arg calls resolveSessionFilePath(a, b, { ... })
Injects agentId safely (preserves existing sessionsDir etc.)
Creates timestamped backups before modifying files
Supports --dry-run to preview changes
Usage

From your OpenClaw workspace

node scripts/patch-session-path.js --dry-run # preview
node scripts/patch-session-path.js # apply patches
openclaw gateway restart # reload bundles
Verification
After applying and restarting, non-default agents (Telegram, etc.) respond normally without errors in the logs.
This approach is generic and safe for any OpenClaw deployment. The script is attached below or can be copied from this comment.
Script (patch-session-path.js):
#!/bin/bash

Patch verification for session file path bug

set -e

echo "=== OpenClaw Session Path Verification ==="
echo "Timestamp: $(date '+%Y-%m-%d %H:%M:%S')"
echo ""

1. Check patched lines in dist files

check_patch() {
local file=$1
local line_num=$2
local expected='resolveSessionFilePath(sessionIdFinal, sessionEntry, { agentId })'
local actual=$(sed -n "${line_num}p" "$file" 2>/dev/null | tr -d ' \t')
if echo "$actual" | grep -q "$expected"; then
echo "✅ $file:$line_num patched correctly"
else
echo "❌ $file:$line_num not patched. Found: $(sed -n "${line_num}p" "$file" 2>/dev/null)"
fi
}

echo "1) Checking patches in dist files..."
if [ -f /opt/homebrew/lib/node_modules/openclaw/dist/reply-B5GoyKpI.js ]; then
check_patch /opt/homebrew/lib/node_modules/openclaw/dist/reply-B5GoyKpI.js 63597
else
echo "❌ reply-B5GoyKpI.js not found"
fi

2. Dump Telegram session store entry

echo ""
echo "2) Telegram agent session store entry:"
cat ~/.openclaw/agents/telegram/sessions/sessions.json | jq -r '.["agent:telegram:main"] | {sessionId, sessionFile}' 2>/dev/null || echo "❌ Failed to read sessions.json"

3. Verify transcript file exists

echo ""
echo "3) Transcript file existence:"
if [ -f ~/.openclaw/agents/telegram/sessions/35bb348b-5bea-4862-b9d5-848ac6f1f623.jsonl ]; then
echo "✅ Transcript exists"
else
echo "✅ No transcript (will be created on first message)"
fi

4. Check for unresolved callsites (non-exhaustive)

echo ""
echo "4) Unpatched callsites (possible candidates):"
grep -n "resolveSessionFilePath(sessionIdFinal, sessionEntry)" /opt/homebrew/lib/node_modules/openclaw/dist/*.js 2>/dev/null | grep -v "{ agentId }" || echo "✅ No obvious unpatched sites in main reply file"

echo ""
echo "=== End of verification ==="