Gateway deadlocks session when model API call fails (stale .jsonl.lock)

[Grynn]

Summary

When a model API call fails (e.g., Anthropic quota exceeded, 429 rate limit, timeout), the gateway acquires a session .jsonl.lock but never releases it. This deadlocks all subsequent messages to that session, requiring a full gateway restart.

Reproduction

1. Start a session via Telegram using a model provider with limited quota (e.g., Anthropic)
2. Send messages until the provider quota is exceeded mid-API-call
3. The API call hangs/fails, but the .jsonl.lock is never released
4. All subsequent messages to the session block on the stale lock → gateway timeout (60s)
5. openclaw doctor reports "Main session transcript missing"
6. Only openclaw gateway restart resolves the issue

Evidence

• a7de8453-...-a7f0240e29cd.jsonl.lock existed without a corresponding .jsonl transcript file
• A second stale lock fbf913ec-...-4aef61a514f0.jsonl.lock from 3 weeks earlier (Jan 26) — same pattern, showing this is recurring
• Gateway process (PID 1242800) ran for 10+ hours but did not respond to WebSocket messages for the affected session
• Cron sessions continued to work fine (different session keys, not blocked by the lock)
• After gateway restart, agent responded immediately

Observed session metadata

{
  "sessionId": "a7de8453-d74e-4138-b14a-a7f0240e29cd",
  "model": "claude-opus-4.6",
  "modelProvider": "anthropic",
  "providerOverride": "github-copilot",
  "inputTokens": 3,
  "outputTokens": 49,
  "abortedLastRun": false,
  "sessionFile": "...sessions/a7de8453-...cd.jsonl"  // file did not exist
}

Expected behavior

• Lock should be released on API error (try/finally or equivalent)
• Error entry should be written to the transcript
• User should receive an error message (e.g., "Model API quota exceeded, try again later")
• Session should remain functional after the error

Suggested fixes

1. Wrap lock acquire + API call + transcript write in try/finally to always release lock
2. Add lock timeout (e.g., 120s) as a safety net for unexpected hangs
3. On gateway startup, clean stale .jsonl.lock files (check if holding PID is dead)
4. Write error entry to transcript on API failure instead of silently hanging
5. openclaw doctor should detect and offer to remove stale lock files (PID check)

Environment

• OpenClaw 2026.2.13 (203b5bd)
• Model provider: Anthropic (claude-opus-4-6)
• Channel: Telegram
• OS: Ubuntu (Proxmox KVM guest)

🦞 Diagnosed with help from Claude Code

[Grynn]

Source Code Analysis

Investigated the lock mechanism in the codebase. Key files:

src/agents/session-write-lock.ts

• Uses exclusive file locks (.jsonl.lock) with PID + timestamp payload
• Default timeoutMs: 10 seconds, staleMs: 30 minutes
• Has reentrant lock support via in-memory HELD_LOCKS map (same PID can re-acquire)
• Has signal cleanup handlers (SIGINT, SIGTERM, SIGQUIT, SIGABRT) + process.on("exit")
• Stale detection: isAlive(pid) + createdAt > staleMs

src/infra/file-lock.ts

• Lower-level lock primitive with similar PID-alive + stale checks
• Already has withFileLock(path, opts, fn) using try/finally — but session code may not be using it consistently

Why the deadlock happens

The gateway is a single long-lived process. When it holds a session lock and the model API call hangs:

1. Gateway (PID X) acquires .jsonl.lock for the session
2. Model API call hangs or fails silently (e.g., Anthropic quota exceeded, network timeout)
3. Lock is never released because the error path doesn't call release()
4. New Telegram message arrives for the same session
5. isAlive(X) returns true — the gateway process IS alive
6. Lock is NOT considered stale (PID alive, createdAt recent)
7. The reentrant HELD_LOCKS counter allows same-process re-acquisition, BUT the session handler is serialized — the hung API call blocks the response pipeline
8. The session is effectively deadlocked; transcript file is never written

Why stale detection doesn't help

• staleMs is 30 minutes, but the owning PID is the gateway itself — always alive
• Stale lock cleanup only runs when another process tries to acquire the same lock
• If the gateway holds the lock, isAlive() returns true, so it's never considered stale
• The 3-week-old stale lock (fbf913ec, Jan 26) was from a different gateway PID that had since restarted — but no one ever tried to acquire that specific session's lock again

Suggested code changes

1. Ensure all session write paths use try/finally (like withFileLock in file-lock.ts):

   const lock = await acquireSessionWriteLock({ sessionFile });
   try {
     const response = await callModelApi(...);
     await writeTranscript(sessionFile, response);
   } catch (err) {
     await writeTranscriptError(sessionFile, err);
   } finally {
     await lock.release();
   }

2. Add a per-lock TTL / watchdog: If a lock is held by the current process for longer than N seconds (e.g., 120s), auto-release it and log a warning. The in-memory HELD_LOCKS map could track acquiredAt timestamps.

3. Gateway startup cleanup: On openclaw gateway restart / startup, iterate all *.jsonl.lock files and remove any where isAlive(pid) is false OR createdAt is older than staleMs.

4. openclaw doctor enhancement: Add a check that scans for .jsonl.lock files, tests isAlive(pid), and offers --fix to remove stale ones.

5. Write error to transcript on API failure: The model call error handler should write an error entry to the .jsonl before releasing the lock, so the conversation history is preserved even on failure.

---

Diagnosed by tracing the issue on a production instance where Anthropic API quota expired mid-call, leaving the main Telegram session deadlocked for 4+ hours until gateway restart.