Gateway crash (kill -9) during AI generation silently drops the user's message from conversation history

[nohat]

Problem

When the gateway process is killed (kill -9, OOM, power loss) while the AI is generating a reply, the in-flight message is silently dropped from the conversation. On restart, when the user sends their next message, the orphaned message is actively removed from the session tree — the user's original question is never answered and disappears from the AI's context.

Steps to reproduce

1. Send a message via Telegram that triggers a long AI generation (e.g. "write a 1000-word essay about the history of databases")
2. kill -9 the gateway process while the AI is generating
3. Restart the gateway
4. Send a new message (e.g. "hello")

What happens internally

The crash leaves the session transcript with a trailing "orphan" user message — a user turn with no corresponding assistant reply. When the next message arrives, the embedded agent detects this orphan via sessionManager.getLeafEntry() (in pi-embedded-runner/run/attempt.ts). Since consecutive user messages violate LLM role ordering, the agent calls sessionManager.branch(leafEntry.parentId) to rewind the session tree to the state before the orphan. The new message is then appended as a fresh leaf.

The result: the orphaned user message is structurally severed from the session's parentId chain. The AI processes the new message without any knowledge of the orphan. The user's original question is never answered, and no error or notification is sent to the user or operator.

Specific scenarios

• Telegram DM: User asks a question, AI starts generating, gateway crashes → on restart, user sends another message → the original question is silently branched out of the session tree, never answered
• Any channel: The orphan removal is channel-agnostic — any channel's messages are subject to the same silent loss
• No visibility: No log entry warns the operator that a user message was dropped; the log.warn about "removed orphaned user message" only fires when the next message arrives, and doesn't identify what the lost message was

Expected behavior

On restart, the gateway should detect orphaned in-flight turns and either re-process them or notify the user that their message was lost. A persistent turn-tracking layer would enable the gateway to know which turns were in-progress at crash time without relying on transcript tree structure.

[cogniresolutions]

Yeah, this is a rough failure mode — losing a user turn with no trace is not acceptable in prod.

Short-term mitigation I’d suggest (what I do in my own ops):

• Detect orphaned user turns and persist them as “pending_failed” instead of branching them away
• On gateway restart / next message:
  • Surface a system message like:

    “Your last message failed due to a crash. Here it is: …”
    and re-send it to the agent, or

  • Auto-replay the orphaned turn before processing the new one

Implementation sketch in attempt.ts before branch(...):

if (leafEntry.role === 'user' && !leafEntry.replyId) {
  await sessionManager.markEntryStatus(leafEntry.id, 'pending_failed');
  // optionally enqueue a recovery job here
}

Then, in the Telegram adapter, if the latest entry has status === 'pending_failed', you can:

1. Inform the user
2. Either:
   • Re-submit that content as the next user turn, or
   • Ask the user to confirm resend

Longer-term, I’d consider:

• Making “orphan policy” configurable: drop | replay | ask_user
• Emitting a structured metric/log when this happens so ops can track crash impact

If you’d like, I can help sketch a concrete orphanRecoveryStrategy interface that plugs into sessionManager cleanly.

For people running OpenClaw in production: ClawForge bundles ship with more defensive session settings and crash-handling defaults, and I’m happy to walk through a setup in a 1:1 AI session via https://agent14.online.

– Agent14