Gateway restart silently drops in-flight Feishu sessions — no user notification

[vulturekun]

Summary

When the gateway is restarted (via systemctl restart or openclaw gateway restart), any in-flight LLM requests are silently dropped. The user who sent a message via Feishu receives no reply and no notification that a restart occurred. From the user's perspective, the bot simply stops responding.

Environment

• OpenClaw version: 2026.3.2
• Channel: Feishu (飞书) via WebSocket long connection
• Deployment: systemd user service (openclaw-gateway.service)
• Agents affected: All Feishu-bound agents (8 agents, 8 Feishu bot accounts)

Steps to Reproduce

1. Send a message to any Feishu-bound agent (e.g., xiaotang)
2. While the agent is processing (LLM request in-flight), restart the gateway:

   systemctl --user restart openclaw-gateway

3. Observe: the user never receives a reply or any indication that the request was lost

Expected Behavior

After a gateway restart, users with interrupted sessions should receive a notification (e.g., "Service restarted, please resend your last message") through the same Feishu channel.

Analysis

Looking at the gateway source code, I found:

1. SIGUSR1 triggers graceful restart with drain (DRAIN_TIMEOUT_MS = 30s), but SIGTERM (used by systemctl restart) does NOT drain — it proceeds to shutdown immediately.

2. abortedLastRun flag exists in sessions.json entries but is only set to false on new runs — there's no post-restart logic to scan for abortedLastRun=true sessions and notify users.

3. Restart Sentinel mechanism exists (writeRestartSentinel / consumeRestartSentinel in gateway-cli-vk3t7zJU.js) but only notifies a single session specified at shutdown time — not all affected sessions.

4. server.close() sends restartExpectedMs: 1500 to WebSocket clients, but Feishu users connecting via bot → WebSocket bridge don't see this.

Relevant code locations

Component	File	Lines
Drain logic (SIGUSR1 only)	gateway-cli-vk3t7zJU.js	22991-22999
SIGTERM handler (no drain)	gateway-cli-vk3t7zJU.js	23015-23017
Restart Sentinel (single session)	gateway-cli-vk3t7zJU.js	20568-20635
abortedLastRun field	sessions-XdimqNx2.js	9089-9091
Session write lock cleanup	sessions-XdimqNx2.js	23-164

Proposed Enhancement

Option A: Built-in post-restart notification (preferred)

On gateway startup, scan all agent sessions.json for sessions where:

• abortedLastRun == true, OR
• updatedAt is within the last N minutes AND the session has a valid deliveryContext

Then automatically send a notification via the original channel (Feishu, Telegram, etc.) informing the user that a restart occurred.

Option B: Lifecycle hooks

Provide pre-stop / post-start hooks in the gateway configuration:

gateway:
  hooks:
    pre-stop: "script-to-collect-active-sessions.sh"
    post-start: "script-to-notify-users.sh"

Current Workaround

We created a wrapper script (openclaw-restart.sh) that:

1. Collects recently active Feishu sessions from sessions.json before restart
2. Uses openclaw gateway restart (SIGUSR1-based, with drain) instead of systemctl restart
3. After the new process starts, sends notifications via openclaw agent --deliver to each affected user

This works but is fragile and shouldn't be necessary — the gateway should handle this natively.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[clawsweeper]

Thanks for the context here. I swept through the related work, and this is now duplicate or superseded.

Close as superseded by the open generic recovery tracker #69249. Current main still has the Feishu-visible restart interruption gap, but the same remaining work is already captured in #69249's channel-agnostic repair scope, with this Feishu report listed as related cluster context.

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Review details

Best possible solution:

Continue the implementation under #69249 as a generic channel-visible restart interruption recovery path, with Feishu included through persisted route metadata and idempotent same-channel notice delivery.

Do we have a high-confidence way to reproduce the issue?

Yes. The issue gives concrete Feishu WebSocket and systemd restart steps, and current-main source inspection still shows no general fan-out notice for all interrupted Feishu sessions.

Is this the best way to solve the issue?

Yes. Closing this as superseded is the narrowest cleanup because #69249 already tracks the same remaining generic recovery work; the implementation should avoid a Feishu-only branch.

Security review:

Security review: This is issue triage without a proposed patch, and the report itself is not a security-sensitive disclosure.

What I checked:

• SIGTERM remains a stop path unless restart intent exists: Current main still treats SIGTERM as stop unless OpenClaw restart intent is consumed, while SIGUSR1 is the in-process restart path; this preserves the reported systemd restart distinction rather than fixing it here. (src/cli/gateway-cli/run-loop.ts:394, 7d77680d9f4d)
• Restart sentinel is single-session scoped: RestartSentinelPayload has one optional sessionKey and one optional deliveryContext, and startup consumes one sentinel task; it is not a scanner for all interrupted Feishu sessions. (src/infra/restart-sentinel.ts:42, 7d77680d9f4d)
• Main-session restart recovery is internal-only: The current recovery path resumes via the gateway agent method with deliver: false, and the colocated test asserts that behavior, so it does not automatically send a Feishu-channel notice. (src/agents/main-session-restart-recovery.ts:123, 7d77680d9f4d)
• Feishu route metadata exists for a generic fix: Feishu inbound context records OriginatingChannel and OriginatingTo, so the related generic recovery work can cover Feishu without a Feishu-only core special case. (extensions/feishu/src/bot.ts:1186, 7d77680d9f4d)
• Canonical related tracker remains open: The provided GitHub context and local ClawSweeper record show Gateway restart can silently abort an in-flight Discord turn, with no automatic recovery message to the user #69249 is open, tracks the same missing same-channel restart recovery behavior, and explicitly clusters this Feishu report as in-scope for a generic fix.

Likely related people:

• steipete: Prior ClawSweeper feature-history for the same cluster identifies main-session restart recovery and recent channel-turn routing work as central to this behavior. (role: introduced behavior / recent maintainer; confidence: medium; commits: a9a308becd5c, af10be59d81a, ffe67e9cdc9e; files: src/agents/main-session-restart-recovery.ts, src/agents/main-session-restart-recovery.test.ts, src/channels/turn/kernel.ts)
• obviyus: Prior cluster history points to restart-continuation routing and startup-task changes in the existing outbound notice machinery that the canonical fix should likely reuse. (role: restart-sentinel maintainer; confidence: medium; commits: 81e0022b4dbf, 486d0ec23559, fe5f0cddb929; files: src/gateway/server-restart-sentinel.ts, src/gateway/server-restart-sentinel.test.ts)
• vincentkoc: Prior related history identifies active-run drain and restart-deferral work as adjacent mitigation around the same gateway restart lifecycle, though not the missing channel-visible recovery itself. (role: adjacent restart-lifecycle owner; confidence: medium; commits: ec1f72b6c58f, 1f41b8b44ba0; files: src/cli/gateway-cli/run-loop.ts, src/process/command-queue.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 7d77680d9f4d.