[Bug]: switching session.dmScope back to main does not reconcile stale peer-keyed direct DM sessions

[SatsConvert]

Summary

Changing DM routing back to session.dmScope = "main" did not reconcile or retire old peer-keyed direct sessions on this machine.

That left multiple live direct-session identities coexisting, including the canonical main session and stale Telegram-peer-keyed direct sessions. In practice this created misleading "Telegram vs TUI are unsynced" symptoms until the stale session records were manually removed from the session store.

Environment

• OpenClaw: 2026.3.12
• OS: Linux x64
• Gateway mode: local
• Channel involved: Telegram DM + TUI/main

Relevant config

Live config during investigation (sanitized):

{
  "session": {
    "dmScope": "main",
    "mainKey": "main"
  }
}

Observed behavior

Even with session.dmScope = "main", the session store still contained both:

• canonical main direct session:
  • agent:main:main
• stale peer-keyed Telegram direct session:
  • agent:main:telegram:direct:TELEGRAM_USER_ID

At different points there were also other stale direct-ish leftovers, such as:

• an old Telegram slash session
• an old TUI-specific direct session

The key problem was that the stale peer-keyed Telegram direct session still existed after routing had supposedly returned to canonical main-session behavior.

Why this is a problem

From an operator perspective, this makes the system feel haunted:

• Telegram can correctly land in agent:main:main
• a stale peer-keyed direct session can still remain in the store with history
• TUI/session comparisons become ambiguous
• it is easy to conclude "Telegram and TUI are unsynced" when in reality a ghost session is still hanging around

Concrete evidence from this machine

During live investigation:

1. Current Telegram conversation was positively identified as agent:main:main.
2. A stale peer-keyed direct session still existed in the session store:
   • agent:main:telegram:direct:TELEGRAM_USER_ID
3. That stale session still had readable history.
4. Manual deletion of the stale peer-keyed session entry/file did not break current Telegram DM routing.
5. A fresh Telegram test message after deletion still landed in:
   • agent:main:main
6. The stale peer-keyed direct session did not get recreated immediately.

This strongly suggests the stale peer-keyed session had become leftover state rather than an actively required routing identity.

Manual workaround used

We had to manually clean the session store:

• backup sessions.json
• remove stale direct-session keys from ~/.openclaw/agents/main/sessions/sessions.json
• move the corresponding JSONL files aside
• verify fresh Telegram DM still attached to agent:main:main

After cleanup, only the intended main direct session remained for direct-chat use.

Expected behavior

When session.dmScope is changed back to main, OpenClaw should do one of the following:

1. automatically reconcile/retire stale peer-keyed direct DM sessions, or
2. clearly mark them as legacy/inactive so they do not continue to confuse operators, or
3. provide an official cleanup/migration command for collapsing old DM session identities safely.

Actual behavior

Stale peer-keyed direct sessions remain present and sufficiently "real" to confuse debugging, even after canonical DM routing is back on agent:main:main.

Impact

This caused substantial wasted debugging time because it made session continuity look broken or inconsistent across Telegram and TUI when the real issue was stale leftover session state.

Notes

This report is intentionally sanitized:

• Telegram user IDs redacted
• local usernames/paths minimized
• session/file UUIDs omitted

If maintainers want, I can provide a more structured sanitized before/after sessions.json shape as a follow-up.

[Ryce]

The 'haunted session' description is perfect — that's exactly what it feels like when stale session state lingers after config changes.

The manual workaround you described (backup sessions.json, remove stale keys, move JSONL files aside) is exactly the kind of surgery that most operators won't know how to do safely. And the risk of getting it wrong is real — delete the wrong session key and you've lost actual conversation history.

A few patterns worth noting:

1. Config changes should be treated as state mutations. Changing dmScope isn't just a config toggle — it invalidates existing session routing identities. The system should either reconcile automatically or at minimum warn that stale sessions will remain and offer a cleanup path.

2. The ghost session problem is worse than it looks. It's not just confusing debugging — stale sessions can hold meaningful history that an operator might want to reference later. Auto-retiring them needs to preserve that history somewhere discoverable, not just silently delete it.

3. This connects to a broader session health pattern. Right now there's no easy way to audit 'what sessions exist, which are active, which are stale' without manually inspecting sessions.json. A or similar command that flags orphaned/stale sessions would catch this class of issue before it becomes debugging archaeology.

The 'compare-and-set' / monotonic update approach from #45505 could apply here too — session store changes should converge to the intended state rather than accumulating leftovers.

[dsantoreis]

Good catch. The dmScope config controls routing going forward but there is no reconciliation pass that retires or migrates existing peer-keyed direct sessions when switching back to main.

What happens: you switch to dmScope: "per-peer" → gateway creates telegram:12345 keyed sessions. You switch back to main → new DMs route to main, but the old peer-keyed sessions still exist in the session store and can pick up messages if the routing lookup hits them first (race between stale session match and canonical main).

The fix needs a lifecycle hook on dmScope change that either:

1. Marks stale peer-keyed sessions as archived/inactive so the router skips them
2. Merges their recent context into main (harder, probably not worth the complexity)
3. At minimum logs a warning on startup when stale peer-keyed sessions exist but dmScope is main

Option 1 is the right call. The session store already has inactive/archived semantics for sub-agent sessions — extending that to direct sessions on scope change is clean.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main still routes new main-scoped DMs to agent:<agent>:main, but there is no dmScope-back-to-main reconciliation path, and stale peer-keyed direct-session rows remain ordinary stored/listed sessions until retention or manual cleanup handles them.

Reproducibility: yes. from source inspection. Seed a store with agent:main:main plus agent:main:telegram:direct:123 while config has session.dmScope: "main"; routing returns the main key, but listing and cleanup still treat the peer-keyed row as an ordinary session.

Next step
This is a focused source-reproducible lifecycle gap with clear owner files, regression-test targets, and no protected label or open fixing PR in the provided context.

Review details

Best possible solution:

Extend the existing session cleanup or doctor repair surface to detect peer-keyed direct DM rows inconsistent with current main-scoped routing and retire or archive them with dry-run visibility while preserving history.

Do we have a high-confidence way to reproduce the issue?

Yes, from source inspection. Seed a store with agent:main:main plus agent:main:telegram:direct:123 while config has session.dmScope: "main"; routing returns the main key, but listing and cleanup still treat the peer-keyed row as an ordinary session.

Is this the best way to solve the issue?

Yes. The narrow maintainable fix is a generic, history-preserving stale-direct-session repair in the existing cleanup/doctor maintenance path, not Telegram-specific routing behavior or silent startup deletion.

Acceptance criteria:

• pnpm test src/commands/sessions-cleanup.test.ts src/routing/resolve-route.test.ts src/routing/session-key.continuity.test.ts src/gateway/session-utils.telegram-recreate.test.ts extensions/telegram/src/session-route.test.ts extensions/telegram/src/conversation-route.base-session-key.test.ts
• pnpm exec oxfmt --check --threads=1 src/config/sessions/cleanup-service.ts src/commands/sessions-cleanup.ts src/cli/program/register.status-health-sessions.ts docs/cli/sessions.md docs/concepts/session.md CHANGELOG.md

What I checked:

• Issue discussion confirms lifecycle gap: The reporter provided a sanitized agent:main:main plus agent:main:telegram:direct:<peer> store shape under session.dmScope: "main", and a follow-up comment notes that dmScope controls future routing but does not reconcile existing peer-keyed rows.
• Main-scoped direct routing collapses to main key: buildAgentPeerSessionKey returns buildAgentMainSessionKey for direct peers when dmScope is main or unset. (src/routing/session-key.ts:143, 47134d1ce63a)
• Route resolution has no store reconciliation side effect: resolveAgentRoute reads input.cfg.session?.dmScope ?? "main" and builds a route key; this path does not scan or mutate the session store. (src/routing/resolve-route.ts:623, 47134d1ce63a)
• Inbound metadata only normalizes aliases for the requested key: recordSessionMetaFromInbound resolves and updates the requested sessionKey, deleting only legacy aliases returned for that same key, so a separate peer-keyed direct row is untouched when the requested key is the main session. (src/config/sessions/store.ts:553, 47134d1ce63a)
• Cleanup service is retention/count/budget oriented: The cleanup action set is keep, prune-missing, prune-stale, cap-overflow, and evict-budget; preview/apply paths do not consider session.dmScope or peer-keyed direct-session retirement. (src/config/sessions/cleanup-service.ts:40, 47134d1ce63a)
• CLI exposes no stale-direct cleanup option: openclaw sessions cleanup exposes store/agent/all-agents/dry-run/enforce/fix-missing/active-key/json, but no dmScope-aware stale direct-session cleanup mode. (src/cli/program/register.status-health-sessions.ts:169, 47134d1ce63a)

Likely related people:

• Alphonse-arianee: The original dmScope feature commit is feat(session): add dmScope for multi-user DM isolation with Alphonse-arianee as co-author, making them relevant to the routing contract history. (role: introduced behavior; confidence: medium; commits: ca9688b5cc73; files: src/routing/session-key.ts, src/routing/resolve-route.ts, docs/concepts/session.md)
• steipete: Peter Steinberger authored nearby session-key normalization, main-session key handling, and gateway session-store canonicalization changes that shape the affected routing/store boundary. (role: session routing and store history owner; confidence: high; commits: 6c7a27c01087, c92265a51b72, 4b6cdd1d3cb5; files: src/routing/session-key.ts, src/gateway/session-utils.ts, src/config/sessions/store.ts)
• vincentkoc: Current-line blame in this checkout points to Vincent Koc on the affected routing/session cleanup/store files, and recent changelog/docs work also touches dmScope/session maintenance surfaces. (role: recent maintainer; confidence: medium; commits: 973e240bb347; files: src/routing/session-key.ts, src/config/sessions/cleanup-service.ts, src/config/sessions/store.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 47134d1ce63a.

[cdeniger]

+1 — hitting this on 2026.4.24. Single-owner Telegram DM, single agent, no session.dmScope set in config (so per the source default of "main" everything should collapse to the main key).

Wanted to add an observation that may be useful: there's a second consequence of these stale peer-keyed rows beyond cleanup hygiene — they actively divert tool/runtime lookups inside get-reply.js, because two different session keys are derived from the same inbound request and they don't agree.

In the installed dist/get-reply-CSQ5BMwG.js (matches src/runtime/reply/get-reply.ts in spirit):

Storage key (line 2923) — correctly canonicalized to agent:<id>:main:

sessionKey = canonicalizeMainSessionAlias({
    cfg, agentId,
    sessionKey: resolveSessionKey(sessionScope, sessionCtxForState, mainKey)
});

Tool/runtime key (line 3506) — uses raw ctx.SessionKey with no canonicalization:

const agentSessionKey =
    (ctx.CommandSource === "native"
        ? normalizeOptionalString(ctx.CommandTargetSessionKey)
        : void 0)
    || ctx.SessionKey;

For Telegram DMs ctx.SessionKey is the per-peer key built by the channel handler with dmScope: "per-account-channel-peer" (see runtime-policy-session-key-CQYorQe-.js line 50ish and buildAgentPeerSessionKey in session-key-EpIbK3Oz.js). It then propagates into:

• agentSessionKey: sessionKey on createOpenClawTools(...) (around line 1446)
• tool-resolution-e6mU41JB.js line 34 (createOpenClawTools({ agentSessionKey: params.sessionKey, ... }))
• runPreparedReply where it becomes runtimePolicySessionKey for silent-reply settings, tool policy lookup, command authorization

User-visible effect: session_status (and any other tool that takes opts.agentSessionKey) reports the stale peer-keyed entry — frozen model, frozen context %, frozen "updated 2h ago" — even though the live transcript is being appended to agent:<id>:main. Deleting the stale row breaks tools with Unknown sessionKey: agent:<id>:telegram:<account>:direct:<peer> because the lookup target still resolves to that key.

So in addition to the cleanup-service reconciliation path the issue body proposes, it'd be worth canonicalizing agentSessionKey at derivation in get-reply.ts so that it can't diverge from the storage key in the first place. Both pieces — derivation parity + cleanup of orphans — get this fully closed for affected users.

Happy to test a candidate fix.