[Bug]: Persisted oversized toolResult entries can poison shared main sessions (lag/token blowup/OOM risk)

[sene1337]

Bug type

Performance/reliability bug

Summary

Large tool results are persisted to session transcripts by default, which can poison shared human-facing sessions (session.dmScope = "main") and cause severe lag, token blowups, and eventual instability/OOM under tool-heavy workflows.

Steps to reproduce

1. Configure shared DM lane:
   • session.dmScope = "main"
2. Use a non-Anthropic model path in the main lane.
3. Run several heavy tool calls (exec, read) returning very large outputs (~150k-200k chars each).
4. Continue chatting in that same shared main session.

Expected behavior

• Large tool outputs should not be persisted verbatim into the live owner-facing transcript.
• Protection against tool-result bloat should apply regardless of provider path.
• Main lanes should remain responsive after tool-heavy turns.

Actual behavior

• toolResult payloads are persisted by default.
• Very large payloads still pass through (high hard cap), so transcript keeps accumulating giant entries.
• In production this led to:
  • inflated token counts on simple replies,
  • typing TTL stalls / multi-minute lag,
  • and one gateway crash with V8 JSON/OOM signature.

OpenClaw version

2026.3.13 (also observed historically in earlier versions)

Operating system

macOS 26.3.1 (arm64)

Install method

npm global

Model

openai-codex/gpt-5.4 and openai-codex/gpt-5.3-codex (main lane during incidents)

Provider / routing chain

OpenClaw -> OpenAI Codex (main lane), with tool-heavy turns in shared DM session

Config file / key location

~/.openclaw/openclaw.json

Additional provider/model setup details

contextPruning enabled in config, but this does not sufficiently protect persisted transcript state on non-Anthropic lanes.

Logs, screenshots, and evidence

Key runtime/doc evidence from source analysis:

• Tool results are persisted by guarded append path (default behavior).
• Hard cap is permissive enough for very large entries (HARD_MAX_TOOL_RESULT_CHARS = 400000, MAX_TOOL_RESULT_CONTEXT_SHARE = 0.3).
• Session pruning is documented as in-memory context trimming, not transcript rewrite.
• Pruning coverage is provider-limited (Anthropic/OpenRouter Anthropic), leaving non-Anthropic lanes underprotected.

Production impact observed:

• many persisted tool results >=150k chars in session history,
• repeated owner-facing lag,
• and one gateway crash showing node::OOMErrorHandler + v8::internal::JsonParser in diagnostics.

Impact and severity

Affected: owner-facing shared sessions that also run heavy tooling
Severity: High (reliability + responsiveness)
Frequency: Reproducible under sustained tool-heavy usage
Consequence: Human-facing main lane becomes unstable/unresponsive over time

Additional information

Likely related but not identical to:

• [Feature]: Feature Request: before_assistant_persist hook to prevent session corruption from oversized responses #21598 (before_assistant_persist feature request; assistant messages)
• the tokens got burned by dragging a huge context forward #1594 (huge context/token burn)

This report is specifically about persisted toolResult transcript bloat in live shared sessions.

Suggested fix directions:

1. safer default persistence policy for tool results (summarize/externalize large payloads),
2. optional transcript-aware compaction of oversized historical toolResult entries,
3. stricter persistence defaults for owner-facing lanes,
4. model-agnostic protection behavior.

[Hollychou924]

Analysis: Oversized toolResult persistence poisoning shared main sessions

This is a bounded-resource problem with no defense-in-depth. The hard cap (HARD_MAX_TOOL_RESULT_CHARS = 400000) is too permissive, and session pruning only trims in-memory context — it doesn't rewrite the persisted transcript.

The accumulation pattern

Each tool-heavy turn persists toolResult payloads to the session transcript. With session.dmScope = "main", human-facing turns share the same session. After several heavy tool calls:

transcript grows to: N × (up to 200k chars toolResult) + actual conversation
context window: correctly pruned in-memory
disk + replay cost: never pruned, grows unbounded

The next time the session is loaded (gateway restart, new context window), the transcript replay sends the full oversized toolResult entries to the LLM — causing token blowup even for simple replies.

Why non-Anthropic lanes are worse

Anthropic's context pruner knows how to identify and truncate tool results during context assembly. Non-Anthropic providers (OpenAI Codex, etc.) use a different context assembly path that may not apply the same truncation to persisted entries.

Fix directions

Option A (immediate): Lower HARD_MAX_TOOL_RESULT_CHARS to something sane (e.g., 20k chars), with truncation marker. Most tool results that exceed 20k are logs or file contents that don't need to be replayed verbatim in future turns.

Option B (session-level config): Add session.maxToolResultBytes config option that applies a per-session hard cap on persisted tool result size, truncating at persistence time rather than at context assembly time.

Option C (archival mode): For session.dmScope = "main", tool results above a threshold should be stored as external references (write to a temp file, store a reference) rather than inline in the transcript.

Option D (pruning fix): Make context pruning apply to persisted transcript, not just in-memory context. This is more invasive but fixes the root cause.

Impact

This is a latent issue for any user with tool-heavy workflows in shared main sessions. The 400k char hard cap means a single exec or read of a large codebase can pollute the transcript, and users won't notice until the session becomes unusably slow or the gateway OOMs.

Affected users: anyone using session.dmScope = "main" with heavy tool calls (file reads, shell commands on large repos, browser snapshots).

[sene1337]

Follow-up filed for operator-side prevention via diagnostics: #49899\n\n#49888 tracks the core runtime behavior fix. #49899 proposes an ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
██░▄▄▄░██░▄▄░██░▄▄▄██░▀██░██░▄▄▀██░████░▄▄▀██░███░██
██░███░██░▀▀░██░▄▄▄██░█░█░██░█████░████░▀▀░██░█░█░██
██░▀▀▀░██░█████░▀▀▀██░██▄░██░▀▀▄██░▀▀░█░██░██▄▀▄▀▄██
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
🦞 OPENCLAW 🦞

┌ OpenClaw doctor
[plugins] [lcm] Plugin loaded (enabled=true, db=/Users/senemaro/.openclaw/lcm.db, threshold=0.75)
│
◇ State integrity ────────────────────────────────────────────────╮
│ │
│ - Found 3 orphan transcript file(s) in │
│ ~/.openclaw/agents/main/sessions. They are not referenced by │
│ sessions.json and can consume disk over time. │
│ │
├──────────────────────────────────────────────────────────────────╯
│
◇ Session locks ──────────────────────────────────────────────────────────────╮
│ │
│ - Found 1 session lock file. │
│ - ~/.openclaw/agents/main/sessions/fa068c07-6045-4eb6-9cd7-2b487572ad82.js │
│ onl.lock │
│ pid=20665 (alive) age=42s stale=no │
│ │
├──────────────────────────────────────────────────────────────────────────────╯
│
◇ Gateway service config ───────────────────────────────────────────────╮
│ │
│ - Gateway service entrypoint does not match the current install. │
│ (/Users/senemaro/.openclaw/lib/node_modules/openclaw/dist/entry.js │
│ -> │
│ /Users/senemaro/.openclaw/lib/node_modules/openclaw/dist/index.js) │
│ │
├────────────────────────────────────────────────────────────────────────╯
│
◇ Security ────────────────────────────────────────────────────────────╮
│ │
│ - BlueBubbles DMs: multiple senders share the main session; run: │
│ openclaw config set session.dmScope "per-channel-peer" (or │
│ "per-account-channel-peer" for multi-account channels) to isolate │
│ sessions. │
│ - Run: openclaw security audit --deep │
│ │
├───────────────────────────────────────────────────────────────────────╯
│
◇ Skills status ────────────╮
│ │
│ Eligible: 28 │
│ Missing requirements: 31 │
│ Blocked by allowlist: 0 │
│ │
├────────────────────────────╯
│
◇ Plugins ──────╮
│ │
│ Loaded: 7 │
│ Disabled: 37 │
│ Errors: 0 │
│ │
├────────────────╯
Telegram: ok (@Seneschal1337bot) (209ms)
BlueBubbles: ok
Agents: main (default), kazuo
Heartbeat interval: 1h (main)
Session store (main): /Users/senemaro/.openclaw/agents/main/sessions/sessions.json (154 entries)

• agent:main:main (1m ago)
• agent:main:cron:d6fd5498-3672-4882-8c81-aa799242ab37 (7m ago)
• agent:main:cron:d6fd5498-3672-4882-8c81-aa799242ab37:run:a85ff485-a4f6-4b22-b784-81d204f13b22 (7m ago)
• agent:main:cron:ca346943-224c-4b26-8071-966b5c749184 (22m ago)
• agent:main:cron:ca346943-224c-4b26-8071-966b5c749184:run:6f888dab-e6d4-4b41-98a6-74f96d64090c (22m ago)
  │
  ◇ Channel warnings ───────────────────────────────────────────────────────╮
  │ │
  │ - telegram default: Config allows unmentioned group messages │
  │ (requireMention=false). Telegram Bot API privacy mode will block │
  │ most group messages unless disabled. (In BotFather run /setprivacy → │
  │ Disable for this bot (then restart the gateway).) │
  │ │
  ├──────────────────────────────────────────────────────────────────────────╯
  Run "openclaw doctor --fix" to apply changes.
  │
  └ Doctor complete. check to detect oversized persisted toolResult buildup early and provide guided remediation before main-lane responsiveness degrades.

[Ryce]

Good diagnosis. The core problem here is a reliability boundary violation: the session transcript is supposed to be the source of truth for continuity, but it is also the failure vector. When the transcript poisons itself, every recovery path that reads from it (doctor, context pruning, session resume) inherits the corruption.

The HARD_MAX_TOOL_RESULT_CHARS = 400000 threshold is doing double duty — it is the persistence threshold AND the safety cap, which means "safe enough to persist" and "safe enough to keep in context" are treated as the same question. They are not. A 300k char exec output is fine in a throwaway subagent transcript but toxic in a main-session lane that accumulates over days.

Provider-agnostic protection gap is the real issue. The pruning coverage being Anthropic/OpenRouter-only means the protection model depends on which model happens to be routing the session, not on the session's role or accumulation risk. An owner-facing main session running Codex or Bedrock gets zero protection regardless of transcript bloat.

Suggested fix priority:

1. Persistence policy, not cap policy. Separate "what gets persisted" from "what gets kept in active context." Large tool outputs should persist to an external store (or at minimum, a truncated summary + pointer), not inline in the transcript.

2. Owner-facing lane protection regardless of provider. If session.dmScope === main, apply compaction/summarization rules independent of which provider is active. The lane role determines protection, not the model.

3. Doctor should read storage, not just in-memory state. Current doctor reads session state from the same path that would be poisoned. An external health check that reads from a different entry point (D1 metrics, file system stats, independent process) would not inherit the corruption.

The #49899 feature request for doctor detection is a useful band-aid, but only if the doctor itself does not read through the poisoned transcript to get its metrics. Otherwise it is a canary that is breathing the same bad air.

[firfir-ekuri]

Confirmed hitting this on openai-codex/gpt-5.3-codex. The HARD_MAX_TOOL_RESULT_CHARS being the same threshold for persistence and context safety is the key issue — a 300k char exec result is tolerable in a subagent but toxic in a main lane shared with DMs.

Workaround that helped us: forcing all exec-heavy work to subagents (never in main), but that's a discipline workaround not a runtime fix. The provider-agnostic protection gap is what really needs addressing — pruning silently not activating on non-Anthropic paths is the part that catches people off guard.

Watching this closely.

[sam-ueckert]

Following up on this with a working reference implementation and a concrete feature proposal.

I've been running a production OpenClaw setup (dual gateway: Discord + Slack, Anthropic Claude Sonnet, tool-heavy workflows with extended thinking enabled) and hit this exact problem repeatedly. Sessions routinely grew to 300–400KB+ JSONL before becoming unresponsive.

As a stopgap I built a skill that does retroactive structural trimming: https://github.com/sam-ueckert/session-janitor (also on ClawHub as session-janitor). It's been running in production for several weeks. Real numbers from our sessions:

Session type	Before	After	Reduction
Heavy tool use + extended thinking	401KB	91KB	77%
Normal conversation	266KB	100KB	62%
Moderate tool use	316KB	102KB	68%
What the skill does (and what I'd love to see natively):

1. Structural trimming (no LLM required)

• Drop thinking blocks from non-recent turns (last N assistant turns kept verbatim, older ones stripped)
• Collapse toolCall arguments on old turns (keep name/id, drop arguments JSON — the model doesn't need to re-read old command arguments)
• Collapse toolResult bodies on old turns into a single summary line per turn: exec ✓(0): first line of output | Read ✓(0): 12KB | exec ✗(1): error text
• Keep last N user/assistant pairs fully intact (configurable, default 10)
• Insert a synthetic compaction entry describing what was archived

2. LLM extraction before archive (optional)

• Before discarding trimmed content, pass it to the gateway's own /v1/chat/completions endpoint
• Extract structured memories (facts, decisions, lessons, preferences) before the content is gone
• Store via configurable sink (mem CLI, MCP server, or custom hook)
• Guardrails: lockfile, max-per-run cap, char input cap, hard timeout — LLM extraction never inflates context

3. Session pruning

• Remove stale subagent/cron entries from sessions.json after configurable TTL
• Archive orphan transcripts (JSONL with no matching sessions entry) after grace period
• Clean old archives after retention window

4. Trigger model

• Periodic sweep (every N minutes via cron)
• Per-turn trigger: inotify (Linux) / FSEvents (macOS) fires trim within ~3 seconds of turn completion — this is the high-value one

Why native > skill:

The skill works but it's inherently racy. A filesystem watcher outside the gateway can't see:

• Whether a run is currently active (risk of trimming mid-turn)
• Session locks held by the gateway
• When compaction just ran (redundant trim)

Native implementation could trim after run completion, respect session state, and skip if compaction just fired. The external watcher has to use file modification timestamps and hope for the best.

Related issues this touches:

• #49899 (doctor detection) — detection is useful but doesn't fix the accumulation
• #21598 (before_assistant_persist hook) — write-time guard is complementary but doesn't handle existing bloat
• #58802 (fileEntries memory leak) — related but distinct; this is about JSONL disk size / token injection, not heap

Happy to share implementation details or the trim logic if it's useful for a native implementation. The core Python trim script is ~300 lines.

[manuel-claw]

Adding a cross-reference from a confirmed gateway OOM case that appears to support this issue’s payload-shape concern.

We just documented the primary crash-mechanism side on #45438, but the session shape in our case also matches this issue closely:

• one long-lived shared main session
• very large persisted toolResult/internal-context payloads
• 7,138 messages / ~7.36M chars total
• 84 messages >10k chars, 15 >20k, 5 >40k
• repeated context overflow / auto-compaction logs before crash

The actual crash stack looked like serializer / structuredClone pressure (Message::Serialize, StructuredClone, ValueSerializer::WriteJSObject), so I think #45438 is the best primary tracker for the OOM mechanism.

But this issue looks like the best match for the data shape that poisoned the long-lived main session enough to trigger that path.

Primary mechanism note is here:

• perf: structuredClone in session store cache causes native memory leak (~1GB/min) #45438 comment: perf: structuredClone in session store cache causes native memory leak (~1GB/min) #45438 (comment)

[steipete]

Closing this as implemented after Codex review.

Current main already bounds persisted toolResult payloads at write time, applies the guard on the shared session-manager path regardless of provider, and can rewrite oversized persisted tool results during overflow recovery. The changelog shows this shipped in 2026.4.5 and main has since tightened the default cap further to 16k chars.

What I checked:

• Write-time persistence guard caps tool results before transcript append: installSessionToolResultGuard() truncates toolResult messages before appendMessage writes them, then reapplies the cap after hooks as well. (src/agents/session-tool-result-guard.ts:194, 45146913007d)
• Default hard cap is now 16k, not 400k: DEFAULT_MAX_LIVE_TOOL_RESULT_CHARS and HARD_MAX_TOOL_RESULT_CHARS are both 16,000, with the same 30% context-share rule still present. (src/agents/pi-embedded-runner/tool-result-truncation.ts:28, 45146913007d)
• Guard is installed on the normal embedded-run session path: The run attempt opens the session file and immediately wraps it with guardSessionManager(...), passing config and context-window values; this is the shared path, not an Anthropic-only branch. (src/agents/pi-embedded-runner/run/attempt.ts:1059, 45146913007d)
• Overflow recovery rewrites oversized persisted tool results in-session: truncateOversizedToolResultsInExistingSessionManager() builds replacements and calls rewriteTranscriptEntriesInSessionManager(...), so existing poisoned transcripts can be compacted instead of only trimming in-memory context. (src/agents/pi-embedded-runner/tool-result-truncation.ts:609, 45146913007d)
• Docs and tests match the shipped behavior: Docs expose agents.defaults.contextLimits.toolResultMaxChars as the live cap for persisted results and overflow recovery, and tests assert oversized persisted tool results are truncated. Public docs: docs/gateway/config-agents.md. (docs/gateway/config-agents.md:175, 45146913007d)
• Release note shows this shipped: Changelog entry under 2026.4.5 says: Agents/tool results: cap live tool-result persistence and overflow-recovery truncation at 40k characters .... (CHANGELOG.md:1185)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 45146913007d; fix evidence: release 2026.4.5.