Session modelOverride persists across gateway restarts, silently overrides config default

[Ike-li]

Bug type

Behavior bug (incorrect state without crash)

Summary

When a session-level model override is set via /model, it persists in the session store across gateway restarts. After changing the default model in openclaw.json and restarting, existing (and even /new-ed) sessions still use the stale override instead of the updated config default.

Steps to reproduce

1. In a DM session, pin a model: /model newapi/gpt-5.4
2. Verify with /status — shows newapi/gpt-5.4
3. Edit openclaw.json, change agents.defaults.model.primary (or agent-level model) to openrouter/xiaomi/mimo-v2-pro
4. Restart gateway (openclaw gateway restart)
5. In the same DM session, run /status — still shows newapi/gpt-5.4 (stale override)
6. Run /new — the new session also inherits or retains the old override instead of the new config default

Expected behavior

After changing the default model in config and restarting gateway:

• Existing sessions should either respect the new default OR clearly indicate they have a session-level override
• /new should create a fresh session with no override, picking up the new config default
• At minimum, there should be a way to clear all session model overrides

Actual behavior

modelOverride in ~/.openclaw/agents/main/sessions/sessions.json persists across restarts with highest precedence. The config default change is effectively invisible to any session that was ever touched by /model.

Root cause

Session-level modelOverride is stored in the session store and survives gateway restarts. Model resolution order gives session override higher precedence than config defaults, with no mechanism to clear stale overrides after config changes.

Impact

• Users changing their default model in config expect the change to take effect, but it silently doesn't for existing sessions
• No CLI or chat command to bulk-clear session model overrides
• Related to Cron isolated jobs ignore payload.model and keep stale session model override #33577 (cron case) but affects all regular sessions too

Suggested fix

1. On /new: always start fresh without inheriting modelOverride from the previous session
2. Model resolution precedence: consider making config-specified model higher priority than stale session overrides, or add an explicit "clear override" mechanism
3. Visibility: /status should clearly distinguish between "using config default" and "using session override" so users can tell when an override is active
4. Bulk reset: add a command like /model reset or /model inherit to clear session-level override and fall back to config

Related issues

• Cron isolated jobs ignore payload.model and keep stale session model override #33577 (cron isolated jobs keep stale session model override)
• Model override in cron agentTurn payload is ignored — falls back to default model #47381 (model override in cron agentTurn payload ignored)
• [Bug]: Control UI model switcher sends wrong provider prefix for cross-provider model switching #50050 (Control UI model switcher wrong provider prefix)

[Hollychou924]

This is a legitimate UX issue with session-level model overrides persisting across restarts. The core problem is that modelOverride in the session store has implicit "highest precedence" semantics but no expiration or config-awareness.

Three concrete fixes, in order of impact:

1. /new should always start clean (quick win, low risk)
When creating a new session, modelOverride should not be copied from the previous session. A "new" session should inherit the current config default, not a stale override from a prior session's /model command.

2. Add /model clear or /model inherit (UX fix)
A dedicated command to explicitly drop the session override and fall back to config. This gives users a way out without requiring direct JSON editing.

3. /status should distinguish "config default" vs "session override" (visibility)
Currently if /status says gpt-5.4 it doesn't tell you why. Adding a marker like model: newapi/gpt-5.4 (session override) vs model: openrouter/mimo-v2-pro (config default) would make the state obvious.

Regarding config-takes-precedence: Making config override session overrides after restart is semantically complicated — users might intentionally want per-session overrides to survive restarts. A cleaner approach is: on gateway restart, log/warn about active session model overrides so users know they exist, rather than silently clearing them. Then they can explicitly clear if needed.

Related: This also affects cron isolated jobs (#33577) for the same reason — they inherit stale modelOverride from the session store.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 14, 2026, 5:37 AM ET / 09:37 UTC.

Summary
Keep open: current main and v2026.6.6 still preserve explicit or legacy session model pins across resets, while only auto-created fallback pins are cleared. The issue is partly addressed by status/docs visibility and auto-fallback cleanup, but the remaining /new//reset and bulk-clear behavior is a compatibility-sensitive product decision, with related broader work still open.

Reproducibility: yes. as a source-level reproduction: current reset code and tests preserve user or legacy modelOverride entries while clearing only auto fallback pins. A live gateway restart was not exercised in this read-only review.

Next step
Manual review is appropriate because the source path is clear but the remaining fix is a compatibility/product choice about explicit model pins, not a safe autonomous bug fix.

Review details

Best possible solution:

Maintainers should choose the source-aware contract for explicit and legacy session model selections, then align /new, /reset, /model default, any bulk-reset command, status text, docs, and regression tests with that contract.

Do we have a high-confidence way to reproduce the issue?

Yes, as a source-level reproduction: current reset code and tests preserve user or legacy modelOverride entries while clearing only auto fallback pins. A live gateway restart was not exercised in this read-only review.

Is this the best way to solve the issue?

Unclear. The current auto-vs-user split is a deliberate partial fix, but the best final behavior for /new, /reset, and bulk clearing explicit pins needs maintainer product judgment before a safe implementation.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• Changing /new or /reset to drop explicit pins could break users who rely on durable per-session model choices.
• Current status/docs suggest /reset can clear a stale pin, while source and tests preserve user/legacy pins; the product contract and wording need to be reconciled.
• I did not run a live gateway restart repro in this read-only review; the current behavior is established from source, tests, docs, release tag inspection, and issue discussion.

Codex review notes: model internal, reasoning high; reviewed against db5e415888ae.

Label changes

Label changes:

• add issue-rating: 🐚 platinum hermit: Current issue advisory state selects this label.
• add clawsweeper:needs-live-repro: Current issue advisory state selects this label.
• remove clawsweeper:source-repro: Current issue advisory state no longer selects this label.
• remove issue-rating: 🦞 diamond lobster: Current issue advisory state no longer selects this label.

Label justifications:

• P2: This is a normal-priority session/model-routing UX problem with limited blast radius but real confusion for users changing defaults.
• impact:session-state: The report centers on persisted session override state surviving restarts and resets.
• impact:auth-provider: The user-visible failure is stale provider/model selection overriding the configured routing choice.

Evidence reviewed

What I checked:

• Current reset helper preserves explicit pins: resolveResetPreservedSelection says only user-driven overrides are preserved, auto-created overrides are cleared, and legacy source-less model overrides are treated as user-driven; the implementation copies preserved providerOverride, modelOverride, and modelOverrideSource back into the reset entry. (src/config/sessions/reset-preserved-selection.ts:15, db5e415888ae)
• Reply-session reset path reapplies preserved selection: initSessionState preserves user-driven model/auth overrides across any rollover that mints a new session, including explicit /new and /reset, and documents that auto fallback overrides are the ones cleared. (src/auto-reply/reply/session.ts:527, db5e415888ae)
• Tests encode the current split: Current tests assert selected model/auth overrides survive /new and /reset, while a separate test asserts auto-sourced model/provider/auth overrides are cleared on the same commands. (src/auto-reply/reply/session.test.ts:2639, db5e415888ae)
• Status visibility exists but still points at reset: Status rendering warns when a session-selected model differs from the configured primary, names the session override reason, and tells users to clear with /model <configuredDefault> or /reset; that is useful visibility, but the reset path still preserves explicit pins. (src/status/status-message.ts:985, db5e415888ae)
• Latest release has the same remaining behavior: The v2026.6.6 tag contains the same reset-preservation helper and status wording, so this is not only a current-main-only discrepancy. (src/config/sessions/reset-preserved-selection.ts:15, 8c802aa68351)
• Partial-fix provenance: PR fix(gateway): clear auto-fallback model override on session reset #63155 merged commit 5d46e4d, which fixed auto-fallback model override reset behavior while leaving explicit user choices preserved. (src/gateway/session-reset-service.ts, 5d46e4dc4f45)

Likely related people:

• steipete: History shows Peter Steinberger introduced per-session model selection and later shared selected-session model resolution, which are central to how session model overrides are interpreted. (role: feature introducer and recent area contributor; confidence: high; commits: 364a6a944480, 32ebaa37574e, 1fb44f0aadd4; files: src/agents/model-selection.ts, src/gateway/session-utils.ts, src/config/sessions/reset-preserved-selection.ts)
• frankekn: Authored and merged the auto-fallback reset fix that established the current distinction between automatic fallback state and explicit user model selections. (role: recent bugfix contributor; confidence: high; commits: 5d46e4dc4f45; files: src/gateway/session-reset-service.ts, src/sessions/model-overrides.ts, src/gateway/server.sessions.reset-models.test.ts)
• osolmaz: Opened the maintainer-labeled session model/auth resolver tracker that covers the shared interpretation boundary this issue depends on. (role: related architecture requester; confidence: medium; files: src/auto-reply/reply/model-selection.ts, src/gateway/server-methods/sessions.ts, src/gateway/session-utils.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.