sessions.patch modelOverride lost due to stale-cache race in agent handler

[CodeReclaimers]

Summary

Follow-up to #5369 (now closed/locked). The underlying root cause — a stale-cache race condition in the agent handler's session entry construction — appears to still be present on main.

The issue is intermittent (~3% reproduction rate) because it depends on timing between sessions.patch writing modelOverride to the store and the agent handler reading a cached (potentially stale) entry.

Root cause

When the agent handler runs for a spawned sub-agent session:

1. loadSessionEntry(key) returns a cached entry (may be stale — no modelOverride)
2. nextEntry is built from that stale entry, including modelOverride: entry?.modelOverride → undefined
3. updateSessionStore() acquires a lock and loads the store with skipCache: true (fresh from disk — has modelOverride from sessions.patch)
4. But the mutator ignores the fresh store data and writes store[key] = nextEntry — overwriting the fresh modelOverride with the stale undefined

Relevant lines on current main in src/gateway/server-methods/agent.ts:

// Line 214: stale cached read
const { cfg, storePath, entry, canonicalKey } = loadSessionEntry(requestedSessionKey);

// Line 252: nextEntry built from stale entry
modelOverride: entry?.modelOverride,

// Lines 284-286: mutator ignores fresh store, writes stale nextEntry
await updateSessionStore(storePath, (store) => {
  store[canonicalSessionKey] = nextEntry;
});

Fix

PR #19328 moves session entry construction inside the updateSessionStore mutator callback, reading from freshEntry = store[primaryKey] (which was loaded with skipCache: true) instead of the stale entry. This guarantees modelOverride, providerOverride, and all other fields reflect the latest writes from sessions.patch.

Reproduction

A standalone test (agent-stale-cache-race.test.ts in PR #19328) reproduces both the vulnerable and fixed code patterns without requiring the full module chain. It confirms:

• main's pattern drops modelOverride when the cache is stale
• The fix pattern preserves modelOverride from the fresh store
• When cache and store happen to agree, both patterns work identically (explains the intermittent nature)

Environment

Same as #5369 — affects any version where the agent handler builds nextEntry outside the updateSessionStore mutator.

[Hollychou924]

Analysis: sessions.patch modelOverride lost — stale-cache read before updateSessionStore mutator

This is a well-documented intermittent race: the agent handler reads a stale cached session entry before sessions.patch has flushed modelOverride to disk, then overwrites the store with the stale state inside the mutator.

Root cause summary

loadSessionEntry(key)          ← reads cache (stale, no modelOverride)
nextEntry = { modelOverride: entry?.modelOverride }  ← undefined from stale entry
updateSessionStore(storePath, store => {
  store[key] = nextEntry;      ← overwrites freshly written modelOverride with undefined
})

The updateSessionStore mutator loads the store with skipCache: true (correct), but then ignores that fresh data by writing the pre-built nextEntry instead of merging from store[key].

Why intermittent (~3%)

The race window is between:

• sessions.patch writing modelOverride to the store file
• loadSessionEntry returning its cached (pre-patch) version to the agent handler

When cache and disk happen to agree (no concurrent sessions.patch) the bug is invisible. The ~3% rate corresponds to the narrow window where a sessions.patch call lands between the agent handler's cache read and its updateSessionStore write.

Fix direction (Option A — minimal, as in PR #19328)

Move nextEntry construction inside the updateSessionStore mutator, reading from the fresh store:

await updateSessionStore(storePath, (store) => {
  const freshEntry = store[canonicalSessionKey];  // skipCache: true path already used this
  const nextEntry = {
    ...buildBaseSessionEntry(cfg, requestedSessionKey),
    modelOverride: freshEntry?.modelOverride,      // ← from fresh, not from stale entry
    providerOverride: freshEntry?.providerOverride,
    // ... other fields from freshEntry
  };
  store[canonicalSessionKey] = nextEntry;
});

Fix direction (Option B — defensive merge)

Apply a merge strategy inside the mutator: start from the fresh store entry as the base, then apply only the fields the agent handler legitimately needs to set (not the fields set by sessions.patch):

await updateSessionStore(storePath, (store) => {
  const base = store[canonicalSessionKey] ?? {};
  store[canonicalSessionKey] = {
    ...base,               // preserves modelOverride, providerOverride from sessions.patch
    ...agentHandlerFields, // overwrites only what the agent handler should own
  };
});

Option B is more defensive — it handles any future fields written by concurrent patchers, not just modelOverride.

Impact

Affects spawned sub-agent sessions where modelOverride is set via sessions.patch (e.g., sessions_spawn with a model override). The session silently runs with the default model instead of the requested one. Since the failure is intermittent and silent (no error), users may not notice until they check logs or see unexpected model responses.

PR #19328 appears to have the right fix approach — Option A.

[clawsweeper]

Closing this as duplicate or superseded after Codex automated review.

Current main does not implement the stale-cache race fix, but the same remaining work is already tracked by open PR #19328, which the issue body, comment, and timeline all identify as the exact fix for this regression. Close this issue as superseded by the canonical PR rather than as fixed.

What I checked:

• Current main still reads a possibly cached entry before the store update: The agent handler calls loadSessionEntry(requestedSessionKey) before constructing the patch for the session store write. (src/gateway/server-methods/agent.ts:639, 8e12c24d1721)
• Current main still carries override fields from that preloaded entry: nextEntryPatch is built with modelOverride: entry?.modelOverride and providerOverride: entry?.providerOverride, so a stale entry can contribute explicit undefined override fields. (src/gateway/server-methods/agent.ts:686, 8e12c24d1721)
• Fresh store data is loaded, but then merged with the stale patch: Inside updateSessionStore, the handler merges store[primaryKey] with nextEntryPatch. Because mergeSessionEntry spreads the patch over the existing entry, explicit undefined override fields from the stale patch can overwrite fresh store values. (src/gateway/server-methods/agent.ts:738, 8e12c24d1721)
• The store updater does re-read with skipCache inside the lock: updateSessionStore loads the store with { skipCache: true }, confirming the race is specifically the handler's stale patch construction rather than the store updater failing to read fresh data. (src/config/sessions/store.ts:421, 8e12c24d1721)
• Open PR Fix: preserve modelOverride in agent handler (#5369) #19328 is the canonical tracker for the same remaining fix: Provided GitHub context shows PR Fix: preserve modelOverride in agent handler (#5369) #19328, Fix: preserve modelOverride in agent handler (#5369), is open and describes moving session entry construction inside the updateSessionStore mutator to use fresh store data. git ls-remote confirms refs/pull/19328/head exists at fa295f2. (fa295f219f7b)

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against 8e12c24d1721.