[Bug] Exec approval follow-up can leak into a new session after /new because it rebinds by sessionKey instead of original sessionId

[two3pro]

Summary

If a session has a pending exec approval and the user starts a new session with /new or /reset before that approval resolves, the eventual approval follow-up can be delivered into the new session. This shows up as unrelated stale approval messages, Exec denied, or continuation text in a fresh conversation.

Affected version

OpenClaw 2026.3.31

Observed behavior

The exec approval follow-up is effectively routed by logical sessionKey. After /new or /reset, the same sessionKey can point to a new sessionId, so when the old approval finishes its follow-up can land in the new session transcript.

Expected behavior

The follow-up should stay bound to the original session instance. Once that sessionKey has been rebound to a different sessionId, stale follow-ups should be dropped instead of being delivered into the new session.

Reproduction

1. Start a session for an agent with a stable sessionKey.
2. Trigger a tool execution that requires approval and leave it pending.
3. Before approving or denying it, send /new or /reset, creating a new sessionId under the same logical session key.
4. Approve or deny the old request.
5. Observe that the new session can receive the old approval follow-up or stale approval-related output.

Root cause

The follow-up path only tracked sessionKey, not the original sessionId that was active when the exec request was created.

Proposed fix

Capture expectedSessionId when creating the exec approval follow-up target, then before sending compare it with the latest sessionKey -> sessionId mapping. If they differ, log and drop the stale follow-up.

Validation

I reproduced this locally, applied that guard in the installed dist, restarted the gateway, and verified that a previously pending approval no longer polluted the new session after /reset.

Concrete validation data from the local repro:

• pending approval id: 21abfe34-9309-40bb-9a2b-9a43349d4d79
• old session id before reset: 59ada67a-ec92-4955-b3f5-b894be448e13
• new session id after reset: 6884416d-17e1-402a-870b-0b6a24762c4c

If helpful, I can also turn the validated local fix into a source-level PR.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 24, 2026, 2:41 PM ET / 18:41 UTC.

Summary
Keep open. Current main still dispatches exec approval follow-ups by sessionKey without an approval-time session-id guard, and the linked fixing PR is open but not merged, so the issue should remain open until that PR lands or is rejected.

Reproducibility: yes. at source level. The report gives concrete pending-approval plus /new or /reset steps, and current main still dispatches follow-ups by sessionKey while reset writes a fresh sessionId for that key.

Next step
No separate ClawSweeper repair job should be queued because #85679 already specifically references and implements the fix for this issue.

Review details

Best possible solution:

Land the linked narrow fix after maintainer review, or keep this issue as the canonical request for a session-id-bound guard across both gateway follow-up and direct fallback delivery.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level. The report gives concrete pending-approval plus /new or /reset steps, and current main still dispatches follow-ups by sessionKey while reset writes a fresh sessionId for that key.

Is this the best way to solve the issue?

Yes. Capturing the approval-time session id and checking it before gateway or direct follow-up delivery is the narrow maintainable fix, and the linked open PR implements that direction.

Remaining risk / open question:

• Closing the issue before the linked PR merges could hide a still-present session-state/message-delivery bug if the PR changes, stalls, or is rejected.

Codex review notes: model gpt-5.5, reasoning high; reviewed against dfa1a5122584.

Label changes

Label changes:

• remove clawsweeper:fix-shape-clear: Current issue advisory state no longer selects this label.
• remove clawsweeper:queueable-fix: Current issue advisory state no longer selects this label.

Label justifications:

• P1: A pending approval can resume into a fresh /new or /reset conversation in a core agent workflow.
• impact:session-state: The bug is about async approval state crossing from an old runtime session into a new session instance under the same key.
• impact:message-loss: The stale follow-up can be delivered to the wrong conversation, which is message misrouting.

Evidence reviewed

What I checked:

• Current main inspected: The checkout is at current main dfa1a512258493437fbc38089cd5210b7b4769fb. (dfa1a5122584)
• Follow-up target is key-only: ExecApprovalFollowupTarget carries approvalId, sessionKey, delivery routing, direct mode, and elevated defaults, but no original or expected sessionId. (src/agents/bash-tools.exec-host-shared.ts:86, dfa1a5122584)
• Agent follow-up dispatch resolves by sessionKey: sendExecApprovalFollowup builds gateway agent follow-up arguments from the trimmed sessionKey and calls callGatewayTool("agent", ...) without checking whether the key still maps to the session that created the approval. (src/agents/bash-tools.exec-approval-followup.ts:310, dfa1a5122584)
• Reset rotates the session id under the same key: performGatewaySessionReset creates a fresh randomUUID() and writes it as the next SessionEntry.sessionId, matching the reported rebind boundary after /new or /reset. (src/gateway/session-reset-service.ts:776, dfa1a5122584)
• Gateway protocol lacks the proposed guard field on main: AgentParamsSchema exposes sessionId, sessionKey, internalRuntimeHandoffId, and idempotencyKey, but current main does not include an exec-approval expected-session field. (src/gateway/protocol/schema/agent.ts:155, dfa1a5122584)
• Open linked fix PR owns the remaining work: Live GitHub data shows fix(agents): drop stale exec approval followups after session rebind #85679 is open, references this issue through closingIssuesReferences, and its head is a082367592e4008966bea295e3102c2a6ed3c4d0; it is not merged yet. (a082367592e4)

Likely related people:

• steipete: Recent file history shows repeated work on exec approval follow-up delivery and runtime handoff isolation in the central follow-up files. (role: recent area contributor; confidence: high; commits: 8f4e9c841c18, 812a7636fbe7, 6559288d4acd; files: src/agents/bash-tools.exec-approval-followup.ts, src/agents/bash-tools.exec-host-shared.ts, src/gateway/server-methods/agent.ts)
• samzong: Recent history shows fix: stop denied exec followups, which touches the denied/direct follow-up path this bug needs guarded. (role: recent area contributor; confidence: medium; commits: 014b527e23d9; files: src/agents/bash-tools.exec-approval-followup.ts, src/agents/bash-tools.exec-host-shared.ts)
• udaymanish6: Recent history links this contributor to deduping exec follow-up continuations in the same dispatch path. (role: adjacent follow-up contributor; confidence: medium; commits: 91f45d9c8a10; files: src/agents/bash-tools.exec-approval-followup.ts, src/gateway/server-methods/agent.ts)
• joshavant: History shows earlier async approval follow-up hardening and later session reset/metadata work adjacent to the rebind boundary. (role: adjacent session/reset contributor; confidence: medium; commits: 5e4a64848f35, 23f73b3ecfd9; files: src/agents/bash-tools.exec-approval-followup.ts, src/gateway/session-reset-service.ts)
• openperf: The open fixing PR author also appears in recent session-reset-service.ts history for child session cleanup, making them relevant beyond only proposing this PR. (role: likely follow-up owner; confidence: medium; commits: 136c9271405a, a082367592e4; files: src/gateway/session-reset-service.ts, src/agents/bash-tools.exec-approval-followup.ts, src/gateway/server-methods/agent.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[CongSec]

Whenever I type /new, the expected behavior is to simply create a new session. However, immediately after creating the session, the agent starts executing a task on its own before I've given any instructions. Sometimes, the task it executes has no relation to my previous conversation history.