[Bug]: sessions_send unexpectedly injects label, causing mutual-exclusion error with sessionKey

[sunxq1017-hash]

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

When calling sessions_send, the effective invocation appears to include label even when the caller intends to send only by sessionKey.

调用 sessions_send 时，实际执行链路中疑似会被自动补入 label，即使调用方本意只传 sessionKey。这会导致本来合法的调用触发互斥报错。

This was observed from both:

ClawX session path
OpenClaw Control UI path
该问题同时在以下两条路径观察到：

ClawX 会话路径
OpenClaw Control UI 路径
This suggests the bug is not specific to ClawX, but likely exists in a shared invocation / argument assembly layer.

这说明问题并非 ClawX 私有，更可能存在于共享的调用封装或参数组装层。

Steps to reproduce

1. Open OpenClaw Control UI.
2. Call sessions_send targeting agent:tywin:main.
3. Intend to send by sessionKey with message test.
4. Observe the emitted invocation includes both sessionKey and label.
5. Observe the tool returns:
   Provide either sessionKey or label (not both).

Expected behavior

A sessions_send call intended to route by sessionKey should execute without silently adding label.

Actual behavior

Observed emitted call:

{
"sessionKey": "agent:tywin:main",
"label": "agent:tywin:main",
"agentId": "main",
"message": "test",
"timeoutSeconds": 30
}

Observed tool error:

Provide either sessionKey or label (not both).

OpenClaw version

2026.4.9

Operating system

macOS 15.5

Install method

mac app (ClawX embedded OpenClaw runtime)

Model

openrouter/openai/gpt-5.4

Provider / routing chain

Multiple client paths reproduced the same behavior: - ClawX -> embedded OpenClaw runtime -> sessions_send tool - OpenClaw Control UI -> embedded OpenClaw runtime -> sessions_send tool

Additional provider/model setup details

The same behavior was observed through both ClawX and OpenClaw Control UI, so this does not appear to be a ClawX-only client bug.

Logs, screenshots, and evidence

Observed tool error:
`Provide either sessionKey or label (not both).`

Follow-up testing also showed a separate policy-layer error when trying a label-only path:
`Agent-to-agent messaging denied by tools.agentToAgent.allow.`

However, the primary bug reported here is the apparent unexpected `label` injection causing the mutual-exclusion failure.

Impact and severity

Affected: users trying to send cross-session messages with sessions_send
Severity: Medium
Frequency: Observed in direct testing
Consequence: sessions_send fails before delivery because the emitted arguments violate the tool's mutual-exclusion rule

Additional information

This was observed on OpenClaw 2026.4.9 in a ClawX embedded runtime.

The issue report is focused on the apparent argument mutation/injection behavior:
a call intended to route by sessionKey appears to fail as if both sessionKey and label were present in the final invocation.

A separate policy denial was also observed later, but that is likely a different issue. This report is only for the mutual-exclusion failure path.

[sunxq1017-hash]

I reviewed the fix for #63308. It clarifies docs/schema only and does not change runtime behavior.

That means my issue is likely still relevant: actual client/wrapper paths are still capable of emitting an invalid sessions_send payload containing both sessionKey and label, which then correctly fails at runtime.

[sunxq1017-hash]

Update: Issue resolved ✅

根因分析 / Root Cause

问题不在 sessions_send 工具逻辑本身，而是在客户端参数组装层（ClawX / Control UI）——即使调用方只意图使用 sessionKey，也会自动注入 label。

The issue was not in sessions_send tool logic itself, but in the client-side argument assembly layer (ClawX / Control UI), which auto-injected label even when the caller only intended to use sessionKey.

---

修复方案 / Fix Applied (Two Layers)

1. 源码层 / Source Layer

文件 / File: src/agents/tools/sessions-send-tool.ts

将互斥校验改为 sessionKey 优先逻辑：

Changed the mutual-exclusion check to prefer sessionKey when both are present:

// Before: threw error if both present
// After: sessionKey takes precedence, label is ignored
const effectiveLabelParam = sessionKeyParam ? undefined : labelParam;

2. 运行层 / Runtime Layer

文件 / File: /Applications/ClawX.app/Contents/Resources/openclaw/dist/pi-embedded-Vw-lS5ti.js (line 11309)

由于 ClawX 使用预编译的 JS bundle，将相同逻辑应用到打包后的运行时。

Applied same logic to the bundled runtime since ClawX uses pre-compiled JS bundle.

3. 配置层 / Config Layer

开启跨 agent 通信：

Enabled cross-agent messaging:

"tools": {
  "agentToAgent": {
    "enabled": true
  }
}

---

验证结果 / Verification

端到端测试通过：

End-to-end test passed:

• 调用 / Call: sessions_send with sessionKey="agent:work:main" + label="wrong-label"
• 结果 / Result: Message successfully delivered to target session
• 行为 / Behavior: label correctly ignored, no mutual-exclusion error

---

长期建议 / Long-term Recommendation

客户端参数组装层不应在 sessionKey 已显式提供时自动注入 label。工具层的修复为这种情况提供了防御性处理。

The client-side parameter assembly should not auto-inject label when sessionKey is explicitly provided. The tool-layer fix provides defensive handling for this case.

[lui62233]

這個 issue 已經由你自己修復了，補充一點 long-term 建議

看到你在 comment 裡說 issue resolved ✅，很好！你的 root cause 分析也非常準確——問題真的在 client-side argument assembly 層，sessions_send tool 層收到的是已經被污染的 payload，而不是調用方直接給的。

Long-term 建議：

這個問題的深層原因是 OpenClaw 的 tool argument assembly layer 沒有嚴格的分離原則——當 explicit sessionKey 存在的時候，不應該再 fallback 到 label。建議在 tool schema 層面就强化這個 mutual-exclusion 約束：

// 在 sessions_send 的 schema 層面，sessionKey 和 label 應該是 mutually exclusive
const schema = {
  sessionKey: z.string().optional(),
  label: z.string().optional(),
};
// 然後在 parse 時做嚴格檢查

另外，你提到 --agentToAgent policy 需要開啟才能跨 agent 發消息，這是另一個獨立的問題——如果 policy 預設是關閉的，很多新用戶會遇到這個坑。建議向 maintainer 建議把這個 policy 預設為允許，這樣開箱即用體驗更順暢。

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 5, 2026, 1:05 AM ET / 05:05 UTC.

Summary
Keep open. Current main and the latest release still return the reported sessions_send mixed-selector error, while the target-repo repair remains unmerged at #74009.

Reproducibility: yes. from source inspection: current main still returns the exact mutual-exclusion error whenever both sessionKey and label are present, before any delivery path is reached.

Next step
Do not queue a duplicate repair because #74009 already targets this behavior and the issue has the linked-PR/no-new-fix-pr path.

Review details

Best possible solution:

Review and land or intentionally replace #74009 so sessionKey is the authoritative selector and mixed-selector calls have focused regression coverage.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection: current main still returns the exact mutual-exclusion error whenever both sessionKey and label are present, before any delivery path is reached.

Is this the best way to solve the issue?

Yes, the best fix direction is narrow tool-level normalization with sessionKey winning and regression coverage; fixing only one client-side injector would leave model/tool-call paths brittle.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• The existing repair PR still needs normal maintainer review and merge; closing this issue before that lands would drop the canonical user-facing tracking item.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e0018382eb00.

Label changes

Label changes:

• remove clawsweeper:no-new-fix-pr: Current issue advisory state no longer selects this label.
• remove clawsweeper:linked-pr-open: Current issue advisory state no longer selects this label.

Label justifications:

• P2: The reported behavior blocks a bounded sessions_send delivery path without showing data loss, security bypass, or a core runtime outage.
• impact:message-loss: The issue is about a cross-session message failing before delivery because the tool rejects the emitted arguments.

Evidence reviewed

What I checked:

• Current main source still rejects mixed selectors: createSessionsSendTool reads both sessionKey and label, then returns the reported error when both are present before resolving or sending the message. (src/agents/tools/sessions-send-tool.ts:343, e0018382eb00)
• Latest release still has the guard: v2026.6.1 contains the same sessionKeyParam && labelParam guard and Provide either sessionKey or label (not both). error, so the reported behavior has not shipped as fixed. (src/agents/tools/sessions-send-tool.ts:338, 2e08f0f4221f)
• Guard provenance: The exact error string traces through the current file to the sessions label lookup work, then is carried forward by the current release and main commits. (src/agents/tools/sessions-send-tool.ts:343, 56e77f68432e)
• Existing repair path: The linked open repair head removes the mixed-selector guard, updates the tool description, and adds focused sessionKey-precedence regression tests; it is not on current main. (src/agents/tools/sessions-send-tool.ts:106, 115455ea2224)
• Related fork PR provenance: The fork PR head explicitly targets this issue and changes sessions_send to tolerate duplicate sessionKey and label, but it is not merged into this repository. (src/agents/tools/sessions-send-tool.ts, abca6622f7b3)
• Scoped repository policy: Root, src/agents, and src/agents/tools AGENTS guides were read; the review follows the repo's high-confidence source/history/test policy for agent tooling. (src/agents/tools/AGENTS.md:1, e0018382eb00)

Likely related people:

• steipete: git log -S ties the current mixed-selector guard to the sessions label lookup merge, and git shortlog shows the largest contribution count across the central sessions_send source/tests. (role: introduced behavior and heavy area contributor; confidence: high; commits: 56e77f68432e, 506c2ee18186; files: src/agents/tools/sessions-send-tool.ts, src/agents/tools/sessions.test.ts)
• azade-c: The sessions label lookup branch added label support in sessions_send and gateway coverage before it was merged into the current behavior. (role: original feature contributor; confidence: medium; commits: 3133c7c84e8a, e24e0cf364f5; files: src/agents/tools/sessions-send-tool.ts, src/gateway/server.sessions-send.test.ts)
• Tak Hoffman: Recent history includes sessions_send reply/routing changes and regression coverage in the same source/test surface. (role: recent adjacent contributor; confidence: medium; commits: 5b4669632a9d, f0d5d7a33a4a, bd5fe92c94cf; files: src/agents/tools/sessions-send-tool.ts, src/agents/tools/sessions.test.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep open. Current main still rejects any sessions_send payload containing both sessionKey and label before resolution, which matches the reported failure mode, and the latest release source still has the same guard. PR #74009 is now the active open implementation path, so this issue should remain open until that PR or an equivalent fix lands.

Required change / next step:

Not queued as a separate repair because PR #74009 is already open as the current implementation candidate; maintainers should review or replace that PR rather than creating another duplicate automated fix.

Review details

Best possible solution:

Land one canonical fix in src/agents/tools/sessions-send-tool.ts that treats sessionKey/sessionId as the authoritative target when redundant label-style fields are present, rejects truly conflicting targets, updates the tool-facing description, and adds focused regression tests in src/agents/tools/sessions.test.ts; close this issue only after that implementation is merged and release provenance is clear.

What I checked:

• Current main still hard-rejects both fields: createSessionsSendTool reads sessionKey and normalized label, then immediately returns Provide either sessionKey or label (not both). whenever both values are present, before target resolution or delivery. (src/agents/tools/sessions-send-tool.ts:106, acae48b790fa)
• Schema still exposes independent selectors: The tool schema still declares sessionKey and label as separate optional parameters, with no current executor-side normalization before the mutual-exclusion guard. (src/agents/tools/sessions-send-tool.ts:38, acae48b790fa)
• Regression coverage is still missing on main: The sessions_send gating tests cover missing targets, failed label resolution, cross-agent policy blocking, and stale reply handling, but they do not cover accepting duplicated sessionKey/label values or rejecting conflicting ones. (src/agents/tools/sessions.test.ts:607, acae48b790fa)
• Latest release still contains the same guard: The v2026.4.26 source for sessions-send-tool.ts shows the same unconditional if (sessionKeyParam && labelParam) rejection; git tag --contains a972c9ec45477735266d5501780e094468f859cd returned no containing release tag. (src/agents/tools/sessions-send-tool.ts:108, be8c24633aaa)
• Open implementation candidate exists: Provided GitHub context shows PR fix(agents): prefer sessionKey in sessions_send #74009 is open and unmerged, scoped to preferring sessionKey/sessionId, adding focused regression tests, and updating the tool description; git ls-remote confirms its open pull ref at 115455ea22243061f4e180d983908e66ba104aad. (115455ea2224)
• Feature-history owner signal: Current local blame/log for the central sessions tool and colocated tests points to commit a972c9ec45477735266d5501780e094468f859cd, which introduced or rewrote the current sessions_send implementation and test file in this checkout. (src/agents/tools/sessions-send-tool.ts:38, a972c9ec4547)

Likely related people:

• steipete: Current git blame and file history for the active sessions_send implementation and nearby tests point to commit a972c9ec45477735266d5501780e094468f859cd, authored by Peter Steinberger. (role: recent maintainer; confidence: high; commits: a972c9ec4547; files: src/agents/tools/sessions-send-tool.ts, src/agents/tools/sessions.test.ts)
• Mintalix: The open repair PR fix(agents): prefer sessionKey in sessions_send #74009 identifies PR fix(agents): prefer sessionKey in sessions_send #59324 by @Mintalix as the contributor path for the same sessions_send precedence repair. (role: prior implementation contributor; confidence: medium; files: src/agents/tools/sessions-send-tool.ts, src/agents/tools/sessions.test.ts)
• RevisitMoon: The open repair PR fix(agents): prefer sessionKey in sessions_send #74009 says to credit PR fix(sessions_send): prefer sessionKey over label when both are present (AI-assisted) #56203 by @RevisitMoon if that overlapping implementation or test shape is carried forward. (role: adjacent prior implementation contributor; confidence: low; files: src/agents/tools/sessions-send-tool.ts, src/agents/tools/sessions.test.ts)

Remaining risk / open question:

• Several overlapping items discuss the same normalization behavior (sessions_send schema encourages invalid sessionKey+label calls #63308, PR fix(agents): prefer sessionKey in sessions_send #74009, fork PR web_search: Add SearXNG as fallback provider #2317, and closed PR fix(tools): tolerate duplicate sessionKey/label in sessions_send #64846), so maintainers should keep one canonical implementation path.
• The exact precedence policy still needs maintainer confirmation for conflicting values: equal duplicate sessionKey/label should likely be tolerated, while genuinely different targets should still be rejected.

Codex review notes: model gpt-5.5, reasoning high; reviewed against acae48b790fa.