Claude CLI sessions reset on every turn in group channels due to groupIntro drift in extraSystemPromptHash

[Zordon7-pixel]

Summary

Companion to #64386 — that issue covers mcpConfigHash drift on gateway restart. This issue reports the second failure mode of the same function: extraSystemPromptHash drifts on every turn transition in any group-style channel (Discord channels, Telegram groups, etc.), completely independent of restarts, causing every turn-2 reply to be generated against a fresh claude -p with no memory of turn 1.

Affects any deployment using claude-cli backend where the agent replies in more than one group channel. With default settings this is "all Discord/Telegram group users."

Users experience this as "the agent has amnesia within seconds" — which they often misattribute to model behaviour or config rather than a session-plumbing bug.

Repro (does not require a restart)

1. Configure any agent on claude-cli backend in a Discord guild channel (channel_type=text).
2. Mention the agent twice in succession — ~10 seconds apart, within the 20-minute idle window.
3. Watch ~/.openclaw/logs/gateway.log:

[HH:MM:00] cli session reset: provider=claude-cli reason=system-prompt

4. Turn 2's reply reads as if it never saw turn 1. Transcript .jsonl on disk shows two separate session_ids, not one resumed session.

Expected: turn 2 reuses the session and references turn 1.

Root cause

In src/auto-reply/reply/route-reply.ts (bundled as get-reply-*.js in releases), runPreparedReply assembles extraSystemPromptParts:

const shouldInjectGroupIntro = Boolean(
  isGroupChat && (isFirstTurnInSession || sessionEntry?.groupActivationNeedsSystemIntro)
);
const groupIntro = shouldInjectGroupIntro
  ? buildGroupIntro({ cfg, sessionCtx, sessionEntry, defaultActivation, silentToken: SILENT_REPLY_TOKEN })
  : "";
// ...
const extraSystemPromptParts = [
  buildInboundMetaSystemPrompt(...),
  groupChatContext,
  groupIntro,           // <-- non-empty only on first turn / re-intro
  groupSystemPrompt,
  buildExecOverridePromptHint(...)
].filter(Boolean);

groupIntro (src/auto-reply/reply/groups.ts:buildGroupIntro) emits a ~200–400 char block describing activation mode ("Activation: always-on (you receive every group message)..." etc). By design it is present on turn 1 and absent on turn 2+.

That assembled text is joined and hashed in src/agents/cli-runner/prepare.ts:

const extraSystemPrompt = params.extraSystemPrompt?.trim() ?? "";
const extraSystemPromptHash = hashCliSessionText(extraSystemPrompt);

Turn 1 hash: sha256(inboundMeta + groupChatContext + groupIntro + groupSystemPrompt + execHint)
Turn 2 hash: sha256(inboundMeta + groupChatContext + "" + groupSystemPrompt + execHint)

Different bytes → different hash. On turn 2, resolveCliSessionReuse (src/agents/cli-session.ts) hits:

if (normalizeOptionalString(binding?.extraSystemPromptHash) !== currentExtraSystemPromptHash)
  return { invalidatedReason: "system-prompt" };

→ runCliWithSession(undefined) → claude -p (fresh) → amnesia.

Why this is the wrong invalidation key

This is the same category of bug as #64386 and the underlying architectural mistake is worth calling out together:

The system prompt is re-sent to claude-cli on every invocation via --system-prompt / --append-system-prompt. It does not live inside the --resume transcript. A different system prompt on turn 2 is not a corruption — it's the normal case (context drift, new tools, different user flags).

By the same token, mcpConfigHash (per #64386) hashes --mcp-config content that is also re-read per invocation.

So both extraSystemPromptHash and mcpConfigHash as session-reuse keys optimize for an imagined failure mode (resume-with-stale-env corrupts the transcript) that does not exist in the CLI runtime. They only produce false-positive invalidations.

The only legitimate invalidation keys are the two that remain: authProfileId and authEpoch — a genuine auth rotation means the stored sessionId likely belongs to a different account and shouldn't be resumed.

Additional aggravator in the writer

setCliSessionBinding (src/agents/cli-session.ts) stores optional fields via spread-conditional:

...normalizeOptionalString(binding.extraSystemPromptHash)
  ? { extraSystemPromptHash: normalizeOptionalString(binding.extraSystemPromptHash) }
  : {}

If a binding was first written under a dist that didn't populate the field, or by a turn that happened to produce an empty prompt, the stored binding lacks the field. The comparator then treats undefined !== <hex> as a mismatch, invalidating every subsequent turn for the lifetime of that binding.

In this environment I observed two live Discord channel bindings in sessions.json with exactly this shape:

"cliSessionBindings": {
  "claude-cli": {
    "sessionId": "ab533298-...",
    "mcpConfigHash": "452116cfc1..."
    // no authProfileId, no extraSystemPromptHash
  }
}

Every turn on those channels produced reason=system-prompt until the fix was applied.

Evidence from a live gateway

2026-04-19T11:38:10 [agent] cli session reset: provider=claude-cli reason=system-prompt  <- turn-2 after fresh session
2026-04-19T11:51:02 [agent] cli session reset: provider=claude-cli reason=system-prompt  <- turn-3 in a separate channel
2026-04-19T13:15:00 [agent] cli session reset: provider=claude-cli reason=mcp              <- #64386 after restart
2026-04-19T18:18:55 [agent] cli session reset: provider=claude-cli reason=mcp              <- #64386 after another restart

With the comparator change described below applied locally, zero reason=system-prompt events in 24h across five active Discord channels.

Why tests did not catch it

src/agents/cli-session.test.ts tests resolveCliSessionReuse with hand-crafted binding/params pairs, but has no end-to-end test that computes extraSystemPromptHash across two consecutive turn transitions in a group context. A test as narrow as:

it("reuses session across turn-1 → turn-2 in a group channel", async () => {
  const turn1Hash = await runTurnAndReturnHash({ isFirstTurn: true, isGroup: true });
  const turn2Hash = await runTurnAndReturnHash({ isFirstTurn: false, isGroup: true });
  expect(turn2Hash).toBe(turn1Hash); // would fail today
});

would have caught this.

Suggested fix

Two options, in order of preference:

1. Drop extraSystemPromptHash and mcpConfigHash from resolveCliSessionReuse entirely. Keep only authProfileId and authEpoch. This fixes both this issue and #64386 in one patch, and removes a class of future regressions when anyone adds a new part to extraSystemPromptParts or merges additional ephemeral state into mergedConfig.

2. If the hashes must be retained for some reason not yet documented, normalize the hashed inputs to strip turn-variable content:

• For extraSystemPromptHash: hash only buildInboundMetaSystemPrompt + groupSystemPrompt. Explicitly exclude groupIntro, groupChatContext (varies with member list), and buildExecOverridePromptHint (varies with per-message elevation state).
• For mcpConfigHash: compute on the user-authored mergedConfig before additionalConfig merges the loopback entry, per Claude CLI sessions reset on every gateway restart due to ephemeral loopback port in mcpConfigHash #64386.

Either way, make the comparator tolerant: if binding[field] is undefined (legacy binding), skip that axis rather than invalidating.

Workaround in use

Local patch replaces resolveCliSessionReuse body with option (1) + tolerant auth comparison. Applied via a gateway-launcher hook (~/.openclaw/bin/apply-hermes-dist-patches.sh) that re-applies after auto-updates and detects upstream refactors to fail loudly in a log rather than silently.

Happy to open a PR against src/agents/cli-session.ts with the comparator change + a regression test covering the turn-1 → turn-2 group-channel scenario if maintainers would accept it.

Environment

• openclaw 2026.4.15 (install via npm i -g openclaw)
• claude-cli backend, OAuth auth profile (Claude Pro)
• macOS 14, Node 22, launchd-managed gateway on port 18789
• Discord channels (guild text, not DM)

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 4, 2026, 1:07 AM ET / 05:07 UTC.

Summary
Codex review failed: codex execution failed.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.

Next step
Review did not complete, so no work-lane recommendation was made.

Review details

Best possible solution:

Retry the Codex review after fixing the execution failure.

Do we have a high-confidence way to reproduce the issue?

Unclear. The review failed before ClawSweeper could establish a reproduction path.

Is this the best way to solve the issue?

Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction.

AGENTS.md: unclear because the file could not be read completely.

Remaining risk / open question:

• No close action taken because the review did not complete.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 79f6c5a8ad0c.

Label changes

Label changes:

• add issue-rating: 🦪 silver shellfish: Current issue advisory state selects this label.
• add clawsweeper:needs-info: Current issue advisory state selects this label.
• remove P1: Current review triage priority is none.
• remove clawsweeper:fix-shape-clear: Current issue advisory state no longer selects this label.
• remove clawsweeper:queueable-fix: Current issue advisory state no longer selects this label.
• remove clawsweeper:source-repro: Current issue advisory state no longer selects this label.
• remove impact:session-state: Current review selected no impact labels.
• remove issue-rating: 🦞 diamond lobster: Current issue advisory state no longer selects this label.

Evidence reviewed

What I checked:

• failure reason: codex execution failed.
• codex failure detail: Codex review failed for this issue with exit 1.
• codex stdout: Per-item Codex failure; continuing with the rest of the shard.

Likely related people:

• unknown: Codex failed before it could trace repository history. (role: review did not complete; confidence: low)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[oiGaDio]

We just hit a different trigger of this same bug on openclaw@2026.5.3, and I think the comparator-tolerance idea in your option (2) lands cleanly without dropping the hash entirely. Sharing in case it's useful — and as part of a chain of bugs we surfaced from the same investigation (companion reports: #77422 for the announce → webchat UI push gap, and our comment on #76038 for stuck-session recovery skipping).

Different trigger, same symptom: announce delivery

Your repro is groupIntro drift in group channels. Ours is direct-chat webchat session, but every subagent-announcement triggers cli session reset: provider=claude-cli reason=system-prompt. After every announce the orchestrator answers with no memory of prior conversation.

Two-layer evidence (instrumented trace)

Added a [cli-prompt-trace] log line in prepare.ts that dumps the actual extraSystemPromptStatic content per cli prepare call. Two consecutive calls within ~1 minute on the same orchestrator session:

User-typed turn (works — reuse=reusable):

[cli-prompt-trace] runId=4f39a636-… sessionKey=agent:orchestrator:dashboard:…
  hashPrefix=55c37e5330af staticLen=219
  BEGIN_CONTENT>>>You are in a WebChat direct conversation. Your replies are automatically sent to this conversation. If no response is needed, reply with exactly "NO_REPLY" (and nothing else) so OpenClaw can send a short fallback reply.<<<END_CONTENT
[agent/cli-backend] cli exec: useResume=true session=present resumeSession=3a4b3486d850 reuse=reusable historyPrompt=none

Announce-driven turn (broken — reuse=invalidated:system-prompt):

[cli-prompt-trace] runId=announce:v1:agent:planner:subagent:…
  hashPrefix= staticLen=0
  BEGIN_CONTENT>>><<<END_CONTENT
[agent/cli-backend] cli session reset: provider=claude-cli reason=system-prompt
[agent/cli-backend] cli exec: useResume=false session=none resumeSession=none reuse=invalidated:system-prompt historyPrompt=none

Same orchestrator session, same binding, ~1 minute apart. Only difference: user-typed populates the static, announce-driven leaves it empty. The hash mismatch is what triggers the reset.

Why "empty static" specifically

The announce delivery path (subagent-announce-delivery.ts → sendSubagentAnnounceDirectly → callGateway({method: "agent", params: {sessionKey, message, …}})) does not compute or pass extraSystemPromptStatic. The gateway "agent" handler in server-methods/agent.ts then dispatches with extraSystemPrompt: request.extraSystemPrompt (= undefined). By the time prepare.runtime sees it, both fields are empty — extraSystemPromptHash becomes the hash of empty content.

So this is structurally a different shape from your groupIntro drift, but the comparator behaviour is identical: stored=<populated hex>, current=<empty hex>, mismatch, reset.

Patch we applied (and verified) on v2026.5.3

Implements your option (2) with comparator tolerance — but covers both the legacy-binding case (your scenario, binding[field] === undefined) and the under-populated-caller case (our scenario, current === undefined):

-		if (normalizeOptionalString(binding?.extraSystemPromptHash) !== currentExtraSystemPromptHash) return { invalidatedReason: "system-prompt" };
+		const storedExtraHash = normalizeOptionalString(binding?.extraSystemPromptHash);
+		if (storedExtraHash && currentExtraSystemPromptHash && storedExtraHash !== currentExtraSystemPromptHash) return { invalidatedReason: "system-prompt" };

Semantic intent: extraSystemPromptHash validation answers "did the static system context CHANGE?" If either side is missing/empty (caller didn't compute, binding from a legacy turn that didn't populate, etc.), there's nothing being asserted as changed — preserve the binding rather than blow it away.

User-typed turns are unaffected (both sides populated, comparison still works as today). Group-channel turns from your repro: stored=<hex>, current=<hex>, comparator runs as before — but if your case includes any path where the binding was first written without extraSystemPromptHash, preservation kicks in. Announce-driven turns from our repro: stored populated, current undefined → preserved.

Verified working end-to-end: orchestrator now retains conversation context across announce delivery on v2026.5.3.

Layer 1 (caller side) — not fixed in our local patch, but worth flagging

The Layer 2 fix (above) prevents the symptom. There's also a Layer 1 issue on the caller side: the announce delivery path doesn't compute extraSystemPromptStatic at all. As a side effect, on the announce turn itself the system prompt sent to claude-cli also lacks the directChatContext text ("You are in a WebChat direct conversation…", NO_REPLY hint, etc.). Native conversation history (replayed by claude-cli via --resume) carries the implicit context, so behaviour is mostly fine, but on that one turn the orchestrator has weaker prompt-level reinforcement of its conversation policy.

A cleaner upstream fix would either:

• Refactor the announce delivery path through the same extraSystemPromptStaticParts-building pipeline that get-reply.ts uses for user-typed messages, or
• Have the gateway "agent" handler enrich the dispatch with session-context-derived extraSystemPromptStatic when the request doesn't provide one.

We left Layer 1 unfixed locally because both options have larger blast radius than the comparator one-liner. Ideally both layers land: Layer 2 makes the validator robust, Layer 1 ensures all callers populate context consistently.

Why your option (1) might still be preferable

You suggested dropping extraSystemPromptHash (and mcpConfigHash) entirely. Our finding strengthens that argument — if the hash can be empty for legitimate reasons (announce caller doesn't compute it) and can drift across legitimate per-turn variations (your groupIntro), the hash-as-invalidation-key is producing only false positives. We went with the comparator-tolerant fix because it's smaller, but if maintainers are open to the bigger change, dropping it would also fix a third scenario we haven't tested: a caller that legitimately wants to clear a stale binding by sending an empty static would no longer be able to (with our patch). We don't know of any such caller today, but it's the one regression risk of our patch versus your option (1).

Environment

• openclaw@2026.5.3 (installed 2026-05-04 via npm i -g openclaw)
• claude-cli backend, OAuth auth profile
• Linux, Node 22, openclaw-control-ui webchat client (direct-chat session)

[gorkem2020]

Subagent-announce delivery is another trigger for this bug

Posting per clawsweeper's recommendation on #81460, which they closed as duplicate of this issue. Same extraSystemPromptHash false invalidation, different entry path: subagent_announce delivery into the parent's reply pipeline. Adding the reproduction here as regression coverage for the shared fix.

Trigger sequence

1. Agent on claude-cli backend, parent session with accumulated history.
2. Parent calls sessions_spawn (any task, cleanup: "delete", agentId unset for self-spawn).
3. Subagent runs and completes.
4. subagent_announce posts an in-process agent call to the requester session with inputProvenance.kind: "inter_session" and sourceTool: "subagent_announce", which routes through the same reply/run pipeline as inbound chat. The composed extraSystemPromptStaticParts differs from what was hashed at binding time.
5. resolveCliSessionReuse compares hashes, returns invalidatedReason: "system-prompt", fresh claude -p is spawned.

Empirical evidence (2026.5.7 deployment)

Three claude-cli session forks in 21 minutes from a single subagent flow:

16:09  4933dfe2  (received the subagent_announce)
16:23  ef8c3930
16:30  28f770cb  (currently bound)

Original session jsonl 55c431d6 (906 entries, 775 KB) remains on disk, no longer the active binding target. Gateway log emits the same reason=system-prompt reset code described in the original report here.

Cross-runtime control

Same fleet, same subagent flow on a pi runtime agent (openai-codex/gpt-5.5). Pi-runtime parent kept its continuous session across the spawn. Confirms the trigger fires specifically through the claude-cli prompt-hash comparator, not through subagent flow plumbing in general.

Implication for fix scope

If the comparator-tolerance approach proposed earlier in this thread covers the groupIntro drift only, subagent-announce delivery would still invalidate. The shared root cause is that extraSystemPromptStaticParts is reassembled per-turn and includes context that is legitimately turn-variable (inter-session messages, group intros, etc.) which then drifts the hash even when the actual user-meaningful context is unchanged.

A fix that treats inter-session message envelopes and group intro overlays as transient (not part of the binding identity) would close both triggers at once.

Happy to provide jsonl excerpts, full sessions.json entries, or session-store dumps if useful.

[jallyai]

Hitting this on 2026.5.7 with a sonnet agent in a discord channel, confirms the live repro.

Every fresh session I attach a doc to the first message, get a great response, then my reply gets a "i dont know what youre talking about" and the doc context is gone. Happens 100% of the time, only between turn 1 and 2. Turn 3+ is fine.

Gateway log:

21:07:56  cli exec        model=sonnet promptChars=64707 session=none reuse=none
21:08:58  live session turn  durationMs=61657              ← good response, doc in context
21:11:13  cli session reset: reason=system-prompt           ← reset fires on first reply
21:11:13  cli exec        promptChars=1388 reuse=invalidated:system-prompt
21:11:13  live session close: reason=restart
21:11:13  live session start
21:16:30  live session reuse                                ← stable from here