[Bug]: enqueueSystemEvent not deduplicated by runId/contextKey — agents cascade duplicate exec approval prompts under new IDs, locking ecosystem

[reidperyam]

Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

Summary

Under load, enqueueSystemEvent does not deduplicate queued exec approval requests by runId or contextKey. When a heartbeat run times out and the gateway fails over, the replacement attempt re-queues the same exec call with a fresh approval ID. Each retry surfaces a new Telegram approval prompt for the identical command, cascading until the operator kills the gateway. Left alone, it saturates the approval channel fast enough to risk system-level memory pressure.

Reproduced repeatably on a multi-agent install. Filing now so it can be fixed before users with directPolicy: "allow" + high-frequency heartbeats discover it the hard way.

Steps to reproduce

What the exec call is

Routine health-check probe issued from Maelcum's heartbeat:

ps aux | grep -E "contextstored|vllm|openclaw" | grep -v grep | awk '{print $11}' | sort -n | tail -5

Hits on-miss under the current allowlist, so an approval prompt is expected on first encounter. The bug is that it fires again, and again, and again, each time under a new approval ID, for the same run intent.

Not a duplicate of

I looked for upstream issues that might cover this and found three that are adjacent but distinct:

• Heartbeat exec-event prompt drops actual completion payload #66487 — heartbeat prompt drops completion body (peek-not-consume on a different queue event path, not the approval queue)
• Heartbeat checks wrong session queue for exec completion events #14191 — heartbeat routes to wrong session queue (routing bug, not a dedup bug)
• Hook deliver: false still injects system event into main session #36325 — deliver:false hooks still inject via enqueueSystemEvent (delivery flag bypass, not retry dedup)

None of these address the approval-event retry path or the (runId, contextKey) dedup gap.

Workaround in place

• All 11 agent heartbeats set to every: "999h" (circuit breaker)
• No agent work resumes on a normal schedule until this is fixed or a dedup workaround exists at the exec-approvals layer

Related bug (filing separately)

Telegram /approve allow-always writes a source field into the approvals allowlist entry that openclaw approvals set --file then rejects as unexpected on push. Will cross-reference the issue once filed.

Expected behavior

Either:

1. enqueueSystemEvent deduplicates queued exec approval events by (agentId, contextKey) or (runId, contextKey), coalescing retries into the already-pending prompt; or
2. When a run fails over, any exec approval events it queued are cancelled before the replacement run is allowed to enqueue new ones.

Today, neither happens.

bug-30-log-excerpt-clean.txt

Actual behavior

Observed behavior

Continual, unceasing consecutive approval prompts delivered to Telegram seconds apart, identical command, different IDs:

• befadc79-10bd-4e78-b1a4-9e2f546fd3c5
• 871d7305-c1cc-412c-9393-d538e99e4ae1
• etc.

Screenshot attached below.

Gateway log (/tmp/openclaw/openclaw-2026-04-18.log) shows the cascade signature (excerpt attached):

• stuck session: sessionId=maelcum sessionId=<uuid> sessionKey=agent:maelcum:telegram:direct:<user_id> — age ticking up by ~30s per line, crossing 462s before intervention
• embedded_run_failover_decision failoverReason=timeout — cycling through the provider chain: vllm-fast → vllm-brain → openrouter/z-ai/glm-5
• Heartbeat re-firing and regenerating the run under fresh runIds while the prior attempt is still pending approval

Each failover attempt re-enters enqueueSystemEvent carrying the same exec call, but the event queue has no compound key covering the (runId, contextKey) pair — so the prior queued approval does not cancel or collapse, and a new one is enqueued instead.

OpenClaw version

2026.4.14 (323493f)`

Operating system

macOS 26.4.1

Install method

npm global, latest stable as of filing

Model

mlx-community/Qwen3.5-9B-OptiQ-4bit (local, via rapid-mlx 0.3.12)

Provider / routing chain

openclaw -> vllm-fast (localhost:8001, rapid-mlx 0.3.12) -> Qwen3.5-9B-OptiQ-4bit

Additional provider/model setup details

Environment

• Host: macOS, Mac Mini M4 Pro, 48 GB unified memory
• Gateway: launchd-supervised, loopback bind, port 18789
• Heartbeat: every: "3h", directPolicy: "allow", target: "telegram", lightContext: true
• Exec approval policy: defaults.security: "allowlist", ask: "on-miss", askFallback: "deny"; maelcum uses host defaults

Logs, screenshots, and evidence

## Attached evidence

1. Screenshot of two consecutive approval prompts with different IDs for the same command
2. `bug-30-log-excerpt.txt` — 60 lines of the cascade from the gateway log

Impact and severity

Impact

• Saturates the approval channel — every cascade cycle produces a new Telegram prompt
• Fast enough to outrun manual intervention; forcing a gateway restart (openclaw gateway restart) is the only reliable stop
• On installs with many agents sharing a channel, one stuck agent can drown all approval prompts for every other agent
• Forced me to set all 11 heartbeats to every: "999h" as a circuit breaker while the bug is unresolved — effectively disabling the ecosystem's scheduled work layer

Additional information

No response

[reidperyam]

Cross-reference to #69482 (Telegram /approve allow-always writes unaccepted source field) — same approvals subsystem, distinct root cause but overlapping user-visible symptom.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 13, 2026, 1:11 AM ET / 05:11 UTC.

Summary
Keep open: current main and v2026.6.6 include the merged queue-side system-event dedupe, but the reported user-visible approval cascade still has a separate exec-approval forwarder path that creates fresh approval IDs and forwards by request ID.

Reproducibility: yes. at source level: current main still generates fresh approval IDs/context keys and the forwarder tracks by request ID, so repeated failover attempts can bypass the queue-side dedupe. I did not perform a live Telegram cascade reproduction.

Next step
Needs maintainer and security review to choose the stable approval-intent identity or cancellation semantics before an automated repair is safe.

Security
Needs attention: The issue is security-sensitive because exec approval dedupe must prevent prompt floods without approving or suppressing distinct command intents.

Review details

Best possible solution:

Implement a stable exec approval intent key or cancellation policy at the approval manager/forwarder boundary, with tests proving retries coalesce while distinct approval contexts remain separate.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: current main still generates fresh approval IDs/context keys and the forwarder tracks by request ID, so repeated failover attempts can bypass the queue-side dedupe. I did not perform a live Telegram cascade reproduction.

Is this the best way to solve the issue?

No. The merged system-events change is a correct partial fix, but the best complete fix for this issue belongs at the exec approval intent/forwarder boundary with explicit security-preserving identity rules.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• The remaining fix is security-sensitive: a stable dedupe key must not collapse distinct commands, cwd, env, node, agent, session, or delivery routes into one approval.
• I did not run a live Telegram or Feishu failover cascade on current main; the keep-open decision is based on source-level path proof plus the issue and related PR discussion.

Codex review notes: model internal, reasoning high; reviewed against 6c88811b4bba.

Label changes

Label justifications:

• P1: The report describes a broken exec approval workflow that can flood an operator channel and disable scheduled agent work across a multi-agent install.
• impact:session-state: The cascade is tied to heartbeat/failover retries and pending approval state drifting across replacement runs.
• impact:security: Exec approvals are an operator security boundary, and the fix must preserve distinct approval intent while stopping duplicate prompts.
• impact:message-loss: The approval channel can be saturated with duplicate prompts, hiding or drowning other actionable approval messages.

Evidence reviewed

Security concerns:

• [medium] Preserve distinct approval intent — src/agents/bash-tools.exec-host-shared.ts:164
  Any forwarder-side dedupe must include enough command, cwd, env, node, agent, session, and route identity to avoid treating a different command as already approved or already prompted.
  Confidence: 0.84

What I checked:

• Current fresh approval identity: Current main still creates a fresh UUID approval ID and derives the system-event context key from that ID, so retries of the same command do not share a stable approval intent key. (src/agents/bash-tools.exec-host-shared.ts:164, 6c88811b4bba)
• Forwarder keyed by request ID: The approval forwarder tracks pending deliveries by request ID and sends the pending payload for each request; it does not coalesce separate approval IDs for the same command/context. (src/infra/exec-approval-forwarder.ts:545, 6c88811b4bba)
• Queue-side fix present: Current main dedupes keyed system events across the in-memory queue while preserving consecutive-only behavior for unkeyed events. (src/infra/system-events.ts:88, 6c88811b4bba)
• Queue-side regression coverage present: Current tests cover non-consecutive keyed duplicates, unkeyed non-consecutive duplicates, delivery-route disambiguation, context preservation, and re-enqueue after eviction or consumption. (src/infra/system-events.test.ts:306, 6c88811b4bba)
• Merged related PR was intentionally partial: The merged related pull request explicitly noted that the system-events patch fixed only the queue-side leak and that an ExecApprovalManager / exec-approval-forwarder stable-key follow-up was still needed. (6943b5b4a6d3)
• Maintainer review kept this issue open: The maintainer review on the merged queue-side pull request said it should not close this issue because the reported Telegram/exec approval cascade flows through the fresh-ID forwarder path. (e2cc8a7e5c15)

Likely related people:

• Ayaan Zaidi: Current blame for the extracted exec approval request-context and forwarder code points to d481994. (role: recent area contributor; confidence: medium; commits: d4819948f37d; files: src/agents/bash-tools.exec-host-shared.ts, src/infra/exec-approval-forwarder.ts)
• statxc: Authored the merged system-events dedupe pull request that partially addressed this issue. (role: queue-side fix author; confidence: high; commits: 6943b5b4a6d3; files: src/infra/system-events.ts, src/infra/system-events.test.ts)
• steipete: Maintainer review and fixup on the merged queue-side pull request explicitly separated the remaining forwarder work from the system-events fix. (role: reviewer and fixup author; confidence: high; commits: e2cc8a7e5c15; files: src/infra/system-events.ts, src/infra/system-events.test.ts)
• Josh Avant: Recently touched system-event queue behavior while fixing heartbeat retry handling, which is adjacent to the issue's heartbeat/failover surface. (role: recent adjacent contributor; confidence: medium; commits: e728957989f6; files: src/infra/system-events.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.