Stronger run interruptibility: unified generation invalidation and stale-output fencing

[darconadalabarga]

Problem

When a user sends /stop or a new message while the agent is mid-run (executing tools, streaming, running subprocesses), the current run may continue producing side effects: launching more tools, emitting stale progress updates, and finishing subprocess chains.

This creates a real UX and safety issue: the user loses confidence in their ability to regain control.

Observed behavior

• /stop cuts some parts of the system but not all
• Child processes may keep running after chat is aborted
• A tool batch may continue with subsequent tools after partial cancellation
• Stale progress/typing/messages keep arriving after stop
• New user messages may not immediately supersede the active run

Expected behavior

If the user sends a new message or /stop, the previous run should stop producing effects immediately. The new message should become the dominant instruction.

Existing primitives (they're good!)

OpenClaw already has solid abort primitives scattered across subsystems:

• chat.abort RPC handler
• abortEmbeddedPiRun() for embedded agent runs
• clearSessionQueues() for queue cleanup
• managedRun.cancel("manual-cancel") for exec processes
• cancel(runId) / cancelScope(scopeKey) in the process supervisor
• replyRunRegistry.abort() for reply run tracking
• abortedLastRun flag in session store
• handlerGeneration invalidation pattern in heartbeat-wake

These are all good building blocks. The issue is not missing cancellation, but missing coordination between them.

What's missing: unified run invalidation

The gap is a single coherent guarantee that:

1. A new user message or /stop invalidates the active run
2. The invalidated run cannot produce new side effects (messages, tool calls, progress, typing)
3. Subprocesses owned by the invalidated run are cancelled
4. Pending tool calls in the invalidated run are skipped
5. The new user message becomes the dominant instruction immediately

Proposed approach

Introduce stronger run-scoped interruption semantics, inspired by patterns from Hermes (which implements a well-tested version of this):

1. Run generation counter per session

A simple incrementing counter. When abort or new message arrives, increment generation. All downstream checks validate their captured generation is still current.

2. Pre-tool gate

Before each tool execution, check if the run's generation is still current. If not, skip the tool and return a cancelled result. (Hermes tests this explicitly in test_all_tools_skipped_when_interrupted.)

3. Stale output fence

Prevent stale runs from emitting visible effects. Before emitting streaming deltas, typing indicators, progress updates, or final messages: check generation. The pattern already exists in heartbeat-wake.ts — apply it to the reply pipeline.

4. Stronger subprocess cancellation

Wire exec/supervisor processes to session run scope. On generation change, cancel associated processes.

5. New message takeover

When a new user message arrives during an active run: increment generation → cancel active processes → abort embedded run → clear queues → new message becomes next input.

Prior art

Hermes agent demonstrates these patterns with good test coverage:

• Thread-scoped interrupt signaling (tools/interrupt.py)
• Pre-tool interrupt checks with test coverage
• Gateway run generation invalidation for stale outputs
• SIGTERM→SIGKILL escalation for resistant processes
• Pending message queue drain and combination

The goal is not a line-by-line port, but adapting these concepts to OpenClaw's async architecture.

Benefits

• Safer production behavior (tool chains stop reliably)
• Stronger user control and trust
• More predictable /stop semantics
• Fewer stale messages after abort
• Foundation for safer autonomous operation

I'm willing to contribute a PR

I have a prototype implementation plan and would be happy to contribute a PR if the maintainers are interested. The implementation is designed to layer on top of existing primitives without breaking current behavior.

This would be AI-assisted (Claude Code) with testing.

[darconadalabarga]

First-pass implementation of Piece A (run-generation registry) and partial Piece C (stale-output fence on the block reply path) is up as a draft PR: #70363.

Branch: https://github.com/darconadalabarga/openclaw/tree/feature/run-interruptibility

Three commits:

1. bcc87e7789 run-generation registry + wiring into replyRunRegistry + generation bump in abort.ts.
2. e031fdcc71 opt-in isRunCurrent parameter on createBlockReplyDeliveryHandler.
3. 8fba7e85b2 live wiring: agent-runner-execution.ts passes () => replyOperation.isCurrent() so superseded block replies are actually dropped in the runtime.

17 new tests + 1174 existing auto-reply tests pass. pnpm check:changed green, pnpm build clean.

What's in:

• ReplyOperation.runGeneration captured at run-begin, flipped to stale when abortWithReason bumps the session's generation.
• ReplyOperation.isCurrent() as a cheap check any deep call stack can consult.
• Fast-abort path also bumps generation (fences late output even if the registry lookup misses).
• SIGTERM→SIGKILL escalation already present in src/process/kill-tree.ts (no change needed).

What's deferred (each deserves its own focused commit):

• Piece B — pre-tool gate in pi-embedded-runner.
• Piece E — new-message takeover in dispatch.ts/queue.ts.
• More emission sites: typing.ts, reply-delivery non-block path, followup-delivery.ts.

Would appreciate a look at the approach before I push follow-ups — happy to break the PR into smaller pieces or reshape the API.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 30, 2026, 12:51 AM ET / 04:51 UTC.

Summary
Codex review failed: timeout.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Include the exact command, prompt, or workflow that triggered it.
• Add expected vs actual behavior.

Next step
Review did not complete, so no work-lane recommendation was made.

Review details

Best possible solution:

Retry the Codex review after fixing the execution failure.

Do we have a high-confidence way to reproduce the issue?

Unclear. The review failed before ClawSweeper could establish a reproduction path.

Is this the best way to solve the issue?

Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction.

AGENTS.md: unclear because the file could not be read completely.

Remaining risk / open question:

• No close action taken because the review did not complete.

Codex review notes: model gpt-5.5, reasoning high; reviewed against f848a6f7f74b.

Label changes

Label changes:

• add issue-rating: 🦪 silver shellfish: Current issue advisory state selects this label.
• add clawsweeper:needs-info: Current issue advisory state selects this label.

Evidence reviewed

What I checked:

• failure reason: timeout.
• codex failure detail: Codex review failed for this issue: spawnSync codex ETIMEDOUT.

Likely related people:

• unknown: Codex failed before it could trace repository history. (role: review did not complete; confidence: low)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[openclaw-barnacle]

Closing due to inactivity.
If this is still an issue, please retry on the latest OpenClaw release and share updated details.
If you are absolutely sure it still happens on the latest release, open a new issue with fresh steps to reproduce.