memory-core: dreaming subagent lacks operator.admin to delete its own session

[ketwi15]

memory-core: dreaming subagent lacks operator.admin to delete its own session

openclaw version: 2026.4.20 (commit 115f05d)
Pre-existing in: at least 2026.4.15

Summary

The dreaming cron in memory-core runs subagent.deleteSession() after generating
a narrative entry, but the embedded subagent runner is invoked without
operator.admin scope. Result: every dream cycle (light, REM, deep × number of
agents) emits narrative session cleanup failed: missing scope: operator.admin.

The narrative itself is generated and written successfully — only the
post-generation session cleanup fails, leaving stale session entries that have to
be cleaned externally.

Reproduction

1. Configure dreaming:

   "memory-core": {
     "enabled": true,
     "config": { "dreaming": { "enabled": true, "frequency": "0 3 * * *" } }
   }

2. Wait for cron to fire (or trigger manually)

3. Observe in /tmp/openclaw/openclaw-YYYY-MM-DD.log:

   memory-core: dreaming cleanup scrubbed 0 stale session entries and archived 42 orphan transcripts.
   memory-core: narrative session cleanup failed for light phase: missing scope: operator.admin
   memory-core: narrative session cleanup failed for rem phase: missing scope: operator.admin
   memory-core: narrative session cleanup failed for deep phase: missing scope: operator.admin
   

Source location

dist/dreaming-narrative-D2j0t41s.js:597 (in 2026.4.20):

if (params.subagent) try {
  await params.subagent.deleteSession({ sessionKey });
} catch (cleanupErr) {
  params.logger.warn(`memory-core: narrative session cleanup failed for ${params.data.phase} phase: ${formatErrorMessage(cleanupErr)}`);
}

The subagent context is created by manager-runtime.js for the dreaming sweep
without admin scope. The deleteSession API path requires operator.admin per
server.impl-DYBxSjUs.js:10196 (ADMIN_SCOPE = "operator.admin").

Suggested fix

Either:

1. Auto-grant operator.admin to the subagent runner spawned by the dreaming cron
   (it's the same trust boundary as the parent gateway, owns its own session).
2. Provide a subagent.deleteOwnSession() API that doesn't require admin scope
   when called by the session's own creator.
3. Use a separate cleanup path that doesn't go through the scope-gated HTTP delete.

Impact

• Repeated WARN log noise (multiple lines per dream cycle × multiple agents)
• Stale session entries accumulate; require external cleanup script
  (prune-dream-sessions.sh cron at 03:30 UTC handles this for us)
• managed dreaming cron could not be reconciled (cron service unavailable) —
  related warning suggesting the dreaming control plane is partially broken too

Environment

• LXC container, Debian 12, Node 22.22.2
• 14 agents, dreaming enabled per agent
• Cron is running and working (systemctl status cron shows active)
• Workaround: external prune-dream-sessions.sh at 03:30 UTC catches what
  the failed cleanup leaves behind

[Vksh07]

Same issue

[Akes119]

Reproduced again on OpenClaw 2026.4.23 after upgrading from an earlier 2026.4.x build.

Environment

• OpenClaw: 2026.4.23
• OS: macOS Darwin arm64
• Gateway: local
• Plugins loaded at ready: acpx, lossless-claw, memory-core, memory-wiki, openclaw-lark, openclaw-lark-okr

Important additional signal

In this environment, the current device auth already includes operator.admin, but the cleanup error still happens.

So at least in this repro, the failure does not look like a simple missing local authorization grant.

What still works

The main dreaming pipeline succeeds:

• light/rem/deep phases run
• dream diary entries are written
• promotion completes

What fails

Cleanup still fails at the end of each phase:

2026-04-25T10:17:07.027+08:00 [plugins] memory-core: narrative session cleanup failed for light phase: missing scope: operator.admin
2026-04-25T10:17:23.202+08:00 [plugins] memory-core: narrative session cleanup failed for rem phase: missing scope: operator.admin
2026-04-25T10:17:37.656+08:00 [plugins] memory-core: narrative session cleanup failed for deep phase: missing scope: operator.admin

Corresponding successful activity in the same run:

2026-04-25T10:17:07.026+08:00 [plugins] memory-core: dream diary entry written for light phase [workspace=/Users/robinxu/.openclaw/workspace].
2026-04-25T10:17:23.201+08:00 [plugins] memory-core: dream diary entry written for rem phase [workspace=/Users/robinxu/.openclaw/workspace].
2026-04-25T10:17:37.656+08:00 [plugins] memory-core: dream diary entry written for deep phase [workspace=/Users/robinxu/.openclaw/workspace].
2026-04-25T10:17:37.898+08:00 [plugins] memory-core: dreaming promotion complete (workspaces=1, candidates=10, applied=0, failed=0).

Source-level clue from local dist

In my installed 2026.4.23 distribution, the warning still appears to come from the narrative cleanup path in:

• dist/dreaming-narrative-CbBD6j4D.js

Relevant snippet:

if (params.subagent) try {
  await params.subagent.deleteSession({ sessionKey });
} catch (cleanupErr) {
  params.logger.warn(`memory-core: narrative session cleanup failed for ${params.data.phase} phase: ${formatErrorMessage(cleanupErr)}`);
}

So this still looks like an internal scope propagation / permission-check mismatch on subagent.deleteSession({ sessionKey }), not a user-side dreaming misconfiguration.

[vincentkoc]

Thanks for this. I am closing this as a duplicate of #68252 because both reports track the same root cause: memory-core dreaming writes the narrative, then subagent.deleteSession() fails with missing scope: operator.admin, so the cleanup path cannot remove the dreaming session.

I am keeping the canonical thread open there so fixes, validation, and follow-up stay in one place. Your report helped confirm the same failure across more environments. If this has a different reproduction path or still reproduces after the canonical fix lands, please reply and we can reopen or split it back out.