Heartbeat exec-event interval-bypass regression (re: #17797): runaway runs every ~10s instead of configured every:30m

[hexsprite]

Summary

#17797 ("Heartbeat flood: exec-event bypasses interval check, causing runaway heartbeat runs") is regressed on 2026.4.30 (or never actually shipped — that issue is closed as completed but has no closing PR). The exact same code path described in #17797 is still live, with the same self-feeding loop and the same observable symptoms.

Filing a new issue because #17797 is locked.

Reproducer

Failing unit test added to src/infra/heartbeat-runner.scheduler.test.ts:

it("does not bypass interval cooldown for repeated exec-event wakes within nextDueMs", async () => {
  useFakeHeartbeatTime();
  const runSpy = vi.fn().mockResolvedValue({ status: "ran", durationMs: 1 });
  const runner = startHeartbeatRunner({
    cfg: heartbeatConfig(),
    runOnce: runSpy,
    stableSchedulerSeed: TEST_SCHEDULER_SEED,
  });

  // First exec-event wake legitimately fires the run.
  requestHeartbeatNow({ reason: "exec-event", sessionKey: "agent:main:main", coalesceMs: 0 });
  await vi.advanceTimersByTimeAsync(1);
  expect(runSpy).toHaveBeenCalledTimes(1);

  // 4 more exec-events at 10s intervals — well within the 30m configured cadence.
  for (let i = 0; i < 4; i++) {
    await vi.advanceTimersByTimeAsync(10_000);
    requestHeartbeatNow({ reason: "exec-event", sessionKey: "agent:main:main", coalesceMs: 0 });
    await vi.advanceTimersByTimeAsync(1);
  }

  // 40s elapsed. Configured every is 30m. Subsequent exec-events should be debounced.
  expect(runSpy).toHaveBeenCalledTimes(1);
  runner.stop();
});

Result: AssertionError: expected "vi.fn()" to be called 1 times, but got 5 times.

Code path (still present on main, commit e3f84fa)

src/infra/heartbeat-runner.ts:1805:

const isInterval = reason === "interval";
// ...
for (const agent of state.agents.values()) {
  if (isInterval && now < agent.nextDueMs) {
    continue;
  }
  // runOnce fires regardless of nextDueMs for non-interval reasons
}

The targeted-wake branch (heartbeat-runner.ts:1772-1801) has no cooldown gate at all — any wake with sessionKey set bypasses everything.

src/agents/bash-tools.exec-runtime.ts:347 (maybeNotifyOnExit) still calls:

requestHeartbeatNow(
  scopedHeartbeatWakeOptions(sessionKey, { reason: "exec-event", coalesceMs: 0 }),
);

Other event sources also bypass: cron:*, hook:wake, acp:spawn:stream, notifications-event, cli:watchdog:stall. None enforce nextDueMs.

Production observation

Heartbeat configured every: "30m". Actual interval observed in /tmp/openclaw/openclaw-2026-04-30.log:

22:43:14 run done    (run took 49.9s)
22:43:25 run start   <- 11s gap
22:44:08 run done    (run took 50.2s)
22:44:19 run start   <- 11s gap
22:45:07 run done    (run took 55.6s)
22:45:24 run start   <- 17s gap
22:46:08 run done    (run took 51.1s)
22:46:18 run start   <- 10s gap
22:47:04 run done    (run took 52.2s)
22:47:14 run start   <- 10s gap

Average gap between completions and next start: ~12s (configured cadence: 30 minutes).

Cascading effects observed in the same session

Each runaway run pegs the single-threaded gateway event loop:

22:32:35 [diagnostic] liveness warning: eventLoopDelayMaxMs=6912.2
22:38:37 [diagnostic] liveness warning: eventLoopDelayMaxMs=6761.2
22:40:40 [diagnostic] liveness warning: eventLoopDelayMaxMs=8715.8 utilization=99.5% cpu=95.3%

This causes downstream symptoms:

• openclaw tui cannot connect — WS handshake closes 1000 mid-handshake (see TUI fully unresponsive to Ctrl+C / Ctrl+D / SIGINT after gateway WebSocket close #75379)
• Control UI static assets stall — TTFB on JS bundle reaches 4.5s; user sees "images load slowly then fail" and assumes frontend bug
• Telegram replies stall (Gateway CPU spin causes Telegram replies to stall and status probe to time out #72338)
• TUI 100% CPU at idle (TUI process consumes 89-99% CPU at idle and during message turns (busy-loop) #75137) — likely exacerbated since TUI busy-loops trying to read frames from a starved gateway

Why the existing test missed it

heartbeat-runner.scheduler.test.ts:437 ("does not fan out to unrelated agents for session-scoped exec wakes") covers exec-event routing — it verifies the wake reaches the right agent. It does not assert that the wake is rate-limited. There is currently no test guard for cooldown enforcement on non-interval reasons. The new test above closes that gap.

Suggested fix (combining #17797's option 2 with structural fixes)

Minimal patch:

// heartbeat-runner.ts: targeted branch (line 1772-)
+ if (now < targetAgent.nextDueMs && reason !== "manual") {
+   return { status: "skipped", reason: "not-due" };
+ }
  const res = await runOnce({ ... });

// heartbeat-runner.ts:1805 — broadcast branch
- if (isInterval && now < agent.nextDueMs) { continue; }
+ if (now < agent.nextDueMs && reason !== "manual") { continue; }

Architectural follow-ups worth bundling to prevent regression class:

1. Type the wake reason as a discriminated union instead of raw string. Today reason === "interval" is a fragile string-compare; a new event source bypasses the gate silently. Discriminated union + exhaustive switch makes "did I gate this?" a compile-time question.

2. Single shouldDeferWake(opts) helper called by both targeted and broadcast branches. They have different (broken) gate logic today. Centralizing the decision means future refactors can't forget one path.

3. Min-spacing floor independent of every. Even with nextDueMs enforced, two exec wakes arriving within milliseconds could still both fire — one before advanceAgentSchedule updates state, one after. A simple "no run within the last N seconds" floor catches the race.

4. Make exec wakes go through coalescer. The wake-pending-merge logic in heartbeat-wake.ts partially handles this, but exec wakes use coalesceMs: 0 which defeats it. Setting a sensible floor (e.g. 5s) on exec wakes lets multiple completions collapse into one heartbeat.

Happy to open a PR with the failing test + minimal patch + the helper extraction as a follow-up commit.

Environment

• OpenClaw 2026.4.30 commit e3f84fa
• macOS 15.4 (Darwin 25.4.0 arm64)
• Node 24.14.0
• Heartbeat config: every: "30m", isolatedSession: true, model openai-codex/gpt-5.2

Related

• Heartbeat flood: exec-event bypasses interval check, causing runaway heartbeat runs #17797 — original report (locked, closed without linked PR)
• BUG: heartbeat fires duplicate runs when external wake events (openclaw agent CLI) arrive during scheduled heartbeat #64016 — duplicate runs from external wake events during scheduled heartbeat (related symptom)
• Heartbeat isolated mode: cadence stalls, 'heartbeat last' mislabels exec-events, lightContext stays heavy, heartbeat-state writer appears missing #65161 — heartbeat isolated mode cadence stalls (related)
• Gateway CPU spin causes Telegram replies to stall and status probe to time out #72338 — gateway CPU spin stalling Telegram (this is the same root cause manifesting as a Telegram symptom)
• TUI process consumes 89-99% CPU at idle and during message turns (busy-loop) #75137 — TUI 100% CPU (likely contributing factor)
• TUI fully unresponsive to Ctrl+C / Ctrl+D / SIGINT after gateway WebSocket close #75379 — TUI unresponsive to Ctrl+C after gateway WS close (downstream of this)

[clawsweeper]

Thanks for the context here. I swept through the related work, and this is now duplicate or superseded.

Close as duplicate of #64016. Current main still matches this report, but #64016 is the open canonical tracker for wake-triggered heartbeat runs bypassing the configured cadence, and this issue does not show a distinct root cause from that cluster.

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Review details

Best possible solution:

Keep #64016 as the canonical tracker and fix the runner once there by centralizing the due/cooldown decision for targeted and broadcast wake paths, while preserving explicit manual heartbeat behavior and adding the repeated exec-event regression test.

Do we have a high-confidence way to reproduce the issue?

Yes. The provided unit test is a high-confidence reproduction path because current main's targeted exec-event branch calls runOnce without checking nextDueMs, so repeated session-scoped wakes within 30 minutes can run repeatedly by inspection.

Is this the best way to solve the issue?

Yes for triage: consolidating this under #64016 is the narrowest maintainer outcome because both reports point to the same wake-triggered heartbeat cadence bypass. The implementation should be a shared runner cooldown helper plus focused scheduler coverage, not separate downstream fixes for each symptom.

Security review:

Security review: No patch is under review; this is a reliability/cadence issue rather than a security-sensitive change.

What I checked:

• Current runner bypasses due gate for targeted wakes: The targeted wake branch resolves the target agent and calls runOnce before any now < targetAgent.nextDueMs check, then advances the schedule after the run. (src/infra/heartbeat-runner.ts:1771, 76930da7ebc7)
• Broadcast gate only applies to interval reasons: The broadcast loop checks nextDueMs only when reason === "interval", so non-interval wake reasons can still run during the cooldown window. (src/infra/heartbeat-runner.ts:1805, 76930da7ebc7)
• Exec completions still request immediate exec-event wakes: Exec notification paths call requestHeartbeatNow(scopedHeartbeatWakeOptions(sessionKey, { reason: "exec-event", coalesceMs: 0 })), which is the source described by the report. (src/agents/bash-tools.exec-runtime.ts:347, 76930da7ebc7)
• Existing scheduler test covers routing, not cooldown: The current scheduler test for session-scoped exec wakes asserts the wake reaches the right agent and does not fan out, but it does not assert rate limiting within nextDueMs. (src/infra/heartbeat-runner.scheduler.test.ts:437, 76930da7ebc7)
• Heartbeat cadence contract: Docs describe heartbeat as periodic scheduled agent turns, with a default/configurable interval such as 30 minutes. Public docs: docs/gateway/heartbeat.md. (docs/gateway/heartbeat.md:14, 76930da7ebc7)
• Canonical open duplicate: Provided GitHub context for BUG: heartbeat fires duplicate runs when external wake events (openclaw agent CLI) arrive during scheduled heartbeat #64016 describes the same remaining behavior: external wake events should not produce extra heartbeat runs within the configured interval, and suggests the same now < agent.nextDueMs fix boundary.

Likely related people:

• steipete: Local blame attributes the current heartbeat runner, wake module, scheduler test, and exec wake paths to commit 5a3b75d by Peter Steinberger. (role: current implementation and recent maintainer; confidence: medium; commits: 5a3b75de33dd; files: src/infra/heartbeat-runner.ts, src/infra/heartbeat-wake.ts, src/infra/heartbeat-runner.scheduler.test.ts)
• Vignesh: Recent commit b277ae3 changed src/infra/heartbeat-runner.ts and heartbeat commitment tests shortly after the current runner implementation. (role: recent adjacent maintainer; confidence: low; commits: b277ae3f4c40; files: src/infra/heartbeat-runner.ts, src/infra/heartbeat-runner.commitments.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 76930da7ebc7.