Add startup-time session-size guard: auto-archive when no context engine is registered

[100yenadmin]

Summary

When a context-engine plugin (lossless-claw, etc.) gets disabled — silently or by user error — the gateway loads existing session transcripts with their full message history. For users whose sessions have been growing under an active context engine, the resulting load cascade looks like a generic gateway stall, not "your context engine vanished." There's no preflight guard that catches this class of failure at boot.

We just hit it in the wild on 2026.5.2: the npm install -g openclaw upgrade silently dropped several configured extensions from the runtime plugin set (separate report incoming), including the registered contextEngine slot plugin (lossless-claw). On the next gateway boot:

[gateway] http server listening (3 plugins: browser, cortex, telegram; 2.7s)   # was 7 before upgrade
[context-engine] Context engine "lossless-claw" is not registered; falling back to default engine "legacy".
[agent/embedded] [context-overflow-diag] sessionKey=agent:main:main provider=openai-codex/gpt-5.5
  source=assistantError messages=808 sessionFile=…b1ed0fe1-…jsonl diagId=ovf-… compactionAttempts=0
  observedTokens=unknown error=Context overflow: estimated context size exceeds safe threshold during tool loop.
[agent/embedded] context overflow detected (attempt 1/3); attempting auto-compaction for openai-codex/gpt-5.5

808 messages on a 6.3 MB jsonl was the small case — and it still hit context overflow on the first turn. Looking at our own session directory, files at 24 MB, 37 MB, 55 MB, 143 MB, 200 MB are sitting there from prior sessions. Other reports in the wild are bigger:

• [Bug] Bloated session jsonl (444 MB) hangs gateway via String.prototype.replace — diagnose with sample+lsof #64767 — 444 MB session jsonl hangs gateway via String.prototype.replace
• session.maintenance has no size cap for transcript .jsonl files — unbounded growth causes gateway CPU 100% #66360 — session.maintenance has no size cap → gateway CPU 100%
• [Bug]: MEMORY.md grows unbounded → bootstrap overflow → Gateway freeze #73691 — MEMORY.md grows unbounded → bootstrap overflow → gateway freeze
• Embedded agent auto-compaction retries without reducing 873k-token Paperclip prompt #75740 — auto-compaction retries without reducing 873k-token prompt

The common shape: growth happens during normal operation under an active engine, but the failure mode shows up at gateway start when something disrupts the engine. From the user's perspective the gateway "just hangs after an update" with no actionable message.

Proposal

Add a startup-time session preflight guard with two new policies:

1. session.maintenance.sizeGuardMB (suggested default 1 — see threshold note below): if a session jsonl exceeds this and no contextEngine slot is registered for the agent (or the registered one failed to load), flag the session.
2. session.maintenance.guardAction: "warn" | "archive" | "block" — archive is the recommended default, see safety note below.

Behavior:

• warn — log a clear, actionable warning at startup naming the file, size, and required action ("install/repair the configured context-engine plugin, or run openclaw sessions archive <id>")
• archive — rename the jsonl to .archived-no-context-engine-<ISO>.jsonl and start a fresh session for that key. Recoverable via existing Recover archived (.reset) session transcripts in memory hook + session-logs skill #71537 / [codex] Include reset archives in session log searches #76119 archive-recovery work
• block — refuse to load the session, return a structured error to channels that subscribe, force operator action

Critically: the guard runs even if the context-engine slot resolves to "legacy" because the plugin failed to register. The [context-engine] ... is not registered; falling back to default engine "legacy" log line is the trigger condition.

Threshold note

10 MB would have missed the case that prompted this issue. 6.3 MB at 808 messages already overflowed gpt-5.5 (~200-400k effective context window). The right default is in the 1-3 MB range, possibly even lower for users on smaller-context models. Suggest 1 MB default with sizeGuardMB exposed as a config knob users can tune up if their workflow tolerates it.

For more nuanced sizing, the guard could also accept sizeGuardTokens (estimated, since exact count requires a tokenizer) and pick whichever threshold trips first.

Safety note (why archive is safer than it sounds)

For users running a context engine like LCM, the jsonl on disk is not the source of truth for conversation memory — LCM persists the full transcript into its own SQLite store at every compaction. The jsonl is just the live buffer of recent turns. Archiving it loses at most the fresh tail (~32-64 messages depending on freshTailCount) — which is exactly what a forced compaction would have rewritten anyway. Net user impact is roughly equivalent to "a compaction just happened."

For users running without LCM and on the default legacy engine, the on-disk jsonl IS the only conversation record. For them, warn is safer as the default. So one approach: detect whether a context engine has ever been registered for this session (via session metadata or LCM DB existence) and pick archive vs warn accordingly. That removes the manual config burden.

Why this matters

LCM (and similar context engines) historically take the blame for compaction stalls because users see "compaction is broken." But in practice, when LCM is working, it absorbs the growth. When it silently stops working (today's scenario, but also any plugin disable, npm upgrade regression, or config drift), the underlying session bloat is what actually crashes the gateway — and there's no signal pointing at the real cause. A startup guard:

1. Surfaces the real failure mode immediately ("LCM not loaded → 24 MB session → would hang") instead of an opaque stall
2. Gives ops a recovery path that doesn't require manual jsonl forensics
3. Means "context engine disabled" stops being a silent multi-issue cluster (overflow, OOM, gateway freeze, channel timeouts)

Implementation sketch

• Hook into the existing context-engine resolver path that emits Context engine "X" is not registered; falling back to default engine "legacy"
• Before falling back, walk the session directory for the affected agentId, lstat jsonl entries, compare to sizeGuardMB
• Apply guardAction per session — defaulting to archive if the session has prior context-engine activity (LCM DB exists / session metadata shows compaction history), warn otherwise
• Add a structured event (gateway.session.guard.tripped) so dashboards can count
• Adjacent issues to cross-link: session.maintenance has no size cap for transcript .jsonl files — unbounded growth causes gateway CPU 100% #66360, [Bug] Bloated session jsonl (444 MB) hangs gateway via String.prototype.replace — diagnose with sample+lsof #64767, [Bug]: MEMORY.md grows unbounded → bootstrap overflow → Gateway freeze #73691, Embedded agent auto-compaction retries without reducing 873k-token Paperclip prompt #75740
• Adjacent PRs in the archive-recovery space: Recover archived (.reset) session transcripts in memory hook + session-logs skill #71537, [codex] Include reset archives in session log searches #76119

Validation evidence

Real Eva install hit this today on 2026.5.2. LCM was the registered context engine; the npm install of openclaw@2026.5.2 silently disabled it (along with eva-xt, subagent-context-limiter, acpx — separate report incoming). Session at 808 messages / 6.3 MB caused immediate context-overflow loop on first interaction. Larger sessions in the same directory (200 MB jsonl files from prior work) would have made the gateway unrecoverable without manual jsonl rotation.

Happy to draft the PR — small, scoped to the resolver fallback path.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main has a recent startup-planner fix for selected context-engine plugins and existing session disk-budget cleanup, but missing or failing non-legacy context engines still fall back to legacy without a transcript-size preflight or the proposed guard policy.

Reproducibility: yes. at source level: configure a non-legacy plugins.slots.contextEngine that is missing, disabled, or fails registration and resolveContextEngine falls back to legacy without any transcript-size guard. I did not run a live gateway boot because this review was read-only.

Next step
The report is concrete and likely useful, but the default threshold/action and archival safety require maintainer product judgment before an automated fix PR.

Review details

Best possible solution:

Add a generic startup diagnostic/guard for a missing configured context-engine plus oversized active transcripts, with conservative default behavior and docs aligned to existing session maintenance and recovery surfaces.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level: configure a non-legacy plugins.slots.contextEngine that is missing, disabled, or fails registration and resolveContextEngine falls back to legacy without any transcript-size guard. I did not run a live gateway boot because this review was read-only.

Is this the best way to solve the issue?

Unclear as proposed: the gap is real, but archive as a default and the 1 MB threshold need maintainer product judgment. A safer first implementation may start with warn-only diagnostics, explicit opt-in archival, and integration with existing session cleanup/docs.

Acceptance criteria:

• pnpm test src/context-engine/context-engine.test.ts src/plugins/effective-plugin-ids.test.ts src/config/sessions/disk-budget.test.ts
• pnpm test src/config/sessions/store.pruning.integration.test.ts
• pnpm exec oxfmt --check --threads=1 src/context-engine/registry.ts src/config/types.base.ts src/config/sessions/store-maintenance.ts src/config/sessions/disk-budget.ts docs/gateway/config-agents.md docs/concepts/session.md

What I checked:

• Fallback path still has no size guard: resolveContextEngine logs a missing non-default engine and immediately resolves the default legacy engine; there is no session scan, size check, archive, block, or structured guard event in this path. (src/context-engine/registry.ts:519, 990f931a2efc)
• Proposed config keys are absent: SessionMaintenanceConfig contains mode/prune/count/archive-retention/disk-budget fields, but no sizeGuardMB, token guard, or guardAction; rg also found no sizeGuard, guardAction, or archived-no-context-engine implementation. (src/config/types.base.ts:217, 990f931a2efc)
• Existing disk budget is not the requested startup guard: enforceSessionDiskBudget only acts when maxDiskBytes and highWaterBytes are configured and operates on total sessions-directory budget; it is not keyed to missing context-engine fallback and does not specifically archive oversized active transcripts at startup. (src/config/sessions/disk-budget.ts:244, 990f931a2efc)
• Related startup trigger was partially addressed separately: Current main includes resolveContextEngineSlotStartupPluginId, which includes a selected non-legacy context-engine plugin in gateway startup unless legacy, denylisted, or disabled; this reduces one trigger but does not cover plugin disable/failure or add transcript-size guarding. (src/plugins/gateway-startup-plugin-ids.ts:105, 990f931a2efc)
• Feature history: GitHub commit metadata shows [Bug]: Bug Report: Context engine plugin not registered despite being loaded #76576 (deb7b821...) added selected context-engine startup loading, and fix(context-engine): gracefully degrade to legacy engine on third-party plugin resolution failure #66930 (6aa45157...) added graceful degradation to legacy on third-party context-engine resolution failure.
• Related reports are adjacent, not canonical duplicates: The issue body links open reports for unbounded session JSONL, session.maintenance size gaps, MEMORY.md growth, and ineffective auto-compaction; those overlap operationally but do not fully track this startup-time missing-context-engine guard.

Likely related people:

• hclsys: Authored the current-main change that includes a selected context-engine slot plugin in the gateway startup plan, directly adjacent to the reported missing-engine startup trigger. (role: recent adjacent maintainer; confidence: high; commits: deb7b821c195; files: src/plugins/gateway-startup-plugin-ids.ts)
• openperf: Authored the graceful degradation path that falls back to legacy when a third-party context engine is not registered or fails resolution. (role: introduced fallback behavior; confidence: medium; commits: 6aa4515798cf; files: src/context-engine/registry.ts)
• steipete: Recent commits heavily maintain session maintenance, disk-budget behavior, and docs around the sessions cleanup surface that a guard would likely extend. (role: recent session maintenance owner; confidence: high; commits: de0d484236fc, fb40ed99a7f0, a2b84e98e981; files: src/config/sessions/disk-budget.ts, src/config/sessions/store-maintenance.ts, docs/gateway/config-agents.md)
• gumadeiras: Earlier session and cron maintenance hardening work appears to have introduced or substantially shaped the maintenance cleanup UX that this request would build on. (role: original adjacent contributor; confidence: medium; commits: eff3c5c70778; files: src/config/sessions/store-maintenance.ts, src/config/sessions/disk-budget.ts)

Remaining risk / open question:

• The requested default action is product-sensitive: startup archival can lose visible transcript history for users whose legacy JSONL is the source of truth.
• The right threshold is model-, workflow-, and engine-dependent, so a fixed 1 MB default needs maintainer review before becoming core policy.
• Current main appears to fix one startup omission for selected context-engine plugins, which may reduce the reported incident frequency but does not remove the broader missing-engine/failing-engine guard gap.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 990f931a2efc.

[100yenadmin]

@steipete @vincentkoc as a major contributor of LCM, I hate to admit it but when it breaks we get no blame and everyone says OC is broken!

Today is no different, when it got disabled in update many people got immediate claw gateway crash or 20minutes or more of system compacting massive files (if it even could, some people got rate limited and it just broke experience entirely).

In this case, patch broke but massive session files are a big risk to user experience. The prior fix messing with context engine overflow was a headache that also caused a lot of issues and broken user experiences.

Half my users got rate limited because their session files and system couldn't handle the compactions, thus I'm woken up 3am and everyone is pissed OC is "broke". Lot's of ways to fix this I can pursue any of them, though the above is likely the best path.

[100yenadmin]

Update: PR #76950 has been pushed with operator-feedback updates (rationale).

Three changes from the original proposal in this issue:

1. Default threshold 1mb → 2mb

Math: 1MiB ≈ 250k tokens of message content; 2MiB ≈ 500k tokens. 500k tokens overflows every shipping context window and overflows much sooner on 200-256k effective-window models. 2mb is the realistic guardrail; still configurable down via session.maintenance.contextFallbackGuard.sizeBytes.

2. Two trigger paths, one policy

Original proposal only covered the "configured engine fails to load" case. Most users hit the bigger unmanaged-growth case: no context engine ever configured, jsonl grows forever under legacy.

Important distinction the PR documents:

Engine	What it does to the on-disk jsonl
LCM	Actively rewrites it. Compactions replace runs of messages with summary entries. The jsonl actually shrinks.
Legacy (default)	Doesn't touch it. Compaction is in-memory prompt windowing only — the jsonl grows append-only.

So the PR adds two trigger paths funneling into one shared guard:

• On-fallback (inside resolveContextEngine): catches "configured engine failed to load mid-conversation"
• Boot-time (in server-startup-post-attach.ts after logGatewayStartup): catches "no engine configured" + "engine plugin missing from loaded set"

When the configured engine is loaded and active, the boot guard short-circuits — the engine itself owns size management.

3. Operator message includes a copy-pasteable recovery prompt

The terse single-line warn/archive was replaced with a structured block that ends with a copy-pasteable agent prompt. Sizing for the prompt:

• ~200 message tail (the fresh session has the whole context window to absorb context — don't be miserly)
• 1-2k tokens per chunk (matches LCM's chunked-summary granularity)
• ~40k tokens aggregate ceiling (leaves 200-300k tokens of headroom for ongoing work)

Full example block in the PR comment.

Status

PR #76950 is ready for review. 72 tests pass; locally swap-tested against a live gateway with LCM as the active engine.

[steipete]

Thanks for the report and the detailed context.

Closing this as not an OpenClaw core hotfix issue. The immediate failure mode here is lossless-claw compatibility/install/load behavior: when that plugin disappears or fails to load, OpenClaw falls back to legacy and exposes the oversized-session symptoms. The fix should happen in lossless-claw first.

Core hardening around missing context engines may still be worth revisiting separately, but it should be a conservative diagnostic/warn-only path unless we explicitly decide on transcript rotation policy. Auto-archiving session transcripts at gateway boot is product-sensitive and should not ride the hotfix as the primary answer to a plugin load failure.