[Bug]: commitments store has no write serialization — concurrent `markCommitmentsStatus` / `markCommitmentsAttempted` calls silently lose dismiss/sent/attempt updates (data-loss class; can re-deliver an already-sent commitment)

[YB0y]

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

The commitments store (~/.openclaw/commitments/commitments.json) is updated by markCommitmentsAttempted / markCommitmentsStatus (src/commitments/store.ts:434-461, 463-493) and by upsertInferredCommitments (src/commitments/store.ts:295-331) via an unsynchronized load-modify-save pattern: each call independently reads the entire store, mutates in memory, and writes the whole file back. There is no lockfile, mutex, or writer queue around the critical section.

When two callers race (background heartbeat + user CLI dismiss, or two heartbeat ticks for different sessions, or two Promise.all-style calls within one heartbeat tick), whichever save lands second silently overwrites the first caller's mutation with stale data from before the first save.

By contrast, the session store (src/config/sessions/store.ts:432, 442, 556, 638) wraps every mutation in runExclusiveSessionStoreWrite(storePath, fn) — a per-path async writer queue defined in src/config/sessions/store-writer.ts:14-97 (uses WRITER_QUEUES: Map<string, SessionStoreWriterQueue>). That exact pattern is exported from the session-store and could be reused for commitments. Commitments has no equivalent protection.

Failure modes that manifest under concurrency:

1. Lost dismiss — User runs openclaw commitments dismiss cm_xyz while the heartbeat is bumping attempts on another commitment. Heartbeat's snapshot lacks the dismiss; heartbeat's save wins → cm_xyz reverts to pending and gets delivered to the user.
2. Lost "sent" status → duplicate delivery — Heartbeat marks cm_xyz as sent (src/infra/heartbeat-runner.ts:1929). A concurrent markCommitmentsAttempted (src/infra/heartbeat-runner.ts:1568) on a different commitment overwrites the snapshot → next heartbeat tick sees cm_xyz as still pending and re-sends the same commitment. User-visible: duplicate follow-up message.
3. Lost attempts counter — Same race: attempts: N+1 gets rolled back to N; the retry-budget cap (maxPerDay) is silently extended; the user gets more reminders than the configured policy allows.

Verified live on v2026.5.10-beta.1 (152ea9af34); same source on v2026.5.7 stable.

Steps to reproduce

Deterministic in-process repro using the built dist/commitments/store.js directly. The same race triggers via CLI + heartbeat overlap in practice but the timing window is wider in-process.

cd ~/Gittensor/OpenCoven/openclaw-upstream     # any current checkout (HEAD 152ea9af34 verified)
export PATH=~/.nvm/versions/node/v22.22.2/bin:$PATH
pnpm install --prefer-offline                  # if dist/ isn't already built
pnpm build                                     # if needed

cat > race-repro.mjs <<'EOF'
import {
  loadCommitmentStore,
  saveCommitmentStore,
  markCommitmentsStatus,
  resolveCommitmentStorePath,
} from "./dist/commitments/store.js";

function seedStore() {
  const now = Date.now();
  return {
    version: 1,
    commitments: ["A", "B"].map((tag) => ({
      id: `cm_race${tag}`,
      agentId: "qa-race",
      sessionKey: "qa-race-session",
      channel: "slack",
      kind: "follow_up",
      sensitivity: "normal",
      source: "qa-seed",
      status: "pending",
      reason: `QA race repro id ${tag}`,
      suggestedText: `ping ${tag}`,
      dedupeKey: `qa-race-${tag}`,
      confidence: 0.9,
      dueWindow: { earliestMs: now - 1000, latestMs: now + 3600_000, timezone: "UTC" },
      createdAtMs: now,
      updatedAtMs: now,
      attempts: 0,
    })),
  };
}
async function snap() {
  const s = await loadCommitmentStore();
  return Object.fromEntries(s.commitments.map((c) => [c.id, c.status]));
}

let loss = 0, ok = 0;
for (let i = 0; i < 20; i++) {
  await saveCommitmentStore(undefined, seedStore());
  await Promise.all([
    markCommitmentsStatus({ ids: ["cm_raceA"], status: "dismissed", nowMs: Date.now() }),
    markCommitmentsStatus({ ids: ["cm_raceB"], status: "dismissed", nowMs: Date.now() }),
  ]);
  const a = await snap();
  if (a.cm_raceA === "dismissed" && a.cm_raceB === "dismissed") ok++; else loss++;
  console.log(`trial ${i+1}: A=${a.cm_raceA} B=${a.cm_raceB}`);
}
console.log(`\n${loss}/20 trials lost a write`);
EOF

node race-repro.mjs

Result (verified on v2026.5.10-beta.1 / 152ea9af34): 20/20 trials lose one of the two dismisses. One of the commitments reverts to pending every single time.

trial 1: A=pending B=dismissed
trial 2: A=pending B=dismissed
trial 3: A=pending B=dismissed
…
trial 20: A=dismissed B=pending

20/20 trials lost a write

Expected behavior

Both dismisses should succeed; final state should have both cm_raceA and cm_raceB marked dismissed. Equivalent reasoning applies to markCommitmentsAttempted and upsertInferredCommitments: independent mutations to disjoint records should not lose each other.

The session store achieves this with runExclusiveSessionStoreWrite(storePath, fn) (src/config/sessions/store-writer.ts:72) — every load-modify-save is queued per-store-path so a second writer can only start after the first writer's save commits. The commitments store should use the same pattern.

Actual behavior

markCommitmentsStatus and markCommitmentsAttempted perform the following sequence with no lock:

// src/commitments/store.ts:434-461
export async function markCommitmentsAttempted(params: {…}): Promise<void> {
  …
  const store = await loadCommitmentStore();          // ← read snapshot S0
  let changed = false;
  store.commitments = store.commitments.map((commitment) => { … });   // ← mutate in memory
  if (changed) {
    await saveCommitmentStore(undefined, store);      // ← write back
  }
}

The save path uses privateFileStore(...).writeJson(...) which DOES atomic-rename on disk, so the file is never torn. But atomic-rename only protects against partial reads; it does not protect against last-writer-wins data loss between two read-modify-save cycles whose reads happen before the first cycle's save commits.

Sequence diagram of the bug:

caller A                                  caller B                                disk
─────────                                 ─────────                                ─────
loadCommitmentStore()           → S0
                                          loadCommitmentStore()         → S0
mutate(A=dismissed in S0)→S1_A
                                          mutate(B=dismissed in S0)→S1_B
saveCommitmentStore(S1_A) ───────────────────────────────────────────────────→  {A:dismissed, B:pending}
                                          saveCommitmentStore(S1_B) ─────────→  {A:pending,   B:dismissed}   ← A's dismiss is gone

20/20 reproduction shows this is deterministic when both markCommitmentsStatus calls share an event-loop tick (typical of Promise.all and concurrent CLI/heartbeat invocations).

OpenClaw version

v2026.5.10-beta.1, v2026.5.7

Operating system

Ubuntu 24.04

Install method

No response

Model

Not applicable

Provider / routing chain

Not applicable

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open: current main still has the unsynchronized commitments store read-modify-save paths, and the reported lost-update behavior is a real existing bug rather than a feature request.

Reproducibility: yes. The provided Promise.all repro targets exported store functions, and current main source confirms both calls can read the same snapshot and later save whole-file stale state; I did not execute it because this review pass is read-only.

Next step
Narrow, source-proven data-loss bug in one store module with clear regression tests and no product or config decision required.

Review details

Best possible solution:

Add a commitments-store mutation helper that serializes per resolved store path across same-process and cross-process writers, then route all load-modify-save mutations through it with regression coverage.

Do we have a high-confidence way to reproduce the issue?

Yes. The provided Promise.all repro targets exported store functions, and current main source confirms both calls can read the same snapshot and later save whole-file stale state; I did not execute it because this review pass is read-only.

Is this the best way to solve the issue?

Yes, with one caveat: serializing commitments mutations is the right narrow fix, but reusing only the session store's in-process queue would be incomplete for CLI-versus-gateway races. Prefer a commitments-specific locked mutation helper using existing file-lock and queue patterns.

Acceptance criteria:

• pnpm test src/commitments/store.test.ts
• pnpm test src/infra/heartbeat-runner.commitments.test.ts
• pnpm check:changed

What I checked:

• Unsynchronized status and attempt writes: Current main loads the whole commitments store, mutates matching records in memory, then writes the whole file back for both markCommitmentsAttempted and markCommitmentsStatus; no writer queue or file lock wraps those critical sections. (src/commitments/store.ts:434, bebb36caa5c4)
• Upsert uses the same whole-file mutation pattern: upsertInferredCommitments calls loadCommitmentStoreWithExpiredMarked, mutates the loaded commitments array, and saves the whole store, so concurrent inferred writes can also lose independent changes. (src/commitments/store.ts:277, bebb36caa5c4)
• Heartbeat and CLI share the vulnerable mutation API: Heartbeat marks due commitments attempted before model work and later marks them dismissed or sent, while the CLI dismiss command also calls markCommitmentsStatus, matching the reported overlapping writer surfaces. (src/infra/heartbeat-runner.ts:1568, bebb36caa5c4)
• Comparable session store serialization exists: The session store wraps mutations in runExclusiveSessionStoreWrite, and the writer queue serializes per-store-path async tasks before saving. (src/config/sessions/store-writer.ts:72, bebb36caa5c4)
• Existing lock-plus-queue pattern covers this class of race: The persistent dedupe helper documents the same stale-read/last-writer-wins failure mode and uses a per-file in-process queue around withFileLock to avoid lost updates. (src/plugin-sdk/persistent-dedupe.ts:149, bebb36caa5c4)
• Current tests miss concurrent commitments writers: The commitments store tests cover enablement, delivery limits, expiry, legacy field cleanup, and listing, but not concurrent status or attempt writers. (src/commitments/store.test.ts:59, bebb36caa5c4)

Likely related people:

• @shakkernerd: Current blame and git log -S markCommitmentsStatus point the commitments store, heartbeat commitments calls, and comparable session writer code at Shakker's commit; repository credit metadata maps Shakker to @shakkernerd, but the shallow history makes this a medium-confidence routing signal. (role: feature-history owner / recent area contributor; confidence: medium; commits: 81fe17c4a655; files: src/commitments/store.ts, src/infra/heartbeat-runner.ts, src/config/sessions/store-writer.ts)

Remaining risk / open question:

• A session-store-style in-process queue alone would not cover CLI and gateway writers in separate processes; the fix should account for both same-process and cross-process writers.

Codex review notes: model gpt-5.5, reasoning high; reviewed against bebb36caa5c4.

[ai-hpc]

Hi, @YB0y I will review this

[jbetala7]

Opened PR #81910 with a commitments-store serialization fix and cross-process source-runtime proof that two concurrent dismiss writers both persist. PR: #81910