[Bug]: QMD archived session hits can be dropped by visibility filter due to normalized path mapping

[qxunomni-coder]

Summary

QMD can index and retrieve archived/reset session transcripts, but memory_search(corpus="sessions") can still drop those hits after retrieval because the session-hit visibility filter cannot map QMD's normalized archived-transcript path back to the original session key.

This is distinct from #80736 and #30220. Those covered archived transcripts being skipped or producing zero chunks. In this case, the archived transcript has content, QMD returns a hit, but the tool/API path removes it during post-search visibility filtering.

Related: #53550, #80736, #30220.

Environment

• OpenClaw: 2026.5.7 (eeef486)
• Backend: memory.backend = "qmd"
• QMD sessions enabled: memory.qmd.sessions.enabled = true
• Session recall query path: memory_search(..., corpus="sessions")
• Same-agent cross-session visibility configured for testing:
  • tools.sessions.visibility = "agent"
  • agents.defaults.sandbox.sessionToolsVisibility = "all"

Observed behavior

For a reset/archived session transcript, the QMD-exported source file exists with a name like:

<session-id>.jsonl.reset.<timestamp>.md

The exported Markdown contains the expected conversation text, and direct QMD/CLI search can retrieve it.

However, the memory_search tool path can return no archived hit for the same query. Non-archived session hits from the same QMD sessions collection do surface correctly.

Reproduction outline

1. Enable QMD session export:

{
  memory: {
    backend: "qmd",
    qmd: {
      sessions: { enabled: true }
    }
  }
}

2. Have a distinctive conversation in a session.
3. Reset/archive the session so the transcript becomes a usage-counted archive, e.g.:

<session-id>.jsonl.reset.<timestamp>

4. Let QMD export/index the archived transcript as Markdown.
5. Search for distinctive text from that archived transcript using direct QMD/CLI search. The hit is returned from a QMD sessions collection.
6. Search for the same text via the agent tool:

memory_search({ query: "<distinctive text>", corpus: "sessions", maxResults: 5, minScore: 0.1 })

7. The archived hit may be absent, while ordinary non-archived session hits still appear.

Local diagnosis

The failure appears to happen after QMD retrieval, inside the session-hit visibility filter:

• extensions/memory-core/src/session-search-visibility.ts
• filterMemorySearchHitsBySessionVisibility(...)
• extractTranscriptIdentityFromSessionsMemoryHit(...)
• resolveTranscriptStemToSessionKeys(...)

For normal QMD session result paths like:

qmd/sessions-main/<session-id>.md

extractTranscriptIdentityFromSessionsMemoryHit() derives <session-id>, and resolveTranscriptStemToSessionKeys() maps it back to the corresponding session store key. The visibility guard can then allow it.

For archived/reset hits, QMD may return a normalized/slugified result path like:

qmd/sessions-main/<session-id>-jsonl-reset-<timestamp>.md

The current identity extraction treats the whole slug as a plain .md stem:

<session-id>-jsonl-reset-<timestamp>

That stem does not match the canonical session id or session file basename in the combined session store, so resolveTranscriptStemToSessionKeys() returns no keys. With no mapped session key, filterMemorySearchHitsBySessionVisibility() drops the hit.

Expected behavior

If QMD returns an archived/reset session transcript hit, OpenClaw should map the QMD result path back to the original session id/key before applying session visibility.

For example, both of these should resolve to the same underlying session id:

<session-id>.jsonl.reset.<timestamp>.md
<session-id>-jsonl-reset-<timestamp>.md

Then the existing visibility policy (self / tree / agent / all, plus sandbox clamp and agent-to-agent rules) can decide whether to surface it.

Actual behavior

The archived hit is indexed and retrievable by QMD/CLI, but can be dropped by memory_search(corpus="sessions") because the normalized archived result path cannot be mapped back to a session key.

Why this matters

This creates a confusing failure mode:

• QMD has the transcript content.
• Direct search proves the archived session is indexed.
• memory_search(corpus="sessions") returns no relevant archived hit.
• Debug output reports only final hit counts, so users cannot tell whether the backend found hits that were later removed by visibility filtering.

From the user perspective, reset/archive can still look like forgotten conversation history even after the #80736 indexing fix.

Suggested fixes

1. Teach extractTranscriptIdentityFromSessionsMemoryHit() / related path handling to recognize QMD-normalized archived transcript names such as:

<session-id>-jsonl-reset-<timestamp>.md
<session-id>-jsonl-deleted-<timestamp>.md

and map them back to <session-id>.

2. Add a regression test where:

   • QMD returns a session hit path with a normalized archived/reset stem.
   • The combined session store has the canonical archived session id/file.
   • filterMemorySearchHitsBySessionVisibility() keeps the hit when visibility allows it.

3. Add memory_search debug counters for raw backend hits vs post-visibility-filter hits, with redacted reason buckets such as:

   • visibility_tree
   • sandbox_clamp
   • unmapped_transcript_stem
   • cross_agent_denied

This would make #53550-style failures much easier to diagnose without weakening the privacy model.

Privacy note

I intentionally used placeholder session ids/paths here. The underlying issue is filename/slug normalization and session-key resolution, not any user-specific data.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main has strong coverage for literal .jsonl.reset.* / .jsonl.deleted.* archive paths and best-effort QMD indexed-path recovery, but the reported raw QMD-normalized fallback path can still reach the visibility filter as a plain .md slug and fail to resolve to the canonical session key.

Reproducibility: yes. source-level reproduction is high confidence: pass a source: "sessions" hit with qmd/sessions-main/<id>-jsonl-reset-<timestamp>.md through the current visibility filter with a store entry for <id>, and the extractor/resolver path leaves no matching session key. I did not run a live QMD scenario.

Next step
This is a safe focused repair candidate: the remaining bug is localized to session transcript hit identity/path resolution and focused regression coverage, with no product or security decision required.

Review details

Best possible solution:

Add a narrow, visibility-preserving archive-stem normalization path for QMD-normalized reset/deleted transcript names, plus focused tests for both direct normalized filter inputs and QMD indexed-path recovery.

Do we have a high-confidence way to reproduce the issue?

Yes, source-level reproduction is high confidence: pass a source: "sessions" hit with qmd/sessions-main/<id>-jsonl-reset-<timestamp>.md through the current visibility filter with a store entry for <id>, and the extractor/resolver path leaves no matching session key. I did not run a live QMD scenario.

Is this the best way to solve the issue?

Yes, the narrow maintainable fix is to normalize QMD slugified reset/deleted archive stems in the shared session-hit identity/resolution layer while leaving the visibility guard policy unchanged. Debug counters would be useful follow-up observability, but the core bug fix is the mapping regression plus tests.

Label justifications:

• P2: The issue is a normal-priority memory recall bug with a limited surface in QMD session-search filtering.
• impact:message-loss: The reported failure drops otherwise retrieved session-memory search hits from memory_search(corpus="sessions").
• impact:session-state: The bug concerns archived session transcript identity mapping and cross-session recall state.

Acceptance criteria:

• node scripts/run-vitest.mjs src/plugin-sdk/session-transcript-hit.test.ts
• node scripts/run-vitest.mjs extensions/memory-core/src/session-search-visibility.test.ts
• node scripts/run-vitest.mjs extensions/memory-core/src/memory/qmd-manager.slugified-paths.test.ts

What I checked:

• Normalized slug still falls through as a plain markdown stem: extractTranscriptIdentityFromSessionsMemoryHit() handles literal archive basenames via parseUsageCountedSessionIdFromFileName(), but a QMD-normalized basename like <id>-jsonl-reset-<timestamp>.md reaches the .md branch and returns the whole slug as stem with archived: false. (src/plugin-sdk/session-transcript-hit.ts:51, 4c613fbfe05f)
• Resolver requires the extracted stem to match store identity: resolveTranscriptStemToSessionKeys() compares the extracted stem against entry.sessionFile basename or entry.sessionId; it does not normalize -jsonl-reset- / -jsonl-deleted- back to a usage-counted archive filename. (src/plugin-sdk/session-transcript-hit.ts:70, 4c613fbfe05f)
• Visibility filter drops session hits with no resolved keys: After extracting identity, filterMemorySearchHitsBySessionVisibility() resolves session keys and drops the hit when keys.length === 0, matching the reported post-retrieval loss mode. (extensions/memory-core/src/session-search-visibility.ts:86, 4c613fbfe05f)
• QMD path recovery is best effort, not a complete fallback contract: resolveDocLocationFromHints() first tries indexed path recovery, but if the index lookup fails it falls back to toCollectionRelativePath() with the raw hinted path, so a normalized QMD URI can still be exposed downstream. (extensions/memory-core/src/memory/qmd-manager.ts:2374, 4c613fbfe05f)
• QMD slug recovery exists for normal indexed cases: matchesPreferredFileHint() normalizes row paths and preferred QMD file hints, which should recover many local indexed slugified paths before they reach the visibility filter. (extensions/memory-core/src/memory/qmd-manager.ts:2528, 4c613fbfe05f)
• Session transcript QMD behavior is documented user-facing behavior: The QMD docs describe memory.qmd.sessions.enabled as exporting session transcripts into a dedicated QMD collection for recall, so dropped visible archived-session hits are a product bug rather than a new feature request. Public docs: docs/concepts/memory-qmd.md. (docs/concepts/memory-qmd.md:150, 4c613fbfe05f)

Likely related people:

• buyitsydney: Authored the merged archive visibility fix that current main builds on; the remaining report is a narrower normalized-path gap adjacent to that work. (role: prior archive visibility fix author; confidence: high; commits: 2ffdb5d248a1; files: src/plugin-sdk/session-transcript-hit.ts, extensions/memory-core/src/session-search-visibility.ts, packages/memory-host-sdk/src/host/session-files.ts)
• vincentkoc: Closed and merged the prior archive visibility fix, and was assigned on that PR during the same memory/session archive area. (role: merger and area reviewer; confidence: high; commits: 2ffdb5d248a1; files: src/plugin-sdk/session-transcript-hit.ts, extensions/memory-core/src/session-search-visibility.ts, packages/memory-host-sdk/src/host/session-files.ts)
• Takhoffman: Authored the commit that added QMD slugified path resolution coverage in qmd-manager.ts and qmd-manager.slugified-paths.test.ts, which is directly adjacent to the reported normalized-path behavior. (role: QMD path recovery contributor; confidence: medium; commits: 4f00b769251d; files: extensions/memory-core/src/memory/qmd-manager.ts, extensions/memory-core/src/memory/qmd-manager.slugified-paths.test.ts)
• eleqtrizit: Authored the earlier QMD canonical read-path alignment in qmd-manager.ts, which established part of the current QMD path-resolution contract. (role: QMD read-path contributor; confidence: medium; commits: 37d5971db364; files: extensions/memory-core/src/memory/qmd-manager.ts)
• steipete: Local blame and recent history show repeated maintenance around the affected session visibility and memory runtime paths on current main. (role: recent memory/session area contributor; confidence: medium; commits: 6a12c6f79915, 694ca50e9775, f91de52f0d23; files: extensions/memory-core/src/session-search-visibility.ts, extensions/memory-core/src/memory/qmd-manager.ts, src/plugin-sdk/session-transcript-hit.ts)

Remaining risk / open question:

• I did not run a live QMD or mcporter reproduction; the current-main failure is source-reproducible for the raw normalized fallback path.
• Normal local QMD indexed-path recovery may already avoid the bug in many deployments, so the fix should preserve that path and add a regression for the fallback/raw normalized URI case.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 4c613fbfe05f.

[steipete]

Fixed by #83518, landed in 40a5942.

Proof:

• PR CI green: https://github.com/openclaw/openclaw/actions/runs/26035328240
• Testbox-through-Crabbox tbx_01krxk7k1dtd4cncsafkm6s2n9: focused QMD tests, live real QMD sessions.json archive/slug/collision probe, and pnpm check:changed all passed.
• Local focused regression proof passed: node scripts/run-vitest.mjs src/plugin-sdk/session-transcript-hit.test.ts extensions/memory-core/src/session-search-visibility.test.ts extensions/memory-wiki/src/query.test.ts src/gateway/server-methods/config.shared-auth.test.ts.

Archived QMD session transcript hits now resolve back to the live session identity for visibility checks while preserving normal markdown session ids that only look archive-like.