[Bug] EmbeddedAttemptSessionTakeoverError causes truncated replies + kimi-k2.6 schema incompatibility after upgrade

[mobai-ink]

Describe the bug

After upgrading to 2026.5.16-beta.7, conversations on both webchat and telegram channels exhibit the following issues:

1. Replies are truncated mid-sentence — the embedded agent fails with EmbeddedAttemptSessionTakeoverError before completing its response.
2. LLM requests fail with 400 on kimi-k2.6 — the provider rejects the new reasoning_details field.
3. All web_fetch / web_search tool calls are blocked — DNS resolution for public domains is classified as "private/internal IP".

To Reproduce

1. Upgrade OpenClaw to 2026.5.16-beta.7.
2. Send a message via telegram or webchat.
3. Observe: the reply starts normally but gets cut off, followed by an error message.

Expected behavior

• Replies should complete fully without truncation.
• reasoning_details field should either be conditionally sent based on provider compatibility, or the provider should accept it.
• Public domain URL fetches should not be blocked by the security layer.

Actual behavior

Issue 1: EmbeddedAttemptSessionTakeoverError — Truncated Replies

[2026-05-18T12:57:26.922Z] ERROR diagnostic: lane task error: lane=main durationMs=24271 error="EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: <redacted>/agents/main/sessions/9b5ccdf9-f6d6-4455-a01a-255947761778.jsonl"

[2026-05-18T12:57:26.924Z] ERROR diagnostic: lane task error: lane=session:agent:main:telegram:direct:<redacted> durationMs=24274 error="EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: <redacted>/agents/main/sessions/9b5ccdf9-f6d6-4455-a01a-255947761778.jsonl"

[2026-05-18T12:57:26.933Z] ERROR console: Embedded agent failed before reply: session file changed while embedded prompt lock was released: <redacted>/agents/main/sessions/9b5ccdf9-f6d6-4455-a01a-255947761778.jsonl

Timeline of a single conversation:

• Inbound telegram message received
• Model snapshot taken (vercel-ai-gateway/deepseek-v4-flash)
• Partial reply sent via telegram
• EmbeddedAttemptSessionTakeoverError thrown, agent aborts
• Error message sent to telegram

Suspected root cause: A concurrency race condition — the session .jsonl file was modified by another process/thread while the embedded agent prompt lock was released, causing the agent to abort before completing its reply.

---

Issue 2: Model Schema Incompatibility — reasoning_details Rejected by kimi-k2.6

[2026-05-18T07:37:56.508Z] ERROR diagnostic: lane task error: lane=session:agent:main:main durationMs=39527 error="FailoverError: LLM request failed: provider rejected the request schema or tool payload."

[2026-05-18T07:37:56.513Z] WARN model-fallback/decision:
  {
    "reason": "format",
    "status": 400,
    "errorPreview": "400 Error from provider: Extra inputs are not permitted, field: 'messages[2].reasoning_details', value: 'The user greeted me with...'",
    "fallbackStepFinalOutcome": "chain_exhausted"
  }

[2026-05-18T07:38:44.014Z] WARN agent/embedded:
  {
    "isError": true,
    "error": "LLM request failed: provider rejected the request schema or tool payload.",
    "failoverReason": "format",
    "providerRuntimeFailureKind": "schema"
  }

Suspected root cause: After the upgrade, OpenClaw sends a reasoning_details field in the messages array. The opencode-go/kimi-k2.6 provider API does not accept this field and returns 400: Extra inputs are not permitted. Since no fallback model is configured (fallback chain has only 1 candidate), the request fails entirely.

---

Issue 3: DNS Resolution Blocked by Security Policy

[2026-05-18T07:57:44.289Z] WARN security: blocked URL fetch (url-fetch) targetOrigin=https://httpbin.org reason=Blocked: resolves to private/internal/special-use IP address
[2026-05-18T07:57:44.315Z] WARN security: blocked URL fetch (url-fetch) targetOrigin=https://api.firecrawl.dev reason=Blocked: resolves to private/internal/special-use IP address
[2026-05-18T07:57:51.103Z] WARN security: blocked URL fetch (url-fetch) targetOrigin=https://www.google.com reason=Blocked: resolves to private/internal/special-use IP address
[2026-05-18T07:57:51.113Z] WARN security: blocked URL fetch (url-fetch) targetOrigin=https://www.baidu.com reason=Blocked: resolves to private/internal/special-use IP address

Suspected root cause: DNS resolution for all public domains returns IP addresses that OpenClaw security layer classifies as private/internal/special-use, blocking all outbound URL fetches.

Environment

• OpenClaw version: 2026.5.16-beta.7 (fff4532)
• Node.js: v24.15.0
• OS: Linux
• Gateway mode: local, loopback bind
• Primary model: opencode-go/deepseek-v4-pro
• Channels affected: webchat, telegram

Configuration (relevant sections)

{
  "agents": {
    "defaults": {
      "model": {
        "primary": "opencode-go/deepseek-v4-pro"
      },
      "models": {
        "opencode-go/kimi-k2.6": {},
        "opencode-go/deepseek-v4-pro": {},
        "opencode-go/deepseek-v4-flash": {}
      }
    }
  },
  "gateway": {
    "mode": "local",
    "bind": "loopback"
  },
  "tools": {
    "web": {
      "search": {
        "provider": "firecrawl",
        "enabled": true
      }
    }
  }
}

Additional context

• Full log file available on request (~2MB, can provide privately)
• Issue 1 is the most critical — it directly causes user-facing response truncation.
• The EmbeddedAttemptSessionTakeoverError appears to be a regression introduced in this version, as the same configuration worked before the upgrade.

[clawsweeper]

Thanks for the context here. I swept through the related work, and this is now duplicate or superseded.

Close as duplicate/superseded: the combined report is valid, but each remaining symptom is now owned by a narrower canonical thread or fix path: session takeover in #84059 and #84250, OpenCode Go Kimi replay in #83812, and DNS/SSRF false positives in the existing guarded-fetch issues.

Canonical path: Keep the narrower canonical work queues: land one coherent session-fence fix, resolve the OpenCode Go recursive replay sanitizer, and handle DNS/SSRF policy changes only through the focused network issues with resolved-address proof.

So I’m closing this here because the remaining work is already tracked in the canonical issue.

Review details

Best possible solution:

Keep the narrower canonical work queues: land one coherent session-fence fix, resolve the OpenCode Go recursive replay sanitizer, and handle DNS/SSRF policy changes only through the focused network issues with resolved-address proof.

Do we have a high-confidence way to reproduce the issue?

Yes for source-level reproduction of the main failure families, but not as one end-to-end current-main live run. Current main still has the session fingerprint throw path, and the Kimi and DNS symptoms are now covered by narrower source-reproducible reports.

Is this the best way to solve the issue?

Yes, closing this umbrella as superseded is the best maintainer cleanup path. The remaining work should be reviewed and fixed in the narrower session, Kimi, and SSRF threads rather than in one combined issue.

Security review:

Security review needs attention: The DNS/SSRF part is security-boundary-sensitive and should stay in the focused guarded-fetch issues rather than being fixed by a broad private-network bypass.

• [medium] Keep SSRF fixes in the focused network threads — src/infra/net/ssrf.ts:371
  Any change for public-domain DNS false positives must preserve fail-closed private/internal IP handling and be reviewed against the canonical SSRF policy issues with actual resolved-address evidence.
  Confidence: 0.82

What I checked:

• issue_discussion: The report and follow-up comments include beta.7 logs for three separate runtime failures, plus independent confirmation of EmbeddedAttemptSessionTakeoverError causing lost or truncated channel replies.
• session_source_path: Current main still records a session-file fingerprint during releaseForPrompt and throws EmbeddedAttemptSessionTakeoverError when the fingerprint changes after the prompt lock is released. (src/agents/pi-embedded-runner/run/attempt.session-lock.ts:284, 168f8a758e64)
• partial_session_fix_on_main: Current main includes the merged fallback-classification fix from fix(agents): skip model fallback for embedded session takeover and session write-lock errors [AI-assisted] #83550, so session takeover no longer consumes model fallback candidates, but that PR explicitly did not solve the reply-loss race itself. (src/agents/model-fallback.ts:1201, 6a5a1353c7f0)
• canonical_session_thread: EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released #84059 is the active multi-environment EmbeddedAttemptSessionTakeoverError hub, and fix(agents): tolerate in-process session writes during prompt release #84250 is an open focused fix that targets the session-fence ownership boundary.
• canonical_kimi_thread: [Bug]: OpenCode Go / Kimi K2.6 sends unsupported reasoning_details in replayed messages #83812 tracks the same OpenCode Go Kimi K2.6 replay-schema failure with a narrower source-reproducible payload-sanitization scope. (extensions/opencode-go/stream.ts:24, 168f8a758e64)
• ssrf_split_context: The DNS/SSRF symptom lacks resolved-address details in this combined report; existing narrower SSRF threads cover known root families, including mixed special-use DNS in [Bug] web_fetch fails in dual-stack networks when DNS returns IPv6 special-use addresses #41993 and RFC2544 fake-IP opt-in already closed as implemented in web_fetch SSRF policy allowRfc2544BenchmarkRange not effective in 2026.5.12 #84723. Public docs: docs/tools/web-fetch.md. (docs/tools/web-fetch.md:146, 168f8a758e64)

Likely related people:

• amknight: ClawSweeper review history for the related open session-fallback PR ties EmbeddedAttemptSessionTakeoverError and the prompt-lock-release session fence to merged PR Release embedded session write lock before model I/O #82891. (role: embedded session-lock feature owner; confidence: high; commits: 8a060b2904d4; files: src/agents/pi-embedded-runner/run/attempt.session-lock.ts, src/agents/pi-embedded-runner/run/attempt.ts)
• tianxiaochannel-oss88: Authored the open focused session-fence PR that fixes the canonical session issue by tolerating owned in-process session writes while preserving external takeover rejection. (role: active canonical fix author; confidence: high; commits: 9857fa07af80, 5250aec1c955, 045530c4793b; files: src/agents/pi-embedded-runner/run/attempt.session-lock.ts, src/agents/pi-embedded-runner/run/attempt.ts, src/config/sessions/transcript-write-context.ts)
• luyao618: Authored the merged fallback-classification fix that stops EmbeddedAttemptSessionTakeoverError and session write-lock failures from walking model fallback candidates. (role: recent partial-fix author; confidence: high; commits: 91feed332795, 6a5a1353c7f0; files: src/agents/failover-error.ts, src/agents/model-fallback.ts, src/agents/model-fallback.test.ts)
• kays0x: Authored open PR fix(agents): stop false-positive session-takeover on runner's own transcript appends #84046, which addresses the same session takeover surface through append-only transcript-tail validation and references this report plus the canonical session hub. (role: alternate session-fence fix author; confidence: medium; commits: ac07599ff6da; files: src/agents/pi-embedded-runner/run/attempt.session-lock.ts, src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts, src/agents/pi-embedded-runner/transcript-file-state.ts)
• Alexander Krimm: The current ClawSweeper report for the narrower Kimi issue attributes the OpenCode Go Kimi wrapper, model normalization, and replay sanitizer/test lines to recent area work by this contributor. (role: OpenCode Go Kimi area contributor; confidence: medium; commits: 7cc4258dd592; files: extensions/opencode-go/stream.ts, extensions/opencode-go/provider-catalog.ts, extensions/opencode-go/index.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 168f8a758e64.

[mobai-ink]

I wonder if I could let my OpenCode take a look at where the problem is, although I'm not sure if it can find the issue.

[mobai-ink]

Code Analysis for Issue 1: EmbeddedAttemptSessionTakeoverError

I traced the error through the bundled source code. Here is the detailed breakdown:

Error Definition

File: dist/selection-DLj3d4H7.js (lines 7819-7823)

class EmbeddedAttemptSessionTakeoverError extends Error {
  constructor(sessionFile) {
    super(\`session file changed while embedded prompt lock was released: \${sessionFile}\`);
    this.name = "EmbeddedAttemptSessionTakeoverError";
  }
}

Core Mechanism: Session File Fence

This is a concurrency safety mechanism designed to prevent multiple processes/threads from writing to the same session file simultaneously.

Key function: createEmbeddedAttemptSessionLockController (lines 7876-7968)

Workflow:

1. Acquire write lock — The embedded agent acquires a write lock on the session file at startup (heldLock).

2. Release lock to send prompt — releaseForPrompt() (lines 7916-7922):

   async releaseForPrompt() {
     const lock = heldLock;
     heldLock = undefined;
     fenceFingerprint = await readSessionFileFingerprint(sessionFile); // Record file fingerprint
     fenceActive = true;  // Activate fence
     await lock.release(); // Release lock so LLM call can proceed
   }

3. Fingerprint comparison — assertSessionFileFence() (lines 7903-7909):

   async function assertSessionFileFence() {
     if (!fenceActive) return;
     const current = await readSessionFileFingerprint(sessionFile);
     if (!sameSessionFileFingerprint(fenceFingerprint, current)) {
       takeoverDetected = true;
       throw new EmbeddedAttemptSessionTakeoverError(sessionFile);
     }
   }

4. Fingerprint fields — sameSessionFileFingerprint (lines 7787-7790):

   function sameSessionFileFingerprint(left, right) {
     return left.dev === right.dev && left.ino === right.ino &&
            left.size === right.size && left.mtimeNs === right.mtimeNs &&
            left.ctimeNs === right.ctimeNs;
   }

   Compares 6 stat() fields: dev, ino, size, mtimeNs, ctimeNs, exists.

Trigger Path

The error is thrown in withSessionWriteLock (lines 7925-7940) when the LLM returns and the agent tries to write back to the session:

async withSessionWriteLock(run) {
  if (takeoverDetected) throw new EmbeddedAttemptSessionTakeoverError(sessionFile);
  // ...
  await assertSessionFileFence();  // ← Fingerprint mismatch detected here
}

The error is then caught and surfaced at agent-runner.runtime-krbCG0n1.js:1719:

defaultRuntime.error(\`Embedded agent failed before reply: \${message}\`);

Call Chain

installPromptSubmissionLockRelease (line 7970)
  → Wraps agent.streamFn, executing before each LLM call:
    → waitForSessionEvents()
    → releaseForPrompt()          ← Releases lock + records fingerprint

During LLM call (lock is released)
  → Another process/thread may modify the session file

After LLM returns
  → withSessionWriteLock()         ← Tries to re-acquire lock
    → assertSessionFileFence()     ← Fingerprint mismatch → throws error
      → EmbeddedAttemptSessionTakeoverError

Root Cause Analysis

Direct cause: Between releaseForPrompt() recording the fingerprint (line 7920) and assertSessionFileFence() checking it (line 7905), the session file properties (mtimeNs, size, or ino) were changed by another process/thread.

Likely trigger scenarios:

1. WebUI and Telegram operating on the same session — My config has session.dmScope: "per-channel-peer", which may cause webchat and telegram to share the same session. When a Telegram message arrives while webchat is also operating on the same session, concurrent writes occur.

2. Race condition during gateway restart — Logs show the gateway restarted multiple times around 20:49-20:50. The old process may not have fully released the file lock before the new process started writing.

3. Insufficient lock granularity in installSessionEventWriteLock and installSessionExternalHookWriteLock — These hooks (beforeToolCall, afterToolCall, compact, etc.) also use withSessionWriteLock, but during releaseForPrompt() (while the LLM is processing), these hooks are not triggered. So the issue likely stems from another gateway process or another channel's concurrent request modifying the session file.

Suggested Fix Directions

1. Add session-level mutex — Not just a file lock, but in-memory queuing for requests targeting the same sessionKey to prevent concurrent processing.

2. Improve fence fault tolerance — When takeover is detected, try to re-sync the session state instead of immediately aborting.

3. Concurrency safety for dmScope — When per-channel-peer mode causes multiple channels to share a session, stronger concurrency protection is needed.

[jsompis]

I also got this issue with openai/gpt-5.5 since 2026.5.6 beta6, current workaround is rolling back to 2026.5.6 beta5.

{
  "0": "{\"subsystem\":\"diagnostic\"}",
  "1": "lane task error: lane=main durationMs=127597 error=\"EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: /Users/<user>/.openclaw/agents/main/sessions/67ebbe47-a99f-4eec-9524-728658b5f6a2.jsonl\"",
  "_meta": {
    "runtime": "node",
    "runtimeVersion": "24.15.0",
    "hostname": "unknown",
    "name": "{\"subsystem\":\"diagnostic\"}",
    "parentNames": [
      "openclaw"
    ],
    "date": "2026-05-18T02:22:05.091Z",
    "logLevelId": 5,
    "logLevelName": "ERROR",
    "path": {
      "fullFilePath": "file:///opt/homebrew/lib/node_modules/openclaw/dist/subsystem-LmgZvqF7.js:178:14",
      "fileName": "subsystem-LmgZvqF7.js",
      "fileNameWithLine": "subsystem-LmgZvqF7.js:178",
      "fileColumn": "14",
      "fileLine": "178",
      "filePath": "/opt/homebrew/lib/node_modules/openclaw/dist/subsystem-LmgZvqF7.js",
      "filePathWithLine": "/opt/homebrew/lib/node_modules/openclaw/dist/subsystem-LmgZvqF7.js:178",
      "method": "logToFile"
    }
  },
  "time": "2026-05-18T09:22:05.092+07:00",
  "hostname": "<hostname>",
  "message": "lane task error: lane=main durationMs=127597 error=\"EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: /Users/<user>/.openclaw/agents/main/sessions/67ebbe47-a99f-4eec-9524-728658b5f6a2.jsonl\""
}
{
  "0": "{\"subsystem\":\"diagnostic\"}",
  "1": "lane task error: lane=session:agent:main:main durationMs=127604 error=\"EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: /Users/<user>/.openclaw/agents/main/sessions/67ebbe47-a99f-4eec-9524-728658b5f6a2.jsonl\"",
  "_meta": {
    "runtime": "node",
    "runtimeVersion": "24.15.0",
    "hostname": "unknown",
    "name": "{\"subsystem\":\"diagnostic\"}",
    "parentNames": [
      "openclaw"
    ],
    "date": "2026-05-18T02:22:05.098Z",
    "logLevelId": 5,
    "logLevelName": "ERROR",
    "path": {
      "fullFilePath": "file:///opt/homebrew/lib/node_modules/openclaw/dist/subsystem-LmgZvqF7.js:178:14",
      "fileName": "subsystem-LmgZvqF7.js",
      "fileNameWithLine": "subsystem-LmgZvqF7.js:178",
      "fileColumn": "14",
      "fileLine": "178",
      "filePath": "/opt/homebrew/lib/node_modules/openclaw/dist/subsystem-LmgZvqF7.js",
      "filePathWithLine": "/opt/homebrew/lib/node_modules/openclaw/dist/subsystem-LmgZvqF7.js:178",
      "method": "logToFile"
    }
  },
  "time": "2026-05-18T09:22:05.098+07:00",
  "hostname": "<hostname>",
  "message": "lane task error: lane=session:agent:main:main durationMs=127604 error=\"EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: /Users/<user>/.openclaw/agents/main/sessions/67ebbe47-a99f-4eec-9524-728658b5f6a2.jsonl\""
}
{
  "0": "{\"subsystem\":\"diagnostic\"}",
  "1": "lane task error: lane=main durationMs=46896 error=\"EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: /Users/<user>/.openclaw/agents/main/sessions/67ebbe47-a99f-4eec-9524-728658b5f6a2.jsonl\"",
  "_meta": {
    "runtime": "node",
    "runtimeVersion": "24.15.0",
    "hostname": "unknown",
    "name": "{\"subsystem\":\"diagnostic\"}",
    "parentNames": [
      "openclaw"
    ],
    "date": "2026-05-18T02:22:52.603Z",
    "logLevelId": 5,
    "logLevelName": "ERROR",
    "path": {
      "fullFilePath": "file:///opt/homebrew/lib/node_modules/openclaw/dist/subsystem-LmgZvqF7.js:178:14",
      "fileName": "subsystem-LmgZvqF7.js",
      "fileNameWithLine": "subsystem-LmgZvqF7.js:178",
      "fileColumn": "14",
      "fileLine": "178",
      "filePath": "/opt/homebrew/lib/node_modules/openclaw/dist/subsystem-LmgZvqF7.js",
      "filePathWithLine": "/opt/homebrew/lib/node_modules/openclaw/dist/subsystem-LmgZvqF7.js:178",
      "method": "logToFile"
    }
  },
  "time": "2026-05-18T09:22:52.603+07:00",
  "hostname": "<hostname>",
  "message": "lane task error: lane=main durationMs=46896 error=\"EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: /Users/<user>/.openclaw/agents/main/sessions/67ebbe47-a99f-4eec-9524-728658b5f6a2.jsonl\""
}
{
  "0": "{\"subsystem\":\"diagnostic\"}",
  "1": "lane task error: lane=session:agent:main:main durationMs=46903 error=\"EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: /Users/<user>/.openclaw/agents/main/sessions/67ebbe47-a99f-4eec-9524-728658b5f6a2.jsonl\"",
  "_meta": {
    "runtime": "node",
    "runtimeVersion": "24.15.0",
    "hostname": "unknown",
    "name": "{\"subsystem\":\"diagnostic\"}",
    "parentNames": [
      "openclaw"
    ],
    "date": "2026-05-18T02:22:52.610Z",
    "logLevelId": 5,
    "logLevelName": "ERROR",
    "path": {
      "fullFilePath": "file:///opt/homebrew/lib/node_modules/openclaw/dist/subsystem-LmgZvqF7.js:178:14",
      "fileName": "subsystem-LmgZvqF7.js",
      "fileNameWithLine": "subsystem-LmgZvqF7.js:178",
      "fileColumn": "14",
      "fileLine": "178",
      "filePath": "/opt/homebrew/lib/node_modules/openclaw/dist/subsystem-LmgZvqF7.js",
      "filePathWithLine": "/opt/homebrew/lib/node_modules/openclaw/dist/subsystem-LmgZvqF7.js:178",
      "method": "logToFile"
    }
  },
  "time": "2026-05-18T09:22:52.610+07:00",
  "hostname": "<hostname>",
  "message": "lane task error: lane=session:agent:main:main durationMs=46903 error=\"EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: /Users/<user>/.openclaw/agents/main/sessions/67ebbe47-a99f-4eec-9524-728658b5f6a2.jsonl\""
}

[aspalagin]

Confirming Issue 1 (EmbeddedAttemptSessionTakeoverError → lost/truncated replies) on a separate deployment.

Env

• Channel: telegram (direct chat with bot)
• Agent: long-lived embedded session, openai-codex/gpt-5.5, thinking=xhigh, harness=codex
• Host: Linux 6.8.0-111-generic (x64), Node v22.22.2

Repro pattern (consistent)

1. User sends message fix: add @lid format support and allowFrom wildcard handling #1, model is still mid-reply (xhigh thinking + tool_calls → 30-60s turns).
2. User sends message Login fails with 'WebSocket Error (socket hang up)' ECONNRESET #2 before the first reply lands.
3. While releaseForPrompt() has released the write-lock, the second inbound writes to the same <sessionId>.jsonl.
4. First turn returns from the provider, assertSessionFileFence() sees a changed fingerprint, throws EmbeddedAttemptSessionTakeoverError. Message fix: add @lid format support and allowFrom wildcard handling #1's reply is silently lost.

Concrete diagnostic line from our logs

2026-05-18T21:13:08.243+00:00 [diagnostic] lane task error:
  lane=session:agent:arseniy:telegram:direct:<redacted>
  durationMs=233163
  error="EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released:
         <agentDir>/sessions/<sessionId>.jsonl"

Code references (matches what @mobai-ink traced):

• dist/selection-Cr-9-UpD.js:7827 — error class
• :7884-7960 — createEmbeddedAttemptSessionLockController: releaseForPrompt() drops lock and snapshots fingerprint; assertSessionFileFence() later throws if the file changed
• There is no per-session turn queue around acquireSessionWriteLock, so a concurrent inbound just takes the lock and writes

Operator-side mitigations that do NOT fix the race

• payload.timeoutSeconds — irrelevant (cron-side, not embedded turn)
• agents.defaults.model.fallbacks — fallback fired against takeover (now skipped after fix(agents): skip model fallback for embedded session takeover and session write-lock errors [AI-assisted] #83550, but reply still lost)
• lightContext: true — narrows the window, doesn't close it
• Lowering thinking xhigh → high — narrows the race window 2-4x, still racy

What would actually help

• Per-session turn queue (or agents.execution.embedded.singleFlight: true) so a new inbound on the same session waits instead of racing the lock.
• Or: graceful retry of the first turn after takeover by replaying the provider response onto the rebased session, instead of dropping the reply.
• Or at least: surface a user-visible "your previous reply was dropped, please resend" event when takeover happens, so messages aren't silently lost.

Happy to attach more logs or test a patch against this deployment if useful.

[jsompis]

I agreed with aspalagin idea about implement Per-session turn queue.