EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released

[wuruofan]

Bug Description

After upgrading from OpenClaw 03.13 to 05.18, all embedded agent runs fail with:

EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: /Users/meow/.openclaw/agents/main/sessions/<session-id>.jsonl

This error occurs on every single message sent via Feishu channel, across all sessions (including fresh /new sessions). The issue is 100% reproducible.

Environment

• OpenClaw version: 2026.5.18 (50a2481)
• macOS version: Darwin 21.6.0
• Channel: Feishu (websocket mode)
• Provider: minimax/MiniMax-M2.7
• Node version: 22.22.1
• File system: APFS
• Compaction mode: safeguard (default)

Root Cause

The error originates in pi-agent-core@0.75.1 (the dependency was @mariozechner/pi-agent-core@0.58.0 in v03.13).

The embedded runner uses a session file fingerprint mechanism to detect session takeover:

1. releaseForPrompt() — releases the write lock but saves the session file fingerprint (mtimeNs, size, ino, ctimeNs)
2. [LLM processes the prompt, lock is released]
3. withSessionWriteLock() — re-acquires the lock and calls assertSessionFileFence() to verify the fingerprint matches
4. If fingerprint changed since step 1 → throws EmbeddedAttemptSessionTakeoverError

The fingerprint check is overly sensitive — it compares mtimeNs at nanosecond precision. Any change to the file during the prompt processing window (including internal writes from session hooks, trajectory writers, or filesystem metadata updates) triggers the error.

Key observations

• Compaction mode is safeguard (default), but no compaction is actually being triggered based on logs
• No concurrent requests — only one user sending messages
• Not filesystem time drift — APFS mtime updates are genuine within-process writes
• The problem is in pi-agent-core@0.75.1 — it was not present in pi-agent-core@0.58.0 (v03.13)

The fingerprint check was introduced in pi-agent-core@0.75.1 to detect when a session file is modified by a competing process during embedded prompt processing. However, it fails to distinguish between:

• Legitimate internal writes (session hooks, trajectory writers within the same process)
• External/takeover modifications (actual session hijacking)

Log Excerpt

2026-05-19T08:35:08.679Z info channels/feishu {"subsystem":"channels/feishu"} feishu[default]: dispatching to agent (session=agent:main:feishu:direct:ou_83a5b7cae4c04464194d61ea3613d837)
2026-05-19T08:36:36.842Z error diagnostic {"subsystem":"diagnostic"} lane task error: lane=main durationMs=87458 error="EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: /Users/meow/.openclaw/agents/main/sessions/95b31266-88de-4b33-a1ba-0cb86b3c1303.jsonl"
2026-05-19T08:36:36.846Z error diagnostic {"subsystem":"diagnostic"} lane task error: lane=session:agent:main:feishu:direct:ou_83a5b7cae4c04464194d61ea3613d837 durationMs=87461 error="EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: /Users/meow/.openclaw/agents/main/sessions/95b31266-88de-4b33-a1ba-0cb86b3c1303.jsonl"
2026-05-19T08:36:36.852Z error Embedded agent failed before reply: session file changed while embedded prompt lock was released: /Users/meow/.openclaw/agents/main/sessions/95b31266-88de-4b33-a1ba-0cb86b3c1303.jsonl

Affected Sessions

Every session file that was used after the upgrade triggers this error. Examples:

• 7b4b64d4-4c3c-467a-a0f7-a0399f1cb009.jsonl
• 35949831-37bb-40fb-8030-5da1a3454714.jsonl
• 95ffa57c-87cc-4bf7-804d-5b257af42f01.jsonl
• 9b997e88-4fb3-4154-a02c-e63e1dac219f.jsonl
• 95b31266-88de-4b33-a1ba-0cb86b3c1303.jsonl

Attempted Workarounds

• /new to create fresh sessions — does not fix the issue
• Restarting gateway — temporarily resolves, then recurs
• Setting agents.defaults.compaction.mode to off — no effect (the error is not caused by compaction)

Severity

Critical — OpenClaw is completely non-functional via Feishu channel after upgrade.

Suggested Fix Direction

The fingerprint check in pi-agent-core@0.75.1 should either:

1. Exclude internal writes: Mark files written by the same embedded runner process as non-takeover changes
2. Relax fingerprint precision: Use second-level mtime instead of nanosecond mtimeNs to ignore trivial filesystem metadata updates
3. Reload fingerprint after internal hooks: If a session hook writes to the session file during prompt processing, refresh the saved fingerprint before assertSessionFileFence()

---

Error class: EmbeddedAttemptSessionTakeoverError
Error message pattern: session file changed while embedded prompt lock was released: {sessionFile}

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main and v2026.5.18 still contain the reported embedded session-file fence, and source inspection shows the exact error is still thrown whenever the session file fingerprint changes after the prompt lock is released.

Reproducibility: no. high-confidence live reproduction was run. Source inspection confirms the exact current-main and v2026.5.18 error path will throw whenever the session file fingerprint changes during the released-lock prompt window.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.

Next step
This is a narrow source-backed repair candidate, but the fix worker should first identify and cover the legitimate same-process writer before changing the fence semantics.

Review details

Best possible solution:

Keep the takeover fence, make it ownership-aware for legitimate OpenClaw-managed transcript/session writes during the released-lock window, and add regression coverage that still rejects external takeovers.

Do we have a high-confidence way to reproduce the issue?

No high-confidence live reproduction was run. Source inspection confirms the exact current-main and v2026.5.18 error path will throw whenever the session file fingerprint changes during the released-lock prompt window.

Is this the best way to solve the issue?

Unclear whether relaxing timestamp precision is the best repair. The safer maintainable solution is to distinguish OpenClaw-owned internal writes from true external takeover and preserve tests for both cases.

Label justifications:

• P1: The report describes a fresh upgrade regression that breaks every Feishu embedded-agent message for a real user.
• impact:session-state: The failure is thrown by the embedded session-file takeover fence and directly concerns transcript/session file state.
• impact:message-loss: The channel accepts user messages but the embedded agent fails before producing a reply.

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts
• node scripts/run-vitest.mjs src/agents/pi-embedded-runner/context-engine-maintenance.test.ts src/agents/pi-embedded-runner/transcript-rewrite.test.ts
• node scripts/run-vitest.mjs src/agents/pi-embedded-runner/google-prompt-cache.test.ts src/agents/model-fallback.test.ts src/agents/failover-error.test.ts

What I checked:

• Current dependency version: Current main pins the Pi dependency family to 0.75.1, matching the reporter's upgraded runtime family. (package.json:1768, aef93881af5f)
• Current fingerprint fence: The session-file fingerprint includes dev, ino, size, mtimeNs, and ctimeNs, and equality requires exact nanosecond timestamp matches. (src/agents/pi-embedded-runner/run/attempt.session-lock.ts:101, aef93881af5f)
• Exact error path: withSessionWriteLock calls assertSessionFileFence after reacquiring the lock and throws EmbeddedAttemptSessionTakeoverError when the saved fingerprint differs. (src/agents/pi-embedded-runner/run/attempt.session-lock.ts:284, aef93881af5f)
• Prompt lock release boundary: Prompt submission waits for queued session events, releases the attempt lock, then calls the original stream function, matching the reported released-lock window. (src/agents/pi-embedded-runner/run/attempt.session-lock.ts:389, aef93881af5f)
• Attempt wiring: runEmbeddedAttempt creates the session-lock controller for the active session file and installs the prompt-submission release hook before provider streaming. (src/agents/pi-embedded-runner/run/attempt.ts:2049, aef93881af5f)
• Feishu path reaches embedded agent: Feishu dispatches inbound turns through core.channel.turn.run after logging the same dispatch-to-agent message shown in the report. (extensions/feishu/src/bot.ts:1630, aef93881af5f)

Likely related people:

• steipete: git blame and git log show the current session-lock file and fingerprint fence coming from commit 1c3ff34, and the v2026.5.18 release tag was prepared by the same author. (role: introduced behavior in available history; confidence: medium; commits: 1c3ff34d752f, 50a2481652b6; files: src/agents/pi-embedded-runner/run/attempt.session-lock.ts, src/agents/pi-embedded-runner/run/attempt.ts, package.json)
• joshavant: Recent current-main history touched the embedded attempt runtime in src/agents/pi-embedded-runner/run/attempt.ts while preserving channel reply context, near the same run lifecycle surface. (role: recent adjacent contributor; confidence: medium; commits: cc835b6d7276; files: src/agents/pi-embedded-runner/run/attempt.ts)
• Galin Iliev: Recent current-main history touched the embedded attempt cleanup/trajectory area, which is one of the internal-write classes named in the report. (role: recent adjacent contributor; confidence: low; commits: ddeaebfc6807; files: src/agents/pi-embedded-runner/run/attempt.ts)

Remaining risk / open question:

• No live Feishu, MiniMax, or APFS run was executed in this read-only pass, so the exact same-process writer that changes the session file during the released-lock window is not isolated yet.
• A too-broad relaxation of the fingerprint check could mask real external session takeovers; the fix needs regression coverage for both allowed internal writes and rejected external writes.

Codex review notes: model gpt-5.5, reasoning high; reviewed against aef93881af5f.

[tianxiaochannel-oss88]

Additional local repro/evidence from another OpenClaw 2026.5.18 install.

Environment:

• OpenClaw: 2026.5.18
• Runtime: Node.js 24.15.0
• Gateway: local LaunchAgent
• Channel: Slack socket mode
• Model: openai/gpt-5.5 through a local OpenAI-compatible proxy
• Config highlights:
  • agents.defaults.maxConcurrent = 4
  • Slack group/channel conversations active

Observed on 2026-05-19:

EmbeddedAttemptSessionTakeoverError total: 68

Top affected stored sessions:
- 16 occurrences
- 14 occurrences
- 8 occurrences
- 8 occurrences
- 8 occurrences

Representative redacted log shape:

lane task error: lane=main durationMs=300588 error="EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: ~/.openclaw/agents/main/sessions/<session-id>.jsonl"
lane task error: lane=session:agent:main:slack:channel:<redacted> durationMs=300592 error="EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: ~/.openclaw/agents/main/sessions/<session-id>.jsonl"

The failure often appears after long-running active work:

long-running session: state=processing reason=queued_behind_active_work activeWorkKind=model_call

User-visible behavior: the model appears to keep working or has already done work, but the final visible reply fails/drops because the embedded run cannot commit after the session file changed.

Local mitigation that should reduce repro frequency:

{
  "messages": {
    "queue": {
      "byChannel": {
        "slack": "followup"
      }
    }
  }
}

That mitigation queues later Slack input rather than steering/writing into the same active session, but it is only a workaround. The underlying issue still looks like same-session write contention during embedded prompt lock release.

[nxxxsooo]

I can reproduce the same EmbeddedAttemptSessionTakeoverError on OpenClaw 2026.5.12 in Docker on Unraid, but with a Feishu-specific trigger:

• Package: openclaw@2026.5.12
• Channel/plugin: Feishu / Lark (@larksuite/openclaw-lark, @openclaw/feishu)
• Runtime: Docker on Unraid
• Trigger: a Feishu im.message.reaction.created_v1 event arrives on the same message currently being processed by the embedded LLM
• Timing: reaction arrives ~2s after dispatch; the in-flight turn then throws ~75s later when the model reply returns
• Error:

EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released:
/home/node/.openclaw/agents/main/sessions/<uuid>.jsonl

Observed timeline (one of 6 reproductions in a 2h window on the same container):

16:10:21  message in om_x100b6ff5e01d284cc393017aa48eeb6
16:10:22  dispatched to agent (session=agent:main:feishu:group:oc_6fd7...)
16:10:24  feishu[main]: reaction event on message om_x100b6ff5e01d284cc393017aa48eeb6   <- same msgId
16:11:39  lane task error: EmbeddedAttemptSessionTakeoverError (durationMs=75489)
16:11:40  dispatch complete (queuedFinal=true, replies=1)  <- "Something went wrong" card

6 of 7 takeover events in this window were preceded by a feishu[...]: reaction event log line 20-75s earlier. The 7th was on a different session without a reaction. Reactions on a different agent on the same container never triggered the race.

This looks like the same session-file fence mechanism already described in this issue, but the mutating event is not a second user text message — it is a Feishu reaction event on the active message. The reaction handler at openclaw-lark/src/messaging/inbound/reaction-handler.js documents that it bypasses the 7-stage message pipeline and dispatches directly via dispatchToAgent:

// Handles im.message.reaction.created_v1 events by building a MessageContext
// directly and dispatching to the agent via dispatchToAgent, BYPASSING the full
// 7-stage message pipeline.

The event-handler enqueues the reaction with the same chatId as normal messages (event-handlers.js:159-228, comment at L191-194 explicitly says "matches normal message queue key"), but the chat queue only serializes channel-side bookkeeping — it does not serialize the embedded session write lock (installSessionEventWriteLock / withSessionWriteLock / assertSessionFileFence in the bundled selection-Cr-9-UpD.js, L7785-L7980). So the reaction's dispatch acquires the write lock during the original lane's releaseForPrompt() window, writes events, bumps mtimeNs/ctimeNs/size, and the original lane's next withSessionWriteLock call trips the fingerprint mismatch.

Forensic confirmation from the session file (<uuid>.jsonl.reset.<ISO-ts> after the throw, 34 events, 90KB): the failing turn's last assistant.toolCall name=message never resolved to a toolResult; the trajectory file's session.ended for that turn is stamped at exactly the throw moment. No further appends to the session were visible before the rename.

Expected behavior (any one of these would resolve the Feishu variant):

• Reaction events should not mutate the active prompt transcript during the released-lock window, OR
• Same-session channel events should be queued/single-flighted behind the active embedded turn (the existing chat-queue key needs to extend into the session write lock), OR
• Reaction metadata should be written outside the transcript fence / ignored for takeover detection.

Workaround that confirms the trigger (not yet applied here): setting channels.feishu.accounts.<account>.reactionNotifications = "off" should stop the bot from subscribing to reaction events on that account.

Happy to share full logs, the renamed session JSONL, and the trajectory file if useful.

[WhiteGiverMa]

Same issue here — 100% reproducible on every message after upgrading to v2026.5.18.

Environment:

• WSL2 (Ubuntu, Linux 6.6.87.2-microsoft-standard-WSL2)
• Node v24.14.0
• Channel: WebChat (direct)
• Model: opencode-go/deepseek-v4-pro
• ext4 filesystem

Symptoms:

• Every turn triggers EmbeddedAttemptSessionTakeoverError
• Both lane=main and lane=session:agent:main:main fail simultaneously
• WebChat ... loading animation never finishes after reply
• Excluded external causes: no memory-recorder, no Hindsight, no concurrent file writers — error persists regardless

Session file observations:

• Permissions show 0664 (other sessions are 0600)
• Multiple .bak files accumulated (3 backups at different timestamps)
• Error timing: ~19 seconds after embedded run agent end, matching the fingerprint check window described above

This is clearly the nanosecond-precision fingerprint false-positive in pi-agent-core 0.75.1.

[dr00-eth]

Additional Discord + Lossless Claw + fallback-classification evidence from another OpenClaw 2026.5.18 install.

Environment

• OpenClaw: 2026.5.18
• Runtime: Pi embedded runner
• Channel: Discord group channel
• Primary model: openai/gpt-5.5
• Fallbacks at the time: anthropic/claude-sonnet-4-6, openai/gpt-5.5
• Lossless Claw installed: @martian-engineering/lossless-claw@0.11.1
• Related Lossless Claw issue filed for a same-turn plugin error: afterTurn transcript reconcile fails in 0.11.1: clearStableOrphanStrippingOrdinal is not a function Martian-Engineering/lossless-claw#713

Observed timeline

The affected Discord channel session had just been reset/recovered and Lossless assembled a tiny context for the new session:

2026-05-19T11:22:33.400-05:00 [lcm] assemble: done conversation=606 session=f8dcfe0a-78fb-4575-895a-74e6aae6d3fa sessionKey=agent:main:discord:channel:1433563133724725258 ... estimatedTokens=194 ...

The same turn then logged a Lossless afterTurn reconcile failure:

2026-05-19T11:22:38.943-05:00 [lcm] afterTurn: transcript reconcile failed for session=f8dcfe0a-78fb-4575-895a-74e6aae6d3fa sessionKey=agent:main:discord:channel:1433563133724725258: this.clearStableOrphanStrippingOrdinal is not a function

Local package inspection of @martian-engineering/lossless-claw@0.11.1 found clearStableOrphanStrippingOrdinal referenced once in the built package and no apparent definition, so that part is being tracked upstream in the linked Lossless issue.

About ten seconds later, the OpenClaw embedded run hit the same takeover error:

2026-05-19T11:22:48.805-05:00 lane task error: lane=main durationMs=17473 error="EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: /Users/andrewmeyer/.openclaw/agents/main/sessions/f8dcfe0a-78fb-4575-895a-74e6aae6d3fa.jsonl"
2026-05-19T11:22:48.808-05:00 lane task error: lane=session:agent:main:discord:channel:1433563133724725258 durationMs=17477 error="EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: /Users/andrewmeyer/.openclaw/agents/main/sessions/f8dcfe0a-78fb-4575-895a-74e6aae6d3fa.jsonl"

Fallback behavior question

The takeover error was then treated as a failed model candidate and advanced to the configured model fallback chain:

2026-05-19T11:22:48.832-05:00 model fallback decision:
requestedProvider=openai
requestedModel=gpt-5.5
candidateProvider=openai
candidateModel=gpt-5.5
attempt=1
total=2
errorPreview=session file changed while embedded prompt lock was released: ...
fallbackStepToModel=anthropic/claude-sonnet-4-6
fallbackConfigured=true

2026-05-19T11:22:52.967-05:00 Embedded agent failed before reply:
All models failed (2): openai/gpt-5.5: session file changed while embedded prompt lock was released ... | anthropic/claude-sonnet-4-6: You've hit your limit ...

This may be congruent with the current documented fallback policy for unrecognized errors while candidates remain, but from an operator/product perspective it was surprising because the original failure was local session coordination, not evidence that openai/gpt-5.5 or the OpenAI provider was unavailable.

Suggested triage framing:

• bug: local session/storage coordination errors should not trigger model fallback,
• product change: add a narrower fallback classifier or config knob for local/session errors,
• or expected behavior: docs/UI should make clear that local runner/session errors can trigger configured cross-provider fallback.

Current local mitigation

The global fallback list was changed from Anthropic-first to OpenAI-only:

openai/gpt-5.4

That avoids masking local session conflicts behind Anthropic quota failures, but it does not address the underlying takeover condition.