EmbeddedAttemptSessionTakeoverError fires on legitimate co-tenant writes to shared sessions (regression in 2026.5.17)

[eekfonky]

Summary

The new fingerprint-based session-takeover fence introduced in 2026.5.17 (Agents/sessions: ... release the embedded run's coarse transcript lock before model I/O while locking persistence and cleanup separately. Fixes #13744) treats any write to the session jsonl during the releaseForPrompt() window as adversarial takeover — including writes from legitimate co-tenants on the same session (heartbeat, cron, channel ingress) that go through the installSessionEventWriteLock / installSessionExternalHookWriteLock hooks.

Once tripped, hasSessionTakeover() is sticky and every subsequent withSessionWriteLock call throws. The diagnostic surfaces as a stalled session with recovery=none; the user-facing TUI shows "gateway disconnected: closed | idle" because the WS lane stalls at model_call:started and never streams.

Environment

• OpenClaw 2026.5.18 (50a2481), Node 24.15.0, Linux LXC (Proxmox)
• Gateway: local, loopback only, single-user
• Default agent main, heartbeat 30m (default), kimi-k2.6:cloud primary via ollama-iron provider (~100s typical model call)
• Shared session agent:main:main is also used by 8+ cron jobs and a Discord channel

Reproduction

1. Configure default agent with Heartbeat 30m (default).
2. Run any embedded turn through a slow provider (Ollama cloud, ~100s).
3. Within ~30 minutes, heartbeat (or any other co-tenant) writes to the same session via the registered write-lock hooks while the model I/O window is open.
4. The next withSessionWriteLock throws EmbeddedAttemptSessionTakeoverError; model_call stalls; subsequent retries on the same controller also throw.

Observed

Journal:

[diagnostic] lane task error: lane=main durationMs=116088
  error="EmbeddedAttemptSessionTakeoverError: session file changed while
  embedded prompt lock was released: ...sessions/<sid>.jsonl"
[diagnostic] lane task error: lane=session:agent:main:main durationMs=116091 ...
[model-fallback/decision] decision=candidate_failed ... reason=unknown
  detail=session file changed while embedded prompt lock was released
[diagnostic] stalled session: ... activeWorkKind=model_call
  lastProgress=model_call:started lastProgressAge=150s recovery=none

Both lane=main and lane=session:agent:main:main error at the same instant on the same session file with near-identical durationMs (off by 2–3 ms across multiple occurrences), confirming a within-process race rather than an external-process modification. Reproduced 4× in 2 hours on agent:main:main — cadence matches heartbeat (30 min).

Expected

The fence should distinguish writes by registered co-tenants (which already synchronize via installSessionEventWriteLock / installSessionExternalHookWriteLock) from external/uncoordinated mutators. A coordinated write should either (a) participate in the fingerprint by refreshing it under the write lock, or (b) not trip the fence at all.

Alternatively, provide a recovery path so the controller can re-fingerprint and resume after a legitimate concurrent write, rather than becoming permanently stuck on recovery=none.

Code references (2026.5.18 bundle)

• dist/plugin-sdk/src/agents/pi-embedded-runner/run/attempt.session-lock.d.ts
• dist/selection-Cr-9-UpD.js lines ~7827 (error class), ~7884 (createEmbeddedAttemptSessionLockController), ~7911 (assertSessionFileFence), ~7919 (refreshSessionFileFence)
• The tunables session.writeLock.{acquireTimeoutMs, staleMs, maxHoldMs} (and corresponding OPENCLAW_SESSION_WRITE_LOCK_* env vars) do not affect the fence — it is fingerprint-based, not timeout-based.

Workarounds

• Restart gateway to clear the stalled lane (resets controller state — works until the next co-tenant write).
• Pin TUI / critical turns to a dedicated agent / session not shared with heartbeat / cron / channels.
• Roll back to 2026.5.16 (last build before the fence was added).

[clawsweeper]

Thanks for the context here. I swept through the related work, and this is now duplicate or superseded.

Close as superseded: the current code still has the reported strict fingerprint behavior, but the same remaining session-takeover work is now tracked by the older canonical issue and the active ownership-aware fix PR.

Canonical path: Track and finish the repair through #84059 and #84250, preserving this issue as linked co-tenant reproduction evidence.

So I’m closing this here and keeping the remaining discussion on #84059, #84250, and #84149.

Review details

Best possible solution:

Track and finish the repair through #84059 and #84250, preserving this issue as linked co-tenant reproduction evidence.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level: release one controller for prompt I/O, have another same-process lock-owning controller append to the same session file, then call the first controller's withSessionWriteLock. Current main's controller-local fingerprint path will reject that changed file as takeover.

Is this the best way to solve the issue?

Yes, superseding this duplicate is the best triage path because the remaining code change is already concentrated in the older canonical issue and active ownership-aware PR. The implementation should preserve external-edit fail-closed behavior while accepting narrow OpenClaw-owned transcript writes.

Security review:

Security review: Non-PR issue review; no patch security review applies, though the canonical fix must preserve external session mutation detection.

What I checked:

• Current strict fence remains on main: Current main still records a session-file fingerprint and throws EmbeddedAttemptSessionTakeoverError whenever the fingerprint differs after the prompt lock is reacquired. (src/agents/pi-embedded-runner/run/attempt.session-lock.ts:284, 1a7669bc63a0)
• Controller-local wiring explains the co-tenant failure: Each embedded attempt creates its own sessionLockController for the same session file, so another same-process controller can update the file while the first controller's fence snapshot remains stale. (src/agents/pi-embedded-runner/run/attempt.ts:2067, 1a7669bc63a0)
• Current tests only cover same-controller owned refresh: The main branch has coverage for an owned transcript mirror append routed back through the same controller, but not for another controller publishing a legitimate shared-session write during the first controller's prompt window. (src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts:186, 1a7669bc63a0)
• Shared-session automation is documented behavior: The docs describe heartbeat as a periodic main-session turn and cron modes that can use main or persistent custom sessions, so shared-session writes are a supported workflow rather than an obviously external mutation. Public docs: docs/automation/index.md. (docs/automation/index.md:112, 1a7669bc63a0)
• Canonical open issue already tracks the same root class: EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released #84059 is the older open EmbeddedAttemptSessionTakeoverError cluster with Feishu, Slack, WebChat, Discord, and later production evidence for the same 2026.5.18 prompt-release fence regression.
• Active superseding fix PR covers this two-controller path: fix(agents): tolerate in-process session writes during prompt release #84250 adds owned session-file fingerprint publication and tests a second controller publishing an owned transcript write while the first controller is released for prompt I/O. (src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts:218, da570f3c097b)

Likely related people:

• amknight: Merged history for the prompt-release session write-lock lifecycle and takeover fence points to PR Release embedded session write lock before model I/O #82891. (role: introduced behavior; confidence: high; commits: 8a060b2904d4; files: src/agents/pi-embedded-runner/run/attempt.session-lock.ts, src/agents/pi-embedded-runner/run/attempt.ts, src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts)
• dr00-eth: Recent merged adjacent work added the owned transcript write context and message-tool delivery lock path that the active fix builds on. (role: recent adjacent contributor; confidence: high; commits: 7ff20f6dac40, 65030f31649b; files: src/config/sessions/transcript-write-context.ts, src/config/sessions/transcript.ts, src/agents/pi-embedded-runner/run/attempt.ts)
• tianxiaochannel-oss88: Authored the active ownership-aware session-lock PR that covers the same two-controller in-process write class and external-edit negative cases. (role: likely follow-up owner; confidence: medium; commits: da570f3c097b; files: src/agents/pi-embedded-runner/run/attempt.session-lock.ts, src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts, src/config/sessions/transcript-write-context.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1a7669bc63a0.

[rafaelreis-r]

Confirmed in production on a separate install. Worth noting the same fence also overfires on the runner's own tool-call appends during a long multi-tool turn (not only co-tenant heartbeat/cron writes) — a "make 5 tool calls" prompt reproduces it 100%. Built main + #84046 locally and the false positive is gone — details in my comment on #84046.