EmbeddedAttemptSessionTakeoverError races between heartbeat lane and channel/direct lane on same session file (internal ref #83510)

[ubehera]

Problem

EmbeddedAttemptSessionTakeoverError is fired when two embedded runs concurrently access the same session file — typically an agent's heartbeat lane racing a channel or direct lane on the same sessions/<uuid>.jsonl. The session-lock controller releases the write-lock around every provider stream call (releaseForPrompt() in attempt.session-lock.ts); during that release window, the other lane's writes mutate the file, the fence fingerprint (dev/ino/size/mtimeNs/ctimeNs) changes, and the original lane throws on reacquire.

In failover-error.ts, this is correctly classified via isNonProviderRuntimeCoordinationError, so the model-fallback chain aborts on it by design (no retries burned on the same provider). In practice this means the racing duplicate run on the same session file usually finishes and the user still gets a reply — but ~6% of affected turns propagate as user-visible Embedded agent failed before reply: All models failed, so the reply silently drops.

A pre-existing comment in attempt.session-lock.ts references internal issue #83510, so this is known but unfixed.

Reproduction

Any agent whose heartbeat is not marked isolatedSession: true and whose lanes share a session UUID:

1. Configure an agent whose agents.list[].heartbeat has isolatedSession: false (or omits it; default behavior depends on the agent template).
2. While the heartbeat embedded run is mid-stream (lock released for the provider call), an inbound chat event arrives on a lane that resolves to the same session file.
3. The chat-handler lane writes user-context entries; the heartbeat lane reacquires, fence mismatches, throws EmbeddedAttemptSessionTakeoverError.

Across a 3-day window in one observed deployment, 122 occurrences were logged across 37 distinct session files. Lane histogram:

Lane class	Count
synthetic main mirror	60
session:agent:<id>:main:heartbeat	36
session:agent:<id>:<channel-type>:channel:<id-A>	20
session:agent:<id>:<channel-type>:direct:<user>	3
session:agent:<id>:cron:…	1
session:agent:<other-id>:<channel-type>:channel:…	1
cron-nested	1

The worst single session accumulated 32 hits on one channel-bound UUID; another got 8 hits at the same channel. Heartbeat overlapping channel is the dominant pattern, not user-side double-send.

A specific reproducible trace from one session UUID: the gateway's stuck-session-recovery aborted an active embedded run and immediately re-fired a new run on the same session file, then both racing copies took turns invalidating each other's fence. durationMs values up to 1,303,727 ms (~22 min) confirm long-running embedded runs are exactly the ones that get stomped.

Code reference

• src/agents/pi-embedded-runner/run/attempt.session-lock.ts — EmbeddedAttemptSessionTakeoverError class; fence comparison in assertSessionFileFence; releaseForPrompt / reacquire path that builds the fingerprint.
• src/agents/failover-error.ts — isNonProviderRuntimeCoordinationError classifier with comment referencing internal #83510.
• src/agents/pi-embedded-runner/google-prompt-cache.ts — imports + catches EmbeddedAttemptSessionTakeoverError; second observation point.

The takeover detection itself works as designed; the bug is upstream — two lanes that should not be sharing the same session file are. The stuck-recovery path is the most reproducible contender: it kicks off a new embedded run on a session UUID that still has an active embedded prompt lock from the original run.

Proposed change

Two-part fix:

Part A — attempt.session-lock.ts: refuse to start a new embedded run on a session that already has one active.

Maintain a per-session-file registry of active embedded-prompt holders (in-process Map keyed by absolute path). When acquireForPrompt is invoked, check the registry; if a prior holder hasn't released, either wait on a promise the prior holder resolves on release, or escalate with a typed EmbeddedAttemptSessionContendedError so the caller can pick a fresh UUID.

const ACTIVE_EMBEDDED_PROMPTS = new Map<string, Promise<void>>();

async function acquireForPrompt(sessionFile: string, ...): Promise<SessionLock> {
  const existing = ACTIVE_EMBEDDED_PROMPTS.get(sessionFile);
  if (existing) {
    if (onContention === "wait") {
      await existing;
    } else {
      throw new EmbeddedAttemptSessionContendedError(sessionFile);
    }
  }
  let releaseSignal: () => void;
  ACTIVE_EMBEDDED_PROMPTS.set(sessionFile, new Promise(r => (releaseSignal = r)));
  // ... existing logic ...
  // on final release / completion / takeover, releaseSignal() and ACTIVE_EMBEDDED_PROMPTS.delete(sessionFile)
}

Part B — stuck-session-recovery: never re-fire on a session with an active embedded-prompt holder.

The abort_embedded_run recovery path should consult the same ACTIVE_EMBEDDED_PROMPTS registry before retriggering. If a holder exists, recovery should wait for natural release (timeout-bounded) or escalate to a fresh session UUID rather than racing.

Optional Part C — for agents without heartbeat.isolatedSession: true, the heartbeat lane competes with channel/direct lanes on the same UUID. Consider either making isolatedSession: true the default for new agent templates, or surfacing a warning at config-validation time so operators are aware of the contention surface.

Why

The race is reproducible in any multi-lane agent without isolated heartbeats. Six percent of contended turns silently drop the user-facing reply — significant on any chat surface where missed replies look like the bot ignoring the user. The classification path in failover-error.ts already treats takeover as a coordination error rather than a provider failure; the fix is to prevent the race from happening rather than handle it gracefully after the fact.

A coordination-only change (no behavior change for callers that don't contend) keeps the takeover-detection mechanism intact as a safety net while removing the actual cause.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Latest ClawSweeper review: 2026-05-24 05:01 UTC / May 24, 2026, 1:01 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main still has the transcript-file contention window, and the new live log evidence confirms the source-level race can drop replies in real channel runs. The earlier fallback classification fix handles the symptom after takeover, but it does not prevent duplicate embedded prompt holders from entering the same session file.

Reproducibility: yes. at source level, and the reporter has now added real gateway log evidence. Current tests and code show that a same-file mutation during releaseForPrompt() causes EmbeddedAttemptSessionTakeoverError; this review did not run a live heartbeat/channel harness.

Next step
This is a bounded core reliability repair with clear implicated files and validation targets, though it should start from a focused failing regression before any broader live proof.

Review details

Best possible solution:

Add a transcript-file-scoped embedded prompt ownership guard before provider streaming, then make stuck-session recovery wait, steer, or fail cleanly instead of starting a second holder on the same JSONL file.

Do we have a high-confidence way to reproduce the issue?

Yes at source level, and the reporter has now added real gateway log evidence. Current tests and code show that a same-file mutation during releaseForPrompt() causes EmbeddedAttemptSessionTakeoverError; this review did not run a live heartbeat/channel harness.

Is this the best way to solve the issue?

Yes for the narrow fix boundary: prevent or serialize duplicate embedded prompt holders by resolved session file before provider streaming. Changing heartbeat.isolatedSession defaults is a separate config/product choice and should not be required for the core bug fix.

Label changes:

• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.
• remove clawsweeper:needs-live-repro: Current issue advisory state no longer selects this label.
• remove issue-rating: 🐚 platinum hermit: Current issue advisory state no longer selects this label.

Label justifications:

• P1: The issue has real log evidence of user-visible dropped replies in active channel workflows and current main still lacks a prevention guard.
• impact:message-loss: The reported failure mode includes Embedded agent failed before reply: All models failed, which can suppress the expected channel reply.
• impact:session-state: The root cause is concurrent embedded runs mutating and invalidating the same session transcript file/fence.

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts
• node scripts/run-vitest.mjs src/logging/diagnostic-stuck-session-recovery.runtime.test.ts
• node scripts/run-vitest.mjs src/infra/heartbeat-runner.skips-busy-session-lane.test.ts
• node scripts/run-vitest.mjs src/agents/model-fallback.test.ts src/agents/failover-error.test.ts

What I checked:

• Current source releases the write lock during provider prompt and throws on changed session-file fence: createEmbeddedAttemptSessionLockController stores a fingerprint in releaseForPrompt, releases the held lock, and later assertSessionFileFence throws EmbeddedAttemptSessionTakeoverError when the same file changes outside trusted owned-write paths. (src/agents/pi-embedded-runner/run/attempt.session-lock.ts:670, fdfcb0795a26)
• Focused tests already prove the takeover condition, not the requested prevention: The lock tests assert that appending to the session file while the prompt lock is released makes the controller reject later writes with EmbeddedAttemptSessionTakeoverError; same-file second-controller cases are covered, but there is no file-scoped active prompt holder guard. (src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts:198, fdfcb0795a26)
• Active embedded-run registry is not keyed by transcript file: The active-run state stores maps by session id and session key, and setActiveEmbeddedRun accepts only sessionId, handle, and optional sessionKey, so aliases that resolve to the same JSONL file are not guarded there. (src/agents/pi-embedded-runner/run-state.ts:48, fdfcb0795a26)
• Stuck-session recovery can abort or force-clear active work by session id/key: recoverStuckDiagnosticSession resolves active embedded work through session key/id and then calls abortAndDrainEmbeddedPiRun; the tests explicitly cover active abort and force-clear lane release behavior, but not transcript-file holder coordination. (src/logging/diagnostic-stuck-session-recovery.runtime.ts:88, fdfcb0795a26)
• Related fallback fix is present but only handles classification after takeover: isNonProviderRuntimeCoordinationError now treats embedded session takeover as non-provider runtime coordination and the model fallback test expects the chain to stop after one attempt, which closes the older fallback-consumption issue but leaves this prevention bug open. (src/agents/failover-error.ts:268, fdfcb0795a26)
• Live-repro comment narrows the failure pattern: The reporter added real gateway log evidence with 122 takeover events over three days and a redacted trace where the same session file produced Embedded agent failed before reply: All models failed; the comment says the observed pattern is mostly intra-class re-entry via stuck-session recovery rather than heartbeat-vs-channel cross-class races.

Likely related people:

• steipete: Local blame and git show identify Peter Steinberger as the current-main author/committer for the central session-lock, active embedded-run registry, stuck-session recovery, and failover-classification files sampled in this review. (role: recent area contributor; confidence: medium; commits: c617009cbf8a; files: src/agents/pi-embedded-runner/run/attempt.session-lock.ts, src/agents/pi-embedded-runner/runs.ts, src/agents/pi-embedded-runner/run-state.ts)
• ubehera: The issue author supplied the real gateway log aggregate and redacted trace that narrow the failure pattern to same-file embedded-run re-entry, which is useful routing context even though it is not code ownership. (role: reporter and live reproduction provider; confidence: medium)

Remaining risk / open question:

• No automated live harness was run in this read-only review; the strongest current proof is source-level behavior plus reporter-provided real gateway logs.
• A repair must preserve the existing benign/owned transcript-write allowances while preventing two prompt holders for the same resolved file from entering provider streaming.
• The stuck-session recovery path is operator-impacting: changing abort/wait/force-clear behavior needs focused tests for active run, forced clear, and queued lane cases.

Codex review notes: model gpt-5.5, reasoning high; reviewed against fdfcb0795a26.

[ubehera]

Adding the live-repro evidence ClawSweeper asked for (clawsweeper:needs-live-repro). The race fires in practice on a normal OpenClaw + Discord setup; the lane pattern is slightly different from the cross-class hypothesis in the review and worth surfacing before any fix work.

Where the data comes from

Three-day window from one local OpenClaw deployment, sourced from ~/.openclaw/logs/gateway.err.log. Aggregate row counts come from a straight grep "EmbeddedAttemptSessionTakeoverError" plus a small Python parser that bins each line by owning lane class and target session file. No production sanitization beyond redacting one channel id.

Aggregate: 122 takeover events in 3 days

Owning lane class	Takeover events	Distinct session files touched
lane=session:agent:<id>:main:heartbeat	36	32
lane=session:agent:<id>:discord:channel:<id>	21	3
lane=session:agent:<id>:discord:direct:<id>	3	1
lane=cron…	2	2
lane=main (synthetic mirror; ~1 per owning lane)	60	—

The lane=main synthetic mirror lines pair 1:1 with an underlying owning lane (the gateway emits both for diagnostic mirroring), so the 60 mirrors closely match 36 + 21 + 3 = 60 underlying lane events.

Observed race pattern (matters for the fix shape)

Heartbeat × channel cross-class races: 0 in this window. Every takeover I observed was intra-class — heartbeat lanes racing on heartbeat-owned session files, or channel lanes racing on channel-owned session files. That's consistent with the registry analysis in the ClawSweeper review:

Active embedded registry is keyed by session id/key, not transcript file: ... setActiveEmbeddedRun accepts sessionId, handle, and optional sessionKey, but no sessionFile, so aliases that resolve to the same JSONL file are not guarded there.

In practice, the second "owner" that re-enters the same file is not a different lane class — it's the gateway's own stuck-session recovery firing a fresh embedded run on a session UUID whose file resolution aliases to the already-active file. Once both runs are mid-prompt with releaseForPrompt() calls, whichever lane reacquires last sees the fence mismatch and throws.

Live trace from one session

Session UUID 9dada894-1cb4-4610-a135-68d5ece67e51 (channel lane in the <id> slot below redacted). 4 takeover events on 2026-05-19 between 02:41 and 03:06, all on the same .jsonl file. The first batch (paired diagnostic + owning-lane lines) is verbatim from gateway.err.log:

2026-05-19T02:41:21.614-06:00 [diagnostic] lane task error: lane=main durationMs=120774 error="EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: ~/.openclaw/agents/main/sessions/9dada894-1cb4-4610-a135-68d5ece67e51.jsonl"
2026-05-19T02:41:21.616-06:00 [diagnostic] lane task error: lane=session:agent:main:discord:channel:<id> durationMs=120779 error="EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: ~/.openclaw/agents/main/sessions/9dada894-1cb4-4610-a135-68d5ece67e51.jsonl"
2026-05-19T02:41:21.623-06:00 [model-fallback/decision] model fallback decision: decision=candidate_failed requested=ollama-cloud/kimi-k2.6:cloud candidate=ollama/kimi-k2.6:cloud reason=unknown next=ollama/qwen3.5:cloud detail=session file changed while embedded prompt lock was released: ~/.openclaw/agents/main/sessions/9dada894-1cb4-4610-a135-68d5ece67e51.jsonl
2026-05-19T02:42:31.097-06:00 [diagnostic] lane task error: lane=main durationMs=69433 error="EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: ~/.openclaw/agents/main/sessions/9dada894-1cb4-4610-a135-68d5ece67e51.jsonl"
2026-05-19T02:42:31.099-06:00 [diagnostic] lane task error: lane=session:agent:main:discord:channel:<id> durationMs=69436 error="EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: ~/.openclaw/agents/main/sessions/9dada894-1cb4-4610-a135-68d5ece67e51.jsonl"
2026-05-19T02:42:34.010-06:00 Embedded agent failed before reply: All models failed (6): … session file changed while embedded prompt lock was released: ~/.openclaw/agents/main/sessions/9dada894-1cb4-4610-a135-68d5ece67e51.jsonl …

Two things to note in that capture:

1. The fence error names the same session file on both takeover lines (1.6 ms apart, owning lane vs synthetic mirror), with durationMs ≈ 120 s — i.e., the embedded run was 2 minutes deep into a provider stream when the fence flipped.
2. At 02:42:34 the chain fully exhausted, and the failure propagated as a user-visible Embedded agent failed before reply: All models failed (6). That's the 6% silent-drop rate path from the report.

What this changes about the fix shape

The ClawSweeper review proposed:

Add a transcript-file-scoped embedded prompt ownership guard that makes duplicate logical lanes wait, steer, or fail with a typed coordination result before they can mutate the same session file, while keeping the existing takeover fence as a safety net.

The live-repro data is consistent with that proposal — file-scoped ownership would catch this race because the second entrant on the same file would either wait or escalate cleanly instead of striding into a provider stream and getting torn down by the fence later. The proposed guard does not depend on cross-class lane interactions; intra-class re-entry (mostly via stuck-session recovery) is what the registry needs to defend against.

The bot's secondary suggestion to leave heartbeat.isolatedSession defaults alone is also still correct — even with isolated heartbeats, the channel/direct lanes still race their own recovery, so the registry guard is the load-bearing change.

Crabbox/Testbox repro

The data above is from a real local gateway, not a curated harness. A focused Crabbox repro that reliably triggers the race would need to (a) start an embedded run on a channel session, (b) interrupt it long enough that stuck-session-recovery kicks in, (c) verify the recovery's new run on the same file races the original. That harness would be the natural seed for the bot's named acceptance-criteria file src/infra/heartbeat-runner.skips-busy-session-lane.test.ts and is reasonable scope for the fix PR rather than this issue comment.

Happy to attach more redacted slices of the log on request — I tried to keep this comment focused on the parts a maintainer would want to confirm before signing off on the fix design.

[ubehera]

@clawsweeper re-review

Added live-repro evidence above (122 takeover events across 3 days, redacted log capture, lane breakdown). Confirms source-level analysis and the proposed file-scoped registry fix shape; the race pattern is intra-class (heartbeat-on-heartbeat or channel-on-channel via stuck-session-recovery re-entry) rather than the cross-class hypothesis in the original review. Should clear the clawsweeper:needs-live-repro label.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26352382902
• Updated: 2026-05-24T05:06:33.503Z