pi-embedded-runner: stale sessionLastAssistant leaks prior provider's error string into later candidates in model-fallback

[jarvis-lane]

Summary

In pi-embedded-runner, the model-fallback loop reuses a single shared session file across every candidate provider. When the first candidate writes an assistant row with an errorMessage (e.g. OpenAI returns a real 429), and a later candidate (e.g. Anthropic, Google) times out without producing a new assistant for the current attempt, the failover path falls back to sessionLastAssistant.errorMessage from the shared session file and reports the previous provider's error string as if it came from the current candidate.

The net effect: a single real upstream error from provider A is re-surfaced as the failure cause for providers B and C, producing false-positive "all providers failed with the same error" output.

Where

• src/agents/pi-embedded-runner/run/attempt.ts — lastAssistant is computed by scanning messagesSnapshot for the most recent assistant regardless of provider.
• Bundled (production) lines from a 2026-05-24 build:
  • pi-embedded-Bcz04p2i.js:2865 (failover error construction):

    const assistantForFailover = currentAttemptAssistant ?? sessionLastAssistant;
    …
    new FailoverError(resolveAssistantFailoverErrorMessage(params), {
      …,
      rawError: params.lastAssistant?.errorMessage?.trim(),
    });

  • model-fallback-DIXhOaxb.js:379 (recordFailedCandidateAttempt) stores error: described.rawError ?? described.message, so the stale rawError wins over the candidate-attributed message.

(File names with hashes are from the published build artifact; map back to the corresponding source modules.)

Reproduction / observed cascade

1. OpenAI candidate hits a real 429 → session file now contains an assistant row with errorMessage = "You exceeded your current quota…" (and OpenAI as provider).
2. runWithModelFallback advances to Anthropic and spawns a fresh runEmbeddedPiAgent against the same sessionFile/sessionId.
3. The Anthropic request queues / hangs / aborts at the run-level timeout — no new assistant produced this attempt.
4. Failover-decision construction sees currentAttemptAssistant === undefined and falls back to sessionLastAssistant — which is still the OpenAI errored row.
5. The resulting FailoverError carries the OpenAI quota text as rawError, attributed (by the outer model-fallback) to Anthropic.
6. Same again for Google.

Smoking gun in our logs

Every [agent/embedded] embedded run failover decision line for two distinct runs (3c5d7ca0-83df-418b-be48-a9327459046a and b9ad1b27-…) logs from=openai/gpt-5.5 — including the decisions that the outer model-fallback layer interprets as Anthropic and Google candidate failures. There are zero from=anthropic/… or from=google/… decision logs. Inner pi-embedded-runner never saw a non-OpenAI-attributed assistant error.

Evidence table

For one failed run (runId=3c5d7ca0-83df-418b-be48-a9327459046a, 2026-05-24 06:38–06:43 PT):

Candidate	OUTER reason	OUTER detail (logged error string)	Real upstream call status
openai/gpt-5.5	rate_limit	OpenAI quota text	Real 429 — /v1/responses returned a genuine quota error from OpenAI (proxy logs confirm)
openai/gpt-5.5 (retry, different profile)	rate_limit	OpenAI quota text	Real 429 — same
anthropic/claude-opus-4-7	timeout	OpenAI quota text	No Anthropic 429 observed. Run ran ~123s and ended on run-level timeout; upstream proxy shows queued/rate-limited entries but no terminal quota-exhausted response for opus-4-7
google/gemini-3-pro-preview	timeout	OpenAI quota text	Same shape — reason=timeout, but detail is again the OpenAI quota text verbatim

Note specifically: two of the three statuses are timeout, not rate_limit — real quota errors produce immediate 429s, not run-level timeouts. And the error message is verbatim OpenAI's quota string; Anthropic and Google use entirely different wording for billing/quota errors.

Impact

• Misleads operators into believing all three providers are concurrently exhausted, when only one actually is.
• Drives unnecessary top-up / billing action on providers that aren't out of quota.
• Makes accurate triage of multi-provider gateways effectively impossible because the surfaced detail is unreliable for any candidate after the first failing provider.
• Hard to spot from the operator side because the detail looks like a fully-formed quota error.

In our own incident this caused a false-positive triple-provider quota outage that was only caught by RCA inspection of inner failover-decision logs.

Suggested fix

Two complementary guards:

1. In pi-embedded-runner failover construction (around the assistantForFailover = currentAttemptAssistant ?? sessionLastAssistant site):
   • If currentAttemptAssistant is undefined AND sessionLastAssistant?.provider !== <this candidate's provider>, do not propagate sessionLastAssistant.errorMessage as the FailoverError.rawError. Fall through to the candidate-attributed default (e.g. "LLM request timed out." / "no response from provider").
2. In recordFailedCandidateAttempt (the error: described.rawError ?? described.message site in model-fallback-…):
   • Additionally guard: if described.provider (from rawError attribution) differs from params.candidate.provider, prefer described.message over described.rawError.

Either guard alone would have prevented the false-positive in our case; both together are belt-and-suspenders.

Workaround

Operators can read from= in [agent/embedded] embedded run failover decision log lines instead of trusting the surfaced detail / outer error string. The workaround works but is fragile — it requires log access and inner-line correlation, and any wrapper that surfaces the outer error to humans (Slack alert, dashboard) will still show the stale text.

Severity

Medium. Functional fallback still works (requests do route to the next provider), and the workaround exists. But the misleading attribution actively damages triage of multi-provider failures, which is exactly when accurate signals matter most.

Filed by

Kentro.io engineering. Internal RCA tracked at KEN-4598 / KEN-4603. Happy to attach more log excerpts or test against a patch if useful.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Latest ClawSweeper review: 2026-05-24 14:53 UTC / May 24, 2026, 10:53 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main still has a source-level path where a later fallback candidate with no current assistant can reuse the previous provider's assistant error and surface that raw text under the later candidate.

Reproducibility: yes. at source level: current main can have currentAttemptAssistant undefined while sessionLastAssistant still points at prior session history, and the failover path then exports that assistant's error as rawError. I did not execute a live reproduction because this review was required to stay read-only.

Next step
This is a narrow, source-proven model-fallback bug with clear affected files and a focused regression-test path.

Review details

Best possible solution:

Keep the fallback chain behavior, but make assistant error attribution candidate-scoped so stale session assistants cannot provide raw error text for a different provider, with regression coverage for a prior-provider error followed by later-provider timeouts.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level: current main can have currentAttemptAssistant undefined while sessionLastAssistant still points at prior session history, and the failover path then exports that assistant's error as rawError. I did not execute a live reproduction because this review was required to stay read-only.

Is this the best way to solve the issue?

Yes, the suggested direction is the narrow maintainable fix: guard stale assistant reuse at the embedded-runner failover boundary and keep model-fallback summaries from preferring mismatched raw errors. The fix should preserve raw provider detail for same-candidate errors.

Label changes:

• add P2: This is a normal-priority model-fallback correctness bug with misleading operator diagnostics but no evidence of data loss, security bypass, or runtime outage.
• add impact:session-state: The reported failure depends on stale shared session transcript state leaking into a later fallback attempt.
• add impact:auth-provider: The visible problem is incorrect provider/model fallback attribution and provider-facing error reporting.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P2: This is a normal-priority model-fallback correctness bug with misleading operator diagnostics but no evidence of data loss, security bypass, or runtime outage.
• impact:session-state: The reported failure depends on stale shared session transcript state leaking into a later fallback attempt.
• impact:auth-provider: The visible problem is incorrect provider/model fallback attribution and provider-facing error reporting.

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/pi-embedded-runner/run.cross-provider-fallback-error-context.test.ts
• node scripts/run-vitest.mjs src/agents/model-fallback.test.ts
• git diff --check

What I checked:

• Current main selects stale session assistant when no current assistant exists: On current main, assistant failover still computes assistantForFailover as currentAttemptAssistant ?? sessionLastAssistant, so a candidate with no new assistant can inherit the last assistant from shared session history. (src/agents/pi-embedded-runner/run.ts:2472, 694d45e535db)
• Attempt snapshot separates current attempt from full session history: lastAssistant is the most recent assistant in the full snapshot, while currentAttemptAssistant searches only messages after prePromptMessageCount; this makes the reported no-current-assistant fallback state plausible from source inspection. (src/agents/pi-embedded-runner/run/attempt.ts:4382, 694d45e535db)
• Failover construction propagates the selected assistant raw error: handleAssistantFailover builds FailoverError using the provided last assistant's formatted text and rawError, so a stale assistantForFailover can become the thrown fallback error payload. (src/agents/pi-embedded-runner/run/assistant-failover.ts:215, 694d45e535db)
• Model fallback records rawError ahead of candidate-attributed message: recordFailedCandidateAttempt and related append logic store described.rawError ?? described.message for the candidate, matching the report's claim that stale raw text can win over the candidate-level failure message. (src/agents/model-fallback.ts:410, 694d45e535db)
• Existing regression test covers a narrower already-fixed case: The current cross-provider regression test covers a current-attempt DeepSeek assistant and a same-provider compaction fallback, but it does not cover a missing current assistant with a prior provider in session history. (src/agents/pi-embedded-runner/run.cross-provider-fallback-error-context.test.ts:100, 694d45e535db)
• Shipped release still has the same affected source shape: The latest provided release tag v2026.5.22 points at a374c3a and still contains the same currentAttemptAssistant ?? sessionLastAssistant and described.rawError ?? described.message patterns, so this is not already fixed in the latest release. (src/agents/pi-embedded-runner/run.ts:2468, a374c3a5bfd5)

Likely related people:

• @stainlu: Authored the prior merged cross-provider fallback error-context fix and regression test that this issue extends. (role: feature-history contributor; confidence: high; commits: acd3697162dc; files: src/agents/pi-embedded-runner/run.ts, src/agents/pi-embedded-runner/run.cross-provider-fallback-error-context.test.ts)
• @altaywtf: Reviewed and co-authored the prior cross-provider fallback error-context fix, and has adjacent failover classification/history in the same agent area. (role: reviewer and adjacent owner; confidence: medium; commits: acd3697162dc, 6e962d8b9e55; files: src/agents/pi-embedded-runner/run.ts, src/agents/model-fallback.ts)
• @steipete: Carried model-fallback failure tracking and related fallback refactors that control how candidate failures are summarized. (role: recent area contributor; confidence: medium; commits: e3d62095990d, dcc3392a1a40; files: src/agents/model-fallback.ts)
• @joshavant: Recently changed the current-attempt helper/context-engine path that determines the current attempt assistant slice used by this bug path. (role: adjacent helper contributor; confidence: medium; commits: a327b6750dbe; files: src/agents/pi-embedded-runner/run/attempt.context-engine-helpers.ts, src/agents/pi-embedded-runner/run/attempt.ts)
• @vincentkoc: Recent blame and log history show broad touches across the embedded runner/model-fallback source, although the visible blame is partly from the shallow/grafted checkout state. (role: recent area maintainer by history; confidence: low; commits: a56f4529720b, 93ce76afe310; files: src/agents/pi-embedded-runner/run.ts, src/agents/model-fallback.ts)

Remaining risk / open question:

• I did not run a live multi-provider timeout cascade in this read-only review; the current-main source path and shipped source shape are the proof basis.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 694d45e535db.