EmbeddedAttemptSessionTakeoverError: self-inflicted session file modification during lock-free window (race condition)

[lovensky1992-wk]

Bug Description

Cron jobs using idealab/claude-opus-4-6 as the model consistently fail with EmbeddedAttemptSessionTakeoverError when the session file fingerprint (dev/ino/size/mtimeNs/ctimeNs) changes between releaseForPrompt() and the subsequent assertSessionFileFence() check.

The modification is self-inflicted — the gateway's own internal async process (likely memory-core plugin indexing, model-snapshot write, or trajectory sync) modifies the .jsonl session file during the lock-free window while waiting for the model response.

Reproduction

• Version: 2026.5.20
• Trigger: Any isolated cron job with idealab/claude-opus-4-6 that has a ~20s+ model response time
• Frequency: 100% reproducible once timing corridor is hit (7/7 consecutive failures for the same job)
• Workaround: Switching to a different provider (e.g. dashscope/deepseek-v4-pro or even idealab/gpt-5.4) avoids the issue — suggesting the race is provider-specific in the streaming/auth initialization path

Evidence

1. The error appears in logs since 5/19, hitting multiple job types intermittently:

   • memory-capture-fallback (ops agent)
   • daily-ops-review (ops agent)
   • dreaming-narrative (main agent)
   • Dashboard sessions (main agent)

2. Same agent + same model + different prompt size = different outcome:

   • Short prompt job (capture-fallback, ~4s model response) → succeeds
   • Long prompt job (daily-ops-review, ~24s model response) → fails every time

3. Gateway restart does NOT fix it (confirmed: restarted, immediately failed again)

4. Switching model to non-Opus provider → session lock error disappears (fails on tool error instead, but the lock race is gone)

Root Cause Analysis

Source: dist/selection-BmjEdnnA.js lines 7945-8050

// releaseForPrompt() records fingerprint then releases lock
async releaseForPrompt() {
    fenceFingerprint = await readSessionFileFingerprint(sessionFile);
    fenceActive = true;
    await lock.release();
}

// assertSessionFileFence() checks fingerprint hasn't changed
async function assertSessionFileFence() {
    const current = await readSessionFileFingerprint(sessionFile);
    if (!sameSessionFileFingerprint(fenceFingerprint, current)) {
        // Only exception: growth is pure assistant transcript entries
        if (await changeLooksLikeOwnedPromptOutput({...})) {
            fenceFingerprint = current; return;
        }
        throw new EmbeddedAttemptSessionTakeoverError(sessionFile);
    }
}

// Fingerprint uses nanosecond-precision mtime
function sameSessionFileFingerprint(left, right) {
    return left.dev === right.dev && left.ino === right.ino
        && left.size === right.size
        && left.mtimeNs === right.mtimeNs
        && left.ctimeNs === right.ctimeNs;
}

The fingerprint comparison is correct in principle but the invariant assumption ("no internal process will write to the session file during the lock-free window") is violated by the gateway's own async pipeline.

Suggested Fixes

1. Drain all pending session writes before recording fingerprint — ensure no async internal write is in-flight when releaseForPrompt() snapshots the fingerprint
2. Relax fingerprint to size-only — if the file grew by known-good internal entries (not just assistant output), allow it
3. Add grace period — re-read fingerprint after a short delay if mismatch detected, to handle writes that were "in the pipeline" at snapshot time
4. Provider-aware lock timing — if certain providers trigger additional session writes during auth/streaming setup, account for them in the lock lifecycle

Environment

• macOS 14.6 (arm64)
• Node v22.19.0
• OpenClaw 2026.5.20
• Plugins: browser, memory-core, searxng, skill-trigger-engine
• 4 configured agents (main, ops, scout, editor)

[clawsweeper]

Thanks for the context here. I did a careful shell check against current main, and this is already implemented.

Current main and the latest release already handle the reported self-inflicted session-file changes by tracking owned in-process writes during the prompt lock release window while continuing to reject unowned external edits.

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review details

Best possible solution:

Keep the shipped owned-write fence behavior and ask for a new report only if the same failure reproduces on v2026.5.22 or newer with logs showing an unhandled internal writer.

Do we have a high-confidence way to reproduce the issue?

No, not against current main: I did not run the long idealab/claude-opus-4-6 cron path, but source and regression tests now cover the reported self-inflicted owned-write corridor. The report is credible for 2026.5.20, while current main and v2026.5.22 include the owned-write fence.

Is this the best way to solve the issue?

Yes. The current fix keeps the strict takeover protection for unowned external edits while allowing only same-process writes published through the session write-lock context, which is the narrow maintainable boundary for this race.

Security review:

Security review: This is an issue triage with no proposed patch to review for security or supply-chain regressions.

AGENTS.md: found and applied where relevant.

What I checked:

• Current source: owned in-process writes are trusted across the fence: The current session-lock controller tracks ownedSessionFileWrites/trusted session states and lets assertSessionFileFence() accept a newer fingerprint only when it matches an owned write generation; otherwise it still throws EmbeddedAttemptSessionTakeoverError. (src/agents/pi-embedded-runner/run/attempt.session-lock.ts:396, 3548cff14b9c)
• Current source: prompt/event/hook writes are routed through the lock context: The runner installs session event and external hook write locks, creates an owned transcript write context for the active prompt, and wraps provider prompt submission with that context so internal transcript writes can be published as owned. (src/agents/pi-embedded-runner/run/attempt.ts:2612, 3548cff14b9c)
• Regression coverage: owned writes pass, external edits still fail: Focused tests cover owned transcript mirror appends, owned session-manager appends, same-process published writes after releaseForPrompt(), and external edits that must still raise takeover errors. (src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts:448, 3548cff14b9c)
• Git history provenance: git blame ties the owned-write fence, transcript write context, prompt context, and matching tests in this checkout to boundary commit 4738d0a2961ac71b067b5b2c78e565a86a1851a8; adjacent cleanup-takeover behavior was later touched by 7fbca96a0cda2c335a9b3458c569087cb0d3cf10. (src/agents/pi-embedded-runner/run/attempt.session-lock.ts:675, 4738d0a2961a)
• Release provenance: The latest release tag v2026.5.22 contains the owned-write session-lock implementation and tests, and git tag --contains a374c3a5bfd5225ce319bce3865aab6216309c4f returns v2026.5.22. (src/agents/pi-embedded-runner/run/attempt.session-lock.ts:406, a374c3a5bfd5)

Likely related people:

• Vincent Koc: Blame for the owned-write fence, transcript write context, runner installation points, and regression tests points to 4738d0a2961ac71b067b5b2c78e565a86a1851a8 in this checkout. (role: introduced current checked-out behavior; confidence: high; commits: 4738d0a2961a; files: src/agents/pi-embedded-runner/run/attempt.session-lock.ts, src/config/sessions/transcript-write-context.ts, src/agents/pi-embedded-runner/run/attempt.ts)
• clawsweeper[bot]: Recent commit 7fbca96a0cda2c335a9b3458c569087cb0d3cf10 touched cleanup takeover handling in the embedded runner path, which is adjacent to this failure mode. (role: recent adjacent contributor; confidence: medium; commits: 7fbca96a0cda; files: src/agents/pi-embedded-runner/run/attempt.ts, src/agents/pi-embedded-runner/run/attempt.spawn-workspace.context-engine.test.ts)
• Peter Steinberger: The release commit tagged v2026.5.22 and the current main head in this checkout were authored by Peter and contain the shipped/current session-lock implementation used as proof. (role: release/current-main provenance; confidence: medium; commits: a374c3a5bfd5, 3548cff14b9c; files: src/agents/pi-embedded-runner/run/attempt.session-lock.ts, src/config/sessions/transcript-write-context.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 3548cff14b9c; fix evidence: release v2026.5.22, commit a374c3a5bfd5.