[Bug]: Session file lock not released properly by watchdog

[sally-lemo]

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

Session write lock files persist beyond maxHoldMs timeout; watchdog fails to reclaim stale locks, causing "session file locked" errors on subsequent requests.

Steps to reproduce

1. Start OpenClaw 2026.5.22 gateway and let it run for extended periods (overnight)
2. Use multiple sessions or let sessions accumulate
3. Observe lock files in ~/.openclaw/agents/main/sessions/
4. Attempt to use OpenClaw after lock has exceeded maxHoldMs
5. Observe "session file locked" error

Expected behavior

Lock files should be automatically released when:

• The holding process exits
• maxHoldMs timeout (300000ms / 5 minutes) is exceeded
• Lock is marked as stale after staleMs (1800000ms / 30 minutes)

The watchdog should reclaim stale locks without manual intervention.

Actual behavior

Lock files persist for 8+ hours despite maxHoldMs being 300000ms (5 minutes)
Lock file shows maxHoldMs: 1020000 (17 minutes) instead of configured 300000ms
Watchdog does not reclaim stale locks automatically
User must manually delete lock files or restart gateway to resolve
Error message: "session file locked (timeout 60000ms): pid=16834 /path/to/session.jsonl.lock"

OpenClaw version

2026.5.22 (a374c3a)

Operating system

macOS Darwin 25.5.0 (arm64)

Install method

npm global

Model

qwen/kimi-k2.5

Provider / routing chain

openclaw -> modelstudio/qwen3.5-plus

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Lock file content:

{
  "pid": 16834,
  "createdAt": "2026-05-28T01:12:54.261Z",
  "maxHoldMs": 1020000
}


Process status:

pid 16834  83.3% CPU  openclaw gateway

(Process running for 170+ minutes, lock held for 8+ hours)

Configuration:
- session.writeLock.acquireTimeoutMs: 60000
- session.writeLock.staleMs: 1800000  
- session.writeLock.maxHoldMs: 300000

Impact and severity

Affected: All OpenClaw users on 2026.5.22 with long-running gateway
Severity: Medium (requires manual intervention or workaround)
Frequency: Observed multiple times after overnight operation
Consequence: Agents fail to respond, user must manually delete lock files or restart gateway

Additional information

Workaround applied:

1. Extended timeouts via environment variables:

   • OPENCLAW_SESSION_WRITE_LOCK_ACQUIRE_TIMEOUT_MS=120000
   • OPENCLAW_SESSION_WRITE_LOCK_STALE_MS=3600000
   • OPENCLAW_SESSION_WRITE_LOCK_MAX_HOLD_MS=600000

2. Created cleanup script via crontab to remove stale locks every 10 minutes

Possible root causes:

1. Watchdog timer not properly checking lock expiration
2. maxHoldMs value being overridden somewhere (1020000 vs 300000)
3. Process exit detection not triggering lock cleanup
4. Race condition in lock acquisition/release

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 27, 2026, 10:57 PM ET / 02:57 UTC.

Summary
Keep open: current main has a session write-lock watchdog and newer timeout-abort cleanup, but the report describes a fresh released-build lock held for hours by a live gateway PID, and source/tests do not prove that current main fully fixes that overnight live-lock pattern.

Reproducibility: no. high-confidence live current-main reproduction is available. Source inspection does show the unresolved edge: cleanup does not reclaim live OpenClaw-owned lock files solely because maxHoldMs elapsed, while the report's full watchdog failure still needs a live macOS gateway repro.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.
• Include redacted logs or terminal output.

Next step
Manual review is safer than queueing an automatic fix because the live-PID recovery rule is compatibility-sensitive and the report needs a live current-main repro before changing lock cleanup semantics.

Review details

Best possible solution:

Keep this as a core session-state reliability item until maintainers can prove the live gateway watchdog path under long-running load or add targeted recovery for stuck same-process transcript locks without unsafe deletion of active locks.

Do we have a high-confidence way to reproduce the issue?

No high-confidence live current-main reproduction is available. Source inspection does show the unresolved edge: cleanup does not reclaim live OpenClaw-owned lock files solely because maxHoldMs elapsed, while the report's full watchdog failure still needs a live macOS gateway repro.

Is this the best way to solve the issue?

Unclear: the existing watchdog is the right default mechanism for same-process locks, but the reported live-PID stale lock needs maintainer review before adding broader cleanup or fail-open behavior around active OpenClaw processes.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• No live current-main reproduction was run for the reported macOS long-running gateway/high-CPU case, so the in-process watchdog test is not enough to prove the overnight stale live-lock symptom is fixed.
• Current cleanup intentionally avoids deleting live OpenClaw-owned locks solely because maxHoldMs elapsed, so changing this behavior needs maintainer judgment to avoid deleting legitimately active transcript locks.
• The nearby EmbeddedAttemptSessionTakeoverError reports may share session-lock pressure but do not fully cover this issue's stale lock-file/live-PID failure mode.

Codex review notes: model gpt-5.5, reasoning high; reviewed against edd4c62da1c2.

Label changes

Label justifications:

• P2: The issue describes a normal-priority reliability bug that blocks later agent turns and requires manual cleanup, but it is not a crash loop or security emergency.
• impact:session-state: The reported failure is a stale session transcript lock that prevents session state from being written.

Evidence reviewed

Acceptance criteria:

• Live macOS gateway repro on current main or latest release with session.writeLock.maxHoldMs configured and lock-file payload captured before/after maxHoldMs.
• Focused session-write-lock regression coverage if a code fix is chosen, covering active in-process watchdog release and orphaned live-PID cleanup policy.
• Run the narrow agent/session lock test surface with node scripts/run-vitest.mjs for any eventual fix.

What I checked:

• Repository policy and vision applied: Read the full root policy and VISION.md; session-state stability is aligned with current bug-fix priorities, and core session/auth state requires careful maintainer review. (AGENTS.md:1, edd4c62da1c2)
• Current watchdog source: Current main starts a background in-process watchdog and releases held entries once heldForMs exceeds each lock's maxHoldMs. (src/agents/session-write-lock.ts:262, edd4c62da1c2)
• Current cleanup limitation: Current startup/doctor cleanup sweeps lock files, but the cleanup path does not pass respectMaxHold for live OpenClaw-owned lock files, so it is not proof that an orphaned live-PID lock will be reclaimed solely because maxHoldMs elapsed. (src/agents/session-write-lock.ts:648, edd4c62da1c2)
• Test coverage gap: The focused tests prove synthetic in-process watchdog release, while another test explicitly keeps live OpenClaw-owned lock files past maxHold during cleanup, matching the unresolved live-PID policy edge. (src/agents/session-write-lock.test.ts:374, edd4c62da1c2)
• Documented contract: Docs say transcript mutations use session write locks, default acquire timeout is 60000ms, staleMs is 1800000ms, and maxHoldMs is the in-process watchdog release threshold with default 300000ms. Public docs: docs/reference/session-management-compaction.md. (docs/reference/session-management-compaction.md:97, edd4c62da1c2)
• Reported 1020000ms lock payload is explainable by current defaults: Current compaction default is 900000ms and max hold fallback adds the shared 120000ms grace, which explains a 1020000ms lock payload when no session.writeLock.maxHoldMs override reaches the lock acquisition path. (src/agents/embedded-agent-runner/compaction-safety-timeout.ts:5, edd4c62da1c2)

Likely related people:

• Peter Steinberger: Blame on the current session write-lock watchdog, cleanup sweep, startup cleanup hook, and associated tests points to commit 78c5eea, with older session-lock hardening commits also in this history. (role: current session-lock implementation and recent area contributor; confidence: medium; commits: 78c5eeab0188, 1becebe188eb, fb6e415d0c52; files: src/agents/session-write-lock.ts, src/agents/session-write-lock.test.ts, src/gateway/server-startup-post-attach.ts)
• Chunyue Wang: Commit 65fb565 recently changed embedded attempt session-lock cleanup on timeout-abort paths near this failure surface. (role: recent adjacent contributor; confidence: medium; commits: 65fb56513fb2; files: src/agents/embedded-agent-runner/run/attempt.session-lock.ts, src/agents/embedded-agent-runner/run/attempt.session-lock.test.ts, src/agents/embedded-agent-runner/run/attempt.ts)
• Vincent Koc: Recent session-lock history includes cleanup of leaked session lock exit listeners and recycled-PID recovery hardening in the same lock ownership area. (role: recent adjacent session-lock maintainer; confidence: medium; commits: f00f0a95968f, 5a2200b28003; files: src/agents/session-write-lock.ts, src/agents/session-write-lock.test.ts)
• Vishal Doshi: Commit e91a5b0 added stale session lock release and watchdog behavior in the same source file history. (role: watchdog feature history contributor; confidence: low; commits: e91a5b021648; files: src/agents/session-write-lock.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.