Session lock auto-cleanup on staleness detection

[todd-chisel]

Summary

Session JSONL lock files (.jsonl.lock) can become stale even when the gateway PID is alive and actively holding them, causing file lock stale errors in the sessions_send / sessions_spawn paths. This requires manual openclaw sessions cleanup intervention.

Background

Over the past 3 days (2026-05-26 to 2026-05-28), the OpenClaw gateway has experienced recurring "file lock stale" substrate failures affecting multiple agents simultaneously. The pattern:

• Lock files for session JSONL files are flagged as "stale" by the runtime
• The gateway PID is alive and actively working
• No orphaned .lock files exist on disk at failure time
• Logs show EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released

This appears to be a race condition in embedded-session lock management during concurrent sessions_send / sub-agent spawn operations, particularly affecting high-volume agents (woodhouse, fleet-ops, PMs).

Evidence:

• Instance fix: add @lid format support and allowFrom wildcard handling #1: 2026-05-28 04:22 UTC (347h gateway uptime)
• Instance Login fails with 'WebSocket Error (socket hang up)' ECONNRESET #2: 2026-05-28 06:45 UTC (<2h uptime, post-restart)
• Instance WA business, groups & office hours  #3+: 2026-05-28 14:23+ UTC (multiple agents)
• All instances affected the same high-volume session files
• Manual openclaw sessions cleanup clears the issue temporarily

Full forensic: [internal audit doc available on request]

Current Workaround

We've deployed a cron-based auto-cleanup sniffer:

• Runs every 5 minutes
• Scans for locks >5 minutes old with no active process
• Auto-executes openclaw sessions cleanup on P1/P0 alerts
• Alerts operators via inbox

This mitigates the immediate impact but does not address the root cause.

Requested Feature

Auto-cleanup on lock staleness detection:

1. When the runtime detects a stale lock internally, automatically run cleanup (equivalent to openclaw sessions cleanup) before retrying the operation
2. Log the auto-cleanup event for forensics
3. Optional: expose a config flag to disable auto-cleanup if operators want manual control

Benefits:

• Eliminates the 5-15 minute window between lock staleness and cron-driven cleanup
• Reduces fleet-wide stuck-but-alive agent occurrences
• Provides immediate self-healing for transient lock races

Alternative: Root Cause Fix

If the lock-staleness detection itself is buggy (i.e., the lock is NOT actually stale, but the runtime incorrectly thinks it is), then the root cause is in the lock validation logic. In that case:

1. Review the EmbeddedAttemptSessionTakeoverError path
2. Check if lock acquisition/release during sessions_send has a race window
3. Ensure lock validation accounts for concurrent operations on the same session file

We're happy to provide additional forensic data (logs, stack traces, timing) if that helps diagnose the root cause.

Impact

Severity: P1 (fleet-degrading, not P0 because manual mitigation exists)

Frequency: 3-4 instances in 3 days across 10+ agents

Affected workflows:

• Inter-agent messaging (sessions_send)
• Sub-agent spawning (sessions_spawn)
• Heartbeat coordination (agents appear "stuck but alive")

Environment

• OpenClaw version: [current production, can provide specific version if needed]
• Gateway uptime at first occurrence: 347h
• Gateway uptime at recurrence: <2h (shows restart does not permanently resolve)
• Affected session types: DM sessions (high concurrency), heartbeat sessions

---

Note: This issue is filed in parallel with our cron-based workaround deployment (Item A, Path 2 from internal substrate repair commission). We're requesting the upstream feature to enable eventual removal of the cron workaround once the feature is stable.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 28, 2026, 5:01 PM ET / 21:01 UTC.

Summary
This should stay open: current main has session-lock cleanup primitives, startup cleanup, and an in-process watchdog, but I did not find a runtime retry/self-heal path for stale-lock failures in sessions_send or sessions_spawn, and the reported high-concurrency race is not covered by the existing tests.

Reproducibility: no. high-confidence live reproduction is available from the public issue body. Source inspection does show the implicated stale-lock, cleanup, and embedded takeover paths, but the exact high-concurrency race still needs the reporter's forensic logs or a targeted stress test.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.

Next step
The report is credible and high-impact, but the exact race versus stale-validation behavior is unresolved and auto-removing live locks needs maintainer policy review before coding.

Review details

Best possible solution:

Fix the underlying session-lock/fence race first, then add narrowly scoped self-healing only for proven orphaned or dead-owner locks with forensic logging and regression coverage for concurrent sessions_send and sessions_spawn.

Do we have a high-confidence way to reproduce the issue?

No high-confidence live reproduction is available from the public issue body. Source inspection does show the implicated stale-lock, cleanup, and embedded takeover paths, but the exact high-concurrency race still needs the reporter's forensic logs or a targeted stress test.

Is this the best way to solve the issue?

No, unconditional sessions cleanup on every stale signal is not yet the best fix because current cleanup can classify old live OpenClaw-owned locks as stale. The safer direction is to prove the root cause, tighten ownership validation, and only then retry after scoped cleanup.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• The exact race is not publicly reproducible from the issue body because the forensic doc and raw logs were not attached.
• Blindly running cleanup when a live OpenClaw PID owns a lock could corrupt transcript writes, so the self-healing policy needs owner validation and focused concurrency proof.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ec4a00beae98.

Label changes

Label changes:

• add P1: The report describes recurring production failures that degrade inter-agent messaging and sub-agent spawning across multiple active agents.
• add impact:message-loss: The affected workflows are sessions_send and sessions_spawn, where messages or delegated work can fail to progress while agents appear stuck.
• add impact:session-state: The failure centers on transcript .jsonl.lock ownership, session files, and embedded session takeover state.
• add issue-rating: 🐚 platinum hermit: Current issue advisory state selects this label.
• add clawsweeper:needs-live-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.
• add clawsweeper:needs-product-decision: Current issue advisory state selects this label.

Label justifications:

• P1: The report describes recurring production failures that degrade inter-agent messaging and sub-agent spawning across multiple active agents.
• impact:message-loss: The affected workflows are sessions_send and sessions_spawn, where messages or delegated work can fail to progress while agents appear stuck.
• impact:session-state: The failure centers on transcript .jsonl.lock ownership, session files, and embedded session takeover state.

Evidence reviewed

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/session-write-lock.test.ts
• node scripts/run-vitest.mjs src/agents/embedded-agent-runner/run/attempt.session-lock.test.ts
• node scripts/run-vitest.mjs src/agents/embedded-agent-runner/run/attempt.spawn-workspace.context-engine.test.ts
• Add a targeted concurrency/stress regression for overlapping sessions_send and sessions_spawn against the same transcript lock before landing any runtime retry policy.

What I checked:

• Issue report: The report describes recurring file lock stale and EmbeddedAttemptSessionTakeoverError failures across multiple high-volume agents from 2026-05-26 to 2026-05-28, with a cron-based cleanup workaround but no attached public forensic log.
• Current acquisition path: Current lock acquisition configures stale recovery, but if acquisition times out it throws SessionWriteLockTimeoutError; there is no call here to run a full session-lock cleanup and retry the session operation. (src/agents/session-write-lock.ts:746, ec4a00beae98)
• Cleanup primitive: cleanStaleLockFiles can scan .jsonl.lock files and remove stale ones, but it is a helper; source inspection found it wired into doctor/startup paths rather than the sessions_send/sessions_spawn runtime failure path. (src/agents/session-write-lock.ts:657, ec4a00beae98)
• Startup-only cleanup caller: Gateway startup schedules stale session-lock cleanup as a post-ready sidecar task, which helps after restarts but does not prove automatic recovery when a live runtime operation detects staleness. (src/gateway/server-startup-post-attach.ts:787, ec4a00beae98)
• Takeover fence path: The embedded attempt fence throws EmbeddedAttemptSessionTakeoverError when the session file changes outside an owned write; this matches the reported error class but does not itself clean or retry. (src/agents/embedded-agent-runner/run/attempt.session-lock.ts:702, ec4a00beae98)
• Existing tests: The session-write-lock tests cover stale lock cleanup, live-lock handling, env/config tuning, and watchdog behavior, but not the requested runtime auto-cleanup-and-retry behavior for concurrent session tool operations. (src/agents/session-write-lock.test.ts:610, ec4a00beae98)

Likely related people:

• steipete: Current blame and history show Peter Steinberger on the current session-lock lines and on the earlier single-writer session-file lock introduction. (role: recent area contributor; confidence: medium; commits: 6668805aca17, c42664f9b226, ec4a00beae98; files: src/agents/session-write-lock.ts, src/agents/embedded-agent-runner/run/attempt.session-lock.ts, src/agents/embedded-agent-runner/run/attempt.ts)
• Vishal Doshi: Commit e91a5b0 introduced the stale session-lock release/watchdog work and doctor lock cleanup surface that are directly relevant to this report. (role: introduced stale-lock cleanup/watchdog behavior; confidence: medium; commits: e91a5b021648; files: src/agents/session-write-lock.ts, src/commands/doctor-session-locks.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.