Restart-sentinel turn on channel-bound session emits outbound reply to source chat

[chrispydizzle]

GitHub issue draft — restart-sentinel turn produces user-facing outbound reply

Repo: openclaw/openclaw
Title: Restart-sentinel turn on channel-bound session emits outbound reply to source chat

Summary

When the gateway restarts, restart-sentinel events posted to a channel-bound main-session (e.g. a WhatsApp group session with key agent:main:whatsapp:group:<id>@g.us) can cause the agent to generate a user-facing assistant reply that is then routed back to the source chat. Sentinels should be system-only and never produce outbound messages.

Impact

A reply intended for a different session/context (the user's TUI/Discord) was emitted into a WhatsApp group chat after the gateway restarted. Content in our case was harmless dev output ("Brew bin is now on my exec PATH...") but the same path could leak arbitrary in-progress assistant text into any channel the session is bound to.

Severity: low data sensitivity in our case, but the leak class is high — outbound messages should never be triggered by system sentinels.

Reproduction (observed, not minimised)

1. Configure WhatsApp inbound such that group messages spawn main-session agents (this itself is arguably a separate bug — see "Related" below).
2. Have an active session bound to a WhatsApp group: session key shape agent:main:whatsapp:group:<id>@g.us.
3. Trigger a gateway restart while there is in-flight assistant context from a sibling session.
4. Restart-sentinel posts to the group-bound session as a user turn.
5. Agent generates a continuation and the runtime routes the outbound reply to the group chat.

Trajectory evidence (sanitised id):

• Session id: c9add990-...
• Sentinel message id: restart-sentinel:agent:main:whatsapp:group:<id>@g.us:agentTurn:<ts>
• trace.artifacts.didSendViaMessagingTool: false — meaning the model did not invoke the message tool; the outbound was the default assistant-reply routing, not an explicit tool call. So suppression has to live in the runtime, not in agent prompt discipline.

Expected behaviour

Restart sentinels should be either:

• Suppressed entirely (no agent turn fired), or
• Fired with outbound routing disabled (assistant reply discarded, only side-effects like state hydration retained).

Suggested fix locations

• Wherever restart-sentinel synthetic user turns are produced, set an "internal turn" flag on the run that causes the messaging/channel router to drop the assistant reply for that turn (logging it to trajectory only).
• Alternative: change sentinel to a non-user-turn event (lifecycle hook) so the agent loop doesn't run at all.

Related (worth a separate issue if confirmed)

• WhatsApp group inbound should not auto-spawn main-session agents by default. Default should be DM-only with an explicit group allowlist, otherwise any group member can wake the agent in the group's session context. The blast radius of bug-1 (this issue) is amplified by bug-2.

Workaround

Pull the WhatsApp integration / restrict its inbound routing so group sessions don't get spawned. We did exactly this — easy because we treated WhatsApp as gimmicky anyway, but not a real fix.

Environment

• OpenClaw runtime via npm global, node 24.x and 26.x in mix
• WhatsApp plugin via Baileys (default setup)
• Host: WSL2 (Ubuntu) on Windows 11
• Date observed: 2026-05-28

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 28, 2026, 6:15 PM ET / 22:15 UTC.

Summary
Keep open. Current main and the latest release still route restart-sentinel agentTurn continuations through the normal channel delivery path, and existing tests cover WhatsApp-routed final delivery, so the reported leak class remains real enough for maintainer review.

Reproducibility: yes. for the core path: source and existing tests show a routed restart agentTurn continuation can deliver a final assistant reply to a WhatsApp-style channel route. I did not run a live WhatsApp restart reproduction in this read-only review.

Next step
Manual review is needed because this is security-sensitive and changes a shipped restart continuation contract.

Security
Needs attention: The issue raises a concrete sensitive-output leak path through restart-sentinel final reply delivery.

Review details

Best possible solution:

Define restart-sentinel continuations as internal system input by default, suppress automatic source-channel final delivery for internal restart turns, and keep any explicit user-visible post-restart report behind a deliberate audience/route contract with regression coverage for group and direct channels.

Do we have a high-confidence way to reproduce the issue?

Yes for the core path: source and existing tests show a routed restart agentTurn continuation can deliver a final assistant reply to a WhatsApp-style channel route. I did not run a live WhatsApp restart reproduction in this read-only review.

Is this the best way to solve the issue?

Unclear pending maintainer policy. Suppressing automatic outbound delivery for internal restart-sentinel turns is the safer direction, but the exact contract must preserve or intentionally revise documented continuationMessage restart-resume behavior.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• No live WhatsApp repro was run in this read-only review; the source path and existing tests cover the core routed-continuation behavior.
• A fix can change shipped restart-resume semantics, so maintainers need to decide which explicit continuations may still produce user-visible post-restart reports.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8e806e9125e6.

Label changes

Label changes:

• add P1: The report describes a real channel workflow that can leak assistant text into a group chat after restart.
• add impact:security: The issue is about unintended disclosure of in-progress assistant text into an external channel.
• add impact:message-loss: The affected behavior is misrouted outbound channel delivery caused by an internal restart-sentinel turn.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.
• add clawsweeper:needs-product-decision: Current issue advisory state selects this label.
• add clawsweeper:needs-security-review: Current issue advisory state selects this label.

Label justifications:

• P1: The report describes a real channel workflow that can leak assistant text into a group chat after restart.
• impact:security: The issue is about unintended disclosure of in-progress assistant text into an external channel.
• impact:message-loss: The affected behavior is misrouted outbound channel delivery caused by an internal restart-sentinel turn.

Evidence reviewed

Security concerns:

• [medium] Internal restart turn can speak into an external channel — src/gateway/server-restart-sentinel.ts:345
  A restart-sentinel agentTurn is tagged as internal system provenance but still sends final assistant payloads through the resolved channel route, which can expose unrelated in-progress assistant text to a group chat.
  Confidence: 0.86

Acceptance criteria:

• node scripts/run-vitest.mjs src/gateway/server-restart-sentinel.test.ts
• node scripts/run-vitest.mjs src/infra/restart-sentinel.test.ts
• node scripts/run-vitest.mjs src/auto-reply/reply/source-reply-delivery-mode.test.ts

What I checked:

• Issue report: The live issue reports a restart-sentinel:...:agentTurn:<ts> message on a WhatsApp group-bound session and notes didSendViaMessagingTool: false, meaning the outbound came from default assistant reply routing rather than an explicit message tool call.
• Current continuation creation: Current main creates an agentTurn restart continuation whenever a session key is present, even when no explicit continuationMessage is supplied. (src/infra/restart-sentinel.ts:165, 8e806e9125e6)
• Current routed delivery: The restart continuation is marked internal_system, but the delivery callback still sends final payloads to the resolved channel route with sendDurableMessageBatch. (src/gateway/server-restart-sentinel.ts:292, 8e806e9125e6)
• Current startup queueing: Startup enqueues any restart-sentinel continuation with a resolved route and suppresses only the separate wake path when that routed continuation is an agentTurn. (src/gateway/server-restart-sentinel.ts:597, 8e806e9125e6)
• Existing test coverage: The test suite explicitly proves a WhatsApp-routed restart agentTurn continuation dispatches and delivers a final assistant payload in the same routed thread. (src/gateway/server-restart-sentinel.test.ts:562, 8e806e9125e6)
• Shipped behavior: The latest release tag v2026.5.27 contains the same default agentTurn continuation creation and routed final delivery behavior, so this is not main-only. (src/infra/restart-sentinel.ts:165, 27ae826f6525)

Likely related people:

• obviyus: GitHub history shows this user authored the default restart acknowledgement continuation and several hardening commits for restart continuation binding and retry budget behavior. (role: feature-history owner; confidence: high; commits: b982d9e66910, f5173589a45c, fe5f0cddb929; files: src/infra/restart-sentinel.ts, src/gateway/server-restart-sentinel.ts, src/auto-reply/reply/commands-session.ts)
• TurboTheTurtle: Recent merged work changed restart continuation session binding and stale-route fallback behavior, directly adjacent to this report. (role: recent area contributor; confidence: medium; commits: d8641a661b86; files: src/gateway/server-restart-sentinel.ts)
• VACInc: Recent commits preserved restart continuation authority and adjusted retry/racing behavior in the same gateway restart continuation path. (role: adjacent restart-continuation contributor; confidence: medium; commits: 09be7de2b2be, 0c8c620d6f2d, 2efb36c6230c; files: src/gateway/server-restart-sentinel.ts)
• steipete: Recent message delivery and gateway-tool refactors touched surfaces that interact with restart continuation routing and final reply delivery. (role: recent adjacent contributor; confidence: medium; commits: 2ead1502c9bf, 77d9ac30bb8d; files: src/agents/tools/gateway-tool.ts, src/infra/outbound/targets.ts, src/gateway/server-restart-sentinel.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[joshavant]

Thanks for the detailed report, @chrispydizzle. The root cause was that restart sentinels could synthesize a session-scoped agentTurn after restart and then let normal assistant final-delivery route that turn back into the originating channel. In a channel-bound session, that meant internal restart recovery text could become a user-facing outbound message without the model explicitly using the message tool.

Fixed in #88161, merged as 584fa32.

The fix makes restart-sentinel continuations internal by default:

• no inferred “restart succeeded” agent continuation is created just because a sessionKey exists
• explicit continuationMessage still works for post-restart internal work
• visible post-restart output from that continuation must go through the message tool
• automatic final assistant delivery for restart continuations is disabled

Verification included focused restart-sentinel/gateway/reply regression tests, CI on the merged PR, and a live WhatsApp proof showing the restart notice still delivered while the continuation marker did not leak into the live channel.

Closing this as fixed. If a visible deterministic “restart completed” notification is wanted later, that should be a separate lifecycle notification with an explicit route/audience contract, not an implicit agent-turn final reply.