[Bug]: isolated cron can still self-conflict on a dedicated cron agent with EmbeddedAttemptSessionTakeoverError

[xuess]

Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

On 2026.5.28-beta.3, cron runs can still fail with EmbeddedAttemptSessionTakeoverError on files inside /agents/cron/sessions even after cron was moved to a dedicated cron agent with isolated sessionTarget.

Steps to reproduce

1. Start OpenClaw 2026.5.28-beta.3 on Linux with main chat, dashboard, and cron enabled.
2. Configure cron jobs with sessionTarget: "isolated" and payload.kind: "agentTurn".
3. Move cron to a dedicated cron agent with its own agentDir and session directory.
4. Disable heartbeat and trigger cron runs repeatedly.
5. Observe some runs failing with EmbeddedAttemptSessionTakeoverError on files under /home/node/.openclaw/agents/cron/sessions/.

Expected behavior

After cron is moved to a dedicated agent and uses isolated sessionTarget, cron runs should not fail because their own session file changed during execution.

Actual behavior

Observed failing runs end with EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released. The latest examples are cron-owned session files such as /home/node/.openclaw/agents/cron/sessions/f1f8713e-b766-4b01-a6c2-489104a28854.jsonl, /home/node/.openclaw/agents/cron/sessions/e4b8e1ce-0100-4d64-9bb0-5376655ac06c.jsonl, and /home/node/.openclaw/agents/cron/sessions/3b0fac23-a272-46c5-9679-2068a7df6055.jsonl.

OpenClaw version

2026.5.28-beta.3

Operating system

Linux 5.19.17-z4pro-generic (x64)

Install method

Self-hosted gateway on Linux; exact packaging NOT_ENOUGH_INFO

Model

Multiple models were involved during fallback/retry in observed failing runs; see additional provider/model setup details.

Provider / routing chain

OpenClaw gateway -> configured fallback chain across multiple providers in observed failing runs (including Bailian, SiliconFlow, and Xiaomi Coding).

Additional provider/model setup details

Observed setup before the latest repro: single gateway, main chat + dashboard + cron originally; later cron moved to a dedicated cron agent with its own agentDir. Heartbeat was disabled. Cron jobs used sessionTarget: "isolated" and payload.kind: "agentTurn". Provider retries/noise were also present in logs, but the key evidence in this report is takeover on cron-owned session files under /agents/cron/sessions.

Logs, screenshots, and evidence

Observed error: EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released.
Latest failing examples:
- /home/node/.openclaw/agents/cron/sessions/f1f8713e-b766-4b01-a6c2-489104a28854.jsonl
- /home/node/.openclaw/agents/cron/sessions/e4b8e1ce-0100-4d64-9bb0-5376655ac06c.jsonl
- /home/node/.openclaw/agents/cron/sessions/3b0fac23-a272-46c5-9679-2068a7df6055.jsonl
Node.js: v24.14.0

Impact and severity

Affected: cron-driven scheduled jobs in this deployment, including Feishu-facing cron workflows.
Severity: High for affected scheduled workflows because runs fail before completion.
Frequency: Intermittent but repeatedly observed across multiple cron runs.
Consequence: scheduled tasks do not complete reliably, and retries/mixed failures make diagnosis harder.

Additional information

This appears related to earlier EmbeddedAttemptSessionTakeoverError reports, but the key distinction here is that the newer repro occurs on cron-owned session files after cron was moved off main into a dedicated cron agent. A separate workspace/path issue also exists in this deployment, but that is not the root cause of this specific report.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 30, 2026, 11:56 AM ET / 15:56 UTC.

Summary
Keep open. Current main still has the dedicated isolated-cron session path and takeover guard machinery, but the report is newer than the shipped false-takeover fixes and I found no current-main change that identifies or fixes the cron-owned writer advancing the transcript during the released prompt lock.

Reproducibility: no. high-confidence local/live reproduction was established. The issue provides concrete beta logs and source confirms the exact failing guard is reachable when an unowned write changes the cron session file during prompt lock release, but the writer is not identified.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.

Next step
Needs maintainer or live-runtime investigation before automation because the session writer that advances the cron transcript during the released prompt lock is still unknown.

Review details

Best possible solution:

Trace the cron-owned session writer in a live or high-fidelity repro, then preserve dedicated cron session isolation while teaching the lock to recognize only the legitimate OpenClaw-owned write or removing the unexpected write source.

Do we have a high-confidence way to reproduce the issue?

No high-confidence local/live reproduction was established. The issue provides concrete beta logs and source confirms the exact failing guard is reachable when an unowned write changes the cron session file during prompt lock release, but the writer is not identified.

Is this the best way to solve the issue?

Unclear. Current main already implements the intended dedicated isolated-cron session path, so the best fix is not another isolation move but a targeted root-cause fix with live proof.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• The exact writer advancing the cron-owned transcript during prompt lock release is still unidentified; relaxing the guard without that proof could hide real concurrent session corruption.
• Related isolated-cron reports have overlapping symptoms but different failure modes, so this should not be collapsed into a duplicate until live logs show the same root cause.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 77761f4a3e39.

Label changes

Label justifications:

• P1: The report is a recent regression that intermittently breaks real scheduled cron workflows before completion.
• impact:session-state: The failure is specifically about cron-owned session transcript state changing during an embedded run lock window.

Evidence reviewed

What I checked:

• Issue evidence: The provided GitHub context reports OpenClaw 2026.5.28-beta.3 on Linux failing repeatedly with EmbeddedAttemptSessionTakeoverError on files under /agents/cron/sessions after cron was moved to a dedicated cron agent with sessionTarget="isolated".
• Current dedicated cron handoff: Current main resolves the job agent, derives a cron session key from sessionTarget or cron:, then calls runCronIsolatedAgentTurn with lane="cron". (src/gateway/server-cron.ts:357, 77761f4a3e39)
• Current isolated session creation: The isolated cron runner force-creates a fresh session for sessionTarget="isolated", derives the agent-scoped cron run session key, and persists the session entry before execution. (src/cron/isolated-agent/run.ts:550, 77761f4a3e39)
• Current takeover guard: The embedded attempt lock still throws EmbeddedAttemptSessionTakeoverError when the session file fingerprint changes while the prompt lock is released and the write is not recognized as owned or benign. (src/agents/embedded-agent-runner/run/attempt.session-lock.ts:702, 77761f4a3e39)
• Existing cron isolation coverage: Current tests prove isolated jobs use a dedicated cron: session key and do not pass main as the isolated-run session key, so the reported failure is not closeable by that already-covered behavior alone. (src/gateway/server-cron.test.ts:1065, 77761f4a3e39)
• Existing lock behavior coverage: The lock tests show an unowned append during prompt release triggers takeover while a recognized delivery mirror append is allowed, matching the narrow class of remaining investigation needed here. (src/agents/embedded-agent-runner/run/attempt.session-lock.test.ts:620, 77761f4a3e39)

Likely related people:

• Peter Steinberger: Blame on the current cron handoff, isolated-run session setup, and embedded takeover guard lines points to the recent current-main rewrite, and history also shows earlier isolated-cron runner phase work. (role: recent area contributor; confidence: medium; commits: 5660b6706230, bbb73d3171e5; files: src/gateway/server-cron.ts, src/cron/isolated-agent/run.ts, src/agents/embedded-agent-runner/run/attempt.session-lock.ts)
• Sam: Authored the prior isolated cron sessionFile persistence fix that touched the same isolated runner and session files. (role: adjacent bug-fix author; confidence: medium; commits: 50375ab31a98; files: src/cron/isolated-agent/run.ts, src/cron/isolated-agent/run-executor.ts, src/cron/isolated-agent/session.ts)
• Vincent Koc: Recent history shows multiple cron runtime seam and lazy-loading changes in the isolated cron runner area, which may be relevant to tracing runtime-owned writes. (role: recent cron runtime contributor; confidence: medium; commits: 28787985c4eb, a5980df10128, 21d850dd6656; files: src/cron/isolated-agent/run.ts, src/cron/isolated-agent/run-executor.ts)
• Daniel Alkurdi: Authored the isolated cron workspace preservation fix, relevant because this report specifically involves a dedicated cron agent with its own agentDir/session directory. (role: adjacent isolated-agent owner; confidence: low; commits: a1d484d87706; files: src/gateway/server-cron.ts, src/cron/isolated-agent/run.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[xuess]

For triage: this looks related to several existing EmbeddedAttemptSessionTakeoverError tracks, but not fully covered by the fixes that have already landed.

• Fix embedded session file ownership race #87159 is merged and appears to address the cross-lane / same-physical-session-file ownership race. It superseded earlier PRs such as fix(agents): guard session prompt ownership #85955 and fix(agents): file-scoped prompt-window guard for same-session embedded races #86067.
• Hoist withOwnedSessionTranscriptWrites ALS scope to span agent.prompt() to fix vanilla-openclaw same-lane fence trip #86572 and PR fix(agents): gate owned-write publish on pre-append fingerprint (#86572) #86584 remain open for the same-lane / own-write false-takeover path.
• cron announce delivery triggers EmbeddedAttemptSessionTakeoverError when user is actively chatting #84583 and PR fix(cron): skip delivery mirror for routed peer sessions to prevent session lock races #84603 remain open for the cron announce-delivery path that can mutate a routed peer session during an active chat.
• [Bug]: EmbeddedAttemptSessionTakeoverError causes silent message loss when session lock is released during API retries #87180 remains open for retry/reacquire windows during provider failures.
• EmbeddedAttemptSessionTakeoverError on all isolated agentTurn cron jobs #87417 is the closest sibling report: isolated agentTurn cron jobs still failing with the same error.

The distinguishing detail in this report is that the latest failures happen on cron-owned session files under /agents/cron/sessions even after cron was moved off main into a dedicated cron agent with its own agentDir. That seems closer to the still-open same-lane class in #86572 / #86584 than to the already-merged cross-lane fix in #87159, but it may also indicate an additional cron-specific path.

If helpful, I can provide a sanitized comparison between the older /agents/main/sessions failures and the newer /agents/cron/sessions failures.

[yetval]

Traced this on current main (3ff86f335020). The fence (attempt.session-lock.ts:702) only trips on a session-file change that's neither owned nor benign. Ruled out the usual suspects: the run's own writes publish as owned (attempt.ts:3016-3022), concurrent attempts are serialized by the session-file owner mutex (attempt.ts:1887, #87159), and the delivery mirror is benign (transcript.ts:234). The same-lane streamFn gap (#86572) is already covered by the full-prompt() ALS wrap.

So the writer is a different in-process lane appending a non-benign line to the cron run's own file during the released window — same shape as the gateway's out-of-band gateway-injected inject (chat-transcript-inject.ts:105), but with a model that isn't whitelisted.

To pin it: on a failing cron/sessions/<uuid>.jsonl, what are role/provider/model of the last appended line? If it's provider:"openclaw" with a non-whitelisted transcript model → benign-set gap; if it's a real provider line → a genuine second writer that should route through the attempt's owner. Either way the fix is to make that writer own its write, not to relax the guard.

[xuess]

Thanks, this is super helpful and aligns with what we’re seeing.

We’ll extract a failing cron/sessions/<uuid>.jsonl and share the last appended line metadata (role / provider / model) plus a sanitized tail snippet (last 3-5 lines).

Goal is to disambiguate exactly as you suggested:

• provider:"openclaw" + non-whitelisted transcript model => benign-set gap.
• real provider append => second writer bypassing owner path.

We’ll post that evidence in this thread shortly.

[xuess]

Here is the tail snippet of the failing cron/sessions/<uuid>.jsonl file as requested for debugging:

{"type":"message","id":"92e7aa9b","parentId":"807f8143","timestamp":"2026-06-02T00:05:08.567Z","message":{"role":"assistant","content":[{"type":"text","text":"Step 2 also missing. Continuing to step 3 — today is Tuesday, not Monday, so we skip the parenting reminder.\n\nStep 4 — wechat feeds:\n\n"},{"type":"toolCall","id":"019e85a5fa27bc9e027644d8145c7216","name":"exec","arguments":{"command":"python3 scripts/wechat-feeds.py 2>&1","workdir":"/home/node/.openclaw/workspace","timeout":120},"partialArgs":"{\"command\": \"python3 scripts/wechat-feeds.py 2>&1\", \"workdir\": \"/home/node/.openclaw/workspace\", \"timeout\": 120}"}],"api":"openai-completions","provider":"siliconflow","model":"deepseek-ai/DeepSeek-V4-Flash","usage":{"input":300,"output":130,"cacheRead":22272,"cacheWrite":0,"reasoningTokens":0,"totalTokens":22702,"cost":{"input":0,"output":0,"cacheRead":0,"cacheWrite":0,"total":0}},"stopReason":"toolUse","timestamp":1780358706405,"responseId":"019e85a5f55e8489540ab627bd9c96f7"}}
{"type":"message","id":"214c7214","parentId":"92e7aa9b","timestamp":"2026-06-02T00:05:08.604Z","message":{"role":"toolResult","toolCallId":"019e85a5fa27bc9e027644d8145c7216","toolName":"exec","content":[{"type":"text","text":"python3: can't open file '/home/node/.openclaw/workspace/scripts/wechat-feeds.py': [Errno 2] No such file or directory\n\n(Command exited with code 2)"}],"details":{"status":"completed","exitCode":2,"durationMs":24,"aggregated":"python3: can't open file '/home/node/.openclaw/workspace/scripts/wechat-feeds.py': [Errno 2] No such file or directory\n\n(Command exited with code 2)","cwd":"/home/node/.openclaw/workspace"},"isError":false,"timestamp":1780358708603}}