Stuck-session recovery aborts long-but-active agent runs at warnMs×3 (~6min) with misleading "Reply operation aborted by user" reason

[tehao999]

Summary

On 2026.5.27, stuck-session diagnostic recovery (recoverStuckDiagnosticSession) aborts legitimately long, actively-working agent runs (e.g. a claude-cli backend agent doing a deep review with thinking: max) once the run age reaches the default abort threshold: stuckSessionWarnMs (2 min) × STALLED_EMBEDDED_RUN_ABORT_WARN_MULTIPLIER (3) = 6 min. The abort surfaces as AbortError: "Reply operation aborted by user", which is misleading — no user action occurred.

Net effect: any agent turn that legitimately takes >6 min is killed before producing its final reply (channel records no_final / no delivery), so on a Feishu channel (and presumably others) the agent simply "never replies".

Environment

• OpenClaw 2026.5.27, macOS, launchd gateway
• Agent backend: claude-cli runtime (anthropic/claude-opus-4-8), thinkingDefault: max, doing long content-review turns (reads several files + greps + extended thinking)
• No diagnostics block configured (defaults)

Symptom

• Short turns (<~5 min) reply normally; long turns get cut at ~6 min with no final reply.
• Gateway log shows only:

  [agent/cli-backend] claude live session close: provider=claude-cli model=... reason=abort
  feishu[...]: dispatch complete (queuedFinal=false, replies=0)
  

  No timeout text ("produced no output" / "exceeded timeout"), no channel error — very hard to diagnose from logs alone.

Root cause (captured)

Tracing AbortController.prototype.abort in the gateway process, the abort at ~6 min into the run was:

reason = AbortError: "Reply operation aborted by user"
  at abortInternally               (reply-run-registry-*.js)
  at abortWithReason               (reply-run-registry)
  at abortByUser                   (reply-run-registry)
  at abortReplyRunBySessionId      (reply-run-registry)
  at abortEmbeddedPiRun            (runs-*.js)
  at abortAndDrainEmbeddedPiRun    (runs)
  at recoverStuckDiagnosticSession (diagnostic-stuck-session-recovery.runtime-*.js)
  at                               (diagnostic-*.js)

Threshold math (diagnostic-*.js): with no config, resolveStalledEmbeddedRunAbortMs(120000) = max(MIN_STALLED_EMBEDDED_RUN_ABORT_MS 5min, 120000 × 3) = 360000 = exactly 6 min, matching the observed kill time (+ STUCK_SESSION_ABORT_SETTLE_MS 15s settle).

Two distinct problems

1. Active work misclassified as stalled. A single long model_call / embedded_run still actively producing tokens/tool calls (just without frequent "visible progress" deltas) is treated as stuck and aborted. In our capture, the CLI had emitted output only ~18 s before the abort (largest silent gap in the entire run was ~145 s) — clearly not hung. Stuck recovery should not abort a run whose underlying CLI/model is still actively streaming output.

2. Misleading abort reason. Recovery aborts via abortByUser() → AbortError: "Reply operation aborted by user". This is automatic recovery, not a user action; the reason made root-causing very hard (looks like a user cancel, not a timeout/recovery). Please surface an accurate reason such as stuck_session_recovery.

Regression

Did not happen on 2026.5.5 (its recovery runtime is ~86 lines, no abortEmbeddedPiRun / multiplier / stuckSessionAbortMs). The abort-of-active-runs path was added/expanded in 2026.5.12 (added diagnostics.stuckSessionAbortMs, outcome-driven recovery) and 2026.5.17 (abort active embedded runs on stale native tool call). Upgrading 5.5 → 5.27 introduced it.

Workaround

"diagnostics": { "stuckSessionAbortMs": 1800000 }

(Adding the top-level diagnostics object is not hot-reloadable — it triggers a full gateway restart to apply.)

Suggested fixes

• Don't abort a run as "stuck" while its CLI/model is still actively producing output (gate on output liveness, not just age / coarse progress).
• Use a truthful abort reason (e.g. stuck_session_recovery) instead of "Reply operation aborted by user".
• Document diagnostics.stuckSessionWarnMs / stuckSessionAbortMs and the default derivation (warnMs × 3, min 5 min) so the effective ~6 min cap on long agent turns is discoverable.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 31, 2026, 10:33 PM ET / 02:33 UTC.

Summary
Keep open: current main and v2026.5.28 appear to fix the active-progress liveness part and document the diagnostics thresholds, but the automatic recovery path can still fall through to abortByUser() for reply-run-only active work, so the misleading user-abort reason remains a narrow valid bug.

Reproducibility: no. high-confidence live current-main reproduction was run. Source and tests show active progress now prevents recovery, while source still shows the reply-run fallback can surface automatic aborts through the user-abort path.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.

Next step
A repair worker can attempt the narrow remaining abort-reason propagation without changing diagnostics thresholds or adding config.

Review details

Best possible solution:

Keep the v2026.5.28 liveness behavior, then add a narrow fix that lets diagnostic recovery pass an explicit stuck_recovery reason through embedded/reply-run abort paths with focused regression coverage.

Do we have a high-confidence way to reproduce the issue?

No high-confidence live current-main reproduction was run. Source and tests show active progress now prevents recovery, while source still shows the reply-run fallback can surface automatic aborts through the user-abort path.

Is this the best way to solve the issue?

No, the current state is only a partial solution. The maintainable finish is to preserve the liveness fix and thread an explicit recovery abort reason through the existing abort APIs rather than adding another config workaround.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• No live Feishu or claude-cli reproduction was run in this read-only sweep, so the active-run fix is source/test/release-proven rather than live-proven here.
• The remaining abortReplyRunBySessionId() fallback can still report an automatic recovery abort as a user abort unless the abort reason is threaded through that API.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 4932391e8a78.

Label changes

Label changes:

• add P2: The issue reports a real no-final-reply regression, but current release code already appears to cover the active-progress cutoff and the remaining work is a bounded diagnostic/recovery bug.
• add impact:message-loss: The reported failure mode is a long agent turn being aborted before any final channel reply is delivered.
• add impact:session-state: The affected surface is stuck-session recovery, active embedded-run state, and session-lane recovery behavior.
• add issue-rating: 🐚 platinum hermit: Current issue advisory state selects this label.
• add clawsweeper:needs-live-repro: Current issue advisory state selects this label.

Label justifications:

• P2: The issue reports a real no-final-reply regression, but current release code already appears to cover the active-progress cutoff and the remaining work is a bounded diagnostic/recovery bug.
• impact:message-loss: The reported failure mode is a long agent turn being aborted before any final channel reply is delivered.
• impact:session-state: The affected surface is stuck-session recovery, active embedded-run state, and session-lane recovery behavior.

Evidence reviewed

Acceptance criteria:

• node scripts/run-vitest.mjs src/auto-reply/reply/reply-run-registry.test.ts
• node scripts/run-vitest.mjs src/agents/embedded-agent-runner/runs.test.ts src/logging/diagnostic-stuck-session-recovery.runtime.test.ts
• node scripts/run-vitest.mjs src/logging/diagnostic.test.ts

What I checked:

• Active model-call liveness is covered on current main: Current tests assert that recent model_call:stream_progress prevents session.recovery.requested and leaves the run active instead of aborting it. (src/logging/diagnostic.test.ts:707, 4932391e8a78)
• Streaming model chunks refresh diagnostic progress: Current model-call diagnostics refresh in-memory progress for every stream chunk and throttle only the emitted diagnostic event, which directly addresses active streaming being treated as stale. (src/agents/embedded-agent-runner/run/attempt.model-diagnostic-events.ts:188, 4932391e8a78)
• Claude live CLI output and tools now mark progress: Claude live-session output emits cli_live:stream_progress, and active native tools emit periodic cli_live:tool_running progress, matching the reported claude-cli active-output scenario. (src/agents/cli-runner/claude-live-session.ts:571, 4932391e8a78)
• Diagnostics threshold docs are present: The docs now explain session.long_running, session.stalled, session.stuck, and the default stuckSessionAbortMs derivation as at least 5 minutes and 3x the warning threshold. Public docs: docs/concepts/agent-loop.md. (docs/concepts/agent-loop.md:168, 4932391e8a78)
• Remaining misleading abort reason path: abortEmbeddedAgentRun() still falls back to abortReplyRunBySessionId(), and that helper still calls operation.abortByUser(), which creates AbortError: Reply operation aborted by user. (src/auto-reply/reply/reply-run-registry.ts:541, 4932391e8a78)
• Latest release includes the liveness/docs improvements: The v2026.5.28 tag contains the stream-progress liveness code and the session-liveness docs, so the active-run cutoff part appears shipped rather than current-main-only. (src/agents/embedded-agent-runner/run/attempt.model-diagnostic-events.ts:85, e93216080aa1)

Likely related people:

• steipete: Authored the related stuck-session abort experiment pull request and is also on recent release/current-main commits that prove the shipped/current state. (role: feature-history contributor; confidence: medium; commits: de4e1940fd38, e93216080aa1, 4932391e8a78; files: src/logging/diagnostic.ts, src/logging/diagnostic-stuck-session-recovery.runtime.ts, docs/concepts/agent-loop.md)
• litang9: Opened the related model-call stalled-warning pull request with runtime proof and tests around the same diagnostic classification surface. (role: recent adjacent contributor; confidence: medium; commits: ec768e41839b; files: src/logging/diagnostic.ts, src/logging/diagnostic.test.ts)
• Alix-007: Local shallow blame maps the current liveness/docs implementation to commit 909c24e, so this is a weak but concrete checkout-history signal for the currently visible code. (role: current source provenance; confidence: low; commits: 909c24e3b70d; files: src/agents/embedded-agent-runner/run/attempt.model-diagnostic-events.ts, src/logging/diagnostic.test.ts, docs/concepts/agent-loop.md)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[abhinas90]

This sounds like a process lifecycle / session management failure, not just a one-off memory bug.

Here's a diagnostic matrix to narrow it down:

1. Check if it's single-session vs. cross-session accumulation

ps aux | grep claude | awk '{print $2, $4, $6}' >> /tmp/claude-mem.log
# Run your workload, then check if RSS grows linearly per task or exponentially over sessions

2. Identify zombie processes (most common cause of phantom memory growth)

ps aux | grep defunct
# If you see [claude] <defunct>, the parent isn't reaping children
# Known issue in some v1.x betas — check your CLI version

3. Session isolation test

for i in $(seq 1 5); do
  claude --print "hello world" && sleep 2
done
ps aux | grep claude
# If memory after 5 is significantly > after 1, it's accumulation

4. Quick mitigation while waiting for a patch
If you're hitting this in automated workflows, wrap sessions with a watchdog:

timeout 300 claude ... || kill -9 $(pgrep -f claude)

I maintain production agent fleets (OpenClaw) and have a hardening checklist for session pooling, resource limits, and monitoring hooks if that would help.