Bug: resuming a session with a corrupted header line silently wipes the entire transcript (data loss)

[yetval]

Summary

Resuming a session whose first line (the header) is corrupted/partially written causes the entire on-disk transcript to be silently destroyed. The file is truncated to a single fresh session header (with a brand-new id), and every persisted user/assistant message is permanently lost.

This is reachable from any crash, partial write, or disk-full condition that leaves the header line truncated — the header is the first line written to the file, so an interrupted initial flush corrupts exactly the line this code path is fragile to.

• Impact: data loss (full conversation history wiped on resume)
• Affected commands: openclaw --session <file>, --continue, and any resume path through SessionManager.open() / setSessionFile()
• Version audited: main @ 0b5be66e

Root cause

loadEntriesFromFile() (src/agents/sessions/session-manager.ts:384) silently skips unparseable lines, then validates only the first successfully parsed entry:

// src/agents/sessions/session-manager.ts ~384-415
const lines = content.trim().split("\n");
for (const line of lines) {
  if (!line.trim()) continue;
  try {
    entries.push(JSON.parse(line) as FileEntry);
  } catch {
    // Skip malformed lines   <-- a corrupt header line is dropped here
  }
}
if (entries.length === 0) return entries;
const header = entries[0];                       // now the first *message*, not the header
if (header.type !== "session" || typeof header.id !== "string") {
  return [];                                     // => treated as "empty/corrupt"
}

If the header line is corrupt it gets skipped, entries[0] becomes the first message, the header check fails, and the function returns [].

setSessionFile() then treats [] as empty/corrupt and overwrites the file:

// src/agents/sessions/session-manager.ts ~723-735
this.fileEntries = loadEntriesFromFile(this.sessionFile);
// If file was empty or corrupted (no valid header), truncate and start fresh
if (this.fileEntries.length === 0) {
  const explicitPath = this.sessionFile;
  this.newSession();
  this.sessionFile = explicitPath;
  this.rewriteFile();        // <-- truncates the file to a single fresh header
  this.flushed = true;
  return;
}

The intent ("recover from a genuinely empty file") is reasonable, but it cannot distinguish "empty file" from "intact conversation whose header line happens to be corrupt", and it destroys the latter.

Reproduction

Standalone vitest against pristine main:

import { mkdtempSync, readFileSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";
import { describe, expect, it } from "vitest";
import { SessionManager } from "./session-manager.js";

describe("corrupt header line on resume wipes history", () => {
  it("truncates the whole transcript to a fresh header", () => {
    const dir = mkdtempSync(join(tmpdir(), "oc-F-"));
    const file = join(dir, "2026-01-01T00-00-00-000Z_sess.jsonl");
    const header = { type: "session", version: 3, id: "sess-corrupt", timestamp: "2026-01-01T00:00:00.000Z", cwd: "/tmp/cwd" };
    const u = { type: "message", id: "u0000001", parentId: null, timestamp: "2026-01-01T00:00:01.000Z", message: { role: "user", content: [{ type: "text", text: "important question" }] } };
    const a = { type: "message", id: "a0000001", parentId: "u0000001", timestamp: "2026-01-01T00:00:02.000Z", message: { role: "assistant", content: [{ type: "text", text: "valuable answer" }] } };

    // Crash-truncated FIRST line (header), conversation otherwise intact:
    writeFileSync(file, `${JSON.stringify(header).slice(0, 30)}\n${JSON.stringify(u)}\n${JSON.stringify(a)}\n`);

    SessionManager.open(file);

    const text = readFileSync(file, "utf8");
    expect(text).toContain("important question"); // FAILS
    expect(text).toContain("valuable answer");     // FAILS
  });
});

Observed (main @ 0b5be66e)

before: 3 lines  [corrupt-header, user-msg, assistant-msg]
after:  1 line   [{"type":"session","version":3,"id":"019e8296-..."}]   // new id, both messages gone

Expected

Resuming must never destroy persisted messages. A file with a recoverable body should not be silently overwritten.

Suggested direction

• Don't truncate when the file is non-empty-on-disk but only fails header validation. Options:
  • Back up the original file (e.g. *.corrupt-<ts>.jsonl) before any rewrite, so history is recoverable.
  • Attempt header recovery: if a type:"session" entry exists anywhere in the parsed entries, use it instead of requiring it at index 0; or synthesize a header and prepend it, preserving the existing message lines.
  • Only take the "fresh start" path when the raw file is genuinely empty (0 bytes / no parseable lines), not merely "no valid header at line 0".

Happy to send a PR with a fix + the regression test above.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 1, 2026, 5:57 AM ET / 09:57 UTC.

Summary
Keep open: current main still has the reported data-loss path. A malformed first JSONL header is skipped, the remaining message entries fail header validation, and resume rewrites the non-empty transcript to a new session header.

Reproducibility: yes. there is a high-confidence source reproduction path: a non-empty JSONL with a malformed first line and valid message rows makes loadEntriesFromFile return [], after which setSessionFile rewrites the file. I could not execute the supplied Vitest in this checkout because dependencies are absent.

Next step
This is a narrow, source-proven data-loss bug with clear files and a focused regression path.

Review details

Best possible solution:

Make resume distinguish a genuinely empty/missing transcript from a non-empty invalid-header transcript, preserve the original body, and add regression coverage for corrupted first-line headers.

Do we have a high-confidence way to reproduce the issue?

Yes, there is a high-confidence source reproduction path: a non-empty JSONL with a malformed first line and valid message rows makes loadEntriesFromFile return [], after which setSessionFile rewrites the file. I could not execute the supplied Vitest in this checkout because dependencies are absent.

Is this the best way to solve the issue?

No, current main is not the best solution because it collapses empty and invalid-nonempty transcripts into the same truncate-and-start-fresh path. A narrow fix should preserve non-empty files and either fail with an actionable error or repair/prepend a safe header with tests.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• I did not run the supplied Vitest locally because this read-only checkout has no node_modules/tsx installed; the current source path is still sufficient to prove the failure mode.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 75ebf1c870e1.

Label changes

Label changes:

• add P0: The issue reports and current source supports full persisted transcript loss when resuming a non-empty corrupted session file.
• add impact:data-loss: The affected path overwrites previously persisted user and assistant messages in the session JSONL.
• add impact:session-state: The bug changes the session id and destroys the persisted conversation state used for resume.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P0: The issue reports and current source supports full persisted transcript loss when resuming a non-empty corrupted session file.
• impact:data-loss: The affected path overwrites previously persisted user and assistant messages in the session JSONL.
• impact:session-state: The bug changes the session id and destroys the persisted conversation state used for resume.

Evidence reviewed

Acceptance criteria:

• node scripts/run-vitest.mjs run src/agents/sessions/session-manager.test.ts
• node scripts/run-vitest.mjs run src/agents/session-file-repair.test.ts

What I checked:

• Current parser drops malformed header and returns empty for first parsed message: loadEntriesFromFile skips unparseable lines, then returns [] when the first successfully parsed entry is not a session header, matching the reported corrupt-header flow. (src/agents/sessions/session-manager.ts:384, 75ebf1c870e1)
• Resume path rewrites when loader returns empty: setSessionFile treats fileEntries.length === 0 as empty/corrupt, creates a new session, preserves the explicit path, and calls rewriteFile(). (src/agents/sessions/session-manager.ts:720, 75ebf1c870e1)
• Rewrite truncates the transcript: rewriteFile() delegates to writeJsonlEntriesSync, which uses writeFileSync; that replaces the existing file content rather than preserving body rows. (src/agents/sessions/session-manager.ts:799, 75ebf1c870e1)
• Affected entry points use SessionManager.open: SessionManager.open reloads the file through loadEntriesFromFile and constructs a persistent manager; switch/import/CLI paths call this entry point for resume-style behavior. (src/agents/sessions/session-manager.ts:1316, 75ebf1c870e1)
• Existing repair helper does not cover missing first header: repairSessionFileIfNeeded also requires the first parsed entry to be a valid session header and returns invalid session header, so existing repair coverage does not make this issue implemented. (src/agents/session-file-repair.ts:373, 75ebf1c870e1)
• Duplicate search found no canonical corrupt-header item: GitHub issue search for the exact corrupt-header/session-manager terms returned this issue plus related but distinct transcript/session items, not a merged fix or open canonical owner for this header-loss path.

Likely related people:

• steipete: Recent GitHub history for src/agents/sessions/session-manager.ts shows steipete authored/merged the runtime-internalization PR that established the current file path and made the latest area cleanup commits. (role: recent area contributor and merger; confidence: medium; commits: bb46b79d3c14, deb7bc653935, b9fe0894a6da; files: src/agents/sessions/session-manager.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[yetval]

Heads-up for triage: PR #89050 is linked as "Closes #89037", but it does not fix the data-loss path reported here — merging it as-is would auto-close this issue while the bug remains.

Where the truncation actually happens

The real resume path (attempt.ts:1961) is SessionManager.open(sessionFile) setSessionFile() loadEntriesFromFile() returns [] for a corrupt header the "empty or corrupted" branch calls this.rewriteFile() and truncates the file. This is in src/agents/sessions/session-manager.ts (:384, :725-735) and runs before prepareSessionManagerForRun (attempt.ts:2023), which is the only thing PR #89050 guards.

Source repro (still fails on the PR branch ffb09b97)

import { mkdtempSync, readFileSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";
import { SessionManager } from "./session-manager.js";

const dir = mkdtempSync(join(tmpdir(), "oc-"));
const file = join(dir, "2026-01-01T00-00-00-000Z_sess.jsonl");
const header = { type: "session", version: 3, id: "sess-corrupt", timestamp: "2026-01-01T00:00:00.000Z", cwd: "/tmp/cwd" };
const u = { type: "message", id: "u0000001", parentId: null, timestamp: "2026-01-01T00:00:01.000Z", message: { role: "user", content: [{ type: "text", text: "important question" }] } };
const a = { type: "message", id: "a0000001", parentId: "u0000001", timestamp: "2026-01-01T00:00:02.000Z", message: { role: "assistant", content: [{ type: "text", text: "valuable answer" }] } };

// crash-truncated FIRST line (header); rest of conversation intact
writeFileSync(file, `${JSON.stringify(header).slice(0, 30)}\n${JSON.stringify(u)}\n${JSON.stringify(a)}\n`);
SessionManager.open(file); // == what attempt.ts:1961 does on resume
console.log(readFileSync(file, "utf8")); // expect both messages; got a single fresh header

Result on both main (0b5be66e) and PR branch (ffb09b97):

before: 3 lines [corrupt-header, user-msg, assistant-msg]
after: 1 line {"type":"session","version":3,"id":"019e82c7-…"} // new id, both messages gone

(PR #89050's own regression test passes because it builds a fake sessionManager object literal and never goes through SessionManager.open()/setSessionFile().)

Suggested fix

Guard inside setSessionFile()'s empty/corrupt branch where the data is still intact: don't truncate a non-empty file that merely fails header validation; back up the original bytes before any rewrite; recover a type:"session" header from anywhere in the file (or synthesize+prepend one, keeping the message lines); only take the fresh-start path for a genuinely empty (0-byte / no-parseable-lines) file. A faithful regression should drive SessionManager.open(corruptFile).

Full details left on the PR: #89050 (comment).

[steipete]

Fixed on main by PR #89050, squash commit 2c48dd227734bf0d1e94ec08db014a22e20178bb.

Proof:

• Corrupt-header transcripts are backed up and recovered into valid active JSONL before resume/run prep can rewrite the file.
• Recovered user-only transcripts are preserved through run prep and can append the first assistant message without dropping the user row.
• Local focused tests, prod typecheck, test typecheck, lint, diff check, and maintainer autoreview passed.
• GitHub Real behavior proof passed on run https://github.com/openclaw/openclaw/actions/runs/26814603460.

No related open duplicates found in the local issue/PR cache for the corrupt session header resume data-loss terms.