EmbeddedAttemptSessionTakeoverError fires at ~120s on long Bedrock streams (fence whitelist too narrow?)

[swiser-nexa]

Summary

EmbeddedAttemptSessionTakeoverError ("session file changed while embedded prompt lock was released") fires consistently around the 120s mark on long Bedrock streaming runs, killing the turn even though no other agent or runner is touching the session. The fence's benign-rewrite whitelist appears too narrow for legitimate concurrent writes that happen during normal streaming + delivery flows.

Environment

• OpenClaw: 2026.5.22 (npm install, host Linux 6.17 x64, node v24.14.0)
• Bedrock provider: @openclaw/amazon-bedrock-provider 2026.5.22
• Model: amazon-bedrock/zai.glm-5 via bedrock-converse-stream API
• Channels: Slack DM (socket mode), GitHub webhook → /hooks/github-engineering, cron-nested isolated agentTurns
• Lanes affected: main, cron-nested, session:agent:main:slack:direct:<user>:thread:<ts>

Reliable repro pattern

1. Long Slack DM session with multiple exec + gh tool calls.
2. After the last tool result, the model needs to compose a long final reply (≥ ~120s of streaming).
3. At ~120s after the last toolResult, the runtime writes an empty provider:"amazon-bedrock" model:"zai.glm-5" assistant entry and throws EmbeddedAttemptSessionTakeoverError.

Failure timestamps observed (same session, two distinct user messages):

• Run 1: last toolResult 21:44:02.xxx, empty assistant + throw at 21:46:02.573 (durationMs ~129017).
• Run 2: last toolResult 22:02:48.xxx, empty assistant + throw at 22:04:48.944 (durationMs ~151455).

Same error type also fires from cron-nested lanes and from the github-engineering hook agentTurns running on completely different sessionFiles.

What the code path looks like

• dist/pi-embedded-CsSFzly6.js:159 — enqueueCommandInLane(sessionLane, () => enqueueGlobal(...)) — the two simultaneous lane errors per failure are the same single failure unwinding nested lanes (sessionLane outer, globalLane inner), not two writers.
• dist/selection-hR-AeOeU.js:7998 — TRANSCRIPT_ONLY_OPENCLAW_ASSISTANT_MODELS = new Set(["delivery-mirror","gateway-injected"]). Anything else flips takeoverDetected = true.
• dist/selection-hR-AeOeU.js:8086/8097 — sessionFenceAdvanceIsBenign / sessionFenceRewriteIsBenign only allow lines whose model is in that whitelist.
• dist/selection-hR-AeOeU.js:8210 — class EmbeddedAttemptSessionTakeoverError; thrown at :8324/:8387/:8440/:8530.

The failure stub written at the takeover moment has provider:"amazon-bedrock", model:"zai.glm-5" — i.e. the very record the runtime writes itself when the prompt lock is released — but on reacquire that line is treated as foreign.

Hypothesis

One of these (in order of likelihood) is writing during the prompt-lock-released window and tripping the fence:

1. Streaming partial assistant deltas being persisted mid-prompt by the chat handler (dist/chat-zFy9Y_4Y.js:1351 fs.writeFileSync(params.transcriptPath, ...)).
2. Delivery-mirror writers running on a different lane (dist/deliver-WPtVqUMT.js:1287, dist/run-delivery.runtime-B3LSluU0.js:366, dist/message-action-runner-B4oH5EYj.js:908) — but those use model:"delivery-mirror" which IS whitelisted, so probably not these.
3. The runtime's own failure-stub writer racing with the fence reacquire.

Suggested fixes

• Extend the benign-rewrite whitelist to recognise the runtime's own failure stubs (e.g. empty-content assistant lines whose runId matches the still-active attempt).
• Or: scope the fence check to lines written after lock release with a different runId, not "any line that doesn't match the whitelist".
• Or: surface a config-level escape hatch to relax the fence per agent (agents.<id>.session.fenceMode = "warn" | "strict").

Mitigation we applied locally

Not a fix, just headroom:

OPENCLAW_SESSION_WRITE_LOCK_ACQUIRE_TIMEOUT_MS=120000  # was 60000
OPENCLAW_SESSION_WRITE_LOCK_MAX_HOLD_MS=600000          # was 300000

These help when the lock is the contention point. They don't address the fence whitelist itself.

Logs / artefacts available on request

• Full session jsonl + trajectory (Slack DM session 0b213e58-...) showing both failures.
• Gateway logs around 21:46:02 and 22:04:48 UTC.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 1, 2026, 7:55 PM ET / 23:55 UTC.

Summary
Keep open. Current main has owned-write and diagnostic-timeout improvements, but the Bedrock provider assistant-stub path is not proven fixed; the fence whitelist still excludes provider/model assistant lines and the related 120s stalled-run family remains open.

Reproducibility: no. live current-main reproduction was established. The issue gives a detailed production pattern, and source inspection shows the provider/model assistant line is not benign-whitelisted, but Bedrock/Slack long-stream proof is still missing.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.

Next step
Manual review is needed because the repair changes a session takeover safety boundary and overlaps the open 120s stalled-run product decision in #85826.

Review details

Best possible solution:

Make the session fence recognize only proven OpenClaw-owned prompt-stream or failure-stub writes, add Bedrock/long-stream regression coverage, and avoid a broad per-agent fence-mode config unless maintainers explicitly choose that safety tradeoff.

Do we have a high-confidence way to reproduce the issue?

No live current-main reproduction was established. The issue gives a detailed production pattern, and source inspection shows the provider/model assistant line is not benign-whitelisted, but Bedrock/Slack long-stream proof is still missing.

Is this the best way to solve the issue?

Unclear. Current main's owned-write path is a plausible foundation, but the best fix should be a narrow session-fence ownership repair with regression coverage, not the broad per-agent warn/strict config escape hatch as the default answer.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• The report is against OpenClaw 2026.5.22 while current main has unreleased owned-write and stalled-abort changes, so live Bedrock/Slack proof is still needed before choosing the exact repair.
• Relaxing the session fence too broadly could mask a real session takeover, so the fix needs a clear owned-write contract rather than a broad whitelist or default warn-only mode.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1ed7692d2fac.

Label changes

Label changes:

• add P1: The report describes real Slack, GitHub hook, and cron agent turns failing mid-response with session takeover and lost user-visible replies.
• add impact:message-loss: The turn dies before final delivery, leaving channel sessions without the expected response.
• add impact:session-state: The failure is a session-fence takeover while the embedded prompt lock is released.
• add issue-rating: 🐚 platinum hermit: Current issue advisory state selects this label.
• add clawsweeper:needs-live-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.
• add clawsweeper:needs-product-decision: Current issue advisory state selects this label.

Label justifications:

• P1: The report describes real Slack, GitHub hook, and cron agent turns failing mid-response with session takeover and lost user-visible replies.
• impact:session-state: The failure is a session-fence takeover while the embedded prompt lock is released.
• impact:message-loss: The turn dies before final delivery, leaving channel sessions without the expected response.

Evidence reviewed

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/embedded-agent-runner/run/attempt.session-lock.test.ts
• node scripts/run-vitest.mjs src/logging/diagnostic.test.ts
• Live or Crabbox/Testbox Bedrock long-stream proof through a Slack DM or equivalent gateway session with redacted transcript and gateway logs

What I checked:

• session fence whitelist: Current main only treats openclaw assistant transcript lines with delivery-mirror or gateway-injected models as benign, so amazon-bedrock assistant entries do not match this fallback whitelist. (src/agents/embedded-agent-runner/run/attempt.session-lock.ts:50, 1ed7692d2fac)
• takeover throw path: When the file change is neither a recorded owned write nor a benign append/rewrite, the controller marks takeover and throws EmbeddedAttemptSessionTakeoverError. (src/agents/embedded-agent-runner/run/attempt.session-lock.ts:704, 1ed7692d2fac)
• owned prompt-write path exists: Prompt streaming is wrapped in withOwnedSessionTranscriptWrites, which may cover some legitimate in-process appends, but that does not prove the reported Bedrock empty assistant/failure-stub path is covered. (src/agents/embedded-agent-runner/run/attempt.session-lock.ts:1026, 1ed7692d2fac)
• Bedrock assistant shape: The Bedrock stream initializes assistant output with provider: model.provider and model: model.id, matching the reporter's provider/model assistant-stub description rather than the OpenClaw transcript-only whitelist. (extensions/amazon-bedrock/stream.runtime.ts:62, 1ed7692d2fac)
• coverage gap: Existing session-lock tests cover delivery-mirror benign appends and owned prompt-stream appends, but the inspected coverage does not exercise a Bedrock/provider-model empty assistant or long-stream fence reacquire case. (src/agents/embedded-agent-runner/run/attempt.session-lock.test.ts:637, 1ed7692d2fac)
• diagnostic timing contract: Current main still uses a 120s default warning threshold, but abort-drain defaults to at least five minutes and 3x the warning threshold, so a 120s takeover remains suspicious. (src/logging/diagnostic.ts:75, 1ed7692d2fac)

Likely related people:

• Vincent Koc: Current blame and recent history tie the session fence, diagnostics constants, and Bedrock stream files in this checkout to c9d35c7172d3df970f82a7cbf476ccc6cf26199c; the broad commit subject makes exact ownership medium-confidence. (role: recent area contributor; confidence: medium; commits: c9d35c7172d3; files: src/agents/embedded-agent-runner/run/attempt.session-lock.ts, src/logging/diagnostic.ts, extensions/amazon-bedrock/stream.runtime.ts)
• Peter Steinberger: Earlier diagnostics commits added and hot-reloaded the stuck-session warning configuration that overlaps the reported 120s timing behavior. (role: diagnostics history contributor; confidence: medium; commits: 41cc46bbb41c, 68832f203e88; files: src/logging/diagnostic.ts, src/config/zod-schema.ts, src/config/schema.help.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[osolmaz]

Your diagnosis is right — the whitelist (TRANSCRIPT_ONLY_OPENCLAW_ASSISTANT_MODELS) is too narrow, and this is one instance of a wider class: OpenClaw-owned writes during the released prompt lock that the fence fails to recognize as owned. The durable fix is the session/transcript SQLite migration tracked in #88838 (single-writer transactional store; the file-fingerprint fence is deleted — already absent on josh/transcript-sqlite-migration). Cluster map with all related issues/PRs and the proposed fix condition: #88838 (comment)