Atomic write helper leaks orphan `.tmp` files; gateway never sweeps them (51 GB observed in the wild)

[gideonblaauw-creator]

TL;DR

src/infra/json-files.ts writes JSON atomically via <path>.<UUID>.tmp → rename. If the process dies between writeFile and rename (SIGKILL, OOM kill, hard shutdown, system sleep at the wrong moment), the finally block never runs and the .tmp is orphaned. There is no startup sweep, so orphans accumulate forever.

On one production user's machine (running an openclaw-gateway.service for ~3 months), this leaked 8,662 orphan files = 51 GB in ~/.openclaw/agents/main/sessions/. The current sessions.json was a healthy 54 MB. The 51 GB was 100% orphans matching sessions.json.<UUID>.tmp.

Reproduction (the leak)

1. Run openclaw-gateway as a long-lived service that frequently rewrites sessions.json (default behavior on an active agent).
2. Anything that hard-kills the process between fs.writeFile(tmp, ...) and fs.rename(tmp, filePath) orphans the tmp:
   • Force-quit / Activity Monitor → Force Quit
   • System sleep that hits the gateway at exactly the wrong moment
   • OOM kill
   • kill -9 (e.g. from a watchdog or restart script)
3. The tmp file is left behind. No code path ever removes it.
4. Over months and thousands of writes, this compounds catastrophically — each tmp is roughly the same size as sessions.json itself (50+ MB in heavy agents).

Diagnose on any host:
```bash
find ~/.openclaw -name 'sessions.json..tmp' -type f | wc -l
du -sh ~/.openclaw/agents//sessions
```

Root cause

src/infra/json-files.ts lines 27-57:

```ts
export async function writeTextAtomic(filePath, content, options) {
// ...
const tmp = `${filePath}.${randomUUID()}.tmp`;
try {
await fs.writeFile(tmp, payload, ...);
// ...
await fs.rename(tmp, filePath); // <-- if SIGKILL hits between writeFile and rename...
// ...
} finally {
await fs.rm(tmp, { force: true }).catch(() => undefined); // <-- ...this never runs
}
}
```

The in-process `finally` cleanup is correct, but the JS runtime cannot run `finally` blocks when the process is hard-killed.

Note: `src/infra/fs-safe.ts:310` and `src/config/io.ts:1291` already use a better naming convention (`${name}.${process.pid}.${randomUUID()}.tmp`, sometimes with a leading dot) — but `json-files.ts` is on the older pattern.

Proposed fixes

Fix A — startup sweep (minimum viable)

When the gateway boots (or when the session store first loads), sweep the directory:

```ts
// Pseudocode for somewhere in src/gateway/boot.ts or session-utils.ts init
import { glob } from "node:fs/promises"; // or use fs.readdir + filter
import fs from "node:fs/promises";

async function sweepOrphanTmpFiles(sessionsDir: string, maxAgeMs = 60 * 60_000) {
const entries = await fs.readdir(sessionsDir).catch(() => []);
const now = Date.now();
for (const name of entries) {
if (!name.endsWith(".tmp") || !name.includes("sessions.json.")) continue;
const p = path.join(sessionsDir, name);
const stat = await fs.stat(p).catch(() => null);
if (!stat) continue;
if (now - stat.mtimeMs > maxAgeMs) {
await fs.rm(p, { force: true }).catch(() => undefined);
}
}
}
```

Run this once on gateway boot. `maxAgeMs = 1h` ensures we never delete a tmp belonging to a currently-in-flight write.

Fix B — periodic sweep (defense in depth)

The existing `session-reaper.ts` has a perfect throttled-sweep pattern. Adding a parallel tmp-file sweep that runs on the same cron timer tick would catch leaks from long-running gateways that never restart.

Fix C — include pid in the tmp name (consistency)

Other call sites in the codebase already do this (`fs-safe.ts:310`, `config/io.ts:1291`). Adopting the same convention in `json-files.ts` would:

1. Make it possible to identify orphans from previous process generations vs. current
2. Allow a safer sweep predicate (`pid not in active PIDs`) without time-based heuristics

Why this matters

51 GB on a 245 GB MacBook is a full-disk-wedge event. The user's only signal is "my Mac is full" — they have no reason to suspect openclaw because the user-facing data (sessions.json) looks fine. We diagnosed it only by walking down from `du -sh ~/.openclaw`.

Happy to draft a PR if a maintainer can point to the preferred call site for the sweep (boot.ts? session-utils.ts module init?).

Environment

• openclaw release channel: `OPENCLAW_SERVICE_VERSION=2026.3.23-1`
• Host: macOS, gateway running as user service (`openclaw-gateway.service`)
• Detected: 2026-06-02

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 2, 2026, 12:06 PM ET / 16:06 UTC.

Summary
Keep open: current main shipped the important session-store temp classification work, but the reported automatic Gateway cleanup gap remains because default Gateway startup/read paths do not sweep stale sessions.json.*.tmp files and disk-budget cleanup only runs when a disk budget is configured.

Reproducibility: no. runtime hard-kill reproduction was run in this read-only review. The source path is high-confidence: an interrupted atomic rename can leave a temp file, and current main only reclaims stale temps through explicit cleanup or configured disk-budget paths.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.
• Include redacted logs or terminal output.

Next step
This is a narrow repair candidate because the matcher, stale window, and explicit cleanup function already exist; the remaining work is wiring a safe automatic path and tests.

Review details

Best possible solution:

Add a narrow, age-gated automatic reclaim path for stale session-store temp artifacts using the existing matcher and cleanup policy, without reviving the broad startup archive-cleanup PR shape.

Do we have a high-confidence way to reproduce the issue?

No runtime hard-kill reproduction was run in this read-only review. The source path is high-confidence: an interrupted atomic rename can leave a temp file, and current main only reclaims stale temps through explicit cleanup or configured disk-budget paths.

Is this the best way to solve the issue?

No, the already-shipped fix is only a partial solution for this report. The maintainable remaining fix is to reuse the existing session-store temp matcher and stale window in a narrow automatic cleanup path rather than adding an ad hoc glob sweep.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• A repair must avoid deleting a fresh in-flight atomic-write temp; the existing 5-minute stale window and matcher should be reused.
• Adding a broad Gateway startup/timer sweep could create unnecessary background I/O unless it is scoped and throttled to session-store temp artifacts.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 388dc56ba572.

Label changes

Label changes:

• add P2: The report is a concrete session-storage bug with severe disk-growth symptoms, but the remaining fix is bounded and not a current core-runtime outage.
• add impact:session-state: The affected files are persisted session-store atomic-write sidecars under the agent sessions directory.
• add impact:other: The reported impact is uncontrolled local disk consumption, including a 51 GB production observation, which does not fit the more specific owned impact labels.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P2: The report is a concrete session-storage bug with severe disk-growth symptoms, but the remaining fix is bounded and not a current core-runtime outage.
• impact:session-state: The affected files are persisted session-store atomic-write sidecars under the agent sessions directory.
• impact:other: The reported impact is uncontrolled local disk consumption, including a 51 GB production observation, which does not fit the more specific owned impact labels.

Evidence reviewed

Acceptance criteria:

• node scripts/run-vitest.mjs src/config/sessions/artifacts.test.ts src/config/sessions/disk-budget.test.ts src/config/sessions/store.pruning.integration.test.ts src/infra/json-files.test.ts
• If Gateway timer/startup code is touched: node scripts/run-vitest.mjs src/gateway/server-maintenance.test.ts src/gateway/server-runtime-services.test.ts

What I checked:

• Current atomic helper is no longer the old inline UUID temp writer: writeTextAtomic now delegates to replaceFileAtomic and supports a caller-provided tempPrefix, so the issue's quoted json-files.ts snippet is obsolete on current main. (src/infra/json-files.ts:80, 388dc56ba572)
• Session-store writes now use identifiable temp names: writeSessionStoreAtomic passes tempPrefix: path.basename(params.storePath), staging temps as sessions.json.<pid>.<uuid>.tmp so crash leftovers can be recognized. (src/config/sessions/store.ts:885, 388dc56ba572)
• Cleanup classifier covers current and legacy session-store temps: isSessionStoreTempArtifactName matches both current <store>.<pid>.<uuid>.tmp and legacy <store>.<uuid>.tmp, with tests covering both patterns. (src/config/sessions/artifacts.ts:49, 388dc56ba572)
• Explicit cleanup can reclaim stale store temps: pruneUnreferencedSessionArtifacts removes matching store temps older than the 5-minute stale window independent of the general artifact age threshold, and focused tests preserve fresh in-flight temps. (src/config/sessions/disk-budget.ts:301, 388dc56ba572)
• Default write-time disk-budget path is conditional: enforceSessionDiskBudget returns without scanning when maxDiskBytes and highWaterBytes are unset, so the shipped disk-budget reclaim path is not a default always-on Gateway sweep. (src/config/sessions/disk-budget.ts:535, 388dc56ba572)
• Docs confirm startup reads do not prune: The session-management docs state that session store reads do not prune or cap entries during Gateway startup and direct users to writes or openclaw sessions cleanup --enforce for cleanup. Public docs: docs/reference/session-management-compaction.md. (docs/reference/session-management-compaction.md:88, 388dc56ba572)

Likely related people:

• openperf: Authored the merged stale session-store temp cleanup PR that added tempPrefix, the temp classifier, and focused cleanup tests. (role: recent fix author; confidence: high; commits: 89aea9b84333; files: src/infra/json-files.ts, src/config/sessions/store.ts, src/config/sessions/artifacts.ts)
• steipete: Merged the related cleanup PR and co-authored adjacent session storage changes in the current history. (role: recent area contributor and merger; confidence: high; commits: 89aea9b84333, cabb55380f84; files: src/config/sessions/store.ts, src/config/sessions/disk-budget.ts, src/infra/json-files.ts)
• Gustavo Madeira Santana: Introduced or carried much of the session maintenance and cleanup UX surface that the temp sweep should reuse rather than bypass. (role: session maintenance feature-history contributor; confidence: medium; commits: eff3c5c70778; files: src/config/sessions/disk-budget.ts, src/config/sessions/cleanup-service.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.