EmbeddedAttemptSessionTakeoverError: auto-compaction at reason=threshold trips fence on rewritten session jsonl

[johnib]

Summary

EmbeddedAttemptSessionTakeoverError fires deterministically when auto-compaction at reason=threshold runs mid-turn on an active session that has paired lanes (main + session:<scope>). Both lanes die in the same millisecond the compaction completes, no user-visible reply is delivered, and the user sees only the generic "Something went wrong while processing your request" fallback.

This is the same error class as #86508 / #86966 / #86845 / #88369 / #89259 / #86572, but I'm filing separately because the trigger is different from any open ticket I could find:

• Hoist withOwnedSessionTranscriptWrites ALS scope to span agent.prompt() to fix vanilla-openclaw same-lane fence trip #86572 (ALS scope) — proposes a fix for the streaming listener path. Auto-compaction takes a different code path (pi-embedded-CJ87lW5R.js:adoptCompactionTranscript → swaps activeSessionFile / activeSessionId), which shrinks or replaces the jsonl rather than appending. The fence's changeLooksLikeOwnedPromptOutput whitelist short-circuits at current.size < params.previous.size (selection-BmjEdnnA.js:7817), so the ALS-tagging fix would not catch this variant.
• [Bug]: EmbeddedAttemptSessionTakeoverError: paired lanes on same session race after prompt-lock release #86966 (paired lanes post-release) — matches the lane topology (two lanes die together) but the named trigger there is the normal prompt cycle, not compaction.
• EmbeddedAttemptSessionTakeoverError: self-inflicted session file modification during lock-free window (race condition) #86804 / EmbeddedAttemptSessionTakeoverError: concurrent lane tasks race on session .jsonl file #85633 (closed) — closed by the file-scoped guard in fix(agents): file-scoped prompt-window guard for same-session embedded races #86067, which is what's running in 2026.5.20. The guard helps the append-during-stream case but doesn't cover compaction rewrite.

The point of a separate ticket is to give the compaction-specific variant its own deterministic repro so it doesn't get lost under the umbrella tickets.

Reproduction (deterministic on this deployment)

Single-user WhatsApp deployment, self-hosted Docker, 2026.5.20. The session in question (3a44d717-…) was 391 entries / 1.5 MB jsonl at the moment of failure. Auto-compaction fired at the threshold; 61 seconds later both lanes threw.

1. Drive a WhatsApp DM session past agents.defaults.compaction.softThresholdTokens so the next inbound message will trigger reason=threshold. (agents.defaults.compaction.memoryFlush.enabled = false in our config — this is not a memoryFlush trigger.)
2. Send a tool-heavy inbound message (in our trace: a request that drove the browser tool for several web searches).
3. Auto-compaction starts ~24s into the turn.
4. Compaction runs ~61s (calls the same provider as the turn).
5. The moment compaction completes, both lane=main and lane=session:agent:main:whatsapp:direct:<peer> throw EmbeddedAttemptSessionTakeoverError on the same session file in the same millisecond.

Evidence (verbatim from logs)

2026-06-05T15:04:31.585+03:00 [whatsapp] Inbound message <peer> -> <self> (direct, audio/ogg, 131 chars)
2026-06-05T15:04:46.936+03:00 [whatsapp] Sent message ... (282ms)            ← prior turn reply OK
2026-06-05T15:05:09.717+03:00 [agent/embedded] embedded run auto-compaction start: runId=1ca5018a-… reason=threshold
2026-06-05T15:06:11.025+03:00 [agent/embedded] embedded run auto-compaction complete: runId=1ca5018a-… reason=threshold compactionCount=1 willRetry=false
2026-06-05T15:06:11.041+03:00 [diagnostic] lane task error: lane=main durationMs=98855 error="EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released: /home/node/.openclaw/agents/main/sessions/3a44d717-bec8-4fe6-9128-3a8771a6fab1.jsonl"
2026-06-05T15:06:11.043+03:00 [diagnostic] lane task error: lane=session:agent:main:whatsapp:direct:<peer> durationMs=98858 error="EmbeddedAttemptSessionTakeoverError: ... /home/node/.openclaw/agents/main/sessions/3a44d717-bec8-4fe6-9128-3a8771a6fab1.jsonl"
2026-06-05T15:06:11.059+03:00 Embedded agent failed before reply: ...

Note the timing precision: compaction complete at .025, lane=main throws at .041 (16 ms later), lane=session:… throws at .043 (2 ms after that). Both lanes had the same fence snapshot from before compaction started; compaction swapped/rewrote the file; both lanes' next withSessionWriteLock calls trip assertSessionFileFence.

Root cause (read from the installed dist/)

Files referenced as they appear in 2026.5.20:

1. pi-embedded-CJ87lW5R.js:2682+ — context overflow detected mid-turn → compactContextEngineWithSafetyTimeout → on success, adoptCompactionTranscript(compactResult).
2. pi-embedded-CJ87lW5R.js:2214-2218:

   const adoptCompactionTranscript = (compactResult) => {
       const nextSessionId = compactResult.result?.sessionId;
       const nextSessionFile = compactResult.result?.sessionFile;
       if (nextSessionId && nextSessionId !== activeSessionId) activeSessionId = nextSessionId;
       if (nextSessionFile && nextSessionFile !== activeSessionFile) activeSessionFile = nextSessionFile;
   };

   This swaps activeSessionFile in-process but does not refresh the lock-guard's fence fingerprint — there is no call into selection-BmjEdnnA.js:refreshAfterOwnedSessionWrite() or any equivalent.
3. selection-BmjEdnnA.js:7815-7825 — changeLooksLikeOwnedPromptOutput:

   if (!params.previous?.exists || !params.current.exists
       || !sameSessionFileIdentity(params.previous, params.current)
       || params.current.size < params.previous.size) return false;

   Compaction can (a) shrink the file (rewrite-in-place) or (b) change ino/dev (rewrite-then-rename or write to a different path). Both cases fail this check immediately → fence throws → EmbeddedAttemptSessionTakeoverError.

So the bug is: the lock-guard fence doesn't know that the run itself just rewrote the session file via compaction, and treats its own write as a foreign takeover.

Why this matters

• Silent user-facing failure. No retry, no informative message — just the generic "Something went wrong" reply. Overlaps with EmbeddedAttemptSessionTakeoverError can silently terminate a run without user-visible reply #89734.
• Reproducible on every long-session WhatsApp DM once the threshold is crossed. Disabling memoryFlush (the other path into the same race, fixed for us by config) does not mitigate this because auto-compaction at reason=threshold has no off-switch.
• The user loses a turn's worth of work (61s of compaction + the model output that the parent run was about to produce).

Suggested fixes (in order of cost)

1. Refresh the fence after adoptCompactionTranscript. Whoever swaps activeSessionFile should also call lockGuard.refreshAfterOwnedSessionWrite() (or expose a refreshForOwnedSessionReplace(path) variant that re-snapshots the fence against the new path). Probably the smallest patch.
2. Extend changeLooksLikeOwnedPromptOutput with an "owned replacement" case: if the run holds an owned-compaction marker, accept any post-compaction fingerprint (including new ino, smaller size).
3. Hold the write lock across compaction. Removes the lock-free window entirely, at the cost of blocking concurrent paired-lane reads while the LLM summarization runs (61s in our case — likely unacceptable).

I think (1) is the right shape — it's the symmetric counterpart of the refreshAfterOwnedSessionWrite() that already exists for append-style owned writes.

Environment

• OpenClaw 2026.5.20 (self-hosted Docker)
• Node v24.14.0
• Host: Docker Desktop on macOS, virtiofs mounts
• Provider: a custom local-host provider (Anthropic-compatible endpoint reachable from the container), Anthropic-family model, Anthropic-style fallback chain
• Single operator, WhatsApp DM channel
• agents.defaults.compaction.memoryFlush.enabled = false
• agents.defaults.compaction.softThresholdTokens = 160000
• session.reset = {mode: "idle", idleMinutes: 10080} (so sessions accumulate for up to a week)

Happy to grab additional logs / fs_usage / a lsof snapshot of the session file at the moment of compaction if it would help narrow the rewrite-vs-replace distinction further.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 5, 2026, 2:06 PM ET / 18:06 UTC.

Summary
Keep open: current main and the latest release still have a source-reproducible path where threshold auto-compaction appends a compaction entry while the prompt fence is active, but that compaction write is not published as an owned session-file write before the next session-lock check.

Reproducibility: yes. source inspection gives a high-confidence reproduction path: trigger threshold auto-compaction during the prompt-lock-released window, then let the next withSessionWriteLock fence check run. I did not execute a live current-main repro in this read-only review.

Next step
This is a narrow source-reproducible core session bug with clear files and regression-test targets, and no new product/config decision is needed.

Review details

Best possible solution:

Publish threshold compaction appends and successor transcript rotations as owned session writes, or refresh the active attempt fence at that exact compaction-owned write boundary, with regression coverage that still rejects external JSONL edits.

Do we have a high-confidence way to reproduce the issue?

Yes, source inspection gives a high-confidence reproduction path: trigger threshold auto-compaction during the prompt-lock-released window, then let the next withSessionWriteLock fence check run. I did not execute a live current-main repro in this read-only review.

Is this the best way to solve the issue?

Yes, the narrowest maintainable fix is at the compaction-owned session write boundary, not a broad benign-change whitelist. The implementation should refresh or publish ownership for compaction writes while leaving unrelated external edits as takeovers.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• I did not run a live current-main WhatsApp or long-session threshold repro in this read-only review; the verdict rests on source inspection plus the reporter's detailed logs.
• The fix needs to preserve the takeover fence for real external edits; broadly whitelisting compaction-looking rewrites would weaken the session ownership boundary.

Codex review notes: model gpt-5.5, reasoning high; reviewed against b3eba2ff38b4.

Label changes

Label changes:

• add P1: The report describes a repeatable core agent/channel failure where long sessions lose the in-flight reply after threshold compaction.
• add impact:message-loss: Both active lanes fail before final delivery, so the user-visible reply is dropped.
• add impact:session-state: The failure is caused by the embedded attempt's session JSONL fence treating its own compaction write as a foreign session-state change.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P1: The report describes a repeatable core agent/channel failure where long sessions lose the in-flight reply after threshold compaction.
• impact:session-state: The failure is caused by the embedded attempt's session JSONL fence treating its own compaction write as a foreign session-state change.
• impact:message-loss: Both active lanes fail before final delivery, so the user-visible reply is dropped.

Evidence reviewed

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/embedded-agent-runner/run/attempt.session-lock.test.ts
• node scripts/run-vitest.mjs src/agents/embedded-agent-runner/run/attempt.spawn-workspace.context-engine.test.ts
• node scripts/run-vitest.mjs src/agents/embedded-agent-runner/run.overflow-compaction.loop.test.ts

What I checked:

• Threshold compaction trigger is current behavior: The active session checks assistant token usage and calls runAutoCompaction("threshold", false) when the compaction threshold is exceeded, matching the reported trigger. (src/agents/sessions/agent-session.ts:2063, b3eba2ff38b4)
• Compaction persists through appendCompaction: runCompactionWork persists the compaction result with sessionManager.appendCompaction, which writes a compaction entry rather than an assistant message. (src/agents/sessions/agent-session.ts:1940, b3eba2ff38b4)
• Only message appends currently refresh the attempt fence: The guarded appendMessage path invokes onMessagePersisted, which attempt.ts wires to sessionLockController.refreshAfterOwnedSessionWrite; the appendCompaction path is not patched by this guard. (src/agents/session-tool-result-guard.ts:607, b3eba2ff38b4)
• Unowned non-assistant changes still throw: assertSessionFileFence accepts a newer owned-write fingerprint or benign transcript-only OpenClaw assistant advances/rewrites, then marks takeover and throws EmbeddedAttemptSessionTakeoverError for other file changes such as compaction entries. (src/agents/embedded-agent-runner/run/attempt.session-lock.ts:716, b3eba2ff38b4)
• Latest release still has the same compaction write shape: The v2026.6.1 tag still shows appendCompaction in runCompactionWork and the same fence acceptance shape, so the reported 2026.5.20 behavior is not proven fixed in the latest release. (src/agents/sessions/agent-session.ts:1940, 2e08f0f4221f)
• History and ownership trail: Current checkout blame for the fence body is attributed to the local grafted baseline, while shortlog/history shows repeated session/agent touches by Peter Steinberger and adjacent context-window/context-engine work by Tak Hoffman and Josh Lehman. (src/agents/embedded-agent-runner/run/attempt.session-lock.ts:707, 69d1d786491c)

Likely related people:

• Peter Steinberger: The local history shows the largest number of commits touching the central session manager, session guard, and embedded attempt paths involved in this bug. (role: historical area contributor; confidence: high; commits: f5d5661adfec, 0c278bb93c2d, 55f07e0381ad; files: src/agents/sessions/session-manager.ts, src/agents/session-tool-result-guard.ts, src/agents/embedded-agent-runner/run/attempt.ts)
• Tak Hoffman: Recent history includes context-limit and pi-alignment work near the compaction threshold behavior that decides when auto-compaction runs. (role: adjacent context-window contributor; confidence: medium; commits: 4f00b769251d, 7fc1a74ee9e3; files: src/agents/embedded-agent-runner/run/attempt.ts, src/agents/sessions/agent-session.ts)
• Josh Lehman: Context-engine transcript maintenance is adjacent to the compaction/maintenance path and appears in the relevant file history. (role: adjacent context-engine contributor; confidence: medium; commits: 751d5b7849ca; files: src/agents/embedded-agent-runner/run/attempt.ts, src/agents/embedded-agent-runner/compaction-successor-transcript.ts)
• ubehera: The related discussion includes their prior file-scoped prompt-window guard PR and same-lane ALS issue, both focused on this EmbeddedAttemptSessionTakeoverError family even though this compaction trigger remains distinct. (role: related bug-fix proposer; confidence: medium; files: src/agents/embedded-agent-runner/run/attempt.session-lock.ts, src/agents/embedded-agent-runner/run/attempt.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[johnib]

Wtf 😅 so fast, thank you