fix(sessions): tolerate invalid sessionFile metadata

[haoyifan]

fix(sessions): tolerate invalid sessionFile metadata

AI-assisted: yes (Codex/OpenClaw agent).

Problem

• Some deployments end up with sessions.json entries containing a sessionFile field that is stale/corrupted
  (e.g., absolute paths persisted historically, state dir migrations, or other bad metadata).
• resolveSessionFilePath() currently treats an invalid sessionFile as fatal and throws:
  "Session file path must be within sessions directory".
• When this happens inside chat/channel handlers (observed with Telegram), the handler can fail mid-update,
  leading to silent non-replies even though the message was received.

Fix

• Treat entry.sessionFile as optional, best-effort metadata.
• If validation fails, ignore it and fall back to the derived safe transcript path based on sessionId
  (which is already validated and resolved within the agent sessions directory).

Security

• Containment checks are still enforced when a candidate is provided.
• This change does NOT allow escaping paths; it simply avoids taking down message handling due to invalid metadata.

Testing

• Local (Istanbul VM):

  • pnpm format:check PASS
  • pnpm check PASS
  • pnpm vitest run src/config/sessions/paths.test.ts PASS

  Concise output:

  • "✓ src/config/sessions/paths.test.ts (12 tests)"

• Real-world repro:

  • Reproduced intermittent Telegram handler failures caused by invalid/stale sessionFile metadata, and confirmed this
    change prevents silent non-replies by falling back to the derived safe transcript path.

Greptile Summary

This PR makes resolveSessionFilePath resilient to corrupted or stale sessionFile metadata in sessions.json. Instead of throwing (which could crash message handlers mid-update, causing silent non-replies on Telegram and other channels), invalid candidates now fall back to the derived safe transcript path based on sessionId.

• resolveSessionFilePath in paths.ts now wraps resolvePathWithinSessionsDir in a try/catch; if the persisted sessionFile fails validation (path traversal, absolute path outside sessions dir, etc.), it silently falls back to {sessionId}.jsonl
• Security containment checks are still enforced — the change does not allow path escapes, it just avoids a fatal error on bad metadata
• Tests updated from expecting throws to verifying fallback behavior, while still validating that legitimate candidates within the sessions dir are accepted
• Multiple callers (e.g., get-reply-run.ts, agent-runner.ts, doctor-state-integrity.ts) don't have their own try/catch around this function, confirming the fix is necessary at the source

Confidence Score: 5/5

• This PR is safe to merge — it strictly improves resilience without weakening any security checks.
• The change is minimal and well-scoped: a single try/catch in resolveSessionFilePath with a safe fallback. Security containment checks remain enforced for valid candidates. The fallback path is derived from sessionId which is validated by validateSessionId (alphanumeric + ._- only). Tests cover all key scenarios. No new dependencies or architectural changes.
• No files require special attention.

_{Last reviewed commit: c06f155}

_{(2/5) Greptile learns from your feedback when you react with thumbs up/down!}

[greptile-apps]

_{2 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[openclaw-barnacle]

This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[vincentkoc]

Deep-dive merge-readiness pass:

This branch looks close and mergeable, but the current check status is stale-failing. Please rebase and rerun CI on latest main.

Before merge, add one explicit regression test proving invalid sessionFile metadata falls back without aborting handler flow, and one test confirming valid in-dir sessionFile still wins over fallback.

Changelog guidance if merged: one ### Fixes line for resilient session-file metadata handling; credit should remain single-author for this PR (Thanks @haoyifan).

[vincentkoc]

Merge checklist (must-have):

• Rebase on current main and rerun CI (current check failure is stale).
• Keep try/catch fallback behavior, but add regression tests for both branches:
  • invalid/out-of-dir sessionFile falls back safely
  • valid in-dir sessionFile still resolves to stored transcript
• Ensure this does not mask path traversal (keep existing containment assertions).

Changelog line (if merged):
- Sessions/Resilience: ignore invalid persisted \'sessionFile\' metadata and fall back to the derived safe transcript path instead of aborting handlers. (#16061) Thanks @haoyifan.

Credit note:
This is the first focused resilience PR in the remaining queue for metadata-fallback behavior.

[vincentkoc]

Thanks for the fix here. Closing as superseded by #24657, which now carries the merged session-path fallback hardening path. If you still see a gap on current main, reply with a repro and we can reopen quickly.

[vincentkoc]

Merged in #24657 due to overlapping PR changes, appreciate your contribution.