fix(agents): stop treating session lock waits as timeout

[MonkeyLeeT]

Summary

• stop treating session lock wait errors as provider timeout failovers
• keep wrapped AbortError session-lock cases out of timeout classification, including request was aborted
• add regressions covering direct and wrapped session lock errors

Root Cause

session-write-lock reports local lock contention using the text session file locked (timeout ...).
The failover classifier treated the bare timeout substring as a model/provider timeout, and isTimeoutError() still treated abort-wrapped lock waits as timeouts when the outer abort message matched request was aborted.
That let model fallback continue across candidates for a local file-lock contention issue.

Impact

Session lock contention now fails fast as infrastructure pressure instead of drifting across fallback models, including abort-wrapped lock waits that previously still looked like timeout. This avoids wasting fallback attempts on the same locked session and keeps model fallback focused on actual provider-side failures.

Testing

• pnpm test src/agents/failover-error.test.ts -t "does not classify session lock wait errors as model timeout failover"
• pnpm test src/agents/failover-error.test.ts src/agents/session-write-lock.test.ts
• pnpm check

[greptile-apps]

Greptile Summary

This PR fixes a misclassification bug where session-write-lock errors containing the substring timeout (e.g., "session file locked (timeout 10000ms): ...") were incorrectly treated as provider/model timeout failures and triggered model failover cascades. The fix introduces isSessionLockError() — a cycle-safe recursive traversal over .error, .cause, and .reason chains — and applies it as an early-exit guard in both hasTimeoutHint() and resolveFailoverClassificationFromError(), with a regression test covering both the bare and AbortError-wrapped error shapes.

Confidence Score: 5/5

Safe to merge — the fix is well-scoped, correctly placed, and covered by a targeted regression test.

Both changed files are clean: the guard logic correctly short-circuits before any classifier path, cycle detection via seen prevents infinite loops in cyclic error chains, and the .reason traversal in isSessionLockError is intentionally aligned with how isTimeoutError already reads .reason from AbortErrors. The test covers both the direct and AbortError-wrapped cases. No P0 or P1 findings.

No files require special attention.

_{Reviews (1): Last reviewed commit: "fix(agents): stop treating session lock ..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b9e135ec07

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[MonkeyLeeT]

@hxy91819 PTAL? Thanks!

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 83dc131f86

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 897c24c2ea

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c10b881ea0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 28de0c56ce

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 59cae9058c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 70b8bbd183

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 3 potential security issue(s) in this PR:

#	Severity	Title
1	🟡 Medium	Potential denial-of-service via unbounded recursion in hasSessionWriteLockTimeout() error graph traversal
2	🟡 Medium	Failover/timeout classification bypass via spoofable SessionWriteLockTimeoutError code
3	🟡 Medium	SessionWriteLockTimeoutError message leaks internal lock path and allows log forging via unsanitized filename

1. 🟡 Potential denial-of-service via unbounded recursion in hasSessionWriteLockTimeout() error graph traversal

Property	Value
Severity	Medium
CWE	CWE-674
Location	src/agents/failover-error.ts:203-219

Description

The new hasSessionWriteLockTimeout() helper recursively traverses error, cause, and reason properties of arbitrary error-like objects without a maximum depth limit.

• Input err is unknown and can be any object (including provider/SDK error objects that may embed nested objects derived from remote responses)
• The function performs recursive descent on three properties per node (error, cause, reason)
• There is cycle detection (seen), but no depth/step limit, so an attacker (or untrusted upstream) that can influence the shape of an error object could create a very deep chain and trigger:
  • stack exhaustion (RangeError: Maximum call stack size exceeded)
  • excessive CPU time from large traversals

This helper is called from hasTimeoutHint(), isTimeoutError(), and resolveFailoverClassificationFromErrorInternal(), which are likely executed on error paths that can be triggered repeatedly, amplifying the DoS impact.

Vulnerable code:

return (
  hasSessionWriteLockTimeout(candidate.error, seen) ||
  hasSessionWriteLockTimeout(candidate.cause, seen) ||
  hasSessionWriteLockTimeout(candidate.reason, seen)
);

Recommendation

Add a maximum traversal depth / node budget similar to MAX_FAILOVER_CAUSE_DEPTH, and/or implement an iterative traversal to avoid stack exhaustion.

Example fix (depth-limited + iterative):

const MAX_SESSION_LOCK_CAUSE_DEPTH = 25;

function hasSessionWriteLockTimeout(err: unknown): boolean {
  const seen = new Set<object>();
  const stack: Array<{ value: unknown; depth: number }> = [{ value: err, depth: 0 }];

  while (stack.length) {
    const { value, depth } = stack.pop()!;
    if (isSessionWriteLockTimeoutError(value)) return true;
    if (!value || typeof value !== "object") continue;
    if (seen.has(value)) continue;
    if (depth >= MAX_SESSION_LOCK_CAUSE_DEPTH) continue;
    seen.add(value);

    const c = value as { error?: unknown; cause?: unknown; reason?: unknown };
    if (c.error !== undefined) stack.push({ value: c.error, depth: depth + 1 });
    if (c.cause !== undefined) stack.push({ value: c.cause, depth: depth + 1 });
    if (c.reason !== undefined) stack.push({ value: c.reason, depth: depth + 1 });
  }
  return false;
}

This prevents stack overflow and bounds worst-case work even with attacker-controlled nesting.

2. 🟡 Failover/timeout classification bypass via spoofable SessionWriteLockTimeoutError code

Property	Value
Severity	Medium
CWE	CWE-840
Location	src/agents/session-write-lock-error.ts:20-28

Description

isSessionWriteLockTimeoutError() trusts a magic string error code and returns true for any object with a matching code, not just real SessionWriteLockTimeoutError instances.

This is security-relevant because failover-error.ts uses hasSessionWriteLockTimeout() to suppress timeout detection and failover classification:

• hasTimeoutHint() / isTimeoutError() return false if a session-write-lock timeout is detected
• resolveFailoverClassificationFromErrorInternal() returns null (no failover) when hasSessionLock is true and there is no “explicit failover metadata”

Since failover classification consumes generic error objects and extracts .code recursively (getErrorCode() uses findErrorProperty() over error/cause), an error originating from outside this module (e.g., provider/network error payloads that include a code field) can be made to look like a session-write-lock timeout simply by setting code to OPENCLAW_SESSION_WRITE_LOCK_TIMEOUT. This can prevent retries/failover and degrade availability (routing manipulation / DoS on fallback).

Vulnerable code:

export function isSessionWriteLockTimeoutError(err: unknown): boolean {
  return (
    err instanceof SessionWriteLockTimeoutError ||
    Boolean(
      err &&
      typeof err === "object" &&
      (err as { code?: unknown }).code === SESSION_WRITE_LOCK_TIMEOUT_CODE,
    )
  );
}

Recommendation

Do not treat untrusted/plain objects as SessionWriteLockTimeoutError based solely on a magic string.

Options:

1. Strictest (preferred): only accept real instances (or ones that can be validated strongly):

export function isSessionWriteLockTimeoutError(err: unknown): err is SessionWriteLockTimeoutError {
  return err instanceof SessionWriteLockTimeoutError;
}

2. If cross-boundary serialization is required, add strong branding and validate multiple fields:

• check name === "SessionWriteLockTimeoutError"
• require numeric timeoutMs, string owner, string lockPath
• optionally include a non-guessable brand (e.g., a Symbol.for(...) property set only locally) or wrap/translate external errors into a dedicated internal error type rather than trusting .code.

Also consider scoping the suppression logic in failover-error.ts so only known-local lock-timeout errors (created by your locking code) suppress failover/timeout classification, rather than any nested error object containing a matching code.

3. 🟡 SessionWriteLockTimeoutError message leaks internal lock path and allows log forging via unsanitized filename

Property	Value
Severity	Medium
CWE	CWE-209
Location	src/agents/session-write-lock-error.ts:9-12

Description

SessionWriteLockTimeoutError embeds the absolute lockPath and owner (PID) directly in the exception message. This message is later propagated through generic error formatting (e.g., formatErrorMessage()), which is used for diagnostics/telemetry and potentially other user-visible surfaces.

Impact:

• Information disclosure: reveals internal filesystem layout (absolute session/lock path) and process IDs.
• Log forging / injection: POSIX filenames can contain newlines/control characters; because lockPath is derived from sessionFile (via path.basename(sessionFile)), an attacker who can influence sessionFile can inject newlines into logs/telemetry entries that include err.message.

Vulnerable code:

super(
  `session file locked (timeout ${params.timeoutMs}ms): ${params.owner} ${params.lockPath}`,
);

Recommendation

Avoid putting sensitive/internal identifiers (absolute paths, PIDs) into the human-readable error message. Keep them as structured fields for debugging, and sanitize/escape before logging.

Suggested change:

export class SessionWriteLockTimeoutError extends Error {
  readonly code = SESSION_WRITE_LOCK_TIMEOUT_CODE;
  readonly timeoutMs: number;
  readonly owner: string;
  readonly lockPath: string;

  constructor(params: { timeoutMs: number; owner: string; lockPath: string }) {
    super(`session file locked (timeout ${params.timeoutMs}ms)`);
    this.name = "SessionWriteLockTimeoutError";
    this.timeoutMs = params.timeoutMs;
    this.owner = params.owner;
    this.lockPath = params.lockPath;
  }
}

When logging, log structured metadata and escape control characters:

const safePath = lockPath.replace(/[\r\n\t]/g, " ");
log.warn({ code, owner, lockPath: safePath }, "session file locked");

If any of these errors can reach HTTP/UI responses, map them to a generic user-safe message and omit internal paths/PIDs.

---

Analyzed PR: #68700 at commit 6e5a8c7

_{Last updated on: 2026-04-25T04:07:14Z}

[chatgpt-codex-connector]

💡 Codex Review

https://github.com/openclaw/openclaw/blob/8ddbba84931cc9f77a4d2b9e896bc72b947a7d2a/src/agents/failover-error.ts#L287-L289
Apply session-lock suppression before cause-based return

resolveFailoverClassificationFromError returns causeClassification immediately in the !classification || classification.kind === "context_overflow" branch, before the new isSessionLockError(err) suppression runs. That means wrapped errors where session-lock text lives on the wrapper (for example in reason/error) but the cause looks timeout-like are still classified as provider failover (timeout/rate_limit) and continue model fallback instead of failing fast on lock contention. Fresh evidence in this commit is that the new guard was added only after this early return path.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 51239ad20e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[obviyus]

Verified the session write-lock timeout path and confirmed it no longer enters model failover when local transcript lock contention occurs.

Maintainer follow-up: replaced message-regex suppression with a typed session lock timeout error, kept wrapper traversal in the failover classifier, and added the active changelog entry.

Local gate: pnpm check:changed; after final changelog-only rebase, pnpm check:no-conflict-markers.

[obviyus]

Landed on main.

• Landed source commit: 6e5a8c7
• Merge commit: 8cc38c1

Thanks @MonkeyLeeT.