fix(gateway): clear reset skills snapshots

[Evizero]

Summary

• Problem: /new/sessions.reset preserved the cached skillsSnapshot from the previous session entry.
• Why it matters: long-lived channel sessions could keep advertising stale <available_skills> content after skills changed or after a Gateway restart reset the runtime-local skills snapshot version.
• What changed: reset entries now omit skillsSnapshot, forcing the next agent run to rebuild the visible skills catalog; added regression coverage for the session reset RPC path.
• What did NOT change (scope boundary): session identity/channel metadata, model reset behavior, and other preserved session settings remain unchanged.

AI-assisted: yes. I used an AI coding agent to prepare the branch/PR and I reviewed the diff and validation output.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related #
• This PR fixes a bug or regression

Real behavior proof (required for external PRs)

• Behavior or issue addressed: session reset should not carry a stale cached skills snapshot into the new session entry.
• Real environment tested: local OpenClaw checkout on Linux, Node/pnpm repo environment.
• Exact steps or command run after this patch: pnpm test src/gateway/server.sessions.reset-models.test.ts
• Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output): command passed with Test Files 1 passed (1) and Tests 6 passed (6).
• Observed result after fix: the regression test verifies sessions.reset returns a new session entry without skillsSnapshot and the persisted store no longer contains skillsSnapshot for the reset session key.
• What was not tested: live Signal/Telegram/Discord channel /new roundtrip with an installed/removed skill; no screenshot/recording captured.
• Before evidence (optional but encouraged): the previous implementation explicitly copied currentEntry?.skillsSnapshot into the reset entry.

Root Cause (if applicable)

• Root cause: performGatewaySessionReset copied currentEntry?.skillsSnapshot into the new reset session entry along with durable session metadata.
• Missing detection / guardrail: there was no reset regression test asserting cached skills snapshots are ephemeral across /new.
• Contributing context (if known): skills snapshot versions are runtime-local, so a Gateway restart can make a stale persisted snapshot look current again.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/gateway/server.sessions.reset-models.test.ts
• Scenario the test should lock in: reset a session entry containing a skillsSnapshot and assert the returned/persisted reset entry drops it.
• Why this is the smallest reliable guardrail: the bug is in the gateway session reset persistence path, and the direct session RPC test exercises that path without needing a live channel.
• Existing test that already covers this (if any): none before this PR.
• If no new test is added, why not: N/A

User-visible / Behavior Changes

/new/session reset rebuilds visible skills instead of preserving a stale cached skills list.

Diagram (if applicable)

Before:
/user runs /new -> reset entry copies old skillsSnapshot -> next run may show stale skills

After:
/user runs /new -> reset entry omits skillsSnapshot -> next run rebuilds skills catalog

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: Linux
• Runtime/container: local Node/pnpm checkout
• Model/provider: test config uses openai/gpt-test-a
• Integration/channel (if any): Gateway sessions RPC test harness
• Relevant config (redacted): test-local session store fixture only

Steps

1. Create a session store entry with skillsSnapshot.
2. Call sessions.reset for the session key.
3. Read the returned entry and persisted session store.

Expected

• The reset entry has a fresh session id and no skillsSnapshot.

Actual

• After this patch, the reset entry has a fresh session id and no skillsSnapshot.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Validation run:

pnpm test src/gateway/server.sessions.reset-models.test.ts
Test Files 1 passed (1)
Tests 6 passed (6)

Also run:

git diff --check
pnpm check:changed

pnpm check:changed completed the selected core/coreTests/docs lanes without errors.

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: targeted Gateway session reset regression test and changed-lane checks.
• Edge cases checked: persisted reset entry drops skillsSnapshot; existing reset model override tests still pass.
• What you did not verify: live channel /new behavior in Signal/Telegram/Discord with real skill install/removal.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: dropping the cached snapshot means the next run must rebuild skills context.
  • Mitigation: that rebuild is desired after reset and avoids stale skill prompts; durable session metadata remains preserved.

[clawsweeper]

Codex review: needs changes before merge.

Summary
The branch stops /new and sessions.reset from preserving cached skillsSnapshot entries and adds regression coverage for both reset paths.

Reproducibility: yes. at source level: current main explicitly preserves skillsSnapshot through sessions.reset and preserves omitted fields through the /new store merge. The PR's added tests describe the focused failing/passing path, but I did not execute them in this read-only review.

Real behavior proof
Not applicable: The external-contributor proof gate does not apply because this PR is member-authored; the body still reports targeted terminal test output for the changed behavior.

Next step before merge
Only a mechanical repair remains: add the required Unreleased changelog entry without changing the runtime patch.

Security
Cleared: The diff only clears a persisted prompt/runtime cache and adds tests; it does not touch secrets, dependencies, CI, network calls, permissions, or code execution surfaces.

Review findings

• [P3] Add the required changelog entry — src/gateway/session-reset-service.ts:623-626

Review details

Best possible solution:

Add a concise Unreleased changelog fix bullet, then keep the runtime fix scoped to clearing reset-time skills snapshot caches.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: current main explicitly preserves skillsSnapshot through sessions.reset and preserves omitted fields through the /new store merge. The PR's added tests describe the focused failing/passing path, but I did not execute them in this read-only review.

Is this the best way to solve the issue?

Yes for the runtime behavior: dropping the cache during reset is the narrowest maintainable fix because the next run already rebuilds snapshots through ensureSkillSnapshot. The remaining improvement is process-only: add the required changelog entry.

Full review comments:

• [P3] Add the required changelog entry — src/gateway/session-reset-service.ts:623-626
  This changes user-visible /new and sessions.reset behavior, but the PR does not touch CHANGELOG.md. OpenClaw policy requires user-facing fixes to add an Unreleased changelog bullet, so release notes would miss this fix.
  Confidence: 0.94

Overall correctness: patch is correct
Overall confidence: 0.86

Acceptance criteria:

• git diff --check

What I checked:

• Current gateway reset preserves stale snapshot: On current main, performGatewaySessionReset builds the replacement entry with skillsSnapshot: currentEntry?.skillsSnapshot, which matches the reported stale-cache root cause. (src/gateway/session-reset-service.ts:626, c8f3fecad6fe)
• Current /new path can preserve omitted fields: The reply-session reset path writes { ...store[sessionKey], ...sessionEntry }; when a reset entry omits skillsSnapshot, the old store value remains unless the field is explicitly set to undefined. (src/auto-reply/reply/session.ts:773, c8f3fecad6fe)
• Snapshot reuse explains user-visible staleness: ensureSkillSnapshot reuses or hydrates an existing snapshot when its version/filter still look current, so preserving an old snapshot across reset can continue advertising stale skill prompt content. (src/auto-reply/reply/session-updates.ts:157, c8f3fecad6fe)
• Docs make skill refresh user-visible: The skills documentation describes skill snapshots as part of prompt/command visibility and notes refresh behavior after skill changes, supporting that stale reset snapshots affect user-facing skill catalogs. Public docs: docs/tools/skills.md. (docs/tools/skills.md:84, c8f3fecad6fe)
• PR coverage targets both reset paths: The provided PR diff adds a sessions.reset regression test and an initSessionState /new regression test asserting persisted reset entries no longer contain skillsSnapshot. (src/gateway/server.sessions.reset-models.test.ts:53, c0e1c990c696)
• Changelog entry is absent from the PR file list: The PR changes user-visible reset behavior, but the provided changed-file list contains only runtime and test files and no CHANGELOG.md entry under the active Unreleased sections. (CHANGELOG.md:143, c8f3fecad6fe)

Likely related people:

• @vincentkoc: Current-main blame and file history for the gateway reset, reply reset, and skills snapshot paths point to commit 6e5ba8b by Vincent Koc; the local history available for these files is otherwise collapsed to that recent commit. (role: recent maintainer / current behavior owner; confidence: medium; commits: 6e5ba8b0471f; files: src/gateway/session-reset-service.ts, src/auto-reply/reply/session.ts, src/auto-reply/reply/session-updates.ts)

Remaining risk / open question:

• The required changelog entry is missing, so release notes would omit this user-visible reset fix.
• The PR body reports targeted and changed-lane checks, but this read-only review did not rerun tests or a live channel /new roundtrip.

Codex review notes: model gpt-5.5, reasoning high; reviewed against c8f3fecad6fe.