fix(agents): clean up exec abort listener after completion

[c19354837]

Summary

• Problem: completed exec tool calls register an abort listener but do not remove it when the command exits normally or yields to a background session.
• Why it matters: Node can retain the composite AbortSignal listener through gcPersistentSignals; the retained onAbortSignal closure keeps the exec run/session context reachable after the tool call has completed.
• What changed: track the registered abort signal and clean up the listener plus yield timer when foreground exec finishes, fails, or returns a background/running result.
• What did NOT change (scope boundary): this does not change exec command semantics, background session behavior, timeout behavior, or active abort handling.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related #
• This PR fixes a bug or regression

Real behavior proof (required for external PRs)

• Behavior or issue addressed: exec retained onAbortSignal listeners after successful completion/backgrounding, which kept the corresponding run/session context reachable.
• Real environment tested:
  • macOS 15.7.4
  • Node.js v22.21.0
  • pnpm 11.1.0
  • Source-built OpenClaw Gateway with --inspect and --expose-gc
  • Isolated OpenClaw state directories under /tmp
  • Local model/provider config was used but redacted from evidence.
• Exact steps or command run after this patch:
  1. Started the Gateway from source with an isolated OPENCLAW_STATE_DIR, --inspect=127.0.0.1:<port>, and --expose-gc.
  2. Installed a runtime probe through CDP that records AbortSignal/EventTarget addEventListener and removeEventListener calls without retaining target or listener objects.
  3. Created and ran 10 isolated cron jobs using --agent main --tools exec --no-deliver --light-context; each job executed a simple command that exits normally.
  4. Forced GC through CDP and captured a heap snapshot.
  5. Scanned the snapshot for onAbortSignal closures, gcPersistentSignals retainer paths, and paths from those closures to the run/session strings generated by the 10 cron jobs.
• Evidence after fix (copied live output):

fixed runtime probe:
onAbortAdds=20
onAbortRemoves=20

fixed heap scan:
abortSignalObjectCount=4
onAbortSignal.closureCount=0
onAbortSignal.abortSignalRetainedClosureCount=0
gcPersistentPathCount=0
closureToSessionStringCount=0
closureToSessionObjectCount=0

onAbortAdds=20 / onAbortRemoves=20 is expected because the probe hooks both AbortSignal.prototype and EventTarget.prototype; this corresponds to 10 exec listener registrations and 10 removals.

• Observed result after fix: all exec abort listeners registered by the 10 cron-triggered exec calls were removed, and no onAbortSignal closure remained retained by AbortSignal/gcPersistentSignals.
• What was not tested: I did not verify every channel integration. Full pnpm test was attempted, but the current upstream test suite failed with unrelated existing failures outside this change.
• Before evidence:

unfixed upstream runtime probe:
onAbortAdds=20
onAbortRemoves=0

unfixed upstream heap scan:
abortSignalObjectCount=44
onAbortSignal.closureCount=10
onAbortSignal.abortSignalRetainedClosureCount=10
gcPersistentPathCount=10
closureToSessionStringCount=10
closureToSessionObjectCount=10

The unfixed heap contained paths of the form:

gcPersistentSignals -> Set -> AbortSignal -> <symbol kEvents> -> Listener -> onAbortSignal
onAbortSignal closure -> internal context -> run / notifySessionKey -> agent:main:cron:<job-id>:run:<run-id>

Root Cause (if applicable)

• Root cause: exec registers onAbortSignal with the tool-call AbortSignal, but successful completion and background/yield completion only cleared the yield timer. They did not remove the abort listener.
• Missing detection / guardrail: existing exec tests covered abort behavior and update suppression, but did not assert listener cleanup after normal foreground completion or after returning a background running result.
• Contributing context (if known): Node composite abort signals can remain reachable through internal persistent signal structures, so a listener closure can retain the run/session context even after the tool call has completed.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/agents/bash-tools.test.ts
• Scenario the test should lock in:
  • foreground exec removes its abort listener after the process exits.
  • backgrounded exec removes its abort listener when the tool returns a running result.
• Why this is the smallest reliable guardrail: the leak is caused by missing cleanup at the exec tool boundary, so spying on the exact signal passed into execute() verifies the contract without requiring a full Gateway heap test.
• Existing test that already covers this (if any): none.
• If no new test is added, why not: N/A.

User-visible / Behavior Changes

None.

Diagram (if applicable)

Before:
exec starts -> add abort listener -> command completes -> listener remains -> run/session context can stay retained

After:
exec starts -> add abort listener -> command completes/backgrounds/fails -> remove abort listener -> run/session context can be released

Security Impact (required)

• New permissions/capabilities? (Yes/No): No
• Secrets/tokens handling changed? (Yes/No): No
• New/changed network calls? (Yes/No): No
• Command/tool execution surface changed? (Yes/No): No
• Data access scope changed? (Yes/No): No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: macOS 15.7.4
• Runtime/container: local source-built Gateway, Node.js v22.21.0
• Model/provider: local configured provider, redacted
• Integration/channel (if any): Gateway cron tasks using the exec tool
• Relevant config (redacted): isolated OPENCLAW_STATE_DIR, redacted provider config path, OPENCLAW_SKIP_CHANNELS=1

Steps

1. On unmodified upstream main, start the source Gateway with inspector and --expose-gc.
2. Install the CDP runtime listener probe.
3. Add and run 10 isolated cron jobs that invoke a successful exec command.
4. Force GC, capture a heap snapshot, and scan for onAbortSignal retainers and session paths.
5. Repeat the same steps after this patch.

Expected

• Completed/backgrounded exec tool calls remove the abort listener they registered.
• No completed exec onAbortSignal closure remains retained by AbortSignal/gcPersistentSignals.
• No retained onAbortSignal closure reaches the cron run/session keys from the completed tasks.

Actual

• Before this patch, 10 onAbortSignal closures remained retained and each could reach the corresponding cron run/session context.
• After this patch, the runtime probe showed matching add/remove counts and heap scans found zero retained onAbortSignal closures.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Focused test:

node scripts/run-vitest.mjs src/agents/bash-tools.test.ts -t "removes the abort listener"

2 passed

Build and checks:

pnpm build
passed

pnpm check
passed

Full test suite:

pnpm test
failed with unrelated current upstream failures outside the touched exec cleanup tests

Human Verification (required)

What I personally verified (not just CI), and how:

• Verified scenarios:
  • foreground exec normal completion removes the abort listener.
  • backgrounded exec returning a running result removes the abort listener.
  • source-built Gateway with 10 real cron-triggered exec calls removes all registered exec abort listeners after the patch.
  • forced-GC heap snapshot after the patch contains no retained onAbortSignal closures and no closure-to-session paths for those cron runs.
• Edge cases checked:
  • cleanup also runs on the rejected run.promise path.
  • active abort handling still uses the same onAbortSignal function and kill behavior.
  • background sessions still return PROCESS_STATUS_RUNNING.
• What you did not verify:
  • every channel integration.
  • a clean full pnpm test run, because current upstream/local environment produced unrelated failures.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No): Yes
• Config/env changes? (Yes/No): No
• Migration needed? (Yes/No): No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: removing the listener too early could change abort behavior for still-active foreground exec calls.

  • Mitigation: cleanup only runs when the exec promise resolves/rejects or when the tool returns a background/running result; the active abort path before completion is unchanged.

• Risk: background exec sessions should not be killed by the tool-call abort signal after they have been yielded.

  • Mitigation: this is the intended existing behavior; the cleanup removes the tool-call abort listener when returning the running background result, while timeout behavior remains unchanged.

AI-assisted disclosure

This PR was prepared with AI assistance. I reviewed the code changes and personally ran the real behavior verification described above.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 29, 2026, 2:40 AM ET / 06:40 UTC.

Summary
The PR tracks the exec tool-call AbortSignal listener, removes it with the yield timer when foreground exec settles or a background running result is returned, and adds foreground/background listener-cleanup tests.

PR surface: Source +8, Tests +36. Total +44 across 2 files.

Reproducibility: yes. Current main has a clear source-level reproduction path: exec registers the abort listener and lacks non-abort cleanup, and the PR body supplies before/after live listener and heap output for the same path.

Review metrics: none identified.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Next step before merge

• No automated repair is needed; the remaining action is maintainer review and required-check gating on the current head.

Security
Cleared: The diff only removes an AbortSignal listener/timer and adds focused tests; it does not add dependencies, permissions, secrets handling, network calls, or new command capabilities.

Review details

Best possible solution:

Land the narrow exec cleanup after maintainer review and required checks, preserving existing abort/background semantics and keeping the new listener-cleanup tests.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main has a clear source-level reproduction path: exec registers the abort listener and lacks non-abort cleanup, and the PR body supplies before/after live listener and heap output for the same path.

Is this the best way to solve the issue?

Yes. The cleanup belongs at the exec tool boundary where the listener is registered, and the patch avoids changing process execution, active abort handling, timeout behavior, or background session polling.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 70230f4235f5.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes copied live output from a source-built Gateway with CDP listener counts and heap scans showing the after-fix listener removal and no retained onAbortSignal closure paths.
• add rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes copied live output from a source-built Gateway with CDP listener counts and heap scans showing the after-fix listener removal and no retained onAbortSignal closure paths.
• remove impact:session-state: Current review selected no impact labels.

Label justifications:

• P2: This is a focused exec/session retention bug fix with limited blast radius and normal maintainer priority.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes copied live output from a source-built Gateway with CDP listener counts and heap scans showing the after-fix listener removal and no retained onAbortSignal closure paths.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes copied live output from a source-built Gateway with CDP listener counts and heap scans showing the after-fix listener removal and no retained onAbortSignal closure paths.

Evidence reviewed

PR surface:

Source +8, Tests +36. Total +44 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	18	10	+8
Tests	1	36	0	+36
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	54	10	+44

What I checked:

• Current main leak path: Current main registers onAbortSignal with { once: true }, but the normal foreground settlement and background-yield paths only clear the yield timer and do not remove the abort listener. (src/agents/bash-tools.exec.ts:1659, 70230f4235f5)
• PR diff adds scoped cleanup: The PR head adds registeredAbortSignal, a local cleanup helper, records the registered signal, and calls cleanup before returning a running background result and when run.promise settles or rejects. (src/agents/bash-tools.exec.ts:1654, fe86528ecb20)
• Regression tests cover both paths: The PR adds tests that spy on the passed AbortSignal and assert removeEventListener after a foreground exec exits and after an exec returns PROCESS_STATUS_RUNNING. (src/agents/bash-tools.test.ts:984, fe86528ecb20)
• Runtime semantics remain separated: runExecProcess already suppresses onUpdate for backgrounded, exited, or disabled sessions, and disableUpdates() only flips that suppression flag; process lifetime, timeout, and cancel handling remain in the supervisor path. (src/agents/bash-tools.exec-runtime.ts:714, 70230f4235f5)
• Node listener contract checked: Node v22.21.0 EventTarget.removeEventListener matches listener plus capture, and AbortSignal internals remove timeout/composite signals from gcPersistentSignals when the abort listener count reaches zero.
• Real behavior proof supplied: The PR body includes before/after copied live output from a source-built Gateway with CDP listener counts and heap scans showing matching listener removals and no retained onAbortSignal closure paths after the fix. (fe86528ecb20)

Likely related people:

• openperf: Authored the merged exec update-suppression work that added run.disableUpdates() to the abort path this PR now cleans up after completion/backgrounding. (role: introduced adjacent behavior; confidence: high; commits: 574bab80e565; files: src/agents/bash-tools.exec.ts, src/agents/bash-tools.exec-runtime.ts, src/agents/bash-tools.test.ts)
• steipete: Current blame and recent path history show heavy maintenance of the exec source/tests and broader agent runtime around this code path. (role: recent area contributor; confidence: high; commits: 70230f4235f5, bb46b79d3c14, 864899d1b0c9; files: src/agents/bash-tools.exec.ts, src/agents/bash-tools.exec-runtime.ts, src/agents/bash-tools.test.ts)
• shakkernerd: Recent public commit history for the same exec source and test files includes focused exec validation and agent test maintenance by this contributor. (role: adjacent exec contributor; confidence: medium; commits: a8a34c92f397, 0517b5494262; files: src/agents/bash-tools.exec.ts, src/agents/bash-tools.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[RomneyDa]

Heads up: this PR needs to be updated against current main before the new required Dependency Guard check can pass.

[c19354837]

@RomneyDa done, please re-review

[steipete]

Approved. I re-read the exec lifecycle around this, including the tool-call abort handoff, process supervisor, process registry, background polling path, and existing background abort tests.

Verification:

• Exact head checked: fe86528
• Current-main merge-tree: clean against origin/main
• Checks: gh pr checks 83022 is green for required/current rows
• Diff sanity: git diff --check origin/main...refs/remotes/pr/83022 passed
• Contract probe: Node removeEventListener removes an abort listener added with once true

No known proof gaps for this scope. The cleanup is at the same boundary that registers the listener and does not change process timeout, background polling, or active abort semantics.