[Fix] Preserve deferred lifecycle errors

[samzong]

Summary

• Problem: Gateway lifecycle errors can be deferred during the retry grace window, then a later non-terminal event can clear the only pending terminal cleanup timer.
• Solution: Store pending terminal lifecycle errors with their timer, event, and options, and cancel them only when the run actually restarts with lifecycle start.
• What changed: Added focused regression coverage for error -> tool -> grace expires and error -> start retry ordering.
• What did NOT change (scope boundary): No Telegram, provider, watchdog, stale-row recovery, or channel-specific behavior changed.

Motivation

• Closes [Bug]: Session stuck in "running" status persists in v2026.4.9 — phaseBeforeAbort fix no longer sufficient #63819. Provider timeouts can leave gateway sessions stuck in running; this fixes the lifecycle state transition that drops the terminal cleanup.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: Session stuck in "running" status persists in v2026.4.9 — phaseBeforeAbort fix no longer sufficient #63819
• This PR fixes a bug or regression

Real behavior proof (required for external PRs)

• Behavior addressed: A Gateway run that emits lifecycle error, then later emits a non-terminal event, still reaches terminal cleanup after the retry grace window instead of remaining running.
• Real environment tested: Maintainer local OpenClaw source checkout on macOS 26.4.1 with Node v25.9.0; real Gateway process started on loopback with an isolated OPENCLAW_CONFIG_PATH, isolated OPENCLAW_STATE_DIR, and isolated sessions.json.
• Exact steps or command run after this patch: Ran a one-off Node script through node --import tsx --input-type=module that started startGatewayServer(...), registered a run context for agent:main:main, emitted lifecycle:start, lifecycle:error, then tool:end, waited for the 15s Gateway retry grace, and read the persisted session store from disk.
• Evidence after fix: Terminal output from the real Gateway run:

openclaw real gateway lifecycle proof
gateway.process: started on 127.0.0.1:64575
event.path: real gateway agent-event subscription
event.order: lifecycle:start -> lifecycle:error -> tool:end
session.store: isolated sessions.json
session.key: agent:main:main
session.status.after.grace: failed
session.endedAt.persisted: true
session.runtimeMs.persisted: true
run.context.after.grace: cleared
result: PASS

• Observed result after fix: The running Gateway kept the deferred lifecycle error through the later tool event, persisted agent:main:main as failed, recorded terminal timing fields, and cleared the run context after the grace window.
• What was not tested: Live Telegram plus llama.cpp transport; this proof exercises the Gateway lifecycle/event persistence path directly.
• Before evidence: The new regression failed on the old implementation with TypeError: Cannot read properties of undefined (reading 'state') because no final error payload was emitted after the later tool event cleared the pending timer.

Root Cause (if applicable)

• Root cause: pendingTerminalLifecycleErrors stored only a timer, and the handler cleared that timer for any event that was not lifecycle error.
• Missing detection / guardrail: Existing tests covered grace-expiry cleanup and fallback recovery, but not lifecycle error followed by a later non-terminal event with no lifecycle end.
• Contributing context (if known): Retry grace handling needs to distinguish a real retry lifecycle start from ordinary tool/item/assistant events for the same run.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/gateway/server-chat.agent-events.test.ts
• Scenario the test should lock in: lifecycle error schedules terminal cleanup; a later tool event does not cancel it; a later lifecycle start still cancels it as a retry.
• Why this is the smallest reliable guardrail: The bug is entirely in gateway agent-event lifecycle ordering; no channel/provider transport participates in the state transition.
• Existing test that already covers this (if any): None covered this exact event ordering.
• If no new test is added, why not: New tests are added.

User-visible / Behavior Changes

Gateway sessions are less likely to remain stuck in running after provider timeout/error ordering where non-terminal events arrive after lifecycle error.

Diagram (if applicable)

Before:
lifecycle start -> lifecycle error -> tool result -> pending terminal cleanup cleared -> session can stay running

After:
lifecycle start -> lifecycle error -> tool result -> grace expires -> terminal cleanup persists failed state

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: macOS 26.4.1
• Runtime/container: Node v25.9.0, local source checkout
• Model/provider: N/A
• Integration/channel (if any): Gateway lifecycle handler
• Relevant config (redacted): N/A

Steps

1. Emit lifecycle start.
2. Emit lifecycle error with retry grace enabled.
3. Emit a later non-terminal tool event for the same run.
4. Advance the retry grace timer.

Expected

• Terminal error cleanup runs and the session can persist a failed terminal state.

Actual

• Before this patch, the later non-terminal event cleared the only pending terminal cleanup timer.
• After this patch, the terminal cleanup remains pending and runs after the grace window.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

• Verified scenarios: error -> tool -> grace expires; error -> start retry; existing lifecycle chat/fallback behavior in server-chat.agent-events.test.ts; real Gateway agent-event subscription persisted failed to an isolated sessions.json after the 15s grace.
• Edge cases checked: Timer replacement guard, restart cancellation, persistence of terminal error after delayed cleanup.
• What you did not verify: Live Telegram plus llama.cpp timeout path.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: A recoverable retry attempt could be finalized too early.
  • Mitigation: The fix keeps lifecycle start as the cancellation signal and adds regression coverage that restart still cancels the deferred error.

[clawsweeper]

Codex review: needs maintainer review before merge.

Latest ClawSweeper review: 2026-05-22 08:20 UTC / May 22, 2026, 4:20 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR stores pending gateway lifecycle errors as timer/event/options records, narrows cancellation to non-error lifecycle phases, and adds regression tests for error-to-tool, phase-less lifecycle, fallback, and retry-start ordering.

Reproducibility: yes. at source level. Current main schedules deferred cleanup for lifecycle errors but clears the only pending timer on later non-error events; the PR adds direct regression coverage and copied real Gateway output for the error -> tool -> grace path.

PR rating
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Summary: The PR has solid live Gateway proof and focused regression coverage, with remaining confidence mainly dependent on current-head CI because this review did not run tests.

Rank-up moves:

• Run node scripts/run-vitest.mjs src/gateway/server-chat.agent-events.test.ts on the current head before merge.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (live_output): The PR body includes copied live terminal output from a real loopback Gateway run showing lifecycle:start -> lifecycle:error -> tool:end persists failed, records terminal timing, and clears run context after the grace window.

Risk before merge

• I did not execute the targeted Vitest file in this read-only review checkout, so CI or a maintainer-run node scripts/run-vitest.mjs src/gateway/server-chat.agent-events.test.ts should still prove the current head.

Maintainer options:

1. Decide the mitigation before merge
   Keep the structured pending-error record and lifecycle-only cancellation predicate, then land after current-head gateway lifecycle tests and normal maintainer review pass.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge
No ClawSweeper repair lane is needed; the remaining action is maintainer review and current-head validation after the author's follow-up commit appears to resolve the earlier blocking finding.

Security
Cleared: The diff only changes in-process gateway lifecycle timer bookkeeping and tests; it adds no dependencies, permissions, network calls, secret handling, or code-execution surface.

Review details

Best possible solution:

Keep the structured pending-error record and lifecycle-only cancellation predicate, then land after current-head gateway lifecycle tests and normal maintainer review pass.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level. Current main schedules deferred cleanup for lifecycle errors but clears the only pending timer on later non-error events; the PR adds direct regression coverage and copied real Gateway output for the error -> tool -> grace path.

Is this the best way to solve the issue?

Yes. Storing the original terminal lifecycle event and options with the timer, then canceling only on non-error lifecycle continuation phases, is a narrow maintainable fix that preserves fallback while preventing ordinary tool/assistant events from erasing cleanup.

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes copied live terminal output from a real loopback Gateway run showing lifecycle:start -> lifecycle:error -> tool:end persists failed, records terminal timing, and clears run context after the grace window.
• add rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🦞 diamond lobster, patch quality is 🐚 platinum hermit, and The PR has solid live Gateway proof and focused regression coverage, with remaining confidence mainly dependent on current-head CI because this review did not run tests.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes copied live terminal output from a real loopback Gateway run showing lifecycle:start -> lifecycle:error -> tool:end persists failed, records terminal timing, and clears run context after the grace window.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove merge-risk: 🚨 session-state: Current PR review selected no merge-risk labels.
• remove merge-risk: 🚨 message-delivery: Current PR review selected no merge-risk labels.
• remove status: ⏳ waiting on author: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P1: The PR targets a high-impact gateway lifecycle regression that can leave sessions stuck running and block follow-up messages after provider timeouts.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🦞 diamond lobster, patch quality is 🐚 platinum hermit, and The PR has solid live Gateway proof and focused regression coverage, with remaining confidence mainly dependent on current-head CI because this review did not run tests.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes copied live terminal output from a real loopback Gateway run showing lifecycle:start -> lifecycle:error -> tool:end persists failed, records terminal timing, and clears run context after the grace window.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes copied live terminal output from a real loopback Gateway run showing lifecycle:start -> lifecycle:error -> tool:end persists failed, records terminal timing, and clears run context after the grace window.

Acceptance criteria:

• node scripts/run-vitest.mjs src/gateway/server-chat.agent-events.test.ts

What I checked:

• Current main bug shape: Current main stores only a timeout for pending terminal lifecycle errors and clears that timer for any later event except a lifecycle error, so a later tool or assistant event can erase the deferred terminal cleanup. (src/gateway/server-chat.ts:232, 192a782b99de)
• Patch cancellation predicate: The final PR patch changes the pending-error clear predicate to lifecyclePhase !== null && lifecyclePhase !== "error", which preserves deferred cleanup across non-lifecycle events while still canceling on fallback/start/end-style lifecycle continuations. (src/gateway/server-chat.ts:814, f4f945f814a4)
• Patch regression coverage: The PR adds focused tests for lifecycle error followed by tool, phase-less lifecycle events, retry start cancellation, and fallback continuing beyond the retry grace without premature error finalization. (src/gateway/server-chat.agent-events.test.ts:2050, f4f945f814a4)
• Fallback contract in current tests: Current main already models error -> fallback -> end as a live continuation path that should preserve chat run remapping and avoid an error final state before the eventual lifecycle end. (src/gateway/server-chat.agent-events.test.ts:2006, 192a782b99de)
• Related issue context: The linked open issue [Bug]: Session stuck in "running" status persists in v2026.4.9 — phaseBeforeAbort fix no longer sufficient #63819 reports sessions stuck in running after provider timeouts, matching the gateway lifecycle cleanup path changed by this PR.
• Prior review finding addressed: The earlier ClawSweeper comment flagged start-only cancellation as a fallback regression; the second PR commit changes the predicate so lifecycle fallback-style events cancel the deferred terminal error. (src/gateway/server-chat.ts:814, f4f945f814a4)

Likely related people:

• samzong: GitHub commit history for the touched gateway files shows prior merged work on agent event fanout and incremental chat delta payloads, so the current PR author also has prior main-branch history in this path. (role: recent gateway event contributor; confidence: high; commits: bb8aa0cfe2b0, 10315ce21593; files: src/gateway/server-chat.ts, src/gateway/server-chat.agent-events.test.ts)
• steipete: Recent commits on src/gateway/server-chat.ts and related session-state behavior include v4 chat delta and gateway test work in the same event handling surface. (role: recent gateway/session-state contributor; confidence: high; commits: a6497b175905, 150bebcd0ce7, c3c451094282; files: src/gateway/server-chat.ts, src/gateway/server-chat.agent-events.test.ts)
• jalehman: History for the gateway event files shows review/coauthor involvement on recent agent event fanout work plus adjacent chat/tool display and replay fixes. (role: reviewer and adjacent event-flow contributor; confidence: medium; commits: bb8aa0cfe2b0, 4bfd7416f0f9; files: src/gateway/server-chat.ts, src/gateway/server-chat.agent-events.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 192a782b99de.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Tiny Shellbean

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: sniffs out flaky tests.
Image traits: location CI tidepool; accessory miniature diff map; palette moss green and polished brass; mood sparkly; pose leaning over a miniature review desk; shell starlit enamel shell; lighting cool dashboard glow; background soft code-shaped tiles.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Tiny Shellbean in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[steipete]

Landed via rebase onto main.

• PR head before merge: 92c0037
• Main commit: 6394dd1
• Verification: node scripts/run-vitest.mjs src/gateway/server-chat.agent-events.test.ts (71 passed); pnpm exec oxfmt --check --threads=1 src/gateway/server-chat.ts src/gateway/server-chat.agent-events.test.ts CHANGELOG.md; git diff --check
• CI: PR checks were green before the maintainer changelog commit; merge completed successfully on GitHub.

Thanks @samzong!