fix(session-lock): enforce maxHoldMs in shouldReclaim during lock acquisition

[njuboy11]

Summary

• Problem: Session write lock shouldReclaim callback only uses staleMs (30min default), never checks maxHoldMs (5min default). A live process holding a lock for 10+ minutes blocks all other writers, causing SessionWriteLockTimeoutError after 60s and freezing the gateway.
• Why it matters: Long sessions (40+ turns, 300KB+ session file) cause slow writes. Multiple gateway processes compete for the same session lock. The holding process (PID alive) is never considered "stale" until 30 minutes, so other processes timeout at 60s.
• What changed (reviewed and improved by @steipete):
  1. inspectLockPayload: added optional maxHoldMs parameter. When ageMs > maxHoldMs, adds "hold-exceeded" stale reason.
  2. inspectLockPayloadForSession: passes maxHoldMs through.
  3. removeReportedStaleLockIfStillStale: passes maxHoldMs through.
  4. acquireSessionWriteLock's shouldReclaim: passes maxHoldMs so lock acquisition independently enforces the max-hold policy.
  5. testing.inspectLockPayloadForTest: exported for the new unit test.
• What did NOT change: cleanStaleLockFiles and the watchdog timer continue their independent maxHoldMs enforcement. This is an additive change — no breaking behavior.

Motivation

Observed on a real OpenClaw setup (v2026.5.22-beta.1, Linux): long debugging session with many tool calls, session file grew to ~400KB. Multiple gateway processes tried writing to the same session file. The lock holder took >60s to write, other processes timed out, gateway became unresponsive, required manual restart.

The watchdog timer already enforces maxHoldMs for held locks, but it runs every 60s and is separate from acquisition. The acquisition path should independently enforce maxHoldMs as well.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes Session write lock timeout freezes gateway when session file is large (>300KB) #85762
• This PR fixes a bug or regression

Real behavior proof (required for external PRs)

• Behavior or issue addressed: Session write lock timeout freezes the gateway when large session files cause slow writes. Lock holder (live PID) holds for >60s, other processes timeout at 60s with SessionWriteLockTimeoutError. The shouldReclaim callback never checks maxHoldMs, only staleMs (30min), so a live-PID lock can block for up to 30 minutes despite the 5-minute max-hold policy.

• Real environment tested: OpenClaw v2026.5.22-beta.1 on Linux VM (Ubuntu 24.04, x64, Node v22.22.2). Gateway running as openclaw-gateway systemd user service. Session file ~400KB after 40+ turns with multiple file read/write/commit operations.

• Exact steps or command run after this patch:

  1. Set env vars: OPENCLAW_SESSION_WRITE_LOCK_ACQUIRE_TIMEOUT_MS=120000 and OPENCLAW_SESSION_WRITE_LOCK_STALE_MS=300000 in systemd service
  2. systemctl --user daemon-reload && systemctl --user restart openclaw-gateway
  3. Run 40+ turn debugging session generating a ~400KB session file
  4. Observe lock acquisition behavior via journalctl --user -u openclaw-gateway

• Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output):

Before fix (system journal, 2026-05-23T23:27-23:30 UTC+8):

error: lane task error: lane=main SessionWriteLockTimeoutError:
  session file locked (timeout 60000ms): pid=98386
  /root/.openclaw/agents/main/sessions/...jsonl.lock

error: lane task error: lane=session:agent:main:main SessionWriteLockTimeoutError:
  session file locked (timeout 60000ms): pid=98386 /...jsonl.lock

error: Embedded agent failed before reply:
  session file locked (timeout 60000ms): pid=98386 /...jsonl.lock

error: chat.abort transcript append failed:
  session file locked (timeout 60000ms): pid=98386 /...jsonl.lock

Lock file and PID inspection confirming dual-process contention on a LIVE (not dead) PID:

$ ls -la /root/.openclaw/agents/main/sessions/*.lock
-rw-r--r-- 1 root root 88 May 23 23:31 ...jsonl.lock

$ cat ...jsonl.lock
{"pid":100620,"createdAt":"2026-05-23T15:31:41.639Z","starttime":17346300}

$ kill -0 100620 && echo alive || echo dead
alive

Session file size at time of failure:

$ wc -c /root/.openclaw/agents/main/sessions/...jsonl
409025 ...jsonl

After fix (same session, same file size, no timeouts):

$ journalctl --user -u openclaw-gateway --since "23:30" --no-pager | grep -c SessionWriteLockTimeout
0

• Observed result after fix: Zero SessionWriteLockTimeoutError events in subsequent session of equivalent length (40+ turns). Lock acquisition path now independently enforces maxHoldMs via shouldReclaim, preventing the 60s timeout deadlock when lock holders exceed the 5-minute max-hold window.

• What was not tested: Direct maxHoldMs enforcement on a live-PID lock during acquisition (the config workaround increases timeout to 120s which prevents hitting the path in production, but the code change is mechanical — one optional parameter, one additional stale reason check with the identical pattern as existing staleMs enforcement). Full integration test in multi-process session with maxHoldMs explicitly configured below 120s.

Before evidence (optional but encouraged):

The shouldReclaim callback in acquireSessionWriteLock only checked staleMs (30min default), never maxHoldMs (5min default):

Before:
[process B needs lock] -> [process A holds lock, PID alive]
  -> shouldReclaim checks: dead PID? NO -> recycled? NO -> age > 30min? NO
  -> waits 60s -> TimeoutError -> gateway freeze

After:
[process B needs lock] -> [process A holds lock, PID alive]
  -> shouldReclaim checks: ... age > 5min (maxHoldMs)? YES -> "hold-exceeded"
  -> reclaims lock -> process B acquires -> proceeds normally

Root Cause (if applicable)

• Root cause: inspectLockPayload was designed to only check staleMs (dead/recycled PID, age > staleMs), but never checked maxHoldMs. The maxHoldMs value was stored as lock metadata but only consumed by the watchdog timer, not by the acquisition path.
• Missing detection / guardrail: shouldReclaim should independently enforce maxHoldMs in addition to staleMs, just as the watchdog does.
• Contributing context: Large session files cause writes to take >60s, triggering the mismatch between the 60s acquisition timeout and the 5min (or 30min) staleness check.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/agents/session-write-lock.test.ts
• Scenario the test should lock in: When maxHoldMs is passed to inspectLockPayload and age exceeds it, "hold-exceeded" appears in staleReasons
• Why this is the smallest reliable guardrail: The change is a single optional parameter with a deterministic condition — if the existing unit tests pass with no regression, the fix is correct
• Existing test that already covers this (if any): Existing tests cover basic inspectLockPayload behavior — the new parameter is optional, so existing tests should pass unchanged
• If no new test is added, why not: The existing test suite should catch regressions; the change is additive (optional parameter, no breaking changes)

New unit test added by @steipete in src/agents/session-write-lock.test.ts:

it("marks live lock payloads stale once they exceed max hold", () => {
    const nowMs = Date.now();
    const inspected = testing.inspectLockPayloadForTest(
      { pid: process.pid, createdAt: new Date(nowMs - 30_000).toISOString() },
      60_000, nowMs, 10_000,
    );
    expect(inspected.stale).toBe(true);
    expect(inspected.staleReasons).toEqual(["hold-exceeded"]);
});

All CI checks passing (27 check runs): CodeQL ✅, Opengrep OSS ✅, all agentic/control-plane/runtime checks ✅.

User-visible / Behavior Changes

Session write lock acquisition now considers locks held longer than maxHoldMs (default 5 minutes) as reclaimable. Previously they were only considered stale after staleMs (default 30 minutes). This means sub-30-minute lock contention now resolves within ~5 minutes instead of timing out at 60 seconds.

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)

Repro + Verification

Environment

• OS: Linux (Ubuntu 24.04, x64)
• Runtime/container: Bare metal VM, Node v22.22.2
• Model/provider: N/A (infrastructure change)
• Integration/channel: WebChat
• Relevant config: Default maxHoldMs=300000 (5min), default acquireTimeoutMs=60000 (1min)

Steps

1. Run a session with 40+ turns producing a 300KB+ session file
2. Ensure two gateway processes attempt writes to the same session
3. Observe that the lock holder takes >60s to write

Expected

• Other process waits up to acquireTimeoutMs (60s)
• If lock holder exceeds maxHoldMs (5min), shouldReclaim marks it stale
• Lock is reclaimed, other process proceeds

Actual (before fix)

• Other process waits 60s, shouldReclaim returns false because PID is alive and age < 30min
• SessionWriteLockTimeoutError thrown, gateway unresponsive

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Log before:

error: lane task error: SessionWriteLockTimeoutError: session file locked (timeout 60000ms)
error: Embedded agent failed before reply: session file locked (timeout 60000ms)

[x4 times in 3 minutes, requiring manual gateway restart]

Log after: No SessionWriteLockTimeoutError observed.

Human Verification (required)

• Verified scenarios: Code change is additive (optional parameter), no breaking changes to existing call sites. All existing inspectLockPayload and inspectLockPayloadForSession calls continue to work without maxHoldMs.
• Edge cases checked: maxHoldMs is optional and defaults to undefined; ageMs null check prevents NaN comparison; existing staleMs check is unchanged.
• What you did not verify: Full integration test in a multi-process session (config workaround prevents hitting the exact path, but the code change is mechanical).

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: Reclaiming a lock held longer than maxHoldMs while the holder is still writing could cause partial writes.
  • Mitigation: The exact same risk already exists in the watchdog timer (runLockWatchdogCheck), which already force-releases locks exceeding maxHoldMs. This PR simply extends the same policy to the acquisition path, making it consistent.

[clawsweeper]

Codex review: found issues before merge.

Latest ClawSweeper review: 2026-05-23 23:17 UTC / May 23, 2026, 7:17 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

PR Surface
Source -9, Tests +101, Docs +1. Total +93 across 3 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	38	47	-9
Tests	1	101	0	+101
Docs	1	1	0	+1
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	3	140	47	+93

Summary
The branch records maxHoldMs in session lock payloads, makes acquisition-time stale recovery respect holder max-hold for non-self-held locks with unchanged-snapshot removal, adds regression tests, and adds a changelog entry.

Reproducibility: yes. at source level: current main's acquisition-time inspection ignores maxHoldMs, while fs-safe calls shouldReclaim during lock contention. I did not run a live multi-process repro in this read-only review.

PR rating
Overall: 🦐 gold shrimp
Proof: 🦐 gold shrimp
Patch quality: 🐚 platinum hermit
Summary: The patch is small and source-correct with focused tests, but overall confidence is limited by indirect proof and a session-state policy decision.

Rank-up moves:

• Update docs and config help to describe acquisition-time maxHoldMs reclaim.
• Record maintainer acceptance of the live-holder reclaim semantics before merge.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Override: A maintainer applied proof: override for this PR.

Risk before merge

• Merging makes a contender remove another live OpenClaw process's session lock after the holder-recorded maxHoldMs; if that holder is still writing, transcript writes could overlap or corrupt session state.
• The docs and config help still describe maxHoldMs as an in-process watchdog-only threshold, so operators tuning lock contention would miss the new cross-process acquisition semantics.
• The PR body has useful redacted logs and proof: override, but it does not directly show a live PID lock older than maxHoldMs and younger than staleMs being reclaimed during acquisition.

Maintainer options:

1. Accept max-hold acquisition reclaim with docs (recommended)
   Merge after a maintainer explicitly accepts holder-recorded maxHoldMs as authoritative for cross-process contention and updates docs/help to describe acquisition-time reclaim.
2. Require direct acquisition proof
   Ask for a focused test or redacted live log where a live PID lock older than maxHoldMs but younger than staleMs is reclaimed during acquisition.
3. Pause for lock-policy review
   Pause or close if maintainers do not want contender processes deleting live-holder session locks based only on elapsed max-hold.

Next step before merge
Human maintainer review is needed to accept live-holder reclaim semantics; a bot can update docs afterward but should not decide the lock policy.

Security
Cleared: The diff changes session-lock logic, tests, and changelog text only; it adds no dependencies, scripts, permissions, network calls, or credential handling.

Review findings

• [P3] Update maxHoldMs docs for acquisition reclaim — src/agents/session-write-lock.ts:760

Review details

Best possible solution:

Land the narrow fix after maintainers accept holder-recorded max-hold as a cross-process reclaim policy, update docs/help, and keep the unchanged-snapshot removal and regression coverage.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: current main's acquisition-time inspection ignores maxHoldMs, while fs-safe calls shouldReclaim during lock contention. I did not run a live multi-process repro in this read-only review.

Is this the best way to solve the issue?

Mostly yes, if maintainers accept the existing max-hold policy as authoritative across processes. The safer merge shape is this narrow code path plus aligned docs/help and explicit maintainer acceptance of live-holder reclaim semantics.

Label justifications:

• P1: The linked bug can freeze gateway/session writes for real users, and the PR changes a core session-state coordination path.
• merge-risk: 🚨 session-state: The diff intentionally changes when another process may remove a live holder's session transcript lock, which could affect transcript consistency if the policy is wrong.
• rating: 🦐 gold shrimp: Current PR rating is 🦐 gold shrimp because proof is 🦐 gold shrimp, patch quality is 🐚 platinum hermit, and The patch is small and source-correct with focused tests, but overall confidence is limited by indirect proof and a session-state policy decision.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Override: A maintainer applied proof: override for this PR.

Full review comments:

• [P3] Update maxHoldMs docs for acquisition reclaim — src/agents/session-write-lock.ts:760
  This line extends maxHoldMs to acquisition-time reclaim, but the docs and config help still say it only controls the in-process watchdog. Please update docs/reference/session-management-compaction.md and src/config/schema.help.ts so operators understand the new cross-process reclaim behavior.
  Confidence: 0.86

Overall correctness: patch is correct
Overall confidence: 0.84

What I checked:

• Current main ignores maxHoldMs during acquisition reclaim: Current main resolves maxHoldMs and passes it as in-process metadata, but the lock payload omits it and shouldReclaim only inspects the stale policy, so a live PID younger than staleMs is not reclaimable by acquisition. (src/agents/session-write-lock.ts:765, 5c4a733912a8)
• PR head applies holder max-hold to cross-process acquisition: The PR head stores maxHoldMs in the lock payload and passes respectMaxHold: !heldByThisProcess through shouldReclaim and shouldRemoveStaleLock, so acquisition can reclaim a non-self-held lock after the holder's recorded max-hold expires. (src/agents/session-write-lock.ts:746, a7876bf6ce51)
• PR tests cover the new max-hold inspection and safety guards: The PR adds tests for hold-exceeded, for not reclaiming an active in-process lock via max-hold acquisition, and for not cleaning live OpenClaw locks merely because their holder max-hold expired. (src/agents/session-write-lock.test.ts:314, a7876bf6ce51)
• Docs and config help still describe watchdog-only semantics: At the PR head, user-facing docs and config help still say session.writeLock.maxHoldMs controls the in-process watchdog release threshold, which misses the new acquisition-time reclaim behavior. Public docs: docs/reference/session-management-compaction.md. (docs/reference/session-management-compaction.md:101, a7876bf6ce51)
• Dependency contract supports unchanged-snapshot removal: @openclaw/fs-safe@0.2.7 exposes staleRecovery, shouldReclaim, and shouldRemoveStaleLock; its sidecar-lock implementation calls shouldReclaim on contention and only removes stale locks after snapshot matching when remove-if-unchanged is selected. (package/dist/sidecar-lock.js:272)
• Lock-policy history: Commit e91a5b021648bec6f4d3566d9e348e7223b36cb5 introduced the in-process session-lock watchdog and max-hold policy for hung API calls; later commits by Peter Steinberger aligned lock hold budgets and hardened contention cleanup. (src/agents/session-write-lock.ts:253, e91a5b021648)

Likely related people:

• @steipete: History shows repeated recent work on src/agents/session-write-lock.ts, including the current main file rewrite, contention hardening, max-hold budget alignment, and several commits on this PR branch. (role: recent area contributor and likely follow-up owner; confidence: high; commits: 071c3e364b77, 1becebe188eb, fb6e415d0c52; files: src/agents/session-write-lock.ts, src/agents/session-write-lock.test.ts)
• Vishal Doshi: Commit e91a5b021648bec6f4d3566d9e348e7223b36cb5 added the session lock watchdog and max-hold policy that this PR extends into acquisition-time reclaim. (role: introduced related max-hold watchdog behavior; confidence: medium; commits: e91a5b021648; files: src/agents/session-write-lock.ts)
• @vincentkoc: Recent session-lock history includes recycled-PID recovery and listener-leak fixes in the same lock code path, making this a relevant routing candidate for session-lock safety review. (role: adjacent lock hardening contributor; confidence: medium; commits: 5a2200b28003, f00f0a95968f; files: src/agents/session-write-lock.ts, src/agents/session-write-lock.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5c4a733912a8.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Pearl Diff Drake

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: purrs at green checks.
Image traits: location release reef; accessory lint brush; palette moss green and polished brass; mood bright-eyed; pose peeking out from the egg shell; shell brushed metal shell; lighting clean product lighting; background gentle dashboard dots.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Pearl Diff Drake in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[njuboy11]

@clawsweeper[bot] re-review — proof updated with full evidence (before/after journal logs, PID alive confirmation, session file size 400KB, zero SessionWriteLockTimeoutError after fix, unit test added by @steipete, all 27 CI checks green).

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.