fix(tui): stabilize optimistic user messages across history reloads, runId reassignment, and abort

[RomneyDa]

What this fixes

The TUI renders an outbound user message optimistically, before the gateway persists it. Three situations could make that optimistic row disappear, jump position, or linger as a ghost. This PR makes it stable across all three by tracking it as a keyed pending entry that is reconciled against real history.

1. A stale history reload wipes the message. A chat.history rebuild (or run-error refresh) landing before the message is persisted used to clear the optimistic render. Pending rows now survive clearAll, are restored across rebuilds, and are reconciled (by text + timestamp) once persisted history catches up. (Original regressions: [Bug]: [tui] Outbound messages not visible until agent response completes (loadHistory wipes optimistic render) #54722, [Bug]: TUI input vanishes silently — messages typed/pasted disappear from history with no response #59014.)

2. The gateway reassigns the runId. When chat.send returns a different runId than the locally generated one, the pending row is re-keyed in place via ChatLog.rekeyPendingUser (a map-key swap, no re-mount), so it keeps its transcript position even if a reply already rendered below it.

3. Abort before the run registers. A new pendingSubmitDraft tracks a submit until it is durably registered (proven by isRunObserved or completion). abortActive drops the optimistic row only while the submit is still unregistered; once registered, the row is left to history. This removes both the ghost row that used to linger after aborting a pending submit and the risk of dropping a row whose reply already showed.

It also removes two unused ChatLog helpers (commitPendingUser, hasPendingUser) that had no caller.

Why it exists

Outbound TUI messages silently vanishing or mis-rendering is a recurring, high-annoyance class of bug (#54722, #59014). The optimistic-render path had no durable link between the rendered row and the eventual persisted/streamed run, so any reload, runId reassignment, or abort in the wrong window lost or misplaced it.

Commits

• fix(tui): preserve optimistic user messages — pending-row preservation + reconcile across history reloads (case 1).
• refactor(tui): drop unused pending-user chat-log helpers — remove dead commitPendingUser / hasPendingUser.
• fix(tui): reconcile optimistic user row across runId reassignment and abort — in-place re-key (case 2) + gated abort cleanup with the isRunObserved registration guard (case 3).

Related issues

• Guards against the closed disappearance regressions [Bug]: [tui] Outbound messages not visible until agent response completes (loadHistory wipes optimistic render) #54722 and [Bug]: TUI input vanishes silently — messages typed/pasted disappear from history with no response #59014.
• Folds in the optimistic-row handling from the closed Fix TUI Esc abort stale busy state #86200 (Esc abort), minus its editor draft-restore. The stale busy-state half of that issue (TUI Esc abort can leave stale optimistic busy state #86199) already landed separately via fix(tui): queue prompts submitted while busy #86722.
• Distinct from [Bug]: TUI long messages vanish — fullRender(true) clears terminal scrollback (\x1b[3J) #78017 (open), which is long-message scrollback loss in the renderer (\x1b[3J), not the optimistic-history path.

Verification

Maintainer local proof (no live Gateway run):

node scripts/run-vitest.mjs run --config test/vitest/vitest.tui.config.ts \
  src/tui/components/chat-log.test.ts src/tui/tui-command-handlers.test.ts \
  src/tui/tui-session-actions.test.ts src/tui/tui-event-handlers.test.ts
node scripts/run-vitest.mjs run --config test/vitest/vitest.tui-pty.config.ts
node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.core.test.json   # CI check-test-types lane (covers src/tui)
.agents/skills/autoreview/scripts/autoreview --mode local

• TUI unit lanes: 179 passed (4 files)
• Fake-backend PTY lane: 13 passed
• Test + prod types: clean · oxfmt --check: clean · git diff --check: clean
• autoreview: patch is correct, no accepted/actionable findings

New regression coverage: in-place re-key preserves transcript order; abort drops a not-yet-registered pending row; abort keeps a registered row; the draft is not re-armed when the accepted run already emitted events.

Not tested: no live Gateway/provider/streaming run; the fake-backend PTY harness does not prove transport, embedded runtime, providers, or session persistence.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 5, 2026, 3:05 PM ET / 19:05 UTC.

Summary
The PR changes TUI optimistic user messages into keyed pending rows that survive history rebuilds, re-key to gateway-accepted run IDs, and are dropped only for unregistered aborted or failed sends, with focused TUI regression coverage.

PR surface: Source +75, Tests +207. Total +282 across 10 files.

Reproducibility: yes. from source inspection and linked reports: current main renders an unkeyed optimistic user row, while loadHistory() rebuilds with clearAll(), so a stale refresh can wipe the row before persisted history catches up. I did not run a live TUI/Gateway reproduction in this read-only review.

Review metrics: 1 noteworthy metric.

• TUI pending state fields: 1 added. pendingSubmitDraft becomes the in-memory owner for whether abort may drop an optimistic row, so its lifecycle needs maintainer review before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Maintainer should review the current merge ref against the recent TUI queue/abort/history cluster before landing.
• [P2] Add live Gateway or embedded-local TUI proof only if maintainers require transport or session-persistence coverage beyond the focused lanes.

Risk before merge

• [P1] A missed interleaving across send resolution, run registration, history reload, final/error events, and abort cleanup could still hide, duplicate, or mis-associate transcript rows.
• [P1] The supplied proof is focused TUI unit and fake-backend PTY proof; the scoped TUI guide says that lane does not prove Gateway transport, embedded runtime, providers, session persistence, or live streaming.
• [P1] The PR overlaps a recent TUI queue/abort/history cluster, so maintainers should review the current merge ref rather than only the branch-era diff.

Maintainer options:

1. Review and Land the Merge Ref (recommended)
   Proceed after a maintainer reviews this merge ref against the recent TUI queue, abort, and history cluster and accepts the remaining async race risk.
2. Require Live TUI Proof
   Ask for a live Gateway or embedded-local TUI run showing stale-history preservation and abort cleanup before merge if transport/session-persistence confidence is required.
3. Pause for Sequencing
   Pause this PR if maintainers decide the recently landed TUI queue or abort fixes should be the canonical path before this broader pending-row reconciliation lands.

Next step before merge

• [P2] Protected maintainer PR plus TUI message/session-state race risk needs human sequencing; I found no narrow automated repair to queue.

Security
Cleared: The diff stays inside TUI state handling and tests, with no dependency, workflow, secret, install, package, or code-execution surface changes.

Review details

Best possible solution:

Land the current merge ref only after maintainer review accepts the remaining TUI race risk or asks for a live/embedded TUI proof extension; the desired end state is one keyed optimistic row that remains visible until history or explicit failure owns it.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection and linked reports: current main renders an unkeyed optimistic user row, while loadHistory() rebuilds with clearAll(), so a stale refresh can wipe the row before persisted history catches up. I did not run a live TUI/Gateway reproduction in this read-only review.

Is this the best way to solve the issue?

Yes, this appears to be the best TUI-layer fix: it keeps one keyed pending row and reconciles against canonical history rather than adding a broader Gateway protocol change. A protocol-level run-ID contract would be larger and is not needed for this bounded repair.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 36d9241cf7d6.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-patch focused TUI unit, fake-backend PTY, type, format, and autoreview output; it does not claim live Gateway/provider/session-persistence proof.

Label justifications:

• P2: This is a normal-priority TUI message-rendering/session-state repair with limited blast radius but real user-visible annoyance.
• merge-risk: 🚨 session-state: The patch changes how TUI run registration, pending submit state, history refresh, and abort cleanup share state.
• merge-risk: 🚨 message-delivery: A bad merge could hide, duplicate, or wrongly keep outbound user transcript rows even when the backend run is handled correctly.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes after-patch focused TUI unit, fake-backend PTY, type, format, and autoreview output; it does not claim live Gateway/provider/session-persistence proof.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-patch focused TUI unit, fake-backend PTY, type, format, and autoreview output; it does not claim live Gateway/provider/session-persistence proof.

Evidence reviewed

PR surface:

Source +75, Tests +207. Total +282 across 10 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	6	83	8	+75
Tests	4	239	32	+207
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	10	322	40	+282

What I checked:

• Repository policy applied: Root and scoped TUI review policy were read; the scoped TUI guide specifically limits fake-backend PTY proof from proving Gateway transport, embedded runtime, providers, session persistence, or live streaming. (src/tui/AGENTS.md:1, 36d9241cf7d6)
• Current main behavior: Current main renders outbound text as an unkeyed user row before send resolution, so a later history rebuild has no row identity to preserve or reconcile. (src/tui/tui-command-handlers.ts:751, 36d9241cf7d6)
• History rebuild path: Current main rebuilds TUI history with chatLog.clearAll(), which clears the optimistic row before server history necessarily contains the sent user message. (src/tui/tui-session-actions.ts:452, 36d9241cf7d6)
• PR implementation: The merge ref adds keyed pending submit state, re-keys pending user rows to the accepted run ID, and drops pending rows on send failure. (src/tui/tui-command-handlers.ts:753, 6e37c58d607d)
• PR history reconciliation: The merge ref preserves pending rows across loadHistory(), collects history user timestamps, reconciles matching rows, and restores only unmatched pending rows. (src/tui/tui-session-actions.ts:458, 6e37c58d607d)
• PR registration guard: The event handler marks submitted runs registered when chat or lifecycle events arrive and exposes isRunObserved so abort cleanup does not drop rows whose reply already rendered. (src/tui/tui-event-handlers.ts:274, 6e37c58d607d)

Likely related people:

• vincentkoc: Authored prior pending-send and clock-skew reconciliation fixes in the same TUI optimistic/history area. (role: feature-history owner; confidence: high; commits: 51d6d7013f07, f0a44232716d, 397b0d85f571; files: src/tui/tui-command-handlers.ts, src/tui/tui-session-actions.ts, src/tui/components/chat-log.ts)
• vignesh07: Authored the earlier TUI optimistic user-message preservation change referenced by the current behavior path. (role: introduced adjacent optimistic-message behavior; confidence: high; commits: 61a0b0293104, 726ef48c2ac8, 6084c26d0046; files: src/tui/tui-command-handlers.ts, src/tui/tui-event-handlers.ts)
• neeravmakwana: Authored the recently merged busy-submit queue PR touching the same TUI pending-state and abort surfaces. (role: recent adjacent owner; confidence: medium; commits: 6842d72a9c7b; files: src/tui/tui-command-handlers.ts, src/tui/tui-session-actions.ts, src/tui/tui.ts)
• steipete: Recent TUI history-sync and refactor commits touch surrounding session/history behavior and tests. (role: recent adjacent contributor; confidence: medium; commits: ff2e9a52ff10, 2d6d6797d81a, 675764e866e8; files: src/tui/tui-session-actions.ts, src/tui/tui-command-handlers.ts, src/tui/tui-event-handlers.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[RomneyDa]

Addressed the ClawSweeper feedback and rebased onto current origin/main (ba88b7a178).

Summary:

• Removed the CHANGELOG.md edit from this contributor PR.
• Kept optimistic user messages pending after the first gateway run binding; they are now removed only when chat.history reconciliation sees the persisted user message or when chat.send fails explicitly.
• Added regressions for stale history rebuilds, run-binding retention, and send-failure cleanup.

Verification:

• git diff --check
• OPENCLAW_VITEST_FS_MODULE_CACHE_PATH=/tmp/openclaw-vitest-tui-disappearing-$RANDOM OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=30000 node scripts/run-vitest.mjs run --config test/vitest/vitest.tui.config.ts src/tui/components/chat-log.test.ts src/tui/tui-command-handlers.test.ts src/tui/tui-session-actions.test.ts src/tui/tui-event-handlers.test.ts --reporter=verbose (4 files, 174 tests)
• OPENCLAW_VITEST_FS_MODULE_CACHE_PATH=/tmp/openclaw-vitest-tui-pty-$RANDOM OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=30000 node scripts/run-vitest.mjs run --config test/vitest/vitest.tui-pty.config.ts (1 file, 13 tests)
• .agents/skills/autoreview/scripts/autoreview --mode local (clean)

Real behavior proof:
Behavior addressed: TUI optimistic user messages no longer disappear after gateway run binding when a stale chat.history reload races before persistence catches up.
Real environment tested: local macOS checkout after pnpm install restored the declared rastermill dependency.
Exact steps or command run after this patch: focused TUI unit lane and TUI PTY lane listed above.
Evidence after fix: tests cover stale history rebuild preservation, run-binding retention until history reconciliation, and explicit send-failure cleanup.
Observed result after fix: focused TUI lanes pass.
What was not tested: live gateway/TUI manual reproduction.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26771432131
• Updated: 2026-06-01T17:48:08.493Z

[RomneyDa]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27034073067
• Updated: 2026-06-05T19:06:06.465Z