fix(agents): release embedded-attempt session lock on every exit path

[openperf]

Summary

• Problem: During an embedded agent run the gateway holds a write lock on the session .jsonl file. If the run times out or a tool errors, the lock can be left held by the live gateway process — subsequent requests to that session block for the acquire timeout and then fail with SessionWriteLockTimeoutError (OPENCLAW_SESSION_WRITE_LOCK_TIMEOUT), and the retained session graph leaks memory. (SessionWriteLockTimeoutError: gateway never releases session file lock after embedded run timeout #86014)
• Root Cause: createEmbeddedAttemptSessionLockController acquires its coarse session lock (heldLock) eagerly at creation and the run releases it only inside the post-run cleanup block (acquireForCleanup → cleanupEmbeddedAttemptResources, which itself releases in a finally). That cleanup block is ordinary try-body code. The run's outer finally did not release the lock — it only emitted diagnostics and restored skill env. Normal timeout/abort/error paths funnel into aborted/timedOut/promptError flags and do reach the cleanup block, but an exception thrown in the ~post-prompt processing between the prompt teardown and the cleanup block (e.g. a tool/result step or the trajectory flush erroring) escapes straight to the outer finally, skipping the release. The lock then stays held by the live process (its PID is alive, so it is not stale) until the long compaction-scaled watchdog window elapses or a retry re-acquires it — effectively wedging the session. (The reporter's "maxHoldMs grows unboundedly" is a fixed value: the embedded-attempt lock's maxHoldMs is the compaction window + grace = 1020000ms, matching the reported lock file; the observed createdAt refresh is the lock being re-acquired by retries.)
• Regression provenance: this surfaced with Release embedded session write lock before model I/O #82891 ("Release embedded session write lock before model I/O", 8a060b2904d4), which replaced the single per-run sessionLock with this eagerly-acquired controller (release-before-I/O + reacquire) and added the post-prompt processing that can throw; the controller releases the lock only through the post-run cleanup hand-off, so an exception on the post-prompt path leaves it held.
• Fix: Give the lock controller an idempotent dispose() that releases heldLock if it is still retained, and call it from the run's outer finally so the lock is released on every exit path. On normal/aborted/timed-out runs the cleanup block still hands the lock to acquireForCleanup first, so dispose() is a no-op then (no double release); only the exception-skips-cleanup path now actually releases via dispose().
• What changed:
  • src/agents/pi-embedded-runner/run/attempt.session-lock.ts: add dispose(): Promise<void> to EmbeddedAttemptSessionLockController (releases the retained heldLock, idempotent).
  • src/agents/pi-embedded-runner/run/attempt.ts: capture a releaseRetainedSessionLock closure once the controller exists and invoke it in the run's outer finally (guarded so a release error is logged rather than masking the run's original error).
  • src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts: regression coverage.
• What did NOT change (scope boundary):
  • The happy-path lock handoff (acquireForCleanup → cleanupEmbeddedAttemptResources) and its flush behavior are unchanged; dispose() is a safety net.
  • The session write-lock primitive, its watchdog/stale logic, and maxHoldMs derivation are unchanged. The separate "an operation inside withSessionWriteLock never returns" variant (its own finally cannot run) remains covered only by the watchdog and is out of scope.
  • No config keys, protocol, or message-delivery behavior changed.

Reproduction

1. An embedded attempt creates the session lock controller (eagerly acquiring the session write lock).
2. Post-prompt processing throws (e.g. a tool/result step or trajectory flush errors) before the cleanup block runs acquireForCleanup.

• Before: the exception escapes to the outer finally, which does not release the lock; the lock file persists held by the live process and the next request to that session fails with SessionWriteLockTimeoutError.
• After: the outer finally calls the controller's dispose(), releasing the retained lock; the next request succeeds.

Real behavior proof

• Behavior addressed: when an embedded attempt throws after eagerly acquiring the session lock but before the cleanup block, the run must still release the session write lock so later requests to the same session do not fail with SessionWriteLockTimeoutError.
• Real environment tested (Linux, Node 22): a standalone harness drives the real acquireSessionWriteLock and the real createEmbeddedAttemptSessionLockController against a temp session file, with the embedded-attempt maxHoldMs (1020000) the gateway uses. It runs an attempt that acquires the lock then throws during post-prompt processing, then issues a second acquireSessionWriteLock for the same session from the same live process — once without the fix (no dispose() in the finally) and once with it.
• Exact steps or command run after this patch: tsx /tmp/qmd86014/repro.mts.
• Evidence after fix (verbatim harness output):

--- BEFORE (pre-fix: outer finally does not release) (dispose in finally = false) ---
  attempt threw: post-processing failure (e.g., trajectory flush)
  lock file persists: true
  subsequent acquire on same session: FAILED SessionWriteLockTimeoutError (isSessionWriteLockTimeoutError=true)

--- AFTER (fix: outer finally calls controller.dispose()) (dispose in finally = true) ---
  attempt threw: post-processing failure (e.g., trajectory flush)
  lock file persists: false
  subsequent acquire on same session: SUCCEEDED

RESULT: PASS — BEFORE leaks the lock and the next request hits SessionWriteLockTimeoutError;
         AFTER (controller.dispose() in the outer finally) releases it and the next request succeeds.

• Observed result after fix: the leaked lock is released on the exception path; the next request to the same session succeeds instead of failing with SessionWriteLockTimeoutError — the reporter's error (session file locked (timeout 60000ms): pid=7 …/<session>.jsonl.lock) is reproduced verbatim (same shape, differing only in timeout/pid) and removed by the fix.
• Regression tests: pnpm test src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts (68 passed) including two new cases — dispose() releases the eagerly-held lock when cleanup is skipped (and is idempotent), and dispose() does not double-release a lock already handed to acquireForCleanup.
• What was not tested: a full multi-process live gateway run with real cron agentTurn retries over time was not executed; the harness exercises the real lock primitive + real controller end to end and the unit tests cover the dispose() contract. The "stalled operation inside withSessionWriteLock never returns" variant is not addressed here (covered by the watchdog).

Risk / Mitigation

• Risk: releasing in the outer finally could double-release a lock the cleanup block already released, or a release error could mask the run's original error.
• Mitigation: dispose() is idempotent — the happy/aborted/timed-out paths transfer the lock out via acquireForCleanup (so the controller no longer retains it and dispose() is a no-op), proven by a no-double-release test. The outer-finally call is wrapped so a release failure is logged rather than thrown, mirroring the existing teardown logging. No behavior change on paths that already released the lock.

Change Type (select all)

• Bug fix

Scope (select all touched areas)

• Gateway / orchestration
• Sessions / storage

Linked Issue/PR

Fixes #86014

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 25, 2026, 8:51 AM ET / 12:51 UTC.

Summary
The PR adds an idempotent dispose path to the embedded-attempt session lock controller, calls it from runEmbeddedAttempt outer teardown, and adds controller lifecycle regression tests.

PR surface: Source +19, Tests +39. Total +58 across 3 files.

Reproducibility: yes. Source inspection shows current main can skip cleanup after trajectory flush throws, and the PR body supplies a before/after terminal harness using the real lock primitive and controller.

Review metrics: none identified.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• A full live multi-process gateway or cron retry scenario was not executed; the supplied terminal harness and focused tests cover the implicated controller path, so this is a landing-confidence gap rather than a contributor blocker.

Maintainer options:

1. Decide the mitigation before merge
   Land the focused dispose/finally release after maintainer review and required CI, then close SessionWriteLockTimeoutError: gateway never releases session file lock after embedded run timeout #86014 as implemented while leaving the stalled-withSessionWriteLock watchdog variant out of scope.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge
No ClawSweeper repair lane is needed because the diff is narrow and I found no actionable defect; the remaining path is maintainer review and CI gating.

Security
Cleared: The diff only changes embedded runner lock lifecycle code and tests; it does not touch dependencies, workflows, packages, credentials, or other supply-chain surfaces.

Review details

Best possible solution:

Land the focused dispose/finally release after maintainer review and required CI, then close #86014 as implemented while leaving the stalled-withSessionWriteLock watchdog variant out of scope.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows current main can skip cleanup after trajectory flush throws, and the PR body supplies a before/after terminal harness using the real lock primitive and controller.

Is this the best way to solve the issue?

Yes. An idempotent controller-owned dispose called from the outer finally is a narrow safety net because normal cleanup still transfers and releases the lock through the existing cleanup path.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against fcf0bff92965.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body contains structured before/after terminal output from a Linux Node 22 harness using the real lock primitive and controller, plus focused regression test output.

Label justifications:

• P1: The linked bug can wedge embedded agent sessions behind a live-process write lock and cause repeated SessionWriteLockTimeoutError failures for real users.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body contains structured before/after terminal output from a Linux Node 22 harness using the real lock primitive and controller, plus focused regression test output.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body contains structured before/after terminal output from a Linux Node 22 harness using the real lock primitive and controller, plus focused regression test output.

Evidence reviewed

PR surface:

Source +19, Tests +39. Total +58 across 3 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	2	19	0	+19
Tests	1	39	0	+39
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	3	58	0	+58

What I checked:

• Root policy read: Root AGENTS.md was read fully and applied; its ClawSweeper guidance for agents/session-state fixes, whole-surface review, and real behavior proof is relevant here. (AGENTS.md:1, fcf0bff92965)
• Scoped agent policy read: The scoped agent and embedded-runner AGENTS.md files were read fully; the embedded-runner guide favors focused helper tests for this kind of runner behavior. (src/agents/pi-embedded-runner/run/AGENTS.md:1, fcf0bff92965)
• Current-main retained lock path: Current main eagerly stores the acquired session write lock in heldLock, and the controller type has no dispose method before this PR. (src/agents/pi-embedded-runner/run/attempt.session-lock.ts:622, fcf0bff92965)
• Current-main cleanup gap: Current main runs trajectory flush before acquiring the cleanup lock; if that pre-cleanup step throws, the outer finally only emits diagnostics and restores skill env. (src/agents/pi-embedded-runner/run/attempt.ts:4963, fcf0bff92965)
• Cleanup handoff contract: cleanupEmbeddedAttemptResources releases the sessionLock it is handed in a finally block, which supports the PR's no-double-release handoff model. (src/agents/pi-embedded-runner/run/attempt.subscription-cleanup.ts:115, fcf0bff92965)
• PR diff reviewed: The current PR diff adds dispose(), wires it into the run outer finally with release-error logging, and adds skipped-cleanup and cleanup-handoff regression tests. (src/agents/pi-embedded-runner/run/attempt.session-lock.ts:630, 0f0787a5d2d1)

Likely related people:

• vincentkoc: Recent GitHub path history shows commit 2bb00f6, titled fix(agents): fence embedded session writes, touching the same embedded session-lock controller surface. (role: central session-lock contributor; confidence: high; commits: 2bb00f6726d4; files: src/agents/pi-embedded-runner/run/attempt.session-lock.ts)
• tianxiaochannel-oss88: Commit 1b77145 changed the same prompt-release and in-process session-write path shortly before this PR. (role: recent adjacent contributor; confidence: medium; commits: 1b77145687ca; files: src/agents/pi-embedded-runner/run/attempt.session-lock.ts)
• jalehman: The same recent prompt-release lock commit records @jalehman as reviewer/co-author, making them a useful routing candidate for this lock lifecycle area. (role: reviewer of adjacent lock behavior; confidence: medium; commits: 1b77145687ca; files: src/agents/pi-embedded-runner/run/attempt.session-lock.ts)
• steipete: The PR commit API shows steipete committed the current head comment-cleanup commit, and local blame in this shallow checkout attributes the current runner lock regions to Peter Steinberger. (role: recent branch committer and current area signal; confidence: medium; commits: 0f0787a5d2d1, b6b275575f; files: src/agents/pi-embedded-runner/run/attempt.ts, src/agents/pi-embedded-runner/run/attempt.session-lock.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🌱 uncommon Moonlit Test Hopper

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🌱 uncommon.
Trait: polishes edge cases.
Image traits: location branch lighthouse; accessory shell-shaped keyboard; palette plum, gold, and soft gray; mood sleepy but ready; pose pointing at a small proof artifact; shell paper lantern shell; lighting golden review-room light; background small review tokens.
Share on X: post this hatch
Copy: My PR egg hatched a 🌱 uncommon Moonlit Test Hopper in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[steipete]

Verification for PR #86427 on head b5dd866ce183ef4107e699751335fc36ed27dd1f:

Behavior addressed: embedded attempts release the eagerly-held session write lock from outer teardown when post-prompt code exits before the normal cleanup block, preventing later requests from wedging behind SessionWriteLockTimeoutError.
Real environment tested: focused local Vitest/format/diff checks plus GitHub CI on the rebased PR head.
Exact steps or command run after this patch:

node scripts/run-vitest.mjs src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts
git diff --check origin/main...HEAD
./node_modules/.bin/oxfmt --check --threads=1 src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts src/agents/pi-embedded-runner/run/attempt.session-lock.ts src/agents/pi-embedded-runner/run/attempt.ts

Evidence after fix: focused embedded session-lock suite passed with 68 tests; diff check and oxfmt check passed; CI run 26404204890, CodeQL Critical Quality 26404204885, Real behavior proof 26404203677, Workflow Sanity 26404204825, CodeQL 26404204826, OpenGrep 26404204888, Dependency Change Awareness 26404203646, Labeler 26404203675, Auto response 26404203647, and ClawSweeper Dispatch 26404203644 are green.
Observed result after fix: the retained lock is released by dispose() when cleanup is skipped, while cleanup-owned locks are not double-released.
What was not tested: no full multi-process live gateway wedge over time; the PR includes real lock-controller proof and focused regression tests for the teardown contract.