Fix run-scoped sessions_send pingback fallback

[TurboTheTurtle]

Summary

• route fire-and-forget sessions_send messages directly into active run-scoped targets when possible
• fall back to the durable parent session key if transcript-commit steering is rejected, so pending pingbacks are not stranded on an ended run
• add regression coverage for a [TASK-COMPLETE] pingback targeting a blocked cron run session

Fixes #86586

Real behavior proof

Behavior addressed: A faster callee can send a fire-and-forget sessions_send pingback to a caller's run-scoped cron session while the caller run is still blocked by a slower sibling tool call. If the active-run queue rejects before committing that pingback to the transcript, this patch reroutes the pending message to the durable parent session key instead of leaving it orphaned on the ended run.

Real environment tested: Local OpenClaw source runtime at PR head 20a916223e7974233007a4b0d5b42a0289920b36, Node v24.15.0, isolated temporary OPENCLAW_STATE_DIR and OPENCLAW_CONFIG_PATH, bundled plugins/channels disabled, real temporary gateway server, and real loopback GatewayClient. The harness imports the production startGatewayServer, GatewayClient, createSessionsSendTool, and embedded-run active session registry paths from this branch.

Exact steps or command run after this patch:

git fetch origin pull/86638/head:refs/tmp/pr86638-head
git worktree add /private/tmp/openclaw-pr86638-proof refs/tmp/pr86638-head
cd /private/tmp/openclaw-pr86638-proof
pnpm install --frozen-lockfile
node --import tsx .tmp/pr86638-real-gateway-proof.ts

The temporary proof harness did this against the real local gateway:

1. Started a gateway on a random loopback port with token auth, temp state/config, OPENCLAW_SKIP_CHANNELS=1, and OPENCLAW_DISABLE_BUNDLED_PLUGINS=1.
2. Connected a real GatewayClient and created the durable cron caller session through sessions.create for agent:leasing-ops:cron:monthly-utility.
3. Registered an active embedded run for the run-scoped caller key agent:leasing-ops:cron:monthly-utility:run:run-fast.
4. Confirmed the active run queue rejected transcript-commit steering with reason: transcript_commit_wait_unsupported.
5. Invoked production sessions_send with timeoutSeconds: 0 and a callGateway implementation backed by the real loopback GatewayClient.

Evidence after fix: Redacted terminal output from that command:

[gateway] http server listening (0 plugins)
[gateway/channels] skipping channel start (OPENCLAW_SKIP_CHANNELS=1 or OPENCLAW_SKIP_PROVIDERS=1)
[gateway] ready
[ws] ⇄ res ✓ sessions.create 272ms conn=d168b0fc…d877 id=0d3fa513…6118
[ws] ⇄ res ✓ agent 85ms runId=675300ae-7116-4a00-9156-08f6bdb97cc0 conn=d168b0fc…d877 id=3166d8bb…8292

{
  "scenario": "real temporary gateway run-scoped sessions_send fallback",
  "prHead": "20a916223e7974233007a4b0d5b42a0289920b36",
  "tempGateway": {
    "url": "ws://127.0.0.1:59052",
    "stateDir": "<temp-state-dir>",
    "configPath": "<temp-config-path>"
  },
  "realGatewaySessionCreate": {
    "ok": true,
    "key": "agent:leasing-ops:cron:monthly-utility"
  },
  "activeEmbeddedRunRegistry": {
    "runScopedCallerKey": "agent:leasing-ops:cron:monthly-utility:run:run-fast",
    "resolvedSessionId": "caller-active-session",
    "directTranscriptCommitQueueOutcome": {
      "queued": false,
      "sessionId": "caller-active-session",
      "reason": "transcript_commit_wait_unsupported",
      "gatewayHealth": "live"
    }
  },
  "sessionsSendResult": {
    "runId": "eb6867ab-89bb-4509-a194-1c0c0904be77",
    "status": "accepted",
    "sessionKey": "agent:leasing-ops:cron:monthly-utility:run:run-fast",
    "delivery": {
      "status": "pending",
      "mode": "announce"
    }
  },
  "fallbackGatewayDelivery": {
    "fallbackSessionKey": "agent:leasing-ops:cron:monthly-utility",
    "containsTaskComplete": true,
    "runScopedGatewayCallSeen": false,
    "acceptedRunId": "gateway-agent-request-issued"
  },
  "durableSessionVisibleInRealGateway": true
}

Observed result after fix: The real gateway accepted the durable cron session, the active run-scoped delivery rejected transcript-commit steering instead of silently committing the pingback, and the production sessions_send fallback issued the gateway agent request to agent:leasing-ops:cron:monthly-utility. The captured fallback payload preserved [TASK-COMPLETE] re-portal occupancy ready, and runScopedGatewayCallSeen: false proves the gateway request was not sent to the ended run-scoped key.

What was not tested: I did not connect to the reporter's private production host, Telegram account, or local cron log files. The fallback agent request was accepted by the real temp gateway, then the temp agent run later failed on missing OpenAI auth in the isolated state dir; that model-auth failure happened after routing proof and does not affect the verified session-key fallback behavior.

Supplemental verification

• node scripts/run-vitest.mjs src/agents/openclaw-tools.sessions.test.ts src/agents/pi-embedded-runner/runs.test.ts -> Test Files 4 passed (4), Tests 78 passed (78)
• pnpm check:test-types

If this PR is squash-merged or reworked, please preserve author attribution or include:
Co-authored-by: Andy Ye <35905412+TurboTheTurtle@users.noreply.github.com>

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 27, 2026, 1:24 AM ET / 05:24 UTC.

Summary
The PR changes sessions_send so fire-and-forget messages to active run-scoped sessions can steer into the active embedded run and fall back to the durable parent session when active steering is rejected, with regression tests.

PR surface: Source +87, Tests +207. Total +294 across 2 files.

Reproducibility: yes. by source inspection: current main sends timeout-zero sessions_send traffic to the run-scoped target without an active-run queue/fallback path, and the linked issue gives a concrete parallel-call incident. I did not execute a local repro because this review is read-only.

Review metrics: 2 noteworthy metrics.

• Proof drift: 3 commits after proofed SHA. The real-gateway proof covers 20a9162, while the final head 7e3090c changes fallback failure handling, A2A announcement, and unsupported transcript-commit retry behavior.
• Failed check runs: 3 failed. checks-node-core-fast, check-lint, and build-artifacts are failing on the latest head and must be settled before merge.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Add or update real behavior proof against 7e3090c or a newer final head, redacting private IPs, keys, phone numbers, endpoints, and account details.
• Fix or rerun the failed checks-node-core-fast, check-lint, and build-artifacts jobs.
• Have a maintainer explicitly accept the run-scoped message-delivery routing contract before merge.

Proof guidance:
Needs stronger real behavior proof before merge: The PR includes strong terminal/log proof for an earlier head, but the latest head changed the routing behavior after that proof; final-head real behavior proof is still needed, with private host/account details redacted. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• The final PR head no longer exactly matches the supplied real-gateway proof because three later commits changed the message-delivery routing behavior after the proofed SHA.
• Merging changes the timeoutSeconds: 0 run-scoped sessions_send delivery contract, so maintainers should explicitly accept the active-run steering versus durable-session fallback behavior for cron and parallel tool-call workflows.
• The latest check-run list has failing checks-node-core-fast, check-lint, and build-artifacts jobs that need to be fixed, rerun, or confirmed unrelated before merge.

Maintainer options:

1. Refresh proof and checks before merge (recommended)
   Run or attach final-head proof for the latest routing behavior and get the failed check runs green or documented as unrelated before landing.
2. Accept the routing contract explicitly
   Maintainers can choose to accept the new active-run-first/durable-parent fallback contract once they are comfortable with the cron and parallel sessions_send semantics.

Next step before merge
The remaining blockers are maintainer acceptance of the delivery contract, final-head proof, and failed CI checks rather than a narrow mechanical code repair.

Security
Cleared: No concrete security or supply-chain regression found; the diff changes internal session routing/tests only and does not add dependencies, workflows, secrets handling, or package execution surfaces.

Review details

Best possible solution:

Land a version that has final-head real behavior proof, green required checks, and maintainer acceptance of the run-scoped pingback routing contract.

Do we have a high-confidence way to reproduce the issue?

Yes, by source inspection: current main sends timeout-zero sessions_send traffic to the run-scoped target without an active-run queue/fallback path, and the linked issue gives a concrete parallel-call incident. I did not execute a local repro because this review is read-only.

Is this the best way to solve the issue?

Yes, the proposed direction is a narrow fit for the orphaned pingback bug, but the final-head behavior needs proof and green checks before merge. The safer end state is to preserve active-run delivery when possible and fall back only when queue admission is rejected.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against f348284fa9eb.

Label changes

Label changes:

• add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• add status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR includes strong terminal/log proof for an earlier head, but the latest head changed the routing behavior after that proof; final-head real behavior proof is still needed, with private host/account details redacted. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.
• remove proof: sufficient: Current real behavior proof status is insufficient, not sufficient.
• remove rating: 🐚 platinum hermit: Current PR rating is rating: 🦪 silver shellfish, so this older rating label is no longer current.
• remove status: 👀 ready for maintainer look: Current PR status label is status: 📣 needs proof.

Label justifications:

• P1: The PR targets a real broken agent workflow where parallel sessions_send pingbacks can be accepted but not delivered to the caller context.
• merge-risk: 🚨 message-delivery: The patch changes where pending run-scoped inter-session messages are delivered and how they fall back when active-run steering is rejected.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR includes strong terminal/log proof for an earlier head, but the latest head changed the routing behavior after that proof; final-head real behavior proof is still needed, with private host/account details redacted. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Source +87, Tests +207. Total +294 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	92	5	+87
Tests	1	207	0	+207
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	299	5	+294

Acceptance criteria:

• Final-head real temporary-gateway proof for the run-scoped sessions_send fallback path
• node scripts/run-vitest.mjs src/agents/openclaw-tools.sessions.test.ts src/agents/pi-embedded-runner/runs.test.ts
• pnpm check:test-types
• Relevant failed CI jobs rerun or fixed: checks-node-core-fast, check-lint, build-artifacts

What I checked:

• Current main lacks the fallback path: On current main, timeoutSeconds === 0 starts an agent request for the resolved/display session key and then starts the normal A2A announce flow; there is no active-run queue attempt or durable parent fallback in this path. (src/agents/tools/sessions-send-tool.ts:494, f348284fa9eb)
• PR adds active-run steering and fallback: At PR head, startAgentRun resolves an active embedded run for the run-scoped key, tries queueEmbeddedPiMessageWithOutcomeAsync, retries without transcript-commit waiting when unsupported, and falls back to an agent call on the parent run key if queueing is rejected. (src/agents/tools/sessions-send-tool.ts:181, 7e3090cce2d5)
• Regression coverage targets the reported failure mode: The PR adds tests for rejected active steering rerouting to the durable cron session, unsupported transcript-commit wait preserving active delivery, and fallback admission failures surfacing as errors. (src/agents/openclaw-tools.sessions.test.ts:1301, 7e3090cce2d5)
• Real proof is stale relative to final head: The PR body's real temporary-gateway proof was run at 20a916223e7974233007a4b0d5b42a0289920b36; three later commits changed fallback failure reporting, fallback A2A announcement, and unsupported transcript-commit retry behavior, ending at 7e3090cce2d5b4d4f2bfa96f62634011c28c4097. (7e3090cce2d5)
• Current PR checks are not green: The live check-run list for PR head shows failures in checks-node-core-fast, check-lint, and build-artifacts; most focused agent/runtime and security checks are green. (7e3090cce2d5)

Likely related people:

• steipete: Recent commit history shows substantial work on sessions_send, active-run delivery, and the PR branch follow-up commits that changed fallback reporting and A2A behavior. (role: recent area contributor; confidence: high; commits: 49be9a15fe10, c5c08c074a44, 8daf0124c93e; files: src/agents/tools/sessions-send-tool.ts, src/agents/openclaw-tools.sessions.test.ts, src/agents/pi-embedded-runner/runs.ts)
• vincentkoc: History for the affected sessions tool includes the delayed sessions_send reply work and active-run restart/drain work adjacent to this routing path. (role: feature-history contributor; confidence: medium; commits: b0a6543838ac, ec1f72b6c58f; files: src/agents/tools/sessions-send-tool.ts, src/agents/pi-embedded-runner/runs.ts)
• fuller-stack-dev: Recent active-run queueing work introduced acceptance-aware steering and the async queue outcome contract this PR now uses for delivery decisions. (role: active-run steering contributor; confidence: medium; commits: 70df2b8fe28d, 1b64ccbffff1; files: src/agents/pi-embedded-runner/runs.ts, src/agents/subagent-announce-delivery.ts)
• joshavant: Recent merged work on subagent completion announce delivery touches the same active-requester delivery and transcript-commit timing area. (role: adjacent delivery contributor; confidence: medium; commits: 903d9c13f3ee, a54c73687f58; files: src/agents/subagent-announce-delivery.ts, src/agents/openclaw-tools.sessions.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

[martingarramon]

Verified at 20a91622.

Fix shape correct. resolveRunScopedFallbackSessionKey strips :run:<id> with a correctly greedy regex — captures the full durable parent key before the final :run: segment. The allowActiveRunQueueFallback path:

1. Attempts active-run queue first with waitForTranscriptCommit: true — keeps the pingback from stranding on an ended run.
2. Falls through to durable gateway delivery only when the queue rejects.
3. !start.activeRunQueue guard correctly skips startA2AFlow for the inline path.

Type flow: deliveryTimeoutMs threaded from both call sites through to queueEmbeddedPiMessageWithOutcomeAsync. ✓

CLI output shows fallback targeting agent:leasing-ops:cron:monthly-utility (durable key), not the ended run-scoped key. 78/78 pass.

LGTM.

[TurboTheTurtle]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26424061256
• Updated: 2026-05-25T23:45:39.805Z

[steipete]

Maintainer proof before landing:

• Behavior addressed: run-scoped sessions_send active-queue fallback now reports failed fallback admission, announces successful fallback runs through normal A2A flow, and preserves best-effort active steering when transcript-commit waiting is unsupported.
• Real environment tested: local OpenClaw checkout on PR head 7e3090cce2d5b4d4f2bfa96f62634011c28c4097.
• Exact steps or command run after this patch:
  • node scripts/run-vitest.mjs src/agents/openclaw-tools.sessions.test.ts
  • pnpm check:test-types
  • git diff --check
  • .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
• Evidence after fix: focused sessions_send suite passed, test types passed, diff whitespace check passed, autoreview reported no accepted/actionable findings.
• Observed result after fix: active queue rejection plus fallback failure returns status: "error"; successful fallback returns the fallback run id and starts A2A wait/history on the durable fallback session; transcript-commit-wait unsupported active runs retry queue delivery without starting fallback.
• What was not tested: full repository CI could not be queried locally because the GitHub Actions API returned a rate-limit error; merge will still be subject to GitHub branch protection.

Thanks @TurboTheTurtle.

[steipete]

Landed in 81e7e8ef24dee045fe2bce7d0b50c169e718a699.

• PR head: 7e3090cce2d5b4d4f2bfa96f62634011c28c4097
• Gate: node scripts/run-vitest.mjs src/agents/openclaw-tools.sessions.test.ts; pnpm check:test-types; git diff --check; .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
• Known proof gap: full repository CI could not be queried locally because the GitHub Actions API returned a rate-limit error; GitHub accepted the merge.

Thanks @TurboTheTurtle.