fix(agents): move session write lock into owned session runtime

[steipete]

Summary

• Follow-up to fix(agents): avoid session event queue self-wait #86123: move the session write-lock seam out of obsolete private session fields and into owned createAgentSession / AgentSession runtime code.
• Pass the embedded attempt session write lock into session creation, then fence message persistence, write-capable extension/provider hooks, compaction, and pre-tool execution.
• Delete the _handleAgentEvent / _agentEventQueue wrapper path and its tests; current agent-core awaits listeners directly.

Verification

• pnpm exec oxfmt --write src/agents/sessions/agent-session.ts src/agents/sessions/sdk.test.ts
• git diff --check
• node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.core.json src/agents/sessions/agent-session.ts src/agents/sessions/sdk.ts src/agents/sessions/sdk.test.ts src/agents/embedded-agent-runner/run/attempt.ts src/agents/embedded-agent-runner/run/attempt-session.ts src/agents/embedded-agent-runner/run/attempt.session-lock.ts src/agents/embedded-agent-runner/run/attempt.session-lock.test.ts --threads=8
• OPENCLAW_VITEST_INCLUDE_FILE=<tmpfile> node scripts/run-vitest.mjs run --config test/vitest/vitest.unit-fast.config.ts --reporter verbose
• node scripts/run-vitest.mjs run --config test/vitest/vitest.agents-embedded-agent.config.ts src/agents/embedded-agent-runner/run/attempt.session-lock.test.ts --reporter verbose
• .agents/skills/autoreview/scripts/autoreview --mode local --prompt 'Review rerun after fixing accepted finding: beforeToolCall now always enters the embedded session write-lock fence, even with no tool_call extension handler, before tools may execute. Check for remaining concrete session persistence/concurrency issues in the owned-session write-lock seam.'

Behavior addressed: Embedded attempts release the coarse session lock during provider streaming; stale attempts must reacquire/fence before session-file writes or before side-effectful tools execute.
Real environment tested: Local OpenClaw checkout on current origin/main (4ff944c0e8).
Exact steps or command run after this patch: Focused unit-fast session SDK tests, embedded attempt session lock tests, oxlint, diff check, and autoreview rerun listed above.
Evidence after fix: sdk.test.ts now covers message persistence under the write lock, write-capable tool hooks under the write lock, and the no-handler beforeToolCall fence; attempt.session-lock.test.ts still passes the embedded lock lifecycle suite.
Observed result after fix: Focused tests passed (sdk.test.ts: 4 tests; attempt.session-lock.test.ts: 31 tests), oxlint passed, diff check passed, autoreview clean with no accepted/actionable findings.
What was not tested: Full repository pnpm check / broad CI was not run locally.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 27, 2026, 5:06 PM ET / 21:06 UTC.

Summary
The branch threads an embedded session write-lock callback into createAgentSession/AgentSession, fences session writes and hooks, removes private session event/hook wrappers, and updates focused session lock tests.

PR surface: Source -224, Tests -258. Total -482 across 7 files.

Reproducibility: yes. at source level: embedded attempts release the session lock during provider streaming, then session writes and side-effectful tool paths need to reacquire/fence before mutating the transcript or executing tools. I did not run the PR tests in this read-only review.

Review metrics: 1 noteworthy metric.

• Public SDK option: 1 optional CreateAgentSessionOptions field added. The type is re-exported through openclaw/plugin-sdk/agent-sessions, so the new field can become a plugin-facing compatibility contract.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🦐 gold shrimp
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Keep withSessionWriteLock internal or document and approve it as a public SDK contract with compatibility coverage.
• Add redacted terminal/live embedded-attempt proof showing the changed lock path after provider streaming.

Proof guidance:
Needs real behavior proof before merge: The PR body lists focused tests, oxlint, diff check, and autoreview, but no after-fix real embedded attempt or live session output; add redacted terminal/live logs or a recording and update the PR body for re-review.

Risk before merge

• Adding withSessionWriteLock to CreateAgentSessionOptions exposes an embedded-runner lock callback through openclaw/plugin-sdk/agent-sessions unless maintainers intentionally approve that public SDK contract.
• The patch changes ownership of transcript persistence, compaction, provider hooks, and tool-hook write fencing while deleting the older queue-drain wrappers; mistakes in this path can corrupt session ordering or stall embedded attempts.
• The PR body currently provides focused tests and autoreview output, but no redacted terminal/live embedded-attempt proof showing the changed runtime path after provider streaming.

Maintainer options:

1. Keep The Lock Runner Internal (recommended)
   Move the write-lock runner out of the public CreateAgentSessionOptions surface and keep it on an internal embedded-session factory/config path.
2. Approve The SDK Contract
   Maintainers can accept the new public option if they want plugin SDK callers to rely on this lock-runner contract and add docs/compatibility coverage for it.
3. Require Runtime Proof
   Ask for redacted terminal/live output from an actual embedded attempt showing stale session writes and pre-tool fencing after provider streaming.

Next step before merge
Human review should decide whether the new SDK surface is intentional and require real behavior proof; the remaining blocker is not a safe automated repair contract.

Security
Cleared: No concrete security or supply-chain issue was found; the diff is limited to TypeScript runtime/tests and does not touch dependencies, workflows, package metadata, credentials, or install scripts.

Review findings

• [P2] Keep the lock runner off the public session SDK — src/agents/sessions/sdk.ts:88

Review details

Best possible solution:

Keep the owned-session lock seam, but route the lock runner through an internal embedded-session creation path or explicitly approve and document it as a public SDK contract, then add real embedded-run proof before merge.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level: embedded attempts release the session lock during provider streaming, then session writes and side-effectful tool paths need to reacquire/fence before mutating the transcript or executing tools. I did not run the PR tests in this read-only review.

Is this the best way to solve the issue?

Mostly, but not as submitted. Moving the lock seam into AgentSession is the right ownership direction; exposing that runner through the public session SDK needs maintainer approval or an internal-only shape.

Full review comments:

• [P2] Keep the lock runner off the public session SDK — src/agents/sessions/sdk.ts:88
CreateAgentSessionOptions is re-exported through src/agents/sessions/index.ts and src/plugin-sdk/agent-sessions.ts, and package.json publishes that subpath, so adding withSessionWriteLock here makes the embedded-runner lock callback a public plugin SDK option. Keep this on an internal embedded-session factory/config path, or add explicit maintainer approval, docs, and compatibility tests for the new SDK contract before merge.
  Confidence: 0.84

Overall correctness: patch is incorrect
Overall confidence: 0.82

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 09d2682cd8c3.

Label changes

Label changes:

• add P2: This is a bounded agent runtime bug fix with a concrete public SDK surface concern and session-state-sensitive concurrency behavior.
• add merge-risk: 🚨 compatibility: Adding withSessionWriteLock to an exported session creation options type may create a new public plugin SDK contract.
• add merge-risk: 🚨 session-state: The patch changes which code owns the write lock around transcript persistence, compaction, provider hooks, and tool hooks.
• add merge-risk: 🚨 availability: The patch removes old queue-drain wrappers in embedded run concurrency code where lock mistakes can hang or stall attempts.

Label justifications:

• P2: This is a bounded agent runtime bug fix with a concrete public SDK surface concern and session-state-sensitive concurrency behavior.
• merge-risk: 🚨 compatibility: Adding withSessionWriteLock to an exported session creation options type may create a new public plugin SDK contract.
• merge-risk: 🚨 session-state: The patch changes which code owns the write lock around transcript persistence, compaction, provider hooks, and tool hooks.
• merge-risk: 🚨 availability: The patch removes old queue-drain wrappers in embedded run concurrency code where lock mistakes can hang or stall attempts.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🦐 gold shrimp.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body lists focused tests, oxlint, diff check, and autoreview, but no after-fix real embedded attempt or live session output; add redacted terminal/live logs or a recording and update the PR body for re-review.

Evidence reviewed

PR surface:

Source -224, Tests -258. Total -482 across 7 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	5	82	306	-224
Tests	2	167	425	-258
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	7	249	731	-482

What I checked:

• Repository policy applied: Root AGENTS.md was read fully; its review policy treats plugin API changes and session state as compatibility-sensitive merge risks, which applies to this PR's public SDK option and session write-lock changes. (AGENTS.md:24, 09d2682cd8c3)
• Scoped agents policy applied: The agents scoped guide and embedded-runner guide were read; the embedded guide favors focused helper coverage for runner behavior while preserving production composition when slimming tests. (src/agents/embedded-agent-runner/run/AGENTS.md:1, 09d2682cd8c3)
• PR adds a public session creation option: At PR head, withSessionWriteLock is added to CreateAgentSessionOptions, which is an exported session SDK type. (src/agents/sessions/sdk.ts:88, d03d521dab0f)
• Session SDK is plugin-facing: Current main exports src/agents/sessions/index.ts through src/plugin-sdk/agent-sessions.ts, and package.json publishes ./plugin-sdk/agent-sessions, so CreateAgentSessionOptions is part of the plugin SDK surface. (src/plugin-sdk/agent-sessions.ts:1, 09d2682cd8c3)
• PR centralizes write fencing in AgentSession: At PR head, AgentSession stores the external lock runner, wraps message-end/extension-handler events, fences tool-call hooks, and wraps manual compaction under the configured write lock. (src/agents/sessions/agent-session.ts:447, d03d521dab0f)
• Current agent-core supports removing the private event queue bridge: Current main documents and implements awaited listener settlement in Agent.subscribe/processEvents, supporting the PR's stated removal of the obsolete private _agentEventQueue wrapper path. (packages/agent-core/src/agent.ts:246, 09d2682cd8c3)

Likely related people:

• steipete: git blame and git log tie the current AgentSession/CreateAgentSession SDK surface, plugin SDK re-export, and much of the embedded session-lock wrapper history to the recent internal agent runtime refactor and adjacent lock work. (role: recent area contributor; confidence: high; commits: bb46b79d3c14, b01c6d4eaa0b; files: src/agents/sessions/agent-session.ts, src/agents/sessions/sdk.ts, src/plugin-sdk/agent-sessions.ts)
• luoyanglang: The related merged self-wait fix changed the same embedded attempt session-lock wrapper path and is directly referenced by this PR as the follow-up context. (role: recent adjacent contributor; confidence: medium; commits: b789e71e57d9; files: src/agents/embedded-agent-runner/run/attempt.session-lock.ts, src/agents/embedded-agent-runner/run/attempt.session-lock.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.