fix(gateway): skip deleted-agent guard for ACP harness session keys

[scotthuang]

Summary

What problem does this PR solve?

• The deleted-agent guard added in [Bug]: Deleted agent's sessions remain accessible and executable #65524 treats ACP harness session keys like normal agent session keys.
• ACP keys use agent:<harnessId>:acp:<uuid> (for example agent:claude:acp:...), but <harnessId> is not an agents.list entry.
• That causes sessions.resolve, sessions_send, and other deleted-agent-guarded paths to reject valid ACP workers with Agent "claude" no longer exists in configuration.

Why does this matter now?

• ACP persistent/background workers are increasingly used from hub surfaces; a false deleted-agent rejection breaks follow-up routing by key or label.
• The guard is correct for real orphaned agent sessions, but it must not classify harness ids as deleted agents.

What is the intended outcome?

• resolveDeletedAgentIdFromSessionKey returns null for ACP harness session keys, so existing ACP sessions keep working while true deleted-agent protection remains for normal agent keys.
• The exemption lives in the shared helper so all deleted-agent guard callers benefit consistently (sessions.resolve key/sessionId/label paths, direct sessions.send / chat.send guards).

What is intentionally out of scope?

• No change to deleted-agent cleanup when an agent is actually removed from config.
• No ACP spawn/delegate lifecycle, label routing, protocol schema, config, or migration changes.
• No per-caller bypasses in sessions.resolve, sessions.send, or chat.send; no parseAgentSessionKey special-casing; no ACP metadata hydration gate.

What does success look like?

• sessions.resolve({ key: "agent:claude:acp:<uuid>" }) succeeds when the session exists, even if claude is not in agents.list.
• Real deleted-agent sessions such as agent:deleted-agent:main are still rejected.

What should reviewers focus on?

• The early isAcpSessionKey(sessionKey) bypass in resolveDeletedAgentIdFromSessionKey (src/gateway/session-utils.ts) — shared owner boundary, not a single-entry workaround.
• That normal deleted-agent behavior for non-ACP keys is unchanged.
• Why alternatives were rejected: resolver-only bypass (too narrow), parseAgentSessionKey ACP special-case (too wide), metadata-hydration gate (heavier than needed for guard-layer false positives).

Linked context

Which issue does this close?

Closes #

Which issues, PRs, or discussions are related?

• Related [Bug]: Deleted agent's sessions remain accessible and executable #65524 — deleted-agent guard / orphaned session rejection. This PR narrows that guard so ACP harness keys are not misclassified as deleted agents.

Was this requested by a maintainer or owner?

Local dogfood while testing ACP worker follow-up after the deleted-agent guard landed on main.

Real behavior proof (required for external PRs)

• Behavior or issue addressed: valid ACP harness session keys are no longer rejected by the deleted-agent guard when the harness id (for example claude, codex) is absent from agents.list.
• Real environment tested: local OpenClaw install on macOS; gateway on ws://127.0.0.1:18789; config at ~/.openclaw/openclaw.json with agents.list ids main and cursor only (no claude).
• Exact steps or command run after this patch:

pnpm openclaw config get agents.list --json | rg '"id"'
pnpm openclaw gateway call sessions.resolve \
  --params '{"key":"agent:claude:acp:48a22c29-5e40-474d-85a5-46234fd7d1ce"}' \
  --json

• Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output):

Copied live terminal output from the local gateway RPC:

$ pnpm openclaw gateway call sessions.resolve --params '{"key":"agent:claude:acp:48a22c29-5e40-474d-85a5-46234fd7d1ce"}' --json
{
  "ok": true,
  "key": "agent:claude:acp:48a22c29-5e40-474d-85a5-46234fd7d1ce"
}

• Observed result after fix: live sessions.resolve accepts the existing ACP harness session key even though claude is not configured in agents.list; no deleted-agent error is returned for this key.
• What was not tested:
  • Full OPENCLAW_LIVE_ACP_BIND suite.
  • Broad CI / Crabbox / cross-channel proof.
• Proof limitations or environment constraints: live proof uses an existing local ACP session store entry under ~/.openclaw/agents/claude/sessions/sessions.json.
• Before evidence (optional but encouraged): prior dogfood observed ACP follow-up/resolution failing with deleted-agent errors when harness ids were not present in agents.list.

Tests and validation

Which commands did you run?

pnpm test src/gateway/sessions-resolve-store.test.ts -t "resolves ACP harness session keys from real stores"
pnpm test src/gateway/sessions-resolve-store.test.ts
pnpm test src/gateway/session-utils.test.ts -t "resolveDeletedAgentIdFromSessionKey ignores ACP harness session keys"
pnpm test src/gateway/sessions-resolve.test.ts -t "resolves ACP harness session keys even when harness id is not in agents.list"
pnpm test src/gateway/sessions-resolve.test.ts -t "rejects sessions belonging to a deleted agent"
pnpm openclaw gateway call sessions.resolve --params '{"key":"agent:claude:acp:48a22c29-5e40-474d-85a5-46234fd7d1ce"}' --json

What regression coverage was added or updated?

• src/gateway/session-utils.test.ts — ACP harness keys bypass deleted-agent detection.
• src/gateway/sessions-resolve.test.ts — key-based sessions.resolve succeeds for ACP harness keys when harness id is not in agents.list.
• src/gateway/sessions-resolve-store.test.ts — real store integration for ACP key/sessionId/label resolve without mocking the deleted-agent guard.

What failed before this fix, if known?

• ACP session keys such as agent:claude:acp:<uuid> could be treated as belonging to deleted agent claude, causing resolver/send paths to fail even though the ACP session store entry existed.

If no test was added, why not?

N/A — regression tests were added for helper, resolver path, and store integration.

Risk checklist

Did user-visible behavior change? (Yes)

Yes. ACP sessions that were incorrectly blocked by the deleted-agent guard can be resolved/sent again.

Did config, environment, or migration behavior change? (No)

No.

Did security, auth, secrets, network, or tool execution behavior change? (No)

No new surfaces. This removes a false positive from an existing guard; true deleted-agent rejection for normal agent session keys remains.

What is the highest-risk area?

Accidentally exempting too many session-key shapes from deleted-agent checks.

How is that risk mitigated?

• Exemption is limited to isAcpSessionKey(sessionKey) only — an existing session-key class; the guard should not reinterpret agent:<harnessId>:acp:*'s second segment as an agents.list owner.
• Existing deleted-agent tests for real orphaned agent keys remain in place and still pass.
• New tests assert ACP harness keys are ignored while deleted-agent keys are still rejected.
• Fix is centralized in the shared helper used by resolver and direct send guards, avoiding drift across entry points.

Current review state

What is the next action?

Refresh PR #91219 with store integration test + updated Real behavior proof.

What is still waiting on author, maintainer, CI, or external proof?

• CI on updated head after store test commit.
• Maintainer review.

Which bot or reviewer comments were addressed?

• Autoreview / code-read pass: no blocking findings.
• Verdict: best minimal fix — shared resolveDeletedAgentIdFromSessionKey bypass for ACP keys is the correct owner boundary; covers sessions.resolve (key/sessionId/label) via validateSessionAgentExists and direct sessions.send / chat.send guards.
• Evidence reviewed: session-utils.ts, sessions-resolve.ts, server-methods/sessions.ts, server-methods/chat.ts, session-key-utils.ts, adjacent tests.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 7, 2026, 2:21 PM ET / 18:21 UTC.

Summary
The PR adds an ACP session-key exemption to the shared deleted-agent guard and adds helper, resolver, and real-store regression coverage.

PR surface: Source +4, Tests +79. Total +83 across 4 files.

Reproducibility: yes. source-reproducible: current main parses agent:claude:acp:* as agent claude and the resolver/send paths call the deleted-agent helper. I did not run local tests because this review was required to keep the checkout read-only.

Review metrics: 1 noteworthy metric.

• Deleted-agent guard exemptions: 1 added. The only runtime behavior change is a new ACP-shaped key bypass in a security-sensitive guard, so maintainers should focus review on that invariant.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Let required CI complete on fed9faa before merge.
• Have a maintainer confirm the ACP session-key ownership invariant before landing.

Risk before merge

• [P1] The PR intentionally exempts all ACP-shaped agent::acp:* keys from deleted-agent rejection, so maintainers should confirm those keys are always harness identities rather than deleted OpenClaw agent ownership.

Maintainer options:

1. Accept the ACP harness identity boundary (recommended)
   If maintainers agree ACP-shaped keys identify harness sessions rather than OpenClaw agent ownership, merge after required CI because the fix is centralized and keeps non-ACP deleted-agent rejection intact.
2. Require metadata-backed narrowing
   If the ACP identity invariant is not guaranteed, require the bypass to check ACP session metadata or configured ACP runtime ownership before skipping deleted-agent rejection.
3. Pause for ACP owner review
   Pause the PR if ACP owners need to define how deleted configured ACP agents should behave before this guard can be narrowed safely.

Next step before merge

• [P2] Human review is the next action: there is no narrow repair finding, but maintainers need to accept the ACP security-boundary exemption and let required checks gate the exact head.

Security
Cleared: No concrete security or supply-chain defect was found in the diff; the sensitive point is the intended ACP-key exemption from an existing deleted-agent guard.

Review details

Best possible solution:

Merge the shared helper exemption after maintainer security-boundary confirmation and required CI, preserving deleted-agent rejection for non-ACP session keys.

Do we have a high-confidence way to reproduce the issue?

Yes, source-reproducible: current main parses agent:claude:acp:* as agent claude and the resolver/send paths call the deleted-agent helper. I did not run local tests because this review was required to keep the checkout read-only.

Is this the best way to solve the issue?

Yes, this appears to be the best narrow fix: the shared helper is the common owner boundary for sessions.resolve, sessions.send, sessions.steer, and chat.send. A resolver-only bypass would be too narrow, while changing parseAgentSessionKey would affect unrelated agent-key semantics.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 0c33f4e0786e.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix live gateway command output showing sessions.resolve succeeds for an ACP harness key when the harness id is not in agents.list.

Label justifications:

• P2: This is a normal-priority gateway bug fix for ACP follow-up routing with limited, well-scoped blast radius.
• merge-risk: 🚨 security-boundary: The diff narrows a guard that prevents deleted-agent session execution, so the ACP key ownership invariant needs maintainer acceptance before merge.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes after-fix live gateway command output showing sessions.resolve succeeds for an ACP harness key when the harness id is not in agents.list.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix live gateway command output showing sessions.resolve succeeds for an ACP harness key when the harness id is not in agents.list.

Evidence reviewed

PR surface:

Source +4, Tests +79. Total +83 across 4 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	6	2	+4
Tests	3	79	0	+79
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	4	85	2	+83

What I checked:

• Repository policy applied: Read the full root policy and the gateway scoped policy; the review applied the gateway/security-boundary guidance and avoided mutating the checkout. (AGENTS.md:1, 0c33f4e0786e)
• Current-main bug path: On current main, resolveDeletedAgentIdFromSessionKey parses any agent-scoped key and returns the agent id when absent from agents.list, so agent:claude:acp:* is classified as deleted claude. (src/gateway/session-utils.ts:921, 0c33f4e0786e)
• ACP key contract: The existing isAcpSessionKey helper recognizes agent::acp:* as ACP-shaped, and docs describe ACP session keys as agent::acp: for external harness targets. (src/sessions/session-key-utils.ts:290, 0c33f4e0786e)
• Shared call sites: sessions.resolve validates key, sessionId, and label results through validateSessionAgentExists, while sessions.send/sessions.steer and chat.send call the same deleted-agent helper directly. (src/gateway/sessions-resolve.ts:41, 0c33f4e0786e)
• PR implementation: The PR adds an early isAcpSessionKey return in the shared helper, so the exemption reaches sessions.resolve and direct send guards without per-caller bypasses. (src/gateway/session-utils.ts:925, fed9faa9f829)
• Regression coverage: The PR adds tests for helper behavior, key-based resolution, and real store resolution by key, sessionId, and label for an ACP harness key whose harness id is absent from agents.list. (src/gateway/sessions-resolve-store.test.ts:210, fed9faa9f829)

Likely related people:

• Vincent Koc: git blame in this checkout attributes the deleted-agent helper, ACP key predicate, and resolver guard to the current-main gateway/session snapshot commit. (role: current-main area contributor; confidence: medium; commits: b9d530e29213; files: src/gateway/session-utils.ts, src/sessions/session-key-utils.ts, src/gateway/sessions-resolve.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[scotthuang]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27100394792
• Updated: 2026-06-07T18:07:52.638Z

[shakkernerd]

Merged with rebase.

What landed:

• ACP harness session keys like agent:<harnessId>:acp:<uuid> no longer trip the deleted-agent guard when the harness id is not an OpenClaw agent.
• Configured ACP binding keys like agent:<agentId>:acp:binding:* still keep the deleted-agent protection because that segment is the owning OpenClaw agent.
• Added helper and real store resolver regression coverage for key, sessionId, and label resolution.

Verification:

• Auto-review: clean, no accepted/actionable findings.
• AWS Crabbox cbx_2cf7ec2bfbe3: focused gateway tests passed, 12 files / 492 tests; check:changed passed.
• AWS Crabbox cbx_391eb945bf7f: RPC/caller proof passed, 6 files / 12 tests.

Thanks @scotthuang.