fix(ui): require user intent for chat sessions

[TurboTheTurtle]

Fixes #89760.

Summary

• require an explicit user intent token before the WebChat UI helper can create a new session
• keep sidebar New Chat, chat view New Session, and typed /new working by passing that user intent at those action boundaries
• add a regression test that verifies the helper does not call sessions.create or mutate the active conversation without explicit intent
• restore real timers in a task-maintenance test that was timing out in the CI status-tools lane

Verification

• git diff --check
• node scripts/run-vitest.mjs ui/src/ui/app-render.helpers.node.test.ts ui/src/ui/app-gateway-chat-load.node.test.ts ui/src/ui/app-chat.test.ts src/gateway/server.sessions.reset-hooks.test.ts ui/src/ui/navigation.browser.test.ts
• node scripts/run-vitest.mjs src/commands/tasks.test.ts
• git log --format='%h %an <%ae> %s' upstream/main..HEAD

Real behavior proof

• Behavior addressed: WebChat startup, reconnect, or bootstrap paths cannot accidentally call the shared new-session helper and emit sessions.create reset hooks unless the caller passes explicit user intent. Explicit user actions still create new sessions normally.
• Real environment tested: Local macOS worktree /Users/andy/openclaw-89760 on branch codex/89760-webchat-no-auto-new, PR-head commit b58e185d5491b23b7a58e671d936d1bac5a7ce83, running the patched OpenClaw WebChat session helper through node --import tsx.
• Exact steps or command run after this patch: node --import tsx --input-type=module imported ./ui/src/ui/app-render.helpers.ts, called createChatSession(state) to simulate a startup/reconnect/no-user-intent path, then called createChatSession(state, { source: "user" }) to simulate an explicit New Chat user action against the same idle WebChat state.
• Evidence after fix: Terminal output from the PR-head source probe:

OpenClaw #89760 PR-head source probe
HEAD=b58e185d5491b23b7a58e671d936d1bac5a7ce83
startup_no_intent_result=false
startup_no_intent_methods=(none)
startup_no_intent_sessionKey=agent:ops:main
startup_no_intent_messages=old context
explicit_user_result=true
all_methods_after_explicit=sessions.create,sessions.list,loadAssistantIdentity,commands.list,sessions.messages.subscribe,chat.history,sessions.list
explicit_create_emitCommandHooks=true
final_sessionKey=agent:ops:dashboard:new-chat

• Observed result after fix: The no-intent path returned false, emitted no RPC methods, kept agent:ops:main, and kept the existing old context message. The explicit user path still emitted sessions.create with emitCommandHooks=true and switched to agent:ops:dashboard:new-chat.
• What was not tested: I did not run a live browser reconnect against a production gateway in this local pass. The repo changed-files Crabbox gate could not be run locally because the configured Azure provider needs Azure CLI/login, the Blacksmith Testbox path requires Crabbox >= 0.22.0 while this machine has 0.20.0, and local-container requires Docker, which is not installed on PATH.

[TurboTheTurtle]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

[TurboTheTurtle]

@clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Failed
• Detail: The targeted re-review did not finish cleanly. Check the workflow run for details.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27156055307
• Updated: 2026-06-08T17:51:35.525Z

[clawsweeper]

Codex review: passed. Reviewed June 9, 2026, 6:39 PM ET / 22:39 UTC.

Summary
The PR adds an explicit user-intent argument to createChatSession, updates the New Chat and /new action callers to pass it, adds helper regression coverage, and carries minor gateway formatting/import ordering churn.

PR surface: Source +8, Tests +9. Total +17 across 8 files.

Reproducibility: yes. at source level: current main lets createChatSession(state) reach sessions.create with command hooks and the gateway maps that to a WebChat new reset path. I did not run the full browser reconnect flow, so the exact user-path reproduction remains integration-level rather than locally reproduced here.

Review metrics: none identified.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Mantis proof suggestion
A short browser/WebChat smoke would materially help reviewers see the user-visible reconnect/session-preservation flow that terminal helper proof cannot fully show. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

visual task: verify WebChat reconnect after a completed conversation preserves the active session, while New Chat and typed /new still create a new session.

Risk before merge

• [P1] I did not inspect a full live browser close/reopen smoke; the supplied proof exercises the patched helper boundary and explicit user path from terminal output.

Maintainer options:

1. Decide the mitigation before merge
   Land this exact-head PR after normal CI and mergeability gates, with an optional live WebChat reconnect smoke if maintainers want end-to-end confirmation before closing the linked issue.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

• [P2] No repair lane is needed; the PR has no concrete patch defect and can continue through exact-head automerge, CI, and mergeability gates.

Security
Cleared: The diff changes UI session-helper behavior, tests, and formatting/import ordering only; it does not touch dependencies, lockfiles, CI/workflow execution, secrets, permissions, or package publishing surfaces.

Review details

Best possible solution:

Land this exact-head PR after normal CI and mergeability gates, with an optional live WebChat reconnect smoke if maintainers want end-to-end confirmation before closing the linked issue.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: current main lets createChatSession(state) reach sessions.create with command hooks and the gateway maps that to a WebChat new reset path. I did not run the full browser reconnect flow, so the exact user-path reproduction remains integration-level rather than locally reproduced here.

Is this the best way to solve the issue?

Yes, this is the best small fix I found: gating the shared UI helper makes accidental startup/reconnect calls fail closed while preserving explicit New Chat and /new action boundaries. A gateway block or new config option would be broader and would not target accidental helper reuse as directly.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e9bd90d20912.

Label changes

Label changes:

• add status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (terminal): The PR body includes structured after-fix terminal proof from a real local PR-head source probe showing the no-intent path emits no RPC and explicit user action still creates a session.
• remove status: 👀 ready for maintainer look: Current PR status label is status: 🚀 automerge armed.

Label justifications:

• P1: The PR targets a linked WebChat session-state/data-loss bug where reconnect or bootstrap paths can archive active context without user intent.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (terminal): The PR body includes structured after-fix terminal proof from a real local PR-head source probe showing the no-intent path emits no RPC and explicit user action still creates a session.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes structured after-fix terminal proof from a real local PR-head source probe showing the no-intent path emits no RPC and explicit user action still creates a session.

Evidence reviewed

PR surface:

Source +8, Tests +9. Total +17 across 8 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	6	18	10	+8
Tests	2	20	11	+9
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	8	38	21	+17

What I checked:

• Current main helper can create a session without an intent token: On current main, createChatSession(state) only checks connection/run/session-loading state before calling createSessionAndRefresh with parentSessionKey and emitCommandHooks: true when the active session is present in the loaded session list. (ui/src/ui/app-render.helpers.ts:699, e9bd90d20912)
• Gateway maps WebChat create hooks to the reset/new path: sessions.create with emitCommandHooks === true and a main parent session calls performGatewaySessionReset with reason: "new" and commandSource: "webchat", matching the linked issue's action:"new" symptom. (src/gateway/server-methods/sessions.ts:1392, e9bd90d20912)
• Reset/new replaces active session state and archives the previous transcript: performGatewaySessionReset writes a replacement session entry, archives transcripts for the old session id/file, and emits end/start lifecycle hooks, which explains the user-visible context loss reported in the linked issue. (src/gateway/session-reset-service.ts:970, e9bd90d20912)
• PR diff adds the intent gate and updates all current helper callers: The diff changes createChatSession to return false unless { source: "user" } is passed, and the only current UI call sites in sidebar New Chat, chat New Session, and typed /new pass that token. (ui/src/ui/app-render.helpers.ts:696, e7cd79006b59)
• Regression coverage targets the no-intent boundary: The PR adds a helper test asserting createChatSession(state) returns false, does not call createSessionAndRefresh, and preserves the active session key and old messages; existing creation tests are updated to pass { source: "user" }. (ui/src/ui/app-render.helpers.node.test.ts:784, e7cd79006b59)
• Real behavior proof exercises the patched helper boundary: The PR body includes terminal output from a local macOS PR-head source probe showing the no-intent path returned false, emitted no RPC methods, kept the existing session/messages, and an explicit user path still emitted sessions.create with emitCommandHooks=true. (e7cd79006b59)

Likely related people:

• clay-datacurve: Authored the dashboard session API work that substantially added sessions.create behavior and session controller plumbing around this bug's gateway/UI surface. (role: feature introducer; confidence: medium; commits: 7b61ca1b0615; files: src/gateway/server-methods/sessions.ts, ui/src/ui/controllers/sessions.ts)
• Peter Steinberger: Authored the gateway reset-service split and later split chat session controls, both adjacent to the reset/new lifecycle and UI action boundary this PR changes. (role: reset-path and chat-controls area contributor; confidence: medium; commits: c91d1622d5a6, 1fad8efa12cf; files: src/gateway/session-reset-service.ts, src/gateway/server-methods/sessions.ts, ui/src/ui/chat/session-controls.ts)
• Byron: Authored a nearby reconnect/tab-switch fix that preserves user-selected sessions, directly adjacent to the reported WebChat reopen behavior. (role: recent adjacent contributor; confidence: medium; commits: 891e42beec49; files: ui/src/ui/app-gateway.ts)
• Cameron Beeley: Current shallow blame for the implicated helper and gateway method points at a recent grafted snapshot commit, so this is useful only as a low-confidence current-source routing signal. (role: recent snapshot contributor; confidence: low; commits: 7269b26926d3; files: ui/src/ui/app-render.helpers.ts, src/gateway/server-methods/sessions.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[TurboTheTurtle]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27156511013
• Updated: 2026-06-08T18:01:05.241Z

[TurboTheTurtle]

Updated this branch with current origin/main in e7cd790 and resolved the single conflict in src/commands/tasks.test.ts by keeping main's explicit startedAt setup, which makes the prior fake-timer restoration unnecessary there.\n\nValidation: pnpm vitest run src/commands/tasks.test.ts ui/src/ui/app-render.helpers.node.test.ts (78 tests passed).\n\n@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27226577875
• Updated: 2026-06-09T18:28:20.005Z

[Takhoffman]

@clawsweeper visualize

[clawsweeper]

🦞👀
ClawSweeper visual brief is being prepared.

I queued a read-only visual pass. It will create or update one marker-backed visual brief comment and will not trigger close, merge, repair, label, or branch changes.

Lens: auto

[clawsweeper]

Source: #91480 (comment)
Visual model: gpt-5.5, reasoning low.

Visual brief

Lens: state

Advisory only. Maintainers remain the final judges.

PR: #91480
Bug: #89760

Legend: ✅ expected/preserved, 🐛 pre-fix broken path, ⚠️ unresolved concern, 🧠 active UI state, 💾 stored session state, 🧑‍⚖️ maintainer judgment

Before

WebChat opens/reconnects
        |
        v
Shared createChatSession(state)
        |
        v
🐛 emits sessions.create / action:new
        |
        v
💾 existing completed session marked done/archive
        |
        v
User returns to missing chat context

After

                 +-----------------------------+
                 | createChatSession(state, ?) |
                 +-----------------------------+
                         /              \
                        /                \
No explicit user intent                 Explicit user action
startup / reconnect / bootstrap         button / New Session / /new
        |                                |
        v                                v
✅ return false                          ✅ create new session
✅ no sessions.create                    ✅ sessions.create
✅ keep sessionKey                       ✅ emitCommandHooks=true
✅ keep old messages                     ✅ switch to new chat

State boundary:

Caller path                         Intent token           Result
----------------------------------  ---------------------  -------------------------
Startup / reconnect / bootstrap     none                   ✅ no mutation
Sidebar New Chat                    { source: "user" }     ✅ new session
Chat view New Session               { source: "user" }     ✅ new session
Typed /new                          { source: "user" }     ✅ new session

Changed surface:

ui/src/ui/app-render.helpers.ts
  createChatSession(state)
        becomes
  createChatSession(state, { source: "user" }?)

ui/src/ui/app-render.ts
  sidebar New Chat       -> passes user intent
  chat New Session       -> passes user intent

ui/src/ui/app.ts
  /new slash action      -> passes user intent

ui/src/ui/app-render.helpers.node.test.ts
  adds regression:
    no intent => no create, no active conversation mutation

Proof supplied:

Patched-source probe

No intent:
  result=false
  RPC methods=(none)
  sessionKey=agent:ops:main
  messages=old context

Explicit user:
  result=true
  RPC includes sessions.create
  emitCommandHooks=true
  final_sessionKey=agent:ops:dashboard:new-chat

Maintainer judgment point:

✅ Helper-level behavior is directly exercised.
✅ Existing user-initiated new-session paths are preserved.
⚠️ Live browser reconnect against a production gateway was not tested.
🧑‍⚖️ Decide whether helper proof + unit coverage is enough for this P1
    session-state/data-loss fix, or whether a live WebChat smoke is needed.

Maintainer ruling

Benefit: Prevents WebChat startup/reconnect/bootstrap paths from silently creating a new session and archiving existing context without user intent.

Risk: The remaining uncertainty is integration-level: the supplied proof does not include a live browser reconnect against a production gateway.

Proof needed: Optional live WebChat smoke covering close/reopen after a completed conversation.

Recommended next action: Maintainer review of the intent boundary and decision on whether live smoke proof is required.

Question presented: Is requiring { source: "user" } at explicit UI action boundaries the right product/API boundary for preventing autonomous session creation?

[Takhoffman]

@clawsweeper automerge

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=e7cd79006b5939acbd73ad1212625b4c4fb0f496)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-06-09T22:40:08Z
Merge commit: 9833f3ea9bf8

What merged:

• The PR adds an explicit user-intent argument to createChatSession, updates the New Chat and /new action callers to pass it, adds helper regression coverage, and carries minor gateway formatting/import ordering churn.
• PR surface: Source +8, Tests +9. Total +17 across 8 files.
• Reproducibility: yes. at source level: current main lets createChatSession(state) reach sessions.create ... ct flow, so the exact user-path reproduction remains integration-level rather than locally reproduced here.

Automerge notes:

• PR branch already contained follow-up commit before automerge: test(tasks): restore timers before maintenance apply
• PR branch already contained follow-up commit before automerge: Merge remote-tracking branch 'origin/main' into HEAD

The automerge loop is complete.

Automerge progress:

• 2026-06-09 22:33:16 UTC review queued e7cd79006b59 (queued)

• 2026-06-09 22:39:56 UTC review passed e7cd79006b59 (structured ClawSweeper verdict: pass (sha=e7cd79006b5939acbd73ad1212625b4c4fb0f...)

• 2026-06-09 22:40:10 UTC merged e7cd79006b59 (merged by ClawSweeper automerge)