Fix stale main session startup recovery

[joshavant]

Summary

• mark startup-orphaned running main sessions for restart recovery before channels start
• run restart-aborted main-session recovery after gateway startup methods are available
• guard recovery against current-process active runs and duplicate-key rows from non-routable stores

Fixes #90525.

Verification

• .agents/skills/autoreview/scripts/autoreview --mode local
• node scripts/run-vitest.mjs src/agents/main-session-restart-recovery.test.ts src/gateway/server-startup-post-attach.test.ts
• AWS Crabbox live E2E: provider aws, run run_494e506ae17b, lease cbx_ec076ff48d6b, machine c7a.8xlarge, exit 0

Real behavior proof

Behavior addressed: Telegram group sessions could remain stuck after a hard gateway restart when the persisted main-session row was running but no embedded run was active.

Real environment tested: AWS Crabbox Linux worker using live Convex-leased Telegram credential and a mock OpenAI-compatible model server.

Exact steps or command run after this patch: Ran the Crabbox reproduction script from this branch; it built OpenClaw, started the gateway, sent a Telegram group message that hung the first model call, hard-killed the gateway, restarted it, and sent a follow-up Telegram message without sessions.reset.

Evidence after fix: Crabbox provider aws, run run_494e506ae17b, lease cbx_ec076ff48d6b, exit 0.

Observed result after fix: The stale Telegram main session was reproduced as running with hasActiveRun:false; after restart, automatic startup recovery cleared it to a terminal state and the follow-up Telegram turn completed with an outbound send.

What was not tested: Other live chat providers were not exercised in the E2E run; focused unit tests cover the generic recovery path, duplicate-key routing, active-run preservation, and startup scheduling.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 8, 2026, 10:47 PM ET / 02:47 UTC.

Summary
The PR adds generic startup orphan marking/recovery for running main-session rows, moves restart-aborted recovery until gateway methods are available, and adds focused agent/gateway tests.

PR surface: Source +217, Tests +357. Total +574 across 4 files.

Reproducibility: yes. The linked issue and current source show a stale persisted running row can have hasActiveRun:false while marker-gated recovery skips it, and the PR body reports a live Crabbox restart reproduction after the patch.

Review metrics: none identified.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Let required CI finish and have maintainers explicitly accept the session-state/message-delivery merge risk before landing.

Mantis proof suggestion
A live Telegram transcript would materially help show the stale running session is released and a follow-up message completes after restart. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

telegram live: verify that after a hard gateway restart with a stale running main session, a follow-up Telegram message completes without sessions.reset.

Risk before merge

• [P1] Merging this changes startup behavior from marker-only recovery to automatically marking persisted running main-session rows, so maintainers should consciously accept the session-state upgrade behavior.
• [P1] The live proof exercises Telegram plus focused generic tests; other live chat providers were not exercised, so cross-channel delivery assurance relies on the generic recovery boundary.

Maintainer options:

1. Land with session-state sign-off (recommended)
   If maintainers accept automatic startup recovery of stale running main-session rows, the PR has focused tests and live Telegram Crabbox proof to support landing after CI finishes.
2. Require broader live transport proof
   If maintainers want more upgrade assurance, ask for one additional live provider or Telegram direct-session proof before landing.
3. Pause for multi-process ownership rules
   If shared state across simultaneous gateway processes is a supported deployment, pause until the startup marker can distinguish another process's live owner.

Next step before merge

• No automated repair lane is needed; maintainers should review the startup session-state risk and land or request broader live proof.

Security
Cleared: No concrete security or supply-chain concern found; the diff changes TypeScript session recovery and tests without workflow, dependency, secret, or code-execution surface changes.

Review details

Best possible solution:

Land the generic startup orphan recovery at the agents/gateway boundary once maintainers accept the session-state risk and required CI remains clean.

Do we have a high-confidence way to reproduce the issue?

Yes. The linked issue and current source show a stale persisted running row can have hasActiveRun:false while marker-gated recovery skips it, and the PR body reports a live Crabbox restart reproduction after the patch.

Is this the best way to solve the issue?

Yes. The generic main-session recovery boundary is the right layer; a Telegram-only reset path would fix one channel symptom while leaving the persisted session-state invariant broken.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 329fa44d23f4.

Label changes

Label changes:

• add P1: The PR fixes a user-facing Telegram/session workflow where stale persisted running state can block replies until manual reset.
• add merge-risk: 🚨 message-delivery: Recovery can resume or fail interrupted main sessions and affects whether follow-up channel messages are delivered after restart.
• add merge-risk: 🚨 session-state: The patch changes startup recovery to mark and recover persisted running main-session rows, which directly mutates session state on upgrade/startup.
• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix live Crabbox proof with a Telegram credential, hard gateway restart scenario, reproduced stale state, and observed successful follow-up delivery.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes after-fix live Crabbox proof with a Telegram credential, hard gateway restart scenario, reproduced stale state, and observed successful follow-up delivery.
• add mantis: telegram-visible-proof: Mantis should capture Telegram visible proof. The bug is Telegram-visible because the user-facing proof path is a Telegram message after hard gateway restart, and a short Telegram recording could demonstrate the fixed reply delivery.

Label justifications:

• P1: The PR fixes a user-facing Telegram/session workflow where stale persisted running state can block replies until manual reset.
• merge-risk: 🚨 session-state: The patch changes startup recovery to mark and recover persisted running main-session rows, which directly mutates session state on upgrade/startup.
• merge-risk: 🚨 message-delivery: Recovery can resume or fail interrupted main sessions and affects whether follow-up channel messages are delivered after restart.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes after-fix live Crabbox proof with a Telegram credential, hard gateway restart scenario, reproduced stale state, and observed successful follow-up delivery.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix live Crabbox proof with a Telegram credential, hard gateway restart scenario, reproduced stale state, and observed successful follow-up delivery.
• mantis: telegram-visible-proof: Mantis should capture Telegram visible proof. The bug is Telegram-visible because the user-facing proof path is a Telegram message after hard gateway restart, and a short Telegram recording could demonstrate the fixed reply delivery.

Evidence reviewed

PR surface:

Source +217, Tests +357. Total +574 across 4 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	2	250	33	+217
Tests	2	357	0	+357
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	4	607	33	+574

What I checked:

• PR diff reviewed: The patch adds startup orphan marking before channels start, recovery after startup methods are available, active-run guards, duplicate-store routing checks, and regression coverage for the new recovery paths. (src/agents/main-session-restart-recovery.ts:217, 9c799c541dcf)
• Current main recovery gap: Current main only recovers running main-session rows when abortedLastRun === true, which matches the linked issue's stale unmarked running plus hasActiveRun:false gap. (src/agents/main-session-restart-recovery.ts:525, 329fa44d23f4)
• Current main startup ordering: Current main schedules main-session restart recovery as a post-ready sidecar, before the PR's move to schedule it after startup-unavailable gateway methods are cleared. (src/gateway/server-startup-post-attach.ts:950, 329fa44d23f4)
• Active-run projection checked: sessions.list computes hasActiveRun independently from persisted session status, so current source can represent a persisted running row with no tracked active run. (src/gateway/server-methods/sessions.ts:982, 329fa44d23f4)
• Linked issue evidence read: The linked reporter added redacted terminal evidence showing no active gateway work, Telegram health OK, a stale direct session row with status: running and hasActiveRun:false, and successful manual recovery with sessions.reset.
• Real behavior proof reviewed: The PR body reports AWS Crabbox live E2E run run_494e506ae17b with a live Telegram credential and mock OpenAI-compatible model server; the stale running/no-active-run state was reproduced and a follow-up Telegram turn completed without sessions.reset. (9c799c541dcf)

Likely related people:

• pfrederiksen: Authored recent main-session restart recovery behavior for notifying chat when recovery fails, directly adjacent to this PR's recovery path. (role: feature-history contributor; confidence: medium; commits: cf61b876ec5a; files: src/agents/main-session-restart-recovery.ts)
• samzong: Authored recent restart-recovery reply delivery work in the same main-session recovery module, making them relevant for recovery-delivery behavior. (role: recent area contributor; confidence: medium; commits: 4decdf6245a1; files: src/agents/main-session-restart-recovery.ts)
• anyech: Authored topic-suffixed restart lock recovery, an adjacent recovery edge case in the same module. (role: feature-history contributor; confidence: medium; commits: 228e5a238c1d; files: src/agents/main-session-restart-recovery.ts)
• vincentkoc: Local blame for the current checkout points to a grafted Vincent Koc release-validation commit, and GitHub path history shows recent gateway startup/session-method work by the same contributor. (role: recent gateway area contributor; confidence: medium; commits: 4b55a0e04d41, eb5d6c7294b6, c68291980880; files: src/gateway/server-startup-post-attach.ts, src/gateway/server-methods/sessions.ts)
• steipete: GitHub path history shows repeated recent commits and commits/merges around gateway startup, session docs, linting, and recovery-adjacent changes in these files. (role: recent area contributor-style area contributor; confidence: medium; commits: 27dde7a4d69b, dc23e924efce, a6ecc4bd89f4; files: src/agents/main-session-restart-recovery.ts, src/gateway/server-startup-post-attach.ts, src/gateway/server-methods/sessions.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[openclaw-mantis]

Mantis Telegram Desktop Proof

Summary: Mantis captured native Telegram Desktop before/after GIF evidence with Convex-leased Telegram credentials.

• Scenario: telegram-desktop-proof
• Trigger: pull_request_target
• Run: https://github.com/openclaw/openclaw/actions/runs/27180628783
• Artifact: https://github.com/openclaw/openclaw/actions/runs/27180628783/artifacts/7497780439
• Baseline: pass at 329fa44d23f4bc969eb6690d98820738308d8897, expected baseline visual proof captured
• Candidate: pass at 9c799c541dcfdf967e7688f3f3d739c841e45aa0, expected candidate visual proof captured
• Overall: true

Main screenshot	This PR screenshot

Main	This PR

Motion-trimmed clips:

• Main MP4
• This PR MP4

Raw QA files: https://artifacts.openclaw.ai/mantis/telegram-desktop/pr-91566/run-27180628783-1/index.json

[joshavant]

Additional scale sanity check from Molty, a long-running high-volume OpenClaw agent:

• openclaw sessions cleanup --all-agents --dry-run --json: 4 stores, 529 rows before / 503 after preview, 1.54s end-to-end.
• Separate read-only session-store scan across all found sessions.json stores: 32 stores, 539 rows, ~5.8 MB total store data.
• Direct store read/parse/filter timing: 18.7 ms total, including 7.8 ms actual file read time.
• Current states: 253 done, 4 failed, 4 running, 1 timeout, 277 unknown/legacy.
• SQLite aggregate checks: 5 queries in 24.2 ms.
• The expensive dry-run cost was artifact discovery: ~9,981 files scanned, 4,832 removable, ~1.77 GB reclaimable.

Takeaway: for this real high-volume instance, startup-wide session reconciliation over persisted session rows appears cheap; the expensive operation is full cleanup/artifact traversal, which this PR does not add. This supports the current startup reconciliation approach as reasonable from a performance standpoint, while still avoiding any per-message hot-path scan.