fix(webchat): finalize provider failure lifecycle

[TurboTheTurtle]

Fixes #91730

Summary

• Emit a marked final lifecycle error after embedded provider fallback is exhausted.
• Let the gateway finalize that marked error immediately while preserving retry grace for per-attempt fallback errors.
• Cover both the final-failure marker and the immediate gateway cleanup path with focused regression tests.
• Stabilize the deadcode unused-files test against CI resolving pnpm as an absolute runner path while preserving exact args/options checks.

Verification

• node scripts/run-vitest.mjs src/auto-reply/reply/agent-runner-execution.test.ts src/gateway/server-chat.agent-events.test.ts
• node scripts/run-vitest.mjs src/gateway/server-methods/agent.test.ts ui/src/ui/chat/run-lifecycle.test.ts ui/src/ui/session-run-state.test.ts ui/src/ui/app-chat.test.ts src/gateway/session-lifecycle-state.test.ts
• node scripts/run-vitest.mjs test/scripts/package-acceptance-workflow.test.ts
• node scripts/run-vitest.mjs test/scripts/openclaw-e2e-instance.test.ts
• node scripts/run-vitest.mjs test/scripts/check-deadcode-unused-files.test.ts
• node scripts/run-vitest.mjs run --config test/vitest/vitest.full-core-support-boundary.config.ts
• corepack pnpm exec oxfmt --check --threads=1 src/auto-reply/reply/agent-runner-execution.ts src/auto-reply/reply/agent-runner-execution.test.ts src/gateway/server-chat.ts src/gateway/server-chat.agent-events.test.ts
• node scripts/run-oxlint.mjs src/auto-reply/reply/agent-runner-execution.ts src/auto-reply/reply/agent-runner-execution.test.ts src/gateway/server-chat.ts src/gateway/server-chat.agent-events.test.ts
• corepack pnpm exec oxfmt --check --threads=1 test/scripts/check-deadcode-unused-files.test.ts
• node scripts/run-oxlint.mjs test/scripts/check-deadcode-unused-files.test.ts
• git diff --check
• corepack pnpm openclaw --version -> OpenClaw 2026.6.2 (c604b58)

Real behavior proof

Behavior addressed: OpenClaw-native provider failures that exhaust fallback now produce a final lifecycle error signal, so the gateway clears the webchat run and persists terminal failed session state immediately instead of leaving the session in progress/running.

Real environment tested: Patched local checkout /Users/andy/openclaw-91730-provider-failure on macOS, head c604b584263bd554d5246dd5d8437b48add0aa4f, build OpenClaw 2026.6.2 (c604b58), isolated temp OPENCLAW_HOME=/tmp/openclaw-91730-proof-cifix-IYxcUk, gateway on loopback port 18796, token auth with a throwaway proof token, default dev agent model openai/gpt-5.5, and deliberately invalid OPENAI_API_KEY=sk-openc*************alid. The provider failure used the real embedded runtime against OpenAI Responses websocket/HTTP endpoints; no provider mock was used for this proof.

Exact steps or command run after this patch: Started the temp gateway with OPENCLAW_HOME=/tmp/openclaw-91730-proof-cifix-IYxcUk OPENAI_API_KEY=<invalid> corepack pnpm openclaw gateway run --dev --reset --port 18796 --auth token --token <throwaway> --tailscale off --compact --verbose. Connected a loopback backend WebSocket client with shared-token auth and scopes operator.read,operator.write, verified health and an empty sessions.list, then sent chat.send with sessionKey=agent:dev:main, message=PR91895_PROOF_TRIGGER provider failure lifecycle ci-fix, and idempotencyKey=pr91895-proof-cifix-20260610T0231. After the terminal chat event, queried sessions.list, chat.history, and health, then stopped the temp gateway cleanly.

Evidence after fix: Gateway logs showed the real runtime starting the turn and contacting OpenAI, then failing on invalid auth:

OpenClaw 2026.6.2 (c604b58)
[ws] ⇄ res ✓ chat.send 5ms runId=pr91895-proof-cifix-20260610T0231
[diagnostic] session turn created: runId=pr91895-proof-cifix-20260610T0231 sessionId=354fa727-3b28-46a9-9045-f52efd334c1b sessionKey=agent:dev:main agentId=dev channel=webchat trigger=user
[agent/embedded] ... failed to connect to websocket: HTTP error: 401 Unauthorized, url: wss://api.openai.com/v1/responses
[agent/embedded] ... Incorrect API key provided: sk-openc*************alid ... auth error code: invalid_api_key
[ws] -> event agent ... stream=lifecycle ... phase=error
[diagnostic] session state: sessionId=354fa727-3b28-46a9-9045-f52efd334c1b sessionKey=agent:dev:main prev=processing new=idle reason="run_completed" queueDepth=0
[diagnostic] run cleared: sessionId=354fa727-3b28-46a9-9045-f52efd334c1b totalActive=0
[model-fallback/decision] model fallback decision: decision=candidate_failed requested=openai/gpt-5.5 candidate=openai/gpt-5.5 reason=rate_limit next=none detail=unexpected status 401 Unauthorized ... auth error code: invalid_api_key
[ws] -> event agent ... stream=lifecycle ... phase=fallback_step
[ws] -> event agent ... stream=lifecycle ... phase=error
[diagnostic] message processed: channel=webchat ... sessionKey=agent:dev:main outcome=completed
[shutdown] completed cleanly in 110ms

The proof client observed the terminal chat event:

{
  "chatSendAck": { "runId": "pr91895-proof-cifix-20260610T0231", "status": "started" },
  "terminalChatEvent": {
    "runId": "pr91895-proof-cifix-20260610T0231",
    "sessionKey": "agent:dev:main",
    "state": "error",
    "errorMessage": "unexpected status 401 Unauthorized: Incorrect API key provided: sk-openc*************alid..."
  }
}

A settled sessions.list after message_completed showed terminal failed state and no active run:

{
  "key": "agent:dev:main",
  "sessionId": "354fa727-3b28-46a9-9045-f52efd334c1b",
  "status": "failed",
  "startedAt": 1781083947833,
  "endedAt": 1781083966242,
  "runtimeMs": 18409,
  "modelProvider": "openai",
  "model": "gpt-5.5",
  "agentRuntime": { "id": "codex", "source": "implicit" },
  "deliveryContext": { "channel": "webchat" },
  "lastChannel": "webchat",
  "hasActiveRun": false
}

The same proof client also saw healthBefore.ok=true, healthAfter.ok=true, healthAfter.sessionCount=1, historySummary.ok=true, and historySummary.messageCount=1.

Observed result after fix: The live temp-gateway turn produced a visible terminal chat error event, cleared the active run (totalActive=0), and persisted the session as status:"failed" with endedAt, runtimeMs, and hasActiveRun:false. Health remained OK after the failure, and the temp proof gateway was stopped cleanly after the proof.

What was not tested: I did not reproduce the exact reporter environment of Linux plus OpenAI OAuth on openai/gpt-5.4-mini; the proof uses the same OpenClaw-native provider failure class with a deliberately invalid OpenAI API key so it can be reproduced safely without live credentials. At the time of this final proof update, GitHub Actions and ClawSweeper re-review still need to run on the amended head.

[TurboTheTurtle]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27263344345
• Updated: 2026-06-10T08:33:32.066Z

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 10, 2026, 5:43 AM ET / 09:43 UTC.

Summary
The branch emits a finalFailure lifecycle marker after embedded provider fallback exhaustion, makes the gateway finalize marked errors immediately, adds focused runner/gateway regression tests, and relaxes a pnpm command assertion in the deadcode unused-files test.

PR surface: Source +15, Tests +59. Total +74 across 5 files.

Reproducibility: yes. Source inspection gives a high-confidence current-main path: an unmarked lifecycle error is deferred, then a later fallback lifecycle event clears the pending terminal error; I did not run a live current-main repro in this read-only review.

Review metrics: 1 noteworthy metric.

• Lifecycle terminal marker: 1 internal marker added. The new finalFailure flag is the contract that changes gateway session finalization timing before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Wait for the relevant checks on head c604b58.
• Have a maintainer explicitly accept finalFailure as the fallback-exhausted provider failure contract.

Risk before merge

• [P2] The PR intentionally changes session-state finalization timing: if finalFailure is later emitted for a per-attempt fallback error, webchat could prematurely clear an active run and persist failed session state.
• [P1] The live proof exercises the same provider-failure class with an invalid OpenAI key, but it does not exactly reproduce the reporter's Linux OAuth openai/gpt-5.4-mini setup.

Maintainer options:

1. Accept the final-failure contract (recommended)
   Merge after maintainer review and green checks if the team agrees finalFailure is the internal contract for fallback-exhausted provider failures.
2. Require exact-environment proof
   Ask for Linux OAuth openai/gpt-5.4-mini proof first if maintainers need confidence beyond the same OpenClaw-native provider-failure class.
3. Pause for a typed lifecycle API
   Hold the PR if maintainers want final terminal provider failure represented by a typed lifecycle event instead of an ad hoc data flag.

Next step before merge

• [P2] No repair lane is needed; the remaining work is maintainer review, relevant checks, and explicit acceptance of the session-state risk.

Security
Cleared: The diff does not change dependencies, workflows, permissions, package resolution, credential handling, or secret-handling code.

Review details

Best possible solution:

Land the narrow final-failure lifecycle contract after maintainers accept the session-state timing change and relevant checks remain green.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection gives a high-confidence current-main path: an unmarked lifecycle error is deferred, then a later fallback lifecycle event clears the pending terminal error; I did not run a live current-main repro in this read-only review.

Is this the best way to solve the issue?

Yes. The PR is a narrow fix because the runner marks only fallback-exhausted failures and the gateway preserves retry grace for ordinary per-attempt errors; a typed lifecycle event could be cleaner later but is not required for this patch.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against c84e52192063.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes sufficient after-fix live-output proof from a temp gateway using the real embedded runtime, with redacted credentials and observed terminal session cleanup.

Label justifications:

• P1: The linked bug leaves webchat sessions stuck in running/in-progress after provider failure, blocking clear recovery for affected users.
• merge-risk: 🚨 session-state: The PR changes when gateway lifecycle errors clear active runs and persist failed session state.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes sufficient after-fix live-output proof from a temp gateway using the real embedded runtime, with redacted credentials and observed terminal session cleanup.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes sufficient after-fix live-output proof from a temp gateway using the real embedded runtime, with redacted credentials and observed terminal session cleanup.

Evidence reviewed

PR surface:

Source +15, Tests +59. Total +74 across 5 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	2	16	1	+15
Tests	3	62	3	+59
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	5	78	4	+74

What I checked:

• Root policy read: Read the full root AGENTS.md; gateway session state and fallback behavior are compatibility-sensitive review surfaces, so this PR needs explicit session-state risk review rather than diff-only approval. (AGENTS.md:1, c84e52192063)
• Gateway scoped policy read: Read the gateway scoped guide; it reinforces checking gateway lifecycle tests and hot-path behavior for changes under src/gateway. (src/gateway/AGENTS.md:1, c84e52192063)
• Current-main deferred lifecycle behavior: Current main clears pending terminal lifecycle errors on any non-error lifecycle phase, and defers lifecycle error finalization while retry grace is active; a fallback lifecycle event can therefore cancel a pending per-attempt error before a terminal failure is persisted. (src/gateway/server-chat.ts:1007, c84e52192063)
• Session persistence callee: Gateway terminal lifecycle finalization clears run context, deletes run sequence state, clears the active run, persists the lifecycle event, and broadcasts sessions.changed when a session key is available. (src/gateway/server-chat.ts:482, c84e52192063)
• Runner backstop behavior on current main: The embedded lifecycle backstop marks ordinary lifecycle end/error events as terminal, but those unmarked errors still go through the gateway retry grace path. (src/auto-reply/reply/agent-runner-execution.ts:1307, c84e52192063)
• PR implementation path: The PR adds a marked finalFailure lifecycle error after fallback exhaustion and has the gateway bypass retry grace only when that marker is true. (src/auto-reply/reply/agent-runner-execution.ts:2932, c604b584263b)

Likely related people:

• TurboTheTurtle: Beyond authoring this PR, public current-main history shows prior merged work touching gateway chat/session code and auto-reply fallback policy, including commits 9833f3e and 57633c4. (role: recent area contributor; confidence: medium; commits: 9833f3ea9bf8, 57633c42b647, c604b584263b; files: src/gateway/server-chat.ts, src/auto-reply/reply/agent-runner-execution.ts)
• vincentkoc: Public file history shows recent gateway instrumentation and auto-reply delivery work, plus committer history on adjacent fallback behavior. (role: recent area contributor; confidence: medium; commits: c9050c982d95, 280d1cb977c4, 57633c42b647; files: src/gateway/server-chat.ts, src/auto-reply/reply/agent-runner-execution.ts)
• obviyus: Public current-main history shows recent work in the same auto-reply runner surface around compaction notice behavior, adjacent to the embedded run lifecycle path. (role: adjacent auto-reply contributor; confidence: low; commits: 98d5c465308a; files: src/auto-reply/reply/agent-runner-execution.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[TurboTheTurtle]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27264645693
• Updated: 2026-06-10T09:02:53.883Z

[TurboTheTurtle]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27265936319
• Updated: 2026-06-10T09:20:05.055Z

[TurboTheTurtle]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27266517189
• Updated: 2026-06-10T09:30:23.914Z

[TurboTheTurtle]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27267287210
• Updated: 2026-06-10T09:44:33.880Z

[sallyom]

I added a small rename to make the marker explicitly fallbackExhaustedFailure, so a future per-attempt fallback error would have to misuse a very specific field, addressing the P2 found in review

CI red checks are unrelated and check-test-types succeeded locally.

[sallyom]

Pushed a small signed-off maintainer follow-up commit: d868e8618b5.

This renames the internal lifecycle marker from finalFailure to fallbackExhaustedFailure. Behavior is unchanged: the gateway still finalizes immediately only after provider fallback is exhausted. The narrower name addresses the review concern that a broad finalFailure flag could later be reused for a per-attempt fallback error and accidentally clear/persist a still-active webchat run too early.

Focused verification after the rename:

• node scripts/run-vitest.mjs src/auto-reply/reply/agent-runner-execution.test.ts src/gateway/server-chat.agent-events.test.ts
• git diff --cached --check before commit

I did not rerun the live Real Behavior Proof because this is a mechanical internal marker rename; the existing proof still covers the unchanged fallback-exhausted failure behavior.