OpenClaw Issue Digest: Session Stability, Security Boundaries, and Provider Regressions

06:30–12:30 UTC May 20, 2026

Open Issues

Recent activity in the OpenClaw repository reveals a series of high-severity regressions and structural bugs, primarily centered around session state management, security boundaries in Docker environments, and provider-specific failures.

Critical Security and Boundary Issues

Several reports highlight severe security gaps. Most notably, #84468 identifies a critical leak where the Docker setup script prints the full gateway bearer token to stdout, potentially exposing operator-level access in CI logs. Additionally, #83796 reports a containment escape: when using the Codex harness with a Docker sandbox, shell execution occurs in the gateway container rather than the isolated per-agent sandbox, effectively bypassing the security boundary.
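One way a setup script can hand over a gateway token without echoing it, with a check that a captured log does not contain it. This is an added example, not code from OpenClaw's scripts/docker/setup.sh; the function names, the 32-byte hex token and the file path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not OpenClaw's setup.sh): store a generated gateway token in an
# owner-only file and print only a non-reversible fingerprint to stdout.
# All function names and the token format below are hypothetical.

# write_token_file TOKEN PATH: write the secret with 0600 permissions, atomically.
write_token_file() {
    token=$1 path=$2
    # umask 077 in a subshell so the temp file is never group/world readable.
    ( umask 077 && printf '%s\n' "$token" > "$path.tmp" ) || return 1
    # chmod covers the case where a stale temp file already existed.
    chmod 600 "$path.tmp" && mv -f "$path.tmp" "$path"
}

# token_fingerprint TOKEN: first 12 hex chars of SHA-256, safe to show in logs
# because the token itself is high-entropy random data.
token_fingerprint() {
    printf '%s' "$1" | sha256sum | cut -c1-12
}

# log_leaks_token TOKEN LOGFILE: exit status 0 if the log contains the token verbatim.
# Useful as a CI guard run over captured setup output.
log_leaks_token() {
    grep -qF -- "$1" "$2"
}

# setup_gateway_token PATH: generate, store, and report without printing the secret.
setup_gateway_token() {
    path=$1
    # Constructed sample token: 32 random bytes as 64 hex characters.
    token=$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')
    write_token_file "$token" "$path" || return 1
    echo "gateway token written to $path (sha256:$(token_fingerprint "$token"))"
}

# Usage (path is a placeholder): setup_gateway_token ./gateway.token
```

Operators read the token from the file when they need it; the fingerprint is enough to confirm in logs which token a run produced.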

Session State and Runtime Stability

Embedded agent runs are experiencing significant stability issues. Multiple reports (#84542, #84460, #84477) describe EmbeddedAttemptSessionTakeoverError crashes, where concurrent access to a session—even for read-only operations—kills active model calls. Furthermore, #84536 describes a "silent death" scenario where preemptive context overflow checks kill embedded sessions without notifying the user, leaving the agent frozen in a processing state.

Provider and Tooling Regressions

  • Codex/OpenAI: A critical regression in #84511 causes multi-turn sessions to break permanently with 400 invalid_encrypted_content errors following an OAuth token refresh. Additionally, #84516 reports silent truncation of long replies (~1100 chars) in the Codex app-server path.
  • Gemini/Ollama: #84496 identifies a regression where think: true is forwarded to non-reasoning Ollama models, resulting in HTTP 400 errors.
  • MiniMax: The music generation provider is failing to pass durationSeconds to the API (#84508) and suffers from blocking HTTP requests that time out for full-length tracks (#84506).
  • Feishu: Users are reporting missing intermediate tool-call messages (#84491) and broken @mention tags due to MarkdownIt escaping (#84478).

Key Themes

1. Session Lock Contention

There is a recurring theme of "takeover errors" and lock contention. The current implementation of session file locking appears too aggressive or improperly scoped, leading to fatal errors when the Control UI or secondary lanes attempt to access a session while an embedded run is in progress.

2. Subagent and Isolated Runtime Fragility

Subagent orchestration is currently unreliable. Issues like #84489 and #84477 show that capability validation (e.g., thinking levels) is inconsistent between parent and child runtimes, and recovery mechanisms often skip lanes with sessionId=unknown, leading to permanent wedges.

3. Resource and Memory Leaks

Memory growth is a persistent concern. #84413 highlights how chrome-devtools-mcp sidecars accumulate under the gateway, while #69451 notes that loading all session files via readFileSync at startup leads to linear RSS growth.

Action Required

High Severity / Immediate Attention

  • #84468 (Security): Remove plaintext gateway token printing from scripts/docker/setup.sh immediately.
  • #83796 (Security): Fix the Codex runtime to ensure shell execution is routed into the per-agent sandbox.
  • #84511 (Critical Bug): Resolve the invalid_encrypted_content error during OAuth refreshes to prevent permanent session loss for Codex users.
  • #84542 / #84460 (Stability): Redesign the session lock mechanism to allow read-only access without killing active embedded runs.

Blocked or High-Impact Issues

  • #84477 (Stability): Fix the "wedge" in the embedded-run prep path and ensure recovery covers sessionId=unknown lanes.
  • #84489 (Orchestration): Implement a robust preflight resolution layer for subagents to align capabilities (thinking, tools) before returning accepted.
  • #84464 (Connectivity): Resolve the Discord ReadyListener race condition that leaves bots stuck at "awaiting gateway readiness."
