Why does runtime: 'acp' fail while subagent sessions still work?

Because ACP and subagent sessions use different session key types. If validation only allows spawnedBy for subagent keys, ACP calls can fail even when subagent flows still run.

Should we downgrade immediately?

Downgrade is a valid temporary move if ACP workloads are business-critical and no fast patch is available. Capture logs first, then use a controlled rollback and verification checklist.

How do we prevent this type of breakage next time?

Add an ACP smoke test to your upgrade process, canary one environment first, and block rollout if sessions_spawn fails in run or session mode.

Blog

OpenClaw ACP spawn errors: how to recover from spawnedBy regressions

Problem statement: after an upgrade, ACP jobs fail immediately with spawnedBy is only supported for subagent:* sessions when you call sessions_spawn with runtime: "acp". For most teams, this is not a minor bug. It can stop automation handoffs, break coding workflows, and leave production queues waiting on tasks that never start.

Recent reports

Issue #40800 (2026-03-09): ACP sessions_spawn failures started right after upgrade.
Issue #40799 (2026-03-09): tool errors can trigger restart loops and break channel delivery.

Why this specific failure is expensive

ACP is usually where teams run larger implementation tasks, code generation, and workflow delegation. When spawn fails, work does not degrade gracefully. It simply never launches. Teams then lose time in three places: diagnosing the root cause, manually rerunning tasks, and cleaning up side effects from partial automation. If your support channel is Telegram or another live channel, users see typing or acknowledgement without completion, which hurts trust quickly.

Root cause in plain language

Based on field reports, this regression appears when validation logic treats spawnedBy as valid only for subagent sessions. ACP sessions use a different key pattern, so requests that worked before can now be rejected. In practice, your request payload is not “wrong” for your workload. The compatibility contract changed in a way that blocks ACP execution.

Fast triage: confirm the issue in 10 minutes

Capture one failing request with full payload shape (without secrets).
Record exact version fingerprints for OpenClaw runtime and ACP backend.
Run the same payload in both modes: mode: "run" and mode: "session".
Compare runtime types: runtime: "acp" versus a known-good subagent call.
Collect gateway log lines showing INVALID_REQUEST and the full message text.

If ACP fails and subagent succeeds on the same environment, you have narrowed the failure to runtime-specific validation, not network reachability or random infra noise.

Step-by-step production recovery playbook

Step 1: Stop uncontrolled retries

Disable automatic ACP retriers that hammer the same failing spawn path. This protects logs, keeps queues readable, and avoids secondary outages from repeated failed attempts.

Step 2: Route urgent jobs to a temporary fallback

For business-critical work, route affected tasks to a known working path while you fix ACP. Depending on your setup, this can be temporary subagent delegation or a previous stable runtime. Keep this explicit and time-boxed so your team knows what is temporary.

Step 3: Run controlled rollback if needed

If ACP is core to delivery and the patch window is uncertain, rollback to your last verified version. Do not roll back blind. Keep one evidence bundle with: failing payload, failing logs, and post-rollback success logs. This gives you confidence now and useful data for upstream debugging later.

Step 4: Validate identity reconciliation messages

Reports alongside this regression mention startup identity reconcile failures. Treat those as a signal that runtime identity state may be inconsistent after upgrade. Verify that your ACP agent identifiers are present, expected, and readable by the gateway.

Step 5: Re-test from user-facing channel entry points

Do not stop at one terminal test. Trigger the same workflow from the real entry point your users rely on. If your team receives requests through chat channels, validate that end-to-end completion works there too.

Practical diagnostics teams skip (and regret skipping)

Schema drift check: compare request payload keys across old and new version docs.
Session key inspection: inspect actual prefixes returned by session APIs after upgrade.
Daemon state restart: ensure service restarts truly reload changed config and identity state.
Model/path parity: verify the same request shape across different ACP agents.
Channel impact audit: confirm no side effects on polling or delivery loops.

Edge cases that can mislead your debugging

Not every spawnedBy failure is caused by the same thing. Watch for these edge cases before concluding:

Multiple runtimes mixed in one workflow: only ACP path fails, making behavior look random.
Background process stale state: old gateway process still holds previous assumptions.
Partial upgrade: CLI and gateway versions differ, creating confusing compatibility results.
Error handling bug: first failure triggers restarts and hides the primary error line.

How to verify the fix is real

Run 5 ACP spawns with mode: "run"; all must complete.
Run 5 ACP spawns with mode: "session" and thread: true; all must complete.
Test one failure path (intentional invalid agent) and confirm graceful error without restart loop.
Check channel delivery stability for at least 30 minutes after fix deployment.
Save final config and version snapshot used in successful validation.

Common mistakes that prolong this outage

Assuming “ACP broken” means every runtime path is broken.
Changing version, config, and agent IDs all at once.
Skipping evidence collection before rollback.
Declaring success after a single test run.
Ignoring downstream user-facing channel behavior after technical fix.

Where this fits in your hosting decision

If regressions like this are rare in your environment and your team has strong ops coverage, self-hosting can still be a good fit. But if upgrade regressions repeatedly block delivery, your real cost is engineer interruption and missed release windows. Compare tradeoffs clearly on /compare/. If you want a managed path with lower day-to-day maintenance, review /openclaw-cloud-hosting/. If you stay self-hosted, keep your baseline setup current at /openclaw-setup/.

Fix once. Stop recurring ACP spawn failures after upgrades.

If this keeps coming back, you can move your existing setup to managed OpenClaw cloud hosting instead of rebuilding the same stack. Import your current instance, keep your context, and move onto a runtime with lower ops overhead.

Import flow in ~1 minute
Keep your current instance context
Run with managed security and reliability defaults

If you would rather compare options first, review OpenClaw cloud hosting or see the best OpenClaw hosting options before deciding.

Import your current OpenClaw instance in 1 click Keep self-hosted: apply fix checklist

OpenClaw import first screen in OpenClaw Setup dashboard (light theme) — 1) Paste import payload

OpenClaw import first screen in OpenClaw Setup dashboard (dark theme) — 1) Paste import payload

OpenClaw import completed screen in OpenClaw Setup dashboard (light theme) — 2) Review and launch

OpenClaw import completed screen in OpenClaw Setup dashboard (dark theme) — 2) Review and launch

Need ACP reliability without weekly firefighting?

Keep your current setup, import it in one click, and run with managed runtime defaults that reduce upgrade friction.

Import your current OpenClaw instance in 1 click Use stable browser workflows with relay

Operational hardening after recovery

Getting ACP back online is only half of the job. The second half is making sure one validation change cannot break your delivery pipeline again. Treat this as a reliability engineering opportunity.

Create a runtime contract file

Maintain one shared contract document for ACP request shape, required keys, optional keys, and expected failure behavior. Keep it in the same repository as your deployment scripts. When you upgrade, diff that contract against the new behavior. This prevents silent drift where individual engineers “just make it work” in local scripts while production assumptions diverge.

Add canary upgrades for ACP workflows

A canary environment should run your most important ACP actions on every candidate release before full rollout. The canary gate should include both happy-path and failure-path tests: successful spawn, bad-agent error handling, and channel-delivery continuity. If any gate fails, freeze rollout automatically.

Track leading indicators, not only incidents

Teams often watch only binary failure. That is too late. Track early warnings such as rising invalid-request counts, startup reconcile failures, retry bursts, and time-to-first-response drift in user-facing channels. These usually move before a full outage appears.

Define ACP change windows

Do not deploy ACP-sensitive upgrades during periods where you cannot staff incident response. Pick change windows with available owners, clear rollback authority, and communication channels ready. This one process shift saves more time than any individual debugging trick.

Reference command checklist for responders

Keep a short command checklist in your internal runbook so responders can collect consistent evidence fast. Include version readout, config snapshot checksum, one ACP spawn test in run mode, one in session mode, and one channel-triggered workflow test. The goal is consistency, not cleverness.

Version and runtime fingerprint captured before changes.
Failing and successful payload examples stored side by side.
Gateway log excerpts grouped by timestamped test runs.
Rollback decision recorded with owner and rationale.
Post-fix acceptance report linked in incident ticket.

Business impact model for this regression class

If ACP powers customer-facing delivery, each hour of spawn failure can create hidden backlog that appears later as SLA misses, delayed releases, or support escalations. Model impact across three layers:

Direct engineering time: triage, rollback, and verification effort.
Workflow interruption: stalled automation and manual rework.
Customer-facing delay: slower turnaround and trust erosion.

Use this model when deciding whether to keep full self-managed responsibility or shift critical paths to managed runtime. It turns emotional debates into measurable decisions.

Team communication template during incidents

Communication quality decides whether incidents feel controlled or chaotic. Use a simple update structure every 30 minutes: current status, confirmed scope, active mitigation, next checkpoint. Avoid speculative root causes in broad channels. Share only what is verified and what users should do right now.

FAQ

Can I patch this with custom middleware and keep latest version?

You can, but only if you can test every ACP path. For most teams, temporary rollback plus upstream fix is safer than a rushed local patch.

Does this affect only Codex ACP agent?

Reports show the failure pattern across ACP runtime usage, not one specific agent vendor. Validate your own configured agents explicitly.

Should we disable ACP permanently?

Usually no. ACP remains valuable for large tasks. The right move is controlled recovery, better upgrade gates, and runtime-specific smoke tests.

Post-incident retrospective questions

Schedule a short retrospective within 48 hours while details are still fresh. Ask questions that improve systems, not questions that blame individuals:

Which signal appeared first, and did we notice it in time?
Which assumption about ACP compatibility proved wrong?
What one automation check would have prevented this outage?
Which communication step reduced confusion the most?
What will we ship this week to avoid repeating this incident?

A strong retrospective turns a painful day into a durable competitive advantage. Teams that learn quickly from regressions ship faster with less stress over time.