Session contamination between agents in multi-agent gateway #31110

@antrichards

Session Contamination Between Agents in Multi-Agent Gateway

Environment

  • OpenClaw Version: 2026.2.26
  • Platform: Debian 12 (IceKing server)
  • Gateway Mode: Single openclaw-gateway process serving multiple agents
  • Architecture: Two agents (franko, friday) with separate Telegram bot tokens and bindings

Summary

When running multiple agents through a single gateway process, conversation history from one agent's sessions contaminates another agent's session logs. This results in complete context isolation failure where agents can "see" each other's conversations and instructions.

Configuration

{
  "agents": {
    "list": [
      {"id": "franko", "workspace": "~/.openclaw/workspace-franko", "model": "claude-haiku-4-5"},
      {"id": "friday", "workspace": "~/.openclaw/workspace-friday", "model": "claude-sonnet-4-5"}
    ]
  },
  "bindings": [
    {"agentId": "franko", "match": {"channel": "telegram", "accountId": "franko"}},
    {"agentId": "friday", "match": {"channel": "telegram", "accountId": "friday"}}
  ],
  "channels": {
    "telegram": {
      "enabled": true,
      "accounts": {
        "franko": {"botToken": "867840494..."},
        "friday": {"botToken": "877076326..."}
      }
    }
  }
}

Both agents configured with:

  • Separate Telegram bot tokens
  • Separate workspace directories
  • Separate agent bindings
  • groupPolicy: "allowlist" for both

Evidence of Contamination

Filesystem Isolation (Correct)

Session directories are physically separate:

$ stat /home/openclaw/.openclaw/agents/franko/sessions/
  Inode: 676361

$ stat /home/openclaw/.openclaw/agents/friday/sessions/
  Inode: 676526

✅ Different inodes = separate directories (no symlinks)

Session Content Contamination (Bug)

Despite separate directories, Friday's conversation content appeared in Franko's session logs:

$ grep -c 'Evolve Skateboards' /home/openclaw/.openclaw/agents/franko/sessions/*.jsonl
44214dc7-f321-4b00-831d-2714bd4f4571.jsonl:1

$ grep -c 'Weekly monitoring' /home/openclaw/.openclaw/agents/franko/sessions/*.jsonl
44214dc7-f321-4b00-831d-2714bd4f4571.jsonl:2

"Evolve Skateboards" and "Weekly monitoring" are Friday's brand research tasks that were never discussed with Franko.

When grepping Franko's directory for telegram-related content, the results included literal conversation content from Friday's sessions:

  • Brand research workflow instructions
  • "Out, Bajaboard. In, SKP and Propel, Metroboard"
  • "Weekly monitoring and reposting. Generate on Tuesday morning 9:00am"
  • Brave API configuration for Friday's tasks

Franko later exhibited awareness of Friday's instructions and responded to them as if they were his own tasks.

Reproduction Steps

  1. Configure two agents (A and B) in openclaw.json with:

    • Separate Telegram bot tokens
    • Separate workspace directories
    • groupPolicy: "allowlist" for both
    • Bindings routing each Telegram account to its respective agent
  2. Start single gateway process:

    openclaw gateway
  3. Have extended conversations with Agent A via Telegram (50+ messages)

  4. Have extended conversations with Agent B via Telegram (50+ messages)

  5. Search Agent B's session logs for content unique to Agent A:

    grep 'unique_phrase_from_agent_A' ~/.openclaw/agents/agentB/sessions/*.jsonl

Expected: No matches (complete session isolation)

Actual: Agent A's conversation content appears in Agent B's session files

Root Cause Hypothesis

A single openclaw-gateway process serving multiple agents has a session storage bug where:

  1. Message routing works correctly - Messages deliver to the intended agent via channel bindings
  2. Session persistence fails isolation - Conversation history writes to multiple agents' session logs during:
    • Message persistence to .jsonl files
    • Session state serialization
    • Compaction routines

The contamination appears to occur at the gateway's session manager layer, not at the filesystem level.

Impact

  • Security: Complete context isolation failure between agents
  • Behavior: Agents execute instructions meant for other agents
  • Trust: Agents can "see" conversations and credentials of other agents
  • Debugging: Impossible to determine which agent received which instructions

Suggested Investigation Areas

  1. Session Manager: Message persistence logic when multiple agents share a gateway
  2. Telegram Channel Handler: Session key resolution for multi-account configurations
  3. Compaction Routine: File write isolation during history compaction
  4. Binding Resolution: Verify bindings properly isolate session writes, not just reads

Workaround

Run separate gateway processes per agent using OpenClaw's --profile feature:

# Franko gateway (port 18789)
openclaw --profile franko gateway

# Friday gateway (port 18889)  
openclaw --profile friday gateway

This creates completely isolated state directories (~/.openclaw-franko, ~/.openclaw-friday) with separate session managers.

Additional Context

  • Single gateway serves both agents via PID 126680
  • No systemd service - gateway started manually
  • Both agents communicate with the same human user (different bot tokens)
  • Contamination persists across gateway restarts
  • Issue discovered when agent responded to instructions meant for the other agent

Related: This may affect any multi-agent gateway configuration, not just Telegram. Worth investigating Discord, WhatsApp, and other channel handlers for similar isolation failures.
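
The grep check from the reproduction steps, generalized into an isolation audit that scans every agent's session directory for canary phrases belonging to a different agent. This is an added example, not part of the original issue and not OpenClaw code; it assumes the `agents/<id>/sessions/*.jsonl` layout shown above, and the sample log lines and the `franko-only canary 7f3a` phrase are constructed.

```python
import tempfile
from pathlib import Path

def find_cross_agent_leaks(agents_root, canaries):
    """canaries: {agent_id: [phrases only ever sent to that agent]}.
    Returns sorted (owner, found_in, file, phrase, matching_lines) tuples."""
    leaks = []
    root = Path(agents_root).expanduser()
    for agent_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for log in sorted((agent_dir / "sessions").glob("*.jsonl")):
            # Raw-text match per line, like grep -c: no log schema is assumed.
            lines = log.read_text(encoding="utf-8", errors="replace").splitlines()
            for owner, phrases in canaries.items():
                if owner == agent_dir.name:
                    continue  # an agent's own phrases belong in its own logs
                for phrase in phrases:
                    hits = sum(phrase in line for line in lines)
                    if hits:
                        leaks.append((owner, agent_dir.name, log.name, phrase, hits))
    return sorted(leaks)

def build_sample_tree(base):
    """Constructed sample data; the line format is made up, not OpenClaw's."""
    logs = {
        "franko": ['{"text": "franko-only canary 7f3a"}',
                   '{"text": "Evolve Skateboards brand research"}',
                   '{"text": "Weekly monitoring and reposting"}',
                   '{"text": "Weekly monitoring, Tuesday 9:00am"}'],
        "friday": ['{"text": "Evolve Skateboards brand research"}',
                   '{"text": "Weekly monitoring and reposting"}'],
    }
    for agent, lines in logs.items():
        sessions = Path(base) / agent / "sessions"
        sessions.mkdir(parents=True)
        (sessions / "sample.jsonl").write_text("\n".join(lines) + "\n", encoding="utf-8")
    return Path(base)

def demo():
    canaries = {"friday": ["Evolve Skateboards", "Weekly monitoring"],
                "franko": ["franko-only canary 7f3a"]}
    with tempfile.TemporaryDirectory() as tmp:
        return find_cross_agent_leaks(build_sample_tree(tmp), canaries)

if __name__ == "__main__":
    for leak in demo():
        print("LEAK owner=%s found_in=%s file=%s phrase=%r lines=%d" % leak)
```

On a real host, pass the agents directory (for the setup above, `/home/openclaw/.openclaw/agents`) and phrases you deliberately sent to exactly one agent. Keep canaries ASCII, since a raw-line match will miss text that the log stores in JSON-escaped form.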
