fix(memory): prevent silent vector index degradation when embedding provider temporarily unavailable

[yaaboo-gif]

Summary

Prevents memory sync from silently downgrading an existing semantic vector index to FTS-only when the configured embedding provider is temporarily unavailable.

This keeps fresh/default FTS-only indexes working, but refuses destructive fallback when existing metadata proves the index was semantic.

Changes

• Clear stale provider-null initialization state before aborting so a later sync can retry provider discovery after the embedding provider recovers.
• Guard both normal sync and safe reindex paths, including embedding-error fallback paths, before rebuilding in FTS-only mode.
• Add regression coverage for the semantic-index outage guard and update direct sync-op test harnesses for the new retry hook.
• Add changelog credit for @yaaboo-gif.

Real behavior proof

Behavior addressed: Existing semantic memory indexes should not be rewritten as FTS-only indexes just because the configured embedding provider is temporarily unavailable.

Real environment tested: OpenClaw 2026.5.20 on macOS arm64 with a local MLX embedding server using jina-embeddings-v5-text-small on 127.0.0.1:8123, plus local OpenClaw source checkout on macOS for the maintainer refresh at branch head b5f0441.

Exact steps or command run after this patch:

Contributor live proof:

1. Applied the same provider-retry and semantic-index guard as a production hot-fix to the built memory-core bundle.
2. Restarted the OpenClaw Gateway.
3. Ran openclaw memory status --deep against a real memory store.
4. Intentionally stopped the MLX embedding server.
5. Triggered memory sync/search activity.
6. Restarted the MLX embedding server without restarting the Gateway.
7. Ran memory_search("宙狗 方案").

Maintainer refresh proof:

OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test extensions/memory-core/src/memory/manager.fts-only-reindex.test.ts extensions/memory-core/src/memory/manager-sync-ops.startup-catchup.test.ts extensions/memory-core/src/memory/manager-sync-ops.archive-delta-bypass.test.ts extensions/memory-core/src/memory/manager-sync-yield.test.ts
.agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main --parallel-tests "OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test extensions/memory-core/src/memory/manager.fts-only-reindex.test.ts extensions/memory-core/src/memory/manager-sync-ops.startup-catchup.test.ts extensions/memory-core/src/memory/manager-sync-ops.archive-delta-bypass.test.ts extensions/memory-core/src/memory/manager-sync-yield.test.ts"

Evidence after fix:

Contributor live runtime output from the affected setup:

$ openclaw memory status --deep
main: 11,686 chunks, semantic vectors: ready, vector dims: 1024
codex: 11,673 chunks, semantic vectors: ready

$ # MLX embedding server intentionally stopped, then memory sync/search triggered
Memory sync aborted: embedding provider "openai" is configured but unavailable.
Refusing to run sync in fts-only fallback mode to protect existing vector index (current model: jina-embeddings-v5-text-small).

$ # MLX embedding server restarted; no Gateway restart
$ memory_search("宙狗 方案")
returned 6 results with vectorScore > 0.50

Maintainer refresh output: 4 memory-core test files passed, 11 tests passed. Autoreview completed clean with no accepted/actionable findings and reported the patch correct.

Observed result after fix: The real semantic vector store was preserved during an embedding-provider outage, sync failed loudly instead of rewriting the semantic index as FTS-only, provider initialization retried after the MLX server returned, and semantic search recovered without a Gateway restart. The refreshed branch also proves fresh and already-FTS-only indexes still sync in FTS-only mode.

What was not tested: A second live MLX/Jina outage run after the maintainer refresh commits; the refreshed code path is covered by regression tests and autoreview, and the contributor live proof covers the affected production scenario.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 25, 2026, 9:51 AM ET / 13:51 UTC.

Summary
Adds a memory-core guard that retries embedding provider initialization and aborts FTS-only fallback during normal and safe reindex paths when existing metadata shows a semantic index, with regression coverage and a changelog entry.

PR surface: Source +42, Tests +30, Docs +1. Total +73 across 7 files.

Reproducibility: yes. with high confidence from source inspection and the PR's live proof, though I did not execute the repro locally in this read-only review. Current main treats provider:null plus semantic metadata as a full reindex path, while the supplied live output shows the affected MLX-provider outage scenario.

Review metrics: 1 noteworthy metric.

• Fallback behavior changed: 1 guard added at 2 sync/reindex entry points. The patch changes memory fallback semantics during embedding-provider outages, which is the compatibility-sensitive part maintainers should notice before merge.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• Compatibility-sensitive behavior change: existing semantic-index users with a configured provider will now see memory sync abort during provider outages instead of rebuilding a lexical-only index, so maintainers should intentionally accept that fail-closed behavior before merge.

Maintainer options:

1. Land the fail-closed guard (recommended)
   Accept the outage-time sync abort for existing semantic indexes because it preserves existing vectors and retries provider discovery when the provider returns.
2. Ask for a compatibility mode first
   If maintainers want semantic-index users to keep rebuilding lexical-only data during provider outages, request an explicit config or migration design before merge.

Next step before merge
No ClawSweeper repair is needed; the next action is maintainer review of the compatibility-sensitive fail-closed behavior plus normal head checks.

Security
Cleared: The diff touches memory-core runtime logic, tests, and changelog only; it does not add dependencies, workflows, secrets handling, package scripts, or new supply-chain execution paths.

Review details

Best possible solution:

Land the semantic-index protection if maintainers accept fail-closed sync during provider outages, keeping fresh and already-FTS-only fallback behavior intact.

Do we have a high-confidence way to reproduce the issue?

Yes, with high confidence from source inspection and the PR's live proof, though I did not execute the repro locally in this read-only review. Current main treats provider:null plus semantic metadata as a full reindex path, while the supplied live output shows the affected MLX-provider outage scenario.

Is this the best way to solve the issue?

Yes, this is the narrow maintainable fix: clear stale provider initialization state and guard only existing semantic indexes while preserving fresh and already-FTS-only fallback behavior. The only remaining question is maintainer acceptance of the deliberate fail-closed outage behavior.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 89a21db627f5.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix live output from a real macOS semantic memory store showing the provider outage abort, preserved semantic vectors, and recovered vector search after provider restart.
• add rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• remove rating: 🐚 platinum hermit: Current PR rating is rating: 🦞 diamond lobster, so this older rating label is no longer current.

Label justifications:

• P1: The PR addresses a real memory workflow regression where provider outages can silently destroy semantic vector availability for existing users.
• merge-risk: 🚨 compatibility: Merging changes outage behavior for existing semantic indexes from FTS-only fallback rebuilds to fail-closed sync aborts until the embedding provider recovers.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes after-fix live output from a real macOS semantic memory store showing the provider outage abort, preserved semantic vectors, and recovered vector search after provider restart.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix live output from a real macOS semantic memory store showing the provider outage abort, preserved semantic vectors, and recovered vector search after provider restart.

Evidence reviewed

PR surface:

Source +42, Tests +30, Docs +1. Total +73 across 7 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	2	42	0	+42
Tests	4	30	0	+30
Docs	1	1	0	+1
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	7	73	0	+73

What I checked:

• Root policy read: Read the full root AGENTS.md and applied the OpenClaw review guidance requiring compatibility risk handling for fallback behavior changes, real behavior proof review, and scoped AGENTS checks. (AGENTS.md:1, 89a21db627f5)
• Scoped policy read: Read extensions/AGENTS.md; the touched memory-core files are bundled plugin code and the diff stays within the extension boundary without new core imports or SDK surface changes. (extensions/AGENTS.md:1, 89a21db627f5)
• Current-main degradation path: On current main, runSync passes provider:null into shouldRunFullMemoryReindex after reading existing metadata, so a semantic meta.model with no provider is treated as needing a full reindex. (extensions/memory-core/src/memory/manager-sync-ops.ts:1152, 89a21db627f5)
• Current-main reindex condition: shouldRunFullMemoryReindex currently returns true when provider is null and meta.model is not fts-only, which explains the semantic-index-to-FTS-only degradation path. (extensions/memory-core/src/memory/manager-reindex-state.ts:90, 89a21db627f5)
• PR guard implementation: The merge result adds assertFtsOnlySyncAllowed, which allows fresh or already-FTS-only indexes but throws before sync when a configured provider is unavailable and existing metadata is semantic. (extensions/memory-core/src/memory/manager-sync-ops.ts:1097, 8217c3ad5902)
• Provider retry implementation: The PR clears a rejected provider initialization promise and adds resetProviderInitializationForRetry so later syncs can retry discovery after the provider recovers. (extensions/memory-core/src/memory/manager.ts:315, b5f0441e6b21)

Likely related people:

• steipete: Peter Steinberger committed the maintainer refresh commits on this PR and appears as committer on recent memory-core history, including the current provider initialization commit and state-helper extraction. (role: recent area contributor and PR refresh committer; confidence: high; commits: 0a98c2d62697, f4d8393bf4c1, be14365df899; files: extensions/memory-core/src/memory/manager.ts, extensions/memory-core/src/memory/manager-sync-ops.ts, extensions/memory-core/src/memory/manager-reindex-state.ts)
• FullerStackDev: Current-main blame for ensureProviderInitialized and shouldRunFullMemoryReindex attributes the relevant code to commit 0a98c2d authored as FullerStackDev. (role: introduced current provider initialization and reindex behavior; confidence: medium; commits: 0a98c2d62697; files: extensions/memory-core/src/memory/manager.ts, extensions/memory-core/src/memory/manager-reindex-state.ts)
• osolmaz: Commit 7ff29a9 added nearby local embedding worker safety, provider lifecycle, and fallback behavior that this PR interacts with during degraded provider states. (role: adjacent local embedding fallback contributor; confidence: medium; commits: 7ff29a9e6df6; files: extensions/memory-core/src/memory/manager.ts, extensions/memory-core/src/memory/manager-provider-state.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Tiny Review Wisp

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: polishes edge cases.
Image traits: location review cove; accessory little merge flag; palette sunrise gold and clean white; mood celebratory; pose peeking out from the egg shell; shell frosted glass shell; lighting soft studio lighting; background miniature CI buoys.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Tiny Review Wisp in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[yaaboo-gif]

Thanks for the review. The blocking P1 compatibility issue has been addressed in the latest head (d266f062) by narrowing the guard to only abort when an existing semantic index would be downgraded to FTS-only. Fresh/default provider: "auto" users and already-FTS-only indexes remain allowed to sync without an embedding provider.

I also updated the PR body with the V2 behavior matrix and explicit after-fix live output for the real behavior proof check.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

[yaaboo-gif]

Thanks to ClawSweeper and everyone who reviewed! 🙏

V2 narrowed the guard to only protect existing semantic indexes (per review feedback), leaving the legitimate FTS-only fallback intact for auto/no-provider users. All 158 checks are green.

This fix addresses silent vector data loss on Gateway restart when the embedding provider is temporarily unreachable — we've verified it in production (11,715 chunks + 1024-dim vectors fully preserved after restart with MLX offline).

Would appreciate a maintainer review when anyone has time. Happy to make any further adjustments.