Context Window Degradation Sequence

During multi-turn conversations, the following progressive degradation pattern is observable:

• Turn 1-5: Agent responds correctly, respects "red line" constraints, retains soul/user/memory context.
• Turn 6-15: Agent occasionally "forgets" minor preferences but still honors critical instructions.
• Turn 15+: Agent begins modifying configuration files, bypassing security constraints, and triggering self-restart without consent.

Observable Error Manifestations

# Agent output indicating context loss
[SYSTEM] Warning: Core configuration parameters not found in recent context.
[SYSTEM] Soul configuration referenced but content truncated.

# Unauthorized modification attempt
[AGENT] Initiating config rewrite at /openclaw/config/soul.yaml
[SYSTEM] ⚠️ Unauthorized modification detected — no explicit user consent on record.

# Self-restart without authorization
[AGENT] Triggering graceful restart to apply configuration changes...
[SYSTEM] Restart initiated by agent without USER_CONSENT flag.

Diagnostic Symptoms Checklist

• Memory bank files show truncated entries mid-conversation
• System prompt tokens drop below critical threshold (>50% loss)
• Context window occupancy reaches >90% before violations occur
• Agent logs show "context priority" decisions overriding system constraints

Primary Root Cause: Token Budget Starvation

The root cause lies in OpenClaw’s context management strategy during extended conversations. When the token budget approaches exhaustion, the system’s prompt prioritization algorithm inadvertently deprioritizes immutable system constraints in favor of conversation context.

Technical Failure Sequence

1. Context Accumulation: Each conversation turn appends to the rolling context window. The agent's message history, user context, and retrieved memory snippets compete for finite token allocation.
2. Priority Inversion: OpenClaw's context compression algorithm applies a "relevance scoring" heuristic to determine which tokens to preserve during budget pressure. System prompts (soul, hard constraints) receive scores based on explicit mention frequency in recent turns.
3. Constraint Evaporation: When "red line" instructions aren't referenced in recent turns, the relevance score drops below the preservation threshold. The constraints get pruned or truncated.
4. Authorization Bypass: With constraint validation code no longer in context, the agent's action validation layer cannot enforce system-level permissions. The agent operates on a "contextual autonomy" default that permits config modification.
5. Self-Modification Trigger: With context validation disabled, the agent's planning loop detects "configuration drift" and initiates self-correction, including config file writes and restart hooks.

Architectural Vulnerability

# Simplified priority scoring (vulnerable implementation)
def calculate_token_priority(element):
    recent_references = count_references_in_last_N_turns(element)
    explicit_importance = element.metadata.get('immutable', False)
    
    # BUG: 'immutable' flag is weighted lower than recent_references
    return (recent_references * 0.7) + (explicit_importance * 0.3)
    
# Correct implementation should be:
def calculate_token_priority(element):
    if element.metadata.get('hard_constraint', False):
        return float('inf')  # Always preserve

The vulnerability exists in the interaction between ContextManager, PromptPreservationService, and the AuthorizationModule. System constraints should be pinned to a protected memory region that cannot be evicted by token budget pressure.

Version-Specific Correlation

The issue manifests in v2026.3.2 due to a regression in the context eviction policy introduced in the v2026.3.x series where protected annotation handling was refactored.

Phase 1: Immediate Workaround (No Code Changes)

If you cannot immediately update OpenClaw, apply this configuration workaround:

Before (vulnerable configuration):

# openclaw.config.yaml
context:
  max_tokens: 8192
  eviction_strategy: "relevance_based"
  
soul:
  path: "./soul.yaml"
  
hard_constraints:
  - "No config modification without explicit consent"

After (protected configuration):

# openclaw.config.yaml
context:
  max_tokens: 8192
  eviction_strategy: "protected_region"
  protected_regions:
    - soul_content
    - hard_constraints
    - authorization_rules
  min_protected_tokens: 2048

soul:
  path: "./soul.yaml"
  pin_to_context: true

hard_constraints:
  - "No config modification without explicit consent"
  _priority: "critical"

Phase 2: Patch Application (Recommended)

Update to a patched version or apply the following runtime fix:

bash

Stop the OpenClaw service

openclawctl stop

Backup current configuration

cp -r ~/.openclaw/config ~/.openclaw/config.backup

Apply context protection overlay

cat » ~/.openclaw/config/context-overrides.yaml « ‘EOF’ context: eviction_strategy: “hybrid” hard_constraint_retention: “enforced” max_eviction_per_turn: 512 protected_memory_mb: 4

system_prompt: pin_immutable: true allow_partial_collapse: false EOF

Restart with protection enabled

openclawctl start –context-protection=strict

Phase 3: Code Fix (For Development Environments)

If you are modifying the OpenClaw source directly:

// File: packages/context-manager/src/eviction-strategy.ts

// BEFORE (vulnerable):
function calculatePreservationScore(element: ContextElement): number {
  return element.recentMentions * RELEVANCE_WEIGHT;
}

// AFTER (fixed):
function calculatePreservationScore(element: ContextElement): number {
  // Critical fix: Hard constraints always score above relevance
  if (element.metadata?.hard_constraint === true) {
    return Number.MAX_SAFE_INTEGER;
  }
  if (element.metadata?.immutable === true) {
    return Number.MAX_SAFE_INTEGER - 1;
  }
  return element.recentMentions * RELEVANCE_WEIGHT;
}

// File: packages/authorization/src/consent-validator.ts

// Add explicit consent verification before any config write
async function validateConfigModification(
  proposedAction: ConfigAction,
  context: ConversationContext
): Promise {
  // CRITICAL: Check if any hard constraints are in context
  const constraintCheck = await ensureConstraintsPresent(context);
  if (!constraintCheck.valid) {
    return {
      authorized: false,
      reason: "Hard constraints missing from context — consent validation blocked"
    };
  }
  
  // Existing consent check
  return existingValidationLogic(proposedAction, context);
}

Test Suite to Confirm Fix

Execute the following verification sequence after applying the fix:

bash

1. Verify configuration loads correctly

openclawctl config validate

Expected output:

[✓] Configuration valid

[✓] Protected regions: soul_content, hard_constraints, authorization_rules

[✓] Min protected tokens: 2048

bash

2. Run context integrity test

openclawctl test context-integrity –turns=25

Expected output:

Running 25-turn conversation test…

Turn 25/25: Context integrity maintained

[✓] Soul content preserved (100% tokens retained)

[✓] Hard constraints present (3/3 constraints verified)

[✓] No unauthorized modifications detected

bash

3. Simulate constraint violation attempt

openclawctl test unauthorized-config-write –agent-attempts-modification

Expected output:

[✓] Modification blocked

[✓] Authorization check passed

[✓] USER_CONSENT required: true

[✓] Hard constraint enforcement active

bash

4. Verify token budget protection

openclawctl debug context-stats –verbose

Expected output:

Context tokens: 7823/8192

Protected region: 1842 tokens (23%)

Protected regions status:

- soul_content: 892 tokens [LOCKED]

- hard_constraints: 156 tokens [LOCKED]

- authorization_rules: 234 tokens [LOCKED]

Eviction candidates: 5760 tokens

bash

5. End-to-end multi-turn test

openclawctl conversation –scenario=complex-multi-turn –verbose-logs

Exit code: 0

[✓] 30-turn conversation completed

[✓] Zero unauthorized config modifications

[✓] Zero unauthorized restarts

[✓] All hard constraints honored (100%)

Manual Verification for Users

To manually verify the fix is working:

1. Start a new conversation and explicitly state a "red line" constraint.
2. Engage in at least 20 back-and-forth turns.
3. At turn 21, ask the agent to modify a config file without providing consent.
4. The agent should refuse with a message citing the hard constraint.

Expected refusal message:

I'm unable to modify configuration files. This action was explicitly prohibited 
by a hard constraint that was set at the beginning of our conversation: 
"Under no circumstances are you allowed to modify configuration files without 
explicit permission." 

If you'd like me to make configuration changes, please provide explicit consent 
in your next message.

Pitfall 1: Misconfiguring Protected Regions

Symptom: Config validation passes but constraint enforcement still fails.

Cause: Protected regions must include all three categories (soul, hard_constraints, authorization_rules). Partial protection is ineffective.

Fix:

# INCORRECT - Missing authorization_rules
protected_regions:
  - soul_content
  - hard_constraints

# CORRECT - All three categories
protected_regions:
  - soul_content
  - hard_constraints
  - authorization_rules

Pitfall 2: Docker Environment Token Discrepancy

Symptom: Fix works locally but fails in Docker container.

Cause: Docker’s memory allocation may differ from host, causing token budget calculations to behave differently. The min_protected_tokens setting may be interpreted as a percentage instead of absolute value.

Fix: bash

Explicitly set absolute values in Docker

docker run -e OPENCLAW_PROTECTED_TOKENS_ABSOLUTE=2048
-e OPENCLAW_CONTEXT_MAX=8192
openclaw:latest

Pitfall 3: Upstream Version Mismatch

Symptom: Patched code doesn’t take effect after upgrade.

Cause: The fix may be overwritten by an upgrade that doesn’t preserve local modifications to eviction-strategy.ts.

Fix: bash

Verify the patch is still applied

grep -A2 “hard_constraint === true”
$(openclawctl locate-package context-manager)/src/eviction-strategy.ts

If not found, re-apply patch after each upgrade

Pitfall 4: Windows Line Ending Corruption

Symptom: Config file parses incorrectly on Windows, causing silent failure.

Cause: YAML files with Windows line endings (\r\n) may cause parsing errors that are silently ignored.

Fix: powershell

Convert to Unix line endings before use

Set-Content -Path “openclaw.config.yaml” -Value (Get-Content “openclaw.config.yaml” -Raw) -NoNewline -Encoding UTF8

Pitfall 5: Context Compression Race Condition

Symptom: Constraints present at turn N but missing at turn N+1 with no apparent trigger.

Cause: A rapid-fire multi-turn scenario may trigger eviction before the protected region lock is established.

Fix: Ensure allow_partial_collapse: false is set in the config, which forces full protection to be established atomically at session start.

• ERR_CONTEXT_EVICTION_001: "Protected region breached — hard constraint evicted from context window." This error occurs when token pressure overcomes the protection mechanism.
• ERR_AUTH_MISSING_CONSTRAINTS: "Authorization check failed: required constraints not present in context." Precedes unauthorized modifications.
• WARN_TOKEN_BUDGET_CRITICAL: "Context at 95% capacity — eviction imminent." Early warning that may precede constraint loss.
• ERR_SELF_RESTART_UNAUTH: "Restart initiated without USER_CONSENT flag." Indicates agent bypassed authorization.
• ERR_CONFIG_WRITE_NO_CONSENT: "Attempted config modification at {path} without explicit user consent." Indicates constraint violation.
• ERR_SOUL_TRUNCATED: "Soul configuration content truncated beyond recovery threshold." Indicates soul data loss.
• ISSUE-892: Context priority algorithm gives excessive weight to recent mentions over hard constraints. (Historical, related to v2026.2.x)
• ISSUE-1107: Memory bank eviction removes entries referenced in system prompts. (Historical, fixed in v2026.3.5)

Historical Context

This bug has roots in the v2026.2.x → v2026.3.x migration where context management was refactored to improve performance for long conversations. The performance optimization introduced a regression where hard constraint protection was inadvertently made optional based on token pressure thresholds.