[Task] Add SessionBlocker ledger so unanswered questions stay recoverable

[Astro-Han]

Goal

Backend exposes a SessionBlocker ledger so the frontend does not need to walk message parts and reconcile against question.list to know whether a session is genuinely blocked.

The first user-visible target is question recovery: a question remains a recoverable blocker until the user answers, skips, dismisses, the session is explicitly stopped, the instance shuts down, or a real unrecoverable state error happens.

Priority triage

P1.

Question and permission blockers sit on the core conversation loop. If PawWork asks the user a question and that question disappears, times out as if the user cancelled it, or is recoverable only through frontend snapshot heuristics, the assistant can get stuck or continue without the missing decision. That is a main-session correctness issue, not just architecture cleanup.

This priority is based on the exported unanswered-question case recorded in this issue thread: waiting for user input is not provider silence, and a no-response wait window is not a user decision.

Current P1 slice

Ship a question-only SessionBlocker ledger v0 before widening the design.

1. Add one active ledger entry per pending Question.Request.
2. Include sessionID, requestID, embedded request, tool identity, status: awaiting_user, armedAt, and updatedAt.
3. Wire ledger state into question lifecycle:
   • ask: create pending question and ledger blocker.
   • reply: remove pending question and ledger blocker.
   • explicit dismiss or skip: remove both and emit a terminal rejected reason.
   • session cancel, shutdown, or system error: remove both with an explicit terminal reason.
4. Make LLM silent-stream timeout blocker-aware. While a question blocker is awaiting user input for the stream session, silent-stream timeout must not abort the run.
5. Expose blocker state to the frontend. The frontend should prefer blocker state for rendering and recovering the question dock, then fall back to existing question sync and recovery paths.
6. Keep UI simple. If a hidden question is recovered, show the question. If recovery fails, show a visible failure state with a concrete action.

Scope

In scope:

• New backend ledger keyed by session ID listing currently blocking question interactions with identity and monotonic timing.
• Sync or list surface for active question blockers so the frontend can subscribe or recover.
• Migration plan for the existing frontend snapshot and clock fallback in packages/app/src/pages/session/blockers/question-recovery-{snapshot,clock,reverify}.ts.
• Lost-event coverage after the ledger exists.
• Diagnostics or counters for ledger reconciliation outcomes where useful.

Out of scope:

• Permission ledger in the first PR. Reserve the shape so permission can join later.
• Persisted blockers across process restart.
• Full observability dashboard work.
• Removing old frontend fallback modules in the first ledger PR.
• Redesigning the question dock UI.
• Reworking [Bug] Question dock can remain blocked after skipping a question #352 skip semantics unless a regression is found.
• Halting policy changes. Halt remains the user-action escape hatch.

Relevant files or context

• Current frontend recovery: packages/app/src/pages/session/blockers/question-recovery-{snapshot,clock,reverify}.ts
• Backend question pending: packages/opencode/src/question/index.ts pending map
• Silent stream timeout: packages/opencode/src/session/llm.ts
• Related issue: [Bug] Question tool can block a session without showing the question UI #419
• Related PR: fix(app): recover hidden question blockers #430

Verification

• Configure a short stream timeout, start a question, do not answer, advance past timeout, and assert the question remains in blocker state and question.list().
• Assert no question.rejected is emitted for no-answer timeout.
• Answer after the timeout window and assert the assistant can continue with that answer.
• Simulate missing question.asked or empty frontend question store while backend blocker remains active; assert the dock renders from blocker state.
• Cancel, shutdown, and dismiss still clear the dock with the correct terminal reason and existing interrupted hint behavior.
• E2E: simulate a dropped sync event and assert the ledger reader still surfaces the blocker.

Execution mode

Agent should investigate and propose a plan first.

[Astro-Han]

Follow-ups carried forward from PR #430 review

Two items from the latest review round are deferred onto this ledger work because they're cheaper to do once the authoritative source of truth lands:

• P2.3 — E2E lost-event coverage. Sync-drop simulation infra isn't present today; the natural test once the ledger ships is "drop a sync.blockers event mid-stream → assert recovery still happens." Skipping the simulation under the snapshot/clock approach because the recovery path is best validated against the ledger contract, not the frontend fallback.
• P3.3 — Auto-heal counters / observability. Persistent transient question.list() failures now log a structured warn on give-up (PR fix(app): recover hidden question blockers #430, R16). Counters / dashboards make more sense after the ledger lands and the snapshot/clock module either collapses or goes away — instrumenting a soon-to-shrink module wastes wiring.

Adding both as checklist items below.

• E2E: simulate a dropped sync event and assert the ledger reader still surfaces the blocker (replaces snapshot/clock lost-event coverage)
• Observability: counters or telemetry for ledger reconciliation outcomes, including any residual frontend-side fallback paths

[Astro-Han]

Additional acceptance criteria from unanswered question timeout case

The 2026-05-06 exported session showed that pending question prompts can currently disappear after the wait window if the user does not answer. This should be covered by the SessionBlocker ledger design rather than patched by extending the timeout.

Add these expectations to the ledger work:

• A question remains a recoverable session blocker until the user answers, skips, or explicitly dismisses it.
• A no-response timeout does not remove the blocker and does not let the assistant treat the prompt as intentionally cancelled.
• The ledger should distinguish three cases for diagnostics and assistant context:
  • user has not responded yet,
  • frontend visibility gap: backend has a pending blocker but the dock was not visible,
  • system error / lost state: recovery failed or state is inconsistent.
• If a frontend visibility gap is recovered, just restore the question UI. Do not show extra user-facing warning by default; record it in diagnostics/export and make it available to assistant context.
• If recovery fails, show a visible failure state with a concrete action, such as retry recovery or ask the assistant to re-ask.

This keeps the product behavior simple for users: if the question can be recovered, show the question; if it cannot, tell the user what to do next.

[Astro-Han]

Integrated question-slice plan for #433 + #434

This issue should carry the user-visible fix, with #434 handled in the same vertical PR rather than as a standalone semantic-only change.

New verified code evidence:

• packages/opencode/src/session/llm.ts defines SILENT_STREAM_TIMEOUT_MS as 10 minutes.
• The stream wrapper currently arms setTimeout(() => ctrl.abort(), timeoutMs) and also applies Stream.timeout(Duration.millis(timeoutMs)).
• Question.ask treats the abort signal as terminal cancellation, publishes question.rejected, removes the pending question, and fails with RejectedError({ cancelled: true }).
• That matches the exported-session symptom: unanswered question calls ended after about 601 seconds with Question cancelled before the user answered it.

Product rule:

• Waiting for user input is not provider silence.
• A no-response wait window is not a user decision.
• A question remains a recoverable blocker until the user answers, skips/dismisses, the session is explicitly stopped, the instance shuts down, or a real unrecoverable state error happens.

Minimum vertical slice:

1. Add question-only SessionBlocker ledger v0.

   • One active blocker entry per pending Question.Request.
   • Include sessionID, requestID, embedded request, tool identity, status: awaiting_user, armedAt, and updatedAt.
   • Keep it in-memory and question-only in this PR; reserve kind: question so permission can join later.

2. Wire ledger into question lifecycle.

   • ask: create pending question and ledger blocker.
   • reply: remove pending question and ledger blocker.
   • explicit dismiss/skip: remove both and emit terminal rejected reason.
   • session cancel/shutdown/system error: remove both with explicit terminal reason.

3. Make LLM silent-stream timeout blocker-aware.

   • Both timeout mechanisms in llm.ts must be accounted for: the abort timer and Stream.timeout(...).
   • While a question blocker is awaiting user input for the stream session, silent-stream timeout must not abort the run.
   • When the blocker is removed, reset/resume timeout behavior.

4. Expose blocker state to the frontend.

   • Add blocker list/sync surface for active question blockers.
   • Keep existing question.asked/replied/rejected events for compatibility.
   • Frontend should prefer blocker state for rendering/recovering the question dock, then fall back to existing sync.data.question and current recovery paths.

5. Keep UI simple.

   • If a hidden question is recovered, just show the question. Do not add a user-facing warning by default.
   • If recovery fails, show a visible failure state with a concrete action.

Out of scope for this PR:

• Permission ledger.
• Persisted blockers across process restart.
• Full observability/dashboard work.
• Removing old frontend fallback modules.
• Redesigning the question dock UI.
• Reworking [Bug] Question dock can remain blocked after skipping a question #352 skip semantics unless a regression is found.

Key acceptance tests:

• Configure a short stream timeout, start a question, do not answer, advance past timeout, and assert the question remains in blocker state and question.list().
• Assert no question.rejected is emitted for no-answer timeout.
• Answer after the timeout window and assert the assistant can continue with that answer.
• Simulate missing question.asked / empty frontend question store while backend blocker remains active; assert the dock renders from blocker state.
• Cancel/shutdown/dismiss still clear the dock with the correct terminal reason and existing interrupted hint behavior.

This is intentionally larger than a #434-only contract PR, but smaller than full #433. It fixes the user-visible question UX while laying the same shape that the full backend SessionBlocker ledger can extend later.