[Feature] Recover model runs after tool activity on transport disconnect

[Astro-Han]

Revision 2 (2026-06-10) — this body is the only authoritative version. The original body proposed interactive recovery prompts (continue / retry / stop buttons). That design was dropped after a full shaping pass and two adversarial design reviews; the settled direction is silent-first recovery with zero new UI. The design-lock comment below carries the full rationale, code anchors, and the implementation brief.

What task are you trying to do?

When PawWork's connection to a model provider drops during or after tool activity, the session should recover silently and keep going — without ever repeating a side effect, and without throwing away work that already happened. Network jitter is normal for long-running agent sessions; a disconnect must feel like nothing happened, not like a crash.

Which area would this change affect?

Model harness, prompts, tools, or session mechanics

What do you do today?

#939 covers the simpler cases (no output yet, reasoning-only, text-started). For tool-phase disconnects the engine is at its worst today:

• A transport disconnect interrupts in-flight tool executions (packages/opencode/src/session/llm.ts:269 passes the same abort signal to tool execute as to streamText; processor.ts cleanup waits TOOL_CLEANUP_TIMEOUT_MS = 1s then marks unsettled tool parts as interrupted errors). The side effect may already have happened, the result is thrown away, and a replay would run the tool again.
• The recovery decision table in run-incident/policy.ts (merged in [Bug] Reasoning-only UND_ERR_SOCKET disconnects do not auto recover #939) already derives ask_user_before_retry / offer_continue recommendations for every tool phase, but the consumption layer degrades all of them to a halt with a static English string stuffed into the assistant error (processor.ts recoveryInterruptionMessage). The session stops dead; the user cannot tell whether resending will repeat a side effect.

What would a good result look like?

One silent recovery pipeline, no interactive recovery UI:

1. A disconnect never kills in-flight tools. Provider stream abort and local tool abort become separate signals: user cancel, lifecycle close, and session delete still abort tools; a transport disconnect does not. In-flight tools run to completion under their own timeouts and their results persist (this requires a completion path that does not depend on stream events).
2. Normalize the broken half-turn into legal history. Keep completed tool parts; mark genuinely dead tools (process killed, drain timeout) as tool-level errors carrying an explicit, model-visible caution: "this operation may have started or completed; do not repeat it without verifying / asking the user". Never set the assistant-message-level error in recoverable paths — toModelMessages() would drop the whole turn.
3. One recovery request, with backoff, under the shared safe-recovery budget (raised 3 → 5, renamed to a generic recovery-attempt budget): if the broken turn produced nothing visible and no tool ran, silently replay it; otherwise silently continue from the normalized history. No tool is ever re-executed by the engine.
4. Uncertainty never halts the run. A dead tool surfaces to the model as a normal tool error with the caution text; the model keeps going — it can verify state itself or ask the user conversationally. The only remaining stop is budget exhaustion (network genuinely down), which lands on the existing [Bug] Reasoning-only UND_ERR_SOCKET disconnects do not auto recover #939 safe_retry_failed notice.

What would count as done?

• A transport disconnect while a tool is executing does not interrupt the tool; its result persists and the run continues from that result after reconnect.
• A disconnect on an empty broken turn (no visible output, no tool execution) recovers by silent replay; the user sees only the existing retry status bar.
• A disconnect that leaves a genuinely dead tool marks that tool part as an error with the model-visible do-not-repeat caution, and the run continues; the engine never re-executes a tool call that already started.
• Recoverable paths never set the assistant-message error; the normalized half-turn survives toModelMessages() into the next request.
• The recovery budget is 5 attempts per turn, shared by replay and continue, with the existing backoff; exhaustion lands on the existing safe_retry_failed notice and clean idle state.
• Integration tests (TestLLMServer, simulated disconnect) cover: mid-text, mid-tool-input, tool call materialized but not executed, tool executing and drained to completion, tool executing and genuinely dead (caution reaches model context; no re-execution), budget exhausted.
• The interrupted-tool error card shows localized plain-language copy (what is uncertain, what to check); one snap visual check.

What should stay out of scope?

• Interactive recovery cards, continue/retry/stop buttons, a choice-reply API, sidebar pending markers — cut by design, not deferred.
• Automatic file-snapshot rollback (unreliable and riskier than disclosure; snapshots keep recording, existing undo stays the manual path).
• A separate evaluator model.
• Crash/restart recovery (crash_or_restart_incomplete is a different category).
• Provider-native resume.
• The existing [Bug] Reasoning-only UND_ERR_SOCKET disconnects do not auto recover #939 recovery paths (no-output retry, reasoning-only retry, text continuation) — unchanged.

Which audience does this matter to most?

Both

Extra context

Design history and decision evidence live in the design-lock comment below (shaping pass + two Codex adversarial reviews, 2026-06-10). Key prior art: #925 (retry pipeline + safety gate), #939 (failure classifier, run observability, recovery budget). Competitive grounding: Claude Code retries up to 10× and never lets network failure interrupt local tool execution (tools run between requests), yet still suffers orphaned-tool_use state corruption (claude-code#26729); Codex CLI blind-retries 5× then abandons the task (codex#19121, codex#18723). PawWork's differentiator: zero blind re-runs and zero unnecessary stops.

[Astro-Han]

Design lock (2026-06-10) — settled design + implementation brief

This comment is the single authoritative design record for #927. It supersedes everything before it; the issue body (Revision 2) is the behavioral contract, this comment is the why and the how.

Decision log

1. Silent-first, zero recovery UI. Recovery decisions the engine can prove are taken silently; the only user-visible trace is the existing retry status bar. Interactive recovery cards / continue-retry-stop buttons / a choice-reply API / sidebar pending markers are cut by design: a parked decision is worse than a safe automatic one, and the conversation itself is the interface for anything genuinely ambiguous.
2. A disconnect never kills in-flight tools. The robustness competitors get from architecture (Claude Code runs tools between requests, so network failure never touches them) we get by decoupling: provider-stream abort and local-tool abort become separate signals. This single cut converts most "tool was executing, outcome unknown" cases into "tool completed, result on disk".
3. Uncertainty never halts the run. A genuinely dead tool (process killed, drain timeout) surfaces to the model as a normal tool error carrying an explicit caution — "this operation may have started or completed; do not repeat it without verifying or asking the user" — and the run continues. The model verifies state itself or asks the user conversationally. The anti-duplication mechanism is model-visible context, not UI buttons.
4. No automatic file-snapshot rollback. Considered and cut: auto-revert is unreliable (snapshot covers only tracked worktree files; bash can half-write outside it) and riskier than disclosure (can erase the user's parallel manual edits). Snapshots keep recording; existing undo stays the manual path.
5. Recovery budget 3 → 5, renamed generic. SAFE_RECOVERY_MAX_ATTEMPTS (retry.ts:32) rises to 5 (Claude Code retries 10×, Codex 5×; PawWork rides third-party providers). Replay and continue share one budget; drain itself never consumes it. Budget exhaustion is the only remaining stop, landing on the existing [Bug] Reasoning-only UND_ERR_SOCKET disconnects do not auto recover #939 safe_retry_failed notice.
6. The decision table is already merged — this issue is the consumption layer. run-incident/policy.ts (from [Bug] Reasoning-only UND_ERR_SOCKET disconnects do not auto recover #939) stays the source of recommendations; the work is wiring offer_continue-class outcomes to real actions instead of halt() + static English.

Review trail

• Shaping interview with maintainer (2026-06-10): direction reset from "four-mode decision UI" to silent-first; then to "never stop on uncertainty — trust the agent" (product stance: agents must survive network jitter on long unattended runs; assume models keep getting smarter).
• Codex adversarial review, round 1: confirmed zero-card direction; hardened three points — rollback preconditions (later mooted by cutting rollback), continue must not go through halt() (assistant-level error makes toModelMessages() drop the whole turn), and the uncertainty marker must be model-visible (a UI-only notice would let the model blindly re-run the tool on resend).
• Codex adversarial review, round 2: keep the decoupling step (necessary base); unify replay/continue into one drain → normalize → recover flow; the minimal model-visible marker is the existing ToolStateError (no new part type — toModelMessages() already converts tool errors to model-visible output-error); UI needs zero new states (busy during drain, existing retry during recovery, idle after).

Implementation brief

Two flat PRs from latest dev, sequential (PR2 starts after PR1 merges). Implementer: read the repo-root AGENTS.md first and follow it (worktree-only development, bun install --frozen-lockfile, lint only, no snapshot -u, Conventional Commit titles, PR template, English artifacts, labels). Do not refactor #939 machinery beyond the stated integration points.

PR1 — decouple tool execution from the stream lifecycle (the risky cut)

• Split abort signals. Today llm.ts passes the same input.abort to tool execute (llm.ts:269) and to streamText (llm.ts:394). Introduce a tool-scoped abort wired to user cancel / lifecycle close / session delete only; transport death stops the provider iterator, never the tools.
• Give tool execution a completion path independent of stream events. Tool results currently reach persistence via tool-result stream events; after stream death the engine must still await each in-flight tool's deferred and persist its result and part state. This is the hardest part — if it turns out far more expensive than expected, stop and report back before proceeding.
• Split processor.ts cleanup (TOOL_CLEANUP_TIMEOUT_MS=1s wait at ~line 1104) into two concepts: drainToolCalls (await in-flight tools under their own timeouts, before any recovery decision) and finalizeUnresolvedToolsAsUncertain (only for genuinely dead tools).
• Fix observability ordering: record tool-interrupted facts (pending_tool_parts_interrupted and related, run-observability/recorder.ts) only after drain fails, not at stream death — otherwise the recovery decision sees artificially interrupted tools.
• Tests: unit coverage for the signal split; TestLLMServer integration — disconnect mid-bash, command completes, result persists, facts recorded post-drain.
• This PR is independently shippable: even before PR2, a disconnect no longer destroys in-flight work.

PR2 — recovery consumption (replay / continue / caution)

• Normalize the broken half-turn: keep completed tool parts; set dead tools to state.status="error" with the caution text ("this operation may have started or completed; do not repeat it without verifying with the user") plus metadata (interrupted: true, interruption phase). Never set the assistant-message-level error on recoverable paths — halt() (processor.ts ~1190) writes error.data.message today and toModelMessages() drops errored assistant messages.
• Wire the retry loop (processor.ts ~1482–1550): empty broken turn (no visible text, no tool execution) → remove the half-turn and replay; anything else → build a continue request from the normalized history via MessageV2.toModelMessages(). The engine never re-executes a tool call that already started.
• Budget: SAFE_RECOVERY_MAX_ATTEMPTS 3 → 5; rename replay-specific identifiers to generic recovery-attempt naming; replay and continue share the budget with existing backoff. Exhaustion → existing safe_retry_failed notice path unchanged.
• Retire the static recoveryInterruptionMessage strings (processor.ts:174) on paths that now recover.
• UI: localized plain-language copy for the interrupted-tool error card (packages/ui i18n, en + zh), rendered from the metadata flag; add or extend one snap target for the visual check. No new part types, no new session states.
• Tests: TestLLMServer integration per the acceptance list in the issue body (six disconnect points), plus a contract test pinning that the caution text reaches model context (tool error → output-error in toModelMessages() output).

Execution mode

Maintainer-approved (2026-06-10). Implementation: Codex CLI driven by the maintainer, using this comment as the brief. Review: Claude session does fresh-eye review + the snap visual check on each PR; PR CI is the gate.