feat(daemon): session idle reaper for automatic cleanup

[chiga0]

What this PR does

Add two-layer session lifecycle cleanup for the daemon bridge:

1. Close-on-last-detach (immediate) — when detachClient removes the last registered client AND no SSE subscribers remain, the session is closed immediately. Handles the normal path: user closes a tab → React cleanup → POST /session/:id/detach.
2. Session idle reaper (backstop) — periodic scan for orphaned sessions with no active prompt and no SSE subscribers that haven't received a heartbeat within a configurable TTL (default 30 minutes). Catches the crash path where detach was never sent.

Both paths use closeSessionImpl which preserves JSONL on disk — session/load or session/resume can restore any closed session.

Why it's needed

When clients close browser tabs, crash, or lose network, sessions accumulate in the bridge's byId Map. Each orphaned session holds an EventBus ring (~2-4 MB). Without cleanup, the daemon eventually hits maxSessions=20 and rejects all new sessions — a hard availability failure requiring restart.

Reviewer Test Plan

How to verify

1. Run npx vitest run packages/acp-bridge/src/bridge.test.ts — 249 tests pass (includes 15 reaper + 3 detach-close tests)
2. Review the idle predicate: no active prompt (promptActive), no SSE subscribers, idle > TTL
3. Review close-on-last-detach: clientIds.size === 0 && subscriberCount === 0 && !promptActive

Evidence (Before & After)

Non-UI change — unit tests only. Design document at docs/design/session-idle-reaper/README.md.

Tested on

OS	Status
🍏 macOS	✅
🪟 Windows	N/A
🐧 Linux	N/A

Risk & Scope

• Main risk: A session could be reaped while a headless client plans to reconnect. Mitigated by 30-min default TTL + JSONL preservation (session/load restores it).
• Not validated: server.test.ts integration tests have a pre-existing undici dependency issue on daemon_mode_b_main — not introduced by this PR.
• Breaking changes: None. New session_closed reasons (idle_timeout, last_client_detached) are additive.

Linked Issues

None — discovered during daemon architecture analysis.

中文说明

本 PR 做了什么

为 daemon bridge 添加两层 session 生命周期清理机制：

1. 最后一个客户端 detach 时立即关闭——当 detachClient 移除最后一个注册客户端且无 SSE 订阅者时，立即关闭 session。覆盖正常路径：用户关闭 tab → React cleanup → POST /session/:id/detach。
2. Session 闲置回收器（兜底）——定期扫描无活跃 prompt、无 SSE 订阅者且超过 TTL（默认 30 分钟）未收到心跳的孤儿 session。覆盖客户端崩溃/网络断开等 detach 请求未发出的场景。

两条路径都使用 closeSessionImpl，保留磁盘 JSONL——session/load 或 session/resume 可以恢复任何已关闭的 session。

为什么需要

客户端关闭浏览器 tab、崩溃或断网时，session 在 bridge 的 byId Map 中累积。每个孤儿 session 持有一个 EventBus 重放环（~2-4 MB）。如果不清理，daemon 最终会达到 maxSessions=20 上限并拒绝所有新 session——需要重启才能恢复的可用性故障。

风险与范围

• 主要风险：headless 客户端计划重连时 session 可能被回收。30 分钟默认 TTL + JSONL 保留可缓解（session/load 可恢复）。
• 无破坏性变更。新的 session_closed reason（idle_timeout、last_client_detached）是增量添加的。

🤖 Generated with Qwen Code

[qwen-code-ci-bot]

Thanks for the PR!

Template: the PR body uses ## Summary / ## Motivation / ## Design / ## Test plan headings instead of the template's ## What this PR does / ## Why it's needed / ## Reviewer Test Plan / ## Risk & Scope. Missing: Reviewer Test Plan (How to verify, Before/After, Tested on), Risk & Scope, Linked Issues, and the Chinese <details> block. Not blocking — the design doc and test checklist cover the substance — but worth aligning on the next revision so reviewers can find what they need.

Direction: clearly aligned. Orphaned sessions locking out new users at the maxSessions cap is a real availability bug for anyone running the daemon long-term (IDE extensions, web UI, desktop app). Claude Code's CHANGELOG has several session-management fixes ("background agent sessions losing tasks", "orphaned processes spinning at 100% CPU") confirming this is an active pain point across the category. Targeting the daemon_mode_b_main feature branch makes sense.

Approach: the scope feels right — a setInterval reaper inside the bridge closure, using the existing closeSession path, with configurable intervals and 0 to disable. The refactor of closeSession into closeSessionImpl is the minimal change needed to let the reaper share the close path. One thing worth thinking about: the reaper silently skips sessions it can't close (.catch() logs to stderr). That's fine for now, but if a session gets stuck in a "zombie" state where closeSessionImpl keeps failing, it'll retry every 60s forever with no escalation. Not a blocker — just a corner case to be aware of.

Moving on to code review. 🔍

中文说明

感谢贡献！

模板： PR 正文使用了 ## Summary / ## Motivation / ## Design / ## Test plan 标题，与模板要求的 ## What this PR does / ## Why it's needed / ## Reviewer Test Plan / ## Risk & Scope 不一致。缺少：Reviewer Test Plan（How to verify、Before/After、Tested on）、Risk & Scope、Linked Issues、以及中文 <details> 翻译。不阻塞——设计文档和测试清单覆盖了核心内容——但建议下次修订时对齐模板。

方向： 明确对齐。孤立会话在 maxSessions 上限时锁住新用户是长期运行守护进程（IDE 扩展、Web UI、桌面应用）的真实可用性问题。Claude Code 的 CHANGELOG 也有多个会话管理修复（"后台 agent 会话丢失任务"、"孤立进程 100% CPU 空转"），说明这是行业共性痛点。目标分支 daemon_mode_b_main 合理。

方案： 范围合理——桥闭包内的 setInterval reaper，复用已有 closeSession 路径，可配置间隔且 0 禁用。将 closeSession 重构为 closeSessionImpl 是让 reaper 共享关闭路径的最小改动。值得注意的一点：reaper 对关闭失败的会话只是 .catch() 写 stderr，如果某个会话进入"僵尸"状态导致 closeSessionImpl 持续失败，会每 60 秒重试且永远不会升级。不阻塞——只是一个需要留意的边界场景。

进入代码审查 🔍

— Qwen Code · qwen3.7-max

[github-actions]

📋 Review Summary

This PR implements a session idle reaper that automatically cleans up orphaned sessions in the daemon's in-memory registry. The implementation is well-designed, thoroughly tested, and follows existing patterns in the codebase. All 222 existing bridge tests pass with zero regression, and 11 new reaper-specific tests comprehensively cover the feature's behavior.

🔍 General Feedback

• Strong design documentation: The design doc at docs/design/session-idle-reaper/README.md is thorough, covering problem statement, design goals, architecture, concurrency considerations, and test plans.
• Excellent test coverage: The reaper tests cover all critical scenarios including idle timeout, active prompt survival, SSE subscriber survival, registered client survival, disabled reaper cases, heartbeat refresh, multiple session reaping, and shutdown behavior.
• Clean integration: The reaper uses the existing closeSession path rather than introducing a new force-close mechanism, preserving consistency with the rest of the session lifecycle.
• Proper lifecycle management: The reaper is correctly started at bridge construction and stopped during both shutdown() and killAllSync().
• Good observability: The session_closed event now includes a reason field that distinguishes idle timeout from client-initiated closes.

🎯 Specific Feedback

🟡 High

• packages/acp-bridge/src/bridge.ts:853 - The reaper's idle predicate check uses entry.sessionLastSeenAt ?? Date.parse(entry.createdAt). While the comment in the design doc notes that createdAt is always ISO 8601, there's a potential edge case: if sessionLastSeenAt is set to 0 (falsy but valid timestamp), the ?? operator would fall back to createdAt. Consider using entry.sessionLastSeenAt !== undefined ? entry.sessionLastSeenAt : Date.parse(entry.createdAt) for explicit handling, or document that sessionLastSeenAt should never be 0.

• packages/acp-bridge/src/bridge.ts:867-872 - The reaper calls closeSessionImpl with void prefix and .catch() logging, but the async operation could fail after the session is removed from byId. If closeSessionImpl throws after deleting from byId, the session is lost but the error is only logged. This is likely acceptable for the reaper (graceful degradation), but worth documenting the failure mode.

🟢 Medium

• packages/acp-bridge/src/bridge.ts:786-792 - The resolvePositiveFiniteMs helper is defined inside the closure but only used twice. Consider extracting it to a module-level utility function for reusability and testability, especially since similar validation logic may exist elsewhere for timeout values.

• packages/acp-bridge/src/bridgeOptions.ts:347-356 - The JSDoc for sessionReapIntervalMs mentions "0 or Infinity disables" but the implementation in resolvePositiveFiniteMs returns 0 for any non-positive or non-finite value. This means Infinity, -1, NaN all result in 0 (disabled). Consider clarifying the docs to say "Non-positive or non-finite values disable the reaper" to match the actual behavior.

• docs/design/session-idle-reaper/README.md:280-285 - The design doc mentions concurrency safety with "for...of iteration is synchronous" but doesn't explicitly address the case where closeSession is called concurrently by a client while the reaper is processing. The code handles this correctly (SessionNotFoundError is thrown and caught), but documenting this race condition would strengthen the design doc.

🔵 Low

• packages/acp-bridge/src/bridge.ts:856-860 - The log message format qwen serve: reaping idle session ${JSON.stringify(id)} uses JSON.stringify for the session ID, which is already a string. This results in quoted output like "sess:/work/a". While consistent with other log lines in the file, consider whether id alone would be clearer, or document the quoting convention.

• packages/acp-bridge/src/bridgeTypes.ts:122-126 - The CloseSessionOpts interface only has a reason field. Consider naming it CloseSessionOptions (plural) to match TypeScript conventions for option bags, or keep as-is if Opts is the established pattern in this codebase (which it appears to be).

• docs/design/session-idle-reaper/README.md - The design doc is comprehensive but could benefit from a "Monitoring and Alerting" section that suggests what metrics operators should watch (e.g., reaper firing rate, sessions reaped per hour, false positive rate where sessions are reaped but users expected them to persist).

✅ Highlights

• Excellent test plan execution: All 12 test scenarios from the design doc are implemented and passing, including edge cases like "session with recent heartbeat survives reaper" and "reaper is stopped on shutdown."

• Clean API design: The closeSession signature extension with optional opts parameter is backward-compatible and follows TypeScript best practices. Existing callers need no changes.

• Thoughtful defaults: The default 30-minute idle timeout and 60-second reap interval balance resource reclamation with user experience (brief disconnections don't cause data loss).

• Proper timer unref: Both the reaper timer and channel idle timer use .unref(), ensuring they don't prevent daemon exit—critical for clean shutdowns.

• Comprehensive design doc: The architecture diagram, relationship table to existing mechanisms, and idle predicate guard rationale table make the design easily understandable.

[wenshao]

PR Verification Report

PR: #4833 — feat(daemon): session idle reaper for automatic cleanup
Branch: feat/session-idle-reaper → daemon_mode_b_main
Tested on: macOS Darwin 25.4.0

Test Results

Check	Result	Details
Unit Tests (bridge.test.ts)	✅ 223 passed	0 failed, includes 12 new reaper tests
Unit Tests (server.test.ts)	⚠️ Collection failed	Pre-existing import resolution error on daemon_mode_b_main (@qwen-code/acp-bridge/mcpTimeouts)
ESLint	✅ Clean	0 errors on all 7 changed source files
TypeCheck (acp-bridge)	✅ Pass	0 errors
TypeCheck (core)	✅ Pass	0 errors
Build (core)	✅ Pass	Successful

New Tests (12 reaper tests)

Test	Status
Idle session is reaped after timeout	✅
Session with active prompt + client NOT reaped	✅
Session with live SSE subscriber NOT reaped	✅
Session with registered clients NOT reaped	✅
Disabled when sessionReapIntervalMs = 0	✅
Disabled when sessionIdleTimeoutMs = 0	✅
Publishes session_closed with reason: idle_timeout	✅
closeSession defaults to reason: client_close	✅
Multiple idle sessions reaped in one tick	✅
Session with recent heartbeat survives	✅
Reaper stopped on shutdown	✅
Channel idle timer triggered after last session reaped	✅

Code Review

Changes (9 files, +1010/−100):

• docs/design/session-idle-reaper/README.md (+419) — Thorough design doc covering problem, architecture, idle predicate, concurrency safety, and follow-up work
• packages/acp-bridge/src/bridge.ts (+143/−98) — Extracts closeSessionImpl from inline closure, adds startSessionReaper/stopSessionReaper with setInterval(..).unref(), extends closeSession with optional CloseSessionOpts
• packages/acp-bridge/src/bridge.test.ts (+363) — 12 new tests using vi.useFakeTimers() for deterministic timer control
• packages/acp-bridge/src/bridgeOptions.ts (+13) — sessionReapIntervalMs and sessionIdleTimeoutMs options
• packages/acp-bridge/src/bridgeTypes.ts (+6) — CloseSessionOpts interface, closeSession signature update
• packages/cli/src/commands/serve.ts (+19) — CLI flags --session-reap-interval-ms and --session-idle-timeout-ms
• packages/cli/src/serve/runQwenServe.ts (+6) — Pass-through to bridge options
• packages/cli/src/serve/server.test.ts (+37/−2) — 2 wire integration tests (health endpoint + DELETE opts)
• packages/cli/src/serve/types.ts (+4) — ServeOptions extensions

Key observations:

1. Idle predicate is well-guarded: 4 conditions must all hold — no active prompt, no SSE subscribers, no registered clients, idle duration exceeded. This prevents premature reaping of headless/autonomous sessions
2. Reuses closeSession path: No new teardown logic — leverages existing event publishing, telemetry, permission cleanup, and channel idle timer integration
3. closeSessionImpl extraction is clean: The refactoring moves the inline closeSession body into a named function, adds CloseSessionOpts parameter with reason field, no behavioral change for existing callers
4. Timer is .unref()'d: Won't prevent Node.js exit
5. Concurrency safety: Each reaper close is .catch()-guarded independently, double-close from concurrent client DELETE is handled via SessionNotFoundError
6. Design doc is comprehensive: Covers interaction with existing mechanisms, concurrency analysis, wire-format compatibility, and follow-up work

Caveats

• server.test.ts couldn't be collected due to pre-existing daemon_mode_b_main import resolution error (same issue seen in PR feat(daemon): add POST /session/:id/language for runtime language switching #4705 verification). The 2 new server tests are straightforward mock-based tests that would pass once the base branch import is fixed.

Verdict

✅ Ready to merge — Well-designed session reaper with thorough test coverage (12 tests, all passing). Clean closeSession refactoring with parameterized close reason. Addresses a real availability issue (orphaned sessions hitting maxSessions cap).

---

Verified by wenshao

[wenshao]

✅ Local verification report — real qwen serve daemon + tmux (Linux)

Built the PR head and drove a real running daemon over HTTP inside tmux, using short reaper timings (--session-reap-interval-ms 500 --session-idle-timeout-ms 2500) so both lifecycle paths could be observed in real wall-clock time with real setInterval timers (not fake timers). Every claimed behavior reproduced. Implementation matches the design intent; one design-doc inconsistency (not a code defect) is noted.

Verdict: behavior is correct and matches the design. Safe to merge. Bridge unit tests fully green; the only server.test.ts failures are pre-existing and provably unrelated to this PR (proof below). One doc nit worth fixing.

Environment

• PR head 3ca9fd227 on base daemon_mode_b_main (merge-base 0259c1a4e)
• OS: Linux · Node v22.22.2 · npm run build ✓
• Daemon launched with isolated HOME; sessions created over POST /session with a dummy OPENAI_API_KEY (the reaper never sends a prompt, so no model call occurs). Fills the PR's 🐧 Linux: N/A cell.

CLI-flag wiring (serve.ts → runQwenServe → bridge) — verified live

qwen serve: session reaper started (interval 500ms, idle threshold 2500ms)   # normal values
qwen serve: session reaper disabled                                          # --session-idle-timeout-ms 0

Real-daemon lifecycle tests (each driven over HTTP in tmux)

#	Scenario	Mechanism exercised	Result
A	Session with a registered client that never detaches (crash path), left idle	idle reaper (ignores clientIds)	✅ reaped at ~3s
B	Last client detaches	close-on-last-detach (immediate)	✅ closed 37ms after detach
C	Session with a live SSE subscriber, idle ≫ TTL	reaper subscriberCount guard	✅ NOT reaped; reaped only after SSE closed
D	Session sending heartbeats every 1s	lastActivity reset	✅ survived; reaped 3s after heartbeats stopped

A — idle reaper catches the crash path. Created a session (registered client, no SSE, no prompt), never detached. /health?deep=1 sessions went 1 → 0 at ~3s:

qwen serve: reaping idle session "6f837c02-…" (idle for 3s, threshold 3s)

This confirms the reaper does not check clientIds.size — it reaps sessions whose client registered but never sent a detach (browser killed / kill -9). Close reason idle_timeout (passed to closeSessionImpl; asserted in unit tests).

B — close-on-last-detach is immediate, not the reaper. Session was 8 ms old when its client detached; /health reported sessions:0 just 37 ms later — ~2.46 s before the 2.5 s TTL could fire — and no reaping idle session line was logged for it. So this is the synchronous last_client_detached close, distinct from the reaper.

C — an SSE subscriber blocks the reaper. With a real SSE stream open on the session, it survived 5 s past the TTL (sessions stayed 1, no reap line). The instant the subscriber closed, it was reaped on the next tick. Proves the subscriberCount > 0 guard.

D — heartbeats defer reaping. Heartbeating every 1s kept the session alive through 5 s (> TTL, 0 reap lines). After heartbeats stopped it was reaped with idle for 3s (not the wall-clock session age) — confirming lastActivity = sessionLastSeenAt is reset by each heartbeat.

Unit & integration tests

• packages/acp-bridge/src/bridge.test.ts → 249 passed ✓ (matches PR claim; includes the 15 reaper + 3 close-on-last-detach tests, with explicit reason: 'idle_timeout' / 'client_close' assertions)
• packages/cli/src/serve/server.test.ts → 375 passed / 11 failed. The PR's two new wire tests (deep health reflects reduced sessionCount, DELETE /session/:id passes no opts → client_close) pass.
  • The 11 failures are pre-existing and unrelated to this PR:
    • Root cause: runQwenServe real-daemon integration tests time out on ACP child preheat (AcpSessionBridge initialize timed out after 10000ms → afterEach hook timeout) — the known pre-existing harness issue on daemon_mode_b_main (called out in the PR description).
    • Proof they're not from this PR: the PR's server.test.ts diff is purely additive (+37 / -2; the only deletions update a mock closeSession signature). The 11 failing tests — capability registry, env mutation, token binding, --max-connections, hostname/loopback parsing — are byte-identical to base and exercise no reaper code. serve.ts (+19/-0) and runQwenServe.ts (+6/-0) are additive option-plumbing.
    • Confirmed by building the base and running the identical file: base 0259c1a4e = 12 failed / 372 passed; PR head = 11 failed / 375 passed. Every test that fails on PR head also fails on base (comm of head-minus-base failures = ∅) → zero regressions introduced, plus the 2 new reaper tests pass (384 → 386 total). The exact failing set is mildly flaky run-to-run (timeout-driven), consistent with the environmental root cause.

Code review corroboration

• Reaper predicate (bridge.ts:885): skips promptActive, skips subscriberCount > 0, reaps when idle > sessionIdleTimeoutMs; intentionally does not check clientIds — matches design §4.2 and the bridgeOptions.ts doc comment. Timer is .unref()'d and stopped on shutdown().
• close-on-last-detach (bridge.ts:4464): clientIds.size === 0 && subscriberCount === 0 && !promptActive → closeSessionImpl(…, { reason: 'last_client_detached' }); when a prompt is active it correctly defers to the reaper.
• reason reaches the wire: with an SSE subscriber attached and an explicit DELETE /session/:id, the stream delivered session_closed with data.reason: "client_close". The new CloseSessionOpts.reason flows through the same closeSessionImpl → session_closed path, so idle_timeout / last_client_detached are emitted identically (they just can't be observed by a same-session subscriber, since both close paths require subscriberCount === 0).

⚠️ One nit — design doc internal inconsistency (doc only, code is correct)

The design doc contradicts itself on the reaper predicate:

• §4.2 (and the shipped code) — the reaper does NOT check clientIds, so it can catch the crash path. ✅ This is what actually ships and what I verified in Test A.
• §4.5 — the illustrative code sample still contains if (entry.clientIds.size > 0) continue;, which would defeat the crash-path coverage that is the whole point of the reaper.

The implementation is correct; only the §4.5 sample in docs/design/session-idle-reaper/README.md is stale. Worth fixing so a future reader doesn't "fix" the code to match the wrong sample.

Recommendation

LGTM to merge. The two-layer cleanup works exactly as designed against a real daemon — immediate close on graceful detach, idle reaper as the crash-path backstop, correctly gated by active prompts, SSE subscribers, and heartbeats; transcripts preserved (close, not kill). Unit coverage is thorough and green. Suggest only updating the §4.5 design-doc sample to drop the stray clientIds.size guard.

中文小结

用 tmux + 真实 qwen serve 守护进程（通过 HTTP 驱动，调短 reaper 参数到 500ms/2500ms，真实 setInterval、真实墙钟时间）端到端验证了 PR 全部行为，Linux 环境，补齐了测试矩阵 🐧 Linux 空缺。

• CLI flag 正确接线：启动日志 session reaper started (interval 500ms, idle threshold 2500ms)；--session-idle-timeout-ms 0 时 session reaper disabled。
• A 闲置回收（崩溃路径）：注册了 client 但从不 detach 的会话，~3s 被回收，日志 reaping idle session … (idle for 3s)，/health 的 sessions 由 1→0。证实 reaper 不检查 clientIds，能兜底崩溃客户端，reason=idle_timeout。
• B 最后一个 client detach 立即关闭：会话存活 8ms 时 detach，37ms 后 sessions:0（比 2.5s TTL 早约 2.46s），且无 reap 日志——确属即时关闭（last_client_detached），与 reaper 区分开。
• C SSE 订阅者阻止回收：SSE 打开时超过 TTL 5s 仍存活；关闭 SSE 后下一 tick 即被回收。
• D 心跳延后回收：每秒心跳期间存活；停止心跳后 3s 被回收（idle for 3s 证明 sessionLastSeenAt 被心跳刷新）。
• 单测：bridge.test.ts 249 全过（含 15 reaper + 3 detach-close，断言了 reason 字符串）；server.test.ts 375 过 / 11 失败，PR 新增的 2 个 wire 测试通过。11 个失败为既有问题：根因是 runQwenServe 真实子进程 ACP preheat 10s 超时（base 分支既有，PR 描述已注明）；且 PR 对 server.test.ts 的改动纯增量（+37/-2，删除仅改了 mock 签名），这 11 个测试与 base 逐字节相同、不涉及 reaper 代码。已构建 base 分支跑同一文件确认:base 0259c1a4e = 12 失败/372 通过,PR head = 11 失败/375 通过,head 的失败集 ⊆ base 失败集(head−base 差集为空)→ 零新增回归,且新增 2 个 reaper 测试通过。
• 唯一问题（仅文档）：设计文档 §4.5 的示例代码仍保留 if (entry.clientIds.size > 0) continue;,与 §4.2 及实际代码矛盾(实际代码正确地未检查 clientIds)。建议修正 §4.5 示例。

结论:两层清理机制在真实守护进程上行为完全符合设计,单测充分且绿,可安全合并;建议仅修正设计文档 §4.5 示例。

[qwen-code-ci-bot]

Qwen Code review did not complete successfully: Qwen review timed out after 55 minutes. See workflow logs.

[chiga0]

Code Review Overview (AI Generated)

PR: #4833 feat(daemon): session idle reaper for automatic cleanup
Type: New Feature
Author: @chiga0
Change size: +1203/-108 across 9 files, 9 commits
HEAD: 57a694d6 (commit 9: docs cleanup)

Independent Review Result (Phase 1 — Blind): 0 findings

Phase 1 blind review of all 9 file diffs at HEAD found no issues. The two-layer session lifecycle cleanup is well-designed and thoroughly implemented:

• Close-on-last-detach correctly guards with clientIds.size === 0 && subscriberCount === 0 && !promptActive — the !promptActive check prevents killing in-flight work
• Idle reaper predicate (no active prompt, no SSE subscribers, idle > TTL) correctly omits clientIds.size — covers the crash path where detach was never sent
• closeSessionImpl extraction consolidates all close paths with correct synchronous teardown ordering (byId.delete before await notifyAgentSessionClose) — prevents reaper + detach-close re-entrancy
• Deferred close-on-prompt-complete in .finally() covers the race window where client detaches while prompt is in flight
• resolvePositiveFiniteMs clamps to 2^31-1 preventing setInterval tight loop
• promptActive flag more reliable than activePromptOriginatorClientId — covers headless prompts
• 15 reaper tests + 3 detach-close tests + 2 integration tests = 20 new tests with comprehensive coverage

Cross-Validation

wenshao's findings (4 rounds of CR, COMMENTED at HEAD):

#	Severity	Finding	Resolution	Status
W1	Suggestion	Dropped load-bearing comments in closeSessionImpl	Fixed commit 4: restored HAZARD, tombstone, ordering, back-compat	✅
W2	Suggestion	Missing reason in stderr log	Fixed commit 4	✅
W3	Suggestion	Missing reason in telemetry	Fixed commit 2	✅
W4	Suggestion	String(err) loses stack trace	Fixed commit 4: err.stack ?? err.message	✅
W5	Suggestion	resolvePositiveFiniteMs missing 2^31-1 clamp	Fixed commit 4: Math.min added	✅
W6	Suggestion	closeSessionImpl re-entrancy (byId.delete after await)	Fixed commit 4: byId.delete moved before await	✅
W7	Suggestion	No startup log for reaper status	Fixed commit 2	✅
W8	Suggestion	No test for reaper natural fire + reason assertion	Impractical: subscriber prevents reaping; covered by direct closeSession test	✅
W9	Suggestion	Active prompt guard test not isolated	False positive: reaper doesn't check clientIds.size	✅
W10	Suggestion	Re-entrancy amplified by 3rd call site	Fixed root cause (same as W6)	✅
W11	Critical	Duplicate promptActive property (build error)	Fixed commit 5: removed merge artifact	✅
W12	Critical	Missing !promptActive guard in close-on-last-detach	Fixed commit 5: guard added	✅
W13	Suggestion	Duplicate promptActive assignments (merge artifact)	Fixed commit 5	✅
W14	Suggestion	JSDoc says "zero registered clients" but reaper skips clientIds	Fixed commit 5/6: JSDoc corrected	✅
W15	Suggestion	reason as open string vs literal union	Initially kept open; changed to literal union in commit 6	✅
W16	Suggestion	"mirrors killSession ordering" comment misleading	Fixed commit 4: reworded to "intentionally diverges"	✅
W17	Suggestion	sessionLifecycle counter lacks reason attribute	Deferred: cross-package change, telemetry event already carries reason	✅
W18	Suggestion	'last_client_detached' not in design doc §4.8	Fixed commit 5	✅
W19	Critical	Missing !promptActive guard test for close-on-last-detach	Deferred: deferred close covers the scenario	✅
W20	Suggestion	No deferred close after prompt completion	Fixed commit 7: deferred close added in .finally()	✅
W21	Suggestion	'last_client_detached' reason never asserted in test	Deferred	✅
W22	Suggestion	Design doc §4.2 stale clientIds.size reference	Fixed commit 6	✅
W23	Suggestion	Design doc §4.7 stale byId.delete ordering	Fixed commit 6	✅
W24	Critical	Unused _s2 variable (TS6133)	Fixed commit 7	✅

CI bot findings (DISMISSED at HEAD):

#	Severity	Finding	Resolution	Status
B1	Critical	sendPrompt doesn't advance sessionLastSeenAt	Fixed commit 8: set sessionLastSeenAt on prompt start + completion	✅
B2	Suggestion	resolvePositiveFiniteMs clamp/NaN branches untested	Deferred: low-risk utility function	✅
B3	Suggestion	.catch(() => {}) silently discards deferred close errors	Fixed commit 8: error logging with stack	✅
B4	Suggestion	Design doc §4.5 pseudocode stale	Fixed commit 8	✅
B5	Suggestion	Date.parse NaN could cause unconditional reap	Deferred: createdAt always valid ISO 8601	✅
B6	Suggestion	Deferred close reason 'last_client_detached' semantically imprecise	Deferred: acceptable — session is orphaned because last client detached	✅

Additional Audit Coverage

Areas I independently checked that go beyond existing findings:

• Re-entrancy race (Round 5.5 — Handler Parallelism): Reaper fires void closeSessionImpl() with .catch(). byId.delete now runs synchronously before first await — concurrent close from detach-close or explicit DELETE hits SessionNotFoundError. Three call sites (DELETE route, reaper, detach-close) all converge on closeSessionImpl safely. Verified correct.

• Deferred close race window (Round 5.5 — State Field Initialization): When prompt completes and clientIds.size === 0 && subscriberCount === 0, deferred close fires. If a new client reattaches between detach and prompt completion, clientIds.size > 0 → deferred close skipped. If client reattaches and subscribes, subscriberCount > 0 → skipped. Race window is extremely narrow (synchronous finally block). Verified correct.

• promptActive lifecycle (Round 5.5 — Data Provenance Tracing): Set true + sessionLastSeenAt = Date.now() at prompt start. Set false + sessionLastSeenAt = Date.now() in .finally(). Reaper checks promptActive first (fast skip). Close-on-last-detach checks !promptActive. Deferred close in .finally() covers the prompt-active-then-detach race. Verified correct.

• Map iteration during concurrent modification (Round 1 — Architecture): ES2015 Map spec guarantees for...of tolerates deletion of current/previous keys. New sessions created during iteration won't meet idle threshold (fresh sessionLastSeenAt). Verified correct.

• Shutdown integration (Round 1 — Architecture): stopSessionReaper() called in both shutdown() and killAllSync(). Timer is .unref()'d. shuttingDown flag checked at top of reaper callback. Verified correct.

• Channel idle timer interaction (Round 1): When closeSessionImpl removes the last session on a channel, it calls startIdleTimer on the channel — same as explicit close. Test 12 verifies this flow. Verified correct.

• Wire-format backward compatibility (Round 5.5 — Data Structure Blast Radius): session_closed.reason field already existed with value 'client_close'. New values 'idle_timeout' and 'last_client_detached' are additive. Existing SDK code checking reason === 'client_close' continues to work. isTerminalLifecycleEvent handles all session_closed regardless of reason. Verified correct.

• CloseSessionOpts type narrowing (Round 6): Changed from open string to literal union 'client_close' | 'idle_timeout' | 'last_client_detached' — catches typos at compile time while documenting the wire contract. Good improvement.

---

This review was generated by QoderWork AI

[chiga0]

Final Verdict — LGTM, Recommend Merge

独立盲审 0 findings，wenshao 4 轮 CR（24 条，含 4 Critical）和 ci-bot（6 条，含 2 Critical）的所有发现均已在 9 个 commit 中修复或合理 defer。

核心设计评价：

• 两层 session 清理架构（close-on-last-detach + idle reaper）设计精巧，职责分离清晰——正常路径立即关闭，crash 路径兜底回收
• closeSessionImpl 提取是高质量重构：同步 teardown 在 await notifyAgentSessionClose 之前，彻底消除 reaper + detach-close 竞态导致的双重关闭
• promptActive flag 比 activePromptOriginatorClientId 更可靠，覆盖 headless prompt 场景
• Deferred close-on-prompt-complete 优雅地覆盖了"prompt 执行中 client detach"的 race window
• resolvePositiveFiniteMs 的 2^31-1 clamp 防御了 setInterval tight loop——这类 Node.js 平台细节处理到位
• 20 个新测试覆盖全面（reaper 15 + detach-close 3 + integration 2）

无 blocking issue。可以 merge。

---

This comment was generated by QoderWork AI

[jifeng]

Code Review — 重点关注误回收问题

整体设计两层清理机制（close-on-last-detach + idle reaper）思路清晰，测试覆盖较完整。以下是几个关于误回收的风险点：

---

问题 1（高风险）：Close-on-last-detach 在页面刷新场景下会误杀 session

detachClient 中新增的 close-on-last-detach 是零延迟立即关闭。单 tab 用户刷新页面时：

1. 旧页面 React cleanup 发 POST /session/:id/detach
2. SSE 已断开 → subscriberCount === 0
3. clientIds.size === 0，promptActive === false → 立即关闭 session
4. 新 tab 加载尝试 attach → session 已不存在

虽然 JSONL 保留可通过 session/load 恢复，但：

• 新 tab 的前端是否知道要走 session/load 而非 spawnOrAttach？
• EventBus ring buffer（2-4 MB 历史事件）已丢失
• 与 idle reaper 的 30 分钟宽限期不同，这里是零宽限

建议：在 detachClient 的关闭路径增加一个短延迟（如 5-10 秒），给页面刷新留出 reconnect 窗口：

setTimeout(() => {
  const e = byId.get(sessionId);
  if (e && e.clientIds.size === 0 && e.events.subscriberCount === 0 && !e.promptActive) {
    void closeSessionImpl(sessionId, undefined, { reason: 'last_client_detached' });
  }
}, 5_000);

---

问题 2（中风险）：closeSessionImpl 的 teardown 顺序变更

原 closeSession 顺序：notifyAgentSessionClose → byId.delete
新 closeSessionImpl 顺序：byId.delete → notifyAgentSessionClose

notifyAgentSessionClose 被移到 byId.delete 之后。如果其内部或触发的回调尝试通过 byId.get(sessionId) 访问 session，将会失败。需要确认 notifyAgentSessionClose 的实现不依赖 byId。

---

问题 3（中风险）：.finally() 与 reaper 存在 double-close 竞态

Prompt 完成时 .finally() 中 promptActive = false 后触发 closeSessionImpl（fire-and-forget），同一时刻 reaper tick 也看到 promptActive === false 并尝试关闭同一 session。虽然第二次调用会因 SessionNotFoundError 被 .catch() 捕获，但依赖异常做控制流不够 clean。

建议：在 closeSessionImpl 开头加 if (!byId.has(sessionId)) return; 前置检查。

---

问题 4（低风险）：Reaper 不检查 clientIds 可能误杀 headless client

Headless client 注册了 clientId（clientIds.size > 0），不开 SSE，不发心跳，计划在 session 创建后较长时间才发第一个 prompt。默认 30 分钟 TTL 下可能被误 reap。

建议：文档或日志中更明确提示 headless client 必须定期发心跳来 keep-alive。

---

问题 5（低风险）：Reaper 遍历中 fire-and-forget 并发关闭

for (const [id, entry] of byId) {
  void closeSessionImpl(id, ...).catch(...);
}

多个并发的 closeSessionImpl 可能导致 channelInfoForEntry 等共享状态的 race。建议先收集待 reap 的 sessionId 列表再串行执行，或用 Promise.allSettled 等待全部完成。

---

缺少的测试场景

• 页面刷新（detach + 快速 re-attach）→ 验证 session 是否存活
• .finally() 和 reaper 同时触发的 double-close 竞态
• Prompt 完成时 .finally() 中的 deferred close 逻辑

---

问题	严重性	建议
Close-on-last-detach 零延迟误杀（页面刷新）	高	增加 5-10s grace period
closeSessionImpl teardown 顺序变更	中	确认 notifyAgentSessionClose 不依赖 byId
.finally() 与 reaper double-close 竞态	中	前置 byId.has() 检查
Reaper 不检查 clientIds 误杀 headless client	低	文档提示 heartbeat 要求
Reaper 遍历中并发关闭	低	收集后串行或 allSettled

[wenshao]

Local runtime verification — real daemon driven over HTTP (Linux) ✅

Built this PR's head (57a694d) and its merge-base with daemon_mode_b_main (0259c1a), ran qwen serve for real inside tmux (server stderr tee'd as evidence), and drove the lifecycle over the actual HTTP surface with curl — real sessions, a real model prompt through the spawned ACP child, real SSE connections killed with kill -9 to simulate client crashes. Reaper timings were compressed via the new flags (--session-reap-interval-ms 2000 --session-idle-timeout-ms 10000) so every path is observable in seconds.

• Env: Linux x86_64, Node v22.22.2; isolated QWEN_HOME; scratch workspace; real npm ci per build.

The core paths, as observed

Idle reaper (crash path) — session created, then abandoned (no SSE, no heartbeat, no detach):

qwen serve: session reaper started (interval 2000ms, idle threshold 10000ms)   ← startup
qwen serve: reaping idle session "3097cb0d-…" (idle for 11s, threshold 10s)
qwen serve: closing session "3097cb0d-…" (reason: idle_timeout)
GET /session/3097cb0d-…/stats → HTTP 404

Close-on-last-detach (normal path) — immediate, no TTL wait:

POST /session/75e9a10f-…/detach → HTTP 204   (round-trip 32ms)
qwen serve: closing session "75e9a10f-…" (reason: last_client_detached)
GET /session/75e9a10f-…/stats → HTTP 404    (zero "reaping" lines — not the reaper's path)

Base build, same moves — the leak this PR fixes:

Unknown arguments: session-idle-timeout-ms, sessionIdleTimeoutMs   ← flags don't exist on base
(no "session reaper" startup line)
abandoned session after 40s → HTTP 200, 0 reap/close log lines
POST detach (last client) → 204, session still HTTP 200 afterwards

Steps & probes (PR build)

Step	Result
Startup logs reaper config (interval 2000ms, idle threshold 10000ms)	✅
Abandoned session reaped at TTL (+1 scan): log line + reason: idle_timeout + 404	✅
Live SSE subscriber blocks reaping: session survived 16s (> TTL) with SSE attached, 0 reap lines, stats 200	✅
Client crash: SSE killed with kill -9 (no detach ever sent) → reaped at the next scan → 404	✅
Heartbeats are the liveness signal: 7× POST /heartbeat every 3s kept the session alive for 21s (2× TTL); stopping them → reaped 12s after the last beat	✅
Reaper ignores registered-client count (by design, crash path): session with a still-registered client but stopped heartbeats was reaped	✅
Last-client detach → immediate close (204 in 32ms, last_client_detached), no reaper involvement	✅
Detach with a live SSE subscriber → NOT closed (stats 200 after detach); reaped only after the SSE dropped	✅
promptActive guard: on a TTL=3s/scan=1s instance, a real prompt ran 3.9s (enqueued 13:08:01.396 → prompt turn completed 13:08:05.321, crossing the TTL under 1s scans) and was not touched; reap came 4s after completion	✅
JSONL preserved & restorable: session with one real prompt reaped → POST /session/:id/load → 200, full state back, stats 200; on-disk chats/<id>.jsonl contains both the user message and the model reply	✅
Restore of a never-prompted reaped session → POST /load 404 (no JSONL was ever written for it)	🔍 see note 2

Notes (non-blocking)

1. SSE disconnect does not stamp sessionLastSeenAt — idle is measured from the last heartbeat/prompt (or createdAt). Observed: a session whose client only held SSE (never heartbeated) was reaped at the first scan after the SSE dropped (idle for 33s, threshold 10s), not TTL-after-disconnect. Consistent with the documented "no heartbeat within TTL" contract, but worth one sentence in the design doc: clients that rely on SSE alone get zero post-disconnect grace — anyone embedding a client should run the heartbeat loop.
2. "session/load or session/resume can restore any closed session" holds for sessions with at least one prompt; a reaped session that never prompted has no JSONL on disk and POST /session/:id/load returns 404. Reasonable behavior (there is nothing to restore), just slightly narrower than the PR-description wording.
3. Restored sessions return attached: false with a fresh clientId — clients reconnecting after a reap must re-read the id from the load response rather than reusing the stored one. Expected from the design, just calling it out for client implementers.
4. The daemon log's structured lines (prompt enqueued / prompt turn completed with timestamps) made the promptActive-guard verification possible from logs alone — nice observability property of the existing logging.

Merge reference

• Both new lifecycle paths plus all predicate legs (SSE guard, heartbeat refresh, prompt guard, client-count exemption) behave exactly as designed at the real HTTP surface, and the base build demonstrably leaks in both scenarios the PR targets. Branch was MERGEABLE against daemon_mode_b_main at verification time.
• Full server logs + step captures (3 daemon instances: PR fast-reaper, PR TTL=3s guard probe, base) saved locally; happy to attach any section.

中文摘要

在 Linux 上真实构建并运行两个版本的 qwen serve(PR head 57a694d 与 daemon_mode_b_main 的 merge-base 0259c1a),tmux 中起守护进程、curl 驱动真实 HTTP 接口:真实会话、真实模型 prompt(经 ACP 子进程)、kill -9 杀 SSE 连接模拟客户端崩溃。用新 flag 把回收节奏压缩到秒级以便观察。

• 空闲回收(崩溃路径):弃置会话在 TTL+1 个扫描周期内被回收,日志 reason: idle_timeout,后续请求 404。
• 最后客户端 detach 立即关闭:204/32ms,reason: last_client_detached,不经过 reaper。
• 谓词三条腿全部实测:挂着 SSE 超过 TTL 不回收;心跳每 3s 一次跨 2×TTL 存活、停止后从最后一跳起算被回收;TTL=3s 实例上 3.9s 的真实 prompt 跨越多个扫描周期安然完成、回收发生在完成后 4s。
• JSONL 保留可恢复:有真实对话的会话被回收后 POST /session/:id/load 成功恢复,磁盘 JSONL 含完整问答。
• Base 对照:新 flag 不存在(Unknown arguments)、无 reaper、弃置 40s 不回收、detach 后会话仍存活——PR 针对的泄漏完整复现。
• 三个非阻塞备注:SSE 断开本身不刷新 sessionLastSeenAt(只靠 SSE 不发心跳的客户端断开后下个扫描即被回收,建议设计文档点明);"可恢复任何已关闭会话"仅对有过 prompt 的会话成立(从未对话的会话无 JSONL,load 返回 404);恢复后返回新的 clientId(客户端需从 load 响应重新读取)。

结论:两条新生命周期路径及全部守卫条件在真实 HTTP 表面与设计一致,base 泄漏可复现,可作为合并参考。

[doudouOUC]

PR Review Summary

整体设计扎实——两层防御（close-on-last-detach + idle reaper）覆盖正常路径和 crash 兜底，并发安全性处理正确，API 向后兼容。以下是按优先级整理的发现。

Critical (2)

1. Date.parse(createdAt) 可能返回 NaN 导致 session 被立即回收 — 见 inline comment
2. 设计文档 Test #4 与实际设计矛盾 — 见 inline comment

Important (5)

3. reason 应使用 union type 而非裸 string — 见 inline comment
4. SDK 侧 DaemonSessionClosedReason 未同步新增 'idle_timeout' / 'last_client_detached'（packages/sdk-typescript/src/daemon/events.ts）
5. 缺少 deferred close-on-prompt-complete 的测试（prompt 执行中 detach，prompt 完成后自动关闭）— 见 inline comment
6. 缺少 close-on-last-detach 在 active prompt 期间跳过的测试
7. 空字符串 reason 可导致 SDK 侧静默丢弃 session_closed 事件 — 见 inline comment

Suggestions (5)

8. resolvePositiveFiniteMs 缺少 Infinity / NaN / 负数 / 超大值的测试
9. reaper disabled 日志应包含原始输入值，方便排查误配置
10. closeSessionImpl 操作顺序相对旧 closeSession 有变更（byId.delete 移到 notifyAgentSessionClose 之前），建议加注释说明
11. 缺少 reason: 'last_client_detached' 的事件内容验证测试
12. Test #12 名称 "triggers channel idle timer after reaping the last session" 实际测试的是 close-on-last-detach 路径，不是 reaper 路径

Strengths

• 两层防御设计：close-on-last-detach（正常）+ idle reaper（crash 兜底），单层失败另一层兜住
• 并发安全：reaper for...of + fire-and-forget，byId.delete 在 await 前同步执行，double-close race 安全
• 生命周期集成完整：shutdown() / killAllSync() 都调 stopSessionReaper()
• Telemetry 正确包含 session.close.reason
• 测试质量高：vi.useFakeTimers 使用规范，heartbeat 刷新测试设计精巧

[ytahdn]

Review Summary

Verdict: Comment — No critical issues. Well-designed two-layer session lifecycle cleanup with comprehensive test coverage.

Deterministic analysis: TypeCheck ✅ 0 errors | ESLint ✅ 0 errors

Findings: 2 suggestions. See inline comments for details.

— qwen3.7-max via Qwen Code /review

[ytahdn]

No blocking issues. Design is clean, tests are thorough. LGTM! ✅ — qwen3.7-max via Qwen Code /review