bug: WebSocket transport disconnects are handled as fatal termination with multiple abrupt disconnect paths

[William17738]

Summary

WebSocket disconnections (from network issues, slow clients, or server-side close) are handled as fatal session termination rather than recoverable events. Multiple code paths convert transient transport issues into permanent session death with no reconnection or graceful degradation.

This is not a guaranteed process panic — I did not find one in static review — but the combination of these paths explains reported behavior where transient disconnects behave like fatal session termination.

Finding 1: Slow or congested clients are proactively disconnected

File: codex-rs/app-server/src/transport.rs

• Line 46: CHANNEL_CAPACITY = 128 (bounded outbound queue).
• Line 592: writer.try_send(message) for disconnectable connections.
• Line 596: TrySendError::Full(_) → immediate disconnect.
• Lines 445-450: inbound Ping handler uses try_send for Pong; queue-full → connection closed.

A slow client that falls 128 messages behind is disconnected without warning or backpressure signal.

Finding 2: WebSocket task teardown is hard-abort

File: codex-rs/app-server/src/transport.rs, lines 363-370

tokio::select! {
    _ = &mut outbound_task => {
        disconnect_token.cancel();
        inbound_task.abort();  // hard abort
    }
    _ = &mut inbound_task => {
        disconnect_token.cancel();
        outbound_task.abort();  // hard abort
    }
}

When either loop exits (including on transient errors), the peer task is force-aborted. This risks dropping tail messages in the outbound queue and bypasses WebSocket close frame semantics.

Finding 3: Realtime WebSocket has zero reconnection logic

File: codex-rs/core/src/realtime_conversation.rs, lines 317-388

spawn_realtime_input_task breaks on any send failure (line 330) or error/close event (lines 351, 359). It sends a RealtimeConversationClosed event and exits permanently. There is no retry or reconnection loop.

File: codex-rs/codex-api/src/endpoint/realtime_websocket/methods.rs

• Line 57: spawns the pump task.
• Line 74: breaks pump loop on send error.
• Line 154: turns failed command delivery into WsError::ConnectionClosed.

Any network hiccup permanently kills the realtime conversation session.

Finding 4: WsStream::Drop aborts pump without sending Close frame

File: codex-rs/codex-api/src/endpoint/responses_websocket.rs, lines 157-161

impl Drop for WsStream {
    fn drop(&mut self) {
        self.pump_task.abort();  // no Close frame sent
    }
}

The remote peer sees a TCP reset rather than a clean WebSocket close. This can cause the peer to log errors or treat the connection as abnormally terminated.

Finding 5: TOCTOU race in send_json

File: codex-rs/codex-api/src/endpoint/realtime_websocket/methods.rs, lines 330-346

async fn send_json(&self, message: RealtimeOutboundMessage) -> Result<(), ApiError> {
    if self.is_closed.load(Ordering::SeqCst) {   // check
        return Err(ApiError::Stream(...));
    }
    self.stream.send(Message::Text(...)).await     // send — connection may close between check and here
        .map_err(...)?;
}

The is_closed check and the actual send() are not atomic. The connection can close between these operations. The error is properly mapped (not a panic), but callers relying on the is_closed guard may not expect send() to still fail.

Context: the responses WebSocket client does have reconnection

For comparison, the responses WebSocket client (codex-rs/core/src/client.rs:730-771) does check conn.is_closed() before each turn and reconnects if needed, with fallback to HTTP after exhausting retries (try_switch_fallback_transport(), line 1062-1088). The realtime path lacks equivalent recovery.

Suggested improvements

1. Add backpressure signaling before disconnecting slow clients (e.g., skip non-critical messages instead of disconnecting).
2. Use graceful shutdown with close frames instead of task.abort().
3. Add a reconnection loop in the realtime conversation path, similar to the responses WebSocket client.
4. Send a WebSocket Close frame in WsStream::Drop before aborting the pump task.
5. Consider merging the is_closed check and send() into a single atomic operation.

I have a fix ready and can submit a PR if invited.

[jkaunert]

A maintainer on #17428 suggested posting bug/design detail rather than PR offers, so here is the websocket-specific design input that was still useful after we refreshed our fork behavior against rust-v0.120.0.

I would narrow the recovery target here to the responses-WebSocket turn path rather than trying to solve every disconnect surface in one pass.

The design that held up best for us was:

1. Treat mid-turn WebSocket disconnect as a transport failure first, not immediate turn-fatal termination.

   • If the socket dies during run_sampling_request() / try_run_sampling_request(), do not let that short-circuit shared cleanup.
   • The cleanup path still needs to run so any completed in-flight tool futures are recorded before retry decisions are made.

2. Preserve partial response identity when a reconnectable attempt had already established server-side response state.

   • If the interrupted attempt had already produced a partial response identity, carry that forward into the next reconnect attempt instead of immediately starting a fresh logical turn.
   • This gives the provider a chance to resume the existing response rather than duplicating or abandoning it.

3. If the provider rejects partial resume with previous_response_not_found, immediately downgrade to a fresh retry.

   • That specific rejection should not be treated as fatal.
   • It means the transport reconnect succeeded but the remote no longer recognizes the partial response anchor, so the client should clear the preserved partial identity and retry from rebuilt conversation history.

4. Rebuild retry input from fresh conversation history for the downgraded retry.

   • If cleanup persisted tool outputs or other state right before the reconnect decision, the downgraded retry must not reuse a stale prompt snapshot.
   • Otherwise the client can reconnect successfully but still omit already-recorded outputs from the next request.

5. Distinguish transport recovery from visible-progress accounting.

   • Commentary-only partial output should not force the retry loop into a "made progress" path if no substantive result was advanced.
   • Otherwise websocket interruptions during commentary-heavy turns can look healthier than they are and spin through misleading retries.

Why I think this narrower framing matters for this issue:

• it isolates a user-visible failure mode in the responses-WebSocket path without requiring a full realtime/session-layer reconnection design
• it composes with #16255, where interrupted streams can otherwise drop tool outputs before retry
• it turns one class of disconnect from fatal-turn behavior into bounded retry behavior with a clean downgrade path

Local validation that passed with this design in place:

• cargo test -p codex-core client_websockets -- --nocapture
• cargo test -p codex-core stream_no_completed -- --nocapture

I’m deliberately keeping this as design detail rather than code, per the maintainer guidance on #17428.