fix(feishu): gate onConfirmedConnect on readyState OPEN (P2 nonce-delay fix)

zhangxin840 · claude · zhangxin840 · commit 99d18b489398 · 2026-04-06T10:10:02.000+08:00
The SDK's reconnect nonce delay can be up to 30 s. During this window `lastConnectTime` is already non-zero (set by the failed initial attempt) and stable, so FEISHU_WS_STABLE_TICKS_REQUIRED (2 ticks ≈ 20 s) is reached before the nonce expires. This triggered `onConfirmedConnect` falsely, setting `hadSuccessfulConnect = true` even though no connection was established — causing boot-time failures to reset `supervisorAttempt` to 0 and preventing exponential backoff escalation. Fix: gate `onConfirmedConnect` on the same `getWsReadyState()` check added in the previous commit. If `readyState === 1` (OPEN) or is not observable (null, for tests/future SDK changes — backward-compatible fallback), fire the callback. If readyState is known but not OPEN (e.g. 0=CONNECTING during nonce wait), defer confirmation until the socket is actually open. `getWsReadyState()` is extracted as a shared helper used by both the confirmed-connect path and the post-reconnect stall-clock clear path. Regression test added: "does not confirm connection during nonce delay" — verifies that readyState CONNECTING blocks onConfirmedConnect and allows supervisorAttempt to increment on subsequent stall. Addresses Codex P2 in #57978 (2026-04-06 review comment on line 267 of monitor.transport.ts). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/extensions/feishu/src/monitor.cleanup.test.ts b/extensions/feishu/src/monitor.cleanup.test.ts
@@ -324,6 +324,71 @@ describe("feishu websocket cleanup", () => {
     vi.useRealTimers();
   });
 
+  it("does not confirm connection during nonce delay (P2 regression — readyState gate)", async () => {
+    // Scenario: initial connect attempt fires (lastConnectTime advances once),
+    // then the SDK enters its reconnect nonce delay (up to 30 s). During that
+    // window lastConnectTime is stable and non-zero, but the socket is not OPEN
+    // (readyState = 0 CONNECTING). onConfirmedConnect must NOT fire, so
+    // hadSuccessfulConnect stays false and supervisorAttempt increments on stall.
+    vi.useFakeTimers();
+
+    const accountId = "alpha";
+
+    let connectTime = 0;
+    // readyState starts at 0 (CONNECTING) — simulates the SDK in nonce delay.
+    const mockWsInstance = { readyState: 0 /* CONNECTING */ };
+    const firstClient: MockWsClient = {
+      start: vi.fn(),
+      close: vi.fn(),
+      getReconnectInfo: vi.fn(() => ({ lastConnectTime: connectTime })),
+      wsConfig: { getWSInstance: vi.fn(() => mockWsInstance) },
+    };
+
+    const abortController = new AbortController();
+    const secondClient = createWsClient();
+    secondClient.getReconnectInfo.mockReturnValue({ lastConnectTime: 0 });
+
+    createFeishuWSClientMock.mockReturnValueOnce(firstClient).mockReturnValueOnce(secondClient);
+
+    const monitorPromise = monitorWebSocket({
+      account: createAccount(accountId),
+      accountId,
+      runtime: { log: vi.fn(), error: vi.fn(), exit: vi.fn() },
+      abortSignal: abortController.signal,
+      eventDispatcher: {} as never,
+    });
+
+    // Tick 0: lastConnectTime = 0, no-op.
+    await vi.advanceTimersByTimeAsync(10_000);
+
+    // Initial connect attempt fires — lastConnectTime advances.
+    connectTime = Date.now();
+    await vi.advanceTimersByTimeAsync(10_000); // connectChangeCount = 1, stable = 0
+
+    // Nonce delay: lastConnectTime stable for 2 ticks, but readyState = CONNECTING.
+    await vi.advanceTimersByTimeAsync(10_000); // stable = 1
+    await vi.advanceTimersByTimeAsync(10_000); // stable = 2 → readyState CONNECTING → no confirm
+
+    // Nonce expires; SDK fires reconnect attempt.
+    connectTime = Date.now() + 1;
+    await vi.advanceTimersByTimeAsync(10_000); // connectChangeCount = 2, staleSinceMs set
+
+    // Freeze — no more attempts. Advance 90 s to trip the stall.
+    await vi.advanceTimersByTimeAsync(90_000);
+
+    // onConfirmedConnect did not fire (readyState was CONNECTING, not OPEN),
+    // so hadSuccessfulConnect = false and supervisorAttempt incremented.
+    expect(computeBackoffMock).toHaveBeenCalled();
+    const firstCall = computeBackoffMock.mock.calls[0] as unknown as [unknown, number] | undefined;
+    expect(firstCall?.[1] ?? 0).toBeGreaterThanOrEqual(1);
+
+    abortController.abort();
+    await vi.runAllTimersAsync();
+    await monitorPromise;
+
+    vi.useRealTimers();
+  });
+
   it("clears stall clock after successful reconnect — no false eviction (P1 regression)", async () => {
     // Scenario: initial connect → reconnect attempt (stall clock starts) →
     // reconnect succeeds (WS readyState OPEN + lastConnectTime stable for ≥2 ticks)
diff --git a/extensions/feishu/src/monitor.transport.ts b/extensions/feishu/src/monitor.transport.ts
@@ -201,6 +201,20 @@ function runFeishuWSClientUntilDead(params: {
 }): Promise<"aborted" | "stalled"> {
   const { wsClient, eventDispatcher, accountId, log, abortSignal, onConfirmedConnect } = params;
 
+  // Read the underlying WebSocket's readyState via the SDK's private wsConfig
+  // shape. Returns the numeric state (0–3) when available, or null when the
+  // accessor is absent (e.g. in tests without a full mock, or after a future
+  // SDK refactor). Callers treat null as "unknown — fall back to stable ticks."
+  function getWsReadyState(): number | null {
+    try {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const wsInstance = (wsClient as any).wsConfig?.getWSInstance?.();
+      return wsInstance != null ? (wsInstance.readyState as number) : null;
+    } catch {
+      return null;
+    }
+  }
+
   return new Promise<"aborted" | "stalled">((resolve) => {
     if (abortSignal?.aborted) {
       resolve("aborted");
@@ -257,14 +271,25 @@ function runFeishuWSClientUntilDead(params: {
 
       // lastConnectTime is unchanged this tick.
 
-      // Accumulate stable ticks only when the SDK has actually recorded a
-      // connect attempt (lastConnectTime non-zero) and the stall clock has not
-      // yet fired (connection looks healthy on the initial connect path).
+      // Accumulate stable ticks on the initial-connect path (staleSinceMs null).
+      // Fire onConfirmedConnect once we have enough stable evidence AND the
+      // WebSocket is actually open.
+      //
+      // The readyState gate prevents a false positive during the SDK's reconnect
+      // nonce delay (up to 30 s): after a failed initial connect, lastConnectTime
+      // is already non-zero and stable during the nonce wait, but the socket is
+      // not OPEN yet. If readyState is not observable (null), we fall back to
+      // stable-tick-only confirmation to preserve backward compatibility.
       if (!confirmedConnectFired && lastConnectTime !== 0 && staleSinceMs === null) {
         connectedAndStableCount += 1;
         if (connectedAndStableCount >= FEISHU_WS_STABLE_TICKS_REQUIRED) {
-          confirmedConnectFired = true;
-          onConfirmedConnect?.();
+          const readyState = getWsReadyState();
+          if (readyState === null || readyState === 1 /* WebSocket.OPEN */) {
+            confirmedConnectFired = true;
+            onConfirmedConnect?.();
+          }
+          // readyState is known but not OPEN (e.g. CONNECTING during nonce wait) —
+          // do not fire; check again next tick without resetting the counter.
         }
       }
 
@@ -274,38 +299,29 @@ function runFeishuWSClientUntilDead(params: {
       }
 
       // A reconnect attempt was recorded (staleSinceMs set). Before declaring
-      // a stall, check whether the underlying WebSocket is actually open — this
-      // is the only signal that reliably distinguishes a fast successful
-      // reconnect (readyState === OPEN → clear stall clock) from SDK retry
-      // exhaustion (CLOSED/CONNECTING → keep the clock).
+      // a stall, check whether the underlying WebSocket is actually open — the
+      // only signal that reliably distinguishes a fast successful reconnect
+      // (readyState OPEN → clear stall clock) from SDK retry exhaustion
+      // (CLOSED/CONNECTING → keep the clock running).
       //
       // We wait for FEISHU_WS_STABLE_TICKS_REQUIRED consecutive stable ticks
-      // before checking, to avoid a false positive while the SDK is still
-      // mid-handshake after the reconnect attempt.
-      //
-      // wsConfig is accessed via the SDK's runtime shape (not the public type).
-      // The whole block is guarded so that any future SDK refactor degrades
-      // gracefully to the existing stall-detection behaviour instead of throwing.
+      // before checking, to avoid clearing prematurely while a handshake is
+      // still in progress. If readyState is not observable we leave the stall
+      // clock running (conservative: prefer a false restart over a silent death).
       if (lastConnectTime !== 0) {
         connectedAndStableCount += 1;
         if (connectedAndStableCount >= FEISHU_WS_STABLE_TICKS_REQUIRED) {
-          try {
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            const wsInstance = (wsClient as any).wsConfig?.getWSInstance?.();
-            if (wsInstance != null && wsInstance.readyState === 1 /* WebSocket.OPEN */) {
-              // WebSocket is open — reconnect confirmed. Clear the stall clock
-              // so a healthy recovered session is not falsely evicted after 90 s.
-              log(
-                `feishu[${accountId}]: WebSocket reconnect confirmed (readyState OPEN); ` +
-                  `clearing stall clock`,
-              );
-              staleSinceMs = null;
-              connectedAndStableCount = 0;
-              return;
-            }
-          } catch {
-            // wsConfig private API unavailable; fall through to normal stall check.
+          const readyState = getWsReadyState();
+          if (readyState === 1 /* WebSocket.OPEN */) {
+            log(
+              `feishu[${accountId}]: WebSocket reconnect confirmed (readyState OPEN); ` +
+                `clearing stall clock`,
+            );
+            staleSinceMs = null;
+            connectedAndStableCount = 0;
+            return;
           }
+          // readyState is CLOSED/CONNECTING/null — stall clock continues.
         }
       }
 
