[Bug]: Embedded run timeout leaves zombie handle blocking heartbeat delivery

[ai-nurmamat]

Bug Summary

When an embedded run times out but the underlying provider promise never settles (e.g., dead HTTP connection, hung stream), the run handle stays in ACTIVE_EMBEDDED_RUNS permanently. This silently kills all subsequent heartbeat deliveries for the session.

Steps to Reproduce

1. Configure a heartbeat sharing a session with the main agent (default behavior)
2. Trigger a condition where the provider connection hangs (e.g., misconfigured endpoint, network interruption)
3. Wait for the embedded run timeout to fire
4. Observe that ACTIVE_EMBEDDED_RUNS still contains the zombie handle after timeout
5. All subsequent heartbeat ticks are silently dropped

Root Cause Analysis

In src/agents/pi-embedded-runner/run/attempt.ts, clearActiveEmbeddedRun is placed in a finally block:

} finally {
    clearTimeout(abortTimer);
    clearActiveEmbeddedRun(params.sessionId, queueHandle, params.sessionKey);
}

However, this finally only executes when the await abortable(activeSession.prompt(...)) promise resolves or rejects. If the abort signal fires but the provider stream/promise never settles, the finally block never runs.

The abort timer fires and calls abortRun(true), but if the underlying HTTP client does not honor the abort (or the connection is in a state where it cannot be interrupted), the promise hangs indefinitely.

In src/auto-reply/reply/queue-policy.ts:

export function resolveActiveRunQueueAction(params) {
  if (!params.isActive) return "run-now";
  if (params.isHeartbeat) return "drop";  // heartbeat silently killed!
  // ...
}

Since the zombie handle keeps isEmbeddedPiRunActive(sessionId) returning true, every heartbeat tick hits "drop" and exits without any log message.

Observed Behavior

From gateway logs:

2026-03-21T13:08:05 [agent/embedded] embedded run timeout: runId=620fd6bf sessionId=50d88d7d timeoutMs=600000
2026-03-21T13:08:13 [diagnostic] wait for active embedded runs timed out: activeRuns=1 timeoutMs=90000

The zombie run persisted for 10+ hours. During that period, no heartbeat was delivered.

Suggested Fix

After the abort timer fires and a grace period elapses (e.g., 30-60s), forcibly remove the handle:

// In the abort timer callback, after abortRun(true):
setTimeout(() => {
  if (ACTIVE_EMBEDDED_RUNS.get(params.sessionId) === queueHandle) {
    ACTIVE_EMBEDDED_RUNS.delete(params.sessionId);
    notifyEmbeddedRunEnded(params.sessionId);
    log.warn(`force-cleared zombie run: sessionId=${params.sessionId}`);
  }
}, ZOMBIE_CLEANUP_GRACE_MS); // e.g., 30_000

Alternatively, waitForActiveEmbeddedRuns could forcibly clear runs that have exceeded their timeout.

Impact

• Heartbeat failure causes session to appear dead
• No auto-recovery without gateway restart
• Silent failure - very difficult to diagnose

Labels

bug, regression, embedded-run, heartbeat

[Hollychou924]

Analysis: Zombie embedded run blocks heartbeats — finally block never runs when provider promise hangs

The reporter has correctly identified the root cause. This is a promise-not-settling problem, not an abort problem.

The failure chain

abortTimer fires → abortRun(true) called → abort signal fires
  ↓
provider stream/HTTP client does NOT honor abort signal
  ↓
await abortable(activeSession.prompt(...)) hangs forever
  ↓
finally block never runs → clearActiveEmbeddedRun never called
  ↓
ACTIVE_EMBEDDED_RUNS retains zombie handle indefinitely
  ↓
resolveActiveRunQueueAction: isActive=true + isHeartbeat=true → "drop"
  ↓
All heartbeats silently dropped for the session

Fix: Force-clear the handle after timeout + grace period

The reporter's suggested fix is correct. Implement it in the abort timer callback:

// In attempt.ts, inside the abort timer callback:
const abortTimer = setTimeout(() => {
  abortRun(true);
  
  // Force-clear zombie handle if promise still hasn't settled
  const ZOMBIE_GRACE_MS = 30_000; // 30s grace for provider to clean up
  setTimeout(() => {
    const currentHandle = ACTIVE_EMBEDDED_RUNS.get(params.sessionId);
    if (currentHandle === queueHandle) {
      ACTIVE_EMBEDDED_RUNS.delete(params.sessionId);
      notifyEmbeddedRunEnded(params.sessionId);
      log.warn('[agent/embedded] force-cleared zombie run after timeout grace', {
        sessionId: params.sessionId,
        runId: params.runId,
      });
    }
  }, ZOMBIE_GRACE_MS);
}, params.timeoutMs);

Additional fix: waitForActiveEmbeddedRuns should have a hard deadline

waitForActiveEmbeddedRuns currently waits up to 90s (the diagnostic log shows this). After the 90s deadline, it should also force-clear any remaining handles:

// After the 90s wait times out:
for (const [sessionId, handle] of ACTIVE_EMBEDDED_RUNS.entries()) {
  log.warn('[agent/embedded] force-clearing zombie run at shutdown', { sessionId });
  ACTIVE_EMBEDDED_RUNS.delete(sessionId);
  notifyEmbeddedRunEnded(sessionId);
}

Why abort signals don't always work

HTTP clients (node-fetch, undici, got) use the platform's abort signal to cancel in-flight requests. But if the underlying TCP connection is in a broken state (half-open, not draining), the abort may be queued but the promise resolver never called. This is a known Node.js issue with certain network failure modes.

Impact reminder

This bug turns a transient provider timeout into a permanent heartbeat blackout for the session. The only recovery is a gateway restart. Given that heartbeats drive proactive behaviors (reminders, health checks, scheduled actions), this is a serious reliability issue.

[badmutt]

Hitting this with active-memory embedded runs on 2026.4.11. The run times out (anthropic:default → Opus, 15s timeout), the handle stays active, and the gateway enters a zombie state where it's running but can't process any Telegram messages. Related: #65517

[steipete]

Closing this as implemented after Codex review.

Close. Current main already wraps the embedded provider promise in an abort-aware abortable() helper, so a timeout abort rejects the await immediately and the finally cleanup clears the active run handle. The same implementation is present in release v2026.4.22 (00bd2cf7a376f1fba26291c6c4766f1f15cbdfa5).

What I checked:

• Abort-aware wrapper rejects on timeout abort: abortable() listens to runAbortController.signal and rejects immediately on abort instead of waiting for the provider promise to settle. (src/agents/pi-embedded-runner/run/attempt.ts:1803, 60f7a59f5ed5)
• The embedded prompt await is wrapped by abortable(): Both prompt submission paths await abortable(activeSession.prompt(...)), so a hung provider promise does not block exit from the try/finally once the run aborts. (src/agents/pi-embedded-runner/run/attempt.ts:2392, 60f7a59f5ed5)
• Timeout path still funnels through final cleanup: After timeout, abortRun(true) fires from the timer, and the surrounding finally clears the active handle with clearActiveEmbeddedRun(...). (src/agents/pi-embedded-runner/run/attempt.ts:1950, 60f7a59f5ed5)
• Active-run registry cleanup remains in finally: The cleanup path removes the session from the active embedded run registry in finally, which now executes because the abort-aware wrapper rejects on abort. (src/agents/pi-embedded-runner/run/attempt.ts:2706, 60f7a59f5ed5)
• The same guard shipped in the latest release: Release tag v2026.4.22 points at 00bd2cf7a376f1fba26291c6c4766f1f15cbdfa5, and that release already contains the same abortable() wrapper and wrapped prompt call in src/agents/pi-embedded-runner/run/attempt.ts. (src/agents/pi-embedded-runner/run/attempt.ts:1729, 00bd2cf7a376)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 60f7a59f5ed5; fix evidence: release v2026.4.22, commit 00bd2cf7a376.