agents: wrap runEmbeddedAttempt in error boundary + add cancelled liveness state

[100yenadmin]

Problem

Two small but related gaps in the terminal lifecycle coverage from PRs C and H:

1. No uncaught-exception boundary around runEmbeddedAttempt. If the inner run function throws (network glitch, provider SDK bug, runtime OOM), setTerminalLifecycleMeta is never called and the caller gets no terminal lifecycle meta at all. The finally block at run.ts:1783 disposes context but doesn't set a fallback terminal state.

2. No "cancelled" liveness state. In src/agents/pi-embedded-runner/run/incomplete-turn.ts:184, user-initiated abort signals and hard runtime errors both map to "blocked". From the user's perspective these are very different situations — a cancelled run should be visually distinct from a blocked run, and downstream channels may want to surface them differently.

Both are on completion criterion 4 in #64227 — "replay/liveness failures are surfaced as explicit states, not silent disappearance."

Fix

For the exception boundary:

Wrap the main body of runEmbeddedPiAgent in a try/finally or try/catch where the catch path sets:

attempt.setTerminalLifecycleMeta?.({
  replayInvalid: true,
  livenessState: "blocked",  // or a new "errored" state
});

and re-throws. This way every exit has terminal meta set, even uncaught exceptions.

For the "cancelled" state:

1. Add "cancelled" to the EmbeddedRunLivenessState union in src/agents/pi-embedded-runner/types.ts.
2. Update resolveRunLivenessState in incomplete-turn.ts:168-191 to return "cancelled" when params.aborted && !params.timedOut.
3. Update any downstream consumer that does a 4-way match on liveness state to handle the new value (look for "working" | "paused" | "blocked" | "abandoned" grep hits).

Consider whether this interacts with the channel surfacing issue (#64XXX) — the two probably want to land together so the UX is coherent.

Acceptance

• runEmbeddedPiAgent sets terminal meta on every uncaught exception path (regression test with a forced throw).
• User abort produces livenessState: "cancelled" distinct from "blocked" (regression test with a simulated abort).

Part of

#64227 (criterion 4).

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main still exposes only the existing four embedded-run liveness states, still maps abort-without-timeout to blocked, and a thrown embedded attempt reaches runner/auto-reply error handling without replay/liveness metadata.

Reproducibility: yes. Source inspection is enough: resolveRunLivenessState({ payloadCount: 0, aborted: true, timedOut: false, ... }) reaches the blocked branch, and a rejected runEmbeddedAttemptWithBackend crosses the unguarded await before lifecycle metadata is available.

Next step
This is a narrow source-reproducible runtime correctness fix with clear files, regression tests, and no required config or product-policy decision.

Review details

Best possible solution:

Extend the embedded liveness contract in the central type/resolver, preserve timeout/error states separately, and add a runner-level terminal metadata backstop for uncaught attempt failures before rethrowing.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection is enough: resolveRunLivenessState({ payloadCount: 0, aborted: true, timedOut: false, ... }) reaches the blocked branch, and a rejected runEmbeddedAttemptWithBackend crosses the unguarded await before lifecycle metadata is available.

Is this the best way to solve the issue?

Yes. The narrow maintainable fix is to update the shared liveness type/resolver and add a runner error backstop with focused regression coverage, rather than adding config or redesigning the harness SPI.

Acceptance criteria:

• pnpm test src/agents/pi-embedded-runner/run.incomplete-turn.test.ts src/agents/pi-embedded-subscribe.handlers.lifecycle.test.ts src/auto-reply/reply/agent-runner-execution.test.ts
• pnpm check:changed

What I checked:

• Liveness union still omits cancelled: EmbeddedRunLivenessState remains working | paused | blocked | abandoned, so there is no typed cancelled state for embedded runs. (src/agents/pi-embedded-runner/types.ts:113, ae87f7800b2a)
• Abort without timeout still maps to blocked: resolveRunLivenessState returns blocked whenever (aborted || timedOut) && payloadCount === 0, which conflates user cancellation with timeout/blockage. (src/agents/pi-embedded-runner/run/incomplete-turn.ts:384, ae87f7800b2a)
• Attempt dispatch has no local catch: runEmbeddedPiAgent directly awaits runEmbeddedAttemptWithBackend and only normalizes the attempt after that await, so a rejection crosses this boundary before an attempt can set terminal lifecycle metadata. (src/agents/pi-embedded-runner/run.ts:1014, ae87f7800b2a)
• Runner finally is cleanup only: The enclosing finally disposes caches/context/MCP state but does not emit fallback replay or liveness metadata for uncaught attempt failures. (src/agents/pi-embedded-runner/run.ts:2607, ae87f7800b2a)
• Auto-reply error backstop lacks liveness meta for thrown runs: The auto-reply lifecycle backstop only copies livenessState and replayInvalid from successful result metadata; the error phase for thrown runner failures only formats the error. (src/auto-reply/reply/agent-runner-execution.ts:838, ae87f7800b2a)
• Existing test still encodes blocked abort semantics: The lifecycle backstop test models an aborted embedded result as livenessState: "blocked", confirming current coverage has not been updated for cancellation. (src/auto-reply/reply/agent-runner-execution.test.ts:1207, ae87f7800b2a)

Likely related people:

• Peter Steinberger: Local history shows Peter carrying the embedded replay/liveness landing and follow-up refactors around the affected files, including fix: surface replay and liveness state, refactor: consolidate embedded replay state, and fix: finalize OpenAI replay liveness landing. (role: recent maintainer and replay/lifecycle owner; confidence: high; commits: aa5bec4bdf40, 761b71e268a7, 07edaffb0448; files: src/agents/pi-embedded-runner/run.ts, src/agents/pi-embedded-runner/run/incomplete-turn.ts, src/agents/pi-embedded-runner/types.ts)
• 100yenadmin: The issue is tied to the GPT-5.4/Codex parity work, and the provided context plus changelog show related merged PRs [codex] Harden GPT-5.4 runtime paths #70743 and [codex] Add Pi/Codex harness extension seams #70772 credited to this handle while explicitly leaving cancellation/liveness as focused follow-up. (role: domain contributor for related GPT-5.4/Codex runtime hardening; confidence: medium; commits: 600cdedee473, 9f72d93e8fef; files: src/agents/pi-embedded-runner/run.ts, src/agents/pi-embedded-runner/run/incomplete-turn.ts, src/agents/pi-embedded-runner/types.ts)

Remaining risk / open question:

• Adding cancelled extends a runtime metadata contract, so downstream consumers, tests, and lifecycle/status renderers that assume the current four states need to be updated together.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ae87f7800b2a.