fix(matrix): contain sync outage failures

[gumadeiras]

Summary

• Problem: Matrix startup reported success before sync was actually ready, and detached Matrix monitor tasks could reject without an owner.
• Why it matters: a homeserver outage could escalate from a channel-scoped failure into a process-wide unhandled rejection crash loop, bypassing gateway.channelMaxRestartsPerHour.
• What changed: Matrix startup now waits for ready sync states, monitor status/fatal sync handling is owned inside the Matrix plugin, and detached monitor work is centrally contained and drained on shutdown.
• What did NOT change (scope boundary): no core Matrix special-casing in gateway orchestration, no new config surface, no global unhandled-rejection policy change.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes Matrix provider connection failure causes rapid gateway process crash loop #62376
• Related Matrix: prompt invite auto-join during onboarding #62168
• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: the Matrix plugin treated matrix-js-sdk startup as ready too early, then left background room-message/verification tasks detached from channel lifecycle ownership.
• Missing detection / guardrail: Matrix sync fatality and detached task rejection never fed back into the Matrix channel task, so global unhandled rejection policy killed the whole gateway before channel restart budgeting could apply.
• Contributing context (if known): matrix-js-sdk emits long-lived sync state transitions after startClient() returns, and replayed/in-flight events during outage windows made orphaned async failures much easier to hit.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: extensions/matrix/src/matrix/sdk.test.ts, extensions/matrix/src/matrix/monitor/index.test.ts, extensions/matrix/src/matrix/monitor/sync-lifecycle.test.ts
• Scenario the test should lock in: startup does not resolve before ready sync, startup times out/fails on sync fatal, detached monitor task failures do not escape as unhandled rejections, and fatal sync errors reject the Matrix channel task.
• Why this is the smallest reliable guardrail: the bug lives at the Matrix SDK/monitor seam, below a full gateway e2e but above pure helper-local logic.
• Existing test that already covers this (if any): none sufficiently covered the startup-readiness or detached-task ownership seam.
• If no new test is added, why not: N/A

User-visible / Behavior Changes

• Matrix startup now waits for real sync readiness before the channel is considered started.
• Fatal Matrix sync failures now stop/restart the Matrix channel instead of crashing the whole gateway process.
• Matrix channel runtime status now reflects starting, healthy, error, and stopped transitions more accurately.

Diagram (if applicable)

Before:
[matrix startClient returns] -> [Matrix marked started] -> [background task rejects] -> [global unhandled rejection] -> [gateway exits]

After:
[matrix startClient returns] -> [wait for ready sync] -> [background task or sync fatal] -> [Matrix channel task rejects] -> [gateway channel restart policy]

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS
• Runtime/container: Node 24 / local repo workspace
• Model/provider: N/A
• Integration/channel (if any): Matrix
• Relevant config (redacted): Matrix account with unreachable homeserver or fatal sync failure after startup

Steps

1. Configure Matrix and start the gateway with an unreachable or failing homeserver.
2. Let Matrix startup or replayed inbound event handling hit a sync/background-task failure.
3. Observe whether the whole gateway exits or only the Matrix channel fails.

Expected

• Matrix stays channel-scoped: startup waits for readiness, fatal sync failures reject the Matrix channel task, and gateway restart budgeting applies at the channel layer.

Actual

• Before this change the gateway could exit from unhandled Matrix monitor rejections, bypassing channel restart controls.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: targeted Matrix tests for startup readiness, startup timeout, unexpected sync fatal, detached room-message failure containment, and intentional shutdown STOPPED handling; local pnpm build.
• Edge cases checked: fatal sync error after startup, detached task rejection sink, intentional shutdown not misclassified as fatal, startup timeout branch with fake timers.
• What you did not verify: full repo pnpm check remains blocked by unrelated preexisting tsgo failures in extensions/msteams/src/attachments.graph.test.ts, src/agents/subagent-registry.test.ts, and src/infra/host-env-security.test.ts.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

• Risk: Matrix sync.state = ERROR remains SDK-owned reconnect behavior and is not automatically escalated into channel restart.
  • Mitigation: this PR only escalates clear fatal paths (sync.unexpected_error, unexpected STOPPED, startup readiness failure) to avoid fighting the SDK on transient reconnects.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 69a8b95c3f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Copilot]

Pull request overview

This PR hardens the Matrix integration against homeserver sync outages by making Matrix startup wait for actual sync readiness and by ensuring monitor/background work is owned and contained within the Matrix channel lifecycle (preventing process-wide unhandled rejections).

Changes:

• Add Matrix sync-state typing/helpers and wire Matrix sync lifecycle events (sync.state, sync.unexpected_error) through the MatrixClient bridge.
• Make MatrixClient.start() wait for initial ready sync states (with timeout / fatal handling) before reporting startup success.
• Introduce a centralized monitor task runner + sync lifecycle/status controllers so detached monitor work is tracked, drained on shutdown, and fatal sync errors fail the channel task (not the whole process).

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
extensions/matrix/src/matrix/sync-state.ts	Defines sync state type + readiness/disconnected/terminal helpers.
extensions/matrix/src/matrix/sdk/types.ts	Extends Matrix client event map with sync lifecycle events.
extensions/matrix/src/matrix/sdk.ts	Waits for initial sync readiness; bridges SDK sync events; tracks current sync state.
extensions/matrix/src/matrix/sdk.test.ts	Adds tests for startup readiness gating, unexpected sync errors, and startup timeout.
extensions/matrix/src/matrix/monitor/task-runner.ts	Adds tracked detached-task runner + idle draining for shutdown containment.
extensions/matrix/src/matrix/monitor/sync-lifecycle.ts	Adds sync fatality ownership to fail the channel task on unexpected STOPPED / sync fatal events.
extensions/matrix/src/matrix/monitor/sync-lifecycle.test.ts	Tests fatal sync handling and intentional shutdown STOPPED handling.
extensions/matrix/src/matrix/monitor/status.ts	Adds Matrix monitor status controller to publish starting/healthy/error/stopped snapshots.
extensions/matrix/src/matrix/monitor/index.ts	Wires status + lifecycle + task runner into the Matrix monitor and abort/fatal handling.
extensions/matrix/src/matrix/monitor/index.test.ts	Adds tests for status publishing, detached-task rejection containment, and fatal sync propagation.
extensions/matrix/src/matrix/monitor/events.ts	Wraps key event handlers in contained tasks to prevent unhandled rejections.
extensions/matrix/src/channel.ts	Plumbs channel lifecycle status sink (ctx.setStatus) into Matrix monitor.
CHANGELOG.md	Documents the Matrix/gateway outage containment fix.

Comments suppressed due to low confidence (1)

extensions/matrix/src/matrix/sdk.ts:468

• startSyncSession() calls this.client.startClient() and then can reject from waitForInitialSyncReady() (timeout / unexpected error / terminal state). On those failure paths, the underlying matrix-js-sdk client remains started and will keep its sync loop running, while MatrixClient.started stays false, so subsequent retries may attempt a second startClient() on an already-running client.

Consider wrapping the post-startClient() startup phase in a try/catch (or try/finally) that stops the SDK client (e.g., via stopSyncWithoutPersist() / client.stopClient()) and resets any related state before rethrowing, so a failed startup does not leak background work or leave the instance in a half-started state.

  private async startSyncSession(opts: { bootstrapCrypto: boolean }): Promise<void> {
    if (this.started) {
      return;
    }

    await this.ensureCryptoSupportInitialized();
    this.registerBridge();
    await this.initializeCryptoIfNeeded();

    await this.client.startClient({
      initialSyncLimit: this.initialSyncLimit,
    });
    await this.waitForInitialSyncReady();
    if (opts.bootstrapCrypto && this.autoBootstrapCrypto) {
      await this.bootstrapCryptoIfNeeded();
    }
    this.started = true;
    this.emitOutstandingInviteEvents();
    await this.refreshDmCache().catch(noop);

[greptile-apps]

Greptile Summary

This PR contains the Matrix channel startup/reliability fix: MatrixClient.start() now blocks until the SDK reaches a ready sync state (PREPARED/SYNCING/CATCHUP) with a 30-second timeout, fatal sync errors are routed through the channel's own lifecycle (rejecting its task so gateway restart budgeting applies), and detached background handler failures are tracked and drained on shutdown instead of leaking as unhandled rejections.

The three new modules — task-runner.ts, sync-lifecycle.ts, and status.ts — carve out clean, testable seams, and the added test coverage in sdk.test.ts, monitor/index.test.ts, and sync-lifecycle.test.ts directly locks in the startup-readiness, fatal escalation, and rejection-containment invariants.

Confidence Score: 5/5

Safe to merge. The fix is logically correct, well-tested, and scoped entirely to the Matrix extension.

All remaining findings are P2 (documentation/style). The core correctness of the bug fix is sound: startup readiness gating, fatal-error routing through channel lifecycle, and background-task containment all behave correctly. The test coverage directly locks in the key invariants (startup timeout, fatal rejection, detached-task containment, intentional-shutdown STOPPED classification).

No files require special attention.

Vulnerabilities

No security concerns identified. No new network calls, secrets handling changes, or permission surface changes were introduced.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: extensions/matrix/src/matrix/monitor/sync-lifecycle.ts
Line: 56-63

Comment:
**`waitForFatalStop` assumes single-caller ownership**

The resolve/reject callbacks are stored in module-level `let` slots, so a second concurrent call to `waitForFatalStop()` would silently overwrite the first caller's references — leaving its promise forever pending. This isn't a live bug (the only call site is the `Promise.race` in `index.ts`), but the invariant is implicit. A short guard comment or an early-throw would make the constraint explicit for future callers.

```suggestion
    async waitForFatalStop(): Promise<void> {
      if (fatalError) {
        throw fatalError;
      }
      // NOTE: only one concurrent caller is supported; a second call would
      // overwrite these slots and the first promise would never settle.
      await new Promise<void>((resolve, reject) => {
        resolveFatalWait = resolve;
        rejectFatalWait = (error) => reject(error);
      });
    },
```

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: extensions/matrix/src/matrix/monitor/status.ts
Line: 93-95

Comment:
**Unknown sync states don't update `connected`**

The fallback branch (for future/unknown SDK states that aren't `PREPARED`/`SYNCING`/`CATCHUP`/`RECONNECTING`/`ERROR`/`STOPPED`) updates `healthState` and `lastEventAt` but leaves `status.connected` unchanged. If the SDK ever introduces a state that arrives while `connected === true`, the status would report a connected client in an unknown health state. A brief comment clarifying this is intentional would help readers avoid adding `status.connected = false` here by mistake.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "fix(matrix): contain sync outage failure..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dd310b208d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 657e1ce06a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9cd2677d7a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 843a52a7c5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6b4662e7f2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 382e4e667a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 3 potential security issue(s) in this PR:

#	Severity	Title
1	🟡 Medium	Unbounded background task tracking enables memory/CPU exhaustion and can block shutdown
2	🟡 Medium	Matrix startup abort misclassification via generic AbortError name check
3	🟡 Medium	MatrixClient.start() abort/timeout can leave Matrix sync running in background

1. 🟡 Unbounded background task tracking enables memory/CPU exhaustion and can block shutdown

Property	Value
Severity	Medium
CWE	CWE-400
Location	extensions/matrix/src/matrix/monitor/task-runner.ts:7-31

Description

createMatrixMonitorTaskRunner tracks every detached handler promise in an in-memory Set until it settles. Event handlers for high-volume Matrix events (room.message, Reaction, verification.summary) are now executed via runDetachedTask, so an attacker who can generate many events (e.g., spamming messages/reactions) can:

• Create an unbounded number of concurrently in-flight tasks (no concurrency limit/backpressure)
• Cause sustained memory growth from the growing Set (and promise closures) when handlers are slow
• Potentially block shutdown indefinitely because waitForIdle() loops until all tracked promises settle; if any handler hangs (network call stuck, deadlock), cleanup will never finish when mode === "persist"

Vulnerable code:

const inFlight = new Set<Promise<void>>();
...
inFlight.add(trackedTask);
...
while (inFlight.size > 0) {
  await Promise.allSettled(Array.from(inFlight));
}

Recommendation

Introduce backpressure and bounded concurrency, and ensure tasks cannot hang forever.

Options (can be combined):

1. Concurrency limit / queue (preferred):

import pLimit from "p-limit";

const limit = pLimit(25); // tune
const runDetachedTask = (label: string, task: () => Promise<void>) => {
  const trackedTask = limit(async () => {
    await task();
  })
  .catch((err) => { /* log */ })
  .finally(() => inFlight.delete(trackedTask));

  inFlight.add(trackedTask);
  return trackedTask;
};

2. Timeout + abort propagation: wrap tasks with an AbortSignal (or Promise.race timeout) so stuck handlers eventually settle.

3. Bound the tracked set: if inFlight.size exceeds a safe threshold, drop/skip low-priority work or coalesce events (e.g., dedupe per room).

4. In shutdown, consider a max wait for waitForIdle() and then proceed with releaseSharedClientInstance(client, "stop").

2. 🟡 Matrix startup abort misclassification via generic `AbortError` name check

Property	Value
Severity	Medium
CWE	CWE-697
Location	extensions/matrix/src/matrix/startup-abort.ts:13-15

Description

isMatrixStartupAbortError treats any Error with name === "AbortError" as an intentional Matrix startup abort.

• createMatrixStartupAbortError() creates an Error and sets name = "AbortError"
• isMatrixStartupAbortError() then matches solely on error.name === "AbortError"
• Many underlying libraries (e.g., fetch/Matrix SDK request layer, undici) may throw abort-related errors with the same name for non-user-initiated reasons (timeouts, internal cancellations, transient network conditions)
• This causes control-flow changes:
  • In runMatrixStartupMaintenance, such errors are rethrown instead of being logged as non-fatal, potentially aborting startup.
  • In monitorMatrixProvider, if the outer abort signal is already aborted, any AbortError will be treated as a startup abort and the function will cleanup("stop") and return (skipping the normal error propagation path).

This is an error-class confusion issue that can lead to unintended early termination (availability impact) and altered cleanup semantics based on an error name that is not unique to the intended abort condition.

Vulnerable code:

export function isMatrixStartupAbortError(error: unknown): boolean {
  return error instanceof Error && error.name === "AbortError";
}

Recommendation

Use a distinct error type or marker that cannot be confused with generic abort errors from other libraries.

Option A (preferred): custom class + instanceof

export class MatrixStartupAbortError extends Error {
  constructor() {
    super("Matrix startup aborted");
    this.name = "MatrixStartupAbortError";
  }
}

export function createMatrixStartupAbortError(): Error {
  return new MatrixStartupAbortError();
}

export function isMatrixStartupAbortError(err: unknown): err is MatrixStartupAbortError {
  return err instanceof MatrixStartupAbortError;
}

Option B: add a non-enumerable symbol marker

const kMatrixStartupAbort = Symbol.for("openclaw.matrix.startup_abort");

export function createMatrixStartupAbortError(): Error {
  const e = new Error("Matrix startup aborted");
  (e as any)[kMatrixStartupAbort] = true;
  return e;
}

export function isMatrixStartupAbortError(err: unknown): boolean {
  return err instanceof Error && (err as any)[kMatrixStartupAbort] === true;
}

Then keep handling generic AbortError from fetch/SDK as ordinary errors (logged or retried) unless they carry the explicit marker/type.

3. 🟡 MatrixClient.start() abort/timeout can leave Matrix sync running in background

Property	Value
Severity	Medium
CWE	CWE-400
Location	extensions/matrix/src/matrix/sdk.ts:487-493

Description

MatrixClient.startSyncSession() starts the underlying matrix-js-sdk client (startClient()), then waits for a ready sync state. If the wait rejects (abort signal, timeout, or unexpected sync error), the function throws without stopping the underlying Matrix client, leaving a live /sync loop running.

This can cause:

• Unexpected background network activity (continued syncing) after the caller believes startup failed
• Processing/decryption of events without the intended higher-level application state/handlers being fully initialized
• Potential resource exhaustion over time (leaked timers/requests), especially if callers retry startup repeatedly

Vulnerable flow:

• sink: this.client.startClient(...) begins syncing
• error paths: waitForInitialSyncReady(...) can reject on abort/timeout/unexpected error
• missing cleanup: no stopClient()/stopSyncWithoutPersist() in these failure paths

Vulnerable code:

await this.client.startClient({ initialSyncLimit: this.initialSyncLimit });
await this.waitForInitialSyncReady({ abortSignal: opts.abortSignal, timeoutMs: opts.readyTimeoutMs });

If waitForInitialSyncReady rejects, the sync loop can continue running.

Recommendation

Ensure the underlying matrix-js-sdk client is stopped if startup fails after startClient().

For example, wrap the post-startClient() startup sequence in try/catch, and stop the client on any failure:

await this.client.startClient({ initialSyncLimit: this.initialSyncLimit });
try {
  await this.waitForInitialSyncReady({ abortSignal: opts.abortSignal, timeoutMs: opts.readyTimeoutMs });
  throwIfMatrixStartupAborted(opts.abortSignal);

  if (opts.bootstrapCrypto && this.autoBootstrapCrypto) {
    await this.bootstrapCryptoIfNeeded(opts.abortSignal);
  }
  throwIfMatrixStartupAborted(opts.abortSignal);

  this.started = true;
  this.emitOutstandingInviteEvents();
  await this.refreshDmCache().catch(noop);
} catch (e) {
  ​// stop any background sync started by startClient()
  this.stopSyncWithoutPersist();
  throw e;
}

This guarantees abort/timeout/unexpected errors during startup do not leave a running sync session behind.

---

Analyzed PR: #62779 at commit 901bb76

_{Last updated on: 2026-04-08T18:43:14Z}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 27f9d850c1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 795ef740b7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[gumadeiras]

Merged via squash.

• Prepared head SHA: 901bb767b56250915de2b866db91e4e2d8b098b0
• Merge commit: 0c00c3c2306f760f2f7ec44f4426163e4ffdb649

Thanks @gumadeiras!

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 901bb767b5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".