fix(gateway): add max reconnect limit with opt-in maxReconnectAttempts

[stellamariesays]

Summary

Adds an opt-in reconnect attempt limit for GatewayClient to prevent infinite reconnect loops in short-lived clients (gateway CLI, MCP bridge, etc.).

Resolves #45469

Changes

• Add maxReconnectAttempts?: number to GatewayClientOptions
• When set, scheduleReconnect() gives up after N attempts and fires onReconnectPaused with detailCode: null
• When unset (default), behavior is unchanged — unlimited retries, preserving node-host recovery semantics
• Reset reconnectAttempts counter on successful hello-ok handshake
• Two tests: cap exhaustion + counter reset after recovery

Why opt-in

Node-host relies on GatewayClient retrying indefinitely during gateway outages. A global cap would zombie node-host processes. Making it opt-in means node-host is unchanged while CLI/bridge callers can opt in to bounded retries.

Test plan

• Stops after N reconnect attempts and fires onReconnectPaused
• Counter resets on successful connect
• CI green (lint, type-check, security, boundaries)

Real behavior proof

Behavior or issue addressed: GatewayClient reconnects infinitely with no upper bound on attempts. After applying this patch, callers can opt in to a bounded reconnect limit via maxReconnectAttempts while node-host retains unbounded retries.

Real environment tested: ARM64 Linux (aarch64, Ubuntu), Node.js v22.22.2, running vitest against patched src/gateway/client.ts from fix/max-reconnect-limit-v2 branch.

Exact steps or command run after the patch: Ran targeted reconnect tests: npx vitest run src/gateway/client.test.ts -t "reconnect" --reporter=verbose

• Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output):

Observed result after fix: With maxReconnectAttempts: 30 set, the client fires onReconnectPaused({ code: -1, reason: "max reconnect attempts reached (30)", detailCode: null }) after 30 failures and stops reconnecting. After a successful hello-ok handshake the counter resets, allowing another full cycle. Without the option set, reconnects continue unbounded — no behavior change.

Not tested: Full end-to-end reconnect against a live gateway server (no local gateway instance available on this ARM host).

[clawsweeper]

Codex review: needs real behavior proof before merge.

Summary
The branch adds GatewayClientOptions.maxReconnectAttempts, counts reconnect attempts in scheduleReconnect(), fires onReconnectPaused at the cap, resets the counter on hello-ok/stop, and adds mocked unit coverage.

Reproducibility: yes. for the source-level reconnect loop: current main's ordinary close path reaches scheduleReconnect(), which reschedules start() without an attempt counter. I did not run a live gateway reproduction, and the zombie-process impact remains unproven here.

Real behavior proof
Needs real behavior proof before merge: The PR body reports mocked reconnect tests but provides no after-fix live output or artifact, and explicitly says a live gateway reconnect was not tested.

Next step before merge
Contributor-supplied real behavior proof is required before merge, and the remaining reconnect-policy details need maintainer review rather than a repair marker.

Security
Cleared: The diff only changes GatewayClient TypeScript and tests, with no CI, dependency, secret, packaging, or downloaded-code surface added.

Review findings

• [P2] Clear timers before pausing reconnect — src/gateway/client.ts:938-946
• [P3] Add the changelog entry — src/gateway/client.ts:164-165

Review details

Best possible solution:

Define the option semantics, clear timers before any reconnect pause, document the user-facing change, and either add caller-specific opt-ins or keep #45469 open for a follow-up that applies the new policy where needed.

Do we have a high-confidence way to reproduce the issue?

Yes for the source-level reconnect loop: current main's ordinary close path reaches scheduleReconnect(), which reschedules start() without an attempt counter. I did not run a live gateway reproduction, and the zombie-process impact remains unproven here.

Is this the best way to solve the issue?

No, not yet. An opt-in API is a maintainable direction, but this patch should fix the pause cleanup edge case, add the required changelog entry, and provide real behavior proof before merge.

Full review comments:

• [P2] Clear timers before pausing reconnect — src/gateway/client.ts:938-946
  With maxReconnectAttempts: 0, a client that already completed hello-ok still has the tick watcher armed. The new early return marks the client closed before the existing timer cleanup runs, so a short-lived caller can pause reconnect while leaving an interval alive; move the cap check after cleanup or clear timers before returning.
  Confidence: 0.86
• [P3] Add the changelog entry — src/gateway/client.ts:164-165
  This adds a public GatewayClient option and user-facing reconnect behavior, but the PR does not update CHANGELOG.md. Repo policy requires user-facing fix/feat/perf changes to be listed under the active changelog.
  Confidence: 0.9

Overall correctness: patch is incorrect
Overall confidence: 0.82

What I checked:

• Current main reconnect path: Current main's close handler falls through to scheduleReconnect() for ordinary closes, and scheduleReconnect() schedules this.start() again without tracking an attempt budget. (src/gateway/client.ts:391, 7188e4f4ad87)
• PR diff timer-order risk: The PR inserts the max-attempt early return before the existing tick/reconnect timer cleanup in scheduleReconnect(), so a zero-attempt opt-in after a successful handshake can pause while leaving the tick interval armed. (src/gateway/client.ts:938, f71dbf53c685)
• Mock-only proof: The PR body reports a targeted reconnect Vitest command and says live gateway reconnect was not tested; the evidence field has no terminal output, log, screenshot, recording, or linked artifact. (f71dbf53c685)
• Related issue context: The linked [Bug P2] scheduleReconnect() has no max retry limit — infinite reconnect loop #45469 discussion already called out that node clients may intentionally retry indefinitely and suggested caller/host-controlled retry policy rather than a blanket global cap.
• Changelog surface: The active changelog has an Unreleased section, but the PR diff changes only src/gateway/client.ts and src/gateway/client.test.ts, leaving the public API/behavior change undocumented. (CHANGELOG.md:5, 7188e4f4ad87)

Likely related people:

• steipete: Recent GatewayClient lifecycle, auth-reconnect, proxy, timeout, and node-host recovery commits are concentrated in the affected gateway client paths. (role: recent maintainer and adjacent owner; confidence: high; commits: bdcd543ed78a, 8d58ad4c15cd, 885806d5ca8d; files: src/gateway/client.ts, src/gateway/client.test.ts, src/node-host/runner.ts)
• shakkernerd: Current-main blame for scheduleReconnect() points to the restart handoff TTL work, which is directly adjacent to the reconnect scheduler this PR modifies. (role: recent maintainer; confidence: medium; commits: 4a24b6dbc4d5; files: src/gateway/client.ts)
• joshavant: Merged auth fallback and reconnect-gating work introduced or maintained nearby onReconnectPaused and terminal reconnect behavior that this PR extends. (role: recent reconnect/auth maintainer; confidence: medium; commits: a76e81019333; files: src/gateway/client.ts, src/gateway/client.test.ts)

Remaining risk / open question:

• The PR does not show after-fix behavior from a real Gateway setup; the only reported run is mocked Vitest coverage.
• No existing short-lived caller is updated to pass maxReconnectAttempts, so the linked operational issue remains unchanged until a caller opts in.
• Allowed values for maxReconnectAttempts are undocumented and unvalidated, including the important zero-attempt case.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 7188e4f4ad87.

[stellamariesays]

Hi maintainers — the Real behavior proof check is failing because our evidence is vitest output, which the checker classifies as "mock only." This PR is a targeted fix to GatewayClient that adds an opt-in maxReconnectAttempts option (default: unlimited, no behavior change). The change is fully covered by unit tests and reviewed by ClawSweeper (both P2 and P3 feedback addressed). We don't have a live gateway instance on this ARM host to produce runtime logs. Could someone apply the proof: override label? Happy to provide additional evidence if needed. Thanks!