fix: yield diagnostic event drains

[galiniliev]

Summary

• Problem: high-frequency async diagnostic events could drain a large backlog in one setImmediate turn, monopolizing the gateway event loop during agent/subagent bursts.
• Why it matters: diagnostic traffic should not create liveness-delay spikes or duplicate/lost dynamic-tool terminal diagnostics.
• What changed: async diagnostic drains now process at most 100 queued events per turn; callers can explicitly wait for a full diagnostic drain; Codex dynamic-tool fallback diagnostics check the pending queue for the matching terminal event instead of waiting on unrelated global backlog; trusted terminal tool diagnostics get queue priority at saturation.
• What did NOT change (scope boundary): diagnostic payload shapes, public diagnostic stream filtering, listener ordering, and the 10k async queue cap remain intact.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: Gateway liveness reports severe event-loop stalls under subagent load #82936
• Related #
• This PR fixes a bug or regression

Real behavior proof (required for external PRs)

• Behavior addressed: Diagnostic event bursts from concurrent gateway agent/subagent activity no longer drain the whole async queue in one event-loop turn, and Codex dynamic-tool terminal diagnostics are not duplicated or dropped behind diagnostic backlog.
• Real environment tested: Local OpenClaw worktree, Node v24.15.0, rebased on origin/main 0556ac0291a894836382307eeeeb3b503aa1c0e5.
• Exact steps or command run after this patch:

node --import tsx -e "import { emitDiagnosticEvent, onDiagnosticEvent, resetDiagnosticEventsForTest } from './src/infra/diagnostic-events.ts'; resetDiagnosticEventsForTest(); const events=[]; onDiagnosticEvent((event)=>events.push(event)); for (let index=0; index<250; index+=1) emitDiagnosticEvent({type:'model.call.started', runId:'run-'+index, callId:'call-'+index, provider:'openai', model:'gpt-5.4'}); if (events.length !== 0) throw new Error('expected async queue before first turn, got '+events.length); await new Promise((resolve)=>setImmediate(resolve)); if (events.length !== 100) throw new Error('expected 100 after one turn, got '+events.length); await new Promise((resolve)=>setImmediate(resolve)); if (events.length !== 200) throw new Error('expected 200 after two turns, got '+events.length); await new Promise((resolve)=>setImmediate(resolve)); if (events.length !== 250) throw new Error('expected 250 after three turns, got '+events.length); console.log('diagnostic async drain burst probe passed: 250 events over 3 turns');"
node --max-old-space-size=8192 --import tsx scripts/generate-plugin-sdk-api-baseline.ts --check
node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.core.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core-test.tsbuildinfo
node scripts/run-vitest.mjs src/infra/diagnostic-events.test.ts
node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts -t "does not duplicate terminal diagnostics for wrapped dynamic tool errors"
AUTOREVIEW_AUTO_TESTS=0 .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main

• Evidence after fix:

diagnostic async drain burst probe passed: 250 events over 3 turns
OK docs/.generated/plugin-sdk-api-baseline.sha256
core test typecheck completed with exit code 0
Test Files  1 passed (1)
Tests  25 passed (25)
Test Files  1 passed (1)
Tests  1 passed | 183 skipped (184)
autoreview clean: no accepted/actionable findings reported
Test Files  2 passed (2)
Tests  210 passed (210)

• Observed result after fix: The scheduler delivered a 250-event burst as 100/200/250 across three event-loop turns; the focused diagnostic tests cover full drain, pending queue inspection, terminal priority under saturation, immutable inspector inputs, and uncloneable pending entries; the Codex regression did not duplicate terminal diagnostics behind a 150-event async backlog.
• What was not tested: I did not rerun the original private multi-subagent gateway workload. Full PR CI was restarted after the refreshed push and is expected to provide broader repository proof.
• Before evidence (optional but encouraged): Redacted log excerpt from the captured bug evidence:

"liveness warning: reasons=event_loop_delay,event_loop_utilization,cpu interval=30s eventLoopDelayP99Ms=6123.7 eventLoopDelayMaxMs=7709.1 eventLoopUtilization=0.975 cpuCoreRatio=0.983 active=5 waiting=0 queued=1 ..."
"liveness warning: reasons=event_loop_delay,event_loop_utilization interval=329s eventLoopDelayP99Ms=12750.7 eventLoopDelayMaxMs=12750.7 eventLoopUtilization=1 ..."
"liveness warning: reasons=event_loop_delay,cpu interval=30s eventLoopDelayP99Ms=1780.5 eventLoopDelayMaxMs=2128.6 eventLoopUtilization=0.892 cpuCoreRatio=0.951 active=6 ..."

Root Cause (if applicable)

• Root cause: scheduleAsyncDiagnosticDrain moved high-frequency diagnostic events out of the emitter path, but processed every queued event in one async drain turn. Under agent/subagent bursts, listener cloning/freezing and stability recording could still monopolize the event loop until the backlog was empty.
• Missing detection / guardrail: Existing coverage only asserted that high-frequency events were asynchronous; it did not assert that large bursts yield between drain turns or that terminal tool diagnostics survive backlog/saturation cases.
• Contributing context (if known): Liveness warnings showed active agent/subagent work and queued work while event-loop delay P99 reached seconds.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/infra/diagnostic-events.test.ts; extensions/codex/src/app-server/run-attempt.test.ts
• Scenario the test should lock in: A burst of 250 async model-call diagnostic events drains as 100/200/250 across three setImmediate turns; full-drain callers can await the entire queue; pending diagnostic inspection does not mutate or throw on malformed queued entries; trusted terminal tool diagnostics survive queue saturation; Codex dynamic-tool fallback diagnostics are not duplicated behind backlog.
• Why this is the smallest reliable guardrail: The bug is in the diagnostic event queue scheduler and Codex’s dynamic-tool terminal fallback path, so focused scheduler and app-server tests prove the exact contracts without provider or channel setup.
• Existing test that already covers this (if any): Existing async dispatch coverage only covered a two-event burst.
• If no new test is added, why not: N/A

User-visible / Behavior Changes

The gateway should remain more responsive during diagnostic event bursts from concurrent agent/subagent workloads.

Diagram (if applicable)

Before:
[diagnostic burst] -> [one drain turn processes entire backlog] -> [event-loop stall risk]

After:
[diagnostic burst] -> [100-event drain turn] -> [yield] -> [next drain turn] -> [continued gateway work]

Security Impact (required)

• New permissions/capabilities? (Yes/No): No
• Secrets/tokens handling changed? (Yes/No): No
• New/changed network calls? (Yes/No): No
• Command/tool execution surface changed? (Yes/No): No
• Data access scope changed? (Yes/No): No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: Linux local worktree
• Runtime/container: Node v24.15.0
• Model/provider: N/A for focused diagnostic queue probe
• Integration/channel (if any): Gateway diagnostics, Codex app-server dynamic tools
• Relevant config (redacted): Diagnostics event dispatch defaults

Steps

1. Register a diagnostic event listener.
2. Emit 250 high-frequency model.call.started diagnostic events.
3. Await successive setImmediate turns and count delivered events.

Expected

• The async drain yields between chunks instead of delivering all 250 events in one turn.

Actual

• After patch, delivery progressed as 0 before yield, then 100, 200, and 250 across three event-loop turns.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: Focused runtime probe for the diagnostic async queue burst; scheduler Vitest coverage; Codex dynamic-tool duplicate-terminal regression; Plugin SDK API baseline check; core test typecheck matching the CI failure shard; git diff --check; autoreview.
• Edge cases checked: Existing two-event async behavior remains compatible because it still drains in the first turn; large backlog continues scheduling while queue entries remain; terminal diagnostics queued behind large async backlog are detected before fallback emission; trusted terminal diagnostics are preserved at queue saturation; pending queue inspection does not expose mutable queued entries or throw on uncloneable queued entries.
• What you did not verify: Original private gateway/subagent workload; full CI is running after the refreshed push.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes/No): Yes
• Config/env changes? (Yes/No): No
• Migration needed? (Yes/No): No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: Diagnostic event listeners may observe large async bursts over more event-loop turns instead of one immediate turn.
  • Mitigation: Ordering is preserved and small bursts still drain in a single turn; the queue keeps scheduling until empty.

[clawsweeper]

Codex review: passed.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The branch caps async diagnostic drains at 100 events per turn, adds pending/full-drain diagnostic helpers, updates Codex dynamic-tool terminal diagnostics to inspect pending events, and adds regression coverage plus changelog/baseline updates.

Reproducibility: yes. from source inspection. Current main drains the entire async diagnostic queue in one setImmediate callback, and the PR body supplies a focused 250-event after-fix probe showing 100/200/250 delivery across turns.

PR rating
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Summary: Good focused bug-fix PR with strong terminal proof and no blocking findings; the remaining risk is maintainer acceptance of chunked diagnostic listener timing.

Rank-up moves:

• Let exact-head checks finish before automerge.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (terminal): The PR body contains exact terminal commands and copied after-fix output for the runtime burst probe, focused tests, typecheck, baseline check, and autoreview, which is sufficient for this non-visual runtime change.

Risk before merge

• Large async diagnostic bursts will now reach listeners over multiple setImmediate turns instead of one callback; event order is preserved, but this is a listener-timing compatibility change.
• The original private multi-subagent gateway workload was not rerun; the supplied proof is a focused runtime probe, focused regression tests, and copied terminal output.

Maintainer options:

1. Accept Chunked Diagnostic Timing (recommended)
   Land once exact-head checks pass if maintainers accept preserving diagnostic ordering while spreading large backlogs across event-loop turns.
2. Request Broader Gateway Proof
   Ask for a live or packaged multi-agent gateway workload if focused scheduler and Codex regression proof is not enough for the timing change.
3. Pause The Timing Change
   Pause or close if diagnostic listeners must continue seeing every large async burst fully drained in one event-loop turn.

Next step before merge
No ClawSweeper repair job is needed; this automerge-opted PR has no actionable review findings, so exact-head checks and maintainer timing acceptance should gate merge.

Security
Cleared: The diff changes in-memory diagnostic scheduling, an existing SDK diagnostic-runtime export surface, tests, generated baseline hash metadata, and changelog text with no dependency, workflow, secret, network, permission, or package-resolution changes.

Review details

Best possible solution:

Land the scheduler cap and pending-terminal-diagnostic guard through the existing automerge path once exact-head gates pass and maintainers accept the chunked listener timing.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection. Current main drains the entire async diagnostic queue in one setImmediate callback, and the PR body supplies a focused 250-event after-fix probe showing 100/200/250 delivery across turns.

Is this the best way to solve the issue?

Yes, with the compatibility caveat. The patch changes the existing scheduler and Codex fallback path directly, preserves queue order and caps, and adds focused tests instead of creating a parallel diagnostic mechanism.

What I checked:

• Current-main behavior: Current main schedules high-frequency diagnostic events with setImmediate but drains the entire async queue with state.asyncQueue.splice(0), matching the reported event-loop monopolization path. (src/infra/diagnostic-events.ts:803, 0556ac0291a8)
• Scheduler patch: The PR head adds MAX_ASYNC_DIAGNOSTIC_EVENTS_PER_TURN=100, drains only that many events per turn, and exposes waitForDiagnosticEventsDrained for callers that need the full async queue flushed. (src/infra/diagnostic-events.ts:652, 95610934cde8)
• Pending diagnostic guard: The Codex run-attempt path no longer waits behind unrelated backlog; it checks for a matching pending terminal diagnostic before emitting a fallback terminal diagnostic. (extensions/codex/src/app-server/run-attempt.ts:2187, 95610934cde8)
• Regression coverage: The PR adds tests for 250-event chunked draining, full-drain waiting, immutable pending inspection, uncloneable pending entries, queue saturation priority, and the Codex duplicate-terminal diagnostic backlog case. (src/infra/diagnostic-events.test.ts:421, 95610934cde8)
• Proof supplied by PR body: The PR body includes terminal commands and copied after-fix output for a 250-event runtime probe, focused diagnostic tests, the Codex regression test, SDK baseline check, core test typecheck, and autoreview. (95610934cde8)
• History provenance: git blame ties the current all-at-once async drain and Codex fallback wait path on main to commit 5d19beb; the PR directly changes those blamed areas. (src/infra/diagnostic-events.ts:803, 5d19beb547e1)

Likely related people:

• hcl: git blame attributes the current main diagnostic scheduler and Codex dynamic-tool terminal fallback lines changed by this PR to commit 5d19beb. (role: recent area contributor; confidence: medium; commits: 5d19beb547e1; files: src/infra/diagnostic-events.ts, extensions/codex/src/app-server/run-attempt.ts, src/plugin-sdk/diagnostic-runtime.ts)
• Vincent Koc: git log -G for diagnostic-events shows prior diagnostics and plugin-hook work touching the diagnostic event area, including OpenTelemetry migration and hook registry preservation commits. (role: diagnostics history contributor; confidence: medium; commits: de656e319471, d22279d2e873; files: src/infra/diagnostic-events.ts)
• pash-openai: recent history for extensions/codex/src/app-server/run-attempt.ts includes adjacent Codex app-server work, making this a plausible review route for Codex run-attempt behavior. (role: recent adjacent Codex contributor; confidence: low; commits: e0d1a2a9b9a8; files: extensions/codex/src/app-server/run-attempt.ts)
• Peter Steinberger: git log -G for diagnostic-events shows adjacent core runtime state consolidation and release-history work touching the diagnostics area. (role: adjacent core runtime contributor; confidence: low; commits: 9428b38452f8, 50a2481652b6; files: src/infra/diagnostic-events.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 0556ac0291a8.

[Takhoffman]

@clawsweeper automerge

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=95610934cde899f5d6549d2c8c99425d4d26a2db)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-05-20T02:55:18Z
Merge commit: 5d799c2d2052

What merged:

• The branch caps async diagnostic drains at 100 events per turn, adds pending/full-drain diagnostic helpers, ... rminal diagnostics to inspect pending events, and adds regression coverage plus changelog/baseline updates.
• Reproducibility: yes. from source inspection. Current main drains the entire async diagnostic queue in one s ... ck, and the PR body supplies a focused 250-event after-fix probe showing 100/200/250 delivery across turns.

Automerge notes:

• PR branch already contained follow-up commit before automerge: fix: yield diagnostic event drains

The automerge loop is complete.

Automerge progress:

• 2026-05-20 01:49:58 UTC review queued f1afdb6ad943 (after repair)

• 2026-05-20 02:00:02 UTC automerge wait f1afdb6ad943 (waiting) in 26m 49s Run: https://github.com/openclaw/clawsweeper/actions/runs/26135705990 waiting for GitHub checks: build-artifacts:IN_PROGRESS, check-additional-boundaries-a:IN_PROGRESS

• 2026-05-20 01:56:13 UTC review passed f1afdb6ad943 (structured ClawSweeper verdict: pass (sha=f1afdb6ad94352025ed49260e80829e35680e...)

• 2026-05-20 02:00:03 UTC repair finished f1afdb6ad943 (pushed) in 26m 50s Run: https://github.com/openclaw/clawsweeper/actions/runs/26135705990 repair_contributor_branch

• 2026-05-20 02:20:23 UTC review queued f1afdb6ad943 (queued)

• 2026-05-20 02:22:30 UTC repair queued f1afdb6ad943 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26137352287

• 2026-05-20 02:26:40 UTC repair started (running) in 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/26137352287 automerge-openclaw-openclaw-82937

• 2026-05-20 02:26:58 UTC validation plan (passed) in 18s Run: https://github.com/openclaw/clawsweeper/actions/runs/26137352287 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-20 02:27:23 UTC Codex write preflight (passed) in 43s Run: https://github.com/openclaw/clawsweeper/actions/runs/26137352287 danger-full-access

• 2026-05-20 02:35:20 UTC Codex edit 1 e921e19de164 (complete) in 8m 40s Run: https://github.com/openclaw/clawsweeper/actions/runs/26137352287 exit 0

• 2026-05-20 02:32:21 UTC review passed e921e19de164 (structured ClawSweeper verdict: pass (sha=e921e19de1645b035dc852b2b6d1d925b72b0...)

• 2026-05-20 02:46:00 UTC validation and review 1 697a216ae14a (base moved) in 19m 20s Run: https://github.com/openclaw/clawsweeper/actions/runs/26137352287 rebased

• 2026-05-20 02:46:04 UTC repair completed (no branch change) in 19m 24s Run: https://github.com/openclaw/clawsweeper/actions/runs/26137352287 source PR branch changed while the repair worker was preparing its push; requeue against the latest head

• 2026-05-20 02:46:05 UTC repair finished (blocked) in 19m 25s Run: https://github.com/openclaw/clawsweeper/actions/runs/26137352287 source PR branch changed while the repair worker was preparing its push; requeue against the latest head

• 2026-05-20 02:50:54 UTC review passed 95610934cde8 (structured ClawSweeper verdict: pass (sha=95610934cde899f5d6549d2c8c99425d4d26a...)

• 2026-05-20 02:55:20 UTC merged 95610934cde8 (merged by ClawSweeper automerge)

[clawsweeper]

🦞✅
ClawSweeper is pausing this repair loop for human review.

Source: clawsweeper[bot]
Reason: The protected maintainer label and absence of actionable review findings make this a human landing/review decision, not a ClawSweeper repair job.; Cleared: Cleared: the diff changes in-memory diagnostic scheduling, an SDK re-export, and tests, with no dependency, workflow, secret, network, package-resolution, or permission changes. (sha=4024e1172d5343681d8d465132420b11063ae90d)

Why human review is needed:
This item touches a maintainer-protected decision point. ClawSweeper is keeping the item open so a maintainer can own the final validation choice.

Recommended next action:
Have a maintainer review the flagged decision, then either add the missing proof and re-run ClawSweeper or merge manually if the maintainer accepts the remaining risk.

I added clawsweeper:human-review and left the final call with a maintainer.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Pearl Crabkin

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: purrs at green checks.
Image traits: location artifact grotto; accessory CI status badge; palette charcoal, cyan, and signal green; mood curious; pose balancing on a branch marker; shell woven fiber shell; lighting moonlit rim light; background gentle dashboard dots.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Pearl Crabkin in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.