fix(gateway): broadcast agent-run error payloads

[vincentkoc]

Summary

• broadcast returned isError agent-run payloads as terminal chat error events after an agent has started
• mark the chat:<runId> dedupe entry failed for those returned error payloads
• add a regression covering post-agent-start idle-timeout-style error delivery without mirroring assistant transcript entries

Fixes #84945.

Verification

• node scripts/run-vitest.mjs src/gateway/server-methods/chat.directive-tags.test.ts (2 files, 152 tests passed)
• node_modules/.bin/oxfmt --check src/gateway/server-methods/chat.ts src/gateway/server-methods/chat.directive-tags.test.ts CHANGELOG.md
• git diff --check origin/main...HEAD

Real behavior proof

Behavior addressed: returned isError payloads after agentRunStarted=true were persisted/logged but not broadcast as terminal chat errors.
Real environment tested: local Gateway server-method unit harness in a Codex worktree, with dispatchInboundMessage triggering onAgentRunStart and returning a final error payload.
Exact steps or command run after this patch: node scripts/run-vitest.mjs src/gateway/server-methods/chat.directive-tags.test.ts.
Evidence after fix: the new regression observes a chat event with state: "error", errorMessage: "LLM idle timeout (120s): no response from model", and a failed chat:<runId> dedupe snapshot.
Observed result after fix: connected Gateway clients receive the terminal error event while normal agent-run final text still is not mirrored into assistant transcript entries.
What was not tested: a live ACP/Ki-Agents 120s idle timeout run; CI and the focused Gateway harness cover the source-level failure path.

[clawsweeper]

Codex review: needs maintainer review before merge.

Latest ClawSweeper review: 2026-05-22 12:47 UTC / May 22, 2026, 8:47 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR updates Gateway chat handling so returned isError payloads after an agent run starts are broadcast as terminal chat error events, marks the chat dedupe entry failed, and adds a focused regression plus changelog entry.

Reproducibility: yes. Source-level reproduction is high confidence: current main stores block/final replies in deliveredReplies, then the agentRunStarted branch only updates the user transcript and marks dedupe ok, while the PR harness simulates onAgentRunStart plus a final isError payload.

PR rating
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Summary: Focused, reviewable patch with a regression for the source-level failure path and no blocking findings; the remaining confidence gap is live transport proof and duplicate-PR coordination.

Rank-up moves:

• Choose the canonical branch relative to fix(gateway): surface resolved chat errors #84953 before landing both.
• Let required checks finish, then use a live ACP/WebChat smoke only if maintainers want to retire the transport-proof gap.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: The external contributor proof gate does not apply to this maintainer-authored PR; the PR body provides focused unit-harness proof but not a live ACP timeout run.

Risk before merge

• A live ACP/Ki-Agents 120s idle-timeout run was not exercised; the remaining merge risk is whether real connected clients observe exactly the same terminal chat error event as the focused Gateway harness.
• There are open external PRs for the same linked bug, especially fix(gateway): surface resolved chat errors #84953, so maintainers should avoid landing duplicate competing fixes.

Maintainer options:

1. Land with focused Gateway proof (recommended)
   If required checks stay green, maintainers can accept the remaining live-timeout proof gap because the patch uses the existing chat error event contract and covers the source-level failure path.
2. Request live transport proof
   Before merge, maintainers can ask for a short ACP/WebChat smoke that injects or triggers the returned isError payload and shows the connected client receiving the terminal error.
3. Pick the canonical duplicate branch
   Pause this branch if maintainers prefer the broader existing fix in fix(gateway): surface resolved chat errors #84953, then close or supersede the other PR to avoid drift.

Next step before merge
No automated repair is needed; this protected maintainer PR has no blocking review findings and should proceed through normal maintainer merge/CI handling.

Security
Cleared: No concrete security or supply-chain regression found; the diff touches Gateway event handling, a regression test, and changelog only, with no new dependencies, workflows, permissions, or secret handling.

Review details

Best possible solution:

Land one canonical Gateway fix that broadcasts returned agent-run error payloads, preserves the transcript ownership boundary, and then close the linked issue while superseding duplicate PRs.

Do we have a high-confidence way to reproduce the issue?

Yes. Source-level reproduction is high confidence: current main stores block/final replies in deliveredReplies, then the agentRunStarted branch only updates the user transcript and marks dedupe ok, while the PR harness simulates onAgentRunStart plus a final isError payload.

Is this the best way to solve the issue?

Yes. The PR is the narrow maintainable fix: it inspects delivered error payloads in the existing post-dispatch path, reuses broadcastChatError, updates dedupe consistently, and avoids mirroring normal Pi assistant turns into transcript history.

Label changes:

• add P1: The PR fixes a real Gateway/ACP workflow where users can lose the terminal error event and see a silently stopped response.
• add merge-risk: 🚨 message-delivery: The patch changes terminal chat error delivery and dedupe behavior for connected Gateway clients, which focused tests cover but live transport proof has not exercised.
• add rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🌊 off-meta tidepool, patch quality is 🐚 platinum hermit, and Focused, reviewable patch with a regression for the source-level failure path and no blocking findings; the remaining confidence gap is live transport proof and duplicate-PR coordination.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The external contributor proof gate does not apply to this maintainer-authored PR; the PR body provides focused unit-harness proof but not a live ACP timeout run.

Label justifications:

• P1: The PR fixes a real Gateway/ACP workflow where users can lose the terminal error event and see a silently stopped response.
• merge-risk: 🚨 message-delivery: The patch changes terminal chat error delivery and dedupe behavior for connected Gateway clients, which focused tests cover but live transport proof has not exercised.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🌊 off-meta tidepool, patch quality is 🐚 platinum hermit, and Focused, reviewable patch with a regression for the source-level failure path and no blocking findings; the remaining confidence gap is live transport proof and duplicate-PR coordination.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The external contributor proof gate does not apply to this maintainer-authored PR; the PR body provides focused unit-harness proof but not a live ACP timeout run.

What I checked:

• Current main drops returned agent-run error payloads: On current main, deliveredReplies records block/final payloads, but once agentRunStarted is true the post-dispatch branch only emits the user transcript update and then writes a successful chat dedupe entry. (src/gateway/server-methods/chat.ts:2815, 111bad106544)
• Existing protocol supports the intended event: The Gateway protocol already defines ChatErrorEventSchema with state: "error" and optional errorMessage, so the PR uses an existing client-facing event shape rather than adding a new protocol contract. (src/gateway/protocol/schema/logs-chat.ts:121, 111bad106544)
• Agent timeout path returns an error payload: The Pi embedded runner timeout path returns a normal reply payload with isError: true, matching the issue's non-throwing flow that would bypass the .catch() broadcast path. (src/agents/pi-embedded-runner/run.ts:2775, 111bad106544)
• PR patch broadcasts and marks dedupe failure: The PR detects returned isError payloads after an agent starts, calls broadcastChatError, and writes a failed chat:<runId> dedupe payload instead of ok: true. (src/gateway/server-methods/chat.ts:2902, a230fcc4cc38)
• Regression covers terminal error event without transcript mirroring: The new test simulates onAgentRunStart followed by a final isError payload and expects a chat error event, failed dedupe snapshot, user transcript update, and no assistant transcript mirror. (src/gateway/server-methods/chat.directive-tags.test.ts:970, a230fcc4cc38)
• Maintainer discussion keeps the bug independent: A maintainer comment on the linked issue says not to close it with fix(codex): recover final text after prompt timeout #84993 and identifies this Gateway chat delivery path as the next narrow repair candidate.

Likely related people:

• Peter Steinberger: Current blame for the Gateway post-dispatch branch, deliveredReplies handling, and the timeout payload return path points to the same recent local-history commit. (role: recent area contributor; confidence: medium; commits: 4ee8a2ac2ea5; files: src/gateway/server-methods/chat.ts, src/gateway/server-methods/chat.directive-tags.test.ts, src/agents/pi-embedded-runner/run.ts)
• vincentkoc: The live PR and linked issue are assigned to this member account, and the issue discussion includes their maintainer routing note that this Gateway delivery bug is independent of adjacent fixes. (role: current follow-up owner; confidence: medium; commits: a230fcc4cc38; files: src/gateway/server-methods/chat.ts, src/gateway/server-methods/chat.directive-tags.test.ts, CHANGELOG.md)
• JulyanXu: The issue discussion and open related PRs include source-level analysis and proposed fixes for the same returned-error-payload delivery path. (role: adjacent contributor; confidence: low; files: src/gateway/server-methods/chat.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 111bad106544.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 💎 rare Mossy Merge Sprite

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 💎 rare.
Trait: polishes edge cases.
Image traits: location green-check meadow; accessory lint brush; palette moonlit blue and soft silver; mood celebratory; pose balancing on a branch marker; shell glossy opal shell; lighting bright celebratory glints; background smooth stones and checkmarks.
Share on X: post this hatch
Copy: My PR egg hatched a 💎 rare Mossy Merge Sprite in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.