fix(reply-queue): remove the drained item by reference instead of front index

[yetval]

Summary

During a burst of inbound messages to a busy session, the reply queue can silently drop a queued message: it is never answered and is not even counted in the "Dropped N messages due to cap" overflow summary.

The drain helper removes the wrong item. drainNextQueueItem (src/utils/queue-helpers.ts) captures next = items[0], awaits the run (a real agent turn, seconds long), then calls items.shift() on the assumption that index 0 still holds the item it just ran:

const next = items[0];
await run(next);
items.shift();

But enqueueFollowupRun mutates the same shared items array for every concurrent inbound message, and at or over cap applyQueueDropPolicy does items.splice(0, dropCount), removing from the front. If enough messages arrive while items[0] is in flight, the in-flight item is itself spliced off the front (and recorded as dropped), shifting a different, still-undelivered survivor into index 0. When the await returns, items.shift() deletes that survivor: it was never run, and it is not in the overflow summary either.

The same positional-front assumption breaks the collect path in src/auto-reply/reply/queue/drain.ts: it snapshots const items = queue.items.slice(), runs each authorization group, then does queue.items.splice(0, groupItems.length) after the awaited run, which can splice off survivors that arrived during the run rather than the group it actually processed.

The fix removes the items that were actually processed by identity instead of by front position. A small removeQueuedItemsByRef helper does an indexOf + splice per processed item; drainNextQueueItem removes the one item it ran, and the collect path removes the group it ran.

Diff size

 src/auto-reply/reply/queue/drain.ts |  3 ++-
 src/utils/queue-helpers.ts          | 11 ++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

Verification

Local (Node 22.19.0), against this checkout:

• node scripts/run-vitest.mjs src/utils/queue-helpers.test.ts src/auto-reply/reply/queue/drain.identity-guard.test.ts - pass (11 tests).
• node scripts/run-vitest.mjs src/auto-reply/reply/reply-flow.test.ts - pass (12 tests).
• tsgo:core - exit 0. scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.core.json on both changed files - clean.
• Red/green proof: a local harness that drives the real exported queue helpers (drainNextQueueItem, applyQueueDropPolicy, buildQueueSummaryPrompt) and recreates a cap-overflow burst during an in-flight drain fails on origin/main (a survivor is lost) and passes on this branch. The harness is kept local and is not part of this single-commit fix; its captured before/after output is in Real behavior proof below.

Real behavior proof

• Behavior addressed: when a burst of inbound messages overflows the cap while the queue is draining an in-flight item, a still-undelivered queued message that survives the drop policy is no longer removed without running. Every survivor is now delivered, left queued, or counted in the overflow summary.
• Real environment tested: the real exported reply-queue helpers in this checkout (src/utils/queue-helpers.ts drainNextQueueItem, applyQueueDropPolicy, buildQueueSummaryPrompt), composed exactly as the drain loop composes them: seed one item, begin draining it, and while that drain is awaiting, push a 7-message burst through applyQueueDropPolicy at cap 3 (the same shared array the drain holds), then drain the remainder and read back what was delivered, what stayed queued, what the drop policy dropped, and the emitted overflow summary. No network or provider credentials are involved; the defect is pure in-memory queue bookkeeping.
• Exact steps or command run after this patch: seeded m1, began draining it, and during the awaited run pushed m2..m8 through applyQueueDropPolicy on the shared array (cap 3, summarize policy), then drained to completion and printed DELIVERED, REMAINING, DROPPED_BY_POLICY, the SUMMARY_PROMPT, and LOST (any id that is in none of delivered, remaining, or dropped). Ran the identical harness once on this branch and once with the two production files reverted to origin/main.
• Evidence after fix: live before/after output of the harness. Before is the two production files at origin/main; after is this branch:

# origin/main (drain shift()s index 0)
DELIVERED:         ["m1","m7","m8"]
REMAINING:         []
DROPPED_BY_POLICY: ["m1","m2","m3","m4","m5"]
SUMMARY_PROMPT:    "[Queue overflow] Dropped 5 messages due to cap.\nSummary:\n- m3\n- m4\n- m5"
LOST:              ["m6"]

# this branch (drain removes the item it ran by reference)
DELIVERED:         ["m1","m6","m7","m8"]
REMAINING:         []
DROPPED_BY_POLICY: ["m1","m2","m3","m4","m5"]
SUMMARY_PROMPT:    "[Queue overflow] Dropped 5 messages due to cap.\nSummary:\n- m3\n- m4\n- m5"
LOST:              []

• Observed result after fix: m6 survived the drop policy but, on origin/main, appeared in none of delivered, remaining, or the overflow summary (LOST: ["m6"]) - silent loss beyond the cap accounting. On this branch the identical burst delivers m6 (DELIVERED includes m6, LOST is empty); the documented overflow accounting for m1..m5 is unchanged.
• What was not tested: a fully live multi-message burst over a real channel against a running agent. The before/after above exercises the real exported queue helpers composed in the production drain order; it does not stand up a live Discord/Telegram/Slack session, which is unnecessary because the lost-survivor bug lives entirely in the shared in-memory queue bookkeeping these helpers own.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 8, 2026, 11:55 AM ET / 15:55 UTC.

Summary
This PR changes reply-queue drains to remove processed items by object identity in single-item and collect drains, and adds a helper-level regression test for overflow mutation during an awaited drain.

PR surface: Source +10, Tests +53. Total +63 across 3 files.

Reproducibility: yes. Source inspection shows the current-main race between awaited drain removal and front-splicing overflow, and the PR body provides before/after helper output that loses m6 on current main and preserves it after the patch.

Review metrics: none identified.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Next step before merge

• No ClawSweeper repair lane is needed because review found no actionable patch defect; maintainer merge review and CI are the remaining gates.

Security
Cleared: The diff only changes internal TypeScript queue bookkeeping and a regression test; I found no concrete security or supply-chain concern.

Review details

Best possible solution:

Land this focused identity-removal fix after normal CI and maintainer review, keeping any broader overflow-accounting cleanup separate.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows the current-main race between awaited drain removal and front-splicing overflow, and the PR body provides before/after helper output that loses m6 on current main and preserves it after the patch.

Is this the best way to solve the issue?

Yes. Removing the processed object reference after the awaited run is the narrowest maintainable fix because it preserves retry-on-throw behavior while avoiding a stale front-index assumption.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against cfeaf6897fd8.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix live helper output, with before/after comparison showing the lost survivor disappears after the patch; no contributor action is needed for proof.

Label justifications:

• P1: The PR fixes a shipped reply-queue path that can silently lose an inbound message during a busy agent/channel burst.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes after-fix live helper output, with before/after comparison showing the lost survivor disappears after the patch; no contributor action is needed for proof.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix live helper output, with before/after comparison showing the lost survivor disappears after the patch; no contributor action is needed for proof.

Evidence reviewed

PR surface:

Source +10, Tests +53. Total +63 across 3 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	2	12	2	+10
Tests	1	53	0	+53
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	3	65	2	+63

What I checked:

• current main source bug: Current main captures the next item, awaits the run, then removes index 0, while the overflow policy can splice the same shared array from the front during that await. (src/utils/queue-helpers.ts:178, cfeaf6897fd8)
• collect path has the same positional removal: The collect drain snapshots queue items, awaits each authorization group run, then splices from the front by group length, so concurrent front mutation can remove a different survivor. (src/auto-reply/reply/queue/drain.ts:500, cfeaf6897fd8)
• proposed merge result fixes both removals: The PR merge ref adds removeQueuedItemsByRef and uses it after the awaited single-item and collect-group runs, so removal targets the processed object references rather than current front position. (src/utils/queue-helpers.ts:169, f57c9784256a)
• proposed merge result fixes collect drain: The proposed merge ref changes the collect path to call removeQueuedItemsByRef(queue.items, groupItems) after each group run. (src/auto-reply/reply/queue/drain.ts:501, f57c9784256a)
• focused regression coverage: The added test recreates an awaited drain plus cap overflow burst and asserts the survivor m6 is delivered rather than lost while dropped items remain accounted. (src/utils/queue-helpers.test.ts:175, f57c9784256a)
• shipped behavior check: The latest release commit v2026.6.1 still contains the positional shift/splice behavior, so the bug is not already fixed in a shipped release. (src/utils/queue-helpers.ts:157, 2e08f0f4221f)

Likely related people:

• steipete: Shared queue helper and drain history includes the next-item drain helper and a prior pending-item preservation fix on this path. (role: feature-history owner; confidence: high; commits: 8d048d412f5e, 712644f0d9a4; files: src/utils/queue-helpers.ts, src/auto-reply/reply/queue/drain.ts)
• Agustin Rivera: Auth-context collect batching changed the collect drain grouping surface where one of this PR's positional-removal fixes applies. (role: adjacent collect-mode contributor; confidence: medium; commits: 43d4be902755; files: src/auto-reply/reply/queue/drain.ts, src/auto-reply/reply/queue.collect.test.ts)
• mushuiyu_xydt: Current main blame for the extracted queue helper and drain files points to the recent fix #90452: Regression: Heartbeat exec completion still shows generic fallback text instead of actual output #90897 squash commit that carried the current implementation forward. (role: recent area contributor; confidence: medium; commits: b2c1de77acc7; files: src/utils/queue-helpers.ts, src/auto-reply/reply/queue/drain.ts, src/auto-reply/reply/queue/enqueue.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[obviyus]

Landed via rebase onto main.

• Scoped tests: node scripts/run-vitest.mjs src/utils/queue-helpers.test.ts src/auto-reply/reply/queue.drain-restart.test.ts src/auto-reply/reply/queue.collect.test.ts
• Formatting/lint/type proof: ./node_modules/.bin/oxfmt --check --threads=1 src/utils/queue-helpers.ts src/utils/queue-helpers.test.ts src/auto-reply/reply/queue/drain.ts; node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.core.json src/utils/queue-helpers.ts src/utils/queue-helpers.test.ts src/auto-reply/reply/queue/drain.ts; node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.test.src.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/test-src-pr91450.tsbuildinfo
• Review: .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main clean after rebase
• CI: required GitHub checks green after rebase; previous checks-node-agentic-cli failure cleared on the rebased run
• Changelog: not updated; release generation owns CHANGELOG.md, and the PR body/commit messages carry the release-note context
• Land commit: ede2b5d7d150d8f943311d1b6dd0c7ff4286c0c4
• Merge commit: 47fc1c288b83a68ceb2a251594ea1c8c67314791

Thanks @yetval!