@namzu/sdk 0.2.0 → 0.4.0

package/src/session/__tests__/integration/spawn-rollback.test.ts

@@ -0,0 +1,313 @@
+/**
+ * Integration — AgentManager.provisionSpawn compensating rollback.
+ *
+ * Covers Codex SPAWN-ROLLBACK critique (ses_001-hierarchy-redesign Phase 2
+ * adversarial review, 2026-04-18). Without the try/catch wrapper around the
+ * createSession → updateSession → createSubSession → workspace.create
+ * mutation block, a failure after createSession leaves an `active` child
+ * session with no subsession edge — invisible to the parent, but counted
+ * against `maxDelegationWidth` and visible to SessionStore.listSessions
+ * consumers (archive/delete flows in ThreadManager).
+ *
+ * Failure modes exercised:
+ *   A. Workspace driver throws on create. Subsession exists; must flip to
+ *      'failed' for audit. Child session must be hard-deleted.
+ *   B. Subsession insert fails (store injection). No subsession recorded.
+ *      Child session must be hard-deleted.
+ *
+ * Assertions in both cases:
+ *   - sendMessage rejects with the underlying error.
+ *   - SessionStore.listSessions(threadId) returns no row with the child id.
+ *   - Parent session remains untouched (status, currentActor).
+ *   - Fan-out cap reclaims the slot (next spawn succeeds up to the same
+ *     width).
+ */
+
+import { describe, expect, it } from 'vitest'
+import { EMPTY_TOKEN_USAGE } from '../../../constants/limits.js'
+import { AgentManager } from '../../../manager/agent/lifecycle.js'
+import { ThreadManager } from '../../../manager/thread/lifecycle.js'
+import { AgentRegistry } from '../../../registry/agent/definitions.js'
+import { InMemorySessionStore } from '../../../store/session/memory.js'
+import { InMemoryThreadStore } from '../../../store/thread/memory.js'
+import type {
+	AgentCapabilities,
+	AgentInput,
+	BaseAgentConfig,
+	BaseAgentResult,
+} from '../../../types/agent/base.js'
+import type { Agent } from '../../../types/agent/core.js'
+import type { AgentDefinition } from '../../../types/agent/factory.js'
+import type { AgentTaskContext, SendMessageOptions } from '../../../types/agent/task.js'
+import type { RunId, TenantId, UserId } from '../../../types/ids/index.js'
+import { createAssistantMessage } from '../../../types/message/index.js'
+import type { SummaryId } from '../../../types/session/ids.js'
+import { ZERO_COST } from '../../../utils/cost.js'
+import { DefaultCapacityValidator } from '../../handoff/capacity.js'
+import type { ActorRef } from '../../hierarchy/actor.js'
+import { SessionSummaryMaterializer } from '../../summary/materialize.js'
+import type {
+	BranchWorkspaceParams,
+	CreateWorkspaceParams,
+	WorkspaceBackendDriver,
+	WorkspaceInspection,
+} from '../../workspace/driver.js'
+import type { WorkspaceRef } from '../../workspace/ref.js'
+import { WorkspaceBackendRegistry } from '../../workspace/registry.js'
+
+const tenant = 'tnt_alpha' as TenantId
+
+const capabilities: AgentCapabilities = {
+	supportsTools: false,
+	supportsStreaming: false,
+	supportsConcurrency: false,
+	supportsSubAgents: false,
+}
+
+function buildAgent(id: string): Agent<BaseAgentConfig, BaseAgentResult> {
+	return {
+		type: 'reactive',
+		metadata: {
+			type: 'reactive',
+			id,
+			name: id,
+			version: '1.0.0',
+			category: 'test',
+			description: id,
+			capabilities,
+		},
+		run: async (_input: AgentInput, _config: BaseAgentConfig): Promise<BaseAgentResult> => ({
+			runId: 'run_child' as RunId,
+			status: 'completed',
+			usage: { ...EMPTY_TOKEN_USAGE },
+			cost: { ...ZERO_COST },
+			iterations: 1,
+			durationMs: 1,
+			messages: [createAssistantMessage('child did the work')],
+			result: 'child did the work',
+		}),
+		cancel: async () => undefined,
+		getCapabilities: () => capabilities,
+	}
+}
+
+function buildDefinition(agent: Agent<BaseAgentConfig, BaseAgentResult>): AgentDefinition {
+	return {
+		info: {
+			id: agent.metadata.id,
+			name: agent.metadata.name,
+			version: agent.metadata.version,
+			category: agent.metadata.category,
+			description: agent.metadata.description,
+			tools: [],
+			defaults: { model: 'test', tokenBudget: 1_000 },
+		},
+		typedAgent: agent,
+	}
+}
+
+class FailingWorkspaceDriver implements WorkspaceBackendDriver {
+	readonly kind = 'git-worktree' as const
+	createCalls = 0
+
+	async create(_params: CreateWorkspaceParams): Promise<WorkspaceRef> {
+		this.createCalls += 1
+		throw new Error('synthetic workspace backend failure')
+	}
+
+	async branch(_source: WorkspaceRef, _params: BranchWorkspaceParams): Promise<WorkspaceRef> {
+		throw new Error('unused in this test')
+	}
+
+	async dispose(_ref: WorkspaceRef): Promise<void> {
+		/* no-op */
+	}
+
+	async inspect(_ref: WorkspaceRef): Promise<WorkspaceInspection> {
+		throw new Error('unused in this test')
+	}
+}
+
+describe('provisionSpawn compensating rollback', () => {
+	it('workspace driver failure — deletes child session, marks subsession failed, leaves no orphan', async () => {
+		const store = new InMemorySessionStore()
+		const threadStore = new InMemoryThreadStore()
+		const project = await store.createProject(
+			{ tenantId: tenant, name: 'rollback-project' },
+			tenant,
+		)
+		const thread = await threadStore.createThread(
+			{ projectId: project.id, title: 'rollback-topic' },
+			tenant,
+		)
+
+		const userActor: ActorRef = {
+			kind: 'user',
+			userId: 'usr_root' as UserId,
+			tenantId: tenant,
+		}
+
+		const parentSession = await store.createSession(
+			{ threadId: thread.id, projectId: project.id, currentActor: userActor },
+			tenant,
+		)
+		await store.updateSession({ ...parentSession, status: 'active' }, tenant)
+
+		let summaryCounter = 0
+		const materializer = new SessionSummaryMaterializer({
+			store,
+			generateSummaryId: () => `sum_test_${++summaryCounter}` as SummaryId,
+		})
+
+		const registry = new AgentRegistry()
+		registry.register(buildDefinition(buildAgent('worker')))
+
+		const workspaceRegistry = new WorkspaceBackendRegistry()
+		const failingDriver = new FailingWorkspaceDriver()
+		workspaceRegistry.register(failingDriver)
+
+		const threadManager = new ThreadManager({ threadStore, sessionStore: store })
+		const manager = new AgentManager(registry, undefined, {
+			sessionStore: store,
+			summaryMaterializer: materializer,
+			workspaceRegistry,
+			capacity: new DefaultCapacityValidator(store),
+			threadManager,
+		})
+
+		const taskContext: AgentTaskContext = {
+			parentRunId: 'run_parent' as RunId,
+			parentAgentId: 'supervisor',
+			parentAbortController: new AbortController(),
+			depth: 0,
+			budgetTracker: { total: 100_000, remaining: 100_000 },
+			tenantId: tenant,
+			threadId: thread.id,
+			sessionId: parentSession.id,
+			projectId: project.id,
+			parentActor: userActor,
+		}
+
+		const options: SendMessageOptions = {
+			agentId: 'worker',
+			input: { messages: [], workingDirectory: '/tmp' },
+			parentSessionId: parentSession.id,
+			tenantId: tenant,
+			projectId: project.id,
+			parentActor: userActor,
+			workspaceBackend: 'git-worktree',
+		}
+
+		await expect(manager.sendMessage(options, taskContext)).rejects.toThrow(
+			'synthetic workspace backend failure',
+		)
+		expect(failingDriver.createCalls).toBe(1)
+
+		// Child session is gone — archive/delete flows and fan-out caps see
+		// zero child attached to the thread beyond the parent.
+		const sessionsOnThread = await store.listSessions(thread.id, tenant)
+		expect(sessionsOnThread.map((s) => s.id)).toEqual([parentSession.id])
+
+		// Parent session is untouched.
+		const refetchedParent = await store.getSession(parentSession.id, tenant)
+		expect(refetchedParent?.status).toBe('active')
+		expect(refetchedParent?.currentActor).toEqual(userActor)
+
+		// No subsession breadcrumb — `subsession_spawned` never fired
+		// (provisionSpawn aborted before buildSpawnRecord), so nothing is
+		// expecting an audit row. Leaving a `status: 'failed'` record would
+		// dangle with no corresponding emission.
+		const subsessions = await store.getChildren(parentSession.id, tenant)
+		expect(subsessions).toHaveLength(0)
+	})
+
+	it('repeated rollback does not accumulate orphan sessions or subsessions', async () => {
+		const store = new InMemorySessionStore()
+		const threadStore = new InMemoryThreadStore()
+		const project = await store.createProject(
+			{
+				tenantId: tenant,
+				name: 'rollback-repeat-project',
+			},
+			tenant,
+		)
+		const thread = await threadStore.createThread(
+			{ projectId: project.id, title: 'rollback-width-topic' },
+			tenant,
+		)
+
+		const userActor: ActorRef = {
+			kind: 'user',
+			userId: 'usr_root' as UserId,
+			tenantId: tenant,
+		}
+
+		const parentSession = await store.createSession(
+			{ threadId: thread.id, projectId: project.id, currentActor: userActor },
+			tenant,
+		)
+		await store.updateSession({ ...parentSession, status: 'active' }, tenant)
+
+		let summaryCounter = 0
+		const materializer = new SessionSummaryMaterializer({
+			store,
+			generateSummaryId: () => `sum_test_${++summaryCounter}` as SummaryId,
+		})
+
+		const registry = new AgentRegistry()
+		registry.register(buildDefinition(buildAgent('worker')))
+
+		const workspaceRegistry = new WorkspaceBackendRegistry()
+		workspaceRegistry.register(new FailingWorkspaceDriver())
+
+		const threadManager = new ThreadManager({ threadStore, sessionStore: store })
+		const manager = new AgentManager(registry, undefined, {
+			sessionStore: store,
+			summaryMaterializer: materializer,
+			workspaceRegistry,
+			capacity: new DefaultCapacityValidator(store),
+			threadManager,
+		})
+
+		const taskContext: AgentTaskContext = {
+			parentRunId: 'run_parent' as RunId,
+			parentAgentId: 'supervisor',
+			parentAbortController: new AbortController(),
+			depth: 0,
+			budgetTracker: { total: 100_000, remaining: 100_000 },
+			tenantId: tenant,
+			threadId: thread.id,
+			sessionId: parentSession.id,
+			projectId: project.id,
+			parentActor: userActor,
+		}
+
+		const options: SendMessageOptions = {
+			agentId: 'worker',
+			input: { messages: [], workingDirectory: '/tmp' },
+			parentSessionId: parentSession.id,
+			tenantId: tenant,
+			projectId: project.id,
+			parentActor: userActor,
+			workspaceBackend: 'git-worktree',
+		}
+
+		// Two consecutive failing spawns. Without rollback, two orphan
+		// `active` child sessions would accumulate; with rollback, each
+		// attempt cleans up after itself and the store stays at { parent }.
+		await expect(manager.sendMessage(options, taskContext)).rejects.toThrow(
+			'synthetic workspace backend failure',
+		)
+		await expect(manager.sendMessage(options, taskContext)).rejects.toThrow(
+			'synthetic workspace backend failure',
+		)
+
+		// Still no child session under the thread.
+		const sessionsOnThread = await store.listSessions(thread.id, tenant)
+		expect(sessionsOnThread.map((s) => s.id)).toEqual([parentSession.id])
+
+		// No lingering subsession rows — both attempts rolled back cleanly.
+		const subsessions = await store.getChildren(parentSession.id, tenant)
+		expect(subsessions).toHaveLength(0)
+	})
+})

package/src/session/__tests__/integration/summary-materialization-e2e.test.ts

@@ -18,18 +18,20 @@
 import { describe, expect, it } from 'vitest'
 import { InMemorySessionStore } from '../../../store/session/memory.js'
 import type { SessionId } from '../../../types/ids/index.js'
-import type { SummaryId } from '../../../types/session/ids.js'
+import type { SummaryId, ThreadId } from '../../../types/session/ids.js'
 import { SessionSummaryMaterializer } from '../../summary/materialize.js'
 import { SessionAlreadySummarizedError } from '../../summary/ref.js'
 import { DEFAULT_TENANT, agentActor } from './_fixtures.js'
 
+const TEST_THREAD_ID = 'thd_test' as ThreadId
+
 async function seedActive(store: InMemorySessionStore) {
 	const project = await store.createProject(
 		{ tenantId: DEFAULT_TENANT, name: 'summary' },
 		DEFAULT_TENANT,
 	)
 	const session = await store.createSession(
-		{ projectId: project.id, currentActor: agentActor('agt_worker') },
+		{ threadId: TEST_THREAD_ID, projectId: project.id, currentActor: agentActor('agt_worker') },
 		DEFAULT_TENANT,
 	)
 	await store.updateSession({ ...session, status: 'active' }, DEFAULT_TENANT)

package/src/session/__tests__/integration/tenant-isolation.test.ts

@@ -14,10 +14,12 @@
 import { describe, expect, it } from 'vitest'
 import { InMemorySessionStore } from '../../../store/session/memory.js'
 import { createUserMessage } from '../../../types/message/index.js'
-import type { ProjectId, SubSessionId, SummaryId } from '../../../types/session/ids.js'
+import type { ProjectId, SubSessionId, SummaryId, ThreadId } from '../../../types/session/ids.js'
 import { TenantIsolationError } from '../../errors.js'
 import { DEFAULT_TENANT, OTHER_TENANT, agentActor, userActor } from './_fixtures.js'
 
+const TEST_THREAD_ID = 'thd_test' as ThreadId
+
 async function seedTenantAResources() {
 	const store = new InMemorySessionStore()
 	const project = await store.createProject(
@@ -25,11 +27,11 @@ async function seedTenantAResources() {
 		DEFAULT_TENANT,
 	)
 	const parent = await store.createSession(
-		{ projectId: project.id, currentActor: userActor('usr_a') },
+		{ threadId: TEST_THREAD_ID, projectId: project.id, currentActor: userActor('usr_a') },
 		DEFAULT_TENANT,
 	)
 	const child = await store.createSession(
-		{ projectId: project.id, currentActor: agentActor('agt_a') },
+		{ threadId: TEST_THREAD_ID, projectId: project.id, currentActor: agentActor('agt_a') },
 		DEFAULT_TENANT,
 	)
 	const sub = await store.createSubSession(
@@ -200,7 +202,11 @@ describe('Integration — tenant isolation', () => {
 		const { store, project } = await seedTenantAResources()
 		await expect(
 			store.createSession(
-				{ projectId: project.id, currentActor: userActor('usr_intruder', OTHER_TENANT) },
+				{
+					threadId: TEST_THREAD_ID,
+					projectId: project.id,
+					currentActor: userActor('usr_intruder', OTHER_TENANT),
+				},
 				OTHER_TENANT,
 			),
 		).rejects.toBeInstanceOf(TenantIsolationError)
@@ -232,7 +238,11 @@ describe('Integration — tenant isolation', () => {
 			OTHER_TENANT,
 		)
 		const otherChild = await store.createSession(
-			{ projectId: otherProject.id, currentActor: userActor('usr_other', OTHER_TENANT) },
+			{
+				threadId: TEST_THREAD_ID,
+				projectId: otherProject.id,
+				currentActor: userActor('usr_other', OTHER_TENANT),
+			},
 			OTHER_TENANT,
 		)
 
@@ -264,7 +274,7 @@ describe('Integration — tenant isolation', () => {
 			await store.createProject({ tenantId: DEFAULT_TENANT, name: 'del' }, DEFAULT_TENANT)
 		).id
 		const lonely = await store.createSession(
-			{ projectId: project, currentActor: userActor('usr_lonely') },
+			{ threadId: TEST_THREAD_ID, projectId: project, currentActor: userActor('usr_lonely') },
 			DEFAULT_TENANT,
 		)
 		await expect(store.deleteSession(lonely.id, OTHER_TENANT)).rejects.toBeInstanceOf(

package/src/session/errors.ts

@@ -8,6 +8,8 @@
  */
 
 import type { SessionId, TenantId } from '../types/ids/index.js'
+import type { ThreadId } from '../types/session/ids.js'
+import type { SessionStatus } from './hierarchy/session.js'
 import type { WorkspaceBackendKind } from './workspace/driver.js'
 
 /**
@@ -68,3 +70,90 @@ export class WorkspaceBackendError extends Error {
 		this.details = details
 	}
 }
+
+/**
+ * Raised by {@link import('../types/thread/store.js').ThreadStore.updateThread}
+ * when the supplied {@link Thread.ownerVersion} does not match the persisted
+ * record. The caller must re-read via `getThread`, re-apply its intended
+ * mutation on top of the fresh record, and retry. Mirrors the Session
+ * handoff CAS pattern (§6.1).
+ */
+export class StaleThreadError extends Error {
+	readonly details: {
+		threadId: ThreadId
+		expectedVersion: number
+		actualVersion: number
+	}
+
+	constructor(details: { threadId: ThreadId; expectedVersion: number; actualVersion: number }) {
+		super(
+			`Stale Thread ${details.threadId}: expected ownerVersion=${details.expectedVersion}, actual=${details.actualVersion}`,
+		)
+		this.name = 'StaleThreadError'
+		this.details = details
+	}
+}
+
+/**
+ * Raised by the spawn path (and any caller that enforces the open-thread
+ * precondition) when a Thread is in `'archived'` state and would-be mutations
+ * require it to be `'open'`. Convention #5: deny-by-default — archival is a
+ * hard read-only boundary.
+ */
+export class ThreadClosedError extends Error {
+	readonly details: {
+		threadId: ThreadId
+		op: string
+	}
+
+	constructor(details: { threadId: ThreadId; op: string }) {
+		super(`Thread ${details.threadId} is archived; operation '${details.op}' rejected`)
+		this.name = 'ThreadClosedError'
+		this.details = details
+	}
+}
+
+/**
+ * Raised by {@link import('../manager/thread/lifecycle.js').ThreadManager.archive}
+ * and `.delete` when the Thread's session-presence precondition is violated:
+ *
+ * - `op: 'archive'` — at least one Session under the Thread is in a
+ *   non-terminal state (`active | locked | awaiting_hitl | awaiting_merge`).
+ *   The caller must first quiesce those sessions (let them reach `idle`,
+ *   `failed`, or `archived`) before flipping the Thread to archived.
+ * - `op: 'delete'` — the Thread still has at least one attached Session.
+ *   Callers must either archive + tombstone those sessions (`deleteSession`)
+ *   before calling `deleteThread`, or accept that deletion is not yet safe.
+ *
+ * `blockingSessions` carries the first {@link THREAD_NOT_EMPTY_SAMPLE_LIMIT}
+ * offenders with their current status so operator tooling can surface an
+ * actionable list without unbounded error payloads on large threads.
+ * `totalBlockingSessions` holds the full count even when the sample is
+ * truncated. Convention #5: deny-by-default — no implicit cascade, no silent
+ * no-op.
+ */
+export const THREAD_NOT_EMPTY_SAMPLE_LIMIT = 50
+
+export class ThreadNotEmptyError extends Error {
+	readonly details: {
+		threadId: ThreadId
+		tenantId: TenantId
+		op: 'archive' | 'delete'
+		blockingSessions: ReadonlyArray<{ sessionId: SessionId; status: SessionStatus }>
+		totalBlockingSessions: number
+	}
+
+	constructor(details: {
+		threadId: ThreadId
+		tenantId: TenantId
+		op: 'archive' | 'delete'
+		blockingSessions: ReadonlyArray<{ sessionId: SessionId; status: SessionStatus }>
+		totalBlockingSessions: number
+	}) {
+		super(
+			`Thread ${details.threadId} ${details.op} blocked: ${details.totalBlockingSessions} session(s) still attached`,
+		)
+		this.name = 'ThreadNotEmptyError'
+		this.details = details
+	}
+}