agent-relay-server 0.11.6 → 0.11.9

package/runner/src/adapter.ts

@@ -12,6 +12,10 @@ export interface ProviderStatusEvent {
     status: string;
     id?: string;
     timestamp?: number;
+    title?: string;
+    body?: string;
+    icon?: string;
+    metadata?: Record<string, unknown>;
   };
   id?: string;
   label?: string;

package/src/bus.ts

@@ -159,6 +159,7 @@ function handleFrame(ws: BusWebSocket, frame: ReturnType<typeof validateClientFr
         }
         const after = getAgent(conn.agentId);
         auditProviderStateTransition(conn.agentId, before, after);
+        auditRunnerTimelineEvent(conn.agentId, after?.meta?.timelineEvent);
         // A real PreCompact/SessionStart hook arrives as a timelineEvent in the
         // merged meta — clears any pending stall watch (stale events ignored).
         noteAgentTimelineEvent(conn.agentId, after?.meta?.timelineEvent);
@@ -558,6 +559,47 @@ function auditProviderStateTransition(agentId: string, before: AgentCard | null
   }
 }
 
+function auditRunnerTimelineEvent(agentId: string, timelineEvent: unknown): void {
+  if (!isRecord(timelineEvent)) return;
+  const metadata = isRecord(timelineEvent.metadata) ? timelineEvent.metadata : {};
+  if (metadata.source !== "runner") return;
+  const status = stringValue(timelineEvent.status);
+  if (!status) return;
+  const eventType = stringValue(metadata.eventType) ?? status;
+  const timestamp = numberValue(timelineEvent.timestamp) ?? Date.now();
+  const id = stringValue(timelineEvent.id) ?? `${eventType}-${timestamp}`;
+  const title = stringValue(timelineEvent.title) ?? status.replace(/[._-]+/g, " ");
+  const body = stringValue(timelineEvent.body);
+  const icon = stringValue(timelineEvent.icon) ?? "ti-activity";
+  try {
+    const event = createActivityEvent({
+      clientId: `runner-timeline-${agentId}-${id}`,
+      kind: "state",
+      title,
+      body,
+      meta: agentId,
+      icon,
+      view: "agents",
+      agentId,
+      metadata: {
+        ...metadata,
+        eventType,
+        timelineStatus: status,
+        timelineId: id,
+        timelineTimestamp: timestamp,
+      },
+    });
+    emitRelayEvent({
+      type: "activity.created",
+      source: "server",
+      subject: String(event.id),
+      data: event as unknown as Record<string, unknown>,
+    });
+  } catch {
+    // Timeline writes must never block bus status updates.
+  }
+}
+
 function providerStateFromAgent(agent: AgentCard | null | undefined): Record<string, unknown> | null {
   const value = agent?.meta?.providerState;
   if (!isRecord(value) || typeof value.state !== "string") return null;

package/src/config-store.ts

@@ -7,13 +7,17 @@ import type {
   ConfigHistoryEntry,
   ManagedAgentState,
   ManagedAgentStatus,
+  SpawnApprovalMode,
   SpawnPolicy,
   SpawnProvider,
+  StewardConfig,
 } from "./types";
 
 const CONFIG_HISTORY_LIMIT = 50;
 const SPAWN_POLICY_NAMESPACE = "spawn-policy";
 const AGENT_PROFILE_NAMESPACE = "agent-profile";
+const STEWARD_NAMESPACE = "steward";
+const STEWARD_KEY = "default";
 const VALID_PROVIDERS = ["claude", "codex"] as const;
 const VALID_PROFILE_PROVIDERS = ["any", "claude", "codex"] as const;
 const VALID_PROFILE_BASES = ["host", "minimal", "isolated"] as const;
@@ -390,10 +394,42 @@ function cleanBinding(value: unknown): NonNullable<SpawnPolicy["binding"]> {
   };
 }
 
+const STEWARD_CONFIG_DEFAULTS: StewardConfig = {
+  enabled: false,
+  provider: "claude",
+  permissionMode: "open",
+  keepaliveSeconds: 300,
+};
+
+function validateStewardConfig(value: unknown): StewardConfig {
+  if (!isRecord(value)) throw new ValidationError("steward config value must be an object");
+  const config: StewardConfig = {
+    enabled: value.enabled === undefined ? false : cleanBoolean(value.enabled, "enabled"),
+    provider: cleanEnum(value.provider, "provider", VALID_PROVIDERS) as SpawnProvider,
+    model: cleanString(value.model, "model", { max: 120 }),
+    effort: value.effort === undefined || value.effort === null ? undefined : cleanEnum(value.effort, "effort", VALID_EFFORTS) as ProviderEffort,
+    permissionMode: (value.permissionMode === undefined || value.permissionMode === null
+      ? "open"
+      : cleanEnum(value.permissionMode, "permissionMode", VALID_PERMISSION_MODES)) as SpawnApprovalMode,
+    keepaliveSeconds: value.keepaliveSeconds === undefined || value.keepaliveSeconds === null
+      ? 300
+      : cleanNumber(value.keepaliveSeconds, "keepaliveSeconds", { min: 0, max: 2_592_000 }),
+  };
+  // Reject a provider/model/effort combo the catalog can't resolve before it ever
+  // reaches a spawn (same guard as spawn policies).
+  try {
+    resolveProviderSelection({ provider: config.provider, model: config.model, effort: config.effort });
+  } catch (error) {
+    throw new ValidationError(error instanceof Error ? error.message : String(error));
+  }
+  return config;
+}
+
 function normalizeValue(namespace: string, key: string, value: unknown): unknown {
   if (value === undefined) throw new ValidationError("value required");
   if (namespace === SPAWN_POLICY_NAMESPACE) return validateSpawnPolicy(key, value);
   if (namespace === AGENT_PROFILE_NAMESPACE) return validateAgentProfile(key, value);
+  if (namespace === STEWARD_NAMESPACE) return validateStewardConfig(value);
   if (JSON.stringify(value) === undefined) throw new ValidationError("value must be valid JSON");
   return value;
 }
@@ -485,6 +521,28 @@ function setSpawnPolicy(policy: SpawnPolicy, updatedBy?: string): ConfigEntry<Sp
   return setConfig(SPAWN_POLICY_NAMESPACE, policy.name, policy, updatedBy);
 }
 
+/** Global steward config, merged over defaults (always returns a usable value). */
+export function getStewardConfig(): StewardConfig {
+  const entry = getConfig<StewardConfig>(STEWARD_NAMESPACE, STEWARD_KEY);
+  return entry ? { ...STEWARD_CONFIG_DEFAULTS, ...entry.value } : { ...STEWARD_CONFIG_DEFAULTS };
+}
+
+export function getStewardConfigEntry(): ConfigEntry<StewardConfig> {
+  const entry = getConfig<StewardConfig>(STEWARD_NAMESPACE, STEWARD_KEY);
+  return entry ?? {
+    namespace: STEWARD_NAMESPACE,
+    key: STEWARD_KEY,
+    value: { ...STEWARD_CONFIG_DEFAULTS },
+    version: 0,
+    updatedAt: "default",
+    updatedBy: "system",
+  };
+}
+
+export function setStewardConfig(value: unknown, updatedBy?: string): ConfigEntry<StewardConfig> {
+  return setConfig(STEWARD_NAMESPACE, STEWARD_KEY, value as StewardConfig, updatedBy);
+}
+
 function builtInProfileEntry(profile: AgentProfile): ConfigEntry<AgentProfile> {
   return {
     namespace: AGENT_PROFILE_NAMESPACE,

package/src/config.ts

@@ -24,6 +24,10 @@ export const OFFLINE_PRUNE_MS = envPositiveInt("OFFLINE_PRUNE_MS", DAY_MS); // 2
 export const REAP_INTERVAL_MS = envPositiveInt("REAP_INTERVAL_MS", 60_000); // reaper cadence
 export const CLAIM_LEASE_MS = envPositiveInt("AGENT_RELAY_CLAIM_LEASE_MS", 1_800_000); // 30min claim lease
 export const POOL_CLAIM_LEASE_MS = envPositiveInt("AGENT_RELAY_POOL_CLAIM_LEASE_MS", STALE_TTL_MS * 3); // pool binding lease
+// Per-repo merge serialization lease — only one base merge may run at a time per
+// repo. Held from when a workspace.merge command is dispatched until it settles
+// (or this TTL expires, in case the orchestrator never reports back).
+export const WORKSPACE_MERGE_LEASE_MS = envPositiveInt("AGENT_RELAY_WORKSPACE_MERGE_LEASE_MS", 900_000); // 15min
 
 // Max body size for any POST/PATCH request (64 KiB).
 export const MAX_BODY_BYTES = 64 * 1024;

package/src/db.ts

@@ -71,7 +71,7 @@ import type {
   WorkspaceRecord,
   WorkspaceStatus,
 } from "./types";
-import { STALE_TTL_MS, DAY_MS, CLAIM_LEASE_MS, POOL_CLAIM_LEASE_MS } from "./config";
+import { STALE_TTL_MS, DAY_MS, CLAIM_LEASE_MS, POOL_CLAIM_LEASE_MS, WORKSPACE_MERGE_LEASE_MS } from "./config";
 
 let db: Database;
 const CONTEXT_SNAPSHOT_DEBOUNCE_MS = 60_000;
@@ -379,6 +379,31 @@ export function initDb(path: string = "agent-relay.db"): Database {
     CREATE INDEX IF NOT EXISTS idx_workspaces_owner_agent ON workspaces(owner_agent_id);
     CREATE INDEX IF NOT EXISTS idx_workspaces_policy ON workspaces(owner_policy_name);
 
+    -- Persistent per-repo steward record. Keyed to the repo, not a live agent, so
+    -- it survives a full all-agents-offline gap: steward_agent_id goes NULL
+    -- (dormant) while last_steward_agent_id preserves continuity, and the row is
+    -- re-filled when an agent rejoins the repo. This is the durable backing store
+    -- the steward column on workspace rows mirrors for display/maintenance.
+    CREATE TABLE IF NOT EXISTS repo_stewards (
+      repo_root TEXT PRIMARY KEY,
+      steward_agent_id TEXT,
+      last_steward_agent_id TEXT,
+      elected_at INTEGER,
+      updated_at INTEGER NOT NULL
+    );
+
+    -- Per-repo merge serialization lease. Exactly one base merge may be in flight
+    -- per repo; a second merge request is rejected until the holder settles or the
+    -- lease expires. Atomicity comes from the repo_root PRIMARY KEY + expiry guard.
+    CREATE TABLE IF NOT EXISTS workspace_merge_leases (
+      repo_root TEXT PRIMARY KEY,
+      workspace_id TEXT NOT NULL,
+      command_id TEXT,
+      holder TEXT,
+      acquired_at INTEGER NOT NULL,
+      expires_at INTEGER NOT NULL
+    );
+
     CREATE TABLE IF NOT EXISTS tasks (
       id INTEGER PRIMARY KEY AUTOINCREMENT,
       source TEXT NOT NULL,
@@ -1692,6 +1717,9 @@ export function upsertAgent(input: RegisterAgentInput): AgentCard {
   const agent = getAgent(input.id)!;
   if (agent.kind === "channel") upsertChannelForAgent(agent);
   evaluatePoolBindings();
+  // A (re)joining agent may revive a dormant repo steward — re-elect for the
+  // repos it owns live workspaces in (issue #157, steward survives offline gap).
+  if (agent.status !== "offline") electWorkspaceStewardsForAgent(agent.id);
   return agent;
 }
 
@@ -4140,13 +4168,16 @@ function relayConversationId(message: Message): string | undefined {
 }
 
 function isCoveredByLaterAgentResponse(message: Message, agentId: string): boolean {
+  // Order by id, not created_at: ids are monotonic insertion order, so this is
+  // robust when a reply lands in the same millisecond as the message it covers
+  // (created_at > … strictly would miss it, leaving the message wrongly pending).
   const replies = (db.prepare(`
     ${MSG_SELECT}
     WHERE m.from_agent = ?
-      AND m.created_at > ?
-    ORDER BY m.created_at ASC
+      AND m.id > ?
+    ORDER BY m.id ASC
     LIMIT 200
-  `).all(agentId, message.createdAt) as any[]).map(rowToMessage);
+  `).all(agentId, message.id) as any[]).map(rowToMessage);
 
   const conversationId = relayConversationId(message);
   return replies.some((reply) => {
@@ -5108,31 +5139,203 @@ export function updateWorkspaceStatus(id: string, status: WorkspaceStatus, metad
   return getWorkspace(id);
 }
 
+// Workspace statuses that count as "live" for stewardship — an agent owning one
+// of these is a candidate steward; the repo is worth coordinating.
+const STEWARD_LIVE_STATUSES = "'active', 'ready', 'conflict', 'review_requested', 'merge_planned'";
+
+export interface RepoStewardRecord {
+  repoRoot: string;
+  stewardAgentId?: string;
+  lastStewardAgentId?: string;
+  electedAt?: number;
+  updatedAt: number;
+}
+
+function rowToRepoSteward(row: any): RepoStewardRecord {
+  return {
+    repoRoot: row.repo_root,
+    stewardAgentId: row.steward_agent_id ?? undefined,
+    lastStewardAgentId: row.last_steward_agent_id ?? undefined,
+    electedAt: row.elected_at ?? undefined,
+    updatedAt: row.updated_at,
+  };
+}
+
+export function getRepoSteward(repoRoot: string): RepoStewardRecord | null {
+  const row = db.prepare("SELECT * FROM repo_stewards WHERE repo_root = ?").get(repoRoot) as any;
+  return row ? rowToRepoSteward(row) : null;
+}
+
+export function listRepoStewards(): RepoStewardRecord[] {
+  return (db.prepare("SELECT * FROM repo_stewards ORDER BY updated_at DESC").all() as any[]).map(rowToRepoSteward);
+}
+
+// Persist the elected steward for a repo. The row is never deleted, so a repo's
+// stewardship survives a full all-agents-offline gap (steward goes NULL/dormant,
+// last_steward_agent_id keeps continuity) and resumes on the next agent join.
+function upsertRepoSteward(repoRoot: string, steward: string | null, now: number): void {
+  db.prepare(`
+    INSERT INTO repo_stewards (repo_root, steward_agent_id, last_steward_agent_id, elected_at, updated_at)
+    VALUES ($repoRoot, $steward, $steward, $electedAt, $now)
+    ON CONFLICT(repo_root) DO UPDATE SET
+      steward_agent_id = $steward,
+      last_steward_agent_id = coalesce($steward, repo_stewards.last_steward_agent_id),
+      elected_at = CASE
+        WHEN $steward IS NOT NULL AND $steward IS NOT repo_stewards.steward_agent_id THEN $now
+        ELSE repo_stewards.elected_at
+      END,
+      updated_at = $now
+  `).run({ $repoRoot: repoRoot, $steward: steward, $electedAt: steward ? now : null, $now: now });
+}
+
 function electWorkspaceStewards(repoRoot?: string): void {
   const params: string[] = repoRoot ? [repoRoot] : [];
   const repoRows = db.prepare(`
     SELECT DISTINCT repo_root FROM workspaces
-    WHERE status IN ('active', 'ready', 'conflict', 'review_requested', 'merge_planned')
+    WHERE status IN (${STEWARD_LIVE_STATUSES})
     ${repoRoot ? "AND repo_root = ?" : ""}
   `).all(...params) as Array<{ repo_root: string }>;
+  const now = Date.now();
   for (const row of repoRows) {
-    const current = db.prepare(`
-      SELECT steward_agent_id FROM workspaces
-      WHERE repo_root = ? AND steward_agent_id IS NOT NULL AND status IN ('active', 'ready', 'conflict', 'review_requested', 'merge_planned')
-      LIMIT 1
-    `).get(row.repo_root) as { steward_agent_id?: string } | undefined;
-    const currentAgent = current?.steward_agent_id ? getAgent(current.steward_agent_id) : null;
-    const steward = currentAgent && currentAgent.status !== "offline" && current?.steward_agent_id
-      ? current.steward_agent_id
-      : ((db.prepare(`
-          SELECT owner_agent_id FROM workspaces
-          WHERE repo_root = ? AND owner_agent_id IS NOT NULL AND status IN ('active', 'ready', 'conflict', 'review_requested', 'merge_planned')
-          ORDER BY created_at ASC
-          LIMIT 1
-        `).get(row.repo_root) as { owner_agent_id?: string } | undefined)?.owner_agent_id);
-    db.prepare("UPDATE workspaces SET steward_agent_id = ?, updated_at = ? WHERE repo_root = ? AND status IN ('active', 'ready', 'conflict', 'review_requested', 'merge_planned')")
-      .run(steward ?? null, Date.now(), row.repo_root);
+    // Candidate pool: owners of live workspaces in this repo who are online,
+    // oldest first. A steward must be an online agent actively in the repo — an
+    // offline agent can't coordinate, so it is never elected (the old bug).
+    const pool = (db.prepare(`
+      SELECT w.owner_agent_id AS id, MIN(w.created_at) AS created_at
+      FROM workspaces w JOIN agents a ON a.id = w.owner_agent_id
+      WHERE w.repo_root = ? AND w.owner_agent_id IS NOT NULL
+        AND a.status != 'offline' AND w.status IN (${STEWARD_LIVE_STATUSES})
+      GROUP BY w.owner_agent_id
+      ORDER BY created_at ASC
+    `).all(row.repo_root) as Array<{ id: string }>).map((r) => r.id);
+
+    // Keep the current steward if it is still in the pool (stable election);
+    // otherwise promote the oldest online owner, else go dormant (null).
+    const current = getRepoSteward(row.repo_root)?.stewardAgentId ?? null;
+    const steward = (current && pool.includes(current) ? current : pool[0]) ?? null;
+
+    upsertRepoSteward(row.repo_root, steward, now);
+    // Mirror onto live workspace rows only when the steward actually changed, so
+    // re-elections don't churn updated_at and reset the auto-abandon clock for a
+    // dormant repo (a stranded review_requested must still age out).
+    if (steward !== current) {
+      db.prepare(`UPDATE workspaces SET steward_agent_id = ?, updated_at = ? WHERE repo_root = ? AND status IN (${STEWARD_LIVE_STATUSES})`)
+        .run(steward, now, row.repo_root);
+    }
+  }
+}
+
+// Public re-election trigger that does not change any workspace status — used by
+// maintenance to revive a dormant steward (e.g. on the next agent join) before
+// deciding whether a stranded worktree needs escalation.
+export function reelectRepoSteward(repoRoot: string): void {
+  electWorkspaceStewards(repoRoot);
+}
+
+// Merge a metadata patch into a workspace WITHOUT bumping updated_at or running a
+// steward election. For maintenance bookkeeping (stranded/escalation markers)
+// that must not disturb age-based GC timers. undefined values delete keys.
+export function patchWorkspaceMetadata(id: string, patch: Record<string, unknown>): WorkspaceRecord | null {
+  const existing = getWorkspace(id);
+  if (!existing) return null;
+  const next = { ...existing.metadata };
+  for (const [k, v] of Object.entries(patch)) {
+    if (v === undefined) delete next[k];
+    else next[k] = v;
   }
+  db.prepare("UPDATE workspaces SET metadata = ? WHERE id = ?").run(JSON.stringify(next), id);
+  return getWorkspace(id);
+}
+
+// Re-elect stewards for every repo where an agent owns a live workspace. Called
+// when an agent (re)registers so a dormant repo regains a steward on rejoin
+// without a full unscoped sweep.
+function electWorkspaceStewardsForAgent(agentId: string): void {
+  const repos = db.prepare(`
+    SELECT DISTINCT repo_root FROM workspaces
+    WHERE owner_agent_id = ? AND status IN (${STEWARD_LIVE_STATUSES})
+  `).all(agentId) as Array<{ repo_root: string }>;
+  for (const r of repos) electWorkspaceStewards(r.repo_root);
+}
+
+// --- Per-repo merge serialization lease (issue #157) -----------------------
+
+export interface MergeLeaseRecord {
+  repoRoot: string;
+  workspaceId: string;
+  commandId?: string;
+  holder?: string;
+  acquiredAt: number;
+  expiresAt: number;
+}
+
+function rowToMergeLease(row: any): MergeLeaseRecord {
+  return {
+    repoRoot: row.repo_root,
+    workspaceId: row.workspace_id,
+    commandId: row.command_id ?? undefined,
+    holder: row.holder ?? undefined,
+    acquiredAt: row.acquired_at,
+    expiresAt: row.expires_at,
+  };
+}
+
+export function getMergeLease(repoRoot: string): MergeLeaseRecord | null {
+  const row = db.prepare("SELECT * FROM workspace_merge_leases WHERE repo_root = ?").get(repoRoot) as any;
+  return row ? rowToMergeLease(row) : null;
+}
+
+export function listMergeLeases(): MergeLeaseRecord[] {
+  return (db.prepare("SELECT * FROM workspace_merge_leases ORDER BY acquired_at DESC").all() as any[]).map(rowToMergeLease);
+}
+
+export function releaseExpiredMergeLeases(now: number = Date.now()): string[] {
+  const expired = db.prepare("SELECT repo_root FROM workspace_merge_leases WHERE expires_at <= ?").all(now) as Array<{ repo_root: string }>;
+  if (!expired.length) return [];
+  db.prepare("DELETE FROM workspace_merge_leases WHERE expires_at <= ?").run(now);
+  return expired.map((r) => r.repo_root);
+}
+
+// Atomically acquire the per-repo merge lease. Succeeds if no live lease is held
+// for the repo (or the existing one has expired). Serialized via db.transaction
+// so two concurrent merge requests for the same repo can't both win.
+export function acquireMergeLease(
+  repoRoot: string,
+  workspaceId: string,
+  holder?: string,
+): { ok: true; lease: MergeLeaseRecord } | { ok: false; lease: MergeLeaseRecord } {
+  return db.transaction(() => {
+    const now = Date.now();
+    const existing = getMergeLease(repoRoot);
+    if (existing && existing.expiresAt > now) return { ok: false as const, lease: existing };
+    const expiresAt = now + WORKSPACE_MERGE_LEASE_MS;
+    db.prepare(`
+      INSERT INTO workspace_merge_leases (repo_root, workspace_id, command_id, holder, acquired_at, expires_at)
+      VALUES (?, ?, NULL, ?, ?, ?)
+      ON CONFLICT(repo_root) DO UPDATE SET
+        workspace_id = excluded.workspace_id, command_id = NULL, holder = excluded.holder,
+        acquired_at = excluded.acquired_at, expires_at = excluded.expires_at
+    `).run(repoRoot, workspaceId, holder ?? null, now, expiresAt);
+    return { ok: true as const, lease: getMergeLease(repoRoot)! };
+  })();
+}
+
+// Attach the dispatched command id to a held lease so it can be released by
+// command id when the merge settles.
+export function setMergeLeaseCommand(repoRoot: string, commandId: string): void {
+  db.prepare("UPDATE workspace_merge_leases SET command_id = ? WHERE repo_root = ?").run(commandId, repoRoot);
+}
+
+// Release a merge lease. Guard by commandId/workspaceId when known so a stale
+// release can't drop a newer lease for the same repo.
+export function releaseMergeLease(opts: { repoRoot?: string; commandId?: string; workspaceId?: string }): boolean {
+  const where: string[] = [];
+  const params: string[] = [];
+  if (opts.repoRoot) { where.push("repo_root = ?"); params.push(opts.repoRoot); }
+  if (opts.commandId) { where.push("command_id = ?"); params.push(opts.commandId); }
+  if (opts.workspaceId) { where.push("workspace_id = ?"); params.push(opts.workspaceId); }
+  if (!where.length) return false;
+  return db.prepare(`DELETE FROM workspace_merge_leases WHERE ${where.join(" AND ")}`).run(...params).changes > 0;
 }
 
 export function deleteOrchestrator(id: string): boolean {