agent-relay-server 0.11.6 → 0.11.9

package/src/maintenance.ts

@@ -9,22 +9,31 @@ import {
   createActivityEvent,
   evaluatePoolBindings,
   expireQueuedMessages,
+  getAgent,
   getDb,
+  getRepoSteward,
+  getWorkspace,
   listOrchestrators,
   listWorkspaces,
+  patchWorkspaceMetadata,
   pruneOfflineAgents,
   pruneOldMessages,
   deleteWorkspace,
   pruneOrphanedSharedWorkspaces,
   reapStaleAgents,
   reapStaleOrchestrators,
+  reelectRepoSteward,
   releaseExpiredClaims,
+  releaseExpiredMergeLeases,
   releaseOrphanedTasks,
   sendMessage,
   sweepArtifacts,
   updateWorkspaceStatus,
 } from "./db";
 import type { WorkspaceMergePreview, WorkspaceRecord, WorkspaceStatus } from "./types";
+import { requestWorkspaceMerge } from "./workspace-merge";
+import { getStewardConfig } from "./config-store";
+import { ensureRepoSteward } from "./steward";
 import { emitRelayEvent } from "./events";
 import { getLifecycleManager } from "./lifecycle-manager";
 import { applyCommandToRecipe } from "./recipe-runner";
@@ -49,10 +58,58 @@ const CONFLICT_SCAN_INTERVAL_MS = Number(process.env.AGENT_RELAY_CONFLICT_SCAN_I
 const WORKSPACE_RETENTION_MS = Number(process.env.AGENT_RELAY_WORKSPACE_RETENTION_MS) || DAY_MS;
 const WORKSPACE_REVIEW_TTL_MS = Number(process.env.AGENT_RELAY_WORKSPACE_REVIEW_TTL_MS) || 3 * DAY_MS;
 const WORKSPACE_GC_INTERVAL_MS = Number(process.env.AGENT_RELAY_WORKSPACE_GC_INTERVAL_MS) || 60 * 60 * 1000;
+// Deterministic auto-land (Layer 0): merge clean fast-forwards with no human in
+// the loop. Default on for the seamless workflow; set AGENT_RELAY_WORKSPACE_AUTO_MERGE=0
+// to require a manual or steward merge per repo. Read at call-time so operators can
+// toggle it without a restart.
+const WORKSPACE_AUTO_MERGE_INTERVAL_MS = Number(process.env.AGENT_RELAY_WORKSPACE_AUTO_MERGE_INTERVAL_MS) || CONFLICT_SCAN_INTERVAL_MS;
+// Don't re-wake the managed steward for the same workspace more than once per
+// this window — a persistent conflict/behind row would otherwise re-ping every sweep.
+const STEWARD_WAKE_COOLDOWN_MS = Number(process.env.AGENT_RELAY_STEWARD_WAKE_COOLDOWN_MS) || 10 * 60 * 1000;
+// How long a stranded review_requested/conflict worktree (no online steward) may
+// sit before escalating to the configured fallback target, and the durable
+// escalation target itself (`policy:<name>`, `label:<name>`, `cap:<name>`, an
+// agent id, or `broadcast`). Read at call-time so config changes take effect
+// without a restart (issue #157).
+const stewardEscalationMs = () => Number(process.env.AGENT_RELAY_WORKSPACE_STEWARD_ESCALATION_MS) || 60 * 60 * 1000;
+const stewardFallbackTarget = () => (process.env.AGENT_RELAY_WORKSPACE_STEWARD_FALLBACK || "").trim();
+// Statuses that need an owner — a stranded one of these is what escalation rescues.
+const STRANDABLE_STATUSES = new Set<WorkspaceStatus>(["review_requested", "conflict"]);
 // Live statuses worth scanning. Terminal (cleaned/merged/abandoned) and
 // in-flight (cleanup_requested) states are skipped.
 const CONFLICT_SCAN_STATUSES = new Set<WorkspaceStatus>(["active", "ready", "review_requested", "merge_planned", "conflict"]);
 const TERMINAL_WORKSPACE_STATUSES = new Set<WorkspaceStatus>(["cleaned", "merged", "abandoned"]);
+// In-flight merge statuses that should reconcile to `merged` once the host
+// reports the branch's work has landed in base (squash/cherry-pick, or a merged
+// PR). Excludes active/ready: an agent still working may have landed an early
+// commit while more work is in flight — don't yank its workspace out from under it.
+const LANDED_RECONCILE_STATUSES = new Set<WorkspaceStatus>(["merge_planned", "review_requested", "conflict"]);
+
+// Orphaned-session reaper. A spawned agent's process can outlive its relay
+// presence: the relay agent goes offline/pruned but the orchestrator still
+// reports the session's process running, so it lingers forever (visible under the
+// orchestrator, gone from the Agents panel). Runtime-token self-heal recovers the
+// recoverable ones; this is the backstop that stops the genuinely stuck ones.
+// Conservative by design — a session must be observed continuously orphaned by
+// THIS relay for the grace window before it is reaped, and the tracker is in-memory
+// so a relay restart restarts the clock (giving self-heal first crack every time).
+const ORPHAN_REAPER_INTERVAL_MS = Number(process.env.AGENT_RELAY_ORPHAN_REAPER_INTERVAL_MS) || 5 * 60 * 1000;
+// Read at call-time so changes take effect without a restart (and so tests can tune
+// them). Parsed to allow an explicit 0 (immediate) — `|| default` would reject it.
+const envMsOrDefault = (name: string, fallback: number): number => {
+  const v = Number(process.env[name]);
+  return Number.isFinite(v) && v >= 0 ? v : fallback;
+};
+const orphanGraceMs = () => envMsOrDefault("AGENT_RELAY_ORPHAN_GRACE_MS", 30 * 60 * 1000);
+const orphanReapCooldownMs = () => envMsOrDefault("AGENT_RELAY_ORPHAN_REAP_COOLDOWN_MS", 5 * 60 * 1000);
+// Set AGENT_RELAY_ORPHAN_REAP=0 to detect + log orphans but never stop them.
+const orphanReapEnabled = () => process.env.AGENT_RELAY_ORPHAN_REAP !== "0";
+// orchestratorId + session identity -> when we first saw it orphaned (and last reaped).
+const orphanTracker = new Map<string, { firstOrphanedAt: number; lastReapAt?: number }>();
+
+export function resetOrphanTrackerForTests(): void {
+  orphanTracker.clear();
+}
 
 interface MaintenanceJobDefinition {
   id: string;
@@ -205,6 +262,14 @@ const definitions: MaintenanceJobDefinition[] = [
       return { prunedAgentIds };
     },
   },
+  {
+    id: "orphaned-session-reaper",
+    title: "Orphaned session reaper",
+    description: "Stop spawned sessions whose relay agent is offline/gone but whose process the orchestrator still reports running, after a grace period for self-heal.",
+    intervalMs: ORPHAN_REAPER_INTERVAL_MS,
+    runOnStart: false,
+    handler: reapOrphanedSessions,
+  },
   {
     id: "orchestrator-reaper",
     title: "Orchestrator reaper",
@@ -305,6 +370,15 @@ const definitions: MaintenanceJobDefinition[] = [
     timeoutMs: 60 * 1000,
     handler: scanWorkspaceConflicts,
   },
+  {
+    id: "workspace-auto-merge",
+    title: "Workspace auto-merge",
+    description: "Auto-merge clean fast-forward review_requested worktrees into base under the per-repo lease; conflicts and diverged bases are left for the steward.",
+    intervalMs: WORKSPACE_AUTO_MERGE_INTERVAL_MS,
+    runOnStart: false,
+    timeoutMs: 60 * 1000,
+    handler: autoMergeCleanFastForwards,
+  },
   {
     id: "workspace-gc",
     title: "Workspace GC",
@@ -323,7 +397,7 @@ function workspacePathWithinBase(path: string | undefined, baseDir: string | und
 }
 
 async function fetchHostMergePreview(apiUrl: string, workspace: WorkspaceRecord): Promise<WorkspaceMergePreview | { available: false } | null> {
-  const query = new URLSearchParams({ path: workspace.worktreePath });
+  const query = new URLSearchParams({ path: workspace.worktreePath, checkPr: "1" });
   if (workspace.baseRef) query.set("baseRef", workspace.baseRef);
   if (workspace.baseSha) query.set("baseSha", workspace.baseSha);
   const headers: Record<string, string> = {};
@@ -342,6 +416,118 @@ async function fetchHostMergePreview(apiUrl: string, workspace: WorkspaceRecord)
 // cleanly. Auto-flag `conflict` when a clean merge is no longer possible, and
 // auto-clear conflicts we set ourselves once they resolve (restoring the prior
 // status). Human-set conflicts are never cleared.
+// Stop orphaned spawned sessions: process reported alive by the orchestrator, but
+// the relay agent is offline/pruned and self-heal has had its chance. See the
+// ORPHAN_* notes above. Covers both policy-managed and dashboard/ad-hoc spawns by
+// iterating the orchestrators' reported managedAgents directly.
+function reapOrphanedSessions(): Record<string, unknown> {
+  const now = Date.now();
+  const grace = orphanGraceMs();
+  const cooldown = orphanReapCooldownMs();
+  const reapEnabled = orphanReapEnabled();
+  const seen = new Set<string>();
+  const reaped: string[] = [];
+  let orphaned = 0;
+
+  for (const orch of listOrchestrators()) {
+    if (orch.status !== "online") continue; // can't trust the report or deliver the stop
+    for (const agent of orch.managedAgents) {
+      const sessionId = agent.spawnRequestId || agent.tmuxSession || agent.sessionName || agent.agentId;
+      if (!sessionId) continue;
+      const key = `${orch.id}:${sessionId}`;
+      const relayAgent = agent.agentId ? getAgent(agent.agentId) : null;
+      // Orphan = orchestrator reports the process running, but no live relay agent.
+      // "stale" is a recent/borderline disconnect — treat as alive and give it time;
+      // it will either recover or progress to "offline" and be caught next pass.
+      const isOrphan = !relayAgent || relayAgent.status === "offline";
+      if (!isOrphan) { orphanTracker.delete(key); continue; }
+      seen.add(key);
+      orphaned++;
+      const entry = orphanTracker.get(key) ?? { firstOrphanedAt: now };
+      orphanTracker.set(key, entry);
+      if (now - entry.firstOrphanedAt < grace) continue; // let self-heal recover it first
+      if (!reapEnabled) continue; // detect-only mode
+      if (entry.lastReapAt && now - entry.lastReapAt < cooldown) continue; // don't spam shutdowns
+      entry.lastReapAt = now;
+      const command = createCommand({
+        type: "agent.shutdown",
+        source: "system",
+        target: orch.agentId,
+        correlationId: agent.spawnRequestId,
+        params: {
+          action: "shutdown",
+          agentId: agent.agentId,
+          spawnRequestId: agent.spawnRequestId,
+          sessionName: agent.sessionName,
+          tmuxSession: agent.tmuxSession,
+          policyName: agent.policyName,
+          graceful: false,
+          timeoutMs: 10_000,
+          reason: "orphaned-session-reaper",
+          requestedBy: "orphaned-session-reaper",
+          requestedAt: now,
+          orchestratorId: orch.id,
+        },
+      });
+      emitRelayEvent({ type: "command.requested", source: "system", subject: command.id, data: { command } });
+      createActivityEvent({
+        clientId: `orphaned-session-reaper-${key}-${now}`,
+        kind: "state",
+        title: "Orphaned session reaped",
+        body: `${agent.label ?? agent.agentId ?? sessionId}: process still running on ${orch.id}, but its relay agent has been offline > ${Math.round(grace / 60000)}m and did not self-heal — stopping it`,
+        meta: agent.label ?? agent.agentId ?? sessionId,
+        icon: "ti-ghost",
+        view: "orchestrators",
+        agentId: agent.agentId || undefined,
+        metadata: {
+          source: "server",
+          maintenanceJobId: "orphaned-session-reaper",
+          orchestratorId: orch.id,
+          agentId: agent.agentId,
+          spawnRequestId: agent.spawnRequestId,
+          tmuxSession: agent.tmuxSession,
+          commandId: command.id,
+          orphanAgeMs: now - entry.firstOrphanedAt,
+        },
+      });
+      reaped.push(key);
+    }
+  }
+  // Forget sessions that recovered or are no longer reported, so a future orphaning
+  // of the same session starts a fresh grace window.
+  for (const key of orphanTracker.keys()) if (!seen.has(key)) orphanTracker.delete(key);
+  return { orphaned, reaped, tracked: orphanTracker.size, reapEnabled };
+}
+
+// Wake the managed per-repo steward (issue #167) for a workspace it should handle:
+// auto-provision the policy from global steward config, then queue a `policy:` wake
+// message (which also spawns the on-demand agent now via onMessageForPolicy). Honors a
+// per-workspace cooldown so a persistent conflict/behind row isn't re-pinged every sweep.
+// Returns the steward policy name on a fresh wake, or null (disabled / no owner / cooled down).
+function wakeRepoSteward(ws: WorkspaceRecord, reason: string): string | null {
+  const meta = ws.metadata as Record<string, unknown>;
+  const lastWoke = typeof meta.stewardWokenAt === "number" ? meta.stewardWokenAt : 0;
+  if (lastWoke && Date.now() - lastWoke < STEWARD_WAKE_COOLDOWN_MS) return null;
+  const policyName = ensureRepoSteward(ws.repoRoot);
+  if (!policyName) return null;
+  try {
+    const msg = sendMessage({
+      from: "system",
+      to: `policy:${policyName}`,
+      kind: "system",
+      subject: `Steward: ${ws.status} workspace needs attention`,
+      body: `Workspace \`${ws.branch ?? ws.id}\` in ${ws.repoRoot} is ${ws.status} and could not auto-land (${reason}). cd into ${ws.worktreePath}, rebase onto ${ws.baseRef ?? "base"}, resolve, run checks, then land it via POST /api/workspaces/${ws.id}/actions {"action":"merge","strategy":"rebase-ff"} — or escalate if you can't.`,
+      payload: { kind: "workspace.steward-task", workspaceId: ws.id, repoRoot: ws.repoRoot, worktreePath: ws.worktreePath, branch: ws.branch, baseRef: ws.baseRef, status: ws.status, reason },
+    });
+    emitNewMessage(msg);
+    getLifecycleManager().onMessageForPolicy(policyName);
+    patchWorkspaceMetadata(ws.id, { stewardWokenAt: Date.now(), stewardPolicy: policyName });
+    return policyName;
+  } catch {
+    return null;
+  }
+}
+
 async function scanWorkspaceConflicts(): Promise<Record<string, unknown>> {
   const orchestrators = listOrchestrators().filter((orch) => orch.status === "online" && orch.apiUrl);
   if (!orchestrators.length) return { scanned: 0, skipped: "no online orchestrators" };
@@ -351,6 +537,7 @@ async function scanWorkspaceConflicts(): Promise<Record<string, unknown>> {
   );
   const flagged: string[] = [];
   const cleared: string[] = [];
+  const merged: string[] = [];
   const notifiedStewards: string[] = [];
 
   for (const ws of candidates) {
@@ -362,6 +549,37 @@ async function scanWorkspaceConflicts(): Promise<Record<string, unknown>> {
     if (p.error || p.missing || p.conflict === undefined) continue;
 
     const meta = ws.metadata as Record<string, unknown>;
+
+    // Landing wins over everything else. Once the work is in base — whether the
+    // PR was squash/cherry-pick merged on GitHub or fast-forwarded locally — the
+    // workspace is done, even if `git merge-tree` still predicts a textual
+    // conflict against the now-moved base (a PR-strategy row sits at
+    // merge_planned forever otherwise, and the conflict scan can even pin a
+    // landed branch to `conflict`). Reconcile to the terminal `merged` status so
+    // the dashboard stops showing it as unmerged and GC prunes it on schedule.
+    const landed = p.landed === true || p.prMerged === true;
+    if (landed && LANDED_RECONCILE_STATUSES.has(ws.status)) {
+      updateWorkspaceStatus(ws.id, "merged", {
+        autoMerged: true,
+        mergedFromStatus: ws.status,
+        landedDetectedAt: Date.now(),
+        landedVia: p.prMerged === true ? "pr" : "git",
+        autoConflict: false,
+      });
+      merged.push(ws.id);
+      createActivityEvent({
+        clientId: "server-workspace-" + ws.id + "-merged-" + Date.now(),
+        kind: "state",
+        title: "Workspace work landed in base",
+        body: `${ws.branch ?? ws.id} is ${p.prMerged === true ? "merged on the remote (PR)" : "already merged into base"} ${p.baseRef ? `(${p.baseRef})` : ""} — marking merged`,
+        meta: ws.branch ?? ws.id,
+        icon: "ti-git-merge",
+        view: "orchestrators",
+        metadata: { source: "server", maintenanceJobId: "workspace-conflict-scan", workspaceId: ws.id, fromStatus: ws.status },
+      });
+      continue;
+    }
+
     if (p.conflict === true && ws.status !== "conflict") {
       updateWorkspaceStatus(ws.id, "conflict", {
         autoConflict: true,
@@ -382,10 +600,15 @@ async function scanWorkspaceConflicts(): Promise<Record<string, unknown>> {
         view: "orchestrators",
         metadata: { source: "server", maintenanceJobId: "workspace-conflict-scan", workspaceId: ws.id, ahead: p.ahead, behind: p.behind },
       });
-      // The steward is the repo's coordination point — ping it so a conflict
-      // gets resolved instead of silently rotting until merge time. Once-per-
-      // onset (we only enter this branch on the active→conflict transition).
-      if (ws.stewardAgentId) {
+      // Hand the conflict to a steward so it gets resolved instead of rotting
+      // until merge time. Once-per-onset (we only enter this branch on the
+      // active→conflict transition). When managed stewards are enabled, wake the
+      // auto-provisioned per-repo steward agent (#167); otherwise fall back to the
+      // legacy direct ping of the elected steward agent.
+      if (getStewardConfig().enabled) {
+        const woke = wakeRepoSteward(getWorkspace(ws.id) ?? ws, "conflict");
+        if (woke) notifiedStewards.push(woke);
+      } else if (ws.stewardAgentId) {
         try {
           const msg = sendMessage({
             from: "system",
@@ -410,7 +633,86 @@ async function scanWorkspaceConflicts(): Promise<Record<string, unknown>> {
     }
   }
 
-  return { scanned: candidates.length, flagged, cleared, notifiedStewards };
+  return { scanned: candidates.length, flagged, cleared, merged, notifiedStewards };
+}
+
+// Deterministic auto-land (Layer 0, issue #167). Walk the "ready to land" queue
+// (`review_requested` isolated worktrees) and, for any whose work is a strict
+// clean fast-forward (no conflict, base hasn't moved, real commits ahead), land
+// it via the shared merge helper — the same lease-serialized path the merge route
+// uses. Conflicts and diverged bases (`behind>0`, even if cleanly rebasable) are
+// deliberately left for the steward (a human or, later, the managed steward
+// agent): per the chosen "Clean FF immediate" gate, anything needing a rebase or
+// conflict reasoning is not auto-landed. No agent in the loop for the easy case.
+async function autoMergeCleanFastForwards(): Promise<Record<string, unknown>> {
+  if (process.env.AGENT_RELAY_WORKSPACE_AUTO_MERGE === "0") return { skipped: "disabled" };
+  const orchestrators = listOrchestrators().filter((orch) => orch.status === "online" && orch.apiUrl);
+  if (!orchestrators.length) return { scanned: 0, skipped: "no online orchestrators" };
+
+  const candidates = listWorkspaces().filter(
+    (ws) => ws.mode === "isolated" && Boolean(ws.worktreePath) && ws.status === "review_requested",
+  );
+  const stewardEnabled = getStewardConfig().enabled;
+  const merged: string[] = [];
+  const heldByLease: string[] = [];
+  const leftForSteward: string[] = [];
+  const wokeStewards: string[] = [];
+
+  for (const ws of candidates) {
+    const orch = orchestrators.find((candidate) => workspacePathWithinBase(ws.sourceCwd, candidate.baseDir));
+    if (!orch?.apiUrl) continue;
+    const preview = await fetchHostMergePreview(orch.apiUrl, ws);
+    if (!preview || (preview as { available?: false }).available === false) continue;
+    const p = preview as WorkspaceMergePreview;
+    if (p.error || p.missing) continue;
+
+    const ahead = p.unmergedAhead ?? p.ahead ?? 0;
+    const cleanFF = p.cleanFastForward === true && p.conflict !== true && (p.behind ?? 0) === 0 && ahead > 0;
+    if (!cleanFF) {
+      // Base moved on (behind>0) or conflict — needs reasoning/rebase, which is the
+      // steward's job. Wake the managed steward when enabled (cooldown-guarded);
+      // otherwise leave it for conflict-scan's legacy ping / human review.
+      leftForSteward.push(ws.id);
+      if (stewardEnabled) {
+        const woke = wakeRepoSteward(ws, (p.behind ?? 0) > 0 ? "base moved on (behind>0)" : "conflict");
+        if (woke) wokeStewards.push(woke);
+      }
+      continue;
+    }
+
+    const result = requestWorkspaceMerge(ws, { strategy: "rebase-ff", requestedBy: "auto-merge" });
+    if (!result.ok) {
+      // 409 = another merge holds this repo's lease this tick; retry next sweep.
+      heldByLease.push(ws.id);
+      continue;
+    }
+    emitCommand(result.command);
+    merged.push(ws.id);
+    createActivityEvent({
+      clientId: `workspace-auto-merge-${ws.id}-${Date.now()}`,
+      kind: "state",
+      title: "Workspace auto-merging (clean fast-forward)",
+      body: `${ws.branch ?? ws.id} → ${p.baseRef ?? "base"} (${ahead} ahead, clean)`,
+      meta: ws.branch ?? ws.id,
+      icon: "ti-git-merge",
+      view: "orchestrators",
+      metadata: { source: "server", maintenanceJobId: "workspace-auto-merge", workspaceId: ws.id, commandId: result.command.id, ahead },
+    });
+  }
+
+  return { scanned: candidates.length, merged, heldByLease, leftForSteward, wokeStewards };
+}
+
+// Send a system DM, swallowing failures (a stale/missing/misconfigured target
+// must never break the GC sweep). Returns the target on success, null otherwise.
+function notifyTarget(target: string, subject: string, body: string, payload: Record<string, unknown>): string | null {
+  if (!target) return null;
+  try {
+    emitNewMessage(sendMessage({ from: "system", to: target, kind: "system", subject, body, payload }));
+    return target;
+  } catch {
+    return null;
+  }
 }
 
 async function workspaceGC(): Promise<Record<string, unknown>> {
@@ -418,6 +720,10 @@ async function workspaceGC(): Promise<Record<string, unknown>> {
   const cutoff = now - WORKSPACE_RETENTION_MS;
   const reviewCutoff = now - WORKSPACE_REVIEW_TTL_MS;
 
+  // 0. Free any merge leases whose holder never reported back (orchestrator died
+  // mid-merge). The lease TTL is the safety net; this just reclaims them eagerly.
+  const releasedLeaseRepos = releaseExpiredMergeLeases(now);
+
   // 1. Prune terminal rows past retention
   const all = listWorkspaces();
   const terminalIds: string[] = [];
@@ -428,29 +734,84 @@ async function workspaceGC(): Promise<Record<string, unknown>> {
     }
   }
 
-  // 2. Auto-abandon stale review_requested worktrees
+  // 2. Rescue stranded review_requested/conflict worktrees (issue #157). A
+  // worktree is "stranded" when its steward is gone (all repo agents offline).
+  // Re-elect first — an agent may have rejoined — and hand off to the new
+  // steward; if none can be elected past the TTL, escalate to the fallback
+  // target so it never rots in silence. Bookkeeping uses patchWorkspaceMetadata
+  // (no updated_at bump) so the auto-abandon clock below keeps ticking.
+  const escalatedIds: string[] = [];
+  const reassignedIds: string[] = [];
+  const escalationTargets: string[] = [];
+  const escalationMs = stewardEscalationMs();
+  const fallbackTarget = stewardFallbackTarget();
+  for (const ws of all) {
+    if (!STRANDABLE_STATUSES.has(ws.status) || ws.mode !== "isolated" || !ws.worktreePath) continue;
+    reelectRepoSteward(ws.repoRoot);
+    const fresh = getWorkspace(ws.id);
+    if (!fresh || !STRANDABLE_STATUSES.has(fresh.status)) continue;
+    const meta = fresh.metadata as Record<string, unknown>;
+    const steward = fresh.stewardAgentId;
+    const stewardOnline = Boolean(steward && getAgent(steward) && getAgent(steward)!.status !== "offline");
+    const strandedAt = typeof meta.strandedAt === "number" ? meta.strandedAt : undefined;
+
+    if (stewardOnline) {
+      // An online steward owns it. If it was previously stranded and this
+      // steward hasn't been told, hand it off explicitly, then clear markers.
+      if (strandedAt !== undefined && meta.strandedNotifiedSteward !== steward) {
+        const sent = notifyTarget(
+          steward!,
+          "Workspace stewardship reassigned",
+          `You are now steward for ${fresh.repoRoot}. Workspace \`${fresh.branch ?? fresh.id}\` is ${fresh.status} and was stranded without an online steward — please coordinate ${fresh.status === "conflict" ? "conflict resolution" : "review/merge"}.`,
+          { kind: "workspace.steward-reassigned", workspaceId: fresh.id, repoRoot: fresh.repoRoot, branch: fresh.branch, status: fresh.status },
+        );
+        if (sent) reassignedIds.push(fresh.id);
+      }
+      patchWorkspaceMetadata(fresh.id, { strandedAt: undefined, escalatedAt: undefined, strandedNotifiedSteward: steward });
+      continue;
+    }
+
+    // Stranded: no online steward could be elected.
+    if (strandedAt === undefined) { patchWorkspaceMetadata(fresh.id, { strandedAt: now }); continue; }
+    if (now - strandedAt < escalationMs || meta.escalatedAt) continue;
+    const sent = notifyTarget(
+      fallbackTarget,
+      "Stranded workspace needs an owner",
+      `Workspace \`${fresh.branch ?? fresh.id}\` in ${fresh.repoRoot} is ${fresh.status} with no online steward (all repo agents offline) for ${Math.round((now - strandedAt) / (60 * 60 * 1000))}h. Please coordinate ${fresh.status === "conflict" ? "conflict resolution" : "review/merge"} or clean up the worktree.`,
+      { kind: "workspace.stranded-escalation", workspaceId: fresh.id, repoRoot: fresh.repoRoot, branch: fresh.branch, status: fresh.status, strandedAt },
+    );
+    if (sent) escalationTargets.push(sent);
+    patchWorkspaceMetadata(fresh.id, { escalatedAt: now });
+    escalatedIds.push(fresh.id);
+    createActivityEvent({
+      clientId: `workspace-gc-escalate-${fresh.id}-${now}`,
+      kind: "state",
+      title: "Workspace escalated",
+      body: `${fresh.branch ?? fresh.id} in ${fresh.repoRoot} — stranded ${fresh.status} escalated${fallbackTarget ? ` to ${fallbackTarget}` : " (no fallback configured)"}`,
+      meta: fresh.branch ?? fresh.id,
+      icon: "ti-alert-octagon",
+      view: "orchestrators",
+      metadata: { source: "server", maintenanceJobId: "workspace-gc", workspaceId: fresh.id, fallback: fallbackTarget || null },
+    });
+  }
+
+  // 3. Auto-abandon stale review_requested worktrees
   const abandonedIds: string[] = [];
   const notifiedStewards: string[] = [];
   for (const ws of all) {
     if (ws.status === "review_requested" && ws.updatedAt < reviewCutoff) {
       updateWorkspaceStatus(ws.id, "abandoned", { autoAbandoned: true, abandonedReason: "review_requested TTL exceeded", abandonedAt: now });
       abandonedIds.push(ws.id);
-      if (ws.stewardAgentId) {
-        try {
-          const msg = sendMessage({
-            from: "system",
-            to: ws.stewardAgentId,
-            kind: "system",
-            subject: "Workspace auto-abandoned",
-            body: `Workspace \`${ws.branch ?? ws.id}\` in ${ws.repoRoot} was auto-abandoned after ${Math.round(WORKSPACE_REVIEW_TTL_MS / DAY_MS)}d without steward action. Run workspace cleanup to reclaim the worktree.`,
-            payload: { kind: "workspace.auto-abandoned", workspaceId: ws.id, repoRoot: ws.repoRoot, branch: ws.branch },
-          });
-          emitNewMessage(msg);
-          notifiedStewards.push(ws.stewardAgentId);
-        } catch {
-          // Steward gone — activity event is enough.
-        }
-      }
+      // Notify the steward if one exists, else the configured fallback so a
+      // stranded abandon isn't silent (issue #157).
+      const target = ws.stewardAgentId ?? fallbackTarget;
+      const sent = notifyTarget(
+        target,
+        "Workspace auto-abandoned",
+        `Workspace \`${ws.branch ?? ws.id}\` in ${ws.repoRoot} was auto-abandoned after ${Math.round(WORKSPACE_REVIEW_TTL_MS / DAY_MS)}d without steward action. Run workspace cleanup to reclaim the worktree.`,
+        { kind: "workspace.auto-abandoned", workspaceId: ws.id, repoRoot: ws.repoRoot, branch: ws.branch },
+      );
+      if (sent) notifiedStewards.push(sent);
       createActivityEvent({
         clientId: `workspace-gc-abandon-${ws.id}-${now}`,
         kind: "state",
@@ -483,7 +844,16 @@ async function workspaceGC(): Promise<Record<string, unknown>> {
     pruneCommands.push(command.id);
   }
 
-  return { prunedTerminal: terminalIds, autoAbandoned: abandonedIds, notifiedStewards, pruneCommands };
+  return {
+    prunedTerminal: terminalIds,
+    autoAbandoned: abandonedIds,
+    notifiedStewards,
+    pruneCommands,
+    releasedLeaseRepos,
+    escalated: escalatedIds,
+    reassigned: reassignedIds,
+    escalationTargets,
+  };
 }
 
 let timer: Timer | null = null;