patchrelay 0.76.0 → 0.78.0

package/dist/run-finalizer.js

@@ -2,10 +2,11 @@ import { CLEARED_FAILURE_PROVENANCE } from "./failure-provenance.js";
 import { buildStageReport, countEventMethods } from "./run-reporting.js";
 import { buildRunCompletedActivity, buildRunFailureActivity } from "./linear-session-reporting.js";
 import { handleNoPrCompletionCheck } from "./no-pr-completion-check.js";
-import { resolveCompletedRunState } from "./run-completion-policy.js";
+import { resolvePostRunFactoryState } from "./run-completion-policy.js";
 import { computeChangeIdentityFromWorktree } from "./change-identity.js";
 import { inspectGitWorktreeStatus, isRepairRunType } from "./git-worktree-status.js";
 import { buildRunOutcomeSummary } from "./run-outcome-summary.js";
+import { settleRun } from "./run-settlement.js";
 const WRITER = "run-finalizer";
 function parseEventJson(eventJson) {
     if (!eventJson)
@@ -376,7 +377,9 @@ export class RunFinalizer {
         }
         const verifiedRepairError = await this.completionPolicy.verifyReactiveRunAdvancedBranch(run, freshIssue);
         if (verifiedRepairError) {
-            const holdState = params.resolveRecoverableRunState(freshIssue) ?? "failed";
+            // The run failed verification — it did not do its work, so resolve
+            // the hold state from GitHub truth like any other recovery path.
+            const holdState = resolvePostRunFactoryState(freshIssue, run, { outcome: "recovered" }) ?? "failed";
             this.failRunAndClear(run, verifiedRepairError, holdState);
             this.syncFailureOutcome({
                 run,
@@ -446,23 +449,22 @@ export class RunFinalizer {
         // any git error returns undefined and we leave the cache as-is.
         this.maybeUpdateLastPublishedIdentity(run, refreshedIssue);
         const postRunFollowUp = await this.completionPolicy.resolvePostRunFollowUp(run, refreshedIssue);
-        const postRunState = postRunFollowUp?.factoryState ?? resolveCompletedRunState(refreshedIssue, run);
+        const postRunState = postRunFollowUp?.factoryState ?? resolvePostRunFactoryState(refreshedIssue, run);
         const outcomeSummary = this.buildOutcomeSummary({
             run,
             issue: refreshedIssue,
             postRunState,
             latestAssistantSummary: report.assistantMessages.at(-1),
         });
-        // `refreshedIssue` was read before several async policy checks; a
-        // version conflict here means a webhook landed mid-finalize. Re-resolve
-        // the post-run state from the fresh row so we never regress it (e.g.
-        // the PR merged while we were verifying the publish).
+        // `refreshedIssue` was read before several async policy checks; a webhook
+        // may have landed mid-finalize. settleRun re-reads the row inside its
+        // transaction and resolves the post-run state from that fresh truth, so
+        // we never regress it (e.g. the PR merged while we were verifying the
+        // publish). settleRun also owns the slot clear (plan §B1): it refuses to
+        // touch a slot that no longer points at this run.
         const buildCompletionUpdate = (record) => {
-            const state = postRunFollowUp?.factoryState ?? resolveCompletedRunState(record, run);
+            const state = postRunFollowUp?.factoryState ?? resolvePostRunFactoryState(record, run);
             return {
-                projectId: run.projectId,
-                linearIssueId: run.linearIssueId,
-                activeRunId: null,
                 ...(state ? { factoryState: state } : {}),
                 pendingRunType: null,
                 pendingRunContextJson: null,
@@ -472,18 +474,17 @@ export class RunFinalizer {
             };
         };
         const completed = this.withHeldLease(run.projectId, run.linearIssueId, (lease) => {
-            this.db.runs.finishRun(run.id, this.buildCompletedRunUpdate({
-                threadId,
-                ...(params.completedTurnId ? { completedTurnId: params.completedTurnId } : {}),
-                report,
-                outcomeSummary,
-            }));
-            this.db.issueSessions.commitIssueState({
-                writer: WRITER,
+            settleRun({
+                db: this.db,
+                run,
+                finish: this.buildCompletedRunUpdate({
+                    threadId,
+                    ...(params.completedTurnId ? { completedTurnId: params.completedTurnId } : {}),
+                    report,
+                    outcomeSummary,
+                }),
                 lease,
-                expectedVersion: refreshedIssue.version,
-                update: buildCompletionUpdate(refreshedIssue),
-                onConflict: (current) => buildCompletionUpdate(current),
+                buildIssueUpdate: buildCompletionUpdate,
             });
             if (postRunFollowUp) {
                 return this.appendWakeEventWithLease(lease, issue, postRunFollowUp.pendingRunType, postRunFollowUp.context, "post_run");

package/dist/run-launcher.js

@@ -219,6 +219,11 @@ export class RunLauncher {
                     update: { projectId: params.project.id, linearIssueId: params.issue.linearIssueId, threadId },
                 });
             }
+            // Plan §B5: persist the thread id on the run row BEFORE startTurn is
+            // awaited, so a turn/completed notification arriving while the turn is
+            // starting can already resolve the run by thread id. The orchestrator
+            // re-records it (with the turn id) after the launch returns.
+            this.recordRunThread(params, threadId, parentThreadId);
             this.db.runs.updateLaunchPhase(params.run.id, "thread_started");
             try {
                 const turn = await this.codex.startTurn({ threadId, cwd: params.worktreePath, input: params.prompt });
@@ -237,6 +242,9 @@ export class RunLauncher {
                         lease: { projectId: params.project.id, linearIssueId: params.issue.linearIssueId, leaseId: params.leaseId },
                         update: { projectId: params.project.id, linearIssueId: params.issue.linearIssueId, threadId },
                     });
+                    // Plan §B5: re-point the run row at the fresh thread before the
+                    // retried startTurn, for the same notification race.
+                    this.recordRunThread(params, threadId, parentThreadId);
                     const turn = await this.codex.startTurn({ threadId, cwd: params.worktreePath, input: params.prompt });
                     turnId = turn.turnId;
                     this.db.runs.updateLaunchPhase(params.run.id, "turn_started");
@@ -285,6 +293,19 @@ export class RunLauncher {
             throw error;
         }
     }
+    // Persist the Codex thread id on the run row under the launch lease.
+    // Losing the lease here aborts the launch the same way assertLaunchLease
+    // does — the run row must not be touched by a worker that no longer owns
+    // the session.
+    recordRunThread(params, threadId, parentThreadId) {
+        const recorded = this.db.issueSessions.updateRunThreadWithLease({ projectId: params.project.id, linearIssueId: params.issue.linearIssueId, leaseId: params.leaseId }, params.run.id, { threadId, ...(parentThreadId ? { parentThreadId } : {}) });
+        if (recorded)
+            return;
+        const error = new Error("Lost issue-session lease while recording the Codex thread id");
+        error.name = "IssueSessionLeaseLostError";
+        this.logger.warn({ runId: params.run.id, issueId: params.issue.linearIssueId }, "Aborting run launch after losing issue-session lease while recording the Codex thread id");
+        throw error;
+    }
     async setInitialImplementationGoal(threadId, issue) {
         const goalSetter = this.codex.setThreadGoal;
         if (typeof goalSetter !== "function") {

package/dist/run-notification-handler.js

@@ -1,6 +1,5 @@
 import { buildRunFailureActivity } from "./linear-session-reporting.js";
 import { extractTurnId, resolveRunCompletionStatus } from "./run-reporting.js";
-import { resolveRecoverablePostRunState } from "./interrupted-run-recovery.js";
 import { resolveFailureFactoryState } from "./reactive-pr-state.js";
 const WRITER = "run-notification-handler";
 const DEFAULT_PUBLISH_COMMAND_TIMEOUT_MS = 10 * 60 * 1000;
@@ -146,7 +145,6 @@ export class RunNotificationHandler {
             thread,
             threadId,
             ...(completedTurnId ? { completedTurnId } : {}),
-            resolveRecoverableRunState: resolveRecoverablePostRunState,
         });
         this.activeThreadId = undefined;
     }

package/dist/run-orchestrator.js

@@ -9,16 +9,16 @@ import { IdleIssueReconciler } from "./idle-reconciliation.js";
 import { LinearSessionSync } from "./linear-session-sync.js";
 import { recoverLinearAgentActivityContext } from "./linear-agent-activity-recovery.js";
 import { IssueSessionLeaseService } from "./issue-session-lease-service.js";
-import { InterruptedRunRecovery } from "./interrupted-run-recovery.js";
 import { RunCompletionPolicy } from "./run-completion-policy.js";
+import { RunFailurePolicy } from "./run-failure-policy.js";
 import { RunFinalizer } from "./run-finalizer.js";
 import { RunLauncher } from "./run-launcher.js";
 import { RunNotificationHandler } from "./run-notification-handler.js";
 import { RunReconciler } from "./run-reconciler.js";
-import { RunRecoveryService } from "./run-recovery-service.js";
 import { RunWakePlanner } from "./run-wake-planner.js";
 import { WakeDispatcher } from "./wake-dispatcher.js";
-import { getRemainingZombieRecoveryDelayMs } from "./zombie-recovery.js";
+import { settleRun } from "./run-settlement.js";
+import { getRemainingZombieRecoveryDelayMs } from "./run-budgets.js";
 import { classifyIssue } from "./issue-class.js";
 import { buildIssueTriageHash, IssueTriageService } from "./issue-triage.js";
 import { loadConfig } from "./config.js";
@@ -27,10 +27,6 @@ import { emitTelemetry, noopTelemetry } from "./telemetry.js";
 import { LinearIssueProjectionService } from "./linear-issue-projection.js";
 import { RunAdmissionController } from "./run-admission-controller.js";
 const WRITER = "run-orchestrator";
-// A terminal run must hold the active slot for at least this long before
-// the orchestrator force-clears it, so we never race the normal
-// notification-driven finalize that runs within seconds of completion.
-const DANGLING_ACTIVE_RUN_MIN_AGE_MS = 2 * 60_000;
 function lowerCaseFirst(value) {
     return value ? `${value.slice(0, 1).toLowerCase()}${value.slice(1)}` : value;
 }
@@ -62,9 +58,8 @@ export class RunOrchestrator {
     leaseService;
     runFinalizer;
     runLauncher;
-    runRecovery;
+    runFailurePolicy;
     runWakePlanner;
-    interruptedRunRecovery;
     runCompletionPolicy;
     completionCheck;
     issueTriage;
@@ -86,7 +81,6 @@ export class RunOrchestrator {
     recoveryPorts = {
         failRunAndClear: (run, message, nextState) => this.failRunAndClear(run, message, nextState),
         restoreIdleWorktree: (issue) => this.restoreIdleWorktree(issue),
-        recoverOrEscalate: (issue, runType, reason) => this.recoverOrEscalate(issue, runType, reason),
     };
     activeSessionLeases;
     botIdentity;
@@ -138,9 +132,8 @@ export class RunOrchestrator {
         this.runFinalizer = new RunFinalizer(db, logger, this.linearSync, this.wakeDispatcher, this.leasePorts.withHeldLease, this.leasePorts.releaseLease, (lease, issue, runType, context, dedupeScope) => this.appendWakeEventWithLease(lease, issue, runType, context, dedupeScope), this.recoveryPorts.failRunAndClear, this.runCompletionPolicy, this.completionCheck, feed);
         this.runLauncher = new RunLauncher(config, db, codex, logger, this.worktreeManager);
         this.runNotificationHandler = new RunNotificationHandler(config, db, logger, this.linearSync, this.runFinalizer, this.threadPorts.readThreadWithRetry, this.leasePorts.withHeldLease, this.leasePorts.heartbeatLease, this.leasePorts.releaseLease, feed, { interruptTurn: (options) => codex.interruptTurn(options) });
-        this.runRecovery = new RunRecoveryService(db, logger, this.linearSync, this.leasePorts.withHeldLease, this.leasePorts.getHeldLease, (lease, issue, runType, context, dedupeScope) => this.appendWakeEventWithLease(lease, issue, runType, context, dedupeScope), this.leasePorts.releaseLease, (projectId, issueId) => this.enqueueIssue(projectId, issueId), feed);
-        this.interruptedRunRecovery = new InterruptedRunRecovery(db, logger, this.linearSync, this.leasePorts.withHeldLease, this.leasePorts.releaseLease, this.recoveryPorts.failRunAndClear, this.recoveryPorts.restoreIdleWorktree, this.runCompletionPolicy, (projectId, issueId) => this.enqueueIssue(projectId, issueId), feed);
-        this.runReconciler = new RunReconciler(db, logger, linearProvider, this.linearSync, this.interruptedRunRecovery, this.runFinalizer, this.leasePorts.withHeldLease, this.leasePorts.releaseLease, this.threadPorts.readThreadWithRetry, this.recoveryPorts.recoverOrEscalate, (projectId) => this.config.projects.find((project) => project.id === projectId)?.github?.repoFullName, feed);
+        this.runFailurePolicy = new RunFailurePolicy(db, logger, this.linearSync, this.leasePorts.withHeldLease, this.leasePorts.releaseLease, (lease, issue, runType, context, dedupeScope) => this.appendWakeEventWithLease(lease, issue, runType, context, dedupeScope), this.wakeDispatcher, this.recoveryPorts.restoreIdleWorktree, this.runCompletionPolicy, (projectId) => this.config.projects.find((project) => project.id === projectId), feed);
+        this.runReconciler = new RunReconciler(db, logger, linearProvider, this.linearSync, this.runFailurePolicy, this.runFinalizer, this.leasePorts.withHeldLease, this.leasePorts.releaseLease, this.threadPorts.readThreadWithRetry, (projectId) => this.config.projects.find((project) => project.id === projectId)?.github?.repoFullName, feed, telemetry);
         this.runWakePlanner = new RunWakePlanner(db);
         this.linearIssueProjection = new LinearIssueProjectionService(db, linearProvider, logger);
         this.runAdmission = new RunAdmissionController(db, this.linearIssueProjection);
@@ -589,10 +582,10 @@ export class RunOrchestrator {
         for (const run of this.db.runs.listRunningRuns()) {
             await this.reconcileRun(run);
         }
-        // Free any issue whose active slot is pinned to an already-terminal
+        // Settle any issue whose active slot is pinned to an already-terminal
         // run (post-run finalize interrupted by restart). Must run before the
         // idle reconciler so the freed issue is routed in this same pass.
-        this.finalizeDanglingActiveRuns();
+        this.settleDanglingActiveRuns();
         // Preemptively detect stuck merge-queue PRs (conflicts visible on
         // GitHub) and dispatch queue_repair before the Steward evicts.
         await this.queueHealthMonitor.reconcile();
@@ -605,70 +598,35 @@ export class RunOrchestrator {
     advanceIdleIssue(issue, newState, options) {
         this.idleReconciler.advanceIdleIssue(issue, newState, options);
     }
-    /**
-     * After a zombie/stale run is cleared, decide whether to re-enqueue
-     * or escalate. Checks: PR already merged → done; budget exhausted →
-     * escalate; backoff delay not elapsed → skip.
-     */
-    recoverOrEscalate(issue, runType, reason) {
-        this.runRecovery.recoverOrEscalate({
-            issue,
-            runType,
-            reason,
-            isRequestedChangesRunType,
-        });
-    }
-    // Clear a dangling active slot: an issue still pointing at an
+    // Settle a dangling active slot: an issue still pointing at an
     // already-terminal run via `activeRunId`. The post-run finalize was
     // interrupted (almost always a restart between marking the run
     // terminal and clearing the slot), so the run can never drive the
     // session forward, yet every idle/recovery pass skips the issue
-    // because `activeRunId` is set. We re-read under the issue-session
-    // lease and null the slot; the idle reconciler then routes the issue
-    // from GitHub truth (e.g. a missed changes_requested → review_fix).
-    finalizeDanglingActiveRuns() {
+    // because `activeRunId` is set. settleRun is idempotent and its slot
+    // clear is a predicate-guarded versioned commit, so no age gate is
+    // needed — it cannot destructively race the notification finalizer.
+    // The idle reconciler then routes the issue from GitHub truth (e.g. a
+    // missed changes_requested → review_fix).
+    settleDanglingActiveRuns() {
         for (const issue of this.db.issues.listIssuesWithTerminalActiveRun()) {
             if (issue.activeRunId === undefined)
                 continue;
             const run = this.db.runs.getRunById(issue.activeRunId);
-            // The query already filters to terminal runs; this guards against a
-            // race where the run advanced back to active between query and read.
-            if (!run || run.status === "running" || run.status === "queued")
-                continue;
-            // Hold off until the run has been terminal long enough that the
-            // normal notification-driven finalize has demonstrably not run —
-            // avoids racing a live completion that is milliseconds from clearing
-            // the slot itself.
-            const endedAtMs = run.endedAt ? Date.parse(run.endedAt) : Number.NaN;
-            if (Number.isFinite(endedAtMs) && Date.now() - endedAtMs < DANGLING_ACTIVE_RUN_MIN_AGE_MS)
+            if (!run)
                 continue;
             const lease = this.claimLeaseForReconciliation(run.projectId, run.linearIssueId);
-            // "skip" → a live lease owns the session (a real run is in flight);
-            // leave it alone. "owned" → an outer local scope holds it, so we
-            // must not release it here.
+            // "skip" → a live lease owns the session (a worker is mid-finalize or
+            // mid-launch); settleRun could not corrupt its writes, but deferring
+            // lets the owner land its richer post-run state first. "owned" → an
+            // outer local scope holds it, so we must not release it here.
             if (lease === "skip")
                 continue;
             try {
-                const cleared = this.withHeldIssueSessionLease(run.projectId, run.linearIssueId, (held) => {
-                    const fresh = this.db.issues.getIssue(run.projectId, run.linearIssueId);
-                    if (!fresh || fresh.activeRunId !== run.id)
-                        return false;
-                    const danglingClear = {
-                        projectId: run.projectId,
-                        linearIssueId: run.linearIssueId,
-                        activeRunId: null,
-                    };
-                    const commit = this.db.issueSessions.commitIssueState({
-                        writer: WRITER,
-                        lease: held,
-                        expectedVersion: fresh.version,
-                        update: danglingClear,
-                        // Never clear a slot a concurrent writer re-pointed elsewhere.
-                        onConflict: (current) => (current.activeRunId === run.id ? danglingClear : undefined),
-                    });
-                    return commit.outcome === "applied";
-                });
-                if (cleared) {
+                // No `finish` outcome: the run is already terminal, and settleRun
+                // leaves a run that raced back to non-terminal status untouched.
+                const settled = this.withHeldIssueSessionLease(run.projectId, run.linearIssueId, (held) => settleRun({ db: this.db, run, lease: held }));
+                if (settled?.slotCleared) {
                     this.logger.warn({ issueKey: issue.issueKey, runId: run.id, runType: run.runType, runStatus: run.status }, "Cleared dangling active-run slot left by a terminal run; idle reconcile will resume the issue");
                     this.feed?.publish({
                         level: "warn",
@@ -701,14 +659,14 @@ export class RunOrchestrator {
     }
     // ─── Internal helpers ─────────────────────────────────────────────
     escalate(issue, runType, reason) {
-        this.runRecovery.escalate({
+        this.runFailurePolicy.escalate({
             issue,
             runType,
             reason,
         });
     }
     failRunAndClear(run, message, nextState = "failed") {
-        this.runRecovery.failRunAndClear({
+        this.runFailurePolicy.failRunAndClear({
             run,
             message,
             nextState,

package/dist/run-reconciler.js

@@ -3,10 +3,10 @@ import { TERMINAL_STATES } from "./factory-state.js";
 import { resolveAuthoritativeLinearStopState } from "./linear-workflow.js";
 import { buildRunFailureActivity } from "./linear-session-reporting.js";
 import { getThreadTurns } from "./codex-thread-utils.js";
-import { resolveRecoverablePostRunState } from "./interrupted-run-recovery.js";
 import { resolveEffectiveActiveRun } from "./effective-active-run.js";
 import { isThreadMaterializingError } from "./codex-thread-errors.js";
 import { fetchPullRequestSnapshot } from "./reconcile-pr-fetch.js";
+import { emitTelemetry, noopTelemetry } from "./telemetry.js";
 const THREAD_MATERIALIZATION_GRACE_MS = 10 * 60_000;
 const WRITER = "run-reconciler";
 function isWithinThreadMaterializationGrace(run, nowMs = Date.now()) {
@@ -20,27 +20,27 @@ export class RunReconciler {
     logger;
     linearProvider;
     linearSync;
-    interruptedRunRecovery;
+    failurePolicy;
     runFinalizer;
     withHeldLease;
     releaseLease;
     readThreadWithRetry;
-    recoverOrEscalate;
     resolveRepoFullName;
     feed;
-    constructor(db, logger, linearProvider, linearSync, interruptedRunRecovery, runFinalizer, withHeldLease, releaseLease, readThreadWithRetry, recoverOrEscalate, resolveRepoFullName = () => undefined, feed) {
+    telemetry;
+    constructor(db, logger, linearProvider, linearSync, failurePolicy, runFinalizer, withHeldLease, releaseLease, readThreadWithRetry, resolveRepoFullName = () => undefined, feed, telemetry = noopTelemetry) {
         this.db = db;
         this.logger = logger;
         this.linearProvider = linearProvider;
         this.linearSync = linearSync;
-        this.interruptedRunRecovery = interruptedRunRecovery;
+        this.failurePolicy = failurePolicy;
         this.runFinalizer = runFinalizer;
         this.withHeldLease = withHeldLease;
         this.releaseLease = releaseLease;
         this.readThreadWithRetry = readThreadWithRetry;
-        this.recoverOrEscalate = recoverOrEscalate;
         this.resolveRepoFullName = resolveRepoFullName;
         this.feed = feed;
+        this.telemetry = telemetry;
     }
     async reconcile(params) {
         const { run, issue, recoveryLease } = params;
@@ -67,6 +67,19 @@ export class RunReconciler {
             if (commit?.outcome === "applied") {
                 effectiveIssue = commit.issue;
                 this.logger.info({ issueKey: effectiveIssue.issueKey, runId: run.id, runType: run.runType }, "Reattached detached active run during reconciliation");
+                // Plan §B5: with settleRun idempotent and the launcher persisting the
+                // thread id before startTurn, this reattachment should never fire.
+                // Telemetry observes it for one release before the block is deleted.
+                emitTelemetry(this.telemetry, {
+                    type: "health.invariant",
+                    invariant: "detached_active_run",
+                    status: "repaired",
+                    projectId: run.projectId,
+                    linearIssueId: run.linearIssueId,
+                    ...(effectiveIssue.issueKey ? { issueKey: effectiveIssue.issueKey } : {}),
+                    runId: run.id,
+                    detail: `Reattached detached active ${run.runType} run during reconciliation`,
+                });
             }
             else if (commit?.outcome === "conflict_skipped" && commit.issue) {
                 effectiveIssue = commit.issue;
@@ -111,19 +124,14 @@ export class RunReconciler {
                 return;
             }
             this.logger.warn({ issueKey: effectiveIssue.issueKey, runId: run.id, runType: run.runType }, "Zombie run detected (no thread)");
-            const zombieClear = { projectId: run.projectId, linearIssueId: run.linearIssueId, activeRunId: null };
-            this.withHeldLease(run.projectId, run.linearIssueId, () => {
-                const commit = this.db.issueSessions.commitIssueState({
-                    writer: WRITER,
-                    expectedVersion: effectiveIssue.version,
-                    update: zombieClear,
-                    onConflict: (current) => (current.activeRunId === run.id ? zombieClear : undefined),
-                });
-                if (commit.outcome !== "applied")
-                    return;
-                this.db.runs.finishRun(run.id, { status: "failed", failureReason: "Zombie: never started (no thread after restart)" });
+            // Detection only — the failure policy settles the run and decides
+            // retry vs escalate (plan §B4).
+            this.failurePolicy.settleStrandedRunAndRecover({
+                run,
+                issue: effectiveIssue,
+                reason: "zombie",
+                failureReason: "Zombie: never started (no thread after restart)",
             });
-            this.recoverOrEscalate(effectiveIssue, run.runType, "zombie");
             const recoveredIssue = this.db.issues.getIssue(run.projectId, run.linearIssueId) ?? effectiveIssue;
             void this.linearSync.emitActivity(recoveredIssue, buildRunFailureActivity(run.runType, "The Codex turn never started before PatchRelay restarted."));
             void this.linearSync.syncSession(recoveredIssue, { activeRunType: run.runType });
@@ -144,19 +152,14 @@ export class RunReconciler {
                 return;
             }
             this.logger.warn({ issueKey: effectiveIssue.issueKey, runId: run.id, runType: run.runType, threadId: run.threadId }, "Stale thread during reconciliation");
-            const staleClear = { projectId: run.projectId, linearIssueId: run.linearIssueId, activeRunId: null };
-            this.withHeldLease(run.projectId, run.linearIssueId, () => {
-                const commit = this.db.issueSessions.commitIssueState({
-                    writer: WRITER,
-                    expectedVersion: effectiveIssue.version,
-                    update: staleClear,
-                    onConflict: (current) => (current.activeRunId === run.id ? staleClear : undefined),
-                });
-                if (commit.outcome !== "applied")
-                    return;
-                this.db.runs.finishRun(run.id, { status: "failed", failureReason: "Stale thread after restart" });
+            // Detection only — the failure policy settles the run and decides
+            // retry vs escalate (plan §B4).
+            this.failurePolicy.settleStrandedRunAndRecover({
+                run,
+                issue: effectiveIssue,
+                reason: "stale_thread",
+                failureReason: "Stale thread after restart",
             });
-            this.recoverOrEscalate(effectiveIssue, run.runType, "stale_thread");
             const recoveredIssue = this.db.issues.getIssue(run.projectId, run.linearIssueId) ?? effectiveIssue;
             void this.linearSync.emitActivity(recoveredIssue, buildRunFailureActivity(run.runType, "PatchRelay lost the active Codex thread after restart and needs to recover."));
             void this.linearSync.syncSession(recoveredIssue, { activeRunType: run.runType });
@@ -207,7 +210,7 @@ export class RunReconciler {
         }
         const latestTurn = getThreadTurns(thread).at(-1);
         if (latestTurn?.status === "interrupted") {
-            await this.interruptedRunRecovery.handle(run, effectiveIssue);
+            await this.failurePolicy.handleInterruptedRun(run, effectiveIssue);
             return;
         }
         if (latestTurn?.status === "completed") {
@@ -218,7 +221,6 @@ export class RunReconciler {
                 thread,
                 threadId: run.threadId,
                 ...(latestTurn.id ? { completedTurnId: latestTurn.id } : {}),
-                resolveRecoverableRunState: resolveRecoverablePostRunState,
             });
             return;
         }

package/dist/run-settlement.js

@@ -0,0 +1,57 @@
+const WRITER = "run-settlement";
+const TERMINAL_RUN_STATUSES = new Set(["completed", "failed", "released", "superseded"]);
+export function isTerminalRunStatus(status) {
+    return TERMINAL_RUN_STATUSES.has(status);
+}
+// Phase B1 (core simplification plan): the fast, transactional, idempotent
+// half of run finalization. One transaction marks the run terminal and
+// clears the issue's active slot — the two writes whose separation caused
+// the dangling-active-run freeze (PR #566): a restart landing between them
+// left `activeRunId` pointing at a terminal run forever, hiding the issue
+// from every idle/recovery pass. Safe to call from both the notification
+// finalizer and reconciliation at any time:
+//   - already-terminal run → finishRun skipped;
+//   - slot already cleared or re-pointed at another run → issue untouched;
+//   - non-terminal run with no `finish` outcome → full no-op.
+export function settleRun(params) {
+    const { db, run } = params;
+    return db.transaction(() => {
+        const freshRun = db.runs.getRunById(run.id);
+        if (!freshRun) {
+            return { runFinished: false, slotCleared: false, issue: db.issues.getIssue(run.projectId, run.linearIssueId) };
+        }
+        let runFinished = false;
+        if (!isTerminalRunStatus(freshRun.status)) {
+            if (!params.finish) {
+                return { runFinished: false, slotCleared: false, issue: db.issues.getIssue(run.projectId, run.linearIssueId) };
+            }
+            db.runs.finishRun(run.id, params.finish);
+            runFinished = true;
+        }
+        const current = db.issues.getIssue(run.projectId, run.linearIssueId);
+        if (!current || current.activeRunId !== run.id) {
+            return { runFinished, slotCleared: false, issue: current };
+        }
+        const buildUpdate = (record) => ({
+            projectId: run.projectId,
+            linearIssueId: run.linearIssueId,
+            ...params.buildIssueUpdate?.(record),
+            // After the caller-provided fields so nothing can override the clear.
+            activeRunId: null,
+        });
+        const commit = db.issueSessions.commitIssueState({
+            writer: WRITER,
+            ...(params.lease ? { lease: params.lease } : {}),
+            expectedVersion: current.version,
+            update: buildUpdate(current),
+            // The read above happened inside this same transaction, so a version
+            // conflict cannot normally occur; the predicate keeps the invariant
+            // explicit: never clear a slot that was re-pointed at another run.
+            onConflict: (fresh) => (fresh.activeRunId === run.id ? buildUpdate(fresh) : undefined),
+        });
+        if (commit.outcome !== "applied") {
+            return { runFinished, slotCleared: false, issue: commit.outcome === "conflict_skipped" ? commit.issue : current };
+        }
+        return { runFinished, slotCleared: true, issue: commit.issue };
+    });
+}

package/dist/service.js

@@ -14,6 +14,7 @@ import { ServiceStartupRecovery } from "./service-startup-recovery.js";
 import { WakeDispatcher } from "./wake-dispatcher.js";
 import { WebhookHandler } from "./webhook-handler.js";
 import { acceptIncomingWebhook } from "./service-webhooks.js";
+import { ABANDONED_PENDING_WEBHOOK_AGE_MS } from "./db/webhook-event-store.js";
 import { runWebhookEventRetention } from "./event-retention.js";
 import { parseStringArray, TrackedIssueListQuery } from "./tracked-issue-list-query.js";
 import { AgentInputService } from "./agent-input-service.js";
@@ -103,6 +104,7 @@ export class PatchRelayService {
     }
     async start() {
         this.db.issueSessions.releaseExpiredIssueSessionLeases();
+        this.sweepAbandonedWebhookEvents();
         const repairedInstallations = this.db.linearInstallations.repairProjectInstallations(this.config.projects.map((project) => project.id));
         for (const repair of repairedInstallations) {
             this.logger.info({ projectId: repair.projectId, installationId: repair.installationId, reason: repair.reason }, "Repaired Linear project installation link");
@@ -287,6 +289,26 @@ export class PatchRelayService {
     getReadiness() {
         return this.runtime.getReadiness();
     }
+    // Core simplification plan §C2: webhook_events is a dedupe + forensics log,
+    // not a replay queue. A row stuck at 'pending' means a crash or restart
+    // interrupted processing; the event will never be replayed (recovery is
+    // re-derivation from GitHub/Linear via reconciliation), so mark it
+    // 'abandoned' — making it archiveable — and surface the count to the
+    // operator, because every abandoned row is a crash worth seeing.
+    sweepAbandonedWebhookEvents() {
+        const cutoffIso = new Date(Date.now() - ABANDONED_PENDING_WEBHOOK_AGE_MS).toISOString();
+        const abandoned = this.db.webhookEvents.markAbandonedPendingEventsBefore(cutoffIso);
+        if (abandoned === 0)
+            return;
+        this.logger.warn({ abandoned, cutoffIso }, "Marked stale pending webhook events as abandoned at startup");
+        this.feed.publish({
+            level: "warn",
+            kind: "webhook",
+            status: "abandoned_events",
+            summary: `Startup: marked ${abandoned} stale pending webhook event(s) as abandoned`,
+            detail: "Processing was interrupted (crash/restart). State recovers via reconciliation; the rows stay archiveable for forensics.",
+        });
+    }
     scheduleEventRetention(delayMs = 24 * 60 * 60 * 1000) {
         if (this.eventRetentionTimer !== undefined) {
             clearTimeout(this.eventRetentionTimer);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "patchrelay",
-  "version": "0.76.0",
+  "version": "0.78.0",
   "license": "MIT",
   "type": "module",
   "repository": {