fix(broker-lifecycle): reject stale sessions via PID-alive + age checks

Анатолий Иванов · Анатолий Иванов · commit 6ce0540dce2c · 2026-04-23T13:59:49.000+07:00
isBrokerEndpointReady() only does a 150ms socket ping. If the broker's
underlying codex app-server subprocess is in a bad state — observed
after multi-day uptime — the socket still accepts connections, so the
existing session is trusted and reused, but every task disconnects
mid-turn because the transport subsystem behind the socket is broken.

Two complementary guards added in isSessionStale():

1. PID-alive probe: process.kill(session.pid, 0) detects a crashed
   broker whose socket file may linger. Covers the acute crash case.

2. Age-based rotation: compare Date.now() against session.startedAt
   (new field, captured when the broker spawns). Default threshold 6h,
   overridable via CODEX_COMPANION_BROKER_MAX_AGE_HOURS env var.
   Covers the slow-degradation case where neither PID nor socket ping
   surface the problem.

Gate added to ensureBrokerSession() before trusting the socket ping:
existing session must (a) exist, (b) not be stale, (c) pass the socket
ping. If any check fails, the existing session is torn down and a
fresh broker is spawned — the same path already used for missing or
unreachable brokers.

Observed in the wild: broker process with 3d+11h uptime caused 100%
task disconnect rate for every /codex:rescue invocation. Restarting
the broker (deleting broker.json and letting the next task spawn
fresh) fully restored task reliability until the next degradation.
diff --git a/plugins/codex/scripts/lib/broker-lifecycle.mjs b/plugins/codex/scripts/lib/broker-lifecycle.mjs
@@ -110,9 +110,58 @@ async function isBrokerEndpointReady(endpoint) {
   }
 }
 
+// Observed failure: after days of broker uptime the socket still accepts
+// connections (passes isBrokerEndpointReady), but the underlying `codex
+// app-server` subprocess is in a bad state and drops transport mid-turn
+// on every task. Socket ping alone does not detect this. Add two guards:
+//   1. PID-alive probe — detects a crashed broker before trusting the socket.
+//   2. Age-based rotation — forces a fresh broker past a threshold; default
+//      6h, overridable via CODEX_COMPANION_BROKER_MAX_AGE_HOURS.
+function getBrokerMaxAgeMs() {
+  const hours = Number(process.env.CODEX_COMPANION_BROKER_MAX_AGE_HOURS);
+  const safe = Number.isFinite(hours) && hours > 0 ? hours : 6;
+  return safe * 60 * 60 * 1000;
+}
+
+function isPidAlive(pid) {
+  if (!Number.isFinite(pid) || pid <= 0) return false;
+  try {
+    // signal 0 only checks existence; no actual signal delivered
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function isSessionStale(session) {
+  if (!session) return true;
+  // PID check — covers crashed-broker case
+  if (session.pid != null && !isPidAlive(session.pid)) return true;
+  // Legacy rotation — sessions persisted before startedAt was introduced
+  // skip age validation otherwise; force one-time rotation so the fix
+  // applies to pre-upgrade broker.json entries.
+  if (!session.startedAt) return true;
+  // Age check — covers slow-degradation case
+  const age = Date.now() - session.startedAt;
+  if (age > getBrokerMaxAgeMs()) return true;
+  return false;
+}
+
+// Default kill for stale-rotation teardown. Without this, rotating a still-alive
+// broker only removes its socket/pid files — the detached process keeps running
+// and leaks host resources. SIGTERM is best-effort; ignore missing-process errors.
+function defaultKillProcess(pid) {
+  try {
+    process.kill(pid, "SIGTERM");
+  } catch {
+    // process already gone — fine
+  }
+}
+
 export async function ensureBrokerSession(cwd, options = {}) {
   const existing = loadBrokerSession(cwd);
-  if (existing && (await isBrokerEndpointReady(existing.endpoint))) {
+  if (existing && !isSessionStale(existing) && (await isBrokerEndpointReady(existing.endpoint))) {
     return existing;
   }
 
@@ -123,7 +172,10 @@ export async function ensureBrokerSession(cwd, options = {}) {
       logFile: existing.logFile ?? null,
       sessionDir: existing.sessionDir ?? null,
       pid: existing.pid ?? null,
-      killProcess: options.killProcess ?? null
+      // Use defaultKillProcess so stale (but PID-alive) brokers actually
+      // terminate during rotation — otherwise they leak as orphaned
+      // processes while only their socket/pidfile are cleaned up.
+      killProcess: options.killProcess ?? defaultKillProcess
     });
     clearBrokerSession(cwd);
   }
@@ -164,7 +216,8 @@ export async function ensureBrokerSession(cwd, options = {}) {
     pidFile,
     logFile,
     sessionDir,
-    pid: child.pid ?? null
+    pid: child.pid ?? null,
+    startedAt: Date.now()  // used by isSessionStale() for age-based rotation
   };
   saveBrokerSession(cwd, session);
   return session;
