feat(sdk): chat.agent oomMachine for automatic OOM-retry on a larger machine

Setting oomMachine opts a chat.agent into one-shot OOM recovery: the
failed turn re-runs on the larger machine, derives a session.in cutoff
from the latest trigger:turn-complete chunk on session.out, and skips
the turns that already completed on the prior attempt. Adds the
setMinTimestamp filter on the session-stream manager and force-kills
the dev worker between attempts so local behavior matches prod.

Author: ericallam

packages/cli-v3/src/dev/taskRunProcessPool.ts

@@ -127,7 +127,11 @@ export class TaskRunProcessPool {
     return { taskRunProcess: newProcess, isReused: false };
   }
 
-  async returnProcess(process: TaskRunProcess, version: string): Promise<void> {
+  async returnProcess(
+    process: TaskRunProcess,
+    version: string,
+    options?: { forceKill?: boolean }
+  ): Promise<void> {
     // Remove from busy processes for this version
     const busyProcesses = this.busyProcessesByVersion.get(version);
     if (busyProcesses) {
@@ -141,6 +145,19 @@ export class TaskRunProcessPool {
       );
     }
 
+    // `forceKill` skips the reuse heuristic and tears the process down. Used
+    // on outcomes that leave the process in a state we can't safely reuse
+    // (OOM in particular — production would get a fresh container, so local
+    // dev should match that).
+    if (options?.forceKill) {
+      logger.debug("[TaskRunProcessPool] Force-killing process", {
+        version,
+        pid: process.pid,
+      });
+      await this.killProcess(process);
+      return;
+    }
+
     if (this.shouldReuseProcess(process, version)) {
       const availableCount = this.availableProcessesByVersion.get(version)?.length || 0;
       const busyCount = this.busyProcessesByVersion.get(version)?.size || 0;

packages/cli-v3/src/entryPoints/dev-run-controller.ts

@@ -2,6 +2,8 @@ import {
   CompleteRunAttemptResult,
   DequeuedMessage,
   IntervalService,
+  isManualOutOfMemoryError,
+  isOOMRunError,
   LogLevel,
   RunExecutionData,
   SuspendedProcessError,
@@ -52,6 +54,12 @@ export class DevRunController {
   private readonly cwd?: string;
   private isCompletingRun = false;
   private isShuttingDown = false;
+  // Set when the current attempt's outcome means the worker process can't
+  // safely be reused (OOM in particular). Production gives every retry a
+  // fresh container; local dev's process pool needs the same on these
+  // outcomes or in-process state (e.g. session.in cursors) leaks across
+  // attempts and the OOM retry skips the message that triggered it.
+  private discardProcessOnReturn = false;
 
   private state:
     | {
@@ -539,6 +547,13 @@ export class DevRunController {
         error: TaskRunProcess.parseExecuteError(error),
       } satisfies TaskRunFailedExecutionResult;
 
+      // Same OOM check as the success path: if the thrown error parses to
+      // an OOM, force-kill the process when it's eventually returned (via
+      // runFinished / stop) instead of recycling it.
+      if (isOOMRunError(completion.error) || isManualOutOfMemoryError(completion.error)) {
+        this.discardProcessOnReturn = true;
+      }
+
       const completionResult = await this.httpClient.dev.completeRunAttempt(
         run.friendlyId,
         this.snapshotFriendlyId ?? snapshot.friendlyId,
@@ -664,10 +679,22 @@ export class DevRunController {
 
     this.isCompletingRun = true;
 
+    // Detect OOM in the failure result so we can force-kill the worker
+    // instead of returning it to the pool. Mirrors the production behavior
+    // where OOM retry happens on a brand-new container.
+    if (
+      !completion.ok &&
+      (isOOMRunError(completion.error) || isManualOutOfMemoryError(completion.error))
+    ) {
+      this.discardProcessOnReturn = true;
+    }
+
     // Return process to pool instead of killing it
     try {
       const version = this.opts.worker.serverWorker?.version || "unknown";
-      await this.opts.taskRunProcessPool.returnProcess(this.taskRunProcess, version);
+      await this.opts.taskRunProcessPool.returnProcess(this.taskRunProcess, version, {
+        forceKill: this.discardProcessOnReturn,
+      });
       this.taskRunProcess = undefined;
     } catch (error) {
       logger.debug("Failed to return task run process to pool, submitting completion anyway", {
@@ -820,7 +847,9 @@ export class DevRunController {
     if (this.taskRunProcess) {
       try {
         const version = this.opts.worker.serverWorker?.version || "unknown";
-        await this.opts.taskRunProcessPool.returnProcess(this.taskRunProcess, version);
+        await this.opts.taskRunProcessPool.returnProcess(this.taskRunProcess, version, {
+          forceKill: this.discardProcessOnReturn,
+        });
         this.taskRunProcess = undefined;
       } catch (error) {
         logger.debug("Failed to return task run process to pool during runFinished", { error });
@@ -854,7 +883,9 @@ export class DevRunController {
     if (this.taskRunProcess && !this.taskRunProcess.isBeingKilled) {
       try {
         const version = this.opts.worker.serverWorker?.version || "unknown";
-        await this.opts.taskRunProcessPool.returnProcess(this.taskRunProcess, version);
+        await this.opts.taskRunProcessPool.returnProcess(this.taskRunProcess, version, {
+          forceKill: this.discardProcessOnReturn,
+        });
         this.taskRunProcess = undefined;
       } catch (error) {
         logger.debug("Failed to return task run process to pool during stop", { error });

packages/core/src/v3/sessionStreams/index.ts

@@ -59,6 +59,14 @@ export class SessionStreamsAPI implements SessionStreamManager {
     this.#getManager().setLastSeqNum(sessionId, io, seqNum);
   }
 
+  public setMinTimestamp(
+    sessionId: string,
+    io: SessionChannelIO,
+    minTimestamp: number | undefined
+  ): void {
+    this.#getManager().setMinTimestamp(sessionId, io, minTimestamp);
+  }
+
   public shiftBuffer(sessionId: string, io: SessionChannelIO): boolean {
     return this.#getManager().shiftBuffer(sessionId, io);
   }

packages/core/src/v3/sessionStreams/manager.test.ts

@@ -0,0 +1,151 @@
+import { describe, expect, it } from "vitest";
+import { StandardSessionStreamManager } from "./manager.js";
+import type { ApiClient } from "../apiClient/index.js";
+import type { SSEStreamPart } from "../apiClient/runStream.js";
+
+// Single-shot mock that mimics S2's long-poll: delivers `records` once via
+// `onPart` on the first subscribe call, then keeps the returned async
+// iterable OPEN until the abort signal fires. Real S2 keeps the SSE
+// connection alive on a long-poll; the manager's `runTail` finally /
+// reconnect path only fires when the connection actually closes. Returning
+// an empty stream synchronously triggers a tight reconnect loop, so the
+// mock parks indefinitely instead.
+function singleShotApiClient(
+  records: Array<{ id: string; chunk: unknown; timestamp: number }>
+): ApiClient {
+  let delivered = false;
+  return {
+    async subscribeToSessionStream<T>(
+      _sessionIdOrExternalId: string,
+      _io: "out" | "in",
+      options?: { onPart?: (part: SSEStreamPart<T>) => void; signal?: AbortSignal }
+    ) {
+      if (!delivered) {
+        delivered = true;
+        for (const record of records) {
+          options?.onPart?.(record as SSEStreamPart<T>);
+        }
+      }
+      const signal = options?.signal;
+      return (async function* () {
+        if (signal?.aborted) return;
+        await new Promise<void>((resolve) => {
+          if (!signal) {
+            // No signal — block the stream forever; tests must
+            // explicitly call `disconnectStream` / `disconnect` to
+            // unblock.
+            return;
+          }
+          signal.addEventListener("abort", () => resolve(), { once: true });
+        });
+      })() as unknown as Awaited<ReturnType<ApiClient["subscribeToSessionStream"]>>;
+    },
+  } as unknown as ApiClient;
+}
+
+describe("StandardSessionStreamManager — minTimestamp filter", () => {
+  const sessionId = "session-1";
+  const io = "in" as const;
+
+  it("dispatches records when no filter is set", async () => {
+    const records = [
+      { id: "0", chunk: { kind: "message", payload: { id: "u1" } }, timestamp: 1000 },
+      { id: "1", chunk: { kind: "message", payload: { id: "u2" } }, timestamp: 2000 },
+    ];
+    const manager = new StandardSessionStreamManager(singleShotApiClient(records), "http://localhost");
+
+    const first = await manager.once(sessionId, io);
+    expect(first).toEqual({ ok: true, output: { kind: "message", payload: { id: "u1" } } });
+
+    const second = await manager.once(sessionId, io);
+    expect(second).toEqual({ ok: true, output: { kind: "message", payload: { id: "u2" } } });
+
+    manager.disconnectStream(sessionId, io); // stop reconnect loop
+    manager.disconnect();
+  });
+
+  it("drops records whose timestamp is <= minTimestamp", async () => {
+    const records = [
+      { id: "0", chunk: { kind: "message", payload: { id: "u1" } }, timestamp: 1000 },
+      { id: "1", chunk: { kind: "message", payload: { id: "u2" } }, timestamp: 2000 },
+      { id: "2", chunk: { kind: "message", payload: { id: "u3" } }, timestamp: 3000 },
+    ];
+    const manager = new StandardSessionStreamManager(singleShotApiClient(records), "http://localhost");
+
+    // Cutoff at 2000 (inclusive: `<=` is dropped). Only u3 should pass.
+    manager.setMinTimestamp(sessionId, io, 2000);
+
+    const passed = await manager.once(sessionId, io, { timeoutMs: 200 });
+    expect(passed).toEqual({ ok: true, output: { kind: "message", payload: { id: "u3" } } });
+
+    manager.disconnectStream(sessionId, io);
+    manager.disconnect();
+  });
+
+  it("clears the filter when set to undefined", async () => {
+    const records = [
+      { id: "0", chunk: { kind: "message", payload: { id: "u1" } }, timestamp: 1000 },
+    ];
+    const manager = new StandardSessionStreamManager(singleShotApiClient(records), "http://localhost");
+
+    manager.setMinTimestamp(sessionId, io, 5000);
+    manager.setMinTimestamp(sessionId, io, undefined);
+
+    const passed = await manager.once(sessionId, io, { timeoutMs: 200 });
+    expect(passed).toEqual({ ok: true, output: { kind: "message", payload: { id: "u1" } } });
+
+    manager.disconnectStream(sessionId, io);
+    manager.disconnect();
+  });
+
+  it("filter is per-(sessionId, io) and doesn't bleed across streams", async () => {
+    const inApi = singleShotApiClient([
+      { id: "0", chunk: { kind: "in-record" }, timestamp: 1000 },
+    ]);
+    const manager = new StandardSessionStreamManager(inApi, "http://localhost");
+
+    manager.setMinTimestamp(sessionId, "in", 5000);
+
+    // The "out" stream uses the same singleShotApiClient instance — its
+    // single-shot delivers the same fixture, but the filter doesn't apply
+    // to "out" so the record passes.
+    const outResult = await manager.once(sessionId, "out", { timeoutMs: 200 });
+    expect(outResult).toEqual({ ok: true, output: { kind: "in-record" } });
+
+    // The "in" stream is filtered (minTimestamp=5000, record ts=1000): the
+    // once() call should idle-timeout instead of resolving with the record.
+    // But the singleShot instance has already delivered to the "out" tail,
+    // so the "in" tail will get nothing on first connect anyway. Use a
+    // separate manager+api to keep the assertion crisp.
+    const inApi2 = singleShotApiClient([
+      { id: "0", chunk: { kind: "in-record-2" }, timestamp: 1000 },
+    ]);
+    const manager2 = new StandardSessionStreamManager(inApi2, "http://localhost");
+    manager2.setMinTimestamp(sessionId, "in", 5000);
+
+    const inResult = await manager2.once(sessionId, "in", { timeoutMs: 100 });
+    expect(inResult.ok).toBe(false); // filter-dropped → idle timeout
+
+    manager.disconnectStream(sessionId, "in");
+    manager.disconnectStream(sessionId, "out");
+    manager.disconnect();
+    manager2.disconnectStream(sessionId, "in");
+    manager2.disconnect();
+  });
+
+  it("reset() clears all per-stream timestamp filters", async () => {
+    const records = [
+      { id: "0", chunk: { kind: "message", payload: { id: "u1" } }, timestamp: 1000 },
+    ];
+    const manager = new StandardSessionStreamManager(singleShotApiClient(records), "http://localhost");
+
+    manager.setMinTimestamp(sessionId, io, 5000);
+    manager.reset();
+
+    const passed = await manager.once(sessionId, io, { timeoutMs: 200 });
+    expect(passed).toEqual({ ok: true, output: { kind: "message", payload: { id: "u1" } } });
+
+    manager.disconnectStream(sessionId, io);
+    manager.disconnect();
+  });
+});

packages/core/src/v3/sessionStreams/manager.ts

@@ -36,6 +36,13 @@ export class StandardSessionStreamManager implements SessionStreamManager {
   private onceWaiters = new Map<string, OnceWaiter[]>();
   private buffer = new Map<string, unknown[]>();
   private tails = new Map<string, TailState>();
+  // Per-stream lower-bound timestamp filter. When set, records whose
+  // SSE timestamp is <= the bound are dropped before dispatch — used by
+  // chat.agent on OOM-retry boot to skip session.in records belonging
+  // to turns that already completed on the prior attempt. The filter
+  // is consulted in `runTail`'s `onPart` so the buffer never sees the
+  // dropped records.
+  private minTimestamps = new Map<string, number>();
   // Keys that were explicitly torn down by `disconnectStream`. The tail's
   // `.finally` reconnect path checks this so a long-lived persistent handler
   // (e.g. `chat.agent`'s run-level `stopInput.on(...)`) doesn't silently
@@ -164,6 +171,19 @@ export class StandardSessionStreamManager implements SessionStreamManager {
     }
   }
 
+  setMinTimestamp(
+    sessionId: string,
+    io: SessionChannelIO,
+    minTimestamp: number | undefined
+  ): void {
+    const key = keyFor(sessionId, io);
+    if (minTimestamp === undefined) {
+      this.minTimestamps.delete(key);
+    } else {
+      this.minTimestamps.set(key, minTimestamp);
+    }
+  }
+
   shiftBuffer(sessionId: string, io: SessionChannelIO): boolean {
     const key = keyFor(sessionId, io);
     const buffered = this.buffer.get(key);
@@ -213,6 +233,7 @@ export class StandardSessionStreamManager implements SessionStreamManager {
   reset(): void {
     this.disconnect();
     this.seqNums.clear();
+    this.minTimestamps.clear();
     this.handlers.clear();
 
     for (const [, waiters] of this.onceWaiters) {
@@ -271,16 +292,40 @@ export class StandardSessionStreamManager implements SessionStreamManager {
     const key = keyFor(sessionId, io);
     try {
       const lastSeq = this.seqNums.get(key);
+      // Dispatch is driven from `onPart` (not the for-await loop) so each
+      // record reaches dispatch with its full SSE metadata in scope —
+      // specifically the timestamp, which we need for the per-stream
+      // min-timestamp filter. The for-await loop below just drains the
+      // pipeThrough output to keep the source flowing.
       const stream = await this.apiClient.subscribeToSessionStream<unknown>(sessionId, io, {
         signal,
         baseUrl: this.baseUrl,
         timeoutInSeconds: 600,
         lastEventId: lastSeq !== undefined ? String(lastSeq) : undefined,
         onPart: (part) => {
+          if (signal.aborted) return;
           const seqNum = parseInt(part.id, 10);
           if (Number.isFinite(seqNum)) {
             this.seqNums.set(key, seqNum);
           }
+
+          // Min-timestamp filter: drop records older than (or at) the
+          // bound. Used to skip already-processed records on OOM-retry
+          // boot.
+          const minTs = this.minTimestamps.get(key);
+          if (minTs !== undefined && part.timestamp <= minTs) {
+            return;
+          }
+
+          let data: unknown = part.chunk;
+          if (typeof data === "string") {
+            try {
+              data = JSON.parse(data);
+            } catch {
+              // keep as string
+            }
+          }
+          this.#dispatch(key, data);
         },
         onComplete: () => {
           if (this.debug) {
@@ -294,21 +339,10 @@ export class StandardSessionStreamManager implements SessionStreamManager {
         },
       });
 
-      for await (const record of stream) {
+      // Drain to keep the pipeThrough flowing. Records were already
+      // dispatched in `onPart`, so the body here is a no-op.
+      for await (const _record of stream) {
         if (signal.aborted) break;
-
-        let data: unknown;
-        if (typeof record === "string") {
-          try {
-            data = JSON.parse(record);
-          } catch {
-            data = record;
-          }
-        } else {
-          data = record;
-        }
-
-        this.#dispatch(key, data);
       }
     } catch (error) {
       if (error instanceof Error && error.name === "AbortError") return;