mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-06 14:00:09 +02:00
* feat(comments): skip default thread read on resumed comment sessions Co-authored-by: multica-agent <github@multica.ai> * fix(comments): scope since delta to trigger thread Co-authored-by: multica-agent <github@multica.ai> * chore(comments): address thread delta review nits Co-authored-by: multica-agent <github@multica.ai> --------- Co-authored-by: Eve <eve@multica-ai.local> Co-authored-by: multica-agent <github@multica.ai>
3554 lines
130 KiB
Go
3554 lines
130 KiB
Go
package daemon
|
||
|
||
import (
|
||
"context"
|
||
"encoding/json"
|
||
"errors"
|
||
"fmt"
|
||
"log/slog"
|
||
"math/rand"
|
||
"os"
|
||
"path/filepath"
|
||
"strconv"
|
||
"strings"
|
||
"sync"
|
||
"sync/atomic"
|
||
"time"
|
||
|
||
"github.com/multica-ai/multica/server/internal/cli"
|
||
"github.com/multica-ai/multica/server/internal/daemon/execenv"
|
||
"github.com/multica-ai/multica/server/internal/daemon/repocache"
|
||
"github.com/multica-ai/multica/server/pkg/agent"
|
||
)
|
||
|
||
// ErrRepoNotConfigured is returned by ensureRepoReady when the requested repo
|
||
// URL is not present in the workspace's repo configuration after a fresh
|
||
// server refresh.
|
||
var ErrRepoNotConfigured = errors.New("repo is not configured for this workspace")
|
||
|
||
// taskRunner executes a single agent task and returns the result.
|
||
// Extracted as an interface so tests can inject a fake without spawning real
|
||
// agent processes, while keeping test scaffolding out of the production struct.
|
||
type taskRunner interface {
|
||
run(ctx context.Context, task Task, provider string, slot int, log *slog.Logger) (TaskResult, error)
|
||
}
|
||
|
||
// taskRunnerFunc adapts a plain function to the taskRunner interface.
|
||
type taskRunnerFunc func(context.Context, Task, string, int, *slog.Logger) (TaskResult, error)
|
||
|
||
func (f taskRunnerFunc) run(ctx context.Context, task Task, provider string, slot int, log *slog.Logger) (TaskResult, error) {
|
||
return f(ctx, task, provider, slot, log)
|
||
}
|
||
|
||
var (
|
||
isBrewInstall = cli.IsBrewInstall
|
||
getBrewPrefix = cli.GetBrewPrefix
|
||
matchKnownBrewPrefix = cli.MatchKnownBrewPrefix
|
||
|
||
// detectAgentVersion / checkAgentMinVersion are indirections over the
|
||
// real agent helpers so tests can run the registration path without
|
||
// shelling out to a real CLI. Mirrors the pattern used for the brew
|
||
// helpers above.
|
||
detectAgentVersion = agent.DetectVersion
|
||
checkAgentMinVersion = agent.CheckMinVersion
|
||
)
|
||
|
||
// workspaceState tracks registered runtimes for a single workspace.
|
||
//
|
||
// allowedRepoURLs covers the workspace-level repo bindings; it gets rebuilt on
|
||
// every refresh from the server. taskRepoURLs covers repos that the server
|
||
// surfaced through a per-task claim (project github_repo resources today,
|
||
// possibly other typed sources later) — those don't show up in
|
||
// GetWorkspaceRepos, so they would be wiped on refresh if we shared one map.
|
||
type workspaceState struct {
|
||
workspaceID string
|
||
runtimeIDs []string
|
||
reposVersion string // stored for future use: skip refresh when version unchanged
|
||
allowedRepoURLs map[string]struct{}
|
||
taskRepoURLs map[string]struct{}
|
||
settings json.RawMessage // workspace settings (JSONB)
|
||
lastRepoSyncErr string
|
||
repoRefreshMu sync.Mutex
|
||
}
|
||
|
||
type repoCacheBackend interface {
|
||
Lookup(workspaceID, url string) string
|
||
Sync(workspaceID string, repos []repocache.RepoInfo) error
|
||
CreateWorktree(params repocache.WorktreeParams) (*repocache.WorktreeResult, error)
|
||
}
|
||
|
||
// Daemon is the local agent runtime that polls for and executes tasks.
|
||
type Daemon struct {
|
||
cfg Config
|
||
client *Client
|
||
repoCache repoCacheBackend
|
||
logger *slog.Logger
|
||
|
||
mu sync.Mutex
|
||
workspaces map[string]*workspaceState
|
||
runtimeIndex map[string]Runtime // runtimeID -> Runtime for provider lookups
|
||
reloading sync.Mutex // prevents concurrent workspace syncs
|
||
runtimeSet *runtimeSetWatcher // multi-subscriber pub/sub for runtime-set changes
|
||
|
||
versionsMu sync.RWMutex // guards agentVersions
|
||
agentVersions map[string]string // provider -> detected CLI version (set during registration)
|
||
|
||
wsHBMu sync.RWMutex // guards wsHBLastAck
|
||
wsHBLastAck map[string]time.Time // runtime_id -> last successful WS heartbeat ack timestamp
|
||
|
||
// runtimeGoneMu guards runtimeGoneInflight, reregisterNextAttempt, and
|
||
// reregisterLastCompletedAt. The state lets heartbeat / poller / WS-ack
|
||
// handlers converge on a single recovery path when they each detect that a
|
||
// runtime row was deleted server-side without three of them stampeding
|
||
// registerRuntimesForWorkspace.
|
||
runtimeGoneMu sync.Mutex
|
||
runtimeGoneInflight map[string]struct{} // runtime_id -> currently recovering
|
||
reregisterNextAttempt map[string]time.Time // workspace_id -> earliest time the next re-register attempt may run
|
||
reregisterLastCompletedAt map[string]time.Time // workspace_id -> wall-clock at which the last SUCCESSFUL re-register call returned (failures intentionally not stamped — see recordRegisterCompletion)
|
||
|
||
cancelFunc context.CancelFunc // set by Run(); called by triggerRestart
|
||
rootCtx context.Context // set by Run(); used by long-running recoveries that must survive per-runtime ctx cancellation
|
||
restartBinary string // non-empty after a successful update; path to the new binary
|
||
updating atomic.Bool // prevents concurrent update attempts
|
||
activeTasks atomic.Int64 // number of tasks currently in handleTask; exposed via /health
|
||
|
||
// claimMu guards pauseClaims and claimsInFlight. It is held only for the
|
||
// microseconds it takes to make a decision; ClaimTask itself runs without
|
||
// the lock so a slow per-runtime claim cannot stall auto-update or any
|
||
// other poller.
|
||
//
|
||
// The pair is the auto-update path's barrier against the issue's
|
||
// requirement that "升级过程中如果有 task 进来,会延后升级而不是中断 task":
|
||
// runRuntimePoller refuses to call ClaimTask while pauseClaims is set, and
|
||
// tryAutoUpdate refuses to flip pauseClaims while any poller is mid-claim
|
||
// or any task is in handleTask. Together that closes the fetch-then-claim
|
||
// race where a new task slipping in during the release-metadata fetch
|
||
// would be cancelled by triggerRestart's root-ctx cancel.
|
||
claimMu sync.Mutex
|
||
pauseClaims bool // when true, runRuntimePoller skips ClaimTask
|
||
claimsInFlight int // pollers that have decided to claim but haven't yet handed the task off to handleTask
|
||
|
||
activeEnvRootsMu sync.Mutex
|
||
activeEnvRoots map[string]int // env root path -> reference count (handles reuse paths marked twice)
|
||
|
||
// localPathLocks serialises agent tasks whose project resource is a
|
||
// local_directory pinned to this daemon. Two tasks targeting the same
|
||
// on-disk path run sequentially; the second blocks on the lock and is
|
||
// surfaced via the server-side waiting_local_directory status while it
|
||
// waits. See MUL-2663.
|
||
localPathLocks *LocalPathLocker
|
||
|
||
// bgSyncs tracks background goroutines started by registerTaskRepos so
|
||
// callers (notably tests using t.TempDir-backed cache roots) can wait for
|
||
// them to drain before tearing the daemon down. Without this the bg
|
||
// goroutine can race against t.TempDir cleanup, leaving a partially
|
||
// deleted bare clone and an unrelated `not empty` cleanup failure.
|
||
bgSyncs sync.WaitGroup
|
||
|
||
runner taskRunner // executes agent tasks; set to d.runTask by New(), overridable in tests
|
||
cancelPollInterval time.Duration // how often handleTask polls for server-side cancellation; overridable in tests
|
||
// runUpdateFn executes the brew-or-download upgrade. Set to d.runUpdate by
|
||
// New() and overridable in tests so the auto-update poller can be exercised
|
||
// without touching the real network or the brew CLI.
|
||
runUpdateFn func(targetVersion string) (string, error)
|
||
}
|
||
|
||
// New creates a new Daemon instance.
|
||
func New(cfg Config, logger *slog.Logger) *Daemon {
|
||
cacheRoot := filepath.Join(cfg.WorkspacesRoot, ".repos")
|
||
client := NewClient(cfg.ServerBaseURL)
|
||
// Tag every daemon HTTP request with the daemon's CLI version so the
|
||
// server can split logs/metrics by client version (parallel to the CLI).
|
||
client.SetVersion(cfg.CLIVersion)
|
||
d := &Daemon{
|
||
cfg: cfg,
|
||
client: client,
|
||
repoCache: repocache.New(cacheRoot, logger),
|
||
logger: logger,
|
||
workspaces: make(map[string]*workspaceState),
|
||
runtimeIndex: make(map[string]Runtime),
|
||
runtimeSet: newRuntimeSetWatcher(),
|
||
agentVersions: make(map[string]string),
|
||
wsHBLastAck: make(map[string]time.Time),
|
||
activeEnvRoots: make(map[string]int),
|
||
localPathLocks: NewLocalPathLocker(),
|
||
runtimeGoneInflight: make(map[string]struct{}),
|
||
reregisterNextAttempt: make(map[string]time.Time),
|
||
reregisterLastCompletedAt: make(map[string]time.Time),
|
||
cancelPollInterval: 5 * time.Second,
|
||
}
|
||
d.runner = taskRunnerFunc(d.runTask)
|
||
d.runUpdateFn = d.runUpdate
|
||
return d
|
||
}
|
||
|
||
// setAgentVersion records the detected CLI version for an agent provider so
|
||
// later task-dispatch code (e.g. Codex sandbox policy) can read it.
|
||
func (d *Daemon) setAgentVersion(provider, version string) {
|
||
d.versionsMu.Lock()
|
||
defer d.versionsMu.Unlock()
|
||
d.agentVersions[provider] = version
|
||
}
|
||
|
||
// agentVersion returns the last-detected CLI version for an agent provider,
|
||
// or an empty string if unknown.
|
||
func (d *Daemon) agentVersion(provider string) string {
|
||
d.versionsMu.RLock()
|
||
defer d.versionsMu.RUnlock()
|
||
return d.agentVersions[provider]
|
||
}
|
||
|
||
func (d *Daemon) notifyRuntimeSetChanged() {
|
||
d.runtimeSet.notify()
|
||
}
|
||
|
||
// reregisterCoalesceWindow caps how often the daemon re-registers a workspace
|
||
// after detecting a runtime_not_found response. Many stale runtime IDs may be
|
||
// reported within seconds of each other (one delete clears all of a daemon's
|
||
// runtimes), and a single re-register call replaces every runtime in the
|
||
// workspace, so concurrent recoveries must collapse to one API call.
|
||
const reregisterCoalesceWindow = 30 * time.Second
|
||
|
||
// reregisterFailureBackoff is the additional wait inserted before the next
|
||
// re-register attempt when the previous one failed. This prevents heartbeat
|
||
// ticks (~15s) from converting a server-side log flood into a re-register
|
||
// flood when re-registration itself is failing (workspace removed, server
|
||
// unreachable, ...).
|
||
const reregisterFailureBackoff = 60 * time.Second
|
||
|
||
// handleRuntimeGone is the single recovery entry point shared by the HTTP
|
||
// heartbeat path, the runtime poller, and the WebSocket runtime_gone ack
|
||
// handler. All three may notice the same stale runtime within a few ms of
|
||
// each other, so this function:
|
||
//
|
||
// - keys an in-flight set on runtimeID to drop concurrent calls for the same
|
||
// ID after the first one is already cleaning up;
|
||
// - keys a per-workspace next-attempt timestamp on workspaceID so that
|
||
// concurrent recoveries triggered by the SAME initial event coalesce to a
|
||
// single registerRuntimesForWorkspace call. The slot is cleared on success
|
||
// so a later distinct runtime deletion in the same workspace can trigger
|
||
// its own recovery without waiting for the coalesce window to expire; and
|
||
// - keys a per-workspace last-completed timestamp so that a straggler whose
|
||
// removeStaleRuntime took long enough that a sibling fully ran AND cleared
|
||
// the slot can still recognize itself as same-wave and bail. Without this,
|
||
// the success-case slot clear opens a race where the late caller re-claims
|
||
// an empty slot and double-registers.
|
||
//
|
||
// On failure of the underlying re-register, the next-attempt timestamp is
|
||
// extended by reregisterFailureBackoff so we don't replace a server-side log
|
||
// flood with a daemon-side register flood. workspaceSyncLoop will retry
|
||
// independently every DefaultWorkspaceSyncInterval as a safety net.
|
||
//
|
||
// The recovery HTTP call uses the daemon root context, not the caller's. The
|
||
// heartbeat path's per-runtime ctx is cancelled by notifyRuntimeSetChanged the
|
||
// moment we prune the dead UUID, and if we forwarded that ctx the in-flight
|
||
// register would self-cancel mid-flight.
|
||
func (d *Daemon) handleRuntimeGone(runtimeID string) {
|
||
if runtimeID == "" {
|
||
return
|
||
}
|
||
|
||
// entryAt anchors the same-wave-straggler check at the bottom of the
|
||
// function. Captured at the very top so removeStaleRuntime mutex
|
||
// contention can't push it past a sibling's register completion.
|
||
entryAt := time.Now()
|
||
|
||
// Stampede control per runtime ID.
|
||
d.runtimeGoneMu.Lock()
|
||
if _, inflight := d.runtimeGoneInflight[runtimeID]; inflight {
|
||
d.runtimeGoneMu.Unlock()
|
||
return
|
||
}
|
||
d.runtimeGoneInflight[runtimeID] = struct{}{}
|
||
d.runtimeGoneMu.Unlock()
|
||
defer func() {
|
||
d.runtimeGoneMu.Lock()
|
||
delete(d.runtimeGoneInflight, runtimeID)
|
||
d.runtimeGoneMu.Unlock()
|
||
}()
|
||
|
||
workspaceID, removed := d.removeStaleRuntime(runtimeID)
|
||
if !removed {
|
||
// Already gone from local state — a parallel recovery already
|
||
// cleaned this up, or workspaceSyncLoop pruned the whole workspace.
|
||
return
|
||
}
|
||
|
||
d.logger.Info("runtime deleted server-side; pruned from local state",
|
||
"runtime_id", runtimeID, "workspace_id", workspaceID)
|
||
d.notifyRuntimeSetChanged()
|
||
|
||
if !d.tryClaimRegisterSlot(workspaceID, entryAt, time.Now()) {
|
||
d.logger.Debug("skip re-register: coalescing with recent attempt",
|
||
"workspace_id", workspaceID)
|
||
return
|
||
}
|
||
|
||
err := d.reregisterWorkspaceAfterRuntimeGone(d.recoveryContext(), workspaceID)
|
||
d.recordRegisterCompletion(workspaceID, time.Now(), err)
|
||
if err != nil {
|
||
// Logged at Warn (not Error) because workspaceSyncLoop retries
|
||
// independently every DefaultWorkspaceSyncInterval, so a transient
|
||
// failure here is not a stuck state — just an extra wait.
|
||
d.logger.Warn("re-register after runtime gone failed",
|
||
"workspace_id", workspaceID, "error", err)
|
||
}
|
||
}
|
||
|
||
// tryClaimRegisterSlot atomically decides whether the calling goroutine should
|
||
// run registerRuntimesForWorkspace. Returns true and claims the in-flight slot
|
||
// when the caller may proceed; returns false (without mutating state) when the
|
||
// call must be coalesced with a peer.
|
||
//
|
||
// Two gates are checked under runtimeGoneMu:
|
||
//
|
||
// 1. reregisterNextAttempt: a future timestamp means a peer holds the slot or
|
||
// a previous attempt failed and we are inside the failure backoff window.
|
||
// 2. reregisterLastCompletedAt: a timestamp at or after our entryAt means a
|
||
// peer's register SUCCEEDED after we entered handleRuntimeGone, so the
|
||
// workspace state is already covered for our wave and we can bail.
|
||
// Failures intentionally don't stamp this field (see
|
||
// recordRegisterCompletion), so a same-wave straggler whose entryAt
|
||
// predates a failed sibling can still retry once the failure backoff
|
||
// expires — failures don't cover anything.
|
||
//
|
||
// entryAt is the wall-clock captured at the top of handleRuntimeGone. now is
|
||
// passed in (rather than read inside) so tests can drive the gate
|
||
// deterministically without sleeping.
|
||
func (d *Daemon) tryClaimRegisterSlot(workspaceID string, entryAt, now time.Time) bool {
|
||
d.runtimeGoneMu.Lock()
|
||
defer d.runtimeGoneMu.Unlock()
|
||
if next, ok := d.reregisterNextAttempt[workspaceID]; ok && now.Before(next) {
|
||
return false
|
||
}
|
||
if last, ok := d.reregisterLastCompletedAt[workspaceID]; ok && !last.Before(entryAt) {
|
||
return false
|
||
}
|
||
d.reregisterNextAttempt[workspaceID] = now.Add(reregisterCoalesceWindow)
|
||
return true
|
||
}
|
||
|
||
// recordRegisterCompletion records the outcome of a register call. On success
|
||
// it stamps lastCompletedAt (which suppresses same-wave stragglers via
|
||
// tryClaimRegisterSlot) and clears the in-flight slot so a genuinely later
|
||
// runtime deletion can claim immediately. On failure it extends
|
||
// reregisterNextAttempt by the failure backoff and intentionally does NOT
|
||
// stamp lastCompletedAt — a failed register did not cover any workspace
|
||
// state, so a same-wave straggler whose entryAt predates the failure must
|
||
// still be allowed to retry once the backoff expires. workspaceSyncLoop only
|
||
// retries when the workspace's runtimeIDs fully drain, so partial-deletion
|
||
// recovery has to come from the straggler path.
|
||
func (d *Daemon) recordRegisterCompletion(workspaceID string, completedAt time.Time, err error) {
|
||
d.runtimeGoneMu.Lock()
|
||
defer d.runtimeGoneMu.Unlock()
|
||
if err != nil {
|
||
d.reregisterNextAttempt[workspaceID] = completedAt.Add(reregisterFailureBackoff)
|
||
return
|
||
}
|
||
d.reregisterLastCompletedAt[workspaceID] = completedAt
|
||
delete(d.reregisterNextAttempt, workspaceID)
|
||
}
|
||
|
||
// recoveryContext returns the daemon root context for long-running recovery
|
||
// HTTP calls (re-register, recover-orphans) that must survive the heartbeat
|
||
// loop tearing down a per-runtime context. Falls back to Background when the
|
||
// daemon was not started via Run(), e.g. unit-test fixtures.
|
||
func (d *Daemon) recoveryContext() context.Context {
|
||
if d.rootCtx != nil {
|
||
return d.rootCtx
|
||
}
|
||
return context.Background()
|
||
}
|
||
|
||
// removeStaleRuntime drops a runtime ID from its owning workspace's runtimeIDs
|
||
// list, the daemon-level runtimeIndex, and the WS heartbeat freshness map.
|
||
// Returns the workspace ID and true if the runtime was tracked, "" and false
|
||
// otherwise.
|
||
//
|
||
// Callers must NOT replace workspaceState pointers — only mutate fields in
|
||
// place — because ensureRepoReady holds workspaceState.repoRefreshMu through
|
||
// long repo-sync calls. See syncWorkspacesFromAPI for the same invariant.
|
||
func (d *Daemon) removeStaleRuntime(runtimeID string) (string, bool) {
|
||
d.mu.Lock()
|
||
var workspaceID string
|
||
for wsID, ws := range d.workspaces {
|
||
found := false
|
||
filtered := ws.runtimeIDs[:0:0]
|
||
for _, rid := range ws.runtimeIDs {
|
||
if rid == runtimeID {
|
||
found = true
|
||
continue
|
||
}
|
||
filtered = append(filtered, rid)
|
||
}
|
||
if found {
|
||
ws.runtimeIDs = filtered
|
||
workspaceID = wsID
|
||
break
|
||
}
|
||
}
|
||
if workspaceID == "" {
|
||
d.mu.Unlock()
|
||
return "", false
|
||
}
|
||
delete(d.runtimeIndex, runtimeID)
|
||
d.mu.Unlock()
|
||
|
||
d.wsHBMu.Lock()
|
||
delete(d.wsHBLastAck, runtimeID)
|
||
d.wsHBMu.Unlock()
|
||
|
||
return workspaceID, true
|
||
}
|
||
|
||
// workspaceNeedsRuntimeRecovery reports whether a tracked workspace currently
|
||
// has zero runtime IDs — the state reached when handleRuntimeGone pruned every
|
||
// runtime and its inline re-register failed. workspaceSyncLoop calls this on
|
||
// each tick so the workspace can recover without waiting for an external
|
||
// trigger.
|
||
func (d *Daemon) workspaceNeedsRuntimeRecovery(workspaceID string) bool {
|
||
d.mu.Lock()
|
||
defer d.mu.Unlock()
|
||
ws, ok := d.workspaces[workspaceID]
|
||
if !ok {
|
||
return false
|
||
}
|
||
return len(ws.runtimeIDs) == 0
|
||
}
|
||
|
||
// reregisterWorkspaceAfterRuntimeGone calls registerRuntimesForWorkspace and
|
||
// updates the existing workspaceState in place. The register response is
|
||
// authoritative for this workspace's runtime set — every configured provider
|
||
// is included, with UpsertAgentRuntime returning the same row ID for surviving
|
||
// providers and a fresh ID for any that were deleted server-side. Replacing
|
||
// (rather than appending) is required: a partial recovery, where only one
|
||
// runtime in a multi-provider workspace was deleted, would otherwise produce
|
||
// duplicates for every provider that wasn't deleted.
|
||
//
|
||
// The workspaceState pointer is NEVER replaced (see syncWorkspacesFromAPI's
|
||
// invariant about repoRefreshMu). Only fields are mutated.
|
||
func (d *Daemon) reregisterWorkspaceAfterRuntimeGone(ctx context.Context, workspaceID string) error {
|
||
resp, err := d.registerRuntimesForWorkspace(ctx, workspaceID)
|
||
if err != nil {
|
||
return fmt.Errorf("register runtimes: %w", err)
|
||
}
|
||
|
||
newIDs := make([]string, 0, len(resp.Runtimes))
|
||
newIDSet := make(map[string]struct{}, len(resp.Runtimes))
|
||
for _, rt := range resp.Runtimes {
|
||
newIDs = append(newIDs, rt.ID)
|
||
newIDSet[rt.ID] = struct{}{}
|
||
}
|
||
|
||
d.mu.Lock()
|
||
ws, ok := d.workspaces[workspaceID]
|
||
if !ok {
|
||
d.mu.Unlock()
|
||
return fmt.Errorf("workspace %s no longer tracked", workspaceID)
|
||
}
|
||
// Drop runtimeIndex entries for prior runtime IDs that the server did not
|
||
// return — typically there are none for upsert-on-existing-provider, but
|
||
// a daemon config change (provider removed) would leak entries otherwise.
|
||
for _, oldID := range ws.runtimeIDs {
|
||
if _, kept := newIDSet[oldID]; !kept {
|
||
delete(d.runtimeIndex, oldID)
|
||
}
|
||
}
|
||
for _, rt := range resp.Runtimes {
|
||
d.runtimeIndex[rt.ID] = rt
|
||
}
|
||
// Response is authoritative — replace, do not append. Replacing also
|
||
// catches the rare case where UpsertAgentRuntime returns a different ID
|
||
// for a surviving provider (e.g. schema change); the daemon converges on
|
||
// what the server says without leaving stale heartbeat goroutines.
|
||
ws.runtimeIDs = newIDs
|
||
if resp.ReposVersion != "" {
|
||
ws.reposVersion = resp.ReposVersion
|
||
ws.allowedRepoURLs = repoAllowlist(resp.Repos)
|
||
}
|
||
if len(resp.Settings) > 0 {
|
||
ws.settings = resp.Settings
|
||
}
|
||
d.mu.Unlock()
|
||
|
||
for _, rid := range newIDs {
|
||
d.logger.Info("re-registered runtime after server-side deletion",
|
||
"workspace_id", workspaceID, "runtime_id", rid)
|
||
}
|
||
d.notifyRuntimeSetChanged()
|
||
|
||
// Tell the server about any tasks the previous (now-deleted) runtime
|
||
// was working on, mirroring the registration path's recover-orphans call.
|
||
for _, rid := range newIDs {
|
||
if err := d.client.RecoverOrphans(ctx, rid); err != nil {
|
||
d.logger.Warn("recover-orphans after re-register failed",
|
||
"runtime_id", rid, "error", err)
|
||
}
|
||
}
|
||
return nil
|
||
}
|
||
|
||
// runtimeSetWatcher is a tiny pub/sub for runtime-set changes. It exists
|
||
// because more than one supervisor (taskWakeupLoop, heartbeatLoop, pollLoop)
|
||
// needs to react to runtime-set changes; a single buffered channel would
|
||
// race so only the first listener would learn about each change.
|
||
//
|
||
// Each subscriber gets a 1-slot channel; missed nudges coalesce into a
|
||
// single signal — the subscriber is expected to re-derive the current
|
||
// runtime set via allRuntimeIDs() rather than relying on edge counts.
|
||
type runtimeSetWatcher struct {
|
||
mu sync.Mutex
|
||
subscribers map[chan struct{}]struct{}
|
||
}
|
||
|
||
func newRuntimeSetWatcher() *runtimeSetWatcher {
|
||
return &runtimeSetWatcher{subscribers: make(map[chan struct{}]struct{})}
|
||
}
|
||
|
||
// Subscribe returns a channel that receives a non-blocking nudge whenever
|
||
// the runtime set changes, and an unsubscribe func the caller must invoke
|
||
// when done.
|
||
func (w *runtimeSetWatcher) Subscribe() (<-chan struct{}, func()) {
|
||
ch := make(chan struct{}, 1)
|
||
w.mu.Lock()
|
||
w.subscribers[ch] = struct{}{}
|
||
w.mu.Unlock()
|
||
return ch, func() {
|
||
w.mu.Lock()
|
||
delete(w.subscribers, ch)
|
||
w.mu.Unlock()
|
||
}
|
||
}
|
||
|
||
func (w *runtimeSetWatcher) notify() {
|
||
w.mu.Lock()
|
||
defer w.mu.Unlock()
|
||
for ch := range w.subscribers {
|
||
select {
|
||
case ch <- struct{}{}:
|
||
default:
|
||
}
|
||
}
|
||
}
|
||
|
||
// wsHeartbeatFreshness defines how long a WS heartbeat ack is considered
|
||
// "fresh enough" to suppress the HTTP heartbeat for that runtime. The window
|
||
// is 2× HeartbeatInterval so a single dropped WS ack still keeps HTTP
|
||
// suppressed, but two missed acks (~30s of WS silence) re-enable HTTP — well
|
||
// inside the server-side 45s offline threshold.
|
||
func (d *Daemon) wsHeartbeatFreshness() time.Duration {
|
||
if d.cfg.HeartbeatInterval <= 0 {
|
||
return 30 * time.Second
|
||
}
|
||
return 2 * d.cfg.HeartbeatInterval
|
||
}
|
||
|
||
// recordWSHeartbeatAck stamps the runtime as having received a fresh WS
|
||
// heartbeat ack from the server. Called by the WS read pump.
|
||
func (d *Daemon) recordWSHeartbeatAck(runtimeID string) {
|
||
if runtimeID == "" {
|
||
return
|
||
}
|
||
d.wsHBMu.Lock()
|
||
d.wsHBLastAck[runtimeID] = time.Now()
|
||
d.wsHBMu.Unlock()
|
||
}
|
||
|
||
// wsHeartbeatRecentlyAcked reports whether the runtime received a WS
|
||
// heartbeat ack inside the freshness window. The HTTP heartbeat loop uses
|
||
// this to skip duplicate work when WS is already keeping the runtime alive.
|
||
func (d *Daemon) wsHeartbeatRecentlyAcked(runtimeID string) bool {
|
||
d.wsHBMu.RLock()
|
||
last, ok := d.wsHBLastAck[runtimeID]
|
||
d.wsHBMu.RUnlock()
|
||
if !ok {
|
||
return false
|
||
}
|
||
return time.Since(last) < d.wsHeartbeatFreshness()
|
||
}
|
||
|
||
// clearWSHeartbeatAcks drops all WS heartbeat freshness records. Called on
|
||
// WS disconnect so HTTP heartbeats resume on the next tick.
|
||
func (d *Daemon) clearWSHeartbeatAcks() {
|
||
d.wsHBMu.Lock()
|
||
for k := range d.wsHBLastAck {
|
||
delete(d.wsHBLastAck, k)
|
||
}
|
||
d.wsHBMu.Unlock()
|
||
}
|
||
|
||
// Run starts the daemon: resolves auth, registers runtimes, then polls for tasks.
|
||
func (d *Daemon) Run(ctx context.Context) error {
|
||
// Wrap context so handleUpdate can cancel the daemon for restart.
|
||
ctx, cancel := context.WithCancel(ctx)
|
||
d.cancelFunc = cancel
|
||
d.rootCtx = ctx
|
||
|
||
// Bind health port early to detect another running daemon.
|
||
healthLn, err := d.listenHealth()
|
||
if err != nil {
|
||
return err
|
||
}
|
||
|
||
agentNames := make([]string, 0, len(d.cfg.Agents))
|
||
for name := range d.cfg.Agents {
|
||
agentNames = append(agentNames, name)
|
||
}
|
||
logFields := []any{"version", d.cfg.CLIVersion, "agents", agentNames, "server", d.cfg.ServerBaseURL}
|
||
if d.cfg.Profile != "" {
|
||
logFields = append(logFields, "profile", d.cfg.Profile)
|
||
}
|
||
d.logger.Info("starting daemon", logFields...)
|
||
d.logger.Debug("daemon config resolved",
|
||
"daemon_id", d.cfg.DaemonID,
|
||
"device_name", d.cfg.DeviceName,
|
||
"workspaces_root", d.cfg.WorkspacesRoot,
|
||
"health_port", d.cfg.HealthPort,
|
||
"poll_interval", d.cfg.PollInterval,
|
||
"heartbeat_interval", d.cfg.HeartbeatInterval,
|
||
"agent_timeout", d.cfg.AgentTimeout,
|
||
"idle_watchdog", d.cfg.AgentIdleWatchdog,
|
||
"max_concurrent_tasks", d.cfg.MaxConcurrentTasks,
|
||
"gc_enabled", d.cfg.GCEnabled,
|
||
"auto_update", d.cfg.AutoUpdateEnabled,
|
||
"launched_by", d.cfg.LaunchedBy,
|
||
)
|
||
|
||
// Load auth token from CLI config.
|
||
if err := d.resolveAuth(); err != nil {
|
||
return err
|
||
}
|
||
|
||
// Renew the PAT before the first API call, then do the initial
|
||
// workspace sync. Both steps live in preflightAuth so the ordering
|
||
// invariant (renew first) is enforced at one site instead of
|
||
// scattered into Run, and tests can exercise the failure paths
|
||
// without the full Run setup.
|
||
if err := d.preflightAuth(ctx); err != nil {
|
||
return err
|
||
}
|
||
|
||
// Deregister runtimes on shutdown (uses a fresh context since ctx will be cancelled).
|
||
defer d.deregisterRuntimes()
|
||
|
||
// Start workspace sync loop to discover newly created workspaces.
|
||
go d.workspaceSyncLoop(ctx)
|
||
|
||
taskWakeups := make(chan struct{}, 1)
|
||
go d.taskWakeupLoop(ctx, taskWakeups)
|
||
go d.heartbeatLoop(ctx)
|
||
go d.gcLoop(ctx)
|
||
go d.autoUpdateLoop(ctx)
|
||
go d.tokenRenewalLoop(ctx)
|
||
go d.serveHealth(ctx, healthLn, time.Now())
|
||
d.logger.Debug("background loops launched (workspace-sync, task-wakeup, heartbeat, gc, auto-update, token-renewal, health)")
|
||
err = d.pollLoop(ctx, taskWakeups)
|
||
d.logger.Debug("daemon main loop returning", "error", err)
|
||
return err
|
||
}
|
||
|
||
// RestartBinary returns the path to the new binary if the daemon needs to restart
|
||
// after a successful update, or empty string if no restart is needed.
|
||
func (d *Daemon) RestartBinary() string {
|
||
return d.restartBinary
|
||
}
|
||
|
||
// deregisterRuntimes notifies the server that all runtimes are going offline.
|
||
func (d *Daemon) deregisterRuntimes() {
|
||
runtimeIDs := d.allRuntimeIDs()
|
||
if len(runtimeIDs) == 0 {
|
||
d.logger.Debug("deregister: no runtimes to deregister")
|
||
return
|
||
}
|
||
|
||
d.logger.Debug("deregistering runtimes on shutdown", "count", len(runtimeIDs), "runtime_ids", runtimeIDs)
|
||
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
||
defer cancel()
|
||
|
||
if err := d.client.Deregister(ctx, runtimeIDs); err != nil {
|
||
d.logger.Warn("failed to deregister runtimes on shutdown", "error", err)
|
||
} else {
|
||
d.logger.Info("deregistered runtimes", "count", len(runtimeIDs))
|
||
}
|
||
}
|
||
|
||
// resolveAuth loads the auth token from the CLI config for the active profile.
|
||
func (d *Daemon) resolveAuth() error {
|
||
cfg, err := cli.LoadCLIConfigForProfile(d.cfg.Profile)
|
||
if err != nil {
|
||
return fmt.Errorf("load CLI config: %w", err)
|
||
}
|
||
if cfg.Token == "" {
|
||
loginHint := "'multica login'"
|
||
if d.cfg.Profile != "" {
|
||
loginHint = fmt.Sprintf("'multica login --profile %s'", d.cfg.Profile)
|
||
}
|
||
d.logger.Warn("not authenticated — run " + loginHint + " to authenticate, then restart the daemon")
|
||
return fmt.Errorf("not authenticated: run %s first", loginHint)
|
||
}
|
||
d.client.SetToken(cfg.Token)
|
||
d.logger.Info("authenticated")
|
||
d.logger.Debug("auth token loaded", "profile", d.cfg.Profile, "token_len", len(cfg.Token))
|
||
return nil
|
||
}
|
||
|
||
// allRuntimeIDs returns all runtime IDs across all watched workspaces.
|
||
func (d *Daemon) allRuntimeIDs() []string {
|
||
d.mu.Lock()
|
||
defer d.mu.Unlock()
|
||
var ids []string
|
||
for _, ws := range d.workspaces {
|
||
ids = append(ids, ws.runtimeIDs...)
|
||
}
|
||
return ids
|
||
}
|
||
|
||
// findRuntime looks up a Runtime by its ID.
|
||
func (d *Daemon) findRuntime(id string) *Runtime {
|
||
d.mu.Lock()
|
||
defer d.mu.Unlock()
|
||
if rt, ok := d.runtimeIndex[id]; ok {
|
||
return &rt
|
||
}
|
||
return nil
|
||
}
|
||
|
||
func (d *Daemon) registerRuntimesForWorkspace(ctx context.Context, workspaceID string) (*RegisterResponse, error) {
|
||
d.logger.Debug("registering runtimes for workspace", "workspace_id", workspaceID, "agent_count", len(d.cfg.Agents))
|
||
var runtimes []map[string]string
|
||
for name, entry := range d.cfg.Agents {
|
||
version, err := detectAgentVersion(ctx, entry.Path)
|
||
if err != nil {
|
||
d.logger.Warn("skip registering runtime", "name", name, "error", err)
|
||
continue
|
||
}
|
||
if err := checkAgentMinVersion(name, version); err != nil {
|
||
d.logger.Warn("skip registering runtime: version too old", "name", name, "version", version, "error", err)
|
||
continue
|
||
}
|
||
d.setAgentVersion(name, version)
|
||
d.logger.Debug("agent version detected", "name", name, "version", version, "path", entry.Path)
|
||
displayName := strings.ToUpper(name[:1]) + name[1:]
|
||
if d.cfg.DeviceName != "" {
|
||
displayName = fmt.Sprintf("%s (%s)", displayName, d.cfg.DeviceName)
|
||
}
|
||
runtimes = append(runtimes, map[string]string{
|
||
"name": displayName,
|
||
"type": name,
|
||
"version": version,
|
||
"status": "online",
|
||
})
|
||
}
|
||
if len(runtimes) == 0 {
|
||
return nil, fmt.Errorf("no agent runtimes could be registered")
|
||
}
|
||
|
||
req := map[string]any{
|
||
"workspace_id": workspaceID,
|
||
"daemon_id": d.cfg.DaemonID,
|
||
"legacy_daemon_ids": d.cfg.LegacyDaemonIDs,
|
||
"device_name": d.cfg.DeviceName,
|
||
"cli_version": d.cfg.CLIVersion,
|
||
"launched_by": d.cfg.LaunchedBy,
|
||
"runtimes": runtimes,
|
||
}
|
||
|
||
resp, err := d.client.Register(ctx, req)
|
||
if err != nil {
|
||
return nil, fmt.Errorf("register runtimes: %w", err)
|
||
}
|
||
if len(resp.Runtimes) == 0 {
|
||
return nil, fmt.Errorf("register runtimes: empty response")
|
||
}
|
||
d.logger.Debug("register response", "workspace_id", workspaceID, "runtimes", len(resp.Runtimes), "repos", len(resp.Repos), "repos_version", resp.ReposVersion)
|
||
return resp, nil
|
||
}
|
||
|
||
func newWorkspaceState(workspaceID string, runtimeIDs []string, reposVersion string, repos []RepoData, settings json.RawMessage) *workspaceState {
|
||
return &workspaceState{
|
||
workspaceID: workspaceID,
|
||
runtimeIDs: runtimeIDs,
|
||
reposVersion: reposVersion,
|
||
allowedRepoURLs: repoAllowlist(repos),
|
||
settings: settings,
|
||
}
|
||
}
|
||
|
||
func repoAllowlist(repos []RepoData) map[string]struct{} {
|
||
allowed := make(map[string]struct{}, len(repos))
|
||
for _, repo := range repos {
|
||
if repo.URL == "" {
|
||
continue
|
||
}
|
||
allowed[repo.URL] = struct{}{}
|
||
}
|
||
return allowed
|
||
}
|
||
|
||
func (d *Daemon) setWorkspaceRepoSyncError(workspaceID, syncErr string) {
|
||
d.mu.Lock()
|
||
defer d.mu.Unlock()
|
||
if ws, ok := d.workspaces[workspaceID]; ok {
|
||
ws.lastRepoSyncErr = syncErr
|
||
}
|
||
}
|
||
|
||
func (d *Daemon) workspaceRepoAllowed(workspaceID, repoURL string) bool {
|
||
d.mu.Lock()
|
||
defer d.mu.Unlock()
|
||
ws, ok := d.workspaces[workspaceID]
|
||
if !ok {
|
||
return false
|
||
}
|
||
if _, allowed := ws.allowedRepoURLs[repoURL]; allowed {
|
||
return true
|
||
}
|
||
if _, allowed := ws.taskRepoURLs[repoURL]; allowed {
|
||
return true
|
||
}
|
||
return false
|
||
}
|
||
|
||
func (d *Daemon) workspaceLastRepoSyncErr(workspaceID string) string {
|
||
d.mu.Lock()
|
||
defer d.mu.Unlock()
|
||
ws, ok := d.workspaces[workspaceID]
|
||
if !ok {
|
||
return ""
|
||
}
|
||
return ws.lastRepoSyncErr
|
||
}
|
||
|
||
// workspaceCoAuthoredByEnabled returns whether the Co-authored-by hook should
|
||
// be installed for the given workspace. Defaults to true when either setting
|
||
// is absent (new workspaces, older servers that don't send settings).
|
||
//
|
||
// The hook is gated by BOTH the GitHub master switch (`github_enabled`) and
|
||
// the dedicated co-author switch (`co_authored_by_enabled`) so flipping the
|
||
// workspace's master GitHub toggle off also stops new trailers from landing
|
||
// in commits, matching the contract documented in RFC MUL-2414 §4.8.
|
||
func (d *Daemon) workspaceCoAuthoredByEnabled(workspaceID string) bool {
|
||
d.mu.Lock()
|
||
defer d.mu.Unlock()
|
||
ws, ok := d.workspaces[workspaceID]
|
||
if !ok || len(ws.settings) == 0 {
|
||
return true // default: enabled
|
||
}
|
||
var s struct {
|
||
GitHubEnabled *bool `json:"github_enabled"`
|
||
CoAuthoredByEnabled *bool `json:"co_authored_by_enabled"`
|
||
}
|
||
if err := json.Unmarshal(ws.settings, &s); err != nil {
|
||
return true // default: enabled when payload is malformed
|
||
}
|
||
if s.GitHubEnabled != nil && !*s.GitHubEnabled {
|
||
return false
|
||
}
|
||
if s.CoAuthoredByEnabled == nil {
|
||
return true // default: enabled
|
||
}
|
||
return *s.CoAuthoredByEnabled
|
||
}
|
||
|
||
// registerTaskRepos merges task-scoped repos (e.g. project github_repo
|
||
// resources lifted into resp.Repos by the claim handler) into the workspace's
|
||
// allowlist and kicks off a cache sync for any URLs that aren't yet cached.
|
||
//
|
||
// It's safe to call with the workspace's own repos — duplicates are
|
||
// idempotent. Called from runTask before the agent spawns so
|
||
// `multica repo checkout` accepts project-only URLs without an extra round
|
||
// trip back to GetWorkspaceRepos (which doesn't carry project resources).
|
||
func (d *Daemon) registerTaskRepos(workspaceID string, repos []RepoData) {
|
||
if len(repos) == 0 {
|
||
return
|
||
}
|
||
|
||
type repoCandidate struct {
|
||
url string
|
||
tracked bool
|
||
}
|
||
|
||
d.mu.Lock()
|
||
ws, ok := d.workspaces[workspaceID]
|
||
if !ok {
|
||
d.mu.Unlock()
|
||
return
|
||
}
|
||
if ws.taskRepoURLs == nil {
|
||
ws.taskRepoURLs = make(map[string]struct{}, len(repos))
|
||
}
|
||
candidates := make([]repoCandidate, 0, len(repos))
|
||
for _, repo := range repos {
|
||
url := strings.TrimSpace(repo.URL)
|
||
if url == "" {
|
||
continue
|
||
}
|
||
// Don't re-sync if the URL is already tracked (workspace or task-scoped)
|
||
// AND the cache already has it.
|
||
_, inWorkspace := ws.allowedRepoURLs[url]
|
||
_, inTask := ws.taskRepoURLs[url]
|
||
ws.taskRepoURLs[url] = struct{}{}
|
||
candidates = append(candidates, repoCandidate{
|
||
url: url,
|
||
tracked: inWorkspace || inTask,
|
||
})
|
||
}
|
||
d.mu.Unlock()
|
||
|
||
toSync := make([]RepoData, 0, len(candidates))
|
||
for _, candidate := range candidates {
|
||
if candidate.tracked && d.repoCache != nil && d.repoCache.Lookup(workspaceID, candidate.url) != "" {
|
||
continue
|
||
}
|
||
toSync = append(toSync, RepoData{URL: candidate.url})
|
||
}
|
||
|
||
if d.repoCache != nil && len(toSync) > 0 {
|
||
// Sync in the background — same shape used at workspace registration.
|
||
// `ensureRepoReady` reports a meaningful error if the cache isn't ready
|
||
// yet, so the agent's first checkout will surface a sync failure
|
||
// without silently treating it as a config bug.
|
||
d.bgSyncs.Add(1)
|
||
go func() {
|
||
defer d.bgSyncs.Done()
|
||
d.syncWorkspaceRepos(workspaceID, toSync)
|
||
}()
|
||
}
|
||
}
|
||
|
||
// waitBackgroundSyncs blocks until every background sync started by
|
||
// registerTaskRepos has finished. Intended for test teardown: tests that
|
||
// hand the daemon a t.TempDir-backed repo cache must call this before
|
||
// returning, otherwise an in-flight clone/fetch can race against TempDir
|
||
// cleanup and surface as an unrelated "directory not empty" failure.
|
||
func (d *Daemon) waitBackgroundSyncs() {
|
||
d.bgSyncs.Wait()
|
||
}
|
||
|
||
func (d *Daemon) syncWorkspaceRepos(workspaceID string, repos []RepoData) {
|
||
if d.repoCache == nil {
|
||
return
|
||
}
|
||
if err := d.repoCache.Sync(workspaceID, repoDataToInfo(repos)); err != nil {
|
||
d.setWorkspaceRepoSyncError(workspaceID, err.Error())
|
||
d.logger.Warn("repo cache sync failed", "workspace_id", workspaceID, "error", err)
|
||
return
|
||
}
|
||
d.setWorkspaceRepoSyncError(workspaceID, "")
|
||
}
|
||
|
||
func (d *Daemon) refreshWorkspaceRepos(ctx context.Context, workspaceID string) (*WorkspaceReposResponse, error) {
|
||
refreshCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
|
||
defer cancel()
|
||
|
||
resp, err := d.client.GetWorkspaceRepos(refreshCtx, workspaceID)
|
||
if err != nil {
|
||
return nil, err
|
||
}
|
||
|
||
d.mu.Lock()
|
||
if ws, ok := d.workspaces[workspaceID]; ok {
|
||
ws.reposVersion = resp.ReposVersion
|
||
ws.allowedRepoURLs = repoAllowlist(resp.Repos)
|
||
// Keep the cached settings in sync with the server. The daemon's
|
||
// feature gates (e.g. workspaceCoAuthoredByEnabled) read directly from
|
||
// this field, so toggling a Setting in the web UI must update it here
|
||
// without requiring a daemon restart. An empty payload from the server
|
||
// clears the override and falls back to defaults.
|
||
ws.settings = resp.Settings
|
||
}
|
||
d.mu.Unlock()
|
||
|
||
return resp, nil
|
||
}
|
||
|
||
func (d *Daemon) ensureRepoReady(ctx context.Context, workspaceID, repoURL string) error {
|
||
if d.repoCache == nil {
|
||
return fmt.Errorf("repo cache not initialized")
|
||
}
|
||
|
||
repoURL = strings.TrimSpace(repoURL)
|
||
|
||
d.mu.Lock()
|
||
ws, ok := d.workspaces[workspaceID]
|
||
d.mu.Unlock()
|
||
if !ok {
|
||
return fmt.Errorf("workspace is not watched by this daemon: %s", workspaceID)
|
||
}
|
||
|
||
// Record whether the cache already had this repo before we took the
|
||
// per-workspace mutex. The two states behave differently below:
|
||
//
|
||
// - cacheHitOnEntry=true: the repo is already cloned; we still must
|
||
// refresh `workspaceState.settings` because the /repo/checkout
|
||
// handler reads workspaceCoAuthoredByEnabled right after this and
|
||
// the 30s workspaceSyncLoop tick is too slow for a freshly-flipped
|
||
// GitHub master switch / `co_authored_by_enabled` toggle to feel
|
||
// live (RFC MUL-2414 §4.8; PR #2847 review by Emacs).
|
||
//
|
||
// - cacheHitOnEntry=false but cache hit *after* we acquire the mutex:
|
||
// a sibling goroutine on a concurrent cold-miss already refreshed
|
||
// and populated the cache. We can skip the duplicate refresh — the
|
||
// sibling's refresh is fresh enough for our gate read.
|
||
cacheHitOnEntry := d.workspaceRepoAllowed(workspaceID, repoURL) && d.repoCache.Lookup(workspaceID, repoURL) != ""
|
||
|
||
ws.repoRefreshMu.Lock()
|
||
defer ws.repoRefreshMu.Unlock()
|
||
|
||
if !cacheHitOnEntry && d.workspaceRepoAllowed(workspaceID, repoURL) && d.repoCache.Lookup(workspaceID, repoURL) != "" {
|
||
return nil
|
||
}
|
||
|
||
resp, err := d.refreshWorkspaceRepos(ctx, workspaceID)
|
||
if err != nil {
|
||
return fmt.Errorf("refresh workspace repos: %w", err)
|
||
}
|
||
|
||
if !d.workspaceRepoAllowed(workspaceID, repoURL) {
|
||
return ErrRepoNotConfigured
|
||
}
|
||
|
||
if d.repoCache.Lookup(workspaceID, repoURL) != "" {
|
||
return nil
|
||
}
|
||
|
||
d.syncWorkspaceRepos(workspaceID, resp.Repos)
|
||
|
||
if d.repoCache.Lookup(workspaceID, repoURL) != "" {
|
||
return nil
|
||
}
|
||
|
||
if syncErr := d.workspaceLastRepoSyncErr(workspaceID); syncErr != "" {
|
||
return fmt.Errorf("repo is configured but not synced: %s", syncErr)
|
||
}
|
||
|
||
return fmt.Errorf("repo is configured but not synced")
|
||
}
|
||
|
||
// DefaultTokenRenewalInterval is how often the daemon asks the server to
|
||
// extend its PAT. The server-side threshold is 7 days of remaining lifetime;
|
||
// polling every ~3 days gives at least two chances to renew before the
|
||
// window closes, so a single failed call (network blip, server restart) does
|
||
// not push the token out of the renewal window.
|
||
const DefaultTokenRenewalInterval = 3 * 24 * time.Hour
|
||
|
||
// preflightAuth runs the two auth-sensitive startup steps in their
|
||
// required order: a synchronous PAT renewal first, then the initial
|
||
// workspace sync. The order matters — running tryRenewToken before any
|
||
// other API call is what surfaces a user-actionable "run multica login"
|
||
// WARN when the PAT is already revoked or expired. If we let the
|
||
// workspace sync go first, its 401 would short-circuit Run before the
|
||
// renewal loop's first tick ever fires, and the operator would see only
|
||
// a generic auth failure in the workspace-sync log with no hint that
|
||
// re-login is the fix.
|
||
//
|
||
// The renewal is best-effort: tryRenewToken logs and returns, never
|
||
// propagating errors. preflightAuth's exit status is driven entirely by
|
||
// the workspace sync — so a transient renewal failure (network blip,
|
||
// 500) does not by itself block startup. A successful sync with zero
|
||
// workspaces is fine: a newly-signed-up user may start the daemon
|
||
// before creating their first workspace, and workspaceSyncLoop will
|
||
// register runtimes once one appears.
|
||
func (d *Daemon) preflightAuth(ctx context.Context) error {
|
||
d.tryRenewToken(ctx)
|
||
return d.syncWorkspacesFromAPI(ctx)
|
||
}
|
||
|
||
// tokenRenewalLoop keeps the daemon's PAT alive by periodically asking the
|
||
// server to extend its expires_at in-place. The startup renewal happens
|
||
// synchronously in preflightAuth so a daemon coming back online after a
|
||
// week of downtime gets a fresh expiry before its next heartbeat could
|
||
// 401; this loop owns the long-running ~3-day cadence after that.
|
||
//
|
||
// The server is authoritative on the renewal threshold (it sees expires_at;
|
||
// we don't), so this loop is intentionally dumb: call, log, sleep, repeat.
|
||
// On 401 we surface a clear "re-login required" warning because the daemon
|
||
// has no way to recover automatically — but we keep the loop running so the
|
||
// user sees the same warning on every cycle until they fix it, rather than
|
||
// silently exiting and forcing them to read scrollback to find the cause.
|
||
func (d *Daemon) tokenRenewalLoop(ctx context.Context) {
|
||
ticker := time.NewTicker(DefaultTokenRenewalInterval)
|
||
defer ticker.Stop()
|
||
|
||
for {
|
||
select {
|
||
case <-ctx.Done():
|
||
return
|
||
case <-ticker.C:
|
||
d.tryRenewToken(ctx)
|
||
}
|
||
}
|
||
}
|
||
|
||
// tryRenewToken performs one renewal round-trip with a short, isolated
|
||
// timeout. Errors are logged but never propagated — there is no caller to
|
||
// handle them. Failures are debug-level except for 401, which gets a
|
||
// user-actionable warning.
|
||
func (d *Daemon) tryRenewToken(ctx context.Context) {
|
||
reqCtx, cancel := context.WithTimeout(ctx, 15*time.Second)
|
||
defer cancel()
|
||
|
||
resp, err := d.client.RenewToken(reqCtx)
|
||
if err != nil {
|
||
if isUnauthorizedError(err) {
|
||
loginHint := "'multica login'"
|
||
if d.cfg.Profile != "" {
|
||
loginHint = fmt.Sprintf("'multica login --profile %s'", d.cfg.Profile)
|
||
}
|
||
d.logger.Warn("auth token rejected by server — run "+loginHint+" to re-authenticate, then restart the daemon", "error", err)
|
||
return
|
||
}
|
||
d.logger.Debug("token renewal failed; will retry on next cycle", "error", err)
|
||
return
|
||
}
|
||
if resp.Renewed {
|
||
d.logger.Info("auth token renewed", "expires_at", resp.ExpiresAt)
|
||
} else {
|
||
d.logger.Debug("auth token not yet eligible for renewal", "expires_at", resp.ExpiresAt)
|
||
}
|
||
}
|
||
|
||
// workspaceSyncLoop periodically fetches the user's workspaces from the API
|
||
// and registers runtimes for any new ones.
|
||
func (d *Daemon) workspaceSyncLoop(ctx context.Context) {
|
||
ticker := time.NewTicker(DefaultWorkspaceSyncInterval)
|
||
defer ticker.Stop()
|
||
|
||
for {
|
||
select {
|
||
case <-ctx.Done():
|
||
return
|
||
case <-ticker.C:
|
||
if err := d.syncWorkspacesFromAPI(ctx); err != nil {
|
||
d.logger.Debug("workspace sync failed", "error", err)
|
||
}
|
||
}
|
||
}
|
||
}
|
||
|
||
// syncWorkspacesFromAPI fetches all workspaces the user belongs to and
|
||
// registers runtimes for any that aren't already tracked. Workspaces the user
|
||
// has left are cleaned up.
|
||
func (d *Daemon) syncWorkspacesFromAPI(ctx context.Context) error {
|
||
d.reloading.Lock()
|
||
defer d.reloading.Unlock()
|
||
|
||
apiCtx, cancel := context.WithTimeout(ctx, 15*time.Second)
|
||
defer cancel()
|
||
|
||
workspaces, err := d.client.ListWorkspaces(apiCtx)
|
||
if err != nil {
|
||
return fmt.Errorf("list workspaces: %w", err)
|
||
}
|
||
d.logger.Debug("workspace sync: fetched workspaces", "count", len(workspaces))
|
||
|
||
apiIDs := make(map[string]string, len(workspaces)) // id -> name
|
||
for _, ws := range workspaces {
|
||
apiIDs[ws.ID] = ws.Name
|
||
}
|
||
|
||
d.mu.Lock()
|
||
currentIDs := make(map[string]bool, len(d.workspaces))
|
||
for id := range d.workspaces {
|
||
currentIDs[id] = true
|
||
}
|
||
d.mu.Unlock()
|
||
|
||
var registered int
|
||
var removed int
|
||
for id, name := range apiIDs {
|
||
if currentIDs[id] {
|
||
// Already tracked: refresh the cached workspace settings so
|
||
// feature toggles flipped in the web UI take effect on the next
|
||
// gated operation without a daemon restart (see RFC MUL-2414 §4.8;
|
||
// reviewed in PR #2847). refreshWorkspaceRepos covers settings +
|
||
// repos in a single round trip.
|
||
if _, err := d.refreshWorkspaceRepos(ctx, id); err != nil {
|
||
d.logger.Debug("workspace sync: refresh settings failed", "workspace_id", id, "error", err)
|
||
}
|
||
// Only intervene further if the workspace lost all of its
|
||
// runtimes (most commonly because handleRuntimeGone pruned them
|
||
// and its inline re-register failed). The pointer is not replaced
|
||
// here either — ensureRepoReady holds repoRefreshMu from the
|
||
// original pointer.
|
||
if !d.workspaceNeedsRuntimeRecovery(id) {
|
||
continue
|
||
}
|
||
d.logger.Info("workspace has no runtimes; retrying registration", "workspace_id", id, "name", name)
|
||
if err := d.reregisterWorkspaceAfterRuntimeGone(ctx, id); err != nil {
|
||
d.logger.Warn("retry register failed", "workspace_id", id, "error", err)
|
||
continue
|
||
}
|
||
registered++
|
||
continue
|
||
}
|
||
resp, err := d.registerRuntimesForWorkspace(ctx, id)
|
||
if err != nil {
|
||
d.logger.Error("failed to register runtimes", "workspace_id", id, "name", name, "error", err)
|
||
continue
|
||
}
|
||
runtimeIDs := make([]string, len(resp.Runtimes))
|
||
for i, rt := range resp.Runtimes {
|
||
runtimeIDs[i] = rt.ID
|
||
d.logger.Info("registered runtime", "workspace_id", id, "runtime_id", rt.ID, "provider", rt.Provider)
|
||
}
|
||
d.mu.Lock()
|
||
d.workspaces[id] = newWorkspaceState(id, runtimeIDs, resp.ReposVersion, resp.Repos, resp.Settings)
|
||
for _, rt := range resp.Runtimes {
|
||
d.runtimeIndex[rt.ID] = rt
|
||
}
|
||
d.mu.Unlock()
|
||
|
||
if d.repoCache != nil && len(resp.Repos) > 0 {
|
||
go d.syncWorkspaceRepos(id, resp.Repos)
|
||
}
|
||
|
||
// Tell the server about any tasks the previous daemon process was
|
||
// running on these runtimes. Without this, an issue can stay stuck
|
||
// at in_progress until the slow heartbeat sweeper or the in-flight
|
||
// task timeout (2.5h) kicks in.
|
||
for _, rid := range runtimeIDs {
|
||
if err := d.client.RecoverOrphans(ctx, rid); err != nil {
|
||
d.logger.Warn("recover-orphans failed", "runtime_id", rid, "error", err)
|
||
}
|
||
}
|
||
|
||
d.logger.Info("watching workspace", "workspace_id", id, "name", name, "runtimes", len(resp.Runtimes), "repos", len(resp.Repos))
|
||
registered++
|
||
}
|
||
|
||
// Remove workspaces the user no longer belongs to.
|
||
for id := range currentIDs {
|
||
if _, ok := apiIDs[id]; !ok {
|
||
d.mu.Lock()
|
||
if ws, exists := d.workspaces[id]; exists {
|
||
for _, rid := range ws.runtimeIDs {
|
||
delete(d.runtimeIndex, rid)
|
||
}
|
||
}
|
||
delete(d.workspaces, id)
|
||
d.mu.Unlock()
|
||
d.logger.Info("stopped watching workspace", "workspace_id", id)
|
||
removed++
|
||
}
|
||
}
|
||
if registered > 0 || removed > 0 {
|
||
d.notifyRuntimeSetChanged()
|
||
}
|
||
|
||
if len(d.allRuntimeIDs()) == 0 && registered == 0 && len(workspaces) > 0 {
|
||
return fmt.Errorf("failed to register runtimes for any of the %d workspace(s)", len(workspaces))
|
||
}
|
||
if registered > 0 || removed > 0 {
|
||
d.logger.Debug("workspace sync done", "registered", registered, "removed", removed, "tracked", len(apiIDs))
|
||
}
|
||
return nil
|
||
}
|
||
|
||
// heartbeatLoop supervises per-runtime HTTP heartbeat goroutines. Each runtime
|
||
// gets an independent ticker so a slow heartbeat for one runtime cannot block
|
||
// heartbeats for any other runtime — this matters when a single daemon serves
|
||
// multiple workspaces, because the previous shared loop would serialize an
|
||
// up-to-30s HTTP timeout across every runtime in the set.
|
||
func (d *Daemon) heartbeatLoop(ctx context.Context) {
|
||
runtimeSetCh, unsub := d.runtimeSet.Subscribe()
|
||
defer unsub()
|
||
|
||
cancels := make(map[string]context.CancelFunc)
|
||
defer func() {
|
||
for _, cancel := range cancels {
|
||
cancel()
|
||
}
|
||
}()
|
||
|
||
sync := func() {
|
||
want := make(map[string]struct{})
|
||
for _, rid := range d.allRuntimeIDs() {
|
||
want[rid] = struct{}{}
|
||
}
|
||
for rid, cancel := range cancels {
|
||
if _, ok := want[rid]; !ok {
|
||
cancel()
|
||
delete(cancels, rid)
|
||
}
|
||
}
|
||
for rid := range want {
|
||
if _, ok := cancels[rid]; ok {
|
||
continue
|
||
}
|
||
rctx, rcancel := context.WithCancel(ctx)
|
||
cancels[rid] = rcancel
|
||
go d.runRuntimeHeartbeat(rctx, rid)
|
||
}
|
||
}
|
||
|
||
sync()
|
||
for {
|
||
select {
|
||
case <-ctx.Done():
|
||
return
|
||
case <-runtimeSetCh:
|
||
sync()
|
||
}
|
||
}
|
||
}
|
||
|
||
// runRuntimeHeartbeat owns the HTTP heartbeat schedule for a single runtime.
|
||
// The first tick fires after a small jittered delay (up to one full interval)
|
||
// to avoid a thundering herd when the daemon registers many runtimes at once.
|
||
func (d *Daemon) runRuntimeHeartbeat(ctx context.Context, rid string) {
|
||
interval := d.cfg.HeartbeatInterval
|
||
if interval <= 0 {
|
||
interval = 15 * time.Second
|
||
}
|
||
// Jittered initial delay; cap at the interval so the first beat still
|
||
// happens within one period.
|
||
if jitter := time.Duration(rand.Int63n(int64(interval))); jitter > 0 {
|
||
select {
|
||
case <-ctx.Done():
|
||
return
|
||
case <-time.After(jitter):
|
||
}
|
||
}
|
||
|
||
d.runHeartbeatTick(ctx, rid)
|
||
|
||
ticker := time.NewTicker(interval)
|
||
defer ticker.Stop()
|
||
for {
|
||
select {
|
||
case <-ctx.Done():
|
||
return
|
||
case <-ticker.C:
|
||
d.runHeartbeatTick(ctx, rid)
|
||
}
|
||
}
|
||
}
|
||
|
||
func (d *Daemon) runHeartbeatTick(ctx context.Context, rid string) {
|
||
// Skip HTTP heartbeat for runtimes that successfully acked a recent
|
||
// WebSocket heartbeat. The WS path keeps last_seen_at fresh and delivers
|
||
// actions, so the HTTP write would be a duplicate DB update. If the WS
|
||
// heartbeat goes silent the freshness window expires and HTTP resumes
|
||
// automatically on the next tick — that is the fallback the WS path
|
||
// relies on.
|
||
if d.wsHeartbeatRecentlyAcked(rid) {
|
||
d.logger.Debug("heartbeat: skipping HTTP tick, WS recently acked", "runtime_id", rid)
|
||
return
|
||
}
|
||
d.logger.Debug("heartbeat: HTTP tick", "runtime_id", rid)
|
||
resp, err := d.client.SendHeartbeat(ctx, rid)
|
||
if err != nil {
|
||
if ctx.Err() == nil {
|
||
if isRuntimeNotFoundError(err) {
|
||
// Server says this runtime is gone — recover instead of
|
||
// looping on the dead UUID. handleRuntimeGone coalesces
|
||
// concurrent callers and runs the recovery HTTP call under
|
||
// the daemon root context so notifyRuntimeSetChanged
|
||
// tearing down this heartbeat goroutine cannot abort it.
|
||
go d.handleRuntimeGone(rid)
|
||
return
|
||
}
|
||
d.logger.Warn("heartbeat failed", "runtime_id", rid, "error", err)
|
||
}
|
||
return
|
||
}
|
||
if resp != nil && resp.RuntimeGone {
|
||
// The WS path returns a successful ack with RuntimeGone=true for the
|
||
// same scenario; treat it the same way here in case HTTP starts
|
||
// surfacing this signal too.
|
||
go d.handleRuntimeGone(rid)
|
||
return
|
||
}
|
||
d.handleHeartbeatActions(ctx, rid, resp)
|
||
}
|
||
|
||
// handleHeartbeatActions dispatches the pending-action set returned by either
|
||
// transport (HTTP POST /api/daemon/heartbeat or WS daemon:heartbeat_ack).
|
||
// Each action is dispatched in its own goroutine so a slow handler cannot
|
||
// block subsequent heartbeats.
|
||
func (d *Daemon) handleHeartbeatActions(ctx context.Context, runtimeID string, resp *HeartbeatResponse) {
|
||
if resp == nil {
|
||
return
|
||
}
|
||
if resp.PendingUpdate != nil || resp.PendingModelList != nil || resp.PendingLocalSkills != nil || resp.PendingLocalSkillImport != nil {
|
||
d.logger.Debug("heartbeat: pending actions",
|
||
"runtime_id", runtimeID,
|
||
"update", resp.PendingUpdate != nil,
|
||
"model_list", resp.PendingModelList != nil,
|
||
"local_skills", resp.PendingLocalSkills != nil,
|
||
"local_skill_import", resp.PendingLocalSkillImport != nil,
|
||
)
|
||
}
|
||
if resp.PendingUpdate != nil {
|
||
go d.handleUpdate(ctx, runtimeID, resp.PendingUpdate)
|
||
}
|
||
if resp.PendingModelList != nil {
|
||
if rt := d.findRuntime(runtimeID); rt != nil {
|
||
go d.handleModelList(ctx, *rt, resp.PendingModelList.ID)
|
||
}
|
||
}
|
||
if resp.PendingLocalSkills != nil {
|
||
if rt := d.findRuntime(runtimeID); rt != nil {
|
||
go d.handleLocalSkillList(ctx, *rt, resp.PendingLocalSkills.ID)
|
||
}
|
||
}
|
||
// Prefer the batch field (new backend); fall back to singular (old backend).
|
||
if len(resp.PendingLocalSkillImports) > 0 {
|
||
if rt := d.findRuntime(runtimeID); rt != nil {
|
||
for _, imp := range resp.PendingLocalSkillImports {
|
||
go d.handleLocalSkillImport(ctx, *rt, imp)
|
||
}
|
||
}
|
||
} else if resp.PendingLocalSkillImport != nil {
|
||
if rt := d.findRuntime(runtimeID); rt != nil {
|
||
go d.handleLocalSkillImport(ctx, *rt, *resp.PendingLocalSkillImport)
|
||
}
|
||
}
|
||
}
|
||
|
||
// handleModelList resolves the provider's supported models (via static
|
||
// catalog or by shelling out to the agent CLI) and reports the result
|
||
// back to the server. Model discovery failures are reported as empty
|
||
// lists rather than errors so the UI can still render a creatable
|
||
// dropdown.
|
||
func (d *Daemon) handleModelList(ctx context.Context, rt Runtime, requestID string) {
|
||
d.logger.Info("model list requested", "runtime_id", rt.ID, "request_id", requestID, "provider", rt.Provider)
|
||
|
||
entry, ok := d.cfg.Agents[rt.Provider]
|
||
if !ok {
|
||
d.reportModelListResult(ctx, rt, requestID, map[string]any{
|
||
"status": "failed",
|
||
"error": fmt.Sprintf("no agent configured for provider %q", rt.Provider),
|
||
})
|
||
return
|
||
}
|
||
|
||
models, err := agent.ListModels(ctx, rt.Provider, entry.Path)
|
||
if err != nil {
|
||
d.reportModelListResult(ctx, rt, requestID, map[string]any{
|
||
"status": "failed",
|
||
"error": err.Error(),
|
||
})
|
||
return
|
||
}
|
||
|
||
// Wire format matches handler.ModelEntry. Use a struct (not
|
||
// map[string]string) so the Default bool and the per-model
|
||
// Thinking catalog round-trip — without it the UI loses its
|
||
// "default" badge on the advertised pick and the thinking-level
|
||
// picker for claude/codex (MUL-2339).
|
||
type thinkingLevelWire struct {
|
||
Value string `json:"value"`
|
||
Label string `json:"label"`
|
||
Description string `json:"description,omitempty"`
|
||
}
|
||
type modelThinkingWire struct {
|
||
SupportedLevels []thinkingLevelWire `json:"supported_levels"`
|
||
DefaultLevel string `json:"default_level,omitempty"`
|
||
}
|
||
type modelWire struct {
|
||
ID string `json:"id"`
|
||
Label string `json:"label"`
|
||
Provider string `json:"provider,omitempty"`
|
||
Default bool `json:"default,omitempty"`
|
||
Thinking *modelThinkingWire `json:"thinking,omitempty"`
|
||
}
|
||
wire := make([]modelWire, 0, len(models))
|
||
for _, m := range models {
|
||
entry := modelWire{
|
||
ID: m.ID,
|
||
Label: m.Label,
|
||
Provider: m.Provider,
|
||
Default: m.Default,
|
||
}
|
||
if m.Thinking != nil {
|
||
levels := make([]thinkingLevelWire, 0, len(m.Thinking.SupportedLevels))
|
||
for _, lvl := range m.Thinking.SupportedLevels {
|
||
levels = append(levels, thinkingLevelWire{
|
||
Value: lvl.Value,
|
||
Label: lvl.Label,
|
||
Description: lvl.Description,
|
||
})
|
||
}
|
||
entry.Thinking = &modelThinkingWire{
|
||
SupportedLevels: levels,
|
||
DefaultLevel: m.Thinking.DefaultLevel,
|
||
}
|
||
}
|
||
wire = append(wire, entry)
|
||
}
|
||
d.reportModelListResult(ctx, rt, requestID, map[string]any{
|
||
"status": "completed",
|
||
"models": wire,
|
||
"supported": agent.ModelSelectionSupported(rt.Provider),
|
||
})
|
||
}
|
||
|
||
func (d *Daemon) handleLocalSkillList(ctx context.Context, rt Runtime, requestID string) {
|
||
d.logger.Info("runtime local skills requested", "runtime_id", rt.ID, "request_id", requestID, "provider", rt.Provider)
|
||
|
||
skills, supported, err := listRuntimeLocalSkills(rt.Provider)
|
||
if err != nil {
|
||
d.reportLocalSkillListResult(ctx, rt, requestID, map[string]any{
|
||
"status": "failed",
|
||
"error": err.Error(),
|
||
})
|
||
return
|
||
}
|
||
|
||
d.reportLocalSkillListResult(ctx, rt, requestID, map[string]any{
|
||
"status": "completed",
|
||
"skills": skills,
|
||
"supported": supported,
|
||
})
|
||
}
|
||
|
||
func (d *Daemon) handleLocalSkillImport(ctx context.Context, rt Runtime, pending PendingLocalSkillImport) {
|
||
d.logger.Info("runtime local skill import requested", "runtime_id", rt.ID, "request_id", pending.ID, "provider", rt.Provider, "skill_key", pending.SkillKey)
|
||
|
||
skill, supported, err := loadRuntimeLocalSkillBundle(rt.Provider, pending.SkillKey)
|
||
if err != nil {
|
||
d.reportLocalSkillImportResult(ctx, rt, pending.ID, map[string]any{
|
||
"status": "failed",
|
||
"error": err.Error(),
|
||
})
|
||
return
|
||
}
|
||
if !supported {
|
||
d.reportLocalSkillImportResult(ctx, rt, pending.ID, map[string]any{
|
||
"status": "failed",
|
||
"error": fmt.Sprintf("provider %q does not expose runtime local skills", rt.Provider),
|
||
})
|
||
return
|
||
}
|
||
|
||
d.reportLocalSkillImportResult(ctx, rt, pending.ID, map[string]any{
|
||
"status": "completed",
|
||
"skill": skill,
|
||
})
|
||
}
|
||
|
||
// runtimeReportBackoffs defines the retry schedule for delivering any
|
||
// daemon→server async result (model list, local-skill list, local-skill
|
||
// import). First attempt runs immediately, then we back off. The sum
|
||
// (≈6.5s) stays well under the server-side running timeout (60s) so a
|
||
// report that eventually lands still updates the request instead of
|
||
// racing a timeout transition.
|
||
//
|
||
// Overridable for tests to avoid real sleeps.
|
||
var runtimeReportBackoffs = []time.Duration{0, 500 * time.Millisecond, 2 * time.Second, 4 * time.Second}
|
||
|
||
// reportLocalSkillListResult delivers a list-report to the server with retry
|
||
// on transient failures. See reportRuntimeResultWithRetry for semantics.
|
||
func (d *Daemon) reportLocalSkillListResult(ctx context.Context, rt Runtime, requestID string, payload map[string]any) {
|
||
d.reportRuntimeResultWithRetry(ctx, "local_skill_list", rt.ID, requestID, func(ctx context.Context) error {
|
||
return d.client.ReportLocalSkillListResult(ctx, rt.ID, requestID, payload)
|
||
})
|
||
}
|
||
|
||
// reportLocalSkillImportResult delivers an import-report to the server with
|
||
// retry on transient failures.
|
||
func (d *Daemon) reportLocalSkillImportResult(ctx context.Context, rt Runtime, requestID string, payload map[string]any) {
|
||
d.reportRuntimeResultWithRetry(ctx, "local_skill_import", rt.ID, requestID, func(ctx context.Context) error {
|
||
return d.client.ReportLocalSkillImportResult(ctx, rt.ID, requestID, payload)
|
||
})
|
||
}
|
||
|
||
// reportModelListResult delivers a model-list report to the server with retry
|
||
// on transient failures. Without this the daemon used to fire once and
|
||
// swallow any 5xx, leaving the request stranded in "running" on the server
|
||
// until its 60s timeout — defeating the multi-node store fix.
|
||
func (d *Daemon) reportModelListResult(ctx context.Context, rt Runtime, requestID string, payload map[string]any) {
|
||
d.reportRuntimeResultWithRetry(ctx, "model_list", rt.ID, requestID, func(ctx context.Context) error {
|
||
return d.client.ReportModelListResult(ctx, rt.ID, requestID, payload)
|
||
})
|
||
}
|
||
|
||
// reportRuntimeResultWithRetry retries `fn` on 5xx / network errors and
|
||
// stops on success, 4xx, or after exhausting runtimeReportBackoffs.
|
||
//
|
||
// Why this exists: the server persists the report through a Redis / DB
|
||
// write; on a transient store failure it correctly returns 500. Without a
|
||
// client-side retry the daemon would fire once, swallow the error, and the
|
||
// pending request stays in "running" on the server until its timeout — which
|
||
// is exactly the "daemon did not respond" failure mode the multi-node store
|
||
// fix was meant to eliminate. 4xx is treated as permanent (request-not-found,
|
||
// cross-workspace token rejected, bad body) — retrying those just wastes
|
||
// heartbeat cycles.
|
||
func (d *Daemon) reportRuntimeResultWithRetry(ctx context.Context, kind, runtimeID, requestID string, fn func(context.Context) error) {
|
||
var lastErr error
|
||
for attempt, wait := range runtimeReportBackoffs {
|
||
if wait > 0 {
|
||
select {
|
||
case <-ctx.Done():
|
||
d.logger.Error("runtime async report cancelled",
|
||
"kind", kind, "runtime_id", runtimeID, "request_id", requestID,
|
||
"attempt", attempt, "error", ctx.Err())
|
||
return
|
||
case <-time.After(wait):
|
||
}
|
||
}
|
||
err := fn(ctx)
|
||
if err == nil {
|
||
if attempt > 0 {
|
||
d.logger.Info("runtime async report succeeded after retry",
|
||
"kind", kind, "runtime_id", runtimeID, "request_id", requestID,
|
||
"attempt", attempt+1)
|
||
}
|
||
return
|
||
}
|
||
lastErr = err
|
||
|
||
// 4xx is permanent (request expired, workspace mismatch, malformed
|
||
// body). No amount of retrying will make it succeed.
|
||
var reqErr *requestError
|
||
if errors.As(err, &reqErr) && reqErr.StatusCode >= 400 && reqErr.StatusCode < 500 {
|
||
d.logger.Error("runtime async report rejected — not retrying",
|
||
"kind", kind, "runtime_id", runtimeID, "request_id", requestID,
|
||
"status", reqErr.StatusCode, "error", err)
|
||
return
|
||
}
|
||
|
||
d.logger.Warn("runtime async report failed — will retry",
|
||
"kind", kind, "runtime_id", runtimeID, "request_id", requestID,
|
||
"attempt", attempt+1, "error", err)
|
||
}
|
||
d.logger.Error("runtime async report exhausted retries",
|
||
"kind", kind, "runtime_id", runtimeID, "request_id", requestID, "error", lastErr)
|
||
}
|
||
|
||
// handleUpdate performs the CLI update when triggered by the server via heartbeat.
|
||
func (d *Daemon) handleUpdate(ctx context.Context, runtimeID string, update *PendingUpdate) {
|
||
// Desktop-managed daemons share their CLI binary with the Electron app,
|
||
// which is responsible for shipping and replacing it. Letting the daemon
|
||
// self-update would just get overwritten on the next Desktop launch and
|
||
// could brick the embedded binary mid-update. Refuse cleanly.
|
||
if d.cfg.LaunchedBy == "desktop" {
|
||
d.logger.Info("refusing CLI self-update: daemon is managed by Desktop", "runtime_id", runtimeID, "update_id", update.ID)
|
||
d.reportUpdateResult(ctx, runtimeID, update.ID, map[string]any{
|
||
"status": "failed",
|
||
"error": "CLI is managed by Multica Desktop — update the Desktop app to upgrade the CLI",
|
||
})
|
||
return
|
||
}
|
||
|
||
// Prevent concurrent update attempts.
|
||
if !d.updating.CompareAndSwap(false, true) {
|
||
d.logger.Warn("update already in progress, ignoring", "runtime_id", runtimeID, "update_id", update.ID)
|
||
return
|
||
}
|
||
defer d.updating.Store(false)
|
||
|
||
d.logger.Info("CLI update requested", "runtime_id", runtimeID, "update_id", update.ID, "target_version", update.TargetVersion)
|
||
|
||
// Report running status.
|
||
d.reportUpdateResult(ctx, runtimeID, update.ID, map[string]any{
|
||
"status": "running",
|
||
})
|
||
|
||
output, err := d.runUpdateFn(update.TargetVersion)
|
||
if err != nil {
|
||
d.logger.Error("CLI update failed", "error", err, "output", output)
|
||
d.reportUpdateResult(ctx, runtimeID, update.ID, map[string]any{
|
||
"status": "failed",
|
||
"error": err.Error(),
|
||
})
|
||
return
|
||
}
|
||
|
||
d.logger.Info("CLI update completed successfully", "output", output)
|
||
d.reportUpdateResult(ctx, runtimeID, update.ID, map[string]any{
|
||
"status": "completed",
|
||
"output": fmt.Sprintf("Updated to %s", update.TargetVersion),
|
||
})
|
||
|
||
// Trigger daemon restart with the new binary.
|
||
d.triggerRestart()
|
||
}
|
||
|
||
// runUpdate executes the brew-or-download upgrade against targetVersion and
|
||
// returns the human-readable output (always populated, even on failure when
|
||
// brew gives us a useful diagnostic). The caller is responsible for the
|
||
// `updating` CAS guard and for reporting status back to the server / triggering
|
||
// the restart — extracted so the server-triggered path (handleUpdate) and the
|
||
// auto-update poller (autoUpdateLoop) share the exact same execution body.
|
||
func (d *Daemon) runUpdate(targetVersion string) (string, error) {
|
||
if cli.IsBrewInstall() {
|
||
d.logger.Info("updating CLI via Homebrew...")
|
||
out, err := cli.UpdateViaBrew()
|
||
if err != nil {
|
||
return out, fmt.Errorf("brew upgrade failed: %w", err)
|
||
}
|
||
return out, nil
|
||
}
|
||
d.logger.Info("updating CLI via direct download...", "target_version", targetVersion)
|
||
out, err := cli.UpdateViaDownload(targetVersion)
|
||
if err != nil {
|
||
return out, fmt.Errorf("download update failed: %w", err)
|
||
}
|
||
return out, nil
|
||
}
|
||
|
||
// updateReportBackoffs defines the retry schedule for delivering CLI update
|
||
// status back to the server. This mirrors localSkillReportBackoffs because
|
||
// both features have the same user-visible failure mode: the daemon completed
|
||
// work locally, but a transient report failure leaves the UI waiting until the
|
||
// server-side request times out.
|
||
//
|
||
// Overridable for tests to avoid real sleeps.
|
||
var updateReportBackoffs = []time.Duration{0, 500 * time.Millisecond, 2 * time.Second, 4 * time.Second}
|
||
|
||
func (d *Daemon) reportUpdateResult(ctx context.Context, runtimeID, updateID string, payload map[string]any) {
|
||
d.reportUpdateResultWithRetry(ctx, runtimeID, updateID, func(ctx context.Context) error {
|
||
return d.client.ReportUpdateResult(ctx, runtimeID, updateID, payload)
|
||
})
|
||
}
|
||
|
||
func (d *Daemon) reportUpdateResultWithRetry(ctx context.Context, runtimeID, updateID string, fn func(context.Context) error) {
|
||
var lastErr error
|
||
for attempt, wait := range updateReportBackoffs {
|
||
if wait > 0 {
|
||
select {
|
||
case <-ctx.Done():
|
||
d.logger.Error("CLI update report cancelled",
|
||
"runtime_id", runtimeID, "update_id", updateID,
|
||
"attempt", attempt, "error", ctx.Err())
|
||
return
|
||
case <-time.After(wait):
|
||
}
|
||
}
|
||
|
||
err := fn(ctx)
|
||
if err == nil {
|
||
if attempt > 0 {
|
||
d.logger.Info("CLI update report succeeded after retry",
|
||
"runtime_id", runtimeID, "update_id", updateID,
|
||
"attempt", attempt+1)
|
||
}
|
||
return
|
||
}
|
||
lastErr = err
|
||
|
||
var reqErr *requestError
|
||
if errors.As(err, &reqErr) && reqErr.StatusCode >= 400 && reqErr.StatusCode < 500 {
|
||
d.logger.Error("CLI update report rejected — not retrying",
|
||
"runtime_id", runtimeID, "update_id", updateID,
|
||
"status", reqErr.StatusCode, "error", err)
|
||
return
|
||
}
|
||
|
||
d.logger.Warn("CLI update report failed — will retry",
|
||
"runtime_id", runtimeID, "update_id", updateID,
|
||
"attempt", attempt+1, "error", err)
|
||
}
|
||
d.logger.Error("CLI update report exhausted retries",
|
||
"runtime_id", runtimeID, "update_id", updateID, "error", lastErr)
|
||
}
|
||
|
||
// tryEnterClaim records the intent to call ClaimTask. Returns true if the
|
||
// caller may proceed, false if the auto-update barrier is in effect. Every
|
||
// successful call MUST be paired with an exitClaim() on every exit path —
|
||
// either right after a failed/empty claim, or via the handleTask goroutine's
|
||
// defer once the task is handed off.
|
||
func (d *Daemon) tryEnterClaim() bool {
|
||
d.claimMu.Lock()
|
||
defer d.claimMu.Unlock()
|
||
if d.pauseClaims {
|
||
return false
|
||
}
|
||
d.claimsInFlight++
|
||
return true
|
||
}
|
||
|
||
// exitClaim releases the in-flight claim recorded by tryEnterClaim.
|
||
func (d *Daemon) exitClaim() {
|
||
d.claimMu.Lock()
|
||
defer d.claimMu.Unlock()
|
||
d.claimsInFlight--
|
||
}
|
||
|
||
// trySetClaimBarrier atomically pauses new ClaimTask calls if the daemon is
|
||
// fully idle (no claims in flight, no tasks running). Returns true if the
|
||
// caller now holds the barrier and must release it with releaseClaimBarrier
|
||
// on every non-restart exit path; false if the daemon is busy and the caller
|
||
// should defer to the next tick. Used by tryAutoUpdate to close the race
|
||
// where a task slips in between the cheap pre-fetch idle check and the
|
||
// actual upgrade kick-off.
|
||
func (d *Daemon) trySetClaimBarrier() bool {
|
||
d.claimMu.Lock()
|
||
defer d.claimMu.Unlock()
|
||
if d.claimsInFlight > 0 || d.activeTasks.Load() > 0 {
|
||
return false
|
||
}
|
||
d.pauseClaims = true
|
||
return true
|
||
}
|
||
|
||
// releaseClaimBarrier clears the auto-update claim barrier so pollers may
|
||
// resume claiming. Called on failure paths only — a successful upgrade leaves
|
||
// the barrier set because triggerRestart is about to take the process down
|
||
// and clearing it would open a window for new claims during shutdown.
|
||
func (d *Daemon) releaseClaimBarrier() {
|
||
d.claimMu.Lock()
|
||
defer d.claimMu.Unlock()
|
||
d.pauseClaims = false
|
||
}
|
||
|
||
// triggerRestart initiates a graceful daemon restart after a successful CLI update.
|
||
// For brew installs, it keeps the symlink path (e.g. /opt/homebrew/bin/multica)
|
||
// so the restarted daemon picks up the new Cellar version automatically.
|
||
// For non-brew installs, it resolves to the absolute path of the replaced binary.
|
||
// The caller (cmd_daemon.go) checks RestartBinary() and launches the new process.
|
||
func (d *Daemon) triggerRestart() {
|
||
newBin, err := os.Executable()
|
||
if err != nil {
|
||
d.logger.Error("could not resolve executable path for restart", "error", err)
|
||
return
|
||
}
|
||
// On Linux, os.Executable() reads /proc/self/exe, which the kernel resolves
|
||
// to the Cellar path. brew cleanup deletes that path after upgrade, so we
|
||
// must use the stable <brew-prefix>/bin/multica symlink instead.
|
||
if isBrewInstall() {
|
||
if brewPrefix := getBrewPrefix(); brewPrefix != "" {
|
||
newBin = filepath.Join(brewPrefix, "bin", "multica")
|
||
} else if prefix := matchKnownBrewPrefix(newBin); prefix != "" {
|
||
newBin = filepath.Join(prefix, "bin", "multica")
|
||
} else {
|
||
d.logger.Warn("brew install detected but prefix could not be resolved; restart may fail",
|
||
"executable", newBin)
|
||
}
|
||
} else {
|
||
if resolved, err := filepath.EvalSymlinks(newBin); err == nil {
|
||
newBin = resolved
|
||
}
|
||
}
|
||
|
||
d.logger.Info("scheduling daemon restart", "new_binary", newBin)
|
||
d.restartBinary = newBin
|
||
|
||
// Cancel the main context to trigger graceful shutdown.
|
||
if d.cancelFunc != nil {
|
||
d.cancelFunc()
|
||
}
|
||
}
|
||
|
||
// pollLoop supervises one runtimePoller goroutine per registered runtime,
|
||
// fans wake-up signals out to all of them, and waits for in-flight tasks to
|
||
// drain on shutdown. Per-runtime workers replace the previous round-robin
|
||
// loop so that a slow ClaimTask call (HTTP 30s timeout) for one runtime no
|
||
// longer delays claims on every other runtime — that was the cross-workspace
|
||
// stall mode reported in MUL-1744.
|
||
func (d *Daemon) pollLoop(ctx context.Context, taskWakeups <-chan struct{}) error {
|
||
sem := newTaskSlotSemaphore(d.cfg.MaxConcurrentTasks)
|
||
var taskWG sync.WaitGroup // tracks in-flight handleTask goroutines
|
||
var pollerWG sync.WaitGroup // tracks runRuntimePoller goroutines
|
||
|
||
runtimeSetCh, unsub := d.runtimeSet.Subscribe()
|
||
defer unsub()
|
||
|
||
type pollerHandle struct {
|
||
cancel context.CancelFunc
|
||
wakeup chan struct{}
|
||
}
|
||
pollers := make(map[string]*pollerHandle)
|
||
|
||
syncPollers := func() {
|
||
want := make(map[string]struct{})
|
||
for _, rid := range d.allRuntimeIDs() {
|
||
want[rid] = struct{}{}
|
||
}
|
||
for rid, h := range pollers {
|
||
if _, ok := want[rid]; !ok {
|
||
h.cancel()
|
||
delete(pollers, rid)
|
||
}
|
||
}
|
||
for rid := range want {
|
||
if _, ok := pollers[rid]; ok {
|
||
continue
|
||
}
|
||
pctx, pcancel := context.WithCancel(ctx)
|
||
wakeup := make(chan struct{}, 1)
|
||
pollers[rid] = &pollerHandle{cancel: pcancel, wakeup: wakeup}
|
||
pollerWG.Add(1)
|
||
go func(rid string, pctx context.Context, wakeup <-chan struct{}) {
|
||
defer pollerWG.Done()
|
||
d.runRuntimePoller(pctx, ctx, rid, sem, wakeup, &taskWG)
|
||
}(rid, pctx, wakeup)
|
||
}
|
||
}
|
||
|
||
syncPollers()
|
||
|
||
for {
|
||
select {
|
||
case <-ctx.Done():
|
||
d.logger.Info("poll loop stopping, waiting for in-flight tasks", "max_wait", "30s")
|
||
for _, h := range pollers {
|
||
h.cancel()
|
||
}
|
||
// Wait for all pollers to fully return before waiting on taskWG.
|
||
// Otherwise a poller that's between ClaimTask and taskWG.Add(1)
|
||
// could race with taskWG.Wait when the counter is zero, which
|
||
// is an undefined sync.WaitGroup misuse.
|
||
pollerWG.Wait()
|
||
|
||
waitDone := make(chan struct{})
|
||
go func() { taskWG.Wait(); close(waitDone) }()
|
||
select {
|
||
case <-waitDone:
|
||
case <-time.After(30 * time.Second):
|
||
d.logger.Warn("timed out waiting for in-flight tasks")
|
||
}
|
||
return ctx.Err()
|
||
case <-runtimeSetCh:
|
||
syncPollers()
|
||
case <-taskWakeups:
|
||
// Fan out to every runtime poller. Any of them might have a queued
|
||
// task; the per-poller wakeup channel coalesces (cap 1) so a burst
|
||
// of wake-ups doesn't pile up.
|
||
d.logger.Debug("task wakeup: fanning out to pollers", "pollers", len(pollers))
|
||
for _, h := range pollers {
|
||
select {
|
||
case h.wakeup <- struct{}{}:
|
||
default:
|
||
}
|
||
}
|
||
}
|
||
}
|
||
}
|
||
|
||
// runRuntimePoller is the per-runtime claim+dispatch loop. It owns its own
|
||
// poll cadence and wakeup channel so that a slow HTTP claim for this runtime
|
||
// cannot delay any other runtime's claims.
|
||
//
|
||
// The execution slot is acquired BEFORE ClaimTask. The alternative —
|
||
// claiming first and then waiting for a slot — would let claimed tasks pile
|
||
// up in the server-side `dispatched` state without a corresponding
|
||
// StartTask, and the server's sweeper would fail them as `failed/timeout`
|
||
// after dispatchTimeoutSeconds=300s (runtime_sweeper.go:25). That is the
|
||
// exact user-visible failure this issue is fixing, so we cannot risk
|
||
// recreating it under load.
|
||
//
|
||
// Slot-before-claim does mean a slow claim holds a slot during its HTTP
|
||
// roundtrip; the upper bound is `client.Timeout = 30s` (client.go:59), well
|
||
// below the 300s dispatch timeout, so other runtimes' tasks stay in
|
||
// server-side `queued` state (which has no timeout) rather than entering
|
||
// `dispatched` and racing the sweeper.
|
||
//
|
||
// pollerCtx is cancelled when this runtime is removed from the watched set
|
||
// (e.g. workspace de-registered). parentCtx is the daemon's root ctx and is
|
||
// passed to handleTask so an in-flight task is not killed just because the
|
||
// runtime set changed mid-flight — the task continues to run until the
|
||
// daemon itself shuts down (or the server cancels it).
|
||
func (d *Daemon) runRuntimePoller(
|
||
pollerCtx, parentCtx context.Context,
|
||
rid string,
|
||
sem chan int,
|
||
wakeup <-chan struct{},
|
||
taskWG *sync.WaitGroup,
|
||
) {
|
||
for {
|
||
if pollerCtx.Err() != nil {
|
||
return
|
||
}
|
||
|
||
// Acquire an execution slot before claiming. If at capacity, sleep
|
||
// without claiming so we don't push a task into `dispatched` and
|
||
// then race the 5-min server-side dispatch timeout while waiting.
|
||
var slot int
|
||
select {
|
||
case slot = <-sem:
|
||
case <-pollerCtx.Done():
|
||
return
|
||
default:
|
||
d.logger.Debug("poll: at capacity", "runtime_id", rid, "running", d.cfg.MaxConcurrentTasks)
|
||
if err := sleepWithContextOrWakeup(pollerCtx, d.cfg.PollInterval, wakeup); err != nil {
|
||
return
|
||
}
|
||
continue
|
||
}
|
||
|
||
// Refuse new claims while an auto-update is preparing to roll the
|
||
// process. The barrier is paired with a re-check of claimsInFlight +
|
||
// activeTasks inside tryAutoUpdate, so once we get past tryEnterClaim
|
||
// the auto-update path is guaranteed to defer until this poller has
|
||
// handed the task off (or given up).
|
||
if !d.tryEnterClaim() {
|
||
sem <- slot
|
||
if err := sleepWithContextOrWakeup(pollerCtx, d.cfg.PollInterval, wakeup); err != nil {
|
||
return
|
||
}
|
||
continue
|
||
}
|
||
|
||
task, err := d.client.ClaimTask(pollerCtx, rid)
|
||
if err != nil {
|
||
d.exitClaim()
|
||
sem <- slot
|
||
if pollerCtx.Err() == nil {
|
||
if isRuntimeNotFoundError(err) {
|
||
// Server says this runtime is gone — recover and exit
|
||
// the poller; the runtime-set watcher will tear this
|
||
// goroutine down via pollerCtx once the workspace is
|
||
// re-registered with a new runtime ID.
|
||
go d.handleRuntimeGone(rid)
|
||
return
|
||
}
|
||
d.logger.Warn("claim task failed", "runtime_id", rid, "error", err)
|
||
}
|
||
if err := sleepWithContextOrWakeup(pollerCtx, d.cfg.PollInterval, wakeup); err != nil {
|
||
return
|
||
}
|
||
continue
|
||
}
|
||
|
||
if task == nil {
|
||
d.exitClaim()
|
||
sem <- slot
|
||
if err := sleepWithContextOrWakeup(pollerCtx, d.cfg.PollInterval, wakeup); err != nil {
|
||
return
|
||
}
|
||
continue
|
||
}
|
||
|
||
taskTarget := task.IssueID
|
||
if taskTarget == "" && task.ChatSessionID != "" {
|
||
taskTarget = "chat:" + shortID(task.ChatSessionID)
|
||
}
|
||
d.logger.Info("task received", "task", shortID(task.ID), "target", taskTarget)
|
||
taskWG.Add(1)
|
||
d.activeTasks.Add(1)
|
||
go func(t Task, slot int) {
|
||
defer taskWG.Done()
|
||
defer d.exitClaim()
|
||
defer d.activeTasks.Add(-1)
|
||
defer func() { sem <- slot }()
|
||
d.handleTask(parentCtx, t, slot)
|
||
}(*task, slot)
|
||
// Loop immediately: more tasks may already be queued for this runtime.
|
||
}
|
||
}
|
||
|
||
// newTaskSlotSemaphore returns a buffered channel pre-populated with stable
|
||
// slot indices [0, n). Receive to acquire a slot, send the same slot back to
|
||
// release. Used by pollLoop to expose MULTICA_TASK_SLOT to spawned tasks.
|
||
func newTaskSlotSemaphore(maxConcurrentTasks int) chan int {
|
||
sem := make(chan int, maxConcurrentTasks)
|
||
for i := 0; i < maxConcurrentTasks; i++ {
|
||
sem <- i
|
||
}
|
||
return sem
|
||
}
|
||
|
||
// shouldInterruptAgent decides whether the running agent should be cancelled
|
||
// based on the latest GetTaskStatus call. Pure function so the decision is
|
||
// trivially testable; the polling goroutine in watchTaskCancellation is just
|
||
// I/O around it.
|
||
//
|
||
// Two cases trigger cancellation:
|
||
//
|
||
// 1. status == "cancelled" — the server moved the task to cancelled
|
||
// (issue reassigned, user cancel, ...).
|
||
// 2. err is a 404 with "task not found" — the task row was deleted while
|
||
// the agent was running. Without this we'd let the local agent keep
|
||
// emitting tool calls against a dead task for its full timeout window.
|
||
//
|
||
// All other errors (transient network, 5xx, ...) intentionally do NOT
|
||
// trigger cancellation — the next tick will retry and we don't want a
|
||
// flaky link to kill an in-flight agent.
|
||
func shouldInterruptAgent(status string, err error) bool {
|
||
if err != nil {
|
||
return isTaskNotFoundError(err)
|
||
}
|
||
return status == "cancelled"
|
||
}
|
||
|
||
// watchTaskCancellation polls the server for the task's status on the given
|
||
// interval and returns a channel that is closed when the running agent
|
||
// should be interrupted. The polling goroutine stops when ctx is cancelled,
|
||
// so callers should pass the runCtx that was set up around the agent run.
|
||
func (d *Daemon) watchTaskCancellation(ctx context.Context, taskID string, pollInterval time.Duration, taskLog *slog.Logger) <-chan struct{} {
|
||
cancelled := make(chan struct{})
|
||
go func() {
|
||
ticker := time.NewTicker(pollInterval)
|
||
defer ticker.Stop()
|
||
for {
|
||
select {
|
||
case <-ctx.Done():
|
||
return
|
||
case <-ticker.C:
|
||
status, err := d.client.GetTaskStatus(ctx, taskID)
|
||
if !shouldInterruptAgent(status, err) {
|
||
continue
|
||
}
|
||
if err != nil {
|
||
taskLog.Info("task gone server-side, interrupting agent", "error", err)
|
||
} else {
|
||
taskLog.Info("task cancelled by server, interrupting agent")
|
||
}
|
||
close(cancelled)
|
||
return
|
||
}
|
||
}
|
||
}()
|
||
return cancelled
|
||
}
|
||
|
||
func (d *Daemon) handleTask(ctx context.Context, task Task, slot int) {
|
||
d.mu.Lock()
|
||
rt := d.runtimeIndex[task.RuntimeID]
|
||
d.mu.Unlock()
|
||
provider := rt.Provider
|
||
|
||
// Task-scoped logger with short ID for readable concurrent logs.
|
||
taskLog := d.logger.With("task", shortID(task.ID))
|
||
agentName := "agent"
|
||
if task.Agent != nil {
|
||
agentName = task.Agent.Name
|
||
}
|
||
if task.ChatSessionID != "" {
|
||
taskLog.Info("picked chat task", "chat_session", shortID(task.ChatSessionID), "agent", agentName, "provider", provider)
|
||
} else {
|
||
taskLog.Info("picked task", "issue", task.IssueID, "agent", agentName, "provider", provider)
|
||
}
|
||
taskLog.Debug("task context",
|
||
"workspace_id", task.WorkspaceID,
|
||
"runtime_id", task.RuntimeID,
|
||
"agent_id", task.AgentID,
|
||
"repos", len(task.Repos),
|
||
"project_id", task.ProjectID,
|
||
"autopilot_run_id", task.AutopilotRunID,
|
||
"trigger_comment_id", task.TriggerCommentID,
|
||
"resume_session", task.PriorSessionID != "",
|
||
"reuse_workdir", task.PriorWorkDir != "",
|
||
)
|
||
|
||
// If the task targets a project_resource of type local_directory that
|
||
// is pinned to this daemon, acquire the path mutex BEFORE StartTask so
|
||
// the server-side state machine is dispatched → waiting_local_directory
|
||
// → running rather than backwards-transitioning from running into the
|
||
// wait state. The release is deferred so a panic or early return
|
||
// always frees the lock for the next waiter.
|
||
localRelease, abort := d.acquireLocalDirectoryLockIfNeeded(ctx, task, taskLog)
|
||
if abort {
|
||
return
|
||
}
|
||
if localRelease != nil {
|
||
defer localRelease()
|
||
}
|
||
|
||
if err := d.client.StartTask(ctx, task.ID); err != nil {
|
||
taskLog.Error("start task failed", "error", err)
|
||
if failErr := d.client.FailTask(ctx, task.ID, fmt.Sprintf("start task failed: %s", err.Error()), "", "", "agent_error"); failErr != nil {
|
||
taskLog.Error("fail task after start error", "error", failErr)
|
||
}
|
||
return
|
||
}
|
||
|
||
_ = d.client.ReportProgress(ctx, task.ID, fmt.Sprintf("Launching %s", provider), 1, 2)
|
||
|
||
// Create a cancellable context so we can interrupt the running agent
|
||
// when the server signals the task should stop — either status moves
|
||
// to "cancelled" or the task row is deleted (404).
|
||
runCtx, runCancel := context.WithCancel(ctx)
|
||
defer runCancel()
|
||
|
||
// Poll interval is d.cancelPollInterval (5s in production, reduced in tests
|
||
// via direct field override). Guard against zero so a misconfigured daemon
|
||
// doesn't panic time.NewTicker.
|
||
pollInterval := d.cancelPollInterval
|
||
if pollInterval == 0 {
|
||
pollInterval = 5 * time.Second
|
||
}
|
||
cancelledByPoll := d.watchTaskCancellation(runCtx, task.ID, pollInterval, taskLog)
|
||
go func() {
|
||
select {
|
||
case <-cancelledByPoll:
|
||
runCancel()
|
||
case <-runCtx.Done():
|
||
}
|
||
}()
|
||
|
||
result, err := d.runner.run(runCtx, task, provider, slot, taskLog)
|
||
|
||
// Report usage before any early return — the agent accumulates tokens
|
||
// whether the task completes, errors, or is cancelled mid-run by the poll
|
||
// goroutine. Both claude.go and codex.go populate result.Usage even when
|
||
// runCtx is cancelled, so dropping this on the cancelled path silently
|
||
// under-reports billing.
|
||
if len(result.Usage) > 0 {
|
||
if usageErr := d.client.ReportTaskUsage(ctx, task.ID, result.Usage); usageErr != nil {
|
||
taskLog.Warn("report task usage failed", "error", usageErr)
|
||
}
|
||
}
|
||
|
||
// Check if we were cancelled by the polling goroutine.
|
||
select {
|
||
case <-cancelledByPoll:
|
||
taskLog.Info("task cancelled during execution, discarding result")
|
||
return
|
||
default:
|
||
}
|
||
|
||
if err != nil {
|
||
taskLog.Error("task failed", "error", err)
|
||
// runTask returned without a TaskResult, so we don't have a SessionID
|
||
// to forward — best we can do is record the failure.
|
||
if failErr := d.client.FailTask(ctx, task.ID, err.Error(), "", "", "agent_error"); failErr != nil {
|
||
taskLog.Error("fail task callback failed", "error", failErr)
|
||
}
|
||
return
|
||
}
|
||
|
||
_ = d.client.ReportProgress(ctx, task.ID, "Finishing task", 2, 2)
|
||
|
||
// Final pre-completion check: if the server already moved the task to
|
||
// "cancelled" or deleted the row outright, skip reporting — the
|
||
// complete/fail callbacks would fail anyway. Reuse shouldInterruptAgent
|
||
// so this guard honors the same signals as the in-flight watcher.
|
||
if status, err := d.client.GetTaskStatus(ctx, task.ID); shouldInterruptAgent(status, err) {
|
||
taskLog.Info("task cancelled during execution, discarding result", "status", status, "error", err)
|
||
return
|
||
}
|
||
|
||
d.reportTaskResult(ctx, task.ID, result, taskLog)
|
||
|
||
// Write GC metadata after the task finishes so the periodic GC loop
|
||
// can look up the parent record (issue / chat session / autopilot run /
|
||
// task itself for quick-create) later. Written last so that a mid-task
|
||
// crash leaves the directory as an orphan (cleaned up by GCOrphanTTL).
|
||
if result.EnvRoot != "" {
|
||
if meta, ok := gcMetaForTask(task); ok {
|
||
// A local_directory project_resource matched this daemon
|
||
// means the agent ran in the user's own tree. Stamp the
|
||
// meta so the GC loop never tries to RemoveAll envRoot's
|
||
// sibling workdir (which is the user's path) or the envRoot
|
||
// itself (we want output/ and logs/ to linger for forensic
|
||
// access).
|
||
if assignment, _ := findLocalDirectoryAssignment(task.ProjectResources, d.cfg.DaemonID); assignment != nil {
|
||
meta.LocalDirectory = true
|
||
}
|
||
if err := execenv.WriteGCMeta(result.EnvRoot, meta, taskLog); err != nil {
|
||
taskLog.Warn("write gc meta failed (non-fatal)", "error", err)
|
||
}
|
||
}
|
||
}
|
||
}
|
||
|
||
// acquireLocalDirectoryLockIfNeeded inspects the task's project resources for
|
||
// a local_directory pinned to this daemon, validates the path, and takes the
|
||
// path mutex. Returns a release callback (nil when no local_directory
|
||
// resource applies) and abort=true when the caller must bail without
|
||
// starting the task (the helper has already reported the failure to the
|
||
// server).
|
||
//
|
||
// The helper covers four distinct failure modes:
|
||
//
|
||
// 1. The project_resource JSON is structurally broken — fail the task fast.
|
||
// 2. The path fails validation (missing, not a directory, no R/W, system
|
||
// blacklist) — fail the task fast with a user-facing reason.
|
||
// 3. The mutex is held by another task — call MarkTaskWaitingLocalDirectory
|
||
// so the row flips to waiting_local_directory while we block on the
|
||
// lock, then return the release callback once we win.
|
||
// 4. The blocking wait is cancelled (daemon shutdown, server-side cancel)
|
||
// — fail the task with the ctx error.
|
||
func (d *Daemon) acquireLocalDirectoryLockIfNeeded(ctx context.Context, task Task, taskLog *slog.Logger) (release func(), abort bool) {
|
||
if len(task.ProjectResources) == 0 || d.cfg.DaemonID == "" {
|
||
return nil, false
|
||
}
|
||
assignment, err := findLocalDirectoryAssignment(task.ProjectResources, d.cfg.DaemonID)
|
||
if err != nil {
|
||
taskLog.Error("local_directory: resolve resource failed", "error", err)
|
||
if failErr := d.client.FailTask(ctx, task.ID, err.Error(), "", "", "local_directory_error"); failErr != nil {
|
||
taskLog.Error("fail task after local_directory resolve error", "error", failErr)
|
||
}
|
||
return nil, true
|
||
}
|
||
if assignment == nil {
|
||
return nil, false
|
||
}
|
||
taskLog = taskLog.With("local_directory", assignment.AbsPath)
|
||
if err := validateLocalPath(assignment.AbsPath); err != nil {
|
||
taskLog.Error("local_directory: path validation failed", "error", err)
|
||
if failErr := d.client.FailTask(ctx, task.ID, err.Error(), "", "", "local_directory_error"); failErr != nil {
|
||
taskLog.Error("fail task after local_directory validation error", "error", failErr)
|
||
}
|
||
return nil, true
|
||
}
|
||
|
||
// While the lock is contended the daemon would otherwise sit blocked on
|
||
// the path mutex with no signal back from the server — the main
|
||
// per-task watcher only starts after StartTask. If the user cancels
|
||
// the issue or it gets reassigned during the wait, we need to notice
|
||
// promptly so the daemon slot isn't pinned by a phantom waiter. We
|
||
// spin up the cancellation watcher lazily inside onWait so the
|
||
// no-contention fast path still costs nothing.
|
||
waitCtx, waitCancel := context.WithCancel(ctx)
|
||
defer waitCancel()
|
||
pollInterval := d.cancelPollInterval
|
||
if pollInterval == 0 {
|
||
pollInterval = 5 * time.Second
|
||
}
|
||
var (
|
||
watcherOnce sync.Once
|
||
cancelledByPoll <-chan struct{}
|
||
)
|
||
|
||
onWait := func(holder string) {
|
||
reason := fmt.Sprintf("local_directory %s", assignment.AbsPath)
|
||
if holder != "" {
|
||
reason = fmt.Sprintf("%s (held by task %s)", reason, shortID(holder))
|
||
}
|
||
taskLog.Info("local_directory: waiting on path mutex", "holder", shortID(holder))
|
||
if waitErr := d.client.MarkTaskWaitingLocalDirectory(ctx, task.ID, reason); waitErr != nil {
|
||
// Non-fatal: even if the server-side flag fails to update,
|
||
// we still want to block on the lock and proceed when free.
|
||
// The UI just won't see the explicit "waiting" badge.
|
||
taskLog.Warn("local_directory: mark waiting status failed", "error", waitErr)
|
||
}
|
||
// Start polling once we actually park. shouldInterruptAgent inside
|
||
// watchTaskCancellation already handles both server-side cancel
|
||
// (status=cancelled) and the row-deleted reassignment case (404),
|
||
// which is the full set of "this task shouldn't run anymore"
|
||
// signals we need to react to during the wait.
|
||
watcherOnce.Do(func() {
|
||
cancelledByPoll = d.watchTaskCancellation(waitCtx, task.ID, pollInterval, taskLog)
|
||
go func() {
|
||
select {
|
||
case <-cancelledByPoll:
|
||
waitCancel()
|
||
case <-waitCtx.Done():
|
||
}
|
||
}()
|
||
})
|
||
}
|
||
release, err = d.localPathLocks.Acquire(waitCtx, assignment.RealPath, task.ID, onWait)
|
||
if err != nil {
|
||
// If the wait was cut short because the server cancelled the task
|
||
// (or deleted the row), the row is already in a terminal state —
|
||
// return silently the same way the run-phase poller does at
|
||
// lines ~2104. Issuing FailTask here would be a no-op at best
|
||
// and a confusing redundant log line at worst.
|
||
if cancelledByPoll != nil {
|
||
select {
|
||
case <-cancelledByPoll:
|
||
taskLog.Info("local_directory: wait aborted by server-side cancel")
|
||
return nil, true
|
||
default:
|
||
}
|
||
}
|
||
taskLog.Error("local_directory: lock acquire failed", "error", err)
|
||
failureReason := "local_directory_error"
|
||
if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
|
||
failureReason = "cancelled"
|
||
}
|
||
if failErr := d.client.FailTask(ctx, task.ID, fmt.Sprintf("local_directory wait cancelled: %s", err.Error()), "", "", failureReason); failErr != nil {
|
||
taskLog.Error("fail task after local_directory lock cancel", "error", failErr)
|
||
}
|
||
return nil, true
|
||
}
|
||
taskLog.Info("local_directory: lock acquired")
|
||
return release, false
|
||
}
|
||
|
||
// reportTaskResult writes the final task disposition back to the server.
|
||
//
|
||
// Fail closed: only an explicit "completed" status is reported as success.
|
||
// Anything else — "blocked", "cancelled", or any future status we forget to
|
||
// enumerate — must go through FailTask, so a run that never produced a real
|
||
// result can never be displayed as "Completed" in the UI (e.g. provider 429 /
|
||
// out-of-credit / runtime crash). Forward SessionID/WorkDir on every path:
|
||
// the agent may have built a real session before getting stuck, and we want
|
||
// the next chat turn to resume there rather than start over and "forget"
|
||
// the conversation.
|
||
func (d *Daemon) reportTaskResult(ctx context.Context, taskID string, result TaskResult, taskLog *slog.Logger) {
|
||
switch result.Status {
|
||
case "completed":
|
||
taskLog.Info("task completed", "status", result.Status)
|
||
err := d.client.CompleteTask(ctx, taskID, result.Comment, result.BranchName, result.SessionID, result.WorkDir)
|
||
if err == nil {
|
||
return
|
||
}
|
||
// CompleteTask retries transient errors internally. A transient
|
||
// error reaching us here means the schedule was exhausted while
|
||
// the upstream was still 5xx / unreachable. Converting that into
|
||
// a fail would lose the agent's actual result and surface a
|
||
// misleading red badge in the UI — leave the task in running
|
||
// instead so a future fix (server-side stuck-task reaper, or a
|
||
// daemon-side persistent pending queue) can recover it. Only
|
||
// permanent server-side rejections (4xx other than 408/429)
|
||
// warrant the legacy fallback, because at that point the server
|
||
// has already refused this task and the only useful UI signal
|
||
// left is a concrete failure.
|
||
if isTransientError(err) {
|
||
taskLog.Error("complete task failed after retries; leaving task in running rather than falling back to fail", "error", err)
|
||
return
|
||
}
|
||
taskLog.Error("complete task rejected by server, falling back to fail", "error", err)
|
||
if failErr := d.client.FailTask(ctx, taskID, fmt.Sprintf("complete task failed: %s", err.Error()), result.SessionID, result.WorkDir, "agent_error"); failErr != nil {
|
||
taskLog.Error("fail task fallback also failed", "error", failErr)
|
||
}
|
||
default:
|
||
failureReason := result.FailureReason
|
||
if failureReason == "" {
|
||
if result.Status == "cancelled" {
|
||
failureReason = "cancelled"
|
||
} else {
|
||
failureReason = "agent_error"
|
||
}
|
||
}
|
||
taskLog.Info("task did not complete, reporting failure", "status", result.Status, "failure_reason", failureReason)
|
||
if err := d.client.FailTask(ctx, taskID, result.Comment, result.SessionID, result.WorkDir, failureReason); err != nil {
|
||
taskLog.Error("report failed task failed", "error", err)
|
||
}
|
||
}
|
||
}
|
||
|
||
// gcMetaForTask classifies a finished task and produces a GCMeta of the right
|
||
// kind. The discriminator order matters: a task carrying both an issue_id
|
||
// and a chat_session_id (theoretical, not produced today) should be treated
|
||
// as a chat task because the chat session is the longer-lived parent record.
|
||
//
|
||
// Returns ok=false when the task has no recognizable parent (e.g. an
|
||
// internal task with no IDs at all). The caller skips writing a meta file
|
||
// in that case so the directory falls back to mtime-based orphan cleanup.
|
||
func gcMetaForTask(task Task) (execenv.GCMeta, bool) {
|
||
meta := execenv.GCMeta{WorkspaceID: task.WorkspaceID}
|
||
switch {
|
||
case task.ChatSessionID != "":
|
||
meta.Kind = execenv.GCKindChat
|
||
meta.ChatSessionID = task.ChatSessionID
|
||
case task.AutopilotRunID != "":
|
||
meta.Kind = execenv.GCKindAutopilotRun
|
||
meta.AutopilotRunID = task.AutopilotRunID
|
||
case task.IssueID != "":
|
||
meta.Kind = execenv.GCKindIssue
|
||
meta.IssueID = task.IssueID
|
||
case task.QuickCreatePrompt != "":
|
||
// Quick-create tasks reach WriteGCMeta before the server runs
|
||
// LinkTaskToIssue, so IssueID is always empty here. Persist the
|
||
// task ID instead and let the GC loop ask the server for terminal
|
||
// state via the task gc-check endpoint.
|
||
meta.Kind = execenv.GCKindQuickCreate
|
||
meta.TaskID = task.ID
|
||
default:
|
||
return execenv.GCMeta{}, false
|
||
}
|
||
return meta, true
|
||
}
|
||
|
||
func providerNeedsInlineSystemPrompt(provider string) bool {
|
||
switch provider {
|
||
case "openclaw", "kiro", "kimi":
|
||
return true
|
||
default:
|
||
return false
|
||
}
|
||
}
|
||
|
||
func (d *Daemon) runTask(ctx context.Context, task Task, provider string, slot int, taskLog *slog.Logger) (TaskResult, error) {
|
||
// Refuse to spawn an agent without a workspace. An empty workspace_id
|
||
// here would make MULTICA_WORKSPACE_ID empty in the agent env, and the
|
||
// CLI would otherwise silently fall back to the user-global config — a
|
||
// path that can leak operations into an unrelated workspace when
|
||
// multiple workspaces share a host.
|
||
if task.WorkspaceID == "" {
|
||
return TaskResult{}, fmt.Errorf("refusing to spawn agent: task has no workspace_id (task_id=%s)", task.ID)
|
||
}
|
||
|
||
// task.Repos is the authoritative repo list for this task — when the
|
||
// claimed task belongs to a project with github_repo resources the server
|
||
// has already narrowed it to project repos only. Make sure those URLs are
|
||
// in the per-workspace allowlist and the local cache, otherwise
|
||
// `multica repo checkout` would reject project-only URLs that aren't also
|
||
// bound at the workspace level.
|
||
d.registerTaskRepos(task.WorkspaceID, task.Repos)
|
||
|
||
entry, ok := d.cfg.Agents[provider]
|
||
if !ok {
|
||
return TaskResult{}, fmt.Errorf("no agent configured for provider %q", provider)
|
||
}
|
||
|
||
agentName := "agent"
|
||
var agentID string
|
||
var skills []SkillData
|
||
var instructions string
|
||
if task.Agent != nil {
|
||
agentID = task.Agent.ID
|
||
agentName = task.Agent.Name
|
||
skills = task.Agent.Skills
|
||
instructions = task.Agent.Instructions
|
||
}
|
||
|
||
// Prepare isolated execution environment.
|
||
// Repos are passed as metadata only — the agent checks them out on demand
|
||
// via `multica repo checkout <url>`.
|
||
taskCtx := execenv.TaskContextForEnv{
|
||
IssueID: task.IssueID,
|
||
TriggerCommentID: task.TriggerCommentID,
|
||
NewCommentCount: task.NewCommentCount,
|
||
NewCommentsSince: task.NewCommentsSince,
|
||
PriorSessionResumed: task.PriorSessionID != "",
|
||
AgentID: agentID,
|
||
AgentName: agentName,
|
||
AgentInstructions: instructions,
|
||
AgentSkills: convertSkillsForEnv(skills),
|
||
Repos: convertReposForEnv(task.Repos),
|
||
ProjectID: task.ProjectID,
|
||
ProjectTitle: task.ProjectTitle,
|
||
ProjectResources: convertProjectResourcesForEnv(task.ProjectResources),
|
||
ChatSessionID: task.ChatSessionID,
|
||
AutopilotRunID: task.AutopilotRunID,
|
||
AutopilotID: task.AutopilotID,
|
||
AutopilotTitle: task.AutopilotTitle,
|
||
AutopilotDescription: task.AutopilotDescription,
|
||
AutopilotSource: task.AutopilotSource,
|
||
AutopilotTriggerPayload: strings.TrimSpace(string(task.AutopilotTriggerPayload)),
|
||
QuickCreatePrompt: task.QuickCreatePrompt,
|
||
IsSquadLeader: strings.Contains(instructions, "## Squad Operating Protocol"),
|
||
RequestingUserName: task.RequestingUserName,
|
||
RequestingUserProfileDescription: task.RequestingUserProfileDescription,
|
||
WorkspaceContext: task.WorkspaceContext,
|
||
}
|
||
|
||
// Mark candidate env roots as active before any env work so the GC loop
|
||
// can't reclaim artifacts inside them mid-execution. We mark both the
|
||
// predicted root for a fresh Prepare and the prior root for Reuse — they
|
||
// usually differ (Reuse keeps the original task's directory).
|
||
predictedRoot := execenv.PredictRootDir(d.cfg.WorkspacesRoot, task.WorkspaceID, task.ID)
|
||
d.markActiveEnvRoot(predictedRoot)
|
||
defer d.unmarkActiveEnvRoot(predictedRoot)
|
||
if task.PriorWorkDir != "" {
|
||
priorRoot := filepath.Dir(task.PriorWorkDir)
|
||
if priorRoot != predictedRoot {
|
||
d.markActiveEnvRoot(priorRoot)
|
||
defer d.unmarkActiveEnvRoot(priorRoot)
|
||
}
|
||
}
|
||
|
||
// Try to reuse the workdir from a previous task on the same (agent, issue) pair.
|
||
var env *execenv.Environment
|
||
codexVersion := d.agentVersion("codex")
|
||
openclawBin := ""
|
||
if provider == "openclaw" {
|
||
openclawBin = entry.Path
|
||
}
|
||
// Resolve any local_directory assignment again here so runTask can plumb
|
||
// LocalWorkDir into execenv. handleTask already validated + locked the
|
||
// path; this call is a pure JSON parse over the same task payload.
|
||
localAssignment, _ := findLocalDirectoryAssignment(task.ProjectResources, d.cfg.DaemonID)
|
||
// Reuse intentionally skipped for local_directory tasks: the prior
|
||
// WorkDir is the user's own path (always present) but the reuse path
|
||
// loses the envRoot association the GC loop needs, and re-running
|
||
// Prepare against a stable user path is cheap (no clone, no copy).
|
||
var agentMcpConfig json.RawMessage
|
||
if task.Agent != nil {
|
||
agentMcpConfig = task.Agent.McpConfig
|
||
}
|
||
if task.PriorWorkDir != "" && localAssignment == nil {
|
||
env = execenv.Reuse(execenv.ReuseParams{
|
||
WorkDir: task.PriorWorkDir,
|
||
Provider: provider,
|
||
CodexVersion: codexVersion,
|
||
OpenclawBin: openclawBin,
|
||
McpConfig: agentMcpConfig,
|
||
Task: taskCtx,
|
||
}, d.logger)
|
||
}
|
||
if env == nil {
|
||
var err error
|
||
prepParams := execenv.PrepareParams{
|
||
WorkspacesRoot: d.cfg.WorkspacesRoot,
|
||
WorkspaceID: task.WorkspaceID,
|
||
TaskID: task.ID,
|
||
AgentName: agentName,
|
||
Provider: provider,
|
||
CodexVersion: codexVersion,
|
||
OpenclawBin: openclawBin,
|
||
McpConfig: agentMcpConfig,
|
||
Task: taskCtx,
|
||
}
|
||
if localAssignment != nil {
|
||
prepParams.LocalWorkDir = localAssignment.AbsPath
|
||
}
|
||
env, err = execenv.Prepare(prepParams, d.logger)
|
||
if err != nil {
|
||
return TaskResult{}, fmt.Errorf("prepare execution environment: %w", err)
|
||
}
|
||
}
|
||
// Belt-and-suspenders: also mark whatever root we ended up with, in case
|
||
// future changes diverge from PredictRootDir.
|
||
if env.RootDir != predictedRoot && env.RootDir != "" {
|
||
d.markActiveEnvRoot(env.RootDir)
|
||
defer d.unmarkActiveEnvRoot(env.RootDir)
|
||
}
|
||
|
||
// Inject runtime-specific config (meta skill) so the agent discovers .agent_context/.
|
||
runtimeBrief, err := execenv.InjectRuntimeConfig(env.WorkDir, provider, taskCtx)
|
||
if err != nil {
|
||
d.logger.Warn("execenv: inject runtime config failed (non-fatal)", "error", err)
|
||
}
|
||
// Workdir is preserved for reuse by future tasks on the same (agent,
|
||
// issue) pair in cloud mode; the work_dir path is stored in DB on task
|
||
// completion and passed back via PriorWorkDir on the next claim, so
|
||
// rewriting the marker block in place is the right behavior.
|
||
//
|
||
// In local_directory mode the workdir is the user's own repo, reuse is
|
||
// already disabled above (see localAssignment == nil), and the brief
|
||
// would otherwise live on inside the user's repository — a subsequent
|
||
// manual `claude` / `codex` / `gemini` run in that directory would pick
|
||
// up stale Multica instructions (issue id, trigger comment id, reply
|
||
// rules) and start acting on the previous task's context. Excise the
|
||
// marker block on the way out instead.
|
||
if env.LocalDirectory {
|
||
defer func() {
|
||
if cerr := execenv.CleanupRuntimeConfig(env.WorkDir, provider); cerr != nil {
|
||
d.logger.Warn("execenv: cleanup runtime config failed (non-fatal)", "error", cerr)
|
||
}
|
||
// Excise the sidecar tree (.agent_context/, .multica/,
|
||
// provider-specific .claude/skills/ etc.) that Prepare wrote
|
||
// into the user's repo. Without this pass the user's tree
|
||
// accumulates one directory layer per task — see MUL-2784.
|
||
// CleanupRuntimeConfig handles the runtime brief inside
|
||
// CLAUDE.md / AGENTS.md / GEMINI.md; CleanupSidecars handles
|
||
// every other file Prepare placed under WorkDir. Together
|
||
// they round-trip the workdir to its exact pre-task bytes.
|
||
if cerr := execenv.CleanupSidecars(env.RootDir); cerr != nil {
|
||
d.logger.Warn("execenv: cleanup sidecars failed (non-fatal)", "error", cerr)
|
||
}
|
||
}()
|
||
}
|
||
|
||
prompt := BuildPrompt(task, provider)
|
||
|
||
// Pass the daemon's auth credentials and context so the spawned agent CLI
|
||
// can call the Multica API and the local daemon (e.g. `multica repo checkout`).
|
||
// MULTICA_TASK_SLOT is allocated from the daemon-wide concurrency pool, not
|
||
// per-agent. When one daemon hosts multiple agents, slots index shared
|
||
// daemon-level resources such as GPUs.
|
||
// MULTICA_TOKEN is the credential the agent process will use to call the
|
||
// Multica API. Prefer the task-scoped token the server minted at claim
|
||
// time — that token is bound to (agent, task) and the auth middleware
|
||
// rejects it on owner-only endpoints (e.g. `/api/agents/{id}/env`), so
|
||
// the agent cannot use it to read another agent's secrets. Falls back
|
||
// to the daemon's own credential only when the server returned no
|
||
// auth_token (older server, or cloud / system runtime with no owner) —
|
||
// in that legacy mode lateral-movement protection relies on the
|
||
// runtime not handing the daemon a workspace-owner PAT in the first
|
||
// place. See MUL-2600.
|
||
agentToken := task.AuthToken
|
||
if agentToken == "" {
|
||
agentToken = d.client.Token()
|
||
}
|
||
agentEnv := map[string]string{
|
||
"MULTICA_TOKEN": agentToken,
|
||
"MULTICA_SERVER_URL": d.cfg.ServerBaseURL,
|
||
"MULTICA_DAEMON_PORT": fmt.Sprintf("%d", d.cfg.HealthPort),
|
||
"MULTICA_WORKSPACE_ID": task.WorkspaceID,
|
||
"MULTICA_AGENT_NAME": agentName,
|
||
"MULTICA_AGENT_ID": task.AgentID,
|
||
"MULTICA_TASK_ID": task.ID,
|
||
"MULTICA_TASK_SLOT": strconv.Itoa(slot),
|
||
}
|
||
if task.AutopilotRunID != "" {
|
||
agentEnv["MULTICA_AUTOPILOT_RUN_ID"] = task.AutopilotRunID
|
||
}
|
||
if task.AutopilotID != "" {
|
||
agentEnv["MULTICA_AUTOPILOT_ID"] = task.AutopilotID
|
||
}
|
||
// Quick-create marker — when set, the multica CLI's `issue create`
|
||
// command stamps the new issue with origin_type=quick_create +
|
||
// origin_id=<task_id> so the completion handler can find it
|
||
// deterministically (see GetIssueByOrigin).
|
||
if task.QuickCreatePrompt != "" {
|
||
agentEnv["MULTICA_QUICK_CREATE_TASK_ID"] = task.ID
|
||
}
|
||
// Ensure the multica CLI is on PATH inside the agent's environment.
|
||
// Some runtimes (e.g. Codex) run in an isolated sandbox that may not
|
||
// inherit the daemon's PATH. Prepend the directory of the running
|
||
// multica binary so that `multica` commands in the agent always resolve.
|
||
if selfBin, err := os.Executable(); err == nil {
|
||
binDir := filepath.Dir(selfBin)
|
||
agentEnv["PATH"] = binDir + string(os.PathListSeparator) + os.Getenv("PATH")
|
||
}
|
||
// Point Codex to the per-task CODEX_HOME so it discovers skills natively
|
||
// without polluting the system ~/.codex/skills/.
|
||
if env.CodexHome != "" {
|
||
agentEnv["CODEX_HOME"] = env.CodexHome
|
||
}
|
||
// Point OpenClaw at the per-task synthesized config. The config pins
|
||
// agents.defaults.workspace (and any agents.list[].workspace) to the
|
||
// task workdir, so the CLI's native skill scanner picks up the per-task
|
||
// skills written under {workDir}/skills/. Falls back silently when the
|
||
// preparer didn't run (non-openclaw provider, or write failure).
|
||
if env.OpenclawConfigPath != "" {
|
||
agentEnv["OPENCLAW_CONFIG_PATH"] = env.OpenclawConfigPath
|
||
}
|
||
// Grant the wrapper config permission to $include the user's active
|
||
// config across directories. OpenClaw's $include defaults to confining
|
||
// resolution to the wrapper's own directory; without this, the
|
||
// wrapper-out-of-envRoot $include into ~/.openclaw/openclaw.json is
|
||
// rejected and the run boots with no user-registered agents.
|
||
if rootsValue, ok := composeOpenclawIncludeRoots(env.OpenclawIncludeRoot, os.Getenv("OPENCLAW_INCLUDE_ROOTS")); ok {
|
||
agentEnv["OPENCLAW_INCLUDE_ROOTS"] = rootsValue
|
||
}
|
||
// Inject user-configured custom environment variables (e.g. ANTHROPIC_API_KEY,
|
||
// ANTHROPIC_BASE_URL for router/proxy mode, or CLAUDE_CODE_USE_BEDROCK for
|
||
// Bedrock). These are set per-agent via the agent settings UI.
|
||
// Critical internal variables are blocklisted to prevent accidental or
|
||
// malicious override of daemon-set values.
|
||
if task.Agent != nil {
|
||
for k, v := range task.Agent.CustomEnv {
|
||
if isBlockedEnvKey(k) {
|
||
d.logger.Warn("custom_env: blocked key skipped", "key", k)
|
||
continue
|
||
}
|
||
agentEnv[k] = v
|
||
}
|
||
}
|
||
backend, err := agent.New(provider, agent.Config{
|
||
ExecutablePath: entry.Path,
|
||
Env: agentEnv,
|
||
Logger: d.logger,
|
||
})
|
||
if err != nil {
|
||
return TaskResult{}, fmt.Errorf("create agent backend: %w", err)
|
||
}
|
||
|
||
reused := task.PriorWorkDir != "" && env.WorkDir == task.PriorWorkDir
|
||
taskLog.Info("starting agent",
|
||
"provider", provider,
|
||
"workdir", env.WorkDir,
|
||
"model", entry.Model,
|
||
"reused", reused,
|
||
)
|
||
if task.PriorSessionID != "" {
|
||
taskLog.Info("resuming session", "session_id", task.PriorSessionID)
|
||
}
|
||
|
||
taskStart := time.Now()
|
||
|
||
var customArgs []string
|
||
extraArgs := defaultArgsForProvider(d.cfg, provider)
|
||
var mcpConfig json.RawMessage
|
||
if task.Agent != nil {
|
||
customArgs = task.Agent.CustomArgs
|
||
mcpConfig = task.Agent.McpConfig
|
||
}
|
||
// Two-tier model resolution: an explicit agent.model wins,
|
||
// then the daemon-wide MULTICA_<PROVIDER>_MODEL env var. If
|
||
// both are empty we deliberately pass "" through — each
|
||
// backend omits `--model` from the CLI invocation, so the
|
||
// provider picks its own default (Claude Code's shipped
|
||
// default, codex app-server's account-scoped default, etc.).
|
||
// Baking a Go-side "recommended default" here is how the
|
||
// cursor regression happened — static guesses drift from
|
||
// whatever the upstream CLI actually accepts.
|
||
model := ""
|
||
if task.Agent != nil && task.Agent.Model != "" {
|
||
model = task.Agent.Model
|
||
}
|
||
if model == "" {
|
||
model = entry.Model
|
||
}
|
||
thinkingLevel := ""
|
||
if task.Agent != nil {
|
||
thinkingLevel = task.Agent.ThinkingLevel
|
||
}
|
||
// Per-model guard: the server validates the literal token against the
|
||
// provider's enum, but per-model gaps (Claude's `xhigh` on a non-Opus
|
||
// model, Codex's per-model `supported_reasoning_levels`) only resolve
|
||
// here, against the daemon's local CLI catalog. Invalid combinations
|
||
// log a warning and drop the level rather than failing the task, so a
|
||
// stale persisted value never blocks execution. Empty model is passed
|
||
// through unchanged — ValidateThinkingLevel resolves it to the
|
||
// provider's default model internally so default-model tasks aren't
|
||
// misjudged. Discovery errors fail open: if we can't list models, we
|
||
// keep the persisted level and let the CLI surface any objection.
|
||
if thinkingLevel != "" {
|
||
ok, err := agent.ValidateThinkingLevel(ctx, provider, entry.Path, model, thinkingLevel)
|
||
if err != nil {
|
||
taskLog.Warn("thinking_level: catalog lookup failed; passing through",
|
||
"provider", provider,
|
||
"model", model,
|
||
"thinking_level", thinkingLevel,
|
||
"error", err,
|
||
)
|
||
} else if !ok {
|
||
taskLog.Warn("thinking_level: not valid for this (provider, model); skipping injection",
|
||
"provider", provider,
|
||
"model", model,
|
||
"thinking_level", thinkingLevel,
|
||
)
|
||
thinkingLevel = ""
|
||
}
|
||
}
|
||
execOpts := agent.ExecOptions{
|
||
Cwd: env.WorkDir,
|
||
Model: model,
|
||
Timeout: d.cfg.AgentTimeout,
|
||
SemanticInactivityTimeout: d.cfg.CodexSemanticInactivityTimeout,
|
||
ResumeSessionID: task.PriorSessionID,
|
||
ExtraArgs: extraArgs,
|
||
CustomArgs: customArgs,
|
||
McpConfig: mcpConfig,
|
||
ThinkingLevel: thinkingLevel,
|
||
}
|
||
// Some providers do not reliably load the per-task runtime config files we
|
||
// write into the task workdir:
|
||
// - openclaw is pinned to the task workdir via the per-task config we
|
||
// synthesize (see prepareOpenclawConfig), so AGENTS.md / .agent_context/
|
||
// in the workdir ARE picked up by the CLI. Inline injection is retained
|
||
// as a belt-and-suspenders for older openclaw releases until that load
|
||
// path stabilises in production; remove this once a release tracks the
|
||
// workdir bootstrap reliably end-to-end.
|
||
// - kiro and kimi are wrapped through their own CLIs whose cwd handling
|
||
// is opaque enough that we can't trust the file-based path either.
|
||
// Pass the full runtime brief inline (CLI catalog + workflow steps + agent
|
||
// identity/persona + skills + project context) so the backend prepends the
|
||
// same payload that file-based runtimes pick up from disk. Without this,
|
||
// these providers silently miss the workflow section and never call
|
||
// `multica issue status` / `multica issue comment add`, leaving issues
|
||
// stuck in `todo`.
|
||
//
|
||
// Hermes is intentionally excluded: ACP sessions start in the task cwd and
|
||
// Hermes loads AGENTS.md / .agent_context itself. Prepending the full runtime
|
||
// brief into the ACP user prompt duplicates that context, bloats every turn,
|
||
// and has triggered upstream safety filters on harmless tasks.
|
||
if providerNeedsInlineSystemPrompt(provider) {
|
||
execOpts.SystemPrompt = runtimeBrief
|
||
}
|
||
|
||
taskLog.Debug("invoking backend",
|
||
"provider", provider,
|
||
"model", model,
|
||
"prompt_bytes", len(prompt),
|
||
"custom_args", len(customArgs),
|
||
"extra_args", len(extraArgs),
|
||
"mcp_config", len(mcpConfig) > 0,
|
||
"inline_system_prompt", execOpts.SystemPrompt != "",
|
||
"resume_session", execOpts.ResumeSessionID != "",
|
||
"timeout", execOpts.Timeout,
|
||
)
|
||
|
||
result, tools, err := d.executeAndDrain(ctx, backend, prompt, execOpts, taskLog, task.ID)
|
||
if err != nil {
|
||
return TaskResult{}, err
|
||
}
|
||
|
||
// Fallback: if session resume failed before establishing a session, retry
|
||
// with a fresh session. We check SessionID == "" to distinguish a resume
|
||
// failure (no session established) from a failure during actual execution.
|
||
if result.Status == "failed" && task.PriorSessionID != "" && result.SessionID == "" {
|
||
firstUsage := result.Usage
|
||
taskLog.Warn("session resume failed, retrying with fresh session", "error", result.Error)
|
||
execOpts.ResumeSessionID = ""
|
||
retryResult, retryTools, retryErr := d.executeAndDrain(ctx, backend, prompt, execOpts, taskLog, task.ID)
|
||
if retryErr != nil {
|
||
taskLog.Error("fresh session also failed to start", "error", retryErr)
|
||
} else {
|
||
result = retryResult
|
||
result.Usage = mergeUsage(firstUsage, result.Usage)
|
||
tools = retryTools
|
||
}
|
||
}
|
||
|
||
elapsed := time.Since(taskStart).Round(time.Second)
|
||
taskLog.Info("agent finished",
|
||
"status", result.Status,
|
||
"duration", elapsed.String(),
|
||
"tools", tools,
|
||
)
|
||
taskLog.Debug("agent result detail",
|
||
"status", result.Status,
|
||
"output_bytes", len(result.Output),
|
||
"session_id", result.SessionID,
|
||
"models_with_usage", len(result.Usage),
|
||
"agent_error", result.Error,
|
||
)
|
||
|
||
// Convert agent usage map to task usage entries.
|
||
var usageEntries []TaskUsageEntry
|
||
for model, u := range result.Usage {
|
||
if u.InputTokens == 0 && u.OutputTokens == 0 && u.CacheReadTokens == 0 && u.CacheWriteTokens == 0 {
|
||
continue
|
||
}
|
||
usageEntries = append(usageEntries, TaskUsageEntry{
|
||
Provider: provider,
|
||
Model: model,
|
||
InputTokens: u.InputTokens,
|
||
OutputTokens: u.OutputTokens,
|
||
CacheReadTokens: u.CacheReadTokens,
|
||
CacheWriteTokens: u.CacheWriteTokens,
|
||
})
|
||
}
|
||
|
||
switch result.Status {
|
||
case "completed":
|
||
if result.Output == "" {
|
||
// The agent completed successfully but produced no text output.
|
||
// This is valid — the agent may have done all its work via tool
|
||
// calls (e.g. posting comments via CLI, pushing code). Treat as
|
||
// a normal completion so the task is not incorrectly marked as
|
||
// blocked.
|
||
return TaskResult{
|
||
Status: "completed",
|
||
Comment: "",
|
||
SessionID: result.SessionID,
|
||
WorkDir: env.WorkDir,
|
||
EnvRoot: env.RootDir,
|
||
Usage: usageEntries,
|
||
}, nil
|
||
}
|
||
// Detect "poisoned" terminal output: the agent didn't reach a real
|
||
// conclusion but emitted a known fallback marker (iteration limit,
|
||
// fallback meta message). Route through the blocked path with a
|
||
// specific failure_reason so the server can exclude this session
|
||
// from the (agent_id, issue_id) resume lookup — otherwise a manual
|
||
// rerun would inherit the same poisoned session and reproduce the
|
||
// same bad output.
|
||
if reason, ok := classifyPoisonedOutput(result.Output); ok {
|
||
taskLog.Warn("agent finished with poisoned fallback output, classifying as blocked",
|
||
"failure_reason", reason,
|
||
)
|
||
return TaskResult{
|
||
Status: "blocked",
|
||
Comment: result.Output,
|
||
SessionID: result.SessionID,
|
||
WorkDir: env.WorkDir,
|
||
EnvRoot: env.RootDir,
|
||
Usage: usageEntries,
|
||
FailureReason: reason,
|
||
}, nil
|
||
}
|
||
return TaskResult{
|
||
Status: "completed",
|
||
Comment: result.Output,
|
||
SessionID: result.SessionID,
|
||
WorkDir: env.WorkDir,
|
||
EnvRoot: env.RootDir,
|
||
Usage: usageEntries,
|
||
}, nil
|
||
case "timeout":
|
||
// Surface session_id/work_dir so the chat resume pointer is kept
|
||
// in sync even when the agent times out after building a session.
|
||
// We mark as "blocked" (not a hard error return) so handleTask
|
||
// goes through the FailTask path that forwards session info.
|
||
comment := result.Error
|
||
if comment == "" {
|
||
comment = fmt.Sprintf("%s timed out after %s", provider, d.cfg.AgentTimeout)
|
||
}
|
||
failureReason := "timeout"
|
||
if reason, ok := classifyResumeUnsafeTimeout(provider, comment); ok {
|
||
taskLog.Warn("agent timed out with resume-unsafe session, classifying as blocked",
|
||
"failure_reason", reason,
|
||
)
|
||
failureReason = reason
|
||
}
|
||
return TaskResult{
|
||
Status: "blocked",
|
||
Comment: comment,
|
||
SessionID: result.SessionID,
|
||
WorkDir: env.WorkDir,
|
||
EnvRoot: env.RootDir,
|
||
FailureReason: failureReason,
|
||
Usage: usageEntries,
|
||
}, nil
|
||
case "idle_watchdog":
|
||
// The idle watchdog force-stopped the run because the backend
|
||
// went silent (e.g. claude blocked on a tool call against a
|
||
// frozen child process). Route through the blocked path with a
|
||
// dedicated failure_reason so the run leaves "running" state and
|
||
// operators can tell idle-stop apart from a real timeout.
|
||
comment := result.Error
|
||
if comment == "" {
|
||
comment = idleWatchdogReason(d.cfg.AgentIdleWatchdog)
|
||
}
|
||
return TaskResult{
|
||
Status: "blocked",
|
||
Comment: comment,
|
||
SessionID: result.SessionID,
|
||
WorkDir: env.WorkDir,
|
||
EnvRoot: env.RootDir,
|
||
FailureReason: "idle_watchdog",
|
||
Usage: usageEntries,
|
||
}, nil
|
||
case "cancelled":
|
||
// Server cancelled the task (e.g. issue reassignment, user cancel).
|
||
// handleTask's cancelledByPoll branch already discards this result,
|
||
// so this case is mainly defensive — and preserves the "cancelled"
|
||
// status string for the "agent finished" log line so operators can
|
||
// distinguish "task cancelled by server" from a real timeout.
|
||
return TaskResult{
|
||
Status: "cancelled",
|
||
Comment: "task cancelled by server",
|
||
SessionID: result.SessionID,
|
||
WorkDir: env.WorkDir,
|
||
EnvRoot: env.RootDir,
|
||
Usage: usageEntries,
|
||
}, nil
|
||
default:
|
||
errMsg := result.Error
|
||
if errMsg == "" {
|
||
errMsg = fmt.Sprintf("%s execution %s", provider, result.Status)
|
||
}
|
||
// Forward SessionID/WorkDir on the blocked path: backends commonly
|
||
// emit a real session_id before failing (rate-limit, tool error,
|
||
// model reject, …). Without this the chat_session resume pointer
|
||
// would either be left stale or overwritten with NULL on the
|
||
// server, causing the next chat turn to lose context.
|
||
//
|
||
// Classify upstream API 400 invalid_request_error failures with a
|
||
// dedicated failure_reason so GetLastTaskSession excludes the
|
||
// task from the (agent_id, issue_id) resume lookup. Without this
|
||
// classifier a corrupt image or oversized payload baked into the
|
||
// conversation permanently blocks the issue: every follow-up
|
||
// task resumes the same poisoned session and hits the same 400.
|
||
failureReason, _ := classifyPoisonedError(errMsg)
|
||
if failureReason != "" {
|
||
taskLog.Warn("agent failed with poisoned API error, classifying as blocked",
|
||
"failure_reason", failureReason,
|
||
)
|
||
}
|
||
return TaskResult{
|
||
Status: "blocked",
|
||
Comment: errMsg,
|
||
SessionID: result.SessionID,
|
||
WorkDir: env.WorkDir,
|
||
EnvRoot: env.RootDir,
|
||
Usage: usageEntries,
|
||
FailureReason: failureReason,
|
||
}, nil
|
||
}
|
||
}
|
||
|
||
// executeAndDrain runs a backend, drains its message stream (forwarding to the
|
||
// server), and waits for the final result.
|
||
func (d *Daemon) executeAndDrain(ctx context.Context, backend agent.Backend, prompt string, opts agent.ExecOptions, taskLog *slog.Logger, taskID string) (agent.Result, int32, error) {
|
||
// Wrap the caller's ctx so the idle watchdog (below) can interrupt both
|
||
// the agent subprocess (via the ctx passed to backend.Execute) AND the
|
||
// drain loop with a single cancel. Without this layer the backend would
|
||
// stay tied to the parent ctx and our cancellation could only abort
|
||
// drain, leaving the subprocess running.
|
||
agentCtx, agentCancel := context.WithCancel(ctx)
|
||
defer agentCancel()
|
||
|
||
session, err := backend.Execute(agentCtx, prompt, opts)
|
||
if err != nil {
|
||
taskLog.Debug("backend execute returned error", "error", err)
|
||
return agent.Result{}, 0, err
|
||
}
|
||
taskLog.Debug("backend started, draining messages")
|
||
|
||
// Create an independent drain deadline so we don't block forever if the
|
||
// backend's internal timeout fails to produce a Result (e.g. scanner
|
||
// stuck on a hung stdout pipe). The extra 30 s gives the backend time
|
||
// to clean up after its own timeout fires.
|
||
drainTimeout := opts.Timeout + 30*time.Second
|
||
if opts.Timeout == 0 {
|
||
drainTimeout = 21 * time.Minute
|
||
}
|
||
drainCtx, drainCancel := context.WithTimeout(agentCtx, drainTimeout)
|
||
defer drainCancel()
|
||
|
||
var toolCount atomic.Int32
|
||
// lastActivityAt records (as unix nanos) when the drain loop most
|
||
// recently received a message from the backend. The idle watchdog
|
||
// reads this to decide whether the agent has gone silent for too long.
|
||
// Initialise to the start so a backend that never emits a single
|
||
// message also trips the watchdog.
|
||
var lastActivityAt atomic.Int64
|
||
lastActivityAt.Store(time.Now().UnixNano())
|
||
// inFlightTools counts tool_use messages that haven't yet been paired
|
||
// with a matching tool_result. A non-zero count means the agent is
|
||
// legitimately waiting on a tool (e.g. `npm install`, `docker build`)
|
||
// that may run far longer than the idle window without emitting any
|
||
// message — so the watchdog must not interpret that silence as a hang.
|
||
var inFlightTools atomic.Int32
|
||
var idleWatchdogFired atomic.Bool
|
||
idleWindow := d.cfg.AgentIdleWatchdog
|
||
if idleWindow > 0 {
|
||
go d.runIdleWatchdog(agentCtx, idleWindow, &lastActivityAt, &inFlightTools, &idleWatchdogFired, agentCancel, session.Messages, taskLog, taskID)
|
||
}
|
||
|
||
go func() {
|
||
var seq atomic.Int32
|
||
var mu sync.Mutex
|
||
var pendingText strings.Builder
|
||
var pendingThinking strings.Builder
|
||
var batch []TaskMessageData
|
||
callIDToTool := map[string]string{}
|
||
|
||
flush := func() {
|
||
mu.Lock()
|
||
if pendingThinking.Len() > 0 {
|
||
s := seq.Add(1)
|
||
batch = append(batch, TaskMessageData{
|
||
Seq: int(s),
|
||
Type: "thinking",
|
||
Content: pendingThinking.String(),
|
||
})
|
||
pendingThinking.Reset()
|
||
}
|
||
if pendingText.Len() > 0 {
|
||
s := seq.Add(1)
|
||
batch = append(batch, TaskMessageData{
|
||
Seq: int(s),
|
||
Type: "text",
|
||
Content: pendingText.String(),
|
||
})
|
||
pendingText.Reset()
|
||
}
|
||
toSend := batch
|
||
batch = nil
|
||
mu.Unlock()
|
||
|
||
if len(toSend) > 0 {
|
||
sendCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
||
if err := d.client.ReportTaskMessages(sendCtx, taskID, toSend); err != nil {
|
||
taskLog.Debug("failed to report task messages", "error", err)
|
||
} else {
|
||
taskLog.Debug("reported task messages", "count", len(toSend), "last_seq", toSend[len(toSend)-1].Seq)
|
||
}
|
||
cancel()
|
||
}
|
||
}
|
||
|
||
ticker := time.NewTicker(500 * time.Millisecond)
|
||
defer ticker.Stop()
|
||
|
||
done := make(chan struct{})
|
||
go func() {
|
||
for {
|
||
select {
|
||
case <-ticker.C:
|
||
flush()
|
||
case <-done:
|
||
return
|
||
}
|
||
}
|
||
}()
|
||
|
||
var sessionPinned atomic.Bool
|
||
for {
|
||
select {
|
||
case msg, ok := <-session.Messages:
|
||
if !ok {
|
||
goto drainDone
|
||
}
|
||
// Stamp activity as soon as a message lands. The idle
|
||
// watchdog reads this to decide whether the backend has
|
||
// gone silent — stamping before processing makes sure a
|
||
// slow downstream call (mu.Lock contention, batch resize)
|
||
// can't be misattributed to backend silence.
|
||
lastActivityAt.Store(time.Now().UnixNano())
|
||
switch msg.Type {
|
||
case agent.MessageStatus:
|
||
// Persist the session/work_dir as soon as the backend
|
||
// reveals them. Without this, a daemon crash mid-run
|
||
// loses the resume pointer and the auto-retry fires
|
||
// without context.
|
||
if msg.SessionID != "" && !sessionPinned.Swap(true) {
|
||
sid := msg.SessionID
|
||
wd := opts.Cwd
|
||
go func() {
|
||
pinCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
||
defer cancel()
|
||
if err := d.client.PinTaskSession(pinCtx, taskID, sid, wd); err != nil {
|
||
taskLog.Debug("pin session failed", "error", err)
|
||
}
|
||
}()
|
||
}
|
||
case agent.MessageToolUse:
|
||
n := toolCount.Add(1)
|
||
inFlightTools.Add(1)
|
||
taskLog.Info(fmt.Sprintf("tool #%d: %s", n, msg.Tool))
|
||
if msg.CallID != "" {
|
||
mu.Lock()
|
||
callIDToTool[msg.CallID] = msg.Tool
|
||
mu.Unlock()
|
||
}
|
||
s := seq.Add(1)
|
||
mu.Lock()
|
||
batch = append(batch, TaskMessageData{
|
||
Seq: int(s),
|
||
Type: "tool_use",
|
||
Tool: msg.Tool,
|
||
Input: msg.Input,
|
||
})
|
||
mu.Unlock()
|
||
case agent.MessageToolResult:
|
||
// Decrement only when the count would stay >= 0. A stray
|
||
// tool_result with no matching tool_use (backend bug or
|
||
// reconnect mid-stream) shouldn't push the counter
|
||
// negative — that would re-arm the watchdog one tool_use
|
||
// too early on the next call.
|
||
for {
|
||
cur := inFlightTools.Load()
|
||
if cur <= 0 {
|
||
break
|
||
}
|
||
if inFlightTools.CompareAndSwap(cur, cur-1) {
|
||
break
|
||
}
|
||
}
|
||
s := seq.Add(1)
|
||
output := msg.Output
|
||
if len(output) > 8192 {
|
||
output = output[:8192]
|
||
}
|
||
toolName := msg.Tool
|
||
if toolName == "" && msg.CallID != "" {
|
||
mu.Lock()
|
||
toolName = callIDToTool[msg.CallID]
|
||
mu.Unlock()
|
||
}
|
||
taskLog.Info("tool_result observed", "seq", s, "tool", toolName, "call_id", msg.CallID)
|
||
mu.Lock()
|
||
batch = append(batch, TaskMessageData{
|
||
Seq: int(s),
|
||
Type: "tool_result",
|
||
Tool: toolName,
|
||
Output: output,
|
||
})
|
||
mu.Unlock()
|
||
case agent.MessageThinking:
|
||
if msg.Content != "" {
|
||
mu.Lock()
|
||
pendingThinking.WriteString(msg.Content)
|
||
mu.Unlock()
|
||
}
|
||
case agent.MessageText:
|
||
if msg.Content != "" {
|
||
taskLog.Debug("agent", "text", truncateLog(msg.Content, 200))
|
||
mu.Lock()
|
||
pendingText.WriteString(msg.Content)
|
||
mu.Unlock()
|
||
}
|
||
case agent.MessageError:
|
||
taskLog.Error("agent error", "content", msg.Content)
|
||
s := seq.Add(1)
|
||
mu.Lock()
|
||
batch = append(batch, TaskMessageData{
|
||
Seq: int(s),
|
||
Type: "error",
|
||
Content: msg.Content,
|
||
})
|
||
mu.Unlock()
|
||
}
|
||
case <-drainCtx.Done():
|
||
goto drainDone
|
||
}
|
||
}
|
||
drainDone:
|
||
close(done)
|
||
flush()
|
||
}()
|
||
|
||
select {
|
||
case result := <-session.Result:
|
||
if idleWatchdogFired.Load() {
|
||
// The backend's wait goroutine (e.g. claude.go) translates the
|
||
// SIGKILL we delivered via agentCancel into Status="aborted".
|
||
// Re-tag it as "idle_watchdog" so runTask routes the
|
||
// disposition through a dedicated failure_reason, not the
|
||
// generic "agent_error" bucket the aborted path falls into.
|
||
result.Status = "idle_watchdog"
|
||
if result.Error == "" {
|
||
result.Error = idleWatchdogReason(idleWindow)
|
||
}
|
||
}
|
||
return result, toolCount.Load(), nil
|
||
case <-drainCtx.Done():
|
||
// Idle watchdog cancels via agentCancel(), which propagates here as
|
||
// context.Canceled. Check this BEFORE the generic cancelled/timeout
|
||
// classifiers so a watchdog-induced stop isn't misreported as
|
||
// "task cancelled by server".
|
||
if idleWatchdogFired.Load() {
|
||
return agent.Result{
|
||
Status: "idle_watchdog",
|
||
Error: idleWatchdogReason(idleWindow),
|
||
}, toolCount.Load(), nil
|
||
}
|
||
// Distinguish external cancellation (e.g. server-initiated cancel
|
||
// because the issue was reassigned, or the user invoked CancelTask)
|
||
// from genuine drain-deadline timeouts. context.Canceled means the
|
||
// upstream runCtx fired runCancel(); context.DeadlineExceeded is the
|
||
// drain deadline expiring on its own.
|
||
if errors.Is(drainCtx.Err(), context.Canceled) {
|
||
return agent.Result{
|
||
Status: "cancelled",
|
||
Error: "task cancelled by upstream context (server cancel or daemon shutdown)",
|
||
}, toolCount.Load(), nil
|
||
}
|
||
return agent.Result{
|
||
Status: "timeout",
|
||
Error: "agent did not produce result within drain timeout",
|
||
}, toolCount.Load(), nil
|
||
}
|
||
}
|
||
|
||
// idleWatchdogReason formats the human-facing explanation surfaced on
|
||
// idle_watchdog dispositions. Centralised so the result-arrival branch and the
|
||
// drain-timeout branch in executeAndDrain emit identical wording.
|
||
func idleWatchdogReason(window time.Duration) string {
|
||
return fmt.Sprintf("agent produced no new messages for %s and message queue was empty; force-stopped by idle watchdog", window)
|
||
}
|
||
|
||
// runIdleWatchdog ticks until either agentCtx is cancelled or the backend has
|
||
// been silent for at least window with no in-flight tool call. On firing, it
|
||
// sets fired and calls cancel, which propagates to the agent subprocess (via
|
||
// the ctx passed to backend.Execute) and to drainCtx. The check requires:
|
||
//
|
||
// 1. inFlightTools == 0 — the backend has emitted a tool_use whose
|
||
// matching tool_result hasn't arrived yet, meaning a real tool (e.g.
|
||
// `npm install`, `docker build`) is legitimately running. Long tool
|
||
// calls produce no messages between use and result; killing here would
|
||
// yank the agent mid-build. AND
|
||
// 2. time since lastActivityAt exceeds window — the drain loop is single
|
||
// reader, so a stale stamp means no message has actually arrived; AND
|
||
// 3. session.Messages buffer is empty — defensive against a hypothetical
|
||
// drain stall where unprocessed messages would still imply progress.
|
||
//
|
||
// Tick interval is window/2 (floored at 30 s in production, but the floor only
|
||
// kicks in for windows >= 1 min so tests can pass tiny windows like 50 ms and
|
||
// see the watchdog fire within a few ticks).
|
||
func (d *Daemon) runIdleWatchdog(agentCtx context.Context, window time.Duration, lastActivityAt *atomic.Int64, inFlightTools *atomic.Int32, fired *atomic.Bool, cancel context.CancelFunc, messages <-chan agent.Message, taskLog *slog.Logger, taskID string) {
|
||
interval := window / 2
|
||
if window >= time.Minute && interval < 30*time.Second {
|
||
interval = 30 * time.Second
|
||
}
|
||
if interval <= 0 {
|
||
interval = window
|
||
}
|
||
ticker := time.NewTicker(interval)
|
||
defer ticker.Stop()
|
||
for {
|
||
select {
|
||
case <-agentCtx.Done():
|
||
return
|
||
case <-ticker.C:
|
||
// In-flight tool call: the agent has emitted tool_use and
|
||
// the corresponding tool_result hasn't landed yet. A long
|
||
// build/install/test can sit here silently for many minutes
|
||
// — that is forward progress, not a hang.
|
||
if inFlightTools.Load() > 0 {
|
||
continue
|
||
}
|
||
last := time.Unix(0, lastActivityAt.Load())
|
||
idleFor := time.Since(last)
|
||
if idleFor < window {
|
||
continue
|
||
}
|
||
// A buffered-but-undrained message means the drain loop is
|
||
// behind, not the backend. Wait one more tick rather than
|
||
// killing a backend that is still producing output.
|
||
if len(messages) > 0 {
|
||
continue
|
||
}
|
||
taskLog.Warn("idle watchdog firing: no agent activity, force-stopping run",
|
||
"task", shortID(taskID),
|
||
"idle_for", idleFor.Round(time.Second).String(),
|
||
"threshold", window.String(),
|
||
)
|
||
fired.Store(true)
|
||
cancel()
|
||
return
|
||
}
|
||
}
|
||
}
|
||
|
||
func mergeUsage(a, b map[string]agent.TokenUsage) map[string]agent.TokenUsage {
|
||
if len(a) == 0 {
|
||
return b
|
||
}
|
||
if len(b) == 0 {
|
||
return a
|
||
}
|
||
merged := make(map[string]agent.TokenUsage, len(a)+len(b))
|
||
for model, u := range a {
|
||
merged[model] = u
|
||
}
|
||
for model, u := range b {
|
||
existing := merged[model]
|
||
existing.InputTokens += u.InputTokens
|
||
existing.OutputTokens += u.OutputTokens
|
||
existing.CacheReadTokens += u.CacheReadTokens
|
||
existing.CacheWriteTokens += u.CacheWriteTokens
|
||
merged[model] = existing
|
||
}
|
||
return merged
|
||
}
|
||
|
||
// repoDataToInfo converts daemon RepoData to repocache RepoInfo.
|
||
func repoDataToInfo(repos []RepoData) []repocache.RepoInfo {
|
||
info := make([]repocache.RepoInfo, len(repos))
|
||
for i, r := range repos {
|
||
info[i] = repocache.RepoInfo{URL: r.URL}
|
||
}
|
||
return info
|
||
}
|
||
|
||
func convertReposForEnv(repos []RepoData) []execenv.RepoContextForEnv {
|
||
if len(repos) == 0 {
|
||
return nil
|
||
}
|
||
result := make([]execenv.RepoContextForEnv, len(repos))
|
||
for i, r := range repos {
|
||
result[i] = execenv.RepoContextForEnv{URL: r.URL, Description: r.Description}
|
||
}
|
||
return result
|
||
}
|
||
|
||
func convertProjectResourcesForEnv(resources []ProjectResourceData) []execenv.ProjectResourceForEnv {
|
||
if len(resources) == 0 {
|
||
return nil
|
||
}
|
||
result := make([]execenv.ProjectResourceForEnv, len(resources))
|
||
for i, r := range resources {
|
||
result[i] = execenv.ProjectResourceForEnv{
|
||
ID: r.ID,
|
||
ResourceType: r.ResourceType,
|
||
ResourceRef: r.ResourceRef,
|
||
Label: r.Label,
|
||
}
|
||
}
|
||
return result
|
||
}
|
||
|
||
// markActiveEnvRoot records that a task is currently using the given env root,
|
||
// so the GC loop won't reclaim its artifacts mid-execution. Calls are
|
||
// reference-counted so a reuse path marked twice (predicted + prior) only
|
||
// becomes inactive after both unmark calls.
|
||
func (d *Daemon) markActiveEnvRoot(envRoot string) {
|
||
if envRoot == "" {
|
||
return
|
||
}
|
||
d.activeEnvRootsMu.Lock()
|
||
defer d.activeEnvRootsMu.Unlock()
|
||
d.activeEnvRoots[envRoot]++
|
||
}
|
||
|
||
func (d *Daemon) unmarkActiveEnvRoot(envRoot string) {
|
||
if envRoot == "" {
|
||
return
|
||
}
|
||
d.activeEnvRootsMu.Lock()
|
||
defer d.activeEnvRootsMu.Unlock()
|
||
if d.activeEnvRoots[envRoot] <= 1 {
|
||
delete(d.activeEnvRoots, envRoot)
|
||
return
|
||
}
|
||
d.activeEnvRoots[envRoot]--
|
||
}
|
||
|
||
func (d *Daemon) isActiveEnvRoot(envRoot string) bool {
|
||
d.activeEnvRootsMu.Lock()
|
||
defer d.activeEnvRootsMu.Unlock()
|
||
return d.activeEnvRoots[envRoot] > 0
|
||
}
|
||
|
||
// shortID returns the first 8 characters of an ID for readable logs.
|
||
func shortID(id string) string {
|
||
if len(id) <= 8 {
|
||
return id
|
||
}
|
||
return id[:8]
|
||
}
|
||
|
||
// truncateLog truncates a string to maxLen, appending "…" if truncated.
|
||
// Also collapses newlines to spaces for single-line log output.
|
||
func truncateLog(s string, maxLen int) string {
|
||
s = strings.ReplaceAll(s, "\n", " ")
|
||
s = strings.TrimSpace(s)
|
||
if len(s) <= maxLen {
|
||
return s
|
||
}
|
||
return s[:maxLen] + "…"
|
||
}
|
||
|
||
func convertSkillsForEnv(skills []SkillData) []execenv.SkillContextForEnv {
|
||
if len(skills) == 0 {
|
||
return nil
|
||
}
|
||
result := make([]execenv.SkillContextForEnv, len(skills))
|
||
for i, s := range skills {
|
||
result[i] = execenv.SkillContextForEnv{
|
||
Name: s.Name,
|
||
Description: s.Description,
|
||
Content: s.Content,
|
||
}
|
||
for _, f := range s.Files {
|
||
result[i].Files = append(result[i].Files, execenv.SkillFileContextForEnv{
|
||
Path: f.Path,
|
||
Content: f.Content,
|
||
})
|
||
}
|
||
}
|
||
return result
|
||
}
|
||
|
||
// composeOpenclawIncludeRoots returns the value the daemon should set for
|
||
// OPENCLAW_INCLUDE_ROOTS on the child openclaw process so its `$include`
|
||
// loader will follow the wrapper's reference out of envRoot into the
|
||
// user's active config directory.
|
||
//
|
||
// addRoot is the directory we must grant (typically dirname of the user's
|
||
// active openclaw.json). userValue is whatever the daemon's own
|
||
// environment already has under OPENCLAW_INCLUDE_ROOTS — the user's own
|
||
// cross-directory layout. We prepend addRoot, dedupe by string equality,
|
||
// drop empty path segments, and return ok=false when there's nothing to
|
||
// grant (addRoot is empty — fresh install case), so callers can leave the
|
||
// env var alone in that case.
|
||
//
|
||
// Path separator is the OS-native list separator (`:` on Unix, `;` on
|
||
// Windows) to match how OpenClaw splits the env var.
|
||
func composeOpenclawIncludeRoots(addRoot, userValue string) (string, bool) {
|
||
if addRoot == "" {
|
||
return "", false
|
||
}
|
||
parts := []string{addRoot}
|
||
seen := map[string]struct{}{addRoot: {}}
|
||
for _, p := range strings.Split(userValue, string(os.PathListSeparator)) {
|
||
if p == "" {
|
||
continue
|
||
}
|
||
if _, dup := seen[p]; dup {
|
||
continue
|
||
}
|
||
seen[p] = struct{}{}
|
||
parts = append(parts, p)
|
||
}
|
||
return strings.Join(parts, string(os.PathListSeparator)), true
|
||
}
|
||
|
||
// isBlockedEnvKey returns true if the key must not be overridden by user-
|
||
// configured custom_env. This prevents accidental or malicious override of
|
||
// daemon-internal variables and critical system paths.
|
||
func isBlockedEnvKey(key string) bool {
|
||
upper := strings.ToUpper(key)
|
||
if strings.HasPrefix(upper, "MULTICA_") {
|
||
return true
|
||
}
|
||
switch upper {
|
||
case "HOME", "PATH", "USER", "SHELL", "TERM", "CODEX_HOME", "OPENCLAW_CONFIG_PATH", "OPENCLAW_INCLUDE_ROOTS":
|
||
return true
|
||
}
|
||
return false
|
||
}
|
||
|
||
func defaultArgsForProvider(cfg Config, provider string) []string {
|
||
var args []string
|
||
switch provider {
|
||
case "claude":
|
||
args = cfg.ClaudeArgs
|
||
case "codex":
|
||
args = cfg.CodexArgs
|
||
default:
|
||
return nil
|
||
}
|
||
return append([]string(nil), args...)
|
||
}
|