fix: throttle sibling re-resume + faster dead-event-stream detection (#406)

[PureWeen]

Problem

When a session hits a connection error and reconnects, PolyPilot fires 35-47 concurrent ResumeSessionAsync calls for all sibling sessions. This floods the server's event delivery mechanism — SendAsync on the primary session succeeds, but the event stream goes silently dead. The 120s watchdog eventually kills and retries, but the retry can also be affected.

Evidence from ~/.polypilot/event-diagnostics.log (ci-agentic session, 2026-03-18):

• 22:56 — watchdog kills after 1173s with no SessionIdleEvent
• 22:58 — reconnect fires, retries prompt, logs "awaiting events"
• 23:00 — watchdog kills the retry after 120s (IsProcessing=false — watchdog timeout after 120s)

The user had to prod it manually.

Root Cause

The sibling re-resume Task.Run launched all 47 sessions concurrently with no throttling. The resulting flood of ResumeSessionAsync calls likely exhausted the server's per-client connection limits or I/O queues, silently breaking the event delivery for the session that just reconnected.

Fixes

1. Throttle sibling re-resume concurrency (primary fix)

Replace the sequential loop (which was also calling await sequentially — actually serialized, but with no back-pressure) with a proper parallel dispatch bounded by SemaphoreSlim(3, 3). At most 3 siblings resume at a time. The primary session's event handler is already registered before the Task.Run starts.

2. Faster dead-event-stream detection

Add IsReconnectedSend flag on SessionState. On the reconnect path, set it true before StartProcessingWatchdog. When the first real SDK event arrives (HandleSessionEvent), clear it. In the watchdog, use a new WatchdogReconnectInactivityTimeoutSeconds = 35 (vs 120s) when IsReconnectedSend=true and no tools are involved. This means a dead event stream after reconnect is detected and retried in ~35s, not 2 minutes.

3. Re-snapshot EventsFileSizeAtSend on reconnect

The stale snapshot from the failed primary send is no longer valid after reconnect. A fresh snapshot enables the watchdog's Case D (dead-send detection) on the retried send. Also reset WatchdogAbortAttempted=false so Case D can fire on the retry.

Test Results

• Build: ✅ 0 errors
• Tests: ✅ 2807/2809 passed (2 flaky timing-based tests, confirmed flaky by running in isolation — both pass)

[PureWeen]

PR #409 Review — Throttle sibling re-resume + faster dead-event-stream detection

CI: ⚠️ No checks configured. Author reports 2807/2809 tests pass (2 pre-existing flaky tests).
Prior reviews: None.
Models: claude-opus-4.6 ×2, claude-sonnet-4.6, gemini-3-pro-preview, gpt-5.3-codex (5/5 completed)

---

Production Logic: ✅ Correct

All three fixes are well-designed and thread-safe:

• SemaphoreSlim(3, 3) throttle: Semaphore is disposed via using only after await Task.WhenAll(siblingTasks) completes, so no ObjectDisposedException race. The acquired guard pattern (finally { if (acquired) siblingThrottle.Release(); }) correctly prevents over-release on OperationCanceledException before slot acquisition. (5/5 models confirmed correct)
• IsReconnectedSend flag: volatile bool is the right primitive for a flag written on the UI/reconnect thread and read on the watchdog background thread. Cleared on first SDK event, on CompleteResponse, and at the start of each new turn. (5/5 models confirmed correct)
• WatchdogAbortAttempted = false reset: The old watchdog is superseded by StartProcessingWatchdog before the flag is reset. Arming Case D again on the retry is intentional and safe — no double-abort risk. (5/5 models confirmed correct)
• IsProcessing early-return (sibling): Not orphaning capturedOtherState when IsProcessing=true is correct — a concurrent SendPromptAsync is active on it and owns that state's lifecycle. Our re-resume's TryUpdate would fail anyway (stale comparand). (5/5 models confirmed correct)
• EventsFileSizeAtSend snapshot ordering: Snapshot taken before StartProcessingWatchdog; watchdog's first tick is 15s later. No race. (confirmed correct)

---

Finding — 🟡 MODERATE (4/5 models)

ProcessingWatchdogTests.cs:901 — Test helper ComputeEffectiveTimeout diverges from production; existing test WatchdogTimeoutSelection_HasUsedTools_UsesToolTimeout asserts the wrong value

The test helper's useToolTimeout includes || hasUsedTools:

// Test helper (line 901) — WRONG
var useToolTimeout = hasActiveTool || (isResumed && !useResumeQuiescence) || hasUsedTools;

Production (CopilotService.Events.cs:2005) does NOT:

// Production — correct
var useToolTimeout = hasActiveTool || (state.Info.IsResumed && !useResumeQuiescence);

Consequences:

1. useUsedToolsTimeout (newly added by this PR to the test helper) is always false — dead code. Because !useToolTimeout implies !hasUsedTools in the test, useUsedToolsTimeout can never be true.
2. The test helper's return chain skips the WatchdogUsedToolsIdleTimeoutSeconds (180s) tier entirely, making it unreachable in tests even though it's a live path in production.
3. The pre-existing test WatchdogTimeoutSelection_HasUsedTools_UsesToolTimeout asserts 600 (WatchdogToolExecutionTimeoutSeconds) but production routes hasUsedTools=true, !hasActiveTool, !isResumed through useUsedToolsTimeout and returns WatchdogUsedToolsIdleTimeoutSeconds (180s). The test passes but validates the wrong timeout.

The divergence is pre-existing (the || hasUsedTools was on main before this PR), but this PR adds isReconnectedSend tests on top of the wrong helper and adds useUsedToolsTimeout (which is correctly added but is dead due to the pre-existing bug). The new reconnect tests themselves are correct (they all use hasUsedTools=false where both formulas agree).

Fix:

// Remove || hasUsedTools from useToolTimeout in ComputeEffectiveTimeout
var useToolTimeout = hasActiveTool || (isResumed && !useResumeQuiescence);
var useUsedToolsTimeout = !useToolTimeout && hasUsedTools && !hasActiveTool;
var useReconnectTimeout = isReconnectedSend && !useToolTimeout && !useUsedToolsTimeout && !useResumeQuiescence;
return useResumeQuiescence
    ? CopilotService.WatchdogResumeQuiescenceTimeoutSeconds
    : useToolTimeout
        ? CopilotService.WatchdogToolExecutionTimeoutSeconds
        : useUsedToolsTimeout
            ? CopilotService.WatchdogUsedToolsIdleTimeoutSeconds
            : useReconnectTimeout
                ? CopilotService.WatchdogReconnectInactivityTimeoutSeconds
                : CopilotService.WatchdogInactivityTimeoutSeconds;

And update WatchdogTimeoutSelection_HasUsedTools_UsesToolTimeout to assert WatchdogUsedToolsIdleTimeoutSeconds (180) instead of WatchdogToolExecutionTimeoutSeconds (600).

---

Test Coverage Assessment

The new reconnect timeout tests adequately cover the happy path (isReconnectedSend=true, hasUsedTools=false). One missing case worth adding after the test helper is fixed:

• WatchdogTimeoutSelection_ReconnectedSend_WithUsedTools_UsesUsedToolsTimeout: isReconnectedSend=true, hasUsedTools=true, !hasActiveTool, !isResumed → should give 180s, NOT 35s. This confirms that hasUsedTools takes priority over the reconnect timeout.

---

Verdict: ⚠️ Request changes

One targeted fix needed: correct ComputeEffectiveTimeout in the test helper and update the HasUsedTools assertion to 180s. The production code is correct and the three new features work as designed. After the test fix, this is ready to merge.

[PureWeen]

PR #409 Re-Review — Round 2 (Post-Fix)

Commit reviewed: 842f75b3 "fix: correct ComputeEffectiveTimeout helper and update tests for 180s used-tools tier"
CI: ⚠️ No checks configured | Tests run locally: 163/163 ProcessingWatchdog tests pass ✅
Models: claude-opus-4.6 ×2, claude-sonnet-4.6, gemini-3-pro-preview, gpt-5.3-codex (5/5 completed)

---

Previous Findings Status

Finding	Status
🟡 F1 — ComputeEffectiveTimeout test helper diverges from production (|| hasUsedTools bug; WatchdogTimeoutSelection_HasUsedTools_UsesToolTimeout asserts wrong 600s)	✅ FIXED (5/5 models confirmed)

---

Fix Verification

The author's fix commit correctly addresses F1:

Before (buggy):

var useToolTimeout = hasActiveTool || (isResumed && !useResumeQuiescence) || hasUsedTools;
// return chain: quiescence → tool → inactivity  (useUsedToolsTimeout was dead code)

After (fixed):

var useToolTimeout = hasActiveTool || (isResumed && !useResumeQuiescence);
var useUsedToolsTimeout = !useToolTimeout && hasUsedTools && !hasActiveTool;
var useReconnectTimeout = isReconnectedSend && !useToolTimeout && !useUsedToolsTimeout && !useResumeQuiescence;
// return chain: quiescence → tool → usedTools (180s) → reconnect (35s) → inactivity (120s)

All affected tests updated:

• WatchdogTimeoutSelection_HasUsedTools_UsesToolTimeout → renamed UsesUsedToolsTimeout, assertion 600→180
• Regression_PR148_ToolLoops_Use600sNotInactivity → renamed UseUsedToolsTimeoutNotInactivity, assertion 600→180
• Exhaustive matrix [InlineData(false, false, false, true, false, 600)] → 180
• ResumeQuiescence_NotResumed_NeverTriggersQuiescence inline assertion 600→180 for hasUsedTools case

---

New Findings (Consensus Filter: 2+ models required)

None. One model (Sonnet) raised a potential concern about siblingState.IsReconnectedSend not being set during sibling re-resume — but this is not a real issue: sibling re-resume never calls StartProcessingWatchdog for siblings, and SendPromptAsync clears IsReconnectedSend = false before starting a new watchdog. The flag on siblingState is never read while true. (1/5 models flagged → filtered out.)

---

Production Logic Confirmed Clean (5/5 models)

• SemaphoreSlim(3,3) throttle: acquired guard pattern correctly prevents over-release on OperationCanceledException before slot acquisition. Task.WhenAll(siblingTasks) awaited after loop — semaphore lifetime covers all in-flight tasks. ✅
• INV-14 (IsOrphaned): capturedOtherState.IsOrphaned = true + ProcessingGeneration = long.MaxValue + TrySetCanceled set on orphaned state. Error path also orphans on non-cancellation exceptions. ✅
• INV-15 (TryUpdate): _sessions.TryUpdate(capturedKey, siblingState, capturedOtherState) used — not direct assignment. ✅
• INV-16 (handler-before-publish): resumed.On(evt => ...) registered before _sessions.TryUpdate(...). ✅
• IsReconnectedSend lifecycle: Set to true before StartProcessingWatchdog on primary reconnect path (line 3411); cleared to false at start of each SendPromptAsync (line 2887) and in CompleteResponse. ✅
• EventsFileSizeAtSend re-snapshot: Correctly re-snapshots events.jsonl size on reconnect so Case D dead-send detection works. ✅

---

Test Coverage

✅ The new reconnect timeout tier (WatchdogReconnectInactivityTimeoutSeconds, 35s) is covered by new tests for isReconnectedSend=true combinations. The 180s useUsedToolsTimeout tier is now correctly exercised by the fixed tests.

No coverage gaps introduced by this PR.

---

Verdict: ✅ Approve

The single blocking finding from Round 1 is definitively fixed. All three features (sibling throttle, IsReconnectedSend fast-fail, EventsFileSizeAtSend re-snapshot) are correct and thread-safe as confirmed in Round 1. Tests pass. Ready to merge.

Co-reviewed by: Copilot 223556219+Copilot@users.noreply.github.com

[PureWeen]

PR #409 Round 3 Re-Review

New commit reviewed: 756a65ec "fix: clear IsReconnectedSend in all termination paths (INV-1)"
CI: ⚠️ No checks configured | Local tests: 163/163 watchdog tests pass ✅
Models: claude-opus-4.6 ×2, claude-sonnet-4.6, gemini-3-pro-preview, gpt-5.3-codex (5/5 completed)

---

Previous Findings Status

Finding	Status
🟡 F1 (Round 1) — ComputeEffectiveTimeout test helper diverges from production	✅ FIXED (confirmed Round 2, 5/5 models)

---

New Commit Analysis

Two new IsReconnectedSend = false sites added to CopilotService.Events.cs:

Line 801 — SessionErrorEvent termination path: SDK error event triggers IsProcessing = false. Now explicitly clears IsReconnectedSend alongside IsResumed and SendingFlag. Correct placement and ordering.

Line 2311 — Watchdog Case C kill: Watchdog times out and kills the session. Clears IsReconnectedSend before IsProcessing = false. Technically redundant (watchdog has already made its timeout decision), but correct as defense-in-depth.

These two paths were the real risks: IsReconnectedSend is only read by the watchdog at Events.cs:2019. Both SessionErrorEvent and the watchdog kill are paths where the watchdog may still be looping when the flag is read. The fix is correctly targeted.

---

Coverage Assessment: Remaining Uncovered Paths (Consensus: Safe)

One model (Gemini, 1/5) flagged that 9 other IsProcessing = false paths (AbortSessionAsync, SendAsync error paths, steer error, permission recovery, watchdog crash handler, ForceCompleteProcessing) still do not explicitly clear IsReconnectedSend. Four models analyzed and dismissed this:

• The watchdog loop condition is while (state.Info.IsProcessing) — every termination path either calls CancelProcessingWatchdog() or sets IsProcessing = false, preventing the watchdog from reading a stale value on a subsequent tick
• SendPromptAsync unconditionally clears IsReconnectedSend = false at line 2887 at the START of every new turn, before StartProcessingWatchdog is called — no scenario where stale true persists into a new watchdog cycle
• Stale true biases toward the shorter 35s timeout vs. 120s — the safer failure mode, not worse

1/5 model consensus — below 2-model threshold, not included in findings.

---

Verdict: ✅ Approve

The new commit adds correct, well-placed INV-1 hygiene in the two paths that actually needed it. F1 remains fixed. 163/163 watchdog tests pass. All 4 commits are clean. Ready to merge.

Co-reviewed by: Copilot 223556219+Copilot@users.noreply.github.com

[PureWeen]

PR #409 Round 4 Re-Review

New commit reviewed: 94a04d01 "fix: clear IsReconnectedSend in AbortSessionAsync (INV-1)"
CI: ⚠️ No checks configured | Local tests: 163/163 watchdog tests pass ✅
Models: claude-opus-4.6 ×3, claude-sonnet-4.6, gemini-3-pro-preview (5/5 completed)

---

Previous Findings Status

Finding	Status
🟡 F1 (Round 1) — ComputeEffectiveTimeout test helper bug	✅ FIXED (confirmed Round 2)
Round 3 — SessionErrorEvent + Watchdog Case C clears	✅ Clean

---

New Commit Analysis (5/5 models: no issues)

Single-line addition to AbortSessionAsync in CopilotService.cs:3632:

state.HasUsedToolsThisTurn = false;
state.IsReconnectedSend = false; // INV-1: clear all per-turn flags on abort  ← NEW
Interlocked.Exchange(ref state.SuccessfulToolCountThisTurn, 0);

Placement: Correct — grouped logically with adjacent per-turn flag resets (HasUsedToolsThisTurn, SuccessfulToolCountThisTurn), before CancelProcessingWatchdog.

Is this a real bug fix or defense-in-depth? Per 5/5 model consensus: defense-in-depth. Two existing mechanisms already prevented the "35s timeout on next turn" scenario described in the commit message:

1. AbortSessionAsync sets IsProcessing = false at line 3623 → watchdog exits on next tick; already cannot read stale IsReconnectedSend
2. SendPromptAsync clears IsReconnectedSend = false at line 2887 before StartProcessingWatchdog for any new turn → stale true couldn't have affected a new watchdog regardless

The commit message slightly overclaims, but the addition is correct, harmless, and improves consistency with INV-1 hygiene across all termination paths.

---

IsReconnectedSend Coverage After This Commit (Complete)

Site	Path	Status
Events.cs:235	First SDK event received	Pre-existing
Events.cs:801	SessionErrorEvent	Added Round 3
Events.cs:1028	CompleteResponse	Pre-existing
Events.cs:2311	Watchdog Case C kill	Added Round 3
CopilotService.cs:2887	Start of each SendPromptAsync turn	Added Round 1 commit
CopilotService.cs:3632	AbortSessionAsync	Added this commit

Remaining uncovered paths (SendAsync errors, steer error, permission recovery, watchdog crash, ForceCompleteProcessing) are all safe via SendPromptAsync:2887 self-healing — as established in Round 3.

---

Verdict: ✅ Approve

5/5 models confirmed clean. The addition is correct and consistent. All prior findings remain fixed. 163/163 watchdog tests pass. Ready to merge.

Co-reviewed by: Copilot 223556219+Copilot@users.noreply.github.com