feat(daemon): session idle reaper for automatic cleanup

[chiga0]

Summary

• Add a session idle reaper that periodically scans the bridge's in-memory session registry and closes sessions with no SSE subscribers, no registered clients, no active prompt, and whose last heartbeat exceeds a configurable idle TTL (default 30 minutes)
• Uses the existing closeSession path (soft close) — JSONL transcripts on disk are preserved, session/load or session/resume can restore any reaped session
• Emits session_closed with reason: 'idle_timeout' so clients can distinguish reaper closes from explicit closes
• Configurable via --session-reap-interval-ms (default 60s) and --session-idle-timeout-ms (default 30min) CLI flags; 0 disables

Motivation

Idle sessions accumulate when clients close browser tabs or crash without calling DELETE /session. Each orphaned session holds an EventBus replay ring (~2-4 MB). Without cleanup, the daemon eventually hits the maxSessions cap (default 20) and rejects new sessions entirely — a hard availability failure.

Design

Full design document included at docs/design/session-idle-reaper/README.md.

Test plan

• Idle session is reaped after timeout
• Session with active prompt + client survives reaper
• Session with live SSE subscriber survives reaper
• Session with registered client survives reaper
• Reaper disabled when interval = 0
• Reaper disabled when timeout = 0
• session_closed event carries correct reason field
• closeSession defaults to reason: 'client_close'
• Multiple idle sessions reaped in one tick
• Heartbeat refreshes the idle clock
• Reaper stopped on shutdown (no post-shutdown errors)
• All 222 existing bridge tests pass (zero regression)

🤖 Generated with Qwen Code

[qwen-code-ci-bot]

Thanks for the PR!

Template: the PR body uses ## Summary / ## Motivation / ## Design / ## Test plan headings instead of the template's ## What this PR does / ## Why it's needed / ## Reviewer Test Plan / ## Risk & Scope. Missing: Reviewer Test Plan (How to verify, Before/After, Tested on), Risk & Scope, Linked Issues, and the Chinese <details> block. Not blocking — the design doc and test checklist cover the substance — but worth aligning on the next revision so reviewers can find what they need.

Direction: clearly aligned. Orphaned sessions locking out new users at the maxSessions cap is a real availability bug for anyone running the daemon long-term (IDE extensions, web UI, desktop app). Claude Code's CHANGELOG has several session-management fixes ("background agent sessions losing tasks", "orphaned processes spinning at 100% CPU") confirming this is an active pain point across the category. Targeting the daemon_mode_b_main feature branch makes sense.

Approach: the scope feels right — a setInterval reaper inside the bridge closure, using the existing closeSession path, with configurable intervals and 0 to disable. The refactor of closeSession into closeSessionImpl is the minimal change needed to let the reaper share the close path. One thing worth thinking about: the reaper silently skips sessions it can't close (.catch() logs to stderr). That's fine for now, but if a session gets stuck in a "zombie" state where closeSessionImpl keeps failing, it'll retry every 60s forever with no escalation. Not a blocker — just a corner case to be aware of.

Moving on to code review. 🔍

中文说明

感谢贡献！

模板： PR 正文使用了 ## Summary / ## Motivation / ## Design / ## Test plan 标题，与模板要求的 ## What this PR does / ## Why it's needed / ## Reviewer Test Plan / ## Risk & Scope 不一致。缺少：Reviewer Test Plan（How to verify、Before/After、Tested on）、Risk & Scope、Linked Issues、以及中文 <details> 翻译。不阻塞——设计文档和测试清单覆盖了核心内容——但建议下次修订时对齐模板。

方向： 明确对齐。孤立会话在 maxSessions 上限时锁住新用户是长期运行守护进程（IDE 扩展、Web UI、桌面应用）的真实可用性问题。Claude Code 的 CHANGELOG 也有多个会话管理修复（"后台 agent 会话丢失任务"、"孤立进程 100% CPU 空转"），说明这是行业共性痛点。目标分支 daemon_mode_b_main 合理。

方案： 范围合理——桥闭包内的 setInterval reaper，复用已有 closeSession 路径，可配置间隔且 0 禁用。将 closeSession 重构为 closeSessionImpl 是让 reaper 共享关闭路径的最小改动。值得注意的一点：reaper 对关闭失败的会话只是 .catch() 写 stderr，如果某个会话进入"僵尸"状态导致 closeSessionImpl 持续失败，会每 60 秒重试且永远不会升级。不阻塞——只是一个需要留意的边界场景。

进入代码审查 🔍

— Qwen Code · qwen3.7-max

[github-actions]

📋 Review Summary

This PR implements a session idle reaper that automatically cleans up orphaned sessions in the daemon's in-memory registry. The implementation is well-designed, thoroughly tested, and follows existing patterns in the codebase. All 222 existing bridge tests pass with zero regression, and 11 new reaper-specific tests comprehensively cover the feature's behavior.

🔍 General Feedback

• Strong design documentation: The design doc at docs/design/session-idle-reaper/README.md is thorough, covering problem statement, design goals, architecture, concurrency considerations, and test plans.
• Excellent test coverage: The reaper tests cover all critical scenarios including idle timeout, active prompt survival, SSE subscriber survival, registered client survival, disabled reaper cases, heartbeat refresh, multiple session reaping, and shutdown behavior.
• Clean integration: The reaper uses the existing closeSession path rather than introducing a new force-close mechanism, preserving consistency with the rest of the session lifecycle.
• Proper lifecycle management: The reaper is correctly started at bridge construction and stopped during both shutdown() and killAllSync().
• Good observability: The session_closed event now includes a reason field that distinguishes idle timeout from client-initiated closes.

🎯 Specific Feedback

🟡 High

• packages/acp-bridge/src/bridge.ts:853 - The reaper's idle predicate check uses entry.sessionLastSeenAt ?? Date.parse(entry.createdAt). While the comment in the design doc notes that createdAt is always ISO 8601, there's a potential edge case: if sessionLastSeenAt is set to 0 (falsy but valid timestamp), the ?? operator would fall back to createdAt. Consider using entry.sessionLastSeenAt !== undefined ? entry.sessionLastSeenAt : Date.parse(entry.createdAt) for explicit handling, or document that sessionLastSeenAt should never be 0.

• packages/acp-bridge/src/bridge.ts:867-872 - The reaper calls closeSessionImpl with void prefix and .catch() logging, but the async operation could fail after the session is removed from byId. If closeSessionImpl throws after deleting from byId, the session is lost but the error is only logged. This is likely acceptable for the reaper (graceful degradation), but worth documenting the failure mode.

🟢 Medium

• packages/acp-bridge/src/bridge.ts:786-792 - The resolvePositiveFiniteMs helper is defined inside the closure but only used twice. Consider extracting it to a module-level utility function for reusability and testability, especially since similar validation logic may exist elsewhere for timeout values.

• packages/acp-bridge/src/bridgeOptions.ts:347-356 - The JSDoc for sessionReapIntervalMs mentions "0 or Infinity disables" but the implementation in resolvePositiveFiniteMs returns 0 for any non-positive or non-finite value. This means Infinity, -1, NaN all result in 0 (disabled). Consider clarifying the docs to say "Non-positive or non-finite values disable the reaper" to match the actual behavior.

• docs/design/session-idle-reaper/README.md:280-285 - The design doc mentions concurrency safety with "for...of iteration is synchronous" but doesn't explicitly address the case where closeSession is called concurrently by a client while the reaper is processing. The code handles this correctly (SessionNotFoundError is thrown and caught), but documenting this race condition would strengthen the design doc.

🔵 Low

• packages/acp-bridge/src/bridge.ts:856-860 - The log message format qwen serve: reaping idle session ${JSON.stringify(id)} uses JSON.stringify for the session ID, which is already a string. This results in quoted output like "sess:/work/a". While consistent with other log lines in the file, consider whether id alone would be clearer, or document the quoting convention.

• packages/acp-bridge/src/bridgeTypes.ts:122-126 - The CloseSessionOpts interface only has a reason field. Consider naming it CloseSessionOptions (plural) to match TypeScript conventions for option bags, or keep as-is if Opts is the established pattern in this codebase (which it appears to be).

• docs/design/session-idle-reaper/README.md - The design doc is comprehensive but could benefit from a "Monitoring and Alerting" section that suggests what metrics operators should watch (e.g., reaper firing rate, sessions reaped per hour, false positive rate where sessions are reaped but users expected them to persist).

✅ Highlights

• Excellent test plan execution: All 12 test scenarios from the design doc are implemented and passing, including edge cases like "session with recent heartbeat survives reaper" and "reaper is stopped on shutdown."

• Clean API design: The closeSession signature extension with optional opts parameter is backward-compatible and follows TypeScript best practices. Existing callers need no changes.

• Thoughtful defaults: The default 30-minute idle timeout and 60-second reap interval balance resource reclamation with user experience (brief disconnections don't cause data loss).

• Proper timer unref: Both the reaper timer and channel idle timer use .unref(), ensuring they don't prevent daemon exit—critical for clean shutdowns.

• Comprehensive design doc: The architecture diagram, relationship table to existing mechanisms, and idle predicate guard rationale table make the design easily understandable.

[wenshao]

[Suggestion] The closeSessionImpl extraction drops four load-bearing comments from the old inline closeSession method. These comments explain why, not what — and the regression suite explicitly does not enforce the invariants they describe.

The most critical is the HAZARD block about channelInfoForEntry(entry) vs module-scoped channelInfo:

"The two diverge during the channel-overlap window — A dying, B freshly spawned — where capturing channelInfo would (1) skip the sessionIds.delete() since B.channel !== entry.channel, and (2) call markSessionClosed on B's client instead of A's. The regression test is single-channel smoke only and WILL NOT fail if this reverts to module-scoped channelInfo."

Without this warning, a future maintainer could "simplify" channelInfoForEntry(entry) to channelInfo and silently reintroduce the channel-overlap bug.

Three other dropped comments are also load-bearing:

• Tombstone: markSessionClosed prevents late extNotification from seeding the early-event buffer
• Ordering: session_closed must be published before ACP cancel so late cancellation frames are intentionally dropped
• Back-compat: data.closedBy exists for wire-level back-compat; new code should use envelope-level originatorClientId

Please restore these comments verbatim in closeSessionImpl. AGENTS.md states: "don't delete existing [comments] as cleanup."

— qwen3.7-max via Qwen Code /review

[wenshao]

[Suggestion] The stderr log line here does not include the close reason. When the reaper closes a session, operators see the same log format as a client-initiated close — making it hard to distinguish the two during incident investigation.

Suggested change

	`qwen serve: closing session ${JSON.stringify(sessionId)}` +
	writeStderrLine(
	`qwen serve: closing session ${JSON.stringify(sessionId)}` +
	` (reason: ${closeOpts?.reason ?? 'client_close'})` +
	(originatorClientId
	? ` by client ${JSON.stringify(originatorClientId)}`
	: ''),
	);

— qwen3.7-max via Qwen Code /review

[wenshao]

[Suggestion] The telemetry event does not include the close reason attribute. This makes it impossible to answer "how many sessions were reaped vs. explicitly closed?" from a telemetry dashboard — a likely first question during incidents involving unexpected session closures.

Suggested change

	'qwen-code.daemon.bridge.operation': 'session.close',
	telemetry.event('session.close', {
	'qwen-code.daemon.bridge.operation': 'session.close',
	'session.id': sessionId,
	'session.close.reason': closeOpts?.reason ?? 'client_close',
	});

Note: since reason is computed later (line 2128), you'd need to either move this computation up or inline the fallback as shown above.

— qwen3.7-max via Qwen Code /review

[wenshao]

[Suggestion] String(err) calls toString() which only returns the message, losing the stack trace. If closeSessionImpl fails inside notifyAgentSessionClose (which does async I/O to the ACP child), the operator gets a one-line error with no call stack — making reaper failures hard to debug.

Suggested change

	}, sessionReapIntervalMs);
	writeStderrLine(
	`qwen serve: session reaper failed to close ` +
	`${JSON.stringify(id)}: ${err instanceof Error ? (err.stack ?? err.message) : String(err)}`,
	);

— qwen3.7-max via Qwen Code /review

[wenshao]

PR Verification Report

PR: #4833 — feat(daemon): session idle reaper for automatic cleanup
Branch: feat/session-idle-reaper → daemon_mode_b_main
Tested on: macOS Darwin 25.4.0

Test Results

Check	Result	Details
Unit Tests (bridge.test.ts)	✅ 223 passed	0 failed, includes 12 new reaper tests
Unit Tests (server.test.ts)	⚠️ Collection failed	Pre-existing import resolution error on daemon_mode_b_main (@qwen-code/acp-bridge/mcpTimeouts)
ESLint	✅ Clean	0 errors on all 7 changed source files
TypeCheck (acp-bridge)	✅ Pass	0 errors
TypeCheck (core)	✅ Pass	0 errors
Build (core)	✅ Pass	Successful

New Tests (12 reaper tests)

Test	Status
Idle session is reaped after timeout	✅
Session with active prompt + client NOT reaped	✅
Session with live SSE subscriber NOT reaped	✅
Session with registered clients NOT reaped	✅
Disabled when sessionReapIntervalMs = 0	✅
Disabled when sessionIdleTimeoutMs = 0	✅
Publishes session_closed with reason: idle_timeout	✅
closeSession defaults to reason: client_close	✅
Multiple idle sessions reaped in one tick	✅
Session with recent heartbeat survives	✅
Reaper stopped on shutdown	✅
Channel idle timer triggered after last session reaped	✅

Code Review

Changes (9 files, +1010/−100):

• docs/design/session-idle-reaper/README.md (+419) — Thorough design doc covering problem, architecture, idle predicate, concurrency safety, and follow-up work
• packages/acp-bridge/src/bridge.ts (+143/−98) — Extracts closeSessionImpl from inline closure, adds startSessionReaper/stopSessionReaper with setInterval(..).unref(), extends closeSession with optional CloseSessionOpts
• packages/acp-bridge/src/bridge.test.ts (+363) — 12 new tests using vi.useFakeTimers() for deterministic timer control
• packages/acp-bridge/src/bridgeOptions.ts (+13) — sessionReapIntervalMs and sessionIdleTimeoutMs options
• packages/acp-bridge/src/bridgeTypes.ts (+6) — CloseSessionOpts interface, closeSession signature update
• packages/cli/src/commands/serve.ts (+19) — CLI flags --session-reap-interval-ms and --session-idle-timeout-ms
• packages/cli/src/serve/runQwenServe.ts (+6) — Pass-through to bridge options
• packages/cli/src/serve/server.test.ts (+37/−2) — 2 wire integration tests (health endpoint + DELETE opts)
• packages/cli/src/serve/types.ts (+4) — ServeOptions extensions

Key observations:

1. Idle predicate is well-guarded: 4 conditions must all hold — no active prompt, no SSE subscribers, no registered clients, idle duration exceeded. This prevents premature reaping of headless/autonomous sessions
2. Reuses closeSession path: No new teardown logic — leverages existing event publishing, telemetry, permission cleanup, and channel idle timer integration
3. closeSessionImpl extraction is clean: The refactoring moves the inline closeSession body into a named function, adds CloseSessionOpts parameter with reason field, no behavioral change for existing callers
4. Timer is .unref()'d: Won't prevent Node.js exit
5. Concurrency safety: Each reaper close is .catch()-guarded independently, double-close from concurrent client DELETE is handled via SessionNotFoundError
6. Design doc is comprehensive: Covers interaction with existing mechanisms, concurrency analysis, wire-format compatibility, and follow-up work

Caveats

• server.test.ts couldn't be collected due to pre-existing daemon_mode_b_main import resolution error (same issue seen in PR feat(daemon): add POST /session/:id/language for runtime language switching #4705 verification). The 2 new server tests are straightforward mock-based tests that would pass once the base branch import is fixed.

Verdict

✅ Ready to merge — Well-designed session reaper with thorough test coverage (12 tests, all passing). Clean closeSession refactoring with parameterized close reason. Addresses a real availability issue (orphaned sessions hitting maxSessions cap).

---

Verified by wenshao

[wenshao]

[Suggestion] resolvePositiveFiniteMs does not clamp its return value to 2_147_483_647 (max 32-bit signed int), unlike the sibling helper resolvedChannelIdleTimeoutMs (line ~823) which does Math.min(raw, 2_147_483_647). The resolved value feeds setInterval — Node.js treats delays larger than 2^31-1 as 1ms, which would cause the reaper to fire in a tight CPU-burning loop.

Suggested change

	fallback: number,
	function resolvePositiveFiniteMs(
	raw: number | undefined,
	fallback: number,
	): number {
	if (raw === undefined) return fallback;
	return raw > 0 && Number.isFinite(raw) ? Math.min(raw, 2_147_483_647) : 0;
	}

— qwen3.7-max via Qwen Code /review

[wenshao]

[Suggestion] closeSessionImpl is fire-and-forget (void) with no re-entrancy guard. Since byId.delete(sessionId) happens after await notifyAgentSessionClose(...) (an ACP round-trip that can take seconds), the next reaper tick can find the same session still in byId and fire a duplicate close — producing double notifyAgentSessionClose, double session_closed events, and double telemetry. The same gap also creates a TOCTOU race: a client that reconnects during the async window has its session silently destroyed, violating the design doc's goal of "never destroy a session that has an active prompt."

Consider adding a Set<string> guard plus an idle-predicate re-check:

const reapingSessions = new Set<string>();

// In reaper loop:
if (reapingSessions.has(id)) continue;
reapingSessions.add(id);
void closeSessionImpl(id, undefined, { reason: 'idle_timeout' })
  .catch((err) => { ... })
  .finally(() => { reapingSessions.delete(id); });

// Inside closeSessionImpl, after the byId.get check:
if (closeOpts?.reason === 'idle_timeout') {
  if (entry.activePromptOriginatorClientId !== undefined) return;
  if (entry.events.subscriberCount > 0) return;
  if (entry.clientIds.size > 0) return;
}

This also prevents the race between the reaper and an explicit client DELETE arriving concurrently.

— qwen3.7-max via Qwen Code /review

[wenshao]

[Suggestion] No startup log confirms whether the reaper is active or what thresholds it is using. If resolvePositiveFiniteMs silently converts an invalid CLI flag value (e.g., NaN from --session-idle-timeout-ms=abc) to 0, the reaper is disabled with no diagnostic. During an incident, an oncall engineer has no way to confirm the reaper is running without inspecting process args.

Suggested change

	if (entry.activePromptOriginatorClientId !== undefined) continue;
	function startSessionReaper(): void {
	if (sessionReapIntervalMs <= 0 || sessionIdleTimeoutMs <= 0) {
	writeStderrLine('qwen serve: session reaper disabled');
	return;
	}
	writeStderrLine(
	`qwen serve: session reaper started ` +
	`(interval ${sessionReapIntervalMs}ms, ` +
	`idle threshold ${sessionIdleTimeoutMs}ms)`,
	);
	sessionReaper = setInterval(() => {

— qwen3.7-max via Qwen Code /review

[wenshao]

[Suggestion] No test combines the reaper's natural fire with an assertion on the published session_closed event's reason field. The "idle_timeout reason" test (above) calls bridge.closeSession directly — bypassing the reaper. The "reaps an idle session" test lets the reaper fire but only checks sessionCount === 0, never verifying the event carries reason: 'idle_timeout'. If someone accidentally omits the opts argument in the reaper's closeSessionImpl call, no test would catch it.

Consider adding a test that subscribes to events, lets the reaper fire naturally (fake timers + detach + advance), and asserts event.data.reason === 'idle_timeout'.

— qwen3.7-max via Qwen Code /review

[wenshao]

[Suggestion] The "active prompt" guard test does not isolate the guard it claims to verify. The test sends a prompt but never calls detachClient, so entry.clientIds.size > 0 throughout. The reaper checks clientIds.size > 0 before checking activePromptOriginatorClientId, so if someone accidentally removed the active-prompt guard, this test would still pass because the clientIds guard alone prevents reaping.

To properly isolate the guard: detach the client first (making clientIds.size === 0), then verify the session survives solely because activePromptOriginatorClientId !== undefined.

— qwen3.7-max via Qwen Code /review

[wenshao]

[Suggestion] R3 adds a third call site for closeSessionImpl (the new close-on-last-detach path, alongside the explicit DELETE /session route and the idle reaper), which makes the latent re-entrancy in this function easier to hit.

The R2 round flagged the re-entrancy risk at the reaper level. A per-entry guard in the reaper loop would treat the symptom, but the root cause lives here: byId.delete(sessionId) happens on line 2142, after await notifyAgentSessionClose(...) on line 2135. Compare with killSession (around line 3830), which does the symmetric teardown correctly — byId.delete(sessionId) there is synchronous and precedes await notifyAgentSessionClose(...).

Scenario in R3: a client sends detach, detachClient observes clientIds.size === 0 and enters the new close-on-last-detach branch, which awaits this function. During the notifyAgentSessionClose ACP round-trip (potentially seconds), the reaper tick fires, finds the same entry still in byId, and calls closeSessionImpl again. Both invocations proceed past the byId.get guard and reach the ACP notification, the session_closed publish, and the session.close telemetry event — producing duplicate agent notifications, duplicate telemetry, and a second session_closed publish that only avoids crashing because the entry.events.publish try/catch swallows the "bus already closed" throw.

Suggested fix: mirror the killSession ordering. Move the synchronous teardown block (byId.delete, permissionMediator.forgetSession, pendingPermissionIds.clear, telemetry.metrics?.sessionLifecycle('close'), ci?.client.markSessionClosed) to run before await notifyAgentSessionClose(...). After that, any concurrent caller that does byId.get(sessionId) gets undefined and throws SessionNotFoundError, which every caller already catches. Optionally, also add a closing flag on the entry as defense in depth.

— qwen3.7-max via Qwen Code /review