Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 54 additions & 8 deletions packages/server/src/server/serveStdio.ts
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@
* were written for.
*/
import type {
CancelledNotificationParams,
JSONRPCMessage,
JSONRPCNotification,
JSONRPCRequest,
Expand Down Expand Up @@ -117,6 +118,16 @@
* Per-instance channel
* ------------------------------------------------------------------------ */

/**
* How long the probe-discard path waits for the probe instance to answer the
* requests it was delivered before closing it. The wait normally settles as
* soon as the DiscoverResult is handed to the wire (or immediately, when a
* delivered cancellation already settled the probe); the bound is a backstop
* so no edge can ever hold the connection's inbound pump indefinitely behind
* the discard.
*/
const DISCARD_ANSWER_TIMEOUT_MS = 3000;

/**
* The transport a pinned instance is connected to: a thin channel that writes
* through to the entry-owned wire transport and receives the messages the
Expand Down Expand Up @@ -173,21 +184,45 @@
}
if (isJSONRPCRequest(message)) {
this._pendingRequests.add(message.id);
} else if (isJSONRPCNotification(message) && message.method === 'notifications/cancelled') {
// By protocol contract a cancelled request may legitimately go
// unanswered (the instance aborts the in-flight handler and writes
// nothing for it), so a delivered cancellation settles the request
// it names: nothing should keep waiting for an answer that may
// never come. Non-cancelled requests still settle only when their
// answer is handed to the wire.
const cancelledId = (message.params as CancelledNotificationParams | undefined)?.requestId;
if (cancelledId !== undefined) {
this._settle(cancelledId);
}
}

Check notice on line 198 in packages/server/src/server/serveStdio.ts

View check run for this annotation

Claude / Claude Code Review

Pre-existing: Protocol._oncancel falsy requestId check ignores cancellation of request id 0

Pre-existing issue (not introduced by this PR): `Protocol._oncancel` in `packages/core/src/shared/protocol.ts:512-515` guards with `if (!notification.params.requestId) return`, so a `notifications/cancelled` naming request id `0` — the very first id an SDK client uses — is silently ignored and the in-flight handler is never aborted. The new channel-level settle here correctly checks `cancelledId !== undefined`; a follow-up should change the Protocol guard to `requestId === undefined` so the two
Comment on lines +187 to 198

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟣 Pre-existing issue (not introduced by this PR): Protocol._oncancel in packages/core/src/shared/protocol.ts:512-515 guards with if (!notification.params.requestId) return, so a notifications/cancelled naming request id 0 — the very first id an SDK client uses — is silently ignored and the in-flight handler is never aborted. The new channel-level settle here correctly checks cancelledId !== undefined; a follow-up should change the Protocol guard to requestId === undefined so the two layers agree on whether id 0 is cancellable.

Extended reasoning...

What the bug is. Protocol._oncancel (packages/core/src/shared/protocol.ts:512-519) starts with if (!notification.params.requestId) { return; }. RequestId is string | number, and 0 (as well as '') is falsy, so a cancellation that names request id 0 is treated as if the field were absent: the method returns early, the matching AbortController is never looked up, and the in-flight request handler keeps running to completion.

Why id 0 is realistic — in fact the most likely id to be cancelled. Protocol initializes its request counter at 0 (private _requestMessageId = 0, protocol.ts:418) and assigns ids with post-increment (const messageId = this._requestMessageId++, protocol.ts:1132). So an SDK-built client's very first request on a connection — e.g. the opening server/discover probe that this PR's headline scenario is about — carries id 0, and the client's own cancellation path (protocol.ts:1165) sends notifications/cancelled with that same numeric id.

Concrete walkthrough. 1) An SDK 2026 client opens a stdio connection and sends server/discover with id 0 (its first request). 2) It decides to abandon the probe and pipelines notifications/cancelled with requestId: 0. 3) On the server, the entry delivers both messages to the probe instance; the new channel code in serveStdio.ts:187-198 correctly settles pending id 0 because it checks cancelledId !== undefined. 4) But Protocol._oncancel evaluates !0 === true and returns — the discover handler's abort signal never fires, the handler runs to completion, and its response is still written. The cancellation is silently ignored for that one id.

Why this PR doesn't prevent or recreate it. The PR only touches the channel layer in serveStdio.ts; protocol.ts is unchanged. Importantly, this does NOT recreate the wedge the PR fixes: because the handler for id 0 is never aborted, the discover answer still reaches the wire, send() settles the pending id, and the discard wait resolves — the connection's pump is never blocked. The visible impact is limited to wasted handler work and a response the cancelling client must ignore per spec. However, after this PR the channel layer (!== undefined) and the Protocol layer (falsy check) disagree on whether id 0 is a valid cancellation target, which is exactly the off-by-falsy class the new code in this diff was careful to avoid.

How to fix. In a follow-up to core (out of scope for this PR), change the guard to if (notification.params.requestId === undefined) { return; } — or drop it entirely, since the schema requires the field. String ids of '' would be handled correctly by the same change.

All four verifiers independently confirmed the falsy guard, the id-0 starting counter, and that the impact is non-blocking; there were no refutations.

this.onmessage?.(message, extra);
}

/**
* Resolves once every request delivered to the instance has been answered
* through {@linkcode send} (or the channel has been closed and nothing
* further can be answered). Used by the probe-discard path so a probe
* request the entry accepted is never silently dropped.
* through {@linkcode send}, settled by a delivered cancellation, or the
* channel has been closed and nothing further can be answered. The wait is
* bounded by `timeoutMs` as a backstop so no edge can hold the caller
* indefinitely; resolves `false` only when the bound elapsed with requests
* still unanswered. Used by the probe-discard path so a probe request the
* entry accepted is never silently dropped.
*/
async whenRequestsAnswered(): Promise<void> {
async whenRequestsAnswered(timeoutMs: number): Promise<boolean> {
if (this._closed || this._pendingRequests.size === 0) {
return;
return true;
}
await new Promise<void>(resolve => this._drainWaiters.push(resolve));
return await new Promise<boolean>(resolve => {
const waiter = (): void => {
clearTimeout(timer);
resolve(true);
};
const timer = setTimeout(() => {
this._drainWaiters = this._drainWaiters.filter(pending => pending !== waiter);
resolve(false);
}, timeoutMs);
this._drainWaiters.push(waiter);
});
}

async close(): Promise<void> {
Expand Down Expand Up @@ -405,8 +440,19 @@
// the instance aborts whatever it still has in flight. Let the
// in-flight DiscoverResult reach the wire before the instance is
// closed; the probe instance only ever receives `server/discover`,
// whose entry-installed handler always answers promptly.
await instance.channel.whenRequestsAnswered();
// whose entry-installed handler always answers promptly. A probe
// the client cancelled is already settled by the delivered
// cancellation (a cancelled request may go unanswered), and the
// wait is bounded as a backstop so nothing can wedge the
// connection's pump behind the discard.
const answered = await instance.channel.whenRequestsAnswered(DISCARD_ANSWER_TIMEOUT_MS);
if (!answered) {
reportError(
new Error(
`Discarded the probe instance with requests still unanswered after ${DISCARD_ANSWER_TIMEOUT_MS}ms; continuing with the fallback`
)
);
}
await instance.product.close();
} catch (error) {
reportError(toError(error));
Expand Down
35 changes: 35 additions & 0 deletions packages/server/test/server/serveStdio.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -403,6 +403,41 @@ describe('server/discover probe window', () => {
await handle.close();
});

it('a pipelined cancellation of the probe followed by initialize still falls back to a working legacy session', async () => {
const { handle, request, notify, flush, eras, closed, errors } = await startEntry();

// The client pipelines all three messages without waiting for any
// answer: the probe, an enveloped cancellation naming the probe id
// (which aborts the in-flight discover handler, so the probe may
// legitimately never be answered), and the fallback 2025 handshake.
// The cancelled probe must not hold the connection: the handshake is
// answered and the legacy session is fully usable.
void request({ jsonrpc: '2.0', id: 'probe-1', method: 'server/discover', params: { _meta: envelope() } });
void notify({
jsonrpc: '2.0',
method: 'notifications/cancelled',
params: { requestId: 'probe-1', reason: 'negotiation aborted', _meta: envelope() }
});
const init = await request(initializeRequest(2));
expect(isJSONRPCResultResponse(init)).toBe(true);
if (isJSONRPCResultResponse(init)) {
expect((init.result as { protocolVersion?: string }).protocolVersion).toBe(LATEST_PROTOCOL_VERSION);
}

// The probe instance was discarded and the fallback is served end to
// end by a fresh legacy instance.
expect(eras).toEqual(['modern', 'legacy']);
expect(closed[0]).toBe(true);
expect(closed[1]).toBe(false);

const list = await request({ jsonrpc: '2.0', id: 3, method: 'tools/list', params: {} });
expect(isJSONRPCResultResponse(list)).toBe(true);
await flush();
expect(errors).toEqual([]);

await handle.close();
});

it('an enveloped non-discover request after the probe still pins the modern era', async () => {
const { handle, request, eras } = await startEntry();

Expand Down
Loading