Greptile Summary

This PR replaces the old fire-and-forget monitorWebSocket with a proper supervisor loop that polls getReconnectInfo().lastConnectTime to detect when the Lark SDK silently exhausts its retry budget, then closes the dead client, waits with exponential backoff, and creates a fresh one — mirroring the Slack/Telegram patterns and fixing the 6-hour production outage where the gateway went dark after a network disruption.

The overall approach is solid and directly addresses the bug. A few items worth verifying before merge:

• Stall detection / backoff semantics depend on lastConnectTime SDK behaviour — the correctness of both the "no false stall on healthy connections" guarantee and the supervisorAttempt reset hinge on whether getReconnectInfo().lastConnectTime stays 0 for sessions that have never needed a reconnect, and whether it advances on failed attempts or only successful ones. If the initial connect updates it, healthy connections would be evicted after 90 s. If failed attempts advance it, the exponential backoff effectively collapses to always 5 s. A short comment citing the confirmed SDK source location would future-proof this.
• Dead no-op try/catch around createFeishuWSClient (just rethrows) is cleanup debt.
• Two consecutive JSDoc blocks describing supervisorAttempt should be merged into one.

Confidence Score: 4/5

• Safe to merge once the lastConnectTime SDK semantics are confirmed; the supervisor loop itself is well-structured and addresses the production bug.
• The core fix is correct and well-documented. Two P2 style issues (dead try/catch, duplicate comment) are trivial. The logic concern around getReconnectInfo().lastConnectTime semantics is the only item that could represent a real defect — specifically, if lastConnectTime updates on the initial connect then healthy sessions would be evicted every 90 s, and if it updates on failed attempts then the exponential backoff is effectively disabled. Confirming SDK behaviour (with a comment/source reference) before merge is warranted, dropping the score from 5 to 4.
• extensions/feishu/src/monitor.transport.ts — confirm getReconnectInfo().lastConnectTime semantics (lines 196–233)

This is a comment left during a code review.
Path: extensions/feishu/src/monitor.transport.ts
Line: 276-282

Comment:
**No-op `try/catch` is dead code**

The `try/catch` around `createFeishuWSClient` only re-throws without any special handling, so it has no effect. Removing it keeps the intent clearer and avoids the impression that there is error-specific logic here. Any synchronous throw from `createFeishuWSClient` (e.g. missing credentials) will still propagate out of the `while` loop and through the outer `try/finally` to clean up state correctly.

```suggestion
      wsClient = createFeishuWSClient(account);
```

Or, keeping the `let` declaration:
```ts
let wsClient: Lark.WSClient;
wsClient = createFeishuWSClient(account);
```

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: extensions/feishu/src/monitor.transport.ts
Line: 251-267

Comment:
**Duplicate JSDoc blocks should be merged**

There are two back-to-back JSDoc comment blocks describing the supervisor loop and `supervisorAttempt`. These should be merged into a single block to avoid confusion about which comment applies to which thing.

```suggestion
  /**
   * Supervisor loop: each iteration creates a fresh WSClient and runs it until
   * either (a) the abort signal fires or (b) the SDK silently exhausts its
   * internal retry budget (stall detected). On stall we close the dead client,
   * wait with exponential backoff, then start a fresh cycle.
   *
   * `supervisorAttempt` counts consecutive boot-time failures (cycle stalled
   * before any successful connect). It resets to 0 whenever the SDK records a
   * successful connection, so a runtime network disruption that causes a stall
   * does not accumulate against the boot-time backoff schedule.
   */
  let supervisorAttempt = 0;
```

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: extensions/feishu/src/monitor.transport.ts
Line: 196-233

Comment:
**Stall detection and backoff reset correctness depend on `lastConnectTime` semantics**

The correctness of two closely related invariants hinges on exactly when the Lark SDK updates `getReconnectInfo().lastConnectTime`:

**1. False-stall risk for healthy connections**

The comment on `FEISHU_WS_STALL_DETECT_MS` says "a healthy long-lived connection that has never needed to reconnect does NOT trigger a false stall." That guarantee only holds if `lastConnectTime` stays `0` for a connection that has never needed to reconnect. Once `lastConnectTime` becomes non-zero (`staleSinceMs` is set), a healthy connection that remains stable for 90+ seconds without further SDK activity will satisfy `idleMs >= FEISHU_WS_STALL_DETECT_MS` and be falsely evicted.

If the SDK sets `lastConnectTime` on every connection attempt — including the very first one — every successful connection would begin a countdown of at most 90 s before a spurious restart.

**2. Backoff reset may fire too eagerly**

`hadSuccessfulConnect` is set to `true` the first time `lastConnectTime` becomes non-zero (line 206: `isFirstConnect` check calls `onFirstConnect`). If `lastConnectTime` advances on any connection attempt (including failed ECONNRESET retries), `hadSuccessfulConnect` becomes `true` during the first SDK retry cycle even if the connection was never actually established. When that cycle eventually stalls, `supervisorAttempt` is reset to `0` and the backoff stays at the minimum 5 s forever — the intended distinction between "boot-time failure" and "runtime disruption" disappears.

**Suggested verification**

It would be worth adding a comment or an inline source reference (e.g. `// larksuite/node-sdk src/ws/client.ts:L…`) documenting the confirmed SDK semantics: does `lastConnectTime` advance only on reconnect attempts (i.e. after the first successful connect), or on every connect attempt including the initial one? If the former, both invariants hold as-is; if the latter, the stall guard and the backoff reset both need adjusting.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "fix(feishu): add supervisor loop to reco..." | Re-trigger Greptile}

Thanks for the detailed review. All three items have been addressed in the latest push (aea91c8):

P1 — Bot identity cleared on supervisor restart (now fixed)

Confirmed the bug: botOpenIds.delete(accountId) and botNames.delete(accountId) were in the per-cycle finally block, which runs on every stall-driven restart — not only on shutdown. After the first reconnect cycle, checkBotMentioned() would find no botOpenId and group accounts requiring a mention would go silent.

Fix: the per-cycle finally now only calls wsClients.delete(accountId). Bot identity maps are cleared solely in the outer finally (the true shutdown path). Added a regression test in monitor.cleanup.test.ts that uses fake timers to simulate a full stall+restart cycle and asserts that botOpenIds/botNames survive into the next cycle.

lastConnectTime SDK semantics — confirmed and fixed

Read the SDK source at dist/extensions/feishu/node_modules/@larksuiteoapi/node-sdk/lib/index.js (WSClient.reConnect). Confirmed: lastConnectTime is set inside tryConnect(), which is called on every connection attempt — including the very first start() call via reConnect(isStart=true). It is not limited to reconnect-after-drop scenarios.

The original code started the stall clock on the first non-zero lastConnectTime observation. This would falsely evict any healthy long-lived connection after 90 s, contradicting the guarantee stated in the FEISHU_WS_STALL_DETECT_MS comment.

Fix: introduced a connectChangeCount counter. The stall clock now only starts after the second lastConnectTime change — i.e. the first genuine reconnect attempt (triggered by the WebSocket close handler calling reConnect(isStart=false)). The FEISHU_WS_STALL_DETECT_MS JSDoc and runFeishuWSClientUntilDead JSDoc have been updated to document the confirmed SDK behavior with a source reference.

The backoff reset via hadSuccessfulConnect / onFirstConnect is not affected: it fires on the first connect attempt regardless, which is the correct heuristic for distinguishing boot-time failure from runtime disruption.

Dead no-op try/catch — removed

The try { wsClient = createFeishuWSClient(account) } catch (err) { throw err } block has been removed. Any synchronous throw from createFeishuWSClient (e.g. missing credentials) still propagates through the outer try/finally for correct cleanup.

Duplicate JSDoc blocks — merged

The two back-to-back JSDoc blocks describing the supervisor loop and supervisorAttempt have been merged into one.

Rebase

The branch has been rebased onto current upstream/main. The only conflict was the import line: upstream introduced safeEqualSecret from browser-support to replace the inline timingSafeEqualString helper. Both the new upstream import and the PR's computeBackoff/sleepWithAbort imports are now present.

CI failures

• checks-fast-extensions: failure in extensions/matrix/src/matrix/monitor/events.test.ts (room ID assertion !fallback:example.org vs !dm:example.org) — pre-existing Matrix extension issue, unrelated to this PR.
• checks-windows-node-test-3, -4, -6: src/tasks/flow-registry.store.test.ts timeout at 120 s — pre-existing Windows runner flake, unrelated to this PR.

Re: Codex review PRR_kwDOQb6kR87xtZOm (P2 — base backoff on confirmed connection, not first attempt)

Fixed in ba25f3d.

Replaced onFirstConnect with onConfirmedConnect. The poll loop now tracks connectedAndStableCount: incremented each tick where lastConnectTime is non-zero, stable (unchanged from last tick), and the stall clock has not started. hadSuccessfulConnect is set to true only after FEISHU_WS_STABLE_TICKS_REQUIRED = 2 consecutive stable ticks (~20 s of confirmed liveness).

In the startup-outage scenario you described: the first attempt fires and lastConnectTime advances, but before two stable ticks accumulate the SDK moves to a reconnect attempt — connectedAndStableCount resets to 0, onConfirmedConnect never fires, hadSuccessfulConnect stays false, and supervisorAttempt keeps incrementing → full exponential backoff applies correctly.

The connectChangeCount/stall-clock logic from the previous commit is unchanged. Two new regression tests in monitor.cleanup.test.ts cover both paths:

• Startup outage: reconnect fires before stable ticks accumulate → supervisorAttempt >= 1
• Normal recovery: stable ticks accumulate before any reconnect → supervisorAttempt == 0

Re: CI failure checks-node-channels-3 — WhatsApp extension test

The failing test extensions/whatsapp/src/action-runtime.test.ts > applies default account allowFrom when accountId is omitted asserts status: 403 on a ToolAuthorizationError, but that class only sets this.name — it has no status property in the current codebase (extensions/whatsapp/src/runtime-api.ts:50). This test failure is pre-existing on upstream main and is completely unrelated to the Feishu supervisor changes in this PR. No fix attempted here.

Addressing Codex P1 (review #4055460051)

Root cause of the false-stall issue: lastConnectTime is set inside tryConnect() on every connection attempt (confirmed in SDK source at WSClient.reConnect → tryConnect). This means it's indistinguishable whether a stable lastConnectTime reflects "SDK reconnected successfully" or "SDK exhausted retries and stopped." Simple stable-tick counting can't disambiguate the two cases.

Fix (b05a8320f8): After FEISHU_WS_STABLE_TICKS_REQUIRED consecutive stable poll ticks while the stall clock is running, we check wsClient.wsConfig?.getWSInstance()?.readyState. If the underlying WebSocket is OPEN (readyState === 1), the reconnect succeeded — we clear staleSinceMs. If it's CLOSED/CONNECTING or the accessor is unavailable (SDK refactor safeguard), the stall clock continues and fires normally.

Tradeoffs documented:

• Accesses the non-public wsConfig property — wrapped in try/catch so future SDK changes degrade gracefully to the original behaviour
• The readyState check is gated on FEISHU_WS_STABLE_TICKS_REQUIRED ticks (~20 s) to avoid clearing prematurely while a handshake is still in progress

Tests added:

• "clears stall clock after successful reconnect" — readyState OPEN + stable → no false supervisor restart after 90 s
• "stall fires when reconnect socket is not OPEN" — readyState CLOSED → stall detected and second supervisor cycle started

All 8 cleanup tests pass.

Addressing Codex P2 (2026-04-06, line 267)

Issue: onConfirmedConnect could fire falsely during the SDK's reconnect nonce delay (up to 30 s). After a failed initial connect, lastConnectTime is already non-zero and stable — so FEISHU_WS_STABLE_TICKS_REQUIRED (2 ticks ≈ 20 s) is reached before the nonce expires. This set hadSuccessfulConnect = true with no actual connection, preventing exponential backoff from escalating on boot-time failures.

Fix (99d18b4893): Gate onConfirmedConnect on the same getWsReadyState() helper introduced in the previous commit. Confirmation fires only when readyState === 1 (OPEN) or when the accessor is unavailable (null — backward-compatible fallback to stable-tick behavior for tests/future SDK changes). If readyState is known but not OPEN (e.g., 0=CONNECTING during nonce wait), the callback is deferred until the socket is actually open.

getWsReadyState() is now a shared helper covering both: confirmed-connect detection and post-reconnect stall-clock clearing.

Regression test added: "does not confirm connection during nonce delay" — readyState = 0 (CONNECTING) blocks onConfirmedConnect for 2 stable ticks; after the nonce fires and all retries stall, computeBackoff is called with attempt ≥ 1.

All 9 cleanup tests pass.

Thanks for the context here. I swept through the related work, and this is now duplicate or superseded.

Close as superseded by the maintainer-labeled Feishu recovery PR #73739. Current main still lacks post-start SDK retry-exhaustion recovery, but the same #52618 work is now tracked in a current-main replacement path, while this branch is dirty/stale and adds raw supervisor error logging that should not be carried forward.

So I’m closing this here and keeping the remaining discussion on the canonical linked item.