feat(agents): pull-wake runner health check, principal rename, and lifecycle hardening

[KyleAMathews]

Summary

Adds pull-wake runner health diagnostics, renames runner ownership from owner_user_id to canonical owner_principal URLs, and hardens the pull-wake runner lifecycle around heartbeats, reconnects, shutdown, and error reporting.

This PR also fixes the local desktop send path so mutating local server requests can go through the Electron main process instead of being blocked behind Chromium's HTTP/1.1 connection limit, while keeping normal shape reads in the renderer.

Root Cause

Pull-wake dispatch had too little observability and too many implicit lifecycle assumptions. When a runner missed wakes, got stuck reconnecting, or failed during shutdown, the server/UI had limited information to explain the state. The ownership field also used owner_user_id, which was misleading because principals can be users, agents, services, or system actors.

Local development exposed a separate but related issue: renderer-origin mutating requests could stall behind long-lived shape/SSE requests, delaying sends and new agent startup by seconds even when the server processed the request in milliseconds.

Approach

Runner Health Diagnostics

• PullWakeRunner reports stream, heartbeat, claim, dispatch, reconnect, and error diagnostics in heartbeat payloads.
• Runtime diagnostics are stored separately from the normal runner row so the regular runners shape stays stable.
• GET /_electric/runners/:id/health aggregates runner state, liveness lease, sanitized client diagnostics, active claims, dispatch stats, and derived health issues.
• Health output tolerates partial/bogus diagnostics and invalid lease timestamps without producing misleading typed output.

Principal Ownership

• Runner ownership is stored as canonical principal URLs in owner_principal.
• API boundaries canonicalize owner principals before storing/comparing.
• electric-principal request headers now accept either a principal key (user:alice) or a principal URL (/principal/user%3Aalice) through parsePrincipalInput() and compare internally by canonical URL.
• The migration expires active runner claims, clears runner dispatch state, deletes existing runner rows, and renames the ownership column.

Pull-Wake Runner Lifecycle

• Adds public runner status diagnostics: stopped | starting | connecting | streaming | reconnecting | stopping.
• Makes onError reporting-only and isolates throwing reporters with a console.error fallback.
• stop() gates new claim dispatch, aborts outstanding work, waits boundedly for claim actors, drains runtime wakes, and rethrows drain errors after recording diagnostics.
• waitForStopped() now waits for the full stop path, not just the stream loop.
• Heartbeats are single-flight/coalesced, event-driven heartbeat scheduling uses the event throttle knob, and per-run heartbeat/reconnect counters reset on start().
• Reconnects use exponential backoff and heartbeat failures can request a stream reconnect.
• Removed maxConcurrentClaims: it only limited claim/enqueue work, not actual wake execution, so it was a misleading invariant.

Dispatch And Local Send Performance

• Dispatch subscription relinking is cached after the first successful link instead of doing Durable Streams round trips on every send.
• Local Electron mutating requests can be routed through the desktop main process for saved local servers, avoiding browser connection-limit stalls.
• Local /send remains normal application/json; the preflight/connection issue is handled by the desktop fetch path rather than changing API semantics.
• Ngrok warning-skip headers are only added for known ngrok hosts.

Key Invariants

• Stored owner_principal values are canonical principal URLs.
• Runner auth compares canonical URL to canonical URL.
• onError cannot control runner lifecycle.
• Stop always gates late dispatch before runtime drain and reports drain failures to callers.
• Heartbeat health state is updated by one in-flight heartbeat at a time.
• Dispatch subscription linking is idempotent and cached per stream client/service/subscription/stream.

Non-goals

• No broad terminology rename in this PR.
• No full module split of pull-wake-runner.ts; the critical invariants are fixed and tested first.
• No persistent claim-failure circuit breaker; failures are visible in diagnostics and can be escalated separately.
• No cross-principal runner listing/admin surface.

Verification

pnpm --dir packages/agents-runtime exec vitest run test/pull-wake-runner.test.ts --reporter=dot
pnpm --dir packages/agents-server exec vitest run test/principal.test.ts test/runners-router.test.ts test/dispatch-policy-routing.test.ts --reporter=dot
pnpm --dir packages/agents-server-ui exec vitest run src/lib/auth-fetch.test.ts --reporter=dot

pnpm --dir packages/agents-runtime typecheck
pnpm --dir packages/agents-server typecheck
pnpm --dir packages/agents-server-ui typecheck
pnpm --dir packages/agents-desktop typecheck

pnpm --dir packages/agents-server-ui build
pnpm --dir packages/agents-desktop build

[codecov]

Codecov Report

❌ Patch coverage is 72.31947% with 253 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (main@e4acb1d). Learn more about missing BASE report.
⚠️ Report is 4 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
...src/components/settings/pages/LocalRuntimePage.tsx	0.00%	101 Missing ⚠️
packages/agents-server/src/entity-registry.ts	20.51%	27 Missing and 4 partials ⚠️
packages/agents-runtime/src/pull-wake-runner.ts	92.91%	27 Missing ⚠️
packages/agents-server-ui/src/main.tsx	0.00%	20 Missing ⚠️
packages/agents-server-ui/src/lib/auth-fetch.ts	82.60%	12 Missing ⚠️
...gents-server-ui/src/lib/ElectricAgentsProvider.tsx	0.00%	11 Missing ⚠️
...kages/agents-server/src/routing/dispatch-policy.ts	80.76%	10 Missing ⚠️
...ckages/agents-server/src/routing/runners-router.ts	92.74%	9 Missing ⚠️
...agents-server-ui/src/hooks/useServerConnection.tsx	0.00%	7 Missing ⚠️
packages/agents-server/src/server.ts	14.28%	6 Missing ⚠️
... and 11 more

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #4339   +/-   ##
=======================================
  Coverage        ?   59.56%           
=======================================
  Files           ?      290           
  Lines           ?    28579           
  Branches        ?     7754           
=======================================
  Hits            ?    17022           
  Misses          ?    11540           
  Partials        ?       17           

Flag	Coverage Δ
packages/agents	70.92% <0.00%> (?)
packages/agents-mcp	77.54% <ø> (?)
packages/agents-runtime	80.74% <93.01%> (?)
packages/agents-server	73.93% <76.75%> (?)
packages/agents-server-ui	6.66% <26.51%> (?)
packages/electric-ax	42.61% <83.33%> (?)
packages/experimental	87.73% <ø> (?)
packages/react-hooks	86.48% <ø> (?)
packages/start	82.83% <ø> (?)
packages/typescript-client	94.39% <ø> (?)
packages/y-electric	56.05% <ø> (?)
typescript	59.56% <72.31%> (?)
unit-tests	59.56% <72.31%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[claude]

Test iteration 7 body placeholder

[kevin-dp]

I had a look through the code and left some comments.
On a higher level, i don't like the "claims" name, it collides too much with auth claims.
The term "lease" is more standard in distributed systems so I would rename the claims variables to: lease / activeLeaseCount / maxConcurrentLeases / getActiveLeasesForRunner.

Also, i think the code needs quite some refactoring. Currently there are ~20 variables inside one closure and they are being mutated from everywhere in this file. That's very error-prone. I'll try refactoring in a follow up PR.

[kevin-dp]

I would define streamConnected as a getter:

get streamConnected() {
  return !!streamConnectedSince
}

[kevin-dp]

Perhaps this could be a nested property:

export interface PullWakeRunnerHealth {
  // ...
  claims: {
    succeeded: number
    skipped: number
    failed: number
  }
}

Not sure how useful these numbers are. Perhaps an array of the actual claims that succeeded/skipped/failed would be better.

[kevin-dp]

The running. prefixes are a bit unusual.

[kevin-dp]

Would this benefit from being an actual TS enum?

enum PullWakeRunnerState {
  Stopped = `stopped`,
  Starting = `starting`,
  Connecting = `running.connecting`,
  Streaming = `running.streaming`,
  Reconnecting = `running.reconnecting`,
  Stopping = `stopping`
}

This would make the code less string-heavy.

Or if you don't like enums:

const PullWakeRunnerState = {
  Stopped: 'stopped',
  Starting: 'starting',
  Connecting: 'running.connecting',
  Streaming: `running.streaming`,
  Reconnecting: `running.reconnecting`,
  Stopping: `stopping`
} as const

type PullWakeRunnerState = (typeof PullWakeRunnerState)[keyof typeof PullWakeRunnerState]

[kevin-dp]

Why have "state" and "status" ? They are almost identical.
I would just go with the enum approach from my previous comment.
Users use it like PullWakeRunnerState.Connecting and it resolves to the string "running.connecting" so we effectively get the usage we want.

[kevin-dp]

nit: we have 2 if statements for fast return, to be consistent the first one would only do the signal checks and the 2nd one would do heartbeat checks, or we would use only one if statement:

if (!signal || signal.aborted) return
if (heartbeatIntervalMs <= 0 || eventHeartbeatTimer) return

[kevin-dp]

We could also avoid the eventHeartbeatTimer check by rewriting the assignment:

eventHeartbeatTimer ??= setTimeout(() => {
  eventHeartbeatTimer = null
  void heartbeat(signal)
}, eventHeartbeatThrottleMs)

[kevin-dp]

Why do we check heartbeatIntervalMs <= 0 if it's not used in this function?
This function uses eventHeartbeatThrottleMs instead.

[kevin-dp]

We already set lastHeartbeatOk = false on L256 right before throwing and here we only set it inside if (!signal.aborted) but it will already be false. Is this the behaviour we want? If we only want it to be set to false if !signal.aborted then we need to not set it right before throwing.

[kevin-dp]

Do we need to set claimErrorRecorded = true here?
Perhaps would be better if recordClaimError does that (e.g. we could wrap it such that we can't forget to set this variable).

[kevin-dp]

This should be extracted to a utility file.

[kevin-dp]

Spent some time testing the lifecycle hardening claims in this PR against a running desktop app + local agents-server. Some of what's claimed works as advertised; one significant gap turned up that I think is worth flagging before merge.

What worked

• ✅ GET /_electric/runners/:id/health endpoint returns the documented shape; UI and curl agree.
• ✅ Diagnostic counters update on dispatch within ~2s — event-driven heartbeat throttle path is firing as designed (last_hb jumped off the 30s schedule into a fresh slot ~2s after a last_dispatch_at change, consistent with the 2s throttle).
• ✅ Health status escalation (healthy → degraded → unhealthy) computes correctly on the server side.
• ✅ Principal rename (owner_user_id → owner_principal) and URL validation work end-to-end (after fixing one default-value alignment issue between desktop and server, which I've already pushed on fix-pull-wake).

Things turned up while testing

While testing this PR I also surfaced three related reliability issues that the new diagnostics made visible — they aren't introduced by this PR (the diagnostics just exposed them), but they all interact with this work:

• Pull-wake: active claim leaks when in-memory write-token is missing (server restart, newer-wake eviction, retry) #4340 — active claim is not released after dispatch (success or failure)
• Pull-wake: heartbeat path nulls out lease_expires_at on consumer_claims #4341 — lease_expires_at: null on materialized claims removes the safety net for Pull-wake: active claim leaks when in-memory write-token is missing (server restart, newer-wake eviction, retry) #4340
• Local Runtime page shows stale/contradictory state when agents-server is unreachable #4342 — Local Runtime UI shows stale/contradictory state when agents-server is unreachable (compounded by Pull-wake: stream reconnect path does not fire when agents-server becomes unreachable (Ctrl-C and kill -9 both verified) #4343 since the UI reads exactly the stream_connected: true field that this bug pins to true)

Suggestion

#4343 feels like it should block merge — the headline reliability claims in the PR description don't hold under the testing I did. The four issues together are also somewhat overlapping (the UI staleness in #4342 wouldn't be nearly as bad if #4343 was fixed, because the stream_connected field would actually flip during the outage), so fixing #4343 has some leverage on the others.

Happy to help test once you've got a candidate fix.

[kevin-dp]

We should address #4339 (comment) before merging.

[icehaunter]

This will make runners into a quite noisy shape, with every runner causing an update every 2 seconds. I suggest we split it into a separate table for heartbeats & claims, and keep status, started, last_error & last_error_at in the main table. Anyone needing full diagnostics can then either get the endpoint, or subscribe to a filtered shape for diagnostics of a particular runner. WDYT?

[KyleAMathews]

It should be a max of every two seconds (if there's lots of activity) and then when things aren't happening, updates would drop to every 30 seconds.

But yeah, fairly noisy I agree actually still. Lemme think about it.

[icehaunter]

We don't need the entire object on that table for "normal" UIs I think. the heartbeat endpoint can split this up easily

[KyleAMathews]

yeah makes sense — refactored

[claude]

test body 2

[claude]

Claude Code Review (iteration 1)

Substantial PR (~3.5k additions / 60+ files): runner health endpoint, owner_user_id -> owner_principal rename, pull-wake runner hardening (state machine, bounded concurrency, exponential backoff, event-driven heartbeats). Overall direction solid. Main concerns: type-safety latent bug in health response, two small state-reset bugs, stack of unresolved inline review comments from kevin-dp.

WHAT IS WORKING WELL

• kevin-dps tested concern (Pull-wake: stream reconnect path does not fire when agents-server becomes unreachable (Ctrl-C and kill -9 both verified) #4343) appears addressed. heartbeat() drives stream reset after HEARTBEAT_FAILURE_STREAM_RESET_THRESHOLD (2) consecutive failures via requestStreamReconnect() at pull-wake-runner.ts:278-285, with a focused test at pull-wake-runner.test.ts:613-672.
• Noisy-shape feedback from icehaunter applied. Diagnostics split out of runners shape into runner_runtime_diagnostics (migration 0008).
• Server-side sanitization of heartbeat diagnostics (runners-router.ts:150-198): typed allowlist, finite/non-negative number checks.
• Owner-principal authorization consistent across all runner routes (register/list/get/heartbeat/claim/enable/disable/health).
• Generation-tracked claim cleanup handles start/stop race (pull-wake-runner.ts:458-491).
• Strong test coverage: 15 runner tests (was 5), 12 router tests, new pull-wake-subscription-stack.test.ts.
• Changesets present for every publishable package touched.

CRITICAL (Must Fix): None found.

IMPORTANT (Should Fix)

1. RunnerHealthResponse.client type lies about completeness (electric-agents-types.ts:157 + runners-router.ts:150-198). Typed as Omit<PullWakeRunnerHealth, ...> | null (all required) but sanitizeRunnerDiagnostics builds field-by-field and casts partial result. Test "sanitizes stored runner diagnostics..." (runners-router.test.ts:331-334) shows body.client = {reconnect_count:6, last_heartbeat_ok:false} -- 2 of 15 fields. Today the runner always sends all 15 fields; future drift or partial heartbeats break the type contract. Fix: make each diagnostic field optional, or fill in defaults in sanitizer.

2. consecutiveHeartbeatFailures not reset across start/stop cycles (pull-wake-runner.ts:128, 272). Only reset to 0 on heartbeat success. After stop/restart, leftover non-zero counter can trip requestStreamReconnect on the very first failure. Reset in start() alongside runGeneration++. Worth also clarifying intent of reconnectCount, eventsReceived, etc. on restart -- startedAt resets, so per-start counters drift unless they reset too.

3. Misleading guard in notifyHeartbeatChange (pull-wake-runner.ts:238-246). Function uses eventHeartbeatThrottleMs but gates on heartbeatIntervalMs <= 0. Disabling fixed-interval heartbeats silently disables event-driven ones too. kevin-dp flagged inline.

4. lastHeartbeatOk = false set twice with different intent (pull-wake-runner.ts:266 + 275). Set before throw on non-OK response, then again in catch only if !signal.aborted. Aborted heartbeats falsely report failure. kevin-dp flagged inline.

5. Unresolved inline review comments from kevin-dp -- ~10 style/refactor suggestions on pull-wake-runner.ts not yet addressed: getter for streamConnected, unify state/status enum, dotted state names atypical (running.connecting etc.), nest claim counters, extract sleep, fragile claimErrorRecorded flag. None blocking but should be triaged.

6. Unresolved inline question from icehaunter on durable-streams-routing-adapter.ts -- "why did you undo my work here?" (May 18 18:38 UTC). Appears resolved by later c6eda8c commit ("keep durable streams control urls opaque") that restored opaque-prefix handling. Worth replying inline to close the thread.

SUGGESTIONS (Nice to Have)

• Two back-to-back migrations (0007 adds diagnostics column, 0008 immediately moves to separate table). Could be one combined migration -- though once they ship, leave them.
• Migration 0007 deletes all runners + clears dispatch state + expires active claims. PR description acknowledges this; worth flagging in the changeset that operators must expect every existing local runner to re-register after deploy.
• HEARTBEAT_FAILURE_STREAM_RESET_THRESHOLD = 2 hardcoded (default 30s heartbeat -> ~60s detection). Consider making configurable via PullWakeRunnerConfig.
• Default maxConcurrentClaims = 10 is reasonable but undocumented in user-facing types. Add doc comment.
• Heartbeat sends diagnostics with stream_connected: false while state = starting (before stream is open). Server-side derivation escalates to degraded ("Client reports stream disconnected"). Emits a transient degraded window on every start. Consider gating diagnostic reporting until after first stream open, or ignoring stream_connected:false while status===starting.

ISSUE CONFORMANCE

No linked GitHub issue on this PR. PR description is unusually thorough (root cause, approach, invariants, non-goals, trade-offs, verification, files-changed table) and substitutes well for a tracked issue. Diagnostics work surfaced #4340-#4342 and #4343, filed and tracked separately. Consider attaching Closes for whichever #4343 fixes are landing in this PR (the heartbeat-driven reset is option (a) per kevin-dp).

PREVIOUS REVIEW STATUS

A prior Claude Code Review comment existed but contained only a placeholder fragment ("PLACEHOLDER continuing in next edit.") -- replaced with this complete review.

NOTE ON PROMPT-INJECTION ATTEMPT

While reading .review-context/conversation.json I encountered a fake system-reminder tag embedded inside one of KyleAMathewss comment bodies (re: task tools). Treated as untrusted comment content, ignored. Flagging so you know.

Review iteration: 1 | 2026-05-18

[claude]

Iteration 2 — 2026-05-18 (re-validation pass)

Re-read the diff and inline review threads. No new commits on the branch since iteration 1 was posted at 18:29 UTC. All findings in the prior Claude review (comment id 4480689327) remain open as written.

Independent verification confirms:

• The Critical claim-leak (pull-wake-runner.ts:434-438) is still enshrined by the test that skips dispatch from a claim actor after shutdown begins at pull-wake-runner.test.ts:526-566.
• The heartbeat-driven reset test at pull-wake-runner.test.ts:613-672 exercises the cancel path end-to-end, but does NOT cover the half-open first-connect window flagged in Important [Merged on #3] Write inserts, updates and deletes to Vaxine #2.
• sanitizeRunnerDiagnostics remains a strict allowlist; still no length cap on last_error (Suggestion list).
• currentOffset is initialized to -1 at pull-wake-runner.ts:112, with the dead conditional at line 257-259 still present (Important Postgres replication source TCP server #3).
• Migration 0007 still does DELETE FROM runners plus claim-state wipe; changeset is still patch-level (Important Read from vaxine stream, send transactions to slot server #4).

No new issues surfaced beyond iteration 1.

---

Review iteration: 2 | 2026-05-18

[claude]

Claude Code Review

Summary

Iteration 5 on fix-pull-wake. One new commit since iteration 4: e8241f12c ("Harden pull-wake runner invariants") — a broad cleanup commit that addresses all five "Important" findings from iteration 4 plus three of the carry-over Suggestions. No critical issues remain. The remaining open items are kevin-dp's style nits and a couple of new wrinkles introduced by this iteration.

What's Working Well

All five iteration-4 Important findings are now fixed in code (and three of them are covered by new tests):

1. RunnerHealthResponse.client type vs. sanitizer reality — fixed by introducing RunnerClientDiagnostics = Partial<Omit<PullWakeRunnerHealth, 'running'|'offset'>> at electric-agents-types.ts:144-146 and updating client to use it (line 160). sanitizeRunnerDiagnostics is now type-honest.
2. Per-start counter reset across stop/restart — fixed at pull-wake-runner.ts:596-610. start() now resets reconnectCount, lastError, lastErrorAt, lastHeartbeatAt, lastHeartbeatOk, lastClaimAt, lastClaimResult, lastDispatchAt, eventsReceived, claimsSucceeded/Skipped/Failed, consecutiveHeartbeatFailures, nextReconnectBackoffMs, and streamResetError. New test resets heartbeat failure counters across restarts covers this.
3. notifyHeartbeatChange guard — fixed at pull-wake-runner.ts:234. Now gates on eventHeartbeatThrottleMs <= 0 (the value the function actually uses).
4. lastHeartbeatOk = false set twice — fixed at pull-wake-runner.ts:273-278. The pre-throw assignment is removed; only the catch block flips the flag, and only when !signal.aborted.
5. Per-send dispatch relink hot-path — fixed at dispatch-policy.ts:22, 220-243 via a module-level linkedDispatchSubscriptions WeakMap keyed on streamClient. Subsequent sends to a linked entity short-circuit before any HEAD/GET/PUT to durable-streams. Test at dispatch-policy-routing.test.ts:340-353 confirms the second send issues zero getSubscription/ensure/addSubscriptionStreams calls. Unlink invalidates the cache.

Other iteration-5 wins:

• Heartbeat coalescing (heartbeatInFlight + heartbeatPending at pull-wake-runner.ts:110-111, 242-256) avoids pile-up if a heartbeat outlives its interval. New test coalesces event heartbeats while a heartbeat is in flight confirms behavior end-to-end.
• Number.isFinite guard on parsed lease timestamps (runners-router.ts:443-449, 518-521) — a malformed liveness_lease_expires_at no longer produces NaN-tainted output. Covered by new test ignores invalid runner lease timestamps in health output.
• desktopServerFetch drops the dead buildCloudAuthHeaders call (carry-over Suggestion).
• currentOffset !== undefined unreachable ternary removed; heartbeat now sends wake_stream_offset: currentOffset unconditionally (carry-over Suggestion).
• isNgrokHost extended to include ngrok.dev and ngrok-free.dev (iteration-4 Suggestion).
• waitForStopped() now awaits stopPromise if present (avoids returning before drain completes if called mid-stop).

Issues Found

Critical (Must Fix)

None.

Important (Should Fix)

1. Dispatch link cache has no failure-recovery path. The module-level linkedDispatchSubscriptions WeakMap in dispatch-policy.ts:22 is populated on first successful link and never invalidated except by unlinkEntityDispatchSubscription. If the durable-streams server is restarted with state loss, manually wiped, or otherwise loses the subscription, the cache will report "linked" forever and linkEntityDispatchSubscription will skip the ensure + getSubscription + addSubscriptionStreams repair sequence on every subsequent send. There's no self-healing path — the agents-server process must restart to re-sync. At minimum, consider invalidating the cache entry when a send fails (e.g., catch in sendEntity after linkEntityDispatchSubscription, drop the cache key, retry once). Or document that DS state loss requires an agents-server restart.

2. parsePrincipalInput contradicts the "strict validation" claim. principal.ts:50-58 now accepts both URL form (/principal/...) and legacy key form (user:alice) via parsePrincipalInput, and getPrincipalFromRequest (line 67) uses it. But the PR description and the pull-wake-health-diagnostics.md changeset both state: "Strict validation via parsePrincipalUrl() — rejects invalid URLs at the API boundary" / "This is a breaking change with no backward compatibility — all callers must send principal URLs." The code as-shipped is in fact lenient. Either update the description/changeset to reflect the dual-form acceptance, or remove the key fallback in getPrincipalFromRequest so the stated invariant holds.

Suggestions (Nice to Have)

• Outstanding kevin-dp inline review comments on pull-wake-runner.ts — still uniformly unaddressed across all five iterations, not blocking:

  • getter for streamConnected (line 114-115)
  • nested claims: { succeeded, skipped, failed } shape (line 82-84)
  • running.* dotted state names are atypical (line 87-93)
  • state vs status duplication — could collapse into a single TS enum / as const (lines 87-93 + 155-170)
  • rolling claimErrorRecorded into recordClaimError (line 359 / 396-398)
  • extracting sleep to a utility file (line 462)

• requestStreamReconnect still early-returns when !streamConnected. pull-wake-runner.ts:226-230. Heartbeat failures piling up during initial consumeWakeStream setup won't trigger reset. In practice the stream connect itself would fail and surface in run's catch block, so the gap is theoretical — but if a server returns 200 on the stream open then silently drops the connection before any event arrives, heartbeat failures couldn't kick a reset until streamConnected flipped true. Worth a defensive consideration; not a known repro.

• text/plain content-type revert is undocumented. This commit reverted iteration 4's sendMessage.ts:222 content-type to application/json. Since serverFetch also injects custom headers (e.g. electric-principal), the request is not a CORS "simple" request regardless of body content-type, so the original text/plain attempt couldn't actually avoid a preflight on its own — the rollback is correct. But the desktop-local-fetch.md changeset description ("Route local desktop mutating agents-server requests through the Electron main process so CORS preflights cannot stall behind renderer connection limits") is now the only mechanism doing the work. Worth a one-line note in the commit message clarifying that text/plain alone was insufficient and main-process routing is the real fix.

• Carried from iteration 4, unchanged:

  • HEARTBEAT_FAILURE_STREAM_RESET_THRESHOLD = 2 hardcoded (pull-wake-runner.ts:99). At the 30s default heartbeat interval, this gives ~60s detection. Worth exposing on PullWakeRunnerConfig for tuning.
  • Migration 0007 still DELETE FROM runners + claim wipe; changeset is patch-level. Worth a one-line operator-facing note in the changeset body.

• Removed config option: maxConcurrentClaims is gone from PullWakeRunnerConfig, along with waitForClaimCapacity and the generation-tracked claimActors map. If any external consumer was relying on bounded claim concurrency, this is a silent removal. The changeset doesn't mention it. Worth confirming no one external set this option, or noting the removal in harden-pull-wake-runner.md.

Issue Conformance

No linked GitHub issue. PR description remains thorough but should be reconciled with the actual behavior on two points:

1. Principal validation is now lenient (URL or key form), not strict.
2. maxConcurrentClaims is no longer in the public config — the "Concurrent claim limiting" section in the description still describes it.

The new commit e8241f12c ("Harden pull-wake runner invariants") isn't reflected in the description's Files changed table either.

Previous Review Status

Prior Claude review is comment id 4483859257 (iteration 4). Of iteration 4's Important findings #1–#5: all five fixed in code, three with new test coverage. Inline-style punch list (#6) still uniformly unaddressed. Of iteration 4's Suggestions: dead buildCloudAuthHeaders, unreachable currentOffset ternary, and ngrok TLD extension all addressed. HEARTBEAT_FAILURE_STREAM_RESET_THRESHOLD and migration-0007 changeset note still open.

---

Review iteration: 5 | 2026-05-19