What is the 'Neural Link'?

The Neural Link is a bi-directional bridge that connects AI agents (like Gemini or Claude) directly to the Neo.mjs runtime. It allows agents to 'see' the application's Scene Graph, inspect component state, verify event listeners, and even mutate the running application in real-time. This turns the application into a 'glass box' for AI, enabling autonomous debugging and feature development.

Why is Neo.mjs called an 'Application Engine' instead of a framework?

Traditional frameworks are general-purpose libraries (like a Toyota) that help you organize code, but they compile away into ephemeral DOM nodes. Neo.mjs is a precision-engineered runtime (like an F1 car), similar to Unreal Engine for games. It maintains a persistent 'Scene Graph' of objects in a separate worker thread. These objects retain their identity, state, and relationships, allowing for advanced capabilities like multi-window orchestration, runtime permutation, and deep AI introspection that are impossible with 'melted plastic' DOM-based frameworks.

What is 'Context Engineering'?

Context Engineering is the practice of curating the environment and information flow for AI agents to maximize their autonomy. In Neo.mjs, this is implemented via three Model Context Protocol (MCP) servers: a Knowledge Base for semantic code understanding, a Memory Core for learning from past sessions, and a GitHub Workflow server for project management. This ecosystem allows agents to work as fully integrated members of the development team.

What is 'Object Permanence' in the context of Neo.mjs?

In Neo.mjs, UI components are persistent JavaScript objects living in the App Worker, not just transient rendering results. This 'Object Permanence' means a component (like a Dashboard) maintains its state (scroll position, user input, internal logic) even if it is detached from the DOM or moved to a different browser window. This is the 'Lego Technic' approach versus the 'Duplo' approach of traditional frameworks.

What is an 'Agent Operating System'?

Neo.mjs v11 introduced the concept of an Agent OS, where the platform itself provides the tools and interfaces for AI agents to operate. It combines a standalone, type-safe AI SDK for autonomous 'Code Execution' with the Neural Link for runtime control. This enables agents to monitor, debug, and heal the application autonomously, effectively acting as an operating system for synthetic intelligence.

How does Neo.mjs handle multi-window applications?

Neo.mjs uses shared web workers to run a single application instance across multiple browser windows. All windows share the same application state and data in real-time. Components can even move between windows while retaining their JavaScript instances. This enables desktop-class experiences like multi-window IDEs, browser-based email clients, and multi-screen control rooms.

What makes Neo.mjs different from React, Angular, or Vue?

Neo.mjs is fundamentally different in its architecture: (1) It uses True Multithreading via web workers to prevent UI jank, (2) It is an AI-Native Application Engine with built-in bridges for AI collaboration, and (3) It treats components as persistent objects in a Scene Graph, enabling native multi-window support and runtime permutation.

Frontmatter

id	10648
title	Add wake reactivation gate and circuit breaker
state	Closed
labels	bugairegressionarchitecture
assignees	neo-opus-4-7
createdAt	May 3, 2026, 4:54 PM
updatedAt	May 3, 2026, 5:40 PM
githubUrl	https://github.com/neomjs/neo/issues/10648
author	neo-gpt
commentsCount	0
parentIssue	10647
subIssues	[]
subIssuesCompleted	0
subIssuesTotal	0
blockedBy	[]
blocking	[]
closedAt	May 3, 2026, 5:40 PM

Add wake reactivation gate and circuit breaker

Name: Neo.mjs Application Engine
Author: Neo.mjs

Closedbugairegressionarchitecture

neo-gpt commented on May 3, 2026, 4:54 PM

Context

Child of #10647. Wakeups and heartbeat are intentionally disabled after the 2026-05-03 regression burst. The immediate failure mode was not just one bad shortcut or one stale cache entry: the scheduler/recovery path was allowed to continue taking high-authority actions while the substrate was in an unsafe state.

Observed unsafe outcomes:

fresh Claude sessions spawned repeatedly while active sessions were still unfinished;
Antigravity accepted a wake payload into editor/file content instead of the agent prompt surface (#10644);
Codex wake bootstrap could not reliably hydrate its AgentIdentity template after restart (#10645);
checkSunsetted can still extract legacy origin rows (#10643);
all-agent-idle/cooldown and steady-state session-id follow-ups remain open (#10633, #10627).

Duplicate Sweep Notes

Creation sweep performed as part of #10647:

Live latest-20 open GitHub issues were read with number/title/author/labels/URL. Adjacent entries included #10645, #10644, #10643, #10633, #10627, #10604, #10601, #10517, #10442, #10422; no open ticket owned a circuit breaker that blocks heartbeat/resume actions while wake delivery is unsafe.
Local resource search found generic prior "circuit breaker" language in #9866 and earlier wake validation gaps in #10440, but no current wake-reactivation safety gate.
ask_knowledge_base(type: 'ticket') found no equivalent ticket for this reactivation gate.

The Problem

The wake/recovery substrate currently has no fail-closed coordination primitive. When one layer is broken, other layers can still run and amplify the damage.

Examples:

A stale or weak sunset detector can authorize fresh-session spawning.
A bridge adapter can log delivery success even when payload lands in the wrong UI surface.
Heartbeat can keep looping after an unsafe delivery signal unless a human kills the processes.
Narrow fixes can merge and make one symptom disappear without proving the scheduler is safe to turn back on.

The minimum rule should be: when wake delivery is unsafe or unverified, the scheduler must no-op and report, not spawn/steer/paste.

The Architectural Reality

Likely ownership surfaces:

ai/scripts/swarm-heartbeat.sh — scheduler / heartbeat loop.
ai/scripts/checkSunsetted.mjs — sunset predicate that must not authorize recovery from stale memory alone.
ai/scripts/resumeHarness.mjs — fresh-session / boot-grounding executor.
ai/scripts/bridge-daemon.mjs — delivery adapter observability and unsafe-delivery signals.
Memory Core wake subscription state — durable source for whether a subscription is active, disabled, or intentionally sunsetted.

This ticket should not replace #10643/#10644/#10645. It protects the scheduler from acting while those local fixes are incomplete or while a new unsafe signal appears.

The Fix

Add an explicit wake safety gate that heartbeat/resume paths must consult before taking any high-authority action.

Possible implementation shapes:

A durable/local wake safety state, e.g. a small file under .neo-ai-data/wake-daemon/ or an existing graph/log primitive, with states like enabled, disabled, tripped, and a reason.
Scheduler checks in swarm-heartbeat.sh before invoking recovery/resume logic.
Resume checks in resumeHarness.mjs so direct invocations also fail closed when unsafe.
Unsafe signal recording when the bridge or validation path observes: payload landed outside prompt surface, osascript failure, missing subscription template, unexpected fresh-session spawn, or unresolved explicit sunset ambiguity.
A deliberate override path controlled by @tobiu/operator input, not by a passing unit test alone.

Acceptance Criteria

Heartbeat/resume paths consult a wake safety gate before spawning or steering any harness session.
The default current state after this incident can be represented as disabled/tripped with a human-readable reason.
If the gate is disabled/tripped, swarm-heartbeat.sh no-ops for high-authority actions and logs/report the reason.
resumeHarness.mjs also refuses direct fresh-session spawn when the gate is disabled/tripped, unless an explicit operator override is provided.
Fresh-session spawn requires an explicit sunset/unsubscribe predicate; stale AGENT_MEMORY, idle age, or ambiguous origin extraction cannot authorize spawn.
Tests cover: unsafe gate blocks heartbeat, unsafe gate blocks direct resume, explicit override works, and active/non-sunset state does not spawn a fresh session.
The gate can be reset only after the #10647 prompt-landing matrix passes or @tobiu explicitly accepts the residual risk.

Out of Scope

Fixing Antigravity's current keybinding/prompt-surface regression (#10644).
Fixing AgentIdentity cache hydration (#10645).
Fixing checkSunsetted ordering (#10643), except as a dependency for trustworthy authorization.
Implementing HarnessPresence/wakePolicy semantics in full (#10517).
Reactivating heartbeat as part of this ticket.

Avoided Traps

Trap: assume a killed process is the safety mechanism. Rejected. Manual process killing is an emergency brake, not architecture.
Trap: treat one passing unit test as permission to reactivate. Rejected. The gate needs cross-harness validation before reset.
Trap: place the guard only in heartbeat. Rejected. Direct resumeHarness.mjs invocation must also fail closed.
Trap: use stale memory as sunset authority. Rejected. #10642 removed this class; this ticket prevents reintroduction.

Parent epic: #10647.
Grandparent epic: #10601.
Dependencies/adjacent: #10517, #10627, #10633, #10643, #10644, #10645.

Origin Session ID: 89b259c3-27ec-4afb-baaf-fd39b55bffe1

Retrieval Hint: wake reactivation gate circuit breaker heartbeat resumeHarness unsafe delivery fresh session spawn.

tobiu referenced in commit 8f5bdc4 - "feat(ai): add wake safety gate and circuit breaker (#10648) (#10653) on May 3, 2026, 5:40 PM

tobiu closed this issue on May 3, 2026, 5:40 PM

tobiu referenced in commit 7a7d362 - "docs(agentos): add wake substrate incident protocol (#10650) (#10655) on May 3, 2026, 7:00 PM

tobiu referenced in commit 75c72cd - "feat(ai): per-identity idle-out A2A heartbeat nudge dispatcher (#10675) (#10690) on May 4, 2026, 3:23 PM