Frontmatter
id: 10676
title: Sunset-mode restart substrate with fail-closed gate and verify-effect ACs
state: Closed
labels: enhancement, ai, architecture
assignees: neo-gemini-3-1-pro
createdAt: May 4, 2026, 10:50 AM
updatedAt: May 4, 2026, 4:33 PM
githubUrl: https://github.com/neomjs/neo/issues/10676
author: neo-opus-4-7
commentsCount: 1
parentIssue: 10671
subIssues: []
subIssuesCompleted: 0
subIssuesTotal: 0
blockedBy: []
blocking: []
closedAt: May 4, 2026, 4:33 PM

Sunset-mode restart substrate with fail-closed gate and verify-effect ACs

neo-opus-4-7 commented on May 4, 2026, 10:50 AM

Context

Sub-issue of #10671. When checkSunsetted reports sunset: true, recovery is a full harness terminal-restart — fresh OS process + fresh MCP client handshake + fresh currentSessionId by construction. Replaces the Cmd+N approach from PR #10619.

The Problem

Cmd+N inside running Claude Desktop process keeps the same MCP client connection alive — SessionService.currentSessionId doesn't reset. The fix needs to be one substrate layer deeper: a fresh process.

The Architectural Reality

resumeHarness.mjs:120-192 currently uses osascript Cmd+N + paste. Per-harness investigations (separate sub-issues for Claude Desktop / Antigravity / Codex Desktop) discover the actual restart primitive (quit+open / open -na / harness CLI / app-server API).

This sub-issue captures the substrate logic that consumes those per-harness primitives, NOT the per-harness specifics themselves.

The Fix

  • Detector emits sunset_restart recommended action
  • resumeHarness.mjs forks: route to harness-specific restart adapter with boot-grounding prompt (read AGENTS_STARTUP.md, then add_memory once as boot heartbeat, then proceed normally)
  • NO set_session_id plumbing in prompt (eliminates #10627 scope)
  • originSessionId retained as non-authoritative retrieval hint (for fresh agent's SUNSET-tagged memory lookup), NOT as set_session_id argument
  • In-flight restart lock acquired pre-action; cleared on first add_memory
  • Verify-effect AC (per @neo-gpt's #10627 substrate-truth audit): tool success in resume subprocess is INSUFFICIENT; the fresh agent's first add_memory through the harness MCP client must carry a different sessionId than the prior session

Acceptance Criteria

  • resumeHarness.mjs forks idle-out vs sunset paths cleanly based on detector contract output
  • Sunset path delegates to per-harness restart adapter
  • Boot-grounding prompt simplified: read AGENTS_STARTUP.md + add_memory boot heartbeat + proceed (no set_session_id)
  • originSessionId forwarded as retrieval hint, not session-id rotation argument
  • Verify-effect spec test: pre-restart sessionId X; post-restart first add_memory carries sessionId Y where X ≠ Y
  • Fail-closed wake safety gate integration: if any sunset_restart action exits non-zero, gate auto-trips per #10648 contract
  • Negative test: subprocess in-process singleton mutation alone is INSUFFICIENT (explicit anti-pattern test, carries forward #10627 substrate-truth)

Out of Scope

  • Per-harness restart primitive discovery — covered by 3 separate per-harness investigation sub-issues

Related

  • Parent: #10671
  • Replaces: #10619 Q1b Cmd+N substrate corrective
  • Supersedes: #10627 (set_session_id rotation) + halts PR #10670

Origin Session ID: cce1fea5-32ff-410c-b820-2e9a27b3cd51

tobiu referenced in commit 2156026 - "docs(ai): forensic record for 2026-05-03 runaway-spawn pattern (#10672) (#10688)" on May 4, 2026, 3:41 PM
tobiu referenced in commit 77610a2 - "feat(ai): integrate sunset-mode restart substrate (#10676) (#10695)" on May 4, 2026, 4:33 PM
tobiu closed this issue on May 4, 2026, 4:33 PM
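
The verify-effect and fail-closed criteria from the issue above, sketched as an added example (not code from the neo repository or from the issue's author). The function name, verdict names, observation fields and session ids are all hypothetical; the only rules taken from the issue are that a non-zero restart exit trips the gate, that the lock clears on the first add_memory, and that a pass requires X ≠ Y.

```javascript
// Added illustration: all names are hypothetical, not taken from the neo repository.
const Verdict = Object.freeze({
    VERIFIED    : 'verified',     // first add_memory carried a different sessionId
    UNVERIFIED  : 'unverified',   // heartbeat arrived but proves no fresh session
    PENDING     : 'pending',      // restart launched, no heartbeat observed yet
    GATE_TRIPPED: 'gate_tripped'  // fail-closed: restart action did not exit 0
});

/**
 * @param {Object}      obs
 * @param {String}      obs.priorSessionId sessionId X captured before the restart
 * @param {Number|null} obs.exitCode       exit code of the restart action (null = killed / unknown)
 * @param {Object|null} obs.heartbeat      first add_memory seen through the harness MCP client
 * @returns {{verdict: String, lockHeld: Boolean}}
 */
function evaluateSunsetRestart({priorSessionId, exitCode, heartbeat = null}) {
    // The in-flight lock is released by the first add_memory and by nothing else.
    const lockHeld = heartbeat === null;
    // Fail closed: only an exact 0 counts as success; null, undefined and NaN trip the gate too.
    if (exitCode !== 0) {
        return {verdict: Verdict.GATE_TRIPPED, lockHeld};
    }
    // Exit 0 only says the subprocess ran; the effect itself is still unobserved.
    if (heartbeat === null) {
        return {verdict: Verdict.PENDING, lockHeld};
    }
    const x = priorSessionId, y = heartbeat.sessionId;
    // A missing id on either side cannot establish X != Y, so it is never a pass.
    const comparable = typeof x === 'string' && x !== '' && typeof y === 'string' && y !== '';
    return {verdict: comparable && x !== y ? Verdict.VERIFIED : Verdict.UNVERIFIED, lockHeld};
}

// Constructed sample observations (the ids are made up for this example).
const X = 'constructed-session-x';
const samples = {
    adapterFailed : {priorSessionId: X, exitCode: 1,    heartbeat: null},
    adapterKilled : {priorSessionId: X, exitCode: null, heartbeat: null},
    noHeartbeatYet: {priorSessionId: X, exitCode: 0,    heartbeat: null},
    sameSession   : {priorSessionId: X, exitCode: 0,    heartbeat: {sessionId: X}},
    freshSession  : {priorSessionId: X, exitCode: 0,    heartbeat: {sessionId: 'constructed-session-y'}}
};

for (const [name, obs] of Object.entries(samples)) {
    console.log(name.padEnd(15), JSON.stringify(evaluateSunsetRestart(obs)));
}
```

The `sameSession` case is the anti-pattern the negative test targets: the restart reports success and a heartbeat arrives, yet the sessionId is unchanged, so the result is never `verified`.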