fix(sync): wire embedded feed-sync executor + workers/poll RangeError

[buremba]

Summary

Two bugs blocked the headless lobu run -> lobu apply -> trigger_feed -> events appear data sync loop on a fresh install.

• Bug A: embedded mode never executed runs(run_type='sync'). Nothing called /api/workers/poll, so trigger_feed enqueued runs that sat forever. Fix: spin up the existing WorkerDaemon in-process from both server.ts (prod) and start-local.ts (PGlite dev), pointed at the local gateway. Started after listen() so its boot health check resolves. Opt-out via LOBU_DISABLE_EMBEDDED_WORKER=1 for deployments with a separate connector-worker pod. Atomic claim already lives in worker-api.ts::pollWorkerJob (FOR UPDATE OF r SKIP LOCKED + claimed_by), so embedded + external workers co-exist without double-execution.

• Bug B: /api/workers/poll 500'd with RangeError: init["status"] must be in the range of 200 to 599 whenever a Better-Auth session-token bearer hit it. Root cause: MultiTenantProvider.resolveAuth's setContextAndContinue discarded the cb's Response return value (await ...; return undefined; pattern across 8 call sites). The workers/* gating middleware's "Worker token missing device_worker:run scope" 403 was silently dropped, Hono never installed it as c.res, and a downstream c.header() re-wrap collapsed into new Response(c.body, c) with the Hono Context as init — init.status = c.status (a function) → RangeError. Fix: return setContextAndContinue(...) at every call site, widen the helper return type + WorkspaceProvider.resolveAuth's next param (new ResolveAuthNext union) so the cb's Response propagates.

Design doc: docs/fix-sync-loop-design.md (codex-reviewed; addressed blockers around WorkerDaemon vs startDaemon, listener-ordering, and TypeScript widening).

Reproducer

Boot start-local.bundle.mjs on port 8802 with PGlite. Sign in as install_operator via /api/local-init. Create a hackernews connection + a stories feed with search_query: openai, call trigger_feed.

Pre-fix:

• Run row sits forever in status='pending'; no events ever land.
• POST /api/workers/poll -H 'Authorization: Bearer <signed-session-token>' -> HTTP 500, log: RangeError: init["status"] must be in the range of 200 to 599.

Post-fix:

• Run transitions pending -> running -> completed (336 events for HN openai search, written to events table).
• POST /api/workers/poll with the same session bearer -> HTTP 403 Worker token missing device_worker:run scope (correct behavior — session auth lacks the scope; use a PAT instead). With a PAT -> HTTP 200. Log has zero RangeErrors.

Test plan

• make build-packages — clean
• make typecheck (strict, matches Dockerfile) — clean
• Boot embedded server, drive the full trigger_feed -> events landed loop end-to-end
• Curl /api/workers/poll with bad/good/PAT bearers — no 500s
• pi review
• Soak: confirm the embedded daemon coexists with an external fleet worker without double-execution (claim row by row id)

Summary by CodeRabbit

• New Features

  • Embedded connector-worker daemon can run inside the server process to enable sync operations on fresh installs; opt-out via environment flag. Startup/shutdown are now coordinated with the server lifecycle.

• Bug Fixes

  • Fixed /api/workers/poll 500 error by preserving middleware responses through auth flow.
  • Restored reliable execution of sync runs by ensuring the worker daemon is started in embedded scenarios.

• Documentation

  • Added design doc with validation checklist and test plan for embedded sync-loop fixes.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR fixes two issues blocking embedded lobu run → lobu apply sync loops on fresh installs. First, it adds an in-process connector-worker daemon (Bug A fix) that executes pending sync runs and persists events. Second, it corrects auth middleware Response propagation (Bug B fix) by introducing ResolveAuthNext type and updating MultiTenantProvider.resolveAuth to return Response objects instead of dropping them, fixing /api/workers/poll 500 errors. Both fixes are wired into server.ts and start-local.ts with an environment opt-out flag.

Changes

Embedded sync-loop and auth response fixes

Layer / File(s)	Summary
Response propagation type system packages/server/src/workspace/types.ts	Exports new ResolveAuthNext type with widened `Promise<Response
Auth middleware Response propagation packages/server/src/workspace/multi-tenant.ts	Updates MultiTenantProvider.resolveAuth to use ResolveAuthNext and return Response objects from downstream middleware by making setContextAndContinue async and returning its value across all auth branches.
MCP auth middleware integration packages/server/src/auth/middleware.ts	Updates mcpAuth to import ResolveAuthNext and widen the next parameter type for proper Response propagation through auth resolution.
Embedded connector-worker daemon packages/server/src/scheduled/embedded-connector-worker.ts	Adds new module that conditionally starts an in-process WorkerDaemon with deterministic workerId, embedded-safe configuration, and lifecycle management (stop/wait) for claiming and executing sync runs.
Embedded worker server lifecycle packages/server/src/server.ts	Wires embedded connector-worker into main gateway: dynamically imports starter, initializes daemon after listen() with reachable host computation, and extends shutdown to stop/wait for daemon before closing other components.
Embedded worker local development lifecycle packages/server/src/start-local.ts	Wires embedded connector-worker into local dev server: initializes daemon inside httpServer.listen callback and extends graceful shutdown with 15s timeout wait before proceeding.
Connector-worker env & packaging packages/connector-worker/src/env.ts, packages/connector-worker/src/bin.ts, packages/connector-worker/src/compile-connector.ts	Adds buildConnectorWorkerEnv() env whitelist, switches CLI to use it, and extends connector search paths to support embedded CLI bundle layout.
Design documentation docs/fix-sync-loop-design.md	Documents both bugs and fixes with validation checklist and end-to-end test plan for sync loop and /api/workers/poll behavior; confirms no schema or migrations required.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• lobu-ai/lobu#827: Modifies the same MultiTenantProvider.resolveAuth auth-resolution flow in multi-tenant.ts, with one PR handling Response propagation via ResolveAuthNext and the other removing LOBU_NO_AUTH logic.
• lobu-ai/lobu#830: Touches the same MultiTenantProvider.resolveAuth code path; main PR changes continuation/Response propagation while retrieved PR changes Bearer token branching.
• lobu-ai/lobu#779: Modifies MultiTenantProvider.resolveAuth in multi-tenant.ts; one PR changes Response propagation via ResolveAuthNext while the other adds LOBU_NO_AUTH short-circuit auth path.

Suggested labels

skip-size-check

Poem

🐰
I burrowed through code in the soft moonlight,
Started the worker so syncs take flight,
Responses now travel the auth-lined way,
Fresh installs hum through the bright new day,
Hooray for small fixes that make systems right!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main changes: fixing the embedded feed-sync executor wiring and a RangeError in the workers/poll endpoint.
Description check	✅ Passed	The description covers all key aspects: detailed explanation of both bugs and fixes, reproducer with pre/post results, and test plan with checkboxes showing validation performed.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/fix-sync-loop

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/fix-sync-loop-design.md`:
- Around line 33-40: Update the fenced code block that begins with "RangeError
at undici/initializeResponse" to include a language identifier (use "text")
after the opening backticks so the block becomes ```text; this fixes
markdownlint MD040 and prevents docs lint failures for the stack-trace block in
the document.

In `@packages/server/src/start-local.ts`:
- Around line 287-290: The code calls startEmbeddedConnectorWorker(env,
`http://${HOST}:${PORT}`) using HOST directly which breaks when HOST is 0.0.0.0
or an IPv6 literal; implement a small normalizeHost function that maps "0.0.0.0"
-> "127.0.0.1" and "::" -> "::1", detects IPv6 addresses and wraps them in
brackets (e.g., "[::1]") for URL formatting, then call
startEmbeddedConnectorWorker(env, `http://${normalizedHost}:${PORT}`) so the
embedded worker receives a dialable, correctly-formatted host string.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: b5fb477b-9d25-49ca-90de-18d1a4ae55ab

📥 Commits

Reviewing files that changed from the base of the PR and between 8932729 and 9123dbf.

📒 Files selected for processing (7)

• docs/fix-sync-loop-design.md
• packages/server/src/auth/middleware.ts
• packages/server/src/scheduled/embedded-connector-worker.ts
• packages/server/src/server.ts
• packages/server/src/start-local.ts
• packages/server/src/workspace/multi-tenant.ts
• packages/server/src/workspace/types.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a language identifier to the fenced stack-trace block.

This currently triggers markdownlint MD040 and can fail docs linting pipelines.

Suggested fix

-```
+```text
 RangeError at undici/initializeResponse
   new Response(body, init)
   at [getResponseCache] (`@hono/node-server`)
   at get headers (`@hono/node-server`)
   at set res (hono/context.js:133)
   at dispatch (hono/compose.js:38)

</details>

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.22.1)</summary>

[warning] 33-33: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @docs/fix-sync-loop-design.md around lines 33 - 40, Update the fenced code
block that begins with "RangeError at undici/initializeResponse" to include a
language identifier (use "text") after the opening backticks so the block
becomes ```text; this fixes markdownlint MD040 and prevents docs lint failures
for the stack-trace block in the document.

</details>

<!-- fingerprinting:phantom:triton:hawk -->

<!-- This is an auto-generated comment by CodeRabbit -->

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all embedded-worker startup URL constructions and host normalization paths.
rg -n "startEmbeddedConnectorWorker\\(|http://\\$\\{HOST\\}:\\$\\{PORT\\}|daemonHost" \
  packages/server/src/start-local.ts \
  packages/server/src/server.ts

Repository: lobu-ai/lobu

Length of output: 495

---

🏁 Script executed:

# Get full context around the problematic line in start-local.ts
cat -n packages/server/src/start-local.ts | sed -n '280,295p'

Repository: lobu-ai/lobu

Length of output: 712

---

🏁 Script executed:

# Get full context around the comparison code in server.ts
cat -n packages/server/src/server.ts | sed -n '320,335p'

Repository: lobu-ai/lobu

Length of output: 813

---

🏁 Script executed:

# Check if IPv6 addresses (::1, ::, etc.) are mentioned or supported anywhere
rg "\\:\\:" packages/server/src/ -A 2 -B 2 | head -30

Repository: lobu-ai/lobu

Length of output: 127

---

🏁 Script executed:

# Check for any HOST or host validation/parsing logic
rg "HOST.*0\\.0\\.0\\.0|host.*0\\.0\\.0\\.0" packages/server/src/ -B 2 -A 2

Repository: lobu-ai/lobu

Length of output: 3028

---

🏁 Script executed:

# Check if IPv6 addresses are ever used as HOST values in tests or config
rg "HOST.*::|host.*::" packages/server/src/

Repository: lobu-ai/lobu

Length of output: 1540

---

🏁 Script executed:

# Look at the mcp-proxy client to understand IPv6 handling
cat -n packages/server/src/mcp-proxy/client.ts | sed -n '1,50p'

Repository: lobu-ai/lobu

Length of output: 2233

---

🏁 Script executed:

# Check startEmbeddedConnectorWorker signature to see what format it expects
rg -A 5 "function startEmbeddedConnectorWorker|export.*startEmbeddedConnectorWorker" packages/

Repository: lobu-ai/lobu

Length of output: 667

---

🏁 Script executed:

# Check if there are other instances of http://${HOST}:${PORT} in start-local.ts
rg "http://\\\$\{HOST\\\}" packages/server/src/start-local.ts -n

Repository: lobu-ai/lobu

Length of output: 38

---

🏁 Script executed:

# Verify server.ts also has the same issue with IPv6
rg "http://\\\$\{" packages/server/src/server.ts -n

Repository: lobu-ai/lobu

Length of output: 229

---

🏁 Script executed:

# Check how the codebase normalizes IPv6 addresses elsewhere
cat -n packages/server/src/mcp-proxy/client.ts | sed -n '80,120p'

Repository: lobu-ai/lobu

Length of output: 1440

---

Normalize embedded worker URL host to ensure a dialable address.

Line 289 uses HOST directly without validation. If HOST=0.0.0.0 (explicitly supported in this file's comments), the daemon cannot dial a non-routable address; IPv6 literals also require bracketed formatting in URLs. This causes sync runs to block indefinitely.

Apply the proposed fix to map 0.0.0.0 to 127.0.0.1 and :: to ::1, and wrap IPv6 addresses with brackets for valid URL formatting:

Proposed fix

   httpServer.listen(PORT, HOST, () => {
     logger.info(`Lobu running at http://${HOST}:${PORT}`);
     logger.info(`Data: ${DATA_DIR}`);
     // Embedded daemon must wait for the listener — its boot-time
     // health check hits `/api/health` on this same process.
-    embeddedWorker = startEmbeddedConnectorWorker(env, `http://${HOST}:${PORT}`);
+    const daemonHost =
+      HOST === '0.0.0.0' ? '127.0.0.1' : HOST === '::' ? '::1' : HOST;
+    const daemonHostForUrl = daemonHost.includes(':') ? `[${daemonHost}]` : daemonHost;
+    embeddedWorker = startEmbeddedConnectorWorker(env, `http://${daemonHostForUrl}:${PORT}`);
   });

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// Embedded daemon must wait for the listener — its boot-time
	// health check hits `/api/health` on this same process.
	embeddedWorker = startEmbeddedConnectorWorker(env, `http://${HOST}:${PORT}`);
	});
	// Embedded daemon must wait for the listener — its boot-time
	// health check hits `/api/health` on this same process.
	const daemonHost =
	HOST === '0.0.0.0' ? '127.0.0.1' : HOST === '::' ? '::1' : HOST;
	const daemonHostForUrl = daemonHost.includes(':') ? `[${daemonHost}]` : daemonHost;
	embeddedWorker = startEmbeddedConnectorWorker(env, `http://${daemonHostForUrl}:${PORT}`);
	});

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/server/src/start-local.ts` around lines 287 - 290, The code calls
startEmbeddedConnectorWorker(env, `http://${HOST}:${PORT}`) using HOST directly
which breaks when HOST is 0.0.0.0 or an IPv6 literal; implement a small
normalizeHost function that maps "0.0.0.0" -> "127.0.0.1" and "::" -> "::1",
detects IPv6 addresses and wraps them in brackets (e.g., "[::1]") for URL
formatting, then call startEmbeddedConnectorWorker(env,
`http://${normalizedHost}:${PORT}`) so the embedded worker receives a dialable,
correctly-formatted host string.

[buremba]

pi review findings — addressed in 7dc32dd

Critical (fixed)

Secret leak via connector env. The first commit passed the gateway's full Env into WorkerDaemon, which SubprocessExecutor.fork spreads onto pickSystemEnv() as the connector subprocess env. That would leak DATABASE_URL / ENCRYPTION_KEY / BETTER_AUTH_SECRET / provider secrets into every connector run.

Fix: extracted the standalone connector-worker CLI's existing env whitelist (buildEnv) into packages/connector-worker/src/env.ts::buildConnectorWorkerEnv so the embedded daemon can reuse the same sanitized env. Couldn't import from bin.ts directly — its top-level main() runs on import.

High (fixed)

Published-CLI connector resolution. The worker-side resolver in compile-connector.ts had no candidate for node_modules/@lobu/cli/dist/connectors, where packages/cli/scripts/build.cjs actually copies bundled sources. The monorepo repro worked because packages/connectors/src was reachable via a different candidate; a fresh npx @lobu/cli install would have claimed runs and failed them with "did not resolve to a local source file".

Fix: added resolve(HERE, 'connectors') so the bundled-CLI layout resolves correctly. Works for both the CLI bundle (HERE = node_modules/@lobu/cli/dist/) and the server bundle (HERE = packages/server/dist/).

Non-blocking

Updated the daemon startup comment to be honest — start().catch only logs and the embedded worker stays dead until restart if the boot health check throws. The listen()-callback ordering makes this work in practice; explicit retry-with-backoff would be a follow-up if it ever bites.

Re-validation

• make typecheck + make build-packages clean.
• E2E re-run: trigger_feed against the rebuilt bundle → 336 events landed in events table.
• RangeError count in server log: 0.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/connector-worker/src/env.ts`:
- Line 32: Remove WORKER_API_TOKEN from the connector subprocess environment
whitelist so it is not propagated into connector child processes; locate the env
whitelist (the object/constant that includes the key WORKER_API_TOKEN in
packages/connector-worker/src/env.ts or any code that builds context.env) and
delete that entry (or stop adding process.env.WORKER_API_TOKEN) so the token
remains only in daemon/worker config and is not exposed to connectors.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: b6f88252-b5f9-47e7-82ac-d37fa0b7216c

📥 Commits

Reviewing files that changed from the base of the PR and between 9123dbf and 7dc32dd.

📒 Files selected for processing (4)

• packages/connector-worker/src/bin.ts
• packages/connector-worker/src/compile-connector.ts
• packages/connector-worker/src/env.ts
• packages/server/src/scheduled/embedded-connector-worker.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/server/src/scheduled/embedded-connector-worker.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove WORKER_API_TOKEN from connector subprocess env whitelist.

This token is for worker↔gateway auth and is already passed to daemon config; exposing it through context.env leaks it into every connector child process.

Suggested fix

 export function buildConnectorWorkerEnv(): Env {
   return {
@@
-    WORKER_API_TOKEN: process.env.WORKER_API_TOKEN,
   };
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	WORKER_API_TOKEN: process.env.WORKER_API_TOKEN,
	export function buildConnectorWorkerEnv(): Env {
	return {
	};
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/connector-worker/src/env.ts` at line 32, Remove WORKER_API_TOKEN
from the connector subprocess environment whitelist so it is not propagated into
connector child processes; locate the env whitelist (the object/constant that
includes the key WORKER_API_TOKEN in packages/connector-worker/src/env.ts or any
code that builds context.env) and delete that entry (or stop adding
process.env.WORKER_API_TOKEN) so the token remains only in daemon/worker config
and is not exposed to connectors.