fix(terminal): remove ACK output flow control to end PTY back-pressure deadlock (SUPER-939/#4993)

[Kitenite]

Summary

Terminal panes hard-freeze under heavy/concurrent agent output (SUPER-939 / #4993): the agent's PTY write() blocks forever at 0% CPU while the pane stops redrawing.

Root cause. The ACK-based output flow control added in #4896 pushed PTY back-pressure across two hops to a remote xterm. The daemon pauses the PTY once its per-connection unacked-bytes budget fills, and only renderer ACKs (sent after xterm's write callback, relayed host-service → daemon) credit it back. Any path where bytes are never ACKed leaves the PTY paused forever:

• no renderer attached (background pane / reconnect gap),
• a renderer socket closing with bytes in flight,
• or — the case in the sampled stacks — a renderer main thread pinned so ACKs stall.

Coupling the producer's back-pressure to an unreliable, far-away consumer is the defect. Rather than patch each leak path, this removes the mechanism and moves the one bound that matters to the hop that matters: host → renderer.

Changes

pty-daemon

• Remove flowControlUnacked accounting, ack-output/AckOutputMessage, subscribe.flowControl, the 100KB/5KB watermarks, maybePause/maybeResume/pausedSessions, and the now-dead Pty.pause()/resume().
• The daemon always drains the PTY; daemon↔host memory stays bounded by the existing 8 MB outboundBufferCap (destroy-on-overflow in writeMessage).

host-service

• Remove DaemonPty.ackOutput and the output-ack relay.
• New bound: broadcastBytes drops a socket once its ws.raw.bufferedAmount exceeds WS_SEND_BUFFER_CAP_BYTES (8 MB). The renderer auto-reconnects and replays the bounded tail buffer. The PTY is never paused, so a slow / dead / pinned renderer can only lose scrollback — it can't wedge the shell. This preserves the OOM protection [bug] host-service.js V8 OOM (~4 GB heap) under active terminal use — wedged anon_pipe_write to Electron parent, repros 1.9.6 → 1.11.1 #4868 wanted, without the deadlock.

renderer

• Remove sendOutputAck and the xterm write-callback round-trip; bytes go straight to terminal.write().

Net: roughly −170 lines of production code (with ~39 lines of new bounded-buffer logic).

Trade-off

A hopelessly-slow / pinned renderer drops output (clean reconnect + replay of the bounded tail) instead of back-pressuring all the way to the shell. The shell never freezes. #4896 originally existed to bound memory when the renderer lags (#4868); the per-socket send-buffer cap covers that.

Tests

• host-service terminal.adoption.node-test.ts: heavy output with no renderer never wedges the PTY, and a renderer whose send buffer exceeds the cap is dropped while output keeps flowing. The cap test is mutation-verified (disabling the cap makes it time out).
• Removed the obsolete daemon flow-control suite.
• Green: pty-daemon 57/57 unit + 48/48 integration, host-service 15/15 adoption, renderer transport 2/2, full-repo typecheck 28/28, lint clean.

---

---

Summary by cubic

Removes ACK-based terminal output flow control to stop PTY back-pressure deadlocks, fixing terminal freezes under heavy/concurrent agent output (SUPER-939 / #4993). The PTY now always drains; slow renderers are isolated by an 8 MB host-side send-buffer cap with auto-reconnect and tail replay.

• Bug Fixes

  • Shell no longer wedges; the PTY isn’t paused on remote ACKs.
  • Slow or pinned renderer is dropped past the 8 MB cap; output continues and the renderer replays the bounded tail on reconnect.
  • Added host-side tests for heavy output and slow-renderer drop; removed a stale desktop settings test to keep the suite green.
  • Aligned shared test with the current Claude flag: --dangerously-skip-permissions.

• Refactors

  • pty-daemon: removed ACK flow-control, watermarks, and Pty.pause()/resume(); rely on outboundBufferCap (8 MB).
  • host-service: removed output-ack; added WS_SEND_BUFFER_CAP_BYTES (8 MB) using ws.raw.bufferedAmount to drop lagging sockets.
  • Renderer: removed sendOutputAck; bytes go straight to terminal.write().

^{Written for commit ee60a6d. Summary will update on new commits.}

Summary by CodeRabbit

• Bug Fixes

  • Terminal output no longer wedges under heavy or concurrent load
  • Slow or stalled renderer connections are now capped and dropped to prevent unbounded buffering and stalled output

• Tests

  • Added end-to-end regression tests for high-volume output and renderer disconnect/overflow scenarios

• Chores

  • Removed legacy flow-control tests and updated integration test list to focus on byte-fidelity and replay behavior

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a99efaf5-cd0a-4fc6-97d1-6e67009f994e

📥 Commits

Reviewing files that changed from the base of the PR and between bedcbf0 and ee60a6d.

📒 Files selected for processing (1)

• apps/desktop/src/renderer/routes/_authenticated/settings/utils/settings-search/settings-search.test.ts

💤 Files with no reviewable changes (1)

• apps/desktop/src/renderer/routes/_authenticated/settings/utils/settings-search/settings-search.test.ts

---

📝 Walkthrough

Walkthrough

Removes byte-ACK output flow-control across daemon, host, and renderer; replaces it with per-socket buffered-send caps on the host that close slow renderer sockets and rely on tail replay after reconnect.

Changes

PTY Output Flow-Control Removal

Layer / File(s)	Summary
Protocol message type updates packages/pty-daemon/src/protocol/messages.ts, packages/pty-daemon/src/protocol/index.ts	SubscribeMessage no longer includes flowControl; AckOutputMessage removed from protocol schema and re-exports.
PTY daemon interface and server implementation packages/pty-daemon/src/Pty/Pty.ts, packages/pty-daemon/src/Server/Server.ts	Pty interface removes pause()/resume; Server removes flow-control watermarks, pausedSessions, per-session unacked-byte bookkeeping, and "ack-output" handling.
Handler connection state and subscription logic packages/pty-daemon/src/handlers/handlers.ts	Conn no longer has flowControlUnacked; handleSubscribe/handleUnsubscribe stop maintaining flow-control counters; replay still sends buffered output when present.
Host service client and terminal packages/host-service/src/terminal/DaemonClient/DaemonClient.ts, packages/host-service/src/terminal/terminal.ts	DaemonClient removes ackOutput() and flowControl subscribe option; host drops output-ack message handling and DaemonPty.ackOutput() forwarding. Adds WS_SEND_BUFFER_CAP_BYTES, socketBufferedAmount(), and broadcastBytes() logic that closes sockets exceeding the cap with code 1013.
Renderer terminal transport apps/desktop/src/renderer/lib/terminal/terminal-ws-transport.ts	Binary PTY frames written directly via terminal.write(new Uint8Array(...)) without waiting for xterm.write(..., callback); sendOutputAck() removed.
Test mocks and new regression tests packages/pty-daemon/src/SessionStore/SessionStore.test.ts, packages/pty-daemon/src/SessionStore/snapshot.test.ts, packages/pty-daemon/src/handlers/handlers.test.ts, packages/pty-daemon/test/byte-fidelity.test.ts, packages/pty-daemon/test/flow-control.test.ts, packages/pty-daemon/package.json, packages/host-service/src/terminal/terminal.adoption.node-test.ts, packages/shared/src/agent-command.test.ts, apps/desktop/src/renderer/routes/_authenticated/settings/utils/settings-search/settings-search.test.ts	Test PTY stubs drop pause/resume; flow-control.test.ts removed from integration suite; added E2E tests asserting high-output completion and socket-drop behavior; updated integration test list and a CLI-flag assertion in agent test; small test import/test-case deletions.

Sequence Diagram(s)

sequenceDiagram
  participant Renderer as Renderer Socket
  participant Host as Host Terminal
  participant Daemon as PTY Daemon

  Daemon->>Host: output frame (PTY data)
  Host->>Host: broadcastBytes()
  Host->>Host: socketBufferedAmount(socket)

  alt socket bufferedAmount > WS_SEND_BUFFER_CAP_BYTES
    Host->>Renderer: close(1013, "terminal output back-pressure")
    Renderer-->>Host: disconnect
    Host->>Daemon: continue broadcasting
    Renderer->>Host: reconnect with replay
  else bufferedAmount within cap
    Host->>Renderer: send output frame
    Renderer-->>Host: receive and render
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• superset-sh/superset#4566: Overlaps on renderer transport changes removing write-callback/ACK plumbing.
• superset-sh/superset#4896: Earlier PR that added flow-control/ack-output behavior which this PR removes.
• superset-sh/superset#4458: Related daemon-side outbound buffering/backpressure cap work touching Server output handling.

Poem

🐰 I hopped through queues of bytes and frames,
Dropped fragile ACKs and quieted the games.
Slow sockets closed, the stream stays light,
Reconnect and replay the tail at night.
Simpler hops — the terminal feels right.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically identifies the main fix: removing ACK output flow control to resolve PTY back-pressure deadlocks, with issue references.
Description check	✅ Passed	The PR description comprehensively covers the Summary, Related Issues, Type of Change (bug fix), detailed Testing section, and Additional Notes with context; it exceeds template expectations.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/super-939-remove-terminal-ack-flow-control

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[capy-ai]

Capy auto-review is paused for this organization because the monthly auto-review limit has been reached. Increase the limit or turn it off in billing settings to resume automatic reviews.

[stage-review]

Ready to review this PR? Stage has broken it down into 7 individual chapters for you:

	Title
1	Remove flow control from pty-daemon protocol
2	Strip flow control logic from pty-daemon
3	Update host-service DaemonClient and terminal interfaces
4	Implement host-side send buffer capping
5	Remove ACK logic from renderer
6	Add regression tests for terminal back-pressure
7	Miscellaneous test cleanups

_{Chapters generated by Stage for commit ee60a6d on Jun 2, 2026 5:29pm UTC.}

[greptile-apps]

Greptile Summary

Removes the ACK-based output flow-control mechanism that caused PTY deadlocks when renderers were slow, absent, or had a pinned main thread. The replacement bound is a per-socket bufferedAmount cap (8 MB) enforced in broadcastBytes: a socket that exceeds it is closed and removed, the renderer auto-reconnects and replays from the daemon's ring buffer, and the PTY is never paused.

• pty-daemon: strips flowControlUnacked, ack-output, maybePause/maybeResume, pausedSessions, and Pty.pause()/resume() — the daemon always drains the PTY and the 8 MB outbound socket cap (existing) destroys on overflow.
• host-service: removes ackOutput, output-ack relay, and the flowControl: true subscription option; adds socketBufferedAmount helper and a drop-on-cap path in broadcastBytes, with two new regression tests verifying the shell never wedges under heavy output or with a stuck renderer.
• renderer: terminal.write() is called directly without a callback, removing the ACK round-trip.

Confidence Score: 4/5

Safe to merge; the new buffer-cap mechanism correctly replaces the ACK flow-control on the single hop that matters and the two new tests are mutation-verified.

The socketBufferedAmount helper silently returns 0 when socket.raw?.bufferedAmount is absent, meaning the 8 MB drop-on-cap guard never fires for non-node-ws sockets. In that situation the only protection against unbounded host memory growth is gone with no log or metric to surface the gap. Production exclusively uses node-ws (so the guard works today), but the failure mode is completely invisible if the socket type ever changes.

packages/host-service/src/terminal/terminal.ts — the socketBufferedAmount helper and the broadcastBytes cap check warrant a second look.

Important Files Changed

Filename	Overview
packages/host-service/src/terminal/terminal.ts	Core change: adds WS_SEND_BUFFER_CAP_BYTES guard in broadcastBytes; silent 0 fallback in socketBufferedAmount when raw.bufferedAmount is absent means OOM protection is silently bypassed on non-node-ws sockets.
packages/pty-daemon/src/Server/Server.ts	Removes all flow-control accounting (flowControlUnacked, pausedSessions, maybePause/maybeResume, handleAckOutput) cleanly; dropConn is now a single-line delete with no remaining cleanup.
packages/host-service/src/terminal/terminal.adoption.node-test.ts	Adds two targeted regression tests: heavy output with no renderer (verifies PTY never wedges) and stuck renderer dropped while output flows (verifies cap behaviour and socket removal); mutation-verified per PR description.
packages/pty-daemon/src/Pty/Pty.ts	Removes pause()/resume() from both NodePtyAdapter and AdoptedPty; straightforward deletion with no remaining callers.
packages/pty-daemon/test/flow-control.test.ts	Deleted in full — entire 217-line suite for the now-removed daemon flow-control mechanism; the two new host-service tests cover the replacement behaviour.
apps/desktop/src/renderer/lib/terminal/terminal-ws-transport.ts	Removes sendOutputAck and the terminal.write callback; bytes go straight to xterm, reconnect/replay handles back-pressure from the host side.

Sequence Diagram

sequenceDiagram
    participant Shell as Shell (PTY)
    participant Daemon as pty-daemon
    participant Host as host-service
    participant Renderer as Renderer (xterm)

    Note over Daemon,Host: Daemon always drains PTY (no pause/resume)
    Shell->>Daemon: PTY output bytes
    Daemon->>Daemon: Append to 8 MB ring buffer
    Daemon->>Host: output frame (binary)

    Host->>Host: pushToTailRing + modeTracker.feed
    Host->>Host: broadcastBytes(session, bytes)

    alt "socket.bufferedAmount <= 8 MB cap"
        Host->>Renderer: send binary frame
        Renderer->>Renderer: terminal.write(bytes)
        Note over Renderer: No ACK sent back
    else "socket.bufferedAmount > 8 MB cap"
        Host->>Host: session.sockets.delete(socket)
        Host->>Renderer: close(1013, back-pressure)
        Note over Host: sent=0 -> bufferOutput called
        Renderer-->>Host: reconnects (onopen)
        Host->>Renderer: replayBuffer (64 KB FIFO)
        Host->>Daemon: resubscribe with replay:true
        Daemon->>Host: replay ring buffer tail
        Host->>Renderer: replayed output
    end

Loading

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
packages/host-service/src/terminal/terminal.ts:708-711
**Silent 0 fallback disables OOM protection when `raw` is absent**

When `socket.raw` is `undefined` (any non-node-ws adapter, or if the underlying implementation doesn't expose `raw`), this returns `0`, so `socketBufferedAmount(socket) > WS_SEND_BUFFER_CAP_BYTES` is always `false` and the drop-on-cap path never fires. The removed ACK flow-control mechanism has no fallback in that situation, so a lagging socket accumulates data without bound. In production this appears safe because node-ws always provides `raw`, but the failure is completely silent — there's no log, assertion, or metric to catch the missing guard if the socket type ever changes.

_{Reviews (1): Last reviewed commit: "fix(terminal): remove ACK output flow co..." | Re-trigger Greptile}

[cubic-dev-ai]

No issues found across 15 files

Architecture diagram

sequenceDiagram
    participant Sh as Shell (PTY)
    participant Dm as pty-daemon
    participant HS as host-service
    participant Rt as Renderer (xterm)

    Note over Sh,Rt: NEW: Output flow (no ACK back-pressure)

    Sh->>Dm: PTY output bytes (unthrottled)
    Dm->>Dm: Always drain PTY (no pause/resume)
    Dm->>HS: relay: output (id, bytes)
    Dm->>HS: bounded by outboundBufferCap (8 MB)

    HS->>HS: broadcastBytes(session, bytes)
    alt Renderer send buffer < 8 MB cap
        HS->>Rt: binary frame (PTY bytes)
        Rt->>Rt: terminal.write() directly (no ACK callback)
    else Renderer send buffer > 8 MB cap
        HS->>HS: Drop socket (close code 1013)
        Note over HS,Rt: Renderer reconnects + replays tail buffer
        HS-->>Rt: (later) replay on reconnect
    end

    Note over Dm,Rt: REMOVED: ACK round-trip

    Note over Rt: REMOVED: sendOutputAck() after xterm.write()
    Note over HS: REMOVED: relay output-ack to daemon
    Note over Dm: REMOVED: ack-output handler, flowControlUnacked, maybePause/maybeResume

Loading

_{Re-trigger cubic}

[greptile-apps]

Silent 0 fallback disables OOM protection when raw is absent

When socket.raw is undefined (any non-node-ws adapter, or if the underlying implementation doesn't expose raw), this returns 0, so socketBufferedAmount(socket) > WS_SEND_BUFFER_CAP_BYTES is always false and the drop-on-cap path never fires. The removed ACK flow-control mechanism has no fallback in that situation, so a lagging socket accumulates data without bound. In production this appears safe because node-ws always provides raw, but the failure is completely silent — there's no log, assertion, or metric to catch the missing guard if the socket type ever changes.

Prompt To Fix With AI

This is a comment left during a code review.
Path: packages/host-service/src/terminal/terminal.ts
Line: 708-711

Comment:
**Silent 0 fallback disables OOM protection when `raw` is absent**

When `socket.raw` is `undefined` (any non-node-ws adapter, or if the underlying implementation doesn't expose `raw`), this returns `0`, so `socketBufferedAmount(socket) > WS_SEND_BUFFER_CAP_BYTES` is always `false` and the drop-on-cap path never fires. The removed ACK flow-control mechanism has no fallback in that situation, so a lagging socket accumulates data without bound. In production this appears safe because node-ws always provides `raw`, but the failure is completely silent — there's no log, assertion, or metric to catch the missing guard if the socket type ever changes.

How can I resolve this? If you propose a fix, please make it concise.

[github-actions]

🧹 Preview Cleanup Complete

The following preview resources have been cleaned up:

• ✅ Neon database branch

Thank you for your contribution! 🎉