fix(cancel): narrow STOP critical-window so deploy-park cancel applies (ORCH-090)
Review P1: a STOP while a self-hosting task is PARKED on `deploy` awaiting the manual `Confirm Deploy` was classified as a critical merge/deploy window solely because the task still held the per-repo merge-lease (held from merge-gate through deploy->done). That window is fully reversible — nothing is merged or deployed yet (the irreversible merge_pr runs later in _handle_merge_verify, always under an INITIATED marker). So the cancel was DEFERRED to run_deploy_finalizer, which only runs after Phase B (Confirm Deploy) — the very step the operator pressed STOP to avoid. Result: the deferred cancel was never applied, the task wedged non-terminal holding the lease, blocking the repo's serial-gate (ORCH-088) and merges. Fix: gate the merge-lease branch of cancel.in_critical_window on an actively RUNNING actor (_task_has_running_actor). Lease held + running deploy/merge job -> still deferred (genuine in-flight step). Lease held + no running actor (idle deploy parking) -> NOT critical -> immediate full reset, which itself releases the lease (step 3c) and drives the task terminal. INITIATED-marker deferral unchanged. Also fixes review P2 (AC-6): set_task_cancel_requested now returns the first-stamp fact (rowcount), and the deferred branch only notifies on the first transition — a repeated STOP while still deferred no longer spams duplicate notifications. Tests: test_d7_lease_held_idle_parking_is_not_critical, test_d7_lease_held_with_running_actor_still_critical, test_d7_stop_on_deploy_awaiting_confirm_full_resets, test_d7_repeated_stop_in_critical_window_no_duplicate_notify. Full suite green (1349). Refs: ORCH-090 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
13
src/db.py
13
src/db.py
@@ -867,20 +867,23 @@ def mark_task_cancelled(task_id: int) -> bool:
|
||||
def set_task_cancel_requested(task_id: int) -> bool:
|
||||
"""ORCH-090 (ADR-001 D7): mark a deferred cancellation (STOP in critical window).
|
||||
|
||||
Idempotent: only stamps ``cancel_requested_at`` the first time. The deterministic
|
||||
deploy/merge finalizer reads it once the irreversible step completes and then
|
||||
applies the full cancellation. never-raise -> False on error.
|
||||
Idempotent: only stamps ``cancel_requested_at`` the first time. Returns the
|
||||
**first-stamp fact** — ``True`` iff THIS call actually stamped the column (a
|
||||
repeated STOP while still deferred updates 0 rows -> ``False``), so the caller can
|
||||
suppress duplicate notifications (AC-6). The deterministic deploy/merge finalizer
|
||||
reads the column once the irreversible step completes and then applies the full
|
||||
cancellation. never-raise -> False on error.
|
||||
"""
|
||||
try:
|
||||
conn = get_db()
|
||||
try:
|
||||
conn.execute(
|
||||
cur = conn.execute(
|
||||
"UPDATE tasks SET cancel_requested_at=datetime('now') "
|
||||
"WHERE id = ? AND cancel_requested_at IS NULL",
|
||||
(task_id,),
|
||||
)
|
||||
conn.commit()
|
||||
return True
|
||||
return cur.rowcount > 0
|
||||
finally:
|
||||
conn.close()
|
||||
except Exception:
|
||||
|
||||
Reference in New Issue
Block a user