fix(hub): preserve session metadata across archive transitions (#825)

* fix(hub): preserve flavor session ids in metadata across archive transitions

When a session ends (terminate, crash, local-launch failure, handoff),
the runner's archive write replaces sessions.metadata wholesale. If the
CLI's locally cached Metadata is null (e.g. Zod parse failed at bootstrap
and api.ts nulled it out) or stale, the spread in archiveAndClose ships
a sparse blob and the resume token (cursorSessionId, codexSessionId,
claudeSessionId, etc.) gets cleared from the row even though the
on-disk chat data is still intact.

Fix at the hub layer because update-metadata is the single chokepoint
for every metadata write surface (CLI, web, future): in the store-level
updateSessionMetadata, read the prior row's metadata inside a
transaction and carry forward a small allowlist of flavor resume tokens
when the incoming write omits them. Explicit overwrites still win.

The allowlist mirrors pickExistingSessionMetadata in sessionFactory.ts
which already preserves the same fields on bootstrap.

Closes #820

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(hub): address cold-review findings on metadata merge

Three bot findings on the initial patch:

1. (P1) Sparse archive payloads still resulted in metadata blobs that
   failed MetadataSchema parse downstream — required `path`/`host` were
   not in the carry-forward set, so even though the resume token
   survived, hub session cache and CLI getSession nulled-out the row
   and resume_unavailable came back. Add PARSE_IDENTITY_FIELDS = `path`,
   `host` to the carry-forward.

2. (P2) Preserving `cursorSessionProtocol` whenever it was omitted
   carried a stale protocol over to a freshly written `cursorSessionId`,
   misrouting a future remote resume. Pair-aware logic: drop the prior
   protocol when next sets a new id; preserve the protocol only when
   next is silent on both id and protocol.

3. (P2) The successful update-metadata broadcast emitted the pre-merge
   payload to other CLIs in the session room, so even though the DB row
   was preserved, peer caches diverged. Switch the broadcast value to
   `result.value` (the persisted merged value) so live caches stay in
   sync with the truth.

Refactor preserveProtocolResumeFields into mergeSessionMetadata with
two tiers (PARSE_IDENTITY_FIELDS + SIMPLE_RESUME_TOKENS) plus the
cursor pair handler. 6 new tests cover the regressions; existing 16
still pass plus 1 new socket-level test for the broadcast.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(hub): preserve flavor + machineId across sparse metadata merges

Bot P2 on the prior fix: PARSE_IDENTITY_FIELDS (path, host) made the
blob parseable and SIMPLE_RESUME_TOKENS preserved the chat-id, but
flavor and machineId were still being dropped by sparse archive
payloads. Consequences:

- flavor: hub/src/web/routes/sessions.ts and sync/syncEngine.ts read
  `metadata?.flavor ?? 'claude'` to pick which session id field to
  resume. With flavor missing, a Cursor/Codex/Gemini session was
  routed as Claude and the preserved cursorSessionId was ignored.

- machineId: telegram/bot.ts and the CLI's resumable listing read
  `metadata?.machineId` to scope sessions to the current host. With
  machineId missing, the row dropped out of the resume picker.

Add a third carry-forward tier ROUTING_FIELDS = [flavor, machineId]
between PARSE_IDENTITY_FIELDS and SIMPLE_RESUME_TOKENS in
mergeSessionMetadata. 3 new tests cover preservation, no-invention,
and explicit override.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(hub,cli): support explicit-clear sentinel for carry-forward fields

Upstream cold-review (Major): the carry-forward semantics introduced
in the prior commits ("omit field → preserve from prior") collide
with cli/src/codex/session.ts resetCodexThread(), which intentionally
clears codexSessionId by deleting it from the metadata blob before
calling updateMetadata. With omit-as-preserve, the cleared id was
restored from the prior row and /clear on a Codex session no longer
dropped the persisted thread.

Add an explicit-clear sentinel: when next sets a carry-forward field
to `null`, the merge drops the key entirely from the persisted blob
(key removed; not stored as null since MetadataSchema fields are
`string().optional()`). `undefined` (key missing from next) keeps its
"carry forward" meaning. The two semantics now compose cleanly:

  - next.field = "x"   → next wins (caller sets a new value)
  - next.field = null  → drop the field (caller intentionally clears)
  - next omits field   → carry forward prior (caller didn't touch it)

Update resetCodexThread() to send `codexSessionId: null` so the
reset actually drops the persisted thread under the new merge.

4 new hub tests cover: explicit clear of a single token, clear-one-
preserve-others independence, no-op clear on a never-set field, and
the success-ack value reflects the cleared blob. cli/src/codex tests
(224/224) and hub suite (301/301) green; bun typecheck clean.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: heavygee

cli/src/codex/session.ts

@@ -102,9 +102,16 @@ export class CodexSession extends AgentSessionBase<EnhancedMode> {
         this.sessionId = null;
         this.resetTranscriptPath();
         this.client.updateMetadata((metadata: Metadata) => {
-            const updated = { ...metadata };
-            delete updated.codexSessionId;
-            return updated;
+            // Explicit-clear sentinel: `null` instructs the hub merge to
+            // drop `codexSessionId` from the persisted blob. Plain
+            // `delete` arrives at the hub as an omitted field, which the
+            // carry-forward path then restores from the prior row —
+            // defeating the reset. See hub/src/store/sessions.ts
+            // mergeSessionMetadata. The value is `null` on the wire only;
+            // MetadataSchema parses `string().optional()`, so the
+            // post-merge persisted blob carries no key.
+            const updated: Record<string, unknown> = { ...metadata, codexSessionId: null };
+            return updated as unknown as Metadata;
         });
     }
 

hub/src/socket/handlers/cli/sessionHandlers.test.ts

@@ -6,9 +6,9 @@ import { registerSessionHandlers } from './sessionHandlers'
 
 class FakeSocket {
     readonly roomEvents: Array<{ room: string; event: string; data: unknown }> = []
-    private readonly handlers = new Map<string, (data: unknown) => void>()
+    private readonly handlers = new Map<string, (data: unknown, ack?: (response: unknown) => void) => void>()
 
-    on(event: string, handler: (data: unknown) => void): this {
+    on(event: string, handler: (data: unknown, ack?: (response: unknown) => void) => void): this {
         this.handlers.set(event, handler)
         return this
     }
@@ -21,8 +21,8 @@ class FakeSocket {
         }
     }
 
-    trigger(event: string, data: unknown): void {
-        this.handlers.get(event)?.(data)
+    trigger(event: string, data: unknown, ack?: (response: unknown) => void): void {
+        this.handlers.get(event)?.(data, ack)
     }
 }
 
@@ -64,4 +64,60 @@ describe('cli session handlers', () => {
         expect(socket.roomEvents).toHaveLength(0)
         expect(webEvents).toHaveLength(0)
     })
+
+    it('update-metadata broadcasts the merged value, not the pre-merge payload', () => {
+        const store = new Store(':memory:')
+        const session = store.sessions.getOrCreateSession(
+            'broadcast-merged',
+            {
+                path: '/tmp/project',
+                host: 'example',
+                cursorSessionId: 'broadcast-survives'
+            },
+            null,
+            'default'
+        )
+        const socket = new FakeSocket()
+
+        registerSessionHandlers(socket as unknown as CliSocketWithData, {
+            store,
+            resolveSessionAccess: () => ({ ok: true, value: session as StoredSession }),
+            emitAccessError: () => {
+                throw new Error('unexpected access error')
+            }
+        })
+
+        let ackResponse: unknown = null
+        socket.trigger(
+            'update-metadata',
+            {
+                sid: session.id,
+                expectedVersion: session.metadataVersion,
+                metadata: {
+                    lifecycleState: 'archived',
+                    archivedBy: 'cli',
+                    archiveReason: 'Session crashed'
+                }
+            },
+            (response) => {
+                ackResponse = response
+            }
+        )
+
+        // Ack: success and the version bumps; the persisted value carries the
+        // merged metadata so other CLIs can update their cache to the truth.
+        const ack = ackResponse as { result: string; version: number; metadata: unknown }
+        expect(ack.result).toBe('success')
+        const ackMetadata = ack.metadata as Record<string, unknown>
+        expect(ackMetadata.cursorSessionId).toBe('broadcast-survives')
+        expect(ackMetadata.path).toBe('/tmp/project')
+
+        // Broadcast: the room event must carry the same merged value.
+        const broadcast = socket.roomEvents.find((event) => event.event === 'update')
+        expect(broadcast).toBeDefined()
+        const broadcastBody = (broadcast?.data as { body: { metadata: { value: Record<string, unknown> } } }).body
+        expect(broadcastBody.metadata.value.cursorSessionId).toBe('broadcast-survives')
+        expect(broadcastBody.metadata.value.path).toBe('/tmp/project')
+        expect(broadcastBody.metadata.value.lifecycleState).toBe('archived')
+    })
 })

hub/src/socket/handlers/cli/sessionHandlers.ts

@@ -202,7 +202,13 @@ export function registerSessionHandlers(socket: CliSocketWithData, deps: Session
                 body: {
                     t: 'update-session' as const,
                     sid,
-                    metadata: { version: result.version, value: metadata },
+                    // Broadcast the persisted (merged) value, not the pre-merge
+                    // payload — otherwise other CLIs in the session room would
+                    // overwrite their local cache with a tokenless metadata
+                    // snapshot even though the DB row was preserved.
+                    // See store.sessions.mergeSessionMetadata for the merge
+                    // contract.
+                    metadata: { version: result.version, value: result.value },
                     agentState: null
                 }
             }