fix(chat-recovery): bound Durable Object memory-limit (OOM) crash loops (#1825)

[threepointone]

Summary

Fixes #1825: a chat-recovery turn whose Durable Object isolate exceeds its 128 MB memory limit could loop forever, re-running the (billable) turn on every platform alarm retry.

Why it looped

A reset isolate has usually already streamed a little content, which bumps the durable progress counter. On the next wake, recovery reads that as forward progress and resets both progress-keyed bounds — the attempt cap (maxAttempts) and the no-progress window (noProgressTimeoutMs). Because each crash lands inside the alarm-debounce window, the attempt counter is pinned too. With maxRecoveryWork defaulting to Infinity, no instrument could ever seal the turn, so the model re-ran indefinitely.

This matches the customer's logs exactly: OOM during boot/hydration → "failed to read recovery incident during give-up" (the give-up read itself OOMing mid-turn) → "~4 min later" platform alarm retry → "error executing callback _chatRecoveryContinue after 3 attempts" → repeat. Their workaround was an override alarm() that caught "exceeded its memory limit" and called deleteAlarm(); this PR builds that behavior into the base class — but surgical, bounded, attributable, and observable.

The fix (layered)

1. Finite maxRecoveryWork default (1000, was Infinity). The work meter is the one signal that keeps climbing across the loop, so a finite default seals a runaway with reason="work_budget_exceeded". A normal interrupted turn never approaches it.

2. OOM-specific in-DO budget (chatRecovery.maxOomRetries, default 3). A memory reset re-OOMs on re-run (the turn's working set, not the platform, is the cause), so it's classified as a distinct deterministic failure rather than a deploy-style transient — it is not deferred and retried forever. Each crash bumps a durable per-incident oomAttempts counter; after a small number of tries it seals with reason="out_of_memory". Fast and attributable.

3. Alarm-boundary circuit breaker (Agent.alarm()) — the universal backstop for OOMs that bypass the in-DO budgets entirely: thrown before the budget code runs (boot-time state hydration), or whose own small writes also OOM under memory pressure. Left unhandled, such an error propagates out of alarm() and the platform auto-retries forever. alarm() now intercepts only Durable Object memory-limit resets at the outermost frame — where the heavy turn has unwound and GC has reclaimed its footprint, so the seal/purge writes can land where mid-turn ones OOMed. A durable strike counter (static maxAlarmMemoryLimitStrikes, default 3) tolerates a few resets (a transient spike may clear), backing off the looping rows so the retry isn't a hot loop, then seals the recovery and surgically purges only the looping schedule rows, leaving unrelated scheduled tasks intact. Emits a new alarm:memory_limit_reset observability event. Everything except memory-limit resets re-throws exactly as before.

Supporting changes

• Broaden + export isDurableObjectMemoryLimitReset(error) — now matches the shared "exceeded its memory limit" fragment so truncated/reworded surfacings (observed in real Neverending retries during recovery #1825 logs) still classify. Sibling to isDurableObjectCodeUpdateReset / isPlatformTransientError.
• _executeScheduleCallback now defers (re-throws) memory-limit resets for one-shot rows instead of swallowing them after in-process retries, so the error reaches the alarm-boundary breaker. Tracks the executing row id so the breaker can purge the exact looping row.
• think / ai-chat override _cf_recoveryAlarmCallbacks() + _cf_sealMemoryLimitedRecovery() to target their recovery continuation callbacks and terminalize active incidents (banner + onExhausted + seal).
• Remove the redundant result-path OOM handling in continueLastTurn: those turns are already terminalized, so it only risked wasteful reschedules and duplicate terminal signals.

Configuration

Option	Default	Scope
chatRecovery.maxRecoveryWork	1000 (was Infinity)	chat recovery work backstop
chatRecovery.maxOomRetries	3	in-DO OOM budget
maxAlarmMemoryLimitStrikes	3	base-agent alarm circuit breaker

Test plan

• pnpm run check (sherif + exports + oxfmt + oxlint + typecheck, 113 projects) — green
• agents / think / ai-chat test suites — green
• New unit coverage: broadened predicate, listActiveChatRecoveryIncidents
• New integration coverage: alarm memory-limit circuit breaker (under budget → backoff/row preserved; at budget → seal/purge; truncated message match; non-memory errors pass through unchanged)
• Reviewer: confirm default budgets (1000 / 3 / 3) feel right for shipped behavior

Notes

• Two changesets (work-budget default flip + OOM budget/breaker), both patch on agents / @cloudflare/think / @cloudflare/ai-chat.
• Does not close #1285 (zero-signal hard OOM kills during non-alarm requests): a true hard kill runs no in-isolate code, so nothing can emit. This PR does add a new signal (alarm:memory_limit_reset + downstream recovery exhaustion) for the catchable alarm-loop class that was previously also silent — a natural follow-up for Durable Object OOM kills produce zero observability signal #1285 is a boot-time "interrupted run" breadcrumb detector.
• RFC follow-up section + user-facing docs updated.

Made with Cursor

---

[changeset-bot]

🦋 Changeset detected

Latest commit: c69cfd5

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@cloudflare/ai-chat	Patch
@cloudflare/think	Patch
agents	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

[pkg-pr-new]

Open in StackBlitz

agents

npm i https://pkg.pr.new/agents@1826

@cloudflare/ai-chat

npm i https://pkg.pr.new/@cloudflare/ai-chat@1826

@cloudflare/codemode

npm i https://pkg.pr.new/@cloudflare/codemode@1826

create-think

npm i https://pkg.pr.new/create-think@1826

hono-agents

npm i https://pkg.pr.new/hono-agents@1826

@cloudflare/shell

npm i https://pkg.pr.new/@cloudflare/shell@1826

@cloudflare/think

npm i https://pkg.pr.new/@cloudflare/think@1826

@cloudflare/voice

npm i https://pkg.pr.new/@cloudflare/voice@1826

@cloudflare/worker-bundler

npm i https://pkg.pr.new/@cloudflare/worker-bundler@1826

commit: c69cfd5