fix(engine): real back-pressure in StreamingEncoder.writeFrame

[miguel-heygen]

Problem

writeFrame returned stdin.write()'s boolean synchronously. Node's highWaterMark is advisory, so when FFmpeg encodes slower than workers capture, the writable buffer grows without bound — the #1353 / PR #1351 review numbers put the multi-worker worst case at ~80 GB over a 1h render, OOM-killing the producer before the render finishes. The 1800s multi-worker cap bounds the practical risk but is a band-aid.

Fix

writeFrame is now (buffer: Buffer) => Promise<boolean>:

• accepted === true: unchanged fast path (reset inactivity timer, resolve true).
• accepted === false: await drain raced against the shared FFmpeg exit promise — if FFmpeg dies before draining, the promise resolves false instead of hanging forever, and the drain listener is removed either way (listener-leak safe across thousands of frames). exitStatus is re-checked after drain.
• Inactivity-timer semantics preserved: no reset before drain, so a hung FFmpeg still trips SIGTERM via the un-reset timer; drain itself is proof of consumption and resets it.

All five call sites now await, so back-pressure propagates through the frame reorder buffer to the capture loops: captureStreamingStage.ts:198/266, captureHdrSequentialLoop.ts:192/209, captureHdrHybridLoop.ts:188 (the HDR loops weren't listed in the issue — found via caller sweep).

MULTI_WORKER_MAX_DURATION_SECONDS is deliberately untouched; relaxing it is the follow-up this PR enables.

Tests

• Buffered write pends until drain, then resolves true; drain listener count returns to 0.
• FFmpeg exits before drain → resolves false promptly (no hang), listener cleaned up.
• The existing "buffered writes don't reset the timer" test rewritten for the new semantics: a back-pressured caller stays pending while the inactivity timer correctly fires SIGTERM.
• Engine suite 697/697, producer typecheck clean, oxlint/oxfmt clean.

Fixes #1353

[james-russo-rames-d-jusso]

Solid fix. The drain-vs-exit race correctly handles the listener-leak case the prior fire-and-forget design couldn't. One real concern about microtask accumulation on the shared exitPromise over long renders; everything else is small.

Concerns:

• packages/engine/src/services/streamingEncoder.ts:452-472 — exitPromise.then(...) registered per back-pressured writeFrame call leaks closures until FFmpeg exits. Every slow-path write adds exitPromise.then(() => { drainAbort.abort(); return "exit"; }) to the shared exitPromise's reaction list. V8 doesn't GC .then callbacks on an unsettled Promise — so on a 1h render at 30fps under steady back-pressure you'd accumulate ~108K registrations, each pinning a fresh AbortController + closure (~hundreds of bytes each → tens of MB). That's well under the 80 GB OOM this PR fixes, but it directly works against the PR's heap-stability goal and is the exact kind of slow leak the multi-worker cap was masking. Fix is small: keep one persistent exitPromise consumer outside writeFrame, e.g. set an exitedFlag + an Array<AbortController> purged on each call, OR have waitForDrainOrExit use Promise.race([oncePromise, new Promise(r => ffmpeg.once('close', r))]) with a one-shot listener that auto-removes. The latter matches the symmetry of the current once(stdin, 'drain', { signal }) and avoids the shared-Promise reaction list entirely.

• packages/producer/src/services/render/stages/captureStreamingStage.ts:198,266 + HDR loops — false return value from writeFrame is still discarded by every caller. If FFmpeg exits mid-render, writeFrame short-circuits and returns false instantly, but the producer loop keeps capturing frames and walking the reorder buffer until close() eventually surfaces the failure. Not a regression from this PR (old code had the same issue) — but the new Promise<boolean> signature is the natural seam to short-circuit on. A if (!(await currentEncoder.writeFrame(buffer))) break; per loop would let the failure propagate ~one frame faster and stop wasting capture work. Non-blocking, but worth one line.

Nits:

• streamingEncoder.ts:468-471 — the if (result === "drain") drainAbort.abort(); defensive abort is harmless but redundant: once() with { signal } removes its listener on resolve too, and AbortController.abort() after resolve is a no-op. Could drop the conditional for clarity, or comment why the defense is there.
• Comment on streamingEncoder.ts:489-497 is great but the phrase "the shared exit promise wins the race" is the exact line that masks the leak in concern #1 — worth nuancing once the fix lands.

Things NOT in the diff worth checking:

• Observability for time-spent-back-pressured. HDR loops already roll drain time into encoderWriteMs, but captureStreamingStage has no equivalent. If a render gets slower post-merge, oncall can't distinguish capture-bound vs encoder-bound without code-reading. A counter or histogram on the slow path (incremented when accepted === false) would pay for itself the first time someone asks "why is this render slow now?".

• close() racing with a pending writeFrame. close() calls stdin.end() which flushes; if the kernel pipe drains, the pending writeFrame resolves true, but the producer loop is already tearing down — the result is consumed by no one and the buffer copy was wasted. Probably fine in practice but no test asserts the behavior. Worth one test case: spawn → write returns false → close() → assert pending writeFrame settles (either to true or false, but doesn't hang).

• Determinism contract holds. Verified — no setTimeout/Date.now() introduced in the back-pressure path; 'drain' is event-driven. -framerate is configured at FFmpeg spawn so output frame timestamps remain deterministic regardless of producer wall-clock blocking. Vai's lane on the broader runtime semantics; from a determinism-contract reading this is clean.

• Concurrent writeFrame callers and drain-listener accumulation. Confirmed not reachable: every caller goes through reorderBuffer.waitForFrame → writeFrame → advanceTo, which strictly serializes. If a future caller bypasses the reorder buffer (e.g. an audio side-channel), once(stdin, 'drain') from two concurrent callers would both register listeners and both resolve on the same 'drain' event — currently safe (both return true), but worth a "callers must serialize" docstring on the encoder interface so it doesn't get bypassed silently later.

Review by Rames D Jusso

[miguel-heygen]

Addressed both review points:

• The drain wait no longer chains onto the shared exit promise — it races one-shot drain/close listeners (both aborted in a finally), so steady back-pressure can't accumulate per-frame closures on an unsettled promise. An exit-status re-check after listener attachment covers the close-before-attach window. Regression tests assert listener counts return to baseline on both emitters after every back-pressured write, plus a no-hang test for close firing mid-wait.
• All five call sites now check the result via a shared ensureFrameWritten guard and stop the render with a frame-indexed error instead of discarding the boolean.

MULTI_WORKER_MAX_DURATION_SECONDS is deliberately untouched — relaxing it stays the follow-up this PR enables.

[james-russo-rames-d-jusso]

R2 — concerns resolved, ship once CI unblocks. The load-bearing closure-leak fix landed exactly as prescribed — one-shot once() listeners with abort-in-finally, plus the close-before-attach re-check. All five writeFrame call sites now go through ensureFrameWritten. Two non-blocking items I flagged for "things not in the diff" are still open (observability counter, serialization docstring). CI is red but on an unrelated file — DomEditOverlay.tsx lint/format breakage that has nothing to do with this PR.

R1 carry-over status:

1. ✅ Closure leak (streamingEncoder.ts:452-485) — resolved. waitForDrainOrExit now uses once(stdin,'drain',{signal}) + once(ffmpeg,'close',{signal}), aborts in finally, re-checks exitStatus !== "running" after listener attachment. Zero .then() on the shared exitPromise. The new test at streamingEncoder.test.ts:632-666 loops 12 back-pressured writes and asserts proc.listenerCount("close") returns to baseline each cycle — the exact V8-reaction-list shape I was worried about, verified.
2. ✅ Callers discard false (captureStreamingStage.ts:198,266 + captureHdrHybridLoop.ts:188 + captureHdrSequentialLoop.ts:193,210) — resolved. All five sites: ensureFrameWritten(await encoder.writeFrame(buf), i). Throws a frame-indexed Error("Streaming encoder exited before frame N was written") instead of discarding. Stricter than the break; I suggested — actually surfaces the failure up the stack.
3. ✅ Redundant defensive abort — N/A. Entirely refactored away; new code aborts unconditionally in finally.
4. ✅ Misleading "shared exit promise wins the race" comment — resolved. New comment block at streamingEncoder.ts:455-461 explicitly explains why they don't race the shared exit promise (V8 retains .then entries on unsettled promises).
5. ❌ Back-pressure observability counter on captureStreamingStage — still open. HDR loops still get addHdrTiming(hdrPerf, "encoderWriteMs", writeStart); streaming stage has no equivalent. Non-blocking, follow-up.
6. ✅ close() racing pending writeFrame test — resolved. New test "resolves false when close fires after write returns false before await attaches listeners" (the close-before-attach hang window) at streamingEncoder.test.ts:696-723, plus "resolves false instead of hanging when FFmpeg exits before drain" at 670-694.
7. ✅ Determinism — N/A (verified clean in R1).
8. ❌ "Callers must serialize" docstring on StreamingEncoder.writeFrame — still open. Non-blocking; today every caller goes through reorderBuffer.waitForFrame so it's not reachable.

CI status — red but unrelated to this PR:

• CI / Lint — oxlint error on packages/studio/src/components/editor/DomEditOverlay.tsx: "Parameter 'onSelectElementById' is declared but never used."
• CI / Format — oxfmt --check complains about the same DomEditOverlay.tsx.
• regression (required) and Windows render verification are SKIPPED+FAILURE-cascade because preflight (lint+format) gated them out.
• Every check from this PR's actual diff is green: Test (1m46s), Typecheck, Build, Test: runtime contract, CLI smoke (required), SDK: unit + contract + smoke, CodeQL, Fallow audit, Smoke: global install.
• Same DomEditOverlay.tsx lint hit is blocking #1373 too — same studio main-branch breakage from a separate PR.

Anything NEW worth flagging:

• Drive-by swap of writeFileSync → writeFileExclusiveSync in captureHdrHybridLoop.ts:331 and captureHdrSequentialLoop.ts:204 for the HDR debug-dump path. Unrelated to back-pressure but defensible — prevents two parallel HDR workers from stomping the same frame_NNNN_final_rgb48le.bin if the debug-dump cadences ever overlap.
• The ensureFrameWritten helper lives in captureHdrFrameShared.ts:212 and is used by both the streaming stage and HDR loops — good shared seam, well-placed.
• Commit message is unusually thorough and accurate — correctly names the V8 reaction-list mechanism, the ~108K closure estimate, and the MULTI_WORKER_MAX_DURATION_SECONDS follow-up framing.

R2 review by Rames D Jusso

[miguel-heygen]

R2 follow-ups: rebased onto current main (past the DomEditOverlay lint breakage fixed in #1377), and the "callers must serialize" contract is now documented on StreamingEncoder.writeFrame — one in-flight write per encoder, ordering provided by the frame reorder buffer. The back-pressure histogram for captureStreamingStage stays a follow-up item.

[jrusso1020]

LGTM. The drain-race-against-exitPromise shape with abort-controller-driven listener cleanup is exactly the durable fix this surface needed.

[james-russo-rames-d-jusso]

R3 — item #8 ✅ landed cleanly; item #5 ⚠️ still not addressed. Closure-leak fix intact. CI is effectively green (all blocking checks SUCCESS; regression-shards in progress as expected for a render PR). Non-blocking to ship: #5 was already flagged R2 as non-blocking concern. Worth a one-line ack about the observability gap before stamp.

R2 open-item status:

• ⚠️ #5 Back-pressure observability counter — not added. packages/producer/src/services/render/stages/captureStreamingStage.ts:199 and :267 still call ensureFrameWritten(await currentEncoder.writeFrame(buffer), frameIndex) with no surrounding addStreamingTiming / counter / histogram. HDR loops do still wrap with addHdrTiming(hdrPerf, "encoderWriteMs", writeStart) after the await (captureHdrHybridLoop.ts:189, captureHdrSequentialLoop.ts:193/:210), so the HDR path does roll drain time into encoderWriteMs — but the streaming stage emits nothing. When chat-host renders get slower post-merge, oncall still won't be able to distinguish capture-bound vs encoder-bound on the streaming path. Same gap as R2.
• ✅ #8 "Callers must serialize" docstring — added on the interface declaration at packages/engine/src/services/streamingEncoder.ts:130-136. JSDoc on StreamingEncoder.writeFrame reads: "Callers must serialize calls — one in-flight writeFrame per encoder (the frame reorder buffer provides this ordering); concurrent calls would interleave frame bytes on the pipe and race the drain wait." Lands on the interface, so IDE hover surfaces it on every call site. Exactly the shape requested.

CI status post-rebase:

All required checks green at HEAD 8b5f476:

• CI / Lint ✅, CI / Format ✅, CI / Build ✅, CI / Typecheck ✅, CI / Test ✅, CI / CLI smoke (required) ✅, CI / SDK: unit + contract + smoke ✅, CI / Test: runtime contract ✅, CI / Studio: load smoke ✅, CI / Smoke: global install ✅, CI / Semantic PR title ✅, CI / File size check ✅, CI / Fallow audit ✅
• CodeQL ✅ (all three analyzers), Windows render verification ✅, player-perf ✅, preview-regression ✅
• regression-shards (shard-1..8) are IN_PROGRESS — normal for a render-pipeline PR; the lint/format failure R2 flagged on DomEditOverlay.tsx is gone post-rebase.

Anything NEW:

Single squashed commit since R2 (8b5f476), 6 files / 247 ins / 31 del. Diff cross-check:

• Closure-leak fix preserved: streamingEncoder.ts:462-484 still uses one-shot once(stdin, 'drain', { signal }) + once(ffmpeg, 'close', { signal }) with AbortController.abort() in finally — not .then on the shared exitPromise. Comment at line 462 explicitly documents not racing exitPromise.then(...) to avoid V8 reaction-list retention. The only .then calls (lines 471, 474) are on the per-write once(...) promises that settle when drain/close fires or get aborted in finally — not long-lived. Load-bearing fix intact.
• Close-before-attach hang window closed: streamingEncoder.ts:478-480 re-checks exitStatus !== "running" after listener attachment, as the R2 review prescribed.
• Shared ensureFrameWritten guard at captureHdrFrameShared.ts:309-313 is the right shape — single helper, frame-indexed error, no callers swallow the boolean. Applied at all five write sites.
• No new feature flags, no API/wire changes, no test deletions. streamingEncoder.test.ts got +166 lines covering the new async path.

R3 review by Rames D Jusso

[vanceingalls]

LGTM