fix: propagate sandbox timeout to nested tool calls

The sandbox's 5-minute timeout only interrupted QuickJS execution via the
interrupt handler, but that handler doesn't fire during async suspension
(when waiting for host functions like mux.bash()).

Changes:
- Add setTimeout timer that fires independently of QuickJS execution
- Tools now use runtime.getAbortSignal() instead of AI SDK's signal
- This signal is aborted both by timeout AND external abort requests
- Add abortRequested flag to handle abort() before eval() starts
- Fix edge case where addEventListener on already-aborted signal is a no-op

When timeout fires during a tool call:
1. setTimeout aborts the runtime's AbortController
2. Tool sees aborted signal and can cancel (if it respects abort)
3. When tool returns, interrupt handler also stops QuickJS

Note: JavaScript cannot preemptively cancel Promises - this is cooperative
cancellation. Tools that check their abort signal will cancel; pure async
operations complete but subsequent calls fail fast.

Author: ethanndickson

src/node/services/ptc/quickjsRuntime.test.ts

@@ -291,6 +291,44 @@ describe("QuickJSRuntime", () => {
       expect(result.success).toBe(false);
       expect(result.error).toContain("timeout");
     });
+
+    it("aborts signal when timeout fires during async host function", async () => {
+      // This tests the setTimeout-based timeout's effect on the abort signal.
+      // The interrupt handler only fires during QuickJS execution, but when
+      // waiting for an async host function, the setTimeout aborts the signal.
+      //
+      // Important: The host function itself won't be cancelled mid-flight
+      // (JavaScript can't interrupt Promises), but the signal will be aborted
+      // so subsequent tool calls will see it and fail fast.
+      let firstCallCompleted = false;
+
+      runtime.registerFunction("slowOp", async () => {
+        // Sleep for 200ms
+        await new Promise((resolve) => setTimeout(resolve, 200));
+        firstCallCompleted = true;
+        return "done";
+      });
+
+      // Check the abort signal state from QuickJS (sync is fine, made async for type)
+      runtime.registerFunction("checkAbortState", () => {
+        return Promise.resolve({ aborted: runtime.getAbortSignal()?.aborted ?? false });
+      });
+
+      runtime.setLimits({ timeoutMs: 100 }); // 100ms timeout
+
+      const result = await runtime.eval(`
+        slowOp();           // Takes 200ms, timeout fires at 100ms
+        checkAbortState();  // Should show aborted = true
+        slowOp();           // This would start after abort
+        return "finished";
+      `);
+
+      // The first call completes (can't be interrupted mid-Promise)
+      expect(firstCallCompleted).toBe(true);
+      // But the overall execution fails due to timeout
+      expect(result.success).toBe(false);
+      expect(result.error).toContain("timeout");
+    });
   });
 
   describe("abort", () => {

src/node/services/ptc/quickjsRuntime.ts

@@ -28,6 +28,7 @@ export class QuickJSRuntime implements IJSRuntime {
   private disposed = false;
   private eventHandler?: (event: PTCEvent) => void;
   private abortController?: AbortController;
+  private abortRequested = false; // Track abort requests before eval() starts
   private limits: RuntimeLimits = {};
   private consoleSetup = false;
 
@@ -243,6 +244,11 @@ export class QuickJSRuntime implements IJSRuntime {
     this.toolCalls = [];
     this.consoleOutput = [];
 
+    // Honor abort requests made before eval() was called
+    if (this.abortRequested) {
+      this.abortController.abort();
+    }
+
     // Set up console capturing (only once)
     if (!this.consoleSetup) {
       this.setupConsole();
@@ -264,6 +270,14 @@ export class QuickJSRuntime implements IJSRuntime {
       return false; // Continue execution
     });
 
+    // Set up a real timeout timer that fires even during async suspension.
+    // The interrupt handler only runs during QuickJS execution, but when suspended
+    // waiting for an async host function (e.g., mux.bash()), it never fires.
+    // This timer ensures nested tools are cancelled when the deadline is exceeded.
+    const timeoutId = setTimeout(() => {
+      this.abortController?.abort();
+    }, timeoutMs);
+
     // Wrap code in function to allow return statements.
     // With asyncify, async host functions appear synchronous to QuickJS,
     // so we don't need an async IIFE. Using evalCodeAsync handles the suspension.
@@ -311,13 +325,20 @@ export class QuickJSRuntime implements IJSRuntime {
         consoleOutput: this.consoleOutput,
         duration_ms,
       };
+    } finally {
+      clearTimeout(timeoutId);
     }
   }
 
   abort(): void {
+    this.abortRequested = true;
     this.abortController?.abort();
   }
 
+  getAbortSignal(): AbortSignal | undefined {
+    return this.abortController?.signal;
+  }
+
   dispose(): void {
     if (!this.disposed) {
       this.ctx.dispose();

src/node/services/ptc/runtime.ts

@@ -59,6 +59,13 @@ export interface IJSRuntime extends Disposable {
    */
   abort(): void;
 
+  /**
+   * Get the abort signal for the current execution.
+   * This signal is aborted when the sandbox times out or abort() is called.
+   * Used by tool bridge to propagate cancellation to nested tool calls.
+   */
+  getAbortSignal(): AbortSignal | undefined;
+
   /**
    * Clean up resources. Called automatically with `using` declarations.
    */

src/node/services/ptc/toolBridge.test.ts

@@ -28,6 +28,7 @@ function createMockRuntime(overrides: Partial<IJSRuntime> = {}): IJSRuntime {
     setLimits: mock((_limits: RuntimeLimits) => undefined),
     onEvent: mock((_handler: (event: PTCEvent) => void) => undefined),
     abort: mock(() => undefined),
+    getAbortSignal: mock(() => undefined),
     dispose: mock(() => undefined),
     [Symbol.dispose]: mock(() => undefined),
     ...overrides,
@@ -191,7 +192,7 @@ describe("ToolBridge", () => {
       expect(result).toEqual({ error: "Result not JSON-serializable" });
     });
 
-    it("passes abortSignal to tool execute", async () => {
+    it("uses runtime abort signal for tool cancellation", async () => {
       const mockExecute = mock((_args: unknown) => ({ result: "ok" }));
 
       const tools: Record<string, Tool> = {
@@ -207,16 +208,20 @@ describe("ToolBridge", () => {
           return undefined;
         }
       );
-      const mockRuntime = createMockRuntime({ registerObject: mockRegisterObject });
-
+      // Provide an abort signal via getAbortSignal
       const abortController = new AbortController();
-      bridge.register(mockRuntime, abortController.signal);
+      const mockRuntime = createMockRuntime({
+        registerObject: mockRegisterObject,
+        getAbortSignal: () => abortController.signal,
+      });
+
+      bridge.register(mockRuntime);
 
       await registeredMux.file_read({ filePath: "test.txt" });
       expect(mockExecute).toHaveBeenCalledTimes(1);
     });
 
-    it("throws if abortSignal is already aborted", async () => {
+    it("throws if runtime abort signal is already aborted", async () => {
       const mockExecute = mock(() => ({ result: "ok" }));
 
       const tools: Record<string, Tool> = {
@@ -232,11 +237,16 @@ describe("ToolBridge", () => {
           return undefined;
         }
       );
-      const mockRuntime = createMockRuntime({ registerObject: mockRegisterObject });
 
+      // Pre-abort the signal
       const abortController = new AbortController();
       abortController.abort();
-      bridge.register(mockRuntime, abortController.signal);
+      const mockRuntime = createMockRuntime({
+        registerObject: mockRegisterObject,
+        getAbortSignal: () => abortController.signal,
+      });
+
+      bridge.register(mockRuntime);
 
       // Type assertion needed because Record indexing returns T | undefined for ESLint
       const fileRead = registeredMux.file_read as (...args: unknown[]) => Promise<unknown>;

src/node/services/ptc/toolBridge.ts

@@ -65,8 +65,17 @@ export class ToolBridge {
     return Object.fromEntries(this.nonBridgeableTools.entries());
   }
 
-  /** Register all bridgeable tools on the runtime under `mux` namespace */
-  register(runtime: IJSRuntime, abortSignal?: AbortSignal): void {
+  /**
+   * Register all bridgeable tools on the runtime under `mux` namespace.
+   *
+   * Tools receive the runtime's abort signal, which is aborted when:
+   * - The sandbox timeout is exceeded
+   * - runtime.abort() is called (e.g., from the parent's abort signal)
+   *
+   * This ensures nested tool calls are cancelled when the sandbox times out,
+   * not just when the parent stream is cancelled.
+   */
+  register(runtime: IJSRuntime): void {
     const muxObj: Record<string, (...args: unknown[]) => Promise<unknown>> = {};
 
     for (const [name, tool] of this.bridgeableTools) {
@@ -75,6 +84,9 @@ export class ToolBridge {
       const toolName = name;
 
       muxObj[name] = async (args: unknown) => {
+        // Get the runtime's abort signal - this is aborted on timeout or manual abort
+        const abortSignal = runtime.getAbortSignal();
+
         // Check if already aborted before executing
         if (abortSignal?.aborted) {
           throw new Error("Execution aborted");

src/node/services/tools/code_execution.ts

@@ -129,12 +129,17 @@ ${muxTypes}
           });
         }
 
-        // Register tools with abortSignal for mid-execution cancellation
-        toolBridge.register(runtime, abortSignal);
+        // Register tools - they'll use runtime.getAbortSignal() for cancellation
+        toolBridge.register(runtime);
 
-        // Handle abort signal - interrupt sandbox at next checkpoint
+        // Handle abort signal - interrupt sandbox and cancel nested tools
         if (abortSignal) {
-          abortSignal.addEventListener("abort", () => runtime.abort(), { once: true });
+          // If already aborted, abort runtime immediately
+          if (abortSignal.aborted) {
+            runtime.abort();
+          } else {
+            abortSignal.addEventListener("abort", () => runtime.abort(), { once: true });
+          }
         }
 
         // Execute the code