fix(review): cancel-aware turn completion and stale-cancel HTTP status

Driver.streamTurn now checks ctx.Err() before completing a turn on
ProviderTurnDone, mirroring the closed-channel guard. Both branches can
be ready in the same select cycle (provider had queued done while
handleToolCall was running and ctx was canceled); without the check the
race could journal turn.completed for a canceled turn.

Dispatcher.handleTurnCancel now returns ErrTurnNotRunning /
ErrTurnMismatch sentinels (defined in agentserver), and writeResult maps
them to 404 / 409 respectively. Stale cancels and mistyped turn IDs no
longer surface as 500.

Author: m0n0x41d

internal/agentdriver/dispatcher.go

@@ -227,15 +227,15 @@ func (d *Dispatcher) handleTurnCancel(c agentproto.TurnCancelCmd) (agentserver.D
 	rt, ok := d.running[c.SessionID]
 	d.mu.Unlock()
 	if !ok {
-		return agentserver.DispatchResult{}, fmt.Errorf("no running turn on session %s", c.SessionID)
+		return agentserver.DispatchResult{}, fmt.Errorf("%w: %s", agentserver.ErrTurnNotRunning, c.SessionID)
 	}
 	// If the cancel names a specific turn, only cancel when it matches the
 	// turn that is actually in flight. A late cancel for a turn that has
 	// already completed must NOT abort a newer turn that started since.
 	// An empty TurnID means "cancel whatever is running" — kept for
 	// pre-turn-id clients; deprecate in M2c.
 	if c.TurnID != "" && c.TurnID != rt.turnID {
-		return agentserver.DispatchResult{}, fmt.Errorf("turn %s is not the running turn on session %s (running=%s)", c.TurnID, c.SessionID, rt.turnID)
+		return agentserver.DispatchResult{}, fmt.Errorf("%w: turn %s on session %s (running=%s)", agentserver.ErrTurnMismatch, c.TurnID, c.SessionID, rt.turnID)
 	}
 	rt.cancel()
 	return agentserver.DispatchResult{SessionID: c.SessionID}, nil

internal/agentdriver/driver.go

@@ -180,6 +180,15 @@ func (d *Driver) streamTurn(ctx context.Context, session agentcore.Session, turn
 					return d.failTurn(session, turnID, fmt.Errorf("tool call: %w", err))
 				}
 			case ProviderTurnDone:
+				// Both ctx.Done() and a buffered ProviderTurnDone can be
+				// ready in the same select cycle (e.g. an operator cancels
+				// while handleToolCall was running and the provider had
+				// already queued its done event). If this branch wins the
+				// race we would journal turn.completed for a canceled
+				// turn. Mirror the closed-channel guard above.
+				if cerr := ctx.Err(); cerr != nil {
+					return d.failTurn(session, turnID, cerr)
+				}
 				session, err = flushText(session)
 				if err != nil {
 					return d.failTurn(session, turnID, fmt.Errorf("flush text: %w", err))

internal/agentserver/server.go

@@ -281,6 +281,10 @@ func (s *Server) writeResult(w http.ResponseWriter, res DispatchResult, err erro
 			status = http.StatusNotFound
 		case errors.Is(err, agentcore.ErrTurnAlreadyRunning):
 			status = http.StatusConflict
+		case errors.Is(err, ErrTurnNotRunning):
+			status = http.StatusNotFound
+		case errors.Is(err, ErrTurnMismatch):
+			status = http.StatusConflict
 		case errors.Is(err, agentcore.ErrPermissionNotFound):
 			status = http.StatusNotFound
 		case errors.Is(err, agentcore.ErrPermissionDecision):

internal/agentserver/store_dispatcher.go

@@ -28,6 +28,19 @@ type StoreDispatcher struct {
 // envelope but cannot handle the operation themselves.
 var ErrUnsupportedCommand = errors.New("agentserver: dispatcher does not support this command")
 
+// ErrTurnNotRunning is returned by Dispatchers when a turn.cancel arrives
+// for a session that has no in-flight turn. Stale cancels (the turn
+// already completed, or a client retry after the cancel succeeded) are an
+// expected client-visible state, not a server fault — transport maps this
+// to 404.
+var ErrTurnNotRunning = errors.New("agentserver: no running turn on session")
+
+// ErrTurnMismatch is returned by Dispatchers when a turn.cancel names a
+// turn ID that is not the currently running turn on the session. The
+// session exists and a turn is running, but it's a different one — the
+// late cancel must not abort it. Mapped to 409.
+var ErrTurnMismatch = errors.New("agentserver: turn id does not match running turn")
+
 // Dispatch routes the typed command. Errors are returned as-is; the
 // transport maps them to HTTP status codes.
 func (d *StoreDispatcher) Dispatch(ctx context.Context, cmd agentproto.RPCCommand) (DispatchResult, error) {