feat(satellite): make MCP process restart limit configurable via env

Add MCP_PROCESS_MAX_RESTART_ATTEMPTS environment variable to control
the maximum number of automatic restart attempts within a 5-minute
window before a process is marked as permanently_failed.

Default remains 3 (unchanged behavior). Set to 1 for stricter
production environments, or 0 to disable automatic restarts entirely.

Author: Lasim

services/satellite/.env.example

@@ -167,6 +167,13 @@ MCP_USE_TMPFS=false
 # Default: 180 seconds (3 minutes)
 MCP_PROCESS_IDLE_TIMEOUT_SECONDS=180
 
+# Process Crash Restart Limit (stdio MCP servers only)
+# Maximum number of automatic restart attempts within a 5-minute window
+# After this limit is exceeded, the process is marked as permanently_failed
+# Set to 0 to disable automatic restarts entirely
+# Default: 3
+MCP_PROCESS_MAX_RESTART_ATTEMPTS=3
+
 # Runtime Validation (optional)
 # Set to 'true' to skip system runtime checks at startup (Node.js, Python)
 # By default, satellite validates that required runtimes are installed before starting

services/satellite/src/process/manager.ts

@@ -68,7 +68,8 @@ export class ProcessManager extends EventEmitter {
     this.logBuffer = new LogBuffer(eventBus, logger);
     this.spawner = new ProcessSpawner(logger);
     this.githubHandler = new GitHubDeploymentHandler(logger, this.logBuffer, backendClient);
-    this.restartHandler = new RestartHandler(logger, eventBus);
+    const maxRestartAttempts = parseInt(process.env.MCP_PROCESS_MAX_RESTART_ATTEMPTS || '3', 10);
+    this.restartHandler = new RestartHandler(logger, eventBus, undefined, maxRestartAttempts);
     this.dormantManager = new DormantManager(logger, runtimeState, eventBus);
     this.tmpfsManager = new TmpfsManager(logger);
     this.cacheManager = new CacheManager(logger);

services/satellite/src/process/restart-handler.ts

@@ -22,7 +22,8 @@ export class RestartHandler {
   constructor(
     private logger: Logger,
     private eventBus?: EventBus,
-    private backendStatusCallback?: StatusCallback
+    private backendStatusCallback?: StatusCallback,
+    private maxRestartAttempts: number = 3
   ) {}
 
   /**
@@ -124,8 +125,8 @@ export class RestartHandler {
         operation: 'restart_limit_exceeded',
         installation_name: installationName,
         team_id: processInfo.config.team_id,
-        max_attempts: 3
-      }, `Max restart attempts (3) exceeded for ${installationName} - marking as permanently failed`);
+        max_attempts: this.maxRestartAttempts
+      }, `Max restart attempts (${this.maxRestartAttempts}) exceeded for ${installationName} - marking as permanently failed`);
 
       // Emit mcp.server.permanently_failed event
       try {
@@ -236,7 +237,7 @@ export class RestartHandler {
   }
 
   /**
-   * Check if restart should be attempted (max 3 attempts in 5 minutes)
+   * Check if restart should be attempted (max attempts in 5 minutes, configurable)
    */
   shouldAttemptRestart(installationName: string): boolean {
     const now = Date.now();
@@ -249,8 +250,7 @@ export class RestartHandler {
     recentAttempts.push(now);
     this.restartAttempts.set(installationName, recentAttempts);
 
-    // Max 3 attempts in 5 minutes
-    return recentAttempts.length <= 3;
+    return recentAttempts.length <= this.maxRestartAttempts;
   }
 
   /**