LunarCommand
diff --git a/‎CHANGELOG.md‎
Lines changed: 4 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎docs/concepts/observability.md‎
Lines changed: 30 additions & 2 deletions b/‎docs/concepts/observability.md‎
Lines changed: 30 additions & 2 deletions
diff --git a/‎openarmature-spec‎ b/‎openarmature-spec‎
diff --git a/‎pyproject.toml‎
Lines changed: 1 addition & 1 deletion b/‎pyproject.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/openarmature/__init__.py‎
Lines changed: 1 addition & 1 deletion b/‎src/openarmature/__init__.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/openarmature/graph/__init__.py‎
Lines changed: 2 additions & 1 deletion b/‎src/openarmature/graph/__init__.py‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/openarmature/graph/compiled.py‎
Lines changed: 90 additions & 26 deletions b/‎src/openarmature/graph/compiled.py‎
Lines changed: 90 additions & 26 deletions
@@ -8,19 +8,22 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). The
 
 ### Added
 
+- **Bounded drain timeout on `CompiledGraph.drain()`** (proposal 0010, accepted in spec v0.19.0). `drain()` accepts an optional `timeout: float | None = None` parameter (non-negative seconds). When supplied, drain returns no later than the deadline; any observer events still queued or in-flight are reported as undelivered. Workers are cancelled cleanly so the compiled graph remains usable for subsequent invocations — partial delivery state from one drain does NOT leak into the next. Solves the "slow / hung / misbehaving observer blocks process exit" footgun for short-lived processes (CLIs, scripts, serverless functions). Observers SHOULD be cancellation-safe (idempotent writes, `try/finally` cleanup); the spec doesn't mandate it but the docs recommend it.
+- **`DrainSummary` frozen dataclass** at `openarmature.graph.DrainSummary`. Returned from every `drain()` call (with or without `timeout`). Fields: `undelivered_count: int`, `timeout_reached: bool`. The shape is consistent across timed and untimed drains — callers receive the same dataclass whether the timeout was supplied or not. Per the v0.19.0 contract the two declared fields are the spec-mandated minimum; richer diagnostic detail (per-observer counts, sampled event metadata) is reserved for follow-on PRs.
 - **Per-instance fan-out resume contract** (proposal 0009, accepted in spec v0.18.0). The engine now writes a checkpoint record at every `completed` event inside a fan-out instance (in addition to the existing outermost-graph + subgraph-internal + fan-out node completion saves). On resume the engine consults the saved record's `fan_out_progress` field and treats each instance as `completed` (skip, contribution rolls forward), `in_flight` (re-run from subgraph entry), or `not_started` (dispatch normally). The `append` reducer's no-double-merge guarantee holds across resume because `completed` is a one-shot accumulator state.
 - **`FanOutProgress` and `FanOutInstanceProgress` public dataclasses** on `openarmature.checkpoint`. The `CheckpointRecord.fan_out_progress` field is now `tuple[FanOutProgress, ...]` (default empty tuple), with per-instance state, result, and `completed_inner_positions` observability. Was a `None` placeholder under proposal 0008.
 - **`FanOutInternalSaveBatching` config** on `InMemoryCheckpointer`. Backends MAY opt into batching scoped to fan-out instance internal saves to bound the write volume of high-instance-count fan-outs. Outermost-graph, subgraph-internal, and the fan-out node's own completion save remain synchronous regardless. Default off. Buffered-but-unflushed saves are lost on crash by design; on resume, instances whose `completed` state was only buffered revert and re-run. Surfaces a new optional `save_fan_out_internal` / `save_fan_out_in_flight_failure` Checkpointer Protocol seam; backends that don't implement either fall back to the standard `save`.
 - **Patterns docs section** at `docs/patterns/`, sibling to Concepts. Seeded with four recipes drawn from downstream usage and proposal 0008's alternatives section: parameterized entry point, tool-dispatch-as-node, session-as-checkpoint-resume, and bypass-if-output-exists. Patterns are user-level how-to recipes composing existing primitives, not framework contracts; new patterns can be added without spec coordination. Each page follows a problem / approach / snippet / when this is the right pattern / when it isn't / cross-references structure.
 
 ### Changed
 
+- **`CompiledGraph.drain()` return type** changed from `None` to `DrainSummary` (pre-1.0; per proposal 0010 v0.19.0 contract). Callers that ignored the return are unaffected — `await graph.drain()` discards the returned dataclass exactly as before. Callers that explicitly typed the return as `None` will need to update their annotation.
 - **Fan-out resume behavior** flipped from atomic restart (0008's v1 contract) to per-instance resume. A crash mid-fan-out used to re-run the entire fan-out on resume; now only the instances that did not complete-and-record their contribution re-run. The economics matter for large fan-outs of expensive work (LLM calls, long extractions): an 80% complete fan-out crash now restores 80% of its results rather than discarding them.
 - **`SQLiteCheckpointer` schema** picks up a new `fan_out_progress_blob` column (added via `ALTER TABLE` for backward compatibility with pre-0009 databases). Pre-0009 rows back-fill as NULL on load and round-trip as the empty-tuple default. Both `pickle` and `json` serialization modes round-trip the new field.
 
 ### Notes
 
-- **Pinned spec version bumped from v0.17.0 to v0.18.1 over this Unreleased cycle.** Three spec versions absorbed: v0.17.1 (proposal 0019, multi-provider wire-format extension; purely textual reframe of llm-provider §8 as a catalog of wire-format mappings, OpenAI-compatible body nested under §8.1, code references updated to §8.1 / §8.1.1 / §8.1.2 / §8.1.3 / §8.1.5.1 / §8.1.1.1), v0.18.0 (proposal 0009, per-instance fan-out resume; pipeline-utilities §10.3 / §10.7 revised, §10.11 added with per-instance state machine plus composition rules plus configurable batching; the `append` reducer no-double-merge invariant from §10.11.1 is the load-bearing correctness story; see Added / Changed above), and v0.18.1 (fixture-only patch on `release/v0.18.1` correcting an off-by-one literal in fixture 052's expected `results`). All existing conformance fixtures continue to pass.
+- **Pinned spec version bumped from v0.17.0 to v0.19.0 over this Unreleased cycle.** Four spec versions absorbed: v0.17.1 (proposal 0019, multi-provider wire-format extension; purely textual reframe of llm-provider §8 as a catalog of wire-format mappings, OpenAI-compatible body nested under §8.1, code references updated to §8.1 / §8.1.1 / §8.1.2 / §8.1.3 / §8.1.5.1 / §8.1.1.1), v0.18.0 (proposal 0009, per-instance fan-out resume; pipeline-utilities §10.3 / §10.7 revised, §10.11 added with per-instance state machine plus composition rules plus configurable batching; the `append` reducer no-double-merge invariant from §10.11.1 is the load-bearing correctness story; see Added / Changed above), v0.18.1 (fixture-only patch on `release/v0.18.1` correcting an off-by-one literal in fixture 052's expected `results`), and v0.19.0 (proposal 0010, bounded drain timeout; graph-engine §6 amended with the `timeout` parameter and `DrainSummary` return contract; see Added / Changed above). All existing conformance fixtures continue to pass.
 
 ## [0.8.0] — 2026-05-23
 
 
@@ -221,11 +221,13 @@ finished. For long-running services that's fine. For short-lived
 processes (scripts, serverless, CLIs), events dispatched late in the
 run may not be delivered before the process exits.
 
-`drain()` blocks until every dispatched event has been delivered:
+`drain()` waits until every dispatched event has been delivered and
+returns a `DrainSummary` reporting the outcome:
 
 ```python
 final = await compiled.invoke(initial)
-await compiled.drain()
+summary = await compiled.drain()
+# DrainSummary(undelivered_count=0, timeout_reached=False)
 ```
 
 - Per-graph, not per-invoke. Drain awaits *all* prior invocations'
@@ -239,6 +241,32 @@ await compiled.drain()
 If you forget `drain()` in a CLI, the symptom is an empty trace file
 or missing log entries.
 
+### Bounded drain (optional timeout)
+
+`drain()` accepts an optional `timeout` parameter (non-negative
+seconds) — `await compiled.drain(timeout=5.0)` bounds the wait at five
+seconds. When the deadline fires, in-flight workers are cancelled
+cleanly so the compiled graph stays usable for subsequent invocations
+— partial delivery state from one drain does NOT leak into the next.
+
+The returned `DrainSummary` carries:
+
+- `timeout_reached: bool` — `True` only when the timeout actually
+  fired. A drain that finishes before the deadline reports `False`.
+- `undelivered_count: int` — events dispatched but not fully delivered
+  to every subscribed observer before the deadline. Always `0` when
+  `timeout_reached is False`.
+
+Observers **should** be cancellation-safe (idempotent writes,
+`try/finally` cleanup) so that interruption by drain timeout does not
+leave partial side effects in an inconsistent state.
+
+When to set a timeout: short-lived processes (CLIs, scripts,
+serverless functions) where a misbehaving observer holding drain
+indefinitely would stall process exit. Long-running services that
+control their own lifecycle can leave the timeout off and let drain
+wait for natural completion.
+
 ## Error isolation
 
 An observer that raises:
 
@@ -48,7 +48,7 @@ Repository = "https://github.com/LunarCommand/openarmature-python"
 Specification = "https://github.com/LunarCommand/openarmature-spec"
 
 [tool.openarmature]
-spec_version = "0.18.1"
+spec_version = "0.19.0"
 
 [dependency-groups]
 dev = [
 
@@ -1,4 +1,4 @@
 """OpenArmature: workflow framework for LLM pipelines and tool-calling agents."""
 
 __version__ = "0.8.0"
-__spec_version__ = "0.18.1"
+__spec_version__ = "0.19.0"
@@ -48,7 +48,7 @@
     exponential_jitter_backoff,
 )
 from .nodes import FunctionNode, Node
-from .observer import Observer, RemoveHandle, SubscribedObserver
+from .observer import DrainSummary, Observer, RemoveHandle, SubscribedObserver
 from .parallel_branches import BranchSpec, ParallelBranchesNode
 from .projection import ExplicitMapping, FieldNameMatching, ProjectionStrategy
 from .reducers import Reducer, append, last_write_wins, merge
@@ -62,6 +62,7 @@
     "ConditionalEdge",
     "ConflictingReducers",
     "DanglingEdge",
+    "DrainSummary",
     "EdgeException",
     "EndSentinel",
     "ExplicitMapping",
 
@@ -93,6 +93,7 @@
 from .nodes import Node
 from .observer import (
     _DRAIN_SENTINEL,
+    DrainSummary,
     Observer,
     RemoveHandle,
     SubscribedObserver,
@@ -523,10 +524,14 @@ class CompiledGraph[StateT: State]:
     # dataclass: the list reference is fixed but its contents change.
     # Parameterized factories so pyright infers the element types.
     _attached_observers: list[SubscribedObserver] = field(default_factory=list[SubscribedObserver])
-    # `set` (not list) so a per-task `add_done_callback(self._active_workers.discard)`
-    # auto-removes completed workers — long-running services that never call
-    # drain() don't accumulate completed Task references indefinitely.
-    _active_workers: set[asyncio.Task[None]] = field(default_factory=set[asyncio.Task[None]])
+    # Per-task `add_done_callback` auto-removes completed workers — long-
+    # running services that never call drain() don't accumulate completed
+    # Task references indefinitely. Values are the per-invocation
+    # `_InvocationContext` so `drain()` can read each worker's
+    # `drain_counters` to compute the undelivered-event count at timeout.
+    _active_workers: dict[asyncio.Task[None], _InvocationContext] = field(
+        default_factory=dict[asyncio.Task[None], _InvocationContext]
+    )
     # Single-element list so the frozen-dataclass binding is stable but
     # the user can swap the registered Checkpointer via
     # ``attach_checkpointer``. ``None`` when no backend is registered.
@@ -680,35 +685,90 @@ async def _migrate_record(
         )
         return migrated, summary
 
-    async def drain(self) -> None:
+    async def drain(self, timeout: float | None = None) -> DrainSummary:
         """Await delivery of every observer event produced by prior
-        invocations of this graph.
+        invocations of this graph, optionally bounded by ``timeout``.
 
         Callers running in short-lived processes (scripts, serverless
-        functions, CLIs) MUST use drain to avoid losing observer
-        events that were dispatched but not yet delivered.
+        functions, CLIs) MUST use drain to avoid losing observer events
+        that were dispatched but not yet delivered.
 
         Only events dispatched before this call are awaited; events
         from invocations started concurrently with drain may or may
         not be included. Subgraph events from active invocations are
         part of the parent invocation's worker and are covered
         automatically.
 
-        **Unbounded by design.** Drain blocks until every queued event has
-        been delivered to every subscribed observer. A slow, hung, or
-        misbehaving observer can therefore hold drain, and the calling
-        process, indefinitely. If you need a bounded wait, wrap the call
-        in `asyncio.wait_for` and accept that events still queued when the
-        deadline elapses will not be delivered::
-
-            await asyncio.wait_for(compiled.drain(), timeout=5.0)
+        ``timeout`` is a non-negative duration in seconds. If omitted
+        or ``None``, drain waits indefinitely — a slow, hung, or
+        misbehaving observer can therefore hold drain (and the calling
+        process) indefinitely. If supplied, drain returns no later
+        than ``timeout`` seconds after the call begins; any observer
+        events still queued or in-flight at that point are considered
+        undelivered. Workers are cancelled via ``Task.cancel()`` so
+        the compiled graph remains usable for subsequent invocations
+        — partial delivery state from one drain does NOT leak into
+        the next invocation.
+
+        Returns a :class:`DrainSummary` with ``undelivered_count`` and
+        ``timeout_reached`` fields. The shape is the same whether or
+        not a timeout was supplied; on the no-timeout / timeout-not-
+        fired path both fields are zero / false.
+
+        Observers SHOULD be written to be cancellation-safe
+        (idempotent writes, try/finally cleanup) so that interruption
+        by drain timeout does not leave partial side effects in an
+        inconsistent state.
+
+        Raises ``ValueError`` if ``timeout`` is negative or NaN.
+        Non-numeric input raises ``TypeError`` from the comparison.
         """
+        # ``not (timeout >= 0)`` is the right check: catches negative
+        # values, catches NaN (all comparisons with NaN return False),
+        # and lets non-numeric input raise ``TypeError`` from the
+        # comparison operator itself. Silently treating a negative
+        # timeout as "immediate cancel" would be a user-hostile failure
+        # mode — the spec contract is non-negative seconds.
+        if timeout is not None and not (timeout >= 0):
+            raise ValueError(f"drain timeout must be non-negative, got {timeout!r}")
         if not self._active_workers:
-            return
-        # Snapshot the set: each worker's done-callback removes itself
-        # from `_active_workers`, so iterating it directly while gather
-        # awaits would mutate during iteration.
-        await asyncio.gather(*list(self._active_workers), return_exceptions=True)
+            return DrainSummary(undelivered_count=0, timeout_reached=False)
+        # Snapshot the dict: each worker's done-callback removes its
+        # entry from `_active_workers`, so iterating directly while
+        # `asyncio.wait` awaits would mutate during iteration.
+        snapshot = dict(self._active_workers)
+        workers = list(snapshot.keys())
+
+        _done, pending = await asyncio.wait(
+            workers,
+            timeout=timeout,
+            return_when=asyncio.ALL_COMPLETED,
+        )
+
+        if pending:
+            undelivered = sum(
+                snapshot[w].drain_counters.dispatched - snapshot[w].drain_counters.delivered for w in pending
+            )
+            timeout_reached = True
+            for w in pending:
+                w.cancel()
+        else:
+            undelivered = 0
+            timeout_reached = False
+
+        # Gather ALL workers (done + pending) so any exception that
+        # escaped a delivery worker surfaces here instead of leaking
+        # as a "Task exception was never retrieved" warning. The
+        # ``return_exceptions=True`` absorbs both the synthetic
+        # ``CancelledError`` from cancelled workers and any genuine
+        # bug-escape from a ``deliver_loop`` that ever raised past
+        # its inner ``warnings.warn`` isolation. Also load-bearing
+        # for the cross-invocation cleanliness contract — done-
+        # callbacks fire on cancellation, so ``_active_workers`` is
+        # empty by the time we return.
+        await asyncio.gather(*workers, return_exceptions=True)
+
+        return DrainSummary(undelivered_count=undelivered, timeout_reached=timeout_reached)
 
     # ------------------------------------------------------------------
     # Public invocation
@@ -893,12 +953,16 @@ async def invoke(
         # "per-invocation is OUTERMOST invoke" wording).
         correlation_token = _set_correlation_id(resolved_correlation_id)
         invocation_token = _set_invocation_id(invocation_id)
-        worker = asyncio.create_task(deliver_loop(queue))
-        self._active_workers.add(worker)
+        worker = asyncio.create_task(deliver_loop(queue, context.drain_counters))
+        self._active_workers[worker] = context
         # Auto-prune: when the worker completes (after the sentinel is
-        # processed), remove it from the active set so long-running
-        # services don't leak Task references between drain() calls.
-        worker.add_done_callback(self._active_workers.discard)
+        # processed, or after cancellation by drain() on timeout), remove
+        # it from the active set so long-running services don't leak Task
+        # references between drain() calls. ``pop(key, None)`` is the
+        # idempotent form — if a concurrent drain() removed the entry
+        # already (it shouldn't with the current design, but the no-arg
+        # form would raise KeyError), this is a safe no-op.
+        worker.add_done_callback(lambda t: self._active_workers.pop(t, None))
         # Per spec §6 cross-ref in proposal 0014: dispatch the
         # ``checkpoint_migrated`` event as soon as the delivery
         # worker is alive but before any node runs, so the OTel