fix(honcho): include user_id in agent cache signature to prevent shared-thread peer contamination

PR #27371 introduced a per-user-peer resolver in HonchoSessionManager, but the resolved runtime identity is frozen into the manager at first- message init. When the gateway session_key intentionally omits the participant ID (the default for threads via thread_sessions_per_user= False), a cached AIAgent created by user A is reused for user B's messages, attributing B's writes to A's resolved Honcho peer and breaking #27371's per-user-peer contract. Fix by including user_id and user_id_alt in _agent_config_signature so the cache key distinguishes participants in shared threads. Each user in a shared thread now triggers a fresh AIAgent build (trading prompt- cache warmth for memory-attribution correctness — the right tradeoff for an external-memory backend where misattribution is unrecoverable). The default-None case keeps the signature byte-identical to pre-fix behavior so this change doesn't invalidate in-flight caches on deploy.
2026-05-29 06:31:32 +00:00 · 2026-05-21 22:18:06 +00:00 · 2026-05-21 22:18:06 +00:00 · c03960decd
commit c03960decd
parent 00e6830204
2 changed files with 92 additions and 0 deletions
--- a/gateway/run.py
+++ b/gateway/run.py
@ -15080,6 +15080,8 @@ class GatewayRunner:
        enabled_toolsets: list,
        ephemeral_prompt: str,
        cache_keys: dict | None = None,
+        user_id: str | None = None,
+        user_id_alt: str | None = None,
    ) -> str:
        """Compute a stable string key from agent config values.

@ -15093,6 +15095,20 @@ class GatewayRunner:
        the output of ``_extract_cache_busting_config(user_config)`` so
        edits to model.context_length / compression.* in config.yaml are
        picked up on the next gateway message without a manual restart.
+
+        ``user_id`` and ``user_id_alt`` are the runtime user identities
+        carried by the current message's gateway source.  They participate
+        in the cache key because the Honcho memory provider freezes them
+        into ``HonchoSessionManager`` at first-message init (see
+        ``plugins/memory/honcho/__init__.py::_do_session_init``).  Without
+        them in the signature, a shared-thread session_key (one in which
+        ``build_session_key`` intentionally omits the participant ID,
+        e.g. ``thread_sessions_per_user=False``) would reuse the cached
+        AIAgent across distinct users, causing the second user's messages
+        to be attributed to the first user's resolved Honcho peer.  This
+        broke #27371's per-user-peer contract in multi-user gateways.
+        Per-user agent rebuilds in shared threads trade prompt-cache
+        warmth for correct memory attribution.
        """
        import hashlib, json as _j

@ -15117,6 +15133,8 @@ class GatewayRunner:
                # cached agent and doesn't affect system prompt or tools.
                ephemeral_prompt or "",
                _cache_keys_sorted,
+                str(user_id or ""),
+                str(user_id_alt or ""),
            ],
            sort_keys=True,
            default=str,
@ -16658,6 +16676,8 @@ class GatewayRunner:
                enabled_toolsets,
                combined_ephemeral,
                cache_keys=self._extract_cache_busting_config(user_config),
+                user_id=getattr(source, "user_id", None),
+                user_id_alt=getattr(source, "user_id_alt", None),
            )
            agent = None
            _cache_lock = getattr(self, "_agent_cache_lock", None)