hermes-agent/tests/gateway/test_webhook_session_close.py
Gumclaw 14882bab7e fix(gateway): close webhook sessions on delivery completion so prune can reap them
Webhook deliveries created a unique one-shot session (delivery_id baked into
the session key at gateway/platforms/webhook.py:668) but the adapter fired
handle_message via asyncio.create_task WITHOUT ever ending the session
(webhook.py:713, pre-fix). Nothing else closes it: the gateway caches/expires
the agent per session_key but never calls end_session for the webhook path,
and _end_session_on_close teardown doesn't run for these fire-and-forget tasks.

SessionDB.prune_sessions (hermes_state.py:4965) only deletes rows WHERE
ended_at IS NOT NULL. So every webhook session stayed with ended_at NULL ->
unprunable -> unbounded state.db growth. This was the primary driver of the
SQLite lock-contention gateway outage.

Fix: wrap the delivery in _run_delivery_and_close, which awaits
handle_message and then (in finally, so failures still reap) calls
_end_webhook_session -> SessionDB.end_session(session_id, 'webhook_complete').
This mirrors how cron closes its session with 'cron_complete'
(cron/scheduler.py:3065). end_session is first-reason-wins and no-ops on an
already-ended row, so it never clobbers a compression/agent_close reason.

Adds tests/gateway/test_webhook_session_close.py asserting the invariant
(a completed webhook session has ended_at set + is prunable), including the
error-path case, against a real SessionStore + SessionDB.
2026-07-03 03:26:53 +05:30

178 lines
6.4 KiB
Python

"""Invariant test: a completed webhook delivery closes its session.
Regression guard for the ghost-session leak. Webhook deliveries create a
unique one-shot session (``delivery_id`` baked into the session key), but the
adapter historically fired ``handle_message`` without ever ending the session.
``SessionDB.prune_sessions`` only reaps rows where ``ended_at IS NOT NULL``, so
every webhook session stayed unprunable and state.db grew without bound (this
was the primary driver of the SQLite lock-contention gateway outage).
The invariant asserted here is a *behavior contract*, not a snapshot: once a
webhook delivery's agent run completes, the session row for that delivery must
have ``ended_at`` set — mirroring how a cron run closes its session with
``end_session(..., "cron_complete")``. We exercise the REAL close path
(``WebhookAdapter._run_delivery_and_close`` → ``_end_webhook_session`` →
``SessionDB.end_session``) against a REAL ``SessionStore`` + ``SessionDB`` on a
temp HERMES_HOME, so an integration regression can't hide behind a mock.
"""
import asyncio
import pytest
from gateway.config import GatewayConfig, Platform, PlatformConfig
from gateway.platforms.base import MessageEvent, MessageType, SendResult
from gateway.platforms.webhook import WebhookAdapter, _INSECURE_NO_AUTH
from gateway.session import SessionSource, SessionStore
from hermes_state import SessionDB
def _make_adapter(routes, **extra_kw) -> WebhookAdapter:
extra = {"host": "127.0.0.1", "port": 0, "routes": routes}
extra.update(extra_kw)
config = PlatformConfig(enabled=True, extra=extra)
return WebhookAdapter(config)
class _FakeRunner:
"""Minimal gateway runner surface the webhook close path depends on.
Wires a real ``SessionStore`` (which owns a real ``SessionDB``) and reuses
that same ``SessionDB`` as ``_session_db`` so the row created at routing
time is the row the close path ends — exactly the wiring the live gateway
has (``self.session_store`` + ``self._session_db``).
"""
def __init__(self, store: SessionStore):
self.session_store = store
self._session_db = store._db
def _session_key_for_source(self, source: SessionSource) -> str:
return self.session_store._generate_session_key(source)
@pytest.mark.asyncio
async def test_completed_webhook_delivery_closes_its_session(tmp_path):
"""After a webhook run finishes, its session row has ended_at set."""
sessions_dir = tmp_path / "sessions"
sessions_dir.mkdir()
config = GatewayConfig(
platforms={Platform.WEBHOOK: PlatformConfig(enabled=True)}
)
store = SessionStore(sessions_dir=sessions_dir, config=config)
assert store._db is not None, "test requires a real SessionDB"
runner = _FakeRunner(store)
adapter = _make_adapter(
{
"alerts": {
"secret": _INSECURE_NO_AUTH,
"prompt": "Alert: {message}",
"deliver": "log",
}
}
)
adapter.gateway_runner = runner
# The gateway creates the session row when it routes the inbound event to
# the agent. Simulate that inside handle_message so the close path has a
# real row to reap, and capture the session_id for the assertion.
created = {}
async def _fake_handle_message(event: MessageEvent) -> None:
entry = store.get_or_create_session(event.source)
created["session_id"] = entry.session_id
adapter.handle_message = _fake_handle_message
delivery_id = "alert-close-001"
session_chat_id = f"webhook:alerts:{delivery_id}"
source = adapter.build_source(
chat_id=session_chat_id,
chat_name="webhook/alerts",
chat_type="webhook",
user_id="webhook:alerts",
user_name="alerts",
)
event = MessageEvent(
text="Alert: server on fire",
message_type=MessageType.TEXT,
source=source,
raw_message={"message": "server on fire"},
message_id=delivery_id,
)
# Run the exact wrapper the adapter now schedules on delivery.
await adapter._run_delivery_and_close(event, session_chat_id)
session_id = created["session_id"]
row = store._db.get_session(session_id)
assert row is not None
# INVARIANT: a completed webhook session must be closed so prune can reap it.
assert row["ended_at"] is not None, (
"webhook session was never closed — ended_at is NULL, so "
"prune_sessions can never reap it (the ghost-session leak)"
)
assert row["end_reason"] == "webhook_complete"
# And the closed row is actually prunable, unlike the pre-fix leak.
pruned = store._db.prune_sessions(older_than_days=0, source="webhook")
assert pruned >= 1
store._db.close()
@pytest.mark.asyncio
async def test_webhook_session_closed_even_when_agent_run_raises(tmp_path):
"""A failing agent run still closes the session (finally-path)."""
sessions_dir = tmp_path / "sessions"
sessions_dir.mkdir()
config = GatewayConfig(
platforms={Platform.WEBHOOK: PlatformConfig(enabled=True)}
)
store = SessionStore(sessions_dir=sessions_dir, config=config)
runner = _FakeRunner(store)
adapter = _make_adapter(
{"alerts": {"secret": _INSECURE_NO_AUTH, "prompt": "x", "deliver": "log"}}
)
adapter.gateway_runner = runner
created = {}
async def _boom(event: MessageEvent) -> None:
# Row exists (routing happened) before the run blows up mid-turn.
entry = store.get_or_create_session(event.source)
created["session_id"] = entry.session_id
raise RuntimeError("agent exploded mid-run")
adapter.handle_message = _boom
delivery_id = "alert-fail-001"
session_chat_id = f"webhook:alerts:{delivery_id}"
source = adapter.build_source(
chat_id=session_chat_id,
chat_name="webhook/alerts",
chat_type="webhook",
user_id="webhook:alerts",
user_name="alerts",
)
event = MessageEvent(
text="x",
message_type=MessageType.TEXT,
source=source,
raw_message={},
message_id=delivery_id,
)
with pytest.raises(RuntimeError):
await adapter._run_delivery_and_close(event, session_chat_id)
row = store._db.get_session(created["session_id"])
assert row is not None
assert row["ended_at"] is not None, (
"session left open after a failed webhook run — the leak persists "
"on the error path"
)
assert row["end_reason"] == "webhook_complete"
store._db.close()