Fix session creation race condition and add capacity tests#77
Open
NIDNASSER-Abdelmajid wants to merge 4 commits intohuggingface:mainfrom
Open
Fix session creation race condition and add capacity tests#77NIDNASSER-Abdelmajid wants to merge 4 commits intohuggingface:mainfrom
NIDNASSER-Abdelmajid wants to merge 4 commits intohuggingface:mainfrom
Conversation
- Reserve session capacity before slow constructor work to prevent concurrent creates from oversubscribing global and per-user limits - Release reservations on all failure paths (constructor failure, task creation failure) to prevent capacity leaks - Add unit tests for global capacity enforcement, per-user capacity enforcement, and slot release on construction failure under concurrent load - Add API-level regression test for /api/session 503 response on capacity errors - Document session limit behavior and concurrency safety in README This fixes a correctness bug where simultaneous session creation requests could all pass the limit check before any were registered, causing the server to exceed MAX_SESSIONS and MAX_SESSIONS_PER_USER under load.
…ssion isolation Implements session-scoped file read tracking for local tools (read, write, edit) to prevent cross-session isolation bugs. Problem: _files_read was module-global in local_tools.py, allowing reads from one session to satisfy write/edit safety guards in another session. Solution: - Add _local_files_read: set[str] to Session object (agent/core/session.py) - Update _read_handler, _write_handler, _edit_handler to accept session param - Use session._local_files_read when available, fallback to global for compat - Thread session through handler calls (already supported by ToolRouter) Impact: Each session now independently tracks file reads, preventing Session B from bypassing write guards by relying on Session A's reads. Verification: - All 14 existing unit tests pass (no regressions) - Handlers maintain backward compatibility (session param is optional) - Session isolation properties now guaranteed by design
…olation Updated test stubs to properly mock fastapi.testclient module, allowing more comprehensive test collection and validation.
Collaborator
|
@claude please review this PR. Focus on correctness, security, LiteLLM/Bedrock routing impact, and whether it's safe to merge against current main. Keep it concise and prefer inline comments where it matters. |
|
Claude Code is working… I'll analyze this and get back to you. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This fixes a correctness bug where simultaneous session creation requests could all pass the limit check before any were registered, causing the server to exceed MAX_SESSIONS and MAX_SESSIONS_PER_USER under load.