Skip to content

Harden the master-chat receive/reply path (concurrency + robustness follow-ups from #4660) #4661

Description

@sanil-23

Summary

Close out the concurrency/robustness hardening deferred from #4660 (master-chat receive loop review). The substantive correctness + security findings were fixed in that PR; these are the lower-risk hardening items tracked here as a follow-up.

Problem / Context

CodeRabbit + Codex flagged several defensive improvements on the orchestration receive/reply path. They are safe today under the current single-user desktop model and serialized master-chat wakes, but they narrow real edges (concurrent A2A activity, races on seq allocation, mismatched session ids, and remote key-bundle staleness). Grouping them so they can be knocked out together rather than blocking #4660.

See the resolution comment on #4660 for the rationale on each deferral.

Scope

Orchestration + tinyplace only. No behavior change intended beyond hardening; keep the master-chat happy path unchanged.

Acceptance criteria

  • Beacon process-global race (src/openhuman/orchestration/tools.rsMASTER_ORIGIN / current_master_origin) — eliminate, don't just document, the window where a concurrent A2A send_to_agent during a local-master turn reads the master origin and mis-threads a peer reply into master. Options: scope the beacon to the master turn's own sends, or carry an origin token that only master sends honor.
  • Arm pending_ask before the outbound send (tools.rs send_to_agent) — arm the correlation before the DM leaves, clearing it on send failure, so a fast reply can't race the post-send arm.
  • Immediate transactions for seq allocation + insert (src/openhuman/orchestration/schemas.rs handle_send_master_message; tools.rs send_to_agent) — wrap next_session_seq + insert_message/upsert_session in in_immediate_txn so concurrent writers can't allocate a duplicate seq.
  • Reject invalid/mismatched sessionId (tools.rs send_to_agent) — when a caller passes an explicit sessionId that doesn't belong to the recipient, error instead of silently falling back to latest/mint.
  • Check remote key-bundle health before declaring discoverable (src/openhuman/tinyplace/manifest.rssignal_key_status / ensure_signal_keys_published) — gate encryptionKeyPublished on the remote prekey bundle actually being serveable, not just the directory card being present.
  • Diff coverage ≥ 80% — the implementing PR meets the changed-lines coverage gate.

Related

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
Todo

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions