Review — end-to-end ✅ (clean approve, behavioural harness confirms bug + fix)

Production fix for #1494 / Bug #2 of #1458. Wraps four with sqlite3.connect(...) as conn: callsites in contextlib.closing(...) because Python's sqlite3 connection context manager only commits/rolls back on exit — it does not close the connection. /api/sessions polling on a long-running webui leaked one or more state.db* FDs per poll until the process hit the macOS 256-FD soft limit and new request handlers RST'd before producing bytes.

What this ships

• api/agent_sessions.py:238 — read_importable_agent_session_rows (sidebar agent-session listing)
• api/agent_sessions.py:310 — read_session_lineage_metadata (sidebar lineage collapse, runs every poll)
• api/models.py:1105 — get_cli_session_messages (CLI session detail)
• api/models.py:1146 — delete_cli_session (with explicit conn.commit() retained — see Minor observations)
• tests/test_issue1494_state_db_fd_leak.py — 234 LOC, 4 tests using a _TrackingConn wrapper that monkeypatches sqlite3.connect and asserts every connection opened by each function is .close()'d.

Traced against upstream hermes-agent

Webui-only change. The CLI / agent has its own hermes_state.SessionDB layer with proper connection lifecycle — verified state.db write paths in the agent tarball don't share these four functions. The SessionDB cache fix from #1421 is orthogonal (covered cached-connection LRU eviction, not raw sqlite3.connect() callers). No cross-tool surface. ✓

Behavioural harness — bug and fix verified

$ python3 -c "..." # see review for full script
BUG: connection still open after with block (this is the bug)
FIX OK: connection closed after closing(): Cannot operate on a closed database.

Confirms:

1. with sqlite3.connect(p) as c: does NOT close — the connection remains usable after the block (FD still open).
2. with closing(sqlite3.connect(p)) as c: DOES close — cursor() raises ProgrammingError: Cannot operate on a closed database. after the block.

Audit — exhaustive sweep of production callsites

$ grep -rn "sqlite3.connect" api/ --include="*.py"
api/agent_sessions.py:238:    with closing(sqlite3.connect(str(db_path))) as conn:
api/agent_sessions.py:310:        with closing(sqlite3.connect(str(db_path))) as conn:
api/models.py:1105:        with closing(sqlite3.connect(str(db_path))) as conn:
api/models.py:1146:        with closing(sqlite3.connect(str(db_path))) as conn:

All 4 production callsites in api/ are wrapped. No other sqlite3.connect() invocations exist outside the test directory. The PR description's audit claim ("re-ran the audit and confirmed there are no other production callsites of the leaking pattern") is verified.

End-to-end trace

Pre-fix request flow on a long-running webui:

1. Browser polls /api/sessions every few seconds.
2. Each call invokes read_importable_agent_session_rows (api/agent_sessions.py:235) and read_session_lineage_metadata (api/agent_sessions.py:307).
3. Each function used with sqlite3.connect(str(db_path)) as conn: — __exit__ commits, never closes.
4. Connection's underlying FDs (state.db, state.db-wal, state.db-shm) stay open.
5. After ~80 polls (3 FDs × ~80 calls = ~240 + base ~25 = ~256), the process hits macOS soft FD limit.
6. Next request handler thread tries sqlite3.connect() → OSError: [Errno 24] Too many open files.
7. Handler returns without writing bytes; ThreadingHTTPServer closes the socket; kernel RSTs the client.
8. Process stays alive (accept loop is fine), port stays in LISTEN, every request RSTs. The exact symptoms reported.

Post-fix: every connection is closed on scope exit; FD count flat across stress tests (reporter measured 92 across 100 requests).

Edge-case trace

Security audit

• ✅ No XSS, no SSRF, no path traversal — pure sqlite connection lifecycle fix.
• ✅ No new endpoints; no auth changes; no config.yaml writes.
• ✅ closing() is from stdlib contextlib, well-tested.
• ✅ The _TrackingConn wrapper in tests is test-only (under tests/) and is not production code.

Tests

• tests/test_issue1494_state_db_fd_leak.py — 4/4 pass:
  • test_read_importable_agent_session_rows_closes_connection — calls 5×, asserts 5/5 closed
  • test_read_session_lineage_metadata_closes_connection — calls 5×, asserts 5/5 closed
  • test_get_cli_session_messages_closes_connection — calls 5×, asserts 2 messages returned + all closed (sanity-checks the real query path is exercised, not just open/close)
  • test_delete_cli_session_closes_connection — first call deletes (rowcount > 0), second is idempotent no-op; verifies commit semantics survived via a separate sqlite3.Connection that re-queries the table afterward
• PR description claims the test catches the bug. Verified by reverting the closing() wrap on read_importable_agent_session_rows — produces:

  AssertionError: read_importable_agent_session_rows leaked 5 of 5 sqlite connection(s) — context-manager-only `with sqlite3.connect()` does not close. Wrap in contextlib.closing(). See #1494.
  

• Full suite: 3817 passed, 55 skipped, 3 xpassed, 0 failed in 18.64s on the PR branch.
• CI: 3.11 / 3.12 / 3.13 all green.

Race / state analysis

• Concurrent calls to the patched functions (e.g. two sidebar polls hitting /api/sessions near-simultaneously): each opens its own connection, runs SELECTs, closes. No shared connection state between threads. ✓
• delete_cli_session two-call race: explicit conn.commit() before return; second call sees the deleted state on its own connection. SQLite WAL mode handles this. ✓
• Exception during SELECT inside with closing(...): closing.__exit__ calls close() regardless of exception status. FD released. ✓

Minor observations (non-blocking)

• closing() skips the original __exit__'s auto-commit/rollback semantics. contextlib.closing(thing) only calls thing.close() on exit — it does not delegate to thing.__exit__. For the 3 read-only callsites this is a non-issue (no transaction to commit). For delete_cli_session, the PR correctly retains an explicit conn.commit() (api/models.py:1150). A future contributor adding a write op inside one of these blocks expecting auto-commit would silently get a no-op. Could be tightened with the layered-context idiom (with closing(sqlite3.connect(...)) as conn: with conn: ...) but the current shape is correct for what's there now. Worth a one-line code comment near the closing() wrap noting "auto-commit semantics are dropped — add explicit conn.commit() if you need it." Not blocking.

• The 4 leak sites are all read-mostly. The agent's own write-heavy SessionDB layer was already correctly closed via #1421's LRU eviction fix — this PR is the missing piece for the raw sqlite3.connect() callers that didn't go through SessionDB.

• PR description test count off by ~53 (3870 claimed vs 3817 local). Counting drift consistent with prior batches; not blocking.

• Reporter attribution is well done — @insecurejezza did the production diagnosis (lsof analysis, source audit, fix shape, verification stress loop) and gets a Co-authored-by trailer. Good external-contributor credit.

Recommendation

✅ Approved. Textbook FD-leak fix: correct diagnosis (verified independently via behavioural harness), correct fix at all 4 production callsites (verified via exhaustive grep), regression tests prove the fix and are confirmed to catch the bug when reverted. Cross-tool clean. No security implications. Reporter's stress-loop verification (FD count flat at 92 across 100 requests vs. monotonic growth pre-fix) is the kind of evidence reviews want.

This unblocks the persistent-host wedge that #1483 surfaced after fixing the supervisor double-fork. Bug #3 of #1458 (HTTP-unhealthy without FD exhaustion) still tracked separately — correct scope discipline.

Parked at approval — ready for the release agent's merge/tag pipeline.