Review — end-to-end ✅ (clean approve, with one issue-number inconsistency to fix before merge)

P0 self-built hotfix for issue #1558 (data loss on SSE reconnect after server restart). Three defensive layers + a startup self-heal recovery path. Behavioral harness confirms the bug exists on master and the guard prevents it.

What this ships

• Layer 1 — api/models.py:368-385 — Session.save() raises RuntimeError if _loaded_metadata_only=True. Loud crash beats silent wipe.
• Layer 1 wiring — api/models.py:494-500 — Session.load_metadata_only() sets _loaded_metadata_only=True on the returned stub.
• Layer 2 — api/routes.py:344-368 — _clear_stale_stream_state() detects the metadata-only flag and reloads with metadata_only=False before mutating. If the reload fails, bails without clearing rather than wipe (the right asymmetry).
• Layer 3 (backup) — api/models.py:411-441 — Session.save() writes <sid>.json.bak IFF the previous on-disk message count is greater than the incoming one. Asymmetric: zero overhead on the normal grow path, snapshot on every shrink.
• Layer 3 (recovery) — new api/session_recovery.py module with recover_all_sessions_on_startup(), recover_session(), and inspect_session_recovery_status() helpers. Stages restore via tmp + atomic replace.
• Startup hook — server.py:113-122 calls recover_all_sessions_on_startup(SESSION_DIR) after fix_credential_permissions(). Best-effort, never blocks startup.
• tests/test_metadata_save_wipe_1557.py — 6 tests covering all three layers. Mutation-verified to fail on master with assert 0 == 1000.

Traced against upstream hermes-agent

Webui-only fix. The metadata_only partial-load path is webui's own performance optimization for sidebar polling — the agent CLI doesn't use it. The Session.save() atomicity (via os.replace()) is webui-only too. No cross-tool surface. ✅

End-to-end trace

Pre-fix production flow (the bug):

1. User on v0.50.279+ has a 1000-message session with stale active_stream_id after a server restart.
2. Browser SSE reconnect loop polls /api/session/status?session_id=X (api/routes.py:1837).
3. Handler calls get_session(sid, metadata_only=True) → Session.load_metadata_only(sid) returns a stub with messages=[].
4. Handler calls _clear_stale_stream_state(stub) (api/routes.py:327).
5. Helper checks STREAMS (server crashed → empty), so stream_alive=False. Mutates stub.active_stream_id=None, pending_user_message=None, calls stub.save().
6. Session.save() writes self.messages=[] to a tmp file, then os.replace(tmp, path) — the on-disk JSON is now empty.
7. Next reconnect cycle reads back the empty file. UI shows the loading banner. User sees their conversation shrink to 0 messages in real time.

Post-fix flow (Layer 1 + Layer 2):

1-3. Same as above.
4. _clear_stale_stream_state(stub) checks getattr(session, "_loaded_metadata_only", False) → True.
5. Helper calls get_session(stub.session_id, metadata_only=False) to reload with the full messages array.
6. The full-load path runs _repair_stale_pending() which independently clears the stale stream flags. After reload, active_stream_id=None already → helper returns False without mutating further.
7. If the explicit clear path runs (some flags still set after _repair_stale_pending), it now operates on a Session with the real messages — save() writes them back unchanged.
8. On-disk file preserved. ✅

Layer 3 (defense in depth): Even if Layer 1+2 missed a future variant of this bug shape, Layer 3's .bak snapshot before any shrinking save means the next server start auto-restores from .bak.

Behavioral harness — bug + guard verified

On disk: 1000 messages
Metadata-only stub: messages=0, _loaded_metadata_only=True
GUARD FIRED: Refusing to save metadata-only session 's_repro': would atomically
             overwrite on-disk messages with []. Reload with metadata_only=False
             before mutating state. See #1557.
On disk after save attempt: 1000 messages
OK: messages preserved

Confirms:

1. The _loaded_metadata_only flag is correctly set by load_metadata_only().
2. The guard fires with an informative error message before any disk write.
3. On-disk messages are preserved after the failed save attempt.

Security audit

• ✅ No XSS, no SSRF, no auth changes — pure data-handling fix.
• ✅ Backup files (<sid>.json.bak) inherit the same dir + ownership as the session JSON. tmp_path.replace(session_path) is atomic. Recovery uses shutil.copyfile + tmp.replace() for safety.
• ✅ recover_all_sessions_on_startup is best-effort with broad except Exception swallow at the startup level — never blocks server startup.
• ✅ The .bak mechanism stores a JSON copy in the same dir; no new directory or auth surface.
• ✅ No regex / no SQL / no path traversal — all paths derived from session_path.with_suffix().

Race / state analysis

• Session.save() runs under the per-session lock (api/models.py:393 — verified by reading existing code). The new backup-before-write step is under that same lock, so the read-existing + write-bak + write-new dance is atomic per session.
• Two threads racing on _clear_stale_stream_state for the same session: both would individually re-load the full session via get_session(metadata_only=False), both would call _repair_stale_pending which is idempotent (already-cleared flags → no-op). Safe.
• Concurrent backup + restore: the recovery path reads <sid>.json and <sid>.json.bak then writes <sid>.json via tmp + atomic replace. No interleaving with a concurrent save() because both go through the same per-session lock.
• Startup recovery vs concurrent save: startup recovery runs before the HTTP server starts accepting requests (server.py:113 is before the bind), so no concurrent saves can race with it.

Edge-case trace

Tests

• tests/test_metadata_save_wipe_1557.py — 6/6 pass:
  • test_metadata_only_save_raises_to_prevent_wipe — Layer 1 fires before disk write
  • test_clear_stale_stream_state_preserves_messages — end-to-end Layer 2
  • test_save_writes_bak_when_messages_shrink — Layer 3 backup fires on shrink
  • test_save_does_not_write_bak_when_messages_grow — zero overhead on grow
  • test_recover_all_sessions_on_startup_restores_shrunken_session — startup self-heal
  • test_recover_all_sessions_on_startup_is_idempotent_no_op_on_clean_state — clean install no-op
• Full suite: 3972 passed, 55 skipped, 3 xpassed, 0 failed in 79.94s on the PR branch.
• CI: all 3 (3.11/3.12/3.13) green.

Other audit — things that are correct already

• ✅ The "bail rather than wipe" asymmetry in Layer 2 is exactly right — better to leave a stale active_stream_id than wipe the conversation.
• ✅ The _repair_stale_pending interaction is handled correctly — Layer 2 returns False if the full-load already cleared the flag.
• ✅ Reporter attribution clean (user via AvidFuturist relayed from Twitter/X DM).
• ✅ Pre-merge checklist in PR body is unusually thorough and the reproducer test fails on master with a clear assertion message.

Minor observations (non-blocking, but worth fixing before merge)

• 🚨 Issue-number mismatch — code/tests/comments reference #1557 but the actual issue is #1558. PR title and PR body are correct ("Closes #1558"), but every code comment, the test file name (test_metadata_save_wipe_1557.py), the error-message string in Session.save() ("See #1557."), the docstring in api/session_recovery.py, and the commit message body ("Closes #1557.") all reference #1557. PR #1557 is an unrelated open PR by @dutchaiagency. The 17 wrong references won't auto-close issue #1558 from the commit message — and the test file name will be misleading for future archeology. Worth a one-pass s/#1557/#1558/g (and rename test file → test_metadata_save_wipe_1558.py) before merge so the artifacts agree with reality.

• existing_msg_count = -1 on JSON decode error (api/models.py:425) means a corrupt previous file always triggers backup write. Reasonable defensive choice — preserves a corrupt-but-might-be-recoverable file. Worth a comment that this is the intent (rather than a bug).

• recover_all_sessions_on_startup scans every .json in the dir but doesn't filter by extension subtly enough — _index.json and any other non-session JSON would be scanned too. They have no messages key so _msg_count returns -1 and recommend="no_action" (since bak doesn't exist). Harmless waste; flagging for awareness.

• Layer 3 doesn't garbage-collect old .bak files. A long-lived session that occasionally shrinks messages will accumulate .bak files (one per shrinking save, overwriting the previous). That's actually fine — only one .bak per session id at any time. But there's no cleanup once the session is deleted. Minor disk-leak; the session file itself is what user state cares about.

• PR description test count says 4019 → 4025. Local I see 3972 passed. Counting drift consistent with prior batches.

Recommendation

✅ Approved. Excellent P0 hotfix with three independent defensive layers, a startup self-heal recovery path, and a behavioral-harness-verified reproducer. Cross-tool safe. The "bail rather than wipe" asymmetry in Layer 2 and the "shrink-only backup" asymmetry in Layer 3 are both the right calls.

The one thing to fix before merge: the #1557 references throughout new code, comments, the test file name, and commit message body should be #1558 to match the actual issue this closes. Doc-only inconsistency, but it'll mislead future archeology and the commit-body "Closes #1557" won't auto-close issue #1558 either. A one-pass find/replace (and test-file rename) clears it cleanly.

Parked at approval — ready for the release agent's merge/tag pipeline. Given P0 severity, recommend the release agent fix the issue-number references in the same merge so the hotfix lands with consistent artifacts.