code review fixes

Author: ericallam

apps/webapp/app/routes/api.v1.sessions.$session.ts

@@ -63,23 +63,41 @@ const { action } = createActionApiRoute(
       return json({ error: "Session not found" }, { status: 404 });
     }
 
-    const updated = await prisma.session.update({
-      where: { id: existing.id },
-      data: {
-        ...(body.tags !== undefined ? { tags: body.tags } : {}),
-        ...(body.metadata !== undefined
-          ? {
-              metadata:
-                body.metadata === null
-                  ? Prisma.JsonNull
-                  : (body.metadata as Prisma.InputJsonValue),
-            }
-          : {}),
-        ...(body.externalId !== undefined ? { externalId: body.externalId } : {}),
-      },
-    });
+    try {
+      const updated = await prisma.session.update({
+        where: { id: existing.id },
+        data: {
+          ...(body.tags !== undefined ? { tags: body.tags } : {}),
+          ...(body.metadata !== undefined
+            ? {
+                metadata:
+                  body.metadata === null
+                    ? Prisma.JsonNull
+                    : (body.metadata as Prisma.InputJsonValue),
+              }
+            : {}),
+          ...(body.externalId !== undefined ? { externalId: body.externalId } : {}),
+        },
+      });
 
-    return json<RetrieveSessionResponseBody>(serializeSession(updated));
+      return json<RetrieveSessionResponseBody>(serializeSession(updated));
+    } catch (error) {
+      // A duplicate externalId in the same environment violates the
+      // `(runtimeEnvironmentId, externalId)` unique constraint. Surface that
+      // as a 409 rather than a generic 500.
+      if (
+        error instanceof Prisma.PrismaClientKnownRequestError &&
+        error.code === "P2002" &&
+        Array.isArray((error.meta as { target?: string[] })?.target) &&
+        ((error.meta as { target?: string[] }).target ?? []).includes("externalId")
+      ) {
+        return json(
+          { error: "A session with this externalId already exists in this environment" },
+          { status: 409 }
+        );
+      }
+      throw error;
+    }
   }
 );
 

apps/webapp/app/routes/api.v1.sessions.ts

@@ -89,38 +89,43 @@ const { action } = createActionApiRoute(
       let isCached = false;
 
       if (body.externalId) {
-        // Idempotent: (env, externalId) uniquely identifies the Session.
-        const existing = await prisma.session.findUnique({
+        // Atomic upsert — two concurrent POSTs with the same externalId both
+        // converge to the same row without either hitting a 500 from the
+        // unique constraint.
+        const { id, friendlyId } = SessionId.generate();
+        const externalId = body.externalId;
+        const pre = await prisma.session.findFirst({
           where: {
-            runtimeEnvironmentId_externalId: {
-              runtimeEnvironmentId: authentication.environment.id,
-              externalId: body.externalId,
-            },
+            runtimeEnvironmentId: authentication.environment.id,
+            externalId,
           },
+          select: { id: true },
         });
+        isCached = pre !== null;
 
-        if (existing) {
-          session = existing;
-          isCached = true;
-        } else {
-          const { id, friendlyId } = SessionId.generate();
-          session = await prisma.session.create({
-            data: {
-              id,
-              friendlyId,
-              externalId: body.externalId,
-              type: body.type,
-              taskIdentifier: body.taskIdentifier ?? null,
-              tags: body.tags ?? [],
-              metadata: body.metadata as Prisma.InputJsonValue | undefined,
-              expiresAt: body.expiresAt ?? null,
-              projectId: authentication.environment.projectId,
+        session = await prisma.session.upsert({
+          where: {
+            runtimeEnvironmentId_externalId: {
               runtimeEnvironmentId: authentication.environment.id,
-              environmentType: authentication.environment.type,
-              organizationId: authentication.environment.organizationId,
+              externalId,
             },
-          });
-        }
+          },
+          create: {
+            id,
+            friendlyId,
+            externalId,
+            type: body.type,
+            taskIdentifier: body.taskIdentifier ?? null,
+            tags: body.tags ?? [],
+            metadata: body.metadata as Prisma.InputJsonValue | undefined,
+            expiresAt: body.expiresAt ?? null,
+            projectId: authentication.environment.projectId,
+            runtimeEnvironmentId: authentication.environment.id,
+            environmentType: authentication.environment.type,
+            organizationId: authentication.environment.organizationId,
+          },
+          update: {},
+        });
       } else {
         const { id, friendlyId } = SessionId.generate();
         session = await prisma.session.create({

apps/webapp/app/routes/realtime.v1.sessions.$session.$io.append.ts

@@ -17,10 +17,18 @@ const ParamsSchema = z.object({
 // POST: server-side append of a single record to a session channel. Mirrors
 // the existing /realtime/v1/streams/:runId/:target/:streamId/append route,
 // scoped to a Session primitive.
+// S2 enforces a 1 MiB per-record limit (metered as
+// `8 + 2*H + Σ(header name+value) + body`). We cap the raw HTTP body at
+// 512 KiB so the JSON wrapper (`{"data":"...","id":"..."}`), string
+// escaping, and any future per-record header additions all stay comfortably
+// below S2's ceiling. See https://s2.dev/docs/limits.
+const MAX_APPEND_BODY_BYTES = 1024 * 512;
+
 const { action } = createActionApiRoute(
   {
     params: ParamsSchema,
     method: "POST",
+    maxContentLength: MAX_APPEND_BODY_BYTES,
     allowJWT: true,
     corsStrategy: "all",
     authorization: {

apps/webapp/app/routes/realtime.v1.sessions.$session.$io.ts

@@ -79,7 +79,12 @@ const loader = createLoaderApiRoute(
     },
     authorization: {
       action: "read",
-      resource: (session) => ({ sessions: [session.friendlyId, session.externalId ?? ""] }),
+      resource: (session) => {
+        const ids = session.externalId
+          ? [session.friendlyId, session.externalId]
+          : [session.friendlyId];
+        return { sessions: ids };
+      },
       superScopes: ["read:sessions", "read:all", "admin"],
     },
   },
@@ -104,19 +109,22 @@ const loader = createLoaderApiRoute(
 
     const lastEventId = request.headers.get("Last-Event-ID") ?? undefined;
 
-    const timeoutInSecondsRaw = request.headers.get("Timeout-Seconds") ?? undefined;
-    const timeoutInSeconds = timeoutInSecondsRaw ? parseInt(timeoutInSecondsRaw, 10) : undefined;
-
-    if (timeoutInSeconds !== undefined && isNaN(timeoutInSeconds)) {
-      return new Response("Invalid timeout seconds", { status: 400 });
-    }
-
-    if (timeoutInSeconds !== undefined && timeoutInSeconds < 1) {
-      return new Response("Timeout seconds must be greater than 0", { status: 400 });
-    }
-
-    if (timeoutInSeconds !== undefined && timeoutInSeconds > 600) {
-      return new Response("Timeout seconds must be less than 600", { status: 400 });
+    const timeoutInSecondsRaw = request.headers.get("Timeout-Seconds");
+    let timeoutInSeconds: number | undefined;
+    if (timeoutInSecondsRaw) {
+      // `Number()` rejects `"10abc"` as NaN; `parseInt` would silently accept
+      // the trailing garbage and bypass the bounds checks below.
+      const parsed = Number(timeoutInSecondsRaw);
+      if (!Number.isFinite(parsed) || !Number.isInteger(parsed)) {
+        return new Response("Invalid timeout seconds", { status: 400 });
+      }
+      if (parsed < 1) {
+        return new Response("Timeout seconds must be greater than 0", { status: 400 });
+      }
+      if (parsed > 600) {
+        return new Response("Timeout seconds must be less than 600", { status: 400 });
+      }
+      timeoutInSeconds = parsed;
     }
 
     return realtimeStream.streamResponseFromSessionStream(

apps/webapp/app/routes/realtime.v1.streams.$runId.$target.$streamId.append.ts

@@ -13,9 +13,17 @@ const ParamsSchema = z.object({
   streamId: z.string(),
 });
 
+// S2 enforces a 1 MiB per-record limit (metered as
+// `8 + 2*H + Σ(header name+value) + body`). Cap the raw HTTP body at
+// 512 KiB so the JSON wrapper, string escaping, and any future per-record
+// header additions all stay well under S2's ceiling.
+// See https://s2.dev/docs/limits.
+const MAX_APPEND_BODY_BYTES = 1024 * 512;
+
 const { action } = createActionApiRoute(
   {
     params: ParamsSchema,
+    maxContentLength: MAX_APPEND_BODY_BYTES,
   },
   async ({ request, params, authentication }) => {
     const run = await $replica.taskRun.findFirst({

apps/webapp/app/services/realtime/sessions.server.ts

@@ -27,13 +27,11 @@ export async function resolveSessionByIdOrExternalId(
     });
   }
 
-  return prisma.session.findUnique({
-    where: {
-      runtimeEnvironmentId_externalId: {
-        runtimeEnvironmentId,
-        externalId: idOrExternalId,
-      },
-    },
+  // `findFirst` rather than `findUnique` per the repo rule — `findUnique`'s
+  // implicit DataLoader has open correctness bugs in Prisma 6.x that bite
+  // hot-path lookups exactly like this one.
+  return prisma.session.findFirst({
+    where: { runtimeEnvironmentId, externalId: idOrExternalId },
   });
 }
 

packages/core/src/v3/schemas/api.ts

@@ -1456,8 +1456,8 @@ export type CompleteWaitpointTokenRequestBody = z.infer<typeof CompleteWaitpoint
 export const CreateSessionRequestBody = z.object({
   /** Plain string discriminator — e.g. `"chat.agent"`. Not validated against an enum on the server. */
   type: z.string().min(1).max(64),
-  /** User-supplied idempotency key. Unique per environment. */
-  externalId: z.string().max(256).optional(),
+  /** User-supplied idempotency key. Unique per environment. Empty strings are rejected. */
+  externalId: z.string().trim().min(1).max(256).optional(),
   /** Optional pointer for task-owned session types. */
   taskIdentifier: z.string().max(128).optional(),
   /** Up to 10 tags for dashboard filtering. */
@@ -1495,7 +1495,10 @@ export type RetrieveSessionResponseBody = z.infer<typeof RetrieveSessionResponse
 export const UpdateSessionRequestBody = z.object({
   tags: z.array(z.string().max(128)).max(10).optional(),
   metadata: z.record(z.unknown()).nullable().optional(),
-  externalId: z.string().max(256).nullable().optional(),
+  // Null explicitly clears the externalId; non-null values must be non-empty.
+  externalId: z
+    .union([z.literal(null), z.string().trim().min(1).max(256)])
+    .optional(),
 });
 export type UpdateSessionRequestBody = z.infer<typeof UpdateSessionRequestBody>;
 
@@ -1514,19 +1517,27 @@ export type SessionStatus = z.infer<typeof SessionStatus>;
  * narrowing fields — both produced automatically by `zodfetchCursorPage`
  * and the matching client-side search-query helper.
  */
-export const ListSessionsQueryParams = z.object({
-  "page[size]": z.coerce.number().int().min(1).max(100).default(20),
-  "page[after]": z.string().optional(),
-  "page[before]": z.string().optional(),
-  "filter[type]": z.union([z.string(), z.array(z.string())]).optional(),
-  "filter[tags]": z.union([z.string(), z.array(z.string())]).optional(),
-  "filter[taskIdentifier]": z.union([z.string(), z.array(z.string())]).optional(),
-  "filter[externalId]": z.string().optional(),
-  "filter[status]": z.union([SessionStatus, z.array(SessionStatus)]).optional(),
-  "filter[createdAt][period]": z.string().optional(),
-  "filter[createdAt][from]": z.coerce.number().int().optional(),
-  "filter[createdAt][to]": z.coerce.number().int().optional(),
-});
+export const ListSessionsQueryParams = z
+  .object({
+    "page[size]": z.coerce.number().int().min(1).max(100).default(20),
+    "page[after]": z.string().optional(),
+    "page[before]": z.string().optional(),
+    "filter[type]": z.union([z.string(), z.array(z.string())]).optional(),
+    "filter[tags]": z.union([z.string(), z.array(z.string())]).optional(),
+    "filter[taskIdentifier]": z.union([z.string(), z.array(z.string())]).optional(),
+    "filter[externalId]": z.string().optional(),
+    "filter[status]": z.union([SessionStatus, z.array(SessionStatus)]).optional(),
+    "filter[createdAt][period]": z.string().optional(),
+    "filter[createdAt][from]": z.coerce.number().int().optional(),
+    "filter[createdAt][to]": z.coerce.number().int().optional(),
+  })
+  .refine(
+    (value) => !(value["page[after]"] && value["page[before]"]),
+    {
+      message: "Cannot pass both page[after] and page[before] on the same request",
+      path: ["page[before]"],
+    }
+  );
 export type ListSessionsQueryParams = z.infer<typeof ListSessionsQueryParams>;
 
 /**