Skip to content

Fix retained Amp network sessions#2138

Merged
steipete merged 1 commit into
mainfrom
codex/fix-amp-session-cleanup
Jul 14, 2026
Merged

Fix retained Amp network sessions#2138
steipete merged 1 commit into
mainfrom
codex/fix-amp-session-cleanup

Conversation

@steipete

@steipete steipete commented Jul 13, 2026

Copy link
Copy Markdown
Owner

Summary

  • Finish every temporary Amp API and dashboard URLSession after its request completes or fails.
  • Inject session creation/finalization internally so lifecycle behavior is testable without live accounts, cookies, or Keychain access.
  • Add serialized regression coverage for API and web fetches across successful responses and transport failures.

Root cause

Both Amp fetch paths created ephemeral sessions with redirect delegates but never invalidated them. Repeated refreshes could retain delegates, URL-cache state, and transport resources beyond each one-shot request.

Validation

  • swift test --filter 'AmpUsageFetcherTests|AmpUsageParserTests'
    • 32 tests in 2 suites passed
  • make check
    • SwiftFormat: clean
    • SwiftLint: 0 violations
  • Autoreview: no accepted or actionable findings; correctness confidence 0.98.
  • make test: 639/639 selections, 54/54 groups passed on first attempt; 0 failures, retries, or timeouts.
  • Exact-head CI required before merge.

Screenshots and live account probes are not applicable. The transport lifecycle is covered hermetically with injected URLProtocol responses.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P2 Normal priority bug or improvement with limited blast radius. labels Jul 14, 2026
@clawsweeper

clawsweeper Bot commented Jul 14, 2026

Copy link
Copy Markdown

Codex review: needs maintainer review before merge. Reviewed July 13, 2026, 8:42 PM ET / July 14, 2026, 00:42 UTC.

Summary
The PR injects Amp URLSession lifecycle hooks, finalizes temporary API and dashboard sessions on every exit path, adds serialized lifecycle tests, and updates the release notes.

Reproducibility: yes. at source level: current main has two temporary Amp session creation paths without invalidation, and the proposed tests directly exercise finalization on every relevant exit mode.

Review metrics: 3 noteworthy metrics.

  • Patch scope: 3 files, +187/-11. The change is bounded to one provider fetcher, its tests, and one release-note entry.
  • Lifecycle cases: 4 added tests. Both Amp API and web paths are covered on successful response and transport failure.
  • Check state: 7 passed, 1 in progress. Only the required Linux x64 exact-head build remained unresolved in the supplied snapshot.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

  • [P1] The exact-head Linux x64 build was still in progress in the supplied check snapshot, so merge should wait for that required check to complete successfully.

Maintainer options:

  1. Decide the mitigation before merge
    Merge the defer-based lifecycle fix once the remaining exact-head check is green, retaining the focused hermetic tests as regression coverage.
  2. Pause or close
    Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

  • [P2] No repair job is needed; wait for the remaining exact-head build and then perform the normal owner merge decision.

Security
Cleared: No security or supply-chain concern was found because the patch adds no dependency, permission, secret access, download, or new execution source.

Review details

Best possible solution:

Merge the defer-based lifecycle fix once the remaining exact-head check is green, retaining the focused hermetic tests as regression coverage.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: current main has two temporary Amp session creation paths without invalidation, and the proposed tests directly exercise finalization on every relevant exit mode.

Is this the best way to solve the issue?

Yes: defer-based finalization directly beside session construction is the narrowest maintainable repair and does not alter Amp authentication, redirects, parsing, or fallback semantics.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 315ff65f7b2a.

Label changes

Label justifications:

  • P2: The PR fixes provider-specific resource retention with limited blast radius and no evidence of outage, data loss, or security impact.
  • rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The owner-authored PR is exempt from the external-contributor proof gate; hermetic URLProtocol lifecycle tests are appropriate supplemental evidence for this internal transport cleanup.
Evidence reviewed

What I checked:

Likely related people:

  • steipete: Authored the current focused change and owns the repository-level merge decision for this provider fix. (role: repository owner and recent Amp lifecycle contributor; confidence: high; commits: 09c7558e26f4; files: Sources/CodexBarCore/Providers/Amp/AmpUsageFetcher.swift, Tests/CodexBarTests/AmpUsageFetcherTests.swift)
  • duailibe: Release history credits @duailibe with introducing Amp Free usage tracking through the original provider work. citeturn6search0. (role: Amp feature introducer; confidence: medium; files: Sources/CodexBarCore/Providers/Amp/AmpUsageFetcher.swift)
  • JosephDoUrden: Release history credits @JosephDoUrden with Amp login-redirect hardening adjacent to the session delegate path changed here. citeturn7search0. (role: recent Amp fetch-path contributor; confidence: medium; files: Sources/CodexBarCore/Providers/Amp/AmpUsageFetcher.swift, Tests/CodexBarTests/AmpUsageFetcherTests.swift)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
Review history (2 earlier review cycles)
  • reviewed 2026-07-14T00:07:13.205Z sha 09c7558 :: needs maintainer review before merge. :: none
  • reviewed 2026-07-14T00:24:41.929Z sha 09c7558 :: needs maintainer review before merge. :: none

@clawsweeper clawsweeper Bot added rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. and removed rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. labels Jul 14, 2026
@steipete steipete merged commit 0437067 into main Jul 14, 2026
14 of 15 checks passed
@steipete steipete deleted the codex/fix-amp-session-cleanup branch July 14, 2026 00:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

P2 Normal priority bug or improvement with limited blast radius. rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant