fix(routes): remove duplicate GET /api/sessions shadowing session_list() #17

2026-06-15T18:03:22Z

will.anderson commented

2026-06-15 18:03:22 +00:00

Summary

Removes the stale route_sessions() function that searched engram for session-start — a label never written by the current session_create(). This caused every GET /api/sessions request to return [], making the sidebar appear empty after a daemon restart.
Removes the first GET /api/sessions if-block in handle_request that called route_sessions(). The surviving handler (previously dead code) now calls the correct session_list() from sessions.el.
Adds DELETE /api/sessions/:id route wired to session_delete().
Adds PATCH /api/sessions/:id route wired to session_update_patch().

Test plan

GET /api/sessions returns real sessions after daemon restart
DELETE /api/sessions/:id removes session from engram
PATCH /api/sessions/:id updates title and/or folder
Unrelated routes unaffected

## Summary - Removes the stale `route_sessions()` function that searched engram for `session-start` — a label never written by the current `session_create()`. This caused every `GET /api/sessions` request to return `[]`, making the sidebar appear empty after a daemon restart. - Removes the first `GET /api/sessions` if-block in `handle_request` that called `route_sessions()`. The surviving handler (previously dead code) now calls the correct `session_list()` from `sessions.el`. - Adds `DELETE /api/sessions/:id` route wired to `session_delete()`. - Adds `PATCH /api/sessions/:id` route wired to `session_update_patch()`. ## Test plan - [ ] `GET /api/sessions` returns real sessions after daemon restart - [ ] `DELETE /api/sessions/:id` removes session from engram - [ ] `PATCH /api/sessions/:id` updates title and/or folder - [ ] Unrelated routes unaffected

will.anderson added 1 commit 2026-06-15 18:04:09 +00:00

fix(routes): remove duplicate GET /api/sessions that shadowed session_list()

Neuron Soul CI / build (pull_request) Failing after 9m52s

Details

c43d3e6ca8

The first registration called route_sessions() which searched for a
'session-start' label that no longer exists, returning an empty array
on every list request and making the sidebar appear empty after restart.
The second registration (dead code) called the correct session_list().

Removes route_sessions() entirely and the stale first route block.
Also wires up session_delete() and session_update_patch() — both existed
in sessions.el but had no HTTP routes — via new DELETE and PATCH blocks.

will.anderson commented

2026-06-17 17:48:36 +00:00

The core fix is correct and necessary. The old route_sessions() function used engram_search_json("session-start", 20) — wrong label ("session-start" vs "session:meta"), wrong limit (20 vs 50), and no filtering — so GET /api/sessions was silently returning wrong/empty results for clients using the new sessions system. Removing it and letting the real session_list() handler (already present further down the GET chain) take over is the right call. The DELETE and PATCH routing additions are also correct and complete a gap between what sessions.el exported and what routes.el wired up.

One blocker to fix before merge:

session_delete in sessions.el does not invalidate the session_index state cache. After a successful DELETE, session_list() will serve the deleted session from the fast-path state cache (state_get("session_index")) until the daemon restarts. This was latent before — DELETE had no route. Now that you've wired up DELETE routing, the stale-list bug is immediately observable.

Fix: add state_set("session_index", "") in session_delete before its return, matching the pattern that session_update_patch already uses correctly (line 290 of sessions.el).

// Clear state
state_set("session_hist_" + session_id, "")
state_set("session_node_" + session_id, "")
state_set("session_index", "")   // <-- add this
return "{\"ok\":true,\"session_id\":\"" + session_id + "\"" ...

Everything else looks good — the ID extraction logic for DELETE and PATCH is consistent with the existing GET/POST session handlers, session_update_patch correctly invalidates the cache, and there are no new shell-injection surfaces introduced.

The core fix is correct and necessary. The old `route_sessions()` function used `engram_search_json("session-start", 20)` — wrong label (`"session-start"` vs `"session:meta"`), wrong limit (20 vs 50), and no filtering — so `GET /api/sessions` was silently returning wrong/empty results for clients using the new sessions system. Removing it and letting the real `session_list()` handler (already present further down the GET chain) take over is the right call. The DELETE and PATCH routing additions are also correct and complete a gap between what `sessions.el` exported and what `routes.el` wired up. **One blocker to fix before merge:** `session_delete` in `sessions.el` does not invalidate the `session_index` state cache. After a successful DELETE, `session_list()` will serve the deleted session from the fast-path state cache (`state_get("session_index")`) until the daemon restarts. This was latent before — DELETE had no route. Now that you've wired up DELETE routing, the stale-list bug is immediately observable. Fix: add `state_set("session_index", "")` in `session_delete` before its return, matching the pattern that `session_update_patch` already uses correctly (line 290 of `sessions.el`). ```el // Clear state state_set("session_hist_" + session_id, "") state_set("session_node_" + session_id, "") state_set("session_index", "") // <-- add this return "{\"ok\":true,\"session_id\":\"" + session_id + "\"" ... ``` Everything else looks good — the ID extraction logic for DELETE and PATCH is consistent with the existing GET/POST session handlers, `session_update_patch` correctly invalidates the cache, and there are no new shell-injection surfaces introduced.

will.anderson added 2 commits 2026-06-17 18:00:12 +00:00

fix(chat): store bridge messages/tools as raw JSON to prevent double-escape corruption on agentic_resume 26513d56b7

bridge_save was wrapping messages and tools_json with json_safe() before
storing them as string fields. Since both are already well-formed JSON arrays
containing double quotes, json_safe added a second escape layer. agentic_resume
then called json_get() which stripped only one layer, leaving the messages array
corrupted before it was passed back into agentic_loop.

Fix: store messages as messages_raw and tools_json as tools_raw as inline raw
JSON values (unquoted), and read them back with json_get_raw. Backward
compatibility: fall back to the old string-escaped fields if the raw fields are
absent, so sessions saved before this fix can still be resumed.

Also fixes write_file returning a pre-escaped literal instead of calling
json_safe consistently with every other tool result.

fix(sessions): invalidate session_index cache in session_delete

Neuron Soul CI / build (pull_request) Failing after 8m11s

Details

b1fdd14ed5

session_delete cleared the per-session state (session_hist_ and
session_node_) but not the shared session_index cache. The next call
to session_list() hit the fast path (state_get("session_index")) and
returned the deleted session until the daemon restarted.

session_update_patch already called state_set("session_index","") to
force a re-fetch from Engram; session_delete now does the same.

Add tests/test_sessions.el covering:
- session_title_from_message (pure function, all edge cases)
- session_make_content (JSON structure and required session:meta marker)
- DELETE cache invalidation: session_index cleared, fast path disabled
- PATCH cache invalidation: stale title/folder not returned via fast path
- GET /api/sessions: session_list() fast path returns session_index
  (confirms removal of the stale route_sessions() engram stub)

will.anderson merged commit 189093b348 into main

2026-06-17 18:05:26 +00:00

will.anderson deleted branch fix/sessions-route-dedup

2026-06-17 18:05:32 +00:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: neuron-technologies/neuron#17