Fix tenant isolation and test harness leaks

Author: acailic

benchmarks/__init__.py

@@ -13,6 +13,7 @@
     run_replay_determinism_session,
     run_safety_escalation_session,
 )
+from .seed_enrichment import SESSION_ENRICHMENT, validate_session_enrichment
 
 __all__ = [
     "SeedSession",
@@ -26,4 +27,6 @@
     "run_looping_behavior_session",
     "run_failure_cluster_session",
     "run_replay_determinism_session",
+    "SESSION_ENRICHMENT",
+    "validate_session_enrichment",
 ]

benchmarks/seed_enrichment.py

@@ -0,0 +1,82 @@
+"""Curated enrichment metadata for demo benchmark sessions."""
+
+from __future__ import annotations
+
+SESSION_ENRICHMENT = {
+    "seed-prompt-injection": {
+        "total_tokens": 856,
+        "total_cost_usd": 0.0042,
+        "retention_tier": "summarized",
+        "fix_note": "Added input sanitization and prompt boundary checks",
+        "errors": 0,
+        "behavior_alerts": 1,
+    },
+    "seed-evidence-grounding": {
+        "total_tokens": 140,
+        "total_cost_usd": 0.0021,
+        "retention_tier": "summarized",
+        "fix_note": None,
+        "errors": 0,
+        "behavior_alerts": 0,
+    },
+    "seed-multi-agent-dialogue": {
+        "total_tokens": 412,
+        "total_cost_usd": 0.0038,
+        "retention_tier": "summarized",
+        "fix_note": None,
+        "errors": 0,
+        "behavior_alerts": 0,
+    },
+    "seed-prompt-policy-shift": {
+        "total_tokens": 164,
+        "total_cost_usd": 0.0028,
+        "retention_tier": "summarized",
+        "fix_note": "Added policy consistency checks across turns",
+        "errors": 0,
+        "behavior_alerts": 1,
+    },
+    "seed-safety-escalation": {
+        "total_tokens": 1987,
+        "total_cost_usd": 0.0142,
+        "retention_tier": "full",
+        "fix_note": "Added output validation after tool call",
+        "errors": 1,
+        "behavior_alerts": 1,
+    },
+    "seed-looping-behavior": {
+        "total_tokens": 1245,
+        "total_cost_usd": 0.0089,
+        "retention_tier": "summarized",
+        "fix_note": "Added max iteration limit with circuit breaker",
+        "errors": 0,
+        "behavior_alerts": 2,
+    },
+    "seed-failure-cluster": {
+        "total_tokens": 1567,
+        "total_cost_usd": 0.0112,
+        "retention_tier": "full",
+        "fix_note": "Added pre-call validation and error recovery",
+        "errors": 0,
+        "behavior_alerts": 1,
+    },
+    "seed-replay-determinism": {
+        "total_tokens": 289,
+        "total_cost_usd": 0.0031,
+        "retention_tier": "summarized",
+        "fix_note": None,
+        "errors": 0,
+        "behavior_alerts": 0,
+    },
+}
+
+
+def validate_session_enrichment(session_id: str, enrichment: dict[str, object]) -> None:
+    """Validate curated enrichment metrics for demo seed sessions."""
+    total_tokens = enrichment.get("total_tokens")
+    total_cost_usd = enrichment.get("total_cost_usd")
+
+    if not isinstance(total_tokens, int) or total_tokens <= 0:
+        raise ValueError(f"Seed enrichment for {session_id} must define positive total_tokens")
+
+    if not isinstance(total_cost_usd, (int, float)) or float(total_cost_usd) <= 0:
+        raise ValueError(f"Seed enrichment for {session_id} must define positive total_cost_usd")

collector/server.py

@@ -160,6 +160,19 @@ def _get_redaction_pipeline() -> RedactionPipeline:
     return RedactionPipeline.from_config()
 
 
+def _resolve_session_id(requested_id: str | None) -> str:
+    if requested_id is None:
+        return str(uuid.uuid4())
+
+    if get_config().mode != "local":
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Explicit session IDs are only supported in local mode",
+        )
+
+    return requested_id
+
+
 async def _persist_event_if_configured(
     event: TraceEvent,
     tenant_id: str = "local",
@@ -271,7 +284,7 @@ async def _create_session(
 ) -> SessionResponse:
     deps = dependencies or _resolve_dependencies()
     session = Session(
-        id=session_data.id or str(uuid.uuid4()),
+        id=_resolve_session_id(session_data.id),
         agent_name=session_data.agent_name,
         framework=session_data.framework,
         config=session_data.config,

scripts/seed_demo_sessions.py

@@ -16,96 +16,19 @@
 
 from agent_debugger_sdk.core.context import configure_event_pipeline
 from agent_debugger_sdk.core.events import Checkpoint, Session, TraceEvent
-from benchmarks import DEFAULT_SEED_SESSION_IDS, iter_seed_scenarios
+from benchmarks import (
+    DEFAULT_SEED_SESSION_IDS,
+    SESSION_ENRICHMENT,
+    iter_seed_scenarios,
+    validate_session_enrichment,
+)
 from collector.buffer import get_event_buffer
 from collector.server import configure_storage
 from storage import Base, TraceRepository
 from storage.models import AnomalyAlertModel
 
 DATABASE_URL = os.environ.get("AGENT_DEBUGGER_DB_URL", "sqlite+aiosqlite:///./data/agent_debugger.db")
 
-# Session enrichment data: realistic values for demo sessions
-# Note: failure_count is computed in API layer (services.py) as errors count
-# behavior_alert_count is computed in API layer from AnomalyAlertModel records
-def validate_session_enrichment(session_id: str, enrichment: dict[str, object]) -> None:
-    """Validate curated enrichment metrics for demo seed sessions."""
-    total_tokens = enrichment.get("total_tokens")
-    total_cost_usd = enrichment.get("total_cost_usd")
-
-    if not isinstance(total_tokens, int) or total_tokens <= 0:
-        raise ValueError(f"Seed enrichment for {session_id} must define positive total_tokens")
-
-    if not isinstance(total_cost_usd, (int, float)) or float(total_cost_usd) <= 0:
-        raise ValueError(f"Seed enrichment for {session_id} must define positive total_cost_usd")
-
-
-SESSION_ENRICHMENT = {
-    "seed-prompt-injection": {
-        "total_tokens": 856,
-        "total_cost_usd": 0.0042,
-        "retention_tier": "summarized",
-        "fix_note": "Added input sanitization and prompt boundary checks",
-        "errors": 0,
-        "behavior_alerts": 1,
-    },
-    "seed-evidence-grounding": {
-        "total_tokens": 140,
-        "total_cost_usd": 0.0021,
-        "retention_tier": "summarized",
-        "fix_note": None,
-        "errors": 0,
-        "behavior_alerts": 0,
-    },
-    "seed-multi-agent-dialogue": {
-        "total_tokens": 412,
-        "total_cost_usd": 0.0038,
-        "retention_tier": "summarized",
-        "fix_note": None,
-        "errors": 0,
-        "behavior_alerts": 0,
-    },
-    "seed-prompt-policy-shift": {
-        "total_tokens": 164,
-        "total_cost_usd": 0.0028,
-        "retention_tier": "summarized",
-        "fix_note": "Added policy consistency checks across turns",
-        "errors": 0,
-        "behavior_alerts": 1,
-    },
-    "seed-safety-escalation": {
-        "total_tokens": 1987,
-        "total_cost_usd": 0.0142,
-        "retention_tier": "full",
-        "fix_note": "Added output validation after tool call",
-        "errors": 1,
-        "behavior_alerts": 1,
-    },
-    "seed-looping-behavior": {
-        "total_tokens": 1245,
-        "total_cost_usd": 0.0089,
-        "retention_tier": "summarized",
-        "fix_note": "Added max iteration limit with circuit breaker",
-        "errors": 0,
-        "behavior_alerts": 2,
-    },
-    "seed-failure-cluster": {
-        "total_tokens": 1567,
-        "total_cost_usd": 0.0112,
-        "retention_tier": "full",
-        "fix_note": "Added pre-call validation and error recovery",
-        "errors": 0,
-        "behavior_alerts": 1,
-    },
-    "seed-replay-determinism": {
-        "total_tokens": 289,
-        "total_cost_usd": 0.0031,
-        "retention_tier": "summarized",
-        "fix_note": None,
-        "errors": 0,
-        "behavior_alerts": 0,
-    },
-}
-
 
 def validate_session_metrics(total_tokens: int, total_cost_usd: float, *, context: str) -> None:
     """Validate curated session metrics before persisting demo seed data."""

storage/repositories/session_repo.py

@@ -4,12 +4,12 @@
 
 from typing import Any
 
-from sqlalchemy import func, select
+from sqlalchemy import delete, func, select
 from sqlalchemy.ext.asyncio import AsyncSession
 
 from agent_debugger_sdk.core.events import Session
 from storage.converters import orm_to_session
-from storage.models import SessionModel
+from storage.models import AnomalyAlertModel, SessionModel
 
 
 class SessionRepository:
@@ -195,5 +195,11 @@ async def delete_session(self, session_id: str) -> bool:
         if db_session is None:
             return False
 
+        await self.session.execute(
+            delete(AnomalyAlertModel).where(
+                AnomalyAlertModel.session_id == session_id,
+                AnomalyAlertModel.tenant_id == self.tenant_id,
+            )
+        )
         await self.session.delete(db_session)
         return True