refactor(audience-session): hoist Identity out of _initLock; double-seal in Shutdown

ImmutableJeffrey · claude · ImmutableJeffrey · commit 4a03d8846bab · 2026-04-23T19:19:58.000+10:00
Two Cursor Bugbot findings on 63b13bb: SetConsent held _initLock across Identity.GetOrCreate / Identity.Get. On the None → Anonymous/Full upgrade path, GetOrCreate creates directories and writes a UUID file — real disk I/O under the lock. Moved the capture outside _initLock. Identity's own _sync lock serialises the I/O; TOCTOU on previous is accepted — a racing SetConsent fires its own PUT and our slightly-stale anonymousId still identifies the user. Shutdown's outside-lock EmitEndAndSeal targeted whatever _session pointed to at call time. A Reset completing fully (including new session Start()) in the narrow window before Shutdown's lock acquire would leave the new session's session_start on the wire with no matching session_end — Shutdown disposes the new session after flipping _initialized=false, so Track drops the closing event. Added a second EmitEndAndSeal inside the lock as a race guard. Idempotent on the same instance (no-op via _sessionId null check); the slow path only runs when the race actually happened. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/src/Packages/Audience/Runtime/ImmutableAudience.cs b/src/Packages/Audience/Runtime/ImmutableAudience.cs
@@ -374,16 +374,32 @@ public static void SetConsent(ConsentLevel level)
         {
             if (!_initialized) return;
 
+            var config = _config;
+            if (config == null) return;
+
+            // Snapshot check before any I/O: no-op if already at target consent.
+            var snapshotPrevious = _consent;
+            if (level == snapshotPrevious) return;
+
+            // Capture anonymousId for the PUT audit trail outside _initLock.
+            // Identity methods hold their own _sync lock; disk I/O on a cold
+            // cache (None → Anonymous/Full upgrade creates the UUID file) does
+            // not block _initLock. A racing SetConsent may change _consent
+            // between this read and our lock acquire — acceptable, the racing
+            // call fires its own PUT and our slightly-stale ID still
+            // identifies the user.
+            var anonymousIdForPut = snapshotPrevious == ConsentLevel.None
+                ? Identity.GetOrCreate(config.PersistentDataPath!, level)
+                : Identity.Get(config.PersistentDataPath!);
+
             // Phase 1 under _initLock: flip _consent and swap _session / _userId.
             // Phase 2 outside the lock runs the blocking side effects (persist,
             // dispose, purge, downgrade, backend sync, new session_start) so a
             // concurrent Shutdown / Init / Reset isn't held waiting on them.
             ConsentLevel previous;
-            AudienceConfig? config;
             EventQueue? queue;
             Session? oldSession = null;
             Session? newSession = null;
-            string? anonymousIdForPut;
             bool downgradeFullToAnonymous = false;
 
             lock (_initLock)
@@ -397,12 +413,6 @@ public static void SetConsent(ConsentLevel level)
                 previous = _consent;
                 if (level == previous) return;
 
-                // Snapshot anonymousId before Identity.Reset (on None) wipes it.
-                // The PUT audit trail needs to record whose consent changed.
-                anonymousIdForPut = previous == ConsentLevel.None
-                    ? Identity.GetOrCreate(config.PersistentDataPath!, level)
-                    : Identity.Get(config.PersistentDataPath!);
-
                 _consent = level;
 
                 if (level == ConsentLevel.None)
@@ -555,6 +565,15 @@ public static void Shutdown()
             {
                 if (!_initialized) return;
 
+                // Race guard: a concurrent Reset or SetConsent(upgrade-from-None)
+                // may have swapped _session to a new instance that has already
+                // fired session_start. Seal it too so its session_end lands
+                // before the flag flip. Idempotent on the same instance (no-op
+                // via _sessionId null check); the slow path only runs when
+                // Reset fully completed its Start() between the outside-lock
+                // call above and this point — a narrow window.
+                _session?.EmitEndAndSeal();
+
                 // Flip the gate. Init / SetConsent / Reset acquiring after
                 // this see _initialized == false and return cleanly.
                 _initialized = false;
