File descriptor leak in api_server platform: ResponseStore SQLite connections not closed on retry

[jscoltock]

Bug Description

The api_server platform accumulates file descriptors (FDs) over time due to SQLite WAL connections in ResponseStore not being properly closed during platform retry cycles.

Environment

• OS: macOS 26.4.1 (Mac Mini)
• Installation: Homebrew
• Hermes version: (latest via Homebrew)
• Gateway PID: 42506, uptime ~12 hours
• FD limit: 65,535 (raised from Mac default 256)

Reproduction

1. Enable api_server platform via API_SERVER_ENABLED=true in ~/.hermes/.env (with no API_SERVER_KEY set)
2. Observe FD count: lsof -p $(pgrep -f 'hermes_cli.main gateway') | grep response_store.db | wc -l
3. After 12 hours: 122+ FDs pointing to response_store.db on a single gateway process (PID 42506)
4. This equals ~41 complete SQLite WAL connection sets (main db + WAL + SHM = 3 FDs each)

Root Cause

Three contributing factors:

1. api_server auto-enabled without API_SERVER_KEY

In gateway/config.py line 1486:

if api_server_enabled or api_server_key:
    config.platforms[Platform.API_SERVER] = PlatformConfig()

The platform is instantiated even when only API_SERVER_ENABLED=true is set, without a valid API_SERVER_KEY. The HTTP server refuses to start (Refusing to start: API_SERVER_KEY is required) but the adapter is still loaded into the gateway.

2. Connected check always returns True

In gateway/config.py line 425:

_PLATFORM_CONNECTED_CHECKERS = {
    Platform.API_SERVER: lambda cfg: True,  # always returns True
    ...
}

The api_server is always reported as "connected" regardless of whether it is actually running. This is misleading and may prevent proper retry/recovery logic.

3. ResponseStore opened at init, never closed

In gateway/platforms/api_server.py line 706:

class APIServerAdapter(BasePlatformAdapter):
    def __init__(self, config: PlatformConfig):
        ...
        self._response_store = ResponseStore()  # line 706

ResponseStore.__init__ opens a SQLite connection with WAL mode (sqlite3.connect(..., check_same_thread=False) + apply_wal_with_fallback). This is called at adapter __init__ time, not when the HTTP server starts. The connection is never explicitly closed — no close() method is defined on ResponseStore, and APIServerAdapter has no teardown logic for the store.

On each gateway restart or platform reconnect cycle, a new ResponseStore instance may be created while old ones are not garbage-collected, leading to accumulation of SQLite WAL file handles.

Impact

• Gateway hits OSError: [Errno 24] Too many open files after ~17–24 hours of uptime
• Cron jobs fail silently when the FD limit is reached (scheduler can't open files)
• Kanban dispatcher fails (kanban_db.py fails first at line 1111)
• Gateway becomes unresponsive and requires manual restart
• 10+ unexpected restarts observed in one month on this setup

Proposed Fix

Fix 1: Require API_SERVER_KEY for platform to be loaded

# config.py line 1486 — change OR to AND
if api_server_enabled and api_server_key:
    config.platforms[Platform.API_SERVER] = PlatformConfig()

Fix 2: Fix the connected checker to validate key presence

_PLATFORM_CONNECTED_CHECKERS = {
    Platform.API_SERVER: lambda cfg: bool(cfg.extra.get("key")) if cfg else False,
    ...
}

Fix 3: Add close() to ResponseStore and call it on adapter teardown

# api_server.py — ResponseStore
def close(self):
    if self._conn:
        self._conn.close()
        self._conn = None

# api_server.py — APIServerAdapter
def stop(self):
    if self._response_store:
        self._response_store.close()
        self._response_store = None
    ...

Alternatively, make ResponseStore a process-wide singleton so repeated adapter instantiation does not create new SQLite connections.

Verification

# Count response_store.db FDs on gateway PID
lsof -p $(pgrep -f 'hermes_cli.main gateway') 2>/dev/null | grep response_store.db | wc -l

# Should be stable at ~3 (one set of db+wal+shm) after fix
# Before fix: grows by ~3 every gateway restart or retry cycle

[datin-antasena]

@jscoltock Thanks for the thorough analysis here. We independently hit the same problem in production (#37369) and your root cause breakdown was spot on — saved us significant debugging time.

We've implemented the fix based on your proposed approach (connection pooling + close() + adapter teardown) and opened PR #37389. The key addition beyond your proposal is reference-counted connection pooling so multiple ResponseStore instances for the same DB file share a single SQLite connection, rather than just closing on teardown.

Production verification after the fix:

• response_store.db FDs: 3 (stable, down from 15+ after 20 min)
• Total gateway FDs: 25 (healthy)

PR: #37389 — would appreciate your review if you have time.

[x-hansong]

I hit the same failure mode on macOS, with a lower default launchd FD limit, and it broke cron delivery rather than only the API server.

Environment / config:

• macOS 15.7.3
• launchd maxfiles: 256 unlimited
• gateway running with api_server.enabled=true on 127.0.0.1:8642
• API_SERVER_KEY was missing from the active .env

Observed symptoms:

• gateway retry loop logged repeated Refusing to start: API_SERVER_KEY is required...
• gateway FD count reached ~241 real FDs / 287 lsof rows
• dominant leaked FDs were duplicate handles to ~/.hermes/response_store.db and ~/.hermes/response_store.db-wal (~108 each in my case)
• once the process hit the soft FD limit, unrelated gateway subsystems failed:
  • cron job delivery failed with [Errno 24] Too many open files
  • kanban dispatcher failed opening ~/.hermes/kanban.db.init.lock
  • channel directory writes failed creating temp files

Local mitigation:

1. set a real API_SERVER_KEY in the active .env
2. restart gateway once to clear leaked handles
3. verify API server health with /health

Local code fix I tested:

• move the API key validation to the start of APIServerAdapter.connect(), before creating the aiohttp app/background sweep task
• keep the network-accessible placeholder-key guard after that early key check
• call cancel_background_tasks() and self._response_store.close() from disconnect()
• add a regression test that a missing-key connect returns False with no app and no background tasks allocated

Validation:

• gateway FD count dropped from ~241 real FDs to ~28-32 after restart/fix
• API health returned OK
• cron scheduler recovered and the previously failing 1-minute job advanced last_run_at successfully
• targeted tests passed: tests/gateway/test_api_server.py::TestAdapterInit::test_connect_without_api_key_fails_before_background_sweep plus TestResponseStore (11 passed), and tests/cron (386 passed)

This seems to confirm the retry path leak described here. The missing-key misconfiguration is enough to reproduce quickly on macOS because the default launchd soft limit is only 256.