From a9c2e7892220a102f7fc840d4040b668078fd0cc Mon Sep 17 00:00:00 2001
From: oxoxDev <nikhil@tinyhumans.ai>
Date: Tue, 19 May 2026 14:19:41 +0530
Subject: [PATCH 1/2] test(observability): pin OPENHUMAN-TAURI-SG verbatim
 session-expired wire shape

OPENHUMAN-TAURI-SG (33 events, escalating, release 0.53.43) was a
pre-#1763 leak of `providers::openhuman_backend::resolve_bearer`'s
SESSION_EXPIRED sentinel through `agent.run_single`. PR #1763 (1fb0bef5)
wired the `SessionExpired` arm and the classifier now matches verbatim.

Add a single-case test that pins the exact byte string lifted from the
Sentry-event payload so a future tweak to `is_session_expired_message`
(or its callers) cannot regress this specific wire form without a red
test.

Related: OPENHUMAN-TAURI-SG
---
 src/core/observability.rs | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/core/observability.rs b/src/core/observability.rs
index 8f685f17d8..fd6f2007d7 100644
--- a/src/core/observability.rs
+++ b/src/core/observability.rs
@@ -1643,6 +1643,25 @@ mod tests {
         }
     }
 
+    /// OPENHUMAN-TAURI-SG (33 events, escalating, release `0.53.43+2b64ea8…`):
+    /// pre-#1763 leak of the `resolve_bearer` sentinel through
+    /// `agent.run_single`. PR #1763 (1fb0bef5) wired the `SessionExpired`
+    /// arm and the existing `classifies_session_expired_messages` test
+    /// covers the same byte string — this test pins the *Sentry-event
+    /// verbatim* shape (taken from the OPENHUMAN-TAURI-SG event payload)
+    /// so a future tweak to `is_session_expired_message` cannot regress
+    /// this exact wire form without a red test.
+    #[test]
+    fn session_expired_sg_wire_shape_matches() {
+        let msg = "SESSION_EXPIRED: backend session not active — sign in to resume LLM work";
+        assert_eq!(
+            expected_error_kind(msg),
+            Some(ExpectedErrorKind::SessionExpired),
+            "OPENHUMAN-TAURI-SG wire shape must classify as SessionExpired — \
+             a regression here re-leaks 33+ events/cycle to Sentry"
+        );
+    }
+
     #[test]
     fn does_not_classify_byo_key_provider_401_as_session_expired() {
         // Critical: a BYO-key 401 from OpenAI / Anthropic etc. is an

From 5aed975650b7287746b3a50601a817ae180d31a8 Mon Sep 17 00:00:00 2001
From: oxoxDev <nikhil@tinyhumans.ai>
Date: Tue, 19 May 2026 14:21:19 +0530
Subject: [PATCH 2/2] test(observability): pin SESSION_EXPIRED sibling family
 (factory.rs:247,266)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`providers::factory::verify_session_active` emits two more SESSION_EXPIRED
bail variants alongside the run_single sentinel that anchored SG:

- "SESSION_EXPIRED: backend session not active — sign in to use custom providers"
  (scheduler_gate signed-out fast-path)
- "SESSION_EXPIRED: no backend session — sign in to use OpenHuman"
  (empty auth-profile JWT pre-flight)

All three currently classify via the `msg.contains("SESSION_EXPIRED")`
branch in `is_session_expired_message`. Pin both sibling strings with
their own test so a future matcher tweak (e.g. moving from `contains`
to a stricter prefix/suffix match) is caught for the whole family, not
just the SG instance — preventing leak #3 / #4 down the line.

Related: OPENHUMAN-TAURI-SG
---
 src/core/observability.rs | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/src/core/observability.rs b/src/core/observability.rs
index fd6f2007d7..91332de1dd 100644
--- a/src/core/observability.rs
+++ b/src/core/observability.rs
@@ -1662,6 +1662,35 @@ mod tests {
         );
     }
 
+    /// The two sibling `SESSION_EXPIRED:` bail sites in
+    /// `providers::factory::verify_session_active` emit different message
+    /// suffixes but the same sentinel prefix. They route through the same
+    /// classifier as the run_single bail at
+    /// `providers::openhuman_backend::resolve_bearer`, and any matcher
+    /// tweak that breaks the family (e.g. moving from `contains` to a
+    /// stricter prefix/suffix match) would re-leak ALL of them. Pin every
+    /// variant the codebase actually emits so a future regression on the
+    /// matcher is caught for the whole family, not just the SG instance.
+    #[test]
+    fn session_expired_sibling_family_factory_strings_match() {
+        // src/openhuman/inference/provider/factory.rs:247
+        // (verify_session_active — scheduler_gate signed-out path)
+        let custom_providers_variant =
+            "SESSION_EXPIRED: backend session not active — sign in to use custom providers";
+        // src/openhuman/inference/provider/factory.rs:266
+        // (verify_session_active — empty auth-profile JWT path)
+        let no_backend_session_variant =
+            "SESSION_EXPIRED: no backend session — sign in to use OpenHuman";
+
+        for raw in [custom_providers_variant, no_backend_session_variant] {
+            assert_eq!(
+                expected_error_kind(raw),
+                Some(ExpectedErrorKind::SessionExpired),
+                "factory.rs sibling sentinel must classify as SessionExpired: {raw}"
+            );
+        }
+    }
+
     #[test]
     fn does_not_classify_byo_key_provider_401_as_session_expired() {
         // Critical: a BYO-key 401 from OpenAI / Anthropic etc. is an