P3-03: Double-checked locking on plugin _HTTP_CLIENT — race during concurrent init #21

New issue

Closed

opened 2026-06-16 13:57:02 +00:00 by Artur · 0 comments

Artur commented

2026-06-16 13:57:02 +00:00

Owner

Severity: P3 (Low)
File: ~/.hermes/plugins/decider/__init__.py lines 85-89

Problem

def _get_client(timeout):
    global _HTTP_CLIENT
    if _HTTP_CLIENT is None:  # race: two threads pass this check
        import httpx
        _HTTP_CLIENT = httpx.Client(timeout=timeout)
    return _HTTP_CLIENT

Two threads calling _call_decider simultaneously may both see _HTTP_CLIENT is None and create separate clients. Benign (just wasted connections) but a classic anti-pattern.

Fix

Use a module-level lock or initialize eagerly at module load time:

import httpx
_HTTP_CLIENT = httpx.Client(timeout=_DEFAULT_TIMEOUT)

def _get_client(timeout):
    return _HTTP_CLIENT

**Severity**: P3 (Low) **File**: `~/.hermes/plugins/decider/__init__.py` lines 85-89 ## Problem ```python def _get_client(timeout): global _HTTP_CLIENT if _HTTP_CLIENT is None: # race: two threads pass this check import httpx _HTTP_CLIENT = httpx.Client(timeout=timeout) return _HTTP_CLIENT ``` Two threads calling `_call_decider` simultaneously may both see `_HTTP_CLIENT is None` and create separate clients. Benign (just wasted connections) but a classic anti-pattern. ## Fix Use a module-level lock or initialize eagerly at module load time: ```python import httpx _HTTP_CLIENT = httpx.Client(timeout=_DEFAULT_TIMEOUT) def _get_client(timeout): return _HTTP_CLIENT ```

Artur added the

enhancement

reliability

P3-Low

labels

2026-06-16 13:57:02 +00:00

Artur referenced this issue from a commit

2026-06-16 13:59:15 +00:00

fix: P2-01, P2-04, P3-01, P3-02, P3-03, P3-04, P3-05

Artur closed this issue

2026-06-16 14:24:07 +00:00