Ensure webhook sync uses independent sessions

backend/api/routes_sync.py

@@ -20,7 +20,7 @@
 from sqlalchemy.orm import Session
 
 from api.config import get_settings
-from api.db import get_db
+from api.db import SessionLocal, get_db
 from api.models import SyncEvent
 from api.security import require_write_token, validate_hygraph_request
 from api.metrics import (
@@ -110,8 +110,9 @@ async def hygraph_webhook(
 
     async def _process(event_id_local: Optional[str], body_sha_local: str) -> None:
         t0 = time.perf_counter()
+        session = SessionLocal()
         try:
-            counts = await HygraphService.pull_all(db)
+            counts = await HygraphService.pull_all(session)
             for t, c in counts.items():
                 sync_records_upserted_total.labels(t).inc(int(c or 0))
             sync_success_total.labels("all").inc()
@@ -135,6 +136,8 @@ async def _process(event_id_local: Optional[str], body_sha_local: str) -> None:
                     "error": str(e),
                 },
             )
+        finally:
+            session.close()
 
     background.add_task(_process, event_id, body_sha)
     # Explicit background attachment ensures Starlette runs it before TestClient returns

backend/api/security.py

@@ -12,6 +12,17 @@
 
 from api.config import Settings, get_settings
 
+
+def _load_expected_write_token(settings: Settings) -> str:
+    """Resolve the configured API write token from settings or environment."""
+
+    token = getattr(settings, "api_write_token", None)
+    if isinstance(token, str) and token.strip():
+        return token.strip()
+    env_token = os.getenv("API_WRITE_TOKEN", "")
+    return env_token.strip()
+
+
 # Write token (admin) auth
 api_key_header = APIKeyHeader(name="Authorization", auto_error=False)
 

backend/tests/test_sync_routes_metrics.py

@@ -3,11 +3,14 @@
 import hmac
 import json
 import re
+import uuid
 
 import pytest
 from fastapi.testclient import TestClient
+from sqlalchemy import text
 
 from api.main import app
+from api.routes_sync import settings as sync_settings
 
 
 def _sig(secret: str, body: bytes) -> str:
@@ -16,8 +19,7 @@ def _sig(secret: str, body: bytes) -> str:
 
 
 @pytest.fixture()
-def client(monkeypatch):
-    monkeypatch.setenv("HYGRAPH_WEBHOOK_SECRET", "whsec")
+def client():
     return TestClient(app)
 
 
@@ -30,8 +32,9 @@ async def fake_pull_all(db, page_size=None):
 
     monkeypatch.setattr(svc.HygraphService, "pull_all", fake_pull_all)
 
-    body = json.dumps({"ping": "ok"}).encode()
-    sig = _sig("whsec", body)
+    unique_payload = {"ping": str(uuid.uuid4())}
+    body = json.dumps(unique_payload).encode()
+    sig = _sig(sync_settings.hygraph_webhook_secret, body)
 
     # First delivery -> 202 Accepted, background processing logs counts
     r1 = client.post("/api/sync/hygraph", data=body, headers={"x-hygraph-signature": sig})
@@ -55,6 +58,28 @@ async def fake_pull_all(db, page_size=None):
     assert found, "missing structured sync summary log"
 
 
+def test_webhook_background_uses_new_session(client, caplog, monkeypatch):
+    from services import hygraph_service as svc
+
+    calls: list[bool] = []
+
+    async def fake_pull_all(db, page_size=None):
+        db.execute(text("SELECT 1"))
+        calls.append(db.is_active)
+        return {"materials": 0, "modules": 0, "systems": 0}
+
+    monkeypatch.setattr(svc.HygraphService, "pull_all", fake_pull_all)
+
+    body = json.dumps({"ping": str(uuid.uuid4())}).encode()
+    sig = _sig(sync_settings.hygraph_webhook_secret, body)
+
+    r = client.post("/api/sync/hygraph", data=body, headers={"x-hygraph-signature": sig})
+    assert r.status_code == 202
+    assert r.json()["ok"] is True
+    assert calls == [True]
+    assert not any(rec.getMessage() == "hygraph_webhook_failure" for rec in caplog.records)
+
+
 def test_pull_alias_and_page_size_validation(client, monkeypatch):
     from services import hygraph_service as svc