sessions: persist to disk, prune, track client liveness, accept UE_LOGFMT (#1014)HEADmain

Branch started as a sessions-service overhaul (persistence, client liveness, UE_LOGFMT intake) and grew to pick up adjacent infrastructure work: an early-startup log backlog, a hardened `MemoryArena`, the `zen trace serve` viewer gaining a counter view + compact timeline + tabbed callsite panel, defensive fixes in the third-party `tourist` trace parser, a series of allocation reductions across the HTTP and compact-binary hot paths, and a new `zen sessions` CLI command tree.

## Sessions service

**Persistence.** Each session lives on disk under `<DataRoot>/sessions/<id>/` as `info.cb` (metadata) plus `log.bin` (length-prefixed CbObject log records). On startup the service scans that directory and loads prior sessions as ended sessions, preloading the tail of each log so historical views work after a restart. `SessionLog` is noexcept-constructed and falls back to a disabled state on disk errors, so a bad disk can't take down `RegisterSession`. `GetSession` falls back to the ended-sessions list (fixes historical log fetches over HTTP). `LoadTail` counts only successfully-parsed records.

**Pruning.** Periodic cleanup task drops ended sessions once any of three caps is exceeded: age (default 1 year), count (default 1000), or total on-disk footprint (default 50 MiB). Runs 30 s after startup, hourly thereafter. Active sessions never pruned; disk removal and directory stat happen outside the exclusive lock so a slow filesystem can't stall lookups.

**Client liveness.** Sessions carry a `ProcessHandle` for the client-reported pid, captured at registration time so Windows pid recycling can't produce false positives. A 30 s asio timer probes liveness and ends dead sessions through the normal remove path, producing a synthetic `Session ended: process exited (...)` line persisted to `log.bin`. Windows decodes common NTSTATUS exit codes to human names (Ctrl-C, access violation, stack overflow, ...); POSIX stays at plain `process exited`. Clients auto-fill `ClientPid` only for local targets (unix socket / loopback); the server defensively accepts pids only from `IsLocalMachineRequest()` peers. zenserver also reports its own pid when registering its self-session, so it shows up with a real pid in the dashboard and `zen sessions ls`.

**Synthetic end-of-session line.** `RemoveSession` takes an optional reason; before the session moves to the ended list it appends an Info-level `Session ended[: reason]` entry through the normal log path (released outside `m_Lock`). Current reasons: `client request` (HTTP DELETE), `server shutdown` (self-session), `process exited (...)` (liveness).

**UE_LOGFMT structured entries.** `POST /sessions/{id}/log` now accepts `{level, logger, format, fields}` alongside the existing `{level, logger, message}` shape. New `logtemplate.{h,cpp}` implements UE's `StructuredLog.cpp` template grammar (field paths with `.name` / `[N]`, `{{`/`}}` escapes, `$text` / `$format` / `$locformat` object conventions, bounded recursion). Renders to a displayable message at intake while persisting raw format + fields so a future UI can drill into fields without another schema bump. Hot path is zero-alloc — renders into `ExtendableStringBuilder<256>` using stack-buffered `Oid::ToString` / `IoHash::ToHexString` overloads. UI shows a `{…}` marker with the raw template + JSON-pretty fields on hover.

**Parent sessions.** `SessionInfo` gains `parent_session_id`; hub-managed storage server child processes inherit the hub's session id via `--parent-session=<id>`. `ZEN_SESSIONS_URL` env var becomes a fallback for `--sessions-url` / config when neither is provided. The in-process session log sink is disabled when a remote sessions target is configured (logs flow through `SessionsServiceClient` instead). The sessions UI groups child sessions under their parent (collapsible/expandable, sorts as a unit, supports nesting).

**Platform reporting.** `SessionInfo` gains `Platform`, flowed end-to-end: client auto-fills via `GetRuntimePlatformName()`, server persists in `info.cb` (`plat`) and emits on GET. UI renders as a SimpleIcons-style inline SVG (windows / macOS / iOS / linux / wine / android / playstation / xbox / nintendo) with case-insensitive alias resolution (Win32/Win64, PS4/PS5, XSX/XSS, NintendoSwitch, iPhone/iPad, Darwin/OSX). Unknown values fall back to text; sorting runs on the underlying string.

**WebSocket log streaming.** Sessions UI moves from 2 s polling to a WebSocket push model. New `WsSubscriber` has a stable id + helper methods. UI caps the log-line DOM at 5 000 entries with a shared cursor-regression helper, factored out of two call sites. Per-broadcast allocations trimmed on the push path; fixed a stack overrun in the WS log broadcast hex-id buffer.

**Log memory.** `LogEntry::Level` is now `logging::LogLevel` (1 byte) instead of `std::string` (~32 B) — saves ~310 KB per full 10 k-entry deque and eliminates a per-message allocation in the in-proc sink. On-disk format writes an int32 and accepts either int or legacy string on read. `LogEntry` strings now live in a `MemoryArena`; logger names are interned across the deque. `SessionLog::Append` and `WriteSessionInfoFile` drop their `UniqueBuffer` round-trip and write `CbObject::GetView()` straight through `BasicFile` / `SafeWriteFile`. Multi-entry `POST /log` batched under one lock + one push.

**In-proc log timestamps.** `InProcSessionLogSink::TimePointToDateTime` previously preserved only whole seconds, so every in-proc entry rendered at `.000` ms in the dashboard and `zen sessions tail`. It now adds the sub-second part (nanoseconds → 100 ns ticks) to keep ms precision end-to-end.

**UI.** Side "Session Details" panel is gone — its info is inline in the table (appname, mode, platform, id, timestamps, this/log pills, active dot). Bottom panel is a tabbed `Log | Metadata` view with a right-side "Session Information" panel beside metadata; log-only controls (filter, newest-first, follow, log-level filter, expand/collapse) hide when Metadata is active, polling keeps running across tab switches. Wide-mode toggle fills the viewport edge-to-edge. Log lines show the logger category; timestamps render in 24 h with zero-padded fields regardless of locale. Sessions list defaults to All / 10 per page / created-desc, gains click-to-sort headers on the full dataset, a header filter box, and a pager aligned to the table's right edge. Duplicate auto-injected `<h1>Sessions</h1>` removed.

## `zen sessions` CLI

New command tree on the `zen` client for inspecting the sessions service from the terminal:

- **`zen sessions ls`** — lists sessions (active first, ended next; newest-first within each group) with id, status, app/mode, pid, created, duration, and log count. Supports `--status active|ended|all` (default `all`).
- **`zen sessions status`** — prints the sessions service summary: self id, active / ended counts, and the read/write/delete/list/request/bad-request counters from `/stats/sessions`.
- **`zen sessions tail [session]`** — tails a session's log. With no argument it tails zenserver's own session (resolved via `/sessions/list`'s `self_id`); an explicit 24-hex id targets any session, including ended ones (historical replay). `--lines N` (default 50, 0 = all buffered) trims the initial dump client-side. `--follow` prefers a WebSocket push subscription on `/sessions/ws` for sub-second latency; on upgrade failure (older server, blocked port, unix-socket transport) it falls back to HTTP cursor polling at `--interval-ms` (default 500), with sleeps chunked to 50 ms so Ctrl-C reacts quickly. Output matches `zen::logging::FullFormatter` (`[YY-MM-DD HH:MM:SS.mmm] [lvl] [logger] message`); on a TTY the level is colored and the logger is bold, with continuation lines indented under the message column using the *visible* prefix width. 404 surfaces as `(session ended)` and connection errors as `(server gone)` — both clean exits, so stopping the server mid-tail no longer prints a stack trace.
- **`zen sessions ui`** — opens `<host>/dashboard/?page=sessions` in the user's default browser. Rejects unix-socket hosts.

A small `ZenServiceClient::IsUnixSocket()` helper now wraps the unix-socket check used by `ui`, `sessions tail` (WS path), and `sessions ui`.

## Logging

`BacklogSink` captures early-startup log entries in a fixed-capacity ring so late-attached sinks (session sink, file sink) can replay them. Detaches from the broadcast list when disabled; backed by destructor-only cleanup (no `unique_ptr` indirection per entry). Tuned defaults so the backlog covers typical bring-up without unbounded growth.

## `zen trace serve` viewer

- Compact timeline mode for high-density views.
- New `TRACE_INT_VALUE` / `TRACE_FLOAT_VALUE` counter trace points + a counters page in the viewer.
- Callsite tables collapsed into a single tabbed panel.
- Lossless `Oid <-> Guid` bridge for trace session ids; trace `SessionId` plumbed through.
- `tourist` parser hardening: bounds-check `BufferStream::read`, validate `Type::info_size` before `patch()`, convert `parse_important_aux` to a loop (avoids deep recursion), widen `ParserPool` index to `uint32`, bounds-check field offsets in the dispatcher, pin `Types::parse` buffer up-front.

## `MemoryArena`

Configurable chunk size, inline chunk list, oversize requests routed to truly-dedicated chunks (no slack waste, no fragmentation when one allocation is much larger than the chunk).

## Allocation cleanups across hot paths

- `zenhttp::HttpRequestRouter::HandleRequest` and `FormatPackageMessageInternal`: drop heap allocations.
- Compact-binary validation: `eastl::fixed_vector` + `eastl::sort`; eliminate `std::vector` churn.
- `zenserverprocess`: trim transient allocations in spawn paths.
- Sessions HTTP intake / broadcast: drop transient `std::string` allocs.

1 files changed, 174 insertions, 19 deletions

diff --git a/src/zenserver/sessions/sessions.h b/src/zenserver/sessions/sessions.h
index a84ca6506..a722704e0 100644
--- a/src/zenserver/sessions/sessions.h
+++ b/src/zenserver/sessions/sessions.h
@@ -4,6 +4,8 @@
 
 #include <zencore/compactbinary.h>
 #include <zencore/logbase.h>
+#include <zencore/memory/memoryarena.h>
+#include <zencore/process.h>
 #include <zencore/thread.h>
 #include <zencore/uid.h>
 
@@ -11,7 +13,10 @@ ZEN_THIRD_PARTY_INCLUDES_START
 #include <EASTL/deque.h>
 #include <tsl/robin_map.h>
 ZEN_THIRD_PARTY_INCLUDES_END
+#include <filesystem>
+#include <functional>
 #include <optional>
+#include <span>
 #include <string>
 #include <vector>
 
@@ -34,25 +39,62 @@ public:
 		Oid			Id;
 		std::string AppName;
 		std::string Mode;
-		Oid			JobId;
-		CbObject	Metadata;
-		DateTime	CreatedAt;
-		DateTime	UpdatedAt;
-		DateTime	EndedAt{0};
+		std::string Platform;		// Reported by the client, e.g. "windows", "linux", "macos"
+		uint32_t	ClientPid = 0;	// Non-zero = local PID to probe for liveness. 0 = don't track.
+		Oid			ParentSessionId;
+		// Optional task/action identifier used to associate this session with a
+		// specific unit of work. Distinct from ParentSessionId, which records
+		// process/session ancestry.
+		Oid		 JobId;
+		CbObject Metadata;
+		DateTime CreatedAt;
+		DateTime UpdatedAt;
+		DateTime EndedAt{0};
 	};
 
+	/// Stored form of a log entry. The string fields are arena-borrowed
+	/// `const char*` — they live in the owning Session's MemoryArena and
+	/// are valid only for that Session's lifetime. Default copy is
+	/// intentionally shallow (string pointers are shared with the source);
+	/// callers must not let copies outlive the originating Session.
+	///
+	/// Build entries via `LogEntryInput` and route them through
+	/// `Session::AppendLog` / `AppendLogBatch`, which intern logger names
+	/// and arena-allocate the other strings before storing.
 	struct LogEntry
 	{
-		DateTime	Timestamp;
-		std::string Level;
-		std::string Message;
-		CbObject	Data;
+		DateTime Timestamp{0};
+		// Sentinel: Off means "no level set" (e.g. plain-text POSTed entries
+		// where the client didn't include a level). Real log entries use
+		// Trace..Critical, so Off is free to reuse as "omit on serialize".
+		logging::LogLevel Level = logging::Off;
+		// Arena pointers (null-terminated). Empty string is the default
+		// — never null, so callers don't need to guard.
+		const char* LoggerName = "";  // Interned: one canonical copy per unique name across the session.
+		const char* Message	   = "";  // For structured entries: the rendered form (populated at intake).
+		const char* Format	   = "";  // UE_LOGFMT template; "" for plain entries.
+		CbObject	Fields;			  // Present only when Format is non-empty.
+	};
+
+	/// Input form used to build an entry on the way into a Session. The
+	/// string_view fields are caller-borrowed; AppendLog interns/copies
+	/// them into the Session's arena before any LogEntry is built. Use
+	/// this struct rather than constructing LogEntry directly so the
+	/// arena ownership invariant stays one-sided.
+	struct LogEntryInput
+	{
+		DateTime		  Timestamp{0};
+		logging::LogLevel Level = logging::Off;
+		std::string_view  LoggerName;
+		std::string_view  Message;
+		std::string_view  Format;
+		CbObject		  Fields;
 	};
 
 	class Session : public TRefCounted<Session>
 	{
 	public:
-		Session(const SessionInfo& Info);
+		Session(const SessionInfo& Info, Ref<SessionLog> Log = {}, ProcessHandle ClientProcess = {});
 		~Session();
 
 		Session(Session&&) = delete;
@@ -67,12 +109,29 @@ public:
 
 		void SetEndedAt(DateTime When) { m_Info.EndedAt = When; }
 
-		void				  AppendLog(LogEntry Entry);
+		/// Appends an entry to the in-memory deque and to the persisted
+		/// log. Returns the new cursor value (m_TotalAppended post-
+		/// increment). Logger name is interned, message and format are
+		/// arena-allocated — the input's string_views may safely be
+		/// caller-stack-bound.
+		uint64_t AppendLog(LogEntryInput Input);
+
+		/// Append-many counterpart that takes the deque lock exactly once
+		/// for the whole batch. Use this when an inbound HTTP POST carries
+		/// multiple entries — single-lock semantics keep entries from one
+		/// caller contiguous on the wire even when other appends race in,
+		/// and the WS-push observer can fire just once for the whole batch.
+		/// Returns the new cursor (the value at the tail of the batch).
+		uint64_t AppendLogBatch(std::span<LogEntryInput> Inputs);
+
 		std::vector<LogEntry> GetLogEntries(uint32_t Limit = 0, uint32_t Offset = 0) const;
 		uint64_t			  GetLogCount() const;
 
 		/// Returns entries appended after the given cursor and the new cursor value.
 		/// A cursor of 0 returns all entries currently in the deque.
+		/// The returned LogEntries borrow strings from this Session's
+		/// arena — callers must hold a Ref<Session> for as long as they
+		/// keep the result.
 		struct CursorResult
 		{
 			std::vector<LogEntry> Entries;
@@ -81,26 +140,118 @@ public:
 		};
 		CursorResult GetLogEntriesAfter(uint64_t AfterCursor) const;
 
+		// Seed this session with pre-existing log entries (e.g. loaded from disk
+		// on startup). Sets the total-appended counter to reflect what was on
+		// disk so cursors remain meaningful for historical sessions. The inputs
+		// are interned/arena-allocated into this session.
+		void PreloadEntries(std::span<const LogEntryInput> Tail, uint64_t TotalCount);
+
+		/// Process handle used for client-liveness checks. Acquired at
+		/// registration time (while the pid is known to refer to the reporting
+		/// process) and held for the session's lifetime; on Windows this is a
+		/// real HANDLE tied to the specific process instance and is immune to
+		/// pid reuse. Invalid (IsValid() == false) for remote sessions or when
+		/// OpenProcess() failed. Set once at construction — no synchronization
+		/// needed for readers.
+		const ProcessHandle& GetClientProcess() const { return m_ClientProcess; }
+		ProcessHandle&		 GetClientProcess() { return m_ClientProcess; }
+
+		static constexpr uint32_t MaxLogEntries = 10000;
+
 	private:
+		// Intern a logger name into m_LogArena and return the canonical
+		// pointer for that name. Subsequent calls with the same string
+		// return the same pointer. Caller must hold m_LogLock exclusive.
+		const char* InternLoggerNameLocked(std::string_view Name);
+
+		// Allocate a copy of Str into m_LogArena and return a null-
+		// terminated pointer. No deduplication. Caller must hold m_LogLock
+		// exclusive. Empty input returns "" (no allocation).
+		const char* AllocateLogStringLocked(std::string_view Str);
+
 		SessionInfo			   m_Info;
 		Ref<SessionLog>		   m_Log;
+		ProcessHandle		   m_ClientProcess;
 		mutable RwLock		   m_LogLock;
 		eastl::deque<LogEntry> m_LogEntries;
 		uint64_t			   m_TotalAppended = 0;	 // monotonically increasing counter
-
-		static constexpr uint32_t MaxLogEntries = 10000;
+		// String storage for the in-memory deque. LoggerName is interned
+		// (one canonical copy per unique name); Message and Format are
+		// duplicated per entry. Both die with the Session — so the
+		// LogEntry pointers do too. Sized to fit a typical session's
+		// strings in one chunk; spills to additional chunks otherwise.
+		MemoryArena									  m_LogArena{4096};
+		tsl::robin_map<std::string_view, const char*> m_InternedLoggerNames;
 	};
 
-	SessionsService();
+	/// Construct a SessionsService. If StorageRoot is non-empty, session
+	/// metadata and logs are persisted under that directory (one subdirectory
+	/// per session id) and previously-persisted sessions are loaded as ended.
+	explicit SessionsService(std::filesystem::path StorageRoot = {});
 	~SessionsService();
 
-	bool		 RegisterSession(const Oid& SessionId, std::string AppName, std::string Mode, const Oid& JobId, CbObjectView Metadata);
-	bool		 UpdateSession(const Oid& SessionId, CbObjectView Metadata);
-	Ref<Session> GetSession(const Oid& SessionId) const;
+	bool					  RegisterSession(const Oid&   SessionId,
+											  std::string  AppName,
+											  std::string  Mode,
+											  std::string  Platform,
+											  uint32_t	   ClientPid,
+											  const Oid&   ParentSessionId,
+											  const Oid&   JobId,
+											  CbObjectView Metadata);
+	bool					  UpdateSession(const Oid& SessionId, CbObjectView Metadata);
+	Ref<Session>			  GetSession(const Oid& SessionId) const;
 	std::vector<Ref<Session>> GetSessions() const;
 	std::vector<Ref<Session>> GetEndedSessions() const;
-	bool					  RemoveSession(const Oid& SessionId);
-	uint64_t				  GetSessionCount() const;
+	/// Ends a session. If Reason is non-empty, a synthetic log line is
+	/// appended to the session log before it's moved to ended so the
+	/// historical log has a clear closing event.
+	bool	 RemoveSession(const Oid& SessionId, std::string_view Reason = {});
+	uint64_t GetSessionCount() const;
+
+	/// Appends a log entry to `SessionId` and, if the session exists,
+	/// invokes the log-appended callback with the new cursor so downstream
+	/// push subscribers (e.g. the HTTP WS broadcast) can deliver the delta
+	/// without polling. Returns the new cursor, or 0 if the session is
+	/// unknown. Fires the callback AFTER any internal locks are released
+	/// so the callback can safely call back into this service.
+	uint64_t AppendLog(const Oid& SessionId, LogEntryInput Input);
+
+	/// Batch counterpart of AppendLog. Atomic with respect to other
+	/// appends to the same session — entries land contiguously on the
+	/// wire and persist in order — and fires exactly one push-callback
+	/// for the whole batch. Empty batches and unknown sessions are
+	/// no-ops returning 0.
+	uint64_t AppendLogBatch(const Oid& SessionId, std::span<LogEntryInput> Inputs);
+
+	/// Observer fired after an entry is appended to any session. Replaces
+	/// any previously set callback. Pass {} to clear. Only one listener is
+	/// supported — the single consumer today is the HTTP WebSocket push.
+	using LogAppendedCallback = std::function<void(const Oid& SessionId, uint64_t NewCursor)>;
+	void SetLogAppendedCallback(LogAppendedCallback Callback);
+
+	/// Drop ended sessions that are too old, that push us over the count
+	/// limit, or that push the on-disk footprint over the byte budget, and
+	/// delete their persisted directories. Active sessions are never
+	/// pruned. Returns the number removed by each criterion.
+	struct PruneResult
+	{
+		size_t ExpiredByAge		= 0;
+		size_t ExpiredByCount	= 0;
+		size_t ExpiredByStorage = 0;
+	};
+	PruneResult PruneExpired(TimeSpan MaxAge, size_t MaxCount, uint64_t MaxStorageBytes);
+
+	/// End any active session whose tracked client process is no longer
+	/// running. Sessions with an invalid ProcessHandle (remote, or
+	/// OpenProcess failed at registration) are skipped. Returns the number
+	/// of sessions ended by this pass.
+	size_t CheckProcessLiveness();
+
+	// Tuning defaults. Expressed in whole days / bytes so they're easy to
+	// override from a future command-line flag without touching internals.
+	static constexpr int	  kDefaultMaxSessionAgeDays = 365;
+	static constexpr size_t	  kDefaultMaxSessionCount	= 1000;
+	static constexpr uint64_t kDefaultMaxStorageBytes	= 50ull * 1024 * 1024;	// 50 MiB
 
 private:
 	LoggerRef& Log() { return m_Log; }
@@ -110,6 +261,10 @@ private:
 	tsl::robin_map<Oid, Ref<Session>, Oid::Hasher> m_Sessions;
 	std::vector<Ref<Session>>					   m_EndedSessions;
 	std::unique_ptr<SessionLogStore>			   m_SessionLogs;
+	// Set once at wiring-time (single consumer), never reassigned while
+	// hot, so no dedicated lock — just a plain member. Copy-on-call
+	// guards against the theoretical re-register race below.
+	LogAppendedCallback m_LogAppendedCallback;
 };
 
 }  // namespace zen