fix(responses): harden sparse SSE tool streams

[AnthonyRonning]

Summary

• add a Responses SSE wrapper that sets anti-buffering headers and emits 1s keepalive heartbeats
• keep pending tool-call events flowing during sparse idle gaps instead of batching them until tool completion
• refresh dev and prod PCR measurements for the resulting enclave build

Validation

• cargo fmt --check
• cargo test
• just update-pcr-all
• just verify-pcr-history dev
• just verify-pcr-history prod

---

Summary by CodeRabbit

• New Features

  • Server-sent events streams now include automatic keep-alive signals sent every second to maintain active connections.

• Improvements

  • Enhanced caching and buffering control headers for streaming responses.

• Chores

  • Updated PCR development and production history records with new entries containing updated hash values and timestamps.

[coderabbitai]

Walkthrough

The PR appends new PCR history records to both development and production JSON history files, and refactors the SSE response handler to return a typed Response with keepalive heartbeat configuration and HTTP cache/buffering headers.

Changes

Cohort / File(s)	Summary
PCR History Data pcrDevHistory.json, pcrProdHistory.json	Appended new record entries with updated PCR hash values, new timestamps (1776880840 for dev, 1776880894 for prod), and corresponding signatures; no existing records modified.
SSE Response Handler src/web/responses/handlers.rs	Refactored create_response_stream() to return Response instead of Sse<...>, wrapping the SSE stream with a new helper that configures keepalive heartbeat (1-second interval with "keep-alive" text) and sets HTTP headers (Cache-Control: no-cache, x-accel-buffering: no); updated imports to support KeepAlive, IntoResponse, and header types.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Possibly related PRs

• Add timing logs for Responses tool streaming #174: Modifies src/web/responses/handlers.rs with changes to create_response_stream function signature and implementation.
• Append services to apple external oauth #32: Appends new records to both pcrDevHistory.json and pcrProdHistory.json files.
• Use llama for Responses web query extraction and refresh PCRs #158: Updates both PCR history JSON files and modifies the same src/web/responses/handlers.rs file.

Poem

🐰 The keepalive drum beats strong and true,
A heartbeat every second, fresh and new,
Headers whisper "no cache" with gentle care,
While PCR records bloom in data's air,
The stream flows on, alive and fair! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly reflects the main change: adding SSE keepalive and anti-buffering headers to harden sparse SSE tool streams in the responses module.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/responses-sse-keepalive

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

[coderabbitai]

🧹 Nitpick comments (1)

src/web/responses/handlers.rs (1)

2943-2948: Optional: strengthen cache directive for intermediaries.

Consider including no-transform in Cache-Control to further reduce proxy-side response transformations on streaming traffic.

Suggested tweak

-            (header::CACHE_CONTROL, HeaderValue::from_static("no-cache")),
+            (
+                header::CACHE_CONTROL,
+                HeaderValue::from_static("no-cache, no-transform"),
+            ),

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/web/responses/handlers.rs` around lines 2943 - 2948, The Cache-Control
header currently uses HeaderValue::from_static("no-cache"); update the header
value to include no-transform (e.g. "no-cache, no-transform") so intermediaries
won't alter streaming responses; change the value where header::CACHE_CONTROL is
set (the HeaderValue::from_static("no-cache") call) and keep the existing
x-accel-buffering header unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/web/responses/handlers.rs`:
- Around line 2943-2948: The Cache-Control header currently uses
HeaderValue::from_static("no-cache"); update the header value to include
no-transform (e.g. "no-cache, no-transform") so intermediaries won't alter
streaming responses; change the value where header::CACHE_CONTROL is set (the
HeaderValue::from_static("no-cache") call) and keep the existing
x-accel-buffering header unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: bcc363a1-d9be-44a3-a815-b2c0ae61a37a

📥 Commits

Reviewing files that changed from the base of the PR and between 7121385 and 4e5c5b5.

⛔ Files ignored due to path filters (2)

• pcrDev.json is excluded by !pcrDev.json
• pcrProd.json is excluded by !pcrProd.json

📒 Files selected for processing (3)

• pcrDevHistory.json
• pcrProdHistory.json
• src/web/responses/handlers.rs

[devin-ai-integration]

🚩 Other SSE endpoint lacks keepalive and proxy headers

The chat completions SSE endpoint at src/web/openai.rs:380 uses Sse::new(stream).into_response() without any keepalive or x-accel-buffering: no header. If the motivation for this PR is that sparse SSE streams get dropped by proxies/load balancers, the same issue could affect the other SSE endpoint. Consider whether the responses_sse_response helper should be reused there as well.

---

Was this helpful? React with 👍 or 👎 to provide feedback.