Summary

Phase 1 of docs/planning/identity-async-safety.md. Makes identity safe to read on threads that outlive the originating HTTP request (async continuations, auto-instrumented spans, cluster tasks) by moving the source of truth from the live request/session to a thread-scoped HoistIdentity cache, populated lazily on request threads and propagated explicitly across async boundaries.

Fixes the IllegalStateException: The request object has been recycled thrown by TraceService.createSpan → IdentityService.getAuthUsername → request.getSession() (and the same shape via TagSpanProcessor.onStart, TrackService.parseSubmittedEntry).

Changes

• New HoistIdentity (immutable POGO: username, authUsername)
• New IdentityPropagatingPromiseFactory — installed at startup, propagates identity into Grails task {} workers
• IdentityService refactored to a single ThreadLocal<HoistIdentity>; accessors read cache; mutators update cache + session in lock-step; getSessionIfExists catches IllegalStateException from recycled facades
• HoistFilter clears the cache in finally to prevent leakage on pooled threads
• ClusterTask installs/clears via the unified cache
• TrackService / browser.Utils use a safeHeader helper so observability reads tolerate recycled facades

Out of scope

Phase 2 (eliminate live-request propagation into workers via a runDetached sibling to runAsync) is optional and not included here. See the plan doc.

Test plan

• Build clean (./gradlew assemble — confirmed locally)
• Manual: trigger original repro path (span/track from post-response async work); confirm no IllegalStateException
• Manual: impersonation still works (apparent vs auth user surfaces correctly)
• Manual: regular login/logout flow
• Manual: cluster task identity propagation
• Unit/integration tests deferred — recommend adding before merge

🤖 Generated with Claude Code