feat(sessions): multi-subscriber cap enforcement + mode-gated FailFast

src/ZB.MOM.WW.MxGateway.Tests/Gateway/Sessions/SessionEventDistributorTests.cs

@@ -355,7 +355,8 @@ public sealed class SessionEventDistributorTests
                 Interlocked.Increment(ref overflowCalls);
                 Volatile.Write(ref observedIsOnlySubscriberValue, isOnlySubscriber);
                 Volatile.Write(ref observedIsOnlySubscriberSet, 1);
-            });
+            },
+            singleSubscriberMode: false);
         await distributor.StartAsync(CancellationToken.None);
 
         // Slow subscriber: registered but never read, so its capacity-2 channel fills.
@@ -377,7 +378,7 @@ public sealed class SessionEventDistributorTests
             async () => await DrainUntilFaultAsync(slow.Reader));
         Assert.Equal(SessionManagerErrorCode.EventQueueOverflow, fault.ErrorCode);
 
-        // Two subscribers were registered at overflow time, so isOnlySubscriber is false.
+        // Multi-subscriber mode, so isOnlySubscriber is always false (Task 8 mode-gating).
         // Use Interlocked.Read / Volatile.Read so the test-thread reads are ordered after the
         // pump-thread writes, avoiding a data race by the C# memory model.
         Assert.Equal(1, Volatile.Read(ref overflowCalls));
@@ -395,15 +396,12 @@ public sealed class SessionEventDistributorTests
     public async Task SlowSubscriberOverflow_WithMultipleSubscribers_HandlerSeesIsOnlySubscriberFalse_OtherKeepsReceiving()
     {
         // Distributor-level pin for "FailFast with multiple subscribers degrades to
-        // disconnect-only (no session fault)": when the overflowing subscriber is NOT the
-        // sole subscriber, isOnlySubscriber is false, so a FailFast-wired handler must NOT
-        // fault the session. This test drives the distributor directly (without GatewaySession)
-        // with two subscribers and a FailFast-style overflow handler seam, overflows the slow
-        // one, and asserts (a) isOnlySubscriber==false, (b) the other subscriber keeps
-        // receiving, and (c) the pump keeps running — all without a GatewaySession.
-        //
-        // TODO(Task 8): add a GatewaySession-level "session stays Ready" assertion once
-        // multi-subscriber config is enabled by the Tasks 7/8 validator/guard change.
+        // disconnect-only (no session fault)": in multi-subscriber mode isOnlySubscriber is
+        // always false (Task 8 mode-gating), so a FailFast-wired handler must NOT fault the
+        // session. This test drives the distributor directly (without GatewaySession) in
+        // multi-subscriber mode with two subscribers and a FailFast-style overflow handler
+        // seam, overflows the slow one, and asserts (a) isOnlySubscriber==false, (b) the other
+        // subscriber keeps receiving, and (c) the pump keeps running.
         Channel<MxEvent> source = Channel.CreateUnbounded<MxEvent>();
         bool handlerFiredWithFalse = false;
         bool sessionFaultWouldBeCalled = false; // tracks if a FailFast path would fault
@@ -427,7 +425,8 @@ public sealed class SessionEventDistributorTests
                     // Single-subscriber: FailFast would fault the session — must not happen here.
                     Volatile.Write(ref sessionFaultWouldBeCalled, true);
                 }
-            });
+            },
+            singleSubscriberMode: false);
         await distributor.StartAsync(CancellationToken.None);
 
         // Slow subscriber: never reads, so capacity-2 channel overflows quickly.
@@ -520,6 +519,56 @@ public sealed class SessionEventDistributorTests
             "isInternal must be true for a subscriber registered with isInternal: true.");
     }
 
+    [Fact]
+    public async Task SingleSubscriberMode_LoneExternalOverflow_HandlerSeesIsOnlySubscriberTrue()
+    {
+        // Task 8 mode-gating: in single-subscriber mode a lone external subscriber that
+        // overflows reports isOnlySubscriber==true, so the legacy FailFast session-fault path
+        // is preserved. The decision is gated on the fixed session mode, NOT a live count, so
+        // it is race-free.
+        Channel<MxEvent> source = Channel.CreateUnbounded<MxEvent>();
+        int observedSet = 0;
+        bool observedValue = false;
+        await using SessionEventDistributor distributor = new(
+            "session-single-sub",
+            ct => source.Reader.ReadAllAsync(ct),
+            subscriberQueueCapacity: 2,
+            replayBufferCapacity: 0,
+            replayRetentionSeconds: 0,
+            NullLogger<SessionEventDistributor>.Instance,
+            TimeProvider.System,
+            (isOnlySubscriber, _) =>
+            {
+                Volatile.Write(ref observedValue, isOnlySubscriber);
+                Volatile.Write(ref observedSet, 1);
+            },
+            singleSubscriberMode: true);
+        await distributor.StartAsync(CancellationToken.None);
+
+        using IEventSubscriberLease external = distributor.Register();
+
+        for (ulong sequence = 1; sequence <= 10; sequence++)
+        {
+            source.Writer.TryWrite(Event(sequence));
+        }
+
+        SessionManagerException fault = await Assert.ThrowsAsync<SessionManagerException>(
+            async () => await DrainUntilFaultAsync(external.Reader));
+        Assert.Equal(SessionManagerErrorCode.EventQueueOverflow, fault.ErrorCode);
+
+        await Task.Run(async () =>
+        {
+            using CancellationTokenSource cts = new(ReadTimeout);
+            while (Volatile.Read(ref observedSet) == 0)
+            {
+                await Task.Delay(10, cts.Token);
+            }
+        });
+
+        Assert.True(Volatile.Read(ref observedValue),
+            "isOnlySubscriber must be true for a lone external subscriber in single-subscriber mode.");
+    }
+
     private static async Task DrainUntilFaultAsync(ChannelReader<MxEvent> reader)
     {
         // Drains any buffered events, then surfaces the channel's completion fault (if any)