---
issue: 111
title: "Scanner: deliverWebhook goroutines use blocking time.Sleep — goroutine leak under sustained failure"
severity: medium
domain: Scanner
labels: [bug, scanner, goroutine-leak]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Scanner: deliverWebhook goroutines use blocking time.Sleep — goroutine leak under sustained failure

**Severity:** medium

**Domain:** Scanner

**Labels:** bug, scanner, goroutine-leak

## Description

`scanner/webhook.go:90` spawns a goroutine per webhook delivery that uses `time.Sleep` for retry backoff. Under sustained backend failure, many goroutines accumulate blocking on sleep with no upper bound on their count or total memory usage.

## Options

1. Replace per-delivery sleeping goroutines with a persisted retry queue + ticker (already partially present).
2. Use a bounded worker pool + context cancellation instead of `time.Sleep`.
3. Cap concurrent in-flight deliveries with a semaphore.

## Recommendation

Move retries to the persisted queue/ticker model with a bounded worker pool and context-aware delays. Coordinate with ISSUE-112.

## Affected Files

- `scanner/webhook.go:90`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-67
- [[ISSUE-112-scanner-unbounded-goroutine-fan-out-for-webhook-retries|ISSUE-112]]
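
The bounded worker pool with context-aware delays named in the Recommendation, as an added Go example. It is not code from `scanner/webhook.go`: `deliverAll`, `sleepCtx` and the `send` callback are hypothetical names, and the persisted retry queue is left out.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// sleepCtx blocks for d or until ctx is cancelled, whichever comes first.
// time.Sleep cannot be interrupted, which is what pins goroutines in backoff.
func sleepCtx(ctx context.Context, d time.Duration) {
	wait, cancel := context.WithTimeout(ctx, d)
	defer cancel()
	<-wait.Done()
}

// deliverAll runs jobs through a fixed pool: at most `workers` goroutines exist,
// however many deliveries fail. send is a hypothetical stand-in for the HTTP POST.
func deliverAll(ctx context.Context, jobs []string, workers, attempts int, base time.Duration, send func(context.Context, string) error) int64 {
	var delivered int64
	var wg sync.WaitGroup
	queue := make(chan string)
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for job := range queue {
				for n := 0; n < attempts && ctx.Err() == nil; n++ {
					if send(ctx, job) == nil {
						atomic.AddInt64(&delivered, 1)
						break
					}
					sleepCtx(ctx, base<<n) // exponential backoff; runs after the last attempt too, pacing the worker
				}
			}
		}()
	}
	for _, j := range jobs {
		queue <- j // once ctx is cancelled, workers drain this without sending or sleeping
	}
	close(queue)
	wg.Wait()
	return delivered
}

func main() {
	down := func(context.Context, string) error { return fmt.Errorf("backend down") } // constructed failure
	fmt.Println(deliverAll(context.Background(), []string{"a", "b", "c"}, 2, 3, time.Millisecond, down))
}
```

Cancelling the context (for example on scanner shutdown) releases every worker from its backoff immediately, so the pool exits instead of waiting out the remaining delays.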