diff --git a/src/agents/session-write-lock.ts b/src/agents/session-write-lock.ts
index 832d368a633..82a2428da89 100644
--- a/src/agents/session-write-lock.ts
+++ b/src/agents/session-write-lock.ts
@@ -35,8 +35,8 @@ function isAlive(pid: number): boolean {
 function releaseAllLocksSync(): void {
   for (const [sessionFile, held] of HELD_LOCKS) {
     try {
-      if (typeof held.handle.fd === "number") {
-        fsSync.closeSync(held.handle.fd);
+      if (typeof held.handle.close === "function") {
+        void held.handle.close().catch(() => {});
       }
     } catch {
       // Ignore errors during cleanup - best effort
diff --git a/src/agents/tools/web-tools.fetch.test.ts b/src/agents/tools/web-tools.fetch.test.ts
index 04923b6072f..86bdeb7a275 100644
--- a/src/agents/tools/web-tools.fetch.test.ts
+++ b/src/agents/tools/web-tools.fetch.test.ts
@@ -1,5 +1,6 @@
-import { afterEach, describe, expect, it, vi } from "vitest";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 
+import * as ssrf from "../../infra/net/ssrf.js";
 import { createWebFetchTool } from "./web-tools.js";
 
 type MockResponse = {
@@ -73,6 +74,18 @@ function requestUrl(input: RequestInfo): string {
 describe("web_fetch extraction fallbacks", () => {
   const priorFetch = global.fetch;
 
+  beforeEach(() => {
+    vi.spyOn(ssrf, "resolvePinnedHostname").mockImplementation(async (hostname) => {
+      const normalized = hostname.trim().toLowerCase().replace(/\.$/, "");
+      const addresses = ["93.184.216.34", "93.184.216.35"];
+      return {
+        hostname: normalized,
+        addresses,
+        lookup: ssrf.createPinnedLookup({ hostname: normalized, addresses }),
+      };
+    });
+  });
+
   afterEach(() => {
     // @ts-expect-error restore
     global.fetch = priorFetch;