fix(agents): trust session fingerprints before publishing

tianxiaochannel-oss88 · tianxiaochannel-oss88 · commit 7008438d978c · 2026-05-20T04:06:00.000+08:00
diff --git a/src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts b/src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts
@@ -248,6 +248,42 @@ describe("embedded attempt session lock lifecycle", () => {
     expect(releases).toEqual(["release", "release", "release"]);
   });
 
+  it("rejects external session edits even when another controller appends under lock afterward", async () => {
+    const sessionFile = await createTempSessionFile();
+    const releases: string[] = [];
+    const acquireSessionWriteLock = vi.fn(async () => ({
+      release: vi.fn(async () => {
+        releases.push("release");
+      }),
+    }));
+    const firstController = await createEmbeddedAttemptSessionLockController({
+      acquireSessionWriteLock,
+      lockOptions: { ...lockOptions, sessionFile },
+    });
+
+    await firstController.releaseForPrompt();
+    await fs.appendFile(sessionFile, '{"type":"message","id":"external"}\n', "utf8");
+
+    const secondController = await createEmbeddedAttemptSessionLockController({
+      acquireSessionWriteLock,
+      lockOptions: { ...lockOptions, sessionFile },
+    });
+    await secondController.withSessionWriteLock(async () => {
+      await fs.appendFile(sessionFile, '{"type":"message","id":"same-process"}\n', "utf8");
+    });
+    await secondController.releaseForPrompt();
+
+    await expect(
+      firstController.withSessionWriteLock(async () => {
+        await fs.appendFile(sessionFile, '{"type":"message","id":"late"}\n', "utf8");
+      }),
+    ).rejects.toBeInstanceOf(EmbeddedAttemptSessionTakeoverError);
+
+    expect(firstController.hasSessionTakeover()).toBe(true);
+    expect(acquireSessionWriteLock).toHaveBeenCalledTimes(3);
+    expect(releases).toEqual(["release", "release", "release"]);
+  });
+
   it("returns a no-op cleanup lock after prompt lock reacquisition times out", async () => {
     const releases: string[] = [];
     const acquireSessionWriteLock = vi
diff --git a/src/agents/pi-embedded-runner/run/attempt.session-lock.ts b/src/agents/pi-embedded-runner/run/attempt.session-lock.ts
@@ -134,12 +134,18 @@ type OwnedSessionFileWrite = {
   fingerprint: SessionFileFingerprint;
 };
 
+type TrustedSessionFileState = {
+  generation: number;
+  fingerprint: SessionFileFingerprint;
+};
+
 // Controllers in the same OpenClaw process can legitimately take turns writing
 // the same session file while another attempt is released for model I/O. Track
 // only fingerprints that changed while OpenClaw held the write lock so the
 // takeover fence can distinguish those locked in-process writes from unowned
 // external file changes.
 const ownedSessionFileWrites = new Map<string, OwnedSessionFileWrite>();
+const trustedSessionFileStates = new Map<string, TrustedSessionFileState>();
 let ownedSessionFileWriteGeneration = 0;
 
 function resolveSessionFileFenceKey(sessionFile: string): string {
@@ -151,13 +157,41 @@ function recordOwnedSessionFileWrite(
   fingerprint: SessionFileFingerprint,
 ): number {
   ownedSessionFileWriteGeneration += 1;
-  ownedSessionFileWrites.set(sessionFileKey, {
+  const state = {
+    generation: ownedSessionFileWriteGeneration,
+    fingerprint,
+  };
+  ownedSessionFileWrites.set(sessionFileKey, state);
+  trustedSessionFileStates.set(sessionFileKey, state);
+  return ownedSessionFileWriteGeneration;
+}
+
+function trustSessionFileState(
+  sessionFileKey: string,
+  fingerprint: SessionFileFingerprint,
+): number | undefined {
+  const trusted = trustedSessionFileStates.get(sessionFileKey);
+  if (trusted) {
+    return sameSessionFileFingerprint(trusted.fingerprint, fingerprint)
+      ? trusted.generation
+      : undefined;
+  }
+  ownedSessionFileWriteGeneration += 1;
+  trustedSessionFileStates.set(sessionFileKey, {
     generation: ownedSessionFileWriteGeneration,
     fingerprint,
   });
   return ownedSessionFileWriteGeneration;
 }
 
+function isTrustedSessionFileState(
+  sessionFileKey: string,
+  fingerprint: SessionFileFingerprint,
+): boolean {
+  const trusted = trustedSessionFileStates.get(sessionFileKey);
+  return !!trusted && sameSessionFileFingerprint(trusted.fingerprint, fingerprint);
+}
+
 async function readSessionFileFingerprint(sessionFile: string): Promise<SessionFileFingerprint> {
   try {
     const stat = await fs.stat(sessionFile, { bigint: true });
@@ -347,6 +381,9 @@ export async function createEmbeddedAttemptSessionLockController(params: {
     if (sameSessionFileFingerprint(beforeWrite, fingerprint)) {
       return null;
     }
+    if (!isTrustedSessionFileState(sessionFileFenceKey, beforeWrite)) {
+      return null;
+    }
     const generation = recordOwnedSessionFileWrite(sessionFileFenceKey, fingerprint);
     return { fingerprint, generation };
   }
@@ -390,11 +427,12 @@ export async function createEmbeddedAttemptSessionLockController(params: {
       heldLock = undefined;
       const fingerprint = await readSessionFileFingerprint(params.lockOptions.sessionFile);
       const ownedWrite = ownedSessionFileWrites.get(sessionFileFenceKey);
+      const trustedGeneration = trustSessionFileState(sessionFileFenceKey, fingerprint);
       fenceFingerprint = fingerprint;
       fenceGeneration =
         ownedWrite && sameSessionFileFingerprint(ownedWrite.fingerprint, fingerprint)
           ? ownedWrite.generation
-          : fenceGeneration;
+          : (trustedGeneration ?? fenceGeneration);
       fenceActive = true;
       await lock.release();
     },
