[Bug]: encoded trajectory export request can erase an explicit session key

[giodl73-repo]

Summary

A local code audit found that merging an encoded export-trajectory request can overwrite an explicitly supplied session key with an empty placeholder when the encoded request omits sessionKey.

Affected area

• src/commands/export-trajectory.ts
• decodeExportTrajectoryRequest
• resolveExportTrajectoryOptions

Repro

Call the trajectory export command with a direct sessionKey and a base64url request that only supplies another option such as output. The resolved options can lose the direct session key and fail with the --session-key is required path.

Expected

Decoded request values should not overwrite already-defined CLI options with empty placeholders.

Suggested fix

Only include sessionKey in decoded partial options when the encoded request contains a non-empty string, or merge decoded values without replacing defined direct options with empty values.

Source: local code audit.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by maintainer comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors can comment @clawsweeper re-review or @clawsweeper re-run on their own open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open because current main still contains the reported source-level bug, and two open PRs already reference this issue with closing syntax. The issue should remain open until one fix PR is reviewed and merged or both are deliberately closed.

Reproducibility: yes. A direct source reproduction is exportTrajectoryCommand({ sessionKey, requestJsonBase64: base64url({ output }) }), where decoding produces sessionKey: "" and the later spread overwrites the explicit value before the required-session check.

Next step
No new repair job should be queued because open fix PRs already reference this issue with closing syntax.

Review details

Best possible solution:

Review and land one of the existing focused fix PRs, preserving non-empty encoded-value precedence while preventing absent or blank decoded fields from overwriting explicit direct options.

Do we have a high-confidence way to reproduce the issue?

Yes. A direct source reproduction is exportTrajectoryCommand({ sessionKey, requestJsonBase64: base64url({ output }) }), where decoding produces sessionKey: "" and the later spread overwrites the explicit value before the required-session check.

Is this the best way to solve the issue?

Yes. The narrow maintainable solution is to omit absent or blank decoded fields, or otherwise merge decoded values without replacing already-defined direct options with empty placeholders.

What I checked:

• Current source reproduces the merge bug: decodeExportTrajectoryRequest always returns an own sessionKey property using readOptionalString(request.sessionKey) ?? "", and resolveExportTrajectoryOptions spreads the decoded object after direct CLI options, so an encoded request without sessionKey overwrites an explicit session key with an empty string. (src/commands/export-trajectory.ts:60, 816fbe0cf03c)
• Existing tests miss the mixed direct-plus-encoded case: Current tests cover missing session key, malformed encoded JSON, and a direct missing-session lookup, but they do not cover direct sessionKey plus a partial encoded request. (src/commands/export-trajectory.test.ts:37, 816fbe0cf03c)
• CLI exposes the conflicting inputs together: The sessions export-trajectory command accepts both --session-key and --request-json-base64 and forwards both to exportTrajectoryCommand, so the merge path is reachable through the documented CLI surface. (src/cli/program/register.status-health-sessions.ts:271, 816fbe0cf03c)
• Open implementation PRs already reference this issue: Live GitHub state shows two open fix PRs, fix(export-trajectory): preserve direct sessionKey when encoded request omits it (#83282) #83298 and fix(export): preserve explicit trajectory session keys #83308, both associated as closing pull requests for this issue.
• Shipped provenance contains the same buggy shape: The export trajectory command was present in release tag v2026.5.12; that tagged source has the same sessionKey: readOptionalString(request.sessionKey) ?? "" and decoded-after-direct spread behavior. (src/commands/export-trajectory.ts:55, f066dd2f31c2)
• Canonical search found this issue plus the open fix PRs: Search for the central export-trajectory/sessionKey problem found this issue and the two open fix PRs, with no merged replacement fix found in the search results.

Likely related people:

• steipete: Peter Steinberger authored the release commit that added the export-trajectory command, CLI registration, slash-command bridge, and tests, and also appears in recent CLI-area history for the same registration file. (role: feature introducer and recent area contributor; confidence: medium; commits: f066dd2f31c2, 9bdc183b7d05; files: src/commands/export-trajectory.ts, src/commands/export-trajectory.test.ts, src/cli/program/register.status-health-sessions.ts)

Remaining risk / open question:

• No runtime command was executed because this review was read-only; the reproduction is source-level but direct.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 816fbe0cf03c.