fix(agents): enforce visibility guard after sessionId resolution in session_status

[kevinWangSheng]

Summary

• When session_status receives a sessionId (not an explicit agent:... key), the sessionId resolution block (lines 328-357) rewrites requestedKeyRaw to an explicit agent key
• The visibility guard check at line 375 tested !requestedKeyRaw.startsWith("agent:"), which becomes false after resolution — skipping the visibility check entirely
• A sandboxed agent could bypass visibility restrictions by providing a sessionId instead of an explicit session key

Root cause

The visibility guard has two check sites:

1. Line 281-286: Runs when the original input is an explicit agent:... key
2. Line 375-382: Runs when the input is NOT an explicit agent key (e.g., a sessionId or alias)

After sessionId resolution at line 340, requestedKeyRaw is overwritten to an explicit agent key. The condition at line 375 re-evaluates the now-mutated requestedKeyRaw and concludes it starts with "agent:", so it skips the visibility check — even though check #1 also never ran (since the original input was not an explicit key).

Fix

Replace !requestedKeyRaw.startsWith("agent:") with !isExplicitAgentKey, which was captured at line 306 before sessionId resolution and reflects whether the original input was an explicit agent key.

• Original input = explicit agent key → isExplicitAgentKey = true → skip (already checked at line 281)
• Original input = sessionId → isExplicitAgentKey = false → run visibility check

Test plan

• 26 session access/resolution tests pass
• Code inspection confirms both visibility guard check sites now cover all input types without gaps

🤖 Generated with Claude Code

[greptile-apps]

Greptile Summary

This PR fixes a security bypass in session_status where a sandboxed agent could circumvent visibility restrictions by passing a sessionId instead of an explicit agent: key. The one-line fix replaces a stale requestedKeyRaw.startsWith("agent:") test (evaluated after mutation) with the pre-mutation boolean isExplicitAgentKey, ensuring the second visibility guard fires on sessionId-resolved inputs as originally intended.

• Root cause closed: requestedKeyRaw is overwritten to an agent: key during sessionId resolution (line 340), causing the old guard condition to short-circuit and skip the check; the first check (lines 295–304) also never ran because the original input was not an explicit agent key — leaving both check sites missed.
• Fix is minimal and correct: isExplicitAgentKey is captured at line 306, before any mutation, and accurately reflects whether the original caller input was an explicit agent key.
• No new logic introduced: only the condition variable is changed; the check body and call site are unchanged.

Confidence Score: 5/5

• Safe to merge — single-line targeted fix closes a concrete visibility bypass with no side effects on unrelated paths.
• The change is a one-line, surgical correction to a clearly identified security bug. The pre-mutation isExplicitAgentKey flag is already in place at line 306 and its semantics are exact. Both visibility check sites now cover all input types without gaps: explicit agent keys hit the first check (lines 295–304), all other inputs hit the second check (line 375). The PR author's walkthrough is accurate, and 26 existing session access/resolution tests are reported to pass.
• No files require special attention.

_{Last reviewed commit: "fix(agents): enforce..."}

[steipete]

Closing this as implemented after Codex review.

Current main already covers this session_status visibility-gap report with broader post-resolution visibility enforcement and regression tests, and the same implementation is present in released tag v2026.4.22.

What I checked:

• Post-resolution visibility check on main: After sessionId resolution, session_status computes visibilityTargetKey and unconditionally runs visibilityGuard.check(...), so resolved sessionId lookups still pass through visibility enforcement. (src/agents/tools/session-status-tool.ts:460, 60f7a59f5ed5)
• Regression tests for sessionId/tree-visibility bypass: Main includes explicit tests that reject unsandboxed and sandboxed sessionId-based access outside the allowed tree, including parent/other-session cases. (src/agents/openclaw-tools.session-status.test.ts:1324, 60f7a59f5ed5)
• Shipped in latest release: The same guard flow and regression tests are present in release commit 00bd2cf7a376f1fba26291c6c4766f1f15cbdfa5 for v2026.4.22, so the fix is already shipped. (src/agents/tools/session-status-tool.ts:460, 00bd2cf7a376)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 60f7a59f5ed5; fix evidence: release v2026.4.22, commit 00bd2cf7a376.