fix(session-lock): allow co-tenant writes during prompt I/O window

[Jerry-Xin]

Summary

EmbeddedAttemptSessionTakeoverError fires on legitimate co-tenant writes (heartbeat, cron, channel ingress) to shared sessions during the prompt I/O window.

Root Cause

attempt.session-lock.ts:284-291: releaseForPrompt() records a file stat fingerprint and releases the lock. Co-tenant writers acquire the same fs-level lock and append to the session file (changing the stat). When the controller reacquires, assertSessionFileFence() sees a fingerprint mismatch and sets the sticky takeoverDetected flag — even though the write was coordinated through the same lock.

Fix

Add a process-scoped write epoch counter to acquireSessionWriteLock() that increments on each lock acquisition. The controller records the epoch at fence activation. On reacquisition, it checks the epoch delta:

• delta == 1 (only controller acquired): fingerprint change = external takeover → throw
• delta > 1 (co-tenants also acquired): fingerprint change = coordinated write → update fence, continue

Cross-process writes don't advance the in-process epoch, so true external takeovers are still detected.

Tests

4 new tests: co-tenant write accepted, external write detected, mixed co-tenant + external detected, multiple co-tenant writes succeed. All 26 existing session-lock tests pass.

Fixes #84071

[clawsweeper]

Thanks for the context here. I swept through the related work, and this is now duplicate or superseded.

Close as superseded: a newer open PR now tracks the same in-process/co-tenant session-write problem with a stronger ownership-aware fence and real filesystem proof, while this branch still has a blocking session-integrity weakness and no real behavior proof.

Canonical path: Close this branch and review or land #84250, or an equivalent ownership-aware fence that accepts trusted same-process locked writes while preserving external-edit negative tests.

So I’m closing this here and keeping the remaining discussion on #84250.

Review details

Best possible solution:

Close this branch and review or land #84250, or an equivalent ownership-aware fence that accepts trusted same-process locked writes while preserving external-edit negative tests.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: current main snapshots the session-file fingerprint at prompt release and throws on any changed fingerprint after reacquire, while legitimate event/hook writers can use the same session-lock path. I did not run a live heartbeat, cron, or channel reproduction in this read-only review.

Is this the best way to solve the issue?

No. The epoch shortcut fixes the false positive by weakening the fence for the whole prompt window; the safer direction is the superseding ownership-aware fingerprint approach in #84250 or equivalent.

Security review:

Security review needs attention: The patch changes the session-integrity fence and can weaken detection of lock-bypassing session-file mutation in a mixed prompt window.

• [medium] Fence accepts mixed-window bypass writes — src/agents/pi-embedded-runner/run/attempt.session-lock.ts:295
  The new epoch branch rebaselines the session fingerprint whenever another in-process lock acquisition happened, even if the file change also includes an external mutation that bypassed the lock before reacquire.
  Confidence: 0.88

What I checked:

• Current main strict fence: Current main records a session-file fingerprint after releaseForPrompt() and throws EmbeddedAttemptSessionTakeoverError on any later fingerprint mismatch after the write lock is reacquired. (src/agents/pi-embedded-runner/run/attempt.session-lock.ts:284, a002c416c7af)
• Current main lock wiring: The embedded runner installs session event and external hook wrappers through sessionLockController.withSessionWriteLock, so legitimate same-session event/hook writers can participate in the same lock path while another attempt is released for prompt I/O. (src/agents/pi-embedded-runner/run/attempt.ts:2374, a002c416c7af)
• PR branch weakens the fence: The PR branch accepts and re-baselines any fingerprint mismatch when the process-local write epoch advanced by more than the controller's own reacquire; its inline comment acknowledges that an external lock-bypassing write in the same prompt window would also be accepted. (src/agents/pi-embedded-runner/run/attempt.session-lock.ts:295, e14edf804fe4)
• PR tests miss the mixed-window failure: The added external-write test first accepts and re-baselines a co-tenant write, then appends externally in a later window; it does not cover an external bypass append and co-tenant lock activity before the same controller reacquires. (src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts:522, e14edf804fe4)
• Canonical superseding PR: The newer open PR fix(agents): tolerate in-process session writes during prompt release #84250 addresses the same in-process session-write class by tracking trusted owned fingerprints, includes real filesystem proof, and adds tests for external edit plus later locked append remaining fail-closed. (src/agents/pi-embedded-runner/run/attempt.session-lock.ts:142, 7008438d978c)
• Feature history provenance: Merged PR Release embedded session write lock before model I/O #82891 introduced the prompt-release session write-lock lifecycle and the central session-lock controller/test files now implicated by this regression cluster. (src/agents/pi-embedded-runner/run/attempt.session-lock.ts:1, 8a060b2904d4)

Likely related people:

• amknight: Merged history for Release embedded session write lock before model I/O #82891 introduced the released-prompt session write-lock lifecycle and fence files now involved in this regression cluster. (role: introduced behavior; confidence: high; commits: 8a060b2904d4, 9a9c557a0252, 96094fb844d0; files: src/agents/pi-embedded-runner/run/attempt.session-lock.ts, src/agents/pi-embedded-runner/run/attempt.ts, src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts)
• tianxiaochannel-oss88: Authored the newer open ownership-aware fence PR that covers the same in-process write class and the external-then-locked negative case. (role: adjacent proposed-fix owner; confidence: medium; commits: 7008438d978c; files: src/agents/pi-embedded-runner/run/attempt.session-lock.ts, src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts)
• kays0x: Authored the related open stricter append-only/content-validation fence PR that changes the same session-lock surface with supplied live proof for the false-takeover cluster. (role: adjacent proposed-fix owner; confidence: medium; commits: ac07599ff6da; files: src/agents/pi-embedded-runner/run/attempt.session-lock.ts, src/agents/pi-embedded-runner/run/attempt.session-lock.test.ts, src/agents/pi-embedded-runner/transcript-file-state.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against a002c416c7af.

[Jerry-Xin]

Rebased on latest upstream/main (b7ba7c3, clean rebase, no conflicts).

[Jerry-Xin]

Thanks for the thorough review. Regarding the P1 finding about epoch-based fence weakness:

Design rationale for the co-tenant epoch shortcut:

The epoch counter (SESSION_WRITE_EPOCHS) is a process-local in-memory Map that increments on each successful lock acquisition. When currentEpoch > fenceWriteEpoch + 1, it means:

• Our own reacquire accounts for exactly 1 increment
• The remaining increment(s) prove at least one other in-process lock holder (heartbeat, cron ingress, channel worker) acquired the session lock during the prompt I/O window

The concern is that a co-tenant's lock acquisition could mask an external (lock-bypassing) session file append in the same window. This is technically correct, but:

1. External bypasses are already a fundamental lock violation — if another process can write to the session file without acquiring the lock, the lock-based protection is broken at a deeper level than this fence can address.
2. The alternative (rejecting all changes when co-tenants are active) recreates the original bug — legitimate heartbeat/cron/channel writes during prompt I/O would keep tripping the takeover guard, stalling the session indefinitely.
3. The attack surface is narrow — the window is the prompt I/O duration, the external writer must bypass the lock, and the co-tenant must also be active in that same window.

I'll add a code comment documenting this deliberate trade-off. Happy to discuss alternative approaches if maintainers prefer a tighter check — for example, tracking a fingerprint chain per epoch, though that would add significant complexity.

[Jerry-Xin]

Rebased on latest upstream/main (48acdd3, clean rebase, no conflicts).

[Jerry-Xin]

Rebased on latest upstream/main (94d8391, clean rebase, no conflicts).

[Jerry-Xin]

Rebased on latest upstream/main (79197b3, clean rebase, no conflicts).

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

[Jerry-Xin]

Rebased on latest upstream/main (a002c41, clean rebase, no conflicts).

[clawsweeper]

ClawSweeper applied the proposed close for this PR.

• Action: closed this PR.
• Close reason: duplicate or superseded.
• Evidence: durable ClawSweeper review.