fix: require ACP metadata for deleted-agent bypass

[shakkernerd]

Summary:

• Tightens the deleted-agent guard for ACP-shaped session keys. ACP key shape alone is no longer treated as proof that a session is an ACP runtime session.
• Preserves the existing fast path for configured agents. If the agent still exists in config, the guard returns before doing ACP metadata or SQLite work.
• Keeps configured acp:binding:* sessions owner-scoped, so a deleted configured owner is still rejected instead of being exempted by ACP metadata.
• Updates sessions.resolve, chat.send, sessions.send, and sessions.steer so deleted-agent validation sees the loaded session entry, not just the session key string.
• Uses persisted ACP metadata to distinguish real ACP runtime sessions from ACP-shaped bridge sessions under missing agents.
• Repairs legacy/case-canonicalized ACP metadata rows when a JSON session key has already moved to the canonical key but the ACP metadata row is still stored under the old key.
• Bounds the metadata repair lookup: exact candidate keys are tried first, then normalized/lowercase lookup, with a case-insensitive SQLite fallback only for rare partial-migration states.

Why:

• ACP bridge sessions can use agent:<id>:acp:... key shapes without persisted SessionAcpMeta.
• Treating that shape as sufficient would let sessions under deleted configured agents bypass the deleted-agent guard incorrectly.
• The fix makes the bypass depend on the runtime metadata that proves the session is actually ACP-owned.

Verification:

• Rebased on latest origin/main.
• Auto-review: clean, no accepted/actionable findings.
• Crabbox AWS cbx_a603919bef5b, run run_15e01e46ecf9:
  • Focused ACP/gateway tests passed: 18 files, 524 tests.
  • pnpm check:changed passed.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 9, 2026, 4:34 PM ET / 20:34 UTC.

Summary
The PR tightens Gateway deleted-agent validation so ACP-shaped session keys bypass only with loaded or persisted ACP metadata, threads session entries through resolve/send paths, and adds SQLite ACP metadata rekey repair coverage.

PR surface: Source +163, Tests +279. Total +442 across 9 files.

Reproducibility: yes. from source: current main returns null for non-binding ACP-shaped keys before checking agent existence, while existing command code says ACP key shape alone is not ownership proof. I did not execute tests because this review is read-only.

Review metrics: 2 noteworthy metrics.

• Deleted-agent validation entry points: 4 updated. sessions.resolve, chat.send, sessions.send, and sessions.steer now pass loaded session evidence into the same guard.
• Runtime ACP metadata repair: 1 added. The new SQLite rekey path changes persisted session metadata during lookup, which matters for upgrade safety.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Confirm maintainer acceptance of runtime ACP metadata rekeying versus a doctor-only migration before merge.

Risk before merge

• [P1] Merging intentionally changes existing behavior by rejecting ACP-shaped bridge sessions under deleted configured agents that current main allowed by key shape alone.
• [P1] The guard can rekey persisted ACP SQLite metadata during runtime lookup, so maintainers should explicitly accept that upgrade/session-state repair path instead of a doctor-only migration.

Maintainer options:

1. Accept guarded hardening (recommended)
   Treat the stricter deleted-agent rejection and bounded ACP metadata repair as the intended upgrade behavior because the patch aligns Gateway with existing metadata-based ACP classification.
2. Move repair out of the guard
   If runtime state mutation during lookup is not acceptable, keep the metadata-gated deleted-agent decision but move ACP metadata rekeying into an explicit migration or doctor repair path.
3. Pause for compatibility policy
   If existing ACP-shaped bridge sessions under deleted agents must remain reachable, pause this PR for a product decision on a separate compatibility mode.

Next step before merge

• [P2] Protected maintainer-labeled PR with compatibility and session-state merge risk should stay in maintainer review rather than be auto-closed or routed to repair.

Security
Cleared: No dependency, CI, secret, permission, or supply-chain surface is broadened; the patch narrows a deleted-agent guard bypass while using existing SQLite state helpers.

Review details

Best possible solution:

Land after maintainer acceptance that metadata-gated ACP ownership and runtime metadata rekeying are the intended upgrade path; otherwise keep the metadata-gated guard and move rekeying to an explicit migration path.

Do we have a high-confidence way to reproduce the issue?

Yes, from source: current main returns null for non-binding ACP-shaped keys before checking agent existence, while existing command code says ACP key shape alone is not ownership proof. I did not execute tests because this review is read-only.

Is this the best way to solve the issue?

Yes for the guard logic: using loaded entry or persisted SessionAcpMeta is the narrowest fix and matches existing ACP runtime classification. The only solution-fit choice left is whether the metadata rekey belongs in this runtime path or an explicit migration path.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against a4e02cd1dd48.

Label changes

Label changes:

• add P2: This is a normal-priority gateway/session bugfix with limited blast radius but meaningful deleted-agent guard impact.
• add merge-risk: 🚨 compatibility: The PR deliberately changes existing ACP-shaped bridge sessions under deleted agents from allowed to rejected.
• add merge-risk: 🚨 session-state: The PR adds runtime SQLite ACP metadata rekeying that can change persisted session-state rows during lookup.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The contributor proof gate is not applied to this maintainer/member PR; the PR body still records Crabbox validation for the touched behavior.

Label justifications:

• P2: This is a normal-priority gateway/session bugfix with limited blast radius but meaningful deleted-agent guard impact.
• merge-risk: 🚨 compatibility: The PR deliberately changes existing ACP-shaped bridge sessions under deleted agents from allowed to rejected.
• merge-risk: 🚨 session-state: The PR adds runtime SQLite ACP metadata rekeying that can change persisted session-state rows during lookup.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The contributor proof gate is not applied to this maintainer/member PR; the PR body still records Crabbox validation for the touched behavior.

Evidence reviewed

PR surface:

Source +163, Tests +279. Total +442 across 9 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	5	183	20	+163
Tests	4	287	8	+279
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	9	470	28	+442

What I checked:

• Current main behavior: Current main returns null for any non-binding ACP-shaped session key before checking whether the owning agent still exists, so ACP-shaped bridge keys can bypass the deleted-agent guard by shape alone. (src/gateway/session-utils.ts:929, 52154eda0dd1)
• PR guard behavior: The PR moves the configured-agent fast path before ACP handling and only exempts non-binding ACP keys when loaded entry ACP data or persisted SessionAcpMeta is found. (src/gateway/session-utils.ts:983, 8765f5a545d8)
• Gateway callers pass loaded entry evidence: The PR updates sessions.resolve, chat.send, sessions.send, and sessions.steer to pass the loaded session entry and legacy metadata key into the deleted-agent guard. (src/gateway/server-methods/chat.ts:3083, 8765f5a545d8)
• Metadata repair implementation: The new repair helper only rekeys ACP metadata rows that case-normalize to the target key and whose stored session_id still matches the loaded session entry. (src/acp/runtime/session-meta.ts:254, 8765f5a545d8)
• Regression coverage: Added tests cover confirmed ACP runtime sessions, ACP-shaped bridge sessions without metadata, migrated/case-canonicalized ACP metadata, and key/sessionId/label resolve paths. (src/gateway/sessions-resolve-store.test.ts:352, 8765f5a545d8)
• Existing invariant: Current command/runtime code already documents that ACP key shape alone is not sufficient because ACP bridge sessions can use ACP-shaped keys without SessionAcpMeta. (src/commands/sessions.ts:55, a4e02cd1dd48)

Likely related people:

• scotthuang: git blame and log show the ACP harness bypass and configured ACP binding preservation in the current deleted-agent guard history. (role: introduced current ACP guard behavior; confidence: high; commits: 696c1ecd2068, 52154eda0dd1, 3853eb15af5e; files: src/gateway/session-utils.ts, src/gateway/session-utils.test.ts, src/gateway/sessions-resolve-store.test.ts)
• vincentkoc: git blame shows the core deleted-agent guard skeleton and ACP metadata read helpers came through the recent session/gateway import history. (role: adjacent session and ACP metadata owner; confidence: medium; commits: 25160515e05e; files: src/gateway/session-utils.ts, src/acp/runtime/session-meta.ts)
• shakkernerd: Current-main history includes prior ACP metadata test/helper work in the same runtime metadata files, beyond this PR branch. (role: recent adjacent ACP metadata contributor; confidence: medium; commits: 24da2c39f3b5; files: src/acp/runtime/session-meta.ts, src/acp/runtime/session-meta.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.