fix(agents): prefer explicit sessions_send keys

[vincentkoc]

Summary

• let explicit sessionKey targets win when stale label metadata is also present
• keep denied session-id and thread-session-id paths from echoing resolved canonical session keys
• carry forward the useful part of fix(agents): prefer sessionKey in sessions_send #74009 with the review/security fixes applied

Fixes #64699.
Refs #41199.
Supersedes #74009.

Validation

• node scripts/run-vitest.mjs src/agents/tools/sessions.test.ts
• git diff --check
• ./node_modules/.bin/oxfmt --check --threads=1 CHANGELOG.md src/agents/tool-description-presets.ts src/agents/tools/sessions-send-tool.ts src/agents/tools/sessions.test.ts
• direct check:changed script guards/lint/runtime/import lanes passed where runnable in this sparse Codex worktree
• node scripts/check-changed.mjs --dry-run selected core, coreTests, docs; tsgo:core and tsgo:core:test were sparse-skipped by the repo guard because ui/config is not present in this worktree
• .agents/skills/autoreview/scripts/autoreview --mode local

[clawsweeper]

Codex review: needs changes before merge. Reviewed June 10, 2026, 7:22 PM ET / 23:22 UTC.

Summary
The PR makes explicit sessionKey input override redundant label metadata, avoids echoing resolved canonical keys on selected denied paths, updates the model-facing description and snapshots, and adds focused regression tests.

PR surface: Source -6, Tests +104, Docs +1. Total +99 across 10 files.

Reproducibility: yes. Current main has a deterministic early rejection for any sessions_send invocation containing both sessionKey and label, exactly matching the reported failure path.

Review metrics: none identified.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🌊 off-meta tidepool
Patch quality: 🦐 gold shrimp
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Remove the CHANGELOG.md modification.
• Rerun the focused sessions test and git diff --check after cleanup.

Risk before merge

• [P1] The direct CHANGELOG.md edit can conflict with release generation or create duplicate release notes if merged.

Maintainer options:

1. Decide the mitigation before merge
   Remove the changelog line and retain the focused explicit-key precedence, denial non-disclosure behavior, regression tests, and generated prompt snapshots.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

• [P2] A mechanical one-line cleanup is required before merge; after that, the protected maintainer-labeled PR can return to normal maintainer landing review.

Security
Cleared: The runtime change reduces canonical session-key disclosure and introduces no dependency, workflow, permission, secret-handling, or new code-execution surface.

Review findings

• [P2] Remove the release-owned changelog entry — CHANGELOG.md:67

Review details

Best possible solution:

Remove the changelog line and retain the focused explicit-key precedence, denial non-disclosure behavior, regression tests, and generated prompt snapshots.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main has a deterministic early rejection for any sessions_send invocation containing both sessionKey and label, exactly matching the reported failure path.

Is this the best way to solve the issue?

Yes, after removing the changelog edit. Giving the explicit key deterministic precedence is narrower and more maintainable than adding parallel tools or complex schema alternatives, and the tests cover the associated disclosure-sensitive denial paths.

Full review comments:

• [P2] Remove the release-owned changelog entry — CHANGELOG.md:67
  Normal PRs must not edit CHANGELOG.md; release generation owns this file. Remove this line to avoid conflicts or duplicate release notes, and retain the release-note context in the PR body or squash message.
  Confidence: 0.99

Overall correctness: patch is incorrect
Overall confidence: 0.97

AGENTS.md: found and applied where relevant.

Codex review notes: reasoning high; reviewed against 1b23e738305c.

Label changes

Label changes:

• add P2: This PR fixes a reproducible agent-to-agent message delivery failure with limited blast radius and one narrow pre-merge cleanup.
• add rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🌊 off-meta tidepool and patch quality is 🦐 gold shrimp.
• add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The author is a repository member, so the external-contributor real behavior proof gate does not apply; the submitted focused test validation is supplemental evidence.

Label justifications:

• P2: This PR fixes a reproducible agent-to-agent message delivery failure with limited blast radius and one narrow pre-merge cleanup.
• rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🌊 off-meta tidepool and patch quality is 🦐 gold shrimp.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The author is a repository member, so the external-contributor real behavior proof gate does not apply; the submitted focused test validation is supplemental evidence.

Evidence reviewed

PR surface:

Source -6, Tests +104, Docs +1. Total +99 across 10 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	2	5	11	-6
Tests	7	120	16	+104
Docs	1	1	0	+1
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	10	126	27	+99

Acceptance criteria:

• [P1] git diff --check.
• [P1] node scripts/run-vitest.mjs src/agents/tools/sessions.test.ts.

What I checked:

• Current-main reproduction: Current main returns Provide either sessionKey or label (not both). before target resolution whenever both fields are present, matching the linked reports. (src/agents/tools/sessions-send-tool.ts:343, 1b23e738305c)
• Narrow runtime repair: The branch removes only the early mutual-exclusion rejection and retains the explicit key as the display value for visibility, thread, and authorization denials. (src/agents/tools/sessions-send-tool.ts:340, 272776bd5d15)
• Regression coverage: The branch covers redundant label precedence, denied session-id resolution, and resolved thread-session-id non-disclosure while preserving label-target behavior. (src/agents/tools/sessions.test.ts:820, 272776bd5d15)
• Release-owned file violation: The branch adds a normal PR release-note entry directly to CHANGELOG.md, although repository policy reserves that file for release generation. (CHANGELOG.md:67, 272776bd5d15)
• Feature provenance: Commit 56e77f6 introduced the sessions label lookup behavior; later history retains the early mutual-exclusion check that this PR repairs. (src/agents/tools/sessions-send-tool.ts:340, 56e77f68432e)
• Codex contract check: Direct inspection of sibling Codex at b39f943a confirmed tool descriptions and input schemas are transported as ordinary tool metadata; the snapshot-only wording update does not require a Codex protocol change. (test/fixtures/agents/prompt-snapshots/codex-runtime-happy-path/codex-dynamic-tools.discord-group.json:1063, b39f943a634a)

Likely related people:

• Peter Steinberger: The file shortlog shows the largest share of sessions-send implementation history, and commit 56e77f6 introduced the label lookup and persistence behavior relevant to this fix. (role: primary feature-history contributor; confidence: high; commits: 56e77f68432e; files: src/agents/tools/sessions-send-tool.ts)
• shushushu: Commit 7926ace most recently carried the current resolution and visibility block on main during adjacent agent-runtime work. (role: recent area contributor; confidence: medium; commits: 7926acee98c3; files: src/agents/tools/sessions-send-tool.ts)
• Vincent Koc: Current-main shortlog shows prior merged contributions to the sessions-send module beyond authorship of this proposal, indicating relevant implementation familiarity. (role: prior area contributor; confidence: medium; commits: 5181e4f7c82b; files: src/agents/tools/sessions-send-tool.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.