fix(core): add separator to agent_space_name to prevent hash collisions

[mvanhorn]

Summary

agent_space_name() computed md5(user_id + agent_id) without a separator, allowing different (user_id, agent_id) pairs to collide when their concatenation matched. For example, ("alice", "bot") and ("aliceb", "ot") both produce md5("alicebot"), mapping to the same agent space.

This adds : as a separator in the hash input across all three implementations (Python SDK, bot server, TypeScript example).

Why this matters

• #595 documents the collision risk with a clear reproduction case
• @qin-ctx confirmed the issue and invited a PR fix
• Hash collisions cause unintended data sharing across agent spaces (memories, skills, workspaces)

Changes

• openviking_cli/session/user_id.py: md5(user_id + agent_id) -> md5(f"{user_id}:{agent_id}")
• bot/vikingbot/openviking_mount/ov_server.py: same fix
• examples/openclaw-memory-plugin/client.ts: same fix (two occurrences)
• tests/cli/test_user_identifier.py: new test covering collision scenario, hash stability, swapped IDs, and format

The : separator is safe because the validation regex [a-zA-Z0-9_-] prevents either field from containing it.

Breaking Change

This changes the hash output for all existing agent spaces. Data stored under the old hash will not be found with the new hash. Options for migration:

1. A one-time migration script that rehashes existing space directories
2. A fallback lookup that checks both old and new hashes during a transition period

Testing

• New test tests/cli/test_user_identifier.py verifies:
  • Previously-colliding pairs now produce different hashes
  • Same pairs still produce identical hashes
  • Swapped (user_id, agent_id) pairs produce different hashes
  • Hash format is 12 hex characters
• ruff format --check and ruff check pass on all changed files

Fixes #595

This contribution was developed with AI assistance (Claude Code).

[CLAassistant]

All committers have signed the CLA.