
feat(tools): session ownership model for destructive operations #5833

@Audacity88

Description

Problem

Session keys are not scoped per-agent. Any agent with registered SessionResetTool or SessionDeleteTool can reset or delete sessions belonging to other agents or users.

Current Mitigation

  • Tools not registered in the default tool set (all_tools_with_runtime) — callers must explicitly opt in
  • Both tools enforce SecurityPolicy::enforce_tool_operation(ToolOperation::Act, ...) before executing

What's Needed

A scoping mechanism so destructive session operations are limited to sessions owned by the requesting agent. Possible approaches:

  • Session keys include an agent/owner prefix
  • A session ACL checked at tool execution time
  • SecurityPolicy extended with per-session ownership checks
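As an added illustration (not code from this project), the sketch below combines the first two approaches: session keys carry an owner prefix, and an ACL populated at session creation is consulted before a reset or delete is allowed. The names `AgentId`, `SessionAcl`, `authorize_destructive` and the `"<owner>:<session>"` key format are assumptions for this example; the check is meant to sit after the existing `enforce_tool_operation(ToolOperation::Act, ...)` call, and denies by default.

```rust
use std::collections::HashMap;

/// Hypothetical agent identifier (not from the project).
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct AgentId(pub String);

/// Assumed session key format: "<owner-agent>:<session-name>".
/// Returns the owner prefix, or None for an unscoped key.
pub fn owner_of(session_key: &str) -> Option<&str> {
    session_key
        .split_once(':')
        .map(|(owner, _)| owner)
        .filter(|o| !o.is_empty())
}

#[derive(Debug, PartialEq, Eq)]
pub enum Denied { UnscopedKey, NotOwner, NoAclEntry }

/// Hypothetical ACL: session key -> owning agent, filled in when a session is created.
#[derive(Default)]
pub struct SessionAcl { owners: HashMap<String, AgentId> }

impl SessionAcl {
    pub fn register(&mut self, key: &str, owner: AgentId) {
        self.owners.insert(key.to_string(), owner);
    }

    /// Ownership check for SessionResetTool / SessionDeleteTool. Runs after the
    /// policy's Act check. Deny by default: unscoped keys, keys with a foreign
    /// prefix, keys with no ACL entry, and keys whose prefix does not match the
    /// ACL's recorded owner (a spoofed prefix) are all rejected.
    pub fn authorize_destructive(&self, requester: &AgentId, key: &str) -> Result<(), Denied> {
        let prefix = owner_of(key).ok_or(Denied::UnscopedKey)?;
        if prefix != requester.0 {
            return Err(Denied::NotOwner);
        }
        match self.owners.get(key) {
            Some(owner) if owner == requester => Ok(()),
            Some(_) => Err(Denied::NotOwner),
            None => Err(Denied::NoAclEntry),
        }
    }
}

fn main() {
    let mut acl = SessionAcl::default();
    let a = AgentId("agent-a".into());
    acl.register("agent-a:main", a.clone());
    println!("{:?}", acl.authorize_destructive(&a, "agent-a:main"));
    println!("{:?}", acl.authorize_destructive(&AgentId("agent-b".into()), "agent-a:main"));
}
```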

Metadata

Labels: enhancement (New feature or request); gateway (Auto scope: src/gateway/** changed); needs-maintainer-review; priority:p2 (Medium priority); risk: high (Auto risk: security/runtime/gateway/tools/workflows); security (Auto scope: src/security/** changed); status:blocked (Blocked on an external dependency, decision, or prerequisite); tool (Auto scope: src/tools/** changed)

Status: Backlog