refactor(agents): dedupe workspace and session tool flows

2026-05-10 02:32:44 +00:00 · 2026-02-22 21:18:02 +00:00
parent 2f8c68ae4d
commit 06bdd53658
9 changed files with 227 additions and 128 deletions
--- a/src/agents/tools/sessions-resolution.test.ts
+++ b/src/agents/tools/sessions-resolution.test.ts
@@ -1,11 +1,13 @@
 import { describe, expect, it } from "vitest";
 import type { OpenClawConfig } from "../../config/config.js";
 import {
+  isResolvedSessionVisibleToRequester,
  looksLikeSessionId,
  looksLikeSessionKey,
  resolveDisplaySessionKey,
  resolveInternalSessionKey,
  resolveMainSessionAlias,
+  shouldVerifyRequesterSpawnedSessionVisibility,
  shouldResolveSessionIdInput,
 } from "./sessions-resolution.js";

@@ -75,3 +77,59 @@ describe("session reference shape detection", () => {
    expect(shouldResolveSessionIdInput("random-slug")).toBe(true);
  });
 });
+
+describe("resolved session visibility checks", () => {
+  it("requires spawned-session verification only for sandboxed key-based cross-session access", () => {
+    expect(
+      shouldVerifyRequesterSpawnedSessionVisibility({
+        requesterSessionKey: "agent:main:main",
+        targetSessionKey: "agent:main:worker",
+        restrictToSpawned: true,
+        resolvedViaSessionId: false,
+      }),
+    ).toBe(true);
+    expect(
+      shouldVerifyRequesterSpawnedSessionVisibility({
+        requesterSessionKey: "agent:main:main",
+        targetSessionKey: "agent:main:worker",
+        restrictToSpawned: false,
+        resolvedViaSessionId: false,
+      }),
+    ).toBe(false);
+    expect(
+      shouldVerifyRequesterSpawnedSessionVisibility({
+        requesterSessionKey: "agent:main:main",
+        targetSessionKey: "agent:main:worker",
+        restrictToSpawned: true,
+        resolvedViaSessionId: true,
+      }),
+    ).toBe(false);
+    expect(
+      shouldVerifyRequesterSpawnedSessionVisibility({
+        requesterSessionKey: "agent:main:main",
+        targetSessionKey: "agent:main:main",
+        restrictToSpawned: true,
+        resolvedViaSessionId: false,
+      }),
+    ).toBe(false);
+  });
+
+  it("returns true immediately when spawned-session verification is not required", async () => {
+    await expect(
+      isResolvedSessionVisibleToRequester({
+        requesterSessionKey: "agent:main:main",
+        targetSessionKey: "agent:main:main",
+        restrictToSpawned: true,
+        resolvedViaSessionId: false,
+      }),
+    ).resolves.toBe(true);
+    await expect(
+      isResolvedSessionVisibleToRequester({
+        requesterSessionKey: "agent:main:main",
+        targetSessionKey: "agent:main:other",
+        restrictToSpawned: false,
+        resolvedViaSessionId: false,
+      }),
+    ).resolves.toBe(true);
+  });
+});