fix(session): scope session list to current directory to prevent cross-worktree leakage#16827
Open
andreagroferreira wants to merge 1 commit intoanomalyco:devfrom
Open
Conversation
…s-worktree leakage When multiple git worktrees share the same root commit, they get the same project_id. This causes sessions from different worktrees to appear mixed in the session list. Similarly, the 'global' project (worktree '/') acts as a catch-all bucket, mixing sessions from unrelated directories. Changes: - Default the session list API route to filter by Instance.directory, ensuring sessions are scoped to the active working directory - Fix workspace_id filtering to include sessions with NULL workspace_id (pre-migration sessions) using OR condition instead of strict equality - Use explicit workspaceID input parameter in Session.list() instead of only reading from WorkspaceContext (the param was dead code before) - Add workspaceID query parameter to GET /session/ API route - Pass directory filter in CLI 'session list' command - Allow explicit workspaceID in Session.createNext() input - Add tests for directory scoping, NULL workspace_id handling, and explicit workspaceID in createNext Fixes anomalyco#15678, relates to anomalyco#16744, anomalyco#16137
Contributor
|
The following comment was made by an LLM, it may be inaccurate: Potential Duplicate PRs Found:
These should be reviewed to ensure the current PR isn't duplicating prior work or to understand why previous attempts may need refinement. |
This was referenced Mar 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue for this PR
Closes #15678
Type of change
What does this PR do?
Scopes the session list to the current working directory to prevent cross-worktree session leakage. When multiple worktrees share the same git root commit (same
project_id), sessions from all worktrees appear mixed in the list.Changes:
GET /session/to filter byInstance.directorywhen no directory param is providedNULLvalues (pre-migration sessions) viaOR(eq, isNull)workspaceIDinput param inSession.list()(was dead code) andcreateNext()workspaceIDquery param to session list API routedirectory: Instance.directoryin CLIsession listcommandHow did you verify your code works?
Full test suite: 128 tests across 13 files, 124 pass, 4 skip, 0 fail.
Added 3 new tests in
test/server/session-list.test.ts:workspace_idincluded when filtering by workspaceIDcreateNextaccepts explicit workspaceIDManually verified with worktrees sharing the same root commit — sessions now scoped correctly.
Screenshots / recordings
N/A — no UI changes, backend/API fix only.
Checklist