#15793: fix(sessions): gracefully handle stale cross-agent session file paths
stale
size: XS
Cluster:
Session Management Enhancements
## Summary
- When a user is re-routed from one agent to another via bindings config, the persisted `sessionFile` may point to the previous agent's sessions directory, causing `resolvePathWithinSessionsDir` to throw "Session file path must be within sessions directory"
- Updated `resolveSessionFilePath` to validate the stored path is within the current agent's sessions directory; if not, gracefully falls back to generating a fresh path
- Added test case to verify stale cross-agent session file paths are handled correctly
## Test plan
- [x] Existing tests pass: `npx vitest run src/config/sessions.test.ts` (28 tests passing)
- [x] New test verifies stale cross-agent path fallback behavior
- [ ] Manual test: configure a binding to route a user to a different agent, send a message, confirm no "Session file path must be within sessions directory" error
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- greptile_comment -->
<h2>Greptile Overview</h2>
<h3>Greptile Summary</h3>
This PR updates `resolveSessionFilePath` to detect when a persisted `sessionFile` points outside the current agent’s sessions directory (e.g. after binding-based reroutes) and, in that case, falls back to generating a fresh transcript path under the current agent. It also adds a unit test intended to cover the stale cross-agent path scenario.
The change is localized to session path resolution (`src/config/sessions/paths.ts`) which is used by command execution, usage reporting, and auto-reply session handling throughout the codebase to find the transcript `.jsonl` file for a session.
<h3>Confidence Score: 3/5</h3>
- This PR is close, but the new path containment check is not reliable for absolute paths and could still accept incorrect locations.
- Core behavior change is small and well-targeted, but the containment logic uses `path.resolve(sessionsDir, candidate)` which ignores `sessionsDir` when `candidate` is absolute; combined with a prefix-based `relative.startsWith("..")` check, it can incorrectly treat some out-of-dir paths as valid. The new test also uses substring assertions that don’t robustly validate directory containment across platforms.
- src/config/sessions/paths.ts; src/config/sessions.test.ts
<sub>Last reviewed commit: 57ec7a4</sub>
<!-- /greptile_comment -->
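Added example (not code from this PR or the project): the containment weakness the review describes, reconstructed from its wording as an assumption, beside a segment-wise check and a fallback like the one the summary describes. Function names and sample paths are constructed; `path.posix` and `path.win32` are used explicitly so the results are the same on any host.

```javascript
// Added example: names and sample paths are constructed, not taken from the PR.
const path = require("node:path");

// Check reconstructed from the review's wording (assumption): resolve the
// candidate against the sessions dir, reject only if relative starts with "..".
function isWithinPrefixCheck(p, sessionsDir, candidate) {
  const resolved = p.resolve(sessionsDir, candidate); // absolute candidate ignores sessionsDir
  return !p.relative(sessionsDir, resolved).startsWith("..");
}

// Segment-wise lexical check. It does not resolve symlinks.
function isWithinSegmentCheck(p, sessionsDir, candidate) {
  const root = p.resolve(sessionsDir);
  const rel = p.relative(root, p.resolve(root, candidate));
  if (rel === "" || p.isAbsolute(rel)) return false; // the dir itself, or another drive
  return rel !== ".." && !rel.startsWith(".." + p.sep);
}

// Fallback in the spirit of the PR summary: keep a contained stored path,
// otherwise generate a fresh path under the current agent's sessions dir.
function resolveOrFallback(p, sessionsDir, stored, sessionId) {
  return isWithinSegmentCheck(p, sessionsDir, stored)
    ? p.resolve(sessionsDir, stored)
    : p.join(sessionsDir, `${sessionId}.jsonl`);
}

// Constructed inputs: [label, path flavour, sessions dir, stored sessionFile]
const CASES = [
  ["stale cross-agent path", path.posix, "/data/agents/b/sessions", "/data/agents/a/sessions/s1.jsonl"],
  ["file name starting with '..'", path.posix, "/data/agents/b/sessions", "..s1.jsonl"],
  ["other drive", path.win32, "C:\\agents\\b\\sessions", "D:\\agents\\a\\sessions\\s1.jsonl"],
];

function runCases() {
  return CASES.map(([label, p, dir, stored]) => ({
    label,
    prefixCheck: isWithinPrefixCheck(p, dir, stored),
    segmentCheck: isWithinSegmentCheck(p, dir, stored),
  }));
}

console.table(runCases());
```

The two checks agree on the stale cross-agent path; they differ on the in-directory file whose name begins with `..` (the prefix check rejects it) and on the other-drive path, where `path.win32.relative` returns an absolute path that the prefix check accepts.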
Most Similar PRs
#16061: fix(sessions): tolerate invalid sessionFile metadata
by haoyifan · 2026-02-14
87.1%
#16249: fix(sessions): allow cross-agent session paths in multi-agent bindings
by 0xbrak · 2026-02-14
86.2%
#15744: fix: allow cross-agent session path validation
by scottgl9 · 2026-02-13
86.2%
#15176: fix(sessions): allow channel-routed session IDs and cross-agent paths
by cathrynlavery · 2026-02-13
85.4%
#15941: fix(sessions): allow session file paths from other agents' sessions...
by LiJianLi128 · 2026-02-14
84.9%
#15888: fix: store relative session file paths instead of absolute
by devAnon89 · 2026-02-14
84.5%
#20336: fix(sessions): resolve transcriptPath using agentId when storePath ...
by Limitless2023 · 2026-02-18
83.7%
#20188: fix: Update sessionFile path when rolling to new session in cron jobs
by jriff · 2026-02-18
83.4%
#16171: fix: trust absolute sessionFile paths in multi-agent setups [AI-ass...
by iJaack · 2026-02-14
82.5%
#15792: fix: pass agentId to resolveSessionFilePath in additional call sites
by MisterGuy420 · 2026-02-13
82.1%