[BUG] undo_last() is not session-scoped and can undo actions belonging to other active sessions

[Ridanshi]

Summary

The session cleanup workflow correctly deletes persistent records for the requested session, but it clears the entire in-memory undo stack shared across all active sessions.

As a result, clearing one session silently destroys undo history for unrelated sessions.

Affected File

core/hybrid/action_logger.py

Root Cause

clear_session(session_id) performs a session-scoped SQLite delete:

DELETE FROM action_log WHERE session_id = ?

but then executes:

self._stack.clear()
self._undone_ids.clear()

These structures are global and shared across all sessions.

The database operation is correctly scoped, but the in-memory cleanup is not.

Reproduction

1. Create Session A and log several actions.
2. Create Session B and log several actions.
3. Clear Session B.
4. Attempt to undo actions in Session A.
5. Observe that Session A has lost its undo history despite its records still existing in SQLite.

Expected Behavior

Only the targeted session should lose its undo history.

Actual Behavior

Undo state for all active sessions is removed.

Why This Is Difficult To Detect

Single-session testing behaves correctly.

The issue only appears when multiple active sessions coexist.

Production Impact

• Cross-session state corruption
• Undo functionality unexpectedly disappears
• Multi-user interference
• Inconsistent behavior between memory and persistence layers

Severity

Critical

[Ridanshi]

I investigated this issue and would like to work on a fix.

The current session cleanup workflow removes undo state globally rather than only for the targeted session.

I plan to:

• scope cleanup operations to the affected session
• preserve existing persistence behavior
• add regression coverage for multi-session scenarios

Please assign this issue to me.