Summary
undo_last() operates on a global in-memory action stack and does not filter actions by session.
As a result, one session can undo actions that belong to another session.
Affected Files
- core/hybrid/action_logger.py
- api/routes/actions.py
Root Cause
undo_last() simply pops the most recent action from the global stack.
The API endpoint does not provide session context when invoking undo operations.
This causes the most recently logged action to be undone regardless of ownership.
Reproduction
- Create Session A.
- Create Session B.
- Log an action in Session A.
- Log an action in Session B.
- Trigger undo from Session A.
- Observe that Session B's action is undone.
Expected Behavior
Undo operations should only affect actions belonging to the requesting session.
Actual Behavior
Undo operations can affect foreign sessions.
Why This Is Difficult To Detect
Single-session tests never expose ownership violations.
The bug only appears with concurrent sessions.
Production Impact
- Cross-session corruption
- Unexpected undo behavior
- Ownership violations
- Loss of user trust
Severity
High
Summary
undo_last() operates on a global in-memory action stack and does not filter actions by session.
As a result, one session can undo actions that belong to another session.
Affected Files
Root Cause
undo_last() simply pops the most recent action from the global stack.
The API endpoint does not provide session context when invoking undo operations.
This causes the most recently logged action to be undone regardless of ownership.
Reproduction
Expected Behavior
Undo operations should only affect actions belonging to the requesting session.
Actual Behavior
Undo operations can affect foreign sessions.
Why This Is Difficult To Detect
Single-session tests never expose ownership violations.
The bug only appears with concurrent sessions.
Production Impact
Severity
High