Follow-up to PR #40 review finding 4 (@codexmb): the PASSIVE role is model-followed instructions — a session that ignores its injected context can still post to the room via curl or the IAK MCP tools.
Proposed enforcement boundary:
- The IAK MCP server's room-post tool checks the responder lock before sending: if the calling session does not hold
<notification file>.responder.lock (pid+pstart match), refuse with a clear error naming the current owner and the takeover recipe.
- Optionally the same check in the relay/bridge for agents that post through it.
- Raw curl against the GroupMind API cannot be blocked client-side; full enforcement would need per-session keys server-side — out of scope here, worth a note in the contract discussion for per-agent handle minting (antfarm PR #54).
Also from the review: add a test proving a PASSIVE session's toolpath refuses the post.
🤖 Generated with Claude Code
Follow-up to PR #40 review finding 4 (@codexmb): the PASSIVE role is model-followed instructions — a session that ignores its injected context can still post to the room via curl or the IAK MCP tools.
Proposed enforcement boundary:
<notification file>.responder.lock(pid+pstart match), refuse with a clear error naming the current owner and the takeover recipe.Also from the review: add a test proving a PASSIVE session's toolpath refuses the post.
🤖 Generated with Claude Code