Skip to content

Enforce single-responder lock in the room-send path (not just injected instructions) #42

Description

@ThinkOffApp

Follow-up to PR #40 review finding 4 (@codexmb): the PASSIVE role is model-followed instructions — a session that ignores its injected context can still post to the room via curl or the IAK MCP tools.

Proposed enforcement boundary:

  • The IAK MCP server's room-post tool checks the responder lock before sending: if the calling session does not hold <notification file>.responder.lock (pid+pstart match), refuse with a clear error naming the current owner and the takeover recipe.
  • Optionally the same check in the relay/bridge for agents that post through it.
  • Raw curl against the GroupMind API cannot be blocked client-side; full enforcement would need per-session keys server-side — out of scope here, worth a note in the contract discussion for per-agent handle minting (antfarm PR #54).

Also from the review: add a test proving a PASSIVE session's toolpath refuses the post.

🤖 Generated with Claude Code

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions