Skip to content

fix(session): scope session list to current directory to prevent cross-worktree leakage#16827

Open
andreagroferreira wants to merge 1 commit intoanomalyco:devfrom
andreagroferreira:fix/session-directory-filtering
Open

fix(session): scope session list to current directory to prevent cross-worktree leakage#16827
andreagroferreira wants to merge 1 commit intoanomalyco:devfrom
andreagroferreira:fix/session-directory-filtering

Conversation

@andreagroferreira
Copy link

@andreagroferreira andreagroferreira commented Mar 10, 2026

Issue for this PR

Closes #15678

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

Scopes the session list to the current working directory to prevent cross-worktree session leakage. When multiple worktrees share the same git root commit (same project_id), sessions from all worktrees appear mixed in the list.

Changes:

  • Default GET /session/ to filter by Instance.directory when no directory param is provided
  • Fix workspace_id filtering to include NULL values (pre-migration sessions) via OR(eq, isNull)
  • Use explicit workspaceID input param in Session.list() (was dead code) and createNext()
  • Add workspaceID query param to session list API route
  • Pass directory: Instance.directory in CLI session list command

How did you verify your code works?

Full test suite: 128 tests across 13 files, 124 pass, 4 skip, 0 fail.
Added 3 new tests in test/server/session-list.test.ts:

  • Sessions with NULL workspace_id included when filtering by workspaceID
  • Directory filter prevents cross-worktree session leakage
  • createNext accepts explicit workspaceID

Manually verified with worktrees sharing the same root commit — sessions now scoped correctly.

Screenshots / recordings

N/A — no UI changes, backend/API fix only.

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR

fix(session): scope session list to current directory to prevent cros…
dc90982 
…s-worktree leakage

When multiple git worktrees share the same root commit, they get the same
project_id. This causes sessions from different worktrees to appear mixed
in the session list. Similarly, the 'global' project (worktree '/') acts
as a catch-all bucket, mixing sessions from unrelated directories.

Changes:
- Default the session list API route to filter by Instance.directory,
  ensuring sessions are scoped to the active working directory
- Fix workspace_id filtering to include sessions with NULL workspace_id
  (pre-migration sessions) using OR condition instead of strict equality
- Use explicit workspaceID input parameter in Session.list() instead of
  only reading from WorkspaceContext (the param was dead code before)
- Add workspaceID query parameter to GET /session/ API route
- Pass directory filter in CLI 'session list' command
- Allow explicit workspaceID in Session.createNext() input
- Add tests for directory scoping, NULL workspace_id handling, and
  explicit workspaceID in createNext

Fixes anomalyco#15678, relates to anomalyco#16744, anomalyco#16137
@github-actions
Copy link
Contributor

github-actions bot commented Mar 10, 2026

The following comment was made by an LLM, it may be inaccurate:

Potential Duplicate PRs Found:

  1. PR fix: scope session list and children to current worktree #13960 - "fix: scope session list and children to current worktree"

  2. PR fix: filter CLI sessions by current directory for worktree support #12008 - "fix: filter CLI sessions by current directory for worktree support"

  3. PR fix: list all sessions regardless of git context (#15678) #15772 - "fix: list all sessions regardless of git context (opencode sessions command fails to list historical sessions when run inside a Git repository #15678)"

These should be reviewed to ensure the current PR isn't duplicating prior work or to understand why previous attempts may need refinement.

This was referenced Mar 10, 2026
Open
Open
Open
@axsuul
Copy link

axsuul commented Mar 14, 2026

I need this bad, otherwise I'm forced to run an OpenCode server per project right now in order to get session segregation. That means I'm running 10-20+ OpenCode servers at all times.

@github-actions github-actions bot mentioned this pull request Mar 14, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

opencode sessions command fails to list historical sessions when run inside a Git repository

2 participants

@andreagroferreira @axsuul