Skip to content

feat: support server-owned session IDs with body/header config#167

Merged
jithin23-kv merged 2 commits into
KeyValueSoftwareSystems:masterfrom
jithin23-kv:feat/support-server-owned-session-id
Jul 6, 2026
Merged

feat: support server-owned session IDs with body/header config#167
jithin23-kv merged 2 commits into
KeyValueSoftwareSystems:masterfrom
jithin23-kv:feat/support-server-owned-session-id

Conversation

@jithin23-kv

@jithin23-kv jithin23-kv commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Problem

Opfor only supported "client-owned" sessions — it mints a session id and sends it in a body
field every turn. Many real agents work the opposite way ("server-owned"): the target itself
mints a session id and returns it in the response (body, header, or cookie), and the client is
expected to echo it back. Against these targets, opfor was sending an id nobody used and
throwing away the id it should have been using — every turn looked like a fresh conversation.
There was also no way to send a session id via a header, and opfor hunt had almost no way to
configure sessions at all.

Solution

Added a session config that supports both directions:

  • send — where opfor puts the session id in a request (body or header)
  • receive — where opfor reads a session id back from a response (body, header, or cookie)

If receive is set, opfor sends no id on turn 1, captures whatever the target returns, and
echoes it on later turns. If receive is not set, it behaves exactly like before (client-owned).
This works the same way across opfor run, opfor hunt, the SDK, and the MCP server. Old
configs using sessionIdField keep working unchanged.

Changes

  • core — new session-handling logic shared by the run path and hunt; session id capture from
    responses (body/header/cookie); session config validation.
  • CLI — setup wizard now asks how sessions work (client vs server-owned, body vs header);
    opfor hunt --target-config <file> lets you configure rich sessions for hunt; hunt's setup UI
    got the same options.
  • SDK / MCP — same session config exposed in both.
  • docs — new docs/sessions.md explaining the whole model, linked from the CLI/SDK/MCP/hunt
    docs.
  • tests — new tests covering capture from body, header, and cookies, on both the run and hunt
    paths.

Issue

N/A

How to test

npm run build && npm run typecheck && npm run lint && npm test

Summary by CodeRabbit

Summary

  • New Features

    • Added structured, stateful session-ID handling for HTTP agent targets with client-owned vs server-owned modes.
    • Supports sending/receiving session IDs via request body, request headers, and set-cookie/cookie.
    • CLI/SDK/MCP/setup UI now accept and generate the new session configuration; opfor hunt adds --target-config.
  • Bug Fixes

    • Improved multi-turn behavior by correctly capturing and reusing server-minted session IDs (with a safe fallback when missing).
  • Documentation

    • Added a dedicated sessions guide and refreshed CLI/MCP/SDK examples and legacy alias notes.
  • Tests

    • Added integration and unit coverage for session planning, injection, and extraction.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 47f56030-e39c-48c9-abf9-b9930b147ba6

📥 Commits

Reviewing files that changed from the base of the PR and between 051dec9 and 485e3fd.

📒 Files selected for processing (16)
  • core/src/autonomous/target/http.ts
  • core/src/config/schema.ts
  • core/src/execute/agentAttackDriver.ts
  • core/src/execute/types.ts
  • core/src/targets/httpClient.ts
  • core/tests/agentTargetSession.test.ts
  • docs/cli.md
  • docs/sessions.md
  • runners/cli/src/commands/hunt.ts
  • runners/cli/src/commands/setup.ts
  • runners/cli/src/ui/server.ts
  • runners/cli/ui/src/components/SetupPage.tsx
  • runners/mcp/src/index.ts
  • runners/sdk/src/hunt.ts
  • runners/sdk/src/run.ts
  • runners/sdk/src/types.ts
✅ Files skipped from review due to trivial changes (3)
  • core/src/execute/types.ts
  • docs/cli.md
  • docs/sessions.md
🚧 Files skipped from review as they are similar to previous changes (11)
  • runners/cli/src/ui/server.ts
  • core/tests/agentTargetSession.test.ts
  • runners/sdk/src/types.ts
  • core/src/config/schema.ts
  • core/src/execute/agentAttackDriver.ts
  • runners/cli/src/commands/setup.ts
  • runners/cli/ui/src/components/SetupPage.tsx
  • runners/mcp/src/index.ts
  • core/src/targets/httpClient.ts
  • core/src/autonomous/target/http.ts
  • runners/cli/src/commands/hunt.ts

Walkthrough

Introduces structured session configuration for HTTP-based agent targets, including session planning, request injection, and response capture. The change is wired through core execution, autonomous targets, SDK, CLI, MCP setup flows, tests, and updated documentation.

Changes

Session Handling Feature

Layer / File(s) Summary
SessionConfig contracts and schema validation
core/src/execute/types.ts, core/src/autonomous/lib/types.ts, core/src/config/schema.ts
Adds SessionConfig typing, extends target config interfaces, and validates agent target session configuration with parseAgentTarget.
HTTP client session plan resolution and capture
core/src/targets/httpClient.ts
Adds session plan resolution, request/response helpers, and captured session id output from httpSend.
agentTarget request and response wiring
core/src/targets/agentTarget.ts
Applies session config to outbound requests and captures returned session ids through response finishing and callbacks.
Autonomous target and attack driver session tracking
core/src/autonomous/target/http.ts, core/src/execute/agentAttackDriver.ts
Forwards session config into autonomous HTTP targets and reuses captured server session ids across attack turns.
Core session tests
core/tests/agentTargetSession.test.ts, core/tests/autonomousTargetSession.test.ts, core/tests/sessionPlan.test.ts
Adds integration and unit coverage for client-owned and server-owned session flows.
SDK session config integration
runners/sdk/src/hunt.ts, runners/sdk/src/run.ts, runners/sdk/src/index.ts, runners/sdk/src/types.ts
Re-exports SessionConfig and forwards structured session settings through SDK target config mapping.
CLI hunt, setup, and UI session configuration
runners/cli/src/commands/hunt.ts, runners/cli/src/commands/setup.ts, runners/cli/src/ui/server.ts, runners/cli/ui/src/components/SetupPage.tsx
Adds run-style target loading, structured setup collection, UI session derivation, and setup-form session controls.
MCP setup tool session fields
runners/mcp/src/index.ts
Adds agent session send and receive inputs and maps them into SessionConfig for run configuration.
Session handling documentation
docs/sessions.md, AGENTS.md, README.md, docs/cli.md, docs/hunt.md, docs/mcp.md, docs/sdk.md
Adds session handling docs and updates configuration references across project docs.

Estimated code review effort: 4 (Complex) | ~75 minutes

Sequence Diagram(s)

sequenceDiagram
  participant AgentAttackDriver
  participant agentTarget
  participant httpClient
  participant RemoteTarget

  AgentAttackDriver->>httpClient: resolveSessionPlan(targetConfig)
  httpClient-->>AgentAttackDriver: SessionPlan
  AgentAttackDriver->>agentTarget: send(prompt, captureSession)
  agentTarget->>httpClient: applySessionToRequest(plan, sessionId)
  agentTarget->>RemoteTarget: fetch(request)
  RemoteTarget-->>agentTarget: response
  agentTarget->>httpClient: captureSessionFromResponse(response, plan)
  httpClient-->>agentTarget: sessionId
  agentTarget->>AgentAttackDriver: captureSession(sessionId)
  AgentAttackDriver->>agentTarget: next send with reused sessionId
Loading

Possibly related PRs

Suggested reviewers: arunSunnyKVS, achuvyas-kv

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: adding server-owned session ID support with body/header handling.
Description check ✅ Passed The description follows the template well, covering Problem, Solution, Changes, Issue, and How to test with enough detail.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 10

🧹 Nitpick comments (6)
core/tests/agentTargetSession.test.ts (1)

124-139: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Cookie test only checks capture, not the turn-2 echo.

Unlike the body/header server-owned tests, this test doesn't verify that the captured cookie pair is actually echoed back via the Cookie header on turn 2. Adding that assertion would close a coverage gap for a format-sensitive path (raw "name=value" cookie serialization).

✅ Suggested addition
   let captured: string | undefined;
   await target.send("turn1", { sessionId: undefined, captureSession: (id) => (captured = id) });
   assert.equal(captured, "sid=cookie-1");
+
+  await target.send("turn2", { sessionId: captured });
+  assert.equal(received[1].sessionHeader, undefined);
 });
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@core/tests/agentTargetSession.test.ts` around lines 124 - 139, The
server-owned cookie test in agentTargetSession.test.ts only verifies that
`captureSession` receives the cookie pair from the first turn; update the same
test around createAgentTarget and target.send so it also performs a second send
using the captured session and asserts the outgoing Cookie header contains the
echoed raw `sid=cookie-1` value. Reuse the existing test name and the
send/receive session config to validate both capture and turn-2 echo behavior
for the Cookie path.
core/src/execute/agentAttackDriver.ts (1)

160-167: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Make the capture-miss warning actionable.

The message reports what happened but doesn't tell the operator what to check (e.g., verify the target actually returns a session id at the configured receive location, or confirm the target is configured for server-owned sessions at all).

As per coding guidelines: "Write actionable error messages that tell the user what to fix, not just what went wrong."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@core/src/execute/agentAttackDriver.ts` around lines 160 - 167, The
capture-miss warning in agentAttackDriver’s session handling is too generic;
update the log in the branch that checks this.sessionPlan.mode,
capturedSessionId, and warnedCaptureMiss to tell the operator what to verify.
Make the message actionable by pointing them to confirm the target returns a
session id at the configured receive location and that the target is actually
set up for server-owned sessions, while keeping the existing fallback behavior
unchanged.

Source: Coding guidelines

runners/sdk/src/hunt.ts (1)

109-114: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Redundant legacy-to-session conversion; core already does this.

resolveSessionPlan in core already derives send from a raw sessionField/sessionIdField when session is absent (send = source.session?.send ?? (legacyName ? {...} : undefined)). Since this code also passes the raw sessionField through as sessionField:, manually rebuilding session.send here duplicates that fallback logic in two places, risking drift if core's legacy-mapping rule changes.

♻️ Simplify by relying on core's fallback
-    session:
-      options.target.session ??
-      (options.target.sessionField
-        ? { send: { in: "body", name: options.target.sessionField } }
-        : undefined),
+    session: options.target.session,
     sessionField: options.target.session ? undefined : options.target.sessionField,
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@runners/sdk/src/hunt.ts` around lines 109 - 114, The session mapping in
hunt.ts is duplicating core’s legacy fallback logic by rebuilding session.send
from sessionField before passing it onward. Simplify the options object around
the session/sessionField handling so it only forwards the raw sessionField when
session is absent and lets resolveSessionPlan in core derive send itself,
keeping the behavior centralized and avoiding drift.
runners/sdk/src/run.ts (1)

99-105: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Same redundant legacy-to-session derivation as hunt.ts.

resolveSessionPlan already falls back from sessionIdField/sessionField to a {in:"body",name} send object when session is unset (see context snippet from core/src/targets/httpClient.ts). Manually rebuilding it here duplicates that logic.

♻️ Simplify by relying on core's fallback
-    // Prefer the structured `session`; fall back to legacy `sessionField` (body).
-    session:
-      httpTarget.session ??
-      (httpTarget.sessionField
-        ? { send: { in: "body", name: httpTarget.sessionField } }
-        : undefined),
+    session: httpTarget.session,
     sessionIdField: httpTarget.session ? undefined : httpTarget.sessionField,
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@runners/sdk/src/run.ts` around lines 99 - 105, The session mapping in run.ts
duplicates the legacy-to-session fallback already handled by resolveSessionPlan
in the HTTP client core. Update the code around the session/sessionIdField
construction in the run() flow to pass through httpTarget.session and
httpTarget.sessionField directly, and let core/src/targets/httpClient.ts perform
the fallback instead of rebuilding the { in: "body", name } object here. Use the
existing identifiers resolveSessionPlan, session, and sessionIdField to locate
and simplify this logic.
runners/mcp/src/index.ts (1)

428-441: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

receive can be built with name: undefined for body/header, silently disabling capture.

receive = receiveIn ? { in: receiveIn, name: receiveName } : undefined allows receiveIn: "body" or "header" with no receiveName. Per captureSessionFromResponse (core/src/targets/httpClient.ts), a body/header receive without a name always returns undefined, so the LLM-driven setup would silently produce a server-owned session that never actually captures an id. Only "set-cookie" is valid without a name.

♻️ Proposed fix
   const send = sendIn && sendName ? { in: sendIn, name: sendName } : undefined;
-  const receive = receiveIn ? { in: receiveIn, name: receiveName } : undefined;
+  const receive =
+    receiveIn === "set-cookie"
+      ? { in: receiveIn, name: receiveName }
+      : receiveIn && receiveName
+        ? { in: receiveIn, name: receiveName }
+        : undefined;
   if (!send && !receive) return undefined;
   return { send, receive };
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@runners/mcp/src/index.ts` around lines 428 - 441, Update buildSessionConfig
so receive is only created when the inputs are valid for
captureSessionFromResponse: body and header must require a non-empty
receiveName, while set-cookie may omit it. Right now buildSessionConfig in
runners/mcp/src/index.ts can return a receive object with name: undefined, which
later gets ignored and silently disables session capture; validate
receiveIn/receiveName before constructing SessionConfig and return undefined or
omit receive when the combination is invalid. Use the buildSessionConfig
function and the SessionConfig receive shape as the main points to adjust.
runners/cli/ui/src/components/SetupPage.tsx (1)

205-229: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider guiding users toward the correct Send config when Set-Cookie is selected.

When sessionReceiveIn === "set-cookie", the target's session id must be echoed via a Cookie header (see runners/cli/src/commands/setup.ts's collectSessionConfig, which auto-selects this). Here the Send location/name fields remain freely editable with no hint, so a user can easily leave them at body/session_id and end up with a broken server-owned session. Consider disabling/pre-filling the Send fields (or showing a note) when Set-Cookie is chosen, consistent with the mapping fix suggested in runners/cli/src/ui/server.ts.

Also applies to: 230-255

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@runners/cli/ui/src/components/SetupPage.tsx` around lines 205 - 229, When
sessionReceiveIn is set to set-cookie in SetupPage, the Send location/name
controls should guide users to the required Cookie header mapping instead of
оставing them editable with a misleading default. Update the SetupPage form
logic for the sessionSendIn/sessionSendName fields to either prefill and lock
them to the correct values or display a clear note tied to the set-cookie case,
matching the behavior in collectSessionConfig and the UI pattern used in
server.ts.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@core/src/autonomous/target/http.ts`:
- Around line 39-59: Add a one-time warning in createTargetClient when the
server-owned session path fails to capture a session id. In the send method,
after httpSend returns, detect the case where plan.mode is "server" but
result.sessionId is missing and emit a single warning using a persistent guard
so it only logs once per client. Reference createTargetClient, send, and the
serverSessions flow so the warning clearly points to the
session.receive/response-path mismatch that leaves later turns with undefined
sessionId.

In `@core/src/config/schema.ts`:
- Around line 104-111: The session schema currently allows receive.in values for
body/header without requiring a usable name, which lets parse succeed even
though captureSessionFromResponse() cannot capture or echo the session id.
Update the session.receive validation in schema.ts to use location-specific
branches so body/header require a non-empty trimmed name while set-cookie
remains optional, and keep the existing legacy send alias behavior unchanged.

In `@core/src/execute/agentAttackDriver.ts`:
- Around line 49-55: Persist the server-owned session state across
AgentAttackDriver resumes by carrying the captured session id and send counter
through AgentAttackContext or the constructor. The reset happens in
AgentAttackDriver when it is rebuilt from initialHistory, so update the
initialization path for capturedSessionId and sendCount so resumed turns in
sessionPlan.mode === "server" reuse the existing conversation instead of sending
undefined and minting a new one.

In `@core/src/execute/types.ts`:
- Around line 10-18: Tighten SessionConfig so it only allows valid session
flows: a server-returned session id should only be representable when paired
with a matching send path, and receive should require name for body/header while
allowing name to be omitted only for set-cookie. Update the SessionConfig type
in types.ts by making the send/receive relationship explicit, and use the
existing SessionConfig symbol to locate and refine the union/type shape so
unusable combinations cannot be expressed.

In `@core/src/targets/httpClient.ts`:
- Around line 236-238: The prompt field selection in httpClient.ts currently
falls back to "prompt" only when promptPath is nullish, so empty or
whitespace-only values still produce a blank key. Update the logic around
setByPath in the request body construction to trim config.promptPath first, then
use "prompt" when the trimmed value is empty. Keep the fix localized to the
prompt path handling in the request-building flow so body assignment and
applySessionToRequest continue to work as-is.

In `@docs/cli.md`:
- Around line 241-242: Update the `target.session` overview in docs/cli.md to
match the actual session contract in the config reference. In the paragraph near
the `target.sessionIdField` note, revise the description in `Target session
handling`/`target.session` so it explicitly includes cookie-based receive
sessions (for example, server-owned sessions captured from `set-cookie`)
alongside body/header handling. Keep the wording aligned with the
`target.session` and `target.sessionIdField` references so the overview and
detailed reference agree.

In `@runners/cli/src/commands/hunt.ts`:
- Around line 333-360: `--session-field` is being ignored whenever
`baseTarget.session` is already present because `target` keeps the structured
session config from the spread and `resolveSessionPlan` prefers it over the
legacy field. Update the `hunt.ts` target assembly so `opts.sessionField` can
override or clear any existing `baseTarget.session`/`sessionField`
configuration, or otherwise ensure the CLI override is converted into the
structured session shape before `resolveSessionPlan` runs. Use the `target`
object construction and `resolveSessionPlan` behavior as the key places to align
the override precedence.

In `@runners/cli/src/commands/setup.ts`:
- Around line 266-286: The receiveName prompt in setup.ts allows blank input for
the body and header session receive modes, which can later cause
captureSessionFromResponse to never match anything. Add validation to the
receiveName input in the session setup flow so that when receiveIn is "body" or
"header" the value is required and cannot be empty, while still allowing an
empty value only for "set-cookie". Keep the logic in collectSessionSend and
SessionConfig["receive"] aligned so the generated receive config always contains
a valid name for body/header modes.

In `@runners/cli/src/ui/server.ts`:
- Around line 17-38: buildSessionFromSetup is not matching the wizard defaults
for server sessions. Update the sessionMode handling in buildSessionFromSetup so
that sessionReceiveIn set to "set-cookie" forces send to use header with the
Cookie name, and for "body" or "header" receive modes do not collapse a blank
sessionReceiveName to undefined; instead use the mode default or validate/reject
the empty value. Keep the change localized to buildSessionFromSetup in server.ts
and preserve the existing client/server shape returned as SessionConfig.

In `@runners/sdk/src/types.ts`:
- Around line 25-28: The JSDoc for the session config is missing cookie support
in the receive direction, so update the comments on both sessionField and
session in the target config types to match the PR behavior. Adjust the wording
in the HttpTargetConfig.session and HuntTargetConfig.session documentation to
say receive supports body, header, or cookie, while keeping the existing
send/client- vs server-owned wording intact.

---

Nitpick comments:
In `@core/src/execute/agentAttackDriver.ts`:
- Around line 160-167: The capture-miss warning in agentAttackDriver’s session
handling is too generic; update the log in the branch that checks
this.sessionPlan.mode, capturedSessionId, and warnedCaptureMiss to tell the
operator what to verify. Make the message actionable by pointing them to confirm
the target returns a session id at the configured receive location and that the
target is actually set up for server-owned sessions, while keeping the existing
fallback behavior unchanged.

In `@core/tests/agentTargetSession.test.ts`:
- Around line 124-139: The server-owned cookie test in
agentTargetSession.test.ts only verifies that `captureSession` receives the
cookie pair from the first turn; update the same test around createAgentTarget
and target.send so it also performs a second send using the captured session and
asserts the outgoing Cookie header contains the echoed raw `sid=cookie-1` value.
Reuse the existing test name and the send/receive session config to validate
both capture and turn-2 echo behavior for the Cookie path.

In `@runners/cli/ui/src/components/SetupPage.tsx`:
- Around line 205-229: When sessionReceiveIn is set to set-cookie in SetupPage,
the Send location/name controls should guide users to the required Cookie header
mapping instead of оставing them editable with a misleading default. Update the
SetupPage form logic for the sessionSendIn/sessionSendName fields to either
prefill and lock them to the correct values or display a clear note tied to the
set-cookie case, matching the behavior in collectSessionConfig and the UI
pattern used in server.ts.

In `@runners/mcp/src/index.ts`:
- Around line 428-441: Update buildSessionConfig so receive is only created when
the inputs are valid for captureSessionFromResponse: body and header must
require a non-empty receiveName, while set-cookie may omit it. Right now
buildSessionConfig in runners/mcp/src/index.ts can return a receive object with
name: undefined, which later gets ignored and silently disables session capture;
validate receiveIn/receiveName before constructing SessionConfig and return
undefined or omit receive when the combination is invalid. Use the
buildSessionConfig function and the SessionConfig receive shape as the main
points to adjust.

In `@runners/sdk/src/hunt.ts`:
- Around line 109-114: The session mapping in hunt.ts is duplicating core’s
legacy fallback logic by rebuilding session.send from sessionField before
passing it onward. Simplify the options object around the session/sessionField
handling so it only forwards the raw sessionField when session is absent and
lets resolveSessionPlan in core derive send itself, keeping the behavior
centralized and avoiding drift.

In `@runners/sdk/src/run.ts`:
- Around line 99-105: The session mapping in run.ts duplicates the
legacy-to-session fallback already handled by resolveSessionPlan in the HTTP
client core. Update the code around the session/sessionIdField construction in
the run() flow to pass through httpTarget.session and httpTarget.sessionField
directly, and let core/src/targets/httpClient.ts perform the fallback instead of
rebuilding the { in: "body", name } object here. Use the existing identifiers
resolveSessionPlan, session, and sessionIdField to locate and simplify this
logic.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 120966d4-622b-4d40-8393-e19a99a081c0

📥 Commits

Reviewing files that changed from the base of the PR and between a3535bd and 051dec9.

📒 Files selected for processing (26)
  • AGENTS.md
  • README.md
  • core/src/autonomous/lib/types.ts
  • core/src/autonomous/target/http.ts
  • core/src/config/schema.ts
  • core/src/execute/agentAttackDriver.ts
  • core/src/execute/types.ts
  • core/src/targets/agentTarget.ts
  • core/src/targets/httpClient.ts
  • core/tests/agentTargetSession.test.ts
  • core/tests/autonomousTargetSession.test.ts
  • core/tests/sessionPlan.test.ts
  • docs/cli.md
  • docs/hunt.md
  • docs/mcp.md
  • docs/sdk.md
  • docs/sessions.md
  • runners/cli/src/commands/hunt.ts
  • runners/cli/src/commands/setup.ts
  • runners/cli/src/ui/server.ts
  • runners/cli/ui/src/components/SetupPage.tsx
  • runners/mcp/src/index.ts
  • runners/sdk/src/hunt.ts
  • runners/sdk/src/index.ts
  • runners/sdk/src/run.ts
  • runners/sdk/src/types.ts

Comment thread core/src/autonomous/target/http.ts
Comment thread core/src/config/schema.ts
Comment thread core/src/execute/agentAttackDriver.ts
Comment thread core/src/execute/types.ts Outdated
Comment thread core/src/targets/httpClient.ts
Comment thread docs/cli.md Outdated
Comment thread runners/cli/src/commands/hunt.ts
Comment thread runners/cli/src/commands/setup.ts Outdated
Comment thread runners/cli/src/ui/server.ts
Comment thread runners/sdk/src/types.ts
Tighten SessionConfig (send required, receive.name required except
set-cookie) so misconfigured sessions fail validation instead of silently
never capturing/echoing an id. Fix set-cookie handling in the hunt setup UI
and MCP session builder, session-id precedence in hunt's --target-config
flag override, a promptPath trim inconsistency in the hunt HTTP client, and
add a capture-miss warning + resume-session plumbing to match the run path.
Also drops redundant legacy-session-fallback duplication in the SDK and
tightens docs/test coverage flagged in review.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@jithin23-kv

Copy link
Copy Markdown
Collaborator Author

Addressed the 6 nitpicks from the review summary as well:

  • core/tests/agentTargetSession.test.ts (124-139) — cookie test now also asserts the turn-2 Cookie header echo, not just capture.
  • core/src/execute/agentAttackDriver.ts (160-167) — capture-miss warning now says what to check (verify the target returns an id at the configured receive location).
  • runners/sdk/src/hunt.ts / run.ts — dropped the redundant legacy-fallback rebuild; now just pass session/sessionField through and let resolveSessionPlan own precedence.
  • runners/mcp/src/index.ts (428-441) — receive now requires a name for body/header; send defaults to mirror receive when unset.
  • runners/cli/ui/src/components/SetupPage.tsx (205-229) — Send fields now show a fixed note instead of staying editable when Set-Cookie is selected.

All in 485e3fd.

@jithin23-kv jithin23-kv merged commit 121edfd into KeyValueSoftwareSystems:master Jul 6, 2026
8 checks passed
@jithin23-kv jithin23-kv deleted the feat/support-server-owned-session-id branch July 6, 2026 10:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants