core.tool_session module

Authenticated tool-call session records — the trust boundary for delegated execution.

The dedicated tools service runs the dangerous / UNSANDBOXED_EXEC / shell tools, and tools/alter_privileges.has_privilege keys authority off user_id. The request envelope carries a user_id, but the tools service must not trust it: anything able to XADD sg:stream:tools could otherwise forge an admin id and escalate.

Instead, the inference tier — which is processing an authenticated platform message — writes the real identity to a short-lived Redis record keyed by the call’s trace_id, and the tools service resolves identity (and therefore privileges) from that record, treating the envelope’s identity fields as an untrusted lookup. A forged request that references an unknown trace_id is rejected (fail-closed); one that references a real trace_id only ever gets that (legitimate, non-attacker) user’s identity. This is defense-in-depth, paired with a Redis ACL that restricts XADD on sg:stream:tools to inference workers (ops; see scripts/systemd/stargazer-tools.service).
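
The lookup pattern described above, as an added sketch that is not the module's own code: the key prefix, JSON encoding, the in-memory FakeRedis stand-in and the names write_identity / resolve_identity are assumptions made for illustration.

```python
import asyncio
import json
import time

KEY_PREFIX = "demo:tool_session:"  # hypothetical key layout, not the project's


class FakeRedis:
    """In-memory stand-in for the async SET (with ex=) / GET calls."""

    def __init__(self):
        self._data = {}

    async def set(self, key, value, ex=None):
        self._data[key] = (value, time.monotonic() + ex if ex else None)

    async def get(self, key):
        value, expires = self._data.get(key, (None, None))
        if expires is not None and time.monotonic() >= expires:
            self._data.pop(key, None)  # record outlived its TTL
            return None
        return value


async def write_identity(redis, trace_id, identity, ttl=300):
    # Inference side: persist the authenticated identity; no-op on empty trace_id.
    if not trace_id:
        return
    await redis.set(KEY_PREFIX + trace_id, json.dumps(identity), ex=ttl)


async def resolve_identity(redis, envelope):
    # Tools side: the envelope supplies only a lookup key, never the identity.
    trace_id = envelope.get("trace_id")
    raw = await redis.get(KEY_PREFIX + trace_id) if trace_id else None
    if raw is None:
        raise PermissionError("no session record for trace_id (fail-closed)")
    return json.loads(raw)


def run_demo():
    async def scenario():
        redis = FakeRedis()
        await write_identity(redis, "trace-1", {"user_id": "u-100", "platform": "demo"})
        # Constructed envelopes whose user_id field claims to be an admin.
        known = await resolve_identity(redis, {"trace_id": "trace-1", "user_id": "admin"})
        try:
            await resolve_identity(redis, {"trace_id": "trace-x", "user_id": "admin"})
            unknown = "accepted"
        except PermissionError:
            unknown = "rejected"
        return known["user_id"], unknown
    return asyncio.run(scenario())
```

run_demo() returns the identity stored by the inference side for the known trace_id, regardless of the user_id claimed in the envelope, and reports the unknown trace_id as rejected.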

async core.tool_session.write_session(redis, trace_id, identity, ttl=300)

Persist the authenticated identity for trace_id (inference side).

identity should carry the real user_id / guild_id / channel_id / platform (and optional user_aliases) of the message being processed. No-op when trace_id is empty.

Return type:

None

Parameters:

async core.tool_session.read_session(redis, trace_id)

Return the authenticated identity for trace_id, or None if absent.

Return type:

Optional[dict[str, Any]]

Parameters: