The envelope exposes idempotency_key at src/envelope.rs:111, the event log schema reserves an idempotency table at src/store/schema.sql:37, and the examples describe retrying the same logical command with the same key. The runtime implementation only keeps a per-connection seen_ids set for message ids at src/runtime/server.rs:348. That set rejects a replay of the exact same envelope id on the same connection, but it is discarded with the connection and it never consults idempotency_key, so a retried command that carries a fresh envelope id and the same logical key is treated as new work. Retrying after a disconnect can therefore start duplicate jobs instead of returning the original acknowledgement or rejecting a conflicting intent.
Fix prompt: Implement logical idempotency at tool.invoke dispatch time. Scope the lookup by authenticated principal (or the session policy that stands in for one) together with the idempotency key, so one caller's key can neither return nor block another caller's job. Persist the key to the existing idempotency table or an equivalent runtime store, and make the lookup-and-reserve step atomic with dispatch so two concurrent retries cannot both miss. Return the prior job acknowledgement when the same key arrives with the same command intent (same tool and canonically serialized arguments), and reject a different tool or arguments under the same key with an appropriate error code rather than silently running either. Add integration tests for same-key same-tool retry, same-key different-tool conflict, and retry across a reconnect or new connection.
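The dispatch logic the fix prompt asks for, as an added example that is not code from the project under review. The Envelope, Ack and DispatchError shapes, the principal being a plain string, and the in-memory map standing in for the reserved SQL idempotency table are all assumptions; the fingerprint that binds a key to its command intent is simply the tool name plus the (assumed canonical) serialized arguments.

```rust
use std::collections::{HashMap, HashSet};

/// Hypothetical envelope, modelled on the fields the finding names
/// (`idempotency_key`, a per-message `id`) plus the tool.invoke payload.
/// `args` is assumed to be the canonically serialised argument object.
#[derive(Clone, Debug)]
pub struct Envelope {
    pub id: u64,
    pub idempotency_key: Option<String>,
    pub tool: String,
    pub args: String,
}

/// Acknowledgement returned when a job is accepted (hypothetical shape).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Ack {
    pub job_id: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum DispatchError {
    /// Exact replay of an envelope id on one connection (what seen_ids catches).
    DuplicateEnvelopeId,
    /// Same (principal, key) reused for a different tool or arguments.
    IdempotencyConflict { key: String },
}

/// Stand-in for the runtime: the per-connection seen_ids set the finding
/// describes, plus an in-memory idempotency table in place of the SQL one.
#[derive(Default)]
pub struct Runtime {
    seen_ids: HashMap<u64, HashSet<u64>>,
    /// (principal, idempotency_key) -> (payload fingerprint, original ack)
    idempotency: HashMap<(String, String), (String, Ack)>,
    next_job: u64,
    started: Vec<(String, String)>,
}

impl Runtime {
    pub fn invoke(&mut self, conn: u64, principal: &str, env: &Envelope) -> Result<Ack, DispatchError> {
        // Step 1: the existing per-connection check. It only rejects the exact
        // same envelope id on the same connection; a reconnect or a fresh id
        // passes straight through to dispatch.
        if !self.seen_ids.entry(conn).or_default().insert(env.id) {
            return Err(DispatchError::DuplicateEnvelopeId);
        }

        // Step 2: logical idempotency, scoped by the authenticated principal so
        // one caller's key can never return or block another caller's job.
        let scope = env
            .idempotency_key
            .as_ref()
            .map(|k| (principal.to_string(), k.clone()));
        // The fingerprint binds the key to the full command intent (tool + args).
        let fingerprint = format!("{}\u{1f}{}", env.tool, env.args);

        if let Some(scope) = &scope {
            if let Some((prior_fp, ack)) = self.idempotency.get(scope) {
                if *prior_fp == fingerprint {
                    // Same intent retried: hand back the original acknowledgement.
                    return Ok(ack.clone());
                }
                // Same key, different intent: refuse rather than guess.
                return Err(DispatchError::IdempotencyConflict { key: scope.1.clone() });
            }
        }

        // Step 3: reserve the key before the job becomes observable. In a real
        // store this insert and the dispatch belong in one transaction so a
        // racing retry sees the reservation instead of an empty slot.
        self.next_job += 1;
        let ack = Ack { job_id: self.next_job };
        if let Some(scope) = scope {
            self.idempotency.insert(scope, (fingerprint, ack.clone()));
        }
        self.started.push((env.tool.clone(), env.args.clone()));
        Ok(ack)
    }

    /// Number of jobs actually started; a correct retry must not raise it.
    pub fn jobs_started(&self) -> usize {
        self.started.len()
    }
}

/// Helper to build constructed sample envelopes for the scenarios below.
pub fn make_env(id: u64, key: Option<&str>, tool: &str, args: &str) -> Envelope {
    Envelope {
        id,
        idempotency_key: key.map(str::to_string),
        tool: tool.to_string(),
        args: args.to_string(),
    }
}

fn main() {
    let mut rt = Runtime::default();
    let first = rt.invoke(1, "alice", &make_env(10, Some("k1"), "deploy", r#"{"env":"prod"}"#)).unwrap();
    // Client reconnects (new conn, fresh envelope id) and retries: same ack, no new job.
    let retry = rt.invoke(2, "alice", &make_env(11, Some("k1"), "deploy", r#"{"env":"prod"}"#)).unwrap();
    println!("first job {}, retry job {}, jobs started {}", first.job_id, retry.job_id, rt.jobs_started());
}
```

The three test scenarios the fix prompt lists map directly onto invoke: a same-key same-tool retry on a new connection returns the first Ack and leaves jobs_started at 1, a same-key different-tool call returns IdempotencyConflict, and the same key from a different principal starts a separate job. Keys without an idempotency_key still fall through to the old behaviour, which is exactly the duplicate-job path the finding describes.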