feat: include endpoints to interact with specific agent sessions

[miguelangarano]

Summary

This PR introduces the ability to interact with and retrieve specific agent sessions directly, bypassing the agent's default active session. This enables clients to multiplex multiple independent conversations with the same agent simultaneously over HTTP or a single WebSocket connection, while keeping the context and memory of each session strictly isolated.

Changes

• New API Endpoints:
  • Added GET /api/sessions/{id} to fetch the conversation history of any specific session.
  • Added POST /api/agents/{id}/sessions/{session_id}/message to send a synchronous message to a specific session.
  • Added POST /api/agents/{id}/sessions/{session_id}/message/stream for SSE streaming to a specific session.
• Kernel Updates:
  • Modified send_message_with_handle_and_blocks and send_message_streaming to accept an optional target_session_id.
  • Updated execute_llm_agent to use the target session if provided, otherwise falling back to the agent's active session.
• WebSocket Enhancements:
  • WS payload can now accept an optional session_id to route messages.
  • Enforced session_id as a mandatory field in all outgoing WS events (typing, text_delta, response, error, etc.) to allow clients to reliably filter and route incoming streams. If the client doesn't provide one, it resolves and returns the agent's active session ID.
• Testing:
  • Added test_specific_session_messaging in api_integration_test.rs to verify session isolation, message routing, and specific session retrieval.

Testing

• cargo clippy --workspace --all-targets -- -D warnings passes
• cargo test --workspace passes
• Live integration tested (if applicable)

Security

• No new unsafe code
• No secrets or API keys in diff
• User input validated at boundaries

[jaberjaber23]

LGTM. Needed feature — session-targeted messaging enables multiplexing independent conversations. Good refactoring (extracts format_session_messages), proper input validation (64KB size limit, UUID parsing), WebSocket session_id routing, and comprehensive integration test. Please rebase on main.

[jaberjaber23]

This PR has merge conflicts. Please rebase onto the latest main branch and resolve conflicts so we can merge.

[jaberjaber23]

Thanks @miguelangarano — endpoints to interact with specific agent sessions are useful, especially for integrations. Branch is CONFLICTING against main right now.

Before re-review:

1. Rebase on current main (post-fix(deps): upgrade wasmtime 41->43 and rumqttc 0.24->0.25 to resolve active CVEs #1041).
2. Authorization / IDOR. The new get_session handler returns the full message history keyed only by session_id. Confirm (and ideally enforce) that the same auth layer protecting send_message is applied here, and consider adding an agent-ownership check so one API caller can't read another agent's session by guessing a session UUID.
3. Input validation. send_message_to_session caps messages at 64KB — good. Also please validate that the caller-provided session_id actually belongs to the agent_id in the route (or reject if mismatched).
4. Rate limiting. These endpoints can drive agent iterations — confirm they're behind the same rate limiter as the existing chat endpoints.

Good feature; just needs the auth story buttoned up. Happy to re-review once rebased.

[jaberjaber23]

Re-reviewing on current head. Code is largely good but needs changes before merge.

Blocker: IDOR on session endpoints.

POST /api/agents/{id}/sessions/{session_id}/message and GET /api/sessions/{session_id} accept any caller-supplied UUID with no ownership check. The kernel path does unwrap_or_else to create a session keyed on the route's agent_id for whatever UUID the caller provides. A caller can read or poison another agent's session by guessing or enumerating UUIDs. Same surface on the WS fallback to Uuid::nil() when the agent is missing.

Required fix: gate every session route through an ownership check that the session belongs to the authenticated user (or to the agent's owner under RBAC). Reuse the auth pattern from POST /api/skills/install.

Other items:

• Branch is DIRTY against main (8b411c2), needs rebase.
• Unrelated rustfmt-only hunks in kernel.rs, web_fetch.rs, web_search.rs plus an mcp.rs transport refactor — please split those out.
• Good: 64KB cap on inbound message size, UUID parse validation, the format_session_messages refactor, one integration test.

Once IDOR is closed and the diff is trimmed, this is mergeable.