Bug: revoke uses wallet address as session token
cmd_revoke creates a fake Session with the wallet address as the token:
```rust
let target_session = Session {
    token: agent.to_string(), // BUG: wallet address, not a session token
    wallet: WalletAddress(agent.to_string()),
    ...
};
```
The backend's revoke_session handler queries WHERE token = ?1, so it never finds a match and returns "target session not found".
Proposed fix
Self-revoke (no args)
Revokes the current session (from keychain), then wipes the local keychain/file entry. User must init again to get a new session. This is the most common case.
Revoke a child agent (by wallet or alias)
```
agentkeys revoke 0xCHILD_WALLET
agentkeys revoke my-bot
```
The backend should look up active sessions by wallet address (not token) and revoke them. This requires a new backend endpoint or modifying revoke_session to accept wallet-based lookups.
Revoke vs teardown semantics
| Command | What it does | Wallet survives? | Credentials survive? |
|---|---|---|---|
| agentkeys revoke | Invalidates session token | Yes | Yes (but inaccessible without a valid session) |
| agentkeys teardown 0xAGENT | Deletes all credentials + revokes all sessions | Yes (account exists) | No |
After revoke: wallet + private key + credentials still exist on the backend. User runs init (same mock token / OAuth) to get a new session for the same wallet.
After teardown: credentials are deleted. User can init again but starts with an empty credential set.
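An added sketch, not the project's code, of the token lookup that misses, the wallet lookup proposed above, and the revoke/teardown difference. The in-memory `Backend`, its method names and the sample tokens are assumptions standing in for the real session table and handlers.

```rust
use std::collections::HashMap;

// Hypothetical in-memory stand-in for the backend's tables; not the project's schema.
struct Session { token: String, wallet: String, revoked: bool }

#[derive(Default)]
pub struct Backend {
    sessions: Vec<Session>,
    credentials: HashMap<String, Vec<String>>, // wallet -> credential names
}

impl Backend {
    pub fn add_session(&mut self, token: &str, wallet: &str) {
        self.sessions.push(Session { token: token.into(), wallet: wallet.into(), revoked: false });
    }
    pub fn add_credential(&mut self, wallet: &str, name: &str) {
        self.credentials.entry(wallet.into()).or_default().push(name.into());
    }
    // Marks every active session matching `pred` as revoked; errors if none matched.
    fn revoke_where(&mut self, pred: impl Fn(&Session) -> bool) -> Result<usize, &'static str> {
        let mut n = 0;
        for s in self.sessions.iter_mut() {
            if !s.revoked && pred(&*s) { s.revoked = true; n += 1; }
        }
        if n == 0 { Err("target session not found") } else { Ok(n) }
    }
    // Current behaviour: equivalent of `WHERE token = ?1`.
    pub fn revoke_by_token(&mut self, token: &str) -> Result<usize, &'static str> {
        self.revoke_where(|s| s.token == token)
    }
    // Proposed behaviour: revoke all active sessions owned by the wallet.
    pub fn revoke_by_wallet(&mut self, wallet: &str) -> Result<usize, &'static str> {
        self.revoke_where(|s| s.wallet == wallet)
    }
    // Teardown: delete credentials and revoke sessions; returns sessions revoked.
    pub fn teardown(&mut self, wallet: &str) -> usize {
        self.credentials.remove(wallet);
        self.revoke_by_wallet(wallet).unwrap_or(0)
    }
    pub fn is_active(&self, token: &str) -> bool { self.sessions.iter().any(|s| s.token == token && !s.revoked) }
    pub fn credential_count(&self, wallet: &str) -> usize { self.credentials.get(wallet).map_or(0, |v| v.len()) }
}

fn main() {
    let mut b = Backend::default();
    b.add_session("tok-child-1", "0xCHILD_WALLET"); // constructed sample values
    println!("wallet passed as token: {:?}", b.revoke_by_token("0xCHILD_WALLET"));
    println!("lookup by wallet:       {:?}", b.revoke_by_wallet("0xCHILD_WALLET"));
}
```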
Files to change
crates/agentkeys-cli/src/lib.rs (cmd_revoke) -- fix lookup, support self-revoke
crates/agentkeys-cli/src/main.rs -- make agent arg optional for self-revoke
crates/agentkeys-mock-server/src/handlers/session.rs -- add revoke-by-wallet lookup
docs/manual-test-stage4.md -- update Test 9 revoke step
wiki/credential-usage.md -- document revoke vs teardown
References