Strengthen fleet-start! test to verify session-id scoping

krukow · Copilot · krukow · commit af3af5c2472e · 2026-04-04T23:52:29.000+02:00
Assert that fleet-start! always uses the session's own ID and that
user-provided params cannot override it.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/test/github/copilot_sdk/integration_test.clj b/test/github/copilot_sdk/integration_test.clj
@@ -2078,16 +2078,21 @@
       (is (some #(= "session.agent.deselect" (:method %)) @requests)))))
 
 (deftest test-fleet-start
-  (testing "fleet-start! calls session.fleet.start RPC"
+  (testing "fleet-start! calls session.fleet.start RPC with session-id forced"
     (let [requests (atom [])
           _ (mock/set-request-hook! *mock-server*
               (fn [method params]
                 (swap! requests conj {:method method :params params})))
           session (sdk/create-session *test-client*
-                    {:on-permission-request sdk/approve-all})]
-      (session/fleet-start! session {:prompt "do stuff"})
+                    {:on-permission-request sdk/approve-all})
+          session-id (sdk/session-id session)]
+      ;; Pass params that attempt to override session-id
+      (session/fleet-start! session {:prompt "do stuff" :session-id "evil-override"})
       (let [rpcs (filter #(= "session.fleet.start" (:method %)) @requests)]
-        (is (= 1 (count rpcs)))))))
+        (is (= 1 (count rpcs)))
+        ;; Session-id must be the real one, not the override
+        (is (= session-id (:sessionId (:params (first rpcs)))))
+        (is (= "do stuff" (:prompt (:params (first rpcs)))))))))
 
 (deftest test-mcp-config-list
   (testing "mcp-config-list calls mcp.config.list RPC"
