#21568 — POST /session ignores explicit id so duplicate-id handling is unreachable #767

@ElioNeto

Description

POST /session accepts an explicit id in the typed API surface, but the server-side session create path ignores it. That makes duplicate-ID hardening unreachable: creating the same explicit session id twice returns 200 twice instead of 200 then 409.

The server already exposes DuplicateIDError / 409 handling, but Session.create does not pass id through to the underlying session creation flow.

Plugins

No response

OpenCode version

0.0.0--202604082020 (reproduced on built local binary)

Steps to reproduce

  1. Start the built server with basic auth enabled.
  2. POST /session with body { "id": "ses_duplicate_smoke", "title": "one" }.
  3. Repeat the same request with the same id.
  4. Observe that the second request succeeds instead of returning 409 DuplicateIDError.

Screenshot and/or share link

No response

Operating System

Ubuntu 24.04

Terminal

Ghostty
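
The reproduction steps above, modelled in TypeScript as an added example; it is not OpenCode's code and not part of the original report. The store, the handler and both create functions are hypothetical; only DuplicateIDError, the 200/409 statuses and the request body come from the issue.

```typescript
// Hypothetical model of the reported behaviour; SessionStore, postSession and
// the two create functions are illustrative names, not OpenCode internals.
class DuplicateIDError extends Error {
  constructor(id: string) {
    super("session id already exists: " + id);
    this.name = "DuplicateIDError";
  }
}
interface CreateInput { id?: string; title: string }
interface SessionInfo { id: string; title: string }

class SessionStore {
  private sessions = new Map<string, SessionInfo>();
  private counter = 0;
  // Underlying creation flow: the duplicate-id check lives here.
  insert(input: CreateInput): SessionInfo {
    const id = input.id ?? `ses_generated_${++this.counter}`;
    if (this.sessions.has(id)) throw new DuplicateIDError(id);
    const info: SessionInfo = { id, title: input.title };
    this.sessions.set(id, info);
    return info;
  }
}

type Create = (store: SessionStore, input: CreateInput) => SessionInfo;
// As reported: the typed input accepts id, but it is dropped before insert.
const createIgnoringId: Create = (store, input) => store.insert({ title: input.title });
// Expected: id is forwarded, so the duplicate check becomes reachable.
const createForwardingId: Create = (store, input) => store.insert(input);

// Minimal POST /session handler that maps DuplicateIDError to 409.
function postSession(create: Create, store: SessionStore, body: CreateInput): { status: number; id?: string } {
  try {
    return { status: 200, id: create(store, body).id };
  } catch (err) {
    if (err instanceof Error && err.name === "DuplicateIDError") return { status: 409 };
    throw err;
  }
}

// Replays steps 2 and 3 of the report and returns both status codes.
function replay(create: Create): number[] {
  const store = new SessionStore();
  const body: CreateInput = { id: "ses_duplicate_smoke", title: "one" };
  return [postSession(create, store, body).status, postSession(create, store, body).status];
}
```

A regression test for the fix can assert the second status directly: 409 when the id is forwarded, 200 when it is silently replaced by a generated one.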

Labels: DOR (Definition of Ready — issue meets readiness criteria), bug (Something isn't working), high