Modern AI agents must do more than answer isolated queries—they need to remember context, enforce access rules, and log every action. Open Agent SDK addresses these needs through four specialized subsystems: SessionStore, PermissionPolicy, SandboxSettings, and HookRegistry.
This deep dive examines how these components work together to create agents that preserve conversation history securely while restricting operations to authorized actions. We’ll focus on the first two systems, which handle persistence and permission enforcement—critical features for any production-grade agent.
SessionStore: Preserving Context Between Sessions
Without persistent storage, every agent session vanishes when the process ends. SessionStore solves this by serializing conversation transcripts to disk and restoring them on subsequent runs.
Core Functionality and Storage Structure
SessionStore operates as an asynchronous actor, ensuring thread-safe access to session data. By default, it stores sessions in ~/.open-agent-sdk/sessions/, with each session isolated in its own subdirectory containing a single transcript.json file. Users can override the default path during initialization:
let sessionStore = SessionStore() // Default path
let customStore = SessionStore(sessionsDir: "/custom/path") // Custom locationThe SDK enforces strict file permissions: directories use 0700 (user-only access) while files use 0600 (read/write for owner only). Sessions retain their original creation timestamps while updating modification times on each save.
Five Essential Session Operations
SessionStore provides methods covering the full lifecycle of agent conversations:
- save: Serializes the current message array and metadata to JSON, writing to disk. Metadata includes contextual details like working directory, model name, session summary, and git branch:
try await sessionStore.save(
sessionId: "project-analysis",
messages: conversationHistory,
metadata: PartialSessionMetadata(
cwd: "/workspace/project",
model: "claude-sonnet-4-6",
summary: "Code architecture review",
tag: "development"
)
)- load: Retrieves a session by ID, deserializing the transcript into structured data. Supports pagination to fetch only recent messages when full history isn’t needed:
let recentMessages = try await sessionStore.load(
sessionId: "project-analysis",
limit: 50, // Only fetch last 50 messages
offset: nil
)- list: Returns all sessions sorted by recency, with metadata like ID, summary, message count, and timestamp. Useful for dashboard displays or session selection interfaces.
- fork: Creates a new session copying messages from an existing one, with options to truncate history at a specific point or assign a custom ID:
let newSessionId = try await sessionStore.fork(
sourceSessionId: "project-analysis",
upToMessageIndex: 25 // Copy only first 25 messages
)- delete: Removes an entire session directory and its contents permanently.
Additional helpers include rename for updating session titles and tag for categorizing conversations.
Three Recovery Strategies for Agent Sessions
SessionStore integrates with agent initialization through three recovery modes, each suited to different use cases:
- Explicit session ID recovery: Directly restores a specific session by ID during agent startup.
- Auto-continue recent session: When no ID is provided, the SDK automatically locates and loads the most recently modified session.
- Fork and truncate: Creates a new session branching from an existing one, optionally preserving only a portion of the conversation history.
These modes can operate independently or combine—for example, auto-continuing a session before forking it at a specific message point.
Security Measures in Session Management
SessionStore implements robust validation to prevent path traversal attacks. Session IDs are restricted from containing forbidden characters like forward slashes, backslashes, or parent directory references. Violations trigger descriptive errors:
private func validateSessionId(_ sessionId: String) throws {
guard !sessionId.isEmpty else {
throw SDKError.sessionError(message: "Session ID cannot be empty")
}
for forbidden in ["/", "\\", ".."] {
if sessionId.contains(forbidden) {
throw SDKError.sessionError(
message: "Session ID contains invalid character: '`forbidden`'"
)
}
}
}This ensures agents can safely handle user-provided session identifiers without risking filesystem access outside designated storage paths.
PermissionPolicy: Controlling Agent Capabilities
While SessionStore preserves context, PermissionPolicy determines what actions an agent is allowed to perform. The SDK implements six distinct permission modes, each balancing automation with user control.
Six Permission Modes Explained
The system categorizes permissions into six operational modes:
- default: Requests user confirmation before executing any tool or operation.
- plan: Executes read-only tools automatically while requiring approval for write operations.
- auto: Permits all tool executions except those flagged as dangerous.
- acceptEdits: Automatically applies file edits while seeking confirmation for irreversible actions.
- restricted: Limits operations to a predefined whitelist of safe actions.
- silent: Executes all permitted actions without any user prompts.
Each mode can be configured per-agent or adjusted dynamically based on session context. For instance, a development agent might use the plan mode during code analysis but switch to restricted when handling sensitive customer data.
Building Secure Agents with Open Agent SDK
Open Agent SDK’s SessionStore and PermissionPolicy subsystems provide the foundation for agents that remember context responsibly while respecting operational boundaries. By combining persistent storage with granular permission controls, developers can deploy agents that maintain coherent conversations without compromising security.
As AI agents evolve toward more autonomous and long-running deployments, these features will become increasingly critical. The SDK’s modular design allows teams to tailor session management and permission strategies to their specific requirements—whether building chat interfaces, automated workflows, or collaborative coding assistants.
AI summary
Açık Ajan SDK, modern AI ajanları için güvenli ve yetkilendirilmiş oturumlar oluşturmanıza olanak tanır. SessionStore ve PermissionPolicy sistemlerini derinlemesine inceleyin.
