cortex_session_commit MCP tool handler.
Schema (ADR 0045 §4, ADR 0047 §3):
cortex_session_commit(confirmation_token: string)
→ { committed: int, receipt_id: string }

This tool promotes all pending_mcp_commit memories to active after
verifying that the caller supplied the operator-provided confirmation token
(ADR 0047 §3). The token is generated at server startup, printed to stderr
only, and never appears in any JSON-RPC response — ensuring that the
commit is always driven by an explicit operator action.
§Auto-commit mode (CORTEX_MCP_AUTO_COMMIT=1)
When cortex serve is started with CORTEX_MCP_AUTO_COMMIT=1 in the
environment, CortexSessionCommitTool is constructed with
auto_commit: true. In that mode the token check is bypassed entirely
and any value (including empty string) is accepted as confirmation_token.
This is an explicit operator override of the ADR 0047 §3 safety guarantee
and MUST only be used in operator-controlled CI contexts.
The bypass is logged at WARN level with the stable invariant
SESSION_COMMIT_AUTO_COMMIT_INVARIANT so operators can grep for it.
§Token comparison
Token comparison uses tokens_equal, a constant-time fold-XOR over all
bytes (ADR 0047 §3). The function always iterates the full length so it
does not short-circuit on length mismatch in a way that leaks timing
information. This path is skipped when auto_commit is true.
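A sketch of the comparison and commit gate described above, added here as an illustration and not the project's tokens_equal source. The names tokens_equal_sketch, commit_gate and CommitGate are hypothetical, and letting the loop count follow the supplied length is an assumption about what "full length" means.

```rust
// Added illustration, not the cortex source. All names here are hypothetical.
use std::hint::black_box;

/// Fold-XOR comparison whose loop count depends only on `supplied.len()`
/// (caller-chosen), never on the position of the first mismatching byte.
pub fn tokens_equal_sketch(expected: &[u8], supplied: &[u8]) -> bool {
    if expected.is_empty() {
        return false; // an unset server token must never authorize a commit
    }
    // A length mismatch is folded into the accumulator, not returned early.
    let mut acc = (expected.len() ^ supplied.len()) as u64;
    for (i, &b) in supplied.iter().enumerate() {
        // Wrap around `expected` so every supplied byte is processed.
        acc |= u64::from(expected[i % expected.len()] ^ b);
    }
    // black_box is a best-effort hint that keeps the fold from being optimized
    // into an early exit; it is not a hard constant-time guarantee.
    black_box(acc) == 0
}

#[derive(Debug, PartialEq)]
pub enum CommitGate {
    Verified,
    AutoCommitBypass,
    Rejected,
}

/// Gate as described on this page: auto-commit skips the comparison entirely.
pub fn commit_gate(auto_commit: bool, expected: &str, supplied: &str) -> CommitGate {
    if auto_commit {
        return CommitGate::AutoCommitBypass; // the caller logs this at WARN
    }
    if tokens_equal_sketch(expected.as_bytes(), supplied.as_bytes()) {
        CommitGate::Verified
    } else {
        CommitGate::Rejected
    }
}

fn main() {
    let expected = "constructed-sample-token"; // constructed value, not a real token
    let cases = [(false, expected), (false, ""), (false, "constructed-sample-tokeX"), (true, "")];
    for (auto, supplied) in cases {
        println!("auto_commit={auto} supplied={supplied:?} -> {:?}", commit_gate(auto, expected, supplied));
    }
}
```

The last case shows why the override is dangerous outside CI: with auto_commit set, an empty confirmation_token passes the gate.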
§MemoryRepo::commit_pending_mcp
This tool calls MemoryRepo::commit_pending_mcp(now) — a method being
added to cortex-store/src/repo/memories.rs by Lane 1B. The signature:
impl MemoryRepo<'_> {
    pub fn commit_pending_mcp(&self, now: DateTime<Utc>) -> StoreResult<usize>
}

The method bulk-promotes all rows with status = 'pending_mcp_commit'
to status = 'active' and returns the count of updated rows.
Structs§
- CortexSessionCommitTool: cortex_session_commit tool handler.
Constants§
- SESSION_COMMIT_AUTO_COMMIT_INVARIANT: Stable invariant token emitted when auto-commit mode bypasses the ADR 0047 §3 confirmation-token check.