Describe the bug
A brand-new CLI session, asked to recall recent work (e.g. "what did we work on?"), can return session history from a different project on the same machine. All local sessions share one store (~/.copilot/session-state.json), and recall is ordered by global recency rather than the current project, so the most-recent session from an unrelated project is surfaced. When it happens, that content enters the current session's context and can influence the response.
Affected version
1.0.68
Steps to reproduce the behavior
- In a terminal in Project A, run the CLI and have a short session.
- In a separate terminal in Project B, run a separate session and make it the most recently active one.
- Open a fresh terminal/session in Project A and ask: "what did we last work on?"
- It can answer with Project B's work.
Reproduced in a plain terminal with no editor involved (i.e. not specific to any particular editor integration).
Expected behavior
A fresh session's recall should be scoped to the current project (cwd/repo), or at minimum clearly indicate when it is surfacing another project's session.
Additional context
Actual behavior: Recall resolves across all projects by recency and returns another project's content, with no indication that it crossed a project boundary.
Notes / observations:
- Retrieval is agent-mediated and therefore INTERMITTENT: with an identical setup, one fresh session self-scoped to the current project while another surfaced the globally-most-recent (cross-project) session.
- Recency appears to be driven by the latest turn timestamp, not by a session-level
updated_at field (which can be stale).
- Project attribution can be unreliable: the stored repository value for a session does not always match the session's actual working directory.
Impact: Unrelated project context can enter the current session and steer subsequent responses. Because it is intermittent, a single "it stayed in-project" attempt does not prove the session is safe.
Environment:
- Operating system: Windows
- Copilot CLI version: 1.0.68
Describe the bug
A brand-new CLI session, asked to recall recent work (e.g. "what did we work on?"), can return session history from a different project on the same machine. All local sessions share one store (
~/.copilot/session-state.json), and recall is ordered by global recency rather than the current project, so the most-recent session from an unrelated project is surfaced. When it happens, that content enters the current session's context and can influence the response.Affected version
1.0.68
Steps to reproduce the behavior
Reproduced in a plain terminal with no editor involved (i.e. not specific to any particular editor integration).
Expected behavior
A fresh session's recall should be scoped to the current project (cwd/repo), or at minimum clearly indicate when it is surfacing another project's session.
Additional context
Actual behavior: Recall resolves across all projects by recency and returns another project's content, with no indication that it crossed a project boundary.
Notes / observations:
updated_atfield (which can be stale).Impact: Unrelated project context can enter the current session and steer subsequent responses. Because it is intermittent, a single "it stayed in-project" attempt does not prove the session is safe.
Environment: