What a session owns
A session owns a self-contained set of state. While the session is alive, this state is the entire context in which userspace operates.- Routing identity. The first-hop identity Route uses for outbound traffic. Generated fresh; not derivable from prior sessions.
- Userspace identity surface. Cookies, localStorage, IndexedDB, cache, accept-language, locale, timezone, and the rest of the surfaces enumerated in identity isolation.
- Per-app sandbox roots. A separate filesystem root for each app, mounted from a session-scoped storage area.
- Working memory and ephemeral state. In-memory secrets, tab state, agent context, in-flight messages, IPC channels.
- Per-session keys. Session-scoped key material used by the routing layer and by inter-app IPC.
States and transitions
| State | Description | Transitions to |
|---|---|---|
| Idle | No active session. The system has no userspace identity surface bound. | Bringup |
| Bringup | Session is being assembled: routing identity is generated, sandbox roots are mounted, in-memory keys are derived. | Active, Failed |
| Active | All four enforcement properties hold. Userspace can run. | End, Failed |
| End | User-initiated teardown. Wipe is in progress. | Idle |
| Failed | A required component (typically Route) failed to come up or went unhealthy beyond recovery. Userspace cannot reach the network and is being torn down. | Idle |
End-of-session wipe
What is wiped, in order:- Application processes are signalled to terminate. Apps that hold unsaved state must persist it before the wipe step or lose it.
- Per-app sandbox roots are unmounted.
- Session-scoped storage areas are zeroed and unmounted.
- In-memory key material (routing keys, session keys, derived per-app keys) is overwritten.
- The routing identity is rotated; the prior identity does not appear in the next session.
Carrying state across sessions
State that needs to survive a session is the user’s explicit choice. The mechanisms:- Long-lived contact identities (used by Messenger). These live in a key store that is not part of any session. They are not addressable by network-facing state and are not wiped at session end.
- User-exported artifacts. Files, transaction records, and generated documents the user explicitly saves through the OS export mechanism.
- Durable per-app subtrees. Specific subtrees an app has marked durable, after a user grant. See sandboxed execution.
- OS configuration. System settings (theme, language preference) live outside the session model.
Why the session boundary is load-bearing
The four enforcement properties are only meaningful relative to a session boundary.- Routing privacy without a session boundary is a stable identity rotated at clock intervals, which is correlatable on timing. The user-controlled session boundary anchors when rotation happens.
- Identity isolation without a session boundary is “incognito mode”; the OS keeps state somewhere else.
- Sandboxing without a session boundary is per-app isolation only; cross-session persistence undermines it.
Continue from here
Session identity isolation
The full identity surface and what’s scoped per session.
Sandboxed execution
The execution boundary every app runs inside, and per-app storage roots.