Summary
PdsAgentPool holds authenticated AtpAgent instances in a Map (src/pds/agent.ts:10). Each AtpAgent stores live accessJwt and refreshJwt strings internally (managed by @atproto/api). These are visible in heap dumps or memory inspection tools.
Details
- JWTs are never written to disk by this codebase, which is correct.
- However, they live as plaintext strings in the process heap for the lifetime of the cached agent.
- This is inherent to the @atproto/api library's session design, not a bug introduced here.
Suggested Fix
- Document this as a known trade-off.
- Consider setting a maximum agent cache TTL to bound JWT lifetime in memory.
- Evaluate whether @atproto/api provides any mechanism to limit session exposure.
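One shape the TTL suggestion above could take, added here as an example rather than code from this repository: the pool records when each agent was created, refuses to hand out an entry past its maximum age, and a periodic sweep drops idle entries. `Agent`, the factory callback and the DIDs used in the test are stand-ins (assumptions) for the real `AtpAgent` wiring.

```typescript
// Added example (not the project's code): a TTL-bounded agent pool that drops a
// cached agent, and the session tokens it holds, after maxAgeMs at the latest.
// `Agent`, the factory and the DIDs in the test are stand-ins (assumptions); the
// real PdsAgentPool caches @atproto/api AtpAgent instances.
interface Agent {
  did: string;
  // Releases the session reference. JS strings cannot be zeroed in place, so the
  // best a pool can do is drop the last reference and let the GC reclaim it.
  dispose(): void;
}
interface PoolEntry { agent: Agent; createdAt: number; }

class TtlAgentPool {
  private readonly entries = new Map<string, PoolEntry>();
  constructor(
    private readonly maxAgeMs: number,
    private readonly factory: (did: string) => Agent,
    private readonly now: () => number = () => Date.now(), // injectable clock
  ) {}

  // Returns the cached agent for `did`, re-creating it once the entry has aged out.
  get(did: string): Agent {
    const existing = this.entries.get(did);
    if (existing !== undefined && !this.isExpired(existing)) return existing.agent;
    if (existing !== undefined) this.evict(did, existing);
    const agent = this.factory(did);
    this.entries.set(did, { agent, createdAt: this.now() });
    return agent;
  }

  // Drops every expired entry; run from a timer so idle agents do not linger.
  sweep(): number {
    let evicted = 0;
    for (const [did, entry] of this.entries) {
      if (this.isExpired(entry)) { this.evict(did, entry); evicted++; }
    }
    return evicted;
  }

  size(): number { return this.entries.size; }

  private isExpired(entry: PoolEntry): boolean {
    return this.now() - entry.createdAt >= this.maxAgeMs;
  }

  private evict(did: string, entry: PoolEntry): void {
    entry.agent.dispose();
    this.entries.delete(did);
  }
}
```

Eviction only bounds how long the pool itself keeps a reference; the tokens remain in the heap until the garbage collector reclaims them, so the TTL is a bound, not a scrub.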