Intent-Code Divergence
Medium
- Confidence
- 94% confidence
- Finding
- The session account example silently falls back to `generatePrivateKey()` when `SESSION_KEY` is missing, which can cause an automation service to unintentionally use a brand-new identity and lose continuity, auditability, and expected authorization boundaries. In a smart-account/delegation context, that can lead to failed redemptions, mis-bound permissions, orphaned delegations, or operators mistakenly believing a stable backend identity is in use when it is not.
