docs: Fix Vulnerability issues

.agents/skills/ak-dev-new-multimodal-storage/SKILL.md

@@ -128,13 +128,18 @@ class <Backend>AttachmentStore(AttachmentStore):
         """
         key = f"{self._session_id}:{attachment_id}"
         # e.g., self._client.delete(key)
+
+        # IMPORTANT: also remove the ID from the session index so the count
+        # stays accurate and pruning logic works correctly on future saves.
+        # e.g., fetch the index, remove attachment_id, and write it back
         logger.debug(f"Deleted attachment {attachment_id} from <backend>")
 ```
 
 ### Key Implementation Notes
 
 - **Key format**: Use `{session_id}:{attachment_id}` for isolation between sessions
 - **Max attachments pruning**: When `save()` is called and the session exceeds `max_attachments`, delete the oldest entry. Track order via timestamps or a per-session index
+- **Index consistency on delete**: When `delete()` is called, remove the attachment ID from the per-session index in addition to deleting the data entry. Skipping this step causes the index count to drift — the backend will think more attachments exist than actually do, breaking `max_attachments` enforcement on subsequent saves
 - **TTL**: If the backend supports time-based expiry (like Redis TTL or DynamoDB `expiry_time`), use it for automatic cleanup. Read the TTL value from the backend-specific config
 - **Connection management**: Use lazy initialization and connection pooling where possible. The store may be instantiated per-request (inside `AttachmentStorageManager.__init__`)
 - **Serialization**: Attachment dicts must be JSON-serializable. The `data` field contains base64-encoded binary, so all values are strings, floats, or ints