feat(cloud-agent): PR tracking for cloud-agent sessions #2903
Open
kilo-code-bot[bot] wants to merge 6 commits into main from
3e32e34 to
cb82fe9
Compare
Contributor
Author
Code Review Summary
Status: No Issues Found | Recommendation: Merge
Files Reviewed (6 files)
Reviewed by gpt-5.5-2026-04-23 · 15,408,229 tokens
kilo-code-bot Bot
pushed a commit
that referenced
this pull request
Apr 29, 2026
- Add associatedPr to mobile FetchedSessionData so mobile-session-manager matches the shared type definition. This unblocks the CI typecheck failure on apps/mobile.
- refreshAssociatedPullRequest: move ensureOrganizationAccess BEFORE the throttle short-circuit for org-scoped sessions. Previously a removed org member with a stale cli_sessions_v2 row could receive cached PR metadata via the throttle path without a current membership check. Adds a regression test covering the fresh-sentinel case where the throttle previously would have bypassed the check.
- upsertCliSessionPullRequestsFromWebhook: introduce WebhookInstallationOwner and require the caller (webhook router) to pass the integration owner. The session SELECT now constrains by organization_id OR kilo_user_id so a webhook from one tenant's installation cannot upsert PR metadata onto a session owned by another tenant that happens to share the same (git_url, git_branch). Adds cross-tenant isolation tests for both org and user ownership, including the slow-path normalization branch.
kilo-code-bot Bot
pushed a commit
that referenced
this pull request
Apr 30, 2026
- Add associatedPr to mobile FetchedSessionData so mobile-session-manager matches the shared type definition. This unblocks the CI typecheck failure on apps/mobile.
- refreshAssociatedPullRequest: move ensureOrganizationAccess BEFORE the throttle short-circuit for org-scoped sessions. Previously a removed org member with a stale cli_sessions_v2 row could receive cached PR metadata via the throttle path without a current membership check. Adds a regression test covering the fresh-sentinel case where the throttle previously would have bypassed the check.
- upsertCliSessionPullRequestsFromWebhook: introduce WebhookInstallationOwner and require the caller (webhook router) to pass the integration owner. The session SELECT now constrains by organization_id OR kilo_user_id so a webhook from one tenant's installation cannot upsert PR metadata onto a session owned by another tenant that happens to share the same (git_url, git_branch). Adds cross-tenant isolation tests for both org and user ownership, including the slow-path normalization branch.
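The owner-scoped session lookup described in the commit message above, as an added example that is not the project's code. The `WebhookInstallationOwner` fields, the sample rows and the `normalizeGitUrl` rule are assumptions made for illustration; passing `null` as the owner reproduces the unscoped behaviour from before the fix.

```typescript
// Added example: rows and owner shape are constructed, not the project's schema code.
type WebhookInstallationOwner = { type: "org" | "user"; id: string };
type SessionRow = {
  sessionId: string; gitUrl: string; gitBranch: string;
  organizationId: string | null; kiloUserId: string;
};

const SESSIONS: SessionRow[] = [
  { sessionId: "s-org-a", gitUrl: "https://github.com/acme/app", gitBranch: "feature/x", organizationId: "org-a", kiloUserId: "u1" },
  { sessionId: "s-org-b", gitUrl: "git@github.com:acme/app.git", gitBranch: "feature/x", organizationId: "org-b", kiloUserId: "u2" },
  { sessionId: "s-user-3", gitUrl: "https://github.com/acme/app", gitBranch: "feature/x", organizationId: null, kiloUserId: "u3" },
];

// Assumed slow-path normalization: SSH and HTTPS forms of one repo compare equal.
function normalizeGitUrl(url: string): string {
  return url.trim().toLowerCase()
    .replace(/^git@([^:]+):/, "$1/")
    .replace(/^[a-z][a-z0-9+.-]*:\/\/(?:[^@\/]+@)?/, "")
    .replace(/\.git$/, "");
}

function ownedBy(row: SessionRow, owner: WebhookInstallationOwner | null): boolean {
  if (owner === null) return true; // old behaviour: no tenant constraint
  return owner.type === "org" ? row.organizationId === owner.id : row.kiloUserId === owner.id;
}

// Returns the ids of sessions a webhook for (gitUrl, gitBranch) may update.
function sessionsForWebhook(
  owner: WebhookInstallationOwner | null,
  gitUrl: string,
  gitBranch: string,
): string[] {
  // The owner predicate runs before either path, so the slow path inherits it.
  const scoped = SESSIONS.filter((r) => ownedBy(r, owner) && r.gitBranch === gitBranch);
  const exact = scoped.filter((r) => r.gitUrl === gitUrl);
  const hits = exact.length > 0
    ? exact
    : scoped.filter((r) => normalizeGitUrl(r.gitUrl) === normalizeGitUrl(gitUrl));
  return hits.map((r) => r.sessionId);
}
```

With the owner set to `org-b`, the only match comes from the normalization branch, which is the case the cross-tenant tests in the commit message single out.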
124c0b4 to
084f755
Compare
f317c03 to
969f7c8
Compare
4a65ead to
2785dfc
Compare
jrf0110
approved these changes
May 6, 2026
jrf0110
reviewed
May 6, 2026
jrf0110
reviewed
May 6, 2026
jrf0110
approved these changes
May 6, 2026
alex-alecu
reviewed
May 7, 2026
alex-alecu
reviewed
May 7, 2026
alex-alecu
reviewed
May 7, 2026
Contributor
@eshurakov please check this thread Kilo-Org/kilocode#9418 (comment) Do you think we should re-use some logic from backend or that it's better to have it separate?
5f882d2 to
2d23c9c
Compare
…tched query Webhooks now flag review_decision_pending=true instead of fetching the GraphQL reviewDecision inline. The next sidebar list call kicks off a background batch that claims pending rows, fetches all decisions in one aliased GraphQL request, and writes results back.
- Update fetch-pull-request-review-decision.test.ts mock to match the batched aliased GraphQL query format (`data.data.pr0`) after the refactor to `fetchBatchedReviewDecisions`. Fixes the failing CI test.
- Re-verify org membership in `getWithRuntimeState` before returning cached PR metadata. A stale `cli_sessions_v2` row with a matching `kilo_user_id` is not proof of current org access; removed members must not receive cached PR metadata. Mirrors the check already present in `refreshAssociatedPullRequest`.
When the refresh path persists a sentinel row because GitHub returned no PR for a branch, the old code set `review_decision_pending = true` unconditionally. The batch review-decision worker filters out rows without `pr_number` and never clears the pending flag, so it would re-claim the same sentinel every two minutes forever. Only mark pending when there is actually a PR whose review decision we still need to fetch.
…s in flight Expose review_decision_pending on associatedPr so the sidebar list query can poll every 5s while any row is awaiting an async review decision fetch, then stop once the batch flushes. Also abandon claimed rows in the batch worker when there is no GitHub integration or no actionable PR, so the pending flag can never hang forever and force the client to poll indefinitely.
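The ordering fix that the commit messages above describe for `refreshAssociatedPullRequest` and `getWithRuntimeState` (membership check before any cached return), as an added example that is not the project's code. The in-memory maps, the `THROTTLE_MS` value and the function names other than `ensureOrganizationAccess` are assumptions.

```typescript
// Added example: constructed in-memory model, not the project's code.
type Session = { sessionId: string; kiloUserId: string; organizationId: string | null };
type CachedPr = { prNumber: number; lastSyncedAt: number };

const THROTTLE_MS = 60000; // assumed throttle window
const orgMembers = new Map<string, Set<string>>();
const prCache = new Map<string, CachedPr>();

function ensureOrganizationAccess(userId: string, orgId: string): void {
  if (!orgMembers.get(orgId)?.has(userId)) throw new Error("FORBIDDEN");
}

function syncFromGitHub(s: Session, now: number): CachedPr {
  const row = { prNumber: 42, lastSyncedAt: now }; // stand-in for the real lookup
  prCache.set(s.sessionId, row);
  return row;
}

// Before: the throttle short-circuit returns a fresh row ahead of the membership check.
function refreshBefore(s: Session, callerId: string, now: number): CachedPr {
  if (s.kiloUserId !== callerId) throw new Error("NOT_FOUND");
  const cached = prCache.get(s.sessionId);
  if (cached && now - cached.lastSyncedAt < THROTTLE_MS) return cached;
  if (s.organizationId) ensureOrganizationAccess(callerId, s.organizationId);
  return syncFromGitHub(s, now);
}

// After: current membership is verified first, so the cached path is gated too.
function refreshAfter(s: Session, callerId: string, now: number): CachedPr {
  if (s.kiloUserId !== callerId) throw new Error("NOT_FOUND");
  if (s.organizationId) ensureOrganizationAccess(callerId, s.organizationId);
  const cached = prCache.get(s.sessionId);
  if (cached && now - cached.lastSyncedAt < THROTTLE_MS) return cached;
  return syncFromGitHub(s, now);
}

// alice syncs as a member, is removed, then asks again inside the throttle window.
function removedMemberScenario(refresh: typeof refreshAfter): string {
  orgMembers.clear();
  prCache.clear();
  orgMembers.set("org-1", new Set(["alice"]));
  const s: Session = { sessionId: "s1", kiloUserId: "alice", organizationId: "org-1" };
  refresh(s, "alice", 0);
  orgMembers.get("org-1")?.delete("alice"); // membership revoked; session row is stale
  try {
    return `leaked PR #${refresh(s, "alice", 1000).prNumber}`;
  } catch (e) {
    return (e as Error).message;
  }
}
```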
Contributor
@alex-alecu By reuse you mean the cli and agent manager would get the status from the backend? Or to reuse the actual code? Backend code is quite different in this case as we rely mostly on webhooks and process (for now) only cloud agent sessions. We're also limited by integration added to the kilo with only repositories that user picked.
Summary
Adds infrastructure to associate a GitHub pull request with a cloud-agent-next CLI session.
- `cli_session_pull_requests` side table (PK = `session_id`, FK → `cli_sessions_v2.session_id` with `ON DELETE CASCADE`) storing PR number, url, state, title, head sha, and last-synced timestamp.
- `UQ_cli_sessions_v2_session_id` on `cli_sessions_v2.session_id` so the FK has a unique target (the base table uses a composite PK `(session_id, kilo_user_id)`).
- `(git_url, git_branch)` to support branch → session lookups.
- `fetchPullRequestForBranch` helper in the GitHub adapter that looks up the most relevant PR for a `(owner, repo, branch)` triple via an installation token. Prefers `open` PRs, maps `merged_at` → `"merged"` state, returns `null` on 404, and throws a dedicated `GitHubRateLimitError` (carrying `resetAt`) for rate/secondary-rate-limit responses while passing through genuine 403 permission failures unchanged.
- `apps/web/src/tests/setup/__mocks__/` updated to mirror the new export surface.

Verification
Visual Changes
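The response handling the Summary lists for `fetchPullRequestForBranch`, as an added example that is not the project's code. It assumes lower-cased header names and constructed response bodies, and it falls back to the first listed PR when none is open; `interpretPullsResponse` and `outcome` are hypothetical names.

```typescript
// Added example; response shapes are constructed, not captured from GitHub.
type GhPull = { number: number; state: "open" | "closed"; merged_at: string | null };
type HeaderMap = Record<string, string>; // assumed lower-cased header names

class GitHubRateLimitError extends Error {
  resetAt: Date | null;
  constructor(resetMs: number) {
    super("GitHub rate limit exceeded");
    this.name = "GitHubRateLimitError";
    this.resetAt = Number.isFinite(resetMs) ? new Date(resetMs) : null;
  }
}

// Returns the chosen PR, or null when there is none; throws on failures.
function interpretPullsResponse(status: number, h: HeaderMap, body: unknown, nowMs: number) {
  if (status === 404) return null;
  if (status === 403 || status === 429) {
    const message = String((body as { message?: string } | null)?.message ?? "");
    // Primary limit: remaining quota is 0, x-ratelimit-reset holds epoch seconds.
    if (h["x-ratelimit-remaining"] === "0") {
      throw new GitHubRateLimitError(Number(h["x-ratelimit-reset"]) * 1000);
    }
    // Secondary limit: retry-after (seconds) and/or a "secondary rate limit" message.
    if (h["retry-after"] !== undefined || /secondary rate limit/i.test(message)) {
      throw new GitHubRateLimitError(nowMs + Number(h["retry-after"]) * 1000);
    }
  }
  // Any other non-200, including a genuine 403 permission failure, passes through.
  if (status !== 200) throw new Error(`GitHub API error ${status}`);
  const pulls = body as GhPull[];
  const pr = pulls.find((p) => p.state === "open") ?? pulls[0]; // prefer open PRs
  if (!pr) return null;
  return { number: pr.number, state: pr.merged_at ? "merged" : pr.state };
}

// Flattens the result or the thrown error into a string for inspection.
function outcome(status: number, h: HeaderMap, body: unknown, nowMs = 0): string {
  try {
    const pr = interpretPullsResponse(status, h, body, nowMs);
    return pr ? `pr#${pr.number}:${pr.state}` : "none";
  } catch (e) {
    const err = e as Error & { resetAt?: Date | null };
    return err.name === "GitHubRateLimitError"
      ? `rate-limited:${err.resetAt ? err.resetAt.toISOString() : "unknown"}`
      : `error:${err.message}`;
  }
}
```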