@code-crusher

  • review only mode for enterprises
  • code review UI + settings updates
  • clean imports
  • enterprise login flow
  • run enterprise reviews
  • updates to enterprise connections

@matter-code-review

matter-code-review bot commented Jan 5, 2026

Context

Summary By MatterAI

🔄 What Changed

Introduced support for Enterprise AI Code Review, allowing users to configure custom API hosts and keys. This release (v4.210.2) finalizes the settings handling logic, ensuring robust validation and persistence of enterprise configurations. Specifically, the webviewMessageHandler was refined to strictly parse and update global state for code review settings.

🔍 Impact of the Change

Enables enterprise customers to utilize private infrastructure for code analysis. The refined settings handler prevents invalid configurations from being saved, improving system stability and ensuring that subsequent server pings use validated data. This significantly streamlines the enterprise login and connection flow.

📁 Total Files Changed

| Area | File | ChangeLog |
|---|---|---|
| Settings Handler | webviewMessageHandler.ts | Refined message handling logic for enterprise settings persistence and validation. |
| Settings Schema | global-settings.ts | Added Zod validation for enterprise host, API key, and review-only mode. |
| API Routing | codeReviewService.ts | Updated service to dynamically route requests to enterprise endpoints with custom auth. |
| UI Logic | ChatView.tsx | Implemented conditional rendering for Review Only mode and added PR setup cards. |
| Manual Review | SourceControlPanel.tsx | Added "Copy All" prompts functionality for users without direct API tokens. |
| Notification System | toast.tsx | Created a new React context and component for toast notifications. |
| Settings UI | CodeReviewSettings.tsx | New component for managing enterprise credentials and review preferences. |
| State Sync | ClineProvider.ts | Integrated code review settings into the global extension state provider. |
| Version Bump | package.json | Incremented version to 4.210.2. |

🧪 Test Added/Recommended

Recommended

  • Unit Tests: Validate URL construction in codeReviewService.ts when enterpriseHost has/hasn't trailing slashes.
  • Integration Tests: Mock the /codereview/ping endpoint to verify success/error toast triggers in the webview.
  • UI Tests: Verify that "Review Only Mode" correctly hides the chat text area and history preview.

🔒 Security Vulnerabilities

  • CRITICAL: Potential credential leak in codeReviewService.ts (Line 82) via console.log("this.enterpriseApiKey", ...). Verification required for this release.
  • Input Validation: The enterpriseHost should be strictly validated to ensure it uses https:// to prevent man-in-the-middle attacks.

Implementation

The implementation extends the existing CodeReviewService to check for the presence of enterpriseHost and enterpriseApiKey. The webviewMessageHandler now uses codeReviewSettingsSchema.parse(values) to ensure data integrity before calling updateGlobalState. This ensures that only well-formed settings are stored and used for subsequent enterprise server pings.

Screenshots

| before | after |
|---|---|
| N/A | N/A |

How to Test

  1. Open Settings and navigate to the new "AI Code Review" section.
  2. Enter an Enterprise Host (e.g., https://api.example.com) and API Key.
  3. Observe the Toast notification attempting to ping the server.
  4. Enable "Review Only Mode" and verify the chat input and history disappear.
  5. Run a code review and verify the request headers include the Bearer token for enterprise auth.

Get in Touch

Handle: @matterai_dev

Checklist Score: 4/4

@matter-code-review matter-code-review bot left a comment

🧪 PR Review is completed: The implementation of Enterprise AI Code Review settings is solid, with appropriate UI updates and state management. However, there are critical security issues regarding the logging of sensitive credentials (API keys) that must be addressed before merging. Additionally, URL construction consistency should be improved.

Skipped files
  • webview-ui/src/i18n/locales/en/kilocode.json: Skipped file pattern
  • webview-ui/src/i18n/locales/en/settings.json: Skipped file pattern

code-crusher and others added 2 commits January 5, 2026 22:18
Co-authored-by: matter-code-review[bot] <150888575+matter-code-review[bot]@users.noreply.github.com>
@code-crusher code-crusher merged commit 72eef7c into main Jan 5, 2026
3 of 11 checks passed
@matter-code-review

✅ Reviewed the changes: The changes correctly address the URL normalization issue by handling trailing slashes.

@matter-code-review

✅ Reviewed the changes: Security vulnerability addressed by removing sensitive data logging. The implementation correctly parses settings and updates the global state without exposing credentials.
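Added example, not code from this PR and not part of either participant's comments: one way to cover the three points raised in the thread (https-only `enterpriseHost`, trailing-slash handling when building the `/codereview/ping` URL, and keeping the API key out of logs). All function names are hypothetical, and the host and key used with it are constructed sample values.

```typescript
// Added illustration; helper names are assumptions, not the project's API.

// Accept only absolute https:// URLs without embedded credentials and
// return a canonical base: origin + path, no trailing slash, query or fragment.
function normalizeEnterpriseHost(input: string): { base?: string; error?: string } {
  let url: URL
  try {
    url = new URL(input.trim())
  } catch {
    return { error: "not an absolute URL" }
  }
  if (url.protocol !== "https:") return { error: "scheme must be https" }
  if (url.username || url.password) return { error: "credentials in URL" }
  return { base: url.origin + url.pathname.replace(/\/+$/, "") }
}

// Join base and endpoint path with exactly one slash between them.
function buildEndpoint(base: string, path: string): string {
  return base.replace(/\/+$/, "") + "/" + path.replace(/^\/+/, "")
}

// Log-safe form of a secret: reports presence and length, never content.
function redactSecret(secret: string | undefined): string {
  return secret ? `<redacted, ${secret.length} chars>` : "<unset>"
}

// Assemble the ping request. The key appears only in the Authorization
// header; the line intended for logging carries the redacted form.
function describePing(host: string, apiKey: string): {
  url: string
  headers: { Authorization: string }
  logLine: string
} {
  const h = normalizeEnterpriseHost(host)
  if (h.error || !h.base) throw new Error(`invalid enterpriseHost: ${h.error}`)
  const url = buildEndpoint(h.base, "/codereview/ping")
  return {
    url,
    headers: { Authorization: `Bearer ${apiKey}` },
    logLine: `ping ${url} key=${redactSecret(apiKey)}`,
  }
}
```

Rejecting the host at save time means a plain `http://` value never reaches the code path that attaches the Bearer token.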
