feat(agents): add separate reviewer GitHub identity (PAT) #154

Merged
zbigniewsobiecki merged 1 commit into dev from feature/separate-reviewer-github-identity
Feb 12, 2026
@zbigniewsobiecki
Member

Summary

  • Separate GitHub reviewer identity — Uses AsyncLocalStorage to transparently scope a different Octokit instance to the review agent's async context, letting the review agent submit real PR reviews under a different GitHub user than the one that created the PR
  • Zero gadget changes — getClient() checks AsyncLocalStorage first, so all 9 gadget files and the entire githubClient API surface remain untouched
  • Review agent improvements — Posts an initial "reviewing..." comment on the PR and includes UpdatePRComment gadget so the agent can update it with the review summary

How it works

Review agent calls withGitHubToken(reviewerToken, () => executeAgentLifecycle(...))
  → All githubClient.* calls inside that scope use the reviewer's Octokit
  → Gadgets, buildContext, syntheticCalls all transparently use reviewer identity
  → Scope auto-cleans when lifecycle completes

Changes

| Area | Files | What |
| --- | --- | --- |
| Config | schema.ts, projects.json | Add optional reviewerTokenEnv field; enable for niu + car-dealership |
| Core | client.ts | AsyncLocalStorage, withGitHubToken(), getReviewerUser(), scoped getClient() |
| Review agent | review.ts, review.eta | Wrap lifecycle in reviewer scope; initial comment + UpdatePRComment |
| Triggers | utils.ts, 4 trigger handlers | Extend isSelfAuthored() + "already reviewed" check for reviewer identity |
| Tests | 6 test files | AsyncLocalStorage scoping, reviewer identity filtering, schema validation |
| Docs | .env.example | Document GITHUB_REVIEWER_TOKEN env var |

Graceful fallback

  • No reviewerTokenEnv configured → everything works exactly as before
  • Env var not set → logs warning, falls back to main token
  • getReviewerUser() API call fails → logs warning, returns null, triggers don't filter (safe default)

Test plan

  • npm run typecheck — no type errors
  • npm run lint — no new lint errors
  • npm test — all 459 tests pass (including 8 new ones)
  • CI passes on this PR

🤖 Generated with Claude Code

…orage scoping

GitHub doesn't allow the same user to review their own PR. CASCADE uses
a single GITHUB_TOKEN for everything — creating PRs (implementation agent)
and reviewing them (review agent). This adds a separate reviewer PAT per
project so the review agent operates as a different GitHub user.

Uses Node.js AsyncLocalStorage to transparently scope a different Octokit
instance to the review agent's async context. The existing getClient()
function is the single chokepoint — modifying it to check AsyncLocalStorage
first means zero changes to any gadget files and zero changes to the
githubClient API surface.

Changes:
- Add optional `reviewerTokenEnv` field to project config schema
- Add AsyncLocalStorage-based `withGitHubToken()` for scoped GitHub clients
- Add `getReviewerUser()` with caching for resolving reviewer identity
- Wrap review agent lifecycle in reviewer scope when configured
- Extend `isSelfAuthored()` and check-suite-success trigger to recognize
  reviewer identity (prevents infinite loops and duplicate reviews)
- Review agent now posts initial "reviewing" comment and includes
  UpdatePRComment gadget for updating it with review summary
- Enable reviewer token for niu and car-dealership projects

Graceful fallback: no reviewerTokenEnv → existing behavior unchanged;
env var not set → logs warning, uses main token; API failure → returns
null, triggers don't filter (safe default).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@zbigniewsobiecki zbigniewsobiecki merged commit 2727417 into dev Feb 12, 2026
3 checks passed
@zbigniewsobiecki zbigniewsobiecki deleted the feature/separate-reviewer-github-identity branch February 12, 2026 14:52
zbigniewsobiecki added a commit that referenced this pull request Feb 12, 2026
The review agent's separate reviewer identity (added in #154) requires
GITHUB_REVIEWER_TOKEN in the worker environment. Without it, the agent
falls back to the main GITHUB_TOKEN, authenticates as the PR author,
and GitHub rejects REQUEST_CHANGES with 422 ("can not request changes
on your own pull request").

Add the token to router secrets, worker container env, and local Docker
runs so the reviewer identity works end-to-end.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
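
A minimal sketch of the AsyncLocalStorage scoping and the token fallback described in this thread, added here as an example and not CASCADE's own code. `makeClient` is a hypothetical stand-in for an Octokit instance, `resolveReviewerToken` and `runConcurrently` are illustrative names, and all token and user values are constructed.

```javascript
const { AsyncLocalStorage } = require('node:async_hooks');

const scopedClient = new AsyncLocalStorage();
const MAIN_TOKEN = 'main-token-constructed'; // constructed sample value

// Hypothetical stand-in for `new Octokit({ auth: token })`; no network access.
const makeClient = (token) => ({
  token,
  whoami: async () => (token === MAIN_TOKEN ? 'author-bot' : 'reviewer-bot'),
});
const defaultClient = makeClient(MAIN_TOKEN);

// Single chokepoint: the scoped client wins, otherwise the process-wide one.
function getClient() {
  return scopedClient.getStore() ?? defaultClient;
}

// Everything fn() calls or awaits sees the scoped client; the scope ends with fn().
function withGitHubToken(token, fn) {
  return scopedClient.run(makeClient(token), fn);
}

// Resolve the token named by reviewerTokenEnv and report a fallback explicitly,
// so the caller can tell that the review would run as the PR author.
function resolveReviewerToken(project, env) {
  const name = project.reviewerTokenEnv;
  const token = name ? env[name] : undefined;
  return token ? { token, fellBack: false } : { token: MAIN_TOKEN, fellBack: true };
}

// A gadget-like call site that knows nothing about identities.
async function submitReview() {
  await new Promise((resolve) => setTimeout(resolve, 5)); // scope survives the await
  return getClient().whoami();
}

// A review lifecycle and an unscoped lifecycle run concurrently; neither may
// observe the other's client, and nothing stays scoped afterwards.
async function runConcurrently(env) {
  const project = { reviewerTokenEnv: 'GITHUB_REVIEWER_TOKEN' };
  const { token, fellBack } = resolveReviewerToken(project, env);
  const [review, implementation] = await Promise.all([
    withGitHubToken(token, submitReview),
    submitReview(), // outside any scope
  ]);
  return { review, implementation, fellBack, afterScope: getClient().token };
}
```

With the variable unset, `review` resolves to the same user as `implementation`, which is the condition the follow-up commit reports GitHub rejecting with 422.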