feat(git-token-service): add Kilo session capability RPCs#4372
Conversation
…emption Introduces opaque, encrypted capability tokens (kka1.*) that let outbound containers call Kilo backend, provider, and session-ingest routes without exposing the underlying user/provider tokens. - kilo-session-capability.ts: encodes/decodes signed capability claims (user/provider tokens, targets, container binding, expiry) - kilo-capability-policy.ts: classifies a redeeming request URL against the capability's allow-listed targets (provider model, org models, backend API, session ingest) and rejects path traversal/encoding tricks or container/session mismatches - index.ts: adds issueKiloSessionCapability and redeemKiloSessionCapability RPCs on GitTokenRPCEntrypoint
Code Review SummaryStatus: No Issues Found | Recommendation: Merge Executive SummaryThis update removes the now-unused Files Reviewed (6 files)
Previous Review Summaries (3 snapshots, latest commit 0f6d9b0)Current summary above is authoritative. Previous snapshots are kept for context only. Previous review (commit 0f6d9b0)Status: No Issues Found | Recommendation: Merge Executive SummaryAll 3 previously flagged issues (backend_api/session_ingest shadowing, unguarded non-string requestUrl, zero-tolerance clock check) are resolved in this update, with matching regression tests added; no new issues found in the changed code. Files Reviewed (5 files)
Previous review (commit b8cf3df)Status: No Issues Found | Recommendation: Merge Executive SummaryAll 3 previously flagged issues (backend_api/session_ingest shadowing, unguarded non-string requestUrl, zero-tolerance clock check) are resolved in this update, with matching regression tests added; no new issues found in the changed code. Files Reviewed (5 files)
Previous review (commit f00f375)Status: 3 Issues Found | Recommendation: Address before merge Executive SummaryThe generic Overview
Issue Details (click to expand)CRITICAL
WARNING
Files Reviewed (6 files)
Reviewed by claude-sonnet-5-20260630 · Input: 34 · Output: 6.9K · Cached: 883.5K Review guidance: REVIEW.md from base branch |
Address review feedback on the Kilo session capability RPCs: - Exclude session-ingest-shaped paths from the backend catch-all and order the session-ingest branch first, so a shared backend/session-ingest origin can no longer serve another session's export/import route as backend_api with the user token. - Fail closed with invalid_upstream_url when requestUrl is not a string, keeping the discriminated-union contract at the WorkerEntrypoint RPC boundary instead of throwing. - Allow a 60s clock-skew tolerance on the issuedAt future check so a freshly issued capability is not spuriously rejected across isolates.
…capability Simplify the Kilo session capability by dropping the optional providerToken field and the per-route credential selection. All redeemed routes now carry the user token, reducing the token surface area and the policy complexity.
Summary
Adds
issueKiloSessionCapabilityandredeemKiloSessionCapabilityRPCs toGitTokenRPCEntrypoint, letting outbound containers call Kilo backend, provider, and session-ingest routes through an opaque encrypted capability instead of holding raw tokens.kilo-session-capability.ts— encodes and decodeskka1.*capability tokens (encrypted, versioned claims: user token, allow-listed targets, container binding, issued/expiry timestamps, max 4h lifetime).kilo-capability-policy.ts— classifies a redeeming request URL against the capability's targets intoprovider_model,organization_models,backend_api, orsession_ingestroute classes, rejecting path-traversal/encoding tricks, session mismatches, and disallowed upstreams.index.ts— wires the two new RPC methods, including container-binding and target-validation checks before delegating to the codec/policy.providerTokenfield so all routes redeem with the user token only.Verification
No manual verification beyond the existing automated test suite. The service-level tests cover issuance, redemption, target classification, token leakage, expiry, container/session binding, and cross-session rejection.
Visual Changes
N/A
Reviewer Notes
The final commit removes the optional
providerTokenand the per-route credential switch.provider_modelandorganization_modelsroutes now use the user token, matching the simplified security model. Confirm that outbound containers do not need a separate provider credential for these upstreams.