Skip to content

feat(git-token-service): add Kilo session capability RPCs#4372

Merged
eshurakov merged 5 commits into
mainfrom
able-hydrangea
Jul 6, 2026
Merged

feat(git-token-service): add Kilo session capability RPCs#4372
eshurakov merged 5 commits into
mainfrom
able-hydrangea

Conversation

@eshurakov

@eshurakov eshurakov commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds issueKiloSessionCapability and redeemKiloSessionCapability RPCs to GitTokenRPCEntrypoint, letting outbound containers call Kilo backend, provider, and session-ingest routes through an opaque encrypted capability instead of holding raw tokens.

  • kilo-session-capability.ts — encodes and decodes kka1.* capability tokens (encrypted, versioned claims: user token, allow-listed targets, container binding, issued/expiry timestamps, max 4h lifetime).
  • kilo-capability-policy.ts — classifies a redeeming request URL against the capability's targets into provider_model, organization_models, backend_api, or session_ingest route classes, rejecting path-traversal/encoding tricks, session mismatches, and disallowed upstreams.
  • index.ts — wires the two new RPC methods, including container-binding and target-validation checks before delegating to the codec/policy.
  • Follow-up fixes tighten cross-session redemption safety, correctly handle shared backend/session-ingest origins, and remove the short-lived providerToken field so all routes redeem with the user token only.

Verification

No manual verification beyond the existing automated test suite. The service-level tests cover issuance, redemption, target classification, token leakage, expiry, container/session binding, and cross-session rejection.

Visual Changes

N/A

Reviewer Notes

The final commit removes the optional providerToken and the per-route credential switch. provider_model and organization_models routes now use the user token, matching the simplified security model. Confirm that outbound containers do not need a separate provider credential for these upstreams.

…emption

Introduces opaque, encrypted capability tokens (kka1.*) that let
outbound containers call Kilo backend, provider, and session-ingest
routes without exposing the underlying user/provider tokens.

- kilo-session-capability.ts: encodes/decodes signed capability claims
  (user/provider tokens, targets, container binding, expiry)
- kilo-capability-policy.ts: classifies a redeeming request URL against
  the capability's allow-listed targets (provider model, org models,
  backend API, session ingest) and rejects path traversal/encoding
  tricks or container/session mismatches
- index.ts: adds issueKiloSessionCapability and
  redeemKiloSessionCapability RPCs on GitTokenRPCEntrypoint
Comment thread services/git-token-service/src/kilo-capability-policy.ts Outdated
Comment thread services/git-token-service/src/index.ts
Comment thread services/git-token-service/src/kilo-session-capability.ts Outdated
@kilo-code-bot

kilo-code-bot Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

This update removes the now-unused providerToken field and per-route credential switch, simplifying provider_model/organization_models redemption to always use the user token; the change is clean, consistent across types/tests, and introduces no new issues. All 3 previously flagged issues (backend_api/session_ingest shadowing, unguarded non-string requestUrl, zero-tolerance clock check) remain fixed.

Files Reviewed (6 files)
  • services/git-token-service/src/kilo-capability-policy.ts - unchanged in this increment beyond credential field removal from the classification result type
  • services/git-token-service/src/kilo-session-capability.ts - providerToken field removed from claims/subject schema, no behavior change to validation or clock-skew handling
  • services/git-token-service/src/index.ts - redeemKiloSessionCapability now always authorizes with claims.userToken, removing the dead provider/user credential branch
  • services/git-token-service/src/kilo-capability-policy.test.ts - updated to drop credential assertions, still covers route classification and shared-origin shadow guard
  • services/git-token-service/src/kilo-session-capability.test.ts - updated to drop providerToken fixtures/assertions
  • services/git-token-service/src/index.test.ts - updated to redeem with the user token for provider routes; removed now-invalid provider-token fallback test
Previous Review Summaries (3 snapshots, latest commit 0f6d9b0)

Current summary above is authoritative. Previous snapshots are kept for context only.

Previous review (commit 0f6d9b0)

Status: No Issues Found | Recommendation: Merge

Executive Summary

All 3 previously flagged issues (backend_api/session_ingest shadowing, unguarded non-string requestUrl, zero-tolerance clock check) are resolved in this update, with matching regression tests added; no new issues found in the changed code.

Files Reviewed (5 files)
  • services/git-token-service/src/kilo-capability-policy.ts - fixed: backend_api catch-all now excludes session-ingest-shaped paths via isSessionIngestShapedRoute, and classifyKiloCapabilityRequest now fails closed with invalid_upstream_url for a non-string requestUrl
  • services/git-token-service/src/kilo-session-capability.ts - fixed: added KILO_SESSION_CAPABILITY_CLOCK_SKEW_TOLERANCE_MS grace window to the issuedAt future-timestamp check
  • services/git-token-service/src/kilo-capability-policy.test.ts - added regression tests for shared-origin shadowing and non-string request URL
  • services/git-token-service/src/kilo-session-capability.test.ts - added regression tests for clock-skew tolerance boundaries
  • services/git-token-service/src/index.test.ts - added end-to-end regression test for cross-session ingest shadowing via redeemKiloSessionCapability

Previous review (commit b8cf3df)

Status: No Issues Found | Recommendation: Merge

Executive Summary

All 3 previously flagged issues (backend_api/session_ingest shadowing, unguarded non-string requestUrl, zero-tolerance clock check) are resolved in this update, with matching regression tests added; no new issues found in the changed code.

Files Reviewed (5 files)
  • services/git-token-service/src/kilo-capability-policy.ts - fixed: backend_api catch-all now excludes session-ingest-shaped paths via isSessionIngestShapedRoute, and classifyKiloCapabilityRequest now fails closed with invalid_upstream_url for a non-string requestUrl
  • services/git-token-service/src/kilo-session-capability.ts - fixed: added KILO_SESSION_CAPABILITY_CLOCK_SKEW_TOLERANCE_MS grace window to the issuedAt future-timestamp check
  • services/git-token-service/src/kilo-capability-policy.test.ts - added regression tests for shared-origin shadowing and non-string request URL
  • services/git-token-service/src/kilo-session-capability.test.ts - added regression tests for clock-skew tolerance boundaries
  • services/git-token-service/src/index.test.ts - added end-to-end regression test for cross-session ingest shadowing via redeemKiloSessionCapability

Previous review (commit f00f375)

Status: 3 Issues Found | Recommendation: Address before merge

Executive Summary

The generic backend_api route in kilo-capability-policy.ts can shadow the session-ingest cross-session guard whenever backendBaseUrl and sessionIngestBaseUrl share an origin, allowing a container to redeem its capability against another Kilo session's export/import endpoint.

Overview

Severity Count
CRITICAL 1
WARNING 2
SUGGESTION 0
Issue Details (click to expand)

CRITICAL

File Line Issue
services/git-token-service/src/kilo-capability-policy.ts 152 Generic backend_api branch has no exclusion for session-ingest-shaped paths, so it can shadow the session_ingest branch's kiloSessionId check when the two targets share an origin, permitting cross-session redemption.

WARNING

File Line Issue
services/git-token-service/src/index.ts 1113 classifyKiloCapabilityRequest is called without a try/catch; a non-string requestUrl at the RPC boundary throws instead of returning the typed failure result every other branch returns.
services/git-token-service/src/kilo-session-capability.ts 113 Zero-tolerance issuedAt > Date.now() check has no grace window, so routine clock skew between issuing and redeeming instances can spuriously reject a legitimately-issued capability.
Files Reviewed (6 files)
  • services/git-token-service/src/index.ts - 1 issue
  • services/git-token-service/src/index.test.ts
  • services/git-token-service/src/kilo-capability-policy.ts - 1 issue
  • services/git-token-service/src/kilo-capability-policy.test.ts
  • services/git-token-service/src/kilo-session-capability.ts - 1 issue
  • services/git-token-service/src/kilo-session-capability.test.ts

Fix these issues in Kilo Cloud


Reviewed by claude-sonnet-5-20260630 · Input: 34 · Output: 6.9K · Cached: 883.5K

Review guidance: REVIEW.md from base branch main

Address review feedback on the Kilo session capability RPCs:

- Exclude session-ingest-shaped paths from the backend catch-all and
  order the session-ingest branch first, so a shared backend/session-ingest
  origin can no longer serve another session's export/import route as
  backend_api with the user token.
- Fail closed with invalid_upstream_url when requestUrl is not a string,
  keeping the discriminated-union contract at the WorkerEntrypoint RPC
  boundary instead of throwing.
- Allow a 60s clock-skew tolerance on the issuedAt future check so a
  freshly issued capability is not spuriously rejected across isolates.
@eshurakov eshurakov changed the title GitTokenService - Add Kilo Session Capability Rpcs GitTokenService - Add Kilo Session Capability RPCs Jul 6, 2026
eshurakov added 2 commits July 6, 2026 10:37
…capability

Simplify the Kilo session capability by dropping the optional providerToken
field and the per-route credential selection. All redeemed routes now carry
the user token, reducing the token surface area and the policy complexity.
@eshurakov eshurakov changed the title GitTokenService - Add Kilo Session Capability RPCs refactor(git-token-service): remove provider token from Kilo session capability Jul 6, 2026
@eshurakov eshurakov changed the title refactor(git-token-service): remove provider token from Kilo session capability feat(git-token-service): add Kilo session capability RPCs Jul 6, 2026
@eshurakov eshurakov merged commit dbe6c56 into main Jul 6, 2026
15 checks passed
@eshurakov eshurakov deleted the able-hydrangea branch July 6, 2026 11:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants