Skip to content

GitTokenService - Add Kilo Session Capability Rpcs#4372

Open
eshurakov wants to merge 2 commits into
mainfrom
able-hydrangea
Open

GitTokenService - Add Kilo Session Capability Rpcs#4372
eshurakov wants to merge 2 commits into
mainfrom
able-hydrangea

Conversation

@eshurakov

Copy link
Copy Markdown
Contributor

Summary

Adds issueKiloSessionCapability and redeemKiloSessionCapability RPCs to GitTokenRPCEntrypoint in the git-token-service, letting outbound containers call Kilo backend/provider/session-ingest routes through an opaque encrypted capability instead of holding raw user/provider tokens.

  • kilo-session-capability.ts — encodes and decodes kka1.* capability tokens (encrypted, versioned claims: user/provider tokens, allow-listed targets, container binding, issued/expiry timestamps, max 4h lifetime).
  • kilo-capability-policy.ts — classifies a redeeming request URL against the capability's targets into provider_model, organization_models, backend_api, or session_ingest route classes, selecting the right credential (user vs. provider token) and rejecting path-traversal/encoding tricks, session mismatches, and disallowed upstreams.
  • index.ts — wires the two new RPC methods, including container-binding and target-validation checks before delegating to the codec/policy.

Verification

  • Not manually tested against a live deployment; verified via the automated unit tests added for issuance, redemption, and policy classification (see commit).

Visual Changes

N/A

Reviewer Notes

  • Capability payload never includes the plaintext user/provider token in the encoded string prefix (kka1.); tests assert the encrypted output doesn't contain the raw tokens.
  • classifyKiloCapabilityRequest is the security-sensitive surface — it guards against path traversal (encoded ../, %2f, backslashes) and cross-session/cross-container redemption.

…emption

Introduces opaque, encrypted capability tokens (kka1.*) that let
outbound containers call Kilo backend, provider, and session-ingest
routes without exposing the underlying user/provider tokens.

- kilo-session-capability.ts: encodes/decodes signed capability claims
  (user/provider tokens, targets, container binding, expiry)
- kilo-capability-policy.ts: classifies a redeeming request URL against
  the capability's allow-listed targets (provider model, org models,
  backend API, session ingest) and rejects path traversal/encoding
  tricks or container/session mismatches
- index.ts: adds issueKiloSessionCapability and
  redeemKiloSessionCapability RPCs on GitTokenRPCEntrypoint
Comment thread services/git-token-service/src/kilo-capability-policy.ts Outdated
Comment thread services/git-token-service/src/index.ts
Comment thread services/git-token-service/src/kilo-session-capability.ts Outdated
@kilo-code-bot

kilo-code-bot Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

All 3 previously flagged issues (backend_api/session_ingest shadowing, unguarded non-string requestUrl, zero-tolerance clock check) are resolved in this update, with matching regression tests added; no new issues found in the changed code.

Files Reviewed (5 files)
  • services/git-token-service/src/kilo-capability-policy.ts - fixed: backend_api catch-all now excludes session-ingest-shaped paths via isSessionIngestShapedRoute, and classifyKiloCapabilityRequest now fails closed with invalid_upstream_url for a non-string requestUrl
  • services/git-token-service/src/kilo-session-capability.ts - fixed: added KILO_SESSION_CAPABILITY_CLOCK_SKEW_TOLERANCE_MS grace window to the issuedAt future-timestamp check
  • services/git-token-service/src/kilo-capability-policy.test.ts - added regression tests for shared-origin shadowing and non-string request URL
  • services/git-token-service/src/kilo-session-capability.test.ts - added regression tests for clock-skew tolerance boundaries
  • services/git-token-service/src/index.test.ts - added end-to-end regression test for cross-session ingest shadowing via redeemKiloSessionCapability
Previous Review Summary (commit f00f375)

Current summary above is authoritative. Previous snapshots are kept for context only.

Previous review (commit f00f375)

Status: 3 Issues Found | Recommendation: Address before merge

Executive Summary

The generic backend_api route in kilo-capability-policy.ts can shadow the session-ingest cross-session guard whenever backendBaseUrl and sessionIngestBaseUrl share an origin, allowing a container to redeem its capability against another Kilo session's export/import endpoint.

Overview

Severity Count
CRITICAL 1
WARNING 2
SUGGESTION 0
Issue Details (click to expand)

CRITICAL

File Line Issue
services/git-token-service/src/kilo-capability-policy.ts 152 Generic backend_api branch has no exclusion for session-ingest-shaped paths, so it can shadow the session_ingest branch's kiloSessionId check when the two targets share an origin, permitting cross-session redemption.

WARNING

File Line Issue
services/git-token-service/src/index.ts 1113 classifyKiloCapabilityRequest is called without a try/catch; a non-string requestUrl at the RPC boundary throws instead of returning the typed failure result every other branch returns.
services/git-token-service/src/kilo-session-capability.ts 113 Zero-tolerance issuedAt > Date.now() check has no grace window, so routine clock skew between issuing and redeeming instances can spuriously reject a legitimately-issued capability.
Files Reviewed (6 files)
  • services/git-token-service/src/index.ts - 1 issue
  • services/git-token-service/src/index.test.ts
  • services/git-token-service/src/kilo-capability-policy.ts - 1 issue
  • services/git-token-service/src/kilo-capability-policy.test.ts
  • services/git-token-service/src/kilo-session-capability.ts - 1 issue
  • services/git-token-service/src/kilo-session-capability.test.ts

Fix these issues in Kilo Cloud


Reviewed by claude-sonnet-5-20260630 · Input: 38 · Output: 7.7K · Cached: 891.6K

Review guidance: REVIEW.md from base branch main

Address review feedback on the Kilo session capability RPCs:

- Exclude session-ingest-shaped paths from the backend catch-all and
  order the session-ingest branch first, so a shared backend/session-ingest
  origin can no longer serve another session's export/import route as
  backend_api with the user token.
- Fail closed with invalid_upstream_url when requestUrl is not a string,
  keeping the discriminated-union contract at the WorkerEntrypoint RPC
  boundary instead of throwing.
- Allow a 60s clock-skew tolerance on the issuedAt future check so a
  freshly issued capability is not spuriously rejected across isolates.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant