GitTokenService - Add Kilo Session Capability Rpcs #4372
…emption Introduces opaque, encrypted capability tokens (kka1.*) that let outbound containers call Kilo backend, provider, and session-ingest routes without exposing the underlying user/provider tokens.
- kilo-session-capability.ts: encodes/decodes signed capability claims (user/provider tokens, targets, container binding, expiry)
- kilo-capability-policy.ts: classifies a redeeming request URL against the capability's allow-listed targets (provider model, org models, backend API, session ingest) and rejects path traversal/encoding tricks or container/session mismatches
- index.ts: adds issueKiloSessionCapability and redeemKiloSessionCapability RPCs on GitTokenRPCEntrypoint
Code Review Summary
Status: No Issues Found | Recommendation: Merge
Executive Summary: All 3 previously flagged issues (backend_api/session_ingest shadowing, unguarded non-string requestUrl, zero-tolerance clock check) are resolved in this update, with matching regression tests added; no new issues found in the changed code.
Files Reviewed (5 files)
Previous Review Summary (commit f00f375)
Current summary above is authoritative. Previous snapshots are kept for context only.
Previous review (commit f00f375)
Status: 3 Issues Found | Recommendation: Address before merge
Executive Summary: The generic Overview
Files Reviewed (6 files)
Reviewed by claude-sonnet-5-20260630 · Input: 38 · Output: 7.7K · Cached: 891.6K
Review guidance: REVIEW.md from base branch
Address review feedback on the Kilo session capability RPCs:
- Exclude session-ingest-shaped paths from the backend catch-all and order the session-ingest branch first, so a shared backend/session-ingest origin can no longer serve another session's export/import route as backend_api with the user token.
- Fail closed with invalid_upstream_url when requestUrl is not a string, keeping the discriminated-union contract at the WorkerEntrypoint RPC boundary instead of throwing.
- Allow a 60s clock-skew tolerance on the issuedAt future check so a freshly issued capability is not spuriously rejected across isolates.
Summary
Adds issueKiloSessionCapability and redeemKiloSessionCapability RPCs to GitTokenRPCEntrypoint in the git-token-service, letting outbound containers call Kilo backend/provider/session-ingest routes through an opaque encrypted capability instead of holding raw user/provider tokens.
- kilo-session-capability.ts — encodes and decodes kka1.* capability tokens (encrypted, versioned claims: user/provider tokens, allow-listed targets, container binding, issued/expiry timestamps, max 4h lifetime).
- kilo-capability-policy.ts — classifies a redeeming request URL against the capability's targets into provider_model, organization_models, backend_api, or session_ingest route classes, selecting the right credential (user vs. provider token) and rejecting path-traversal/encoding tricks, session mismatches, and disallowed upstreams.
- index.ts — wires the two new RPC methods, including container-binding and target-validation checks before delegating to the codec/policy.
Verification
Visual Changes
N/A
Reviewer Notes
kka1.); tests assert the encrypted output doesn't contain the raw tokens. classifyKiloCapabilityRequest is the security-sensitive surface — it guards against path traversal (encoded ../, %2f, backslashes) and cross-session/cross-container redemption.