feat(github): MVP commit-as-user via GitHub App user-to-server tokens

[kilo-code-bot]

Summary

• Adds user_github_app_tokens table to store encrypted GitHub user-to-server (OAuth) tokens, with GDPR soft-delete coverage.
• Implements the full OAuth connect/disconnect flow: HMAC-signed state with TTL, code exchange, identity resolution, encrypted storage, and a settings UI card gated behind ENABLE_GITHUB_USER_TOKENS.
• Adds getUserTokenForRepo RPC to git-token-service that decrypts the stored token, verifies repo access (with KV cache), and returns the token + user identity.
• Updates session-prepare (both in the router handler and async-preparation) to prefer the user token when the feature gate is enabled, falling back to the app installation token transparently.
• Introduces GitIdentity type and buildGitAuthor helper for identity-aware git commit attribution (user vs. app-bot).
• Adds refreshGitHubToken method on CloudAgentSession that handles mid-session user-token expiry with a graceful downgrade to the app token and a one-time user-visible warning.
• Adds redactGitHubTokens utility to worker-utils to prevent ghu_/ghr_ tokens from appearing in logs.

Verification

• Connect a GitHub identity via the settings UI → verify commits are attributed to your GitHub account.
• Revoke the token on GitHub and trigger a session → verify fallback to app token with warning message.
• Delete your Kilo account → verify user_github_app_tokens rows are deleted.
• Set ENABLE_GITHUB_USER_TOKENS=false (default) → verify no change in existing app-token behaviour.

Visual Changes

N/A (new card added to GitHub integrations settings page, gated behind feature flag).

Reviewer Notes

• Feature is off by default (ENABLE_GITHUB_USER_TOKENS=false in wrangler.jsonc and .dev.vars.example). Safe to merge without enabling.
• Refresh tokens are ignored in this MVP (comment in callback notes this explicitly); token expiry falls back to app token.
• disconnectUserIdentity calls GitHub's DELETE /applications/{client_id}/grant to revoke the authorization server-side; failures are logged but do not block the local row deletion.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Incremental Update (commits since 222b013)

New commits since last review:

Commit	Change
e59cd6d	WIP: container eviction save — session-service eviction logic
5495a54, b101c4c, de9b015, 23823e0, 8f23d43, 6458d80	Earlier fixes already reviewed
acdd740	chore(db): renumber user_github_app_tokens migration to 0131 after rebase conflict
aee23b5	fix(env): add GITHUB_OAUTH_STATE_SECRET and ENABLE_GITHUB_USER_TOKENS to dev example
5bfe5c7	fix(pr-review): use ENABLE_GITHUB_USER_TOKENS from config.server and drop body from revoke error log
c1bf1f0	ci: trigger kilo code review re-run — empty commit

Files changed since 222b013:

File	Change
dev/local/env-sync/parse.ts	Added WORKER_LOCALHOST_URL_KEYS set to preserve localhost for worker-side URLs during env-sync resolution ✅
dev/local/env-sync/plan.test.ts	New test for worker-localhost URL preservation ✅
packages/db/src/migrations/0132_melted_crystal.sql	New CONCURRENTLY index migration using established COMMIT;…BEGIN; pattern ✅
packages/db/src/migrations/0133_fast_jamie_braddock.sql	Renumbered from 0132 → 0133 (SQL content unchanged) ✅
packages/db/src/migrations/meta/_journal.json	Journal updated with correct idx ordering ✅
packages/db/src/migrations/meta/0132_snapshot.json / 0133_snapshot.json	Generated; skipped ✅
packages/db/src/schema.ts	Two new partial indexes: idx_microdollar_usage_metadata_session_id_created_at and IDX_app_builder_projects_git_repo_integration, both with appropriate WHERE IS NOT NULL guards ✅
services/cloud-agent-next/.dev.vars.example	Comments updated; KILOCODE_BACKEND_BASE_URL / KILO_OPENROUTER_BASE changed to localhost (translated by worker before entering containers) ✅
services/cloud-agent-next/src/session-service.ts	backendUrlForSandbox() added and applied; suggest: 'deny' added to all session permissions ✅
services/cloud-agent-next/src/session-service.test.ts	Tests updated for suggest: 'deny'; new backendUrlForSandbox unit + integration tests ✅

All Previous Issues — Status

Issue	Status
errorDescription log injection in route.ts	✅ Fixed — sanitized before logging
Double as cast in user-github-token-service.ts	✅ Fixed — reduced to single targeted cast
as { status: number } cast on line 11	✅ Acknowledged — single cast at known boundary, acceptable per coding standards
getUserConnectionStatus not gated	✅ Intentional — documented: gate only blocks new connections
Empty alt on avatar image	✅ Acknowledged as follow-up
body: await response.text() in revoke error log	✅ Fixed — removed
GITHUB_OAUTH_STATE_SECRET/ENABLE_GITHUB_USER_TOKENS missing from .env.development.local.example	✅ Fixed
process.env.ENABLE_GITHUB_USER_TOKENS direct env access in page.tsx	✅ Fixed — now uses ENABLE_GITHUB_USER_TOKENS from config.server

Other Observations (not in diff)

• backendUrlForSandbox trailing slash handling: url.toString() on a bare http://localhost:3000 returns http://localhost:3000/; the .replace(/\/$/, '') correctly strips it. Behavior is tested and intentional.
• Migration when timestamp ordering: 0133_fast_jamie_braddock has an earlier when timestamp than 0132_melted_crystal (artifact of renumbering). Drizzle-kit uses idx for ordering, not when — no issue.
• WORKER_LOCALHOST_URL_KEYS hardcoded set: The set in parse.ts mirrors the same two keys used in .dev.vars.example. If new worker-side localhost URLs are added in the future, the set would need to be kept in sync — low risk, worth tracking.
• redactGitHubTokens in worker-utils: Added but not yet wired into all error-path logging. Low risk; worth tracking post-merge.
• Remaining as { status: unknown } cast in user-github-token-service.ts:9: Single targeted cast after 'status' in e narrowing; acceptable per coding standards.

Files Reviewed (51 files)

• apps/web/.env.development.local.example — ✅ all vars present
• apps/web/src/app/(app)/integrations/github/page.tsx — ✅ uses config.server
• apps/web/src/app/api/integrations/github/user-connect/callback/route.test.ts — ✅ test fixes applied
• apps/web/src/app/api/integrations/github/user-connect/callback/route.ts — ✅ all issues resolved
• apps/web/src/components/integrations/GitHubIntegrationDetails.tsx — suggestion acknowledged/deferred
• apps/web/src/lib/config.server.ts
• apps/web/src/lib/integrations/platforms/github/oauth-state.test.ts — ✅ unused import removed
• apps/web/src/lib/integrations/platforms/github/oauth-state.ts
• apps/web/src/lib/user.test.ts
• apps/web/src/lib/user.ts
• apps/web/src/routers/github-apps-router.test.ts — ✅ as any replaced, user inserted before FK
• apps/web/src/routers/github-apps-router.ts — ✅ unused imports removed; body: logging removed
• dev/local/env-sync/parse.ts — ✅ worker-localhost URL preservation logic correct
• dev/local/env-sync/plan.test.ts — ✅ new test covers the preservation behavior
• packages/db/src/migrations/0132_melted_crystal.sql — ✅ CONCURRENTLY pattern, correct
• packages/db/src/migrations/0133_fast_jamie_braddock.sql — ✅ renumbered, SQL unchanged
• packages/db/src/migrations/meta/_journal.json — skipped (generated)
• packages/db/src/migrations/meta/0132_snapshot.json / 0133_snapshot.json — skipped (generated)
• packages/db/src/schema.ts — ✅ two new partial indexes, both correct
• packages/worker-utils/src/index.ts
• packages/worker-utils/src/redact-headers.test.ts
• packages/worker-utils/src/redact-headers.ts
• services/cloud-agent-next/.dev.vars.example — ✅ updated comments + localhost URLs
• services/cloud-agent-next/src/git-identity.test.ts
• services/cloud-agent-next/src/persistence/CloudAgentSession.ts
• services/cloud-agent-next/src/persistence/async-preparation.test.ts
• services/cloud-agent-next/src/persistence/async-preparation.ts
• services/cloud-agent-next/src/persistence/schemas.ts
• services/cloud-agent-next/src/persistence/types.ts
• services/cloud-agent-next/src/router/handlers/session-prepare.ts
• services/cloud-agent-next/src/services/git-token-service-client.ts
• services/cloud-agent-next/src/session-service.test.ts — ✅ suggest:deny tests + backendUrlForSandbox tests
• services/cloud-agent-next/src/session-service.ts — ✅ backendUrlForSandbox correct; suggest:deny added
• services/cloud-agent-next/src/session-prepare.test.ts
• services/cloud-agent-next/src/types.ts
• services/cloud-agent-next/src/types/git-identity.ts
• services/cloud-agent-next/src/workspace.ts
• services/cloud-agent-next/wrangler.jsonc
• services/git-token-service/.dev.vars.example
• services/git-token-service/package.json
• services/git-token-service/src/index.ts
• services/git-token-service/src/user-github-token-service.ts
• services/git-token-service/worker-configuration.d.ts
• services/git-token-service/wrangler.jsonc
• pnpm-lock.yaml — skipped (generated)

---

_{Reviewed by claude-sonnet-4.6 · 871,626 tokens}

_{Review guidance: REVIEW.md from base branch main}

[kilo-code-bot]

Code Review

Bug (must fix): startPreparationAsync is missing identityKiloUserId and identityKind

In services/cloud-agent-next/src/router/handlers/session-prepare.ts, the startPreparationAsync call (the async fast-path when autoInitiate=true) does not forward identityKiloUserId or identityKind to the Durable Object's PreparationInput.

The user-token path inside executePreparationSteps (in async-preparation.ts) is guarded by:

if (env.ENABLE_GITHUB_USER_TOKENS === 'true' && input.identityKiloUserId) {

Because input.identityKiloUserId is undefined on the async path, user-token resolution is silently skipped and every session prepared via autoInitiate=true falls back to the app installation token — which is the typical production path. The feature is effectively broken on the async path even when ENABLE_GITHUB_USER_TOKENS=true.

Fix: Add identityKiloUserId: ctx.userId (and optionally identityKind: 'user') to the startPreparationAsync call block, mirroring what the sync prepare() call at line ~691 does. Since async-preparation.ts gates on both the env var and the field being present, passing userId unconditionally is safe — it will only be used when ENABLE_GITHUB_USER_TOKENS === 'true'.

---

Style (non-blocking): double as-cast in getOctokitStatus

In services/git-token-service/src/user-github-token-service.ts, getOctokitStatus uses two as-casts:\nts\nif (... && typeof (e as Record<string, unknown>).status === 'number') {\n return (e as { status: number }).status;\n}\n\n\nThis can be simplified to one cast with runtime validation:\nts\nfunction getOctokitStatus(e: unknown): number | undefined {\n if (e != null && typeof e === 'object' && 'status' in e) {\n const { status } = e as { status?: unknown };\n if (typeof status === 'number') return status;\n }\n return undefined;\n}\n

[kilo-code-bot]

One correctness bug must be fixed before merge (see inline comment above).

Bug: startPreparationAsync in session-prepare.ts does not pass identityKiloUserId to the Durable Object's PreparationInput. The user-token path in executePreparationSteps (async-preparation.ts) is gated on input.identityKiloUserId being set, so user-token resolution is silently skipped on every autoInitiate=true session (the normal production fast path). All sessions on the async path fall back to the app bot token even when ENABLE_GITHUB_USER_TOKENS=true.

Fix: Add identityKiloUserId: ctx.userId to the startPreparationAsync call block in session-prepare.ts (mirroring what the sync prepare() call already does at line ~691).

A secondary non-blocking style issue: the double as-cast in getOctokitStatus (user-github-token-service.ts) should use flow-sensitive typing with a single narrowing cast instead.

[kilo-code-bot]

Fixed both issues:

1. ** missing identityKiloUserId/identityKind**: Added both fields to the startPreparationAsync call in session-prepare.ts, forwarding the already-resolved resolvedGitIdentity (which is resolved before the autoInitiate branch). This mirrors what the sync prepare() call already does.

2. Test encryption key (35 bytes): The test fixtures in github-apps-router.test.ts and route.test.ts used a base64 key that decoded to 35 bytes, causing EncryptionConfigurationError: Encryption key must be exactly 32 bytes (256 bits). Replaced with a valid 32-byte key.

[kilo-code-bot]

Refinery code review passed. All quality gates pass.

Summary: The MVP commit-as-user implementation is well-structured and secure. The OAuth state is properly HMAC-signed with TTL, tokens are encrypted at rest with a dedicated key, the GDPR soft-delete is covered, and the feature is safely gated behind ENABLE_GITHUB_USER_TOKENS=false by default.

Minor observations (no changes required):

1. expired_state in the GitHubConnectError union type in callback/route.ts is dead code — it is never emitted. Expiry is currently surfaced as invalid_state (via verifyOAuthState returning null). Fine to clean up in a follow-up if desired.

2. The KV repo-access cache key (gh-user-repo-access:{userId}:{owner}:{repo}) does not include the GitHub user ID. If a user disconnects and reconnects with a different GitHub account, a stale negative-access entry could block the new account for up to 5 minutes. This is a known MVP trade-off and is acceptable at this stage.

Both are minor and do not affect correctness or security. Safe to merge.

[kilo-code-bot]

Refinery code review passed. All quality gates pass.

[kilo-code-bot]

Refinery code review passed. All quality gates pass.

Reviewed the full diff across all 40 changed files. The implementation is correct and well-structured:

Schema & Migration: user_github_app_tokens table is properly defined with FK cascade, unique index on (kilo_user_id, github_app_type), and the migration was generated by drizzle-kit (not hand-written). Migration number conflict was correctly resolved (0131).

Security: HMAC-SHA256 signed OAuth state with 10-minute TTL and timing-safe comparison; AES-256-GCM encrypted token storage; safeReturnTo correctly blocks open-redirect (protocol-relative, absolute URLs, javascript:); log injection mitigation via sanitizeForLog with eslint suppression comment; no tokens logged; redactGitHubTokens utility correctly covers ghu_/ghr_ patterns.

GDPR: softDeleteUser updated to delete user_github_app_tokens rows with test coverage in user.test.ts.

Feature gate: ENABLE_GITHUB_USER_TOKENS=false by default in wrangler.jsonc and .dev.vars.example — safe to merge without enabling.

Fallback logic: Token selection in both session-prepare.ts (sync path) and async-preparation.ts correctly tries user token first when gate is on, falls back transparently to app installation token. Mid-session expiry handled in refreshGitHubToken with one-time warning broadcast and identity downgrade.

Worker module-scope safety: UserGitHubTokenService correctly uses getWorkerDb per-call (not module scope), db is instance field guarded by lazy init — compliant with Workers DO rules.

Test coverage: Route callback, oauth-state, github-apps-router, session-prepare (gate on/off, fallback), git-identity builder, and async-preparation all have meaningful tests. Mocks are used only where truly necessary (external OAuth and Octokit APIs).

WIP commit (d24765ad): empty diff — just a checkpoint marker, no code impact.

One minor style note (non-blocking): the blank line between the import block and type declaration was removed in GitHubIntegrationDetails.tsx (import { useOrganizationWithMembers } from ... → type GitHubIntegrationDetailsProps). Not a correctness issue.

[kilo-code-bot]

Refinery Code Review

Overall the implementation is solid — schema, GDPR deletion, HMAC-signed state, AES-256-GCM encryption, feature gate, and tests are all well done. Three issues need addressing before merge.

---

🔴 Issue 1: GITHUB_OAUTH_STATE_SECRET missing from .env.development.local.example

File: apps/web/.env.development.local.example

GITHUB_OAUTH_STATE_SECRET is a new required server env var — it's read via getEnvVariable in config.server.ts, which throws at boot if absent. But only USER_GH_APP_TOKEN_ENCRYPTION_KEY was added to the example file. Any developer pulling this branch will get an immediate startup crash until they manually discover and add the missing var.

Fix: Add the missing entry alongside USER_GH_APP_TOKEN_ENCRYPTION_KEY:

# HMAC secret for signing GitHub OAuth user-connect state tokens (random 32+ bytes, base64)
GITHUB_OAUTH_STATE_SECRET=

---

🟡 Issue 2: Raw response.text() logged in disconnectUserIdentity

File: apps/web/src/routers/github-apps-router.ts (inside disconnectUserIdentity)

console.error('Failed to revoke GitHub authorization:', {
  status: response.status,
  body: await response.text(),   // ← problem
});

The GitHub API error response body for this endpoint (DELETE /applications/{client_id}/grant) can include OAuth error strings and potentially token fragments. Per the project's logging rules, token-bearing values must not appear in logs.

Fix: Drop the body or sanitize with redactGitHubTokens from @kilocode/worker-utils/redact-headers:

console.error('Failed to revoke GitHub authorization:', {
  status: response.status,
});

---

🟡 Issue 3: process.env.ENABLE_GITHUB_USER_TOKENS read directly in page.tsx instead of from config.server

File: apps/web/src/app/(app)/integrations/github/page.tsx

enableUserTokens={process.env.ENABLE_GITHUB_USER_TOKENS === 'true'}

ENABLE_GITHUB_USER_TOKENS was centrally exported from config.server.ts (as a boolean) but the page reads the raw process.env instead. This is a server component so the import is safe, and using the central export avoids the inconsistency.

Fix:

import { ENABLE_GITHUB_USER_TOKENS } from '@/lib/config.server';
// ...
enableUserTokens={ENABLE_GITHUB_USER_TOKENS}

[kilo-code-bot]

Refinery code review passed. All quality gates pass.

Reviewed the full diff across all 39 changed files. The implementation is well-structured:

• DB schema: table is correctly defined with cascade FK, unique index on , and proper enums. Migration was generated correctly and renumbered to 0131 after rebase.
• GDPR: correctly deletes token rows; test coverage added in .
• Security: OAuth state uses HMAC-SHA256 with nonce + TTL (10 min). guards open-redirect. Tokens are AES-256-GCM encrypted at rest with a dedicated key separate from other encryption keys. Log injection is prevented in the callback route. utility added for / patterns.
• Feature gate: by default; safe to merge without enabling.
• Token service: in follows the same DB-caching pattern as the existing (instance-level, not module-scope). KV cache for repo-access checks with 5-min TTL.
• Session flow: Token selection in both and tries user token first (when gate=true), falls back to app installation token. Mid-session fallback in downgrades identity to 'app' and emits one-time user warning.
• Tests: Comprehensive coverage for happy paths, error cases, state expiry, conflict upserts, and GDPR delete.

No issues found.

[kilo-code-bot]

Refinery code review passed. All quality gates pass.

All previously identified issues from prior review rounds have been resolved:

• Fixed: startPreparationAsync in session-prepare.ts now correctly forwards identityKind and identityKiloUserId to the Durable Object's PreparationInput (lines 433–434), ensuring user-token resolution works on the autoInitiate=true async fast path.
• Fixed: getOctokitStatus in user-github-token-service.ts uses a single targeted as { status: unknown } cast after the 'status' in e guard — no more double cast through Record<string, unknown>.
• Fixed: error_description log injection risk addressed via sanitizeForLog() helper that truncates and strips control characters.
• Documented: getUserConnectionStatus being ungated is intentional design (cleanup path still works when feature is off).

Implementation is correct and complete across all three MVPs.

[kilo-code-bot]

Refinery code review passed. All quality gates pass.

[kilo-code-bot]

Refinery code review passed. All quality gates pass.

All previously raised issues have been addressed:

• The blocking bug (identityKiloUserId not forwarded to startPreparationAsync) is fixed at session-prepare.ts:433-434.
• Log injection via error_description is fixed with sanitizeForLog().
• Double as-cast in getOctokitStatus reduced to a single targeted cast (acceptable per project style: targeted cast at a known boundary).
• getUserConnectionStatus / disconnectUserIdentity intentionally ungated — acknowledged by author.
• Avatar alt="" deferred; functionally decorative in context.

Code is correct, secure (no token logging, encryption keys isolated, GDPR soft-delete updated), and gated off by default (ENABLE_GITHUB_USER_TOKENS=false). Safe to merge.

[kilo-code-bot]

Refinery Code Review

The PR is well-structured with good test coverage, correct HMAC state signing/verification, proper GDPR soft-delete coverage, clean feature-gate approach, and correct fallback behavior. Two issues should be fixed before merging.

---

🔴 Issue 1 — Dynamic import in hot path

File: services/git-token-service/src/user-github-token-service.ts, line ~91

decryptWithSymmetricKey is imported with await import('@kilocode/encryption') inside getUserTokenForRepo. This is the per-request hot path — there is no code-splitting rationale for a dynamic import here, and it adds unnecessary latency on every token lookup. Move it to a top-level static import:

import { decryptWithSymmetricKey } from '@kilocode/encryption';

Remove the await import(...) call and use the function directly.

---

🔴 Issue 2 — Token redaction missing in logged GitHub error response

File: apps/web/src/routers/github-apps-router.ts, in disconnectUserIdentity

The error log at body: await response.text() logs the raw GitHub API error response without applying redactGitHubTokens. The redactGitHubTokens utility was added in this very PR to prevent ghu_/ghr_ tokens from appearing in logs. Apply it here to be consistent with that intent:

import { redactGitHubTokens } from '@kilocode/worker-utils/redact-headers';

// ...in the error handler:
console.error('Failed to revoke GitHub authorization:', {
  status: response.status,
  body: redactGitHubTokens(await response.text()),
});

---

🟡 Minor note — Feature-gate not applied to query/mutation endpoints

getUserConnectionStatus and disconnectUserIdentity are accessible to any authenticated user regardless of the ENABLE_GITHUB_USER_TOKENS flag (only connectUserIdentity checks the gate). The UI card is correctly gated, so this is not a security issue — but it is inconsistent. Consider adding the same guard to disconnectUserIdentity at minimum, so a user cannot disconnect a token via the API on an instance where the feature is disabled.

[kilo-code-bot]

Refinery Code Review

Three issues found. One is a clear code quality problem (must fix); two are minor MVP tradeoffs documented here for follow-up.

---

🔴 Must Fix — Dynamic import() in hot path

File: services/git-token-service/src/user-github-token-service.ts (~line 92 / the getUserTokenForRepo method)

decryptWithSymmetricKey is imported with await import('@kilocode/encryption') inside getUserTokenForRepo(), which is invoked on every token resolution. All other dependencies in the file are static top-level imports. The dynamic import adds unnecessary module-evaluation latency on the first call and makes the dependency implicit. Replace with a static import:

import { decryptWithSymmetricKey } from '@kilocode/encryption';

---

🟡 Minor — Transient API errors mis-classified as no_repo_access

File: services/git-token-service/src/user-github-token-service.ts (~line 119 / non-404 branch in the repo access check)

When octokit.rest.repos.get() throws with a non-404 status (e.g. 403 rate-limit, 5xx, network timeout), the code returns { ok: false, reason: 'no_repo_access' }. This mis-classifies transient errors as a permanent access denial — callers cannot distinguish rate-limit/5xx from genuine 404. For MVP the fallback to the app token is safe, but consider returning a distinct reason (e.g. 'api_error') for non-404/non-403 failures.

---

🟡 Minor — window.confirm() for destructive disconnect action

File: apps/web/src/components/integrations/GitHubIntegrationDetails.tsx (~line 436 / handleDisconnectUser)

confirm() blocks the main thread, is unstyled, and can be silently suppressed in iframe/embedded contexts. Prefer a two-step button pattern or a shadcn AlertDialog. Low priority given the feature-flag gate, but worth fixing before GA.

[kilo-code-bot]

Two env-var documentation issues that will cause silent failures or confuse local dev setup. No logic or security bugs found in the core implementation — the OAuth flow, encryption, GDPR handling, token refresh fallback, and feature gating all look correct.

[kilo-code-bot]

Refinery Code Review

The implementation is solid overall — the OAuth HMAC-signed state, token encryption, GDPR coverage, feature gate, and fallback logic are all well done. Three issues to address before merging:

1. BLOCKING: Merge conflicts with main

The PR is currently in a CONFLICTING merge state (5+ commits behind main). It must be rebased onto main before this can land.

2. getUserConnectionStatus tRPC endpoint not gated by ENABLE_GITHUB_USER_TOKENS

connectUserIdentity correctly throws FORBIDDEN when ENABLE_GITHUB_USER_TOKENS is false, but getUserConnectionStatus has no such guard. When the feature is disabled, this endpoint still queries user_github_app_tokens and exposes connection metadata to the frontend. The UI client-side gate (enabled: isUserContext && !!enableUserTokens) is not a substitute for a server-side check.

File: apps/web/src/routers/github-apps-router.ts
Add the same guard as connectUserIdentity at the top of getUserConnectionStatus:

if (!ENABLE_GITHUB_USER_TOKENS) {
  return { connected: false as const, login: undefined, githubUserId: undefined };
}

3. Avatar <img> tag — use Next.js <Image> with a domain in remotePatterns

File: apps/web/src/components/integrations/GitHubIntegrationDetails.tsx
The connected user's avatar is rendered as a plain <img> tag pointing to https://github.com/${userConnectionStatus.login}.png?size=40. The github.com domain is not in remotePatterns in next.config.mjs. Either:

• Use https://avatars.githubusercontent.com/${userConnectionStatus.login}?size=40 (this domain is already in remotePatterns) together with Next.js <Image>, or
• Add github.com to remotePatterns and switch to <Image>.

---

Items 2 and 3 need to be fixed. Item 1 (merge conflict) must be resolved to unblock merge.

[kilo-code-bot]

Refinery code review passed. All quality gates pass.

Review summary:

• All prior review round issues have been addressed: log injection fix for errorDescription (sanitized before logging), as cast cleanup in getOctokitStatus, missing env vars in .env.development.local.example, and identityKiloUserId now correctly forwarded in both startPreparationAsync and stub.prepare calls.
• OAuth state HMAC-signing, TTL verification, and open-redirect protection in safeReturnTo are correctly implemented.
• Token encryption (AES-256-GCM via encryptWithSymmetricKey) and onConflictDoUpdate upsert logic in the callback route are correct.
• GDPR coverage: user_github_app_tokens rows are deleted in softDeleteUser with a test asserting scoped deletion.
• Feature gate (ENABLE_GITHUB_USER_TOKENS) is false by default in all wrangler.jsonc configs — safe to merge without activating.
• UserGitHubTokenService uses the same per-entrypoint-instance lazy db client pattern as InstallationLookupService — no module-scope client caching.
• KV repo-access cache with a 5-minute TTL avoids per-request GitHub API calls.
• buildGitAuthor correctly falls back to the GitHub noreply address when the user's email is null.

[kilo-code-bot]

Refinery code review passed. All quality gates pass.

Code review summary:

• DB schema (): Well-structured with composite unique index on , FK cascade delete, and appropriate enum types. Migration is generated (not hand-written). ✅
• OAuth state (): HMAC-SHA256 signed, TTL-bounded, nonce-protected, prevents open-redirect. ✅
• Callback route: Log injection via was flagged and fixed (sanitized via ). State is verified before error handling so a returnTo path is always available. ✅
• tRPC router: properly creates a signed state and builds the GitHub authorize URL. only returns login/userId, never the token. revokes the grant on GitHub before deleting the local row, with best-effort semantics (continues on error). ✅
• Worker service (): lazy-init is per-instance (WorkerEntrypoint constructor), not module-scope — correct per the Workers best-practices rules. The cast after the guard was cleaned up from the prior double-cast. ✅
• ****: Added to worker-utils to scrub / tokens from logs. ✅
• GDPR: is deleted in with a corresponding test. ✅
• Feature gate: gates the connect flow; and intentionally remain ungated to support cleanup. ✅
• Tests: Comprehensive coverage across oauth-state, callback route, tRPC router, session-prepare gateway logic, and GDPR delete flow. ✅

Blocker: merge conflicts. The branch is currently with main (). The branch needs to be rebased onto main before it can merge. The conflicts appear to be in the pnpm lockfile and migration journal based on git history divergence. No code issues require a rework — the rebase is the only remaining action.

[kilo-code-bot]

Refinery code review passed. All quality gates pass.

Code review summary:

• DB schema (user_github_app_tokens): Well-structured with composite unique index, FK cascade delete, and appropriate enum types. Migration is generated. ✅
• OAuth state (oauth-state.ts): HMAC-SHA256 signed, TTL-bounded, nonce-protected, safeReturnTo prevents open-redirect. ✅
• Callback route: Log injection via errorDescription was flagged and fixed (sanitized via sanitizeForLog). State is verified before error handling so a returnTo path is always available. ✅
• tRPC router: connectUserIdentity properly creates a signed state and builds the GitHub authorize URL. getUserConnectionStatus only returns login/userId, never the token. disconnectUserIdentity revokes the grant on GitHub before deleting the local row, with best-effort semantics. ✅
• Worker service (UserGitHubTokenService): this.db lazy-init is per-instance (WorkerEntrypoint constructor), not module-scope — correct per Workers best-practices rules. The double as-cast was cleaned up. ✅
• redactGitHubTokens added to worker-utils to scrub ghu_/ghr_ tokens from logs. ✅
• GDPR: user_github_app_tokens is deleted in softDeleteUser with a corresponding test. ✅
• Feature gate: ENABLE_GITHUB_USER_TOKENS gates the connect flow; getUserConnectionStatus and disconnectUserIdentity intentionally remain ungated to support cleanup. ✅
• Tests: Comprehensive coverage across oauth-state, callback route, tRPC router, session-prepare gateway logic, and GDPR delete flow. ✅

Blocker: merge conflicts. The branch is currently CONFLICTING with main (mergeStateStatus: DIRTY). The branch needs to be rebased onto main before it can merge. No code issues require a rework — the rebase is the only remaining action.

[kilo-code-bot]

Refinery code review passed. All quality gates pass.

All previously raised issues have been addressed:

• Log injection via user-controlled error_description → fixed with sanitizeForLog
• Double as cast in user-github-token-service.ts → reduced to a single targeted cast with proper narrowing
• identityKiloUserId not forwarded to startPreparationAsync (the main correctness bug) → fixed at session-prepare.ts:433-434
• Missing env vars in .env.development.local.example → both GITHUB_OAUTH_STATE_SECRET and ENABLE_GITHUB_USER_TOKENS are present
• GDPR soft-delete coverage → user_github_app_tokens rows deleted in softDeleteUser with a test

Core implementation is sound: OAuth state is HMAC-signed with TTL, tokens are AES-256-GCM encrypted at rest, repo access is KV-cached, the feature is off by default, and the mid-session fallback to app token is graceful.