Wrap the bot.webhooks.github call in after() with try/catch so unhandled exceptions from the chat adapter are surfaced to Sentry instead of being silently dropped.
Replace the manual last-page / previous-page pagination dance with a single octokit call using sort=created&direction=desc. GitHub already supports returning the newest comments first, so one request suffices.
The review-thread context helper previously paged through every review comment on the pull request with no upper bound. For PRs with thousands of review comments this produced a long cascade of API calls on every bot mention. Cap at 500 comments (5 pages of 100) and log when the cap is reached so we can spot pathological PRs.
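The two pagination changes above (newest-first sorting and the 500-comment cap), as an added example that is not the project's own code. `listPage` stands in for an Octokit call such as `octokit.pulls.listReviewComments({ sort: "created", direction: "desc", per_page, page })`; `makeFakeListPage` is a constructed stand-in so the example runs offline, and the `log` callback is an assumption about how the cap would be reported.

```javascript
// Added example, not the project's own code: fetch the newest review comments
// on a pull request with a hard cap on the number of pages requested.
// `listPage` stands in for an Octokit call such as
//   octokit.pulls.listReviewComments({ owner, repo, pull_number,
//     sort: "created", direction: "desc", per_page, page })
// `makeFakeListPage` is a constructed stand-in so the example runs offline.

const PER_PAGE = 100;
const MAX_COMMENTS = 500; // 5 pages of 100, the cap from the commit message

// Collects review comments newest-first and stops once `maxComments` have been
// gathered. Returns the comments, the number of API requests made and whether
// the cap ended the walk, so pathological PRs can be logged and spotted.
async function collectRecentReviewComments(listPage, options = {}) {
  const { perPage = PER_PAGE, maxComments = MAX_COMMENTS, log = console.warn } = options;
  const comments = [];
  let requests = 0;
  let capped = false;

  while (comments.length < maxComments) {
    requests += 1;
    const page = await listPage({ per_page: perPage, page: requests, sort: "created", direction: "desc" });
    comments.push(...page);
    if (page.length < perPage) break; // short page: no more comments on the PR
    if (comments.length >= maxComments) {
      capped = true; // there may be more; we deliberately stop here
      log(`review-comment context capped at ${maxComments} after ${requests} requests`);
    }
  }
  return { comments: comments.slice(0, maxComments), requests, capped };
}

// Single-request replacement for the old last-page/previous-page walk: with
// sort=created&direction=desc the first item of page 1 is the newest comment.
async function latestReviewComment(listPage) {
  const [newest] = await listPage({ per_page: 1, page: 1, sort: "created", direction: "desc" });
  return newest ?? null;
}

// Constructed stand-in for the API: `total` comments with ids 1..total, a
// higher id being newer, served newest-first in pages as GitHub would.
function makeFakeListPage(total) {
  const all = [];
  for (let id = total; id >= 1; id -= 1) all.push({ id, body: `comment ${id}` });
  return async ({ per_page, page }) => all.slice((page - 1) * per_page, page * per_page);
}

// Demo: a PR with 1,200 review comments is served in 5 requests and capped.
collectRecentReviewComments(makeFakeListPage(1200)).then((r) =>
  console.log(`fetched ${r.comments.length} comments in ${r.requests} requests, capped=${r.capped}`)
);
```

The cap flag is set when the walk fills the last allowed page, so a PR with exactly 500 comments also reports `capped=true`; distinguishing that case would cost one more request, which is the call the cap exists to avoid.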
Both /github/link and the bot-link branch of the GitHub App callback were hard-coded to 'standard' credentials, so account linking would fail for installations of the lite app. Look up the integration by installation_id and pick credentials / exchange the OAuth code using its stored github_app_type.
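The credential lookup described above, as an added example that is not the project's own code. The `installation_id` and `github_app_type` field names come from the commit message; the integration rows, credential values and the `credentialsHardcoded` "before" function are constructed for the example, and the token-exchange request targets GitHub's documented OAuth web-flow endpoint.

```javascript
// Added example, not the project's own code: choose GitHub App credentials for
// an account-link request by the installation that sent it, instead of always
// using the 'standard' app. Integration rows and credential values below are
// constructed placeholders.

const APP_CREDENTIALS = {
  standard: { clientId: "standard-client-id-placeholder", clientSecret: "standard-secret-placeholder" },
  lite: { clientId: "lite-client-id-placeholder", clientSecret: "lite-secret-placeholder" },
};

// Constructed rows shaped like the stored integrations the commit message refers to.
const INTEGRATIONS = [
  { id: "int-1", installation_id: 1001, github_app_type: "standard" },
  { id: "int-2", installation_id: 2002, github_app_type: "lite" },
];

// Before: the app type was fixed, so a lite installation exchanged its code
// with the standard app's client_id/secret and the exchange failed.
function credentialsHardcoded() {
  return APP_CREDENTIALS.standard;
}

// After: find the integration by installation_id and use its stored app type.
function credentialsForInstallation(installationId, integrations = INTEGRATIONS, credentials = APP_CREDENTIALS) {
  const integration = integrations.find((i) => i.installation_id === installationId);
  if (!integration) throw new Error(`unknown installation_id ${installationId}`);
  const creds = credentials[integration.github_app_type];
  if (!creds) throw new Error(`no credentials configured for app type '${integration.github_app_type}'`);
  return { integration, credentials: creds };
}

// Builds the OAuth web-flow token exchange request
// (POST https://github.com/login/oauth/access_token) with the right app's
// credentials. The secret travels in the JSON body, never in the URL.
function buildOAuthExchange(installationId, code) {
  if (typeof code !== "string" || code.length === 0) throw new Error("missing OAuth code");
  const { integration, credentials } = credentialsForInstallation(installationId);
  return {
    url: "https://github.com/login/oauth/access_token",
    method: "POST",
    headers: { Accept: "application/json", "Content-Type": "application/json" },
    body: { client_id: credentials.clientId, client_secret: credentials.clientSecret, code },
    appType: integration.github_app_type,
  };
}
```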
| const [platformIntegration, kiloUserId] = await Promise.all([ | ||
| getPlatformIntegration(identity), | ||
| resolveKiloUserId(chatBot.getState(), identity), | ||
| resolveKiloUserId(chatBot.getState(), userIdentity), |
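Review bot: the two lookups in this Promise.all now key on different identities: getPlatformIntegration still takes identity while resolveKiloUserId switched to userIdentity, so nothing in this hunk ties the resolved kiloUserId to the platformIntegration returned beside it. Suggest an explicit authorization step once Promise.all resolves (the user owns the integration, or is a member of its owning org) before either value is passed on, and a comment at the call site saying where userIdentity is derived from, since that is not visible here.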
WARNING: GitHub user links bypass per-installation access checks
GitHub links are now resolved with a global user-level identity, so once a GitHub account is linked through one installation, the same kiloUserId is accepted for mentions in any other GitHub installation before verifying that the Kilo user can access that integration owner. processLinkedMessage then runs with the target platformIntegration and org headers, which can let a user trigger work scoped/billed to an org they are not a Kilo member of. Please re-check org membership or user ownership for the resolved user against platformIntegration before processing the message.
Code Review Summary
Status: 1 Issue Found | Recommendation: Address before merge
Issue Details: WARNING (see above)
Other Observations (not in diff): issues found in unchanged code that cannot receive inline comments
Files Reviewed (26 files)
Reviewed by gpt-5.5-20260423 · 3,282,191 tokens
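The access check the review comment asks for, as an added example that is not the project's own code. The field names (`ownerType`, `ownerId`, the `memberships` list), the fixtures and the stand-in `processLinkedMessage` handler are assumptions about the data model; the shape of `handleMention` mirrors the reviewed Promise.all snippet.

```javascript
// Added example, not the project's own code: before handling a bot mention,
// check that the Kilo user resolved from a GitHub link may act on the
// installation the mention came from. Field names and fixtures below are
// constructed assumptions about the data model.

// Constructed fixtures: two installations owned by different Kilo orgs and one
// owned directly by a user. user-7 is a member of org-1 only.
const PLATFORM_INTEGRATIONS = {
  "inst-a": { id: "inst-a", ownerType: "organization", ownerId: "org-1" },
  "inst-b": { id: "inst-b", ownerType: "organization", ownerId: "org-2" },
  "inst-c": { id: "inst-c", ownerType: "user", ownerId: "user-7" },
};
const ORG_MEMBERSHIPS = [{ userId: "user-7", orgId: "org-1" }];

// Decides whether `kiloUserId` may trigger work scoped to `integration`.
// A link established through one installation grants nothing elsewhere: the
// check is repeated against the integration that received the mention.
function canUserAccessIntegration(kiloUserId, integration, memberships = ORG_MEMBERSHIPS) {
  if (!kiloUserId || !integration) return { allowed: false, reason: "unresolved user or integration" };
  if (integration.ownerType === "user") {
    return integration.ownerId === kiloUserId
      ? { allowed: true, reason: "owner" }
      : { allowed: false, reason: "not the owner" };
  }
  if (integration.ownerType === "organization") {
    const member = memberships.some((m) => m.userId === kiloUserId && m.orgId === integration.ownerId);
    return member
      ? { allowed: true, reason: "org member" }
      : { allowed: false, reason: `not a member of ${integration.ownerId}` };
  }
  return { allowed: false, reason: `unknown owner type ${integration.ownerType}` };
}

// Mirrors the reviewed snippet: resolve both values, then gate the org-scoped
// work on the access decision before the handler runs with org headers.
async function handleMention({ installationId, kiloUserId }, processLinkedMessage) {
  const [platformIntegration, userId] = await Promise.all([
    Promise.resolve(PLATFORM_INTEGRATIONS[installationId] ?? null),
    Promise.resolve(kiloUserId),
  ]);
  const decision = canUserAccessIntegration(userId, platformIntegration);
  if (!decision.allowed) return { processed: false, reason: decision.reason };
  await processLinkedMessage(platformIntegration, userId);
  return { processed: true, reason: decision.reason };
}
```

The denied branch returns before `processLinkedMessage` is called, so a link created through one installation cannot be replayed against an installation whose owning org the user does not belong to.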
Summary
Verification
N/A (no manual verification performed).
Visual Changes
N/A
Reviewer Notes
pull_request webhook path.