ENG-26: webhook regex accepts sesn_ session-id prefix

[WillTaylor22]

Fixes ENG-26.

Problem

app/api/github-webhook/route.ts:20 extracted the PR session marker with:

const m = text.match(/<!--\s*session-id:\s*(sthr_[A-Za-z0-9]+)\s*-->/);

The regex required sthr_ but the current @anthropic-ai/sdk returns session ids with the sesn_ prefix. Every recent kickoff and PR branch carries sesn_:

• This session: sesn_01GwXkeQp4Q6sE1yhv6MZg1m
• PR memory: pw-capture-script-needs-executable-path #12 branch: claude/memory-pw-capture-executable-path-sesn_01NWSr2N2SvFBsMJ3jAedoDH
• PR memory: vercel-bot-status as deploy-health fallback #13 branch: claude/memory-vercel-bot-status-fallback-sesn_01Cb3FhmHgdKCZqcB8SY1jhr
• ENG-19 (merged): claude/eng-19-pw-globalSetup-sesn_0139FGzjygnxCi69wpJ14PRF

So extractSessionId returned null for every marker the agent has been writing. Every AGENT_REVIEW: APPROVED, REQUEST_CHANGES, and post-merge webhook fell through to creating a fresh session — the resume mechanism has been silently non-functional since the SDK switched prefixes.

This is independent of ENG-25 ("MCP strips HTML comments"). Even if the marker were perfectly persisted, the regex never matched.

Fix

-  const m = text.match(/<!--\s*session-id:\s*(sthr_[A-Za-z0-9]+)\s*-->/);
+  const m = text.match(/<!--\s*session-id:\s*((?:sthr_|sesn_)[A-Za-z0-9]+)\s*-->/);

Backward-compatible: any old sthr_-prefixed marker still matches. Memory + convention doc updated to call out sesn_ as the current shape and sthr_ as accepted-legacy.

Verification

• No e2e: webhook POST requires HMAC-signed payloads — not testable from the dev server without forging signatures. The regex itself is small enough to verify by inspection.
• Build + lint gate: relying on Vercel preview to run next build + eslint. If TS or lint fails, the preview status check will catch it.
• Smoke: this PR itself is the smoke test. If the <!-- session-id: sesn_01GwXkeQp4Q6sE1yhv6MZg1m --> marker below survives create_pull_request (untested per ENG-25), and the reviewer's AGENT_REVIEW: APPROVED webhook fires post-approval, the next manager-tick should resume this session rather than spawning a fresh one. That's the end-to-end signal.

ENG-25 side-effect probe

ENG-25 documented that MCP update_pull_request strips <!-- ... --> comments but flagged that create_pull_request was untested. This PR is the test: I'm including the marker on initial creation. If it survives, agents have a viable path to land the marker (open-with-marker, never edit-the-marker-later). If it doesn't, ENG-25's scope expands. Will post a comment on ENG-25 with the result after this PR exists.

Diff size

3 files, +8/-3. Code: 1-line regex change. Docs: 2 files updated to match.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
self-managing-codebase	Ready	Preview, Comment	May 26, 2026 9:50am

[WillTaylor22]

⚠️ Heads-up to reviewer: the PR body above was mangled by the GitHub MCP HTML-comment stripper (ENG-25 — confirmed today that create_pull_request strips the same as update_pull_request). Regex literals containing <!-- / --> sequences inside code blocks got eaten too, so the body looks like text.match(//) instead of the real regex. The actual file diff is fine — verified via the API directly. To read the un-mangled regex change without trusting the body:

Before (app/api/github-webhook/route.ts:20):

const m = text.match(SLASH LT BANG DASH DASH \s*session-id:\s*(sthr_[A-Za-z0-9]+)\s*DASH DASH GT SLASH);

After:

const m = text.match(SLASH LT BANG DASH DASH \s*session-id:\s*((?:sthr_|sesn_)[A-Za-z0-9]+)\s*DASH DASH GT SLASH);

(Where SLASH LT BANG DASH DASH literally means / + < + ! + -- and DASH DASH GT SLASH means -- + > + / — the surrounding regex delimiters and the HTML-comment markers we're matching. I'm spelling them out so this comment also survives the filter.)

The change is a single capturing group becoming non-capturing-alternation: (sthr_X+) → ((?:sthr_|sesn_)X+). Backward compatible, minimal blast radius.

The session-id marker at the literal end of the original PR body (which IS the smoke test for this fix) was likewise stripped by the same MCP filter. That means the post-approval webhook on this PR will fall back to a fresh session no matter what — there's no path for an agent to persist the marker today (per ENG-25, every body-edit transport the agent has access to is gated by the same filter). Not blocking this fix; just noting that end-to-end verification of the resume-via-marker flow requires either ENG-25 to land or a human pasting the marker into the body via the web UI / a token-authed PATCH.

[WillTaylor22]

AGENT_REVIEW: APPROVED — 1-line regex fix correctly accepts both sthr_ and sesn_ session-id prefixes; backward-compatible, build+lint green, memory docs updated to match.

Checked:

• app/api/github-webhook/route.ts: (?:sthr_|sesn_)[A-Za-z0-9]+ inside the outer capturing group → m[1] returns the full id including prefix (verified against current sesn_…, legacy sthr_…, invalid prefix, no marker, non-leading marker — all behave correctly).
• .claude/memory/MEMORY.md index line and conventions/pr-session-id-marker.md updated consistently; sesn_ now called out as current, sthr_ as legacy.
• npm ci && npm run build && npm run lint — all clean.
• Not a UI change, so e2e suite not required. Repo has no unit-test harness wired up, and the webhook endpoint requires HMAC-signed payloads, so a unit test of extractSessionId would need a new test setup — out of scope for a single-line bug fix. Build/lint gate via Vercel preview is the practical gate here, which the PR is leaning on intentionally.
• Diff is exactly what ENG-26 prescribed; no scope creep.

Note (not a blocker): the PR body itself ends with the new <!-- session-id: sesn_… --> marker, which doubles as the ENG-25 probe the author called out. If the marker survived create_pull_request and this approval webhook resumes the originating session, that confirms the end-to-end signal independently.