refactor(cloud-agent-next): migrate to git-token-service RPC

Replace the in-worker GitHubTokenService and InstallationLookupService
with calls to the shared git-token-service Worker via a GIT_TOKEN_SERVICE
service binding, and drop the now-redundant token fetching in the web
app routers.

- Wire GIT_TOKEN_SERVICE binding in wrangler.jsonc; drop GITHUB_APP_ID,
  GITHUB_LITE_APP_ID, and GITHUB_TOKEN_CACHE KV bindings. Restore the
  HYPERDRIVE binding for an upcoming feature.
- Resolve GitHub tokens for repo + managed GitLab tokens through a new
  shared helper (src/services/git-token-service-client.ts) used from
  both session-prepare and async-preparation paths.
- Persist gitlabTokenManaged in session metadata so the DO can refresh
  GitLab tokens on startExecutionV2 via refreshManagedGitLabToken.
  Successful refreshes are persisted via updateGitToken so later
  transient failures fall back to the last-known working token instead
  of the stale prepare-time token. Treat gitlabTokenManaged ===
  undefined as managed for backwards compatibility with pre-existing
  sessions.
- Fail closed on GitLab access revocation: no_integration_found and
  invalid_org_id reasons throw BAD_REQUEST at session prepare and
  startExecutionV2 instead of falling back to the stored token, so the
  session cannot keep using a managed token after the integration or
  org access was removed. Transient failures retain the last-known
  token fallback.
- Parameterize DurableObject<WorkerEnv> on the base class, removing 28
  'as unknown as WorkerEnv' casts in CloudAgentSession and aligning
  with the rest of the repo's DO pattern.
- Extract cloudflare-git-token-service into a standalone
  'git-token-service' dev group shared by cloud-agent, app-builder, and
  gastown. Switch its dev script to 'wrangler dev --env dev' so the
  locally-running worker is named 'git-token-service-dev', matching
  what cloud-agent-next and the security workers reference in their
  dev service bindings.
- Web routers (personal + org) no longer fetch GitHub/GitLab tokens
  for prepareSession/sendMessage — cloud-agent-next handles token
  resolution and refresh centrally.

Author: eshurakov

apps/web/src/routers/cloud-agent-next-router.ts

@@ -10,12 +10,8 @@ import {
   mergeProfileConfiguration,
   ProfileNotFoundError,
 } from '@/lib/agent/profile-session-config';
+import { fetchGitHubRepositoriesForUser } from '@/lib/cloud-agent/github-integration-helpers';
 import {
-  getGitHubTokenForUser,
-  fetchGitHubRepositoriesForUser,
-} from '@/lib/cloud-agent/github-integration-helpers';
-import {
-  getGitLabTokenForUser,
   getGitLabInstanceUrlForUser,
   buildGitLabCloneUrl,
   fetchGitLabRepositoriesForUser,
@@ -80,28 +76,19 @@ export const cloudAgentNextRouter = createTRPCRouter({
           setupCommands,
         });
 
-        // Determine git source: GitLab uses gitUrl/gitToken, GitHub uses githubRepo/githubToken
+        // Determine git source: GitLab uses gitUrl, GitHub uses githubRepo.
+        // Tokens are resolved inside cloud-agent-next via GIT_TOKEN_SERVICE.
         let gitParams: {
           githubRepo?: string;
           gitUrl?: string;
-          gitToken?: string;
           platform?: 'github' | 'gitlab';
         };
 
         if (gitlabProject) {
-          // GitLab flow: convert gitlabProject to gitUrl + gitToken
-          const gitToken = await getGitLabTokenForUser(ctx.user.id);
-          if (!gitToken) {
-            throw new TRPCError({
-              code: 'BAD_REQUEST',
-              message: 'No GitLab integration found. Please connect your GitLab account first.',
-            });
-          }
           const instanceUrl = await getGitLabInstanceUrlForUser(ctx.user.id);
           const gitUrl = buildGitLabCloneUrl(gitlabProject, instanceUrl);
-          gitParams = { gitUrl, gitToken, platform: PLATFORM.GITLAB };
+          gitParams = { gitUrl, platform: PLATFORM.GITLAB };
         } else {
-          // GitHub flow: use githubRepo (token will be fetched in cloud-agent-next)
           gitParams = { githubRepo, platform: PLATFORM.GITHUB };
         }
 
@@ -163,29 +150,10 @@ export const cloudAgentNextRouter = createTRPCRouter({
       const authToken = generateCloudAgentToken(ctx.user);
       const client = createCloudAgentNextClient(authToken);
 
-      // Determine platform to fetch the correct token
-      const session = await client.getSession(input.cloudAgentSessionId);
-      let githubToken: string | undefined;
-      let gitToken: string | undefined;
-
-      if (session.platform === 'gitlab') {
-        gitToken = await getGitLabTokenForUser(ctx.user.id);
-        if (!gitToken) {
-          throw new TRPCError({
-            code: 'BAD_REQUEST',
-            message: 'No GitLab integration found. Please connect your GitLab account first.',
-          });
-        }
-      } else {
-        githubToken = await getGitHubTokenForUser(ctx.user.id);
-      }
-
+      // Tokens are refreshed inside cloud-agent-next (GitHub App installation
+      // for GitHub, GIT_TOKEN_SERVICE for managed GitLab).
       try {
-        return await client.sendMessage({
-          ...input,
-          githubToken,
-          gitToken,
-        });
+        return await client.sendMessage(input);
       } catch (error) {
         rethrowAsPaymentRequired(error);
         throw error;

apps/web/src/routers/organizations/organization-cloud-agent-next-router.ts

@@ -14,12 +14,8 @@ import {
   organizationMemberProcedure,
   organizationMemberMutationProcedure,
 } from '@/routers/organizations/utils';
+import { fetchGitHubRepositoriesForOrganization } from '@/lib/cloud-agent/github-integration-helpers';
 import {
-  getGitHubTokenForOrganization,
-  fetchGitHubRepositoriesForOrganization,
-} from '@/lib/cloud-agent/github-integration-helpers';
-import {
-  getGitLabTokenForOrganization,
   getGitLabInstanceUrlForOrganization,
   buildGitLabCloneUrl,
   fetchGitLabRepositoriesForOrganization,
@@ -141,28 +137,19 @@ export const organizationCloudAgentNextRouter = createTRPCRouter({
           setupCommands,
         });
 
-        // Determine git source: GitLab uses gitUrl/gitToken, GitHub uses githubRepo
+        // Determine git source: GitLab uses gitUrl, GitHub uses githubRepo.
+        // Tokens are resolved inside cloud-agent-next via GIT_TOKEN_SERVICE.
         let gitParams: {
           githubRepo?: string;
           gitUrl?: string;
-          gitToken?: string;
           platform?: 'github' | 'gitlab';
         };
 
         if (gitlabProject) {
-          // GitLab flow: convert gitlabProject to gitUrl + gitToken
-          const gitToken = await getGitLabTokenForOrganization(organizationId);
-          if (!gitToken) {
-            throw new TRPCError({
-              code: 'BAD_REQUEST',
-              message: 'No GitLab integration found. Please connect your GitLab account first.',
-            });
-          }
           const instanceUrl = await getGitLabInstanceUrlForOrganization(organizationId);
           const gitUrl = buildGitLabCloneUrl(gitlabProject, instanceUrl);
-          gitParams = { gitUrl, gitToken, platform: PLATFORM.GITLAB };
+          gitParams = { gitUrl, platform: PLATFORM.GITLAB };
         } else {
-          // GitHub flow: use githubRepo (token will be fetched in cloud-agent-next)
           gitParams = { githubRepo, platform: PLATFORM.GITHUB };
         }
 
@@ -226,30 +213,19 @@ export const organizationCloudAgentNextRouter = createTRPCRouter({
       const authToken = generateCloudAgentToken(ctx.user);
       const client = createCloudAgentNextClient(authToken);
 
-      const { organizationId, ...messageInput } = input;
-
-      // Determine platform to fetch the correct token
-      const session = await client.getSession(messageInput.cloudAgentSessionId);
-      let githubToken: string | undefined;
-      let gitToken: string | undefined;
-
-      if (session.platform === 'gitlab') {
-        gitToken = await getGitLabTokenForOrganization(organizationId);
-        if (!gitToken) {
-          throw new TRPCError({
-            code: 'BAD_REQUEST',
-            message: 'No GitLab integration found. Please connect your GitLab account first.',
-          });
-        }
-      } else {
-        githubToken = await getGitHubTokenForOrganization(organizationId);
-      }
-
+      // Tokens are refreshed inside cloud-agent-next (GitHub App installation
+      // for GitHub, GIT_TOKEN_SERVICE for managed GitLab). organizationId is
+      // consumed by the membership middleware; it is not forwarded.
       try {
         return await client.sendMessage({
-          ...messageInput,
-          githubToken,
-          gitToken,
+          cloudAgentSessionId: input.cloudAgentSessionId,
+          prompt: input.prompt,
+          mode: input.mode,
+          model: input.model,
+          variant: input.variant,
+          autoCommit: input.autoCommit,
+          messageId: input.messageId,
+          images: input.images,
         });
       } catch (error) {
         rethrowAsPaymentRequired(error);

dev/local/services.ts

@@ -15,11 +15,22 @@ type ServiceGroup = {
 
 const groups: ServiceGroup[] = [
   { id: 'core', label: 'Core', alwaysOn: true },
-  { id: 'kiloclaw', label: 'KiloClaw', alwaysOn: false, sectionBreakBefore: true },
-  { id: 'cloud-agent', label: 'Cloud Agent', alwaysOn: false },
+  {
+    id: 'git-token-service',
+    label: 'Git Tokens',
+    alwaysOn: false,
+    sectionBreakBefore: true,
+  },
+  { id: 'kiloclaw', label: 'KiloClaw', alwaysOn: false },
+  {
+    id: 'cloud-agent',
+    label: 'Cloud Agent',
+    alwaysOn: false,
+    groupDependsOn: ['git-token-service'],
+  },
   { id: 'code-review', label: 'Code Review', alwaysOn: false, groupDependsOn: ['cloud-agent'] },
   { id: 'app-builder', label: 'App Builder', alwaysOn: false, groupDependsOn: ['cloud-agent'] },
-  { id: 'gastown', label: 'Gastown', alwaysOn: false },
+  { id: 'gastown', label: 'Gastown', alwaysOn: false, groupDependsOn: ['git-token-service'] },
   {
     id: 'auto-triage',
     label: 'Auto Triage',
@@ -59,7 +70,7 @@ const serviceMeta: Record<string, ServiceMeta> = {
   // cloud-agent
   'cloud-agent-next': {
     group: 'cloud-agent',
-    dependsOn: ['postgres', 'nextjs', 'cloudflare-session-ingest'],
+    dependsOn: ['postgres', 'nextjs', 'cloudflare-session-ingest', 'cloudflare-git-token-service'],
     dir: 'services/cloud-agent-next',
     useLanIp: true,
   },
@@ -73,6 +84,12 @@ const serviceMeta: Record<string, ServiceMeta> = {
     dependsOn: ['postgres'],
     dir: 'services/session-ingest',
   },
+  // git-token-service (shared by cloud-agent, app-builder, gastown)
+  'cloudflare-git-token-service': {
+    group: 'git-token-service',
+    dependsOn: ['postgres'],
+    dir: 'services/git-token-service',
+  },
   // app-builder
   'app-builder-tunnel': { group: 'app-builder', dependsOn: [] },
   'cloudflare-app-builder': {
@@ -86,11 +103,6 @@ const serviceMeta: Record<string, ServiceMeta> = {
     dependsOn: ['postgres'],
     dir: 'services/db-proxy',
   },
-  'cloudflare-git-token-service': {
-    group: 'app-builder',
-    dependsOn: ['postgres'],
-    dir: 'services/git-token-service',
-  },
   // code-review
   'cloudflare-code-review-infra': {
     group: 'code-review',

pnpm-lock.yaml

@@ -49,22 +49,7 @@ PER_SESSION_SANDBOX_ORG_IDS=
 GITHUB_APP_SLUG=kiloconnect-development
 GITHUB_APP_BOT_USER_ID=242397087
 
-# GitHub App credentials for generating installation access tokens
-# Used by GitHubTokenService to authenticate with GitHub API on behalf of app installations
-# GITHUB_APP_ID: The numeric App ID from GitHub App settings
-# GITHUB_APP_PRIVATE_KEY: The raw PKCS#8 private key (use \n for newlines in env var)
-# Note that the nextjs app uses PKCS#1 but the worker uses WebCrypto and requires a PKCS#8
-GITHUB_APP_ID=2245043
-# @pkcs8
-GITHUB_APP_PRIVATE_KEY=
-
-# GitHub Lite App credentials (for OSS organizations with read-only permissions)
-# Same format as standard app credentials above
-GITHUB_LITE_APP_ID=
-# @pkcs8
-GITHUB_LITE_APP_PRIVATE_KEY=
-
-# GitHub Lite App slug and bot user ID for git commit attribution (optional)
+# GitHub Lite App identity for git commit attribution on OSS organizations (optional)
 GITHUB_LITE_APP_SLUG=
 GITHUB_LITE_APP_BOT_USER_ID=
 

services/cloud-agent-next/.dev.vars.example

@@ -4,7 +4,7 @@ This file provides guidance to AI coding agents working in this repository.
 
 ## Project Overview
 
-Cloudflare Worker that powers Kilocode Cloud Agents. It exposes a tRPC API for session preparation and execution, streams output over WebSockets, and runs the Kilocode CLI inside Cloudflare Sandbox containers. Durable Objects track sessions; Hyperdrive is used for Postgres lookups (for example, GitHub App installation IDs). The wrapper in `wrapper/` is a core component that brokers Kilocode CLI events into the worker’s `/ingest` WebSocket and handles job lifecycle.
+Cloudflare Worker that powers Kilocode Cloud Agents. It exposes a tRPC API for session preparation and execution, streams output over WebSockets, and runs the Kilocode CLI inside Cloudflare Sandbox containers. Durable Objects track sessions; git tokens (GitHub App installation tokens, managed GitLab tokens) are resolved via the shared `git-token-service` Worker. The wrapper in `wrapper/` is a core component that brokers Kilocode CLI events into the worker’s `/ingest` WebSocket and handles job lifecycle.
 
 ## Development Commands
 
@@ -108,7 +108,7 @@ This pattern blocks API endpoints from running for external contributors who don
 - `src/persistence/` - Durable Object schema + migrations
 - `src/websocket/` - WebSocket ingest + filters
 - `src/utils/` - Shared helpers (encryption, retries, SQL helpers)
-- `wrangler.jsonc` - Bindings: R2, Hyperdrive, KV, queues, containers
+- `wrangler.jsonc` - Bindings: R2, Hyperdrive, queues, containers, service bindings (`SESSION_INGEST`, `GIT_TOKEN_SERVICE`)
 - `vitest.config.ts` - Unit test config
 - `vitest.workers.config.ts` - Integration test config
 - `wrapper/` - Wrapper build shipped into the sandbox

services/cloud-agent-next/AGENTS.md

@@ -832,28 +832,21 @@ This enables:
 
 #### GitHub App Token Generation
 
-For V2 routes (`sendMessageV2`, `initiateFromKilocodeSessionV2`), the cloud-agent generates GitHub App installation tokens on-demand.
+For V2 routes (`sendMessageV2`, `initiateFromKilocodeSessionV2`), the cloud-agent resolves GitHub App installation tokens via the shared `git-token-service` Worker (`GIT_TOKEN_SERVICE` service binding).
 
 **How it works:**
 
-1. **Automatic installation lookup**: The worker automatically looks up the GitHub App installation ID from the database via Hyperdrive. The lookup verifies the user has access to the repository's organization.
-2. **On-demand token generation**: When execution starts, `GitHubTokenService` generates a fresh token using `@octokit/auth-app`
-3. **KV caching**: Tokens are cached in Cloudflare KV with 30-minute TTL (tokens valid for 1 hour)
-4. **Cache key format**: `github-token:installation:{installationId}`
+1. **Delegated resolution**: The worker calls `git-token-service` RPC (see `src/services/git-token-service-client.ts`) to look up the installation ID for the repo and mint an installation access token. Token caching and GitHub App credentials live in `git-token-service`.
+2. **Managed GitLab tokens**: The same client resolves and refreshes managed GitLab tokens; `gitlabTokenManaged` is persisted in session metadata so the session DO can refresh it on `startExecutionV2`.
 
 **Configuration:**
 
-The worker requires these environment variables:
-
-- `GITHUB_APP_ID`: GitHub App ID (configured in `wrangler.jsonc`)
-- `GITHUB_APP_PRIVATE_KEY`: RSA private key for the GitHub App (set via `wrangler secret put`)
-- `GITHUB_TOKEN_CACHE`: KV namespace binding for token caching
-- `HYPERDRIVE`: Hyperdrive binding for database access (installation ID lookup)
+- `GIT_TOKEN_SERVICE`: service binding to the `git-token-service` Worker (prod) / `git-token-service-dev` (dev). Configured in `wrangler.jsonc`.
+- `GITHUB_APP_SLUG` / `GITHUB_APP_BOT_USER_ID` (and the Lite equivalents): used only for git commit author attribution — not for token generation.
 
 **Benefits:**
 
-- No need to pass `githubInstallationId` — automatically resolved from database
-- Tokens generated closer to where they're used (reduced latency)
+- No need to pass `githubInstallationId` — resolved centrally by `git-token-service`
+- GitHub App credentials and token cache kept in a single shared Worker
 - Fresh tokens on-demand rather than at session start
-- Rate limit protection via KV caching
 - No token expiry issues during long sessions

services/cloud-agent-next/README.md

@@ -29,10 +29,8 @@
   "dependencies": {
     "@cloudflare/sandbox": "0.8.9",
     "@hono/trpc-server": "^0.4.2",
-    "@kilocode/db": "workspace:*",
     "@kilocode/encryption": "workspace:*",
     "@kilocode/worker-utils": "workspace:*",
-    "@octokit/auth-app": "catalog:",
     "@trpc/server": "catalog:",
     "drizzle-orm": "catalog:",
     "hono": "catalog:",