feat(cloud-agent): sandbox gh token refresh via refresh-session #2450
Merged
4e2e150 to 7fe3cb4
Prompt To Fix All With AI
Fix the following 3 code review issues. Work through them one at a time, proposing concise fixes.
---
### Issue 1 of 3
packages/agent/src/utils/github-token.test.ts:15-25
**Prefer parameterised tests for the happy-path token-variable cases**
The two cases that exercise `GH_TOKEN` vs `GITHUB_TOKEN` precedence share the same structure and could be expressed as a single `it.each` table, keeping the distinct-behaviour tests (missing file, live-read, empty value) as individual `it` blocks. This also makes it easy to add new token variable names later without copy-paste.
### Issue 2 of 3
packages/agent/src/utils/github-token.test.ts:1-5
**`resolveGithubToken` — the public API — has no tests**
The test suite only exercises `readGithubTokenFromSandboxEnvFile` directly. `resolveGithubToken` adds an important second layer: it falls back to `readGithubTokenFromEnv()` (process env) when the sandbox file is absent. That fallback branch — the path taken in local/desktop environments — has no coverage, so a regression there (e.g. if the `??` chain were accidentally short-circuited) would go undetected.
### Issue 3 of 3
packages/agent/src/utils/github-token.ts:16
**Synchronous disk read on every tool invocation**
`readFileSync` blocks the Node.js event loop for the duration of the file read. Because `resolveGithubToken()` is called inside the async `signed-commit` handler (and similarly in `claude-agent` / `codex-agent`), every commit triggers a sync I/O operation. For a small `/tmp` file this is unlikely to be a problem in practice, but if token resolution is ever called from a hot path, consider switching to `fs.promises.readFile` and making the function async to stay non-blocking.
Reviews (1): Last reviewed commit: "feat(cloud-agent): sandbox gh token refr..."
joshsny approved these changes Jun 1, 2026
7fe3cb4 to 9b0e6bd
Problem
agent-server's process env is frozen at launch, so its in-process tools (e.g. the signed-commit tool) kept using the stale launch-time token after a rotation and nothing in the run log signalled that a refresh had happened.
Changes
a mid-session rotation without rebuilding the session (
signed-commit, claude/codex adapters)
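
The lookup order discussed in this PR (sandbox env file read live, then the frozen process env), as an added sketch that is not the PR's code. The function names come from the review comments; the bodies, the `file` parameter, the `KEY=value` file format and the `GH_TOKEN`-before-`GITHUB_TOKEN` precedence are assumptions.

```typescript
import * as fs from "node:fs";

type Env = Record<string, string | undefined>;

// Assumed precedence: GH_TOKEN before GITHUB_TOKEN (the order the gh CLI uses).
const TOKEN_VARS = ["GH_TOKEN", "GITHUB_TOKEN"];

function pickToken(env: Env): string | undefined {
  for (const name of TOKEN_VARS) {
    const value = env[name]?.trim();
    if (value) return value; // an empty value counts as "not set"
  }
  return undefined;
}

// Assumed file format: KEY=value lines, optional `export`, optional quotes.
function parseEnvFile(text: string): Env {
  const env: Env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim().replace(/^export\s+/, "");
    const eq = line.indexOf("=");
    if (line.startsWith("#") || eq <= 0) continue;
    const value = line.slice(eq + 1).trim();
    env[line.slice(0, eq).trim()] = value.replace(/^(['"])(.*)\1$/, "$2");
  }
  return env;
}

// Re-read on every call so a token rotated mid-session is picked up live.
function readGithubTokenFromSandboxEnvFile(file: string): string | undefined {
  try {
    return pickToken(parseEnvFile(fs.readFileSync(file, "utf8")));
  } catch (err) {
    // Missing file (local/desktop run) is not an error; anything else is.
    if ((err as { code?: string }).code === "ENOENT") return undefined;
    throw err;
  }
}

function readGithubTokenFromEnv(env: Env = process.env): string | undefined {
  return pickToken(env); // launch-time snapshot, may be stale after rotation
}

function resolveGithubToken(file: string, env: Env = process.env) {
  return readGithubTokenFromSandboxEnvFile(file) ?? readGithubTokenFromEnv(env);
}
```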