feat(cloud-agent): expand Kilo facade session API

[eshurakov]

Summary

• Expand the public Kilo SDK facade with root-scoped session status, exact-message reads, slash commands, and question, permission, and suggestion interactions while preserving Cloud Agent ownership, admission, and lifecycle semantics.
• Make session listing repository-aware and expose durable bootstrap session/message state until authoritative Kilo data is available, including unbounded transcript reads.
• Keep public session metadata current through an authenticated Session Ingest WebSocket feed, with bounded reconnect, reconciliation, and stale-update suppression.
• Architecturally, split the per-user facade into an explicit dispatcher and focused route handlers, add shared Session Ingest contracts/materialization paths, and add a concurrent repository lookup index with immutable normalized repository identity.

Verification

• Manually verified locally via kilocode/hexagonal-cartoon.
• Add any additional manual verification details.

Visual Changes

N/A

Reviewer Notes

• Focus review on cross-service authorization and ownership boundaries, immutable repository identity during creation/ingest races, and live-versus-persisted metadata convergence.
• The generated migration adds a partial concurrent index for mapped Cloud Agent root sessions.
• Session creation and blocking prompt APIs remain intentionally unsupported; lifecycle-affecting mutations continue through Cloud Agent durable coordination.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

Incremental review (new commit d359572a) covers substantial new surface area — getCloudAgentRootSessionMessage, listCloudAgentRootSessionsByGitUrl, WebSocket metadata feed (FacadeMetadataFeed/FacadeMetadataProjector), repository identity enforcement in createSessionForCloudAgent, and the SessionIngestRPC entrypoint refactor — with no new issues found.

Previously Flagged Issues — All Resolved

File	Issue	Status
services/cloud-agent-next/src/kilo-facade/user-kilo-facade.ts	WARNING: catch {} fell through to partial reconciliation on listCloudAgentRootSessions failure	✅ Fixed — retries once with delay, returns null on second failure
services/cloud-agent-next/src/kilo-facade/user-kilo-facade.ts	SUGGESTION: Redundant boolean short-circuit in .map() producing (string | false)[]	✅ Fixed — replaced with .flatMap()

Files Reviewed (incremental diff)

• services/cloud-agent-next/src/kilo-facade/user-kilo-facade.ts — metadata feed, reconciliation retry logic intact
• services/cloud-agent-next/src/kilo-facade/metadata-feed.ts — WebSocket lifecycle, timer cleanup correct, no leaks
• services/cloud-agent-next/src/kilo-facade/metadata-projector.ts — refresh timer cleanup in stop() correct
• services/cloud-agent-next/src/kilo-facade/handlers/session-list/handler.ts — gitUrl validation correct
• services/cloud-agent-next/src/kilo-facade/handlers/session-message/handler.ts — getCloudAgentRootSessionMessage integration correct
• services/session-ingest/src/session-ingest-rpc.ts — identity conflict guard, double-normalization design correct; TOCTOU race handled atomically via setWhere
• services/session-ingest/src/internal-user-events-entrypoint.ts — path routing in fetch() override correct
• services/session-ingest/src/internal-user-events.ts — auth enforced via timing-safe secret comparison
• services/session-ingest/src/dos/kilo-sdk-materialization.ts — readKiloSdkMessage bounds, race, and identity checks correct
• services/session-ingest/src/queue-consumer.ts — preserveCloudAgentRootGitUrl + applyMetadataChanges git URL guard correct
• packages/session-ingest-contracts/src/rpc-contract.ts — safeRepositoryUrlSchema, new schemas well-formed
• packages/worker-utils/src/normalize-git-url.ts — normalization logic correct
• packages/db/src/migrations/0163_busy_edwin_jarvis.sql — CREATE INDEX CONCURRENTLY with partial predicate, correctly wrapped in COMMIT/BEGIN
• Test files — comprehensive coverage of identity conflict, race, bounds, and WebSocket paths

---

_{Reviewed by claude-4.6-sonnet-20260217 · 2,597,793 tokens}

_{Review guidance: REVIEW.md from base branch main}