Skip to content

Scope hosted memory by GitHub App installation or tenant #98

Description

@romgenie

Local source: coven-code/issues/02-scope-memory-by-github-app-installation.md

Summary

Hosted review memory must be keyed by GitHub App installation or tenant. Repository-level scoping alone is not enough because two customers can install the reviewer on repositories with the same owner/repo name in different GitHub Enterprise contexts, mirrors, or future multi-tenant deployments.

Current Evidence

  • team_memory_sync.rs has a repo: String field and sends it as ?repo=....
  • settings_sync.rs syncs user settings and memory against a user-centric endpoint.
  • Account structs elsewhere include identity fields such as organization_uuid, but memory loaders and sync paths do not use a tenant or installation identifier.

Problem

Without installation or tenant scoping, memory for one installation can become visible to another if server-side keys collide, configuration is reused, or a hosted worker shares local state. This is a cross-tenant data leak risk.

Proposed Design

Introduce a hosted memory scope structure:

pub struct HostedMemoryScope {
    pub tenant_id: String,
    pub installation_id: String,
    pub repo_id: String,
    pub repo_full_name: String,
}

Use this scope for:

  • Memory directory resolution.
  • Transcript directory resolution.
  • Team memory sync keys.
  • Audit logs.
  • Memory provenance records.

The path should avoid raw user input where possible:

<memory-root>/tenants/<tenant-id>/installations/<installation-id>/repos/<repo-id>/

repo_full_name is useful metadata, but repo_id or installation plus repo database id should be the stable key.

Acceptance Criteria

  • Hosted memory APIs require tenant and installation identifiers.
  • Memory and transcript paths include tenant and installation identifiers.
  • Tests prove two installations of the same repo name do not share memory.
  • Tests prove two repos in the same installation do not share memory.
  • Team memory sync uses installation/tenant scope in addition to repo.
  • Existing local mode APIs remain available without tenant scope.

Security Notes

Do not infer tenant identity from repo name. Treat tenant/install identity as explicit context from the GitHub App control plane.

Metadata

Metadata

Assignees

Labels

hosted-modeHosted review mode (GitHub App reviewer) worksecuritySecurity-sensitive issue or work

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions