Local source: coven-code/issues/02-scope-memory-by-github-app-installation.md
Summary
Hosted review memory must be keyed by GitHub App installation or tenant. Repository-level scoping alone is not enough because two customers can install the reviewer on repositories with the same owner/repo name in different GitHub Enterprise contexts, mirrors, or future multi-tenant deployments.
Current Evidence
team_memory_sync.rs has a repo: String field and sends it as ?repo=....
settings_sync.rs syncs user settings and memory against a user-centric endpoint.
- Account structs elsewhere include identity fields such as
organization_uuid, but memory loaders and sync paths do not use a tenant or installation identifier.
Problem
Without installation or tenant scoping, memory for one installation can become visible to another if server-side keys collide, configuration is reused, or a hosted worker shares local state. This is a cross-tenant data leak risk.
Proposed Design
Introduce a hosted memory scope structure:
pub struct HostedMemoryScope {
pub tenant_id: String,
pub installation_id: String,
pub repo_id: String,
pub repo_full_name: String,
}
Use this scope for:
- Memory directory resolution.
- Transcript directory resolution.
- Team memory sync keys.
- Audit logs.
- Memory provenance records.
The path should avoid raw user input where possible:
<memory-root>/tenants/<tenant-id>/installations/<installation-id>/repos/<repo-id>/
repo_full_name is useful metadata, but repo_id or installation plus repo database id should be the stable key.
Acceptance Criteria
- Hosted memory APIs require tenant and installation identifiers.
- Memory and transcript paths include tenant and installation identifiers.
- Tests prove two installations of the same repo name do not share memory.
- Tests prove two repos in the same installation do not share memory.
- Team memory sync uses installation/tenant scope in addition to repo.
- Existing local mode APIs remain available without tenant scope.
Security Notes
Do not infer tenant identity from repo name. Treat tenant/install identity as explicit context from the GitHub App control plane.
Local source:
coven-code/issues/02-scope-memory-by-github-app-installation.mdSummary
Hosted review memory must be keyed by GitHub App installation or tenant. Repository-level scoping alone is not enough because two customers can install the reviewer on repositories with the same owner/repo name in different GitHub Enterprise contexts, mirrors, or future multi-tenant deployments.
Current Evidence
team_memory_sync.rshas arepo: Stringfield and sends it as?repo=....settings_sync.rssyncs user settings and memory against a user-centric endpoint.organization_uuid, but memory loaders and sync paths do not use a tenant or installation identifier.Problem
Without installation or tenant scoping, memory for one installation can become visible to another if server-side keys collide, configuration is reused, or a hosted worker shares local state. This is a cross-tenant data leak risk.
Proposed Design
Introduce a hosted memory scope structure:
Use this scope for:
The path should avoid raw user input where possible:
repo_full_nameis useful metadata, butrepo_idor installation plus repo database id should be the stable key.Acceptance Criteria
Security Notes
Do not infer tenant identity from repo name. Treat tenant/install identity as explicit context from the GitHub App control plane.