
feat: Add strict guardrails for Cloud Code Reviewer to prevent it from pushing code#649

Merged
alex-alecu merged 15 commits into main from fix/code-review-read-only-guardrails
Mar 2, 2026

Conversation


@alex-alecu alex-alecu commented Feb 27, 2026

Code Review Read-Only Guardrails

The Cloud Code Reviewer currently runs with the same permissions as a regular cloud agent session. That means the LLM can git push, npm install, merge PRs, or run test suites — none of which it should be doing during a review.

This PR locks down code-review sessions to read-only. It works by detecting createdOnPlatform: 'code-review' and applying a strict command policy before the Kilo CLI session starts.

What changed

Command policy for code-review sessions — When a session is created with createdOnPlatform === 'code-review', the Kilo config now gets a restricted autoApproval block:

  • File writes are disabled and protected paths are enforced.
  • Only read-oriented commands are in the allow-list (ls, cat, grep, git, gh, find, etc.).
  • Mutating commands are explicitly denied: git commit, git push, git merge, gh pr merge, npm install, pytest, and ~20 more patterns.

This is applied in three places to cover all session-creation paths:

  • cloud-agent/src/workspace.ts — the legacy cloud-agent path. The previously inlined allow/deny lists are refactored into a getCommandPolicy() function that returns either the default policy or the read-only one.
  • cloud-agent-next/src/session-service.ts — the cloud-agent-next path. Same idea, new getCommandGuardPolicy() function that builds the restricted config block.
  • cloudflare-code-review-infra/src/code-review-orchestrator.ts — the orchestrator now passes createdOnPlatform: 'code-review' when calling prepareSession, and logs a warning whenever the agent requests execution of a command matching the risky patterns (for observability, not blocking — the blocking happens in the CLI config).

createdOnPlatform threaded through session state — The cloud-agent session service now persists createdOnPlatform in metadata so the policy can be re-applied on warm starts and session resumption.
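A minimal model of the policy selection and command check described above, added here as an example (not the PR's own code). The config shape, the function names and the exact pattern list are assumptions; the deny list also includes the git rm / git clean / git branch -D subcommands the review bot flagged below.

```typescript
// Added example: models the read-only command policy for code-review sessions.
// Shapes and names are illustrative assumptions, not the Kilo autoApproval schema.

export interface CommandPolicy {
  allowWrites: boolean;        // false => file writes disabled, protected paths enforced
  allowedCommands: string[];   // first token of the command line must be listed (empty = any)
  deniedPatterns: RegExp[];    // anchored at the start of the normalised command line
}

// Read-oriented allow-list plus explicit denials for mutating subcommands.
const READ_ONLY_POLICY: CommandPolicy = {
  allowWrites: false,
  allowedCommands: ['ls', 'cat', 'grep', 'git', 'gh', 'find'],
  deniedPatterns: [
    /^git (commit|push|merge|rm|clean)\b/,  // includes the bot's git rm / git clean gap
    /^git branch -[dD]\b/,                   // destructive branch deletion
    /^gh pr merge\b/,
    /^npm (install|i|ci)\b/,
    /^pytest\b/,
  ],
};

// Regular cloud-agent sessions keep the unrestricted default.
const DEFAULT_POLICY: CommandPolicy = { allowWrites: true, allowedCommands: [], deniedPatterns: [] };

// Policy is chosen from the platform the session was created on.
export function getCommandPolicy(createdOnPlatform?: string): CommandPolicy {
  return createdOnPlatform === 'code-review' ? READ_ONLY_POLICY : DEFAULT_POLICY;
}

// Deny wins over allow: a command passes only if no deny pattern matches AND,
// when an allow-list is present, its first token is on that list.
export function isCommandAllowed(cmd: string, policy: CommandPolicy): boolean {
  const line = cmd.trim().replace(/\s+/g, ' ');  // collapse whitespace before matching
  if (policy.deniedPatterns.some((re) => re.test(line))) return false;
  if (policy.allowedCommands.length === 0) return true;
  return policy.allowedCommands.includes(line.split(' ')[0]);
}
```

A prefix pattern list is a best-effort layer; disabling file writes is the control that actually bounds what a review session can change, so treat the deny patterns as defence in depth rather than the primary guard.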

@alex-alecu alex-alecu self-assigned this Feb 27, 2026

kilo-code-bot bot commented Feb 27, 2026

Code Review Summary

Status: 2 Issues Found | Recommendation: Address before merge

Overview

Severity    Count
CRITICAL    0
WARNING     0
SUGGESTION  2

Issue Details

SUGGESTION

File                                      Line  Issue
cloud-agent/src/workspace.ts              110   Missing git rm, git clean, git branch -D from denied command patterns — these destructive git subcommands bypass write protection since they execute as shell commands
cloud-agent-next/src/session-service.ts   92    Same gap — git rm, git clean, git branch -D not in denied patterns
Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

File                                      Line     Issue
cloud-agent-next/src/session-service.ts   863-877  The initiate method's saveSessionMetadata call does not include createdOnPlatform in the data object. This means if a session is created via initiate (not prepareSession → initiateFromKiloSession), createdOnPlatform won't be persisted to the Durable Object. On resume, the command guard policy won't be re-applied. This is inconsistent with cloud-agent/src/session-service.ts which does persist it (line 727). In practice, code-review sessions go through the prepare flow so this may not be triggered today, but it's a latent bug if initiate is ever called directly with createdOnPlatform.
Files Reviewed (8 files)
  • cloud-agent-next/src/session-service.ts - 1 inline + 1 observation
  • cloud-agent-next/src/session-service.test.ts - 0 issues
  • cloud-agent/src/workspace.ts - 1 inline
  • cloud-agent/src/workspace.test.ts - 0 issues
  • cloud-agent/src/session-service.ts - 0 issues
  • cloud-agent/src/session-service.test.ts - 0 issues
  • cloud-agent/src/persistence/types.ts - 0 issues
  • cloudflare-code-review-infra/src/code-review-orchestrator.ts - 0 issues


@RSO RSO left a comment


I'm not sure if I'm the right person to decide on whether this is a good idea or not 🤔. Did you test this locally?

@alex-alecu alex-alecu merged commit d0ee096 into main Mar 2, 2026
12 checks passed
@alex-alecu alex-alecu deleted the fix/code-review-read-only-guardrails branch March 2, 2026 12:21