fix(vscode): route worktree permission approvals correctly

[marius-kilocode]

Agent Manager worktree sessions can request permission before their in-memory session mapping is registered. Replies then fall back to the workspace root instead of the worktree backend that owns the request, leaving background agents blocked even after Run is clicked.

Preserve the authoritative SSE directory before session filtering and use it for manual and runtime auto-approve replies. This keeps root worktree sessions and child subagents routed to the backend instance that created the permission request.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Overview

The fix correctly resolves the race condition where a permission.asked SSE event arrives before the corresponding worktree session mapping is registered. By moving the permissionDirectories.set/delete calls from handleEvent (post-filter) into the filter predicate itself, the directory is recorded unconditionally — ensuring manual and auto-approve replies are routed to the correct backend instance regardless of session registration timing.

The approach is sound:

• Recording in the filter (rather than the handler) is intentional and necessary — the session won't be in trackedSessionIds yet when the event arrives, so the handler would never be reached
• permission.replied cleanup in the filter is also correct and safe — Map.delete on a missing key is a no-op
• prunePermissionDirectories (called from fetchAndSendPendingPermissions) provides bounded cleanup for any entries that accumulate from untracked or pre-registration events
• toggle-auto-approve similarly uses directory ?? resolve(sessionID) — the SSE-provided directory takes precedence over the session-based fallback

One observation (not a blocker): the filter function now carries side effects (state mutation), which is an unusual contract for a predicate. This is the right trade-off here, but worth a comment noting that the mutation is intentional and must precede the return value — the existing comment already covers this well.

Test coverage is solid: new tests in both auto-approve.test.ts and permission-recovery.test.ts directly exercise the pre-registration scenario and the SSE-directory-over-session-fallback behavior. Changeset is present and user-facing.

Files Reviewed (5 files)

• .changeset/route-worktree-permissions.md
• packages/kilo-vscode/src/KiloProvider.ts
• packages/kilo-vscode/src/commands/toggle-auto-approve.ts
• packages/kilo-vscode/tests/unit/auto-approve.test.ts
• packages/kilo-vscode/tests/unit/permission-recovery.test.ts

Fix these issues in Kilo Cloud

---

_{Reviewed by claude-4.6-sonnet-20260217 · 1,125,380 tokens}

_{Review guidance: REVIEW.md from base branch main}