@posthog/agent 2.3.647 → 2.3.656

package/src/server/agent-server.test.ts

@@ -900,10 +900,8 @@ describe("AgentServer HTTP Mode", () => {
       expect(prompt).toContain(
         "gh pr checkout https://github.com/org/repo/pull/1",
       );
-      expect(prompt).toContain(
-        "Stage and commit all changes with a clear commit message",
-      );
-      expect(prompt).toContain("Push to the existing PR branch");
+      expect(prompt).toContain("git_signed_commit");
+      expect(prompt).toContain("Committing (signed commits required)");
       expect(prompt).not.toContain("Create a draft pull request");
       // Review-comment thread handling: reply + resolve
       expect(prompt).toContain("review thread");

package/src/server/agent-server.ts

@@ -25,6 +25,7 @@ import {
   type AgentErrorClassification,
   classifyAgentError,
 } from "../adapters/error-classification";
+import { SIGNED_COMMIT_QUALIFIED_TOOL_NAME } from "../adapters/signed-commit-shared";
 import type { PermissionMode } from "../execution-mode";
 import { DEFAULT_CODEX_MODEL } from "../gateway-models";
 import { HandoffCheckpointTracker } from "../handoff-checkpoint";
@@ -47,7 +48,11 @@ import type {
 } from "../types";
 import { resourceLink } from "../utils/acp-content";
 import { AsyncMutex } from "../utils/async-mutex";
-import { type GatewayProduct, getLlmGatewayUrl } from "../utils/gateway";
+import {
+  buildGatewayPropertyHeaders,
+  getLlmGatewayUrl,
+  resolveGatewayProduct,
+} from "../utils/gateway";
 import { Logger } from "../utils/logger";
 import { logAgentshRuntimeInfo } from "./agentsh-runtime";
 import {
@@ -844,7 +849,13 @@ export class AgentServer {
       }),
     ]);
 
-    this.configureEnvironment({ isInternal: preTask?.internal === true });
+    this.configureEnvironment({
+      isInternal: preTask?.internal === true,
+      originProduct: preTask?.origin_product,
+      taskId: payload.task_id,
+      taskRunId: payload.run_id,
+      taskUserId: payload.user_id,
+    });
 
     const prUrl = getTaskRunStateString(preTaskRun, "slack_notified_pr_url");
 
@@ -949,6 +960,7 @@ export class AgentServer {
       _meta: {
         sessionId: payload.run_id,
         taskRunId: payload.run_id,
+        taskId: payload.task_id,
         systemPrompt: sessionSystemPrompt,
         ...(this.config.model && { model: this.config.model }),
         allowedDomains: this.config.allowedDomains,
@@ -1599,24 +1611,21 @@ export class AgentServer {
   private buildCloudSystemPrompt(prUrl?: string | null): string {
     const taskId = this.config.taskId;
     const shouldAutoCreatePr = this.shouldAutoPublishCloudChanges();
-    const attributionInstructions = `
-## Attribution
-Do NOT use Claude Code's default attribution (no "Co-Authored-By" trailers, no "Generated with [Claude Code]" lines).
+    const signedCommitInstructions = `
+## Committing (signed commits required)
+Commits MUST be signed. \`git commit\` and \`git push\` are blocked in this environment.
+To commit: stage your changes with \`git add\`, then call the \`git_signed_commit\` tool (full
+name \`${SIGNED_COMMIT_QUALIFIED_TOOL_NAME}\`) with a \`message\` (and optional \`body\`/\`paths\`).
+It creates a GitHub-signed ("Verified") commit on the branch and keeps your local checkout in
+sync. To start a new branch, pass \`branch\` (prefixed with \`posthog-code/\`) — the tool creates
+it on the remote for you.
 
-If you create a commit, add the following trailers to the commit message (after a blank line at the end):
+## Attribution
+Do NOT add "Co-Authored-By" trailers or "Generated with [Claude Code]" lines to your
+commit messages. The \`git_signed_commit\` tool automatically appends the only trailers
+we want:
   Generated-By: PostHog Code
-  Task-Id: ${taskId}
-
-Example:
-\`\`\`
-git commit -m "$(cat <<'EOF'
-fix: resolve login redirect loop
-
-Generated-By: PostHog Code
-Task-Id: ${taskId}
-EOF
-)"
-\`\`\``;
+  Task-Id: ${taskId}`;
 
     if (prUrl) {
       if (!shouldAutoCreatePr) {
@@ -1630,7 +1639,7 @@ Do the requested work, but stop with local changes ready for review.
 Important:
 - Do NOT create new commits, push to the branch, or update the pull request unless the user explicitly asks.
 - Do NOT create a new branch or a new pull request.
-${attributionInstructions}
+${signedCommitInstructions}
 `;
       }
 
@@ -1641,9 +1650,8 @@ This task already has an open pull request: ${prUrl}
 
 After completing the requested changes:
 1. Check out the existing PR branch with \`gh pr checkout ${prUrl}\`
-2. Stage and commit all changes with a clear commit message
-3. Push to the existing PR branch
-4. For every PR review comment or review thread you addressed, treat the thread as done only after BOTH of these:
+2. Stage your changes with \`git add\`, then call the \`git_signed_commit\` tool with a clear \`message\` (do NOT use \`git commit\`/\`git push\` — they are blocked). This commits to the existing PR branch.
+3. For every PR review comment or review thread you addressed, treat the thread as done only after BOTH of these:
    - Reply on the thread with a short note describing what changed (reference the commit SHA when useful) using \`gh api -X POST /repos/{owner}/{repo}/pulls/{n}/comments/{id}/replies -f body='...'\`.
    - Resolve the thread via the \`resolveReviewThread\` GraphQL mutation: \`gh api graphql -f query='mutation($id:ID!){resolveReviewThread(input:{threadId:$id}){thread{isResolved}}}' -f id="<thread-node-id>"\`.
    List unresolved threads first with \`gh api graphql -f query='{repository(owner:"<owner>",name:"<repo>"){pullRequest(number:<n>){reviewThreads(first:100){nodes{id isResolved comments(first:1){nodes{body}}}}}}}'\` so you can resolve each one you fixed.
@@ -1651,7 +1659,7 @@ After completing the requested changes:
 Important:
 - Do NOT create a new branch or a new pull request.
 - Do NOT push fixes for review comments without replying to and resolving each related thread.
-${attributionInstructions}
+${signedCommitInstructions}
 `;
     }
 
@@ -1666,7 +1674,7 @@ When the user asks for code changes:
 When the user explicitly asks to clone or work in a GitHub repository:
 - Clone the repository into /tmp/workspace/repos/<owner>/<repo> using \`gh repo clone <owner>/<repo> /tmp/workspace/repos/<owner>/<repo>\`
 - Work from inside that cloned repository for follow-up code changes
-- If the user explicitly asks you to open or update a pull request, create a branch, commit the requested changes, push it, and open a draft pull request from inside the clone. Before opening the PR, check the cloned repo for a PR template at \`.github/pull_request_template.md\` (or variants; fall back to the org's \`.github\` repo via \`gh api\`) and use it as the body structure, and search for matching open issues with \`gh issue list --search\` to include \`Closes #<n>\` / \`Refs #<n>\` links.
+- If the user explicitly asks you to open or update a pull request, create a branch, stage your changes with \`git add\` and commit them with the \`git_signed_commit\` tool (do NOT use \`git commit\`/\`git push\` — they are blocked), and open a draft pull request from inside the clone. Before opening the PR, check the cloned repo for a PR template at \`.github/pull_request_template.md\` (or variants; fall back to the org's \`.github\` repo via \`gh api\`) and use it as the body structure, and search for matching open issues with \`gh issue list --search\` to include \`Closes #<n>\` / \`Refs #<n>\` links.
 - Do NOT create branches, commits, push changes, or open pull requests unless the user explicitly asks for that`;
 
       return `
@@ -1686,7 +1694,7 @@ ${publishInstructions}
 
 Important:
 - Prefer using MCP tools to answer questions with real data over giving generic advice.
-${attributionInstructions}
+${signedCommitInstructions}
 `;
     }
 
@@ -1698,7 +1706,7 @@ Do the requested work, but stop with local changes ready for review.
 
 Important:
 - Do NOT create a branch, commit, push, or open a pull request unless the user explicitly asks.
-${attributionInstructions}
+${signedCommitInstructions}
 `;
     }
 
@@ -1706,14 +1714,13 @@ ${attributionInstructions}
 # Cloud Task Execution
 
 After completing the requested changes:
-1. Create a new branch prefixed with \`posthog-code/\` (e.g. \`posthog-code/fix-login-redirect\`) based on the work done
-2. Stage and commit all changes with a clear commit message
-3. Push the branch to origin
-4. Before opening the PR, prepare the body:
+1. Pick a new branch name prefixed with \`posthog-code/\` (e.g. \`posthog-code/fix-login-redirect\`)
+2. Stage your changes with \`git add\`, then call the \`git_signed_commit\` tool with \`branch\` set to that name and a clear \`message\` (do NOT use \`git commit\`/\`git push\` — they are blocked). The tool creates the branch on the remote and a signed commit on it.
+3. Before opening the PR, prepare the body:
    - Check the repo for a PR template at \`.github/pull_request_template.md\` (also try \`.github/PULL_REQUEST_TEMPLATE.md\`, \`docs/pull_request_template.md\`, and root variants). If one exists, use its exact section headings as the PR body — do NOT fall back to a generic Summary/Test plan format.
    - If no repo-level template exists, check the org's \`.github\` repo via \`gh api /repos/<owner>/.github/contents/.github/pull_request_template.md\` (and other common paths) and use that as a fallback.
    - Search for matching open issues with \`gh issue list --state open --search '<keywords>'\` (derive keywords from the branch name, commits, and changed files; \`gh issue view <n>\` to confirm relevance). For every issue this PR would resolve, include a \`Closes #<n>\` line in the body so GitHub auto-links and auto-closes it on merge. For issues that are related but not fully resolved, use \`Refs #<n>\` instead.
-5. Create a draft pull request using \`gh pr create --draft${this.config.baseBranch ? ` --base ${this.config.baseBranch}` : ""}\` with a descriptive title and the body prepared above. Add the following footer at the end of the PR description:
+4. Create a draft pull request using \`gh pr create --draft${this.config.baseBranch ? ` --base ${this.config.baseBranch}` : ""}\` with a descriptive title and the body prepared above. Add the following footer at the end of the PR description:
 \`\`\`
 ---
 *Created with [PostHog Code](https://posthog.com/code?ref=pr)*
@@ -1721,7 +1728,7 @@ After completing the requested changes:
 
 Important:
 - Always create the PR as a draft. Do not ask for confirmation.
-${attributionInstructions}
+${signedCommitInstructions}
 `;
   }
 
@@ -1804,18 +1811,35 @@ ${attributionInstructions}
 
   private configureEnvironment({
     isInternal = false,
+    originProduct,
+    taskId,
+    taskRunId,
+    taskUserId,
   }: {
     isInternal?: boolean;
+    originProduct?: string | null;
+    taskId?: string | null;
+    taskRunId?: string | null;
+    taskUserId?: number | null;
   } = {}): void {
     const { apiKey, apiUrl, projectId } = this.config;
-    const product: GatewayProduct = isInternal
-      ? "background_agents"
-      : "posthog_code";
+    const product = resolveGatewayProduct({ isInternal, originProduct });
     const gatewayUrl =
       process.env.LLM_GATEWAY_URL || getLlmGatewayUrl(apiUrl, product);
     const openaiBaseUrl = gatewayUrl.endsWith("/v1")
       ? gatewayUrl
       : `${gatewayUrl}/v1`;
+    // Forward task metadata as `x-posthog-property-*` headers so the gateway
+    // lifts them onto the $ai_generation event. Routes through the Anthropic
+    // SDK's ANTHROPIC_CUSTOM_HEADERS env var; the OpenAI/codex path has no
+    // equivalent today.
+    const customHeaders = buildGatewayPropertyHeaders({
+      task_origin_product: originProduct,
+      task_internal: isInternal,
+      task_id: taskId,
+      task_run_id: taskRunId,
+      task_user_id: taskUserId,
+    });
 
     Object.assign(process.env, {
       // PostHog
@@ -1828,6 +1852,7 @@ ${attributionInstructions}
       ANTHROPIC_API_KEY: apiKey,
       ANTHROPIC_AUTH_TOKEN: apiKey,
       ANTHROPIC_BASE_URL: gatewayUrl,
+      ANTHROPIC_CUSTOM_HEADERS: customHeaders,
       // OpenAI (for models like GPT-4, o1, etc.)
       OPENAI_API_KEY: apiKey,
       OPENAI_BASE_URL: openaiBaseUrl,

package/src/types.ts

@@ -37,7 +37,8 @@ export interface Task {
     | "eval_clusters"
     | "user_created"
     | "support_queue"
-    | "session_summaries";
+    | "session_summaries"
+    | "signal_report";
   github_integration?: number | null;
   repository: string; // Format: "organization/repository" (e.g., "posthog/posthog-js")
   json_schema?: Record<string, unknown> | null; // JSON schema for task output validation

package/src/utils/common.ts

@@ -1,3 +1,4 @@
+import { readGithubTokenFromEnv } from "@posthog/git/signed-commit";
 import type { Logger } from "./logger";
 
 /**
@@ -25,6 +26,19 @@ export const IS_ROOT =
 
 export const ALLOW_BYPASS = !IS_ROOT || !!process.env.IS_SANDBOX;
 
+/**
+ * A cloud sandbox run, as opposed to a local desktop session. Cloud sandboxes
+ * always set IS_SANDBOX and carry a taskRunId; desktop sessions have neither.
+ */
+export function isCloudRun(meta: { taskRunId?: string } | undefined): boolean {
+  return !!process.env.IS_SANDBOX || !!meta?.taskRunId;
+}
+
+/** The GitHub token available to the sandbox, if any. */
+export function resolveGithubToken(): string | undefined {
+  return readGithubTokenFromEnv();
+}
+
 export function unreachable(value: never, logger: Logger): void {
   let valueAsString: string;
   try {

package/src/utils/gateway.test.ts

@@ -0,0 +1,70 @@
+import { describe, expect, it } from "vitest";
+import { buildGatewayPropertyHeaders, resolveGatewayProduct } from "./gateway";
+
+describe("resolveGatewayProduct", () => {
+  it.each([
+    { isInternal: false, originProduct: undefined, expected: "posthog_code" },
+    {
+      isInternal: undefined,
+      originProduct: undefined,
+      expected: "posthog_code",
+    },
+    {
+      isInternal: false,
+      originProduct: "signal_report",
+      expected: "posthog_code",
+    },
+    {
+      isInternal: true,
+      originProduct: undefined,
+      expected: "background_agents",
+    },
+    {
+      isInternal: true,
+      originProduct: "session_summaries",
+      expected: "background_agents",
+    },
+    { isInternal: true, originProduct: "signal_report", expected: "signals" },
+  ] as const)(
+    "isInternal=$isInternal originProduct=$originProduct -> $expected",
+    ({ isInternal, originProduct, expected }) => {
+      expect(resolveGatewayProduct({ isInternal, originProduct })).toBe(
+        expected,
+      );
+    },
+  );
+});
+
+describe("buildGatewayPropertyHeaders", () => {
+  it("renders each property as an x-posthog-property header line", () => {
+    expect(
+      buildGatewayPropertyHeaders({
+        task_origin_product: "signal_report",
+        task_internal: true,
+      }),
+    ).toBe(
+      "x-posthog-property-task_origin_product: signal_report\nx-posthog-property-task_internal: true",
+    );
+  });
+
+  it("drops null and undefined values but keeps falsy primitives", () => {
+    expect(
+      buildGatewayPropertyHeaders({
+        task_origin_product: null,
+        task_internal: false,
+        task_count: 0,
+      }),
+    ).toBe(
+      "x-posthog-property-task_internal: false\nx-posthog-property-task_count: 0",
+    );
+  });
+
+  it("returns an empty string when no usable properties remain", () => {
+    expect(
+      buildGatewayPropertyHeaders({
+        task_origin_product: null,
+        task_internal: undefined,
+      }),
+    ).toBe("");
+  });
+});

package/src/utils/gateway.ts

@@ -1,4 +1,34 @@
-export type GatewayProduct = "posthog_code" | "background_agents";
+export type GatewayProduct = "posthog_code" | "background_agents" | "signals";
+
+export function resolveGatewayProduct({
+  isInternal,
+  originProduct,
+}: {
+  isInternal?: boolean;
+  originProduct?: string | null;
+} = {}): GatewayProduct {
+  if (isInternal) {
+    return originProduct === "signal_report" ? "signals" : "background_agents";
+  }
+  return "posthog_code";
+}
+
+/**
+ * Build `x-posthog-property-<name>: <value>` header lines that the LLM
+ * gateway lifts onto the `$ai_generation` event it captures for each call
+ * (see `services/llm-gateway/src/llm_gateway/request_context.py`).
+ *
+ * Returns a newline-joined string ready for `ANTHROPIC_CUSTOM_HEADERS`.
+ * `null`/`undefined` property values are dropped.
+ */
+export function buildGatewayPropertyHeaders(
+  properties: Record<string, string | number | boolean | null | undefined>,
+): string {
+  return Object.entries(properties)
+    .filter(([, value]) => value !== null && value !== undefined)
+    .map(([key, value]) => `x-posthog-property-${key}: ${value}`)
+    .join("\n");
+}
 
 function getGatewayBaseUrl(posthogHost: string): string {
   const url = new URL(posthogHost);