chore(dev): cloud reviews local testing E2E

[alex-alecu]

Summary

• Add a local fake-provider review webhook harness for GitHub and GitLab that exercises Next.js, code-review infra, cloud-agent-next, sandbox bootstrap, and fake-LLM prompt capture without real repositories.
• Track canonical webhook fixture JSON files and add a seed command that refreshes fixture integrations, agent config, and replay payloads.
• Document the full local workflow, callback secret handling, fake repository behavior, and replay commands in dev/AGENTS.md.

Verification

• Ran the local fake-provider GitHub and GitLab webhook replay flow with fake-LLM prompt capture enabled.
• Confirmed both fixture reviews completed locally with no review error message after callback delivery.

Visual Changes

N/A

Reviewer Notes

• The fake-provider path is opt-in through CODE_REVIEW_LOCAL_FAKE_PROVIDER=1; production provider behavior is unchanged.
• dev/review/fixtures/*.json is intentionally tracked despite the broader dev fixture ignore rule.

[kilo-code-bot]

WARNING: Local fake mode still reaches GitHub on synchronize

useLocalFakeProvider is only consulted after shouldSkipSynchronizeForMergeCommit() runs. On pull_request.synchronize, that helper still calls isMergeCommit(), which generates an installation token and hits git.getCommit. This breaks the CODE_REVIEW_LOCAL_FAKE_PROVIDER=1 contract of avoiding real provider access, so replaying captured synchronize payloads can still fail against the seeded fake integration.

---

Reply with @kilocode-bot fix it to have Kilo Code address this issue.

[kilo-code-bot]

WARNING: Local fake mode still reaches GitLab on update paths

useLocalFakeProvider is only computed after the earlier update-path provider calls. merge_request.update still runs getValidGitLabToken() and isMergeCommit(), and the cancelled-review cleanup above can still call getOrCreateProjectAccessToken() plus setCommitStatus() before this guard is checked. That means the fake-provider workflow can still require a real GitLab token and instance even though this mode is documented as avoiding provider API access.

---

Reply with @kilocode-bot fix it to have Kilo Code address this issue.

[kilo-code-bot]

Code Review Summary

Status: 2 Issues Found | Recommendation: Address before merge

Fix these issues in Kilo Cloud

Overview

Severity	Count
CRITICAL	0
WARNING	2
SUGGESTION	0

Issue Details (click to expand)

WARNING

File	Line	Issue
apps/web/src/lib/integrations/platforms/github/webhook-handlers/pull-request-handler.ts	159	Local fake-provider mode still performs GitHub API reads on pull_request.synchronize before the guard is applied.
apps/web/src/lib/integrations/platforms/gitlab/webhook-handlers/merge-request-handler.ts	325	Local fake-provider mode still performs GitLab token/status work on merge_request.update paths before the guard is applied.

Files Reviewed (20 files)

• .gitignore - 0 issues
• apps/web/src/app/api/webhooks/github/route.ts - 0 issues
• apps/web/src/lib/code-reviews/local-dev.ts - 0 issues
• apps/web/src/lib/code-reviews/triggers/prepare-review-payload.ts - 0 issues
• apps/web/src/lib/integrations/platforms/github/webhook-handlers/installation-handler.ts - 0 issues
• apps/web/src/lib/integrations/platforms/github/webhook-handlers/pull-request-handler.ts - 1 issue
• apps/web/src/lib/integrations/platforms/gitlab/webhook-handlers/merge-request-handler.ts - 1 issue
• dev/AGENTS.md - 0 issues
• dev/local/cli.ts - 0 issues
• dev/local/services.ts - 0 issues
• dev/review/fixtures/github-pull-request-opened.json - 0 issues
• dev/review/fixtures/gitlab-merge-request-open.json - 0 issues
• dev/review/test-review-webhook.sh - 0 issues
• dev/seed/review/webhook-fixtures.ts - 0 issues
• services/cloud-agent-next/.dev.vars.example - 0 issues
• services/cloud-agent-next/src/agent-sandbox/cloudflare/cloudflare-agent-sandbox.ts - 0 issues
• services/cloud-agent-next/src/persistence/types.ts - 0 issues
• services/cloud-agent-next/src/session-service.ts - 0 issues
• services/cloud-agent-next/src/types.ts - 0 issues
• services/cloud-agent-next/test/e2e/fake-llm-server.ts - 0 issues

---

_{Reviewed by gpt-5.4-20260305 · Input: 192.9K · Output: 20.2K · Cached: 2.7M}

_{Review guidance: REVIEW.md from base branch main}