
fix(auth): add web session pepper revocation#2788

Merged
RSO merged 7 commits intomainfrom
RSO/encouraging-archaeology
Apr 24, 2026

Conversation


@RSO RSO commented Apr 24, 2026

Summary

  • Adds a nullable web_session_pepper to user records so browser sessions can be invalidated independently from API tokens.
  • Stores and validates the web-session pepper in NextAuth JWT sessions, with logout flows rotating only web sessions.
  • Preserves reset-token-and-sign-out behavior by rotating both API-token and web-session peppers during user/admin API token resets.

Verification

  • Signed in on two different browsers
  • Signed out
  • Verified other browser was signed out as well

Reviewer Notes

  • Deploy the additive migration before routing traffic to code that reads web_session_pepper.
  • Existing browser sessions remain valid until the user's web_session_pepper is first rotated because legacy missing pepper values normalize to null.
  • Normal web logout does not revoke CLI/device/API tokens; API token reset still signs out web sessions everywhere.
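The revocation rules the summary describes (web logout rotates only the web pepper, an API token reset rotates both, and a legacy missing pepper normalizes to null), as an added TypeScript sketch; this is not code from this PR or the Kilo repository, and the claim and function names are assumptions.

```typescript
// Added illustration of the dual-pepper scheme the summary describes; hypothetical names,
// not code from the Kilo repository. Each pepper is a random per-user value stored on the
// user row and copied into the credential at issue time; a credential is accepted only
// while the pepper it carries still equals the stored one, so rotating a pepper revokes
// every credential that snapshotted the old value.
import { randomBytes } from "node:crypto";

type Pepper = string | null;

interface UserRecord {
  id: string;
  api_token_pepper: Pepper;
  web_session_pepper: Pepper; // nullable: rows from before the migration have no value
}
interface WebSessionClaims { sub: string; webSessionPepper?: Pepper }
interface ApiTokenClaims { sub: string; apiTokenPepper?: Pepper }

const newPepper = (): Pepper => randomBytes(16).toString("hex");
// A session minted before the column existed carries no pepper claim at all; treating a
// missing claim as null keeps it valid until the user's web pepper is first rotated.
const normalize = (p: Pepper | undefined): Pepper => p ?? null;

// Snapshot the current peppers into freshly issued credentials.
export function issueWebSession(u: UserRecord): WebSessionClaims {
  return { sub: u.id, webSessionPepper: u.web_session_pepper };
}
export function issueApiToken(u: UserRecord): ApiTokenClaims {
  return { sub: u.id, apiTokenPepper: u.api_token_pepper };
}

// Validation compares the carried pepper with the stored one, beyond signature and expiry.
export function isWebSessionValid(c: WebSessionClaims, u: UserRecord): boolean {
  return c.sub === u.id && normalize(c.webSessionPepper) === normalize(u.web_session_pepper);
}
export function isApiTokenValid(c: ApiTokenClaims, u: UserRecord): boolean {
  return c.sub === u.id && normalize(c.apiTokenPepper) === normalize(u.api_token_pepper);
}

// Normal web logout rotates only the web pepper: CLI/device/API tokens keep working.
export function signOutBrowserSessions(u: UserRecord): UserRecord {
  return { ...u, web_session_pepper: newPepper() };
}
// API token reset rotates both peppers, so browser sessions are signed out everywhere too.
export function resetApiToken(u: UserRecord): UserRecord {
  return { ...u, api_token_pepper: newPepper(), web_session_pepper: newPepper() };
}
```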


kilo-code-bot Bot commented Apr 24, 2026

Code Review Summary

Status: 4 Issues Found | Recommendation: Address before merge

Overview

Severity   Count
CRITICAL   0
WARNING    4
SUGGESTION 0

Issue Details

WARNING

File: packages/db/src/migrations/0105_married_harry_osborn.sql (line 3)
Issue: Full-table UPDATE backfill rewrites all kilocode_users rows in one migration statement.

Resolved previously reported issue:

  • apps/web/src/lib/user.ts now rotates peppers during soft delete, so the legacy-session revocation bug no longer reproduces.


Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

File: apps/web/src/lib/ai-gateway/context-overflow.ts (line 89)
Issue: The estimate-based context-overflow rewrite now only runs for HTTP 500 responses, so oversized requests returned as generic 400/413-style upstream failures will stop surfacing as context_length_exceeded.

File: apps/web/src/components/profile/IntegrationsCard.tsx (line 123)
Issue: The profile UI no longer exposes SignOutBrowserSessionsDialog, leaving the self-service browser-session revocation mutation unreachable.

File: apps/web/src/routers/admin-router.ts (line 481)
Issue: resetToMagicLinkLogin removes auth providers without rotating web_session_pepper, so existing browser sessions stay authenticated until expiry.

Files Reviewed (17 files)
  • apps/web/src/lib/ai-gateway/context-overflow.ts - 1 issue outside diff
  • apps/web/src/lib/ai-gateway/llm-proxy-helpers.ts - 0 issues
  • apps/web/src/lib/ai-gateway/api-request-log-errors.ts - 0 issues
  • apps/web/src/lib/ai-gateway/handleRequestLogging.ts - 0 issues
  • apps/web/src/lib/ai-gateway/processUsage.ts - 0 issues
  • apps/web/src/lib/ai-gateway/processUsage.types.ts - 0 issues
  • apps/web/src/lib/ai-gateway/providers/index.ts - 0 issues
  • apps/web/src/lib/ai-gateway/providers/direct-byok/index.ts - 0 issues
  • apps/web/src/lib/ai-gateway/processUsage.responses.ts - 0 issues
  • apps/web/src/lib/ai-gateway/processUsage.messages.ts - 0 issues
  • packages/db/src/migrations/0104_chubby_plazm.sql - 0 issues
  • packages/db/src/migrations/0105_married_harry_osborn.sql - 1 issue
  • packages/db/src/migrations/meta/0104_snapshot.json - 0 issues
  • packages/db/src/migrations/meta/0105_snapshot.json - 0 issues
  • packages/db/src/migrations/meta/_journal.json - 0 issues
  • packages/db/src/schema.ts - 0 issues
  • packages/db/src/schema-types.ts - 0 issues

Reviewed by gpt-5.4-20260305 · 1,724,588 tokens

@@ -0,0 +1,3 @@
ALTER TABLE "kilocode_users" ADD COLUMN "web_session_pepper" text;
--> statement-breakpoint
UPDATE "kilocode_users" SET "web_session_pepper" = "api_token_pepper";
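Review bot: the unconditional UPDATE on line 3 leaves no NULL web_session_pepper rows after the backfill, yet the PR description says existing browser sessions stay valid because legacy missing pepper values normalize to null; confirm that sessions issued before this migration (which carry no web pepper claim) still validate against a now-populated column, otherwise every signed-in user is logged out on deploy. A `WHERE "web_session_pepper" IS NULL` guard would also make the statement idempotent and avoid overwriting a row already written by the new code, and batching the backfill, as the earlier comment suggests, would keep it from holding a long lock on kilocode_users.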

WARNING: Full-table backfill runs in one migration statement

This UPDATE rewrites every row in kilocode_users in a single deploy-time migration step. On a populated users table that can become a long-running backfill and hold locks for a while, so this is safer to batch or run out-of-band instead of doing it as one transaction-scoped migration statement.

@RSO RSO enabled auto-merge (squash) April 24, 2026 12:10
@RSO RSO merged commit a339bca into main Apr 24, 2026
36 checks passed
@RSO RSO deleted the RSO/encouraging-archaeology branch April 24, 2026 12:11