review: drip-182 batch 2 — BerriAI/litellm#26793, google-gemini/gemini-cli#26208+26207

- BerriAI/litellm#26793 feat(proxy): durable agent workflow run tracking (needs-discussion — sequence-number race + missing tenancy scoping + Prisma error leak)
- google-gemini/gemini-cli#26208 fix: suppress duplicate extension warnings (merge-after-nits)
- google-gemini/gemini-cli#26207 Add @ mention the gemini robot (request-changes — critique-semantics flip + comment-step if guard regression + PAT scope concern)

Author: Bojun-Vvibe

reviews/2026-W18/drip-182/BerriAI-litellm-pr-26793.md

@@ -0,0 +1,64 @@
+---
+pr: BerriAI/litellm#26793
+sha: 9d9efc1afba6fd1d6421f775a9a150524ad27a5c
+verdict: needs-discussion
+reviewed_at: 2026-04-29T18:31:00Z
+---
+
+# feat(proxy): durable agent workflow run tracking via /v1/workflows/runs
+
+## Context
+
+Adds three new Prisma models (`LiteLLM_WorkflowRun`,
+`LiteLLM_WorkflowEvent`, `LiteLLM_WorkflowMessage`) and 8 REST endpoints
+under `/v1/workflows/runs` in
+`litellm/proxy/management_endpoints/workflow_management_endpoints.py`.
+The motivating use case: long-running agents (the PR mentions
+"shin-builder") whose conversation state and step history were
+in-memory only, so a process restart wiped everything.
+
+## What's good
+
+- Generic schema design — `workflow_type`, `step_name`, and `data` are
+  caller-defined strings/JSON. No hardcoded stage names baked into
+  the proxy. The status auto-update map (`_EVENT_STATUS_MAP` at the top
+  of the file: `step.started→running`, `hook.waiting→paused`, etc.)
+  is small and overridable via `PATCH /v1/workflows/runs/{run_id}`.
+- The `session_id` bridge to `LiteLLM_SpendLogs.session_id` is a clean
+  reuse: existing `/ui/spend_logs/view_session_spend_logs?session_id=`
+  works for free. No new cost-tracking machinery needed.
+- Comma-separated status filter (`?status=running,paused`) handled
+  cleanly in `list_workflow_runs`: splits and emits `{"in": statuses}`
+  only when there's more than one. That's the correct Prisma idiom.
+
+## Concerns
+
+1. **Sequence number race.** `_get_next_sequence_number` does
+   `MAX(sequence_number) + 1` then the caller does an insert. Two
+   concurrent appenders racing on the same `run_id` will both compute
+   the same next value and one will conflict on the unique index (or
+   silently overwrite, depending on schema constraints not shown in
+   the diff). For an agent that may have multiple step emitters or
+   hook receivers, this is a real failure mode. Either:
+   (a) wrap the read+insert in a Prisma transaction with
+       `SERIALIZABLE` isolation, or
+   (b) use a Postgres sequence / `RETURNING sequence_number` with a
+       partitioned-by-run sequence.
+2. **No authorization scoping.** All endpoints depend on
+   `user_api_key_auth` but don't filter `where` by the calling key's
+   tenant/team. Any authenticated key can `GET /v1/workflows/runs/{any_id}`
+   and read another team's conversation. The conversation-message table
+   stores full content (the PR explicitly notes spend logs truncate at
+   `MAX_STRING_LENGTH_PROMPT_IN_DB` while this doesn't), so the blast
+   radius of a missing scope check is high.
+3. **`raise HTTPException(status_code=500, detail=str(e))`** leaks
+   raw Prisma error messages (table names, column names, sometimes
+   query fragments) to the caller. Standard advice: log with
+   `verbose_proxy_logger.exception(...)` (already done) and return
+   a generic 500 message.
+
+## Verdict
+
+`needs-discussion` — the data model and endpoint shape are good, but
+the concurrency model and tenancy scoping need to be settled before
+this goes live. The error-leak issue is a small follow-up.

reviews/2026-W18/drip-182/google-gemini-gemini-cli-pr-26207.md

@@ -0,0 +1,76 @@
+---
+pr: google-gemini/gemini-cli#26207
+sha: 16ff1e342a67de573d2301ebe22d27e9ed96daf5
+verdict: request-changes
+reviewed_at: 2026-04-29T18:31:00Z
+---
+
+# Add the ability to @ mention the gemini robot
+
+## Context
+
+Extends `.github/workflows/gemini-cli-bot-brain.yml` to fire on
+`issue_comment` events when a maintainer `@gemini-cli-robot` mentions
+the bot. The bot then loads `tools/gemini-cli-bot/brain/interactive.md`,
+runs in `ENABLE_PRS=true` mode, and is permitted to post comments and
+push to `bot/`-prefixed branches via the
+`GEMINI_CLI_ROBOT_GITHUB_PAT` secret.
+
+## What's good
+
+- The trigger guard at the job level is the right shape — uses
+  `contains(fromJSON('["COLLABORATOR", "MEMBER", "OWNER"]'), github.event.comment.author_association)`
+  to gate on association rather than username, which is harder to
+  spoof. The reasoning job is also `permissions: contents: read`,
+  so the LLM call itself can't push.
+- `concurrency.group` now includes `github.event.issue.number || …`
+  so two concurrent maintainer mentions on different issues don't
+  cancel each other.
+- The `<untrusted_context>...</untrusted_context>` wrapper around
+  the comment body and `gh issue view` output in `trigger_context.md`
+  is the correct prompt-injection mitigation idiom, and concatenating
+  it *before* the system prompt keeps untrusted text from clobbering
+  later instructions.
+- The push-time branch guard (`if [[ ! "$BRANCH_NAME" =~ ^bot/ ]]; then exit 1; fi`)
+  and the comment-time author guard (`PR_AUTHOR=$(gh pr view "$PR_NUM" --json author --jq '.author.login'); if [ "$PR_AUTHOR" != "gemini-cli-robot" ]; then exit 1; fi`)
+  are the right safety belt for the publish phase.
+
+## Concerns
+
+1. **Critique semantics inverted.** The previous code rejected on
+   `[REJECTED]` *or* non-zero exit, defaulted to approve. The new
+   code rejects on anything that isn't *explicitly* `[APPROVED]` and
+   also lacks `[REJECTED]`. That's a stronger gate (good), but the
+   comment "Critique failed, rejected, or did not explicitly approve
+   changes" hides the fact that this is now a fail-closed contract.
+   Maintainers who relied on the old "neutral = approve" semantics
+   for their own dispatched runs will see silent skips. Worth a
+   release note.
+2. **`Post PR/Issue Comment` step lost its `if:` guard.** Old code
+   had `if: "${{ github.event.inputs.enable_prs == 'true' }}"`. The
+   new step runs unconditionally — it's safe because the inner `if [ -s ... ]`
+   tests check for content, but on a scheduled run with no comment
+   artifact you now do extra work and the step shows green-with-noop
+   in the UI. Minor but a regression in clarity.
+3. **`gh issue view ... 2>/dev/null || gh pr view "$TRIGGER_ISSUE_NUMBER"`**
+   — if both fail (deleted issue, permissions hiccup), the script
+   keeps going with empty trigger context. The bot then operates
+   blind on whatever `interactive.md` says by default. Should
+   `set -e` or explicitly check `[ -s trigger_context.md ]` before
+   proceeding.
+4. **PAT scope.** `GEMINI_CLI_ROBOT_GITHUB_PAT` now ships into a
+   workflow that any maintainer comment can trigger. If a
+   compromised maintainer account exists, this is a remote command
+   execution into the bot's branch space. The `bot/` prefix limits
+   the blast radius but doesn't eliminate it. Consider narrowing
+   the PAT to `contents: write` on `refs/heads/bot/*` only via a
+   GitHub App installation token rather than a long-lived PAT.
+
+## Verdict
+
+`request-changes` — the security model is mostly sound, but the
+critique-result semantics flip needs an explicit comment in the
+diff, the comment-step `if:` guard should be restored, and the
+unconditional fall-through when both `gh issue view` and `gh pr view`
+fail needs to abort. The PAT-vs-App-token discussion is a separate
+follow-up but worth raising before this lands.

reviews/2026-W18/drip-182/google-gemini-gemini-cli-pr-26208.md

@@ -0,0 +1,62 @@
+---
+pr: google-gemini/gemini-cli#26208
+sha: baeccee504acbf3d57aac0836ce3d2720f83c107
+verdict: merge-after-nits
+reviewed_at: 2026-04-29T18:31:00Z
+---
+
+# fix: suppress duplicate extension warnings during startup
+
+## Context
+
+`gemini.tsx` calls `loadCliConfig` twice during startup — once for
+`partialConfig` (auth/sandbox bootstrap) and once for the full
+interactive session. Both calls were unconditionally instantiating
+`new ExtensionManager(...)` and calling `loadExtensions()`, which
+emits warnings (missing settings, MCP deprecations) through
+`coreEvents`. Result: every warning bubble showed twice. Fix in
+`packages/cli/src/config/config.ts` adds a `skipExtensions?: boolean`
+to `LoadCliConfigOptions` and the bootstrap call passes `true`.
+
+## What's good
+
+- Targeted, minimal change. Only the bootstrap call is opted out
+  (`packages/cli/src/gemini.tsx` line 410: `skipExtensions: true`),
+  and the second/interactive call still loads extensions normally.
+- The `SimpleExtensionLoader([])` fallback at config.ts line 681
+  (`const finalExtensionLoader = extensionManager ?? new SimpleExtensionLoader([])`)
+  preserves the type contract for downstream consumers
+  (`loadServerHierarchicalMemory`, the final `Config` object's
+  `extensionLoader` field). Good defensive choice — avoids forcing
+  every callsite to handle `undefined`.
+- Optional chaining on `extensionManager?.getExtensions()?.find(...)`
+  for `extensionPlanSettings` is correct: if extensions are skipped,
+  there are no plan settings to find.
+
+## Concerns / nits
+
+1. **`pr_body.md` checked in.** The diff includes a top-level
+   `pr_body.md` file that's just the PR description duplicated.
+   That's almost certainly an accident from a `gh pr create
+   --body-file pr_body.md` workflow. Should be removed before merge
+   (or `.gitignore`d).
+2. **`skipExtensions` semantics aren't tested in this diff.** The PR
+   description references a manual test file path
+   (`packages/cli/src/config/skipExtensions.test.ts`) but the diff
+   shown doesn't contain it. Either add the test or update the PR
+   body — saying "added/updated tests" is checked in the checklist
+   but the test isn't visible.
+3. **Subtle behavior change.** When `skipExtensions: true`,
+   `extensionPlanSettings` is `undefined`, so any setting that
+   *only* comes from an extension plan (e.g. plan-injected
+   `includeDirectories`) is silently absent during the bootstrap
+   pass. If anything in the auth/sandbox bootstrap actually consults
+   that, this becomes a regression. Worth a quick audit of what
+   `partialConfig` is used for between those two `loadCliConfig`
+   calls.
+
+## Verdict
+
+`merge-after-nits` — remove the stray `pr_body.md`, add or point to
+the actual test, and confirm bootstrap-phase consumers don't depend
+on extension plan settings.