From 90f298ce6d3fa5f16d84e2e884f7aeb00462221e Mon Sep 17 00:00:00 2001
From: Will <wrftaylor@gmail.com>
Date: Tue, 26 May 2026 10:49:03 +0100
Subject: [PATCH] ENG-26: accept `sesn_` session-id prefix in webhook regex
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The webhook session-id extractor in app/api/github-webhook/route.ts
only matched `sthr_`-prefixed ids, but the current `@anthropic-ai/sdk`
returns session ids with the `sesn_` prefix. So `extractSessionId`
returned null for every marker the agent has actually been writing,
and every `AGENT_REVIEW: APPROVED`, `REQUEST_CHANGES`, and post-merge
webhook fell back to creating a fresh session instead of resuming the
originating one.

Fix: regex now accepts either prefix:
  (?:sthr_|sesn_)[A-Za-z0-9]+

Backward-compatible — any old `sthr_`-prefixed marker still matches.

Also updated the convention doc and the MEMORY.md hook to reflect
that both prefixes are accepted (with `sesn_` called out as the
current shape).

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
---
 .claude/memory/MEMORY.md                           | 3 ++-
 .claude/memory/conventions/pr-session-id-marker.md | 6 +++++-
 app/api/github-webhook/route.ts                    | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md
index 17e87ea..1f8b851 100644
--- a/.claude/memory/MEMORY.md
+++ b/.claude/memory/MEMORY.md
@@ -7,11 +7,12 @@ Keep this file under 200 lines — anything longer is content bloat, not memory.
 - [learnings/sentry-mcp-no-comment-tool](learnings/2026-05-26-sentry-mcp-no-comment-tool.md) — Sentry MCP can't comment on issues; back-link from Linear only
 - [learnings/vercel-blocks-unknown-author-email](learnings/2026-05-26-vercel-blocks-unknown-author-email.md) — Vercel preview deploys block when commit author email has no GitHub account; use the noreply alias
 - [learnings/sandbox-cant-clone-private-repo](learnings/2026-05-26-sandbox-cant-clone-private-repo.md) — Don't `git clone` from sandbox bash; the `github_repository` resource is auth'd, raw `git clone` is not
+- [learnings/github-mcp-strips-html-comments](learnings/2026-05-26-github-mcp-strips-html-comments.md) — `update_pull_request` silently strips `<!-- ... -->` from PR bodies; session-id marker can't be set by agent (ENG-25)
 
 ## Decisions
 - [decisions/mcp-for-small-writes-checkout-for-big](decisions/2026-05-26-mcp-for-small-writes-checkout-for-big.md) — Single-file writes go through GitHub MCP; multi-file or test-needing changes use the mounted checkout + `git push`
 - [decisions/two-agent-builder-reviewer](decisions/2026-05-25-two-agent-builder-reviewer.md) — Separate agents for build vs. review so the reviewer reads diffs cold
 
 ## Conventions
-- [conventions/pr-session-id-marker](conventions/pr-session-id-marker.md) — PR body MUST end with `<!-- session-id: sthr_... -->` so webhooks can resume
+- [conventions/pr-session-id-marker](conventions/pr-session-id-marker.md) — PR body MUST end with `<!-- session-id: sesn_... -->` (or legacy `sthr_...`) so webhooks can resume
 - [conventions/agent-review-marker](conventions/agent-review-marker.md) — Reviewer's verdict goes on the first line as `AGENT_REVIEW: APPROVED|REQUEST_CHANGES|ESCALATE — <rationale>`
diff --git a/.claude/memory/conventions/pr-session-id-marker.md b/.claude/memory/conventions/pr-session-id-marker.md
index 8b41f69..b6afcef 100644
--- a/.claude/memory/conventions/pr-session-id-marker.md
+++ b/.claude/memory/conventions/pr-session-id-marker.md
@@ -4,7 +4,7 @@ Every PR opened by the manager MUST end with this HTML comment as the
 **last line** of the PR body:
 
 ```
-<!-- session-id: sthr_xxxxxxxxxxxxxxxx -->
+<!-- session-id: sesn_xxxxxxxxxxxxxxxx -->
 ```
 
 The `/api/github-webhook` route extracts this marker when a webhook
@@ -18,3 +18,7 @@ Functional but wasteful.
 
 The kickoff `user.message` includes the actual session id. Substitute
 it verbatim; don't paraphrase or omit.
+
+The regex in `app/api/github-webhook/route.ts` accepts either
+`sesn_` (current SDK prefix) or `sthr_` (legacy) — both are valid.
+Use whatever the kickoff hands you.
diff --git a/app/api/github-webhook/route.ts b/app/api/github-webhook/route.ts
index 6f8aa98..7814c9e 100644
--- a/app/api/github-webhook/route.ts
+++ b/app/api/github-webhook/route.ts
@@ -17,7 +17,7 @@ function verifySignature(rawBody: string, sigHeader: string | null, secret: stri
 
 function extractSessionId(text: string | undefined | null): string | null {
   if (!text) return null;
-  const m = text.match(/<!--\s*session-id:\s*(sthr_[A-Za-z0-9]+)\s*-->/);
+  const m = text.match(/<!--\s*session-id:\s*((?:sthr_|sesn_)[A-Za-z0-9]+)\s*-->/);
   return m?.[1] ?? null;
 }