fix(gastown): propagate KILOCODE_TOKEN refresh to running containers

[jrf0110]

Summary

Fixes KILOCODE_TOKEN not being refreshed on running containers (#1472). Closes 4 propagation gaps where token updates were not reaching the container, plus adds proactive alarm-based refresh:

1. syncConfigToContainer() — Added KILOCODE_TOKEN to the env mapping so config updates propagate to the container via setEnvVar.
2. LIVE_ENV_KEYS — Added KILOCODE_TOKEN so model hot-swaps read the current process.env value instead of the stale startup snapshot.
3. CONFIG_ENV_MAP — Added kilocode_token → KILOCODE_TOKEN mapping in the model update handler so process.env stays current before SDK server restart.
4. refreshContainerToken mutation — Now also remints KILOCODE_TOKEN via mintKilocodeToken and pushes it via updateTownConfig + syncConfigToContainer, so the "Refresh Token" button actually resolves 401s.
5. Alarm loop — Added refreshKilocodeTokenIfExpiring() that checks daily and proactively remints when within 7 days of the 30-day expiry, using decoded JWT payload claims to reconstruct user identity.

Verification

• Code review: all additions follow existing patterns (CONFIG_ENV_MAP, LIVE_ENV_KEYS, syncConfigToContainer env mapping)
• Verified imports resolve to existing exports (generateKiloApiToken, resolveSecret, mintKilocodeToken, userFromCtx)
• Verified function signatures match call sites
• No build artifacts or generated files in diff
• JWT decoding uses Zod validation at IO boundary per project conventions

Visual Changes

N/A

Reviewer Notes

• The refreshKilocodeTokenIfExpiring method decodes the JWT payload without signature verification — this is intentional since the DO is reading its own stored token to extract claims for re-signing. The Zod schema validates the parsed payload shape.
• The throttle (lastKilocodeTokenCheckAt) resets on DO restart, which is fine — worst case is an extra check on first alarm after restart.
• All 4 propagation fixes are simple 1-line additions to existing arrays/sets; the alarm-based refresh is the only substantial new code (~70 lines).

[kilo-code-bot]

Code Review Summary

Status: 2 Issues Found | Recommendation: Address before merge

Overview

Severity	Count
CRITICAL	0
WARNING	2
SUGGESTION	0

Issue Details (click to expand)

WARNING

File	Line	Issue
cloudflare-gastown/src/dos/Town.do.ts	3380	Proactive token remint only updates stored container env, so the running SDK server keeps the expired KILOCODE_TOKEN until restart/model swap.
cloudflare-gastown/src/trpc/router.ts	1025	Manual refresh re-mints kilocode_token as the current caller instead of the town credential owner, which can overwrite owner-scoped org credentials.

Fix these issues in Kilo Cloud

Other Observations (not in diff)

N/A

Files Reviewed (4 files)

• cloudflare-gastown/src/dos/Town.do.ts - 1 issue
• cloudflare-gastown/src/trpc/router.ts - 1 issue
• cloudflare-gastown/container/src/control-server.ts - 0 issues
• cloudflare-gastown/container/src/process-manager.ts - 0 issues

---

_{Reviewed by gpt-5.4-20260305 · 1,634,757 tokens}