Code review that actually runs the code. Merge pull requests that do what they say they do.

Fix OAuth session handling and add token refresh #142
Open orpheus[bot] wants to merge into main from orpheus/gentle-nocturne
orpheus[bot] requested changes 2 minutes ago

Issue found: TokenRefreshMiddleware silently swallows expired tokens instead of triggering a re-auth flow, because it catches jwt.ExpiredSignatureError and returns None without clearing the session cookie.

This PR should not be merged until the middleware propagates expiry to the session layer. The fix is straightforward: replace the bare return None with request.session.clear() followed by a redirect to /auth/login.

What happens

  • Expired token returns 200 with stale user data instead of redirecting to login
  • Valid token refresh works correctly for tokens within the refresh window
  • New login flow generates correct session cookie with expected claims
  • All 9 auth middleware tests pass

All checks passed
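
The failure mode in the review above, next to the suggested fix, as an added example (not Orpheus's code and not the code of the PR). The toy HMAC token, the local `ExpiredSignatureError` stand-in, `Request`, `view` and `handle` are assumptions made so the sketch runs offline; a middleware returning `None` is taken to mean "continue to the view".

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed key for the example

class ExpiredSignatureError(Exception):
    """Local stand-in for jwt.ExpiredSignatureError."""

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def make_token(sub, exp):
    # Toy HMAC-signed token (body.signature), a simplification of a JWT.
    body = _b64(json.dumps({"sub": sub, "exp": exp}).encode())
    return (body + b"." + _b64(hmac.new(SECRET, body, hashlib.sha256).digest())).decode()

def decode(token):
    body, sig = token.encode().split(b".")
    good = _b64(hmac.new(SECRET, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, good):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    if claims["exp"] <= time.time():
        raise ExpiredSignatureError("token expired")
    return claims

class Request:  # hypothetical minimal request object
    def __init__(self, token, session):
        self.token, self.session, self.user = token, session, None

def view(request):
    # Downstream handler: serves whatever identity the session still holds.
    return 200, {"user": request.session.get("user")}

def swallowing_middleware(request):
    try:
        request.user = decode(request.token)["sub"]
    except ExpiredSignatureError:
        return None  # flagged behaviour: expiry swallowed, session left intact
    return None      # None means "continue to the view"

def propagating_middleware(request):
    try:
        request.user = decode(request.token)["sub"]
    except ExpiredSignatureError:
        request.session.clear()                  # drop the stale identity
        return 302, {"Location": "/auth/login"}  # force re-authentication
    return None

def handle(middleware, request):
    early = middleware(request)
    return early if early is not None else view(request)
```

A test that only checks the middleware's return value passes for both versions on a valid token; the difference shows up only when an expired token is sent with a populated session and the response status and session contents are both inspected.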

The problem.

Your job as a software engineer is to deliver code that works. Agents have gotten remarkably good at writing plausible-looking code. And since current PR review agents are not capable of running the code that they review, they can't tell whether code works or just looks like it does.

Two barriers to proving code works.

Infra

Agents don't have the permissions and tools required to check their work.

Intent

Even when agents can verify, they don't. They write and run irrelevant tests, skip the happy path, and tell themselves things work.

Our solution.

Orpheus helps set up your testing agents' environment so they can actually run the code they review. And we use defence in depth to get your verification agents not to lie to themselves, or to you.

Your attention is all you need.

Agent-written code can be overwhelming. Orpheus takes care of demonstrating that it works, so that you can focus on what's important.