Auto-start review sessions for opted-in repos

[dhilgaertner]

Summary

• Adds a per-workspace Auto-Review Repos CSV field (next to Always Include Repos) in the Workspace editor.
• When IssueTracker detects a new review request whose repo slug matches any workspace's autoReviewRepos (case-insensitive), AppDelegate automatically kicks off SessionService.createReviewSession(prURL:) — the same path as the manual Start Review button.
• Dedups via the existing ReviewRequest.reviewSessionID cross-reference, so app restarts don't create duplicate sessions. Normal review-request notifications still fire.

Test plan

• make build — clean build
• swift test --package-path Packages/CrowCore — 114 tests pass, including new workspaceAutoReviewReposRoundTrip and workspaceAutoReviewReposDefaultsEmptyWhenKeyMissing
• Open Settings → Workspaces → edit a workspace, set Auto-Review Repos to org/repo, save
• Trigger a review request on that repo; within ~60s verify a review session auto-appears in the sidebar and is selected
• Restart the app with the review still open — confirm no second session is created (dedup)
• Clear the repo from the setting — confirm new review requests only notify, don't auto-create

Closes #193

🤖 Generated with Claude Code

[dgershman]

Code & Security Review

Critical Issues

None.

Security Review

Strengths:

• Case-insensitive repo matching (lowercased()) prevents bypass via casing differences.
• Dedup via reviewSessionID cross-reference prevents duplicate sessions on app restart.
• No user-controlled input reaches shell commands — createReviewSession uses the existing trusted request.url and the PR URL is parsed/validated before use.
• The onNewReviewRequests callback runs on the @MainActor (both IssueTracker and AppDelegate are @MainActor-isolated), so accessing appConfig is thread-safe.

Concerns:

• None identified.

Code Quality

Model layer (AppConfig.swift) — Clean addition. Custom init(from:) with decodeIfPresent + ?? [] handles backward compatibility with existing config files gracefully. The explicit CodingKeys enum is the right approach since the default synthesized Codable won't use decodeIfPresent.

Tests (AppConfigTests.swift) — Good coverage: round-trip encoding/decoding and the legacy-config-missing-key case. The legacy test also validates that alwaysInclude defaults correctly, which is a nice bonus.

UI (WorkspaceFormView.swift) — Straightforward mirror of the existing alwaysInclude CSV field. Parsing logic (split → trim → filter empty) is consistent with the existing pattern. Frame bump from 300→400 height accommodates the new field.

Auto-start logic (AppDelegate.swift) — The enabledRepos list is recomputed inside the loop on each call rather than cached outside, but since onNewReviewRequests only fires with genuinely new requests (delta detection in IssueTracker), the batch size is always small so this is fine.

Minor observation (non-blocking): If two new review requests for the same auto-review repo arrive in a single polling cycle (e.g., two PRs opened simultaneously), both would pass the reviewSessionID == nil guard and spawn separate createReviewSession tasks. This is an extremely unlikely edge case and each session would still be valid — just noting it for awareness. Not worth adding complexity to handle.

Summary Table

Priority	Issue
🟢	Consider caching enabledRepos outside the loop if the workspace list grows large (not needed now)
🟢	Theoretical double-session if two PRs from same repo arrive in one poll cycle (extremely unlikely)

Recommendation: Approve — clean, well-tested feature addition with correct backward compatibility handling and no security concerns.