Extract workflow runner to ../relayflows; split cloud + relayfile concerns #1000
Workflows have moved to ../relayflows. This change removes the workflow runner, types, YAML definitions, examples, docs, and broker-side workflow tests from this repo.

Existing imports keep working through compat shims:
- packages/sdk/src/workflows/index.ts now re-exports from @relayflows/core
- @agent-relay/workflow-types becomes a thin re-export of @relayflows/core/schema
- @agent-relay/sdk gains a @relayflows/core dependency
- @agent-relay/sdk gets ./provisioner and ./provisioner/mount subpath exports so relayflows can consume them without reaching into internals
- CLI's resolveTemplatesDir now reads from @relayflows/core's package

github-primitive and slack-primitive workflow-step adapters stay in this repo; they continue importing @agent-relay/workflow-types (which is now a shim that re-exports from @relayflows/core).

Note: @relayflows/core is not yet published. Local development needs npm link against ../relayflows/packages/core, or a publish, before typecheck/install will resolve.
Three changes that move workflow-aware code out of @agent-relay/sdk and into @relayflows/core:

1. Extract general permission + CLI primitives into a new `packages/sdk/src/permissions.ts` module. Previously these types (AgentCli, AgentPermissions, AgentPreset, AccessPreset, FilePermissions, NetworkPermission, PermissionProfileDefinition, CompiledAgentPermissions, PermissionSource) lived in `workflows/types.ts`, even though the provisioner, cli-resolver, and cli-registry needed them. They are not workflow-specific — they describe agent identity and access. Exposed via `@agent-relay/sdk/permissions` and re-exported from the barrel.
2. Move `provisionWorkflowAgents` (and its WorkflowProvisionConfig, ProvisionResult, AgentProvisionMap types) out of the SDK provisioner. It composes SDK primitives (compileAgentScopes, mintAgentToken, seedWorkspace, ensureRelayfileMount, audit) into the workflow-shaped orchestration that the runner needs — it belongs in relayflows. The SDK keeps the generic primitives.
3. Move workflow-flavored SDK tests (yaml-validation, swarm-coordinator, resume-fallback, idle-nudge, file-db, e2e-owner-review, completion-pipeline, start-from, builder-deterministic, error-scenarios, provisioner/audit) into @relayflows/core. They test workflow behavior; the SDK has no workflow surface.

Subpath exports cleanup:
- Add `./permissions` subpath
- Drop the `./provisioner` (barrel) and `./provisioner/mount` subpaths I added earlier as workarounds; relayflows now consumes these primitives from the main `@agent-relay/sdk` entrypoint (`./provisioner/seeder`, `./provisioner/local-jwks`, and `./provisioner/token` stay because CLI commands use them directly).
Removes all paths that pulled @relayflows/core (or @agent-relay/workflow-types as a transitive proxy) into relay:
- Delete @agent-relay/workflow-types package (the compat shim)
- Delete @agent-relay/sdk's ./workflows subpath export and the packages/sdk/src/workflows/ shim directory
- Drop @relayflows/core from @agent-relay/sdk dependencies
- Delete workflow-step.ts adapters in github/slack/browser primitives (moved to @relayflows/core/integrations/*)
- Drop @agent-relay/workflow-types from primitive package.jsons
- Strip createGitHubStep/createSlackStep from SDK barrel and drop the corresponding re-exports
- Remove `relay run` (workflow runner) and `relay workflows` (templates) CLI commands — replaced by `relayflows run`
- Delete setup.test.ts (covered the deleted CLI surface)
- Drop browser-primitive's MCP `browser.step.execute` / `browser_step_execute` tools (step execution is workflow-side)
- Strip path mappings for workflow-types and workflow-step files from SDK tsconfigs
- Drop workflow-types build from root typecheck script
- Update docs to reference @relayflows/core for workflow APIs

Dependency direction is now one-way: relayflows -> @agent-relay/sdk (no arrow back)
Creates a new public workspace package, @agent-relay/cloud-sdk, that
owns the cross-product identity + provisioning concerns previously
embedded in @agent-relay/sdk:
- Permission types + scope compiler (AgentPermissions, AgentCli,
compileAgentScopes, resolveAgentPermissions, ...)
- JWT minting + local JWKS key management (mintAgentToken,
LocalJwksSigningKey, createLocalJwksKeyPair, importPrivateKeyPem)
- Relayfile workspace + ACL seeding (seedWorkspace, seedWorkflowAcls,
createWorkspaceIfNeeded — RelayFileClient wrappers)
- Relayfile-mount management (ensureRelayfileMount + MountHandle)
- Permission audit log (PermissionAuditLog,
getDefaultPermissionAuditPath)
These never belonged in the broker SDK — they're shared across the
agent-relay product family (relayfile, relayauth, relaycast,
relayflows) and any tool that mints scoped tokens or provisions
relayfile workspaces against an Agent Relay account.
After this move:
@agent-relay/sdk — broker, PTY, protocol, AgentRelay client
@agent-relay/cloud-sdk — cross-product identity + provisioning
@agent-relay/sdk depends on @agent-relay/cloud-sdk only for the
AgentCli type (used by cli-resolver and cli-registry).
Consumers updated:
- relay CLI's `on provision` / `on start` (subpath imports redirected)
- removed obsolete @agent-relay/sdk/{provisioner,permissions}
subpath exports and the corresponding workspace path mappings
- typecheck script builds cloud-sdk between cloud and SDK
provisioner-mount.test.ts (which actually tests provisionWorkflowAgents,
not the SDK) moves into relayflows.
…→ @relayfile/sdk

Consolidates the cross-product identity, permission, and provisioning layer into the existing @agent-relay/cloud package, and pushes the relayfile-server primitives (seeder, mount) into @relayfile/sdk where they belong (open PR: AgentWorkforce/relayfile#208).

Net effect: @agent-relay/cloud-sdk goes away, the package graph collapses to:

@agent-relay/sdk ── broker, PTY, protocol (uses AgentCli from cloud)
@agent-relay/cloud ── auth, identity, permissions, tokens, JWKS, compiler, audit, workspaces, ssh, proactive
@relayfile/sdk ── relayfile client + workspace seeding + mount (pending @relayfile/sdk@0.8.0 release)

Moves into @agent-relay/cloud:
- permissions.ts (AgentPermissions, AgentCli, AccessPreset, ...)
- compiler.ts (compileAgentScopes, resolveAgentPermissions, ...)
- token.ts (mintAgentToken, DEFAULT_ADMIN_SCOPES)
- local-jwks.ts (createLocalJwksKeyPair, importPrivateKeyPem)
- audit.ts (PermissionAuditLog, getDefaultPermissionAuditPath)
- provisioning-types.ts (ProvisionSummary, CompileInput, CompiledAgentScopes)

Updates:
- cloud/index.ts re-exports all of the above
- cloud/package.json adds ./permissions, ./token, ./local-jwks, ./compiler, ./audit subpath exports
- SDK's cli-resolver/cli-registry import AgentCli from @agent-relay/cloud
- CLI on/provision + on/start + start.test.ts import from @agent-relay/cloud
- workspace path mappings in tsconfigs drop cloud-sdk
- root typecheck script drops cloud-sdk build step

Drop unused convenience types `SeedAclOptions`, `SeedWorkspaceOptions`, and `AgentAclSummary` (no consumer ever used them). The seeder.ts + mount.ts files and their tests are removed from this repo entirely; they'll come back via @relayfile/sdk@0.8.0 once relayfile#208 merges.
- packages/cli/src/cli/commands/on/start.ts:24 was importing seedWorkspace from @agent-relay/cloud, but seedWorkspace was removed from cloud (it lives in @relayfile/sdk/workspace-seeder now). The CLI already has a local seedWorkspace in ./workspace.js with the same signature; reuse it.
- packages/cloud/src/index.ts didn't re-export createLocalJwks, exportPrivateKeyPem, RELAYAUTH_JWKS_URL_ENV, LocalJwks, or LocalJwksKeyPair from local-jwks.js. relay's CLI 'on start' command needs them.
- packages/sdk/package.json prebuild script still referenced the deleted packages/workflow-types directory. Removed.

Workspace-wide typecheck is green.
Review skipped: too many files. This PR contains 248 files, which is 98 over the limit of 150.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4ec5e7be20
| @@ -1,615 +0,0 @@ | |||
| import type { RunnerStepExecutor, WorkflowStep } from '@agent-relay/workflow-types'; | |||
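Review bot: The `@@ -1,615 +0,0 @@` header removes the whole 615-line module, and nothing in the hunk tells a consumer of `RunnerStepExecutor`-based steps where the adapter went. Add a changelog or migration note for this package that names the new import location (the commit message gives `@relayflows/core/integrations/*`), so the removal is documented next to the package it affects.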
Remove broken github workflow-step subpath export
Deleting this module without updating packages/github-primitive/package.json leaves exports['./workflow-step'] pointing at dist/workflow-step.js, which will no longer be built or published. Any consumer importing @agent-relay/github-primitive/workflow-step will now fail at runtime with module resolution errors instead of a cleanly removed API surface.
| @@ -1,469 +0,0 @@ | |||
| import type { RunnerStepExecutor, WorkflowStep } from '@agent-relay/workflow-types'; | |||
Remove broken slack workflow-step subpath export
This file is removed, but packages/slack-primitive/package.json still exports ./workflow-step, so published package metadata now references a non-existent build artifact. In addition, existing tests in packages/slack-primitive/src/__tests__ still import ../workflow-step.js, so slack-primitive test runs will fail once dependencies are available.
| @@ -1,602 +0,0 @@ | |||
| import type { RunnerStepExecutor, WorkflowStep } from '@agent-relay/sdk/workflows'; | |||
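Review bot: The import on the first line comes from `@agent-relay/sdk/workflows`, while the github and slack adapters import the same two types from `@agent-relay/workflow-types`. Since this PR also deletes the SDK's `./workflows` subpath, check that no other file in browser-primitive still imports from `@agent-relay/sdk/workflows`; a leftover import would stop resolving once the subpath is gone.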
Remove broken browser workflow-step subpath export
Removing this module without removing the corresponding ./workflow-step entry from packages/browser-primitive/package.json leaves the package exporting a path that no longer exists in dist. Consumers that import @agent-relay/browser-primitive/workflow-step will hit runtime import failures.
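The failure mode the Codex comments above describe (an `exports` entry such as `./workflow-step` that still points at a `dist` file the build no longer produces) can be caught before publish with a check like the following. This is an added example, not code from this PR or repository; the function names, the `example-primitive` package and its fixture files are hypothetical and constructed for the demonstration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Walk an "exports" value (string, array of fallbacks, or subpath/conditions object)
// and yield [subpath, target] pairs.
function* exportTargets(value, subpath = '.') {
  if (typeof value === 'string') {
    yield [subpath, value];
  } else if (Array.isArray(value)) {
    for (const item of value) yield* exportTargets(item, subpath);
  } else if (value && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      // Keys starting with "." are subpaths; anything else is a condition (import, types, ...).
      yield* exportTargets(child, key.startsWith('.') ? key : subpath);
    }
  }
  // null marks a deliberately blocked subpath: nothing to check.
}

// Return the exports entries of the package in pkgDir whose target file is missing.
function findDanglingExports(pkgDir) {
  const pkg = JSON.parse(fs.readFileSync(path.join(pkgDir, 'package.json'), 'utf8'));
  const dangling = [];
  for (const [subpath, target] of exportTargets(pkg.exports ?? {})) {
    if (target.includes('*')) continue; // pattern exports need glob expansion; not covered here
    if (!fs.existsSync(path.join(pkgDir, target))) dangling.push({ subpath, target });
  }
  return dangling;
}

// Constructed fixture: a package whose build output no longer contains workflow-step.js.
function buildFixture() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'exports-check-'));
  fs.mkdirSync(path.join(dir, 'dist'));
  fs.writeFileSync(path.join(dir, 'dist', 'index.js'), '');
  fs.writeFileSync(path.join(dir, 'dist', 'index.d.ts'), '');
  fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({
    name: 'example-primitive', // hypothetical package name
    exports: {
      '.': { types: './dist/index.d.ts', import: './dist/index.js' },
      './workflow-step': { types: './dist/workflow-step.d.ts', import: './dist/workflow-step.js' },
      './internal/*': null,
    },
  }));
  return dir;
}

console.log(findDanglingExports(buildFixture()));
```

Run after the build step and fail CI when the returned list is non-empty, so a deleted module cannot leave a published subpath that resolves to nothing.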
- Remove broken `./workflow-step` exports from browser/github/slack-primitive package.json (modules were deleted). Drop matching tests + doc snippets.
- Convert cloud-sdk's node:test files (compiler/token/token-factory) to vitest so they actually run under the cloud package's `npm test`.
- Fix start.test.ts mock of @agent-relay/cloud — preserve real exports so imports for createLocalJwksKeyPair still resolve.
- Drop bootstrap.test.ts entries for the workflow runner commands (`run`, `workflows`) that no longer exist.
- Delete obsolete CI workflows (workflow-reliability, workflow-validation, relay-cleanroom-hardening) and the cleanroom shell script — they all invoked removed code paths.
- Strip workflow-types from publish.yml, vitest.config alias list, and the SDK's removed run-script.test.ts pipeline.
Pushed cc1d182 addressing CI failures and Codex review: CI fixes
Codex P1 findings (all addressed)
Local
`reference-workflows.mdx` and `cli-workflows.mdx` were deleted with the workflow runner, but the docs nav still listed their slugs in `getAllDocSlugs()`. Next.js called `generateStaticParams()` for both and hit ENOENT trying to read the MDX, failing the Preview Web build.

- Remove both slugs from `web/lib/docs-nav.ts` (sidebar groups + ALL_SLUGS).
- Drop the matching icon entries and the now-unused `Workflow` lucide import from `DocsNav.tsx`.
- Prune `<Card href="/docs/reference-workflows">` / `cli-workflows` blocks and the `[Workflow Reference](...)` bullets from the surviving MDX pages that pointed at them.
- Repoint the footer "Advanced" link to `/docs/cloud`, the new first page in that nav group.
Pushed 3f2a3f9 — fixes the Preview Web (SST) failure. The Next.js build was iterating
CI status on latest commit: 46 success, 2 skipped (Swift SDK Tests / Cleanup Preview), 1 neutral (cubic). Zero failures. PR shows
Summary
Major architectural cleanup. Splits Agent Relay's monorepo into a one-way dependency graph and moves the workflow runner into a dedicated sibling repo (AgentWorkforce/relayflows).

End state — each package has one concern:

No more circular deps. The arrow points one way: relayflows → agent-relay.

What's removed
- packages/workflow-types/ — shim package deleted; types are in @relayflows/core/schema
- packages/sdk/src/workflows/ — workflow runner moved to @relayflows/core
- packages/sdk/src/provisioner/ — moved to @agent-relay/cloud (and onward, where relayfile-flavored bits went to @relayfile/sdk@0.8.0)
- workflow-step.ts files in github/slack/browser primitives — workflow adapters moved to @relayflows/core/integrations/*
- relay run (workflow runner) and relay workflows (templates) CLI commands — replaced by relayflows run
- createGitHubStep / createSlackStep re-exports from SDK barrel
- browser-primitive's MCP browser.step.execute tool (step execution is workflow-side)
- yaml-validation, swarm-coordinator, resume-fallback, idle-nudge, file-db, e2e-owner-review, completion-pipeline, start-from, builder-deterministic, error-scenarios, provisioner-mount, provisioner/audit) — moved to relayflows

Companion PRs / releases (already landed)
- AgentWorkforce/relayfile#208 → `@relayfile/sdk@0.8.0` (merged + published — contains `workspace-seeder` + `workspace-mount`)

After this merges
Test plan