pass the model by khaliqgant · Pull Request #392 · AgentWorkforce/relay

khaliqgant · 2026-02-09T12:36:21Z

Fixes Wire up model passthrough in spawn() #389
Allows hot swapping model for an agent
Relates to Multiple repos per workspace unlock relay-dashboard#26

        log.warn(`Could not resolve path for '${commandName}', spawn may fail`);
      }

+      // Track the effective model for this spawn.


In general terms, the fix is to stop using Math.random() for generating agent names and replace it with a cryptographically secure pseudo-random source. On Node.js, this means using the crypto module (for example, crypto.randomInt, or deriving an index from crypto.randomBytes) instead of Math.random(). We must ensure that the selection of indices remains uniform and within array bounds, and that we keep the public API (generateAgentName, generateUniqueAgentName, isValidAgentName) unchanged.

Concretely, we will modify packages/utils/src/name-generator.ts:

Add an import of Node’s built-in crypto module at the top of the file.

Replace the use of Math.floor(Math.random() * ADJECTIVES.length) and the analogous call for NOUNS in generateAgentName with crypto.randomInt(ADJECTIVES.length) and crypto.randomInt(NOUNS.length), respectively. crypto.randomInt(max) returns an integer in [0, max), so this is a drop-in replacement for indexing arrays.

Replace the fallback suffix generation in generateUniqueAgentName that currently uses Math.floor(Math.random() * 1000) with crypto.randomInt(1000).

These changes stay entirely within packages/utils/src/name-generator.ts, do not affect the external interface, and remove all insecure Math.random() usages that CodeQL traces into the spawner. No changes to src/cli/index.ts, packages/config/src/shadow-config.ts, or packages/bridge/src/spawner.ts are required because they simply consume the already-generated names.

        log.warn(`Could not resolve path for '${commandName}', spawn may fail`);
      }

+      // Track the effective model for this spawn.


General approach: Replace usage of Math.random() in name-generator.ts with a cryptographically secure random source. In Node.js we can use crypto.randomInt (or crypto.randomBytes), which provides unbiased, cryptographically strong integers. This keeps the API the same (still returns a deterministic string format) while strengthening the randomness. No changes are needed in src/cli/index.ts, packages/config/src/shadow-config.ts, or packages/bridge/src/spawner.ts; they can continue to consume generated names exactly as before.

Best concrete fix:

In packages/utils/src/name-generator.ts, import randomInt from Node’s crypto module.

Replace Math.floor(Math.random() * ADJECTIVES.length) and Math.floor(Math.random() * NOUNS.length) with randomInt(ADJECTIVES.length) and randomInt(NOUNS.length).

Replace the fallback suffix Math.floor(Math.random() * 1000) with randomInt(1000).

These are minimal edits that preserve all external behavior (same ranges, same string format) while using a cryptographically secure PRNG.

No changes are needed to spawner.ts, since it simply receives cli as a parameter; strengthening the randomness at source (name generation) handles all the variants CodeQL reported.

        log.warn(`Could not resolve path for '${commandName}', spawn may fail`);
      }

+      // Track the effective model for this spawn.


General fix: Replace all uses of Math.random() in packages/utils/src/name-generator.ts with a cryptographically secure random source. On Node, use crypto.randomInt for unbiased integer selection and suffix generation.

Best concrete fix:

In packages/utils/src/name-generator.ts, import Node’s crypto module.

Implement a small helper getRandomInt(max: number): number that calls crypto.randomInt(max).

Use getRandomInt(ADJECTIVES.length) and getRandomInt(NOUNS.length) instead of Math.floor(Math.random() * ...).

For the numeric suffix in generateUniqueAgentName, use getRandomInt(1000) instead of Math.floor(Math.random() * 1000).

Do not change any function signatures or exported names; the only behavioral change is that randomness becomes cryptographically secure.

Only packages/utils/src/name-generator.ts needs code changes; the spawner and CLI code can stay as is.

devin-ai-integration

Devin Review found 1 potential issue.

View 8 additional findings in Devin Review.

Addresses PR review feedback — validateModelForCli now checks the normalized model name against validModels rather than the raw input, ensuring aliases like 'claude-opus-4' are correctly validated. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pass the model

f4e6bf8

github-advanced-security AI found potential problems Feb 9, 2026

View reviewed changes

devin-ai-integration Bot reviewed Feb 9, 2026

View reviewed changes

Comment thread packages/utils/src/model-commands.ts Outdated

khaliqgant requested a review from willwashburn February 9, 2026 21:56

khaliqgant merged commit 953d7c5 into main Feb 11, 2026
31 of 32 checks passed

khaliqgant deleted the model-hotswap branch February 11, 2026 08:26

@@ -3,6 +3,8 @@
              * Inspired by mcp_agent_mail's approach.
              */
+            import crypto from 'node:crypto';
             const ADJECTIVES = [
               'Blue', 'Green', 'Red', 'Purple', 'Golden', 'Silver', 'Crystal', 'Amber',
               'Coral', 'Jade', 'Ruby', 'Sapphire', 'Emerald', 'Onyx', 'Pearl', 'Copper',
@@ -29,8 +31,8 @@
              * Generate a random agent name (AdjectiveNoun format).
              */
             export function generateAgentName(): string {
-              const adjective = ADJECTIVES[Math.floor(Math.random() * ADJECTIVES.length)];
-              const noun = NOUNS[Math.floor(Math.random() * NOUNS.length)];
+              const adjective = ADJECTIVES[crypto.randomInt(ADJECTIVES.length)];
+              const noun = NOUNS[crypto.randomInt(NOUNS.length)];
               return `${adjective}${noun}`;
             }
@@ -45,7 +47,7 @@
                 }
               }
               // Fallback: append random suffix
-              return `${generateAgentName()}${Math.floor(Math.random() * 1000)}`;
+              return `${generateAgentName()}${crypto.randomInt(1000)}`;
             }
             /**

@@ -3,6 +3,8 @@
              * Inspired by mcp_agent_mail's approach.
              */
+            import { randomInt } from 'node:crypto';
             const ADJECTIVES = [
               'Blue', 'Green', 'Red', 'Purple', 'Golden', 'Silver', 'Crystal', 'Amber',
               'Coral', 'Jade', 'Ruby', 'Sapphire', 'Emerald', 'Onyx', 'Pearl', 'Copper',
@@ -29,8 +31,8 @@
              * Generate a random agent name (AdjectiveNoun format).
              */
             export function generateAgentName(): string {
-              const adjective = ADJECTIVES[Math.floor(Math.random() * ADJECTIVES.length)];
-              const noun = NOUNS[Math.floor(Math.random() * NOUNS.length)];
+              const adjective = ADJECTIVES[randomInt(ADJECTIVES.length)];
+              const noun = NOUNS[randomInt(NOUNS.length)];
               return `${adjective}${noun}`;
             }
@@ -45,7 +47,7 @@
                 }
               }
               // Fallback: append random suffix
-              return `${generateAgentName()}${Math.floor(Math.random() * 1000)}`;
+              return `${generateAgentName()}${randomInt(1000)}`;
             }
             /**

@@ -3,6 +3,8 @@
              * Inspired by mcp_agent_mail's approach.
              */
+            import crypto from 'node:crypto';
             const ADJECTIVES = [
               'Blue', 'Green', 'Red', 'Purple', 'Golden', 'Silver', 'Crystal', 'Amber',
               'Coral', 'Jade', 'Ruby', 'Sapphire', 'Emerald', 'Onyx', 'Pearl', 'Copper',
@@ -25,12 +27,16 @@
               'Star', 'Moon', 'Sun', 'Comet', 'Cloud', 'Storm', 'Thunder', 'Lightning',
             ];
+            function getRandomInt(max: number): number {
+              return crypto.randomInt(max);
+            }
             /**
              * Generate a random agent name (AdjectiveNoun format).
              */
             export function generateAgentName(): string {
-              const adjective = ADJECTIVES[Math.floor(Math.random() * ADJECTIVES.length)];
-              const noun = NOUNS[Math.floor(Math.random() * NOUNS.length)];
+              const adjective = ADJECTIVES[getRandomInt(ADJECTIVES.length)];
+              const noun = NOUNS[getRandomInt(NOUNS.length)];
               return `${adjective}${noun}`;
             }
@@ -45,7 +47,7 @@
                 }
               }
               // Fallback: append random suffix
-              return `${generateAgentName()}${Math.floor(Math.random() * 1000)}`;
+              return `${generateAgentName()}${getRandomInt(1000)}`;
             }
             /**

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

pass the model#392

pass the model#392
khaliqgant merged 2 commits into
mainfrom
model-hotswap

khaliqgant commented Feb 9, 2026 •

edited

Loading

Uh oh!

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

devin-ai-integration Bot left a comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

khaliqgant commented Feb 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Check failure

Uh oh!

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Uh oh!

Copilot Autofix

devin-ai-integration Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

khaliqgant commented Feb 9, 2026 •

edited

Loading