include broker sdk

[khaliqgant]

---

[devin-ai-integration]

Devin Review found 1 potential issue.

View 4 additional findings in Devin Review.

[devin-ai-integration]

🔴 Missing yaml dependency in root package.json — broker-sdk will fail at runtime when installed globally

The @agent-relay/broker-sdk package (directory packages/sdk-ts) depends on yaml (used in packages/sdk-ts/src/workflows/runner.ts:12, packages/sdk-ts/src/workflows/builder.ts:1, packages/sdk-ts/src/workflows/templates.ts:4), but yaml is not listed in the root package.json dependencies.

Root Cause: directory name vs package name mismatch breaks the audit safety net

When @agent-relay/broker-sdk is added to bundledDependencies, npm will bundle the package itself into the tarball. However, npm's bundledDependencies does not include transitive dependencies — those must be hoisted to the root dependencies.

The project has an audit script (scripts/audit-bundled-deps.mjs) designed to catch exactly this problem, but it has a flaw: it strips the @agent-relay/ prefix from bundled package names and matches against directory names in packages/. Since the package is named @agent-relay/broker-sdk but lives in the packages/sdk-ts directory, the audit script never checks it:

// audit-bundled-deps.mjs:20 — strips prefix to get "broker-sdk"
.map(name => name.replace('@agent-relay/', ''))

// audit-bundled-deps.mjs:35 — but directory is "sdk-ts", not "broker-sdk"
if (!bundledPackages.has(pkg)) return;  // skips sdk-ts!

As a result, yaml (and potentially future deps) are silently missed. When users run npm install -g agent-relay, the yaml package won't be available, and import { parse as parseYaml } from 'yaml' in packages/sdk-ts/src/workflows/runner.ts:12 will throw a runtime ERR_MODULE_NOT_FOUND error.

Impact: Workflow features (runWorkflow, workflow builder, template resolution) will crash at runtime for globally-installed users.

Prompt for agents

Two changes are needed:

1. In package.json, add "yaml" to the root dependencies (around line 189, near the other dependencies). Add: "yaml": "^2.7.0" to the "dependencies" object.

2. In scripts/audit-bundled-deps.mjs, fix the directory-name matching logic so it works when the npm package name doesn't match the directory name. Instead of stripping the @agent-relay/ prefix and matching against directory names, read each package's package.json "name" field and compare against the bundledDependencies list directly. For example, change lines 18-21 and 33-35 to:

  const bundledNames = new Set(rootPkg.bundledDependencies || rootPkg.bundleDependencies || []);

  packages.forEach(pkg => {
    const pkgJson = JSON.parse(fs.readFileSync(path.join('packages', pkg, 'package.json'), 'utf-8'));
    if (!bundledNames.has(pkgJson.name)) return;
    // ... rest of the audit logic
  });

---

Was this helpful? React with 👍 or 👎 to provide feedback.