
migration: relay on + provisioner SDK mint RS256 tokens via local JWKS#779

Merged
khaliqgant merged 3 commits into main from relay-on-rs256-local-jwks on Apr 24, 2026
Conversation

kjgbot (Contributor) commented Apr 24, 2026

What changed

  • Added a local JWKS helper that generates an RSA keypair, serves the public JWK, and exposes signer metadata.
  • Migrated agent-relay on token minting and provisioner SDK token minting from HS256/shared-secret signing to RS256/private-key signing with kid.
  • Propagated RELAYAUTH_JWKS_URL to local service, mount, and agent subprocess envs; agent envs also receive the local RS256 signing key metadata for nested workflow provisioning.
  • Updated provisioner token APIs and tests for the breaking { privateKey, kid } signature.

Why

Relayfile rejects HS256 after relayfile#60, and relayauth is purging HS256 support. The local on flow needs tokens signed by a JWKS-backed RS256 key so local relayfile/relayauth verifiers can trust them.

Breaking SDK change

mintAgentToken({ secret, ... }) and WorkflowTokenFactory(secret, workspace, ...) now require RS256 signer inputs: { privateKey, kid, ... } / new WorkflowTokenFactory(privateKey, kid, workspace, ...). provisionWorkflowAgents() now takes tokenSigningKey instead of secret.

Test plan

  • npx vitest run src/cli/commands/on/start.test.ts src/cli/commands/on/services.test.ts packages/sdk/src/provisioner/__tests__/token-factory.test.ts packages/sdk/src/provisioner/__tests__/token.test.ts packages/sdk/src/provisioner/__tests__/audit.test.ts packages/sdk/src/__tests__/provisioner-mount.test.ts
  • npx tsc -p packages/sdk/tsconfig.build.json --noEmit
  • npx tsx --test packages/sdk/src/provisioner/__tests__/token-factory.test.ts packages/sdk/src/provisioner/__tests__/token.test.ts packages/sdk/src/provisioner/__tests__/audit.test.ts
  • npm run build
  • npx tsx src/cli/index.ts on --help


devin-ai-integration[bot] commented (comment marked as resolved)

Wrap goOnTheRelay body after createLocalJwks() in a top-level
try/finally so the JWKS HTTP server is shut down even when
ensureServices, requestWorkspaceSession, launchOnMount, or the FUSE
setup throws. Removes the per-branch shutdown calls now handled by the
outer finally.

Addresses Devin review finding on #779.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@khaliqgant khaliqgant merged commit 86925d6 into main Apr 24, 2026
45 checks passed
@khaliqgant khaliqgant deleted the relay-on-rs256-local-jwks branch April 24, 2026 10:26
