Skip to content

migration: relay on + provisioner SDK mint RS256 tokens via local JWKS#779

Merged
khaliqgant merged 3 commits intomainfrom
relay-on-rs256-local-jwks
Apr 24, 2026
Merged

migration: relay on + provisioner SDK mint RS256 tokens via local JWKS#779
khaliqgant merged 3 commits intomainfrom
relay-on-rs256-local-jwks

Conversation

@kjgbot
Copy link
Copy Markdown
Contributor

@kjgbot kjgbot commented Apr 24, 2026
edited by devin-ai-integration Bot
Loading

What changed

  • Added a local JWKS helper that generates an RSA keypair, serves the public JWK, and exposes signer metadata.
  • Migrated agent-relay on token minting and provisioner SDK token minting from HS256/shared-secret signing to RS256/private-key signing with kid.
  • Propagated RELAYAUTH_JWKS_URL to local service, mount, and agent subprocess envs; agent envs also receive the local RS256 signing key metadata for nested workflow provisioning.
  • Updated provisioner token APIs and tests for the breaking { privateKey, kid } signature.

Why

Relayfile rejects HS256 after relayfile#60, and relayauth is purging HS256 support. The local on flow needs tokens signed by a JWKS-backed RS256 key so local relayfile/relayauth verifiers can trust them.

Breaking SDK change

mintAgentToken({ secret, ... }) and WorkflowTokenFactory(secret, workspace, ...) now require RS256 signer inputs: { privateKey, kid, ... } / new WorkflowTokenFactory(privateKey, kid, workspace, ...). provisionWorkflowAgents() now takes tokenSigningKey instead of secret.

Test plan

  • npx vitest run src/cli/commands/on/start.test.ts src/cli/commands/on/services.test.ts packages/sdk/src/provisioner/__tests__/token-factory.test.ts packages/sdk/src/provisioner/__tests__/token.test.ts packages/sdk/src/provisioner/__tests__/audit.test.ts packages/sdk/src/__tests__/provisioner-mount.test.ts
  • npx tsc -p packages/sdk/tsconfig.build.json --noEmit
  • npx tsx --test packages/sdk/src/provisioner/__tests__/token-factory.test.ts packages/sdk/src/provisioner/__tests__/token.test.ts packages/sdk/src/provisioner/__tests__/audit.test.ts
  • npm run build
  • npx tsx src/cli/index.ts on --help
Open in Devin Review

devin-ai-integration[bot]

This comment was marked as resolved.

Sign in to view

@claude
fix(on): shut down local JWKS server on all error paths
acf3f9f 
Wrap goOnTheRelay body after createLocalJwks() in a top-level
try/finally so the JWKS HTTP server is shut down even when
ensureServices, requestWorkspaceSession, launchOnMount, or the FUSE
setup throws. Removes the per-branch shutdown calls now handled by the
outer finally.

Addresses Devin review finding on #779.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@khaliqgant khaliqgant merged commit 86925d6 into main Apr 24, 2026
45 checks passed
@khaliqgant khaliqgant deleted the relay-on-rs256-local-jwks branch April 24, 2026 10:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devin-ai-integration devin-ai-integration[bot] devin-ai-integration[bot] left review comments

@khaliqgant khaliqgant Awaiting requested review from khaliqgant khaliqgant is a code owner

@willwashburn willwashburn Awaiting requested review from willwashburn willwashburn is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kjgbot @khaliqgant