feat(cloud): pass env vars to scheduled workflows#935

Merged
khaliqgant merged 1 commit into main from codex/cloud-schedule-env on May 21, 2026

@khaliqgant
Member

Summary

  • add repeatable --env KEY=VALUE support to agent-relay cloud schedule
  • propagate scheduled env vars into workflowRequest.envSecrets for the Cloud schedule API
  • cover CLI parsing and schedule request payload behavior

Test plan

  • npx vitest run src/cli/commands/cloud.test.ts packages/cloud/src/workflows.test.ts

Notes

  • Leaves existing local dirty files out of this PR: .trajectories/index.json, package-lock.json.

@khaliqgant khaliqgant requested a review from willwashburn as a code owner May 21, 2026 09:25
@coderabbitai
Contributor

coderabbitai Bot commented May 21, 2026

Walkthrough

This PR extends workflow scheduling to support environment secrets. A new envSecrets field is added to the type contract, the cloud SDK conditionally forwards it in API requests, and the CLI accepts repeatable --env KEY=VALUE arguments that are validated and passed through to the SDK.

Changes

Environment secrets support for scheduled workflows

| Layer | File(s) | Summary |
|---|---|---|
| Type contract for environment secrets | packages/cloud/src/types.ts | ScheduleWorkflowOptions adds an optional envSecrets field (Record<string, string>) for environment secret key-value pairs. |
| Cloud SDK scheduling with environment secrets | packages/cloud/src/workflows.ts, packages/cloud/src/workflows.test.ts | scheduleWorkflow conditionally includes envSecrets in the /api/v1/workflows/schedules request payload when provided; tests expect the field in both the cron schedule creation and workflow request assertions. |
| CLI environment variable parsing | src/cli/commands/cloud.ts | parseEnvAssignment helper validates and accumulates repeated --env KEY=VALUE arguments into a record, enforcing the KEY=VALUE format and shell-safe variable-name syntax. |
| CLI schedule command with environment secrets | src/cli/commands/cloud.ts, src/cli/commands/cloud.test.ts | Adds repeatable --env <KEY=VALUE> option to cloud schedule, wires parsed variables to scheduleWorkflow via envSecrets, and tests verify correct handling of valid assignments and rejection of malformed input. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐇 A rabbit hops through secrets bright,
Each --env a key in sight,
From CLI through the cloud it flies,
Where workflows bloom and schedules rise.
Hop, hop, hop—the secrets flow! 🌙

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: adding environment variable support to scheduled workflows in the cloud module. |
| Description check | ✅ Passed | The description covers the main objectives and includes a test plan, but lacks the template structure with checkboxes and screenshots section. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Contributor

@devin-ai-integration devin-ai-integration Bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.

Contributor

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
packages/cloud/src/workflows.ts (1)

688-690: ⚡ Quick win

Validate envSecrets in the SDK entrypoint for non-CLI callers.

Line 688 forwards envSecrets as-is. Since scheduleWorkflow is public, callers can bypass CLI parsing and send invalid keys, which shifts failures to the API layer. Adding the same key validation here gives deterministic client-side errors and keeps CLI/SDK behavior aligned.

Suggested patch
+const ENV_SECRET_KEY_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
+
+function validateEnvSecrets(envSecrets?: Record<string, string>): void {
+  if (!envSecrets) return;
+  for (const [key, value] of Object.entries(envSecrets)) {
+    if (!ENV_SECRET_KEY_RE.test(key)) {
+      throw new Error(`Invalid environment variable name: ${key || '(empty)'}`);
+    }
+    if (typeof value !== 'string') {
+      throw new Error(`Invalid environment variable value for ${key}.`);
+    }
+  }
+}
+
 export async function scheduleWorkflow(
   workflowArg: string,
   options: ScheduleWorkflowOptions = {}
 ): Promise<WorkflowSchedule> {
+  validateEnvSecrets(options.envSecrets);
   const hasCron = typeof options.cron === 'string' && options.cron.trim().length > 0;
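Review bot: ENV_SECRET_KEY_RE at the top of this hunk is a second copy of the name rule that the CLI parser is described as already enforcing, so the two can drift apart; define the pattern once in packages/cloud, export it, and have the CLI import it, which is what keeping CLI and SDK behavior aligned actually requires. The name error also interpolates the rejected key raw (`${key || '(empty)'}`); wrapping it in JSON.stringify(key) would make whitespace or control characters in a bad key visible instead of printing them into the terminal or log. The value error correctly names only the key and should stay that way. validateEnvSecrets has no doc comment, and the docstring coverage check on this PR is already below threshold.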
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/cloud/src/workflows.ts` around lines 688 - 690, scheduleWorkflow
currently forwards options.envSecrets directly; add client-side validation of
envSecrets keys (same rules the CLI uses) before including them in the payload
so invalid keys are rejected early. Inside scheduleWorkflow (or a small helper
like validateEnvSecretsKey/validateEnvSecrets), check options.envSecrets exists
and iterate its keys, enforcing the allowed pattern/whitelist used by the CLI
(reject empty keys, disallowed characters, or reserved names) and throw a clear
synchronous error if any key is invalid; only include envSecrets in the
forwarded object when validation passes. This keeps SDK and CLI behavior aligned
and prevents malformed keys from being sent to the API.
📥 Commits

Reviewing files that changed from the base of the PR and between 7408bb6 and 58e6f6a.

📒 Files selected for processing (5)
  • packages/cloud/src/types.ts
  • packages/cloud/src/workflows.test.ts
  • packages/cloud/src/workflows.ts
  • src/cli/commands/cloud.test.ts
  • src/cli/commands/cloud.ts
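
The two checks discussed in this review (repeatable `--env KEY=VALUE` parsing in the CLI and key validation in the SDK) can share one rule; the following is an added example, not the project's code. `collectEnv`, `assertEnvSecrets` and `demo` are hypothetical names and the argument values are constructed. It goes one step beyond the thread by using a null-prototype record, because `__proto__` satisfies the name pattern.

```typescript
// Added example: hypothetical helpers, not the project's parseEnvAssignment.
const ENV_KEY_RE = /^[A-Za-z_][A-Za-z0-9_]*$/; // pattern from the review suggestion

type EnvSecrets = Record<string, string>;

// SDK-side check: the single place the name rule lives.
function assertEnvSecrets(env: EnvSecrets): EnvSecrets {
  for (const [key, value] of Object.entries(env)) {
    if (!ENV_KEY_RE.test(key)) {
      // JSON.stringify makes control characters in a bad key visible.
      throw new Error(`Invalid environment variable name: ${JSON.stringify(key)}`);
    }
    if (typeof value !== 'string') {
      // Name only: the value is the secret and is never echoed.
      throw new Error(`Invalid environment variable value for ${key}.`);
    }
  }
  return env;
}

// CLI-side accumulator for a repeatable --env option, called once per occurrence.
function collectEnv(raw: string, acc?: EnvSecrets): EnvSecrets {
  // Null-prototype record: "__proto__" passes ENV_KEY_RE, and on a plain {}
  // assigning a string to it hits the prototype setter and is silently dropped.
  const out: EnvSecrets = acc ?? Object.create(null);
  const eq = raw.indexOf('=');
  if (eq <= 0) {
    // No "=" or an empty name. The raw argument may hold the secret, so it is not echoed.
    throw new Error('--env expects KEY=VALUE');
  }
  const key = raw.slice(0, eq);
  // Split on the first "=" only, so values that contain "=" survive intact.
  const value = raw.slice(eq + 1);
  assertEnvSecrets({ [key]: value }); // computed key: always an own property
  out[key] = value; // a repeated key overwrites the earlier value
  return out;
}

// Constructed sample arguments, as they would arrive from repeated --env flags.
function demo(): EnvSecrets {
  return ['API_TOKEN=abc==', 'EMPTY=', '__proto__=x'].reduce<EnvSecrets>(
    (acc, arg) => collectEnv(arg, acc),
    Object.create(null),
  );
}
```
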

@khaliqgant khaliqgant merged commit cb8cfc0 into main May 21, 2026
47 checks passed
@khaliqgant khaliqgant deleted the codex/cloud-schedule-env branch May 21, 2026 09:37