spec: API keys + RS256 production migration

[khaliqgant]

Why now

Production relayauth is two pieces short of what its own specs already assume:

1. specs/token-format.md mandates RS256 / EdDSA. Production signs HS256. Every spec-compliant verifier (including @relayauth/sdk's TokenVerifier at verify.js:184-200) refuses HS256 outright.
2. The /v1/api-keys endpoint family is declared in the OpenAPI spec and the contract test, but the routes don't exist and there's no api_keys table.

The user-visible failure that surfaced this: cloud's specialist worker adopted RS256/JWKS-style auth on /a2a/rpc (cloud #267); sage was supposed to mint via relayauth and present a bearer; the chain breaks because relayauth can't issue what the verifier requires and there's no API key path for sage to authenticate to relayauth in the first place.

End-result in production: sage's specialist tool calls 401 every time, harness hits max_iterations_reached, sage falls back to "I could not complete that request right now." in Slack. Tracked across cloud #267, sage #97, cloud #280.

What's in the spec

Four-phase migration:

1. API keys — POST /v1/api-keys + GET + revoke, api_keys table, x-api-key auth middleware, accept-either bearer/api-key on identity + token routes.
2. RS256 — switch signing to RS256, publish RSA public key in JWKS, keep HS256 entry alongside during transition.
3. Cutover — verifier-first deploy (dual-accept), signer cutover, HS256 sunset after 1h TTL window.
4. Bootstrap — admin generates a sage→relayauth API key once via the new endpoint, drops it into GitHub Actions secrets, sage and cloud PRs chain through automatically.

Risks, mitigations, and open questions inline. The hardest operational piece is that relayauth has no CD workflow today — separate spec issue should track that as a hard prerequisite before the cutover lands.

Asking for review on

• Token signing key storage approach (operator-generated vs. self-bootstrap)
• Whether POST /v1/api-keys itself should accept x-api-key auth (currently bearer-only to keep the bootstrap chain explicit)
• The phased cutover order — particularly whether 1h TTL is short enough to avoid needing longer dual-accept
• The non-blocking but real operational gap: relayauth production has no CD workflow

🤖 Generated with Claude Code

---

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dfbef0d03e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Enforce directory boundary in file-scope matching

The prefix check in /v1/authorize/file can grant access to sibling paths that merely share a textual prefix. For example, a token with relayfile:fs:read:/frontend/* will pass for a request like relayfile:fs:read:/frontendevil/secrets.txt because requestedPath.startsWith(scopePath) is true for /frontendevil vs /frontend. This turns the new authorization route into an over-permissive matcher and can incorrectly allow reads outside the intended directory tree.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Preserve denied outcome when summarizing scope checks

The scope.check formatter now always renders an allowed message whenever any relayfile scopes are present, even if payload.result is denied. authenticateAndAuthorize emits denied scope.check events before scope.denied, so this causes the event feed to show contradictory success text for failed authorization attempts, which makes debugging authorization behavior unreliable.

Useful? React with 👍 / 👎.

[devin-ai-integration]

Devin Review found 2 new potential issues.

View 9 additional findings in Devin Review.

[devin-ai-integration]

🔴 get_state reads the full nested object instead of .status, so phases are never recognized as already passed

set_state at line 97 writes a nested object {status: $status, ts: $ts} under each phase ID, but get_state at line 88 reads .[$id] which returns the entire object (e.g. {"status":"passed","ts":"2026-..."}), not just the status string. This means the comparison at scripts/run-rs256-migration.sh:217 (if [ "$state" = "passed" ]) will never be true, completely breaking the "pick up where we left off" behavior. Every re-invocation of the script will re-run all phases from the beginning, including re-running agent-relay workflows and re-branching/committing/PRing in git — potentially destructive for already-merged work.

Suggested change

	jq -r --arg id "$id" '.[$id] // "pending"' "$STATE_FILE"
	jq -r --arg id "$id" '.[$id].status // "pending"' "$STATE_FILE"

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

🔴 curl -f causes precondition check to fail on the expected HTTP 401 response

The precondition check at line 38 uses curl -fsS to verify the /v1/api-keys endpoint is deployed. The comment on line 39 says "Without auth this should be 401, not 404" — the intent is to distinguish between 401 (endpoint exists, requires auth) and 404 (endpoint not deployed). However, the -f flag causes curl to exit with code 22 for any HTTP error including 401. Combined with set -e on line 36, this aborts the entire precondition step on the expected 401 response, making the workflow un-runnable even when all preconditions are actually met.

Prompt for agents

The problem is in the `preconditions` step command in `workflows/123-bootstrap-sage-key-phase4.ts`, around line 36-38. The curl command uses `-f` which makes curl exit non-zero on HTTP 401, but 401 is the expected/successful response (it proves the endpoint is deployed and requires auth). Combined with `set -e`, this kills the entire precondition check.

To fix: Remove the `-f` flag from the curl call and instead capture the HTTP status code, then check it explicitly. For example, replace the curl line with something like:

  status=$(curl -sS -o /dev/null -w '%{http_code}' https://api.relayauth.dev/v1/api-keys -X POST -H 'content-type: application/json' -d '{}') ;
  if [ "$status" = "404" ]; then echo "ENDPOINT_NOT_DEPLOYED (got 404)"; exit 1; fi ;
  echo "HTTP $status (endpoint exists)" ;

This allows 401 (and other non-404 responses) to pass while correctly failing on 404.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[khaliqgant]

How to run

Single CLI entrypoint executes phases 118-123 in order with branch + commit + PR per repo.

One-shot (full migration)

cd /path/to/relayauth
./scripts/run-rs256-migration.sh

That's it. The runner branches each affected repo off origin/main, runs the workflow, commits the diff, pushes, and opens a PR. Hard pause before phase 122 (HIGH-risk crypto cutover) requires you to type PROCEED.

Common flags

# Preview what would happen, no changes
./scripts/run-rs256-migration.sh --dry-run

# Resume from a specific phase (state is persisted between runs)
./scripts/run-rs256-migration.sh --from 120

# Run a single phase
./scripts/run-rs256-migration.sh --only 119

# Commit but don't open PRs (useful for local iteration)
./scripts/run-rs256-migration.sh --skip-pr

# Skip the HIGH-risk pre-cutover human pause (only for testing in dev/staging)
./scripts/run-rs256-migration.sh --no-pause

Repo paths

The runner expects two repos checked out side-by-side. Override with env vars if your layout differs:

RELAYAUTH_REPO=~/work/relayauth \
CLOUD_REPO=~/work/cloud \
./scripts/run-rs256-migration.sh

Defaults: /Users/khaliqgant/Projects/AgentWorkforce/{relayauth,cloud}.

Prereqs

• agent-relay CLI on PATH
• gh (GitHub CLI) authenticated against AgentWorkforce/{relayauth,cloud}
• jq for state-file parsing
• Both repos checked out on a clean working tree (uncommitted changes will fail the branch checkout)

What gets opened

7 PRs total across two repos, one per phase per affected repo:

Phase	Repo	Branch
118	relayauth	migration/rs256/118-tokens-route
119	relayauth + cloud	migration/rs256/119-api-keys (paired)
120	relayauth	migration/rs256/120-rs256-signing
121	relayauth	migration/rs256/121-sdk-dual-verify
122	cloud	migration/rs256/122-cutover-infra
123	cloud	migration/rs256/123-bootstrap-runbook

Each PR body references this spec + the run order. The workflow's strict review template (implementer self-review + 2 specialist peer reviewers + architect synthesis + approval gate) gates the commit — PRs only open if the gate passed.

State + recovery

Progress is checkpointed in .rs256-migration-state.json (in the relayauth repo root). Re-running the script skips already-passed phases. If a workflow's approval gate fails, the runner exits 1 and the branch is preserved so you can investigate and re-run.

Operator window for phase 122

Phase 122 (cryptographic cutover) has three internal human go/no-go gates that block on touch-files:

touch /path/to/relayauth/.cutover-step1-approved   # after RSA key in JWKS confirmed
touch /path/to/relayauth/.cutover-step2-approved   # after signer flip + healthy tail
touch /path/to/relayauth/.cutover-step3-approved   # after HS256 sunset confirmed

Each gate prints exactly what to verify (curl JWKS, tail workers, etc.) before you mark it approved. There's also a 90-minute soak window between steps 2 and 3 — abort with touch .cutover-soak-aborted if anything looks off.