Skip to content

fix(cli): handle messaging-only workspaces#350

Merged
khaliqgant merged 2 commits into
mainfrom
fix/messaging-only-workspace-resolution
Jul 13, 2026
Merged

fix(cli): handle messaging-only workspaces#350
khaliqgant merged 2 commits into
mainfrom
fix/messaging-only-workspace-resolution

Conversation

@khaliqgant

@khaliqgant khaliqgant commented Jul 13, 2026

Copy link
Copy Markdown
Member

Summary

  • Detect the messaging-only case precisely: only an Agent Relay Cloud workspace-resolver 404 followed by a successful authenticated Relaycast GET /v1/workspace is classified as Relaycast-only.
  • Replace the opaque resolver 404 with an actionable error that explains the workspace is not Relayfile-backed and points to relayfile setup --workspace <name>.
  • Distinguish invalid or unknown keys when Relaycast rejects the key, with separate remediation and no key leakage.
  • Add opt-in relayfile login --provision-messaging-only, which uses Relayfile's existing Cloud POST /api/v1/workspaces create path, mints and persists delegated credentials, and continues with the new Relayfile workspace.

Two-plane rationale

Agent Relay messaging workspaces and Cloud/Relayfile workspaces intentionally live on separate planes. This change does not modify Relay or Cloud, does not adopt a Relaycast key into Cloud, and does not rewrite the active Agent Relay workspace. The provisioning request contains only the workspace name; Cloud creates an independent Relayfile-backed workspace with its own rw_... identity.

Validation

  • go build ./...
  • go test ./cmd/relayfile-cli -count=1
  • go test ./...

New tests cover the actionable messaging-only error (including absence of the opaque 404 and key), invalid-key non-misclassification, and the separate Cloud-create/delegated-credential path.

Review in cubic

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@khaliqgant, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 25 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 128488c2-b498-441a-8d43-8faf94afffd2

📥 Commits

Reviewing files that changed from the base of the PR and between e3b3c5c and 1d642bf.

📒 Files selected for processing (4)
  • cmd/relayfile-cli/main.go
  • cmd/relayfile-cli/main_test.go
  • cmd/relayfile-cli/testdata/cloud-workspace-not-found.json
  • docs/cli-design.md
📝 Walkthrough

Walkthrough

relayfile-cli now identifies Relaycast-only workspaces, verifies workspace keys through Relaycast, and can provision a separate Relayfile-backed workspace during relayfile login with delegated credentials and persisted workspace state.

Changes

Messaging-only workspace provisioning

Layer / File(s) Summary
Workspace-key classification and verification
cmd/relayfile-cli/main.go, cmd/relayfile-cli/main_test.go
Resolver failures are validated through Relaycast and classified as messaging-only or invalid workspace keys with typed remediation errors and corresponding tests.
Delegated credential provisioning
cmd/relayfile-cli/main.go
Options-aware bootstrapping creates a Relayfile-backed workspace, mints delegated join tokens, persists credentials, and records the provisioned workspace.
Login flag and flow integration
cmd/relayfile-cli/main.go, cmd/relayfile-cli/main_test.go
relayfile login adds and validates --provision-messaging-only, clears stale credentials, reports the provisioning result, and tests the complete flow.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant relayfileLogin
  participant AgentRelayResolver
  participant RelaycastAPI
  participant RelayfileCloud
  participant CredentialStore
  User->>relayfileLogin: login --provision-messaging-only
  relayfileLogin->>AgentRelayResolver: resolve active workspace
  AgentRelayResolver-->>relayfileLogin: messaging-only workspace error
  relayfileLogin->>RelaycastAPI: verify workspace key
  RelaycastAPI-->>relayfileLogin: messaging-only workspace
  relayfileLogin->>RelayfileCloud: create Relayfile workspace
  RelayfileCloud-->>relayfileLogin: workspace and delegated token
  relayfileLogin->>CredentialStore: persist workspace and credentials
  CredentialStore-->>User: login success guidance
Loading

Possibly related PRs

Poem

A rabbit hops through Relaycast bright,
Finds a workspace keyed just right.
When messaging is all it can do,
Relayfile grows a workspace anew.
Tokens tucked safely, login sings—
“Provisioned!” says the bunny, and springs.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change: handling messaging-only workspaces in the CLI.
Description check ✅ Passed The description directly describes the workspace classification, error handling, and provisioning changes in the PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/messaging-only-workspace-resolution

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown

Relayfile Eval Review

Run: .relayfile/evals/runs/2026-07-13T14-39-25-442Z-HEAD-provider
Mode: provider
Git SHA: 8e6ee6b

Passed: 4 | Needs human: 0 | Reviewable: 0 | Missing output: 0 | Failed: 0 | Skipped: 0

Human Review Cases

No reviewable human-review cases captured Relayfile output.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces support for detecting and handling messaging-only (Relaycast-only) workspaces. It adds error classification logic to identify when an active workspace is messaging-only or has an invalid key, and introduces a --provision-messaging-only flag to automatically provision a separate Relayfile-backed workspace. The feedback suggests wrapping the validation error with %w instead of %v in fmt.Errorf to follow Go best practices.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread cmd/relayfile-cli/main.go
Comment on lines +1316 to +1319
return fmt.Errorf(
"the active Agent Relay workspace could not be resolved through Cloud, and Relayfile could not verify it with Relaycast: %v. Check network connectivity and try again",
validationErr,
)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

In Go, it is a best practice to wrap errors using %w instead of %v in fmt.Errorf when returning wrapped errors. This allows callers to inspect the underlying error using errors.Is or errors.As.

Suggested change
return fmt.Errorf(
"the active Agent Relay workspace could not be resolved through Cloud, and Relayfile could not verify it with Relaycast: %v. Check network connectivity and try again",
validationErr,
)
return fmt.Errorf(
"the active Agent Relay workspace could not be resolved through Cloud, and Relayfile could not verify it with Relaycast: %w. Check network connectivity and try again",
validationErr,
)

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e3b3c5caee

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread cmd/relayfile-cli/main.go Outdated
relayfileDefaultVersion = "0.10.17"
defaultServerURL = "https://file.agentrelay.com"
defaultCloudAPIURL = "https://agentrelay.com/cloud"
defaultRelaycastAPIURL = "https://gateway.relaycast.dev"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Point the Relaycast verifier at the hosted origin

When neither RELAYCAST_BASE_URL nor RELAY_BASE_URL is set, validateRelaycastWorkspaceKey will call https://gateway.relaycast.dev/v1/workspace. The published Relaycast OpenAPI server is https://cast.agentrelay.com/v1 (https://github.com/AgentWorkforce/relaycast/blob/main/openapi.yaml), so default installs send the validation request to the wrong origin and a messaging-only active workspace falls through as an unverifiable error instead of enabling the actionable message or --provision-messaging-only path. Default to the Relaycast hosted origin that this code appends /v1 to, or derive it from Agent Relay.

Useful? React with 👍 / 👎.

Comment thread cmd/relayfile-cli/main.go

var relayIntegrationBindingsMu sync.Mutex

var agentRelayWorkspaceKeyInResolverError = regexp.MustCompile(`(?:[?&]key=|/api/v1/workspaces/)(rk_live_[A-Za-z0-9_-]+)`)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Accept rk_test workspace keys in classification

In staging/dev, Relaycast workspace keys can be rk_test_* per the Relaycast OpenAPI, but this regexp only extracts rk_live_* and the later prefix check repeats that restriction. When Agent Relay's resolver 404 includes an rk_test_* key, the error won't be classified or redacted, so users see the opaque resolver failure (including the key) instead of the invalid-key/messaging-only remediation. Match all Relaycast workspace key prefixes the API accepts.

Useful? React with 👍 / 👎.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/relayfile-cli/main.go`:
- Around line 112-114: Update agentRelayMessagingOnlyWorkspaceError and the
--workspace validation flow to retain the Relaycast workspace data.id alongside
messagingOnly.Name, then accept either the supplied workspace name or ID when
validating provision-messaging-only login. Preserve the existing typed-error
behavior and add coverage for the workspace-ID form in the relevant tests.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 0573c365-42eb-44b3-94dd-098cd5747441

📥 Commits

Reviewing files that changed from the base of the PR and between 941138b and e3b3c5c.

📒 Files selected for processing (2)
  • cmd/relayfile-cli/main.go
  • cmd/relayfile-cli/main_test.go

Comment thread cmd/relayfile-cli/main.go
Comment on lines +112 to +114
type agentRelayMessagingOnlyWorkspaceError struct {
Name string
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Preserve the Relaycast workspace ID when validating --workspace.

--workspace accepts a name or ID (Line 2297), but validation discards data.id and compares only against messagingOnly.Name. Consequently, login --workspace <relaycast-id> --provision-messaging-only rejects the authenticated active workspace. Carry the ID in the typed error, accept either name or ID, and cover the ID form in tests.

Also applies to: 1334-1362, 1937-1942

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/relayfile-cli/main.go` around lines 112 - 114, Update
agentRelayMessagingOnlyWorkspaceError and the --workspace validation flow to
retain the Relaycast workspace data.id alongside messagingOnly.Name, then accept
either the supplied workspace name or ID when validating
provision-messaging-only login. Preserve the existing typed-error behavior and
add coverage for the workspace-ID form in the relevant tests.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3 issues found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="cmd/relayfile-cli/main.go">

<violation number="1" location="cmd/relayfile-cli/main.go:50">
P1: The default Relaycast API URL `https://gateway.relaycast.dev` is a legacy domain that is being decommissioned. The current production Relaycast server is `https://cast.agentrelay.com`. With this default, the messaging-only workspace validation will fail on default installs (no env override), causing a verified messaging-only workspace to fall through as a network/verification error rather than triggering the actionable remediation message or `--provision-messaging-only` path.

Update to `https://cast.agentrelay.com` to match the published OpenAPI server URL.</violation>

<violation number="2" location="cmd/relayfile-cli/main.go:65">
P2: The regex and subsequent prefix check only handle `rk_live_*` workspace keys. If staging/dev environments use keys with a different prefix (e.g., `rk_test_*`), those will not be extracted or classified, causing the opaque resolver error—including the key itself—to be shown to users instead of the actionable remediation message. Consider matching all valid Relaycast key prefixes to ensure proper classification and key redaction in non-production environments.</violation>

<violation number="3" location="cmd/relayfile-cli/main.go:1938">
P2: The messaging-only workspace validation only compares `workspaceValue` against `messagingOnly.Name`, but `--workspace` accepts both a name and an ID. If a user passes `--workspace <relaycast-id>` with `--provision-messaging-only`, this comparison will always fail and reject the request even though the workspace is correctly authenticated. Consider also storing the Relaycast workspace ID in `agentRelayMessagingOnlyWorkspaceError` (from `payload.Data.ID` in `validateRelaycastWorkspaceKey`) and accepting either name or ID in this comparison.</violation>
</file>

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread cmd/relayfile-cli/main.go Outdated
relayfileDefaultVersion = "0.10.17"
defaultServerURL = "https://file.agentrelay.com"
defaultCloudAPIURL = "https://agentrelay.com/cloud"
defaultRelaycastAPIURL = "https://gateway.relaycast.dev"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: The default Relaycast API URL https://gateway.relaycast.dev is a legacy domain that is being decommissioned. The current production Relaycast server is https://cast.agentrelay.com. With this default, the messaging-only workspace validation will fail on default installs (no env override), causing a verified messaging-only workspace to fall through as a network/verification error rather than triggering the actionable remediation message or --provision-messaging-only path.

Update to https://cast.agentrelay.com to match the published OpenAPI server URL.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cmd/relayfile-cli/main.go, line 50:

<comment>The default Relaycast API URL `https://gateway.relaycast.dev` is a legacy domain that is being decommissioned. The current production Relaycast server is `https://cast.agentrelay.com`. With this default, the messaging-only workspace validation will fail on default installs (no env override), causing a verified messaging-only workspace to fall through as a network/verification error rather than triggering the actionable remediation message or `--provision-messaging-only` path.

Update to `https://cast.agentrelay.com` to match the published OpenAPI server URL.</comment>

<file context>
@@ -46,6 +47,7 @@ const (
 	relayfileDefaultVersion = "0.10.17"
 	defaultServerURL        = "https://file.agentrelay.com"
 	defaultCloudAPIURL      = "https://agentrelay.com/cloud"
+	defaultRelaycastAPIURL  = "https://gateway.relaycast.dev"
 	defaultObserverURL      = "https://agentrelay.com/observer/file"
 	minAgentRelayCLIVersion = "8.7.0"
</file context>
Suggested change
defaultRelaycastAPIURL = "https://gateway.relaycast.dev"
defaultRelaycastAPIURL = "https://cast.agentrelay.com"

Comment thread cmd/relayfile-cli/main_test.go
Comment thread cmd/relayfile-cli/main.go

var relayIntegrationBindingsMu sync.Mutex

var agentRelayWorkspaceKeyInResolverError = regexp.MustCompile(`(?:[?&]key=|/api/v1/workspaces/)(rk_live_[A-Za-z0-9_-]+)`)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: The regex and subsequent prefix check only handle rk_live_* workspace keys. If staging/dev environments use keys with a different prefix (e.g., rk_test_*), those will not be extracted or classified, causing the opaque resolver error—including the key itself—to be shown to users instead of the actionable remediation message. Consider matching all valid Relaycast key prefixes to ensure proper classification and key redaction in non-production environments.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cmd/relayfile-cli/main.go, line 65:

<comment>The regex and subsequent prefix check only handle `rk_live_*` workspace keys. If staging/dev environments use keys with a different prefix (e.g., `rk_test_*`), those will not be extracted or classified, causing the opaque resolver error—including the key itself—to be shown to users instead of the actionable remediation message. Consider matching all valid Relaycast key prefixes to ensure proper classification and key redaction in non-production environments.</comment>

<file context>
@@ -60,6 +62,8 @@ var relayfileVersion = relayfileDefaultVersion
 
 var relayIntegrationBindingsMu sync.Mutex
 
+var agentRelayWorkspaceKeyInResolverError = regexp.MustCompile(`(?:[?&]key=|/api/v1/workspaces/)(rk_live_[A-Za-z0-9_-]+)`)
+
 // defaultJoinScopes are the scopes minted for every delegated-credential
</file context>

Comment thread cmd/relayfile-cli/main.go
return workspaceRecord{}, "", false, err
}
requested := strings.TrimSpace(workspaceValue)
if requested != "" && !strings.EqualFold(requested, "active") && requested != strings.TrimSpace(messagingOnly.Name) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: The messaging-only workspace validation only compares workspaceValue against messagingOnly.Name, but --workspace accepts both a name and an ID. If a user passes --workspace <relaycast-id> with --provision-messaging-only, this comparison will always fail and reject the request even though the workspace is correctly authenticated. Consider also storing the Relaycast workspace ID in agentRelayMessagingOnlyWorkspaceError (from payload.Data.ID in validateRelaycastWorkspaceKey) and accepting either name or ID in this comparison.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cmd/relayfile-cli/main.go, line 1938:

<comment>The messaging-only workspace validation only compares `workspaceValue` against `messagingOnly.Name`, but `--workspace` accepts both a name and an ID. If a user passes `--workspace <relaycast-id>` with `--provision-messaging-only`, this comparison will always fail and reject the request even though the workspace is correctly authenticated. Consider also storing the Relaycast workspace ID in `agentRelayMessagingOnlyWorkspaceError` (from `payload.Data.ID` in `validateRelaycastWorkspaceKey`) and accepting either name or ID in this comparison.</comment>

<file context>
@@ -1812,21 +1914,39 @@ func delegatedRelayfileTokenViaCloud(cloud cloudCredentials, workspaceID, agentN
+			return workspaceRecord{}, "", false, err
+		}
+		requested := strings.TrimSpace(workspaceValue)
+		if requested != "" && !strings.EqualFold(requested, "active") && requested != strings.TrimSpace(messagingOnly.Name) {
+			return workspaceRecord{}, "", false, fmt.Errorf("active messaging-only Agent Relay workspace %q does not match requested workspace %q", messagingOnly.Name, workspaceValue)
+		}
</file context>

@agent-relay-code

Copy link
Copy Markdown
Contributor

ℹ️ pr-reviewer: review only — no file changes were applied to the PR (nothing to commit after review). The notes below are advisory and were not pushed.

Review: PR #350 — fix(cli): handle messaging-only workspaces

Summary

This PR adds handling for the case where the active Agent Relay workspace is "messaging-only" (Relaycast-only, not Relayfile-backed). When agent-relay workspace active --json fails to resolve through Cloud with a 404 workspace not found, the CLI now:

  • extracts the rk_live_* workspace key from the resolver error,
  • validates it against Relaycast (GET /v1/workspace),
  • classifies the failure into a friendly, actionable error (agentRelayMessagingOnlyWorkspaceError vs agentRelayInvalidWorkspaceKeyError),
  • and, with the new login --provision-messaging-only flag, provisions a separate Relayfile-backed workspace.

The scope is confined to cmd/relayfile-cli/main.go and its test file. No provider-mutation/ingest paths (digest contract) and no internal/httpapi/server.go handlers (OpenAPI contract) are touched, so those repo rules don't apply.

Verification

Ran the canonical CI steps end-to-end with Go 1.22 (the version pinned in .github/workflows/ci.yml):

  • go build ./... — passes
  • go vet ./cmd/relayfile-cli/ — clean
  • go test ./...all packages pass (relayfile-cli suite incl. the 3 new tests green)

Traced all callers of the changed functions:

  • bootstrapDelegatedCredentialsFromAgentRelayWithOptions is new; the old 3-return bootstrapDelegatedCredentialsFromAgentRelay wrapper is preserved, so its other callers (main.go:2037, main.go:4104) are unaffected.
  • ensureWorkspaceForSetup, persistDelegatedWorkspace, delegatedRelayfileTokenViaCloud signatures all match their usage.
  • All imports used by the diff (regexp, context, net/http, etc.) are already present.

Safety assessment

The change preserves fail-closed semantics — this is a security-sensitive area (credential/workspace resolution), and I checked it carefully:

  • classifyAgentRelayActiveWorkspaceError returns the original error whenever the pattern doesn't match, when the key can't be extracted, or when Relaycast validation errors out. It never converts a failure into a success/default path.
  • Unauthorized/Forbidden/NotFound from Relaycast map to agentRelayInvalidWorkspaceKeyError (a failure), not a permissive fallthrough. The TestActiveWorkspaceFromAgentRelayDoesNotMisclassifyInvalidKey test guards this.
  • Only HTTP 200 from Relaycast produces the messaging-only classification that can trigger provisioning; provisioning still requires the explicit opt-in flag.
  • Opaque resolver details (404, raw key) are deliberately kept out of user-facing messages, and tests assert the key doesn't leak.

No changes were made to lifecycle, termination, reaper, in-flight, dispatch, or broker-ownership code.

Auto-applied fixes

None. The diff is mechanically clean (gofmt-aligned flag map, correct import ordering) and builds/tests pass as-is. There were no lint/format/typo issues to fix.

Addressed comments

  • No bot or human review comments were present in .workforce/context.json or any accompanying data, so there are no review threads to account for. The PR has no recorded prior human review/approval.

Advisory Notes

  • Minor (non-blocking): provisionRelayfileWorkspaceForMessagingOnly passes record.LocalDir to persistDelegatedWorkspace, whereas the standard delegated path passes "". For a newly created workspace LocalDir is empty so behavior matches; for a pre-existing local record it preserves the existing dir. This looks intentional, but it's a subtle asymmetry worth a one-line comment for future readers. I left the code unchanged (behavioral judgment call, out of scope for a mechanical fix).
  • Observation: validateRelaycastWorkspaceKey treats a JSON decode failure on a 200 response as "valid key, unknown name" (documented in the code comment). Reasonable, since an authenticated 200 already proves validity. No change needed.

Verdict

The change is well-scoped, correctly preserves fail-closed behavior, has focused test coverage, and the full build + test suite passes. I could not confirm the state of GitHub CI checks or PR mergeability from within this sandbox (those are reported separately by cloud), so I am not asserting the PR is fully clear for a human hand-off.

@khaliqgant khaliqgant merged commit b283ab6 into main Jul 13, 2026
10 checks passed
@khaliqgant khaliqgant deleted the fix/messaging-only-workspace-resolution branch July 13, 2026 15:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant