Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Shadow review (claude-2) — #1028 Fix 1/2/3 runtime

Reviewed at HEAD 81e8e3d (incl. 4712f1a, 069b4ab), cross-checked line-by-line against cloud origin/main for the contract surface. Note: CodeRabbit reported SUCCESS but was rate-limited and did not actually review this PR — so cubic + this pass are the only substantive review here.

Fix 1 — ctx.workflow (cloud-defaults.ts): runtime side correct ✅

The POST/poll wiring, status mapping, and result extraction match cloud's actual contract (verified against workflows/callback/route.ts:47-48 + workflows/runs/[runId]/route.ts):

• Status enum maps cloud's real values: completed→success, failed/cancelled→failure; pending/running non-terminal; unknown→keep-polling. (Originally the runtime only recognized success/failure, so completion() would have spun to the timeout on every real run and never returned — fixed in 81e8e3d.)
• Reads body.result (cloud stores the result under result, not output) and surfaces patches, so the PR URL at patches[].pushedTo.prUrl is reachable from completion().output.
• completion() timeout = 90m, covering the bundled 75m small-issue workflow.
• Robustness: 15s per-request AbortController timeout; up to 3 consecutive transient retries (network/timeout/429/5xx) with fail-loud on 401/403 so token expiry isn't masked.

⚠️ Cross-repo dependency (gates E2E, not this PR's code). Fix 1 only works once the cloud side lands (tracked with the cloud PR):

1. workflows/run/route.ts:581-588 currently gates the workspace path on a per-process crypto.randomUUID() header (route.ts:98) that a sandbox can't reproduce → 403. Cloud is switching to accept a verified workflow:invoke:write token without the random-header coupling.
2. The minted workspace token needs both workflow:invoke:write (POST) and workflow:runs:read (the GET poll route, runs/[runId]/route.ts:16) — workflow:invoke:read does not satisfy the poll route. Cloud is updating the token scopes + bumping TTL to 2h.

Runtime now sends the correct header name x-agentworkforce-workspace-workflow-invocation (4712f1a).

Fix 2 — slack/linear/notion/jira wiring: correct ✅ — two minor notes

• slack and jira are gated on WORKFORCE_WORKSPACE_TOKEN being present; if it's absent they're silently not wired (no ctx.slack, no diagnostic). Consider a debug log so a missing token is diagnosable rather than surfacing as a bare "ctx.slack is undefined".
• The github client's cloudApiToken precedence flipped to prefer WORKFORCE_WORKSPACE_TOKEN over WORKFORCE_AGENT_TOKEN (was the reverse). Intended? It changes which token authenticates github writebacks when both are set.

Fix 3 — writeback timeout (request.ts): correct ✅

Default 3000ms (DEFAULT_WRITEBACK_TIMEOUT_MS), 0→fire-and-forget, bounded poll loop (deadline = now + timeoutMs) — no unbounded hang. Env override WORKFORCE_RELAYFILE_WRITEBACK_TIMEOUT_MS is plumbed, and ="0" correctly re-disables (numberFromEnv preserves 0). The default now flips every integration write from instant to up-to-3s-blocking — bounded + intended (it's how post()/comment() return the real ts).

Verdict

Runtime side LGTM, pending the cloud PR landing the auth/scope/TTL changes above (I'm reviewing that separately). The pre-existing packages/cli/src/cli.ts(1984,70) MountHandle typecheck failure is unrelated to this PR (documented in #135) and not attributable here.