chore(harness): prune transitive deps from iii.worker.yaml

[ytallo]

Summary

• Drop transitive deps from harness/iii.worker.yaml: auth-credentials, session, hook-fanout, provider-router, llm-budget. Each is already pulled in by another declared dep (providers, turn-orchestrator, provider-router).
• Group iii-* engine deps first for readability.
• 19 → 14 declared deps.

EXPECTED_WORKERS (generated by harness/build.rs from this manifest) shrinks accordingly, so the workers strip in the UI tracks only direct deps. The pruned workers still run on the bus via their parents.

Test plan

• cargo build clean
• cargo test --lib — 41/41 pass (including expected_workers_includes_approval_gate and expected_workers_includes_shell_consolidated guards)
• CI green

Summary by CodeRabbit

• Chores
  • Updated internal worker configuration and dependency management.

[github-actions]

skill-check — worker

0 verified, 25 skipped (no docs/).

Layer	Result
structure	✓
vale	✓
ai	✓

Three for three. Nicely done.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR updates the worker harness configuration file by modifying the dependencies list. It adds iii-sandbox as a new dependency and reorders several crates including sandboxing, orchestration, and provider components while removing five previously listed dependencies.

Changes

Worker Dependencies Configuration

Layer / File(s)	Summary
Worker dependencies configuration harness/iii.worker.yaml	The dependencies section is updated to include iii-sandbox and reorder iii-directory, turn-orchestrator, models-catalog, policy-denylist, shell, provider-anthropic, provider-openai, and approval-gate. Previous dependencies provider-router, session, hook-fanout, auth-credentials, and llm-budget are removed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• iii-hq/workers#121: Updates harness-bundle workflows to publish every bundled dependency from the worker configuration, making the release behavior dependent on the dependency set being changed by this PR.

Suggested reviewers

• sergiofilhowz

Poem

🐰 A sandbox springs to life so fine,
Dependencies align in perfect line.
Old crates depart, new paths emerge bright,
The worker harness hops forward—all right! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: pruning transitive dependencies from the harness configuration file. It is concise, specific, and clearly describes the primary modification in the pull request.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/harness-prune-transitive-deps

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

harness/iii.worker.yaml (1)

16-30: ⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoff

Reconsider removing session, hook-fanout, provider-router, and llm-budget from the deployment manifest.

The PR claims these were removed because they're pulled in transitively by other dependencies. However, harness/iii.worker.yaml is a runtime worker deployment manifest, not a Cargo dependency list. While auth-credentials is genuinely transitive via provider-anthropic and provider-openai Cargo packages, the other four removed workers (session, hook-fanout, provider-router, and llm-budget) do not appear as dependencies in any Cargo.toml files and are explicitly referenced in harness documentation (ARCHITECTURE.md, skill.md) and code (fanout.rs) as required peers.

Removing them from the manifest means they won't be deployed alongside the harness unless deployed separately—they won't be automatically available at runtime. Tests pass because the harness binary itself doesn't compile-depend on them (the interface comes from iii-sdk), but the harness is documented to expect these workers to be present during operation. Clarify whether this is intentional (workers will be deployed through other means) or if the removal is premature.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@harness/iii.worker.yaml` around lines 16 - 30, The deployment manifest
removed four runtime workers (session, hook-fanout, provider-router, llm-budget)
that are expected at runtime by the harness (see ARCHITECTURE.md, skill.md, and
fanout.rs) even though they are not Cargo transitive dependencies; restore these
worker entries in harness/iii.worker.yaml (add back session, hook-fanout,
provider-router, and llm-budget) so they are deployed with the harness, or if
the removal is intentional, update ARCHITECTURE.md, skill.md, and any references
in fanout.rs/iii-sdk to document the new deployment plan and where those
services will be provisioned instead; ensure auth-credentials remains handled
transitively via provider-anthropic/provider-openai if that is correct.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@harness/iii.worker.yaml`:
- Around line 16-30: The deployment manifest removed four runtime workers
(session, hook-fanout, provider-router, llm-budget) that are expected at runtime
by the harness (see ARCHITECTURE.md, skill.md, and fanout.rs) even though they
are not Cargo transitive dependencies; restore these worker entries in
harness/iii.worker.yaml (add back session, hook-fanout, provider-router, and
llm-budget) so they are deployed with the harness, or if the removal is
intentional, update ARCHITECTURE.md, skill.md, and any references in
fanout.rs/iii-sdk to document the new deployment plan and where those services
will be provisioned instead; ensure auth-credentials remains handled
transitively via provider-anthropic/provider-openai if that is correct.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6338bca5-a661-4f17-b247-0328473cce36

📥 Commits

Reviewing files that changed from the base of the PR and between 4bafb01 and b44718c.

📒 Files selected for processing (1)

• harness/iii.worker.yaml