agent-relay-runner 0.20.0 → 0.22.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-relay-runner",
-  "version": "0.20.0",
+  "version": "0.22.0",
   "description": "Unified provider lifecycle runner for Agent Relay",
   "type": "module",
   "bin": {
@@ -20,7 +20,7 @@
     "directory": "runner"
   },
   "dependencies": {
-    "agent-relay-sdk": "0.2.11"
+    "agent-relay-sdk": "0.2.13"
   },
   "devDependencies": {
     "@types/bun": "latest",

package/plugins/claude/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "agent-relay-runner",
   "description": "Thin Agent Relay runner bridge for Claude Code",
-  "version": "0.20.0",
+  "version": "0.22.0",
   "agentRelayContracts": {
     "providerPluginProtocol": 1
   }

package/src/adapter.ts

@@ -159,7 +159,7 @@ export function profileAllowsRelayFeature(config: RunnerSpawnConfig, feature: ke
   return config.agentProfile?.relay?.[feature] !== false;
 }
 
-export const RELAY_CONTEXT = `[agent-relay] You are connected to Agent Relay, a real-time message bus between agents and users. When you receive a relay message: read it, do what it asks, and reply through the relay when a text response is needed. Use agent-relay /react <messageId> <emoji> for lightweight acknowledgement or approval. If Relay MCP tools are available, prefer relay_reply, relay_get_message, relay_get_thread, relay_send_message, relay_upload_artifact, relay_attach_artifact, relay_agent_status, relay_spawn_agent, and relay_shutdown_agent. CLI fallback: agent-relay /reply <messageId> --stdin < response.md; if a delivered message says it was truncated, fetch the full body with: agent-relay get-message <messageId>. For command details, run: agent-relay /guide`;
+export const RELAY_CONTEXT = `[agent-relay] You are connected to Agent Relay, a real-time message bus between agents and users. When you receive a relay message: read it, do what it asks, and reply through the relay when a text response is needed. Use agent-relay /react <messageId> <emoji> for lightweight acknowledgement or approval. If Relay MCP tools are available, prefer relay_reply, relay_get_message, relay_get_thread, relay_send_message, relay_upload_artifact, relay_attach_artifact, relay_agent_status, relay_find_agents, relay_spawn_agent, and relay_shutdown_agent. You never need to know or pass your own agent id — relay fills it from your token; use relay_whoami only if you need to reason about yourself. relay_spawn_agent / relay_shutdown_agent only appear if your profile grants spawning (a live-children quota); when present you can stand up long-living child agents and shut down your own — find them later with relay_find_agents spawnedBy:me. CLI fallback: agent-relay /reply <messageId> --stdin < response.md; if a delivered message says it was truncated, fetch the full body with: agent-relay get-message <messageId>. For command details, run: agent-relay /guide`;
 
 const PROVIDER_MESSAGE_BODY_PREVIEW_CHARS = 4000;
 

package/src/adapters/codex.ts

@@ -17,6 +17,8 @@ function codexRelayContextBlock(): string {
 import { prepareCodexProfileHome, profileUsesHostProviderGlobals } from "../profile-home";
 import { CodexAppClient, type ClientEvent } from "./codex-client";
 
+export const DEFAULT_CODEX_TOOL_OUTPUT_TOKEN_LIMIT = 12_000;
+
 type PendingCodexApproval = {
   id: string;
   requestId: string | number;
@@ -260,6 +262,7 @@ export class CodexAdapter implements ProviderAdapter {
         ...codexApprovalConfigArgs(config.approvalMode),
         ...(profileAllowsRelayFeature(config, "skills") ? bundledSkillConfigArgs() : []),
         ...(profileAllowsRelayFeature(config, "mcp") ? relayMcpCodexConfigArgs(config.relayUrl) : []),
+        ...codexToolOutputTokenLimitConfigArgs(config),
         ...codexManagedConfigArgs(),
         "--listen",
         appServerUrl,
@@ -917,6 +920,21 @@ export function codexAppServerConfigArgs(...argLists: string[][]): string[] {
   return result;
 }
 
+export function codexToolOutputTokenLimitConfigArgs(config: Pick<RunnerSpawnConfig, "agentProfile">): string[] {
+  const configured = codexToolOutputTokenLimit(config.agentProfile?.providerOptions);
+  if (configured === null) return [];
+  const limit = configured ?? DEFAULT_CODEX_TOOL_OUTPUT_TOKEN_LIMIT;
+  return ["-c", `tool_output_token_limit=${limit}`];
+}
+
+function codexToolOutputTokenLimit(providerOptions: unknown): number | null | undefined {
+  if (!isRecord(providerOptions)) return undefined;
+  const codex = providerOptions.codex;
+  if (!isRecord(codex)) return undefined;
+  const limit = codex.toolOutputTokenLimit;
+  return typeof limit === "number" || limit === null ? limit : undefined;
+}
+
 
 async function connectWithRetry(client: CodexAppClient, attempts = 40): Promise<void> {
   // Give the freshly-spawned app-server a moment to bind its socket before the

package/src/outbox.ts

@@ -248,6 +248,10 @@ export class Outbox {
     }
   }
 
+  // Pure per-row delay calc: the attempt count lives in SQLite (one outbox row
+  // at a time may be due), so this stays a stateless function rather than the
+  // stateful SDK ReconnectionManager (single in-memory counter) used for the
+  // orchestrator/voice reconnect loops — different model, deliberately not shared.
   private backoff(attempts: number): number {
     const exp = Math.min(this.maxBackoffMs, this.baseBackoffMs * 2 ** (attempts - 1));
     return Math.round(exp / 2 + Math.random() * (exp / 2)); // full-ish jitter, never below half

package/src/relay-instructions.ts

@@ -58,7 +58,8 @@ export function workspaceLifecycleNote(input: { mode?: string | null; branch?: s
   const base = input.baseRef ? `\`${input.baseRef}\`` : "the base branch";
   return [
     `[agent-relay] Isolated workspace: you are in a git worktree on branch ${branch}, based on ${base} — NOT the main checkout. Other agents may work in parallel and land to ${base}, so ${base} will move under you. That is expected; don't fight it.`,
-    `Do NOT push this branch yourself — not with \`git push\`, not with \`tl push\` or any other push wrapper, and do not manually rebase or merge. A steward may be auto-rebasing this branch in the background; pushing concurrently races it and can leave the worktree mid-rebase. Just commit your work here. When the task is done, run \`agent-relay workspace ready\` — Relay rebases onto the latest ${base}, lands your work, and pushes for you. (\`agent-relay workspace status\` shows the current state.)`,
+    `Do NOT push this branch yourself — not with \`git push\`, not with \`tl push\` or any other push wrapper, and do not manually rebase or merge. A steward may be auto-rebasing this branch in the background; pushing concurrently races it and can leave the worktree mid-rebase. Just commit your work here. When the task is done, run \`agent-relay workspace ready\` — Relay rebases onto the latest ${base}, lands your work, and pushes for you. If the installed \`agent-relay\` binary is stale and says the workspace command is unknown, run the repo-local fallback: \`bun src/index.ts workspace ready\`.`,
+    `After \`ready\`, the status becomes \`review_requested\` — this is the NORMAL, healthy hand-off state, NOT an escalation or a stall. Relay auto-merges clean rebases roughly every 2 minutes; a steward agent is spawned (after a short delay) ONLY if it can't land deterministically, so seeing no steward means it's working, not stuck. Wait with \`agent-relay workspace status --wait\` (it returns the moment your branch lands). On landing you'll be moved onto a fresh rebased branch whose name gains a \`--N\` suffix — expected, keep working there. Never \`cd\` into the main checkout, and never merge/push/resolve conflicts yourself — Relay and the steward own all of that. \`agent-relay workspace status\` anytime shows your current state and the next step.`,
   ].join("\n");
 }
 

package/src/relay-mcp.ts

@@ -3,11 +3,21 @@
 // server name, and token-handling rules live in exactly one place.
 //
 // Token handling: the bearer token is NEVER placed in argv (it would leak via `ps`
-// and the agent's own process inspection). Claude expands `${AGENT_RELAY_TOKEN}`
+// and the agent's own process inspection). Claude expands `${AGENT_RELAY_SESSION_TOKEN}`
 // from the env at MCP-config parse time; Codex reads it from the named env var.
-
+//
+// Why a dedicated var and NOT `AGENT_RELAY_TOKEN`: a managed session inherits the
+// runner's scoped, identity-bearing session token, but Claude Code applies a rig/user
+// `settings.json` `env` block OVER the inherited env. A rig that sets
+// `env.AGENT_RELAY_TOKEN` (e.g. to the admin token, for interactive CLI use) would
+// clobber the scoped token at parse time, so the relay MCP connection authenticates as
+// the `server` actor with no agent identity — `relay_whoami` returns null and
+// `relay_send_message` demands a `from` it can't supply (#233). The runner exports the
+// scoped token under this dedicated name that rigs don't set, so nothing on the host can
+// hijack the managed agent's identity.
 export const RELAY_MCP_SERVER_NAME = "agent-relay";
 export const RELAY_MCP_PATH = "/api/mcp";
+export const RELAY_MCP_TOKEN_ENV = "AGENT_RELAY_SESSION_TOKEN";
 
 export function relayMcpEndpoint(relayUrl: string): string {
   return `${relayUrl.replace(/\/+$/, "")}${RELAY_MCP_PATH}`;
@@ -24,7 +34,7 @@ export function relayMcpClaudeConfigArg(relayUrl: string): string[] {
         [RELAY_MCP_SERVER_NAME]: {
           type: "http",
           url: relayMcpEndpoint(relayUrl),
-          headers: { Authorization: "Bearer ${AGENT_RELAY_TOKEN}" },
+          headers: { Authorization: `Bearer \${${RELAY_MCP_TOKEN_ENV}}` },
         },
       },
     }),
@@ -39,7 +49,7 @@ export function relayMcpCodexConfigArgs(relayUrl: string): string[] {
     "-c",
     `${key}.url=${tomlString(relayMcpEndpoint(relayUrl))}`,
     "-c",
-    `${key}.bearer_token_env_var=${tomlString("AGENT_RELAY_TOKEN")}`,
+    `${key}.bearer_token_env_var=${tomlString(RELAY_MCP_TOKEN_ENV)}`,
   ];
 }
 

package/src/runner.ts

@@ -14,6 +14,7 @@ import { Outbox, type OutboxRecord } from "./outbox";
 import { extractLastAssistantTurn, extractFinalAssistantMessage, extractHookAssistantMessage, extractLatestTurnSteps, transcriptLooksComplete, analyzeSession } from "./adapters/claude-transcript";
 import { agentProfileProjectionReport } from "./profile-projection";
 import { profileUsesHostProviderGlobals } from "./profile-home";
+import { RELAY_MCP_TOKEN_ENV } from "./relay-mcp";
 import { runtimeMetadata } from "./version";
 import { logger, parseLogLevel } from "./logger";
 import { ensureSessionScratch, reapSessionScratch, sweepStaleSessions, type SessionScratchLayout } from "./session-scratch";
@@ -368,6 +369,11 @@ export class AgentRunner {
       AGENT_RELAY_URL: this.options.relayUrl,
       AGENT_RELAY_APPROVAL: this.options.approvalMode,
       ...(this.currentToken ? { AGENT_RELAY_TOKEN: this.currentToken } : {}),
+      // Dedicated, un-clobberable credential for the injected relay MCP endpoint. A rig's
+      // settings.json `env.AGENT_RELAY_TOKEN` would override the scoped token above at
+      // MCP-parse time → server-actor auth, no identity (#233). The MCP config references
+      // ${AGENT_RELAY_SESSION_TOKEN}, which rigs never set. See runner/src/relay-mcp.ts.
+      ...(this.currentToken ? { [RELAY_MCP_TOKEN_ENV]: this.currentToken } : {}),
       ...(this.currentTokenJti ? { AGENT_RELAY_TOKEN_JTI: this.currentTokenJti } : {}),
       ...(this.currentTokenProfileId ? { AGENT_RELAY_TOKEN_PROFILE: this.currentTokenProfileId } : {}),
       ...(this.currentTokenExpiresAt ? { AGENT_RELAY_TOKEN_EXPIRES_AT: String(this.currentTokenExpiresAt) } : {}),