agent-relay 4.0.2 → 4.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (175) hide show
  1. package/bin/agent-relay-broker-darwin-arm64 +0 -0
  2. package/bin/agent-relay-broker-darwin-x64 +0 -0
  3. package/bin/agent-relay-broker-linux-arm64 +0 -0
  4. package/bin/agent-relay-broker-linux-x64 +0 -0
  5. package/dist/index.cjs +7906 -2084
  6. package/dist/packages/sdk/src/provisioner/seeder.d.ts +17 -0
  7. package/dist/packages/sdk/src/provisioner/seeder.d.ts.map +1 -0
  8. package/dist/packages/sdk/src/provisioner/seeder.js +419 -0
  9. package/dist/packages/sdk/src/provisioner/seeder.js.map +1 -0
  10. package/dist/packages/sdk/src/provisioner/token.d.ts +38 -0
  11. package/dist/packages/sdk/src/provisioner/token.d.ts.map +1 -0
  12. package/dist/packages/sdk/src/provisioner/token.js +74 -0
  13. package/dist/packages/sdk/src/provisioner/token.js.map +1 -0
  14. package/dist/src/cli/commands/core.d.ts.map +1 -1
  15. package/dist/src/cli/commands/core.js +7 -3
  16. package/dist/src/cli/commands/core.js.map +1 -1
  17. package/dist/src/cli/commands/on/provision.d.ts.map +1 -1
  18. package/dist/src/cli/commands/on/provision.js +8 -3
  19. package/dist/src/cli/commands/on/provision.js.map +1 -1
  20. package/dist/src/cli/commands/on/start.d.ts +3 -0
  21. package/dist/src/cli/commands/on/start.d.ts.map +1 -1
  22. package/dist/src/cli/commands/on/start.js +113 -84
  23. package/dist/src/cli/commands/on/start.js.map +1 -1
  24. package/dist/src/cli/commands/on/symlink-mount.d.ts +12 -0
  25. package/dist/src/cli/commands/on/symlink-mount.d.ts.map +1 -0
  26. package/dist/src/cli/commands/on/symlink-mount.js +304 -0
  27. package/dist/src/cli/commands/on/symlink-mount.js.map +1 -0
  28. package/dist/src/cli/commands/on.d.ts.map +1 -1
  29. package/dist/src/cli/commands/on.js +3 -0
  30. package/dist/src/cli/commands/on.js.map +1 -1
  31. package/install.sh +4 -0
  32. package/package.json +9 -9
  33. package/packages/acp-bridge/package.json +2 -2
  34. package/packages/brand/package.json +1 -1
  35. package/packages/cloud/package.json +2 -2
  36. package/packages/config/package.json +1 -1
  37. package/packages/hooks/package.json +4 -4
  38. package/packages/memory/package.json +2 -2
  39. package/packages/openclaw/package.json +2 -2
  40. package/packages/policy/package.json +2 -2
  41. package/packages/sdk/dist/client.d.ts +3 -10
  42. package/packages/sdk/dist/client.d.ts.map +1 -1
  43. package/packages/sdk/dist/client.js +2 -0
  44. package/packages/sdk/dist/client.js.map +1 -1
  45. package/packages/sdk/dist/provisioner/__tests__/audit.test.d.ts +2 -0
  46. package/packages/sdk/dist/provisioner/__tests__/audit.test.d.ts.map +1 -0
  47. package/packages/sdk/dist/provisioner/__tests__/audit.test.js +45 -0
  48. package/packages/sdk/dist/provisioner/__tests__/audit.test.js.map +1 -0
  49. package/packages/sdk/dist/provisioner/__tests__/compiler.test.d.ts +2 -0
  50. package/packages/sdk/dist/provisioner/__tests__/compiler.test.d.ts.map +1 -0
  51. package/packages/sdk/dist/provisioner/__tests__/compiler.test.js +345 -0
  52. package/packages/sdk/dist/provisioner/__tests__/compiler.test.js.map +1 -0
  53. package/packages/sdk/dist/provisioner/__tests__/presets.test.d.ts +2 -0
  54. package/packages/sdk/dist/provisioner/__tests__/presets.test.d.ts.map +1 -0
  55. package/packages/sdk/dist/provisioner/__tests__/presets.test.js +23 -0
  56. package/packages/sdk/dist/provisioner/__tests__/presets.test.js.map +1 -0
  57. package/packages/sdk/dist/provisioner/__tests__/seeder.test.d.ts +2 -0
  58. package/packages/sdk/dist/provisioner/__tests__/seeder.test.d.ts.map +1 -0
  59. package/packages/sdk/dist/provisioner/__tests__/seeder.test.js +224 -0
  60. package/packages/sdk/dist/provisioner/__tests__/seeder.test.js.map +1 -0
  61. package/packages/sdk/dist/provisioner/__tests__/tar-seeder.test.d.ts +2 -0
  62. package/packages/sdk/dist/provisioner/__tests__/tar-seeder.test.d.ts.map +1 -0
  63. package/packages/sdk/dist/provisioner/__tests__/tar-seeder.test.js +191 -0
  64. package/packages/sdk/dist/provisioner/__tests__/tar-seeder.test.js.map +1 -0
  65. package/packages/sdk/dist/provisioner/__tests__/token-factory.test.d.ts +2 -0
  66. package/packages/sdk/dist/provisioner/__tests__/token-factory.test.d.ts.map +1 -0
  67. package/packages/sdk/dist/provisioner/__tests__/token-factory.test.js +127 -0
  68. package/packages/sdk/dist/provisioner/__tests__/token-factory.test.js.map +1 -0
  69. package/packages/sdk/dist/provisioner/__tests__/token.test.d.ts +2 -0
  70. package/packages/sdk/dist/provisioner/__tests__/token.test.d.ts.map +1 -0
  71. package/packages/sdk/dist/provisioner/__tests__/token.test.js +44 -0
  72. package/packages/sdk/dist/provisioner/__tests__/token.test.js.map +1 -0
  73. package/packages/sdk/dist/provisioner/audit.d.ts +19 -0
  74. package/packages/sdk/dist/provisioner/audit.d.ts.map +1 -0
  75. package/packages/sdk/dist/provisioner/audit.js +74 -0
  76. package/packages/sdk/dist/provisioner/audit.js.map +1 -0
  77. package/packages/sdk/dist/provisioner/compiler.d.ts +23 -0
  78. package/packages/sdk/dist/provisioner/compiler.d.ts.map +1 -0
  79. package/packages/sdk/dist/provisioner/compiler.js +355 -0
  80. package/packages/sdk/dist/provisioner/compiler.js.map +1 -0
  81. package/packages/sdk/dist/provisioner/index.d.ts +9 -0
  82. package/packages/sdk/dist/provisioner/index.d.ts.map +1 -0
  83. package/packages/sdk/dist/provisioner/index.js +266 -0
  84. package/packages/sdk/dist/provisioner/index.js.map +1 -0
  85. package/packages/sdk/dist/provisioner/mount.d.ts +14 -0
  86. package/packages/sdk/dist/provisioner/mount.d.ts.map +1 -0
  87. package/packages/sdk/dist/provisioner/mount.js +329 -0
  88. package/packages/sdk/dist/provisioner/mount.js.map +1 -0
  89. package/packages/sdk/dist/provisioner/seeder.d.ts +17 -0
  90. package/packages/sdk/dist/provisioner/seeder.d.ts.map +1 -0
  91. package/packages/sdk/dist/provisioner/seeder.js +419 -0
  92. package/packages/sdk/dist/provisioner/seeder.js.map +1 -0
  93. package/packages/sdk/dist/provisioner/token.d.ts +38 -0
  94. package/packages/sdk/dist/provisioner/token.d.ts.map +1 -0
  95. package/packages/sdk/dist/provisioner/token.js +74 -0
  96. package/packages/sdk/dist/provisioner/token.js.map +1 -0
  97. package/packages/sdk/dist/provisioner/types.d.ts +133 -0
  98. package/packages/sdk/dist/provisioner/types.d.ts.map +1 -0
  99. package/packages/sdk/dist/provisioner/types.js +2 -0
  100. package/packages/sdk/dist/provisioner/types.js.map +1 -0
  101. package/packages/sdk/dist/relay.d.ts +6 -0
  102. package/packages/sdk/dist/relay.d.ts.map +1 -1
  103. package/packages/sdk/dist/relay.js +17 -5
  104. package/packages/sdk/dist/relay.js.map +1 -1
  105. package/packages/sdk/dist/types.d.ts +9 -0
  106. package/packages/sdk/dist/types.d.ts.map +1 -1
  107. package/packages/sdk/dist/workflows/__tests__/e2e-permissions.test.d.ts +2 -0
  108. package/packages/sdk/dist/workflows/__tests__/e2e-permissions.test.d.ts.map +1 -0
  109. package/packages/sdk/dist/workflows/__tests__/e2e-permissions.test.js +331 -0
  110. package/packages/sdk/dist/workflows/__tests__/e2e-permissions.test.js.map +1 -0
  111. package/packages/sdk/dist/workflows/__tests__/permission-types.test.d.ts +2 -0
  112. package/packages/sdk/dist/workflows/__tests__/permission-types.test.d.ts.map +1 -0
  113. package/packages/sdk/dist/workflows/__tests__/permission-types.test.js +124 -0
  114. package/packages/sdk/dist/workflows/__tests__/permission-types.test.js.map +1 -0
  115. package/packages/sdk/dist/workflows/__tests__/permissions-integration.test.d.ts +2 -0
  116. package/packages/sdk/dist/workflows/__tests__/permissions-integration.test.d.ts.map +1 -0
  117. package/packages/sdk/dist/workflows/__tests__/permissions-integration.test.js +526 -0
  118. package/packages/sdk/dist/workflows/__tests__/permissions-integration.test.js.map +1 -0
  119. package/packages/sdk/dist/workflows/dry-run-format.d.ts.map +1 -1
  120. package/packages/sdk/dist/workflows/dry-run-format.js +8 -0
  121. package/packages/sdk/dist/workflows/dry-run-format.js.map +1 -1
  122. package/packages/sdk/dist/workflows/runner.d.ts +14 -0
  123. package/packages/sdk/dist/workflows/runner.d.ts.map +1 -1
  124. package/packages/sdk/dist/workflows/runner.js +455 -6
  125. package/packages/sdk/dist/workflows/runner.js.map +1 -1
  126. package/packages/sdk/dist/workflows/types.d.ts +190 -0
  127. package/packages/sdk/dist/workflows/types.d.ts.map +1 -1
  128. package/packages/sdk/dist/workflows/types.js +29 -0
  129. package/packages/sdk/dist/workflows/types.js.map +1 -1
  130. package/packages/sdk/package.json +6 -2
  131. package/packages/sdk/src/__tests__/orchestration-upgrades.test.ts +123 -1
  132. package/packages/sdk/src/__tests__/provisioner-mount.test.ts +126 -0
  133. package/packages/sdk/src/__tests__/spawn-token.test.ts +41 -0
  134. package/packages/sdk/src/__tests__/workflow-runner.test.ts +77 -45
  135. package/packages/sdk/src/client.ts +4 -8
  136. package/packages/sdk/src/provisioner/__tests__/audit.test.ts +62 -0
  137. package/packages/sdk/src/provisioner/__tests__/compiler.test.ts +369 -0
  138. package/packages/sdk/src/provisioner/__tests__/presets.test.ts +25 -0
  139. package/packages/sdk/src/provisioner/__tests__/seeder.test.ts +284 -0
  140. package/packages/sdk/src/provisioner/__tests__/tar-seeder.test.ts +249 -0
  141. package/packages/sdk/src/provisioner/__tests__/token-factory.test.ts +172 -0
  142. package/packages/sdk/src/provisioner/__tests__/token.test.ts +53 -0
  143. package/packages/sdk/src/provisioner/audit.ts +104 -0
  144. package/packages/sdk/src/provisioner/compiler.ts +498 -0
  145. package/packages/sdk/src/provisioner/index.ts +332 -0
  146. package/packages/sdk/src/provisioner/mount.ts +419 -0
  147. package/packages/sdk/src/provisioner/seeder.ts +571 -0
  148. package/packages/sdk/src/provisioner/token.ts +112 -0
  149. package/packages/sdk/src/provisioner/types.ts +188 -0
  150. package/packages/sdk/src/relay.ts +31 -9
  151. package/packages/sdk/src/types.ts +9 -0
  152. package/packages/sdk/src/workflows/__tests__/e2e-permissions.test.ts +407 -0
  153. package/packages/sdk/src/workflows/__tests__/fixtures/.agentignore +2 -0
  154. package/packages/sdk/src/workflows/__tests__/fixtures/.reader.agentreadonly +2 -0
  155. package/packages/sdk/src/workflows/__tests__/fixtures/permission-test.yaml +42 -0
  156. package/packages/sdk/src/workflows/__tests__/permission-types.test.ts +154 -0
  157. package/packages/sdk/src/workflows/__tests__/permissions-integration.test.ts +649 -0
  158. package/packages/sdk/src/workflows/builtin-templates/bug-fix.yaml +13 -9
  159. package/packages/sdk/src/workflows/builtin-templates/code-review.yaml +12 -8
  160. package/packages/sdk/src/workflows/builtin-templates/competitive.yaml +11 -7
  161. package/packages/sdk/src/workflows/builtin-templates/documentation.yaml +16 -8
  162. package/packages/sdk/src/workflows/builtin-templates/feature-dev.yaml +13 -9
  163. package/packages/sdk/src/workflows/builtin-templates/refactor.yaml +13 -9
  164. package/packages/sdk/src/workflows/builtin-templates/review-loop.yaml +14 -10
  165. package/packages/sdk/src/workflows/builtin-templates/security-audit.yaml +19 -9
  166. package/packages/sdk/src/workflows/dry-run-format.ts +14 -1
  167. package/packages/sdk/src/workflows/runner.ts +559 -6
  168. package/packages/sdk/src/workflows/schema.json +204 -114
  169. package/packages/sdk/src/workflows/types.ts +266 -1
  170. package/packages/sdk/vitest.config.ts +5 -1
  171. package/packages/sdk-py/pyproject.toml +1 -1
  172. package/packages/telemetry/package.json +1 -1
  173. package/packages/trajectory/package.json +2 -2
  174. package/packages/user-directory/package.json +2 -2
  175. package/packages/utils/package.json +2 -2
package/packages/sdk/src/provisioner/types.ts ADDED
@@ -0,0 +1,188 @@
1
+ import type {
2
+ AccessPreset,
3
+ AgentPermissions,
4
+ CompiledAgentPermissions,
5
+ FilePermissions,
6
+ PermissionSource,
7
+ } from '../workflows/types.js';
8
+ import type { MountHandle } from './mount.js';
9
+
10
+ // ── Input Configuration ────────────────────────────────────────────────────
11
+
12
+ /** Configuration for provisioning workflow agents. */
13
+ export interface WorkflowProvisionConfig {
14
+ /** HMAC secret used to sign JWT tokens. */
15
+ secret: string;
16
+
17
+ /** Workspace identifier (e.g. 'my-project'). */
18
+ workspace: string;
19
+
20
+ /** Absolute path to the project directory. */
21
+ projectDir: string;
22
+
23
+ /** Base URL of the relayfile server (e.g. 'http://127.0.0.1:4080'). */
24
+ relayfileBaseUrl: string;
25
+
26
+ /**
27
+ * Agents to provision, keyed by agent name.
28
+ * Each entry carries the AgentPermissions from relay.yaml.
29
+ * When empty/undefined, agents are auto-discovered from dotfiles.
30
+ */
31
+ agents?: Record<string, AgentPermissions>;
32
+
33
+ /** JWT token TTL in seconds. Default: 7200 (2 hours). */
34
+ tokenTtlSeconds?: number;
35
+
36
+ /**
37
+ * Directories to exclude from workspace seeding.
38
+ * Defaults: ['.relay', '.git', 'node_modules'].
39
+ */
40
+ excludeDirs?: string[];
41
+
42
+ /**
43
+ * When true, skip workspace creation and file seeding.
44
+ * Useful when only tokens/ACL are needed.
45
+ */
46
+ skipSeeding?: boolean;
47
+
48
+ /**
49
+ * Admin scopes for the workspace management token.
50
+ * Uses DEFAULT_ADMIN_SCOPES when omitted.
51
+ */
52
+ adminScopes?: string[];
53
+
54
+ /** Optional explicit relayfile-mount binary path. */
55
+ mountBinaryPath?: string;
56
+
57
+ /** Base directory for per-agent mount points. Defaults to <projectDir>/.relay. */
58
+ mountBaseDir?: string;
59
+
60
+ /** When true, skip starting relayfile mount processes. */
61
+ skipMount?: boolean;
62
+
63
+ /** When true, print a short audit summary to stdout after provisioning. */
64
+ verbose?: boolean;
65
+ }
66
+
67
+ // ── Output ─────────────────────────────────────────────────────────────────
68
+
69
+ /** Aggregate counts for compiled permissions across provisioned agents. */
70
+ export interface ProvisionSummary {
71
+ readonly: number;
72
+ readwrite: number;
73
+ denied: number;
74
+ customScopes: number;
75
+ }
76
+
77
+ /** Convenience shape for a single agent's compiled scopes. */
78
+ export interface CompiledAgentScopes {
79
+ /** Agent name. */
80
+ agentName: string;
81
+
82
+ /** Workspace identifier. */
83
+ workspace: string;
84
+
85
+ /** Final token scopes after compilation. */
86
+ scopes: string[];
87
+
88
+ /** Directory ACL rules derived from the compiled permissions. */
89
+ acl: Record<string, string[]>;
90
+
91
+ /** Counts for the compiled access model. */
92
+ summary: ProvisionSummary;
93
+ }
94
+
95
+ /** Result of a single agent's provisioning. */
96
+ export interface AgentProvisionResult {
97
+ /** Agent name. */
98
+ name: string;
99
+
100
+ /** Absolute path to the written JWT file (.relay/tokens/<name>.jwt). */
101
+ tokenPath: string;
102
+
103
+ /** The raw JWT string. */
104
+ token: string;
105
+
106
+ /** Scopes baked into the token. */
107
+ scopes: string[];
108
+
109
+ /** Full compiled permissions (for audit / dry-run output). */
110
+ compiled: CompiledAgentPermissions;
111
+
112
+ /** Absolute path to the mounted relayfile workspace for this agent, when active. */
113
+ mountPoint?: string;
114
+ }
115
+
116
+ /** Map of agent names to minted JWT strings. */
117
+ export type AgentTokenMap = Record<string, string>;
118
+
119
+ /** Map of agent names to their provisioning result. */
120
+ export type AgentProvisionMap = Record<string, AgentProvisionResult>;
121
+
122
+ /** Aggregate result of provisionWorkflowAgents(). */
123
+ export interface ProvisionResult {
124
+ /** Per-agent results, keyed by agent name. */
125
+ agents: AgentProvisionMap;
126
+
127
+ /** Ordered list of agent names (matches iteration order). */
128
+ agentNames: string[];
129
+
130
+ /** Workspace-level admin token (used for seeding). */
131
+ adminToken: string;
132
+
133
+ /** Number of files seeded to the relayfile workspace. */
134
+ seededFileCount: number;
135
+
136
+ /** Number of ACL directory rules seeded. */
137
+ seededAclCount: number;
138
+
139
+ /** Aggregate summary across all agents. */
140
+ summary: ProvisionSummary;
141
+
142
+ /** Per-agent mounted workspace handles. */
143
+ mounts: Map<string, MountHandle>;
144
+
145
+ /** Per-agent minted JWT strings. */
146
+ tokens: Map<string, string>;
147
+
148
+ /** Per-agent compiled token scopes. */
149
+ scopes: Map<string, string[]>;
150
+ }
151
+
152
+ // ── Compiler Types ─────────────────────────────────────────────────────────
153
+
154
+ /** Input to the permission compiler for a single agent. */
155
+ export interface CompileInput {
156
+ agentName: string;
157
+ workspace: string;
158
+ projectDir: string;
159
+ permissions: AgentPermissions;
160
+ }
161
+
162
+ // ── Seeder Types ───────────────────────────────────────────────────────────
163
+
164
+ /** Options for the ACL seeder. */
165
+ export interface SeedAclOptions {
166
+ relayfileBaseUrl: string;
167
+ token: string;
168
+ workspace: string;
169
+ aclRules: Record<string, string[]>;
170
+ }
171
+
172
+ /** Options for workspace file seeding. */
173
+ export interface SeedWorkspaceOptions {
174
+ relayfileBaseUrl: string;
175
+ token: string;
176
+ workspace: string;
177
+ projectDir: string;
178
+ excludeDirs: string[];
179
+ }
180
+
181
+ /** Minimal debug summary written alongside compiled ACL output. */
182
+ export interface AgentAclSummary {
183
+ name: string;
184
+ summary: Pick<ProvisionSummary, 'readonly' | 'readwrite' | 'denied'>;
185
+ }
186
+
187
+ // Re-export upstream types for convenience.
188
+ export type { AccessPreset, AgentPermissions, CompiledAgentPermissions, FilePermissions, PermissionSource };
package/packages/sdk/src/relay.ts CHANGED
@@ -29,11 +29,7 @@ import path from 'node:path';
29
29
 
30
30
  import { RelayCast } from '@relaycast/sdk';
31
31
 
32
- import {
33
- AgentRelayClient,
34
- type AgentRelayBrokerInitArgs,
35
- type AgentRelaySpawnOptions,
36
- } from './client.js';
32
+ import { AgentRelayClient, type AgentRelayBrokerInitArgs, type AgentRelaySpawnOptions } from './client.js';
37
33
  import { AgentRelayProtocolError } from './transport.js';
38
34
  import type { SendMessageInput, SpawnPtyInput } from './types.js';
39
35
  import type {
@@ -220,6 +216,9 @@ export interface SpawnOptions extends SpawnLifecycleHooks {
220
216
  shadowMode?: string;
221
217
  idleThresholdSecs?: number;
222
218
  restartPolicy?: RestartPolicy;
219
+ /** JWT token for relayauth/relayfile permissions. When set, the broker
220
+ * injects RELAY_AGENT_TOKEN into the agent's environment. */
221
+ agentToken?: string;
223
222
  /** When true, skip injecting the relay MCP configuration and protocol prompt into the spawned agent.
224
223
  * Useful for minor tasks where relay messaging is not needed, saving tokens. */
225
224
  skipRelayPrompt?: boolean;
@@ -298,6 +297,9 @@ export interface SpawnerSpawnOptions extends SpawnLifecycleHooks {
298
297
  task?: string;
299
298
  model?: string;
300
299
  cwd?: string;
300
+ /** JWT token for relayauth/relayfile permissions. When set, the broker
301
+ * injects RELAY_AGENT_TOKEN into the agent's environment. */
302
+ agentToken?: string;
301
303
  /** When true, skip injecting the relay MCP configuration and protocol prompt into the spawned agent.
302
304
  * Useful for minor tasks where relay messaging is not needed, saving tokens. */
303
305
  skipRelayPrompt?: boolean;
@@ -584,6 +586,7 @@ export class AgentRelay {
584
586
  model: input.model,
585
587
  cwd: input.cwd,
586
588
  team: input.team,
589
+ agentToken: input.agentToken,
587
590
  shadowOf: input.shadowOf,
588
591
  shadowMode: input.shadowMode,
589
592
  idleThresholdSecs: input.idleThresholdSecs,
@@ -626,6 +629,7 @@ export class AgentRelay {
626
629
  model: options?.model,
627
630
  cwd: options?.cwd,
628
631
  team: options?.team,
632
+ agentToken: options?.agentToken,
629
633
  shadowOf: options?.shadowOf,
630
634
  shadowMode: options?.shadowMode,
631
635
  idleThresholdSecs: options?.idleThresholdSecs,
@@ -1124,7 +1128,11 @@ export class AgentRelay {
1124
1128
  const workspaceId = this.getResolvedWorkspaceId();
1125
1129
  if (workspaceId) {
1126
1130
  this.applyWorkspaceEnv(workspaceId, this.relayApiKey);
1127
- try { this.persistWorkspaceMapping(workspaceId, this.relayApiKey); } catch { /* non-critical */ }
1131
+ try {
1132
+ this.persistWorkspaceMapping(workspaceId, this.relayApiKey);
1133
+ } catch {
1134
+ /* non-critical */
1135
+ }
1128
1136
  } else {
1129
1137
  this.wireRelaycastBaseUrl();
1130
1138
  }
@@ -1141,7 +1149,11 @@ export class AgentRelay {
1141
1149
  this.relayApiKey = resolvedKey;
1142
1150
  this.resolvedWorkspaceId = requestedWorkspaceId;
1143
1151
  this.applyWorkspaceEnv(requestedWorkspaceId, resolvedKey);
1144
- try { this.persistWorkspaceMapping(requestedWorkspaceId, resolvedKey); } catch { /* non-critical */ }
1152
+ try {
1153
+ this.persistWorkspaceMapping(requestedWorkspaceId, resolvedKey);
1154
+ } catch {
1155
+ /* non-critical */
1156
+ }
1145
1157
  return;
1146
1158
  }
1147
1159
 
@@ -1153,7 +1165,11 @@ export class AgentRelay {
1153
1165
  this.relayApiKey = resolvedKey;
1154
1166
  this.resolvedWorkspaceId = resolvedWorkspaceId;
1155
1167
  this.applyWorkspaceEnv(resolvedWorkspaceId, resolvedKey);
1156
- try { this.persistWorkspaceMapping(resolvedWorkspaceId, resolvedKey); } catch { /* non-critical */ }
1168
+ try {
1169
+ this.persistWorkspaceMapping(resolvedWorkspaceId, resolvedKey);
1170
+ } catch {
1171
+ /* non-critical */
1172
+ }
1157
1173
  }
1158
1174
 
1159
1175
  /** Inject relaycastBaseUrl into broker env. Explicit option wins over inherited env. */
@@ -1190,7 +1206,11 @@ export class AgentRelay {
1190
1206
  const workspaceId = this.getResolvedWorkspaceId();
1191
1207
  if (workspaceId) {
1192
1208
  this.applyWorkspaceEnv(workspaceId, c.workspaceKey);
1193
- try { this.persistWorkspaceMapping(workspaceId, c.workspaceKey); } catch { /* non-critical */ }
1209
+ try {
1210
+ this.persistWorkspaceMapping(workspaceId, c.workspaceKey);
1211
+ } catch {
1212
+ /* non-critical */
1213
+ }
1194
1214
  }
1195
1215
  }
1196
1216
  this.wireEvents(c);
@@ -1582,6 +1602,7 @@ export class AgentRelay {
1582
1602
  task,
1583
1603
  model: options?.model,
1584
1604
  cwd: options?.cwd,
1605
+ agentToken: options?.agentToken,
1585
1606
  skipRelayPrompt: options?.skipRelayPrompt,
1586
1607
  onStart: options?.onStart,
1587
1608
  onSuccess: options?.onSuccess,
@@ -1606,6 +1627,7 @@ export class AgentRelay {
1606
1627
  args,
1607
1628
  channels,
1608
1629
  task,
1630
+ agentToken: options?.agentToken,
1609
1631
  skipRelayPrompt: options?.skipRelayPrompt,
1610
1632
  });
1611
1633
  } catch (error) {
package/packages/sdk/src/types.ts CHANGED
@@ -19,6 +19,9 @@ export interface SpawnPtyInput {
19
19
  restartPolicy?: RestartPolicy;
20
20
  continueFrom?: string;
21
21
  skipRelayPrompt?: boolean;
22
+ /** JWT token for relayauth/relayfile permissions. When set, the broker
23
+ * injects RELAY_AGENT_TOKEN into the agent's environment. */
24
+ agentToken?: string;
22
25
  }
23
26
 
24
27
  export interface SpawnHeadlessInput {
@@ -28,6 +31,9 @@ export interface SpawnHeadlessInput {
28
31
  channels?: string[];
29
32
  task?: string;
30
33
  skipRelayPrompt?: boolean;
34
+ /** JWT token for relayauth/relayfile permissions. When set, the broker
35
+ * injects RELAY_AGENT_TOKEN into the agent's environment. */
36
+ agentToken?: string;
31
37
  }
32
38
 
33
39
  export type AgentTransport = 'pty' | 'headless';
@@ -48,6 +54,9 @@ export interface SpawnProviderInput {
48
54
  restartPolicy?: RestartPolicy;
49
55
  continueFrom?: string;
50
56
  skipRelayPrompt?: boolean;
57
+ /** JWT token for relayauth/relayfile permissions. When set, the broker
58
+ * injects RELAY_AGENT_TOKEN into the agent's environment. */
59
+ agentToken?: string;
51
60
  }
52
61
 
53
62
  export interface SendMessageInput {