agent-relay 4.0.2 → 4.0.3

package/packages/sdk/src/workflows/builtin-templates/code-review.yaml

@@ -1,6 +1,6 @@
-version: "1.0"
+version: '1.0'
 name: code-review
-description: "Blueprint-style parallel code review with deterministic diff capture."
+description: 'Blueprint-style parallel code review with deterministic diff capture.'
 swarm:
   pattern: fan-out
   maxConcurrency: 4
@@ -13,26 +13,30 @@ swarm:
 agents:
   - name: lead
     cli: claude
-    role: "Aggregates review output and final recommendations"
+    role: 'Aggregates review output and final recommendations'
+    permissions: { access: full }
   - name: reviewer-architecture
     cli: codex
-    role: "Assesses architecture and maintainability"
+    role: 'Assesses architecture and maintainability'
+    permissions: { access: readonly }
     interactive: false
   - name: reviewer-correctness
     cli: claude
-    role: "Assesses correctness and testing"
+    role: 'Assesses correctness and testing'
+    permissions: { access: readonly }
     interactive: false
   - name: reviewer-security
     cli: gemini
-    role: "Assesses security posture and abuse resistance"
+    role: 'Assesses security posture and abuse resistance'
+    permissions: { access: readonly }
     interactive: false
 workflows:
   - name: parallel-review
-    description: "Run focused reviews in parallel and synthesize final guidance."
+    description: 'Run focused reviews in parallel and synthesize final guidance.'
     onError: fail
     preflight:
       - command: git diff --stat HEAD~1 2>/dev/null || git diff --stat 2>/dev/null || echo "No diff available"
-        description: "Check there are changes to review"
+        description: 'Check there are changes to review'
     steps:
       # Deterministic: Capture diff for review
       - name: capture-diff

package/packages/sdk/src/workflows/builtin-templates/competitive.yaml

@@ -1,6 +1,6 @@
-version: "1.0"
+version: '1.0'
 name: competitive
-description: "Multiple agents independently implement solutions, then compare and select the best approach."
+description: 'Multiple agents independently implement solutions, then compare and select the best approach.'
 swarm:
   pattern: competitive
   maxConcurrency: 4
@@ -9,19 +9,23 @@ swarm:
 agents:
   - name: lead
     cli: claude
-    role: "Defines spec, judges implementations, and selects winner"
+    role: 'Defines spec, judges implementations, and selects winner'
+    permissions: { access: readwrite }
   - name: team-alpha
     cli: claude
-    role: "Independent implementation team A"
+    role: 'Independent implementation team A'
+    permissions: { access: readwrite }
   - name: team-beta
     cli: codex
-    role: "Independent implementation team B"
+    role: 'Independent implementation team B'
+    permissions: { access: readwrite }
   - name: team-gamma
     cli: gemini
-    role: "Independent implementation team C"
+    role: 'Independent implementation team C'
+    permissions: { access: readwrite }
 workflows:
   - name: competitive-build
-    description: "Independent parallel implementations followed by comparison and selection."
+    description: 'Independent parallel implementations followed by comparison and selection.'
     onError: fail
     steps:
       - name: define-spec

package/packages/sdk/src/workflows/builtin-templates/documentation.yaml

@@ -1,6 +1,6 @@
-version: "1.0"
+version: '1.0'
 name: documentation
-description: "Blueprint-style documentation workflow with deterministic file operations."
+description: 'Blueprint-style documentation workflow with deterministic file operations.'
 swarm:
   pattern: handoff
   maxConcurrency: 1
@@ -13,26 +13,34 @@ swarm:
 agents:
   - name: lead
     cli: claude
-    role: "Owns final editorial sign-off"
+    role: 'Owns final editorial sign-off'
   - name: researcher
     cli: codex
-    role: "Collects technical context and source details"
+    role: 'Collects technical context and source details'
     interactive: false
   - name: writer
     cli: codex
-    role: "Drafts user-facing documentation"
+    role: 'Drafts user-facing documentation'
+    permissions:
+      access: readwrite
+      files:
+        write: ['docs/**', '*.md', 'web/content/**']
     interactive: false
   - name: editor
     cli: claude
-    role: "Edits for accuracy, clarity, and structure"
+    role: 'Edits for accuracy, clarity, and structure'
+    permissions:
+      access: readwrite
+      files:
+        write: ['docs/**', '*.md', 'web/content/**']
 workflows:
   - name: docs-production
-    description: "Gather context, draft docs, edit, and publish summary."
+    description: 'Gather context, draft docs, edit, and publish summary.'
     onError: skip
     preflight:
       - command: git status --porcelain
         failIf: non-empty
-        description: "Ensure working directory is clean"
+        description: 'Ensure working directory is clean'
     steps:
       # Deterministic: List existing docs
       - name: list-docs

package/packages/sdk/src/workflows/builtin-templates/feature-dev.yaml

@@ -1,6 +1,6 @@
-version: "1.0"
+version: '1.0'
 name: feature-dev
-description: "Blueprint-style feature development with deterministic quality gates."
+description: 'Blueprint-style feature development with deterministic quality gates.'
 swarm:
   pattern: hub-spoke
   maxConcurrency: 2
@@ -13,28 +13,32 @@ swarm:
 agents:
   - name: lead
     cli: claude
-    role: "Lead engineer coordinating delivery"
+    role: 'Lead engineer coordinating delivery'
+    permissions: { access: full }
   - name: planner
     cli: codex
-    role: "Plans implementation and acceptance criteria"
+    role: 'Plans implementation and acceptance criteria'
+    permissions: { access: readonly }
     interactive: false
   - name: developer
     cli: codex
-    role: "Implements planned changes"
+    role: 'Implements planned changes'
+    permissions: { access: readwrite }
     interactive: false
   - name: reviewer
     cli: claude
-    role: "Reviews code quality and release risk"
+    role: 'Reviews code quality and release risk'
+    permissions: { access: readonly }
 workflows:
   - name: feature-delivery
-    description: "Plan, implement, review, and finalize a feature request with quality gates."
+    description: 'Plan, implement, review, and finalize a feature request with quality gates.'
     onError: retry
     preflight:
       - command: git status --porcelain
         failIf: non-empty
-        description: "Ensure working directory is clean"
+        description: 'Ensure working directory is clean'
       - command: npm run type-check 2>/dev/null || echo "skip"
-        description: "Run type checking if available"
+        description: 'Run type checking if available'
     steps:
       # Agent: Planning
       - name: plan

package/packages/sdk/src/workflows/builtin-templates/refactor.yaml

@@ -1,6 +1,6 @@
-version: "1.0"
+version: '1.0'
 name: refactor
-description: "Blueprint-style refactor workflow with deterministic quality gates."
+description: 'Blueprint-style refactor workflow with deterministic quality gates.'
 swarm:
   pattern: hierarchical
   maxConcurrency: 2
@@ -13,28 +13,32 @@ swarm:
 agents:
   - name: lead
     cli: claude
-    role: "Owns scope, sequencing, and acceptance"
+    role: 'Owns scope, sequencing, and acceptance'
+    permissions: { access: full }
   - name: architect
     cli: codex
-    role: "Designs target architecture and migration plan"
+    role: 'Designs target architecture and migration plan'
+    permissions: { access: readwrite }
     interactive: false
   - name: refactorer
     cli: codex
-    role: "Executes scoped refactor changes"
+    role: 'Executes scoped refactor changes'
+    permissions: { access: readwrite }
     interactive: false
   - name: tester
     cli: claude
-    role: "Validates behavior parity and risk"
+    role: 'Validates behavior parity and risk'
+    permissions: { access: readonly }
 workflows:
   - name: refactor-execution
-    description: "Analyze current system, design approach, refactor, and validate."
+    description: 'Analyze current system, design approach, refactor, and validate.'
     onError: retry
     preflight:
       - command: git status --porcelain
         failIf: non-empty
-        description: "Ensure working directory is clean"
+        description: 'Ensure working directory is clean'
       - command: npm test 2>/dev/null || echo "baseline"
-        description: "Capture baseline test results"
+        description: 'Capture baseline test results'
     steps:
       # Agent: Analyze current design
       - name: analyze

package/packages/sdk/src/workflows/builtin-templates/review-loop.yaml

@@ -1,6 +1,6 @@
-version: "1.0"
+version: '1.0'
 name: review-loop
-description: "Implement a task with automated multi-perspective code review loop. Inspired by claude-review-loop pattern."
+description: 'Implement a task with automated multi-perspective code review loop. Inspired by claude-review-loop pattern.'
 swarm:
   pattern: review-loop
   maxConcurrency: 4
@@ -13,22 +13,26 @@ swarm:
 agents:
   - name: implementer
     cli: claude
-    role: "Senior developer implementing the task and addressing review feedback"
+    role: 'Senior developer implementing the task and addressing review feedback'
+    permissions: { access: full }
   - name: reviewer-diff
     cli: codex
-    role: "Code quality reviewer focusing on git diff, tests, and potential bugs"
+    role: 'Code quality reviewer focusing on git diff, tests, and potential bugs'
+    permissions: { access: readonly }
     interactive: false
   - name: reviewer-architecture
     cli: claude
-    role: "Architecture and design reviewer assessing structure and maintainability"
+    role: 'Architecture and design reviewer assessing structure and maintainability'
+    permissions: { access: readonly }
     interactive: false
   - name: reviewer-security
     cli: codex
-    role: "Security reviewer checking for OWASP Top 10 vulnerabilities"
+    role: 'Security reviewer checking for OWASP Top 10 vulnerabilities'
+    permissions: { access: readonly }
     interactive: false
 workflows:
   - name: review-loop-workflow
-    description: "Implement task, run parallel reviews, consolidate feedback, and address issues."
+    description: 'Implement task, run parallel reviews, consolidate feedback, and address issues.'
     onError: fail
     steps:
       # Phase 1: Implementation
@@ -82,7 +86,7 @@ workflows:
           - If issues found: REVIEW:ISSUES followed by numbered list of issues
         verification:
           type: output_contains
-          value: "REVIEW:"
+          value: 'REVIEW:'
 
       - name: review-architecture
         type: agent
@@ -107,7 +111,7 @@ workflows:
           - If issues found: REVIEW:ISSUES followed by numbered list of issues
         verification:
           type: output_contains
-          value: "REVIEW:"
+          value: 'REVIEW:'
 
       - name: review-security
         type: agent
@@ -133,7 +137,7 @@ workflows:
           - If vulnerabilities found: REVIEW:ISSUES followed by numbered list with severity
         verification:
           type: output_contains
-          value: "REVIEW:"
+          value: 'REVIEW:'
 
       # Phase 3: Consolidate reviews
       - name: consolidate

package/packages/sdk/src/workflows/builtin-templates/security-audit.yaml

@@ -1,6 +1,6 @@
-version: "1.0"
+version: '1.0'
 name: security-audit
-description: "Blueprint-style security assessment with deterministic scanning and agent triage."
+description: 'Blueprint-style security assessment with deterministic scanning and agent triage.'
 swarm:
   pattern: pipeline
   maxConcurrency: 1
@@ -13,26 +13,36 @@ swarm:
 agents:
   - name: lead
     cli: claude
-    role: "Owns final risk sign-off and recommendations"
+    role: 'Owns final risk sign-off and recommendations'
+    permissions: { access: full }
   - name: analyst
     cli: claude
-    role: "Prioritizes findings and recommends mitigations"
+    role: 'Prioritizes findings and recommends mitigations'
+    permissions:
+      access: readonly
+      files:
+        deny: ['.env', 'secrets/**', '*.pem', '*.key']
   - name: remediator
     cli: codex
-    role: "Implements approved remediations"
+    role: 'Implements approved remediations'
+    permissions: { access: readwrite }
     interactive: false
   - name: verifier
     cli: gemini
-    role: "Verifies fixes and residual exposure"
+    role: 'Verifies fixes and residual exposure'
+    permissions:
+      access: readonly
+      files:
+        deny: ['.env', 'secrets/**', '*.pem', '*.key']
 workflows:
   - name: audit-pipeline
-    description: "Scan, triage, remediate, verify, and report security posture."
+    description: 'Scan, triage, remediate, verify, and report security posture.'
     onError: fail
     preflight:
       - command: npm audit --json 2>/dev/null | head -100 || echo "{}"
-        description: "Run npm audit preflight check"
+        description: 'Run npm audit preflight check'
       - command: git diff --check 2>/dev/null || echo "clean"
-        description: "Check for whitespace errors"
+        description: 'Check for whitespace errors'
     steps:
       # Deterministic: Run npm audit
       - name: scan-npm

package/packages/sdk/src/workflows/dry-run-format.ts

@@ -26,7 +26,20 @@ export function formatDryRunReport(report: DryRunReport): string {
     for (const agent of report.agents) {
       const stepLabel = agent.stepCount === 1 ? '1 step' : `${agent.stepCount} steps`;
       const cwdInfo = agent.cwd ? ` [cwd: ${agent.cwd}]` : '';
-      lines.push(`  ${agent.name.padEnd(maxNameLen)}  ${agent.cli.padEnd(maxCliLen)}  ${stepLabel}${cwdInfo}`);
+      lines.push(
+        `  ${agent.name.padEnd(maxNameLen)}  ${agent.cli.padEnd(maxCliLen)}  ${stepLabel}${cwdInfo}`
+      );
+    }
+    lines.push('');
+  }
+
+  // Permissions
+  if (report.permissions && report.permissions.length > 0) {
+    lines.push(`Permissions (${report.permissions.length} agents):`);
+    for (const perm of report.permissions) {
+      lines.push(
+        `  ${perm.agent}: ${perm.access} (read: ${perm.readPaths}, write: ${perm.writePaths}, deny: ${perm.denyPaths}, scopes: ${perm.scopes}) [${perm.source}]`
+      );
     }
     lines.push('');
   }