migration(0004): backfill workspace_token kind for cloud-agent-box keys #43

Closed
khaliqgant wants to merge 1 commit into main from fix/0004-workspace-token-kind-backfill

@khaliqgant
Member

Summary

The pre-#42 /v1/tokens/workspace route in @relayauth/server@0.2.9 stored rows in api_keys with kind='api_key' and workspace_id=NULL even when the caller requested a workspace token. The key value carries the relay_ws_ prefix and is accepted by the apiKeyAuth middleware, but resolveWorkspaceToken (used by /v1/tokens/path) rejects them because kind != 'workspace_token' — surfacing as 401 workspace_token_required in the cloud-agent box-warm flow.

The route fix that correctly sets kind/workspace_id at mint time is already in main via #42 (feat(tokens): implement path-scoped relayfile tokens). This migration cleans up rows that were stored incorrectly under the old route so they resolve as workspace tokens once the new code is deployed.

Scope

UPDATE api_keys
SET kind = 'workspace_token',
    workspace_id = SUBSTR(name, LENGTH('cloud-agent-box:') + 1)
WHERE name LIKE 'cloud-agent-box:%'
  AND kind = 'api_key'
  AND revoked_at IS NULL;

Only rows matching the documented cloud-agent-box:<workspaceId> shape (cloud-web-worker mint pattern, see cloud:packages/web/lib/relay-workspaces.ts:mintRelayAuthWorkspaceToken). Idempotent — the kind='api_key' AND revoked_at IS NULL guards make re-runs harmless.

How this surfaces

Pear's cloud-agent attach flow (cloud-web-worker → relayauth /v1/tokens/workspace → relayauth /v1/tokens/path) was failing with workspace_token_required. Manual D1 patches in prod confirmed: once these rows are corrected (and the new route code is deployed), the box-warm chain completes and Pear attaches.

Release / deploy chain

  1. ✅ This migration merged into relayauth main.
  2. Publish a new @relayauth/server release (e.g. 0.3.0) including this migration + the feat(tokens): implement path-scoped relayfile tokens #42 route fix.
  3. Bump @relayauth/server in AgentWorkforce/cloud (follow-up PR).
  4. Cloud deploy → runs new migrations against relayauth D1 in each stage + deploys the worker with the kind-correct route. New mints land with kind='workspace_token' directly; this migration only catches the leftover bad rows.

🤖 Generated with Claude Code

The pre-#42 `/v1/tokens/workspace` route in @relayauth/server@0.2.9
landed rows in api_keys with `kind='api_key'` and `workspace_id=NULL`
even when the caller asked for a workspace token. The key value uses
the relay_ws_ prefix, so the apiKeyAuth middleware accepts it as a
bearer, but resolveWorkspaceToken (used by /v1/tokens/path) rejects
because kind != 'workspace_token' — surfacing as 401
workspace_token_required in the cloud-agent box-warm flow.

The route fix that correctly sets kind/workspace_id at mint time is in
PR #42 (`feat(tokens): implement path-scoped relayfile tokens`), part
of the next published release. This migration cleans up rows that
were already stored incorrectly so they resolve as workspace tokens
once the new route code is deployed.

Scope is narrow: only rows whose name matches the documented
`cloud-agent-box:<workspaceId>` shape (cloud-web-worker mint pattern
in packages/web/lib/relay-workspaces.ts:mintRelayAuthWorkspaceToken).
Idempotent — the `kind='api_key' AND revoked_at IS NULL` guards keep
re-runs harmless.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
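
A dry run of the backfill statement from the description above, added here as an example and not part of the PR or the relayauth code base. It assumes D1's SQLite semantics with default `LIKE` settings; the table schema and all rows are constructed, modelling only the columns the statement references, and `suspicious` is a hypothetical reviewer check for promoted rows with an empty `workspace_id` or a prefix that matched only case-insensitively.

```python
import sqlite3

# The backfill statement exactly as given in the PR description.
BACKFILL = """
UPDATE api_keys
SET kind = 'workspace_token',
    workspace_id = SUBSTR(name, LENGTH('cloud-agent-box:') + 1)
WHERE name LIKE 'cloud-agent-box:%'
  AND kind = 'api_key'
  AND revoked_at IS NULL
"""

# Constructed rows; the real api_keys schema is not shown on the page, so only
# the columns the statement references are modelled here (an assumption).
ROWS = [
    (1, "cloud-agent-box:ws_alpha", "api_key", None, None),          # intended target
    (2, "cloud-agent-box:ws_beta", "api_key", None, "2026-05-01"),   # revoked: skipped
    (3, "cloud-agent-box:ws_gamma", "workspace_token", "ws_gamma", None),  # already fixed
    (4, "ci-deploy-key", "api_key", None, None),                     # unrelated key
    (5, "cloud-agent-box:", "api_key", None, None),                  # empty suffix
    (6, "CLOUD-AGENT-BOX:ws_delta", "api_key", None, None),          # LIKE ignores ASCII case
]

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE api_keys (id INTEGER PRIMARY KEY, name TEXT,"
               " kind TEXT, workspace_id TEXT, revoked_at TEXT)")
    db.executemany("INSERT INTO api_keys VALUES (?, ?, ?, ?, ?)", ROWS)
    return db

def run_backfill(db):
    """Apply the statement; return the number of rows it changed."""
    return db.execute(BACKFILL).rowcount

def snapshot(db):
    """Map id -> (kind, workspace_id) for comparison before/after."""
    return {i: (k, w) for i, k, w in
            db.execute("SELECT id, kind, workspace_id FROM api_keys")}

def suspicious(db):
    """Promoted rows a reviewer should inspect by hand: empty workspace_id,
    or a name that only matched because LIKE is case-insensitive."""
    q = ("SELECT id FROM api_keys WHERE kind = 'workspace_token' AND "
         "(workspace_id = '' OR SUBSTR(name, 1, 16) <> 'cloud-agent-box:') ORDER BY id")
    return [r[0] for r in db.execute(q)]

if __name__ == "__main__":
    db = fresh_db()
    print(run_backfill(db), run_backfill(db), snapshot(db), suspicious(db))
```

Because the statement derives both `kind` and `workspace_id` from the `name` column alone, listing the rows the `WHERE` clause selects before applying it shows exactly which keys would gain workspace-token status.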
@coderabbitai

coderabbitai Bot commented May 22, 2026

Warning

Rate limit exceeded

@khaliqgant has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 24 minutes and 14 seconds before requesting another review.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 1ed36bf1-eed8-477b-aac7-fcf7e6d13a5e

📥 Commits

Reviewing files that changed from the base of the PR and between cbcd475 and f557146.

📒 Files selected for processing (1)
  • packages/server/src/db/migrations/0004_workspace_token_kind_backfill.sql

@khaliqgant
Member Author

Closing — this migration leaks consumer-specific naming (cloud-agent-box:<workspaceId>) into the OSS relayauth repo. The route-side fix (#42) is already in main and is the right relayauth-side change; the data cleanup for stale rows belongs in the consumer (cloud) that owns the naming convention. Moving the backfill to AgentWorkforce/cloud.

@khaliqgant khaliqgant closed this May 22, 2026
@khaliqgant khaliqgant deleted the fix/0004-workspace-token-kind-backfill branch May 22, 2026 13:17