fix(cli): refresh lockfile for cloud workspace version

[khaliqgant]

Summary

• refresh package-lock workspace metadata from 8.6.0 to 8.7.0
• remove the stale nested packages/cli/node_modules/@agent-relay/cloud@8.6.0 lock entry that shadowed the workspace package at packaged CLI runtime
• keep the fix lockfile-only; no syncpack/version-policy cleanup included

Validation

• npm ci
• npm run build:core
• node packages/cli/dist/cli/index.js --version -> 8.7.0
• (cd packages/cli && node dist/cli/index.js --version) -> 8.7.0
• npm run pack:validate

Notes

This forward-fixes the packaged CLI crash after #1119 where ensureCloudSession existed in source/workspace @agent-relay/cloud@8.7.0, but the stale lock installed a nested @agent-relay/cloud@8.6.0 under packages/cli/node_modules.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 8f5c4fca-8f06-4329-9632-0ef29349eb08

📥 Commits

Reviewing files that changed from the base of the PR and between 8bf3b47 and 1a38587.

📒 Files selected for processing (1)

• .agentworkforce/trajectories/active/traj_b1jrutolckfb/trajectory.json

✅ Files skipped from review due to trivial changes (1)

• .agentworkforce/trajectories/active/traj_b1jrutolckfb/trajectory.json

---

📝 Walkthrough

Walkthrough

This PR updates a trajectory JSON by appending two events: a decision noting PR 1123's lockfile is reproducible from current manifests, and a reflection stating the review is complete with CI passing.

Changes

Trajectory Review Documentation

Layer / File(s)	Summary
Trajectory decision and reflection entries .agentworkforce/trajectories/active/traj_b1jrutolckfb/trajectory.json	Appends a decision entry confirming PR 1123 lockfile reproducibility and a reflection entry documenting review completion with CI validation and lockfile-only change confirmation.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A lockfile checked, the logs ran clean,
A decision logged, a reflection seen.
The trajectory notes the green-lit sign,
PR 1123 — all set and fine. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: refreshing the lockfile for the cloud workspace version upgrade.
Description check	✅ Passed	The description includes a detailed Summary section, comprehensive Validation section with multiple test steps, and Notes explaining the context. It goes beyond the template's minimal requirements.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/cli-cloud-lockfile

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the package versions across the monorepo from 8.6.0 to 8.7.0 in package-lock.json, including dependencies for CLI, cloud, config, harness-driver, policy, sdk, telemetry, and utils packages. It also cleans up a nested dependency of @agent-relay/cloud under packages/cli. No review comments were provided, and there is no feedback to address.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[agent-relay-code]

Reviewed PR #1123. No PR-scoped breakage found, so I made no file edits.

The lockfile-only change is consistent with the current workspace manifests: all relevant workspace entries are 8.7.0, and the stale packages/cli/node_modules/@agent-relay/cloud lock entry is gone.

Addressed Comments

• coderabbitai[bot]: raised no code finding; review was skipped because package-lock.json is excluded by its path filters. No change needed.
• gemini-code-assist[bot]: summarized the lockfile version update and stated no review comments were provided. No change needed.

Validation

• npm install --package-lock-only --ignore-scripts: passed.
• npm ci: passed.
• npm test: passed, including build plus Vitest suite.
• npm run typecheck: passed.
• npm run lint: passed with existing warnings only.
• npx prettier --check package-lock.json: passed.
• Observed GitHub workflow runs for the PR head commit all completed successfully.
• GitHub API reports the PR is mergeable with mergeable_state: clean.

Advisory Notes

• npm run format:check over the full local workspace fails on local connector/export JSON paths outside this PR, while the PR’s changed file formats cleanly and the GitHub Prettier workflow is successful.
• npm run syncpack reports pre-existing manifest range mismatches outside this lockfile-only PR; I did not change package manifests because that would be unrelated scope.

[agent-relay-code]

Reviewed PR #1123 and made one scoped fix: formatted the changed trajectory JSON so the PR-changed files pass Prettier. The lockfile itself was reproducible from current manifests and stayed unchanged through validation.

Addressed comments

• coderabbitai[bot]: raised no code finding; it noted package-lock.json was excluded by path filters. No change needed.
• gemini-code-assist[bot]: stated no review comments were provided. No change needed.
• agent-relay-code[bot]: prior summary said no PR-scoped edits were needed; current checkout had a PR-scoped Prettier failure in .agentworkforce/trajectories/active/traj_b1jrutolckfb/trajectory.json, fixed in .agentworkforce/trajectories/active/traj_b1jrutolckfb/trajectory.json:1.

Validation

• npm install --package-lock-only --ignore-scripts: passed; package-lock.json hash unchanged.
• npm ci: passed.
• npm test: passed, 65 files passed, 1 skipped.
• npm run test:coverage: passed.
• npm run typecheck: passed.
• npm run lint: passed with existing warnings only.
• npx prettier --check package-lock.json .agentworkforce/trajectories/active/traj_b1jrutolckfb/trajectory.json: passed.
• node packages/cli/dist/cli/index.js --version and package-local version command both returned 8.7.0.
• npm run pack:validate: passed.
• Lockfile check confirmed all Agent Relay package entries are 8.7.0 and packages/cli/node_modules/@agent-relay/cloud is absent.

Advisory Notes

• npm run format:check still fails on unrelated local connector/export metadata under github/ and slack/; I left those untouched because they are outside this PR.
• GitHub reports the PR is mergeable, and CodeRabbit status is success, but all current GitHub Actions workflow runs for the latest head are action_required with no jobs executed. Because required checks have not completed passing, I am not marking this READY.

[agent-relay-code]

Reviewed PR #1123 and made one scoped fix: regenerated package-lock.json with the repo-declared npm@10.5.1. That added missing npm-generated "peer": true markers to the Rollup/esbuild platform package entries, making the lockfile stable under npm install --package-lock-only.

Addressed comments

• coderabbitai[bot]: raised no actionable finding. No code change needed.
• gemini-code-assist[bot]: stated no review comments were provided. No code change needed.
• agent-relay-code[bot] prior summary: said no PR-scoped edits were needed, but current checkout was not fully reproducible with npm@10.5.1; fixed in package-lock.json:1614.
• agent-relay-code[bot] follow-up: noted trajectory formatting; current PR trajectory file is formatted, verified at .agentworkforce/trajectories/active/traj_b1jrutolckfb/trajectory.json:1.

Validation

• npx -p npm@10.5.1 npm install --package-lock-only --ignore-scripts: passed and left package-lock.json unchanged after regeneration.
• npm ci --ignore-scripts --no-audit --fund=false: passed after clearing the local npm cache.
• npm rebuild: passed.
• npm test: passed, 65 files passed, 1 skipped.
• npm run test:coverage: passed.
• npm run typecheck: passed.
• npm run lint: passed with existing warnings only.
• npm run pack:validate: passed when run serially.
• npx prettier --check package-lock.json .agentworkforce/trajectories/active/traj_b1jrutolckfb/trajectory.json: passed.
• CLI version checks returned 8.7.0.

Advisory Notes

• Plain npm ci in this sandbox exited abnormally during dependency extraction; the install completed with scripts disabled, and npm rebuild then exercised dependency rebuild scripts successfully.
• Full npm run format:check still fails on unrelated local connector/export metadata under github/ and slack/; PR-changed files format cleanly.
• GitHub connector only reports CodeRabbit status as success for the current head; I did not verify all GitHub Actions checks as completed/passing, so I am not marking this READY.

[agent-relay-code]

✅ pr-reviewer applied fixes — committed and pushed 9a44272 to this PR. The notes below describe what changed.

Reviewed PR #1123 and made one scoped fix: regenerated package-lock.json with the repo-declared npm@10.5.1. That added missing npm-generated "peer": true markers to the Rollup/esbuild platform package entries, making the lockfile stable under npm install --package-lock-only.

Addressed comments

• coderabbitai[bot]: raised no actionable finding. No code change needed.
• gemini-code-assist[bot]: stated no review comments were provided. No code change needed.
• agent-relay-code[bot] prior summary: said no PR-scoped edits were needed, but current checkout was not fully reproducible with npm@10.5.1; fixed in package-lock.json:1614.
• agent-relay-code[bot] follow-up: noted trajectory formatting; current PR trajectory file is formatted, verified at .agentworkforce/trajectories/active/traj_b1jrutolckfb/trajectory.json:1.

Validation

• npx -p npm@10.5.1 npm install --package-lock-only --ignore-scripts: passed and left package-lock.json unchanged after regeneration.
• npm ci --ignore-scripts --no-audit --fund=false: passed after clearing the local npm cache.
• npm rebuild: passed.
• npm test: passed, 65 files passed, 1 skipped.
• npm run test:coverage: passed.
• npm run typecheck: passed.
• npm run lint: passed with existing warnings only.
• npm run pack:validate: passed when run serially.
• npx prettier --check package-lock.json .agentworkforce/trajectories/active/traj_b1jrutolckfb/trajectory.json: passed.
• CLI version checks returned 8.7.0.

Advisory Notes

• Plain npm ci in this sandbox exited abnormally during dependency extraction; the install completed with scripts disabled, and npm rebuild then exercised dependency rebuild scripts successfully.
• Full npm run format:check still fails on unrelated local connector/export metadata under github/ and slack/; PR-changed files format cleanly.
• GitHub connector only reports CodeRabbit status as success for the current head; I did not verify all GitHub Actions checks as completed/passing, so I am not marking this READY.