Pin Relaycast SDK for publish installs #1173

Closed
khaliqgant wants to merge 3 commits into main from codex/pin-relaycast-sdk-publish-main

khaliqgant (Member) commented Jun 19, 2026
Summary

  • Pin @relaycast/sdk to 4.1.1 in agent-relay and @agent-relay/sdk runtime dependencies
  • Update the lockfile specs and changelog so publish-time reinstalls do not float to @relaycast/sdk@4.1.2 while @relaycast/types@4.1.2 is unavailable or still propagating
  • Record the trajectory for the publish fix

Validation

  • npm ci --ignore-scripts
  • Temp no-lock install probe resolves @relaycast/sdk 4.1.1 and @relaycast/types 4.1.1
  • npm --prefix packages/sdk run check
  • git diff --check

@khaliqgant khaliqgant requested a review from willwashburn as a code owner June 19, 2026 12:25

gemini-code-assist (Bot) left a comment

Code Review

This pull request pins the @relaycast/sdk dependency to the exact version 4.1.1 in both the CLI and SDK packages to prevent publish-time installation failures from resolving unavailable sibling @relaycast/types versions. The reviewer advises against pinning dependencies in library packages like @agent-relay/sdk due to dependency deduplication issues for downstream consumers, suggesting instead to keep the caret range in the library package and handle pinning via overrides or solely within the CLI package.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread packages/sdk/package.json
},
"dependencies": {
"@relaycast/sdk": "^4.1.1"
"@relaycast/sdk": "4.1.1"

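Review bot: At the "@relaycast/sdk": "4.1.1" line, nothing records that this exact pin is a temporary workaround or when the caret range should return. The PR summary ties the pin to @relaycast/types@4.1.2 being unavailable or still propagating, so state that condition in the CHANGELOG entry or a tracking issue (package.json cannot carry a comment) and restore a caret range once the sibling release is installable.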

medium

Pinning dependencies in a library package (like @agent-relay/sdk) is generally discouraged as it prevents npm/yarn from deduplicating dependencies for downstream consumers. If a consumer project uses a different version of @relaycast/sdk (e.g., 4.1.2), it will force duplicate installations of @relaycast/sdk and can lead to type mismatches or runtime issues if the SDK relies on singletons or global state.

If the goal is to prevent publish-time floating of dependencies during the build/publish process, consider using npm overrides (or yarn resolutions) in the root package.json or pinning it only in the CLI/application package (packages/cli/package.json), while keeping a caret range (e.g., ^4.1.1) in the library's package.json.

Suggested change
"@relaycast/sdk": "4.1.1"
"@relaycast/sdk": "^4.1.1"

coderabbitai (Bot, Contributor) commented Jun 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between 017cac1 and 49b9672.

📒 Files selected for processing (2)
  • .agentworkforce/trajectories/completed/2026-06/traj_4776jew2lb3z/summary.md
  • .agentworkforce/trajectories/completed/2026-06/traj_4776jew2lb3z/trajectory.json
✅ Files skipped from review due to trivial changes (2)
  • .agentworkforce/trajectories/completed/2026-06/traj_4776jew2lb3z/trajectory.json
  • .agentworkforce/trajectories/completed/2026-06/traj_4776jew2lb3z/summary.md

Walkthrough

Pins the @relaycast/sdk dependency from ^4.1.1 to exact version 4.1.1 in both packages/cli/package.json and packages/sdk/package.json. Adds a CHANGELOG entry under Fixed and two agent trajectory artifact files recording the decision and completion metadata.

Changes

Pin @relaycast/sdk to exact version 4.1.1

| Layer / File(s) | Summary |
| --- | --- |
| Exact version pin in cli and sdk packages: packages/cli/package.json, packages/sdk/package.json, CHANGELOG.md | @relaycast/sdk dependency changed from ^4.1.1 to 4.1.1 in both packages. CHANGELOG adds a Fixed bullet describing the pin to prevent publish-time resolution of an unavailable @relaycast/types version. |
| Agent trajectory records: .agentworkforce/trajectories/completed/2026-06/traj_4776jew2lb3z/summary.md, .agentworkforce/trajectories/completed/2026-06/traj_4776jew2lb3z/trajectory.json | New summary.md and trajectory.json added, capturing the completed workflow run, the pinning decision event, retrospective, timestamps, and trace metadata. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • AgentWorkforce/relay#1133: Directly modifies the same @relaycast/sdk dependency in packages/cli/package.json and packages/sdk/package.json, targeting an earlier 4.0.0 version.
  • AgentWorkforce/relay#1135: Addresses publish-time issues caused by @relaycast/sdk dependency resolution by adjusting CLI MCP startup test mocking to prevent duplicate nested SDK conflicts.
  • AgentWorkforce/relay#1163: Also pins @relaycast/sdk at version 4.1.1 in both packages/cli/package.json and packages/sdk/package.json as part of a broader change set.

Poem

🐇 A caret once floated, unchecked and free,
Drifting to versions that shouldn't yet be.
So I pinned it exact — 4.1.1!
No more missing types when the publish was run.
Tight versions make happy bunnies. 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ❓ Inconclusive | The PR description covers the summary and validation steps, but the Test Plan section from the template is missing, with no explicit test checklist items marked. | Add the Test Plan section with checkboxes to indicate whether tests were added/updated and if manual testing was completed, as specified in the repository template. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: pinning the Relaycast SDK version to prevent publish installs from resolving an unavailable dependency version. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

agent-relay-code (Contributor) commented

Working tree is clean. My review is complete. The PR is a clean, minimal, mechanical dependency-pin change that I verified end-to-end.

Summary

PR #1173 pins @relaycast/sdk from ^4.1.1 to exact 4.1.1 in packages/cli/package.json, packages/sdk/package.json, and the corresponding package-lock.json entries, plus a CHANGELOG note and a trajectory record. The stated goal is to stop publish-time npm install from floating to a newer @relaycast/sdk whose sibling @relaycast/types version may not have propagated.

Verification performed:

  • Diff matches checkout — all three package.json/lock edits are present and correct; resolved versions in the lock are already 4.1.1 for both workspaces (packages/sdk, packages/cli).
  • Lockfile consistency: npm ci --dry-run resolves the full tree (1289 packages) and exits cleanly; npm install --package-lock-only --dry-run reports "up to date". CI's npm ci gate will accept the lockfile.
  • syncpack — no @relaycast/sdk mismatches; all three pins agree at 4.1.1. The sameRange policy only governs @agent-relay/**. (Pre-existing @types/node/typescript/zod syncpack issues are unrelated and not in the required CI path.)
  • prettier — changed files pass --check.
  • CHANGELOG — correctly placed under [Unreleased] → Fixed, concise and impact-first.

No code edits made — the change is correct and mechanical; nothing required fixing.

Advisory Notes

  • Pre-existing lockfile drift (not in this PR's scope): the committed package-lock.json still records @agent-relay/* workspace version fields as 8.8.5 while package.json files are 8.9.0 (introduced by the earlier chore(release): v8.9.0 commit, present at base SHA ac8d700). npm ci tolerates this, so it is not blocking, but a future npm install will rewrite ~42 lines to 8.9.0. Worth a separate housekeeping commit to regenerate the lock; it does not belong in this dependency-pin PR.

Addressed comments

  • No bot or human review comments are present in .workforce/context.json or the PR metadata, so there were no comment threads to resolve.

The PR is correct and self-contained, but I cannot confirm from this sandbox that all required CI checks have completed and passed or that GitHub reports it mergeable (those are post-harness, cloud-reported states). I am therefore not printing READY.

agent-relay-code (Contributor) commented

ℹ️ pr-reviewer: review only — no file changes were applied to the PR (nothing to commit after review). The notes below are advisory and were not pushed.

CI uses npm ci extensively. npm ci validates that package-lock.json is in sync with the package.json files and fails otherwise.

Important check: the committed lockfile already had pre-existing 8.8.5 vs 8.9.0 version drift (lockfile says 8.8.5, package.json says 8.9.0). If npm ci strictly enforced workspace versions, that drift would already fail CI — but since the base branch (f9a7ef77) presumably passes CI, npm ci tolerates this particular drift (npm ci primarily validates the dependency graph/external specs, and the local workspace version field isn't the failure trigger here). This PR doesn't change that drift, so it doesn't introduce or worsen any npm ci failure. The only lockfile lines this PR changed are the @relaycast/sdk spec lines, which are now consistent (4.1.1 everywhere).

This is a clean, correct, narrowly-scoped PR. My review is complete.

Review Summary

PR #1173 pins @relaycast/sdk from ^4.1.1 to exact 4.1.1 in packages/cli/package.json and packages/sdk/package.json, updates package-lock.json accordingly, and adds a CHANGELOG entry plus trajectory records.

Verdict: Correct and well-scoped. No code changes needed.

What I verified against the current checkout:

  • Both package.json @relaycast/sdk specs are pinned to 4.1.1 (packages/cli/package.json:53, packages/sdk/package.json:62).
  • Lockfile is consistent: the packages/cli and packages/sdk lockfile entries both declare @relaycast/sdk: "4.1.1", and the resolved @relaycast/sdk node is 4.1.1. npm install --package-lock-only reports "up to date" — the pin is satisfied.
  • The fix's rationale holds: publish.yml:434-435 does rm -rf ... package-lock.json && npm install, so a caret range could float to a @relaycast/sdk release whose sibling @relaycast/types hasn't propagated. Exact pinning prevents that. This is a fail-safe dependency hardening change, not a behavior/logic change.
  • No conflict with other workspaces using @relaycast/sdk: "^1.1.0" (a different major, isolated in their own node_modules).
  • CHANGELOG entry is impact-first and correctly placed under ### Fixed, per the changelog rule.
  • Trajectory files under .agentworkforce/trajectories/ are correctly tracked per CLAUDE.md.

What I did NOT change:

  • I ran a lockfile regeneration which rewrote 85 unrelated lines (pre-existing 8.8.5 → 8.9.0 workspace-version drift and an extraneous marker removal). That churn is out of scope for this PR, so I git restored the lockfile back to the PR's committed state. The working tree is clean.

Addressed comments

  • No bot or human review comments were present in .workforce/context.json to address.

Advisory Notes

  • The committed package-lock.json carries pre-existing workspace-version drift (lockfile lists several workspaces at 8.8.5 while their package.json files are at 8.9.0), and a stray "extraneous": true marker on @clack/prompts/node_modules/is-unicode-supported. This predates and is unrelated to this PR (the publish workflow regenerates the lockfile at release time anyway). A separate maintenance PR could run npm install on main to resync it. I deliberately left it untouched to avoid expanding this dependency-pin PR's scope.

This is a mechanical, low-risk dependency pin that is internally consistent and matches its stated intent. It needs a human to merge, but I cannot confirm CI status or mergeability from this sandbox, so I am not printing the ready signal.
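
The failure mode discussed in the reviews above (a lockfile-free publish install floating a caret range to an @relaycast/sdk release whose sibling @relaycast/types is not yet installable) can be reproduced with a small resolver. This is an added example, not code from the PR or the project; the registry contents, including the assumption that sdk 4.1.2 requires types 4.1.2 exactly, are constructed, and all function names are hypothetical.

```javascript
// Added illustration: npm-style resolution against a CONSTRUCTED registry.
// Registry contents are assumptions for the example, not real registry data.
const registry = {
  '@relaycast/sdk': {
    '4.1.1': { '@relaycast/types': '4.1.1' },
    '4.1.2': { '@relaycast/types': '4.1.2' }, // assumed sibling requirement
  },
  '@relaycast/types': { '4.1.1': {} }, // 4.1.2 not yet published
};

const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Supports only exact versions and caret ranges with major >= 1.
function satisfies(version, range) {
  if (!range.startsWith('^')) return version === range;
  const base = range.slice(1);
  return parse(version)[0] === parse(base)[0] && cmp(version, base) >= 0;
}

// With no lockfile, take the highest published match, then recurse into
// its dependencies. Like npm, there is no backtracking to an older version.
function resolve(name, range, reg, tree = {}) {
  const published = Object.keys(reg[name] || {});
  const best = published.filter((v) => satisfies(v, range)).sort(cmp).pop();
  if (!best) throw new Error(`ETARGET: no matching version for ${name}@${range}`);
  tree[name] = best;
  for (const [dep, depRange] of Object.entries(reg[name][best])) {
    resolve(dep, depRange, reg, tree);
  }
  return tree;
}

// Returns the resolved tree, or the error message if the install would fail.
function tryResolve(range, reg = registry) {
  try { return resolve('@relaycast/sdk', range, reg); }
  catch (e) { return e.message; }
}

console.log('caret ^4.1.1:', tryResolve('^4.1.1'));
console.log('exact 4.1.1: ', tryResolve('4.1.1'));
```

Once the missing sibling version is added to the constructed registry, the caret range resolves cleanly to 4.1.2, which matches the reason the pin was later dropped.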

khaliqgant (Member, Author) commented

Closing this pinning approach. @relaycast/types@4.1.2 is now published, so the replacement no-pin fix is #1174, which bumps the caret range to ^4.1.2 and refreshes the lockfile.

@khaliqgant khaliqgant closed this Jun 19, 2026