chore(deps): upgrade @posthog/next + restore lockfile platform binaries #940

Merged: willwashburn merged 1 commit into main from chore/upgrade-posthog-next, May 21, 2026
@willwashburn willwashburn commented May 21, 2026

Summary

Two changes, both about unblocking the web build:

  1. Bump @posthog/next from ^0.1.0 to ^0.4.61 — 0.1.0 was the package's initial release (2026-03-06), six months stale. 60+ patch versions of fixes since. The public API surface we use (PostHogProvider, postHogMiddleware, PostHogPageView) is unchanged.
  2. Rebuild the lockfile from a known-good pre-#937 base (#937: "fix(deps): pin next via overrides to dedupe duplicate install") — when #937's lockfile regen ran on darwin-arm64, npm bug #4828 stripped Linux platform binaries (@tailwindcss/oxide-linux-*, @img/sharp-linux-*) from package-lock.json. Without those entries, npm ci on CI's Linux runners can't install the native bindings, and next build errors with:
    Cannot find native binding. npm has a bug related to optional dependencies.
        at Object.<anonymous> (.../node_modules/@tailwindcss/oxide/index.js:559:11)
    
    This is currently breaking the Deploy Web (SST) workflow on main (run 26251818073).

Verification

  • Lockfile contains 5 @tailwindcss/oxide-linux-* entries and 8 @img/sharp-linux-* entries
  • Lockfile contains a single next tarball entry (15.5.18) — scoped override still effective
  • npm ci && cd web && npx next build succeeds locally (75 static pages, typecheck clean)
  • CI: Preview Web (SST) green on this PR
  • CI: Deploy Web (SST) green on merge to main

Why bundle both fixes

Splitting would mean a hotfix PR for the lockfile, then this one rebased on it. Same lockfile churn either way, and main deploys are broken right now — getting both through one review is faster. The @posthog/next bump is independently safe; the lockfile diff is large but mechanical (it's a regen, not a hand-edit).

🤖 Generated with Claude Code
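
A CI guard for the failure described above, as an added example that is not part of the PR or the repository's code: it walks a lockfile's `packages` map and reports optional dependencies for a given platform that have no entry of their own. It assumes the parent package's `optionalDependencies` map survived the regen; the sample lockfile and the function names are constructed for illustration.

```typescript
// Added example; the lockfile objects below are constructed, not the repo's package-lock.json.
interface LockEntry { optional?: boolean; optionalDependencies?: { [depName: string]: string } }
interface Lockfile { packages: { [installPath: string]: LockEntry } }

// Node-style lookup: <dir>/node_modules/<dep>, then the same in each enclosing package dir.
function resolveInLock(lock: Lockfile, fromPath: string, depName: string): string | null {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (Object.prototype.hasOwnProperty.call(lock.packages, candidate)) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// List optional dependencies matching platformTag that have no lockfile entry of their own.
// `npm ci` installs only what the lockfile lists, so each hit is a binary CI cannot get.
function missingPlatformBinaries(lock: Lockfile, platformTag: string): string[] {
  const missing: string[] = [];
  for (const installPath of Object.keys(lock.packages)) {
    const optionalDeps = lock.packages[installPath].optionalDependencies || {};
    for (const depName of Object.keys(optionalDeps)) {
      if (depName.indexOf(platformTag) !== -1 && resolveInLock(lock, installPath, depName) === null) {
        missing.push(installPath + " -> " + depName);
      }
    }
  }
  return missing.sort();
}

// Constructed sample. includeLinux=false models a lockfile regenerated on darwin-arm64
// that kept only the host platform's binary.
function sampleLock(includeLinux: boolean): Lockfile {
  const lock: Lockfile = { packages: {
    "": {},
    "node_modules/@tailwindcss/oxide": { optionalDependencies: {
      "@tailwindcss/oxide-darwin-arm64": "0.0.0", "@tailwindcss/oxide-linux-x64-gnu": "0.0.0" } },
    "node_modules/@tailwindcss/oxide-darwin-arm64": { optional: true },
  } };
  if (includeLinux) {
    lock.packages["node_modules/@tailwindcss/oxide-linux-x64-gnu"] = { optional: true };
  }
  return lock;
}
```

Run against a real lockfile by passing the parsed `package-lock.json` to `missingPlatformBinaries(lock, "-linux-")` and failing the job when the returned list is non-empty.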

coderabbitai Bot commented May 21, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 01ef5101-c56a-44b6-ab6f-c04b6499b3f7

📥 Commits

Reviewing files that changed from the base of the PR and between 3f5f5e9 and 866d36d.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • web/package.json
✅ Files skipped from review due to trivial changes (1)
  • web/package.json

📝 Walkthrough

The @posthog/next analytics library dependency in the web package is bumped from ^0.1.0 to ^0.4.61. This is a straightforward version update with no code or configuration changes elsewhere.

Changes

PostHog Next Dependency Update

| Layer / File(s) | Summary |
|---|---|
| PostHog Next version upgrade: web/package.json | @posthog/next dependency version updated from ^0.1.0 to ^0.4.61. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

Suggested reviewers

  • khaliqgant

Poem

🐰 A version bump so small and neat,
PostHog analytics, now complete!
From 0.1.0 to point-four-six-one,
The web package's update is done! 📊✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 8.33% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main changes: bumping @posthog/next and restoring lockfile platform binaries to fix Linux build issues. |
| Description check | ✅ Passed | The description is comprehensive and well-structured, covering Summary and Test Plan sections with detailed explanations, verification steps, and rationale. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/cloud/src/workflows.ts (1)

988-1014: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Validate workflowStorage.backend before choosing the upload path.

isCloudApiWorkflowStorage() trusts prepared.workflowStorage?.backend, but isPrepareWorkflowResponse() never validates that field. If the prepare payload drifts or is malformed, this will silently fall back to the S3 branch instead of failing fast on an invalid response.

Suggested fix
 function isPrepareWorkflowResponse(payload: unknown): payload is PrepareWorkflowResponse {
   if (!payload || typeof payload !== 'object' || Array.isArray(payload)) {
     return false;
   }

   const record = payload as Record<string, unknown>;
   const s3Creds = record.s3Credentials;
   if (!s3Creds || typeof s3Creds !== 'object' || Array.isArray(s3Creds)) {
     return false;
   }

   const creds = s3Creds as Record<string, unknown>;
+  const workflowStorage = record.workflowStorage;
+  const hasValidWorkflowStorage =
+    workflowStorage === undefined ||
+    (workflowStorage &&
+      typeof workflowStorage === 'object' &&
+      !Array.isArray(workflowStorage) &&
+      (((workflowStorage as { backend?: unknown }).backend === undefined) ||
+        (workflowStorage as { backend?: unknown }).backend === 's3' ||
+        (workflowStorage as { backend?: unknown }).backend === 'cloud-api'));
   return (
     typeof record.runId === 'string' &&
     typeof record.s3CodeKey === 'string' &&
     typeof creds.accessKeyId === 'string' &&
     typeof creds.secretAccessKey === 'string' &&
     typeof creds.sessionToken === 'string' &&
     typeof creds.bucket === 'string' &&
     typeof creds.prefix === 'string' &&
-    (creds.backend === undefined || creds.backend === 's3' || creds.backend === 'cloud-api')
+    (creds.backend === undefined || creds.backend === 's3' || creds.backend === 'cloud-api') &&
+    hasValidWorkflowStorage
   );
 }
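Review bot: `hasValidWorkflowStorage` is not a strict boolean. The `(workflowStorage && ...)` arm returns the operand itself when it is falsy (`null`, `0`, `''`), and that value then becomes the last operand of the guard's `return (... && hasValidWorkflowStorage)`. Test `workflowStorage !== null` instead of truthiness so the guard only ever returns `true` or `false`. The cast `(workflowStorage as { backend?: unknown }).backend` is repeated three times; read it into one local and compare that. The S3 credential checks above the added lines also stay mandatory whatever `workflowStorage.backend` says, so a `cloud-api` payload without `s3Credentials` is still rejected by the early `return false`.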
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/cloud/src/workflows.ts` around lines 988 - 1014, The type guard
isPrepareWorkflowResponse must also validate prepared.workflowStorage.backend so
callers like isCloudApiWorkflowStorage don't rely on an unchecked field; update
isPrepareWorkflowResponse to check that if workflowStorage exists and is an
object then workflowStorage.backend is either undefined, 's3', or 'cloud-api'
(mirroring the check for s3Credentials.backend) and any other required
workflowStorage shape you expect, and then keep isCloudApiWorkflowStorage using
prepared.workflowStorage?.backend === 'cloud-api' ||
prepared.s3Credentials.backend === 'cloud-api' so it only runs against validated
values.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CHANGELOG.md`:
- Line 109: Rewrite the changelog bullet for the agent-relay change to be
impact-first and drop PR references: replace "- **Add --broker-name override to
`agent-relay up` (`#939`)** (`#939`)" with a concise user-facing statement like
"agent-relay up: add --broker-name to override the broker name" (no PR number),
and apply the same transformation to the other nearby bullets that include
PR/issue IDs (the other entries that list PR numbers), ensuring each line is a
single short, impact-focused sentence describing the shipped behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 102555d8-1f97-41cd-9280-bc687a5be100

📥 Commits

Reviewing files that changed from the base of the PR and between f9b4839 and 17da570.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (37)
  • CHANGELOG.md
  • package.json
  • packages/acp-bridge/package.json
  • packages/agent/package.json
  • packages/brand/package.json
  • packages/broker-darwin-arm64/package.json
  • packages/broker-darwin-x64/package.json
  • packages/broker-linux-arm64/package.json
  • packages/broker-linux-x64/package.json
  • packages/broker-win32-x64/package.json
  • packages/browser-primitive/package.json
  • packages/cloud/package.json
  • packages/cloud/src/workflows.test.ts
  • packages/cloud/src/workflows.ts
  • packages/config/package.json
  • packages/credential-proxy/package.json
  • packages/events/package.json
  • packages/gateway/package.json
  • packages/github-primitive/package.json
  • packages/hooks/package.json
  • packages/memory/package.json
  • packages/openclaw/package.json
  • packages/personas/package.json
  • packages/policy/package.json
  • packages/sdk-py/pyproject.toml
  • packages/sdk/package.json
  • packages/slack-primitive/package.json
  • packages/telemetry/package.json
  • packages/trajectory/package.json
  • packages/user-directory/package.json
  • packages/utils/package.json
  • packages/workflow-types/package.json
  • src/cli/commands/core.test.ts
  • src/cli/commands/core.ts
  • src/cli/lib/broker-lifecycle.ts
  • src/cli/lib/client-factory.ts
  • web/package.json

Comment thread CHANGELOG.md

### Product Perspective
#### User-Facing Features & Improvements
- **Add --broker-name override to `agent-relay up` (#939)** (#939)

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Make these release bullets impact-first and remove PR references.

These entries currently include PR IDs and don’t clearly state the practical shipped effect per command/API.

✍️ Suggested rewrite
- - **Add --broker-name override to `agent-relay up` (`#939`)** (`#939`)
+ - `agent-relay up --broker-name` lets users target a non-default broker identity at startup.

- - **Upload workflow code through cloud storage API (`#938`)** (`#938`)
- - **Pass env vars to scheduled workflows (`#935`)** (`#935`)
+ - `@agent-relay/cloud` workflow uploads can use the cloud storage API backend for code object upload.
+ - Scheduled workflows now receive configured environment variables at runtime.
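Review bot: the replacement for the `--broker-name` bullet (first `+` line) does not match the wording the same comment gives in its agent prompt for that line ("agent-relay up: add --broker-name to override the broker name"); settle on one phrasing so whoever applies the fix gets a single result. The `#938` replacement also says "upload" twice ("workflow uploads ... for code object upload") and could be shortened to one mention.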

As per coding guidelines, "Changelog entries should be concise and impact-first, with one short bullet per user-visible change... Drop issue/PR links..."

Also applies to: 121-122

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 17da570fd1

Comment on lines +1007 to +1008
typeof creds.prefix === 'string' &&
(creds.backend === undefined || creds.backend === 's3' || creds.backend === 'cloud-api')

P1 Badge Accept cloud-api prepare payloads without legacy S3 creds

When workflowStorage.backend is cloud-api, this validator still requires the full legacy S3 credential shape (accessKeyId/secretAccessKey/sessionToken/bucket/prefix) before runWorkflow proceeds. If the prepare endpoint returns cloud-storage mode without S3 creds (a common hardening pattern once uploads move behind API endpoints), the client throws Workflow prepare response was not valid JSON. and never attempts the API upload path. The cloud-api branch should validate a cloud-api-specific payload instead of enforcing S3 fields unconditionally.

Useful? React with 👍 / 👎.
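
One way to combine the two review points above (reject unknown `backend` values instead of falling back to S3, and do not demand S3 credentials from a `cloud-api` payload), as an added example rather than the project's code. The S3 field names come from the guard quoted in this thread; `validatePrepareResponse`, `readBackend` and the rule that a `cloud-api` payload needs only `runId` are assumptions, since the page does not show that payload's fields.

```typescript
// Added example, not the project's code. S3 field names come from the guard quoted in the
// thread; what a cloud-api payload must carry is an assumption (only runId is checked).
type Backend = "s3" | "cloud-api";
interface ValidationResult { ok: boolean; backend?: Backend; error?: string }

function isPlainObject(v: unknown): v is { [key: string]: unknown } {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// undefined means "field absent"; any value outside the two known backends is "invalid".
function readBackend(v: unknown): Backend | undefined | "invalid" {
  if (v === "s3") return "s3";
  if (v === "cloud-api") return "cloud-api";
  return v === undefined ? undefined : "invalid";
}

const S3_CRED_FIELDS = ["accessKeyId", "secretAccessKey", "sessionToken", "bucket", "prefix"];

function validatePrepareResponse(payload: unknown): ValidationResult {
  if (!isPlainObject(payload)) return { ok: false, error: "payload is not an object" };
  if (typeof payload.runId !== "string") return { ok: false, error: "runId missing" };
  const storage = payload.workflowStorage;
  if (storage !== undefined && !isPlainObject(storage)) {
    return { ok: false, error: "workflowStorage is not an object" };
  }
  const creds = payload.s3Credentials;
  const storageBackend = readBackend(isPlainObject(storage) ? storage.backend : undefined);
  const credsBackend = readBackend(isPlainObject(creds) ? creds.backend : undefined);
  if (storageBackend === "invalid" || credsBackend === "invalid") {
    return { ok: false, error: "unknown storage backend" }; // fail fast, no silent S3 fallback
  }
  // Same precedence as the thread's isCloudApiWorkflowStorage(): either field selects cloud-api.
  const backend: Backend =
    storageBackend === "cloud-api" || credsBackend === "cloud-api" ? "cloud-api" : "s3";
  // Assumption: the cloud-api upload path needs no S3 credential fields.
  if (backend === "cloud-api") return { ok: true, backend: backend };
  if (!isPlainObject(creds) || typeof payload.s3CodeKey !== "string") {
    return { ok: false, error: "s3 backend requires s3CodeKey and s3Credentials" };
  }
  for (const field of S3_CRED_FIELDS) {
    if (typeof creds[field] !== "string") {
      return { ok: false, error: "s3Credentials." + field + " missing" };
    }
  }
  return { ok: true, backend: "s3" };
}
```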

Six months stale (0.1.0 from 2026-03-06, 0.4.61 from 2026-05-21).
Public API surface used by web (`PostHogProvider`, `postHogMiddleware`,
`PostHogPageView`) is unchanged. The scoped override added in #937
holds, so `next` remains pinned to 15.5.18 across the workspace.

Also rebuild the lockfile from a known-good pre-#937 base to restore
Linux platform binaries (`@tailwindcss/oxide-linux-*`, `@img/sharp-linux-*`)
that got stripped when #937's lockfile regen ran on darwin-arm64 — npm
bug #4828. Without these entries, `npm ci` on CI's Linux runners fails
to install the native bindings and `next build` errors with
"Cannot find native binding" from @tailwindcss/oxide.

Verified locally: `npm ci` produces a single `next@15.5.18` plus all
platform binaries for darwin/linux/win32, and `cd web && npx next build`
succeeds (75 static pages, typecheck clean).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@willwashburn willwashburn force-pushed the chore/upgrade-posthog-next branch from 3f5f5e9 to 866d36d Compare May 21, 2026 20:49
@willwashburn willwashburn changed the title chore(deps): upgrade @posthog/next 0.1.0 → 0.4.61 chore(deps): upgrade @posthog/next + restore lockfile platform binaries May 21, 2026
@willwashburn willwashburn merged commit e5554b5 into main May 21, 2026
24 of 25 checks passed
@willwashburn willwashburn deleted the chore/upgrade-posthog-next branch May 21, 2026 20:55