feat(packages): host @agentworkforce/daytona-runner in workforce

[khaliqgant]

Summary

Relocate the Daytona runtime adapter from the private cloud monorepo (where cloud#543 mistakenly placed it) into workforce — the canonical OSS publishing surface per the deploy-v1 codex spec.

Today cloud's deploy is broken in part because cloud's workspace build order doesn't build daytona-runner before core. The proper fix is to make workforce the canonical home + publishing surface so cloud can consume it as a published npm package instead of as a private workspace sibling.

Why

Same OSS/private-monorepo split that AgentWorkforce/relay#844 just resolved for @agent-relay/events + @agent-relay/agent. Platform-agnostic packages live in the OSS repo where they get provenance attestation; cloud-specific extensions stay in cloud. daytona-runner is platform-agnostic — it depends only on @daytonaio/sdk (peer dep) and has zero @cloud/* imports.

Source

All files under packages/daytona-runner/src/ copied verbatim from cloud/packages/daytona-runner/src/:

• auth.ts — Daytona auth helpers (apiKey vs JWT+org)
• types.ts — WorkflowRuntime, RuntimeHandle, etc.
• runtime.ts — DaytonaRuntime class
• index.ts — public barrel
• runtime.test.ts — node:test smoke suite

Zero @cloud/* leaks confirmed — the package was already extracted clean for this exact transition.

Test file got one minor type-narrowing tweak (assert.ok('apiKey' in resolved, ...) before reading resolved.apiKey) because workforce's tsconfig builds *.test.ts into dist/ whereas cloud's tsconfig excluded them. No behavior change.

Changes since first push

• Renamed package from @workforce/daytona-runner → @agentworkforce/daytona-runner. The original @workforce/* scope is unclaimed on npm and didn't match any other published surface in this repo. Aligning with @agentworkforce/* (persona-kit, workload-router, cli, runtime, deploy, agentworkforce umbrella) eliminates the platform-team coordination round-trip (new scope, OIDC registration, separate workflow track).
• Added daytona-runner to the existing publish workflow's allow-list.

Publish posture

• Scope: @agentworkforce/daytona-runner — joins the existing @agentworkforce/* published surface.
• Lockstep: Slots into .github/workflows/publish.yml's allow-list (packages=persona-kit workload-router cli agentworkforce daytona-runner). The umbrella lockstep heals its local version up to the published baseline at publish time, so the 0.1.0 field is just a placeholder.
• No new infra required: existing OIDC trusted-publisher registration on npm already covers the @agentworkforce scope. No new scope to claim, no new workflow track, no new trusted-publisher row.
• publishConfig: { "access": "public", "provenance": true } — matches the rest of the surface.
• Peer dep: @daytonaio/sdk@^0.148.0 (parity with cloud).

The first npm release of @agentworkforce/daytona-runner will happen on the next umbrella publish run after this merges.

Companion PR (cloud)

A parallel agent is opening chore/consume-published-daytona-runner on cloud to delete cloud/packages/daytona-runner and bump the dep to @agentworkforce/daytona-runner. That cloud PR is blocked on this PR + the first publish landing.

Verification

Run locally in the worktree:

corepack pnpm install
corepack pnpm --filter @agentworkforce/daytona-runner build
corepack pnpm --filter @agentworkforce/daytona-runner typecheck
corepack pnpm --filter @agentworkforce/daytona-runner test
corepack pnpm -r run build && corepack pnpm run typecheck
corepack pnpm -r run test

Results:

• Package build: clean
• Package typecheck: clean
• Package test: 5/5 pass, 1 skipped (Daytona smoke requires DAYTONA_API_KEY)
• Whole-repo build: all packages build
• Whole-repo typecheck: all packages typecheck (post-build, same order CI uses)
• Whole-repo tests: all green (persona-kit / workload-router / runtime / deploy / cli / agentworkforce / daytona-runner)

🤖 Generated with Claude Code

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: db7d7238-6dd5-4d4b-a332-aa6a52647b2e

📥 Commits

Reviewing files that changed from the base of the PR and between 96ba712 and dd25310.

📒 Files selected for processing (1)

• .github/workflows/publish.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/publish.yml

---

📝 Walkthrough

Walkthrough

This PR introduces the @agentworkforce/daytona-runner package, a Daytona-backed WorkflowRuntime adapter. It includes runtime contract types, authentication helpers, a DaytonaRuntime class managing sandbox lifecycle and command execution, package config/docs, tests, and publish workflow updates.

Changes

Daytona Runtime Package

Layer / File(s)	Summary
Runtime Type Contracts packages/daytona-runner/src/types.ts	Defines WorkflowRuntime interface, RuntimeCapabilities, LaunchOptions, RuntimeHandle, ExecOptions, ExecResult, and IsolationLevel type that establish the runtime adapter contract.
Authentication Module packages/daytona-runner/src/auth.ts	Implements DaytonaAuthCredentials type and helper functions: resolveDaytonaAuthCredentials validates and normalizes API key or JWT+organization credentials; applyDaytonaAuthEnv applies resolved credentials to environment variables while cleaning up opposite-mode keys.
DaytonaRuntime Implementation packages/daytona-runner/src/runtime.ts	Implements DaytonaRuntime class that manages sandbox lifecycle (launch with optional snapshot fallback, attach external sandboxes, destroy with proper cleanup), executes commands with timeout conversion, handles file upload/download, and resolves home directories with configurable fallback.
Package Configuration, Documentation, and Public API packages/daytona-runner/package.json, packages/daytona-runner/tsconfig.json, packages/daytona-runner/README.md, packages/daytona-runner/src/index.ts, packages/daytona-runner/.gitignore	Defines ESM package metadata, TypeScript build configuration, installation/usage/exports documentation, and barrel re-exports of runtime, auth, and type APIs as the public surface.
Tests and Validation packages/daytona-runner/src/runtime.test.ts	Verifies public barrel exports, validates resolveDaytonaAuthCredentials normalization and applyDaytonaAuthEnv environment behavior, and includes integration smoke test that launches a sandbox and executes a command when DAYTONA_API_KEY is set.
Workflow Integration .github/workflows/publish.yml	Adds daytona-runner to the target packages list in the "Resolve target packages" step and to packageOrder for release notes, making it subject to healing, version bumping, changelog generation, tagging, and publishing in the publish workflow.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• AgentWorkforce/workforce#37: Modified the publish workflow package selection/order that this PR extends by adding daytona-runner.
• AgentWorkforce/workforce#80: Related changes to the same publish workflow (packages output and packageOrder) overlapping with this update.

🐰 A runner arrived with paws so spry,
Sandboxes hum beneath the sky,
Keys and tokens neatly set,
Tests nod "ok" — no more sweat,
Docs and publish sing "ready" nigh.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat(packages): host @agentworkforce/daytona-runner in workforce' clearly and concisely summarizes the main change: introducing and hosting the daytona-runner package in the workforce repository as part of the @agentworkforce publishing surface.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, explaining the relocation of daytona-runner from cloud to workforce, the rationale, implementation details, and verification steps performed.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/daytona-runner-package

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/publish.yml (1)

692-696: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add daytona-runner to release-note sort order.

Line 692’s packageOrder omits daytona-runner, so Line 696 sorts it with index -1 and places it out of intended order. Add it to keep release notes deterministic.

Suggested patch

-          const packageOrder = ['persona-kit', 'workload-router', 'cli', 'agentworkforce'];
+          const packageOrder = ['persona-kit', 'workload-router', 'cli', 'daytona-runner', 'agentworkforce'];

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml around lines 692 - 696, The packageOrder array
used to sort release-note entries (symbol packageOrder) is missing
"daytona-runner", causing entries parsed from versionsRaw and processed into
entries to get index -1 and be ordered incorrectly; update the packageOrder
constant (the array literal assigned to packageOrder) to include
"daytona-runner" in the desired position among
['persona-kit','workload-router','cli','agentworkforce'] so the
sort((a,b)=>packageOrder.indexOf(a.pkg)-packageOrder.indexOf(b.pkg)) produces a
deterministic order for entries.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/publish.yml:
- Around line 692-696: The packageOrder array used to sort release-note entries
(symbol packageOrder) is missing "daytona-runner", causing entries parsed from
versionsRaw and processed into entries to get index -1 and be ordered
incorrectly; update the packageOrder constant (the array literal assigned to
packageOrder) to include "daytona-runner" in the desired position among
['persona-kit','workload-router','cli','agentworkforce'] so the
sort((a,b)=>packageOrder.indexOf(a.pkg)-packageOrder.indexOf(b.pkg)) produces a
deterministic order for entries.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: a19af361-9b8e-4ff8-9516-f276bba7045d

📥 Commits

Reviewing files that changed from the base of the PR and between a3d8f5f and 73fe39a.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (10)

• .github/workflows/publish.yml
• packages/daytona-runner/.gitignore
• packages/daytona-runner/README.md
• packages/daytona-runner/package.json
• packages/daytona-runner/src/auth.ts
• packages/daytona-runner/src/index.ts
• packages/daytona-runner/src/runtime.test.ts
• packages/daytona-runner/src/runtime.ts
• packages/daytona-runner/src/types.ts
• packages/daytona-runner/tsconfig.json

[devin-ai-integration]

Devin Review found 1 potential issue.

View 5 additional findings in Devin Review.

[devin-ai-integration]

🟡 daytona-runner missing from packageOrder causes incorrect release notes sorting

daytona-runner is added to the publish packages list at line 92, but the packageOrder array in the build-release-notes.mjs script at .github/workflows/publish.yml:692 is not updated to include it. Since packageOrder.indexOf('daytona-runner') returns -1, the .sort((a, b) => packageOrder.indexOf(a.pkg) - packageOrder.indexOf(b.pkg)) comparison will sort daytona-runner before all other packages (-1 - 0 = -1, -1 - 1 = -2, etc.), placing it first in the GitHub Release notes instead of at a logical position.

Prompt for agents

The packages list at line 92 now includes daytona-runner, but the packageOrder array in the build-release-notes.mjs script (around line 692 of .github/workflows/publish.yml) still only contains ['persona-kit', 'workload-router', 'cli', 'agentworkforce']. This array is used to sort entries in the GitHub Release notes. Since daytona-runner is not present, Array.indexOf returns -1, which sorts it before all other packages in the release notes.

To fix: add 'daytona-runner' to the packageOrder array at the appropriate position (e.g. after 'agentworkforce' or wherever it logically belongs). Also update the comment on lines 88-91 which states agentworkforce must publish last, since daytona-runner now publishes after it.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[khaliqgant]

Addressed in dd25310 — moved daytona-runner before agentworkforce in the publish list and added it to packageOrder at the matching position. This preserves the existing "agentworkforce must publish last" invariant the comment on lines 88-91 already documents, and makes release-notes sort deterministic instead of falling to the front via indexOf -1.