Add managed harness source alias

[kjgbot]

Summary

• add canonical managed harness source spelling for the workforce-managed/relay_managed credential path
• keep legacy plan accepted at CLI/env/resolver boundaries and normalize it to managed
• update help, prompts, errors, docs, and tests to prefer managed

Verification

• pnpm --filter @agentworkforce/deploy test
• pnpm --filter @agentworkforce/cli test
• pnpm test
• pnpm typecheck
• pnpm lint
• git diff --check

Note: local pnpm install --frozen-lockfile was needed first because node_modules had stale/missing workspace dependencies; it completed without lockfile changes.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: c49dd26c-09e0-4a5a-baf0-d90f1eb6b5a2

📥 Commits

Reviewing files that changed from the base of the PR and between 8d890d1 and b45a7d4.

📒 Files selected for processing (9)

• docs/plans/deploy-v1-credentials-runtime-checklist.md
• packages/cli/src/deploy-command.test.ts
• packages/cli/src/deploy-command.ts
• packages/deploy/src/deploy.test.ts
• packages/deploy/src/deploy.ts
• packages/deploy/src/modes/cloud-subscription.test.ts
• packages/deploy/src/modes/cloud.test.ts
• packages/deploy/src/modes/cloud/index.ts
• packages/deploy/src/types.ts

---

📝 Walkthrough

Walkthrough

The deploy CLI, cloud deploy flow, and subscription validation now accept managed as the canonical harness source while treating plan as a legacy alias. Types, prompts, error messages, and tests were updated to route managed credentials and preserve subscription restrictions.

Changes

Managed harness-source rollout

Layer / File(s)	Summary
CLI contract and parsing packages/deploy/src/types.ts, packages/cli/src/deploy-command.ts, packages/cli/src/deploy-command.test.ts, docs/plans/deploy-v1-credentials-runtime-checklist.md	DeployOptions and ModeLaunchInput accept managed; the deploy flag help, parser, tests, and runtime checklist normalize legacy plan to managed.
Cloud harness normalization and subscription rules packages/deploy/src/modes/cloud/index.ts, packages/deploy/src/modes/cloud-subscription.test.ts	Cloud mode resolves plan to canonical managed, updates prompt and error text, saves managed credentials on the managed route, and rejects managed for subscription-backed runs; tests cover managed, legacy alias, and env alias cases.
Deploy subscription validation packages/deploy/src/deploy.ts, packages/deploy/src/deploy.test.ts	validateSubscriptionSupport accepts the expanded harness-source union, and dry-run tests separate managed-credentials rejections from the legacy plan alias.
Managed credential routing tests packages/deploy/src/modes/cloud.test.ts	Cloud launch tests switch the managed credential baseline, verify /provider-credentials/managed, and add legacy plan alias coverage for provider-credential selection.
OAuth and env-driven launch paths packages/deploy/src/modes/cloud.test.ts	OAuth probe, reconnect, polling, stop, and preflight tests switch their harness-source defaults and env inputs to managed while keeping the existing failure and probe expectations.
Credential-selection stamping coverage packages/deploy/src/modes/cloud.test.ts	Credential-selection stamping tests update the managed baseline and keep the existing anthropic and openai stamping assertions.

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant parseDeployArgs
  participant expectHarnessSourceFlag
  participant resolveHarnessSource
  participant ensureHarnessReady
  participant providerCredentialsManaged
  User->>parseDeployArgs: `--harness-source plan`
  parseDeployArgs->>expectHarnessSourceFlag: validate flag value
  expectHarnessSourceFlag-->>parseDeployArgs: normalize to `managed`
  parseDeployArgs->>resolveHarnessSource: pass `harnessSource: managed`
  resolveHarnessSource->>ensureHarnessReady: select canonical managed source
  ensureHarnessReady->>providerCredentialsManaged: save `relay_managed`

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• AgentWorkforce/workforce#228: Updates the same cloud subscription harness-source contract and legacy plan handling.

Poem

🐇 I hopped through the deploy trail bright,
and found managed gleaming in the light.
Old plan left footprints in the dew,
while tests and clouds hopped cleanly through.
Carrots for all, and a tidy new cue!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 6.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly reflects the main change: introducing a managed harness source alias.
Description check	✅ Passed	The description matches the changeset and accurately summarizes the managed alias and legacy plan handling.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/managed-harness-source

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[gemini-code-assist]

Code Review

This pull request renames the --harness-source option value plan to managed across the CLI and deployment packages, while retaining plan as a legacy alias. It updates the CLI argument parser, normalization logic, environment variable handling, and associated tests to ensure backward compatibility. I have no feedback to provide as there are no review comments and the implementation is clean and well-tested.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[agent-relay-code]

ℹ️ pr-reviewer: review only — no file changes were applied to the PR (nothing to commit after review). The notes below are advisory and were not pushed.

I made no edits — the PR is clean, internally consistent, and passes the full CI sequence. Here is my review.

Summary

PR #257 renames the cloud harness credential source plan → managed, keeping plan as a backward-compatible legacy alias. The change touches the CLI flag parser, the deploy orchestrator types, and the cloud mode resolver, plus docs and tests.

I traced harnessSource/HarnessSource across all packages, verified the type and control-flow consistency, and ran the repo's canonical CI sequence (build, lint, typecheck, test) end to end. Everything passes. I made no code edits.

Findings (all clear)

• Alias normalization is correct and centralized. expectHarnessSource (cloud/index.ts:1093) accepts managed|plan|byok|oauth and funnels through normalizeHarnessSource (cloud/index.ts:1101), collapsing plan→managed. The CLI's expectHarnessSourceFlag (deploy-command.ts:418) does the same independently. Slightly redundant but harmless; not a defect.
• No fail-open / safety regressions. resolveSubscriptionHarnessSource (cloud/index.ts:610) still throws for both managed and the plan alias when useSubscription:true, because normalization runs before the === 'managed' guard. The Exclude<CanonicalHarnessSource, 'managed'> return type is sound since managed throws. Error-path strings updated consistently to managed|byok|oauth.
• CanonicalHarnessSource type (cloud/index.ts:29) correctly excludes plan from the resolved/internal surface while the public HarnessSource and DeployOptions.harnessSource retain plan for input compatibility.
• expectHarnessSourceFlag typechecks because die returns never (deploy-command.ts:610); the no-return fall-through is fine.
• No missed call sites. Other 'plan' hits (persona-kit permissions.mode: 'plan', schema, generated workflow artifacts) are an unrelated permission-mode concept, untouched and unaffected.
• Docs (deploy-v1-credentials-runtime-checklist.md) and the --help usage text are updated to match.

CI verification (with PR changes in working tree)

• Build: pass
• Lint: pass
• Typecheck (incl. examples): pass
• Test: pass — deploy 213/213, cli 271/271, all packages 0 failures

Addressed comments

• No bot or human review comments were present in .workforce/ (no comments file; context.json carries only PR metadata). Nothing to reconcile.

Advisory Notes

• None. The change is self-contained and matches the PR's stated purpose.

This PR is internally consistent and passes the full CI command locally. I cannot confirm the live GitHub check/merge-conflict status from this sandbox, so I'm not declaring it human-ready on that basis.

[agent-relay-code]

ℹ️ pr-reviewer: review only — no file changes were applied to the PR (nothing to commit after review). The notes below are advisory and were not pushed.

These matches are coincidental (e.g. "HarnessSource" substring or unrelated). The HarnessSource type is internal to deploy and only re-derived in the CLI via DeployOptions['harnessSource']. The CLI uses expectHarnessSourceFlag returning DeployOptions['harnessSource'], which is the union including 'managed'. Everything is consistent and both packages pass full CI.

My review is complete. Here is the summary.

---

Review: PR #257 — Add managed harness source alias

Summary

This PR renames the canonical cloud harness credential source from plan to managed, keeping plan as a backward-compatible legacy alias. The change is well-scoped and internally consistent:

• HarnessSource type widened to 'managed' | 'plan' | 'byok' | 'oauth', with a new CanonicalHarnessSource = Exclude<HarnessSource, 'plan'> so post-normalization code never sees 'plan'.
• normalizeHarnessSource() maps plan → managed; expectHarnessSource() (deploy) and expectHarnessSourceFlag() (CLI) both accept all four and normalize.
• User-facing strings, prompts, and the --harness-source help text updated to managed|byok|oauth (legacy alias: plan).
• Subscription path still correctly rejects managed (and thus plan, since it normalizes first) with the fail-closed "use oauth/byok" error — no safety default was flipped.

Verification

Installed dependencies and ran the canonical CI commands (tsc build + node --test) end to end for both affected packages and their workspace dependency graph:

• @agentworkforce/deploy: build clean, 213/213 tests pass.
• @agentworkforce/cli: build clean (after building the workspace deps it imports), 271/271 tests pass, including the two new parseDeployArgs cases.

Traced 'plan' / harnessSource / HarnessSource across the whole repo: no missed call sites. Other plan matches (persona-kit, input-values, schemas) are unrelated to harness-source. The legacy 'plan' literal still typechecks everywhere because it remains in the union.

Findings

No blocking issues. No semantic/safety defaults changed. No mechanical fixes were needed — the diff is clean (lint/typecheck/tests all green), so I made no edits to the working tree.

One minor observation, advisory only (not changed):

Advisory Notes

• The DeployOptions/ModeLaunchInput public harnessSource types still expose 'plan' as an accepted value (packages/deploy/src/types.ts:29,145). This is intentional for backward compatibility, but means external callers can still pass 'plan' programmatically. If/when the alias is eventually retired, those public types and the CLI/env normalizers are the removal points. No action for this PR.

Addressed comments

• No bot or reviewer comments were present (.workforce/ contains only pr.diff, changed-files.txt, and context.json; context.json lists no review threads). Nothing to address.

The PR is mechanically sound and fully green in the build/test commands CI runs. It has no human review yet and the remaining merge decision (accepting the plan→managed rename plus the documented legacy-alias contract) requires human judgment.

[kjgbot]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.