docs(api): document POST /v1/tokens/path endpoint (chain follow-up)

[khaliqgant]

Summary

Catch-up PR — landed on the chain branch after PR #38 (M1-M2 agent tokens) was merged.

Single commit: documents the POST /v1/tokens/path endpoint (path-scoped token issuance, per spec §6.1 — multi-agent ACLs introduced in M5).

Context

This branch (agent-relay/proactive-runtime-chain-1778505408) is the shared chain branch all 7 proactive-runtime PRs build from. After #38 squash-merged into main, the M5 milestone added this docs commit to the chain. Re-merged with the latest main here to pick up the v0.2.8 release.

Test plan

• Reviewer: confirm doc matches the actual route handler in packages/server/src/routes/tokens.ts

🤖 Generated with Claude Code

[coderabbitai]

📝 Walkthrough

Walkthrough

The README's "Proactive Runtime Token Contract" section is updated to document POST /v1/tokens/path as implemented in M1. The endpoint description replaces the prior reserved note with details on path-scoped token issuance: workspace token authentication, relay_pa_* token prefix, scope intersection with requested paths, and path pattern normalization rules.

Changes

API Documentation Update

Layer / File(s)	Summary
POST /v1/tokens/path endpoint documentation README.md	Documentation for the path-scoped token endpoint updated to describe actual M1 implementation: token issuance flow (relay_pa_* prefix), relayfile:fs:* scope intersection with requested paths, and path pattern normalization (e.g., /linear/issues/** → /linear/issues/*).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

📖 A rabbit reads the docs with glee,
Path tokens now for all to see,
With scopes aligned and patterns neat,
The M1 contract's now complete! 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: documenting the POST /v1/tokens/path endpoint for API.
Description check	✅ Passed	The description is clearly related to the changeset, providing context about the chain branch, the documented endpoint, and testing guidance.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch agent-relay/proactive-runtime-chain-1778505408

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

README.md (1)

60-61: ⚡ Quick win

Consider documenting additional endpoint details.

The PathTokenIssueRequest type (lines 49-55) includes several fields beyond paths, such as:

• agentId (required)
• scopes (optional)
• audience (optional)
• expiresIn (optional)

The current documentation only explains the paths parameter and scope intersection behavior. Consider adding clarification about:

1. Whether agentId is required for path tokens (the type suggests it is)
2. If expiresIn has the same 3600s cap as agent tokens
3. How the optional scopes parameter interacts with workspace scopes and requested paths
4. Error cases (e.g., invalid paths, no scope overlap between workspace token and requested paths)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` around lines 60 - 61, Update the README to fully document
PathTokenIssueRequest and token behavior for POST /v1/tokens/path and POST
/v1/tokens/refresh: state that agentId is required for path tokens (referencing
PathTokenIssueRequest.agentId), document the semantics and limits of expiresIn
(e.g., whether it shares the 3600s cap used by agent tokens and what happens if
a larger value is requested), explain how optional scopes
(PathTokenIssueRequest.scopes) are intersected with the workspace token scopes
and with requested paths to produce the final relay_pa_* token scopes, note
whether audience (PathTokenIssueRequest.audience) is propagated or validated,
and list error cases returned (invalid paths, no scope overlap, missing agentId,
expiresIn too large) and the expected status codes/messages from /v1/tokens/path
and token rotation behavior for /v1/tokens/refresh.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Line 60: The README currently documents behavior for the POST /v1/tokens/path
endpoint that is not implemented; update the README.md sentence to clearly mark
this as planned/not-yet-implemented (or remove it) so docs match runtime
behavior, referencing that the route handler for POST /v1/tokens/path currently
returns a 501 Not Implemented; if you choose to implement instead, add code to
the POST /v1/tokens/path handler to accept the workspace token via x-api-key,
generate the short-lived relay_pa_* token pair and compute relayfile:fs:* scope
intersections with the requested paths before returning the tokens.

---

Nitpick comments:
In `@README.md`:
- Around line 60-61: Update the README to fully document PathTokenIssueRequest
and token behavior for POST /v1/tokens/path and POST /v1/tokens/refresh: state
that agentId is required for path tokens (referencing
PathTokenIssueRequest.agentId), document the semantics and limits of expiresIn
(e.g., whether it shares the 3600s cap used by agent tokens and what happens if
a larger value is requested), explain how optional scopes
(PathTokenIssueRequest.scopes) are intersected with the workspace token scopes
and with requested paths to produce the final relay_pa_* token scopes, note
whether audience (PathTokenIssueRequest.audience) is propagated or validated,
and list error cases returned (invalid paths, no scope overlap, missing agentId,
expiresIn too large) and the expected status codes/messages from /v1/tokens/path
and token rotation behavior for /v1/tokens/refresh.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 774fe7ed-b034-49a0-a906-514541b9139b

📥 Commits

Reviewing files that changed from the base of the PR and between 385674d and 3746adf.

📒 Files selected for processing (1)

• README.md

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify POST /v1/tokens/path implementation matches documentation

# Check the route handler implementation
echo "=== Route handler for POST /v1/tokens/path ==="
ast-grep --pattern $'app.post($$$, "/v1/tokens/path", $$$)'

echo -e "\n=== Token prefix and authentication details ==="
# Look for relay_pa_ token prefix generation
rg -n -C5 'relay_pa_' --type=ts

echo -e "\n=== Path scope intersection logic ==="
# Look for scope intersection with paths
rg -n -C5 'intersect|paths' packages/server/src/routes/tokens.ts --type=ts

echo -e "\n=== Workspace token authentication ==="
# Verify x-api-key header usage
rg -n -C3 'x-api-key' packages/server/src/routes/tokens.ts --type=ts

Repository: AgentWorkforce/relayauth

Length of output: 243

---

🏁 Script executed:

#!/bin/bash
# Check if the file exists and explore structure
echo "=== Checking for tokens.ts file ==="
find . -name "tokens.ts" -o -name "tokens.js" 2>/dev/null | head -20

echo -e "\n=== Repository structure ==="
ls -la packages/server/src/routes/ 2>/dev/null || echo "Directory not found, checking alternatives..."

echo -e "\n=== Looking for any route files ==="
find packages -name "*.ts" -path "*/routes/*" 2>/dev/null | head -20

echo -e "\n=== Checking main server file ==="
find packages/server/src -name "*.ts" -type f | head -20

Repository: AgentWorkforce/relayauth

Length of output: 2936

---

🏁 Script executed:

#!/bin/bash
# Check file size and read tokens.ts to find POST /v1/tokens/path implementation
echo "=== File size ==="
wc -l packages/server/src/routes/tokens.ts

echo -e "\n=== Reading tokens.ts file ==="
cat -n packages/server/src/routes/tokens.ts

Repository: AgentWorkforce/relayauth

Length of output: 37526

---

The POST /v1/tokens/path endpoint is not yet implemented.

The documentation describes functionality that does not currently exist in the codebase. The actual route handler (lines 312–315 of packages/server/src/routes/tokens.ts) returns a 501 Not Implemented error. There is no logic for accepting workspace tokens, generating relay_pa_* tokens, or intersecting scopes with requested paths. The documentation should either be removed or clearly marked as describing planned functionality, not current behavior.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` at line 60, The README currently documents behavior for the POST
/v1/tokens/path endpoint that is not implemented; update the README.md sentence
to clearly mark this as planned/not-yet-implemented (or remove it) so docs match
runtime behavior, referencing that the route handler for POST /v1/tokens/path
currently returns a 501 Not Implemented; if you choose to implement instead, add
code to the POST /v1/tokens/path handler to accept the workspace token via
x-api-key, generate the short-lived relay_pa_* token pair and compute
relayfile:fs:* scope intersections with the requested paths before returning the
tokens.

[devin-ai-integration]

Devin Review found 1 potential issue.

View 6 additional findings in Devin Review.

[devin-ai-integration]

🟡 README documents POST /v1/tokens/path as functional but implementation returns 501

The README at line 60 states that POST /v1/tokens/path "accepts that same workspace token via x-api-key and returns a short-lived relay_pa_* token pair whose relayfile:fs:* scopes are intersected with the requested paths", and line 63 further describes path normalization behavior. However, the actual implementation at packages/server/src/routes/tokens.ts:312-315 is a hard-coded 501 stub returning { error: "path_scoped_tokens_not_implemented", code: "not_implemented" }. The previous README correctly documented this as reserved for M5 and deliberately returning 501. This PR replaced that accurate description with documentation that claims the endpoint is fully functional, misleading users and SDK consumers.

Suggested change

	- `POST /v1/tokens/path` accepts that same workspace token via `x-api-key` and returns a short-lived `relay_pa_*` token pair whose `relayfile:fs:*` scopes are intersected with the requested `paths`.
	- `POST /v1/tokens/path` is reserved for path-scoped tokens. It currently returns `501 { error: "path_scoped_tokens_not_implemented", code: "not_implemented" }`. When implemented, it will accept the workspace token via `x-api-key` and return a short-lived `relay_pa_*` token pair whose `relayfile:fs:*` scopes are intersected with the requested `paths`.

---

Was this helpful? React with 👍 or 👎 to provide feedback.