feat: wire network to OpenShell create workspace

[jeffmaury]

Fixes #2235

[coderabbitai]

Warning

Review limit reached

@jeffmaury, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 20 minutes and 55 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses rolling per-developer review limits. Reviews become available again as older review attempts age out of the rolling limit window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 266b7e97-c9af-47e2-bb69-5f70c00fc407

📥 Commits

Reviewing files that changed from the base of the PR and between 503f89c and 3f05d10.

📒 Files selected for processing (4)

• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.ts

📝 Walkthrough

Walkthrough

Adds a PolicyUpdateOptions interface to the API package, introduces a new openshell-network-policy module with Zod schemas and builder helpers that derive policy update parameters from NetworkConfiguration, adds a policyUpdate method to OpenshellCli, and wires the policy update call into the OpenShell sandbox creation flow in AgentWorkspaceManager.

Changes

OpenShell Network Policy Update

Layer / File(s)	Summary
PolicyUpdateOptions interface and Zod schemas packages/api/src/openshell-gateway-info.ts, packages/main/src/plugin/openshell-cli/openshell-network-policy.ts	Defines the PolicyUpdateOptions TypeScript interface with sandboxName (required) and optional fields, plus Zod schemas and output types for REST/GraphQL allow/deny rules, endpoints, and the top-level OpenShell policy structure.
Network policy builder helpers and tests packages/main/src/plugin/openshell-cli/openshell-network-policy.ts, packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts	Adds buildNetworkPolicyEndpoints (converts hosts to port-80/443 endpoint strings with :full suffix) and buildNetworkPolicyOperations (constructs PolicyUpdateOptions removing kdn-network, conditionally adding endpoints with binary: '/**' and wait: true), with full test coverage for allow/deny/empty-host cases.
OpenshellCli.policyUpdate method and tests packages/main/src/plugin/openshell-cli/openshell-cli.ts, packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts	Adds policyUpdate(options) to OpenshellCli that assembles openshell policy update <sandboxName> CLI arguments from optional fields and delegates to runCli, with tests covering individual flags, combined flag ordering, and failure propagation.
Sandbox creation wiring and integration tests packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts, packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts	Adds a conditional block in createOpenshell that calls openshellCli.policyUpdate when buildNetworkPolicyOperations returns operations for the created sandbox's network, with selective error handling (ignore remove-rule failures, propagate add-endpoint failures after sandbox rollback), and integration tests for deny+hosts, no-op cases, and error scenarios.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• openkaiden/kaiden#1557: This PR wires the selected network (mode/hosts) into workspace creation/persistence, which the main PR consumes to generate OpenShell policyUpdate operations.
• openkaiden/kaiden#2020: The main PR extends the OpenshellCli wrapper by adding a new policyUpdate() method that reuses the wrapper's existing CLI execution helpers.
• openkaiden/kaiden#2187: Both PRs modify the OpenShell sandbox creation flow in AgentWorkspaceManager.createOpenshell, so the main PR's network-policy application is directly intertwined with the retrieved PR's broader OpenShell setup refactor.

Suggested reviewers

• fbricon
• benoitf
• gastoner

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: wiring network configuration into OpenShell workspace creation.
Description check	✅ Passed	The description references issue #2235, which matches the network-wiring changes in this PR.
Linked Issues check	✅ Passed	The changes add network policy handling and apply it during OpenShell workspace creation, matching #2235.
Out of Scope Changes check	✅ Passed	The added CLI, policy helpers, and tests all support the OpenShell network-create feature and appear in scope.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts`:
- Around line 196-200: The policyUpdate operation in the policy update flow is
missing explicit engineId parameter for cross-engine routing identification.
Thread the engineId through the container-policy update path by first
identifying where engineId is available in the current scope (likely from
workspace or a parent context), then pass it as a parameter to the
buildNetworkPolicyUpdateOptions function, and ensure that function includes
engineId in the returned policyUpdateOptions object so that when
this.openshellCli.policyUpdate is called, the options contain the explicit
engineId for proper engine routing.
- Around line 200-201: The policyUpdate call in openshellCli.policyUpdate() can
fail and leave the sandbox created in the preceding lines (187-194) in an
orphaned state. Wrap the policyUpdate call in a try-catch block and add a
compensating cleanup action in the catch handler to delete the sandbox that was
created, ensuring state consistency even when policy update fails. Perform the
cleanup as best-effort (catching and logging any errors from the cleanup itself)
before re-throwing the original error.

In `@packages/main/src/plugin/openshell-cli/openshell-network-policy.ts`:
- Around line 139-155: The buildNetworkPolicyUpdateOptions function removes the
old rule via removeRule but does not set ruleName when adding new endpoints. Add
the ruleName property to the returned PolicyUpdateOptions object with the value
NETWORK_RULE_NAME to ensure endpoints are added to the newly created kdn-network
rule instead of creating a rule with an auto-generated name. Include ruleName in
the object alongside removeRule and addEndpoints to match the pattern shown in
the test file.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3ff84e1f-3e0c-40a1-abc9-f8e6cb02282e

📥 Commits

Reviewing files that changed from the base of the PR and between 677e04b and f746685.

📒 Files selected for processing (7)

• packages/api/src/openshell-gateway-info.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.ts

📜 Review details

⏰ Context from checks skipped due to timeout. (10)

• GitHub Check: smoke-e2e-tests (prod) / ubuntu-24.04 (ollama)
• GitHub Check: unit tests / macos-15
• GitHub Check: smoke-e2e-tests (dev) / ubuntu-24.04 (ollama)
• GitHub Check: macOS
• GitHub Check: typecheck
• GitHub Check: unit tests / windows-2022
• GitHub Check: Windows
• GitHub Check: unit tests / ubuntu-24.04
• GitHub Check: linter, formatters
• GitHub Check: Linux

🧰 Additional context used

📓 Path-based instructions (4)

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

Use /@/ path aliases instead of relative paths for imports outside the current directory's module group; use relative imports only for sibling modules within the same directory

Files:

• packages/api/src/openshell-gateway-info.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

**/*.spec.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.spec.{ts,tsx,js,jsx}: Use test() instead of it() for test cases in Vitest unit tests
Use vi.mock(import('...')) for auto-mocking modules in unit tests; avoid manual mock factories when possible
Use vi.resetAllMocks() in beforeEach hooks instead of vi.clearAllMocks() for resetting mocks between tests
When an auto-mocked function or class method needs a real implementation, use vi.mocked(...) with the prototype pattern for class methods: vi.mocked(MyClass.prototype.myMethod).mockImplementation(...)

Files:

• packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

packages/main/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

packages/main/src/**/*.{ts,tsx}: Use ipcHandle() to expose handlers in the main process with naming convention <registry-name>:<action> (e.g., container-provider-registry:listContainers)
Use apiSender.send() to send events from main process to renderer for real-time updates
Long-running operations should use TaskManager.createTask() with title and action configuration

Files:

• packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

packages/{main,renderer,preload}/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Container operations must include engineId parameter to identify the container engine

Files:

• packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

🧠 Learnings (2)

📚 Learning: 2026-05-12T17:14:02.153Z

Learnt from: MarsKubeX
Repo: openkaiden/kaiden PR: 1850
File: packages/renderer/src/lib/agent-workspaces/AgentWorkspaceList.svelte:66-70
Timestamp: 2026-05-12T17:14:02.153Z
Learning: When reviewing code that uses `AgentWorkspaceSummaryUI.runtime`, treat it as a required, non-null `string` per the `openkaiden/kdn-api` 0.12.0 schema. Therefore, code like `a.runtime.localeCompare(b.runtime)` is safe and should not trigger warnings about possible `undefined`/`null` values or suggestions to use nullish coalescing/optional chaining for `runtime` (unless the current local types still mark `runtime` as optional, indicating a schema/version mismatch).

Applied to files:

• packages/api/src/openshell-gateway-info.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

📚 Learning: 2026-03-09T08:47:09.657Z

Learnt from: benoitf
Repo: kortex-hub/kortex PR: 1077
File: packages/main/src/plugin/skill/skill-manager.ts:80-109
Timestamp: 2026-03-09T08:47:09.657Z
Learning: In the kortex-hub/kortex repository, IPC handlers (via ipcHandle()) may be registered directly inside feature manager/service classes (e.g., SkillManager in packages/main/src/plugin/skill/skill-manager.ts) rather than exclusively in packages/main/src/plugin/index.ts. Treat this as an accepted design pattern for files under the plugin directory. Reviewers should not require centralization in index.ts; allow IPC registration proximity to the feature that owns the handler. When reviewing code, accept direct ipcHandle() registrations inside feature managers and ensure the pattern is consistently applied across similar feature-manager modules.

Applied to files:

• packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.ts
• packages/main/src/plugin/openshell-cli/openshell-cli.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

🪛 OpenGrep (1.22.0)

packages/main/src/plugin/openshell-cli/openshell-network-policy.ts

[WARNING] 114-114: Sequelize.literal() with dynamic input can lead to SQL injection. Use parameterized queries or model methods instead.

(coderabbit.sql-injection.sequelize-literal)

🔇 Additional comments (5)

packages/api/src/openshell-gateway-info.ts (1)

94-102: LGTM!

packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts (1)

74-87: ⚡ Quick win

Test verifies current behavior but may need update if ruleName is added.

This test verifies the exact structure of the returned PolicyUpdateOptions object. If the implementation is updated to include ruleName: 'kdn-network' (as suggested in the previous file review), this test expectation will need to be updated accordingly.

Potential test update if ruleName is added

    expect(options).toEqual({
      sandboxName: 'my-sandbox',
+     ruleName: 'kdn-network',
      removeRule: 'kdn-network',
      addEndpoints: ['registry.npmjs.org:443:full', 'registry.npmjs.org:80:full'],
      binary: '/**',
      wait: true,
    });

packages/main/src/plugin/openshell-cli/openshell-cli.ts (1)

32-32: LGTM!

Also applies to: 49-51, 193-216

packages/main/src/plugin/openshell-cli/openshell-cli.spec.ts (1)

401-524: LGTM!

packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts (1)

571-636: LGTM!

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[bmahabirbu]

LGTM codewise

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts (1)

198-203: 🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy lift

Thread engineId through this policy-update container operation.

Line 198 builds operations without engine identity, and Line 202 executes a container policy mutation without engineId. That violates the cross-layer container contract and can break routing in multi-engine setups.

As per coding guidelines, Container operations must include engineId parameter to identify the container engine.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts` around
lines 198 - 203, The container policy-update path is missing the engine
identity, which breaks the cross-layer container contract in multi-engine
setups. Update the operation construction and execution flow in
agent-workspace-manager around buildNetworkPolicyOperations and
this.openshellCli.policyUpdate so the generated operation carries engineId and
the policyUpdate call receives it as part of the container operation payload.
Ensure every container-related policy mutation in this loop threads engineId
through consistently.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts`:
- Around line 200-205: The remove-only policy update path in
AgentWorkspaceManager is swallowing every exception, which can hide real
auth/transport/CLI failures. Tighten the catch around this
openshellCli.policyUpdate call so it only ignores the expected “rule not found”
case on fresh sandboxes, and lets all other errors propagate or be reported; use
the existing op.removeRule / op.addEndpoints guard and the policyUpdate method
in agent-workspace-manager.ts to locate the block.

In `@packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts`:
- Around line 95-100: The expectation in the openshell network policy spec is
missing the returned ruleName field, so update the assertion for the add
operation to include the builder’s ruleName value. Use the existing ops[1] check
in openshell-network-policy.spec.ts and keep the rest of the expected shape
unchanged so the test validates the full contract.

---

Duplicate comments:
In `@packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts`:
- Around line 198-203: The container policy-update path is missing the engine
identity, which breaks the cross-layer container contract in multi-engine
setups. Update the operation construction and execution flow in
agent-workspace-manager around buildNetworkPolicyOperations and
this.openshellCli.policyUpdate so the generated operation carries engineId and
the policyUpdate call receives it as part of the container operation payload.
Ensure every container-related policy mutation in this loop threads engineId
through consistently.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 43b40172-d1c0-47b8-baaa-d4a30efabf33

📥 Commits

Reviewing files that changed from the base of the PR and between f746685 and 503f89c.

📒 Files selected for processing (4)

• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.ts

📜 Review details

⏰ Context from checks skipped due to timeout. (9)

• GitHub Check: unit tests / macos-15
• GitHub Check: unit tests / ubuntu-24.04
• GitHub Check: smoke-e2e-tests (prod) / ubuntu-24.04 (ollama)
• GitHub Check: Windows
• GitHub Check: smoke-e2e-tests (dev) / ubuntu-24.04 (ollama)
• GitHub Check: linter, formatters
• GitHub Check: unit tests / windows-2022
• GitHub Check: macOS
• GitHub Check: Linux

🧰 Additional context used

📓 Path-based instructions (4)

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

Use /@/ path aliases instead of relative paths for imports outside the current directory's module group; use relative imports only for sibling modules within the same directory

Files:

• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

packages/main/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

packages/main/src/**/*.{ts,tsx}: Use ipcHandle() to expose handlers in the main process with naming convention <registry-name>:<action> (e.g., container-provider-registry:listContainers)
Use apiSender.send() to send events from main process to renderer for real-time updates
Long-running operations should use TaskManager.createTask() with title and action configuration

Files:

• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

packages/{main,renderer,preload}/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Container operations must include engineId parameter to identify the container engine

Files:

• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

**/*.spec.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.spec.{ts,tsx,js,jsx}: Use test() instead of it() for test cases in Vitest unit tests
Use vi.mock(import('...')) for auto-mocking modules in unit tests; avoid manual mock factories when possible
Use vi.resetAllMocks() in beforeEach hooks instead of vi.clearAllMocks() for resetting mocks between tests
When an auto-mocked function or class method needs a real implementation, use vi.mocked(...) with the prototype pattern for class methods: vi.mocked(MyClass.prototype.myMethod).mockImplementation(...)

Files:

• packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

🧠 Learnings (2)

📚 Learning: 2026-03-09T08:47:09.657Z

Learnt from: benoitf
Repo: kortex-hub/kortex PR: 1077
File: packages/main/src/plugin/skill/skill-manager.ts:80-109
Timestamp: 2026-03-09T08:47:09.657Z
Learning: In the kortex-hub/kortex repository, IPC handlers (via ipcHandle()) may be registered directly inside feature manager/service classes (e.g., SkillManager in packages/main/src/plugin/skill/skill-manager.ts) rather than exclusively in packages/main/src/plugin/index.ts. Treat this as an accepted design pattern for files under the plugin directory. Reviewers should not require centralization in index.ts; allow IPC registration proximity to the feature that owns the handler. When reviewing code, accept direct ipcHandle() registrations inside feature managers and ensure the pattern is consistently applied across similar feature-manager modules.

Applied to files:

• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

📚 Learning: 2026-05-12T17:14:02.153Z

Learnt from: MarsKubeX
Repo: openkaiden/kaiden PR: 1850
File: packages/renderer/src/lib/agent-workspaces/AgentWorkspaceList.svelte:66-70
Timestamp: 2026-05-12T17:14:02.153Z
Learning: When reviewing code that uses `AgentWorkspaceSummaryUI.runtime`, treat it as a required, non-null `string` per the `openkaiden/kdn-api` 0.12.0 schema. Therefore, code like `a.runtime.localeCompare(b.runtime)` is safe and should not trigger warnings about possible `undefined`/`null` values or suggestions to use nullish coalescing/optional chaining for `runtime` (unless the current local types still mark `runtime` as optional, indicating a schema/version mismatch).

Applied to files:

• packages/main/src/plugin/agent-workspace/agent-workspace-manager.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.spec.ts
• packages/main/src/plugin/openshell-cli/openshell-network-policy.ts
• packages/main/src/plugin/agent-workspace/agent-workspace-manager.spec.ts

🔇 Additional comments (1)

packages/main/src/plugin/openshell-cli/openshell-network-policy.ts (1)

127-137: LGTM!

Also applies to: 139-162

[jeffmaury]

@coderabbitai resolve

[coderabbitai]

✅ Action performed

Comments resolved and changes approved.