Add custom digest SDK and CLI

[khaliqgant]

Summary

• add SDK digest function deployment/list/detail/disable/log APIs on WorkspaceHandle
• add relayfile digest function CLI commands backed by Cloud digest-functions endpoints
• add local digest test rendering/runtime support with deterministic wasm runner tests

Verification

• go test ./internal/... ./cmd/relayfile-cli
• npm --prefix packages/sdk/typescript test
• npm --prefix packages/sdk/typescript run typecheck
• git diff --check

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 2da0f62d-2e76-4590-9f75-a4e08a3f8132

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/custom-digest-functions-ricky

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

Devin Review found 3 potential issues.

View 6 additional findings in Devin Review.

[devin-ai-integration]

🔴 Double-escaped regex in JS globToRegExp breaks path matching for patterns with dots

The globToRegExp function in the digest function test runner script (digestFunctionRunnerScript) double-escapes regex special characters. Since the script is embedded in a Go raw string (backtick-delimited), the text "\\\\" on line 657 is delivered literally to JavaScript as "\\\\". JavaScript interprets "\\\\" as the 2-character string \\, so "\\\\" + ch produces \\<ch>. In a regex, \\. means "match literal backslash, then any character" — not "match literal dot".

This causes globToRegExp to produce incorrect regexes for any glob pattern containing ., +, ^, $, |, (, ), [, ], {, or }. For example, the glob *.md generates regex ^[^/]*\\.md$ which requires a literal backslash before d, so it never matches readme.md. The existing test passes only because the pattern /notion/databases/eng-roadmap/* is matched by the endsWith("/*") shortcut in matchesPath, never hitting globToRegExp.

Suggested change

	out += "\\\\" + ch;
	out += "\\" + ch;

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[khaliqgant]

Fixed in fbb71fe by changing the embedded JS escape to a single regex escape and adding TestDigestFunctionTestMatchesDotGlobPatterns for *.md fixtures.

[devin-ai-integration]

🟡 isOOM heuristic matches any error mentioning "memory", misclassifying non-OOM errors

The isOOM function at internal/wasmrun/wasmrun.go:327 uses strings.Contains(msg, "memory") as a catch-all, which matches any error whose message contains the substring "memory". This incorrectly classifies non-OOM errors as out-of-memory. For example, engine.go:62 can return "wasmrun: guest module exposes no memory" when a WASM module doesn't export a memory section — this is a module configuration error, not an out-of-memory condition. The isOOM check would classify it as OOM, causing a misleading WarningOOM to appear in digest warnings instead of a generic error warning.

Suggested change

	func isOOM(err error) bool {
	msg := strings.ToLower(err.Error())
	return strings.Contains(msg, "out of memory") || strings.Contains(msg, "oom") || strings.Contains(msg, "memory")
	}
	func isOOM(err error) bool {
	msg := strings.ToLower(err.Error())
	return strings.Contains(msg, "out of memory") || strings.Contains(msg, "oom") || strings.Contains(msg, "memory limit")
	}

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[khaliqgant]

Fixed in fbb71fe by narrowing OOM detection to out-of-memory/oom/memory-limit wording and adding TestEngineInvokeDoesNotClassifyMissingMemoryAsOOM.

[devin-ai-integration]

🟡 Cache Options.Verify field is non-functional — verification cannot be disabled

In cache.go:90, c.verify is unconditionally set to true. The subsequent if opts.Verify { c.verify = true } on lines 93–95 only ever sets it to true again. As a result, the Verify field in the public Options struct is dead — setting Options{Verify: false} has no effect, and verification is always enabled. The intent appears to be that verify defaults to true but could be disabled, or alternatively that the opts.Verify assignment should replace the hardcoded default. Either way, the current code makes the Verify option misleading.

Suggested change

	verify: true,
	now: time.Now,
	}
	if opts.Verify {
	c.verify = true
	}
	verify: true,
	now: time.Now,
	}

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[khaliqgant]

Fixed in fbb71fe by removing the misleading Options.Verify field and dead assignment; the cache now always verifies sidecar integrity as the implementation already required.