@agent-native/core 0.48.4 → 0.49.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (122) hide show
  1. package/dist/agent/context-xray/actions/context-evict.d.ts +1 -1
  2. package/dist/agent/context-xray/actions/context-pin.d.ts +1 -1
  3. package/dist/agent/context-xray/actions/context-report.d.ts +4 -4
  4. package/dist/agent/context-xray/actions/context-restore.d.ts +1 -1
  5. package/dist/application-state/handlers.d.ts +2 -2
  6. package/dist/application-state/handlers.d.ts.map +1 -1
  7. package/dist/cli/app-skill.d.ts +157 -0
  8. package/dist/cli/app-skill.d.ts.map +1 -0
  9. package/dist/cli/app-skill.js +17 -7
  10. package/dist/cli/app-skill.js.map +1 -1
  11. package/dist/cli/audit-agent-web.d.ts +2 -0
  12. package/dist/cli/audit-agent-web.d.ts.map +1 -0
  13. package/dist/cli/code-agent-connector.d.ts +17 -0
  14. package/dist/cli/code-agent-connector.d.ts.map +1 -0
  15. package/dist/cli/code.d.ts +66 -0
  16. package/dist/cli/code.d.ts.map +1 -0
  17. package/dist/cli/connect.d.ts +168 -0
  18. package/dist/cli/connect.d.ts.map +1 -0
  19. package/dist/cli/connect.js +118 -30
  20. package/dist/cli/connect.js.map +1 -1
  21. package/dist/cli/context-xray-local.d.ts +16 -0
  22. package/dist/cli/context-xray-local.d.ts.map +1 -0
  23. package/dist/cli/create-workspace.d.ts +8 -0
  24. package/dist/cli/create-workspace.d.ts.map +1 -0
  25. package/dist/cli/index.d.ts +3 -0
  26. package/dist/cli/index.d.ts.map +1 -0
  27. package/dist/cli/info.d.ts +2 -0
  28. package/dist/cli/info.d.ts.map +1 -0
  29. package/dist/cli/mcp-config-writers.d.ts +108 -0
  30. package/dist/cli/mcp-config-writers.d.ts.map +1 -0
  31. package/dist/cli/mcp-config-writers.js +143 -0
  32. package/dist/cli/mcp-config-writers.js.map +1 -1
  33. package/dist/cli/mcp.d.ts +16 -0
  34. package/dist/cli/mcp.d.ts.map +1 -0
  35. package/dist/cli/mcp.js +10 -10
  36. package/dist/cli/mcp.js.map +1 -1
  37. package/dist/cli/migrate.d.ts +38 -0
  38. package/dist/cli/migrate.d.ts.map +1 -0
  39. package/dist/cli/plan-local.d.ts +43 -0
  40. package/dist/cli/plan-local.d.ts.map +1 -0
  41. package/dist/cli/plan-publish-store.d.ts +62 -0
  42. package/dist/cli/plan-publish-store.d.ts.map +1 -0
  43. package/dist/cli/pr-visual-recap-workflow.d.ts +11 -0
  44. package/dist/cli/pr-visual-recap-workflow.d.ts.map +1 -0
  45. package/dist/cli/pr-visual-recap-workflow.js +1 -1
  46. package/dist/cli/pr-visual-recap-workflow.js.map +1 -1
  47. package/dist/cli/recap.d.ts +453 -0
  48. package/dist/cli/recap.d.ts.map +1 -0
  49. package/dist/cli/recap.js +228 -95
  50. package/dist/cli/recap.js.map +1 -1
  51. package/dist/cli/skills.d.ts +193 -0
  52. package/dist/cli/skills.d.ts.map +1 -0
  53. package/dist/cli/skills.js +369 -171
  54. package/dist/cli/skills.js.map +1 -1
  55. package/dist/cli/telemetry.d.ts +13 -0
  56. package/dist/cli/telemetry.d.ts.map +1 -0
  57. package/dist/cli/telemetry.js +115 -0
  58. package/dist/cli/telemetry.js.map +1 -0
  59. package/dist/cli/workspace-dev.d.ts +96 -0
  60. package/dist/cli/workspace-dev.d.ts.map +1 -0
  61. package/dist/client/blocks/library/AnnotatedCodeBlock.d.ts.map +1 -1
  62. package/dist/client/blocks/library/AnnotatedCodeBlock.js +15 -7
  63. package/dist/client/blocks/library/AnnotatedCodeBlock.js.map +1 -1
  64. package/dist/client/blocks/library/DiffBlock.d.ts.map +1 -1
  65. package/dist/client/blocks/library/DiffBlock.js +17 -10
  66. package/dist/client/blocks/library/DiffBlock.js.map +1 -1
  67. package/dist/client/blocks/library/annotation-rail.d.ts +5 -0
  68. package/dist/client/blocks/library/annotation-rail.d.ts.map +1 -1
  69. package/dist/client/blocks/library/annotation-rail.js +6 -0
  70. package/dist/client/blocks/library/annotation-rail.js.map +1 -1
  71. package/dist/client/blocks/types.d.ts +5 -0
  72. package/dist/client/blocks/types.d.ts.map +1 -1
  73. package/dist/client/blocks/types.js.map +1 -1
  74. package/dist/extensions/schema.d.ts +54 -54
  75. package/dist/extensions/slots/schema.d.ts +13 -13
  76. package/dist/file-upload/actions/upload-image.d.ts +4 -4
  77. package/dist/mcp/actions/create-org-service-token.d.ts +1 -1
  78. package/dist/mcp/actions/list-org-service-tokens.d.ts +7 -7
  79. package/dist/mcp/build-server.d.ts +12 -12
  80. package/dist/mcp/build-server.d.ts.map +1 -1
  81. package/dist/mcp/build-server.js.map +1 -1
  82. package/dist/mcp/connect-route.js +1 -1
  83. package/dist/mcp/connect-route.js.map +1 -1
  84. package/dist/mcp/oauth-route.d.ts +10 -0
  85. package/dist/mcp/oauth-route.d.ts.map +1 -1
  86. package/dist/mcp/oauth-route.js +34 -3
  87. package/dist/mcp/oauth-route.js.map +1 -1
  88. package/dist/mcp/oauth-store.d.ts +15 -1
  89. package/dist/mcp/oauth-store.d.ts.map +1 -1
  90. package/dist/mcp/oauth-store.js +60 -4
  91. package/dist/mcp/oauth-store.js.map +1 -1
  92. package/dist/mcp/oauth-token.d.ts +3 -1
  93. package/dist/mcp/oauth-token.d.ts.map +1 -1
  94. package/dist/mcp/oauth-token.js +78 -6
  95. package/dist/mcp/oauth-token.js.map +1 -1
  96. package/dist/mcp/server.d.ts.map +1 -1
  97. package/dist/mcp/server.js +8 -6
  98. package/dist/mcp/server.js.map +1 -1
  99. package/dist/observability/routes.d.ts +11 -11
  100. package/dist/org/handlers.d.ts +7 -11
  101. package/dist/org/handlers.d.ts.map +1 -1
  102. package/dist/secrets/schema.d.ts +7 -7
  103. package/dist/server/csrf.d.ts +1 -1
  104. package/dist/server/csrf.d.ts.map +1 -1
  105. package/dist/server/poll-events.d.ts +1 -1
  106. package/dist/server/security-headers.d.ts +1 -1
  107. package/dist/server/security-headers.d.ts.map +1 -1
  108. package/dist/sharing/actions/list-resource-shares.d.ts +3 -3
  109. package/dist/sharing/actions/set-resource-visibility.d.ts +2 -2
  110. package/dist/sharing/actions/share-resource.d.ts +4 -4
  111. package/dist/sharing/actions/unshare-resource.d.ts +1 -1
  112. package/dist/sharing/schema.d.ts +12 -12
  113. package/dist/templates/workspace-core/.agents/skills/authentication/SKILL.md +2 -2
  114. package/dist/templates/workspace-core/.agents/skills/external-agents/SKILL.md +6 -6
  115. package/dist/templates/workspace-core/.agents/skills/external-agents/references/mcp-apps-embedding.md +2 -2
  116. package/dist/workspace-files/schema.d.ts +8 -8
  117. package/docs/content/external-agents.md +14 -0
  118. package/docs/content/plan-plugin.md +16 -7
  119. package/package.json +5 -1
  120. package/src/templates/workspace-core/.agents/skills/authentication/SKILL.md +2 -2
  121. package/src/templates/workspace-core/.agents/skills/external-agents/SKILL.md +6 -6
  122. package/src/templates/workspace-core/.agents/skills/external-agents/references/mcp-apps-embedding.md +2 -2
package/dist/cli/mcp.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"mcp.js","sourceRoot":"","sources":["../../src/cli/mcp.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EACL,iBAAiB,EACjB,qBAAqB,EACrB,gBAAgB,GACjB,MAAM,6BAA6B,CAAC;AAErC,MAAM,kBAAkB,GAAG,cAAc,CAAC;AAG1C,MAAM,OAAO,GAAe;IAC1B,aAAa;IACb,iBAAiB;IACjB,OAAO;IACP,QAAQ;CACT,CAAC;AAYF,SAAS,SAAS,CAAC,IAAc;IAC/B,MAAM,GAAG,GAAe,EAAE,CAAC,EAAE,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IACpE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,MAAM,GAAG,GAAG,CAAC,IAAY,EAAsB,EAAE;YAC/C,IAAI,CAAC,KAAK,IAAI;gBAAE,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YACjC,IAAI,CAAC,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC;gBAAE,OAAO,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAC9D,OAAO,SAAS,CAAC;QACnB,CAAC,CAAC;QACF,IAAI,CAAqB,CAAC;QAC1B,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,KAAK,SAAS;YAAE,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;aACnD,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC,KAAK,SAAS;YAAE,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC;aAClD,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAC,KAAK,SAAS;YAAE,GAAG,CAAC,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;aAC5D,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,SAAS;YAAE,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC;aACtD,IAAI,CAAC,KAAK,cAAc;YAAE,GAAG,CAAC,UAAU,GAAG,IAAI,CAAC;aAChD,IAAI,CAAC,KAAK,UAAU;YAAE,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC;aACxC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,MAAM,CAAC,GAAW;IACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;AACnC,CAAC;AACD,SAAS,MAAM,CAAC,GAAW;IACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;AACnC,CAAC;AAED,8EAA8E;AAC9E,sEAAsE;AACtE,8EAA8E;AAE9E,uEAAuE;AACvE,SAAS,UAAU,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE;IACrC,OAAO,iBAAiB,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;AACrD,CAAC;AAED,yEAAyE;AACzE,SAAS,WAAW,CAAC,OAAe;IAClC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IAC/C,IAAI,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,WAAW,CAAC,IAAY;IAC/B,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,4EAA4E;AAC5E,SAAS,WAAW,CAAC,OAAe,EAAE,GAAW;IAC/C,IAAI,KAAyB,CAAC;IAC9B,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1C,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACzD,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YACtB,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,SAAS,SAAS,CAChB,IAAY,EACZ,GAAW,EACX,KAAa,EACb,KAAK,GAAG,KAAK;IAEb,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAC3C,IAAI,QAAQ,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;IAEnE,MAAM,IAAI,GAAG,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC;IAC/B,IAAI,IAAY,CAAC;IACjB,IAAI,IAAI,MAAM,CAAC,QAAQ,GAAG,OAAO,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACtD,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,QAAQ,GAAG,UAAU,EAAE,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC;IACvE,CAAC;SAAM,CAAC;QACN,IAAI;YACF,OAAO,CAAC,MAAM,KAAK,CAAC;gBAClB,CAAC,CAAC,GAAG,IAAI,IAAI;gBACb,CAAC,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,IAAI,IAAI,CAAC;IACpD,CAAC;IACD,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,aAAa;IACpB,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACtD,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CACvB,GAAW,EACX,MAAM,GAAG,KAAK;IAEd,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IAClC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;IACtD,IAAI,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;QACxB,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IACnD,CAAC;IACD,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,SAAS,CAAC,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IAC7C,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AACxC,CAAC;AAED,8EAA8E;AAC9E,4BAA4B;AAC5B,8EAA8E;AAE9E;;;;;GAKG;AACH,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,OAAO,GACX,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAC7C,IAAI;QACJ,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;IAC1C,KAAK,MAAM,GAAG,IAAI,CAAC,sBAAsB,EAAE,SAAS,EAAE,iBAAiB,CAAC,EAAE,CAAC;QACzE,MAAM,CAAC,GAAG,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACpC,IAAI,CAAC,CAAC;YAAE,SAAS;QACjB,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC;YACrB,IAAI,CAAC,oCAAoC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC3D,OAAO,GAAG,CAAC,CAAC,MAAM,oBAAoB,CAAC;YACzC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,mBAAmB;QACrB,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,GAAW;IACtC,+DAA+D;IAC/D,MAAM,KAAK,GACT,OAAO,CAAC,GAAG,CAAC,wBAAwB;QACpC,OAAO,CAAC,GAAG,CAAC,WAAW;QACvB,iBAAiB,CAAC;IACpB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAChC,MAAM,OAAO,GACX,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;YAC7C,IAAI;YACJ,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAClD,IAAI,MAAM;YAAE,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,MAAM,CAAC;IAC9C,CAAC;IACD,IAAI,CAAC;QACH,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAC1D,OAAO,MAAM,YAAY,CAAC,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE;YACrD,kBAAkB,EAAE,IAAI;YACxB,SAAS,EAAE,KAAK;SACjB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,CACJ,kCAAkC,GAAG,EAAE,OAAO,IAAI,GAAG,KAAK;YACxD,sEAAsE,CACzE,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,yCAAyC;AACzC,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,SAAS,gBAAgB;IACvB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,uBAAuB,CAAC,GAAW;IAC1C,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,WAAW,CAAC,CAAC;AACjD,CAAC;AACD,SAAS,oBAAoB;IAC3B,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,cAAc,CAAC,CAAC;AACjD,CAAC;AACD,SAAS,eAAe;IACtB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC;IACjD,IAAI,SAAS;QAAE,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;IAC1D,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;AAC1D,CAAC;AAWD,8EAA8E;AAC9E,SAAS,oBAAoB,CAAC,CAAoB;IAChD,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;QAChB,OAAO;YACL,IAAI,EAAE,MAAM;YACZ,GAAG,EAAE,CAAC,CAAC,SAAS;YAChB,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,CAAC,CAAC,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACxE,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAC9B,IAAI,CAAC,CAAC,KAAK;QAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;IACzC,IAAI,CAAC,CAAC,UAAU;QAAE,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC5C,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,IAAI,CAAC,CAAC,KAAK;QAAE,GAAG,CAAC,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC;IACxC,IAAI,CAAC,CAAC,UAAU;QAAE,GAAG,CAAC,wBAAwB,GAAG,CAAC,CAAC,UAAU,CAAC;IAC9D,OAAO;QACL,OAAO,EAAE,cAAc;QACvB,IAAI;QACJ,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC5C,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;IAC5D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,6EAA6E;AAC7E,SAAS,iBAAiB,CACxB,IAAY,EACZ,IAAY,EACZ,KAAqC;IAErC,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAClC,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QAChE,MAAM,CAAC,UAAU,GAAG,EAAE,CAAC;IACzB,CAAC;IACD,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACnB,OAAO,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;IAClC,CAAC;IACD,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAChE,CAAC;AAED,SAAS,eAAe,CAAC,IAAY,EAAE,IAAY;IACjD,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAClC,OAAO,CAAC,CAAC,MAAM,EAAE,UAAU,IAAI,IAAI,IAAI,MAAM,CAAC,UAAU,CAAC;AAC3D,CAAC;AAED,6EAA6E;AAE7E,SAAS,SAAS,CAAC,CAAS;IAC1B,OAAO,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC;AAC9D,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,OAAO,gBAAgB,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC;AAC5C,CAAC;AAED,SAAS,oBAAoB,CAAC,IAAY;IACxC,OAAO,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,gBAAgB,IAAI,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;AACxE,CAAC;AAED,SAAS,eAAe,CAAC,IAAY,EAAE,CAAoB;IACzD,MAAM,KAAK,GAAa,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/C,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;QAChB,KAAK,CAAC,IAAI,CAAC,SAAS,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QAC9C,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;YACZ,KAAK,CAAC,IAAI,CACR,sCAAsC,SAAS,CAC7C,UAAU,CAAC,CAAC,KAAK,EAAE,CACpB,IAAI,CACN,CAAC;QACJ,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IACjC,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAC9B,IAAI,CAAC,CAAC,KAAK;QAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;IACzC,IAAI,CAAC,CAAC,UAAU;QAAE,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC5C,KAAK,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IACvC,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACzD,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,IAAI,CAAC,CAAC,KAAK;QAAE,GAAG,CAAC,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC;IACxC,IAAI,CAAC,CAAC,UAAU;QAAE,GAAG,CAAC,wBAAwB,GAAG,CAAC,CAAC,UAAU,CAAC;IAC9D,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;aAC/B,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;aACzC,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,KAAK,CAAC,IAAI,CAAC,WAAW,MAAM,IAAI,CAAC,CAAC;IACpC,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AACjC,CAAC;AAED;;;;GAIG;AACH,SAAS,eAAe,CACtB,IAAY,EACZ,IAAY,EACZ,KAAoB;IAEpB,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,CAAC;QACH,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,GAAG,EAAE,CAAC;IACf,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,GAAG,CACrB,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CACvD,OAAO,CACI,CACd,CAAC;IACF,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACrC,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;YAC7B,oEAAoE;YACpE,OAAO,GAAG,IAAI,CAAC;YACf,CAAC,EAAE,CAAC;YACJ,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBAAE,CAAC,EAAE,CAAC;YACzD,SAAS;QACX,CAAC;QACD,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACf,CAAC,EAAE,CAAC;IACN,CAAC;IAED,IAAI,IAAI,GAAG,GAAG;SACX,IAAI,CAAC,IAAI,CAAC;SACV,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC;SAC1B,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACzB,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACnB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAClC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM;YAAE,IAAI,IAAI,IAAI,CAAC;QACrC,IAAI,IAAI,KAAK,CAAC;IAChB,CAAC;IACD,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,OAAO;QAAE,OAAO,CAAC,gBAAgB;IAExD,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,aAAa,CAAC,IAAY,EAAE,IAAY;IAC/C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC/C,MAAM,OAAO,GAAG,IAAI,GAAG,CACrB,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CACvD,OAAO,CACI,CACd,CAAC;QACF,OAAO,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACzE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,sCAAsC;AACtC,8EAA8E;AAE9E,SAAS,aAAa,CACpB,MAAgB,EAChB,GAAW,EACX,KAAyB;IAEzB,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,aAAa,CAAC;QACnB,KAAK,iBAAiB;YACpB,OAAO,KAAK,KAAK,MAAM;gBACrB,CAAC,CAAC,oBAAoB,EAAE;gBACxB,CAAC,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC;QACnC,KAAK,QAAQ;YACX,OAAO,gBAAgB,EAAE,CAAC;QAC5B,KAAK,OAAO;YACV,OAAO,eAAe,EAAE,CAAC;IAC7B,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,OAAO,GAAG,kBAAkB,IAAI,KAAK,EAAE,CAAC;AAC1C,CAAC;AAED,SAAS,gBAAgB,CACvB,MAAgB,EAChB,MAAyB,EACzB,GAAW,EACX,KAAyB;IAEzB,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC;IAC/B,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IAC/C,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,eAAe,CAAC,IAAI,EAAE,IAAI,EAAE,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IAC7D,CAAC;SAAM,CAAC;QACN,iBAAiB,CAAC,IAAI,EAAE,IAAI,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,kBAAkB,CACzB,MAAgB,EAChB,KAAa,EACb,GAAW,EACX,KAAyB;IAEzB,MAAM,IAAI,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IAC/C,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACtC,IAAI,GAAG;YAAE,eAAe,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QAC3C,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAChC,CAAC;IACD,MAAM,GAAG,GAAG,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACxC,IAAI,GAAG;QAAE,iBAAiB,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAC7C,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;AAChC,CAAC;AAED,SAAS,cAAc,CAAC,MAAgB,EAAE,KAAa,EAAE,GAAW;IAClE,MAAM,IAAI,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IAClC,gEAAgE;IAChE,IAAI,MAAM,KAAK,aAAa,IAAI,MAAM,KAAK,iBAAiB,EAAE,CAAC;QAC7D,OAAO,CACL,eAAe,CAAC,uBAAuB,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC;YACnD,eAAe,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAC9C,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,KAAK,QAAQ;QAAE,OAAO,eAAe,CAAC,gBAAgB,EAAE,EAAE,IAAI,CAAC,CAAC;IAC1E,OAAO,aAAa,CAAC,eAAe,EAAE,EAAE,IAAI,CAAC,CAAC;AAChD,CAAC;AAED,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E,KAAK,UAAU,QAAQ,CAAC,CAAa;IACnC,MAAM,WAAW,CAAC;QAChB,KAAK,EAAE,CAAC,CAAC,GAAG;QACZ,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,UAAU,EAAE,CAAC,CAAC,UAAU;KACzB,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,CAAa;IACrC,MAAM,MAAM,GAAG,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,WAAW,EAAc,CAAC;IAC1D,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9B,MAAM,CACJ,4CAA4C,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG;YAC9D,qCAAqC,CACxC,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAE1B,0EAA0E;IAC1E,IAAI,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC;IAClB,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;YACtD,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC;QACzB,CAAC;QAAC,MAAM,CAAC;YACP,KAAK,GAAG,KAAK,CAAC;QAChB,CAAC;IACH,CAAC;IACD,MAAM,UAAU,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IAExC,MAAM,SAAS,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;IAExD,IAAI,KAAyB,CAAC;IAC9B,IAAI,SAAS,EAAE,CAAC;QACd,KAAK,GAAG,MAAM,aAAa,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,+BAA+B,SAAS,EAAE,CAAC,CAAC;IACrD,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,gBAAgB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACvC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;QAChB,MAAM,CACJ,CAAC,CAAC,OAAO;YACP,CAAC,CAAC,+BAA+B,CAAC,CAAC,IAAI,EAAE;YACzC,CAAC,CAAC,sCAAsC,CAAC,CAAC,IAAI,EAAE,CACnD,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAsB;QAChC,UAAU;QACV,KAAK,EAAE,KAAM;QACb,KAAK;QACL,UAAU;QACV,SAAS;QACT,UAAU,EAAE,CAAC,CAAC,UAAU;KACzB,CAAC;IAEF,MAAM,IAAI,GAAG,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;IAC5D,MAAM,CAAC,cAAc,UAAU,SAAS,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IAC5D,MAAM,CACJ,SAAS;QACP,CAAC,CAAC,iBAAiB,SAAS,GAAG;QAC/B,CAAC,CAAC,+CAA+C,KAAK,GAClD,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,EACnC,GAAG,CACR,CAAC;IACF,MAAM,CAAC,aAAa,MAAM,iCAAiC,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,YAAY,CAAC,CAAa;IACjC,MAAM,MAAM,GAAG,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,WAAW,EAAc,CAAC;IAC1D,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9B,MAAM,CACJ,8CAA8C,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG;YAChE,cAAc,CACjB,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAC1B,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,IAAI,KAAK,CAAC;IAC7B,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,kBAAkB,CAAC,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;IAC1E,MAAM,CACJ,OAAO;QACL,CAAC,CAAC,YAAY,aAAa,CAAC,KAAK,CAAC,UAAU,MAAM,MAAM,IAAI,EAAE;QAC9D,CAAC,CAAC,OAAO,aAAa,CAAC,KAAK,CAAC,qBAAqB,MAAM,KAAK,IAAI,oBAAoB,CACxF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,SAAS;IACtB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAC1B,IAAI,KAAK,GAAG,KAAK,CAAC;IAClB,IAAI,MAAM,GAAG,mBAAmB,CAAC;IACjC,IAAI,IAAwB,CAAC;IAC7B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;QACtD,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC;QACvB,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;QACzB,MAAM,EAAE,GAAG,MAAM,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,EAAE,IAAI,CAAC;IACnD,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,4BAA4B,GAAG,EAAE,OAAO,IAAI,GAAG,EAAE,CAAC,CAAC;IAC5D,CAAC;IAED,MAAM,SAAS,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,UAAU,GACd,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAC7C,IAAI;QACJ,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,CAAC,CAAC,WAAW,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;IAC3D,MAAM,MAAM,GACV,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,CAAC,CAAC,WAAW,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IAEtE,MAAM,CAAC,yBAAyB,CAAC,CAAC;IAClC,MAAM,CAAC,iBAAiB,KAAK,EAAE,CAAC,CAAC;IACjC,MAAM,CACJ,SAAS;QACP,CAAC,CAAC,iBAAiB,SAAS,WAAW;QACvC,CAAC,CAAC,iBAAiB,MAAM,qBACrB,IAAI,CAAC,CAAC,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,CAAC,EAC7B,EAAE,CACP,CAAC;IACF,MAAM,CAAC,mBAAmB,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,SAAS,CAAC,CAAC;IACjE,MAAM,CAAC,mBAAmB,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;IACxD,MAAM,CAAC,YAAY,CAAC,CAAC;IACrB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,cAAc,CAAC,MAAM,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QACnD,MAAM,CAAC,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IACrE,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,CAAa;IAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAC1B,MAAM,CAAC,GAAG,gBAAgB,CAAC,GAAG,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,CACJ,CAAC,CAAC,MAAM;QACN,CAAC,CAAC,2BAA2B,CAAC,CAAC,IAAI,EAAE;QACrC,CAAC,CAAC,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,+BAA+B,CAAC,CAAC,IAAI,EAAE;YACzC,CAAC,CAAC,iBAAiB,CAAC,CAAC,IAAI,IAAI,CAClC,CAAC;IACF,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAChB,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;QACb,MAAM,CACJ,uEAAuE;YACrE,wBAAwB,CAC3B,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,IAAI,GAAG;;;;;;;;;;;;;;;;;;sEAkByD,CAAC;AAEvE,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,IAAc;IACzC,MAAM,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAC1B,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAEnB,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,OAAO;YACV,MAAM,QAAQ,CAAC,CAAC,CAAC,CAAC;YAClB,OAAO;QACT,KAAK,SAAS;YACZ,MAAM,UAAU,CAAC,CAAC,CAAC,CAAC;YACpB,OAAO;QACT,KAAK,WAAW;YACd,YAAY,CAAC,CAAC,CAAC,CAAC;YAChB,OAAO;QACT,KAAK,QAAQ;YACX,MAAM,SAAS,EAAE,CAAC;YAClB,OAAO;QACT,KAAK,OAAO;YACV,QAAQ,CAAC,CAAC,CAAC,CAAC;YACZ,OAAO;QACT,KAAK,SAAS,CAAC;QACf,KAAK,QAAQ,CAAC;QACd,KAAK,IAAI,CAAC;QACV,KAAK,MAAM;YACT,MAAM,CAAC,IAAI,CAAC,CAAC;YACb,OAAO;QACT;YACE,MAAM,CAAC,2BAA2B,GAAG,EAAE,CAAC,CAAC;YACzC,MAAM,CAAC,IAAI,CAAC,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;AACH,CAAC","sourcesContent":["/**\n * `agent-native mcp <subcommand>` — connect external coding agents (Claude\n * Code desktop & CLI, Claude Cowork, Codex) to this agent-native app/workspace\n * over MCP.\n *\n * serve Run the MCP stdio transport (this is what client configs spawn).\n * install Provision a token + write the client's MCP config idempotently.\n * uninstall Remove the named entry from a client's MCP config.\n * status Print resolved MCP URL/port, token state, and per-client entries.\n * token Print or rotate the local ACCESS_TOKEN in the workspace .env.\n *\n * Node-only CLI module. Hand-rolled `.env` upsert + minimal TOML block merge\n * keep this dependency-free (no new npm deps).\n */\n\nimport crypto from \"node:crypto\";\nimport fs from \"node:fs\";\nimport os from \"node:os\";\nimport path from \"node:path\";\n\nimport { runMCPStdio } from \"../mcp/stdio.js\";\nimport { writeFileAtomic } from \"./mcp-config-writers.js\";\nimport {\n findWorkspaceRoot,\n resolveLocalAppOrigin,\n resolveWorkspace,\n} from \"../mcp/workspace-resolve.js\";\n\nconst SERVER_NAME_PREFIX = \"agent-native\";\n\ntype ClientId = \"claude-code\" | \"claude-code-cli\" | \"codex\" | \"cowork\";\nconst CLIENTS: ClientId[] = [\n \"claude-code\",\n \"claude-code-cli\",\n \"codex\",\n \"cowork\",\n];\n\ninterface ParsedArgs {\n _: string[];\n client?: string;\n app?: string;\n port?: number;\n scope?: string;\n standalone: boolean;\n rotate: boolean;\n}\n\nfunction parseArgs(argv: string[]): ParsedArgs {\n const out: ParsedArgs = { _: [], standalone: false, rotate: false };\n for (let i = 0; i < argv.length; i++) {\n const a = argv[i];\n const eat = (flag: string): string | undefined => {\n if (a === flag) return argv[++i];\n if (a.startsWith(`${flag}=`)) return a.slice(flag.length + 1);\n return undefined;\n };\n let v: string | undefined;\n if ((v = eat(\"--client\")) !== undefined) out.client = v;\n else if ((v = eat(\"--app\")) !== undefined) out.app = v;\n else if ((v = eat(\"--port\")) !== undefined) out.port = Number(v);\n else if ((v = eat(\"--scope\")) !== undefined) out.scope = v;\n else if (a === \"--standalone\") out.standalone = true;\n else if (a === \"--rotate\") out.rotate = true;\n else if (!a.startsWith(\"-\")) out._.push(a);\n }\n return out;\n}\n\nfunction logErr(msg: string): void {\n process.stderr.write(`${msg}\\n`);\n}\nfunction logOut(msg: string): void {\n process.stdout.write(`${msg}\\n`);\n}\n\n// ---------------------------------------------------------------------------\n// .env token provisioning (local dev) — hand-rolled idempotent upsert\n// ---------------------------------------------------------------------------\n\n/** Workspace root (or cwd for a standalone app) — where .env lives. */\nfunction envBaseDir(cwd = process.cwd()): string {\n return findWorkspaceRoot(cwd) ?? path.resolve(cwd);\n}\n\n/** Prefer .env.local, else .env. Returns the path we should write to. */\nfunction envFilePath(baseDir: string): string {\n const local = path.join(baseDir, \".env.local\");\n if (fs.existsSync(local)) return local;\n return path.join(baseDir, \".env\");\n}\n\nfunction readEnvFile(file: string): string {\n try {\n return fs.readFileSync(file, \"utf-8\");\n } catch {\n return \"\";\n }\n}\n\n/** Read a single key from a dotenv-format string (last assignment wins). */\nfunction getEnvValue(content: string, key: string): string | undefined {\n let found: string | undefined;\n for (const line of content.split(/\\r?\\n/)) {\n const m = line.match(/^\\s*([A-Z0-9_]+)\\s*=\\s*(.*)\\s*$/i);\n if (m && m[1] === key) {\n found = m[2].replace(/^[\"']|[\"']$/g, \"\");\n }\n }\n return found;\n}\n\n/**\n * Idempotently set `key=value` in the dotenv file. If the key already exists\n * we leave it untouched unless `force` is set (used by `token --rotate`).\n * Never clobbers an existing token implicitly.\n */\nfunction upsertEnv(\n file: string,\n key: string,\n value: string,\n force = false,\n): { changed: boolean; value: string } {\n const content = readEnvFile(file);\n const existing = getEnvValue(content, key);\n if (existing && !force) return { changed: false, value: existing };\n\n const line = `${key}=${value}`;\n let next: string;\n if (new RegExp(`^\\\\s*${key}\\\\s*=`, \"m\").test(content)) {\n next = content.replace(new RegExp(`^\\\\s*${key}\\\\s*=.*$`, \"m\"), line);\n } else {\n next =\n content.length === 0\n ? `${line}\\n`\n : `${content.replace(/\\n*$/, \"\")}\\n${line}\\n`;\n }\n writeFileAtomic(file, next);\n return { changed: true, value };\n}\n\nfunction generateToken(): string {\n return crypto.randomBytes(24).toString(\"base64url\");\n}\n\n/**\n * Ensure a local ACCESS_TOKEN exists in the workspace .env and return it.\n * Existing tokens are reused (never clobbered). Set `rotate` to replace it.\n */\nfunction ensureLocalToken(\n cwd: string,\n rotate = false,\n): { token: string; file: string; created: boolean } {\n const baseDir = envBaseDir(cwd);\n const file = envFilePath(baseDir);\n const content = readEnvFile(file);\n const existing = getEnvValue(content, \"ACCESS_TOKEN\");\n if (existing && !rotate) {\n return { token: existing, file, created: false };\n }\n const token = generateToken();\n upsertEnv(file, \"ACCESS_TOKEN\", token, true);\n return { token, file, created: true };\n}\n\n// ---------------------------------------------------------------------------\n// Hosted vs local detection\n// ---------------------------------------------------------------------------\n\n/**\n * Detect a hosted deployment URL. When the workspace .env points at a hosted\n * origin (APP_URL / BETTER_AUTH_URL with a non-localhost host) we write an\n * `http` client entry pointing at `<origin>/_agent-native/mcp` with a JWT\n * bearer instead of a stdio entry.\n */\nfunction detectHostedUrl(cwd: string): string | undefined {\n const baseDir = envBaseDir(cwd);\n const content =\n readEnvFile(path.join(baseDir, \".env.local\")) +\n \"\\n\" +\n readEnvFile(path.join(baseDir, \".env\"));\n for (const key of [\"AGENT_NATIVE_MCP_URL\", \"APP_URL\", \"BETTER_AUTH_URL\"]) {\n const v = getEnvValue(content, key);\n if (!v) continue;\n try {\n const u = new URL(v);\n if (!/^(localhost|127\\.0\\.0\\.1|\\[::1\\])$/.test(u.hostname)) {\n return `${u.origin}/_agent-native/mcp`;\n }\n } catch {\n // not a URL — skip\n }\n }\n return undefined;\n}\n\nasync function mintHostedJwt(cwd: string): Promise<string | undefined> {\n // Reuse the existing A2A signer — do not reinvent JWT minting.\n const owner =\n process.env.AGENT_NATIVE_OWNER_EMAIL ||\n process.env.OWNER_EMAIL ||\n \"owner@localhost\";\n if (!process.env.A2A_SECRET) {\n const baseDir = envBaseDir(cwd);\n const content =\n readEnvFile(path.join(baseDir, \".env.local\")) +\n \"\\n\" +\n readEnvFile(path.join(baseDir, \".env\"));\n const secret = getEnvValue(content, \"A2A_SECRET\");\n if (secret) process.env.A2A_SECRET = secret;\n }\n try {\n const { signA2AToken } = await import(\"../a2a/client.js\");\n return await signA2AToken(owner, undefined, undefined, {\n preferGlobalSecret: true,\n expiresIn: \"30d\",\n });\n } catch (err: any) {\n logErr(\n ` Could not mint a hosted JWT (${err?.message ?? err}). ` +\n `Set A2A_SECRET in your workspace .env, or use the local stdio entry.`,\n );\n return undefined;\n }\n}\n\n// ---------------------------------------------------------------------------\n// Client config file locations + writers\n// ---------------------------------------------------------------------------\n\n/**\n * Cowork consumes MCP exactly like Claude Code (same JSON server-entry\n * shape). The exact on-disk config path for Cowork may differ across builds —\n * this is the best-known location. **Confirm before relying on it in\n * production.** It is validated against the Claude Code JSON format below.\n *\n * Resolved lazily (not as a module-level constant) so `os.homedir()` reflects\n * the current `$HOME` rather than the value at module-load time.\n */\nfunction coworkConfigPath(): string {\n return path.join(os.homedir(), \".cowork\", \"mcp.json\");\n}\n\nfunction claudeCodeProjectConfig(cwd: string): string {\n return path.join(envBaseDir(cwd), \".mcp.json\");\n}\nfunction claudeCodeUserConfig(): string {\n return path.join(os.homedir(), \".claude.json\");\n}\nfunction codexConfigPath(): string {\n const codexHome = process.env.CODEX_HOME?.trim();\n if (codexHome) return path.join(codexHome, \"config.toml\");\n return path.join(os.homedir(), \".codex\", \"config.toml\");\n}\n\ninterface ServerEntryInputs {\n serverName: string;\n appId: string;\n token?: string;\n ownerEmail?: string;\n hostedUrl?: string;\n standalone: boolean;\n}\n\n/** The stdio (or http) server entry — shared by Claude Code & Cowork JSON. */\nfunction buildJsonServerEntry(i: ServerEntryInputs): Record<string, unknown> {\n if (i.hostedUrl) {\n return {\n type: \"http\",\n url: i.hostedUrl,\n ...(i.token ? { headers: { Authorization: `Bearer ${i.token}` } } : {}),\n };\n }\n const args = [\"mcp\", \"serve\"];\n if (i.appId) args.push(\"--app\", i.appId);\n if (i.standalone) args.push(\"--standalone\");\n const env: Record<string, string> = {};\n if (i.token) env.ACCESS_TOKEN = i.token;\n if (i.ownerEmail) env.AGENT_NATIVE_OWNER_EMAIL = i.ownerEmail;\n return {\n command: \"agent-native\",\n args,\n ...(Object.keys(env).length ? { env } : {}),\n };\n}\n\nfunction readJsonFile(file: string): Record<string, any> {\n try {\n const raw = fs.readFileSync(file, \"utf-8\");\n const parsed = JSON.parse(raw);\n return parsed && typeof parsed === \"object\" ? parsed : {};\n } catch {\n return {};\n }\n}\n\n/** Idempotently write `mcpServers[name] = entry` into a JSON config file. */\nfunction writeJsonMcpEntry(\n file: string,\n name: string,\n entry: Record<string, unknown> | null,\n): void {\n const config = readJsonFile(file);\n if (!config.mcpServers || typeof config.mcpServers !== \"object\") {\n config.mcpServers = {};\n }\n if (entry === null) {\n delete config.mcpServers[name];\n } else {\n config.mcpServers[name] = entry;\n }\n writeFileAtomic(file, JSON.stringify(config, null, 2) + \"\\n\");\n}\n\nfunction hasJsonMcpEntry(file: string, name: string): boolean {\n const config = readJsonFile(file);\n return !!config?.mcpServers && name in config.mcpServers;\n}\n\n// --- Codex TOML (hand-rolled minimal block merge, no new dep) -------------\n\nfunction tomlQuote(s: string): string {\n return `\"${s.replace(/\\\\/g, \"\\\\\\\\\").replace(/\"/g, '\\\\\"')}\"`;\n}\n\nfunction codexMcpHeader(name: string): string {\n return `[mcp_servers.${tomlQuote(name)}]`;\n}\n\nfunction legacyCodexMcpHeader(name: string): string | null {\n return /^[A-Za-z0-9_-]+$/.test(name) ? `[mcp_servers.${name}]` : null;\n}\n\nfunction buildCodexBlock(name: string, i: ServerEntryInputs): string {\n const lines: string[] = [codexMcpHeader(name)];\n if (i.hostedUrl) {\n lines.push(`url = ${tomlQuote(i.hostedUrl)}`);\n if (i.token) {\n lines.push(\n `http_headers = { \"Authorization\" = ${tomlQuote(\n `Bearer ${i.token}`,\n )} }`,\n );\n }\n return lines.join(\"\\n\") + \"\\n\";\n }\n\n const args = [\"mcp\", \"serve\"];\n if (i.appId) args.push(\"--app\", i.appId);\n if (i.standalone) args.push(\"--standalone\");\n lines.push(`command = \"agent-native\"`);\n lines.push(`args = [${args.map(tomlQuote).join(\", \")}]`);\n const env: Record<string, string> = {};\n if (i.token) env.ACCESS_TOKEN = i.token;\n if (i.ownerEmail) env.AGENT_NATIVE_OWNER_EMAIL = i.ownerEmail;\n if (Object.keys(env).length) {\n const inline = Object.entries(env)\n .map(([k, v]) => `${k} = ${tomlQuote(v)}`)\n .join(\", \");\n lines.push(`env = { ${inline} }`);\n }\n return lines.join(\"\\n\") + \"\\n\";\n}\n\n/**\n * Replace (or append) the `[mcp_servers.<name>]` block in a TOML file\n * without disturbing other content. We treat a block as the header line plus\n * every following line until the next top-level `[` table header or EOF.\n */\nfunction writeCodexBlock(\n file: string,\n name: string,\n block: string | null,\n): void {\n let content = \"\";\n try {\n content = fs.readFileSync(file, \"utf-8\");\n } catch {\n content = \"\";\n }\n\n const headers = new Set(\n [codexMcpHeader(name), legacyCodexMcpHeader(name)].filter(\n Boolean,\n ) as string[],\n );\n const lines = content.split(/\\r?\\n/);\n const out: string[] = [];\n let i = 0;\n let removed = false;\n while (i < lines.length) {\n const line = lines[i];\n if (headers.has(line.trim())) {\n // Skip this block entirely (header + body until next table header).\n removed = true;\n i++;\n while (i < lines.length && !/^\\s*\\[/.test(lines[i])) i++;\n continue;\n }\n out.push(line);\n i++;\n }\n\n let next = out\n .join(\"\\n\")\n .replace(/\\n{3,}/g, \"\\n\\n\")\n .replace(/\\n*$/, \"\\n\");\n if (block !== null) {\n next = next.replace(/\\n*$/, \"\\n\");\n if (next.trim().length) next += \"\\n\";\n next += block;\n }\n if (block === null && !removed) return; // nothing to do\n\n writeFileAtomic(file, next);\n}\n\nfunction codexHasBlock(file: string, name: string): boolean {\n try {\n const content = fs.readFileSync(file, \"utf-8\");\n const headers = new Set(\n [codexMcpHeader(name), legacyCodexMcpHeader(name)].filter(\n Boolean,\n ) as string[],\n );\n return content.split(/\\r?\\n/).some((line) => headers.has(line.trim()));\n } catch {\n return false;\n }\n}\n\n// ---------------------------------------------------------------------------\n// Per-client install/uninstall/status\n// ---------------------------------------------------------------------------\n\nfunction configPathFor(\n client: ClientId,\n cwd: string,\n scope: string | undefined,\n): string {\n switch (client) {\n case \"claude-code\":\n case \"claude-code-cli\":\n return scope === \"user\"\n ? claudeCodeUserConfig()\n : claudeCodeProjectConfig(cwd);\n case \"cowork\":\n return coworkConfigPath();\n case \"codex\":\n return codexConfigPath();\n }\n}\n\nfunction serverNameFor(appId: string): string {\n return `${SERVER_NAME_PREFIX}-${appId}`;\n}\n\nfunction installForClient(\n client: ClientId,\n inputs: ServerEntryInputs,\n cwd: string,\n scope: string | undefined,\n): string {\n const name = inputs.serverName;\n const file = configPathFor(client, cwd, scope);\n if (client === \"codex\") {\n writeCodexBlock(file, name, buildCodexBlock(name, inputs));\n } else {\n writeJsonMcpEntry(file, name, buildJsonServerEntry(inputs));\n }\n return file;\n}\n\nfunction uninstallForClient(\n client: ClientId,\n appId: string,\n cwd: string,\n scope: string | undefined,\n): { file: string; removed: boolean } {\n const name = serverNameFor(appId);\n const file = configPathFor(client, cwd, scope);\n if (client === \"codex\") {\n const had = codexHasBlock(file, name);\n if (had) writeCodexBlock(file, name, null);\n return { file, removed: had };\n }\n const had = hasJsonMcpEntry(file, name);\n if (had) writeJsonMcpEntry(file, name, null);\n return { file, removed: had };\n}\n\nfunction clientHasEntry(client: ClientId, appId: string, cwd: string): boolean {\n const name = serverNameFor(appId);\n // Check both scopes for Claude Code so `status` is informative.\n if (client === \"claude-code\" || client === \"claude-code-cli\") {\n return (\n hasJsonMcpEntry(claudeCodeProjectConfig(cwd), name) ||\n hasJsonMcpEntry(claudeCodeUserConfig(), name)\n );\n }\n if (client === \"cowork\") return hasJsonMcpEntry(coworkConfigPath(), name);\n return codexHasBlock(codexConfigPath(), name);\n}\n\n// ---------------------------------------------------------------------------\n// Subcommands\n// ---------------------------------------------------------------------------\n\nasync function cmdServe(p: ParsedArgs): Promise<void> {\n await runMCPStdio({\n appId: p.app,\n port: p.port,\n standalone: p.standalone,\n });\n}\n\nasync function cmdInstall(p: ParsedArgs): Promise<void> {\n const client = (p.client ?? \"\").toLowerCase() as ClientId;\n if (!CLIENTS.includes(client)) {\n logErr(\n `Usage: agent-native mcp install --client ${CLIENTS.join(\"|\")} ` +\n `[--app <id>] [--scope user|project]`,\n );\n process.exit(1);\n }\n const cwd = process.cwd();\n\n // Resolve which app this entry targets (default = workspace default app).\n let appId = p.app;\n if (!appId) {\n try {\n const resolved = await resolveLocalAppOrigin({ cwd });\n appId = resolved.appId;\n } catch {\n appId = \"app\";\n }\n }\n const serverName = serverNameFor(appId);\n\n const hostedUrl = detectHostedUrl(cwd);\n const ownerEmail = process.env.AGENT_NATIVE_OWNER_EMAIL;\n\n let token: string | undefined;\n if (hostedUrl) {\n token = await mintHostedJwt(cwd);\n logOut(`Detected hosted deployment: ${hostedUrl}`);\n } else {\n const t = ensureLocalToken(cwd, false);\n token = t.token;\n logOut(\n t.created\n ? `Provisioned ACCESS_TOKEN in ${t.file}`\n : `Reusing existing ACCESS_TOKEN from ${t.file}`,\n );\n }\n\n const inputs: ServerEntryInputs = {\n serverName,\n appId: appId!,\n token,\n ownerEmail,\n hostedUrl,\n standalone: p.standalone,\n };\n\n const file = installForClient(client, inputs, cwd, p.scope);\n logOut(`Installed \"${serverName}\" for ${client} → ${file}`);\n logOut(\n hostedUrl\n ? ` Mode: http (${hostedUrl})`\n : ` Mode: stdio (agent-native mcp serve --app ${appId}${\n p.standalone ? \" --standalone\" : \"\"\n })`,\n );\n logOut(` Restart ${client} to pick up the new MCP server.`);\n}\n\nfunction cmdUninstall(p: ParsedArgs): void {\n const client = (p.client ?? \"\").toLowerCase() as ClientId;\n if (!CLIENTS.includes(client)) {\n logErr(\n `Usage: agent-native mcp uninstall --client ${CLIENTS.join(\"|\")} ` +\n `[--app <id>]`,\n );\n process.exit(1);\n }\n const cwd = process.cwd();\n const appId = p.app ?? \"app\";\n const { file, removed } = uninstallForClient(client, appId, cwd, p.scope);\n logOut(\n removed\n ? `Removed \"${serverNameFor(appId)}\" from ${client} → ${file}`\n : `No \"${serverNameFor(appId)}\" entry found for ${client} (${file}) — nothing to do.`,\n );\n}\n\nasync function cmdStatus(): Promise<void> {\n const cwd = process.cwd();\n let appId = \"app\";\n let origin = \"(app not running)\";\n let port: number | undefined;\n try {\n const resolved = await resolveLocalAppOrigin({ cwd });\n appId = resolved.appId;\n origin = resolved.origin;\n const ws = await resolveWorkspace(cwd);\n port = ws.apps.find((a) => a.id === appId)?.port;\n } catch (err: any) {\n logErr(` Could not resolve app: ${err?.message ?? err}`);\n }\n\n const hostedUrl = detectHostedUrl(cwd);\n const baseDir = envBaseDir(cwd);\n const envContent =\n readEnvFile(path.join(baseDir, \".env.local\")) +\n \"\\n\" +\n readEnvFile(path.join(baseDir, \".env\"));\n const hasToken = !!getEnvValue(envContent, \"ACCESS_TOKEN\");\n const hasA2A =\n !!process.env.A2A_SECRET || !!getEnvValue(envContent, \"A2A_SECRET\");\n\n logOut(`Agent-Native MCP status`);\n logOut(` App: ${appId}`);\n logOut(\n hostedUrl\n ? ` MCP URL: ${hostedUrl} (hosted)`\n : ` MCP URL: ${origin}/_agent-native/mcp${\n port ? ` (port ${port})` : \"\"\n }`,\n );\n logOut(` ACCESS_TOKEN: ${hasToken ? \"set\" : \"not set\"} (.env)`);\n logOut(` A2A_SECRET: ${hasA2A ? \"set\" : \"not set\"}`);\n logOut(` Clients:`);\n for (const client of CLIENTS) {\n const present = clientHasEntry(client, appId, cwd);\n logOut(` ${client.padEnd(18)} ${present ? \"configured\" : \"—\"}`);\n }\n}\n\nfunction cmdToken(p: ParsedArgs): void {\n const cwd = process.cwd();\n const t = ensureLocalToken(cwd, p.rotate);\n logOut(\n p.rotate\n ? `Rotated ACCESS_TOKEN in ${t.file}`\n : t.created\n ? `Provisioned ACCESS_TOKEN in ${t.file}`\n : `ACCESS_TOKEN (${t.file}):`,\n );\n logOut(t.token);\n if (p.rotate) {\n logOut(\n ` Re-run \\`agent-native mcp install --client <c>\\` so client configs ` +\n `pick up the new token.`,\n );\n }\n}\n\nconst HELP = `agent-native mcp — connect external coding agents over MCP\n\nUsage:\n agent-native mcp serve [--app <id>] [--port <n>] [--standalone]\n Run the MCP stdio transport (what client configs spawn).\n Default: proxy to the running local app; --standalone builds from disk.\n\n agent-native mcp install --client <c> [--app <id>] [--scope user|project]\n Provision a token and write the client's MCP config (idempotent).\n Clients: claude-code, claude-code-cli, codex, cowork\n\n agent-native mcp uninstall --client <c> [--app <id>]\n Remove the named MCP entry from a client's config (idempotent).\n\n agent-native mcp status\n Show resolved MCP URL/port, token state, and per-client entries.\n\n agent-native mcp token [--rotate]\n Print (or rotate) the local ACCESS_TOKEN in the workspace .env.`;\n\nexport async function runMcp(args: string[]): Promise<void> {\n const p = parseArgs(args);\n const sub = p._[0];\n\n switch (sub) {\n case \"serve\":\n await cmdServe(p);\n return;\n case \"install\":\n await cmdInstall(p);\n return;\n case \"uninstall\":\n cmdUninstall(p);\n return;\n case \"status\":\n await cmdStatus();\n return;\n case \"token\":\n cmdToken(p);\n return;\n case undefined:\n case \"--help\":\n case \"-h\":\n case \"help\":\n logOut(HELP);\n return;\n default:\n logErr(`Unknown mcp subcommand: ${sub}`);\n logOut(HELP);\n process.exit(1);\n }\n}\n"]}
1
+ {"version":3,"file":"mcp.js","sourceRoot":"","sources":["../../src/cli/mcp.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EACL,iBAAiB,EACjB,qBAAqB,EACrB,gBAAgB,GACjB,MAAM,6BAA6B,CAAC;AAErC,MAAM,kBAAkB,GAAG,cAAc,CAAC;AAG1C,MAAM,OAAO,GAAe;IAC1B,aAAa;IACb,iBAAiB;IACjB,OAAO;IACP,QAAQ;CACT,CAAC;AAYF,SAAS,SAAS,CAAC,IAAc;IAC/B,MAAM,GAAG,GAAe,EAAE,CAAC,EAAE,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IACpE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,MAAM,GAAG,GAAG,CAAC,IAAY,EAAsB,EAAE;YAC/C,IAAI,CAAC,KAAK,IAAI;gBAAE,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YACjC,IAAI,CAAC,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC;gBAAE,OAAO,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAC9D,OAAO,SAAS,CAAC;QACnB,CAAC,CAAC;QACF,IAAI,CAAqB,CAAC;QAC1B,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,KAAK,SAAS;YAAE,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;aACnD,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC,KAAK,SAAS;YAAE,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC;aAClD,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAC,KAAK,SAAS;YAAE,GAAG,CAAC,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;aAC5D,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,SAAS;YAAE,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC;aACtD,IAAI,CAAC,KAAK,cAAc;YAAE,GAAG,CAAC,UAAU,GAAG,IAAI,CAAC;aAChD,IAAI,CAAC,KAAK,UAAU;YAAE,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC;aACxC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,MAAM,CAAC,GAAW;IACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;AACnC,CAAC;AACD,SAAS,MAAM,CAAC,GAAW;IACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;AACnC,CAAC;AAED,8EAA8E;AAC9E,sEAAsE;AACtE,8EAA8E;AAE9E,uEAAuE;AACvE,SAAS,UAAU,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE;IACrC,OAAO,iBAAiB,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;AACrD,CAAC;AAED,yEAAyE;AACzE,SAAS,WAAW,CAAC,OAAe;IAClC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IAC/C,IAAI,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,WAAW,CAAC,IAAY;IAC/B,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,4EAA4E;AAC5E,SAAS,WAAW,CAAC,OAAe,EAAE,GAAW;IAC/C,IAAI,KAAyB,CAAC;IAC9B,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1C,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACzD,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YACtB,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,SAAS,SAAS,CAChB,IAAY,EACZ,GAAW,EACX,KAAa,EACb,KAAK,GAAG,KAAK;IAEb,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAC3C,IAAI,QAAQ,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;IAEnE,MAAM,IAAI,GAAG,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC;IAC/B,IAAI,IAAY,CAAC;IACjB,IAAI,IAAI,MAAM,CAAC,QAAQ,GAAG,OAAO,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACtD,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,QAAQ,GAAG,UAAU,EAAE,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC;IACvE,CAAC;SAAM,CAAC;QACN,IAAI;YACF,OAAO,CAAC,MAAM,KAAK,CAAC;gBAClB,CAAC,CAAC,GAAG,IAAI,IAAI;gBACb,CAAC,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,IAAI,IAAI,CAAC;IACpD,CAAC;IACD,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,aAAa;IACpB,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACtD,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CACvB,GAAW,EACX,MAAM,GAAG,KAAK;IAEd,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IAClC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;IACtD,IAAI,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;QACxB,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IACnD,CAAC;IACD,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,SAAS,CAAC,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IAC7C,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AACxC,CAAC;AAED,8EAA8E;AAC9E,4BAA4B;AAC5B,8EAA8E;AAE9E;;;;;GAKG;AACH,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,OAAO,GACX,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAC7C,IAAI;QACJ,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;IAC1C,KAAK,MAAM,GAAG,IAAI,CAAC,sBAAsB,EAAE,SAAS,EAAE,iBAAiB,CAAC,EAAE,CAAC;QACzE,MAAM,CAAC,GAAG,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACpC,IAAI,CAAC,CAAC;YAAE,SAAS;QACjB,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC;YACrB,IAAI,CAAC,oCAAoC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC3D,OAAO,GAAG,CAAC,CAAC,MAAM,oBAAoB,CAAC;YACzC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,mBAAmB;QACrB,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,GAAW;IACtC,+DAA+D;IAC/D,MAAM,KAAK,GACT,OAAO,CAAC,GAAG,CAAC,wBAAwB;QACpC,OAAO,CAAC,GAAG,CAAC,WAAW;QACvB,iBAAiB,CAAC;IACpB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAChC,MAAM,OAAO,GACX,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;YAC7C,IAAI;YACJ,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAClD,IAAI,MAAM;YAAE,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,MAAM,CAAC;IAC9C,CAAC;IACD,IAAI,CAAC;QACH,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAC1D,OAAO,MAAM,YAAY,CAAC,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE;YACrD,kBAAkB,EAAE,IAAI;YACxB,SAAS,EAAE,KAAK;SACjB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,CACJ,kCAAkC,GAAG,EAAE,OAAO,IAAI,GAAG,KAAK;YACxD,sEAAsE,CACzE,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,yCAAyC;AACzC,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,SAAS,gBAAgB;IACvB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,uBAAuB,CAAC,GAAW;IAC1C,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,WAAW,CAAC,CAAC;AACjD,CAAC;AACD,SAAS,oBAAoB;IAC3B,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,cAAc,CAAC,CAAC;AACjD,CAAC;AACD,SAAS,eAAe;IACtB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC;IACjD,IAAI,SAAS;QAAE,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;IAC1D,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;AAC1D,CAAC;AAWD,8EAA8E;AAC9E,SAAS,oBAAoB,CAAC,CAAoB;IAChD,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;QAChB,OAAO;YACL,IAAI,EAAE,MAAM;YACZ,GAAG,EAAE,CAAC,CAAC,SAAS;YAChB,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,CAAC,CAAC,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACxE,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAC9B,IAAI,CAAC,CAAC,KAAK;QAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;IACzC,IAAI,CAAC,CAAC,UAAU;QAAE,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC5C,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,IAAI,CAAC,CAAC,KAAK;QAAE,GAAG,CAAC,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC;IACxC,IAAI,CAAC,CAAC,UAAU;QAAE,GAAG,CAAC,wBAAwB,GAAG,CAAC,CAAC,UAAU,CAAC;IAC9D,OAAO;QACL,OAAO,EAAE,cAAc;QACvB,IAAI;QACJ,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC5C,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;IAC5D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,6EAA6E;AAC7E,SAAS,iBAAiB,CACxB,IAAY,EACZ,IAAY,EACZ,KAAqC;IAErC,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAClC,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QAChE,MAAM,CAAC,UAAU,GAAG,EAAE,CAAC;IACzB,CAAC;IACD,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACnB,OAAO,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;IAClC,CAAC;IACD,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAChE,CAAC;AAED,SAAS,eAAe,CAAC,IAAY,EAAE,IAAY;IACjD,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAClC,OAAO,CAAC,CAAC,MAAM,EAAE,UAAU,IAAI,IAAI,IAAI,MAAM,CAAC,UAAU,CAAC;AAC3D,CAAC;AAED,6EAA6E;AAE7E,SAAS,SAAS,CAAC,CAAS;IAC1B,OAAO,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC;AAC9D,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,OAAO,gBAAgB,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC;AAC5C,CAAC;AAED,SAAS,oBAAoB,CAAC,IAAY;IACxC,OAAO,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,gBAAgB,IAAI,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;AACxE,CAAC;AAED,SAAS,eAAe,CAAC,IAAY,EAAE,CAAoB;IACzD,MAAM,KAAK,GAAa,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/C,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;QAChB,KAAK,CAAC,IAAI,CAAC,SAAS,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QAC9C,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;YACZ,KAAK,CAAC,IAAI,CACR,sCAAsC,SAAS,CAC7C,UAAU,CAAC,CAAC,KAAK,EAAE,CACpB,IAAI,CACN,CAAC;QACJ,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IACjC,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAC9B,IAAI,CAAC,CAAC,KAAK;QAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;IACzC,IAAI,CAAC,CAAC,UAAU;QAAE,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC5C,KAAK,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IACvC,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACzD,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,IAAI,CAAC,CAAC,KAAK;QAAE,GAAG,CAAC,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC;IACxC,IAAI,CAAC,CAAC,UAAU;QAAE,GAAG,CAAC,wBAAwB,GAAG,CAAC,CAAC,UAAU,CAAC;IAC9D,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;aAC/B,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;aACzC,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,KAAK,CAAC,IAAI,CAAC,WAAW,MAAM,IAAI,CAAC,CAAC;IACpC,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AACjC,CAAC;AAED;;;;GAIG;AACH,SAAS,eAAe,CACtB,IAAY,EACZ,IAAY,EACZ,KAAoB;IAEpB,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,CAAC;QACH,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,GAAG,EAAE,CAAC;IACf,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,GAAG,CACrB,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CACvD,OAAO,CACI,CACd,CAAC;IACF,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACrC,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;YAC7B,oEAAoE;YACpE,OAAO,GAAG,IAAI,CAAC;YACf,CAAC,EAAE,CAAC;YACJ,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBAAE,CAAC,EAAE,CAAC;YACzD,SAAS;QACX,CAAC;QACD,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACf,CAAC,EAAE,CAAC;IACN,CAAC;IAED,IAAI,IAAI,GAAG,GAAG;SACX,IAAI,CAAC,IAAI,CAAC;SACV,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC;SAC1B,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACzB,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACnB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAClC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM;YAAE,IAAI,IAAI,IAAI,CAAC;QACrC,IAAI,IAAI,KAAK,CAAC;IAChB,CAAC;IACD,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,OAAO;QAAE,OAAO,CAAC,gBAAgB;IAExD,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,aAAa,CAAC,IAAY,EAAE,IAAY;IAC/C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC/C,MAAM,OAAO,GAAG,IAAI,GAAG,CACrB,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CACvD,OAAO,CACI,CACd,CAAC;QACF,OAAO,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACzE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,sCAAsC;AACtC,8EAA8E;AAE9E,SAAS,aAAa,CACpB,MAAgB,EAChB,GAAW,EACX,KAAyB;IAEzB,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,aAAa,CAAC;QACnB,KAAK,iBAAiB;YACpB,OAAO,KAAK,KAAK,MAAM;gBACrB,CAAC,CAAC,oBAAoB,EAAE;gBACxB,CAAC,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC;QACnC,KAAK,QAAQ;YACX,OAAO,gBAAgB,EAAE,CAAC;QAC5B,KAAK,OAAO;YACV,OAAO,eAAe,EAAE,CAAC;IAC7B,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,OAAO,GAAG,kBAAkB,IAAI,KAAK,EAAE,CAAC;AAC1C,CAAC;AAED,SAAS,gBAAgB,CACvB,MAAgB,EAChB,MAAyB,EACzB,GAAW,EACX,KAAyB;IAEzB,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC;IAC/B,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IAC/C,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,eAAe,CAAC,IAAI,EAAE,IAAI,EAAE,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IAC7D,CAAC;SAAM,CAAC;QACN,iBAAiB,CAAC,IAAI,EAAE,IAAI,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,kBAAkB,CACzB,MAAgB,EAChB,KAAa,EACb,GAAW,EACX,KAAyB;IAEzB,MAAM,IAAI,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IAC/C,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACtC,IAAI,GAAG;YAAE,eAAe,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QAC3C,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAChC,CAAC;IACD,MAAM,GAAG,GAAG,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACxC,IAAI,GAAG;QAAE,iBAAiB,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAC7C,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;AAChC,CAAC;AAED,SAAS,cAAc,CAAC,MAAgB,EAAE,KAAa,EAAE,GAAW;IAClE,MAAM,IAAI,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IAClC,gEAAgE;IAChE,IAAI,MAAM,KAAK,aAAa,IAAI,MAAM,KAAK,iBAAiB,EAAE,CAAC;QAC7D,OAAO,CACL,eAAe,CAAC,uBAAuB,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC;YACnD,eAAe,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAC9C,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,KAAK,QAAQ;QAAE,OAAO,eAAe,CAAC,gBAAgB,EAAE,EAAE,IAAI,CAAC,CAAC;IAC1E,OAAO,aAAa,CAAC,eAAe,EAAE,EAAE,IAAI,CAAC,CAAC;AAChD,CAAC;AAED,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E,KAAK,UAAU,QAAQ,CAAC,CAAa;IACnC,MAAM,WAAW,CAAC;QAChB,KAAK,EAAE,CAAC,CAAC,GAAG;QACZ,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,UAAU,EAAE,CAAC,CAAC,UAAU;KACzB,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,CAAa;IACrC,MAAM,MAAM,GAAG,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,WAAW,EAAc,CAAC;IAC1D,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9B,MAAM,CACJ,6DAA6D,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG;YAC/E,qCAAqC,CACxC,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAE1B,0EAA0E;IAC1E,IAAI,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC;IAClB,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;YACtD,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC;QACzB,CAAC;QAAC,MAAM,CAAC;YACP,KAAK,GAAG,KAAK,CAAC;QAChB,CAAC;IACH,CAAC;IACD,MAAM,UAAU,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IAExC,MAAM,SAAS,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;IAExD,IAAI,KAAyB,CAAC;IAC9B,IAAI,SAAS,EAAE,CAAC;QACd,KAAK,GAAG,MAAM,aAAa,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,+BAA+B,SAAS,EAAE,CAAC,CAAC;IACrD,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,gBAAgB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACvC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;QAChB,MAAM,CACJ,CAAC,CAAC,OAAO;YACP,CAAC,CAAC,+BAA+B,CAAC,CAAC,IAAI,EAAE;YACzC,CAAC,CAAC,sCAAsC,CAAC,CAAC,IAAI,EAAE,CACnD,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAsB;QAChC,UAAU;QACV,KAAK,EAAE,KAAM;QACb,KAAK;QACL,UAAU;QACV,SAAS;QACT,UAAU,EAAE,CAAC,CAAC,UAAU;KACzB,CAAC;IAEF,MAAM,IAAI,GAAG,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;IAC5D,MAAM,CAAC,cAAc,UAAU,SAAS,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IAC5D,MAAM,CACJ,SAAS;QACP,CAAC,CAAC,iBAAiB,SAAS,GAAG;QAC/B,CAAC,CAAC,gEAAgE,KAAK,GACnE,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,EACnC,GAAG,CACR,CAAC;IACF,MAAM,CAAC,aAAa,MAAM,iCAAiC,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,YAAY,CAAC,CAAa;IACjC,MAAM,MAAM,GAAG,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,WAAW,EAAc,CAAC;IAC1D,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9B,MAAM,CACJ,+DAA+D,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG;YACjF,cAAc,CACjB,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAC1B,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,IAAI,KAAK,CAAC;IAC7B,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,kBAAkB,CAAC,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;IAC1E,MAAM,CACJ,OAAO;QACL,CAAC,CAAC,YAAY,aAAa,CAAC,KAAK,CAAC,UAAU,MAAM,MAAM,IAAI,EAAE;QAC9D,CAAC,CAAC,OAAO,aAAa,CAAC,KAAK,CAAC,qBAAqB,MAAM,KAAK,IAAI,oBAAoB,CACxF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,SAAS;IACtB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAC1B,IAAI,KAAK,GAAG,KAAK,CAAC;IAClB,IAAI,MAAM,GAAG,mBAAmB,CAAC;IACjC,IAAI,IAAwB,CAAC;IAC7B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;QACtD,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC;QACvB,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;QACzB,MAAM,EAAE,GAAG,MAAM,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,EAAE,IAAI,CAAC;IACnD,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,4BAA4B,GAAG,EAAE,OAAO,IAAI,GAAG,EAAE,CAAC,CAAC;IAC5D,CAAC;IAED,MAAM,SAAS,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,UAAU,GACd,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAC7C,IAAI;QACJ,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,CAAC,CAAC,WAAW,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;IAC3D,MAAM,MAAM,GACV,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,CAAC,CAAC,WAAW,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IAEtE,MAAM,CAAC,yBAAyB,CAAC,CAAC;IAClC,MAAM,CAAC,iBAAiB,KAAK,EAAE,CAAC,CAAC;IACjC,MAAM,CACJ,SAAS;QACP,CAAC,CAAC,iBAAiB,SAAS,WAAW;QACvC,CAAC,CAAC,iBAAiB,MAAM,qBACrB,IAAI,CAAC,CAAC,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,CAAC,EAC7B,EAAE,CACP,CAAC;IACF,MAAM,CAAC,mBAAmB,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,SAAS,CAAC,CAAC;IACjE,MAAM,CAAC,mBAAmB,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;IACxD,MAAM,CAAC,YAAY,CAAC,CAAC;IACrB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,cAAc,CAAC,MAAM,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QACnD,MAAM,CAAC,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IACrE,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,CAAa;IAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAC1B,MAAM,CAAC,GAAG,gBAAgB,CAAC,GAAG,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,CACJ,CAAC,CAAC,MAAM;QACN,CAAC,CAAC,2BAA2B,CAAC,CAAC,IAAI,EAAE;QACrC,CAAC,CAAC,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,+BAA+B,CAAC,CAAC,IAAI,EAAE;YACzC,CAAC,CAAC,iBAAiB,CAAC,CAAC,IAAI,IAAI,CAClC,CAAC;IACF,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAChB,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;QACb,MAAM,CACJ,wFAAwF;YACtF,wBAAwB,CAC3B,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,IAAI,GAAG;;;;;;;;;;;;;;;;;;sEAkByD,CAAC;AAEvE,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,IAAc;IACzC,MAAM,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAC1B,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAEnB,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,OAAO;YACV,MAAM,QAAQ,CAAC,CAAC,CAAC,CAAC;YAClB,OAAO;QACT,KAAK,SAAS;YACZ,MAAM,UAAU,CAAC,CAAC,CAAC,CAAC;YACpB,OAAO;QACT,KAAK,WAAW;YACd,YAAY,CAAC,CAAC,CAAC,CAAC;YAChB,OAAO;QACT,KAAK,QAAQ;YACX,MAAM,SAAS,EAAE,CAAC;YAClB,OAAO;QACT,KAAK,OAAO;YACV,QAAQ,CAAC,CAAC,CAAC,CAAC;YACZ,OAAO;QACT,KAAK,SAAS,CAAC;QACf,KAAK,QAAQ,CAAC;QACd,KAAK,IAAI,CAAC;QACV,KAAK,MAAM;YACT,MAAM,CAAC,IAAI,CAAC,CAAC;YACb,OAAO;QACT;YACE,MAAM,CAAC,2BAA2B,GAAG,EAAE,CAAC,CAAC;YACzC,MAAM,CAAC,IAAI,CAAC,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;AACH,CAAC","sourcesContent":["/**\n * `agent-native mcp <subcommand>` — connect external coding agents (Claude\n * Code desktop & CLI, Claude Cowork, Codex) to this agent-native app/workspace\n * over MCP.\n *\n * serve Run the MCP stdio transport (this is what client configs spawn).\n * install Provision a token + write the client's MCP config idempotently.\n * uninstall Remove the named entry from a client's MCP config.\n * status Print resolved MCP URL/port, token state, and per-client entries.\n * token Print or rotate the local ACCESS_TOKEN in the workspace .env.\n *\n * Node-only CLI module. Hand-rolled `.env` upsert + minimal TOML block merge\n * keep this dependency-free (no new npm deps).\n */\n\nimport crypto from \"node:crypto\";\nimport fs from \"node:fs\";\nimport os from \"node:os\";\nimport path from \"node:path\";\n\nimport { runMCPStdio } from \"../mcp/stdio.js\";\nimport { writeFileAtomic } from \"./mcp-config-writers.js\";\nimport {\n findWorkspaceRoot,\n resolveLocalAppOrigin,\n resolveWorkspace,\n} from \"../mcp/workspace-resolve.js\";\n\nconst SERVER_NAME_PREFIX = \"agent-native\";\n\ntype ClientId = \"claude-code\" | \"claude-code-cli\" | \"codex\" | \"cowork\";\nconst CLIENTS: ClientId[] = [\n \"claude-code\",\n \"claude-code-cli\",\n \"codex\",\n \"cowork\",\n];\n\ninterface ParsedArgs {\n _: string[];\n client?: string;\n app?: string;\n port?: number;\n scope?: string;\n standalone: boolean;\n rotate: boolean;\n}\n\nfunction parseArgs(argv: string[]): ParsedArgs {\n const out: ParsedArgs = { _: [], standalone: false, rotate: false };\n for (let i = 0; i < argv.length; i++) {\n const a = argv[i];\n const eat = (flag: string): string | undefined => {\n if (a === flag) return argv[++i];\n if (a.startsWith(`${flag}=`)) return a.slice(flag.length + 1);\n return undefined;\n };\n let v: string | undefined;\n if ((v = eat(\"--client\")) !== undefined) out.client = v;\n else if ((v = eat(\"--app\")) !== undefined) out.app = v;\n else if ((v = eat(\"--port\")) !== undefined) out.port = Number(v);\n else if ((v = eat(\"--scope\")) !== undefined) out.scope = v;\n else if (a === \"--standalone\") out.standalone = true;\n else if (a === \"--rotate\") out.rotate = true;\n else if (!a.startsWith(\"-\")) out._.push(a);\n }\n return out;\n}\n\nfunction logErr(msg: string): void {\n process.stderr.write(`${msg}\\n`);\n}\nfunction logOut(msg: string): void {\n process.stdout.write(`${msg}\\n`);\n}\n\n// ---------------------------------------------------------------------------\n// .env token provisioning (local dev) — hand-rolled idempotent upsert\n// ---------------------------------------------------------------------------\n\n/** Workspace root (or cwd for a standalone app) — where .env lives. */\nfunction envBaseDir(cwd = process.cwd()): string {\n return findWorkspaceRoot(cwd) ?? path.resolve(cwd);\n}\n\n/** Prefer .env.local, else .env. Returns the path we should write to. */\nfunction envFilePath(baseDir: string): string {\n const local = path.join(baseDir, \".env.local\");\n if (fs.existsSync(local)) return local;\n return path.join(baseDir, \".env\");\n}\n\nfunction readEnvFile(file: string): string {\n try {\n return fs.readFileSync(file, \"utf-8\");\n } catch {\n return \"\";\n }\n}\n\n/** Read a single key from a dotenv-format string (last assignment wins). */\nfunction getEnvValue(content: string, key: string): string | undefined {\n let found: string | undefined;\n for (const line of content.split(/\\r?\\n/)) {\n const m = line.match(/^\\s*([A-Z0-9_]+)\\s*=\\s*(.*)\\s*$/i);\n if (m && m[1] === key) {\n found = m[2].replace(/^[\"']|[\"']$/g, \"\");\n }\n }\n return found;\n}\n\n/**\n * Idempotently set `key=value` in the dotenv file. If the key already exists\n * we leave it untouched unless `force` is set (used by `token --rotate`).\n * Never clobbers an existing token implicitly.\n */\nfunction upsertEnv(\n file: string,\n key: string,\n value: string,\n force = false,\n): { changed: boolean; value: string } {\n const content = readEnvFile(file);\n const existing = getEnvValue(content, key);\n if (existing && !force) return { changed: false, value: existing };\n\n const line = `${key}=${value}`;\n let next: string;\n if (new RegExp(`^\\\\s*${key}\\\\s*=`, \"m\").test(content)) {\n next = content.replace(new RegExp(`^\\\\s*${key}\\\\s*=.*$`, \"m\"), line);\n } else {\n next =\n content.length === 0\n ? `${line}\\n`\n : `${content.replace(/\\n*$/, \"\")}\\n${line}\\n`;\n }\n writeFileAtomic(file, next);\n return { changed: true, value };\n}\n\nfunction generateToken(): string {\n return crypto.randomBytes(24).toString(\"base64url\");\n}\n\n/**\n * Ensure a local ACCESS_TOKEN exists in the workspace .env and return it.\n * Existing tokens are reused (never clobbered). Set `rotate` to replace it.\n */\nfunction ensureLocalToken(\n cwd: string,\n rotate = false,\n): { token: string; file: string; created: boolean } {\n const baseDir = envBaseDir(cwd);\n const file = envFilePath(baseDir);\n const content = readEnvFile(file);\n const existing = getEnvValue(content, \"ACCESS_TOKEN\");\n if (existing && !rotate) {\n return { token: existing, file, created: false };\n }\n const token = generateToken();\n upsertEnv(file, \"ACCESS_TOKEN\", token, true);\n return { token, file, created: true };\n}\n\n// ---------------------------------------------------------------------------\n// Hosted vs local detection\n// ---------------------------------------------------------------------------\n\n/**\n * Detect a hosted deployment URL. When the workspace .env points at a hosted\n * origin (APP_URL / BETTER_AUTH_URL with a non-localhost host) we write an\n * `http` client entry pointing at `<origin>/_agent-native/mcp` with a JWT\n * bearer instead of a stdio entry.\n */\nfunction detectHostedUrl(cwd: string): string | undefined {\n const baseDir = envBaseDir(cwd);\n const content =\n readEnvFile(path.join(baseDir, \".env.local\")) +\n \"\\n\" +\n readEnvFile(path.join(baseDir, \".env\"));\n for (const key of [\"AGENT_NATIVE_MCP_URL\", \"APP_URL\", \"BETTER_AUTH_URL\"]) {\n const v = getEnvValue(content, key);\n if (!v) continue;\n try {\n const u = new URL(v);\n if (!/^(localhost|127\\.0\\.0\\.1|\\[::1\\])$/.test(u.hostname)) {\n return `${u.origin}/_agent-native/mcp`;\n }\n } catch {\n // not a URL — skip\n }\n }\n return undefined;\n}\n\nasync function mintHostedJwt(cwd: string): Promise<string | undefined> {\n // Reuse the existing A2A signer — do not reinvent JWT minting.\n const owner =\n process.env.AGENT_NATIVE_OWNER_EMAIL ||\n process.env.OWNER_EMAIL ||\n \"owner@localhost\";\n if (!process.env.A2A_SECRET) {\n const baseDir = envBaseDir(cwd);\n const content =\n readEnvFile(path.join(baseDir, \".env.local\")) +\n \"\\n\" +\n readEnvFile(path.join(baseDir, \".env\"));\n const secret = getEnvValue(content, \"A2A_SECRET\");\n if (secret) process.env.A2A_SECRET = secret;\n }\n try {\n const { signA2AToken } = await import(\"../a2a/client.js\");\n return await signA2AToken(owner, undefined, undefined, {\n preferGlobalSecret: true,\n expiresIn: \"30d\",\n });\n } catch (err: any) {\n logErr(\n ` Could not mint a hosted JWT (${err?.message ?? err}). ` +\n `Set A2A_SECRET in your workspace .env, or use the local stdio entry.`,\n );\n return undefined;\n }\n}\n\n// ---------------------------------------------------------------------------\n// Client config file locations + writers\n// ---------------------------------------------------------------------------\n\n/**\n * Cowork consumes MCP exactly like Claude Code (same JSON server-entry\n * shape). The exact on-disk config path for Cowork may differ across builds —\n * this is the best-known location. **Confirm before relying on it in\n * production.** It is validated against the Claude Code JSON format below.\n *\n * Resolved lazily (not as a module-level constant) so `os.homedir()` reflects\n * the current `$HOME` rather than the value at module-load time.\n */\nfunction coworkConfigPath(): string {\n return path.join(os.homedir(), \".cowork\", \"mcp.json\");\n}\n\nfunction claudeCodeProjectConfig(cwd: string): string {\n return path.join(envBaseDir(cwd), \".mcp.json\");\n}\nfunction claudeCodeUserConfig(): string {\n return path.join(os.homedir(), \".claude.json\");\n}\nfunction codexConfigPath(): string {\n const codexHome = process.env.CODEX_HOME?.trim();\n if (codexHome) return path.join(codexHome, \"config.toml\");\n return path.join(os.homedir(), \".codex\", \"config.toml\");\n}\n\ninterface ServerEntryInputs {\n serverName: string;\n appId: string;\n token?: string;\n ownerEmail?: string;\n hostedUrl?: string;\n standalone: boolean;\n}\n\n/** The stdio (or http) server entry — shared by Claude Code & Cowork JSON. */\nfunction buildJsonServerEntry(i: ServerEntryInputs): Record<string, unknown> {\n if (i.hostedUrl) {\n return {\n type: \"http\",\n url: i.hostedUrl,\n ...(i.token ? { headers: { Authorization: `Bearer ${i.token}` } } : {}),\n };\n }\n const args = [\"mcp\", \"serve\"];\n if (i.appId) args.push(\"--app\", i.appId);\n if (i.standalone) args.push(\"--standalone\");\n const env: Record<string, string> = {};\n if (i.token) env.ACCESS_TOKEN = i.token;\n if (i.ownerEmail) env.AGENT_NATIVE_OWNER_EMAIL = i.ownerEmail;\n return {\n command: \"agent-native\",\n args,\n ...(Object.keys(env).length ? { env } : {}),\n };\n}\n\nfunction readJsonFile(file: string): Record<string, any> {\n try {\n const raw = fs.readFileSync(file, \"utf-8\");\n const parsed = JSON.parse(raw);\n return parsed && typeof parsed === \"object\" ? parsed : {};\n } catch {\n return {};\n }\n}\n\n/** Idempotently write `mcpServers[name] = entry` into a JSON config file. */\nfunction writeJsonMcpEntry(\n file: string,\n name: string,\n entry: Record<string, unknown> | null,\n): void {\n const config = readJsonFile(file);\n if (!config.mcpServers || typeof config.mcpServers !== \"object\") {\n config.mcpServers = {};\n }\n if (entry === null) {\n delete config.mcpServers[name];\n } else {\n config.mcpServers[name] = entry;\n }\n writeFileAtomic(file, JSON.stringify(config, null, 2) + \"\\n\");\n}\n\nfunction hasJsonMcpEntry(file: string, name: string): boolean {\n const config = readJsonFile(file);\n return !!config?.mcpServers && name in config.mcpServers;\n}\n\n// --- Codex TOML (hand-rolled minimal block merge, no new dep) -------------\n\nfunction tomlQuote(s: string): string {\n return `\"${s.replace(/\\\\/g, \"\\\\\\\\\").replace(/\"/g, '\\\\\"')}\"`;\n}\n\nfunction codexMcpHeader(name: string): string {\n return `[mcp_servers.${tomlQuote(name)}]`;\n}\n\nfunction legacyCodexMcpHeader(name: string): string | null {\n return /^[A-Za-z0-9_-]+$/.test(name) ? `[mcp_servers.${name}]` : null;\n}\n\nfunction buildCodexBlock(name: string, i: ServerEntryInputs): string {\n const lines: string[] = [codexMcpHeader(name)];\n if (i.hostedUrl) {\n lines.push(`url = ${tomlQuote(i.hostedUrl)}`);\n if (i.token) {\n lines.push(\n `http_headers = { \"Authorization\" = ${tomlQuote(\n `Bearer ${i.token}`,\n )} }`,\n );\n }\n return lines.join(\"\\n\") + \"\\n\";\n }\n\n const args = [\"mcp\", \"serve\"];\n if (i.appId) args.push(\"--app\", i.appId);\n if (i.standalone) args.push(\"--standalone\");\n lines.push(`command = \"agent-native\"`);\n lines.push(`args = [${args.map(tomlQuote).join(\", \")}]`);\n const env: Record<string, string> = {};\n if (i.token) env.ACCESS_TOKEN = i.token;\n if (i.ownerEmail) env.AGENT_NATIVE_OWNER_EMAIL = i.ownerEmail;\n if (Object.keys(env).length) {\n const inline = Object.entries(env)\n .map(([k, v]) => `${k} = ${tomlQuote(v)}`)\n .join(\", \");\n lines.push(`env = { ${inline} }`);\n }\n return lines.join(\"\\n\") + \"\\n\";\n}\n\n/**\n * Replace (or append) the `[mcp_servers.<name>]` block in a TOML file\n * without disturbing other content. We treat a block as the header line plus\n * every following line until the next top-level `[` table header or EOF.\n */\nfunction writeCodexBlock(\n file: string,\n name: string,\n block: string | null,\n): void {\n let content = \"\";\n try {\n content = fs.readFileSync(file, \"utf-8\");\n } catch {\n content = \"\";\n }\n\n const headers = new Set(\n [codexMcpHeader(name), legacyCodexMcpHeader(name)].filter(\n Boolean,\n ) as string[],\n );\n const lines = content.split(/\\r?\\n/);\n const out: string[] = [];\n let i = 0;\n let removed = false;\n while (i < lines.length) {\n const line = lines[i];\n if (headers.has(line.trim())) {\n // Skip this block entirely (header + body until next table header).\n removed = true;\n i++;\n while (i < lines.length && !/^\\s*\\[/.test(lines[i])) i++;\n continue;\n }\n out.push(line);\n i++;\n }\n\n let next = out\n .join(\"\\n\")\n .replace(/\\n{3,}/g, \"\\n\\n\")\n .replace(/\\n*$/, \"\\n\");\n if (block !== null) {\n next = next.replace(/\\n*$/, \"\\n\");\n if (next.trim().length) next += \"\\n\";\n next += block;\n }\n if (block === null && !removed) return; // nothing to do\n\n writeFileAtomic(file, next);\n}\n\nfunction codexHasBlock(file: string, name: string): boolean {\n try {\n const content = fs.readFileSync(file, \"utf-8\");\n const headers = new Set(\n [codexMcpHeader(name), legacyCodexMcpHeader(name)].filter(\n Boolean,\n ) as string[],\n );\n return content.split(/\\r?\\n/).some((line) => headers.has(line.trim()));\n } catch {\n return false;\n }\n}\n\n// ---------------------------------------------------------------------------\n// Per-client install/uninstall/status\n// ---------------------------------------------------------------------------\n\nfunction configPathFor(\n client: ClientId,\n cwd: string,\n scope: string | undefined,\n): string {\n switch (client) {\n case \"claude-code\":\n case \"claude-code-cli\":\n return scope === \"user\"\n ? claudeCodeUserConfig()\n : claudeCodeProjectConfig(cwd);\n case \"cowork\":\n return coworkConfigPath();\n case \"codex\":\n return codexConfigPath();\n }\n}\n\nfunction serverNameFor(appId: string): string {\n return `${SERVER_NAME_PREFIX}-${appId}`;\n}\n\nfunction installForClient(\n client: ClientId,\n inputs: ServerEntryInputs,\n cwd: string,\n scope: string | undefined,\n): string {\n const name = inputs.serverName;\n const file = configPathFor(client, cwd, scope);\n if (client === \"codex\") {\n writeCodexBlock(file, name, buildCodexBlock(name, inputs));\n } else {\n writeJsonMcpEntry(file, name, buildJsonServerEntry(inputs));\n }\n return file;\n}\n\nfunction uninstallForClient(\n client: ClientId,\n appId: string,\n cwd: string,\n scope: string | undefined,\n): { file: string; removed: boolean } {\n const name = serverNameFor(appId);\n const file = configPathFor(client, cwd, scope);\n if (client === \"codex\") {\n const had = codexHasBlock(file, name);\n if (had) writeCodexBlock(file, name, null);\n return { file, removed: had };\n }\n const had = hasJsonMcpEntry(file, name);\n if (had) writeJsonMcpEntry(file, name, null);\n return { file, removed: had };\n}\n\nfunction clientHasEntry(client: ClientId, appId: string, cwd: string): boolean {\n const name = serverNameFor(appId);\n // Check both scopes for Claude Code so `status` is informative.\n if (client === \"claude-code\" || client === \"claude-code-cli\") {\n return (\n hasJsonMcpEntry(claudeCodeProjectConfig(cwd), name) ||\n hasJsonMcpEntry(claudeCodeUserConfig(), name)\n );\n }\n if (client === \"cowork\") return hasJsonMcpEntry(coworkConfigPath(), name);\n return codexHasBlock(codexConfigPath(), name);\n}\n\n// ---------------------------------------------------------------------------\n// Subcommands\n// ---------------------------------------------------------------------------\n\nasync function cmdServe(p: ParsedArgs): Promise<void> {\n await runMCPStdio({\n appId: p.app,\n port: p.port,\n standalone: p.standalone,\n });\n}\n\nasync function cmdInstall(p: ParsedArgs): Promise<void> {\n const client = (p.client ?? \"\").toLowerCase() as ClientId;\n if (!CLIENTS.includes(client)) {\n logErr(\n `Usage: npx @agent-native/core@latest mcp install --client ${CLIENTS.join(\"|\")} ` +\n `[--app <id>] [--scope user|project]`,\n );\n process.exit(1);\n }\n const cwd = process.cwd();\n\n // Resolve which app this entry targets (default = workspace default app).\n let appId = p.app;\n if (!appId) {\n try {\n const resolved = await resolveLocalAppOrigin({ cwd });\n appId = resolved.appId;\n } catch {\n appId = \"app\";\n }\n }\n const serverName = serverNameFor(appId);\n\n const hostedUrl = detectHostedUrl(cwd);\n const ownerEmail = process.env.AGENT_NATIVE_OWNER_EMAIL;\n\n let token: string | undefined;\n if (hostedUrl) {\n token = await mintHostedJwt(cwd);\n logOut(`Detected hosted deployment: ${hostedUrl}`);\n } else {\n const t = ensureLocalToken(cwd, false);\n token = t.token;\n logOut(\n t.created\n ? `Provisioned ACCESS_TOKEN in ${t.file}`\n : `Reusing existing ACCESS_TOKEN from ${t.file}`,\n );\n }\n\n const inputs: ServerEntryInputs = {\n serverName,\n appId: appId!,\n token,\n ownerEmail,\n hostedUrl,\n standalone: p.standalone,\n };\n\n const file = installForClient(client, inputs, cwd, p.scope);\n logOut(`Installed \"${serverName}\" for ${client} → ${file}`);\n logOut(\n hostedUrl\n ? ` Mode: http (${hostedUrl})`\n : ` Mode: stdio (npx @agent-native/core@latest mcp serve --app ${appId}${\n p.standalone ? \" --standalone\" : \"\"\n })`,\n );\n logOut(` Restart ${client} to pick up the new MCP server.`);\n}\n\nfunction cmdUninstall(p: ParsedArgs): void {\n const client = (p.client ?? \"\").toLowerCase() as ClientId;\n if (!CLIENTS.includes(client)) {\n logErr(\n `Usage: npx @agent-native/core@latest mcp uninstall --client ${CLIENTS.join(\"|\")} ` +\n `[--app <id>]`,\n );\n process.exit(1);\n }\n const cwd = process.cwd();\n const appId = p.app ?? \"app\";\n const { file, removed } = uninstallForClient(client, appId, cwd, p.scope);\n logOut(\n removed\n ? `Removed \"${serverNameFor(appId)}\" from ${client} → ${file}`\n : `No \"${serverNameFor(appId)}\" entry found for ${client} (${file}) — nothing to do.`,\n );\n}\n\nasync function cmdStatus(): Promise<void> {\n const cwd = process.cwd();\n let appId = \"app\";\n let origin = \"(app not running)\";\n let port: number | undefined;\n try {\n const resolved = await resolveLocalAppOrigin({ cwd });\n appId = resolved.appId;\n origin = resolved.origin;\n const ws = await resolveWorkspace(cwd);\n port = ws.apps.find((a) => a.id === appId)?.port;\n } catch (err: any) {\n logErr(` Could not resolve app: ${err?.message ?? err}`);\n }\n\n const hostedUrl = detectHostedUrl(cwd);\n const baseDir = envBaseDir(cwd);\n const envContent =\n readEnvFile(path.join(baseDir, \".env.local\")) +\n \"\\n\" +\n readEnvFile(path.join(baseDir, \".env\"));\n const hasToken = !!getEnvValue(envContent, \"ACCESS_TOKEN\");\n const hasA2A =\n !!process.env.A2A_SECRET || !!getEnvValue(envContent, \"A2A_SECRET\");\n\n logOut(`Agent-Native MCP status`);\n logOut(` App: ${appId}`);\n logOut(\n hostedUrl\n ? ` MCP URL: ${hostedUrl} (hosted)`\n : ` MCP URL: ${origin}/_agent-native/mcp${\n port ? ` (port ${port})` : \"\"\n }`,\n );\n logOut(` ACCESS_TOKEN: ${hasToken ? \"set\" : \"not set\"} (.env)`);\n logOut(` A2A_SECRET: ${hasA2A ? \"set\" : \"not set\"}`);\n logOut(` Clients:`);\n for (const client of CLIENTS) {\n const present = clientHasEntry(client, appId, cwd);\n logOut(` ${client.padEnd(18)} ${present ? \"configured\" : \"—\"}`);\n }\n}\n\nfunction cmdToken(p: ParsedArgs): void {\n const cwd = process.cwd();\n const t = ensureLocalToken(cwd, p.rotate);\n logOut(\n p.rotate\n ? `Rotated ACCESS_TOKEN in ${t.file}`\n : t.created\n ? `Provisioned ACCESS_TOKEN in ${t.file}`\n : `ACCESS_TOKEN (${t.file}):`,\n );\n logOut(t.token);\n if (p.rotate) {\n logOut(\n ` Re-run \\`npx @agent-native/core@latest mcp install --client <c>\\` so client configs ` +\n `pick up the new token.`,\n );\n }\n}\n\nconst HELP = `npx @agent-native/core@latest mcp — connect external coding agents over MCP\n\nUsage:\n npx @agent-native/core@latest mcp serve [--app <id>] [--port <n>] [--standalone]\n Run the MCP stdio transport (what client configs spawn).\n Default: proxy to the running local app; --standalone builds from disk.\n\n npx @agent-native/core@latest mcp install --client <c> [--app <id>] [--scope user|project]\n Provision a token and write the client's MCP config (idempotent).\n Clients: claude-code, claude-code-cli, codex, cowork\n\n npx @agent-native/core@latest mcp uninstall --client <c> [--app <id>]\n Remove the named MCP entry from a client's config (idempotent).\n\n npx @agent-native/core@latest mcp status\n Show resolved MCP URL/port, token state, and per-client entries.\n\n npx @agent-native/core@latest mcp token [--rotate]\n Print (or rotate) the local ACCESS_TOKEN in the workspace .env.`;\n\nexport async function runMcp(args: string[]): Promise<void> {\n const p = parseArgs(args);\n const sub = p._[0];\n\n switch (sub) {\n case \"serve\":\n await cmdServe(p);\n return;\n case \"install\":\n await cmdInstall(p);\n return;\n case \"uninstall\":\n cmdUninstall(p);\n return;\n case \"status\":\n await cmdStatus();\n return;\n case \"token\":\n cmdToken(p);\n return;\n case undefined:\n case \"--help\":\n case \"-h\":\n case \"help\":\n logOut(HELP);\n return;\n default:\n logErr(`Unknown mcp subcommand: ${sub}`);\n logOut(HELP);\n process.exit(1);\n }\n}\n"]}
package/dist/cli/migrate.d.ts ADDED
@@ -0,0 +1,38 @@
1
+ type MigrateSubcommand = "resume" | "status" | "stop" | "ui";
2
+ type SourceKind = "path" | "url" | "description";
3
+ export interface MigrateCliOptions {
4
+ subcommand?: MigrateSubcommand;
5
+ source?: string;
6
+ sourcePath?: string;
7
+ sourceUrl?: string;
8
+ sourceDescription?: string;
9
+ workbench?: string;
10
+ output?: string;
11
+ appName?: string;
12
+ target?: string;
13
+ planOnly?: boolean;
14
+ planFile?: string;
15
+ emit?: boolean;
16
+ emitDir?: string;
17
+ appSurface?: boolean;
18
+ last?: boolean;
19
+ help?: boolean;
20
+ }
21
+ export interface SourceSpec {
22
+ kind: SourceKind;
23
+ value: string;
24
+ sourceRoot?: string;
25
+ description?: string;
26
+ }
27
+ export interface EmitDossierResult {
28
+ dossierRoot: string;
29
+ files: string[];
30
+ source: SourceSpec;
31
+ usedMigrateHelpers: boolean;
32
+ }
33
+ export declare function parseMigrateArgs(argv: string[]): MigrateCliOptions;
34
+ export declare function runMigrate(argv: string[]): Promise<void>;
35
+ export declare function emitOwnAgentDossier(opts: MigrateCliOptions, cwd?: string): Promise<EmitDossierResult>;
36
+ export declare function isExpectedMigrationCliError(error: unknown): boolean;
37
+ export {};
38
+ //# sourceMappingURL=migrate.d.ts.map
package/dist/cli/migrate.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"migrate.d.ts","sourceRoot":"","sources":["../../src/cli/migrate.ts"],"names":[],"mappings":"AAkCA,KAAK,iBAAiB,GAAG,QAAQ,GAAG,QAAQ,GAAG,MAAM,GAAG,IAAI,CAAC;AAC7D,KAAK,UAAU,GAAG,MAAM,GAAG,KAAK,GAAG,aAAa,CAAC;AAEjD,MAAM,WAAW,iBAAiB;IAChC,UAAU,CAAC,EAAE,iBAAiB,CAAC;IAC/B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,UAAU,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,MAAM,EAAE,UAAU,CAAC;IACnB,kBAAkB,EAAE,OAAO,CAAC;CAC7B;AA2DD,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,iBAAiB,CAoFlE;AAED,wBAAsB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAmD9D;AAED,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,iBAAiB,EACvB,GAAG,SAAgB,GAClB,OAAO,CAAC,iBAAiB,CAAC,CAsF5B;AAED,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAQnE"}
package/dist/cli/plan-local.d.ts ADDED
@@ -0,0 +1,43 @@
1
+ /**
2
+ * DB-free local plan helpers.
3
+ *
4
+ * These commands are intentionally separate from the Plan app actions. They do
5
+ * not call MCP, HTTP, SQLite, or the Plan template runtime; they only read and
6
+ * write local files so privacy-focused users have an auditable no-DB path.
7
+ */
8
+ type LocalPlanKind = "plan" | "recap";
9
+ type LocalPlanFiles = {
10
+ dir: string;
11
+ planMdx: string;
12
+ canvasMdx?: string;
13
+ prototypeMdx?: string;
14
+ stateJson?: string;
15
+ };
16
+ type LocalPlanPreviewInput = {
17
+ dir: string;
18
+ kind?: LocalPlanKind;
19
+ title?: string;
20
+ brief?: string;
21
+ };
22
+ type LocalPlanPreviewResult = {
23
+ ok: true;
24
+ dir: string;
25
+ out: string;
26
+ url: string;
27
+ title: string;
28
+ kind: LocalPlanKind;
29
+ files: string[];
30
+ };
31
+ export declare function localPlanFolderName(title: string): string;
32
+ export declare function readLocalPlanFiles(dir: string): LocalPlanFiles;
33
+ export declare function buildLocalPlanPreviewHtml(input: LocalPlanPreviewInput): string;
34
+ export declare function writeLocalPlanPreview(input: {
35
+ dir: string;
36
+ out?: string;
37
+ kind?: LocalPlanKind;
38
+ title?: string;
39
+ brief?: string;
40
+ }): LocalPlanPreviewResult;
41
+ export declare function runPlan(argv: string[]): Promise<void>;
42
+ export {};
43
+ //# sourceMappingURL=plan-local.d.ts.map
package/dist/cli/plan-local.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"plan-local.d.ts","sourceRoot":"","sources":["../../src/cli/plan-local.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,KAAK,aAAa,GAAG,MAAM,GAAG,OAAO,CAAC;AAEtC,KAAK,cAAc,GAAG;IACpB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,KAAK,qBAAqB,GAAG;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,aAAa,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,KAAK,sBAAsB,GAAG;IAC5B,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,aAAa,CAAC;IACpB,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB,CAAC;AAyCF,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAUzD;AA8KD,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,cAAc,CAiB9D;AAED,wBAAgB,yBAAyB,CACvC,KAAK,EAAE,qBAAqB,GAC3B,MAAM,CA2GR;AAED,wBAAgB,qBAAqB,CAAC,KAAK,EAAE;IAC3C,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,aAAa,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG,sBAAsB,CA2BzB;AAkID,wBAAsB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CA0C3D"}
package/dist/cli/plan-publish-store.d.ts ADDED
@@ -0,0 +1,62 @@
1
+ /**
2
+ * Canonical publish-token store for the local Plans server.
3
+ *
4
+ * `agent-native connect <hosted-url>` mints a bearer token and writes it into
5
+ * each coding agent's per-client MCP config (`.mcp.json` / Codex `config.toml`
6
+ * via `mcp-config-writers`). Those files are client-specific, so the local Plans
7
+ * server cannot read them for a server-to-server publish.
8
+ *
9
+ * To close that seam, the connect flow ALSO writes a single canonical record to
10
+ * `~/.agent-native/plan-publish.json` whenever it authenticates a first-party
11
+ * Plans app. The local server's `publish-visual-plan` action reads the exact
12
+ * same file (see `templates/plan/server/lib/plan-publish.ts`):
13
+ *
14
+ * { "url": "https://plan.agent-native.com", "token": "<bearer>" }
15
+ *
16
+ * This mirrors the existing device-token precedent in
17
+ * `code-agent-connector.ts` (`~/.agent-native/remote-device.json`): home-dir
18
+ * JSON, env-overridable path, atomic 0600 write. The write is additive — it
19
+ * merges into any existing file rather than clobbering sibling keys — and
20
+ * best-effort, since persisting MCP config is the primary contract and a failed
21
+ * canonical write must never fail the connect.
22
+ */
23
+ /**
24
+ * Absolute path to the canonical publish-token file. Honors
25
+ * `PLAN_PUBLISH_CONFIG_PATH` so connect and the local server agree on the
26
+ * location in tests and custom setups; defaults to
27
+ * `~/.agent-native/plan-publish.json`.
28
+ */
29
+ export declare function planPublishConfigPath(): string;
30
+ /**
31
+ * Whether `url`'s host is the first-party Agent-Native Plans app whose token
32
+ * we should mirror to the canonical publish file. Only the hosted Plans app
33
+ * (`plan.agent-native.com`) qualifies — mirroring tokens for other
34
+ * agent-native subdomains (assets, mail, …) would silently overwrite the
35
+ * canonical Plans endpoint with the wrong URL+token each time `connect --all`
36
+ * runs last-write-wins. A custom self-hosted origin (ngrok, localhost, a
37
+ * private deployment) is intentionally excluded: the user can still point the
38
+ * server at it via `PLAN_PUBLISH_URL` / `PLAN_PUBLISH_TOKEN` env vars.
39
+ */
40
+ export declare function isFirstPartyPlanHost(url: string): boolean;
41
+ /**
42
+ * Merge `{ url, token }` into the canonical publish file without clobbering any
43
+ * other keys the file already holds. Best-effort: returns the written path on
44
+ * success, or `null` if the write failed or the inputs were unusable.
45
+ *
46
+ * `filePath` is injectable for tests; production callers omit it and get the
47
+ * env-overridable home-dir path.
48
+ */
49
+ export declare function writePlanPublishAuth(params: {
50
+ url: string;
51
+ token: string;
52
+ }, filePath?: string): string | null;
53
+ /**
54
+ * Read the canonical Plans publish auth written by `agent-native connect`.
55
+ * Returns `null` for missing/corrupt/incomplete files so callers can treat the
56
+ * publish token as optional and guide the user to reconnect.
57
+ */
58
+ export declare function readPlanPublishAuth(filePath?: string): {
59
+ url: string;
60
+ token: string;
61
+ } | null;
62
+ //# sourceMappingURL=plan-publish-store.d.ts.map
package/dist/cli/plan-publish-store.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"plan-publish-store.d.ts","sourceRoot":"","sources":["../../src/cli/plan-publish-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AASH;;;;;GAKG;AACH,wBAAgB,qBAAqB,IAAI,MAAM,CAK9C;AAED;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAOzD;AAMD;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,EACtC,QAAQ,GAAE,MAAgC,GACzC,MAAM,GAAG,IAAI,CAmCf;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,GAAE,MAAgC,GACzC;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAgBvC"}
package/dist/cli/pr-visual-recap-workflow.d.ts ADDED
@@ -0,0 +1,11 @@
1
+ /**
2
+ * Bundled copy of .github/workflows/pr-visual-recap.yml so the CLI can write the
3
+ * PR Visual Recap workflow into a user repo via
4
+ * `agent-native skills add visual-plan --with-github-action`.
5
+ *
6
+ * AUTO-GENERATED — keep byte-identical with the source workflow. A sync test in
7
+ * recap.spec.ts fails if these drift. Regenerate from the YAML with the snippet
8
+ * in recap.spec.ts.
9
+ */
10
+ export declare const PR_VISUAL_RECAP_WORKFLOW_YML = "name: PR Visual Recap\n\n# Visual code review: a coding agent runs the repo's visual-recap skill over the\n# PR diff, publishes a plan, and upserts one sticky comment with a screenshot.\n# Plain `pull_request` (NOT `pull_request_target`) so fork code never sees secrets.\n\non:\n pull_request:\n types: [opened, synchronize, reopened, ready_for_review]\n\npermissions:\n contents: read\n\nconcurrency:\n group: pr-visual-recap-${{ github.event.pull_request.number }}\n cancel-in-progress: true\n\nenv:\n VISUAL_RECAP_AGENT: ${{ vars.VISUAL_RECAP_AGENT || 'claude' }}\n VISUAL_RECAP_SKILL_SOURCE: ${{ vars.VISUAL_RECAP_SKILL_SOURCE || 'auto' }}\n\njobs:\n gate:\n name: Gate\n runs-on: ubuntu-latest\n timeout-minutes: 10\n permissions:\n contents: read\n issues: write\n pull-requests: write\n outputs:\n run: ${{ steps.decide.outputs.run }}\n agent: ${{ steps.decide.outputs.agent }}\n steps:\n - id: decide\n uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0\n env:\n # Presence-only signals \u2014 never expose secret VALUES to the gate.\n HAS_PLAN: ${{ secrets.PLAN_RECAP_TOKEN != '' }}\n HAS_ANTHROPIC: ${{ secrets.ANTHROPIC_API_KEY != '' }}\n HAS_OPENAI: ${{ secrets.OPENAI_API_KEY != '' }}\n AGENT: ${{ env.VISUAL_RECAP_AGENT }}\n VISUAL_RECAP_MODEL: ${{ vars.VISUAL_RECAP_MODEL }}\n HEAD_SHA: ${{ github.event.pull_request.head.sha }}\n with:\n script: |\n const pr = context.payload.pull_request;\n const reasons = [];\n\n if (!pr) reasons.push('no pull_request payload');\n if (pr && pr.draft) reasons.push('draft PR');\n\n // Fork PRs run with no secrets, so publishing would fail anyway \u2014 skip.\n const headRepo = pr && pr.head && pr.head.repo && pr.head.repo.full_name;\n if (pr && headRepo && headRepo !== process.env.GITHUB_REPOSITORY) {\n reasons.push(`fork PR (${headRepo})`);\n }\n\n const login = (pr && pr.user && pr.user.login || '').toLowerCase();\n const botAuthors = ['dependabot[bot]', 'dependabot', 'renovate[bot]', 'renovate'];\n if (botAuthors.includes(login)) reasons.push(`bot author (${login})`);\n if (pr && pr.user && pr.user.type === 'Bot') reasons.push('bot author (type=Bot)');\n\n if (process.env.HAS_PLAN !== 'true') reasons.push('PLAN_RECAP_TOKEN not configured');\n\n // Normalize + validate the agent so a mis-cased value can't pass the\n // gate and then match neither agent step below.\n const agent = (process.env.AGENT || 'claude').toLowerCase();\n if (agent !== 'claude' && agent !== 'codex') {\n reasons.push(`unsupported VISUAL_RECAP_AGENT \"${process.env.AGENT}\" (expected \"claude\" or \"codex\")`);\n } else if (agent === 'codex') {\n if (process.env.HAS_OPENAI !== 'true') reasons.push('OPENAI_API_KEY not configured (codex backend)');\n } else {\n if (process.env.HAS_ANTHROPIC !== 'true') reasons.push('ANTHROPIC_API_KEY not configured (claude backend)');\n }\n\n // Validate the model before it reaches the agent CLI.\n const model = process.env.VISUAL_RECAP_MODEL || '';\n if (model && !/^[a-zA-Z0-9._-]{1,80}$/.test(model)) {\n reasons.push(`invalid VISUAL_RECAP_MODEL value (must match [a-zA-Z0-9._-]{1,80})`);\n }\n\n // Self-modifying guard, evaluated in the trusted gate (runs NO\n // PR-checked-out code): skip the ENTIRE job if the PR touches the\n // workflow, skill, local CLI, or any agent config the runner loads,\n // so a PR can't rewrite what runs and exfiltrate secrets.\n if (pr) {\n try {\n const files = await github.paginate(github.rest.pulls.listFiles, {\n owner: context.repo.owner,\n repo: context.repo.repo,\n pull_number: pr.number,\n per_page: 100,\n });\n const isAgentNativeMonorepo = context.repo.owner === 'BuilderIO' && context.repo.repo === 'agent-native';\n const isSensitive = (p) =>\n p === '.github/workflows/pr-visual-recap.yml' ||\n /(^|\\/)skills\\/visual-(recap|plan|plans)\\//.test(p) ||\n /(^|\\/)\\.claude\\//.test(p) ||\n /(^|\\/)CLAUDE\\.md$/.test(p) ||\n /(^|\\/)AGENTS\\.md$/.test(p) ||\n /(^|\\/)\\.mcp\\.json$/.test(p) ||\n (isAgentNativeMonorepo && /(^|\\/)packages\\/core\\//.test(p));\n const hits = files.map((f) => f.filename).filter(isSensitive);\n if (hits.length) {\n reasons.push(`PR modifies recap-control files (${hits.slice(0, 3).join(', ')}${hits.length > 3 ? ', \u2026' : ''}) \u2014 skipping so untrusted PR code never runs with secrets`);\n }\n } catch (e) {\n // Fail closed: if the file list can't be read, skip.\n reasons.push(`could not list PR files for the self-modifying guard (${e.message}); skipping to be safe`);\n }\n }\n\n const run = reasons.length === 0;\n core.setOutput('run', run ? 'true' : 'false');\n core.setOutput('agent', agent);\n core.info(run ? `Visual recap will run (${agent}).` : `Visual recap skipped: ${reasons.join('; ')}`);\n\n // When skipping, refresh an EXISTING sticky recap comment with a\n // short skip line so it does not silently go stale. Never create a\n // new comment (no spam for repos where the recap has never run).\n if (!run && pr) {\n try {\n const MARKER = '<!-- pr-visual-recap -->';\n const { data: comments } = await github.rest.issues.listComments({\n owner: context.repo.owner,\n repo: context.repo.repo,\n issue_number: pr.number,\n per_page: 100,\n });\n const existing = comments.find(\n (c) => c.user && c.user.type === 'Bot' && c.body && c.body.includes(MARKER)\n );\n if (existing) {\n const headShort = (process.env.HEAD_SHA || '').slice(0, 7);\n const shaRef = headShort ? `\\`${headShort}\\`` : 'latest push';\n const primaryReason = reasons.filter(\n (r) => !r.startsWith('could not list PR files for the self-modifying guard')\n )[0] || reasons[0] || 'skipped';\n const skipLine = `_Recap skipped for ${shaRef}: ${primaryReason}._`;\n const withoutPrev = (existing.body || '')\n .split('\\n')\n .filter((l) => !/_Recap skipped for .+_$/.test(l.trim()))\n .join('\\n')\n .trimEnd();\n const updatedBody = `${withoutPrev}\\n\\n${skipLine}`;\n await github.rest.issues.updateComment({\n owner: context.repo.owner,\n repo: context.repo.repo,\n comment_id: existing.id,\n body: updatedBody,\n });\n }\n } catch (e) {\n core.warning(`Could not update recap skip comment: ${e.message}`);\n }\n }\n\n recap:\n name: Generate visual recap\n needs: gate\n if: needs.gate.outputs.run == 'true'\n runs-on: ubuntu-latest\n timeout-minutes: 30\n permissions:\n checks: write\n contents: read\n issues: write\n pull-requests: write\n env:\n PLAN_RECAP_APP_URL: ${{ secrets.PLAN_RECAP_APP_URL || 'https://plan.agent-native.com' }}\n PLAN_RECAP_TOKEN: ${{ secrets.PLAN_RECAP_TOKEN }}\n GH_TOKEN: ${{ github.token }}\n PR_NUMBER: ${{ github.event.pull_request.number }}\n HEAD_SHA: ${{ github.event.pull_request.head.sha }}\n VISUAL_RECAP_MODEL: ${{ vars.VISUAL_RECAP_MODEL }}\n VISUAL_RECAP_REASONING: ${{ vars.VISUAL_RECAP_REASONING }}\n VISUAL_RECAP_SKILL_SOURCE: ${{ vars.VISUAL_RECAP_SKILL_SOURCE || 'auto' }}\n steps:\n - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n with:\n fetch-depth: 0\n # This job runs an agent over untrusted PR diff; don't leave the token\n # in .git/config (it uses GH_TOKEN for gh API calls, never git push).\n persist-credentials: false\n\n # Dogfood local source inside this monorepo, else the published package.\n # The pnpm steps run ONLY on the local path so npm/yarn consumer repos\n # (no pnpm-lock.yaml) fall back to `npx @agent-native/core`.\n - name: Resolve recap CLI\n id: cli\n env:\n # Optional: pin the consumer CLI version (e.g. \"1.2.3\"). Defaults to\n # \"latest\" when unset. Set via repository variable RECAP_CLI_VERSION.\n RECAP_CLI_VERSION: ${{ vars.RECAP_CLI_VERSION || 'latest' }}\n run: |\n if [ -f packages/core/src/cli/index.ts ]; then\n echo \"RECAP_CLI=pnpm exec tsx packages/core/src/cli/index.ts\" >> \"$GITHUB_ENV\"\n echo \"local=true\" >> \"$GITHUB_OUTPUT\"\n else\n echo \"RECAP_CLI=npx -y @agent-native/core@${RECAP_CLI_VERSION}\" >> \"$GITHUB_ENV\"\n echo \"local=false\" >> \"$GITHUB_OUTPUT\"\n fi\n\n - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8\n if: steps.cli.outputs.local == 'true'\n\n - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n with:\n node-version: \"22\"\n cache: ${{ steps.cli.outputs.local == 'true' && 'pnpm' || '' }}\n\n - name: Install workspace (local source only)\n if: steps.cli.outputs.local == 'true'\n run: pnpm install --frozen-lockfile --ignore-scripts\n\n - name: Start visual recap check\n id: recap_check\n continue-on-error: true\n run: |\n set -uo pipefail\n $RECAP_CLI recap check start --sha \"$HEAD_SHA\" --workflow-url \"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\"\n\n - name: Collect bounded diff\n id: diff\n env:\n BASE_SHA: ${{ github.event.pull_request.base.sha }}\n run: |\n set -euo pipefail\n $RECAP_CLI recap collect-diff --base \"$BASE_SHA\" --head \"$HEAD_SHA\" --out recap.diff --stat recap.stat\n\n - name: Probe plan-app auth\n id: auth_probe\n if: steps.diff.outputs.tiny != 'true'\n continue-on-error: true\n run: |\n set -uo pipefail\n # Hit the plan app's action surface with the publish token. A 401 means\n # the token is expired/revoked; surface it in the sticky comment so the\n # repo owner knows to re-mint it instead of seeing a generic failure.\n HTTP_STATUS=$(node -e '\n const https = require(\"https\");\n const url = new URL(\"/_agent-native/actions/record-recap-usage\", process.env.PLAN_RECAP_APP_URL || \"https://plan.agent-native.com\");\n const req = https.request(url, { method: \"POST\", headers: { \"authorization\": \"Bearer \" + process.env.PLAN_RECAP_TOKEN, \"content-type\": \"application/json\" }, timeout: 8000 }, (res) => { process.stdout.write(String(res.statusCode)); req.destroy(); });\n req.on(\"error\", () => process.stdout.write(\"0\"));\n req.end(JSON.stringify({ planId: \"__probe__\" }));\n ' 2>/dev/null || echo \"0\")\n if [ \"$HTTP_STATUS\" = \"401\" ]; then\n echo \"auth_failed=true\" >> \"$GITHUB_OUTPUT\"\n else\n echo \"auth_failed=false\" >> \"$GITHUB_OUTPUT\"\n fi\n\n - name: Secret scan\n id: scan\n if: steps.diff.outputs.tiny != 'true'\n run: |\n set -uo pipefail\n # Fail CLOSED: a scanner error or invalid JSON suppresses the diff so a\n # credential-bearing diff is never handed to the agent / plan service.\n if ! SCAN_JSON=\"$($RECAP_CLI recap scan --diff recap.diff)\"; then\n SCAN_JSON='{\"suppressed\":true,\"reason\":\"secret scan failed to run; failing closed\"}'\n fi\n {\n echo 'json<<__RECAP_SCAN_EOF__'\n echo \"$SCAN_JSON\"\n echo '__RECAP_SCAN_EOF__'\n } >> \"$GITHUB_OUTPUT\"\n SUPPRESSED=$(node -e 'try{process.stdout.write(JSON.parse(process.argv[1]).suppressed?\"true\":\"false\")}catch{process.stdout.write(\"true\")}' \"$SCAN_JSON\")\n echo \"suppressed=$SUPPRESSED\" >> \"$GITHUB_OUTPUT\"\n\n - name: Read previous plan id\n id: prev\n continue-on-error: true\n run: |\n set -euo pipefail\n PLAN_ID=\"$($RECAP_CLI recap comment find-plan-id --repo \"$GITHUB_REPOSITORY\" --issue \"$PR_NUMBER\" --token \"$GH_TOKEN\")\"\n echo \"plan_id=$PLAN_ID\" >> \"$GITHUB_OUTPUT\"\n\n - name: Build recap prompt\n id: prompt\n if: steps.diff.outputs.tiny != 'true' && steps.scan.outputs.suppressed != 'true'\n env:\n # Pass step outputs via env, NOT ${{ }} interpolation into the run body:\n # the prev plan id is parsed from a PR comment and could inject shell.\n PREV_PLAN_ID: ${{ steps.prev.outputs.plan_id }}\n DIFF_HUGE: ${{ steps.diff.outputs.huge }}\n run: |\n set -euo pipefail\n ARGS=(--diff recap.diff --stat recap.stat --pr \"$PR_NUMBER\" --repo \"$GITHUB_REPOSITORY\" --head \"$HEAD_SHA\" --app-url \"$PLAN_RECAP_APP_URL\" --skill-source \"$VISUAL_RECAP_SKILL_SOURCE\" --out recap-prompt.md)\n if [ \"${DIFF_HUGE:-}\" = \"true\" ]; then ARGS+=(--huge); fi\n if [ -n \"${PREV_PLAN_ID:-}\" ]; then ARGS+=(--prev-plan-id \"$PREV_PLAN_ID\"); fi\n $RECAP_CLI recap build-prompt \"${ARGS[@]}\"\n\n - name: Run agent (Claude Code)\n id: claude\n if: needs.gate.outputs.agent == 'claude' && steps.diff.outputs.tiny != 'true' && steps.scan.outputs.suppressed != 'true'\n continue-on-error: true\n env:\n ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}\n run: |\n set -uo pipefail\n MCP_CONFIG=\"$RUNNER_TEMP/plan-mcp.json\"\n $RECAP_CLI recap mcp-config --agent claude --app-url \"$PLAN_RECAP_APP_URL\" --out \"$MCP_CONFIG\"\n CLAUDE_ARGS=(-p \"$(cat recap-prompt.md)\" --mcp-config \"$MCP_CONFIG\" --allowedTools \"Read,Write,Bash(git diff:*),mcp__plan__get-plan-blocks,mcp__plan__create-visual-recap,mcp__plan__set-resource-visibility\" --permission-mode dontAsk --output-format json)\n if [ -n \"${VISUAL_RECAP_MODEL:-}\" ]; then CLAUDE_ARGS+=(--model \"$VISUAL_RECAP_MODEL\"); fi\n npx -y @anthropic-ai/claude-code@2 \"${CLAUDE_ARGS[@]}\" > claude-result.json || true\n rm -f \"$MCP_CONFIG\" || true\n\n - name: Run agent (Codex)\n id: codex\n if: needs.gate.outputs.agent == 'codex' && steps.diff.outputs.tiny != 'true' && steps.scan.outputs.suppressed != 'true'\n continue-on-error: true\n env:\n OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}\n run: |\n set -uo pipefail\n $RECAP_CLI recap mcp-config --agent codex --app-url \"$PLAN_RECAP_APP_URL\"\n # `codex login` writes ~/.codex/auth.json (the bare env var is dropped on\n # the gpt-5.5 wss transport); stdin keeps the key out of process args.\n printenv OPENAI_API_KEY | npx -y @openai/codex@0 login --with-api-key || true\n # The runner is itself an ephemeral sandbox; bypass Codex's own sandbox\n # (bubblewrap can't init here) and approval gate (cancels the MCP write).\n CODEX_ARGS=(exec --dangerously-bypass-approvals-and-sandbox --skip-git-repo-check)\n if [ -n \"${VISUAL_RECAP_MODEL:-}\" ]; then CODEX_ARGS+=(--model \"$VISUAL_RECAP_MODEL\"); fi\n # Validate reasoning against the enum before embedding it in the TOML override.\n case \"${VISUAL_RECAP_REASONING:-}\" in\n none|minimal|low|medium|high|xhigh)\n CODEX_ARGS+=(-c \"model_reasoning_effort=\\\"$VISUAL_RECAP_REASONING\\\"\") ;;\n \"\") ;;\n *) echo \"Ignoring invalid VISUAL_RECAP_REASONING: $VISUAL_RECAP_REASONING\" ;;\n esac\n npx -y @openai/codex@0 \"${CODEX_ARGS[@]}\" --json \"$(cat recap-prompt.md)\" | tee codex-events.jsonl || true\n\n - name: Read plan URL\n id: url\n if: steps.diff.outputs.tiny != 'true' && steps.scan.outputs.suppressed != 'true'\n run: |\n set -uo pipefail\n PLAN_URL=\"\"\n if [ -f recap-url.txt ]; then PLAN_URL=\"$(tr -d '\\r\\n' < recap-url.txt | tr -d ' ')\"; fi\n # recap-url.txt is agent-written -> untrusted. Rebuild a canonical\n # recap URL from the trusted app base and a strictly validated plan id,\n # preserving path-prefixed self-hosted mounts.\n CANONICAL_URL=$(PLAN_URL=\"$PLAN_URL\" node <<'NODE'\n try {\n const raw = process.env.PLAN_URL || \"\";\n const trusted = new URL(process.env.PLAN_RECAP_APP_URL || \"https://plan.agent-native.com\");\n const parsed = /^https?:\\/\\//i.test(raw)\n ? new URL(raw)\n : new URL(raw, trusted);\n if (parsed.origin !== trusted.origin) {\n process.exit(0);\n }\n\n const base = trusted.pathname.replace(/\\/$/, \"\");\n const paths = [parsed.pathname];\n if (base && parsed.pathname.startsWith(`${base}/`)) {\n paths.push(parsed.pathname.slice(base.length) || \"/\");\n }\n\n for (const path of paths) {\n const match = path.match(/^\\/(?:plans|recaps)\\/([A-Za-z0-9_-]+)\\/?$/);\n if (match) {\n process.stdout.write(`${trusted.origin}${base}/recaps/${match[1]}`);\n break;\n }\n }\n } catch {\n process.exit(0);\n }\n NODE\n )\n if [ -n \"$CANONICAL_URL\" ]; then\n echo \"plan_url=$CANONICAL_URL\" >> \"$GITHUB_OUTPUT\"; echo \"ok=true\" >> \"$GITHUB_OUTPUT\"\n else\n echo \"plan_url=\" >> \"$GITHUB_OUTPUT\"; echo \"ok=false\" >> \"$GITHUB_OUTPUT\"\n fi\n\n - name: Summarize agent failure\n id: agent_summary\n if: steps.url.outputs.ok != 'true' && steps.diff.outputs.tiny != 'true' && steps.scan.outputs.suppressed != 'true'\n continue-on-error: true\n env:\n RECAP_AGENT: ${{ needs.gate.outputs.agent }}\n run: |\n set -uo pipefail\n RESULT=claude-result.json\n if [ \"$RECAP_AGENT\" = \"codex\" ]; then RESULT=codex-events.jsonl; fi\n $RECAP_CLI recap agent-summary --agent \"$RECAP_AGENT\" --result-file \"$RESULT\" || true\n\n - name: Attach usage\n if: steps.url.outputs.ok == 'true'\n continue-on-error: true\n env:\n PLAN_URL: ${{ steps.url.outputs.plan_url }}\n # Use the gate-normalized agent so \"Codex\" still selects the right file.\n RECAP_AGENT: ${{ needs.gate.outputs.agent }}\n run: |\n set -uo pipefail\n RESULT=claude-result.json\n if [ \"$RECAP_AGENT\" = \"codex\" ]; then RESULT=codex-events.jsonl; fi\n if [ -f \"$RESULT\" ]; then $RECAP_CLI recap usage --plan-url \"$PLAN_URL\" --agent \"$RECAP_AGENT\" --result-file \"$RESULT\" --model \"${VISUAL_RECAP_MODEL:-}\" --app-url \"$PLAN_RECAP_APP_URL\" --token \"$PLAN_RECAP_TOKEN\" || true; fi\n\n - name: Cache Playwright browsers\n if: steps.url.outputs.ok == 'true'\n uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3\n with:\n path: ~/.cache/ms-playwright\n key: playwright-1-${{ runner.os }}\n\n - name: Screenshot + upload\n id: shot\n if: steps.url.outputs.ok == 'true'\n continue-on-error: true\n env:\n # recap-url.txt is untrusted agent output; pass via env, never ${{ }}.\n PLAN_URL: ${{ steps.url.outputs.plan_url }}\n run: |\n set -uo pipefail\n pnpm exec playwright install --with-deps chromium 2>/dev/null || npx -y playwright@1 install --with-deps chromium || true\n SHOT_JSON=\"$($RECAP_CLI recap shot --url \"$PLAN_URL\" --token \"$PLAN_RECAP_TOKEN\" --app-url \"$PLAN_RECAP_APP_URL\" --out recap.png || echo '{}')\"\n IMAGE_URL=$(node -e 'try{process.stdout.write(JSON.parse(process.argv[1]).imageUrl||\"\")}catch{process.stdout.write(\"\")}' \"$SHOT_JSON\")\n echo \"image_url=$IMAGE_URL\" >> \"$GITHUB_OUTPUT\"\n if [ -f recap.png ]; then echo \"captured=true\" >> \"$GITHUB_OUTPUT\"; else echo \"captured=false\" >> \"$GITHUB_OUTPUT\"; fi\n\n - name: Upload recap screenshot artifact\n if: steps.shot.outputs.captured == 'true'\n uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1\n with:\n name: pr-visual-recap-${{ github.event.pull_request.number }}\n path: recap.png\n if-no-files-found: ignore\n retention-days: 14\n\n - name: Upsert sticky comment\n if: always()\n continue-on-error: true\n env:\n PLAN_URL: ${{ steps.url.outputs.plan_url }}\n RECAP_IMAGE_URL: ${{ steps.shot.outputs.image_url }}\n SUPPRESSED: ${{ steps.scan.outputs.suppressed }}\n SUPPRESSED_JSON: ${{ steps.scan.outputs.json }}\n DIFF_HUGE: ${{ steps.diff.outputs.huge }}\n DIFF_TINY: ${{ steps.diff.outputs.tiny }}\n PREV_PLAN_ID: ${{ steps.prev.outputs.plan_id }}\n RECAP_AUTH_FAILED: ${{ steps.auth_probe.outputs.auth_failed }}\n RECAP_AGENT_SUMMARY: ${{ steps.agent_summary.outputs.summary }}\n run: |\n set -euo pipefail\n ARGS=(recap comment upsert --repo \"$GITHUB_REPOSITORY\" --issue \"$PR_NUMBER\" --token \"$GH_TOKEN\")\n # On a tiny diff, only REFRESH an existing comment, never create one.\n if [ \"${DIFF_TINY:-}\" = \"true\" ]; then ARGS+=(--update-only); fi\n $RECAP_CLI \"${ARGS[@]}\"\n\n - name: Complete visual recap check\n if: always() && steps.recap_check.outputs.check_run_id != ''\n continue-on-error: true\n env:\n # Untrusted/step values via env (NOT ${{ }}-interpolated into the run\n # body): the agent-written plan URL and the scan JSON could inject shell.\n CHECK_RUN_ID: ${{ steps.recap_check.outputs.check_run_id }}\n PLAN_OK: ${{ steps.url.outputs.ok }}\n PLAN_URL: ${{ steps.url.outputs.plan_url }}\n SUPPRESSED: ${{ steps.scan.outputs.suppressed }}\n SUPPRESSED_JSON: ${{ steps.scan.outputs.json }}\n DIFF_HUGE: ${{ steps.diff.outputs.huge }}\n DIFF_TINY: ${{ steps.diff.outputs.tiny }}\n RECAP_AGENT_SUMMARY: ${{ steps.agent_summary.outputs.summary }}\n run: |\n set -uo pipefail\n $RECAP_CLI recap check complete \\\n --check-run-id \"$CHECK_RUN_ID\" \\\n --plan-ok \"$PLAN_OK\" \\\n --plan-url \"$PLAN_URL\" \\\n --suppressed \"$SUPPRESSED\" \\\n --suppressed-json \"$SUPPRESSED_JSON\" \\\n --huge \"$DIFF_HUGE\" \\\n --tiny \"$DIFF_TINY\" \\\n --failure-summary \"$RECAP_AGENT_SUMMARY\" \\\n --workflow-url \"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\"\n";
11
+ //# sourceMappingURL=pr-visual-recap-workflow.d.ts.map
package/dist/cli/pr-visual-recap-workflow.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"pr-visual-recap-workflow.d.ts","sourceRoot":"","sources":["../../src/cli/pr-visual-recap-workflow.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,eAAO,MAAM,4BAA4B,mmvBACy7uB,CAAC"}
package/dist/cli/pr-visual-recap-workflow.js CHANGED
@@ -7,5 +7,5 @@
7
7
  * recap.spec.ts fails if these drift. Regenerate from the YAML with the snippet
8
8
  * in recap.spec.ts.
9
9
  */
10
- export const PR_VISUAL_RECAP_WORKFLOW_YML = 'name: PR Visual Recap\n\n# Visual code review: a coding agent runs the repo\'s visual-recap skill over the\n# PR diff, publishes a plan, and upserts one sticky comment with a screenshot.\n# Plain `pull_request` (NOT `pull_request_target`) so fork code never sees secrets.\n\non:\n pull_request:\n types: [opened, synchronize, reopened, ready_for_review]\n\npermissions:\n contents: read\n\nconcurrency:\n group: pr-visual-recap-${{ github.event.pull_request.number }}\n cancel-in-progress: true\n\nenv:\n VISUAL_RECAP_AGENT: ${{ vars.VISUAL_RECAP_AGENT || \'claude\' }}\n VISUAL_RECAP_SKILL_SOURCE: ${{ vars.VISUAL_RECAP_SKILL_SOURCE || \'auto\' }}\n\njobs:\n gate:\n name: Gate\n runs-on: ubuntu-latest\n timeout-minutes: 10\n permissions:\n contents: read\n issues: write\n pull-requests: write\n outputs:\n run: ${{ steps.decide.outputs.run }}\n agent: ${{ steps.decide.outputs.agent }}\n steps:\n - id: decide\n uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0\n env:\n # Presence-only signals — never expose secret VALUES to the gate.\n HAS_PLAN: ${{ secrets.PLAN_RECAP_TOKEN != \'\' }}\n HAS_ANTHROPIC: ${{ secrets.ANTHROPIC_API_KEY != \'\' }}\n HAS_OPENAI: ${{ secrets.OPENAI_API_KEY != \'\' }}\n AGENT: ${{ env.VISUAL_RECAP_AGENT }}\n VISUAL_RECAP_MODEL: ${{ vars.VISUAL_RECAP_MODEL }}\n HEAD_SHA: ${{ github.event.pull_request.head.sha }}\n with:\n script: |\n const pr = context.payload.pull_request;\n const reasons = [];\n\n if (!pr) reasons.push(\'no pull_request payload\');\n if (pr && pr.draft) reasons.push(\'draft PR\');\n\n // Fork PRs run with no secrets, so publishing would fail anyway — skip.\n const headRepo = pr && pr.head && pr.head.repo && pr.head.repo.full_name;\n if (pr && headRepo && headRepo !== process.env.GITHUB_REPOSITORY) {\n reasons.push(`fork PR (${headRepo})`);\n }\n\n const login = (pr && pr.user && pr.user.login || \'\').toLowerCase();\n const botAuthors = [\'dependabot[bot]\', \'dependabot\', \'renovate[bot]\', \'renovate\'];\n if (botAuthors.includes(login)) reasons.push(`bot author (${login})`);\n if (pr && pr.user && pr.user.type === \'Bot\') reasons.push(\'bot author (type=Bot)\');\n\n if (process.env.HAS_PLAN !== \'true\') reasons.push(\'PLAN_RECAP_TOKEN not configured\');\n\n // Normalize + validate the agent so a mis-cased value can\'t pass the\n // gate and then match neither agent step below.\n const agent = (process.env.AGENT || \'claude\').toLowerCase();\n if (agent !== \'claude\' && agent !== \'codex\') {\n reasons.push(`unsupported VISUAL_RECAP_AGENT "${process.env.AGENT}" (expected "claude" or "codex")`);\n } else if (agent === \'codex\') {\n if (process.env.HAS_OPENAI !== \'true\') reasons.push(\'OPENAI_API_KEY not configured (codex backend)\');\n } else {\n if (process.env.HAS_ANTHROPIC !== \'true\') reasons.push(\'ANTHROPIC_API_KEY not configured (claude backend)\');\n }\n\n // Validate the model before it reaches the agent CLI.\n const model = process.env.VISUAL_RECAP_MODEL || \'\';\n if (model && !/^[a-zA-Z0-9._-]{1,80}$/.test(model)) {\n reasons.push(`invalid VISUAL_RECAP_MODEL value (must match [a-zA-Z0-9._-]{1,80})`);\n }\n\n // Self-modifying guard, evaluated in the trusted gate (runs NO\n // PR-checked-out code): skip the ENTIRE job if the PR touches the\n // workflow, skill, local CLI, or any agent config the runner loads,\n // so a PR can\'t rewrite what runs and exfiltrate secrets.\n if (pr) {\n try {\n const files = await github.paginate(github.rest.pulls.listFiles, {\n owner: context.repo.owner,\n repo: context.repo.repo,\n pull_number: pr.number,\n per_page: 100,\n });\n const isAgentNativeMonorepo = context.repo.owner === \'BuilderIO\' && context.repo.repo === \'agent-native\';\n const isSensitive = (p) =>\n p === \'.github/workflows/pr-visual-recap.yml\' ||\n /(^|\\/)skills\\/visual-(recap|plan|plans)\\//.test(p) ||\n /(^|\\/)\\.claude\\//.test(p) ||\n /(^|\\/)CLAUDE\\.md$/.test(p) ||\n /(^|\\/)AGENTS\\.md$/.test(p) ||\n /(^|\\/)\\.mcp\\.json$/.test(p) ||\n (isAgentNativeMonorepo && /(^|\\/)packages\\/core\\//.test(p));\n const hits = files.map((f) => f.filename).filter(isSensitive);\n if (hits.length) {\n reasons.push(`PR modifies recap-control files (${hits.slice(0, 3).join(\', \')}${hits.length > 3 ? \', …\' : \'\'}) — skipping so untrusted PR code never runs with secrets`);\n }\n } catch (e) {\n // Fail closed: if the file list can\'t be read, skip.\n reasons.push(`could not list PR files for the self-modifying guard (${e.message}); skipping to be safe`);\n }\n }\n\n const run = reasons.length === 0;\n core.setOutput(\'run\', run ? \'true\' : \'false\');\n core.setOutput(\'agent\', agent);\n core.info(run ? `Visual recap will run (${agent}).` : `Visual recap skipped: ${reasons.join(\'; \')}`);\n\n // When skipping, refresh an EXISTING sticky recap comment with a\n // short skip line so it does not silently go stale. Never create a\n // new comment (no spam for repos where the recap has never run).\n if (!run && pr) {\n try {\n const MARKER = \'<!-- pr-visual-recap -->\';\n const { data: comments } = await github.rest.issues.listComments({\n owner: context.repo.owner,\n repo: context.repo.repo,\n issue_number: pr.number,\n per_page: 100,\n });\n const existing = comments.find(\n (c) => c.user && c.user.type === \'Bot\' && c.body && c.body.includes(MARKER)\n );\n if (existing) {\n const headShort = (process.env.HEAD_SHA || \'\').slice(0, 7);\n const shaRef = headShort ? `\\`${headShort}\\`` : \'latest push\';\n const primaryReason = reasons.filter(\n (r) => !r.startsWith(\'could not list PR files for the self-modifying guard\')\n )[0] || reasons[0] || \'skipped\';\n const skipLine = `_Recap skipped for ${shaRef}: ${primaryReason}._`;\n const withoutPrev = (existing.body || \'\')\n .split(\'\\n\')\n .filter((l) => !/_Recap skipped for .+_$/.test(l.trim()))\n .join(\'\\n\')\n .trimEnd();\n const updatedBody = `${withoutPrev}\\n\\n${skipLine}`;\n await github.rest.issues.updateComment({\n owner: context.repo.owner,\n repo: context.repo.repo,\n comment_id: existing.id,\n body: updatedBody,\n });\n }\n } catch (e) {\n core.warning(`Could not update recap skip comment: ${e.message}`);\n }\n }\n\n recap:\n name: Generate visual recap\n needs: gate\n if: needs.gate.outputs.run == \'true\'\n runs-on: ubuntu-latest\n timeout-minutes: 30\n permissions:\n checks: write\n contents: read\n issues: write\n pull-requests: write\n env:\n PLAN_RECAP_APP_URL: ${{ secrets.PLAN_RECAP_APP_URL || \'https://plan.agent-native.com\' }}\n PLAN_RECAP_TOKEN: ${{ secrets.PLAN_RECAP_TOKEN }}\n GH_TOKEN: ${{ github.token }}\n PR_NUMBER: ${{ github.event.pull_request.number }}\n HEAD_SHA: ${{ github.event.pull_request.head.sha }}\n VISUAL_RECAP_MODEL: ${{ vars.VISUAL_RECAP_MODEL }}\n VISUAL_RECAP_REASONING: ${{ vars.VISUAL_RECAP_REASONING }}\n VISUAL_RECAP_SKILL_SOURCE: ${{ vars.VISUAL_RECAP_SKILL_SOURCE || \'auto\' }}\n steps:\n - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n with:\n fetch-depth: 0\n # This job runs an agent over untrusted PR diff; don\'t leave the token\n # in .git/config (it uses GH_TOKEN for gh API calls, never git push).\n persist-credentials: false\n\n # Dogfood local source inside this monorepo, else the published package.\n # The pnpm steps run ONLY on the local path so npm/yarn consumer repos\n # (no pnpm-lock.yaml) fall back to `npx @agent-native/core`.\n - name: Resolve recap CLI\n id: cli\n env:\n # Optional: pin the consumer CLI version (e.g. "1.2.3"). Defaults to\n # "latest" when unset. Set via repository variable RECAP_CLI_VERSION.\n RECAP_CLI_VERSION: ${{ vars.RECAP_CLI_VERSION || \'latest\' }}\n run: |\n if [ -f packages/core/src/cli/index.ts ]; then\n echo "RECAP_CLI=pnpm exec tsx packages/core/src/cli/index.ts" >> "$GITHUB_ENV"\n echo "local=true" >> "$GITHUB_OUTPUT"\n else\n echo "RECAP_CLI=npx -y @agent-native/core@${RECAP_CLI_VERSION}" >> "$GITHUB_ENV"\n echo "local=false" >> "$GITHUB_OUTPUT"\n fi\n\n - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8\n if: steps.cli.outputs.local == \'true\'\n\n - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n with:\n node-version: "22"\n cache: ${{ steps.cli.outputs.local == \'true\' && \'pnpm\' || \'\' }}\n\n - name: Install workspace (local source only)\n if: steps.cli.outputs.local == \'true\'\n run: pnpm install --frozen-lockfile --ignore-scripts\n\n - name: Start visual recap check\n id: recap_check\n continue-on-error: true\n run: |\n set -uo pipefail\n $RECAP_CLI recap check start --sha "$HEAD_SHA" --workflow-url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"\n\n - name: Collect bounded diff\n id: diff\n env:\n BASE_SHA: ${{ github.event.pull_request.base.sha }}\n run: |\n set -euo pipefail\n $RECAP_CLI recap collect-diff --base "$BASE_SHA" --head "$HEAD_SHA" --out recap.diff --stat recap.stat\n\n - name: Probe plan-app auth\n id: auth_probe\n if: steps.diff.outputs.tiny != \'true\'\n continue-on-error: true\n run: |\n set -uo pipefail\n # Hit the plan app\'s action surface with the publish token. A 401 means\n # the token is expired/revoked; surface it in the sticky comment so the\n # repo owner knows to re-mint it instead of seeing a generic failure.\n HTTP_STATUS=$(node -e \'\n const https = require("https");\n const url = new URL("/_agent-native/actions/record-recap-usage", process.env.PLAN_RECAP_APP_URL || "https://plan.agent-native.com");\n const req = https.request(url, { method: "POST", headers: { "authorization": "Bearer " + process.env.PLAN_RECAP_TOKEN, "content-type": "application/json" }, timeout: 8000 }, (res) => { process.stdout.write(String(res.statusCode)); req.destroy(); });\n req.on("error", () => process.stdout.write("0"));\n req.end(JSON.stringify({ planId: "__probe__" }));\n \' 2>/dev/null || echo "0")\n if [ "$HTTP_STATUS" = "401" ]; then\n echo "auth_failed=true" >> "$GITHUB_OUTPUT"\n else\n echo "auth_failed=false" >> "$GITHUB_OUTPUT"\n fi\n\n - name: Secret scan\n id: scan\n if: steps.diff.outputs.tiny != \'true\'\n run: |\n set -uo pipefail\n # Fail CLOSED: a scanner error or invalid JSON suppresses the diff so a\n # credential-bearing diff is never handed to the agent / plan service.\n if ! SCAN_JSON="$($RECAP_CLI recap scan --diff recap.diff)"; then\n SCAN_JSON=\'{"suppressed":true,"reason":"secret scan failed to run; failing closed"}\'\n fi\n {\n echo \'json<<__RECAP_SCAN_EOF__\'\n echo "$SCAN_JSON"\n echo \'__RECAP_SCAN_EOF__\'\n } >> "$GITHUB_OUTPUT"\n SUPPRESSED=$(node -e \'try{process.stdout.write(JSON.parse(process.argv[1]).suppressed?"true":"false")}catch{process.stdout.write("true")}\' "$SCAN_JSON")\n echo "suppressed=$SUPPRESSED" >> "$GITHUB_OUTPUT"\n\n - name: Read previous plan id\n id: prev\n continue-on-error: true\n run: |\n set -euo pipefail\n PLAN_ID="$($RECAP_CLI recap comment find-plan-id --repo "$GITHUB_REPOSITORY" --issue "$PR_NUMBER" --token "$GH_TOKEN")"\n echo "plan_id=$PLAN_ID" >> "$GITHUB_OUTPUT"\n\n - name: Build recap prompt\n id: prompt\n if: steps.diff.outputs.tiny != \'true\' && steps.scan.outputs.suppressed != \'true\'\n env:\n # Pass step outputs via env, NOT ${{ }} interpolation into the run body:\n # the prev plan id is parsed from a PR comment and could inject shell.\n PREV_PLAN_ID: ${{ steps.prev.outputs.plan_id }}\n DIFF_HUGE: ${{ steps.diff.outputs.huge }}\n run: |\n set -euo pipefail\n ARGS=(--diff recap.diff --stat recap.stat --pr "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --head "$HEAD_SHA" --app-url "$PLAN_RECAP_APP_URL" --skill-source "$VISUAL_RECAP_SKILL_SOURCE" --out recap-prompt.md)\n if [ "${DIFF_HUGE:-}" = "true" ]; then ARGS+=(--huge); fi\n if [ -n "${PREV_PLAN_ID:-}" ]; then ARGS+=(--prev-plan-id "$PREV_PLAN_ID"); fi\n $RECAP_CLI recap build-prompt "${ARGS[@]}"\n\n - name: Run agent (Claude Code)\n id: claude\n if: needs.gate.outputs.agent == \'claude\' && steps.diff.outputs.tiny != \'true\' && steps.scan.outputs.suppressed != \'true\'\n continue-on-error: true\n env:\n ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}\n run: |\n set -uo pipefail\n MCP_CONFIG="$RUNNER_TEMP/plan-mcp.json"\n $RECAP_CLI recap mcp-config --agent claude --app-url "$PLAN_RECAP_APP_URL" --out "$MCP_CONFIG"\n CLAUDE_ARGS=(-p "$(cat recap-prompt.md)" --mcp-config "$MCP_CONFIG" --allowedTools "Read,Write,Bash(git diff:*),mcp__plan__get-plan-blocks,mcp__plan__create-visual-recap,mcp__plan__set-resource-visibility" --permission-mode dontAsk --output-format json)\n if [ -n "${VISUAL_RECAP_MODEL:-}" ]; then CLAUDE_ARGS+=(--model "$VISUAL_RECAP_MODEL"); fi\n npx -y @anthropic-ai/claude-code@2 "${CLAUDE_ARGS[@]}" > claude-result.json || true\n rm -f "$MCP_CONFIG" || true\n\n - name: Run agent (Codex)\n id: codex\n if: needs.gate.outputs.agent == \'codex\' && steps.diff.outputs.tiny != \'true\' && steps.scan.outputs.suppressed != \'true\'\n continue-on-error: true\n env:\n OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}\n run: |\n set -uo pipefail\n $RECAP_CLI recap mcp-config --agent codex --app-url "$PLAN_RECAP_APP_URL"\n # `codex login` writes ~/.codex/auth.json (the bare env var is dropped on\n # the gpt-5.5 wss transport); stdin keeps the key out of process args.\n printenv OPENAI_API_KEY | npx -y @openai/codex@0 login --with-api-key || true\n # The runner is itself an ephemeral sandbox; bypass Codex\'s own sandbox\n # (bubblewrap can\'t init here) and approval gate (cancels the MCP write).\n CODEX_ARGS=(exec --dangerously-bypass-approvals-and-sandbox --skip-git-repo-check)\n if [ -n "${VISUAL_RECAP_MODEL:-}" ]; then CODEX_ARGS+=(--model "$VISUAL_RECAP_MODEL"); fi\n # Validate reasoning against the enum before embedding it in the TOML override.\n case "${VISUAL_RECAP_REASONING:-}" in\n none|minimal|low|medium|high|xhigh)\n CODEX_ARGS+=(-c "model_reasoning_effort=\\"$VISUAL_RECAP_REASONING\\"") ;;\n "") ;;\n *) echo "Ignoring invalid VISUAL_RECAP_REASONING: $VISUAL_RECAP_REASONING" ;;\n esac\n npx -y @openai/codex@0 "${CODEX_ARGS[@]}" --json "$(cat recap-prompt.md)" | tee codex-events.jsonl || true\n\n - name: Read plan URL\n id: url\n if: steps.diff.outputs.tiny != \'true\' && steps.scan.outputs.suppressed != \'true\'\n run: |\n set -uo pipefail\n PLAN_URL=""\n if [ -f recap-url.txt ]; then PLAN_URL="$(tr -d \'\\r\\n\' < recap-url.txt | tr -d \' \')"; fi\n # recap-url.txt is agent-written -> untrusted. Rebuild a canonical\n # recap URL from the trusted app base and a strictly validated plan id,\n # preserving path-prefixed self-hosted mounts.\n CANONICAL_URL=$(PLAN_URL="$PLAN_URL" node <<\'NODE\'\n try {\n const raw = process.env.PLAN_URL || "";\n const trusted = new URL(process.env.PLAN_RECAP_APP_URL || "https://plan.agent-native.com");\n const parsed = /^https?:\\/\\//i.test(raw)\n ? new URL(raw)\n : new URL(raw, trusted);\n if (parsed.origin !== trusted.origin) {\n process.exit(0);\n }\n\n const base = trusted.pathname.replace(/\\/$/, "");\n const paths = [parsed.pathname];\n if (base && parsed.pathname.startsWith(`${base}/`)) {\n paths.push(parsed.pathname.slice(base.length) || "/");\n }\n\n for (const path of paths) {\n const match = path.match(/^\\/(?:plans|recaps)\\/([A-Za-z0-9_-]+)\\/?$/);\n if (match) {\n process.stdout.write(`${trusted.origin}${base}/recaps/${match[1]}`);\n break;\n }\n }\n } catch {\n process.exit(0);\n }\n NODE\n )\n if [ -n "$CANONICAL_URL" ]; then\n echo "plan_url=$CANONICAL_URL" >> "$GITHUB_OUTPUT"; echo "ok=true" >> "$GITHUB_OUTPUT"\n else\n echo "plan_url=" >> "$GITHUB_OUTPUT"; echo "ok=false" >> "$GITHUB_OUTPUT"\n fi\n\n - name: Attach usage\n if: steps.url.outputs.ok == \'true\'\n continue-on-error: true\n env:\n PLAN_URL: ${{ steps.url.outputs.plan_url }}\n # Use the gate-normalized agent so "Codex" still selects the right file.\n RECAP_AGENT: ${{ needs.gate.outputs.agent }}\n run: |\n set -uo pipefail\n RESULT=claude-result.json\n if [ "$RECAP_AGENT" = "codex" ]; then RESULT=codex-events.jsonl; fi\n if [ -f "$RESULT" ]; then $RECAP_CLI recap usage --plan-url "$PLAN_URL" --agent "$RECAP_AGENT" --result-file "$RESULT" --model "${VISUAL_RECAP_MODEL:-}" --app-url "$PLAN_RECAP_APP_URL" --token "$PLAN_RECAP_TOKEN" || true; fi\n\n - name: Cache Playwright browsers\n if: steps.url.outputs.ok == \'true\'\n uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3\n with:\n path: ~/.cache/ms-playwright\n key: playwright-1-${{ runner.os }}\n\n - name: Screenshot + upload\n id: shot\n if: steps.url.outputs.ok == \'true\'\n continue-on-error: true\n env:\n # recap-url.txt is untrusted agent output; pass via env, never ${{ }}.\n PLAN_URL: ${{ steps.url.outputs.plan_url }}\n run: |\n set -uo pipefail\n pnpm exec playwright install --with-deps chromium 2>/dev/null || npx -y playwright@1 install --with-deps chromium || true\n SHOT_JSON="$($RECAP_CLI recap shot --url "$PLAN_URL" --token "$PLAN_RECAP_TOKEN" --app-url "$PLAN_RECAP_APP_URL" --out recap.png || echo \'{}\')"\n IMAGE_URL=$(node -e \'try{process.stdout.write(JSON.parse(process.argv[1]).imageUrl||"")}catch{process.stdout.write("")}\' "$SHOT_JSON")\n echo "image_url=$IMAGE_URL" >> "$GITHUB_OUTPUT"\n if [ -f recap.png ]; then echo "captured=true" >> "$GITHUB_OUTPUT"; else echo "captured=false" >> "$GITHUB_OUTPUT"; fi\n\n - name: Upload recap screenshot artifact\n if: steps.shot.outputs.captured == \'true\'\n uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1\n with:\n name: pr-visual-recap-${{ github.event.pull_request.number }}\n path: recap.png\n if-no-files-found: ignore\n retention-days: 14\n\n - name: Upsert sticky comment\n if: always()\n continue-on-error: true\n env:\n PLAN_URL: ${{ steps.url.outputs.plan_url }}\n RECAP_IMAGE_URL: ${{ steps.shot.outputs.image_url }}\n SUPPRESSED: ${{ steps.scan.outputs.suppressed }}\n SUPPRESSED_JSON: ${{ steps.scan.outputs.json }}\n DIFF_HUGE: ${{ steps.diff.outputs.huge }}\n DIFF_TINY: ${{ steps.diff.outputs.tiny }}\n PREV_PLAN_ID: ${{ steps.prev.outputs.plan_id }}\n RECAP_AUTH_FAILED: ${{ steps.auth_probe.outputs.auth_failed }}\n run: |\n set -euo pipefail\n ARGS=(recap comment upsert --repo "$GITHUB_REPOSITORY" --issue "$PR_NUMBER" --token "$GH_TOKEN")\n # On a tiny diff, only REFRESH an existing comment, never create one.\n if [ "${DIFF_TINY:-}" = "true" ]; then ARGS+=(--update-only); fi\n $RECAP_CLI "${ARGS[@]}"\n\n - name: Complete visual recap check\n if: always() && steps.recap_check.outputs.check_run_id != \'\'\n continue-on-error: true\n env:\n # Untrusted/step values via env (NOT ${{ }}-interpolated into the run\n # body): the agent-written plan URL and the scan JSON could inject shell.\n CHECK_RUN_ID: ${{ steps.recap_check.outputs.check_run_id }}\n PLAN_OK: ${{ steps.url.outputs.ok }}\n PLAN_URL: ${{ steps.url.outputs.plan_url }}\n SUPPRESSED: ${{ steps.scan.outputs.suppressed }}\n SUPPRESSED_JSON: ${{ steps.scan.outputs.json }}\n DIFF_HUGE: ${{ steps.diff.outputs.huge }}\n DIFF_TINY: ${{ steps.diff.outputs.tiny }}\n run: |\n set -uo pipefail\n $RECAP_CLI recap check complete \\\n --check-run-id "$CHECK_RUN_ID" \\\n --plan-ok "$PLAN_OK" \\\n --plan-url "$PLAN_URL" \\\n --suppressed "$SUPPRESSED" \\\n --suppressed-json "$SUPPRESSED_JSON" \\\n --huge "$DIFF_HUGE" \\\n --tiny "$DIFF_TINY" \\\n --workflow-url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"\n';
10
+ export const PR_VISUAL_RECAP_WORKFLOW_YML = 'name: PR Visual Recap\n\n# Visual code review: a coding agent runs the repo\'s visual-recap skill over the\n# PR diff, publishes a plan, and upserts one sticky comment with a screenshot.\n# Plain `pull_request` (NOT `pull_request_target`) so fork code never sees secrets.\n\non:\n pull_request:\n types: [opened, synchronize, reopened, ready_for_review]\n\npermissions:\n contents: read\n\nconcurrency:\n group: pr-visual-recap-${{ github.event.pull_request.number }}\n cancel-in-progress: true\n\nenv:\n VISUAL_RECAP_AGENT: ${{ vars.VISUAL_RECAP_AGENT || \'claude\' }}\n VISUAL_RECAP_SKILL_SOURCE: ${{ vars.VISUAL_RECAP_SKILL_SOURCE || \'auto\' }}\n\njobs:\n gate:\n name: Gate\n runs-on: ubuntu-latest\n timeout-minutes: 10\n permissions:\n contents: read\n issues: write\n pull-requests: write\n outputs:\n run: ${{ steps.decide.outputs.run }}\n agent: ${{ steps.decide.outputs.agent }}\n steps:\n - id: decide\n uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0\n env:\n # Presence-only signals — never expose secret VALUES to the gate.\n HAS_PLAN: ${{ secrets.PLAN_RECAP_TOKEN != \'\' }}\n HAS_ANTHROPIC: ${{ secrets.ANTHROPIC_API_KEY != \'\' }}\n HAS_OPENAI: ${{ secrets.OPENAI_API_KEY != \'\' }}\n AGENT: ${{ env.VISUAL_RECAP_AGENT }}\n VISUAL_RECAP_MODEL: ${{ vars.VISUAL_RECAP_MODEL }}\n HEAD_SHA: ${{ github.event.pull_request.head.sha }}\n with:\n script: |\n const pr = context.payload.pull_request;\n const reasons = [];\n\n if (!pr) reasons.push(\'no pull_request payload\');\n if (pr && pr.draft) reasons.push(\'draft PR\');\n\n // Fork PRs run with no secrets, so publishing would fail anyway — skip.\n const headRepo = pr && pr.head && pr.head.repo && pr.head.repo.full_name;\n if (pr && headRepo && headRepo !== process.env.GITHUB_REPOSITORY) {\n reasons.push(`fork PR (${headRepo})`);\n }\n\n const login = (pr && pr.user && pr.user.login || \'\').toLowerCase();\n const botAuthors = [\'dependabot[bot]\', \'dependabot\', \'renovate[bot]\', \'renovate\'];\n if (botAuthors.includes(login)) reasons.push(`bot author (${login})`);\n if (pr && pr.user && pr.user.type === \'Bot\') reasons.push(\'bot author (type=Bot)\');\n\n if (process.env.HAS_PLAN !== \'true\') reasons.push(\'PLAN_RECAP_TOKEN not configured\');\n\n // Normalize + validate the agent so a mis-cased value can\'t pass the\n // gate and then match neither agent step below.\n const agent = (process.env.AGENT || \'claude\').toLowerCase();\n if (agent !== \'claude\' && agent !== \'codex\') {\n reasons.push(`unsupported VISUAL_RECAP_AGENT "${process.env.AGENT}" (expected "claude" or "codex")`);\n } else if (agent === \'codex\') {\n if (process.env.HAS_OPENAI !== \'true\') reasons.push(\'OPENAI_API_KEY not configured (codex backend)\');\n } else {\n if (process.env.HAS_ANTHROPIC !== \'true\') reasons.push(\'ANTHROPIC_API_KEY not configured (claude backend)\');\n }\n\n // Validate the model before it reaches the agent CLI.\n const model = process.env.VISUAL_RECAP_MODEL || \'\';\n if (model && !/^[a-zA-Z0-9._-]{1,80}$/.test(model)) {\n reasons.push(`invalid VISUAL_RECAP_MODEL value (must match [a-zA-Z0-9._-]{1,80})`);\n }\n\n // Self-modifying guard, evaluated in the trusted gate (runs NO\n // PR-checked-out code): skip the ENTIRE job if the PR touches the\n // workflow, skill, local CLI, or any agent config the runner loads,\n // so a PR can\'t rewrite what runs and exfiltrate secrets.\n if (pr) {\n try {\n const files = await github.paginate(github.rest.pulls.listFiles, {\n owner: context.repo.owner,\n repo: context.repo.repo,\n pull_number: pr.number,\n per_page: 100,\n });\n const isAgentNativeMonorepo = context.repo.owner === \'BuilderIO\' && context.repo.repo === \'agent-native\';\n const isSensitive = (p) =>\n p === \'.github/workflows/pr-visual-recap.yml\' ||\n /(^|\\/)skills\\/visual-(recap|plan|plans)\\//.test(p) ||\n /(^|\\/)\\.claude\\//.test(p) ||\n /(^|\\/)CLAUDE\\.md$/.test(p) ||\n /(^|\\/)AGENTS\\.md$/.test(p) ||\n /(^|\\/)\\.mcp\\.json$/.test(p) ||\n (isAgentNativeMonorepo && /(^|\\/)packages\\/core\\//.test(p));\n const hits = files.map((f) => f.filename).filter(isSensitive);\n if (hits.length) {\n reasons.push(`PR modifies recap-control files (${hits.slice(0, 3).join(\', \')}${hits.length > 3 ? \', …\' : \'\'}) — skipping so untrusted PR code never runs with secrets`);\n }\n } catch (e) {\n // Fail closed: if the file list can\'t be read, skip.\n reasons.push(`could not list PR files for the self-modifying guard (${e.message}); skipping to be safe`);\n }\n }\n\n const run = reasons.length === 0;\n core.setOutput(\'run\', run ? \'true\' : \'false\');\n core.setOutput(\'agent\', agent);\n core.info(run ? `Visual recap will run (${agent}).` : `Visual recap skipped: ${reasons.join(\'; \')}`);\n\n // When skipping, refresh an EXISTING sticky recap comment with a\n // short skip line so it does not silently go stale. Never create a\n // new comment (no spam for repos where the recap has never run).\n if (!run && pr) {\n try {\n const MARKER = \'<!-- pr-visual-recap -->\';\n const { data: comments } = await github.rest.issues.listComments({\n owner: context.repo.owner,\n repo: context.repo.repo,\n issue_number: pr.number,\n per_page: 100,\n });\n const existing = comments.find(\n (c) => c.user && c.user.type === \'Bot\' && c.body && c.body.includes(MARKER)\n );\n if (existing) {\n const headShort = (process.env.HEAD_SHA || \'\').slice(0, 7);\n const shaRef = headShort ? `\\`${headShort}\\`` : \'latest push\';\n const primaryReason = reasons.filter(\n (r) => !r.startsWith(\'could not list PR files for the self-modifying guard\')\n )[0] || reasons[0] || \'skipped\';\n const skipLine = `_Recap skipped for ${shaRef}: ${primaryReason}._`;\n const withoutPrev = (existing.body || \'\')\n .split(\'\\n\')\n .filter((l) => !/_Recap skipped for .+_$/.test(l.trim()))\n .join(\'\\n\')\n .trimEnd();\n const updatedBody = `${withoutPrev}\\n\\n${skipLine}`;\n await github.rest.issues.updateComment({\n owner: context.repo.owner,\n repo: context.repo.repo,\n comment_id: existing.id,\n body: updatedBody,\n });\n }\n } catch (e) {\n core.warning(`Could not update recap skip comment: ${e.message}`);\n }\n }\n\n recap:\n name: Generate visual recap\n needs: gate\n if: needs.gate.outputs.run == \'true\'\n runs-on: ubuntu-latest\n timeout-minutes: 30\n permissions:\n checks: write\n contents: read\n issues: write\n pull-requests: write\n env:\n PLAN_RECAP_APP_URL: ${{ secrets.PLAN_RECAP_APP_URL || \'https://plan.agent-native.com\' }}\n PLAN_RECAP_TOKEN: ${{ secrets.PLAN_RECAP_TOKEN }}\n GH_TOKEN: ${{ github.token }}\n PR_NUMBER: ${{ github.event.pull_request.number }}\n HEAD_SHA: ${{ github.event.pull_request.head.sha }}\n VISUAL_RECAP_MODEL: ${{ vars.VISUAL_RECAP_MODEL }}\n VISUAL_RECAP_REASONING: ${{ vars.VISUAL_RECAP_REASONING }}\n VISUAL_RECAP_SKILL_SOURCE: ${{ vars.VISUAL_RECAP_SKILL_SOURCE || \'auto\' }}\n steps:\n - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n with:\n fetch-depth: 0\n # This job runs an agent over untrusted PR diff; don\'t leave the token\n # in .git/config (it uses GH_TOKEN for gh API calls, never git push).\n persist-credentials: false\n\n # Dogfood local source inside this monorepo, else the published package.\n # The pnpm steps run ONLY on the local path so npm/yarn consumer repos\n # (no pnpm-lock.yaml) fall back to `npx @agent-native/core`.\n - name: Resolve recap CLI\n id: cli\n env:\n # Optional: pin the consumer CLI version (e.g. "1.2.3"). Defaults to\n # "latest" when unset. Set via repository variable RECAP_CLI_VERSION.\n RECAP_CLI_VERSION: ${{ vars.RECAP_CLI_VERSION || \'latest\' }}\n run: |\n if [ -f packages/core/src/cli/index.ts ]; then\n echo "RECAP_CLI=pnpm exec tsx packages/core/src/cli/index.ts" >> "$GITHUB_ENV"\n echo "local=true" >> "$GITHUB_OUTPUT"\n else\n echo "RECAP_CLI=npx -y @agent-native/core@${RECAP_CLI_VERSION}" >> "$GITHUB_ENV"\n echo "local=false" >> "$GITHUB_OUTPUT"\n fi\n\n - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8\n if: steps.cli.outputs.local == \'true\'\n\n - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n with:\n node-version: "22"\n cache: ${{ steps.cli.outputs.local == \'true\' && \'pnpm\' || \'\' }}\n\n - name: Install workspace (local source only)\n if: steps.cli.outputs.local == \'true\'\n run: pnpm install --frozen-lockfile --ignore-scripts\n\n - name: Start visual recap check\n id: recap_check\n continue-on-error: true\n run: |\n set -uo pipefail\n $RECAP_CLI recap check start --sha "$HEAD_SHA" --workflow-url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"\n\n - name: Collect bounded diff\n id: diff\n env:\n BASE_SHA: ${{ github.event.pull_request.base.sha }}\n run: |\n set -euo pipefail\n $RECAP_CLI recap collect-diff --base "$BASE_SHA" --head "$HEAD_SHA" --out recap.diff --stat recap.stat\n\n - name: Probe plan-app auth\n id: auth_probe\n if: steps.diff.outputs.tiny != \'true\'\n continue-on-error: true\n run: |\n set -uo pipefail\n # Hit the plan app\'s action surface with the publish token. A 401 means\n # the token is expired/revoked; surface it in the sticky comment so the\n # repo owner knows to re-mint it instead of seeing a generic failure.\n HTTP_STATUS=$(node -e \'\n const https = require("https");\n const url = new URL("/_agent-native/actions/record-recap-usage", process.env.PLAN_RECAP_APP_URL || "https://plan.agent-native.com");\n const req = https.request(url, { method: "POST", headers: { "authorization": "Bearer " + process.env.PLAN_RECAP_TOKEN, "content-type": "application/json" }, timeout: 8000 }, (res) => { process.stdout.write(String(res.statusCode)); req.destroy(); });\n req.on("error", () => process.stdout.write("0"));\n req.end(JSON.stringify({ planId: "__probe__" }));\n \' 2>/dev/null || echo "0")\n if [ "$HTTP_STATUS" = "401" ]; then\n echo "auth_failed=true" >> "$GITHUB_OUTPUT"\n else\n echo "auth_failed=false" >> "$GITHUB_OUTPUT"\n fi\n\n - name: Secret scan\n id: scan\n if: steps.diff.outputs.tiny != \'true\'\n run: |\n set -uo pipefail\n # Fail CLOSED: a scanner error or invalid JSON suppresses the diff so a\n # credential-bearing diff is never handed to the agent / plan service.\n if ! SCAN_JSON="$($RECAP_CLI recap scan --diff recap.diff)"; then\n SCAN_JSON=\'{"suppressed":true,"reason":"secret scan failed to run; failing closed"}\'\n fi\n {\n echo \'json<<__RECAP_SCAN_EOF__\'\n echo "$SCAN_JSON"\n echo \'__RECAP_SCAN_EOF__\'\n } >> "$GITHUB_OUTPUT"\n SUPPRESSED=$(node -e \'try{process.stdout.write(JSON.parse(process.argv[1]).suppressed?"true":"false")}catch{process.stdout.write("true")}\' "$SCAN_JSON")\n echo "suppressed=$SUPPRESSED" >> "$GITHUB_OUTPUT"\n\n - name: Read previous plan id\n id: prev\n continue-on-error: true\n run: |\n set -euo pipefail\n PLAN_ID="$($RECAP_CLI recap comment find-plan-id --repo "$GITHUB_REPOSITORY" --issue "$PR_NUMBER" --token "$GH_TOKEN")"\n echo "plan_id=$PLAN_ID" >> "$GITHUB_OUTPUT"\n\n - name: Build recap prompt\n id: prompt\n if: steps.diff.outputs.tiny != \'true\' && steps.scan.outputs.suppressed != \'true\'\n env:\n # Pass step outputs via env, NOT ${{ }} interpolation into the run body:\n # the prev plan id is parsed from a PR comment and could inject shell.\n PREV_PLAN_ID: ${{ steps.prev.outputs.plan_id }}\n DIFF_HUGE: ${{ steps.diff.outputs.huge }}\n run: |\n set -euo pipefail\n ARGS=(--diff recap.diff --stat recap.stat --pr "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --head "$HEAD_SHA" --app-url "$PLAN_RECAP_APP_URL" --skill-source "$VISUAL_RECAP_SKILL_SOURCE" --out recap-prompt.md)\n if [ "${DIFF_HUGE:-}" = "true" ]; then ARGS+=(--huge); fi\n if [ -n "${PREV_PLAN_ID:-}" ]; then ARGS+=(--prev-plan-id "$PREV_PLAN_ID"); fi\n $RECAP_CLI recap build-prompt "${ARGS[@]}"\n\n - name: Run agent (Claude Code)\n id: claude\n if: needs.gate.outputs.agent == \'claude\' && steps.diff.outputs.tiny != \'true\' && steps.scan.outputs.suppressed != \'true\'\n continue-on-error: true\n env:\n ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}\n run: |\n set -uo pipefail\n MCP_CONFIG="$RUNNER_TEMP/plan-mcp.json"\n $RECAP_CLI recap mcp-config --agent claude --app-url "$PLAN_RECAP_APP_URL" --out "$MCP_CONFIG"\n CLAUDE_ARGS=(-p "$(cat recap-prompt.md)" --mcp-config "$MCP_CONFIG" --allowedTools "Read,Write,Bash(git diff:*),mcp__plan__get-plan-blocks,mcp__plan__create-visual-recap,mcp__plan__set-resource-visibility" --permission-mode dontAsk --output-format json)\n if [ -n "${VISUAL_RECAP_MODEL:-}" ]; then CLAUDE_ARGS+=(--model "$VISUAL_RECAP_MODEL"); fi\n npx -y @anthropic-ai/claude-code@2 "${CLAUDE_ARGS[@]}" > claude-result.json || true\n rm -f "$MCP_CONFIG" || true\n\n - name: Run agent (Codex)\n id: codex\n if: needs.gate.outputs.agent == \'codex\' && steps.diff.outputs.tiny != \'true\' && steps.scan.outputs.suppressed != \'true\'\n continue-on-error: true\n env:\n OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}\n run: |\n set -uo pipefail\n $RECAP_CLI recap mcp-config --agent codex --app-url "$PLAN_RECAP_APP_URL"\n # `codex login` writes ~/.codex/auth.json (the bare env var is dropped on\n # the gpt-5.5 wss transport); stdin keeps the key out of process args.\n printenv OPENAI_API_KEY | npx -y @openai/codex@0 login --with-api-key || true\n # The runner is itself an ephemeral sandbox; bypass Codex\'s own sandbox\n # (bubblewrap can\'t init here) and approval gate (cancels the MCP write).\n CODEX_ARGS=(exec --dangerously-bypass-approvals-and-sandbox --skip-git-repo-check)\n if [ -n "${VISUAL_RECAP_MODEL:-}" ]; then CODEX_ARGS+=(--model "$VISUAL_RECAP_MODEL"); fi\n # Validate reasoning against the enum before embedding it in the TOML override.\n case "${VISUAL_RECAP_REASONING:-}" in\n none|minimal|low|medium|high|xhigh)\n CODEX_ARGS+=(-c "model_reasoning_effort=\\"$VISUAL_RECAP_REASONING\\"") ;;\n "") ;;\n *) echo "Ignoring invalid VISUAL_RECAP_REASONING: $VISUAL_RECAP_REASONING" ;;\n esac\n npx -y @openai/codex@0 "${CODEX_ARGS[@]}" --json "$(cat recap-prompt.md)" | tee codex-events.jsonl || true\n\n - name: Read plan URL\n id: url\n if: steps.diff.outputs.tiny != \'true\' && steps.scan.outputs.suppressed != \'true\'\n run: |\n set -uo pipefail\n PLAN_URL=""\n if [ -f recap-url.txt ]; then PLAN_URL="$(tr -d \'\\r\\n\' < recap-url.txt | tr -d \' \')"; fi\n # recap-url.txt is agent-written -> untrusted. Rebuild a canonical\n # recap URL from the trusted app base and a strictly validated plan id,\n # preserving path-prefixed self-hosted mounts.\n CANONICAL_URL=$(PLAN_URL="$PLAN_URL" node <<\'NODE\'\n try {\n const raw = process.env.PLAN_URL || "";\n const trusted = new URL(process.env.PLAN_RECAP_APP_URL || "https://plan.agent-native.com");\n const parsed = /^https?:\\/\\//i.test(raw)\n ? new URL(raw)\n : new URL(raw, trusted);\n if (parsed.origin !== trusted.origin) {\n process.exit(0);\n }\n\n const base = trusted.pathname.replace(/\\/$/, "");\n const paths = [parsed.pathname];\n if (base && parsed.pathname.startsWith(`${base}/`)) {\n paths.push(parsed.pathname.slice(base.length) || "/");\n }\n\n for (const path of paths) {\n const match = path.match(/^\\/(?:plans|recaps)\\/([A-Za-z0-9_-]+)\\/?$/);\n if (match) {\n process.stdout.write(`${trusted.origin}${base}/recaps/${match[1]}`);\n break;\n }\n }\n } catch {\n process.exit(0);\n }\n NODE\n )\n if [ -n "$CANONICAL_URL" ]; then\n echo "plan_url=$CANONICAL_URL" >> "$GITHUB_OUTPUT"; echo "ok=true" >> "$GITHUB_OUTPUT"\n else\n echo "plan_url=" >> "$GITHUB_OUTPUT"; echo "ok=false" >> "$GITHUB_OUTPUT"\n fi\n\n - name: Summarize agent failure\n id: agent_summary\n if: steps.url.outputs.ok != \'true\' && steps.diff.outputs.tiny != \'true\' && steps.scan.outputs.suppressed != \'true\'\n continue-on-error: true\n env:\n RECAP_AGENT: ${{ needs.gate.outputs.agent }}\n run: |\n set -uo pipefail\n RESULT=claude-result.json\n if [ "$RECAP_AGENT" = "codex" ]; then RESULT=codex-events.jsonl; fi\n $RECAP_CLI recap agent-summary --agent "$RECAP_AGENT" --result-file "$RESULT" || true\n\n - name: Attach usage\n if: steps.url.outputs.ok == \'true\'\n continue-on-error: true\n env:\n PLAN_URL: ${{ steps.url.outputs.plan_url }}\n # Use the gate-normalized agent so "Codex" still selects the right file.\n RECAP_AGENT: ${{ needs.gate.outputs.agent }}\n run: |\n set -uo pipefail\n RESULT=claude-result.json\n if [ "$RECAP_AGENT" = "codex" ]; then RESULT=codex-events.jsonl; fi\n if [ -f "$RESULT" ]; then $RECAP_CLI recap usage --plan-url "$PLAN_URL" --agent "$RECAP_AGENT" --result-file "$RESULT" --model "${VISUAL_RECAP_MODEL:-}" --app-url "$PLAN_RECAP_APP_URL" --token "$PLAN_RECAP_TOKEN" || true; fi\n\n - name: Cache Playwright browsers\n if: steps.url.outputs.ok == \'true\'\n uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3\n with:\n path: ~/.cache/ms-playwright\n key: playwright-1-${{ runner.os }}\n\n - name: Screenshot + upload\n id: shot\n if: steps.url.outputs.ok == \'true\'\n continue-on-error: true\n env:\n # recap-url.txt is untrusted agent output; pass via env, never ${{ }}.\n PLAN_URL: ${{ steps.url.outputs.plan_url }}\n run: |\n set -uo pipefail\n pnpm exec playwright install --with-deps chromium 2>/dev/null || npx -y playwright@1 install --with-deps chromium || true\n SHOT_JSON="$($RECAP_CLI recap shot --url "$PLAN_URL" --token "$PLAN_RECAP_TOKEN" --app-url "$PLAN_RECAP_APP_URL" --out recap.png || echo \'{}\')"\n IMAGE_URL=$(node -e \'try{process.stdout.write(JSON.parse(process.argv[1]).imageUrl||"")}catch{process.stdout.write("")}\' "$SHOT_JSON")\n echo "image_url=$IMAGE_URL" >> "$GITHUB_OUTPUT"\n if [ -f recap.png ]; then echo "captured=true" >> "$GITHUB_OUTPUT"; else echo "captured=false" >> "$GITHUB_OUTPUT"; fi\n\n - name: Upload recap screenshot artifact\n if: steps.shot.outputs.captured == \'true\'\n uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1\n with:\n name: pr-visual-recap-${{ github.event.pull_request.number }}\n path: recap.png\n if-no-files-found: ignore\n retention-days: 14\n\n - name: Upsert sticky comment\n if: always()\n continue-on-error: true\n env:\n PLAN_URL: ${{ steps.url.outputs.plan_url }}\n RECAP_IMAGE_URL: ${{ steps.shot.outputs.image_url }}\n SUPPRESSED: ${{ steps.scan.outputs.suppressed }}\n SUPPRESSED_JSON: ${{ steps.scan.outputs.json }}\n DIFF_HUGE: ${{ steps.diff.outputs.huge }}\n DIFF_TINY: ${{ steps.diff.outputs.tiny }}\n PREV_PLAN_ID: ${{ steps.prev.outputs.plan_id }}\n RECAP_AUTH_FAILED: ${{ steps.auth_probe.outputs.auth_failed }}\n RECAP_AGENT_SUMMARY: ${{ steps.agent_summary.outputs.summary }}\n run: |\n set -euo pipefail\n ARGS=(recap comment upsert --repo "$GITHUB_REPOSITORY" --issue "$PR_NUMBER" --token "$GH_TOKEN")\n # On a tiny diff, only REFRESH an existing comment, never create one.\n if [ "${DIFF_TINY:-}" = "true" ]; then ARGS+=(--update-only); fi\n $RECAP_CLI "${ARGS[@]}"\n\n - name: Complete visual recap check\n if: always() && steps.recap_check.outputs.check_run_id != \'\'\n continue-on-error: true\n env:\n # Untrusted/step values via env (NOT ${{ }}-interpolated into the run\n # body): the agent-written plan URL and the scan JSON could inject shell.\n CHECK_RUN_ID: ${{ steps.recap_check.outputs.check_run_id }}\n PLAN_OK: ${{ steps.url.outputs.ok }}\n PLAN_URL: ${{ steps.url.outputs.plan_url }}\n SUPPRESSED: ${{ steps.scan.outputs.suppressed }}\n SUPPRESSED_JSON: ${{ steps.scan.outputs.json }}\n DIFF_HUGE: ${{ steps.diff.outputs.huge }}\n DIFF_TINY: ${{ steps.diff.outputs.tiny }}\n RECAP_AGENT_SUMMARY: ${{ steps.agent_summary.outputs.summary }}\n run: |\n set -uo pipefail\n $RECAP_CLI recap check complete \\\n --check-run-id "$CHECK_RUN_ID" \\\n --plan-ok "$PLAN_OK" \\\n --plan-url "$PLAN_URL" \\\n --suppressed "$SUPPRESSED" \\\n --suppressed-json "$SUPPRESSED_JSON" \\\n --huge "$DIFF_HUGE" \\\n --tiny "$DIFF_TINY" \\\n --failure-summary "$RECAP_AGENT_SUMMARY" \\\n --workflow-url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"\n';
11
11
  //# sourceMappingURL=pr-visual-recap-workflow.js.map