@agent-native/core 0.49.6 → 0.49.9

package/dist/cli/recap.js

@@ -1319,6 +1319,7 @@ export function buildRecapPrompt(input) {
     else {
         lines.push("## Publish (this is the only way to produce output)");
         lines.push(`The \`plan\` MCP server is configured for you. Call its tools by name (your host may expose them as \`get-plan-blocks\` / \`create-visual-recap\` or \`mcp__plan__get-plan-blocks\` / \`mcp__plan__create-visual-recap\` — same tools).`);
+        lines.push("This is a one-shot GitHub Actions run. Do not schedule wakeups, reminders, follow-ups, or retries in another turn; either publish the recap and write `recap-url.txt` in this process, or report the MCP/tool failure plainly.");
         lines.push("First call `get-plan-blocks`, then call `create-visual-recap`. If `create-visual-recap` is available but `get-plan-blocks` is not, the Plan MCP is connected but the block-registry tool is not visible to this runner. Report that the runner must expose `get-plan-blocks` through the workflow/tool allowlist or compact MCP catalog; do not describe that case as a disconnected Plan MCP.");
         lines.push(`1. Call the **create-visual-recap** tool on the \`plan\` MCP server with grounded MDX derived ONLY from the real diff, passing \`visibility: "org"\` so the recap is published org-scoped (never public) server-side${input.prevPlanId
             ? `, and also passing \`planId: "${input.prevPlanId}"\` so this REPLACES the existing recap plan`
@@ -1939,18 +1940,13 @@ function recoverRecapFailureEnv(env = process.env) {
     return recovered;
 }
 /**
- * Files that, if a PR touches them, would let that PR rewrite what the trusted
- * recap job runs (the workflow itself, the skill, the local CLI, or any agent
- * config the runner loads) — so the whole job is skipped, not just the agent
- * step, to keep untrusted PR code away from the publish/API secrets.
- *
- * The `packages/core/**` rule is scoped to the BuilderIO/agent-native monorepo
- * (where packages/core IS the recap CLI source) so that consumer repos with an
- * unrelated `packages/core/` directory are not silently gated. Pass the
- * `repository` ("owner/name") to apply that scoping; omit it to match the old
- * unconditional behaviour (safe for the gate's self-test).
+ * Files that, if a PR touches them, would let that PR rewrite the workflow,
+ * skill, or agent config the trusted recap job loads. The workflow runs the
+ * recap CLI from trusted base-branch source (or an installed package), so normal
+ * package code such as `packages/core/**` can be recapped without executing
+ * PR-modified CLI code.
  */
-export function isRecapSensitivePath(p, repository) {
+export function isRecapSensitivePath(p) {
     if (p === ".github/workflows/pr-visual-recap.yml" ||
         /(^|\/)skills\/visual-(recap|plan|plans)\//.test(p) ||
         /(^|\/)\.claude\//.test(p) ||
@@ -1959,12 +1955,6 @@ export function isRecapSensitivePath(p, repository) {
         /(^|\/)\.mcp\.json$/.test(p)) {
         return true;
     }
-    // packages/core is the recap-CLI source only in the agent-native monorepo.
-    // In consumer repos an unrelated packages/core/ must not gate recaps.
-    const isAgentNativeMonorepo = !repository || repository === "BuilderIO/agent-native";
-    if (isAgentNativeMonorepo && /(^|\/)packages\/core\//.test(p)) {
-        return true;
-    }
     return false;
 }
 /**
@@ -2025,11 +2015,11 @@ export function evaluateRecapGate(input) {
         reasons.push("invalid VISUAL_RECAP_MODEL value (must match [a-zA-Z0-9._-]{1,80})");
     }
     // Self-modifying guard: if this PR changes the workflow, the
-    // visual-recap/visual-plan skill, the local CLI (packages/core), or any agent
-    // config the runner would load (.claude/**, CLAUDE.md, .mcp.json), skip the
-    // ENTIRE job — not just the agent — so a PR can never rewrite what runs
-    // (skill, hooks, settings, CLI) and exfiltrate the publish/API secrets.
-    const hits = input.changedFiles.filter((p) => isRecapSensitivePath(p, input.repository));
+    // visual-recap/visual-plan skill, or any agent config the runner would load
+    // (.claude/**, CLAUDE.md, .mcp.json), skip the ENTIRE job — not just the
+    // agent — so a PR can never rewrite what runs (skill, hooks, settings) and
+    // exfiltrate the publish/API secrets.
+    const hits = input.changedFiles.filter((p) => isRecapSensitivePath(p));
     if (hits.length) {
         reasons.push(`PR modifies recap-control files (${hits.slice(0, 3).join(", ")}${hits.length > 3 ? ", …" : ""}) — skipping so untrusted PR code never runs with secrets`);
     }
@@ -2716,8 +2706,8 @@ Usage:
     files from the GitHub REST API (paged, with GH_TOKEN/GITHUB_TOKEN). Skips
     drafts, forks, bot authors, the missing-secret case, an invalid agent/model,
     and any PR that touches recap-control files (the workflow, the skill,
-    packages/core, .claude/**, CLAUDE.md, AGENTS.md, .mcp.json) — failing CLOSED
-    on any file-list error. Writes run=<true|false> and agent=<claude|codex> to
+    .claude/**, CLAUDE.md, AGENTS.md, .mcp.json) — failing CLOSED on any
+    file-list error. Writes run=<true|false> and agent=<claude|codex> to
     $GITHUB_OUTPUT.
   npx @agent-native/core@latest recap agent-summary
     Read the captured Claude/Codex result file and write a sanitized one-line