@bridge_gpt/mcp-server 0.1.16 → 0.2.0

package/build/start-tickets.js

@@ -53,7 +53,10 @@
  * unit-testable on Linux CI without spawning real commands or terminals.
  */
 import { execFile } from "child_process";
+import { readFile, writeFile, mkdir } from "fs/promises";
 import path from "path";
+import { VERSION } from "./version.generated.js";
+import { provisionMcpRegistrationsForCreatedWorktrees, } from "./mcp-provisioning.js";
 // Per-OS prerequisite knowledge + low-level command probes live in the shared
 // prereqs module so `runPreflight` (enforce) and the read-only `doctor` (render)
 // can never drift. `start-tickets.ts` imports VALUES from there; the prereqs
@@ -75,6 +78,10 @@ export const DEFAULT_MAX_PARALLEL = 3;
 export const DEFAULT_TMUX_SESSION_PREFIX = "bridge-start-tickets";
 /** Environment variable overriding the tmux session-name prefix. */
 export const TMUX_SESSION_OVERRIDE_ENV = "BAPI_TMUX_SESSION";
+/** Return a copy of `row` with `warning` appended; never mutates the input. */
+export function appendSummaryRowWarning(row, warning) {
+    return { ...row, warnings: [...(row.warnings ?? []), warning] };
+}
 // ---------------------------------------------------------------------------
 // Usage / argument parsing
 // ---------------------------------------------------------------------------
@@ -89,7 +96,8 @@ export function getStartTicketsUsage() {
         "  --terminal terminal|iterm   Override the macOS terminal app (default: auto-detect via $TERM_PROGRAM); honored on macOS only",
         "  --dry-run                   Print intended actions; create no worktrees, open no tabs",
         "  --branch KEY=BRANCH         Use BRANCH instead of feature/KEY for that ticket (repeatable)",
-        "  --no-refresh-main           Skip 'git fetch origin main' + fast-forward of local main",
+        "  --base-branch BRANCH        Cut new worktrees from BRANCH and refresh origin/BRANCH (default: main)",
+        "  --no-refresh-main           Skip refresh of the configured base branch (default main); historical name retained for backward compatibility",
         "  --max-parallel N            Max worktrees to create concurrently (default: 3)",
         "  -h, --help                  Show this help",
         "",
@@ -116,9 +124,11 @@ export function parseStartTicketsArgs(argv) {
     }
     let terminal;
     let dryRun = false;
+    let autoApprove = false;
     let refreshMain = true;
     let maxParallelRaw;
     let agentName = DEFAULT_AGENT_NAME;
+    let baseBranch = "main";
     const branchEntries = [];
     const keys = [];
     for (let i = 0; i < argv.length; i++) {
@@ -198,10 +208,36 @@ export function parseStartTicketsArgs(argv) {
             branchEntries.push(value);
             continue;
         }
+        if (arg === "--base-branch" || arg.startsWith("--base-branch=")) {
+            let value;
+            if (arg.startsWith("--base-branch=")) {
+                value = arg.slice("--base-branch=".length);
+            }
+            else {
+                // For the space-separated form, reject a following option token so we
+                // don't silently consume "--dry-run" (etc.) as the branch value.
+                const next = i + 1 < argv.length ? argv[i + 1] : undefined;
+                if (next === undefined || next.startsWith("-")) {
+                    return { status: "error", message: "--base-branch requires a value (a branch name)." };
+                }
+                value = takeValue();
+            }
+            const trimmed = (value ?? "").trim();
+            const error = validateBranchName(trimmed);
+            if (error) {
+                return { status: "error", message: `Invalid --base-branch value: ${error}` };
+            }
+            baseBranch = trimmed;
+            continue;
+        }
         if (arg === "--dry-run") {
             dryRun = true;
             continue;
         }
+        if (arg === "--auto") {
+            autoApprove = true;
+            continue;
+        }
         if (arg === "--no-refresh-main") {
             refreshMain = false;
             continue;
@@ -277,13 +313,15 @@ export function parseStartTicketsArgs(argv) {
     }
     return {
         status: "ok",
-        options: { keys, terminal, dryRun, refreshMain, maxParallel, branchOverrides, agentName },
+        options: { keys, terminal, dryRun, autoApprove, refreshMain, maxParallel, branchOverrides, agentName, baseBranch },
     };
 }
 /** Returns an error string for an unsafe branch name, or null when valid. */
-function validateBranchName(branch) {
-    if (branch.length === 0)
+export function validateBranchName(branch) {
+    if (branch.trim().length === 0)
         return "branch name must not be empty.";
+    if (branch.length > 255)
+        return "branch name must be 255 characters or fewer.";
     if (branch.startsWith("-"))
         return "branch name must not start with '-'.";
     // Reject ASCII control characters (0x00-0x1F and 0x7F) without embedding
@@ -343,7 +381,7 @@ export function getDefaultSpawnTerminalTabForPlatform(platform) {
  * are always honored). Returns a structured error for unsupported platforms;
  * never throws.
  */
-export function resolveStartTicketsPlatformConfig(deps, agent) {
+export function resolveStartTicketsPlatformConfig(deps, agent, autoApprove = false) {
     if (!isSupportedStartTicketsPlatform(deps.platform)) {
         return { ok: false, error: unsupportedPlatformMessage(deps.platform) };
     }
@@ -353,7 +391,7 @@ export function resolveStartTicketsPlatformConfig(deps, agent) {
         config: {
             platform,
             worktrunkBinary: resolveWorktrunkBinary(platform, deps.env),
-            buildAgentShellCommand: (key, worktreePath) => buildAgentShellCommand(agent, key, worktreePath, platform),
+            buildAgentShellCommand: (key, worktreePath) => buildAgentShellCommand(agent, key, worktreePath, platform, autoApprove),
             spawnTerminalTab: deps.spawnTerminalTab,
         },
     };
@@ -522,84 +560,106 @@ export function parseGitWorktreeList(output) {
         entries.push(current);
     return entries;
 }
-/** Return the worktree path owning branch `main`, or null. */
-export function findMainWorktreePath(entries) {
+/** Return the worktree path owning branch `baseBranch`, or null. */
+export function findBaseWorktreePath(entries, baseBranch) {
     for (const entry of entries) {
-        if (entry.branch === "main")
+        if (entry.branch === baseBranch)
             return entry.path;
     }
     return null;
 }
 /**
- * Fetch origin/main and fast-forward local `main`. No-op when `refreshMain` is
- * false. Handles both checkout states:
+ * Compatibility wrapper: returns the worktree path owning branch `main`, or
+ * null. Defers to {@link findBaseWorktreePath} so the `main` and non-main paths
+ * stay identical.
+ */
+export function findMainWorktreePath(entries) {
+    return findBaseWorktreePath(entries, "main");
+}
+/**
+ * Fetch origin/<baseBranch> and fast-forward the local base branch. No-op when
+ * `refreshMain` is false. (The option key keeps its historical name so the
+ * `--no-refresh-main` user-facing flag remains backward-compatible; the
+ * behavior now follows whatever `baseBranch` resolves to, default `"main"`.)
+ *
+ * Handles both checkout states:
  *
- *  - `main` IS checked out in a worktree → `git merge --ff-only` inside that
- *    worktree, so its index/working tree stay consistent (git forbids
+ *  - `<baseBranch>` IS checked out in a worktree → `git merge --ff-only` inside
+ *    that worktree, so its index/working tree stay consistent (git forbids
  *    force-moving a checked-out branch ref).
- *  - `main` is NOT checked out anywhere (e.g. the primary checkout is on a
- *    feature/chore branch) → fast-forward the ref directly with
+ *  - `<baseBranch>` is NOT checked out anywhere (e.g. the primary checkout is
+ *    on a feature/chore branch) → fast-forward the ref directly with
  *    `git branch --force`, since no working tree depends on it. This is guarded
- *    by an ancestry check so a diverged local `main` is never clobbered, and it
- *    creates `main` from origin/main when no local ref exists yet.
+ *    by an ancestry check so a diverged local base is never clobbered, and it
+ *    creates the local base ref from origin when no local ref exists yet.
  *
  * Returns a structured failure for any expected problem (fetch failure, diverged
- * main, or a failed ref update).
+ * base branch, or a failed ref update).
  */
-export async function refreshMainBranch(deps, options) {
+export async function refreshBaseBranch(deps, options) {
     if (!options.refreshMain)
         return { ok: true };
-    const fetch = await deps.runCommand("git", ["fetch", "origin", "main"], {
+    const baseBranch = options.baseBranch;
+    const originRef = `origin/${baseBranch}`;
+    const fetch = await deps.runCommand("git", ["fetch", "origin", baseBranch], {
         cwd: deps.cwd,
     });
     if (!commandSucceeded(fetch)) {
         return {
             ok: false,
-            error: "git fetch origin main failed. Check your network and 'git remote get-url origin', or pass --no-refresh-main to skip.",
+            error: `git fetch origin ${baseBranch} failed. Check your network and 'git remote get-url origin', or pass --no-refresh-main to skip.`,
         };
     }
     const list = await deps.runCommand("git", ["worktree", "list", "--porcelain"], { cwd: deps.cwd });
     if (!commandSucceeded(list)) {
         return {
             ok: false,
-            error: "git worktree list --porcelain failed; cannot locate the main worktree.",
+            error: `git worktree list --porcelain failed; cannot locate the ${baseBranch} worktree.`,
         };
     }
-    const mainPath = findMainWorktreePath(parseGitWorktreeList(list.stdout));
-    // `main` is checked out somewhere: fast-forward it in place. git refuses to
+    const basePath = findBaseWorktreePath(parseGitWorktreeList(list.stdout), baseBranch);
+    // `<baseBranch>` is checked out somewhere: fast-forward it in place. git refuses to
     // force-move a checked-out branch ref, so we must go through merge.
-    if (mainPath) {
-        const merge = await deps.runCommand("git", ["merge", "--ff-only", "origin/main"], { cwd: mainPath });
+    if (basePath) {
+        const merge = await deps.runCommand("git", ["merge", "--ff-only", originRef], { cwd: basePath });
         if (!commandSucceeded(merge)) {
             return {
                 ok: false,
-                error: `Local main has diverged from origin/main (checked out at ${mainPath}). Resolve the divergence manually, or rerun with --no-refresh-main.`,
+                error: `Local ${baseBranch} has diverged from ${originRef} (checked out at ${basePath}). Resolve the divergence manually, or rerun with --no-refresh-main.`,
             };
         }
         return { ok: true };
     }
-    // `main` is not checked out in any worktree. No working tree depends on the
-    // ref, so fast-forward it directly — but only when it is a true fast-forward,
-    // never clobbering local-only commits. When local `main` does not exist yet,
-    // create it from origin/main.
-    if (await branchExists(deps, "main")) {
-        const ancestor = await deps.runCommand("git", ["merge-base", "--is-ancestor", "main", "origin/main"], { cwd: deps.cwd });
+    // `<baseBranch>` is not checked out in any worktree. No working tree depends
+    // on the ref, so fast-forward it directly — but only when it is a true
+    // fast-forward, never clobbering local-only commits. When the local base ref
+    // does not exist yet, create it from origin.
+    if (await branchExists(deps, baseBranch)) {
+        const ancestor = await deps.runCommand("git", ["merge-base", "--is-ancestor", baseBranch, originRef], { cwd: deps.cwd });
         if (!commandSucceeded(ancestor)) {
             return {
                 ok: false,
-                error: "Local main has diverged from origin/main. Resolve the divergence manually, or rerun with --no-refresh-main.",
+                error: `Local ${baseBranch} has diverged from ${originRef}. Resolve the divergence manually, or rerun with --no-refresh-main.`,
             };
         }
     }
-    const update = await deps.runCommand("git", ["branch", "--force", "main", "origin/main"], { cwd: deps.cwd });
+    const update = await deps.runCommand("git", ["branch", "--force", baseBranch, originRef], { cwd: deps.cwd });
     if (!commandSucceeded(update)) {
         return {
             ok: false,
-            error: "Failed to fast-forward local main to origin/main. Resolve manually, or rerun with --no-refresh-main.",
+            error: `Failed to fast-forward local ${baseBranch} to ${originRef}. Resolve manually, or rerun with --no-refresh-main.`,
         };
     }
     return { ok: true };
 }
+/**
+ * Compatibility wrapper around {@link refreshBaseBranch} that preserves the
+ * historical `refreshMainBranch(deps, { refreshMain })` signature for callers
+ * that target `main` specifically.
+ */
+export async function refreshMainBranch(deps, options) {
+    return refreshBaseBranch(deps, { refreshMain: options.refreshMain, baseBranch: "main" });
+}
 // ---------------------------------------------------------------------------
 // Concurrency + worktree creation
 // ---------------------------------------------------------------------------
@@ -643,11 +703,11 @@ export async function branchExists(deps, branch) {
  * tab spawning separately. The args are platform-agnostic; only the binary
  * differs (`wt` vs `git-wt`).
  */
-export function buildWtSwitchArgs(branch, exists) {
+export function buildWtSwitchArgs(branch, exists, baseBranch = "main") {
     if (exists) {
         return ["switch", "-y", branch, "--format=json"];
     }
-    return ["switch", "--create", "-y", branch, "--format=json"];
+    return ["switch", "--create", "-y", branch, "-b", baseBranch, "--format=json"];
 }
 /** Return the Node `path` API matching a platform (`win32` vs POSIX). */
 export function pathApiForPlatform(platform) {
@@ -698,11 +758,11 @@ function pickWorktreePathField(parsed) {
  * success (with key, branch, path) or a `create-failed` row on any expected
  * failure — never throws for per-ticket problems.
  */
-export async function createWorktreeForTicket(deps, key, branchOverrides, worktrunkBinary) {
+export async function createWorktreeForTicket(deps, key, branchOverrides, worktrunkBinary, baseBranch = "main") {
     const branch = resolveBranchForTicket(key, branchOverrides);
     try {
         const exists = await branchExists(deps, branch);
-        const args = buildWtSwitchArgs(branch, exists);
+        const args = buildWtSwitchArgs(branch, exists, baseBranch);
         const result = await deps.runCommand(worktrunkBinary, args, { cwd: deps.cwd });
         if (!commandSucceeded(result)) {
             const reason = (result.stderr || result.stdout || "").trim();
@@ -728,14 +788,18 @@ export async function createWorktreeForTicket(deps, key, branchOverrides, worktr
  * aborting the run.
  */
 export async function createWorktrees(deps, options, worktrunkBinary) {
-    return runWithConcurrency(options.keys, options.maxParallel, (key) => createWorktreeForTicket(deps, key, options.branchOverrides, worktrunkBinary));
+    return runWithConcurrency(options.keys, options.maxParallel, (key) => createWorktreeForTicket(deps, key, options.branchOverrides, worktrunkBinary, options.baseBranch));
 }
 // ---------------------------------------------------------------------------
 // Per-platform shell-command construction
 // ---------------------------------------------------------------------------
-/** The starter prompt handed to the selected agent. Identical for every agent. */
-export function buildAgentPrompt(key) {
-    return `/implement-ticket ${key}`;
+/**
+ * The starter prompt handed to the selected agent. Identical for every agent.
+ * When `autoApprove` is set, the implementation agent runs hands-off
+ * (`/implement-ticket <KEY> --auto`) — used by full-automation chains.
+ */
+export function buildAgentPrompt(key, opts = {}) {
+    return `/implement-ticket ${key}${opts.autoApprove ? " --auto" : ""}`;
 }
 /**
  * Build the agent invocation (`<command> <quotedPrompt>`) for the agent's prompt
@@ -754,13 +818,13 @@ export function buildAgentInvocation(agent, prompt, quote) {
     }
 }
 /** POSIX agent shell command: `cd '<path>' && <agent> '<prompt>'`. */
-export function buildPosixAgentShellCommand(agent, key, worktreePath) {
-    const invocation = buildAgentInvocation(agent, buildAgentPrompt(key), (p) => `'${shSquoteInner(p)}'`);
+export function buildPosixAgentShellCommand(agent, key, worktreePath, autoApprove = false) {
+    const invocation = buildAgentInvocation(agent, buildAgentPrompt(key, { autoApprove }), (p) => `'${shSquoteInner(p)}'`);
     return `cd '${shSquoteInner(worktreePath)}' && ${invocation}`;
 }
 /** PowerShell agent shell command: `Set-Location -LiteralPath '<path>'; <agent> '<prompt>'`. */
-export function buildPowerShellAgentShellCommand(agent, key, worktreePath) {
-    const invocation = buildAgentInvocation(agent, buildAgentPrompt(key), powershellSquote);
+export function buildPowerShellAgentShellCommand(agent, key, worktreePath, autoApprove = false) {
+    const invocation = buildAgentInvocation(agent, buildAgentPrompt(key, { autoApprove }), powershellSquote);
     return `Set-Location -LiteralPath ${powershellSquote(worktreePath)}; ${invocation}`;
 }
 /**
@@ -769,10 +833,10 @@ export function buildPowerShellAgentShellCommand(agent, key, worktreePath) {
  * dry-run fallback). The selected `agent` (never a module-level constant)
  * determines the launched command.
  */
-export function buildAgentShellCommand(agent, key, worktreePath, platform = "darwin") {
+export function buildAgentShellCommand(agent, key, worktreePath, platform = "darwin", autoApprove = false) {
     if (platform === "win32")
-        return buildPowerShellAgentShellCommand(agent, key, worktreePath);
-    return buildPosixAgentShellCommand(agent, key, worktreePath);
+        return buildPowerShellAgentShellCommand(agent, key, worktreePath, autoApprove);
+    return buildPosixAgentShellCommand(agent, key, worktreePath, autoApprove);
 }
 // ---------------------------------------------------------------------------
 // macOS terminal spawning (behind the injected boundary)
@@ -1048,25 +1112,47 @@ export function buildDryRunResults(keys, overrides) {
  * PowerShell on Windows, `wt` + POSIX on macOS/Linux, and a non-throwing `wt` +
  * POSIX fallback for unsupported platforms.
  */
-export function getDryRunPlatformDetails(agent, platform = process.platform, env = process.env) {
+export function getDryRunPlatformDetails(agent, platform = process.platform, env = process.env, autoApprove = false) {
     return {
         worktrunkBinary: resolveWorktrunkBinary(platform, env),
-        buildAgentShellCommand: (key, worktreePath) => buildAgentShellCommand(agent, key, worktreePath, platform),
+        buildAgentShellCommand: (key, worktreePath) => buildAgentShellCommand(agent, key, worktreePath, platform, autoApprove),
     };
 }
+/**
+ * Build the dry-run preview of the secret-free MCP provisioning that
+ * `start-tickets` would perform for a worktree whose `.bridge/config` includes
+ * the `bapi` target. Lists both registration files and the version-pinned shim
+ * command. Pure formatting — implies no credentials and writes no files.
+ */
+export function buildDryRunMcpProvisioningLines(worktreePath, platform = process.platform) {
+    const api = platform === "win32" ? path.win32 : path.posix;
+    const mcpJson = api.join(worktreePath, ".mcp.json");
+    const cursorJson = api.join(worktreePath, ".cursor", "mcp.json");
+    const shim = `npx -y @bridge_gpt/mcp-server@${VERSION} mcp-invoke --target <target> --project-root ${worktreePath}`;
+    return [
+        "DRY-RUN:   MCP provisioning (target-driven from .bridge/config — bapi plus any",
+        "DRY-RUN:   supported Tier-2 target such as sfcc): would write a secret-free shim",
+        "DRY-RUN:   entry per target to",
+        `DRY-RUN:     ${mcpJson}`,
+        `DRY-RUN:     ${cursorJson}`,
+        `DRY-RUN:     ${shim}`,
+    ];
+}
 /**
  * Build the user-facing dry-run detail lines for one ticket, rendering the
- * platform-correct Worktrunk binary and the selected agent's shell command. Pure
- * platform formatting only — no preflight, no routing failures.
+ * platform-correct Worktrunk binary, the selected agent's shell command, and
+ * the secret-free MCP provisioning preview. Pure platform formatting only — no
+ * preflight, no routing failures.
  */
-export function buildDryRunDetailLines(agent, key, branch, platform = process.platform, env = process.env) {
-    const { worktrunkBinary, buildAgentShellCommand: build } = getDryRunPlatformDetails(agent, platform, env);
-    const wtArgs = buildWtSwitchArgs(branch, false);
+export function buildDryRunDetailLines(agent, key, branch, platform = process.platform, env = process.env, baseBranch = "main", autoApprove = false) {
+    const { worktrunkBinary, buildAgentShellCommand: build } = getDryRunPlatformDetails(agent, platform, env, autoApprove);
+    const wtArgs = buildWtSwitchArgs(branch, false, baseBranch);
     const agentInvocation = build(key, "<worktree-path>");
     return [
         `DRY-RUN: ${key} -> branch=${branch}`,
         `DRY-RUN:   ${worktrunkBinary} ${wtArgs.join(" ")}`,
         `DRY-RUN:   ${agentInvocation}`,
+        ...buildDryRunMcpProvisioningLines("<worktree-path>", platform),
     ];
 }
 /**
@@ -1083,13 +1169,30 @@ export function formatSummaryReport(rows) {
             line += `  path=${row.path}`;
         lines.push(line);
     }
-    const failures = rows.filter((r) => r.status === "create-failed" || r.status === "spawn-failed");
-    if (failures.length > 0) {
+    // Warnings section: create/spawn-failed row errors AND any non-fatal
+    // per-row provisioning warnings. Identical error/warning text for the same
+    // row is emitted only once.
+    const warningLines = [];
+    for (const row of rows) {
+        const messages = [];
+        if (row.status === "create-failed" || row.status === "spawn-failed") {
+            messages.push(row.error ?? row.status);
+        }
+        for (const warning of row.warnings ?? []) {
+            messages.push(warning);
+        }
+        const seen = new Set();
+        for (const message of messages) {
+            if (seen.has(message))
+                continue;
+            seen.add(message);
+            warningLines.push(`  ${row.key}: ${message}`);
+        }
+    }
+    if (warningLines.length > 0) {
         lines.push("");
         lines.push("Warnings:");
-        for (const row of failures) {
-            lines.push(`  ${row.key}: ${row.error ?? row.status}`);
-        }
+        lines.push(...warningLines);
     }
     return lines.join("\n");
 }
@@ -1101,7 +1204,38 @@ export function formatSummaryReport(rows) {
  * using the platform-correct shell builder. Global preflight/refresh failures
  * are returned as `{ ok: false }`; per-ticket failures stay in the rows.
  */
-export async function orchestrateStartTickets(deps, options) {
+/**
+ * Build the `mcp-provisioning` filesystem boundary from `StartTicketsDeps`.
+ * Provisioning needs real `fs/promises` ops (not part of the command-runner DI
+ * boundary), but inherits the platform and cwd from the orchestration deps.
+ */
+export function buildMcpProvisioningDeps(deps) {
+    return {
+        readFile: (filePath) => readFile(filePath, "utf-8"),
+        writeFile: (filePath, data) => writeFile(filePath, data, "utf-8"),
+        mkdir: (dirPath, options) => mkdir(dirPath, options),
+        platform: deps.platform,
+        cwd: deps.cwd,
+    };
+}
+/**
+ * Tier-3 file-credential materialization seam.
+ *
+ * The committed `.bridge/config` schema does not (yet) declare file-credential
+ * entries — Tier-3 file materialization is a gated seam (see
+ * `credential-materialization.ts`, whose Windows worktree-visible copy remains
+ * disabled pending the open context-vs-server-only design decision). With no
+ * file-credential configuration there is nothing to materialize, so the default
+ * is a safe pass-through. The seam exists so `orchestrateStartTickets` calls it
+ * in the correct order — AFTER MCP registration provisioning and BEFORE tab
+ * spawning — once the schema and the design decision are resolved. Per-row
+ * failures must mark only the affected row `spawn-failed`; normal symlinks are
+ * never torn down on completion.
+ */
+export async function materializeFileCredentialsForCreatedWorktrees(rows, _deps) {
+    return rows;
+}
+export async function orchestrateStartTickets(deps, options, overrides = {}) {
     if (options.dryRun) {
         return { ok: true, rows: buildDryRunResults(options.keys, options.branchOverrides) };
     }
@@ -1117,15 +1251,33 @@ export async function orchestrateStartTickets(deps, options) {
     const preflight = await runPreflight(deps, options);
     if (!preflight.ok)
         return { ok: false, error: preflight.error };
-    const platformConfig = resolveStartTicketsPlatformConfig(deps, agent);
+    const platformConfig = resolveStartTicketsPlatformConfig(deps, agent, options.autoApprove);
     if (!platformConfig.ok)
         return { ok: false, error: platformConfig.error };
-    const refresh = await refreshMainBranch(deps, options);
+    const refresh = await refreshBaseBranch(deps, {
+        refreshMain: options.refreshMain,
+        baseBranch: options.baseBranch,
+    });
     if (!refresh.ok)
         return { ok: false, error: refresh.error };
-    const created = await createWorktrees(deps, options, platformConfig.config.worktrunkBinary);
-    const terminal = detectTerminal(options.terminal, deps.env);
-    const rows = await spawnTabsForCreatedWorktrees(deps, created, terminal, platformConfig.config.buildAgentShellCommand);
+    const createWorktreesFn = overrides.createWorktrees ?? createWorktrees;
+    const provisionFn = overrides.provisionMcpRegistrations ??
+        ((rows, d) => provisionMcpRegistrationsForCreatedWorktrees(rows, buildMcpProvisioningDeps(d)));
+    const materializeFn = overrides.materializeFileCredentials ?? materializeFileCredentialsForCreatedWorktrees;
+    const detectTerminalFn = overrides.detectTerminal ?? detectTerminal;
+    const spawnTabsFn = overrides.spawnTabsForCreatedWorktrees ?? spawnTabsForCreatedWorktrees;
+    const created = await createWorktreesFn(deps, options, platformConfig.config.worktrunkBinary);
+    // Synchronously provision secret-free worktree MCP registrations after
+    // worktree creation and before launching the agent tab. Per-worktree
+    // provisioning failures mark only that row `spawn-failed` (skipped by the
+    // spawn step below) — they never abort the whole run.
+    const provisioned = await provisionFn(created, deps);
+    // Materialize any Tier-3 file credentials AFTER MCP registration provisioning
+    // and BEFORE tab spawning (currently a pass-through seam; see
+    // materializeFileCredentialsForCreatedWorktrees).
+    const materialized = await materializeFn(provisioned, deps);
+    const terminal = detectTerminalFn(options.terminal, deps.env);
+    const rows = await spawnTabsFn(deps, materialized, terminal, platformConfig.config.buildAgentShellCommand);
     return { ok: true, rows };
 }
 /** Platform-specific guidance printed when one or more tabs fail to spawn. */
@@ -1179,7 +1331,7 @@ export async function runStartTicketsCli(argv, overrides = {}) {
     if (options.dryRun) {
         for (const key of options.keys) {
             const branch = resolveBranchForTicket(key, options.branchOverrides);
-            for (const line of buildDryRunDetailLines(agent, key, branch, deps.platform, deps.env)) {
+            for (const line of buildDryRunDetailLines(agent, key, branch, deps.platform, deps.env, options.baseBranch, options.autoApprove)) {
                 log(line);
             }
         }

package/build/third-party-mcp-targets.js

@@ -0,0 +1,75 @@
+/**
+ * Tier-2 third-party MCP target metadata + atomic env injection.
+ *
+ * Known third-party MCP targets (e.g. Salesforce `b2c-dx-mcp` via `sfcc`) are
+ * declared here as additive, data-only definitions: each names the secret env
+ * keys it needs. Provisioning and `mcp-invoke` consume these definitions without
+ * any target-specific branching, so adding a future Tier-2 target is a matter of
+ * adding one entry to the registry below.
+ *
+ * Credential resolution is delegated to the generic
+ * {@link resolveCredentialBundle}; the resulting env overlay is ATOMIC — either
+ * every required key resolves or the whole overlay fails. A half overlay (one of
+ * an `SFCC_CLIENT_ID`/`SFCC_CLIENT_SECRET` pair) is never returned. No secret
+ * value ever appears in an error message.
+ */
+import { resolveCredentialBundle, } from "./credential-store.js";
+// ---------------------------------------------------------------------------
+// Registry — additive; add a new entry to support a new Tier-2 target.
+// ---------------------------------------------------------------------------
+const THIRD_PARTY_TARGETS = {
+    sfcc: {
+        target: "sfcc",
+        requiredEnvKeys: ["SFCC_CLIENT_ID", "SFCC_CLIENT_SECRET"],
+    },
+};
+/** Return the definition for a supported Tier-2 target, or `undefined`. */
+export function getThirdPartyTargetDefinition(target) {
+    return THIRD_PARTY_TARGETS[target];
+}
+/** List all supported Tier-2 target identifiers. */
+export function getSupportedThirdPartyTargets() {
+    return Object.keys(THIRD_PARTY_TARGETS);
+}
+// ---------------------------------------------------------------------------
+// Manifest entry validation
+// ---------------------------------------------------------------------------
+/**
+ * Validate that a parsed manifest entry for a Tier-2 target declares everything
+ * needed to launch it: a non-empty `command`, an `args` array, and a non-empty
+ * `secret_bundle`. Errors name only the missing field, never any value.
+ */
+export function validateThirdPartyTargetManifestEntry(entry) {
+    if (entry.command === undefined || entry.command.trim().length === 0) {
+        return { ok: false, error: `target '${entry.target}' requires a non-empty command` };
+    }
+    if (entry.args === undefined) {
+        return { ok: false, error: `target '${entry.target}' requires an args array` };
+    }
+    if (entry.secretBundle === undefined || entry.secretBundle.trim().length === 0) {
+        return { ok: false, error: `target '${entry.target}' requires a non-empty secret_bundle` };
+    }
+    return { ok: true };
+}
+// ---------------------------------------------------------------------------
+// Atomic env resolution
+// ---------------------------------------------------------------------------
+/**
+ * Resolve the complete env overlay a Tier-2 target needs from its secret bundle.
+ * Delegates to {@link resolveCredentialBundle}; because that resolver fails
+ * unless every required key resolves, the returned overlay is atomic — there is
+ * no code path that returns a partial set of the target's secrets. Parent env
+ * values override store values key-by-key (handled by the generic resolver).
+ * Errors are secret-free and name the missing key(s).
+ */
+export async function resolveThirdPartyTargetEnv(definition, secretBundle, deps) {
+    const result = await resolveCredentialBundle(secretBundle, definition.requiredEnvKeys, deps);
+    if (!result.ok) {
+        return { ok: false, error: result.error };
+    }
+    const env = {};
+    for (const key of definition.requiredEnvKeys) {
+        env[key] = result.values[key];
+    }
+    return { ok: true, env };
+}

package/build/version.generated.js

@@ -1,2 +1,2 @@
 // AUTO-GENERATED — do not edit manually. Regenerate with: npm run build
-export const VERSION = "0.1.16";
+export const VERSION = "0.2.0";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bridge_gpt/mcp-server",
-  "version": "0.1.16",
+  "version": "0.2.0",
   "description": "Bridge API MCP server — exposes Jira endpoints as MCP tools for Claude Code agents",
   "license": "MIT",
   "type": "module",
@@ -12,6 +12,7 @@
     "!build/**/*.test.js",
     "!build/integration/**",
     "pipelines/",
+    "smoke-test/",
     "README.md",
     "LICENSE"
   ],
@@ -19,18 +20,17 @@
     "build": "node scripts/bundle-version.js && node scripts/bundle-pipelines.js && node scripts/bundle-commands.js && node scripts/bundle-agents.js && tsc",
     "postbuild": "node scripts/prepend-shebang.cjs",
     "start": "node build/index.js",
-    "test": "node --test build/pipeline-utils.test.js build/update-check.test.js build/cli-upgrade.test.js build/decision-page-schema.test.js build/decision-page-template.test.js build/bundle-pipelines.test.js build/instructions-contract.test.js build/pipeline-orchestrator-persistence.test.js build/pipeline-orchestrator-execution.test.js build/pipeline-orchestrator-integration.test.js build/index-static.test.js build/start-tickets.test.js build/agent-registry.test.js build/start-tickets-prereqs.test.js build/doctor.test.js build/package-static.test.js",
-    "test:integration": "node --test build/integration/refresh-main.integration.test.js build/integration/start-tickets.integration.test.js build/integration/doctor.integration.test.js",
+    "test": "node --test build/pipeline-utils.test.js build/update-check.test.js build/cli-upgrade.test.js build/decision-page-schema.test.js build/decision-page-template.test.js build/bundle-pipelines.test.js build/instructions-contract.test.js build/pipeline-orchestrator-persistence.test.js build/pipeline-orchestrator-execution.test.js build/pipeline-orchestrator-integration.test.js build/index-static.test.js build/index-resolvers.test.js build/index-project-root.test.js build/index-pipelines.test.js build/index.test.js build/bridge-config.test.js build/credential-store.test.js build/mcp-invoke.test.js build/mcp-provisioning.test.js build/third-party-mcp-targets.test.js build/git-ignore-utils.test.js build/credential-materialization.test.js build/mcp-registration-doctor.test.js build/secret-safety.test.js build/start-tickets.test.js build/start-tickets-base-branch.test.js build/agent-registry.test.js build/start-tickets-prereqs.test.js build/doctor.test.js build/package-static.test.js build/chain-utils.test.js build/chain-orchestrator.test.js build/scheduler-backends/types.test.js build/scheduler-backends/escaping.test.js build/scheduler-backends/launchd.test.js build/scheduler-backends/task-scheduler.test.js build/scheduler-backends/systemd-user.test.js build/scheduler-backends/at-fallback.test.js build/scheduler-backends/index.test.js build/agent-launchers/claude.test.js build/agent-launchers/index.test.js build/schedule-store.test.js build/schedule-run.test.js build/agent-capabilities/cli.test.js build/agent-capabilities/runner.test.js build/agent-capabilities/probes.test.js build/agent-capabilities/reporter.test.js && node --experimental-test-module-mocks --test build/index-heavy-read-truncation.test.js build/index-artifacts.test.js build/index-brainstorm-filenames.test.js build/index-output-path.test.js build/index-generate-decision-page.test.js build/index-generate-decision-page.integration.test.js",
+    "test:integration": "node --test build/integration/refresh-main.integration.test.js build/integration/start-tickets.integration.test.js build/integration/doctor.integration.test.js build/integration/agent-capabilities.integration.test.js",
     "prepublishOnly": "npm run build && node scripts/verify-shebang.cjs"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.26.0",
-    "zod": "^3.25.0"
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "zod": "^4.4.3"
   },
   "devDependencies": {
-    "@types/node": "^22.0.0",
-    "typescript": "^5.7.0",
-    "undici": "^6.25.0"
+    "@types/node": "^25.9.1",
+    "typescript": "^6.0.3"
   },
   "engines": {
     "node": ">=18.0.0"