@codyswann/lisa 2.178.0 → 2.178.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/plugins/lisa/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa/skills/analyze-claude-remote/SKILL.md +39 -5
- package/plugins/lisa/skills/generate-claude-remote-build-script/SKILL.md +20 -7
- package/plugins/lisa-agy/plugin.json +1 -1
- package/plugins/lisa-agy/skills/analyze-claude-remote/SKILL.md +39 -5
- package/plugins/lisa-agy/skills/generate-claude-remote-build-script/SKILL.md +20 -7
- package/plugins/lisa-cdk/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-cdk/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-cdk-agy/plugin.json +1 -1
- package/plugins/lisa-cdk-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-cdk-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-copilot/skills/analyze-claude-remote/SKILL.md +39 -5
- package/plugins/lisa-copilot/skills/generate-claude-remote-build-script/SKILL.md +20 -7
- package/plugins/lisa-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-cursor/skills/analyze-claude-remote/SKILL.md +39 -5
- package/plugins/lisa-cursor/skills/generate-claude-remote-build-script/SKILL.md +20 -7
- package/plugins/lisa-expo/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-expo/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-expo-agy/plugin.json +1 -1
- package/plugins/lisa-expo-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-expo-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-harper-fabric/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-harper-fabric/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-harper-fabric-agy/plugin.json +1 -1
- package/plugins/lisa-harper-fabric-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-harper-fabric-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-nestjs/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-nestjs/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-nestjs-agy/plugin.json +1 -1
- package/plugins/lisa-nestjs-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-nestjs-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-openclaw/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-openclaw/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-openclaw-agy/plugin.json +1 -1
- package/plugins/lisa-openclaw-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-openclaw-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-phaser/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-phaser/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-phaser-agy/plugin.json +1 -1
- package/plugins/lisa-phaser-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-phaser-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-rails/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-rails/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-rails-agy/plugin.json +1 -1
- package/plugins/lisa-rails-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-rails-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-typescript/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-typescript/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-typescript-agy/plugin.json +1 -1
- package/plugins/lisa-typescript-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-typescript-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-wiki/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-wiki/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-wiki-agy/plugin.json +1 -1
- package/plugins/lisa-wiki-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-wiki-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/src/base/skills/analyze-claude-remote/SKILL.md +39 -5
- package/plugins/src/base/skills/generate-claude-remote-build-script/SKILL.md +20 -7
package/package.json
CHANGED
|
@@ -91,7 +91,7 @@
|
|
|
91
91
|
"ws": ">=8.20.1"
|
|
92
92
|
},
|
|
93
93
|
"name": "@codyswann/lisa",
|
|
94
|
-
"version": "2.178.
|
|
94
|
+
"version": "2.178.1",
|
|
95
95
|
"description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
|
|
96
96
|
"main": "dist/index.js",
|
|
97
97
|
"exports": {
|
|
@@ -148,9 +148,14 @@ Group the findings as:
|
|
|
148
148
|
7. **Platform constraints** — surface the non-config constraints as `GAP`/`RISK` so the user is
|
|
149
149
|
not surprised: routines run with no interactive permission prompts and cannot ask the user
|
|
150
150
|
mid-run; interactive auth (SSO/OAuth browser, keychain) is unavailable; GitHub org IP
|
|
151
|
-
allowlisting blocks cloud sessions;
|
|
152
|
-
|
|
153
|
-
|
|
151
|
+
allowlisting blocks cloud sessions; raw GitHub clone/fetch/push operations are handled by
|
|
152
|
+
Claude's connected-GitHub proxy/identity and do not need a separate PAT; the `gh` CLI is not the
|
|
153
|
+
same substrate and still needs `GH_TOKEN`; outbound traffic is controlled by the routine
|
|
154
|
+
environment network tier, where the default Trusted tier includes common development domains and
|
|
155
|
+
package registries but arbitrary integration hosts need Custom or Full access; environment
|
|
156
|
+
variables and setup scripts are stored in the cloud environment configuration and are visible to
|
|
157
|
+
anyone who can edit that environment; resource limits (~4 vCPU / 16 GB RAM / 30 GB disk); no
|
|
158
|
+
desktop/computer-use; no statusline/theme rendering.
|
|
154
159
|
|
|
155
160
|
8. **Host-project app needs** — note any build/test/run command a routine would invoke and any
|
|
156
161
|
runtime service it depends on (database, queue, external API) that will not exist in a fresh
|
|
@@ -168,9 +173,18 @@ unsuffixed `…_TOKEN`/`…_KEY` is the simplest to set in a single-account rout
|
|
|
168
173
|
|
|
169
174
|
### GitHub — `tracker: github` and/or `source: github`
|
|
170
175
|
- Headless substrate: `gh` CLI authed by token (every Lisa GitHub script gates on `gh auth status`).
|
|
171
|
-
-
|
|
176
|
+
- Platform substrate: Claude's connected-GitHub proxy/identity authenticates raw git
|
|
177
|
+
clone/fetch/push for repositories the routine can access. Do not ask for a PAT solely for raw git
|
|
178
|
+
or sibling-repo clones.
|
|
179
|
+
- Env: `GH_TOKEN` for the `gh` CLI only; set it because Lisa's PR/issue lifecycle shells out to
|
|
180
|
+
`gh`. Do not describe it as required for raw git clone/fetch/push.
|
|
172
181
|
- Acquire: fine-grained — `https://github.com/settings/personal-access-tokens`; classic — `https://github.com/settings/tokens`.
|
|
173
|
-
- Access: fine-grained → Repository access to the
|
|
182
|
+
- Access: fine-grained → Repository access to the repo(s) where Lisa will run `gh` commands (the
|
|
183
|
+
project repo, and the Lisa repo only if filing Lisa issues); Repository permissions: Contents R/W,
|
|
184
|
+
Issues R/W, Pull requests R/W, Metadata R (mandatory); add Workflows R/W only if editing
|
|
185
|
+
`.github/workflows`, and Organization → Projects R/W only if using ProjectV2. Do not include
|
|
186
|
+
sibling repos that are only cloned/fetched with raw git. Classic equivalent: `repo` + `workflow`
|
|
187
|
+
(+ `project`, `read:org` for boards). The identity must hold WRITE/MAINTAIN/ADMIN on the repo.
|
|
174
188
|
|
|
175
189
|
### JIRA — `tracker: jira`
|
|
176
190
|
- Headless substrate: `jira-cli` + curl (Basic auth). The acli and Atlassian-MCP tiers need prior interactive/OAuth auth → not viable headless.
|
|
@@ -242,6 +256,18 @@ so the generator can render acquisition comments into its template:
|
|
|
242
256
|
{ "name": "linear-server", "transport": "http", "auth": "oauth", "headlessUsable": false, "replacedBy": "LINEAR_API_KEY + Linear GraphQL", "dormant": true }
|
|
243
257
|
],
|
|
244
258
|
"gaps": [ "auto-memory not synced to cloud", "bun package fetch behind proxy", "OS keychain absent — env-var token form only" ],
|
|
259
|
+
"platform": {
|
|
260
|
+
"githubProxy": {
|
|
261
|
+
"rawGitAuthenticated": true,
|
|
262
|
+
"crossRepoAccess": "repositories reachable by the connected GitHub identity/routine access do not need a PAT for raw git",
|
|
263
|
+
"ghCliNeedsToken": true
|
|
264
|
+
},
|
|
265
|
+
"secretsVisibility": "environment variables and setup scripts are visible to environment editors"
|
|
266
|
+
},
|
|
267
|
+
"networkAccess": {
|
|
268
|
+
"tier": "custom",
|
|
269
|
+
"allowlistDomains": []
|
|
270
|
+
},
|
|
245
271
|
"allowlistDomains": []
|
|
246
272
|
}
|
|
247
273
|
```
|
|
@@ -269,5 +295,13 @@ so the generator can render acquisition comments into its template:
|
|
|
269
295
|
Lisa's `setup-*` skills) — transcribe them exactly; never guess at the access a token needs.
|
|
270
296
|
- For the active `tracker`/`source`, always report the **env-var** form of the secret, never the OS
|
|
271
297
|
keychain form — keychain reads do not work in a cloud routine.
|
|
298
|
+
- For GitHub, keep the split explicit: raw git uses the platform GitHub proxy/identity, while
|
|
299
|
+
`GH_TOKEN` is for `gh` CLI commands. Sibling repos that are only cloned or fetched with raw git do
|
|
300
|
+
not belong in the token scope.
|
|
301
|
+
- Add GitHub/npm/PyPI/Docker Hub/common development domains to neither `allowlistDomains` nor
|
|
302
|
+
`networkAccess.allowlistDomains`; those are covered by the routine environment's default Trusted
|
|
303
|
+
list. Only non-default integration hosts require Custom-network allowlisting.
|
|
304
|
+
- Always include a `RISK`/`GAP` finding when environment secrets or setup scripts would be visible
|
|
305
|
+
to environment editors; never imply the generated script can hide them.
|
|
272
306
|
- A browser-OAuth MCP (or interactively-authed CLI) backing an active integration is a `GAP`; the
|
|
273
307
|
remediation is its token substrate from the table, not "authenticate the MCP".
|
|
@@ -30,8 +30,9 @@ tracker/source, plus the host project's own package manager and tooling — not
|
|
|
30
30
|
## Procedure
|
|
31
31
|
|
|
32
32
|
1. **Inventory.** Invoke `/lisa:analyze-claude-remote --json` and parse its machine-readable
|
|
33
|
-
inventory block (`packageManager`, `tools`, `env`, `mcp`, `gaps`, `
|
|
34
|
-
analysis cannot run, stop and report why — never
|
|
33
|
+
inventory block (`packageManager`, `tools`, `env`, `mcp`, `gaps`, `platform`,
|
|
34
|
+
`networkAccess`, `allowlistDomains`). If the analysis cannot run, stop and report why — never
|
|
35
|
+
emit a script from guesses.
|
|
35
36
|
|
|
36
37
|
2. **Compose the setup script** from the inventory. The script must be:
|
|
37
38
|
- **Idempotent & detect-before-install** — every install guarded by a `command -v <tool>` check
|
|
@@ -62,11 +63,17 @@ tracker/source, plus the host project's own package manager and tooling — not
|
|
|
62
63
|
where to get the token and what permissions it needs. Emit only the **env-var form** of the name
|
|
63
64
|
that the analysis reported (including any per-account suffixed form like `LINEAR_API_KEY_<slug>`);
|
|
64
65
|
never emit a keychain instruction — keychain does not exist in a cloud routine.
|
|
66
|
+
When the entry is `GH_TOKEN`, add a comment from `platform.githubProxy` clarifying that the token
|
|
67
|
+
is for `gh` CLI commands against the project/Lisa repos, not for raw git clone/fetch/push or
|
|
68
|
+
sibling repos reachable through the routine's GitHub proxy.
|
|
65
69
|
|
|
66
70
|
4. **Emit the allowlist + gaps notice.** List any custom domains the setup or runtime reaches
|
|
67
|
-
(from `allowlistDomains
|
|
68
|
-
|
|
69
|
-
|
|
71
|
+
(from `networkAccess.allowlistDomains`, falling back to legacy `allowlistDomains`) that the user
|
|
72
|
+
must add when the environment needs Custom network access. Do not include default Trusted domains
|
|
73
|
+
such as GitHub, npm/PyPI registries, or Docker Hub. Echo the `gaps` from the analysis
|
|
74
|
+
(auto-memory not synced, interactive-auth/stdio-MCP unavailable, etc.) and the
|
|
75
|
+
`platform.secretsVisibility` warning as a header comment so the user knows what the script
|
|
76
|
+
**cannot** fix.
|
|
70
77
|
|
|
71
78
|
5. **Write and report.** Write the script to `--out` (default `scripts/claude-remote-setup.sh`),
|
|
72
79
|
`chmod +x` it, and print: the path, a one-line summary of what it installs and which env vars to
|
|
@@ -92,9 +99,11 @@ shape, not a fixed payload):
|
|
|
92
99
|
# # --- credentials for the active tracker/source (set in the environment UI) ---
|
|
93
100
|
# # Acquire: https://github.com/settings/personal-access-tokens
|
|
94
101
|
# # Access: fine-grained PAT on target repo: Contents R/W, Issues R/W, Pull requests R/W, Metadata R
|
|
102
|
+
# # Note: GH_TOKEN is for gh CLI only. Raw git uses Claude's connected-GitHub proxy/identity;
|
|
103
|
+
# # sibling repos reached only by raw git do not need to be in this token scope.
|
|
95
104
|
# - GH_TOKEN=<token> # REQUIRED, github is the active tracker+source
|
|
96
|
-
# NETWORK: allowlist these domains
|
|
97
|
-
# - <allowlistDomains, if any>
|
|
105
|
+
# NETWORK: set the environment to Custom and allowlist these non-default domains if not on Full:
|
|
106
|
+
# - <networkAccess.allowlistDomains, if any>
|
|
98
107
|
set -uo pipefail
|
|
99
108
|
|
|
100
109
|
need() { command -v "$1" >/dev/null 2>&1; }
|
|
@@ -152,8 +161,12 @@ to stop are: the analysis could not run, or the `--out` path is not writable.
|
|
|
152
161
|
- Never write real secret values into the script or template — names and placeholders only.
|
|
153
162
|
- For active tracker/source credentials, carry the analysis's `Acquire:` URL and `Access:` scope into
|
|
154
163
|
the template as comments, and emit only the env-var form of the name — never a keychain command.
|
|
164
|
+
- For `GH_TOKEN`, preserve the analysis's GitHub proxy split: it is for `gh` CLI commands only, and
|
|
165
|
+
raw git/cross-repo clone guidance must not expand the token scope to sibling repositories.
|
|
155
166
|
- Never emit an install for a tool the analysis did not surface, and never install `OPTIONAL` tools
|
|
156
167
|
unless `--include-optional` is set.
|
|
168
|
+
- Prefer `networkAccess.allowlistDomains` over legacy top-level `allowlistDomains`; never emit
|
|
169
|
+
domains already covered by the routine environment's default Trusted list.
|
|
157
170
|
- Keep the script idempotent and detect-before-install so it is safe to re-run and cache.
|
|
158
171
|
- Preserve the inventory's `REQUIRED` vs `OPTIONAL` distinction in both fail-behavior (fatal vs
|
|
159
172
|
warn) and section placement.
|
|
@@ -148,9 +148,14 @@ Group the findings as:
|
|
|
148
148
|
7. **Platform constraints** — surface the non-config constraints as `GAP`/`RISK` so the user is
|
|
149
149
|
not surprised: routines run with no interactive permission prompts and cannot ask the user
|
|
150
150
|
mid-run; interactive auth (SSO/OAuth browser, keychain) is unavailable; GitHub org IP
|
|
151
|
-
allowlisting blocks cloud sessions;
|
|
152
|
-
|
|
153
|
-
|
|
151
|
+
allowlisting blocks cloud sessions; raw GitHub clone/fetch/push operations are handled by
|
|
152
|
+
Claude's connected-GitHub proxy/identity and do not need a separate PAT; the `gh` CLI is not the
|
|
153
|
+
same substrate and still needs `GH_TOKEN`; outbound traffic is controlled by the routine
|
|
154
|
+
environment network tier, where the default Trusted tier includes common development domains and
|
|
155
|
+
package registries but arbitrary integration hosts need Custom or Full access; environment
|
|
156
|
+
variables and setup scripts are stored in the cloud environment configuration and are visible to
|
|
157
|
+
anyone who can edit that environment; resource limits (~4 vCPU / 16 GB RAM / 30 GB disk); no
|
|
158
|
+
desktop/computer-use; no statusline/theme rendering.
|
|
154
159
|
|
|
155
160
|
8. **Host-project app needs** — note any build/test/run command a routine would invoke and any
|
|
156
161
|
runtime service it depends on (database, queue, external API) that will not exist in a fresh
|
|
@@ -168,9 +173,18 @@ unsuffixed `…_TOKEN`/`…_KEY` is the simplest to set in a single-account rout
|
|
|
168
173
|
|
|
169
174
|
### GitHub — `tracker: github` and/or `source: github`
|
|
170
175
|
- Headless substrate: `gh` CLI authed by token (every Lisa GitHub script gates on `gh auth status`).
|
|
171
|
-
-
|
|
176
|
+
- Platform substrate: Claude's connected-GitHub proxy/identity authenticates raw git
|
|
177
|
+
clone/fetch/push for repositories the routine can access. Do not ask for a PAT solely for raw git
|
|
178
|
+
or sibling-repo clones.
|
|
179
|
+
- Env: `GH_TOKEN` for the `gh` CLI only; set it because Lisa's PR/issue lifecycle shells out to
|
|
180
|
+
`gh`. Do not describe it as required for raw git clone/fetch/push.
|
|
172
181
|
- Acquire: fine-grained — `https://github.com/settings/personal-access-tokens`; classic — `https://github.com/settings/tokens`.
|
|
173
|
-
- Access: fine-grained → Repository access to the
|
|
182
|
+
- Access: fine-grained → Repository access to the repo(s) where Lisa will run `gh` commands (the
|
|
183
|
+
project repo, and the Lisa repo only if filing Lisa issues); Repository permissions: Contents R/W,
|
|
184
|
+
Issues R/W, Pull requests R/W, Metadata R (mandatory); add Workflows R/W only if editing
|
|
185
|
+
`.github/workflows`, and Organization → Projects R/W only if using ProjectV2. Do not include
|
|
186
|
+
sibling repos that are only cloned/fetched with raw git. Classic equivalent: `repo` + `workflow`
|
|
187
|
+
(+ `project`, `read:org` for boards). The identity must hold WRITE/MAINTAIN/ADMIN on the repo.
|
|
174
188
|
|
|
175
189
|
### JIRA — `tracker: jira`
|
|
176
190
|
- Headless substrate: `jira-cli` + curl (Basic auth). The acli and Atlassian-MCP tiers need prior interactive/OAuth auth → not viable headless.
|
|
@@ -242,6 +256,18 @@ so the generator can render acquisition comments into its template:
|
|
|
242
256
|
{ "name": "linear-server", "transport": "http", "auth": "oauth", "headlessUsable": false, "replacedBy": "LINEAR_API_KEY + Linear GraphQL", "dormant": true }
|
|
243
257
|
],
|
|
244
258
|
"gaps": [ "auto-memory not synced to cloud", "bun package fetch behind proxy", "OS keychain absent — env-var token form only" ],
|
|
259
|
+
"platform": {
|
|
260
|
+
"githubProxy": {
|
|
261
|
+
"rawGitAuthenticated": true,
|
|
262
|
+
"crossRepoAccess": "repositories reachable by the connected GitHub identity/routine access do not need a PAT for raw git",
|
|
263
|
+
"ghCliNeedsToken": true
|
|
264
|
+
},
|
|
265
|
+
"secretsVisibility": "environment variables and setup scripts are visible to environment editors"
|
|
266
|
+
},
|
|
267
|
+
"networkAccess": {
|
|
268
|
+
"tier": "custom",
|
|
269
|
+
"allowlistDomains": []
|
|
270
|
+
},
|
|
245
271
|
"allowlistDomains": []
|
|
246
272
|
}
|
|
247
273
|
```
|
|
@@ -269,5 +295,13 @@ so the generator can render acquisition comments into its template:
|
|
|
269
295
|
Lisa's `setup-*` skills) — transcribe them exactly; never guess at the access a token needs.
|
|
270
296
|
- For the active `tracker`/`source`, always report the **env-var** form of the secret, never the OS
|
|
271
297
|
keychain form — keychain reads do not work in a cloud routine.
|
|
298
|
+
- For GitHub, keep the split explicit: raw git uses the platform GitHub proxy/identity, while
|
|
299
|
+
`GH_TOKEN` is for `gh` CLI commands. Sibling repos that are only cloned or fetched with raw git do
|
|
300
|
+
not belong in the token scope.
|
|
301
|
+
- Add GitHub/npm/PyPI/Docker Hub/common development domains to neither `allowlistDomains` nor
|
|
302
|
+
`networkAccess.allowlistDomains`; those are covered by the routine environment's default Trusted
|
|
303
|
+
list. Only non-default integration hosts require Custom-network allowlisting.
|
|
304
|
+
- Always include a `RISK`/`GAP` finding when environment secrets or setup scripts would be visible
|
|
305
|
+
to environment editors; never imply the generated script can hide them.
|
|
272
306
|
- A browser-OAuth MCP (or interactively-authed CLI) backing an active integration is a `GAP`; the
|
|
273
307
|
remediation is its token substrate from the table, not "authenticate the MCP".
|
|
@@ -30,8 +30,9 @@ tracker/source, plus the host project's own package manager and tooling — not
|
|
|
30
30
|
## Procedure
|
|
31
31
|
|
|
32
32
|
1. **Inventory.** Invoke `/lisa:analyze-claude-remote --json` and parse its machine-readable
|
|
33
|
-
inventory block (`packageManager`, `tools`, `env`, `mcp`, `gaps`, `
|
|
34
|
-
analysis cannot run, stop and report why — never
|
|
33
|
+
inventory block (`packageManager`, `tools`, `env`, `mcp`, `gaps`, `platform`,
|
|
34
|
+
`networkAccess`, `allowlistDomains`). If the analysis cannot run, stop and report why — never
|
|
35
|
+
emit a script from guesses.
|
|
35
36
|
|
|
36
37
|
2. **Compose the setup script** from the inventory. The script must be:
|
|
37
38
|
- **Idempotent & detect-before-install** — every install guarded by a `command -v <tool>` check
|
|
@@ -62,11 +63,17 @@ tracker/source, plus the host project's own package manager and tooling — not
|
|
|
62
63
|
where to get the token and what permissions it needs. Emit only the **env-var form** of the name
|
|
63
64
|
that the analysis reported (including any per-account suffixed form like `LINEAR_API_KEY_<slug>`);
|
|
64
65
|
never emit a keychain instruction — keychain does not exist in a cloud routine.
|
|
66
|
+
When the entry is `GH_TOKEN`, add a comment from `platform.githubProxy` clarifying that the token
|
|
67
|
+
is for `gh` CLI commands against the project/Lisa repos, not for raw git clone/fetch/push or
|
|
68
|
+
sibling repos reachable through the routine's GitHub proxy.
|
|
65
69
|
|
|
66
70
|
4. **Emit the allowlist + gaps notice.** List any custom domains the setup or runtime reaches
|
|
67
|
-
(from `allowlistDomains
|
|
68
|
-
|
|
69
|
-
|
|
71
|
+
(from `networkAccess.allowlistDomains`, falling back to legacy `allowlistDomains`) that the user
|
|
72
|
+
must add when the environment needs Custom network access. Do not include default Trusted domains
|
|
73
|
+
such as GitHub, npm/PyPI registries, or Docker Hub. Echo the `gaps` from the analysis
|
|
74
|
+
(auto-memory not synced, interactive-auth/stdio-MCP unavailable, etc.) and the
|
|
75
|
+
`platform.secretsVisibility` warning as a header comment so the user knows what the script
|
|
76
|
+
**cannot** fix.
|
|
70
77
|
|
|
71
78
|
5. **Write and report.** Write the script to `--out` (default `scripts/claude-remote-setup.sh`),
|
|
72
79
|
`chmod +x` it, and print: the path, a one-line summary of what it installs and which env vars to
|
|
@@ -92,9 +99,11 @@ shape, not a fixed payload):
|
|
|
92
99
|
# # --- credentials for the active tracker/source (set in the environment UI) ---
|
|
93
100
|
# # Acquire: https://github.com/settings/personal-access-tokens
|
|
94
101
|
# # Access: fine-grained PAT on target repo: Contents R/W, Issues R/W, Pull requests R/W, Metadata R
|
|
102
|
+
# # Note: GH_TOKEN is for gh CLI only. Raw git uses Claude's connected-GitHub proxy/identity;
|
|
103
|
+
# # sibling repos reached only by raw git do not need to be in this token scope.
|
|
95
104
|
# - GH_TOKEN=<token> # REQUIRED, github is the active tracker+source
|
|
96
|
-
# NETWORK: allowlist these domains
|
|
97
|
-
# - <allowlistDomains, if any>
|
|
105
|
+
# NETWORK: set the environment to Custom and allowlist these non-default domains if not on Full:
|
|
106
|
+
# - <networkAccess.allowlistDomains, if any>
|
|
98
107
|
set -uo pipefail
|
|
99
108
|
|
|
100
109
|
need() { command -v "$1" >/dev/null 2>&1; }
|
|
@@ -152,8 +161,12 @@ to stop are: the analysis could not run, or the `--out` path is not writable.
|
|
|
152
161
|
- Never write real secret values into the script or template — names and placeholders only.
|
|
153
162
|
- For active tracker/source credentials, carry the analysis's `Acquire:` URL and `Access:` scope into
|
|
154
163
|
the template as comments, and emit only the env-var form of the name — never a keychain command.
|
|
164
|
+
- For `GH_TOKEN`, preserve the analysis's GitHub proxy split: it is for `gh` CLI commands only, and
|
|
165
|
+
raw git/cross-repo clone guidance must not expand the token scope to sibling repositories.
|
|
155
166
|
- Never emit an install for a tool the analysis did not surface, and never install `OPTIONAL` tools
|
|
156
167
|
unless `--include-optional` is set.
|
|
168
|
+
- Prefer `networkAccess.allowlistDomains` over legacy top-level `allowlistDomains`; never emit
|
|
169
|
+
domains already covered by the routine environment's default Trusted list.
|
|
157
170
|
- Keep the script idempotent and detect-before-install so it is safe to re-run and cache.
|
|
158
171
|
- Preserve the inventory's `REQUIRED` vs `OPTIONAL` distinction in both fail-behavior (fatal vs
|
|
159
172
|
warn) and section placement.
|
|
@@ -148,9 +148,14 @@ Group the findings as:
|
|
|
148
148
|
7. **Platform constraints** — surface the non-config constraints as `GAP`/`RISK` so the user is
|
|
149
149
|
not surprised: routines run with no interactive permission prompts and cannot ask the user
|
|
150
150
|
mid-run; interactive auth (SSO/OAuth browser, keychain) is unavailable; GitHub org IP
|
|
151
|
-
allowlisting blocks cloud sessions;
|
|
152
|
-
|
|
153
|
-
|
|
151
|
+
allowlisting blocks cloud sessions; raw GitHub clone/fetch/push operations are handled by
|
|
152
|
+
Claude's connected-GitHub proxy/identity and do not need a separate PAT; the `gh` CLI is not the
|
|
153
|
+
same substrate and still needs `GH_TOKEN`; outbound traffic is controlled by the routine
|
|
154
|
+
environment network tier, where the default Trusted tier includes common development domains and
|
|
155
|
+
package registries but arbitrary integration hosts need Custom or Full access; environment
|
|
156
|
+
variables and setup scripts are stored in the cloud environment configuration and are visible to
|
|
157
|
+
anyone who can edit that environment; resource limits (~4 vCPU / 16 GB RAM / 30 GB disk); no
|
|
158
|
+
desktop/computer-use; no statusline/theme rendering.
|
|
154
159
|
|
|
155
160
|
8. **Host-project app needs** — note any build/test/run command a routine would invoke and any
|
|
156
161
|
runtime service it depends on (database, queue, external API) that will not exist in a fresh
|
|
@@ -168,9 +173,18 @@ unsuffixed `…_TOKEN`/`…_KEY` is the simplest to set in a single-account rout
|
|
|
168
173
|
|
|
169
174
|
### GitHub — `tracker: github` and/or `source: github`
|
|
170
175
|
- Headless substrate: `gh` CLI authed by token (every Lisa GitHub script gates on `gh auth status`).
|
|
171
|
-
-
|
|
176
|
+
- Platform substrate: Claude's connected-GitHub proxy/identity authenticates raw git
|
|
177
|
+
clone/fetch/push for repositories the routine can access. Do not ask for a PAT solely for raw git
|
|
178
|
+
or sibling-repo clones.
|
|
179
|
+
- Env: `GH_TOKEN` for the `gh` CLI only; set it because Lisa's PR/issue lifecycle shells out to
|
|
180
|
+
`gh`. Do not describe it as required for raw git clone/fetch/push.
|
|
172
181
|
- Acquire: fine-grained — `https://github.com/settings/personal-access-tokens`; classic — `https://github.com/settings/tokens`.
|
|
173
|
-
- Access: fine-grained → Repository access to the
|
|
182
|
+
- Access: fine-grained → Repository access to the repo(s) where Lisa will run `gh` commands (the
|
|
183
|
+
project repo, and the Lisa repo only if filing Lisa issues); Repository permissions: Contents R/W,
|
|
184
|
+
Issues R/W, Pull requests R/W, Metadata R (mandatory); add Workflows R/W only if editing
|
|
185
|
+
`.github/workflows`, and Organization → Projects R/W only if using ProjectV2. Do not include
|
|
186
|
+
sibling repos that are only cloned/fetched with raw git. Classic equivalent: `repo` + `workflow`
|
|
187
|
+
(+ `project`, `read:org` for boards). The identity must hold WRITE/MAINTAIN/ADMIN on the repo.
|
|
174
188
|
|
|
175
189
|
### JIRA — `tracker: jira`
|
|
176
190
|
- Headless substrate: `jira-cli` + curl (Basic auth). The acli and Atlassian-MCP tiers need prior interactive/OAuth auth → not viable headless.
|
|
@@ -242,6 +256,18 @@ so the generator can render acquisition comments into its template:
|
|
|
242
256
|
{ "name": "linear-server", "transport": "http", "auth": "oauth", "headlessUsable": false, "replacedBy": "LINEAR_API_KEY + Linear GraphQL", "dormant": true }
|
|
243
257
|
],
|
|
244
258
|
"gaps": [ "auto-memory not synced to cloud", "bun package fetch behind proxy", "OS keychain absent — env-var token form only" ],
|
|
259
|
+
"platform": {
|
|
260
|
+
"githubProxy": {
|
|
261
|
+
"rawGitAuthenticated": true,
|
|
262
|
+
"crossRepoAccess": "repositories reachable by the connected GitHub identity/routine access do not need a PAT for raw git",
|
|
263
|
+
"ghCliNeedsToken": true
|
|
264
|
+
},
|
|
265
|
+
"secretsVisibility": "environment variables and setup scripts are visible to environment editors"
|
|
266
|
+
},
|
|
267
|
+
"networkAccess": {
|
|
268
|
+
"tier": "custom",
|
|
269
|
+
"allowlistDomains": []
|
|
270
|
+
},
|
|
245
271
|
"allowlistDomains": []
|
|
246
272
|
}
|
|
247
273
|
```
|
|
@@ -269,5 +295,13 @@ so the generator can render acquisition comments into its template:
|
|
|
269
295
|
Lisa's `setup-*` skills) — transcribe them exactly; never guess at the access a token needs.
|
|
270
296
|
- For the active `tracker`/`source`, always report the **env-var** form of the secret, never the OS
|
|
271
297
|
keychain form — keychain reads do not work in a cloud routine.
|
|
298
|
+
- For GitHub, keep the split explicit: raw git uses the platform GitHub proxy/identity, while
|
|
299
|
+
`GH_TOKEN` is for `gh` CLI commands. Sibling repos that are only cloned or fetched with raw git do
|
|
300
|
+
not belong in the token scope.
|
|
301
|
+
- Add GitHub/npm/PyPI/Docker Hub/common development domains to neither `allowlistDomains` nor
|
|
302
|
+
`networkAccess.allowlistDomains`; those are covered by the routine environment's default Trusted
|
|
303
|
+
list. Only non-default integration hosts require Custom-network allowlisting.
|
|
304
|
+
- Always include a `RISK`/`GAP` finding when environment secrets or setup scripts would be visible
|
|
305
|
+
to environment editors; never imply the generated script can hide them.
|
|
272
306
|
- A browser-OAuth MCP (or interactively-authed CLI) backing an active integration is a `GAP`; the
|
|
273
307
|
remediation is its token substrate from the table, not "authenticate the MCP".
|
|
@@ -30,8 +30,9 @@ tracker/source, plus the host project's own package manager and tooling — not
|
|
|
30
30
|
## Procedure
|
|
31
31
|
|
|
32
32
|
1. **Inventory.** Invoke `/lisa:analyze-claude-remote --json` and parse its machine-readable
|
|
33
|
-
inventory block (`packageManager`, `tools`, `env`, `mcp`, `gaps`, `
|
|
34
|
-
analysis cannot run, stop and report why — never
|
|
33
|
+
inventory block (`packageManager`, `tools`, `env`, `mcp`, `gaps`, `platform`,
|
|
34
|
+
`networkAccess`, `allowlistDomains`). If the analysis cannot run, stop and report why — never
|
|
35
|
+
emit a script from guesses.
|
|
35
36
|
|
|
36
37
|
2. **Compose the setup script** from the inventory. The script must be:
|
|
37
38
|
- **Idempotent & detect-before-install** — every install guarded by a `command -v <tool>` check
|
|
@@ -62,11 +63,17 @@ tracker/source, plus the host project's own package manager and tooling — not
|
|
|
62
63
|
where to get the token and what permissions it needs. Emit only the **env-var form** of the name
|
|
63
64
|
that the analysis reported (including any per-account suffixed form like `LINEAR_API_KEY_<slug>`);
|
|
64
65
|
never emit a keychain instruction — keychain does not exist in a cloud routine.
|
|
66
|
+
When the entry is `GH_TOKEN`, add a comment from `platform.githubProxy` clarifying that the token
|
|
67
|
+
is for `gh` CLI commands against the project/Lisa repos, not for raw git clone/fetch/push or
|
|
68
|
+
sibling repos reachable through the routine's GitHub proxy.
|
|
65
69
|
|
|
66
70
|
4. **Emit the allowlist + gaps notice.** List any custom domains the setup or runtime reaches
|
|
67
|
-
(from `allowlistDomains
|
|
68
|
-
|
|
69
|
-
|
|
71
|
+
(from `networkAccess.allowlistDomains`, falling back to legacy `allowlistDomains`) that the user
|
|
72
|
+
must add when the environment needs Custom network access. Do not include default Trusted domains
|
|
73
|
+
such as GitHub, npm/PyPI registries, or Docker Hub. Echo the `gaps` from the analysis
|
|
74
|
+
(auto-memory not synced, interactive-auth/stdio-MCP unavailable, etc.) and the
|
|
75
|
+
`platform.secretsVisibility` warning as a header comment so the user knows what the script
|
|
76
|
+
**cannot** fix.
|
|
70
77
|
|
|
71
78
|
5. **Write and report.** Write the script to `--out` (default `scripts/claude-remote-setup.sh`),
|
|
72
79
|
`chmod +x` it, and print: the path, a one-line summary of what it installs and which env vars to
|
|
@@ -92,9 +99,11 @@ shape, not a fixed payload):
|
|
|
92
99
|
# # --- credentials for the active tracker/source (set in the environment UI) ---
|
|
93
100
|
# # Acquire: https://github.com/settings/personal-access-tokens
|
|
94
101
|
# # Access: fine-grained PAT on target repo: Contents R/W, Issues R/W, Pull requests R/W, Metadata R
|
|
102
|
+
# # Note: GH_TOKEN is for gh CLI only. Raw git uses Claude's connected-GitHub proxy/identity;
|
|
103
|
+
# # sibling repos reached only by raw git do not need to be in this token scope.
|
|
95
104
|
# - GH_TOKEN=<token> # REQUIRED, github is the active tracker+source
|
|
96
|
-
# NETWORK: allowlist these domains
|
|
97
|
-
# - <allowlistDomains, if any>
|
|
105
|
+
# NETWORK: set the environment to Custom and allowlist these non-default domains if not on Full:
|
|
106
|
+
# - <networkAccess.allowlistDomains, if any>
|
|
98
107
|
set -uo pipefail
|
|
99
108
|
|
|
100
109
|
need() { command -v "$1" >/dev/null 2>&1; }
|
|
@@ -152,8 +161,12 @@ to stop are: the analysis could not run, or the `--out` path is not writable.
|
|
|
152
161
|
- Never write real secret values into the script or template — names and placeholders only.
|
|
153
162
|
- For active tracker/source credentials, carry the analysis's `Acquire:` URL and `Access:` scope into
|
|
154
163
|
the template as comments, and emit only the env-var form of the name — never a keychain command.
|
|
164
|
+
- For `GH_TOKEN`, preserve the analysis's GitHub proxy split: it is for `gh` CLI commands only, and
|
|
165
|
+
raw git/cross-repo clone guidance must not expand the token scope to sibling repositories.
|
|
155
166
|
- Never emit an install for a tool the analysis did not surface, and never install `OPTIONAL` tools
|
|
156
167
|
unless `--include-optional` is set.
|
|
168
|
+
- Prefer `networkAccess.allowlistDomains` over legacy top-level `allowlistDomains`; never emit
|
|
169
|
+
domains already covered by the routine environment's default Trusted list.
|
|
157
170
|
- Keep the script idempotent and detect-before-install so it is safe to re-run and cache.
|
|
158
171
|
- Preserve the inventory's `REQUIRED` vs `OPTIONAL` distinction in both fail-behavior (fatal vs
|
|
159
172
|
warn) and section placement.
|
|
@@ -148,9 +148,14 @@ Group the findings as:
|
|
|
148
148
|
7. **Platform constraints** — surface the non-config constraints as `GAP`/`RISK` so the user is
|
|
149
149
|
not surprised: routines run with no interactive permission prompts and cannot ask the user
|
|
150
150
|
mid-run; interactive auth (SSO/OAuth browser, keychain) is unavailable; GitHub org IP
|
|
151
|
-
allowlisting blocks cloud sessions;
|
|
152
|
-
|
|
153
|
-
|
|
151
|
+
allowlisting blocks cloud sessions; raw GitHub clone/fetch/push operations are handled by
|
|
152
|
+
Claude's connected-GitHub proxy/identity and do not need a separate PAT; the `gh` CLI is not the
|
|
153
|
+
same substrate and still needs `GH_TOKEN`; outbound traffic is controlled by the routine
|
|
154
|
+
environment network tier, where the default Trusted tier includes common development domains and
|
|
155
|
+
package registries but arbitrary integration hosts need Custom or Full access; environment
|
|
156
|
+
variables and setup scripts are stored in the cloud environment configuration and are visible to
|
|
157
|
+
anyone who can edit that environment; resource limits (~4 vCPU / 16 GB RAM / 30 GB disk); no
|
|
158
|
+
desktop/computer-use; no statusline/theme rendering.
|
|
154
159
|
|
|
155
160
|
8. **Host-project app needs** — note any build/test/run command a routine would invoke and any
|
|
156
161
|
runtime service it depends on (database, queue, external API) that will not exist in a fresh
|
|
@@ -168,9 +173,18 @@ unsuffixed `…_TOKEN`/`…_KEY` is the simplest to set in a single-account rout
|
|
|
168
173
|
|
|
169
174
|
### GitHub — `tracker: github` and/or `source: github`
|
|
170
175
|
- Headless substrate: `gh` CLI authed by token (every Lisa GitHub script gates on `gh auth status`).
|
|
171
|
-
-
|
|
176
|
+
- Platform substrate: Claude's connected-GitHub proxy/identity authenticates raw git
|
|
177
|
+
clone/fetch/push for repositories the routine can access. Do not ask for a PAT solely for raw git
|
|
178
|
+
or sibling-repo clones.
|
|
179
|
+
- Env: `GH_TOKEN` for the `gh` CLI only; set it because Lisa's PR/issue lifecycle shells out to
|
|
180
|
+
`gh`. Do not describe it as required for raw git clone/fetch/push.
|
|
172
181
|
- Acquire: fine-grained — `https://github.com/settings/personal-access-tokens`; classic — `https://github.com/settings/tokens`.
|
|
173
|
-
- Access: fine-grained → Repository access to the
|
|
182
|
+
- Access: fine-grained → Repository access to the repo(s) where Lisa will run `gh` commands (the
|
|
183
|
+
project repo, and the Lisa repo only if filing Lisa issues); Repository permissions: Contents R/W,
|
|
184
|
+
Issues R/W, Pull requests R/W, Metadata R (mandatory); add Workflows R/W only if editing
|
|
185
|
+
`.github/workflows`, and Organization → Projects R/W only if using ProjectV2. Do not include
|
|
186
|
+
sibling repos that are only cloned/fetched with raw git. Classic equivalent: `repo` + `workflow`
|
|
187
|
+
(+ `project`, `read:org` for boards). The identity must hold WRITE/MAINTAIN/ADMIN on the repo.
|
|
174
188
|
|
|
175
189
|
### JIRA — `tracker: jira`
|
|
176
190
|
- Headless substrate: `jira-cli` + curl (Basic auth). The acli and Atlassian-MCP tiers need prior interactive/OAuth auth → not viable headless.
|
|
@@ -242,6 +256,18 @@ so the generator can render acquisition comments into its template:
|
|
|
242
256
|
{ "name": "linear-server", "transport": "http", "auth": "oauth", "headlessUsable": false, "replacedBy": "LINEAR_API_KEY + Linear GraphQL", "dormant": true }
|
|
243
257
|
],
|
|
244
258
|
"gaps": [ "auto-memory not synced to cloud", "bun package fetch behind proxy", "OS keychain absent — env-var token form only" ],
|
|
259
|
+
"platform": {
|
|
260
|
+
"githubProxy": {
|
|
261
|
+
"rawGitAuthenticated": true,
|
|
262
|
+
"crossRepoAccess": "repositories reachable by the connected GitHub identity/routine access do not need a PAT for raw git",
|
|
263
|
+
"ghCliNeedsToken": true
|
|
264
|
+
},
|
|
265
|
+
"secretsVisibility": "environment variables and setup scripts are visible to environment editors"
|
|
266
|
+
},
|
|
267
|
+
"networkAccess": {
|
|
268
|
+
"tier": "custom",
|
|
269
|
+
"allowlistDomains": []
|
|
270
|
+
},
|
|
245
271
|
"allowlistDomains": []
|
|
246
272
|
}
|
|
247
273
|
```
|
|
@@ -269,5 +295,13 @@ so the generator can render acquisition comments into its template:
|
|
|
269
295
|
Lisa's `setup-*` skills) — transcribe them exactly; never guess at the access a token needs.
|
|
270
296
|
- For the active `tracker`/`source`, always report the **env-var** form of the secret, never the OS
|
|
271
297
|
keychain form — keychain reads do not work in a cloud routine.
|
|
298
|
+
- For GitHub, keep the split explicit: raw git uses the platform GitHub proxy/identity, while
|
|
299
|
+
`GH_TOKEN` is for `gh` CLI commands. Sibling repos that are only cloned or fetched with raw git do
|
|
300
|
+
not belong in the token scope.
|
|
301
|
+
- Add GitHub/npm/PyPI/Docker Hub/common development domains to neither `allowlistDomains` nor
|
|
302
|
+
`networkAccess.allowlistDomains`; those are covered by the routine environment's default Trusted
|
|
303
|
+
list. Only non-default integration hosts require Custom-network allowlisting.
|
|
304
|
+
- Always include a `RISK`/`GAP` finding when environment secrets or setup scripts would be visible
|
|
305
|
+
to environment editors; never imply the generated script can hide them.
|
|
272
306
|
- A browser-OAuth MCP (or interactively-authed CLI) backing an active integration is a `GAP`; the
|
|
273
307
|
remediation is its token substrate from the table, not "authenticate the MCP".
|