@codyswann/lisa 2.178.1 → 2.178.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/plugins/lisa/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa/rules/reference/integration-access-layer.md +1 -1
- package/plugins/lisa/skills/analyze-claude-remote/SKILL.md +50 -6
- package/plugins/lisa/skills/generate-claude-remote-build-script/SKILL.md +21 -0
- package/plugins/lisa/skills/jam-access/SKILL.md +12 -11
- package/plugins/lisa-agy/plugin.json +1 -1
- package/plugins/lisa-agy/skills/analyze-claude-remote/SKILL.md +50 -6
- package/plugins/lisa-agy/skills/generate-claude-remote-build-script/SKILL.md +21 -0
- package/plugins/lisa-agy/skills/jam-access/SKILL.md +12 -11
- package/plugins/lisa-cdk/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-cdk/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-cdk-agy/plugin.json +1 -1
- package/plugins/lisa-cdk-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-cdk-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-copilot/rules/reference/integration-access-layer.md +1 -1
- package/plugins/lisa-copilot/skills/analyze-claude-remote/SKILL.md +50 -6
- package/plugins/lisa-copilot/skills/generate-claude-remote-build-script/SKILL.md +21 -0
- package/plugins/lisa-copilot/skills/jam-access/SKILL.md +12 -11
- package/plugins/lisa-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-cursor/rules/integration-access-layer-reference.mdc +1 -1
- package/plugins/lisa-cursor/skills/analyze-claude-remote/SKILL.md +50 -6
- package/plugins/lisa-cursor/skills/generate-claude-remote-build-script/SKILL.md +21 -0
- package/plugins/lisa-cursor/skills/jam-access/SKILL.md +12 -11
- package/plugins/lisa-expo/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-expo/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-expo-agy/plugin.json +1 -1
- package/plugins/lisa-expo-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-expo-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-harper-fabric/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-harper-fabric/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-harper-fabric-agy/plugin.json +1 -1
- package/plugins/lisa-harper-fabric-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-harper-fabric-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-nestjs/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-nestjs/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-nestjs-agy/plugin.json +1 -1
- package/plugins/lisa-nestjs-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-nestjs-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-openclaw/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-openclaw/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-openclaw-agy/plugin.json +1 -1
- package/plugins/lisa-openclaw-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-openclaw-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-phaser/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-phaser/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-phaser-agy/plugin.json +1 -1
- package/plugins/lisa-phaser-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-phaser-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-rails/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-rails/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-rails-agy/plugin.json +1 -1
- package/plugins/lisa-rails-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-rails-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-typescript/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-typescript/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-typescript-agy/plugin.json +1 -1
- package/plugins/lisa-typescript-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-typescript-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-wiki/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-wiki/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-wiki-agy/plugin.json +1 -1
- package/plugins/lisa-wiki-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-wiki-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/src/base/rules/reference/integration-access-layer.md +1 -1
- package/plugins/src/base/skills/analyze-claude-remote/SKILL.md +50 -6
- package/plugins/src/base/skills/generate-claude-remote-build-script/SKILL.md +21 -0
- package/plugins/src/base/skills/jam-access/SKILL.md +12 -11
package/package.json
CHANGED
|
@@ -91,7 +91,7 @@
|
|
|
91
91
|
"ws": ">=8.20.1"
|
|
92
92
|
},
|
|
93
93
|
"name": "@codyswann/lisa",
|
|
94
|
-
"version": "2.178.
|
|
94
|
+
"version": "2.178.2",
|
|
95
95
|
"description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
|
|
96
96
|
"main": "dist/index.js",
|
|
97
97
|
"exports": {
|
|
@@ -22,7 +22,7 @@ available.
|
|
|
22
22
|
| Atlassian | `lisa:atlassian-access` | `ATLASSIAN_API_TOKEN` | Atlassian Cloud REST |
|
|
23
23
|
| Notion | `lisa:notion-access` | `NOTION_API_TOKEN` | Notion REST |
|
|
24
24
|
| Linear | `lisa:linear-access` | `LINEAR_API_KEY` | Linear GraphQL |
|
|
25
|
-
| Jam | `lisa:jam-access` | `JAM_PAT` | Jam
|
|
25
|
+
| Jam | `lisa:jam-access` | `JAM_PAT` | Jam CLI |
|
|
26
26
|
| SonarCloud | `lisa:sonarcloud-access` | `SONAR_TOKEN` | SonarCloud Web API |
|
|
27
27
|
| Sentry | `lisa:sentry-access` | `SENTRY_AUTH_TOKEN` | Sentry REST API |
|
|
28
28
|
| PostHog | `lisa:posthog-access` | `POSTHOG_PERSONAL_API_KEY` | PostHog REST API |
|
|
@@ -133,11 +133,35 @@ Group the findings as:
|
|
|
133
133
|
`RISK`/`GAP` (need a local process — only viable if the cloud session can spawn them from the
|
|
134
134
|
repo). Flag interactively/OAuth-authed servers as `GAP` for headless auth — they cannot complete
|
|
135
135
|
a browser flow headless **regardless of transport** (an HTTP MCP like `linear-server` is still a
|
|
136
|
-
`GAP` because its *auth* is OAuth, not because of its transport).
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
136
|
+
`GAP` because its *auth* is OAuth, not because of its transport). Before finalizing any
|
|
137
|
+
OAuth/interactive/stdio MCP as a flat `GAP`, check for a documented headless substrate: a
|
|
138
|
+
static-token MCP header, a vendor CLI that can login from an env token, or a token-authenticated
|
|
139
|
+
REST API that the MCP wraps. If documented evidence exists, mark the MCP `headlessUsable: true`
|
|
140
|
+
in the inventory, mark the supporting secret `required: false` / `secret: true` unless the
|
|
141
|
+
integration is active, and set `replacedBy` to the concrete substrate rather than leaving it as
|
|
142
|
+
an impossible capability. When an OAuth MCP backs an active tracker/source, do not stop at the
|
|
143
|
+
`GAP` — cross-reference group 4a and point to the integration's token substrate as the headless
|
|
144
|
+
replacement (e.g. `linear-server` MCP -> `LINEAR_API_KEY` + Linear GraphQL). Note any user-scoped
|
|
145
|
+
MCP (`~/.claude.json`) as `GAP` — it never reaches the cloud; it must be moved into project
|
|
146
|
+
`.mcp.json`.
|
|
147
|
+
|
|
148
|
+
Use this data-driven hint table as seed evidence, and extend it only when you can cite a vendor
|
|
149
|
+
doc or committed access-skill reference:
|
|
150
|
+
|
|
151
|
+
| Match | Substrate | Env | Setup / wiring | Domains |
|
|
152
|
+
|---|---|---|---|---|
|
|
153
|
+
| `mcp.jam.dev`, `jam`, or Jam MCP entries | Jam CLI (`jam`) authenticated by PAT | `JAM_PAT` | install with `curl -fsSL https://native.jam.dev/install | bash`; export `~/.local/bin`; run `printf '%s' "$JAM_PAT" | jam auth login --token`; optionally `jam skills install` | `native.jam.dev`, `api.jam.dev` |
|
|
154
|
+
| `mcp/sonarqube`, `sonarqube`, or SonarCloud/SonarQube MCP entries | SonarCloud Web API | `SONAR_TOKEN` | use REST calls against `https://sonarcloud.io/api/`; if a host needs legacy token-as-basic-auth, put that in the access adapter | `sonarcloud.io` |
|
|
155
|
+
|
|
156
|
+
For PAT-bearer MCP substrates that really use the same MCP transport, include `mcpHeaders` in
|
|
157
|
+
the inventory with a snippet such as `headers: { "Authorization": "Bearer ${VAR}" }` so the
|
|
158
|
+
generator can print a commented `.mcp.json` example. Do **not** use that for Jam: Jam's preferred
|
|
159
|
+
headless substrate is the `jam` CLI, so the generator should emit CLI setup lines instead of an
|
|
160
|
+
`.mcp.json` header snippet.
|
|
161
|
+
|
|
162
|
+
When no documented substrate is known, keep the MCP as `headlessUsable: false` / `GAP`, and add
|
|
163
|
+
an action line like: `check the vendor for a documented PAT, API-key, CLI, or REST substrate`.
|
|
164
|
+
Never assert that no substrate exists unless the vendor documentation explicitly says so.
|
|
141
165
|
|
|
142
166
|
6. **Config scope & memory gaps** — identify reliance on user-scoped config that will not load
|
|
143
167
|
remotely: `~/.claude/CLAUDE.md`, user `enabledPlugins`, user skills/agents, user MCP. Most
|
|
@@ -250,10 +274,27 @@ so the generator can render acquisition comments into its template:
|
|
|
250
274
|
"headlessSubstrate": "gh CLI (token)",
|
|
251
275
|
"acquireUrl": "https://github.com/settings/personal-access-tokens",
|
|
252
276
|
"accessScope": "fine-grained PAT on target repo: Contents R/W, Issues R/W, Pull requests R/W, Metadata R; +Workflows R/W if editing .github/workflows; +Projects R/W if using ProjectV2"
|
|
277
|
+
},
|
|
278
|
+
{
|
|
279
|
+
"name": "JAM_PAT", "required": false, "secret": true, "integration": "jam",
|
|
280
|
+
"reason": "optional non-tracker MCP recovery; Jam CLI can authenticate headlessly from a PAT",
|
|
281
|
+
"headlessSubstrate": "jam CLI (PAT)",
|
|
282
|
+
"acquireUrl": "https://jam.dev/docs/debug-a-jam/mcp/personal-access-tokens",
|
|
283
|
+
"accessScope": "Jam Personal Access Token for the workspace/team whose traces the routine needs to read",
|
|
284
|
+
"setupSnippet": "curl -fsSL https://native.jam.dev/install | bash; export PATH=\"$HOME/.local/bin:$PATH\"; printf '%s' \"$JAM_PAT\" | jam auth login --token; jam skills install"
|
|
285
|
+
},
|
|
286
|
+
{
|
|
287
|
+
"name": "SONAR_TOKEN", "required": false, "secret": true, "integration": "sonarcloud",
|
|
288
|
+
"reason": "optional non-tracker MCP recovery; SonarQube MCP wraps the token-authenticated SonarCloud Web API",
|
|
289
|
+
"headlessSubstrate": "SonarCloud Web API (token)",
|
|
290
|
+
"acquireUrl": "https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens",
|
|
291
|
+
"accessScope": "token must be able to read the target SonarCloud organization/project quality gate, issues, hotspots, rules, and source snippets"
|
|
253
292
|
}
|
|
254
293
|
],
|
|
255
294
|
"mcp": [
|
|
256
|
-
{ "name": "linear-server", "transport": "http", "auth": "oauth", "headlessUsable": false, "replacedBy": "LINEAR_API_KEY + Linear GraphQL", "dormant": true }
|
|
295
|
+
{ "name": "linear-server", "transport": "http", "auth": "oauth", "headlessUsable": false, "replacedBy": "LINEAR_API_KEY + Linear GraphQL", "dormant": true },
|
|
296
|
+
{ "name": "jam", "transport": "http", "auth": "oauth", "headlessUsable": true, "replacedBy": "jam CLI + JAM_PAT", "dormant": true },
|
|
297
|
+
{ "name": "sonarqube", "transport": "stdio", "auth": "local-wrapper", "headlessUsable": true, "replacedBy": "SONAR_TOKEN + SonarCloud Web API", "dormant": true }
|
|
257
298
|
],
|
|
258
299
|
"gaps": [ "auto-memory not synced to cloud", "bun package fetch behind proxy", "OS keychain absent — env-var token form only" ],
|
|
259
300
|
"platform": {
|
|
@@ -305,3 +346,6 @@ so the generator can render acquisition comments into its template:
|
|
|
305
346
|
to environment editors; never imply the generated script can hide them.
|
|
306
347
|
- A browser-OAuth MCP (or interactively-authed CLI) backing an active integration is a `GAP`; the
|
|
307
348
|
remediation is its token substrate from the table, not "authenticate the MCP".
|
|
349
|
+
- For non-tracker MCPs, a documented CLI, PAT/API-key, or REST substrate converts the finding from
|
|
350
|
+
a flat `GAP` into an `OPTIONAL` headless recovery path; unknown vendors remain gaps with a
|
|
351
|
+
vendor-substrate follow-up, not invented credentials.
|
|
@@ -66,6 +66,27 @@ tracker/source, plus the host project's own package manager and tooling — not
|
|
|
66
66
|
When the entry is `GH_TOKEN`, add a comment from `platform.githubProxy` clarifying that the token
|
|
67
67
|
is for `gh` CLI commands against the project/Lisa repos, not for raw git clone/fetch/push or
|
|
68
68
|
sibling repos reachable through the routine's GitHub proxy.
|
|
69
|
+
For OPTIONAL non-tracker MCP recovery entries discovered by
|
|
70
|
+
`/lisa:analyze-claude-remote`, preserve the same names-only behavior:
|
|
71
|
+
include `JAM_PAT`, `SONAR_TOKEN`, or similar documented substrate env vars
|
|
72
|
+
only as optional secrets, with their acquire/scope comments when the analysis
|
|
73
|
+
supplied them. Never invent values or promote dormant substrates to required.
|
|
74
|
+
|
|
75
|
+
3a. **Emit substrate setup snippets.** When the inventory marks an MCP
|
|
76
|
+
`headlessUsable: true` through a documented substrate, render the matching
|
|
77
|
+
wiring guidance as commented, opt-in setup:
|
|
78
|
+
- CLI substrates: emit the detected install/login commands gated on the
|
|
79
|
+
optional env var. For Jam, this means `curl -fsSL https://native.jam.dev/install | bash`,
|
|
80
|
+
`export PATH="$HOME/.local/bin:$PATH"`, `printf '%s' "$JAM_PAT" | jam auth login --token`,
|
|
81
|
+
and `jam skills install`, all inside `[ -n "${JAM_PAT:-}" ] && ...` guards so missing
|
|
82
|
+
optional secrets do not fail the environment build.
|
|
83
|
+
- REST substitute substrates: do not install an MCP. Emit comments naming the
|
|
84
|
+
REST host and env var (for example `SONAR_TOKEN` with `https://sonarcloud.io/api/`) and
|
|
85
|
+
rely on the access skill or generated consumer to call the API.
|
|
86
|
+
- PAT-bearer MCP substrates: print a commented `.mcp.json` `headers` snippet from the
|
|
87
|
+
inventory's `mcpHeaders`. Use this only when the analysis explicitly says the same MCP
|
|
88
|
+
transport supports static-token auth. Do not print a Jam `.mcp.json` header snippet because
|
|
89
|
+
Jam's preferred headless substrate is its PAT-authenticated CLI.
|
|
69
90
|
|
|
70
91
|
4. **Emit the allowlist + gaps notice.** List any custom domains the setup or runtime reaches
|
|
71
92
|
(from `networkAccess.allowlistDomains`, falling back to legacy `allowlistDomains`) that the user
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: jam-access
|
|
3
|
-
description: "Vendor-neutral access layer for Jam. Jam triage rules and skills MUST delegate through this skill rather than calling Jam MCP tools directly. Resolves Jam MCP first when available, then falls back to JAM_PAT
|
|
3
|
+
description: "Vendor-neutral access layer for Jam. Jam triage rules and skills MUST delegate through this skill rather than calling Jam MCP tools directly. Resolves Jam MCP first when available, then falls back to the JAM_PAT-authenticated Jam CLI for headless routines."
|
|
4
4
|
allowed-tools: ["Bash", "Read", "Skill"]
|
|
5
5
|
---
|
|
6
6
|
|
|
@@ -24,16 +24,16 @@ Return parsed JSON or a concise structured summary in a `<result>` block.
|
|
|
24
24
|
Probe in order:
|
|
25
25
|
|
|
26
26
|
1. Jam MCP, if the tool is available and authenticated.
|
|
27
|
-
2.
|
|
27
|
+
2. Jam CLI authenticated with `JAM_PAT`.
|
|
28
28
|
|
|
29
|
-
Jam documents
|
|
30
|
-
|
|
29
|
+
Jam documents a PAT-authenticated CLI that is cleaner for remote routines than
|
|
30
|
+
editing `.mcp.json` headers. The headless tier uses:
|
|
31
31
|
|
|
32
32
|
```bash
|
|
33
|
-
curl -
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
33
|
+
curl -fsSL https://native.jam.dev/install | bash
|
|
34
|
+
export PATH="$HOME/.local/bin:$PATH"
|
|
35
|
+
printf '%s' "$JAM_PAT" | jam auth login --token
|
|
36
|
+
jam skills install
|
|
37
37
|
```
|
|
38
38
|
|
|
39
39
|
If neither tier works, fail with:
|
|
@@ -45,7 +45,8 @@ Error: no Jam access substrate available. Authenticate the Jam MCP or set JAM_PA
|
|
|
45
45
|
## Invariants
|
|
46
46
|
|
|
47
47
|
- Fallback is gated on `JAM_PAT`; do not retry Jam MCP failures blindly.
|
|
48
|
-
- Never commit a Jam PAT into `.mcp.json
|
|
49
|
-
|
|
50
|
-
|
|
48
|
+
- Never commit a Jam PAT into `.mcp.json` or any generated setup artifact.
|
|
49
|
+
- Headless Jam access requires `native.jam.dev` for the installer and
|
|
50
|
+
`api.jam.dev` for CLI/API calls in any custom remote network allowlist.
|
|
51
|
+
- If a requested operation is not yet mapped to the Jam CLI substrate, surface
|
|
51
52
|
that exact missing adapter instead of pretending the trace is unavailable.
|
|
@@ -133,11 +133,35 @@ Group the findings as:
|
|
|
133
133
|
`RISK`/`GAP` (need a local process — only viable if the cloud session can spawn them from the
|
|
134
134
|
repo). Flag interactively/OAuth-authed servers as `GAP` for headless auth — they cannot complete
|
|
135
135
|
a browser flow headless **regardless of transport** (an HTTP MCP like `linear-server` is still a
|
|
136
|
-
`GAP` because its *auth* is OAuth, not because of its transport).
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
136
|
+
`GAP` because its *auth* is OAuth, not because of its transport). Before finalizing any
|
|
137
|
+
OAuth/interactive/stdio MCP as a flat `GAP`, check for a documented headless substrate: a
|
|
138
|
+
static-token MCP header, a vendor CLI that can login from an env token, or a token-authenticated
|
|
139
|
+
REST API that the MCP wraps. If documented evidence exists, mark the MCP `headlessUsable: true`
|
|
140
|
+
in the inventory, mark the supporting secret `required: false` / `secret: true` unless the
|
|
141
|
+
integration is active, and set `replacedBy` to the concrete substrate rather than leaving it as
|
|
142
|
+
an impossible capability. When an OAuth MCP backs an active tracker/source, do not stop at the
|
|
143
|
+
`GAP` — cross-reference group 4a and point to the integration's token substrate as the headless
|
|
144
|
+
replacement (e.g. `linear-server` MCP -> `LINEAR_API_KEY` + Linear GraphQL). Note any user-scoped
|
|
145
|
+
MCP (`~/.claude.json`) as `GAP` — it never reaches the cloud; it must be moved into project
|
|
146
|
+
`.mcp.json`.
|
|
147
|
+
|
|
148
|
+
Use this data-driven hint table as seed evidence, and extend it only when you can cite a vendor
|
|
149
|
+
doc or committed access-skill reference:
|
|
150
|
+
|
|
151
|
+
| Match | Substrate | Env | Setup / wiring | Domains |
|
|
152
|
+
|---|---|---|---|---|
|
|
153
|
+
| `mcp.jam.dev`, `jam`, or Jam MCP entries | Jam CLI (`jam`) authenticated by PAT | `JAM_PAT` | install with `curl -fsSL https://native.jam.dev/install | bash`; export `~/.local/bin`; run `printf '%s' "$JAM_PAT" | jam auth login --token`; optionally `jam skills install` | `native.jam.dev`, `api.jam.dev` |
|
|
154
|
+
| `mcp/sonarqube`, `sonarqube`, or SonarCloud/SonarQube MCP entries | SonarCloud Web API | `SONAR_TOKEN` | use REST calls against `https://sonarcloud.io/api/`; if a host needs legacy token-as-basic-auth, put that in the access adapter | `sonarcloud.io` |
|
|
155
|
+
|
|
156
|
+
For PAT-bearer MCP substrates that really use the same MCP transport, include `mcpHeaders` in
|
|
157
|
+
the inventory with a snippet such as `headers: { "Authorization": "Bearer ${VAR}" }` so the
|
|
158
|
+
generator can print a commented `.mcp.json` example. Do **not** use that for Jam: Jam's preferred
|
|
159
|
+
headless substrate is the `jam` CLI, so the generator should emit CLI setup lines instead of an
|
|
160
|
+
`.mcp.json` header snippet.
|
|
161
|
+
|
|
162
|
+
When no documented substrate is known, keep the MCP as `headlessUsable: false` / `GAP`, and add
|
|
163
|
+
an action line like: `check the vendor for a documented PAT, API-key, CLI, or REST substrate`.
|
|
164
|
+
Never assert that no substrate exists unless the vendor documentation explicitly says so.
|
|
141
165
|
|
|
142
166
|
6. **Config scope & memory gaps** — identify reliance on user-scoped config that will not load
|
|
143
167
|
remotely: `~/.claude/CLAUDE.md`, user `enabledPlugins`, user skills/agents, user MCP. Most
|
|
@@ -250,10 +274,27 @@ so the generator can render acquisition comments into its template:
|
|
|
250
274
|
"headlessSubstrate": "gh CLI (token)",
|
|
251
275
|
"acquireUrl": "https://github.com/settings/personal-access-tokens",
|
|
252
276
|
"accessScope": "fine-grained PAT on target repo: Contents R/W, Issues R/W, Pull requests R/W, Metadata R; +Workflows R/W if editing .github/workflows; +Projects R/W if using ProjectV2"
|
|
277
|
+
},
|
|
278
|
+
{
|
|
279
|
+
"name": "JAM_PAT", "required": false, "secret": true, "integration": "jam",
|
|
280
|
+
"reason": "optional non-tracker MCP recovery; Jam CLI can authenticate headlessly from a PAT",
|
|
281
|
+
"headlessSubstrate": "jam CLI (PAT)",
|
|
282
|
+
"acquireUrl": "https://jam.dev/docs/debug-a-jam/mcp/personal-access-tokens",
|
|
283
|
+
"accessScope": "Jam Personal Access Token for the workspace/team whose traces the routine needs to read",
|
|
284
|
+
"setupSnippet": "curl -fsSL https://native.jam.dev/install | bash; export PATH=\"$HOME/.local/bin:$PATH\"; printf '%s' \"$JAM_PAT\" | jam auth login --token; jam skills install"
|
|
285
|
+
},
|
|
286
|
+
{
|
|
287
|
+
"name": "SONAR_TOKEN", "required": false, "secret": true, "integration": "sonarcloud",
|
|
288
|
+
"reason": "optional non-tracker MCP recovery; SonarQube MCP wraps the token-authenticated SonarCloud Web API",
|
|
289
|
+
"headlessSubstrate": "SonarCloud Web API (token)",
|
|
290
|
+
"acquireUrl": "https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens",
|
|
291
|
+
"accessScope": "token must be able to read the target SonarCloud organization/project quality gate, issues, hotspots, rules, and source snippets"
|
|
253
292
|
}
|
|
254
293
|
],
|
|
255
294
|
"mcp": [
|
|
256
|
-
{ "name": "linear-server", "transport": "http", "auth": "oauth", "headlessUsable": false, "replacedBy": "LINEAR_API_KEY + Linear GraphQL", "dormant": true }
|
|
295
|
+
{ "name": "linear-server", "transport": "http", "auth": "oauth", "headlessUsable": false, "replacedBy": "LINEAR_API_KEY + Linear GraphQL", "dormant": true },
|
|
296
|
+
{ "name": "jam", "transport": "http", "auth": "oauth", "headlessUsable": true, "replacedBy": "jam CLI + JAM_PAT", "dormant": true },
|
|
297
|
+
{ "name": "sonarqube", "transport": "stdio", "auth": "local-wrapper", "headlessUsable": true, "replacedBy": "SONAR_TOKEN + SonarCloud Web API", "dormant": true }
|
|
257
298
|
],
|
|
258
299
|
"gaps": [ "auto-memory not synced to cloud", "bun package fetch behind proxy", "OS keychain absent — env-var token form only" ],
|
|
259
300
|
"platform": {
|
|
@@ -305,3 +346,6 @@ so the generator can render acquisition comments into its template:
|
|
|
305
346
|
to environment editors; never imply the generated script can hide them.
|
|
306
347
|
- A browser-OAuth MCP (or interactively-authed CLI) backing an active integration is a `GAP`; the
|
|
307
348
|
remediation is its token substrate from the table, not "authenticate the MCP".
|
|
349
|
+
- For non-tracker MCPs, a documented CLI, PAT/API-key, or REST substrate converts the finding from
|
|
350
|
+
a flat `GAP` into an `OPTIONAL` headless recovery path; unknown vendors remain gaps with a
|
|
351
|
+
vendor-substrate follow-up, not invented credentials.
|
|
@@ -66,6 +66,27 @@ tracker/source, plus the host project's own package manager and tooling — not
|
|
|
66
66
|
When the entry is `GH_TOKEN`, add a comment from `platform.githubProxy` clarifying that the token
|
|
67
67
|
is for `gh` CLI commands against the project/Lisa repos, not for raw git clone/fetch/push or
|
|
68
68
|
sibling repos reachable through the routine's GitHub proxy.
|
|
69
|
+
For OPTIONAL non-tracker MCP recovery entries discovered by
|
|
70
|
+
`/lisa:analyze-claude-remote`, preserve the same names-only behavior:
|
|
71
|
+
include `JAM_PAT`, `SONAR_TOKEN`, or similar documented substrate env vars
|
|
72
|
+
only as optional secrets, with their acquire/scope comments when the analysis
|
|
73
|
+
supplied them. Never invent values or promote dormant substrates to required.
|
|
74
|
+
|
|
75
|
+
3a. **Emit substrate setup snippets.** When the inventory marks an MCP
|
|
76
|
+
`headlessUsable: true` through a documented substrate, render the matching
|
|
77
|
+
wiring guidance as commented, opt-in setup:
|
|
78
|
+
- CLI substrates: emit the detected install/login commands gated on the
|
|
79
|
+
optional env var. For Jam, this means `curl -fsSL https://native.jam.dev/install | bash`,
|
|
80
|
+
`export PATH="$HOME/.local/bin:$PATH"`, `printf '%s' "$JAM_PAT" | jam auth login --token`,
|
|
81
|
+
and `jam skills install`, all inside `[ -n "${JAM_PAT:-}" ] && ...` guards so missing
|
|
82
|
+
optional secrets do not fail the environment build.
|
|
83
|
+
- REST substitute substrates: do not install an MCP. Emit comments naming the
|
|
84
|
+
REST host and env var (for example `SONAR_TOKEN` with `https://sonarcloud.io/api/`) and
|
|
85
|
+
rely on the access skill or generated consumer to call the API.
|
|
86
|
+
- PAT-bearer MCP substrates: print a commented `.mcp.json` `headers` snippet from the
|
|
87
|
+
inventory's `mcpHeaders`. Use this only when the analysis explicitly says the same MCP
|
|
88
|
+
transport supports static-token auth. Do not print a Jam `.mcp.json` header snippet because
|
|
89
|
+
Jam's preferred headless substrate is its PAT-authenticated CLI.
|
|
69
90
|
|
|
70
91
|
4. **Emit the allowlist + gaps notice.** List any custom domains the setup or runtime reaches
|
|
71
92
|
(from `networkAccess.allowlistDomains`, falling back to legacy `allowlistDomains`) that the user
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: jam-access
|
|
3
|
-
description: "Vendor-neutral access layer for Jam. Jam triage rules and skills MUST delegate through this skill rather than calling Jam MCP tools directly. Resolves Jam MCP first when available, then falls back to JAM_PAT
|
|
3
|
+
description: "Vendor-neutral access layer for Jam. Jam triage rules and skills MUST delegate through this skill rather than calling Jam MCP tools directly. Resolves Jam MCP first when available, then falls back to the JAM_PAT-authenticated Jam CLI for headless routines."
|
|
4
4
|
allowed-tools: ["Bash", "Read", "Skill"]
|
|
5
5
|
---
|
|
6
6
|
|
|
@@ -24,16 +24,16 @@ Return parsed JSON or a concise structured summary in a `<result>` block.
|
|
|
24
24
|
Probe in order:
|
|
25
25
|
|
|
26
26
|
1. Jam MCP, if the tool is available and authenticated.
|
|
27
|
-
2.
|
|
27
|
+
2. Jam CLI authenticated with `JAM_PAT`.
|
|
28
28
|
|
|
29
|
-
Jam documents
|
|
30
|
-
|
|
29
|
+
Jam documents a PAT-authenticated CLI that is cleaner for remote routines than
|
|
30
|
+
editing `.mcp.json` headers. The headless tier uses:
|
|
31
31
|
|
|
32
32
|
```bash
|
|
33
|
-
curl -
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
33
|
+
curl -fsSL https://native.jam.dev/install | bash
|
|
34
|
+
export PATH="$HOME/.local/bin:$PATH"
|
|
35
|
+
printf '%s' "$JAM_PAT" | jam auth login --token
|
|
36
|
+
jam skills install
|
|
37
37
|
```
|
|
38
38
|
|
|
39
39
|
If neither tier works, fail with:
|
|
@@ -45,7 +45,8 @@ Error: no Jam access substrate available. Authenticate the Jam MCP or set JAM_PA
|
|
|
45
45
|
## Invariants
|
|
46
46
|
|
|
47
47
|
- Fallback is gated on `JAM_PAT`; do not retry Jam MCP failures blindly.
|
|
48
|
-
- Never commit a Jam PAT into `.mcp.json
|
|
49
|
-
|
|
50
|
-
|
|
48
|
+
- Never commit a Jam PAT into `.mcp.json` or any generated setup artifact.
|
|
49
|
+
- Headless Jam access requires `native.jam.dev` for the installer and
|
|
50
|
+
`api.jam.dev` for CLI/API calls in any custom remote network allowlist.
|
|
51
|
+
- If a requested operation is not yet mapped to the Jam CLI substrate, surface
|
|
51
52
|
that exact missing adapter instead of pretending the trace is unavailable.
|
|
@@ -22,7 +22,7 @@ available.
|
|
|
22
22
|
| Atlassian | `lisa:atlassian-access` | `ATLASSIAN_API_TOKEN` | Atlassian Cloud REST |
|
|
23
23
|
| Notion | `lisa:notion-access` | `NOTION_API_TOKEN` | Notion REST |
|
|
24
24
|
| Linear | `lisa:linear-access` | `LINEAR_API_KEY` | Linear GraphQL |
|
|
25
|
-
| Jam | `lisa:jam-access` | `JAM_PAT` | Jam
|
|
25
|
+
| Jam | `lisa:jam-access` | `JAM_PAT` | Jam CLI |
|
|
26
26
|
| SonarCloud | `lisa:sonarcloud-access` | `SONAR_TOKEN` | SonarCloud Web API |
|
|
27
27
|
| Sentry | `lisa:sentry-access` | `SENTRY_AUTH_TOKEN` | Sentry REST API |
|
|
28
28
|
| PostHog | `lisa:posthog-access` | `POSTHOG_PERSONAL_API_KEY` | PostHog REST API |
|
|
@@ -133,11 +133,35 @@ Group the findings as:
|
|
|
133
133
|
`RISK`/`GAP` (need a local process — only viable if the cloud session can spawn them from the
|
|
134
134
|
repo). Flag interactively/OAuth-authed servers as `GAP` for headless auth — they cannot complete
|
|
135
135
|
a browser flow headless **regardless of transport** (an HTTP MCP like `linear-server` is still a
|
|
136
|
-
`GAP` because its *auth* is OAuth, not because of its transport).
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
136
|
+
`GAP` because its *auth* is OAuth, not because of its transport). Before finalizing any
|
|
137
|
+
OAuth/interactive/stdio MCP as a flat `GAP`, check for a documented headless substrate: a
|
|
138
|
+
static-token MCP header, a vendor CLI that can login from an env token, or a token-authenticated
|
|
139
|
+
REST API that the MCP wraps. If documented evidence exists, mark the MCP `headlessUsable: true`
|
|
140
|
+
in the inventory, mark the supporting secret `required: false` / `secret: true` unless the
|
|
141
|
+
integration is active, and set `replacedBy` to the concrete substrate rather than leaving it as
|
|
142
|
+
an impossible capability. When an OAuth MCP backs an active tracker/source, do not stop at the
|
|
143
|
+
`GAP` — cross-reference group 4a and point to the integration's token substrate as the headless
|
|
144
|
+
replacement (e.g. `linear-server` MCP -> `LINEAR_API_KEY` + Linear GraphQL). Note any user-scoped
|
|
145
|
+
MCP (`~/.claude.json`) as `GAP` — it never reaches the cloud; it must be moved into project
|
|
146
|
+
`.mcp.json`.
|
|
147
|
+
|
|
148
|
+
Use this data-driven hint table as seed evidence, and extend it only when you can cite a vendor
|
|
149
|
+
doc or committed access-skill reference:
|
|
150
|
+
|
|
151
|
+
| Match | Substrate | Env | Setup / wiring | Domains |
|
|
152
|
+
|---|---|---|---|---|
|
|
153
|
+
| `mcp.jam.dev`, `jam`, or Jam MCP entries | Jam CLI (`jam`) authenticated by PAT | `JAM_PAT` | install with `curl -fsSL https://native.jam.dev/install | bash`; export `~/.local/bin`; run `printf '%s' "$JAM_PAT" | jam auth login --token`; optionally `jam skills install` | `native.jam.dev`, `api.jam.dev` |
|
|
154
|
+
| `mcp/sonarqube`, `sonarqube`, or SonarCloud/SonarQube MCP entries | SonarCloud Web API | `SONAR_TOKEN` | use REST calls against `https://sonarcloud.io/api/`; if a host needs legacy token-as-basic-auth, put that in the access adapter | `sonarcloud.io` |
|
|
155
|
+
|
|
156
|
+
For PAT-bearer MCP substrates that really use the same MCP transport, include `mcpHeaders` in
|
|
157
|
+
the inventory with a snippet such as `headers: { "Authorization": "Bearer ${VAR}" }` so the
|
|
158
|
+
generator can print a commented `.mcp.json` example. Do **not** use that for Jam: Jam's preferred
|
|
159
|
+
headless substrate is the `jam` CLI, so the generator should emit CLI setup lines instead of an
|
|
160
|
+
`.mcp.json` header snippet.
|
|
161
|
+
|
|
162
|
+
When no documented substrate is known, keep the MCP as `headlessUsable: false` / `GAP`, and add
|
|
163
|
+
an action line like: `check the vendor for a documented PAT, API-key, CLI, or REST substrate`.
|
|
164
|
+
Never assert that no substrate exists unless the vendor documentation explicitly says so.
|
|
141
165
|
|
|
142
166
|
6. **Config scope & memory gaps** — identify reliance on user-scoped config that will not load
|
|
143
167
|
remotely: `~/.claude/CLAUDE.md`, user `enabledPlugins`, user skills/agents, user MCP. Most
|
|
@@ -250,10 +274,27 @@ so the generator can render acquisition comments into its template:
|
|
|
250
274
|
"headlessSubstrate": "gh CLI (token)",
|
|
251
275
|
"acquireUrl": "https://github.com/settings/personal-access-tokens",
|
|
252
276
|
"accessScope": "fine-grained PAT on target repo: Contents R/W, Issues R/W, Pull requests R/W, Metadata R; +Workflows R/W if editing .github/workflows; +Projects R/W if using ProjectV2"
|
|
277
|
+
},
|
|
278
|
+
{
|
|
279
|
+
"name": "JAM_PAT", "required": false, "secret": true, "integration": "jam",
|
|
280
|
+
"reason": "optional non-tracker MCP recovery; Jam CLI can authenticate headlessly from a PAT",
|
|
281
|
+
"headlessSubstrate": "jam CLI (PAT)",
|
|
282
|
+
"acquireUrl": "https://jam.dev/docs/debug-a-jam/mcp/personal-access-tokens",
|
|
283
|
+
"accessScope": "Jam Personal Access Token for the workspace/team whose traces the routine needs to read",
|
|
284
|
+
"setupSnippet": "curl -fsSL https://native.jam.dev/install | bash; export PATH=\"$HOME/.local/bin:$PATH\"; printf '%s' \"$JAM_PAT\" | jam auth login --token; jam skills install"
|
|
285
|
+
},
|
|
286
|
+
{
|
|
287
|
+
"name": "SONAR_TOKEN", "required": false, "secret": true, "integration": "sonarcloud",
|
|
288
|
+
"reason": "optional non-tracker MCP recovery; SonarQube MCP wraps the token-authenticated SonarCloud Web API",
|
|
289
|
+
"headlessSubstrate": "SonarCloud Web API (token)",
|
|
290
|
+
"acquireUrl": "https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens",
|
|
291
|
+
"accessScope": "token must be able to read the target SonarCloud organization/project quality gate, issues, hotspots, rules, and source snippets"
|
|
253
292
|
}
|
|
254
293
|
],
|
|
255
294
|
"mcp": [
|
|
256
|
-
{ "name": "linear-server", "transport": "http", "auth": "oauth", "headlessUsable": false, "replacedBy": "LINEAR_API_KEY + Linear GraphQL", "dormant": true }
|
|
295
|
+
{ "name": "linear-server", "transport": "http", "auth": "oauth", "headlessUsable": false, "replacedBy": "LINEAR_API_KEY + Linear GraphQL", "dormant": true },
|
|
296
|
+
{ "name": "jam", "transport": "http", "auth": "oauth", "headlessUsable": true, "replacedBy": "jam CLI + JAM_PAT", "dormant": true },
|
|
297
|
+
{ "name": "sonarqube", "transport": "stdio", "auth": "local-wrapper", "headlessUsable": true, "replacedBy": "SONAR_TOKEN + SonarCloud Web API", "dormant": true }
|
|
257
298
|
],
|
|
258
299
|
"gaps": [ "auto-memory not synced to cloud", "bun package fetch behind proxy", "OS keychain absent — env-var token form only" ],
|
|
259
300
|
"platform": {
|
|
@@ -305,3 +346,6 @@ so the generator can render acquisition comments into its template:
|
|
|
305
346
|
to environment editors; never imply the generated script can hide them.
|
|
306
347
|
- A browser-OAuth MCP (or interactively-authed CLI) backing an active integration is a `GAP`; the
|
|
307
348
|
remediation is its token substrate from the table, not "authenticate the MCP".
|
|
349
|
+
- For non-tracker MCPs, a documented CLI, PAT/API-key, or REST substrate converts the finding from
|
|
350
|
+
a flat `GAP` into an `OPTIONAL` headless recovery path; unknown vendors remain gaps with a
|
|
351
|
+
vendor-substrate follow-up, not invented credentials.
|
|
@@ -66,6 +66,27 @@ tracker/source, plus the host project's own package manager and tooling — not
|
|
|
66
66
|
When the entry is `GH_TOKEN`, add a comment from `platform.githubProxy` clarifying that the token
|
|
67
67
|
is for `gh` CLI commands against the project/Lisa repos, not for raw git clone/fetch/push or
|
|
68
68
|
sibling repos reachable through the routine's GitHub proxy.
|
|
69
|
+
For OPTIONAL non-tracker MCP recovery entries discovered by
|
|
70
|
+
`/lisa:analyze-claude-remote`, preserve the same names-only behavior:
|
|
71
|
+
include `JAM_PAT`, `SONAR_TOKEN`, or similar documented substrate env vars
|
|
72
|
+
only as optional secrets, with their acquire/scope comments when the analysis
|
|
73
|
+
supplied them. Never invent values or promote dormant substrates to required.
|
|
74
|
+
|
|
75
|
+
3a. **Emit substrate setup snippets.** When the inventory marks an MCP
|
|
76
|
+
`headlessUsable: true` through a documented substrate, render the matching
|
|
77
|
+
wiring guidance as commented, opt-in setup:
|
|
78
|
+
- CLI substrates: emit the detected install/login commands gated on the
|
|
79
|
+
optional env var. For Jam, this means `curl -fsSL https://native.jam.dev/install | bash`,
|
|
80
|
+
`export PATH="$HOME/.local/bin:$PATH"`, `printf '%s' "$JAM_PAT" | jam auth login --token`,
|
|
81
|
+
and `jam skills install`, all inside `[ -n "${JAM_PAT:-}" ] && ...` guards so missing
|
|
82
|
+
optional secrets do not fail the environment build.
|
|
83
|
+
- REST substitute substrates: do not install an MCP. Emit comments naming the
|
|
84
|
+
REST host and env var (for example `SONAR_TOKEN` with `https://sonarcloud.io/api/`) and
|
|
85
|
+
rely on the access skill or generated consumer to call the API.
|
|
86
|
+
- PAT-bearer MCP substrates: print a commented `.mcp.json` `headers` snippet from the
|
|
87
|
+
inventory's `mcpHeaders`. Use this only when the analysis explicitly says the same MCP
|
|
88
|
+
transport supports static-token auth. Do not print a Jam `.mcp.json` header snippet because
|
|
89
|
+
Jam's preferred headless substrate is its PAT-authenticated CLI.
|
|
69
90
|
|
|
70
91
|
4. **Emit the allowlist + gaps notice.** List any custom domains the setup or runtime reaches
|
|
71
92
|
(from `networkAccess.allowlistDomains`, falling back to legacy `allowlistDomains`) that the user
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: jam-access
|
|
3
|
-
description: "Vendor-neutral access layer for Jam. Jam triage rules and skills MUST delegate through this skill rather than calling Jam MCP tools directly. Resolves Jam MCP first when available, then falls back to JAM_PAT
|
|
3
|
+
description: "Vendor-neutral access layer for Jam. Jam triage rules and skills MUST delegate through this skill rather than calling Jam MCP tools directly. Resolves Jam MCP first when available, then falls back to the JAM_PAT-authenticated Jam CLI for headless routines."
|
|
4
4
|
allowed-tools: ["Bash", "Read", "Skill"]
|
|
5
5
|
---
|
|
6
6
|
|
|
@@ -24,16 +24,16 @@ Return parsed JSON or a concise structured summary in a `<result>` block.
|
|
|
24
24
|
Probe in order:
|
|
25
25
|
|
|
26
26
|
1. Jam MCP, if the tool is available and authenticated.
|
|
27
|
-
2.
|
|
27
|
+
2. Jam CLI authenticated with `JAM_PAT`.
|
|
28
28
|
|
|
29
|
-
Jam documents
|
|
30
|
-
|
|
29
|
+
Jam documents a PAT-authenticated CLI that is cleaner for remote routines than
|
|
30
|
+
editing `.mcp.json` headers. The headless tier uses:
|
|
31
31
|
|
|
32
32
|
```bash
|
|
33
|
-
curl -
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
33
|
+
curl -fsSL https://native.jam.dev/install | bash
|
|
34
|
+
export PATH="$HOME/.local/bin:$PATH"
|
|
35
|
+
printf '%s' "$JAM_PAT" | jam auth login --token
|
|
36
|
+
jam skills install
|
|
37
37
|
```
|
|
38
38
|
|
|
39
39
|
If neither tier works, fail with:
|
|
@@ -45,7 +45,8 @@ Error: no Jam access substrate available. Authenticate the Jam MCP or set JAM_PA
|
|
|
45
45
|
## Invariants
|
|
46
46
|
|
|
47
47
|
- Fallback is gated on `JAM_PAT`; do not retry Jam MCP failures blindly.
|
|
48
|
-
- Never commit a Jam PAT into `.mcp.json
|
|
49
|
-
|
|
50
|
-
|
|
48
|
+
- Never commit a Jam PAT into `.mcp.json` or any generated setup artifact.
|
|
49
|
+
- Headless Jam access requires `native.jam.dev` for the installer and
|
|
50
|
+
`api.jam.dev` for CLI/API calls in any custom remote network allowlist.
|
|
51
|
+
- If a requested operation is not yet mapped to the Jam CLI substrate, surface
|
|
51
52
|
that exact missing adapter instead of pretending the trace is unavailable.
|
|
@@ -27,7 +27,7 @@ available.
|
|
|
27
27
|
| Atlassian | `lisa:atlassian-access` | `ATLASSIAN_API_TOKEN` | Atlassian Cloud REST |
|
|
28
28
|
| Notion | `lisa:notion-access` | `NOTION_API_TOKEN` | Notion REST |
|
|
29
29
|
| Linear | `lisa:linear-access` | `LINEAR_API_KEY` | Linear GraphQL |
|
|
30
|
-
| Jam | `lisa:jam-access` | `JAM_PAT` | Jam
|
|
30
|
+
| Jam | `lisa:jam-access` | `JAM_PAT` | Jam CLI |
|
|
31
31
|
| SonarCloud | `lisa:sonarcloud-access` | `SONAR_TOKEN` | SonarCloud Web API |
|
|
32
32
|
| Sentry | `lisa:sentry-access` | `SENTRY_AUTH_TOKEN` | Sentry REST API |
|
|
33
33
|
| PostHog | `lisa:posthog-access` | `POSTHOG_PERSONAL_API_KEY` | PostHog REST API |
|