@codyswann/lisa 2.178.1 → 2.178.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (100) hide show
  1. package/package.json +1 -1
  2. package/plugins/lisa/.claude-plugin/plugin.json +1 -1
  3. package/plugins/lisa/.codex-plugin/plugin.json +1 -1
  4. package/plugins/lisa/rules/reference/integration-access-layer.md +1 -1
  5. package/plugins/lisa/skills/analyze-claude-remote/SKILL.md +50 -6
  6. package/plugins/lisa/skills/generate-claude-remote-build-script/SKILL.md +21 -0
  7. package/plugins/lisa/skills/jam-access/SKILL.md +12 -11
  8. package/plugins/lisa-agy/plugin.json +1 -1
  9. package/plugins/lisa-agy/skills/analyze-claude-remote/SKILL.md +50 -6
  10. package/plugins/lisa-agy/skills/generate-claude-remote-build-script/SKILL.md +21 -0
  11. package/plugins/lisa-agy/skills/jam-access/SKILL.md +12 -11
  12. package/plugins/lisa-cdk/.claude-plugin/plugin.json +1 -1
  13. package/plugins/lisa-cdk/.codex-plugin/plugin.json +1 -1
  14. package/plugins/lisa-cdk-agy/plugin.json +1 -1
  15. package/plugins/lisa-cdk-copilot/.claude-plugin/plugin.json +1 -1
  16. package/plugins/lisa-cdk-cursor/.claude-plugin/plugin.json +1 -1
  17. package/plugins/lisa-copilot/.claude-plugin/plugin.json +1 -1
  18. package/plugins/lisa-copilot/rules/reference/integration-access-layer.md +1 -1
  19. package/plugins/lisa-copilot/skills/analyze-claude-remote/SKILL.md +50 -6
  20. package/plugins/lisa-copilot/skills/generate-claude-remote-build-script/SKILL.md +21 -0
  21. package/plugins/lisa-copilot/skills/jam-access/SKILL.md +12 -11
  22. package/plugins/lisa-cursor/.claude-plugin/plugin.json +1 -1
  23. package/plugins/lisa-cursor/rules/integration-access-layer-reference.mdc +1 -1
  24. package/plugins/lisa-cursor/skills/analyze-claude-remote/SKILL.md +50 -6
  25. package/plugins/lisa-cursor/skills/generate-claude-remote-build-script/SKILL.md +21 -0
  26. package/plugins/lisa-cursor/skills/jam-access/SKILL.md +12 -11
  27. package/plugins/lisa-expo/.claude-plugin/plugin.json +1 -1
  28. package/plugins/lisa-expo/.codex-plugin/plugin.json +1 -1
  29. package/plugins/lisa-expo/skills/atomic-design-gluestack/SKILL.md +8 -0
  30. package/plugins/lisa-expo/skills/atomic-design-gluestack/scripts/test_validate_atomic_structure.py +240 -0
  31. package/plugins/lisa-expo/skills/atomic-design-gluestack/scripts/validate_atomic_structure.py +109 -0
  32. package/plugins/lisa-expo/skills/gluestack-nativewind/SKILL.md +8 -0
  33. package/plugins/lisa-expo/skills/gluestack-nativewind/scripts/test_validate_styling.py +240 -0
  34. package/plugins/lisa-expo/skills/gluestack-nativewind/scripts/validate_styling.py +109 -0
  35. package/plugins/lisa-expo-agy/plugin.json +1 -1
  36. package/plugins/lisa-expo-agy/skills/atomic-design-gluestack/SKILL.md +8 -0
  37. package/plugins/lisa-expo-agy/skills/atomic-design-gluestack/scripts/test_validate_atomic_structure.py +240 -0
  38. package/plugins/lisa-expo-agy/skills/atomic-design-gluestack/scripts/validate_atomic_structure.py +109 -0
  39. package/plugins/lisa-expo-agy/skills/gluestack-nativewind/SKILL.md +8 -0
  40. package/plugins/lisa-expo-agy/skills/gluestack-nativewind/scripts/test_validate_styling.py +240 -0
  41. package/plugins/lisa-expo-agy/skills/gluestack-nativewind/scripts/validate_styling.py +109 -0
  42. package/plugins/lisa-expo-copilot/.claude-plugin/plugin.json +1 -1
  43. package/plugins/lisa-expo-copilot/skills/atomic-design-gluestack/SKILL.md +8 -0
  44. package/plugins/lisa-expo-copilot/skills/atomic-design-gluestack/scripts/test_validate_atomic_structure.py +240 -0
  45. package/plugins/lisa-expo-copilot/skills/atomic-design-gluestack/scripts/validate_atomic_structure.py +109 -0
  46. package/plugins/lisa-expo-copilot/skills/gluestack-nativewind/SKILL.md +8 -0
  47. package/plugins/lisa-expo-copilot/skills/gluestack-nativewind/scripts/test_validate_styling.py +240 -0
  48. package/plugins/lisa-expo-copilot/skills/gluestack-nativewind/scripts/validate_styling.py +109 -0
  49. package/plugins/lisa-expo-cursor/.claude-plugin/plugin.json +1 -1
  50. package/plugins/lisa-expo-cursor/skills/atomic-design-gluestack/SKILL.md +8 -0
  51. package/plugins/lisa-expo-cursor/skills/atomic-design-gluestack/scripts/test_validate_atomic_structure.py +240 -0
  52. package/plugins/lisa-expo-cursor/skills/atomic-design-gluestack/scripts/validate_atomic_structure.py +109 -0
  53. package/plugins/lisa-expo-cursor/skills/gluestack-nativewind/SKILL.md +8 -0
  54. package/plugins/lisa-expo-cursor/skills/gluestack-nativewind/scripts/test_validate_styling.py +240 -0
  55. package/plugins/lisa-expo-cursor/skills/gluestack-nativewind/scripts/validate_styling.py +109 -0
  56. package/plugins/lisa-harper-fabric/.claude-plugin/plugin.json +1 -1
  57. package/plugins/lisa-harper-fabric/.codex-plugin/plugin.json +1 -1
  58. package/plugins/lisa-harper-fabric-agy/plugin.json +1 -1
  59. package/plugins/lisa-harper-fabric-copilot/.claude-plugin/plugin.json +1 -1
  60. package/plugins/lisa-harper-fabric-cursor/.claude-plugin/plugin.json +1 -1
  61. package/plugins/lisa-nestjs/.claude-plugin/plugin.json +1 -1
  62. package/plugins/lisa-nestjs/.codex-plugin/plugin.json +1 -1
  63. package/plugins/lisa-nestjs-agy/plugin.json +1 -1
  64. package/plugins/lisa-nestjs-copilot/.claude-plugin/plugin.json +1 -1
  65. package/plugins/lisa-nestjs-cursor/.claude-plugin/plugin.json +1 -1
  66. package/plugins/lisa-openclaw/.claude-plugin/plugin.json +1 -1
  67. package/plugins/lisa-openclaw/.codex-plugin/plugin.json +1 -1
  68. package/plugins/lisa-openclaw-agy/plugin.json +1 -1
  69. package/plugins/lisa-openclaw-copilot/.claude-plugin/plugin.json +1 -1
  70. package/plugins/lisa-openclaw-cursor/.claude-plugin/plugin.json +1 -1
  71. package/plugins/lisa-phaser/.claude-plugin/plugin.json +1 -1
  72. package/plugins/lisa-phaser/.codex-plugin/plugin.json +1 -1
  73. package/plugins/lisa-phaser-agy/plugin.json +1 -1
  74. package/plugins/lisa-phaser-copilot/.claude-plugin/plugin.json +1 -1
  75. package/plugins/lisa-phaser-cursor/.claude-plugin/plugin.json +1 -1
  76. package/plugins/lisa-rails/.claude-plugin/plugin.json +1 -1
  77. package/plugins/lisa-rails/.codex-plugin/plugin.json +1 -1
  78. package/plugins/lisa-rails-agy/plugin.json +1 -1
  79. package/plugins/lisa-rails-copilot/.claude-plugin/plugin.json +1 -1
  80. package/plugins/lisa-rails-cursor/.claude-plugin/plugin.json +1 -1
  81. package/plugins/lisa-typescript/.claude-plugin/plugin.json +1 -1
  82. package/plugins/lisa-typescript/.codex-plugin/plugin.json +1 -1
  83. package/plugins/lisa-typescript-agy/plugin.json +1 -1
  84. package/plugins/lisa-typescript-copilot/.claude-plugin/plugin.json +1 -1
  85. package/plugins/lisa-typescript-cursor/.claude-plugin/plugin.json +1 -1
  86. package/plugins/lisa-wiki/.claude-plugin/plugin.json +1 -1
  87. package/plugins/lisa-wiki/.codex-plugin/plugin.json +1 -1
  88. package/plugins/lisa-wiki-agy/plugin.json +1 -1
  89. package/plugins/lisa-wiki-copilot/.claude-plugin/plugin.json +1 -1
  90. package/plugins/lisa-wiki-cursor/.claude-plugin/plugin.json +1 -1
  91. package/plugins/src/base/rules/reference/integration-access-layer.md +1 -1
  92. package/plugins/src/base/skills/analyze-claude-remote/SKILL.md +50 -6
  93. package/plugins/src/base/skills/generate-claude-remote-build-script/SKILL.md +21 -0
  94. package/plugins/src/base/skills/jam-access/SKILL.md +12 -11
  95. package/plugins/src/expo/skills/atomic-design-gluestack/SKILL.md +8 -0
  96. package/plugins/src/expo/skills/atomic-design-gluestack/scripts/test_validate_atomic_structure.py +240 -0
  97. package/plugins/src/expo/skills/atomic-design-gluestack/scripts/validate_atomic_structure.py +109 -0
  98. package/plugins/src/expo/skills/gluestack-nativewind/SKILL.md +8 -0
  99. package/plugins/src/expo/skills/gluestack-nativewind/scripts/test_validate_styling.py +240 -0
  100. package/plugins/src/expo/skills/gluestack-nativewind/scripts/validate_styling.py +109 -0
package/package.json CHANGED
@@ -91,7 +91,7 @@
91
91
  "ws": ">=8.20.1"
92
92
  },
93
93
  "name": "@codyswann/lisa",
94
- "version": "2.178.1",
94
+ "version": "2.178.3",
95
95
  "description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
96
96
  "main": "dist/index.js",
97
97
  "exports": {
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa",
3
- "version": "2.178.1",
3
+ "version": "2.178.3",
4
4
  "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa",
3
- "version": "2.178.1",
3
+ "version": "2.178.3",
4
4
  "description": "Universal governance: agents, skills, commands, hooks, and rules for all projects.",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -22,7 +22,7 @@ available.
22
22
  | Atlassian | `lisa:atlassian-access` | `ATLASSIAN_API_TOKEN` | Atlassian Cloud REST |
23
23
  | Notion | `lisa:notion-access` | `NOTION_API_TOKEN` | Notion REST |
24
24
  | Linear | `lisa:linear-access` | `LINEAR_API_KEY` | Linear GraphQL |
25
- | Jam | `lisa:jam-access` | `JAM_PAT` | Jam MCP HTTP endpoint with bearer PAT |
25
+ | Jam | `lisa:jam-access` | `JAM_PAT` | Jam CLI |
26
26
  | SonarCloud | `lisa:sonarcloud-access` | `SONAR_TOKEN` | SonarCloud Web API |
27
27
  | Sentry | `lisa:sentry-access` | `SENTRY_AUTH_TOKEN` | Sentry REST API |
28
28
  | PostHog | `lisa:posthog-access` | `POSTHOG_PERSONAL_API_KEY` | PostHog REST API |
@@ -133,11 +133,35 @@ Group the findings as:
133
133
  `RISK`/`GAP` (need a local process — only viable if the cloud session can spawn them from the
134
134
  repo). Flag interactively/OAuth-authed servers as `GAP` for headless auth — they cannot complete
135
135
  a browser flow headless **regardless of transport** (an HTTP MCP like `linear-server` is still a
136
- `GAP` because its *auth* is OAuth, not because of its transport). When an OAuth MCP backs an
137
- active tracker/source, do not stop at the `GAP` cross-reference group 4a and point to the
138
- integration's token substrate as the headless replacement (e.g. `linear-server` MCP `LINEAR_API_KEY`
139
- + Linear GraphQL). Note any user-scoped MCP (`~/.claude.json`) as `GAP` it never reaches the
140
- cloud; it must be moved into project `.mcp.json`.
136
+ `GAP` because its *auth* is OAuth, not because of its transport). Before finalizing any
137
+ OAuth/interactive/stdio MCP as a flat `GAP`, check for a documented headless substrate: a
138
+ static-token MCP header, a vendor CLI that can login from an env token, or a token-authenticated
139
+ REST API that the MCP wraps. If documented evidence exists, mark the MCP `headlessUsable: true`
140
+ in the inventory, mark the supporting secret `required: false` / `secret: true` unless the
141
+ integration is active, and set `replacedBy` to the concrete substrate rather than leaving it as
142
+ an impossible capability. When an OAuth MCP backs an active tracker/source, do not stop at the
143
+ `GAP` — cross-reference group 4a and point to the integration's token substrate as the headless
144
+ replacement (e.g. `linear-server` MCP -> `LINEAR_API_KEY` + Linear GraphQL). Note any user-scoped
145
+ MCP (`~/.claude.json`) as `GAP` — it never reaches the cloud; it must be moved into project
146
+ `.mcp.json`.
147
+
148
+ Use this data-driven hint table as seed evidence, and extend it only when you can cite a vendor
149
+ doc or committed access-skill reference:
150
+
151
+ | Match | Substrate | Env | Setup / wiring | Domains |
152
+ |---|---|---|---|---|
153
+ | `mcp.jam.dev`, `jam`, or Jam MCP entries | Jam CLI (`jam`) authenticated by PAT | `JAM_PAT` | install with `curl -fsSL https://native.jam.dev/install | bash`; export `~/.local/bin`; run `printf '%s' "$JAM_PAT" | jam auth login --token`; optionally `jam skills install` | `native.jam.dev`, `api.jam.dev` |
154
+ | `mcp/sonarqube`, `sonarqube`, or SonarCloud/SonarQube MCP entries | SonarCloud Web API | `SONAR_TOKEN` | use REST calls against `https://sonarcloud.io/api/`; if a host needs legacy token-as-basic-auth, put that in the access adapter | `sonarcloud.io` |
155
+
156
+ For PAT-bearer MCP substrates that really use the same MCP transport, include `mcpHeaders` in
157
+ the inventory with a snippet such as `headers: { "Authorization": "Bearer ${VAR}" }` so the
158
+ generator can print a commented `.mcp.json` example. Do **not** use that for Jam: Jam's preferred
159
+ headless substrate is the `jam` CLI, so the generator should emit CLI setup lines instead of an
160
+ `.mcp.json` header snippet.
161
+
162
+ When no documented substrate is known, keep the MCP as `headlessUsable: false` / `GAP`, and add
163
+ an action line like: `check the vendor for a documented PAT, API-key, CLI, or REST substrate`.
164
+ Never assert that no substrate exists unless the vendor documentation explicitly says so.
141
165
 
142
166
  6. **Config scope & memory gaps** — identify reliance on user-scoped config that will not load
143
167
  remotely: `~/.claude/CLAUDE.md`, user `enabledPlugins`, user skills/agents, user MCP. Most
@@ -250,10 +274,27 @@ so the generator can render acquisition comments into its template:
250
274
  "headlessSubstrate": "gh CLI (token)",
251
275
  "acquireUrl": "https://github.com/settings/personal-access-tokens",
252
276
  "accessScope": "fine-grained PAT on target repo: Contents R/W, Issues R/W, Pull requests R/W, Metadata R; +Workflows R/W if editing .github/workflows; +Projects R/W if using ProjectV2"
277
+ },
278
+ {
279
+ "name": "JAM_PAT", "required": false, "secret": true, "integration": "jam",
280
+ "reason": "optional non-tracker MCP recovery; Jam CLI can authenticate headlessly from a PAT",
281
+ "headlessSubstrate": "jam CLI (PAT)",
282
+ "acquireUrl": "https://jam.dev/docs/debug-a-jam/mcp/personal-access-tokens",
283
+ "accessScope": "Jam Personal Access Token for the workspace/team whose traces the routine needs to read",
284
+ "setupSnippet": "curl -fsSL https://native.jam.dev/install | bash; export PATH=\"$HOME/.local/bin:$PATH\"; printf '%s' \"$JAM_PAT\" | jam auth login --token; jam skills install"
285
+ },
286
+ {
287
+ "name": "SONAR_TOKEN", "required": false, "secret": true, "integration": "sonarcloud",
288
+ "reason": "optional non-tracker MCP recovery; SonarQube MCP wraps the token-authenticated SonarCloud Web API",
289
+ "headlessSubstrate": "SonarCloud Web API (token)",
290
+ "acquireUrl": "https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens",
291
+ "accessScope": "token must be able to read the target SonarCloud organization/project quality gate, issues, hotspots, rules, and source snippets"
253
292
  }
254
293
  ],
255
294
  "mcp": [
256
- { "name": "linear-server", "transport": "http", "auth": "oauth", "headlessUsable": false, "replacedBy": "LINEAR_API_KEY + Linear GraphQL", "dormant": true }
295
+ { "name": "linear-server", "transport": "http", "auth": "oauth", "headlessUsable": false, "replacedBy": "LINEAR_API_KEY + Linear GraphQL", "dormant": true },
296
+ { "name": "jam", "transport": "http", "auth": "oauth", "headlessUsable": true, "replacedBy": "jam CLI + JAM_PAT", "dormant": true },
297
+ { "name": "sonarqube", "transport": "stdio", "auth": "local-wrapper", "headlessUsable": true, "replacedBy": "SONAR_TOKEN + SonarCloud Web API", "dormant": true }
257
298
  ],
258
299
  "gaps": [ "auto-memory not synced to cloud", "bun package fetch behind proxy", "OS keychain absent — env-var token form only" ],
259
300
  "platform": {
@@ -305,3 +346,6 @@ so the generator can render acquisition comments into its template:
305
346
  to environment editors; never imply the generated script can hide them.
306
347
  - A browser-OAuth MCP (or interactively-authed CLI) backing an active integration is a `GAP`; the
307
348
  remediation is its token substrate from the table, not "authenticate the MCP".
349
+ - For non-tracker MCPs, a documented CLI, PAT/API-key, or REST substrate converts the finding from
350
+ a flat `GAP` into an `OPTIONAL` headless recovery path; unknown vendors remain gaps with a
351
+ vendor-substrate follow-up, not invented credentials.
@@ -66,6 +66,27 @@ tracker/source, plus the host project's own package manager and tooling — not
66
66
  When the entry is `GH_TOKEN`, add a comment from `platform.githubProxy` clarifying that the token
67
67
  is for `gh` CLI commands against the project/Lisa repos, not for raw git clone/fetch/push or
68
68
  sibling repos reachable through the routine's GitHub proxy.
69
+ For OPTIONAL non-tracker MCP recovery entries discovered by
70
+ `/lisa:analyze-claude-remote`, preserve the same names-only behavior:
71
+ include `JAM_PAT`, `SONAR_TOKEN`, or similar documented substrate env vars
72
+ only as optional secrets, with their acquire/scope comments when the analysis
73
+ supplied them. Never invent values or promote dormant substrates to required.
74
+
75
+ 3a. **Emit substrate setup snippets.** When the inventory marks an MCP
76
+ `headlessUsable: true` through a documented substrate, render the matching
77
+ wiring guidance as commented, opt-in setup:
78
+ - CLI substrates: emit the detected install/login commands gated on the
79
+ optional env var. For Jam, this means `curl -fsSL https://native.jam.dev/install | bash`,
80
+ `export PATH="$HOME/.local/bin:$PATH"`, `printf '%s' "$JAM_PAT" | jam auth login --token`,
81
+ and `jam skills install`, all inside `[ -n "${JAM_PAT:-}" ] && ...` guards so missing
82
+ optional secrets do not fail the environment build.
83
+ - REST substitute substrates: do not install an MCP. Emit comments naming the
84
+ REST host and env var (for example `SONAR_TOKEN` with `https://sonarcloud.io/api/`) and
85
+ rely on the access skill or generated consumer to call the API.
86
+ - PAT-bearer MCP substrates: print a commented `.mcp.json` `headers` snippet from the
87
+ inventory's `mcpHeaders`. Use this only when the analysis explicitly says the same MCP
88
+ transport supports static-token auth. Do not print a Jam `.mcp.json` header snippet because
89
+ Jam's preferred headless substrate is its PAT-authenticated CLI.
69
90
 
70
91
  4. **Emit the allowlist + gaps notice.** List any custom domains the setup or runtime reaches
71
92
  (from `networkAccess.allowlistDomains`, falling back to legacy `allowlistDomains`) that the user
@@ -1,6 +1,6 @@
1
1
  ---
2
2
  name: jam-access
3
- description: "Vendor-neutral access layer for Jam. Jam triage rules and skills MUST delegate through this skill rather than calling Jam MCP tools directly. Resolves Jam MCP first when available, then falls back to JAM_PAT bearer auth for headless routines."
3
+ description: "Vendor-neutral access layer for Jam. Jam triage rules and skills MUST delegate through this skill rather than calling Jam MCP tools directly. Resolves Jam MCP first when available, then falls back to the JAM_PAT-authenticated Jam CLI for headless routines."
4
4
  allowed-tools: ["Bash", "Read", "Skill"]
5
5
  ---
6
6
 
@@ -24,16 +24,16 @@ Return parsed JSON or a concise structured summary in a `<result>` block.
24
24
  Probe in order:
25
25
 
26
26
  1. Jam MCP, if the tool is available and authenticated.
27
- 2. `JAM_PAT` bearer token against Jam's MCP/trace HTTP substrate.
27
+ 2. Jam CLI authenticated with `JAM_PAT`.
28
28
 
29
- Jam documents personal access tokens for MCP clients so a browser OAuth flow is
30
- not required. The headless tier uses:
29
+ Jam documents a PAT-authenticated CLI that is cleaner for remote routines than
30
+ editing `.mcp.json` headers. The headless tier uses:
31
31
 
32
32
  ```bash
33
- curl -sS "https://mcp.jam.dev/mcp" \
34
- -H "Authorization: Bearer $JAM_PAT" \
35
- -H "Content-Type: application/json" \
36
- --data-binary "$PAYLOAD"
33
+ curl -fsSL https://native.jam.dev/install | bash
34
+ export PATH="$HOME/.local/bin:$PATH"
35
+ printf '%s' "$JAM_PAT" | jam auth login --token
36
+ jam skills install
37
37
  ```
38
38
 
39
39
  If neither tier works, fail with:
@@ -45,7 +45,8 @@ Error: no Jam access substrate available. Authenticate the Jam MCP or set JAM_PA
45
45
  ## Invariants
46
46
 
47
47
  - Fallback is gated on `JAM_PAT`; do not retry Jam MCP failures blindly.
48
- - Never commit a Jam PAT into `.mcp.json`. Use env interpolation in host MCP
49
- config, for example `Authorization: Bearer ${JAM_PAT}`.
50
- - If a requested operation is not yet mapped to the Jam HTTP substrate, surface
48
+ - Never commit a Jam PAT into `.mcp.json` or any generated setup artifact.
49
+ - Headless Jam access requires `native.jam.dev` for the installer and
50
+ `api.jam.dev` for CLI/API calls in any custom remote network allowlist.
51
+ - If a requested operation is not yet mapped to the Jam CLI substrate, surface
51
52
  that exact missing adapter instead of pretending the trace is unavailable.
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa",
3
- "version": "2.178.1",
3
+ "version": "2.178.3",
4
4
  "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -133,11 +133,35 @@ Group the findings as:
133
133
  `RISK`/`GAP` (need a local process — only viable if the cloud session can spawn them from the
134
134
  repo). Flag interactively/OAuth-authed servers as `GAP` for headless auth — they cannot complete
135
135
  a browser flow headless **regardless of transport** (an HTTP MCP like `linear-server` is still a
136
- `GAP` because its *auth* is OAuth, not because of its transport). When an OAuth MCP backs an
137
- active tracker/source, do not stop at the `GAP` cross-reference group 4a and point to the
138
- integration's token substrate as the headless replacement (e.g. `linear-server` MCP `LINEAR_API_KEY`
139
- + Linear GraphQL). Note any user-scoped MCP (`~/.claude.json`) as `GAP` it never reaches the
140
- cloud; it must be moved into project `.mcp.json`.
136
+ `GAP` because its *auth* is OAuth, not because of its transport). Before finalizing any
137
+ OAuth/interactive/stdio MCP as a flat `GAP`, check for a documented headless substrate: a
138
+ static-token MCP header, a vendor CLI that can login from an env token, or a token-authenticated
139
+ REST API that the MCP wraps. If documented evidence exists, mark the MCP `headlessUsable: true`
140
+ in the inventory, mark the supporting secret `required: false` / `secret: true` unless the
141
+ integration is active, and set `replacedBy` to the concrete substrate rather than leaving it as
142
+ an impossible capability. When an OAuth MCP backs an active tracker/source, do not stop at the
143
+ `GAP` — cross-reference group 4a and point to the integration's token substrate as the headless
144
+ replacement (e.g. `linear-server` MCP -> `LINEAR_API_KEY` + Linear GraphQL). Note any user-scoped
145
+ MCP (`~/.claude.json`) as `GAP` — it never reaches the cloud; it must be moved into project
146
+ `.mcp.json`.
147
+
148
+ Use this data-driven hint table as seed evidence, and extend it only when you can cite a vendor
149
+ doc or committed access-skill reference:
150
+
151
+ | Match | Substrate | Env | Setup / wiring | Domains |
152
+ |---|---|---|---|---|
153
+ | `mcp.jam.dev`, `jam`, or Jam MCP entries | Jam CLI (`jam`) authenticated by PAT | `JAM_PAT` | install with `curl -fsSL https://native.jam.dev/install | bash`; export `~/.local/bin`; run `printf '%s' "$JAM_PAT" | jam auth login --token`; optionally `jam skills install` | `native.jam.dev`, `api.jam.dev` |
154
+ | `mcp/sonarqube`, `sonarqube`, or SonarCloud/SonarQube MCP entries | SonarCloud Web API | `SONAR_TOKEN` | use REST calls against `https://sonarcloud.io/api/`; if a host needs legacy token-as-basic-auth, put that in the access adapter | `sonarcloud.io` |
155
+
156
+ For PAT-bearer MCP substrates that really use the same MCP transport, include `mcpHeaders` in
157
+ the inventory with a snippet such as `headers: { "Authorization": "Bearer ${VAR}" }` so the
158
+ generator can print a commented `.mcp.json` example. Do **not** use that for Jam: Jam's preferred
159
+ headless substrate is the `jam` CLI, so the generator should emit CLI setup lines instead of an
160
+ `.mcp.json` header snippet.
161
+
162
+ When no documented substrate is known, keep the MCP as `headlessUsable: false` / `GAP`, and add
163
+ an action line like: `check the vendor for a documented PAT, API-key, CLI, or REST substrate`.
164
+ Never assert that no substrate exists unless the vendor documentation explicitly says so.
141
165
 
142
166
  6. **Config scope & memory gaps** — identify reliance on user-scoped config that will not load
143
167
  remotely: `~/.claude/CLAUDE.md`, user `enabledPlugins`, user skills/agents, user MCP. Most
@@ -250,10 +274,27 @@ so the generator can render acquisition comments into its template:
250
274
  "headlessSubstrate": "gh CLI (token)",
251
275
  "acquireUrl": "https://github.com/settings/personal-access-tokens",
252
276
  "accessScope": "fine-grained PAT on target repo: Contents R/W, Issues R/W, Pull requests R/W, Metadata R; +Workflows R/W if editing .github/workflows; +Projects R/W if using ProjectV2"
277
+ },
278
+ {
279
+ "name": "JAM_PAT", "required": false, "secret": true, "integration": "jam",
280
+ "reason": "optional non-tracker MCP recovery; Jam CLI can authenticate headlessly from a PAT",
281
+ "headlessSubstrate": "jam CLI (PAT)",
282
+ "acquireUrl": "https://jam.dev/docs/debug-a-jam/mcp/personal-access-tokens",
283
+ "accessScope": "Jam Personal Access Token for the workspace/team whose traces the routine needs to read",
284
+ "setupSnippet": "curl -fsSL https://native.jam.dev/install | bash; export PATH=\"$HOME/.local/bin:$PATH\"; printf '%s' \"$JAM_PAT\" | jam auth login --token; jam skills install"
285
+ },
286
+ {
287
+ "name": "SONAR_TOKEN", "required": false, "secret": true, "integration": "sonarcloud",
288
+ "reason": "optional non-tracker MCP recovery; SonarQube MCP wraps the token-authenticated SonarCloud Web API",
289
+ "headlessSubstrate": "SonarCloud Web API (token)",
290
+ "acquireUrl": "https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens",
291
+ "accessScope": "token must be able to read the target SonarCloud organization/project quality gate, issues, hotspots, rules, and source snippets"
253
292
  }
254
293
  ],
255
294
  "mcp": [
256
- { "name": "linear-server", "transport": "http", "auth": "oauth", "headlessUsable": false, "replacedBy": "LINEAR_API_KEY + Linear GraphQL", "dormant": true }
295
+ { "name": "linear-server", "transport": "http", "auth": "oauth", "headlessUsable": false, "replacedBy": "LINEAR_API_KEY + Linear GraphQL", "dormant": true },
296
+ { "name": "jam", "transport": "http", "auth": "oauth", "headlessUsable": true, "replacedBy": "jam CLI + JAM_PAT", "dormant": true },
297
+ { "name": "sonarqube", "transport": "stdio", "auth": "local-wrapper", "headlessUsable": true, "replacedBy": "SONAR_TOKEN + SonarCloud Web API", "dormant": true }
257
298
  ],
258
299
  "gaps": [ "auto-memory not synced to cloud", "bun package fetch behind proxy", "OS keychain absent — env-var token form only" ],
259
300
  "platform": {
@@ -305,3 +346,6 @@ so the generator can render acquisition comments into its template:
305
346
  to environment editors; never imply the generated script can hide them.
306
347
  - A browser-OAuth MCP (or interactively-authed CLI) backing an active integration is a `GAP`; the
307
348
  remediation is its token substrate from the table, not "authenticate the MCP".
349
+ - For non-tracker MCPs, a documented CLI, PAT/API-key, or REST substrate converts the finding from
350
+ a flat `GAP` into an `OPTIONAL` headless recovery path; unknown vendors remain gaps with a
351
+ vendor-substrate follow-up, not invented credentials.
@@ -66,6 +66,27 @@ tracker/source, plus the host project's own package manager and tooling — not
66
66
  When the entry is `GH_TOKEN`, add a comment from `platform.githubProxy` clarifying that the token
67
67
  is for `gh` CLI commands against the project/Lisa repos, not for raw git clone/fetch/push or
68
68
  sibling repos reachable through the routine's GitHub proxy.
69
+ For OPTIONAL non-tracker MCP recovery entries discovered by
70
+ `/lisa:analyze-claude-remote`, preserve the same names-only behavior:
71
+ include `JAM_PAT`, `SONAR_TOKEN`, or similar documented substrate env vars
72
+ only as optional secrets, with their acquire/scope comments when the analysis
73
+ supplied them. Never invent values or promote dormant substrates to required.
74
+
75
+ 3a. **Emit substrate setup snippets.** When the inventory marks an MCP
76
+ `headlessUsable: true` through a documented substrate, render the matching
77
+ wiring guidance as commented, opt-in setup:
78
+ - CLI substrates: emit the detected install/login commands gated on the
79
+ optional env var. For Jam, this means `curl -fsSL https://native.jam.dev/install | bash`,
80
+ `export PATH="$HOME/.local/bin:$PATH"`, `printf '%s' "$JAM_PAT" | jam auth login --token`,
81
+ and `jam skills install`, all inside `[ -n "${JAM_PAT:-}" ] && ...` guards so missing
82
+ optional secrets do not fail the environment build.
83
+ - REST substitute substrates: do not install an MCP. Emit comments naming the
84
+ REST host and env var (for example `SONAR_TOKEN` with `https://sonarcloud.io/api/`) and
85
+ rely on the access skill or generated consumer to call the API.
86
+ - PAT-bearer MCP substrates: print a commented `.mcp.json` `headers` snippet from the
87
+ inventory's `mcpHeaders`. Use this only when the analysis explicitly says the same MCP
88
+ transport supports static-token auth. Do not print a Jam `.mcp.json` header snippet because
89
+ Jam's preferred headless substrate is its PAT-authenticated CLI.
69
90
 
70
91
  4. **Emit the allowlist + gaps notice.** List any custom domains the setup or runtime reaches
71
92
  (from `networkAccess.allowlistDomains`, falling back to legacy `allowlistDomains`) that the user
@@ -1,6 +1,6 @@
1
1
  ---
2
2
  name: jam-access
3
- description: "Vendor-neutral access layer for Jam. Jam triage rules and skills MUST delegate through this skill rather than calling Jam MCP tools directly. Resolves Jam MCP first when available, then falls back to JAM_PAT bearer auth for headless routines."
3
+ description: "Vendor-neutral access layer for Jam. Jam triage rules and skills MUST delegate through this skill rather than calling Jam MCP tools directly. Resolves Jam MCP first when available, then falls back to the JAM_PAT-authenticated Jam CLI for headless routines."
4
4
  allowed-tools: ["Bash", "Read", "Skill"]
5
5
  ---
6
6
 
@@ -24,16 +24,16 @@ Return parsed JSON or a concise structured summary in a `<result>` block.
24
24
  Probe in order:
25
25
 
26
26
  1. Jam MCP, if the tool is available and authenticated.
27
- 2. `JAM_PAT` bearer token against Jam's MCP/trace HTTP substrate.
27
+ 2. Jam CLI authenticated with `JAM_PAT`.
28
28
 
29
- Jam documents personal access tokens for MCP clients so a browser OAuth flow is
30
- not required. The headless tier uses:
29
+ Jam documents a PAT-authenticated CLI that is cleaner for remote routines than
30
+ editing `.mcp.json` headers. The headless tier uses:
31
31
 
32
32
  ```bash
33
- curl -sS "https://mcp.jam.dev/mcp" \
34
- -H "Authorization: Bearer $JAM_PAT" \
35
- -H "Content-Type: application/json" \
36
- --data-binary "$PAYLOAD"
33
+ curl -fsSL https://native.jam.dev/install | bash
34
+ export PATH="$HOME/.local/bin:$PATH"
35
+ printf '%s' "$JAM_PAT" | jam auth login --token
36
+ jam skills install
37
37
  ```
38
38
 
39
39
  If neither tier works, fail with:
@@ -45,7 +45,8 @@ Error: no Jam access substrate available. Authenticate the Jam MCP or set JAM_PA
45
45
  ## Invariants
46
46
 
47
47
  - Fallback is gated on `JAM_PAT`; do not retry Jam MCP failures blindly.
48
- - Never commit a Jam PAT into `.mcp.json`. Use env interpolation in host MCP
49
- config, for example `Authorization: Bearer ${JAM_PAT}`.
50
- - If a requested operation is not yet mapped to the Jam HTTP substrate, surface
48
+ - Never commit a Jam PAT into `.mcp.json` or any generated setup artifact.
49
+ - Headless Jam access requires `native.jam.dev` for the installer and
50
+ `api.jam.dev` for CLI/API calls in any custom remote network allowlist.
51
+ - If a requested operation is not yet mapped to the Jam CLI substrate, surface
51
52
  that exact missing adapter instead of pretending the trace is unavailable.
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa-cdk",
3
- "version": "2.178.1",
3
+ "version": "2.178.3",
4
4
  "description": "AWS CDK-specific plugin",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa-cdk",
3
- "version": "2.178.1",
3
+ "version": "2.178.3",
4
4
  "description": "AWS CDK-specific Lisa plugin.",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa-cdk",
3
- "version": "2.178.1",
3
+ "version": "2.178.3",
4
4
  "description": "AWS CDK-specific plugin",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa-cdk",
3
- "version": "2.178.1",
3
+ "version": "2.178.3",
4
4
  "description": "AWS CDK-specific plugin",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa-cdk",
3
- "version": "2.178.1",
3
+ "version": "2.178.3",
4
4
  "description": "AWS CDK-specific plugin",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa",
3
- "version": "2.178.1",
3
+ "version": "2.178.3",
4
4
  "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -22,7 +22,7 @@ available.
22
22
  | Atlassian | `lisa:atlassian-access` | `ATLASSIAN_API_TOKEN` | Atlassian Cloud REST |
23
23
  | Notion | `lisa:notion-access` | `NOTION_API_TOKEN` | Notion REST |
24
24
  | Linear | `lisa:linear-access` | `LINEAR_API_KEY` | Linear GraphQL |
25
- | Jam | `lisa:jam-access` | `JAM_PAT` | Jam MCP HTTP endpoint with bearer PAT |
25
+ | Jam | `lisa:jam-access` | `JAM_PAT` | Jam CLI |
26
26
  | SonarCloud | `lisa:sonarcloud-access` | `SONAR_TOKEN` | SonarCloud Web API |
27
27
  | Sentry | `lisa:sentry-access` | `SENTRY_AUTH_TOKEN` | Sentry REST API |
28
28
  | PostHog | `lisa:posthog-access` | `POSTHOG_PERSONAL_API_KEY` | PostHog REST API |
@@ -133,11 +133,35 @@ Group the findings as:
133
133
  `RISK`/`GAP` (need a local process — only viable if the cloud session can spawn them from the
134
134
  repo). Flag interactively/OAuth-authed servers as `GAP` for headless auth — they cannot complete
135
135
  a browser flow headless **regardless of transport** (an HTTP MCP like `linear-server` is still a
136
- `GAP` because its *auth* is OAuth, not because of its transport). When an OAuth MCP backs an
137
- active tracker/source, do not stop at the `GAP` cross-reference group 4a and point to the
138
- integration's token substrate as the headless replacement (e.g. `linear-server` MCP `LINEAR_API_KEY`
139
- + Linear GraphQL). Note any user-scoped MCP (`~/.claude.json`) as `GAP` it never reaches the
140
- cloud; it must be moved into project `.mcp.json`.
136
+ `GAP` because its *auth* is OAuth, not because of its transport). Before finalizing any
137
+ OAuth/interactive/stdio MCP as a flat `GAP`, check for a documented headless substrate: a
138
+ static-token MCP header, a vendor CLI that can login from an env token, or a token-authenticated
139
+ REST API that the MCP wraps. If documented evidence exists, mark the MCP `headlessUsable: true`
140
+ in the inventory, mark the supporting secret `required: false` / `secret: true` unless the
141
+ integration is active, and set `replacedBy` to the concrete substrate rather than leaving it as
142
+ an impossible capability. When an OAuth MCP backs an active tracker/source, do not stop at the
143
+ `GAP` — cross-reference group 4a and point to the integration's token substrate as the headless
144
+ replacement (e.g. `linear-server` MCP -> `LINEAR_API_KEY` + Linear GraphQL). Note any user-scoped
145
+ MCP (`~/.claude.json`) as `GAP` — it never reaches the cloud; it must be moved into project
146
+ `.mcp.json`.
147
+
148
+ Use this data-driven hint table as seed evidence, and extend it only when you can cite a vendor
149
+ doc or committed access-skill reference:
150
+
151
+ | Match | Substrate | Env | Setup / wiring | Domains |
152
+ |---|---|---|---|---|
153
+ | `mcp.jam.dev`, `jam`, or Jam MCP entries | Jam CLI (`jam`) authenticated by PAT | `JAM_PAT` | install with `curl -fsSL https://native.jam.dev/install | bash`; export `~/.local/bin`; run `printf '%s' "$JAM_PAT" | jam auth login --token`; optionally `jam skills install` | `native.jam.dev`, `api.jam.dev` |
154
+ | `mcp/sonarqube`, `sonarqube`, or SonarCloud/SonarQube MCP entries | SonarCloud Web API | `SONAR_TOKEN` | use REST calls against `https://sonarcloud.io/api/`; if a host needs legacy token-as-basic-auth, put that in the access adapter | `sonarcloud.io` |
155
+
156
+ For PAT-bearer MCP substrates that really use the same MCP transport, include `mcpHeaders` in
157
+ the inventory with a snippet such as `headers: { "Authorization": "Bearer ${VAR}" }` so the
158
+ generator can print a commented `.mcp.json` example. Do **not** use that for Jam: Jam's preferred
159
+ headless substrate is the `jam` CLI, so the generator should emit CLI setup lines instead of an
160
+ `.mcp.json` header snippet.
161
+
162
+ When no documented substrate is known, keep the MCP as `headlessUsable: false` / `GAP`, and add
163
+ an action line like: `check the vendor for a documented PAT, API-key, CLI, or REST substrate`.
164
+ Never assert that no substrate exists unless the vendor documentation explicitly says so.
141
165
 
142
166
  6. **Config scope & memory gaps** — identify reliance on user-scoped config that will not load
143
167
  remotely: `~/.claude/CLAUDE.md`, user `enabledPlugins`, user skills/agents, user MCP. Most
@@ -250,10 +274,27 @@ so the generator can render acquisition comments into its template:
250
274
  "headlessSubstrate": "gh CLI (token)",
251
275
  "acquireUrl": "https://github.com/settings/personal-access-tokens",
252
276
  "accessScope": "fine-grained PAT on target repo: Contents R/W, Issues R/W, Pull requests R/W, Metadata R; +Workflows R/W if editing .github/workflows; +Projects R/W if using ProjectV2"
277
+ },
278
+ {
279
+ "name": "JAM_PAT", "required": false, "secret": true, "integration": "jam",
280
+ "reason": "optional non-tracker MCP recovery; Jam CLI can authenticate headlessly from a PAT",
281
+ "headlessSubstrate": "jam CLI (PAT)",
282
+ "acquireUrl": "https://jam.dev/docs/debug-a-jam/mcp/personal-access-tokens",
283
+ "accessScope": "Jam Personal Access Token for the workspace/team whose traces the routine needs to read",
284
+ "setupSnippet": "curl -fsSL https://native.jam.dev/install | bash; export PATH=\"$HOME/.local/bin:$PATH\"; printf '%s' \"$JAM_PAT\" | jam auth login --token; jam skills install"
285
+ },
286
+ {
287
+ "name": "SONAR_TOKEN", "required": false, "secret": true, "integration": "sonarcloud",
288
+ "reason": "optional non-tracker MCP recovery; SonarQube MCP wraps the token-authenticated SonarCloud Web API",
289
+ "headlessSubstrate": "SonarCloud Web API (token)",
290
+ "acquireUrl": "https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens",
291
+ "accessScope": "token must be able to read the target SonarCloud organization/project quality gate, issues, hotspots, rules, and source snippets"
253
292
  }
254
293
  ],
255
294
  "mcp": [
256
- { "name": "linear-server", "transport": "http", "auth": "oauth", "headlessUsable": false, "replacedBy": "LINEAR_API_KEY + Linear GraphQL", "dormant": true }
295
+ { "name": "linear-server", "transport": "http", "auth": "oauth", "headlessUsable": false, "replacedBy": "LINEAR_API_KEY + Linear GraphQL", "dormant": true },
296
+ { "name": "jam", "transport": "http", "auth": "oauth", "headlessUsable": true, "replacedBy": "jam CLI + JAM_PAT", "dormant": true },
297
+ { "name": "sonarqube", "transport": "stdio", "auth": "local-wrapper", "headlessUsable": true, "replacedBy": "SONAR_TOKEN + SonarCloud Web API", "dormant": true }
257
298
  ],
258
299
  "gaps": [ "auto-memory not synced to cloud", "bun package fetch behind proxy", "OS keychain absent — env-var token form only" ],
259
300
  "platform": {
@@ -305,3 +346,6 @@ so the generator can render acquisition comments into its template:
305
346
  to environment editors; never imply the generated script can hide them.
306
347
  - A browser-OAuth MCP (or interactively-authed CLI) backing an active integration is a `GAP`; the
307
348
  remediation is its token substrate from the table, not "authenticate the MCP".
349
+ - For non-tracker MCPs, a documented CLI, PAT/API-key, or REST substrate converts the finding from
350
+ a flat `GAP` into an `OPTIONAL` headless recovery path; unknown vendors remain gaps with a
351
+ vendor-substrate follow-up, not invented credentials.
@@ -66,6 +66,27 @@ tracker/source, plus the host project's own package manager and tooling — not
66
66
  When the entry is `GH_TOKEN`, add a comment from `platform.githubProxy` clarifying that the token
67
67
  is for `gh` CLI commands against the project/Lisa repos, not for raw git clone/fetch/push or
68
68
  sibling repos reachable through the routine's GitHub proxy.
69
+ For OPTIONAL non-tracker MCP recovery entries discovered by
70
+ `/lisa:analyze-claude-remote`, preserve the same names-only behavior:
71
+ include `JAM_PAT`, `SONAR_TOKEN`, or similar documented substrate env vars
72
+ only as optional secrets, with their acquire/scope comments when the analysis
73
+ supplied them. Never invent values or promote dormant substrates to required.
74
+
75
+ 3a. **Emit substrate setup snippets.** When the inventory marks an MCP
76
+ `headlessUsable: true` through a documented substrate, render the matching
77
+ wiring guidance as commented, opt-in setup:
78
+ - CLI substrates: emit the detected install/login commands gated on the
79
+ optional env var. For Jam, this means `curl -fsSL https://native.jam.dev/install | bash`,
80
+ `export PATH="$HOME/.local/bin:$PATH"`, `printf '%s' "$JAM_PAT" | jam auth login --token`,
81
+ and `jam skills install`, all inside `[ -n "${JAM_PAT:-}" ] && ...` guards so missing
82
+ optional secrets do not fail the environment build.
83
+ - REST substitute substrates: do not install an MCP. Emit comments naming the
84
+ REST host and env var (for example `SONAR_TOKEN` with `https://sonarcloud.io/api/`) and
85
+ rely on the access skill or generated consumer to call the API.
86
+ - PAT-bearer MCP substrates: print a commented `.mcp.json` `headers` snippet from the
87
+ inventory's `mcpHeaders`. Use this only when the analysis explicitly says the same MCP
88
+ transport supports static-token auth. Do not print a Jam `.mcp.json` header snippet because
89
+ Jam's preferred headless substrate is its PAT-authenticated CLI.
69
90
 
70
91
  4. **Emit the allowlist + gaps notice.** List any custom domains the setup or runtime reaches
71
92
  (from `networkAccess.allowlistDomains`, falling back to legacy `allowlistDomains`) that the user
@@ -1,6 +1,6 @@
1
1
  ---
2
2
  name: jam-access
3
- description: "Vendor-neutral access layer for Jam. Jam triage rules and skills MUST delegate through this skill rather than calling Jam MCP tools directly. Resolves Jam MCP first when available, then falls back to JAM_PAT bearer auth for headless routines."
3
+ description: "Vendor-neutral access layer for Jam. Jam triage rules and skills MUST delegate through this skill rather than calling Jam MCP tools directly. Resolves Jam MCP first when available, then falls back to the JAM_PAT-authenticated Jam CLI for headless routines."
4
4
  allowed-tools: ["Bash", "Read", "Skill"]
5
5
  ---
6
6
 
@@ -24,16 +24,16 @@ Return parsed JSON or a concise structured summary in a `<result>` block.
24
24
  Probe in order:
25
25
 
26
26
  1. Jam MCP, if the tool is available and authenticated.
27
- 2. `JAM_PAT` bearer token against Jam's MCP/trace HTTP substrate.
27
+ 2. Jam CLI authenticated with `JAM_PAT`.
28
28
 
29
- Jam documents personal access tokens for MCP clients so a browser OAuth flow is
30
- not required. The headless tier uses:
29
+ Jam documents a PAT-authenticated CLI that is cleaner for remote routines than
30
+ editing `.mcp.json` headers. The headless tier uses:
31
31
 
32
32
  ```bash
33
- curl -sS "https://mcp.jam.dev/mcp" \
34
- -H "Authorization: Bearer $JAM_PAT" \
35
- -H "Content-Type: application/json" \
36
- --data-binary "$PAYLOAD"
33
+ curl -fsSL https://native.jam.dev/install | bash
34
+ export PATH="$HOME/.local/bin:$PATH"
35
+ printf '%s' "$JAM_PAT" | jam auth login --token
36
+ jam skills install
37
37
  ```
38
38
 
39
39
  If neither tier works, fail with:
@@ -45,7 +45,8 @@ Error: no Jam access substrate available. Authenticate the Jam MCP or set JAM_PA
45
45
  ## Invariants
46
46
 
47
47
  - Fallback is gated on `JAM_PAT`; do not retry Jam MCP failures blindly.
48
- - Never commit a Jam PAT into `.mcp.json`. Use env interpolation in host MCP
49
- config, for example `Authorization: Bearer ${JAM_PAT}`.
50
- - If a requested operation is not yet mapped to the Jam HTTP substrate, surface
48
+ - Never commit a Jam PAT into `.mcp.json` or any generated setup artifact.
49
+ - Headless Jam access requires `native.jam.dev` for the installer and
50
+ `api.jam.dev` for CLI/API calls in any custom remote network allowlist.
51
+ - If a requested operation is not yet mapped to the Jam CLI substrate, surface
51
52
  that exact missing adapter instead of pretending the trace is unavailable.
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa",
3
- "version": "2.178.1",
3
+ "version": "2.178.3",
4
4
  "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -27,7 +27,7 @@ available.
27
27
  | Atlassian | `lisa:atlassian-access` | `ATLASSIAN_API_TOKEN` | Atlassian Cloud REST |
28
28
  | Notion | `lisa:notion-access` | `NOTION_API_TOKEN` | Notion REST |
29
29
  | Linear | `lisa:linear-access` | `LINEAR_API_KEY` | Linear GraphQL |
30
- | Jam | `lisa:jam-access` | `JAM_PAT` | Jam MCP HTTP endpoint with bearer PAT |
30
+ | Jam | `lisa:jam-access` | `JAM_PAT` | Jam CLI |
31
31
  | SonarCloud | `lisa:sonarcloud-access` | `SONAR_TOKEN` | SonarCloud Web API |
32
32
  | Sentry | `lisa:sentry-access` | `SENTRY_AUTH_TOKEN` | Sentry REST API |
33
33
  | PostHog | `lisa:posthog-access` | `POSTHOG_PERSONAL_API_KEY` | PostHog REST API |