@codyswann/lisa 2.178.5 → 2.178.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/plugins/lisa/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa/skills/analyze-claude-remote/SKILL.md +72 -2
- package/plugins/lisa/skills/generate-claude-remote-build-script/SKILL.md +30 -1
- package/plugins/lisa-agy/plugin.json +1 -1
- package/plugins/lisa-agy/skills/analyze-claude-remote/SKILL.md +72 -2
- package/plugins/lisa-agy/skills/generate-claude-remote-build-script/SKILL.md +30 -1
- package/plugins/lisa-cdk/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-cdk/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-cdk-agy/plugin.json +1 -1
- package/plugins/lisa-cdk-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-cdk-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-copilot/skills/analyze-claude-remote/SKILL.md +72 -2
- package/plugins/lisa-copilot/skills/generate-claude-remote-build-script/SKILL.md +30 -1
- package/plugins/lisa-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-cursor/skills/analyze-claude-remote/SKILL.md +72 -2
- package/plugins/lisa-cursor/skills/generate-claude-remote-build-script/SKILL.md +30 -1
- package/plugins/lisa-expo/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-expo/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-expo/agents/ops-specialist.md +2 -2
- package/plugins/lisa-expo/skills/ops-check-logs/SKILL.md +8 -2
- package/plugins/lisa-expo/skills/ops-db-ops/SKILL.md +7 -3
- package/plugins/lisa-expo/skills/ops-deploy/SKILL.md +6 -2
- package/plugins/lisa-expo/skills/ops-run-local/SKILL.md +5 -2
- package/plugins/lisa-expo-agy/agents/ops-specialist.md +2 -2
- package/plugins/lisa-expo-agy/plugin.json +1 -1
- package/plugins/lisa-expo-agy/skills/ops-check-logs/SKILL.md +8 -2
- package/plugins/lisa-expo-agy/skills/ops-db-ops/SKILL.md +7 -3
- package/plugins/lisa-expo-agy/skills/ops-deploy/SKILL.md +6 -2
- package/plugins/lisa-expo-agy/skills/ops-run-local/SKILL.md +5 -2
- package/plugins/lisa-expo-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-expo-copilot/agents/ops-specialist.agent.md +2 -2
- package/plugins/lisa-expo-copilot/skills/ops-check-logs/SKILL.md +8 -2
- package/plugins/lisa-expo-copilot/skills/ops-db-ops/SKILL.md +7 -3
- package/plugins/lisa-expo-copilot/skills/ops-deploy/SKILL.md +6 -2
- package/plugins/lisa-expo-copilot/skills/ops-run-local/SKILL.md +5 -2
- package/plugins/lisa-expo-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-expo-cursor/agents/ops-specialist.md +2 -2
- package/plugins/lisa-expo-cursor/skills/ops-check-logs/SKILL.md +8 -2
- package/plugins/lisa-expo-cursor/skills/ops-db-ops/SKILL.md +7 -3
- package/plugins/lisa-expo-cursor/skills/ops-deploy/SKILL.md +6 -2
- package/plugins/lisa-expo-cursor/skills/ops-run-local/SKILL.md +5 -2
- package/plugins/lisa-harper-fabric/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-harper-fabric/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-harper-fabric-agy/plugin.json +1 -1
- package/plugins/lisa-harper-fabric-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-harper-fabric-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-nestjs/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-nestjs/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-nestjs-agy/plugin.json +1 -1
- package/plugins/lisa-nestjs-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-nestjs-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-openclaw/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-openclaw/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-openclaw-agy/plugin.json +1 -1
- package/plugins/lisa-openclaw-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-openclaw-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-phaser/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-phaser/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-phaser-agy/plugin.json +1 -1
- package/plugins/lisa-phaser-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-phaser-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-rails/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-rails/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-rails/agents/ops-specialist.md +1 -1
- package/plugins/lisa-rails-agy/agents/ops-specialist.md +1 -1
- package/plugins/lisa-rails-agy/plugin.json +1 -1
- package/plugins/lisa-rails-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-rails-copilot/agents/ops-specialist.agent.md +1 -1
- package/plugins/lisa-rails-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-rails-cursor/agents/ops-specialist.md +1 -1
- package/plugins/lisa-typescript/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-typescript/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-typescript-agy/plugin.json +1 -1
- package/plugins/lisa-typescript-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-typescript-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-wiki/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-wiki/.codex-plugin/plugin.json +1 -1
- package/plugins/lisa-wiki-agy/plugin.json +1 -1
- package/plugins/lisa-wiki-copilot/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-wiki-cursor/.claude-plugin/plugin.json +1 -1
- package/plugins/src/base/skills/analyze-claude-remote/SKILL.md +72 -2
- package/plugins/src/base/skills/generate-claude-remote-build-script/SKILL.md +30 -1
- package/plugins/src/expo/agents/ops-specialist.md +2 -2
- package/plugins/src/expo/skills/ops-check-logs/SKILL.md +8 -2
- package/plugins/src/expo/skills/ops-db-ops/SKILL.md +7 -3
- package/plugins/src/expo/skills/ops-deploy/SKILL.md +6 -2
- package/plugins/src/expo/skills/ops-run-local/SKILL.md +5 -2
- package/plugins/src/rails/agents/ops-specialist.md +1 -1
|
@@ -100,10 +100,10 @@ Read `app/` directory structure to discover all available routes.
|
|
|
100
100
|
|---------|-------------|-----|
|
|
101
101
|
| `port 8081 already in use` | Previous Metro bundler running | `lsof -ti :8081 \| xargs kill -9` |
|
|
102
102
|
| `port 3000 already in use` | Previous backend running | `lsof -ti :3000 \| xargs kill -9` |
|
|
103
|
-
| `ExpiredTokenException` | AWS
|
|
103
|
+
| `ExpiredTokenException` | AWS credentials expired | Interactive local: refresh the backend AWS signin flow. Headless: use the environment-backed AWS profile; do not start an SSO browser/device flow |
|
|
104
104
|
| Metro bundler crash | Cache corruption | `bun start:local --clear` |
|
|
105
105
|
| `ECONNREFUSED localhost:3000` | Backend not running | Start backend first, then frontend |
|
|
106
|
-
| Migration fails | Missing AWS credentials |
|
|
106
|
+
| Migration fails | Missing AWS credentials | Verify `aws sts get-caller-identity --profile {profile}`; use interactive signin only locally, environment-backed profile headless |
|
|
107
107
|
| EAS CLI not found | Not installed globally | `npm install -g eas-cli` |
|
|
108
108
|
| `sls` not found | Serverless not installed | `cd $BACKEND_DIR && bun install` |
|
|
109
109
|
| GraphQL schema mismatch | Stale generated types | Run `generate:types:{env}` script |
|
|
@@ -132,9 +132,14 @@ Discover available log scripts from the backend `package.json` (matching `logs:*
|
|
|
132
132
|
|
|
133
133
|
```bash
|
|
134
134
|
cd "${BACKEND_DIR:-../backend-v2}"
|
|
135
|
-
|
|
135
|
+
aws sts get-caller-identity --profile {aws-profile} 2>/dev/null
|
|
136
136
|
```
|
|
137
137
|
|
|
138
|
+
If this is an interactive local session and credentials are expired, refresh the backend's local
|
|
139
|
+
AWS signin flow. In a headless or remote-routine session, do not start an SSO browser/device flow;
|
|
140
|
+
use the preconfigured `~/.aws/config` profile backed by `AWS_ACCESS_KEY_ID` /
|
|
141
|
+
`AWS_SECRET_ACCESS_KEY` environment credentials.
|
|
142
|
+
|
|
138
143
|
### View Recent Logs
|
|
139
144
|
|
|
140
145
|
```bash
|
|
@@ -151,7 +156,8 @@ FUNCTION_NAME={fn} bun run logs:watch:{env}
|
|
|
151
156
|
|
|
152
157
|
## Remote Logs (AWS CLI — Advanced Filtering)
|
|
153
158
|
|
|
154
|
-
For more advanced filtering, use the AWS CLI directly. Discover the AWS profile from backend
|
|
159
|
+
For more advanced filtering, use the AWS CLI directly. Discover the AWS profile from backend
|
|
160
|
+
`package.json` scripts or the remote-routine `~/.aws/config` profile.
|
|
155
161
|
|
|
156
162
|
### Discover Log Groups
|
|
157
163
|
|
|
@@ -29,7 +29,7 @@ Read the backend `package.json` to discover available migration and schema scrip
|
|
|
29
29
|
- `migration:generate:*` — generate new migration from entity changes
|
|
30
30
|
- `migration:create` — create empty migration
|
|
31
31
|
- `generate:sql-schema*` — regenerate SQL schema for MCP
|
|
32
|
-
- `aws:signin:*`
|
|
32
|
+
- AWS credential/profile scripts such as `aws:signin:*` and any environment-backed remote profile
|
|
33
33
|
|
|
34
34
|
Read the frontend `package.json` to discover codegen scripts:
|
|
35
35
|
- `fetch:graphql:schema:*` — fetch GraphQL schema
|
|
@@ -37,13 +37,17 @@ Read the frontend `package.json` to discover codegen scripts:
|
|
|
37
37
|
|
|
38
38
|
## AWS Prerequisite
|
|
39
39
|
|
|
40
|
-
All database operations (except `codegen`) require AWS credentials.
|
|
40
|
+
All database operations (except `codegen`) require AWS credentials. Verify the target profile first:
|
|
41
41
|
|
|
42
42
|
```bash
|
|
43
43
|
cd "${BACKEND_DIR:-../backend-v2}"
|
|
44
|
-
|
|
44
|
+
aws sts get-caller-identity --profile {aws-profile}
|
|
45
45
|
```
|
|
46
46
|
|
|
47
|
+
If this is an interactive local session and credentials are expired, refresh the backend's local AWS
|
|
48
|
+
signin flow. In a headless or remote-routine session, use the preconfigured environment-backed
|
|
49
|
+
assume-role profile and do not start an SSO browser/device flow.
|
|
50
|
+
|
|
47
51
|
## Operations
|
|
48
52
|
|
|
49
53
|
### migrate (run pending migrations)
|
|
@@ -73,11 +73,15 @@ Use for JS-only changes (no native module changes).
|
|
|
73
73
|
|
|
74
74
|
### Full Deploy (Serverless Framework)
|
|
75
75
|
|
|
76
|
-
1. AWS
|
|
76
|
+
1. Verify AWS credentials (discover the profile from backend `package.json` or remote-routine
|
|
77
|
+
`~/.aws/config`):
|
|
77
78
|
```bash
|
|
78
79
|
cd "${BACKEND_DIR:-../backend-v2}"
|
|
79
|
-
|
|
80
|
+
aws sts get-caller-identity --profile {aws-profile}
|
|
80
81
|
```
|
|
82
|
+
If this is an interactive local session and credentials are expired, refresh the backend's local
|
|
83
|
+
AWS signin flow. In a headless or remote-routine session, use the environment-backed assume-role
|
|
84
|
+
profile and do not start an SSO browser/device flow.
|
|
81
85
|
|
|
82
86
|
2. Deploy all functions:
|
|
83
87
|
```bash
|
|
@@ -95,11 +95,14 @@ Use when the backend is already deployed and you only need the frontend.
|
|
|
95
95
|
|
|
96
96
|
### start-backend (backend only)
|
|
97
97
|
|
|
98
|
-
1. Check AWS credentials (discover profile from backend `package.json`
|
|
98
|
+
1. Check AWS credentials (discover profile from backend `package.json` scripts or remote-routine
|
|
99
|
+
`~/.aws/config`):
|
|
99
100
|
```bash
|
|
100
101
|
aws sts get-caller-identity --profile {aws-profile} 2>/dev/null
|
|
101
102
|
```
|
|
102
|
-
If expired,
|
|
103
|
+
If this is an interactive local session and credentials are expired, refresh the backend's local
|
|
104
|
+
AWS signin flow. In headless sessions, rely on the configured environment-backed AWS profile and
|
|
105
|
+
do not start an SSO browser/device flow.
|
|
103
106
|
|
|
104
107
|
2. Start:
|
|
105
108
|
```bash
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "lisa-openclaw",
|
|
3
|
-
"version": "2.178.
|
|
3
|
+
"version": "2.178.6",
|
|
4
4
|
"description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
|
|
5
5
|
"author": {
|
|
6
6
|
"name": "Cody Swann"
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "lisa-openclaw",
|
|
3
|
-
"version": "2.178.
|
|
3
|
+
"version": "2.178.6",
|
|
4
4
|
"description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, across Claude and Codex.",
|
|
5
5
|
"author": {
|
|
6
6
|
"name": "Cody Swann"
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "lisa-openclaw",
|
|
3
|
-
"version": "2.178.
|
|
3
|
+
"version": "2.178.6",
|
|
4
4
|
"description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
|
|
5
5
|
"author": {
|
|
6
6
|
"name": "Cody Swann"
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "lisa-openclaw",
|
|
3
|
-
"version": "2.178.
|
|
3
|
+
"version": "2.178.6",
|
|
4
4
|
"description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
|
|
5
5
|
"author": {
|
|
6
6
|
"name": "Cody Swann"
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "lisa-openclaw",
|
|
3
|
-
"version": "2.178.
|
|
3
|
+
"version": "2.178.6",
|
|
4
4
|
"description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
|
|
5
5
|
"author": {
|
|
6
6
|
"name": "Cody Swann"
|
|
@@ -206,7 +206,7 @@ check_env() {
|
|
|
206
206
|
| Solid Queue jobs stuck | Worker process crashed | Check `docker compose logs worker`; restart worker container |
|
|
207
207
|
| Migrations fail on deploy | Unsafe migration detected by Strong Migrations | Fix the migration per Strong Migrations guidance, then redeploy |
|
|
208
208
|
| `ActiveRecord::NoDatabaseError` | Database not created | `bin/rails db:create` (local) or check ECS task definition env vars |
|
|
209
|
-
| AWS credentials expired | SSO session timed out |
|
|
209
|
+
| AWS credentials expired | SSO session timed out locally, or missing env-backed profile headless | Interactive local: refresh the local AWS profile outside headless automation. Headless: use the configured environment-backed assume-role profile |
|
|
210
210
|
| ECS tasks keep restarting | Health check failing or OOM | Check CloudWatch logs for the task; verify `/up` returns 200; check memory limits |
|
|
211
211
|
| OpenTelemetry traces missing | Collector not configured or endpoint wrong | Verify `OTEL_EXPORTER_OTLP_ENDPOINT` in environment; check collector sidecar logs |
|
|
212
212
|
| `Bundler::GemNotFound` | Missing `bundle install` after Gemfile change | `bundle install` locally; for deploy, rebuild Docker image |
|
|
@@ -206,7 +206,7 @@ check_env() {
|
|
|
206
206
|
| Solid Queue jobs stuck | Worker process crashed | Check `docker compose logs worker`; restart worker container |
|
|
207
207
|
| Migrations fail on deploy | Unsafe migration detected by Strong Migrations | Fix the migration per Strong Migrations guidance, then redeploy |
|
|
208
208
|
| `ActiveRecord::NoDatabaseError` | Database not created | `bin/rails db:create` (local) or check ECS task definition env vars |
|
|
209
|
-
| AWS credentials expired | SSO session timed out |
|
|
209
|
+
| AWS credentials expired | SSO session timed out locally, or missing env-backed profile headless | Interactive local: refresh the local AWS profile outside headless automation. Headless: use the configured environment-backed assume-role profile |
|
|
210
210
|
| ECS tasks keep restarting | Health check failing or OOM | Check CloudWatch logs for the task; verify `/up` returns 200; check memory limits |
|
|
211
211
|
| OpenTelemetry traces missing | Collector not configured or endpoint wrong | Verify `OTEL_EXPORTER_OTLP_ENDPOINT` in environment; check collector sidecar logs |
|
|
212
212
|
| `Bundler::GemNotFound` | Missing `bundle install` after Gemfile change | `bundle install` locally; for deploy, rebuild Docker image |
|
|
@@ -206,7 +206,7 @@ check_env() {
|
|
|
206
206
|
| Solid Queue jobs stuck | Worker process crashed | Check `docker compose logs worker`; restart worker container |
|
|
207
207
|
| Migrations fail on deploy | Unsafe migration detected by Strong Migrations | Fix the migration per Strong Migrations guidance, then redeploy |
|
|
208
208
|
| `ActiveRecord::NoDatabaseError` | Database not created | `bin/rails db:create` (local) or check ECS task definition env vars |
|
|
209
|
-
| AWS credentials expired | SSO session timed out |
|
|
209
|
+
| AWS credentials expired | SSO session timed out locally, or missing env-backed profile headless | Interactive local: refresh the local AWS profile outside headless automation. Headless: use the configured environment-backed assume-role profile |
|
|
210
210
|
| ECS tasks keep restarting | Health check failing or OOM | Check CloudWatch logs for the task; verify `/up` returns 200; check memory limits |
|
|
211
211
|
| OpenTelemetry traces missing | Collector not configured or endpoint wrong | Verify `OTEL_EXPORTER_OTLP_ENDPOINT` in environment; check collector sidecar logs |
|
|
212
212
|
| `Bundler::GemNotFound` | Missing `bundle install` after Gemfile change | `bundle install` locally; for deploy, rebuild Docker image |
|
|
@@ -206,7 +206,7 @@ check_env() {
|
|
|
206
206
|
| Solid Queue jobs stuck | Worker process crashed | Check `docker compose logs worker`; restart worker container |
|
|
207
207
|
| Migrations fail on deploy | Unsafe migration detected by Strong Migrations | Fix the migration per Strong Migrations guidance, then redeploy |
|
|
208
208
|
| `ActiveRecord::NoDatabaseError` | Database not created | `bin/rails db:create` (local) or check ECS task definition env vars |
|
|
209
|
-
| AWS credentials expired | SSO session timed out |
|
|
209
|
+
| AWS credentials expired | SSO session timed out locally, or missing env-backed profile headless | Interactive local: refresh the local AWS profile outside headless automation. Headless: use the configured environment-backed assume-role profile |
|
|
210
210
|
| ECS tasks keep restarting | Health check failing or OOM | Check CloudWatch logs for the task; verify `/up` returns 200; check memory limits |
|
|
211
211
|
| OpenTelemetry traces missing | Collector not configured or endpoint wrong | Verify `OTEL_EXPORTER_OTLP_ENDPOINT` in environment; check collector sidecar logs |
|
|
212
212
|
| `Bundler::GemNotFound` | Missing `bundle install` after Gemfile change | `bundle install` locally; for deploy, rebuild Docker image |
|
|
@@ -78,13 +78,18 @@ Group the findings as:
|
|
|
78
78
|
git, and coreutils are present; `gh` is available but should be installed explicitly if scripts
|
|
79
79
|
call it. Classify each `REQUIRED` (core path uses it) vs `OPTIONAL` (only a dormant stack/skill
|
|
80
80
|
uses it). Typical finds: `gh`, `jq`, `docker` (ZAP), `aws`, `acli`, `ruby`/`rubocop`,
|
|
81
|
-
`python3`, `playwright`/chromium, secret scanners.
|
|
81
|
+
`python3`, `playwright`/chromium, secret scanners. Treat AWS as more than a
|
|
82
|
+
binary install: if the repo invokes `aws`, imports AWS SDK packages, uses CDK/Serverless/SST,
|
|
83
|
+
references `AWS_*` env vars, or documents `aws sso login` / `sso_*` profile setup, add the AWS
|
|
84
|
+
credential findings in group 4b as well as the `aws` CLI tool finding.
|
|
82
85
|
|
|
83
86
|
4. **Environment variables & secrets** — scan for `process.env.*`, `${VAR}`/`$VAR` in shell,
|
|
84
87
|
`secrets.*`/`env:` in CI, and config-referenced tokens. Group by integration (GitHub, AWS,
|
|
85
88
|
Atlassian/JIRA/Confluence, Notion, Linear, Anthropic, notifications, feature flags, other).
|
|
86
89
|
Cross-reference `.lisa.config.json` `tracker`/`source` to mark which credentials are **active**
|
|
87
|
-
for this repo vs **dormant** (`OPTIONAL`).
|
|
90
|
+
for this repo vs **dormant** (`OPTIONAL`). Separately classify host-project AWS usage in group 4b:
|
|
91
|
+
AWS can be required even when it is not the tracker or PRD source. Distinguish *where* each var
|
|
92
|
+
must be set, because the
|
|
88
93
|
answer differs and getting it wrong sends the user to do redundant work:
|
|
89
94
|
|
|
90
95
|
- **Committed `.claude/settings.json` `env` flags** (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`,
|
|
@@ -128,6 +133,34 @@ Group the findings as:
|
|
|
128
133
|
guessed. If a value the table needs (server URL, project key, workspace id, email, team key) is
|
|
129
134
|
missing from `.lisa.config.json`, flag it as a `GAP`/`Action:` to set it, rather than inventing one.
|
|
130
135
|
|
|
136
|
+
4b. **AWS operations credentials** — scan the host project for AWS usage independent of Lisa's
|
|
137
|
+
tracker/source config:
|
|
138
|
+
|
|
139
|
+
- `aws` CLI invocations in `scripts/`, package scripts, committed skills/agents, or
|
|
140
|
+
`.github/workflows/`.
|
|
141
|
+
- AWS SDK imports/packages (`@aws-sdk/*`, `aws-sdk`, `boto3`, CDK, Serverless, SST, Amplify,
|
|
142
|
+
Terraform providers).
|
|
143
|
+
- `aws sso login`, `aws:signin:*`, `sso_start_url`, `sso_account_id`, `sso_role_name`, or
|
|
144
|
+
`sso_session` in docs or config.
|
|
145
|
+
- `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_DEFAULT_REGION`,
|
|
146
|
+
`AWS_PROFILE`, role ARN, external ID, account, or CloudWatch/STS references.
|
|
147
|
+
|
|
148
|
+
If AWS is present, emit an AWS credential finding and inventory entry. If the repo's current
|
|
149
|
+
local path is `aws sso login` or an `aws:signin:*` script, classify that local path as a `GAP`
|
|
150
|
+
for headless remote routines: it is an interactive browser/device-authorization flow and cannot
|
|
151
|
+
complete in the cloud. Route to the AWS row in the Credential reference instead of suggesting
|
|
152
|
+
SSO auth. The finding must name the headless substrate: a dedicated IAM principal (user or role)
|
|
153
|
+
with only permission to `sts:AssumeRole`, environment credentials in the routine UI, and
|
|
154
|
+
`~/.aws/config` profiles using `role_arn`, `credential_source = Environment`, optional
|
|
155
|
+
`external_id`, and `region`.
|
|
156
|
+
|
|
157
|
+
When the repository contains concrete non-secret AWS metadata (role ARNs, account aliases,
|
|
158
|
+
profile names, regions, or ExternalId values), include it in an `awsProfiles` inventory array so
|
|
159
|
+
`/lisa:generate-claude-remote-build-script` can write matching `~/.aws/config` profiles. Never
|
|
160
|
+
invent account IDs, ExternalIds, role names, or regions. If AWS is detected but profile metadata
|
|
161
|
+
is absent, emit the required AWS secret names plus an action to add project-specific profile
|
|
162
|
+
metadata to the generated artifact or environment notes.
|
|
163
|
+
|
|
131
164
|
5. **MCP servers** — read every committed `.mcp.json`. For each server report transport and auth.
|
|
132
165
|
Project-scoped HTTP/SSE servers with no interactive auth are `OK`. Flag stdio servers as
|
|
133
166
|
`RISK`/`GAP` (need a local process — only viable if the cloud session can spawn them from the
|
|
@@ -234,6 +267,31 @@ unsuffixed `…_TOKEN`/`…_KEY` is the simplest to set in a single-account rout
|
|
|
234
267
|
- Acquire: `https://linear.app/<workspace>/settings/account/security` → Personal API keys → New API key.
|
|
235
268
|
- Access: the personal API key inherits the user's workspace permissions — the user must be able to read/create/update Issues in the destination team.
|
|
236
269
|
|
|
270
|
+
### AWS — host-project operations, logs, deploys, CDK/Serverless/SST, or AWS SDK usage
|
|
271
|
+
- Headless substrate: a dedicated IAM principal (user or role) with long-lived bootstrap credentials
|
|
272
|
+
stored in the routine environment, used only to call `sts:AssumeRole` into per-account operational
|
|
273
|
+
roles. The routine writes `~/.aws/config` profiles with `role_arn`, `credential_source =
|
|
274
|
+
Environment`, optional `external_id`, and `region`; agents use `aws --profile <profile> ...`.
|
|
275
|
+
- Env: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`; optional `AWS_SESSION_TOKEN` for temporary
|
|
276
|
+
bootstrap credentials; `AWS_DEFAULT_REGION` when no profile region is provided. Role ARNs,
|
|
277
|
+
ExternalIds, profile names, and regions are non-secret project metadata and belong in generated
|
|
278
|
+
artifacts or project docs, not in the skill's global guidance.
|
|
279
|
+
- Allowlist: `*.amazonaws.com`, or narrower service hosts such as `sts.amazonaws.com`,
|
|
280
|
+
`logs.<region>.amazonaws.com`, `cloudwatch.<region>.amazonaws.com`,
|
|
281
|
+
`xray.<region>.amazonaws.com`, `ssm.<region>.amazonaws.com`, and service-specific endpoints the
|
|
282
|
+
repo uses.
|
|
283
|
+
- Access: the bootstrap principal should have only `sts:AssumeRole` on the scoped operational role
|
|
284
|
+
ARNs, preferably guarded by an `ExternalId` condition. The assumed roles carry the real
|
|
285
|
+
permissions needed by the repo (CloudWatch Logs, deploy, SSM, etc.) as short-lived STS
|
|
286
|
+
credentials.
|
|
287
|
+
- IAM Identity Center caveat: an IAM Identity Center permission set provisions an `AWSReservedSSO_*`
|
|
288
|
+
role whose trust allows the SSO service, not an arbitrary IAM principal. A headless IAM principal
|
|
289
|
+
cannot directly assume that reserved role. Use a separate assumable role that attaches the same
|
|
290
|
+
policy as the permission set, with the delegated Identity Center admin keeping that policy as the
|
|
291
|
+
source of truth.
|
|
292
|
+
- Alternative: IAM Roles Anywhere (X.509 to STS) when long-lived bootstrap access keys are
|
|
293
|
+
unacceptable.
|
|
294
|
+
|
|
237
295
|
## Output
|
|
238
296
|
|
|
239
297
|
Render the report grouped exactly as above. Start with one `Summary:` line, then a `Counts:` line
|
|
@@ -296,6 +354,15 @@ so the generator can render acquisition comments into its template:
|
|
|
296
354
|
{ "name": "jam", "transport": "http", "auth": "oauth", "headlessUsable": true, "replacedBy": "jam CLI + JAM_PAT", "dormant": true },
|
|
297
355
|
{ "name": "sonarqube", "transport": "stdio", "auth": "local-wrapper", "headlessUsable": true, "replacedBy": "SONAR_TOKEN + SonarCloud Web API", "dormant": true }
|
|
298
356
|
],
|
|
357
|
+
"awsProfiles": [
|
|
358
|
+
{
|
|
359
|
+
"name": "dev",
|
|
360
|
+
"roleArn": "arn:aws:iam::<account-id>:role/<role-name>",
|
|
361
|
+
"credentialSource": "Environment",
|
|
362
|
+
"externalId": "<project-external-id>",
|
|
363
|
+
"region": "us-east-1"
|
|
364
|
+
}
|
|
365
|
+
],
|
|
299
366
|
"gaps": [ "auto-memory not synced to cloud", "bun package fetch behind proxy", "OS keychain absent — env-var token form only" ],
|
|
300
367
|
"platform": {
|
|
301
368
|
"githubProxy": {
|
|
@@ -346,6 +413,9 @@ so the generator can render acquisition comments into its template:
|
|
|
346
413
|
to environment editors; never imply the generated script can hide them.
|
|
347
414
|
- A browser-OAuth MCP (or interactively-authed CLI) backing an active integration is a `GAP`; the
|
|
348
415
|
remediation is its token substrate from the table, not "authenticate the MCP".
|
|
416
|
+
- `aws sso login`, `sso_*` profile configuration, and project scripts that wrap AWS SSO are
|
|
417
|
+
interactive-auth paths. In a headless routine they are a `GAP`, not a setup step. Route AWS access
|
|
418
|
+
to env-var bootstrap credentials plus assume-role profiles.
|
|
349
419
|
- For non-tracker MCPs, a documented CLI, PAT/API-key, or REST substrate converts the finding from
|
|
350
420
|
a flat `GAP` into an `OPTIONAL` headless recovery path; unknown vendors remain gaps with a
|
|
351
421
|
vendor-substrate follow-up, not invented credentials.
|