@cubis/foundry 0.3.59 → 0.3.61

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cubis/foundry",
-  "version": "0.3.59",
+  "version": "0.3.61",
   "description": "Cubis Foundry CLI for workflow-first AI agent environments",
   "type": "module",
   "bin": {
@@ -82,8 +82,10 @@
   },
   "dependencies": {
     "@inquirer/prompts": "^7.8.6",
+    "@modelcontextprotocol/sdk": "^1.27.1",
     "commander": "^14.0.1",
-    "jsonc-parser": "^3.3.1"
+    "jsonc-parser": "^3.3.1",
+    "zod": "^3.25.76"
   },
   "devDependencies": {
     "@types/node": "^20.14.0",

package/src/cli/core.ts

@@ -173,7 +173,7 @@ const CODEX_WORKFLOW_SKILL_PREFIX = "workflow-";
 const CODEX_AGENT_SKILL_PREFIX = "agent-";
 const TERMINAL_VERIFIER_PROVIDERS = ["codex", "gemini"];
 const DEFAULT_TERMINAL_VERIFIER = "codex";
-const POSTMAN_API_KEY_ENV_VAR = "POSTMAN_API_KEY";
+const POSTMAN_API_KEY_ENV_VAR = "POSTMAN_API_KEY_DEFAULT";
 const POSTMAN_MODE_TO_URL = Object.freeze({
   minimal: "https://mcp.postman.com/minimal",
   code: "https://mcp.postman.com/code",
@@ -190,7 +190,7 @@ const FOUNDRY_MCP_SERVER_ID = "cubis-foundry";
 const FOUNDRY_MCP_COMMAND = "cbx";
 const STITCH_SKILL_ID = "stitch";
 const STITCH_MCP_SERVER_ID = "StitchMCP";
-const STITCH_API_KEY_ENV_VAR = "STITCH_API_KEY";
+const STITCH_API_KEY_ENV_VAR = "STITCH_API_KEY_DEFAULT";
 const STITCH_MCP_URL = "https://stitch.googleapis.com/mcp";
 const POSTMAN_WORKSPACE_MANUAL_CHOICE = "__postman_workspace_manual__";
 const CBX_CONFIG_FILENAME = "cbx_config.json";
@@ -1203,6 +1203,99 @@ function parseTomlSections(content) {
   return sections;
 }
 
+function escapeTomlBasicString(value) {
+  return String(value ?? "")
+    .replace(/\\/g, "\\\\")
+    .replace(/"/g, '\\"');
+}
+
+async function patchCodexPostmanHttpHeaders({
+  configPath,
+  mcpUrl,
+  bearerToken,
+  dryRun = false,
+}) {
+  const warnings = [];
+  const normalizedToken = normalizePostmanApiKey(bearerToken);
+  if (!normalizedToken) {
+    return {
+      action: "skipped",
+      warnings: [
+        "Postman API key is unavailable in current environment. Kept bearer_token_env_var wiring in Codex config.",
+      ],
+    };
+  }
+
+  const configExists = await pathExists(configPath);
+  const original = configExists ? await readFile(configPath, "utf8") : "";
+  const lines = original.split(/\r?\n/);
+  const nextLines = [];
+
+  const headerLine =
+    `http_headers = { Authorization = "Bearer ${escapeTomlBasicString(normalizedToken)}" }`;
+  const serverHeader = "[mcp_servers.postman]";
+  let inPostmanSection = false;
+  let postmanSectionFound = false;
+  let insertedHeaders = false;
+
+  const flushPostmanHeaderIfNeeded = () => {
+    if (inPostmanSection && !insertedHeaders) {
+      nextLines.push(headerLine);
+      insertedHeaders = true;
+    }
+  };
+
+  for (const line of lines) {
+    const sectionMatch = line.match(/^\s*\[([^\]]+)\]\s*$/);
+    if (sectionMatch) {
+      flushPostmanHeaderIfNeeded();
+      const sectionName = sectionMatch[1].trim();
+      inPostmanSection = sectionName === "mcp_servers.postman";
+      if (inPostmanSection) {
+        postmanSectionFound = true;
+        insertedHeaders = false;
+      }
+      nextLines.push(line);
+      continue;
+    }
+
+    if (inPostmanSection) {
+      if (
+        /^\s*(bearer_token_env_var|http_headers|env_http_headers)\s*=/.test(
+          line,
+        )
+      ) {
+        continue;
+      }
+    }
+    nextLines.push(line);
+  }
+
+  flushPostmanHeaderIfNeeded();
+
+  if (!postmanSectionFound) {
+    if (nextLines.length > 0 && nextLines[nextLines.length - 1].trim() !== "") {
+      nextLines.push("");
+    }
+    nextLines.push(serverHeader);
+    nextLines.push(`url = "${escapeTomlBasicString(mcpUrl || POSTMAN_MCP_URL)}"`);
+    nextLines.push(headerLine);
+  }
+
+  const next = `${nextLines.join("\n").replace(/\n+$/g, "")}\n`;
+  if (next === original) {
+    return { action: "unchanged", warnings };
+  }
+  if (!dryRun) {
+    await mkdir(path.dirname(configPath), { recursive: true });
+    await writeFile(configPath, next, "utf8");
+  }
+  return {
+    action: dryRun ? "would-patch" : "patched",
+    warnings,
+  };
+}
+
 function parsePubspecDependencyNames(content) {
   const packages = new Set();
   let currentSection = null;
@@ -4208,16 +4301,31 @@ function resolveStitchMcpDefinitionPath({ scope, cwd = process.cwd() }) {
   );
 }
 
-function buildPostmanAuthHeader({ apiKeyEnvVar = POSTMAN_API_KEY_ENV_VAR }) {
+function buildPostmanAuthHeader({
+  apiKeyEnvVar = POSTMAN_API_KEY_ENV_VAR,
+  apiKey = null,
+}) {
+  const normalizedApiKey = normalizePostmanApiKey(apiKey);
+  if (normalizedApiKey) {
+    return `Bearer ${normalizedApiKey}`;
+  }
   return `Bearer \${${apiKeyEnvVar}}`;
 }
 
-function buildStitchApiHeader({ apiKeyEnvVar = STITCH_API_KEY_ENV_VAR }) {
+function buildStitchApiHeader({
+  apiKeyEnvVar = STITCH_API_KEY_ENV_VAR,
+  apiKey = null,
+}) {
+  const normalizedApiKey = normalizePostmanApiKey(apiKey);
+  if (normalizedApiKey) {
+    return `X-Goog-Api-Key: ${normalizedApiKey}`;
+  }
   return `X-Goog-Api-Key: \${${apiKeyEnvVar}}`;
 }
 
 function buildPostmanMcpDefinition({
   apiKeyEnvVar = POSTMAN_API_KEY_ENV_VAR,
+  apiKey = null,
   mcpUrl = POSTMAN_MCP_URL,
 }) {
   return {
@@ -4226,13 +4334,14 @@ function buildPostmanMcpDefinition({
     transport: "http",
     url: mcpUrl,
     headers: {
-      Authorization: buildPostmanAuthHeader({ apiKeyEnvVar }),
+      Authorization: buildPostmanAuthHeader({ apiKeyEnvVar, apiKey }),
     },
   };
 }
 
 function buildStitchMcpDefinition({
   apiKeyEnvVar = STITCH_API_KEY_ENV_VAR,
+  apiKey = null,
   mcpUrl = STITCH_MCP_URL,
 }) {
   return {
@@ -4245,7 +4354,7 @@ function buildStitchMcpDefinition({
       "mcp-remote",
       mcpUrl,
       "--header",
-      buildStitchApiHeader({ apiKeyEnvVar }),
+      buildStitchApiHeader({ apiKeyEnvVar, apiKey }),
     ],
     env: {},
   };
@@ -4253,13 +4362,14 @@ function buildStitchMcpDefinition({
 
 function buildVsCodePostmanServer({
   apiKeyEnvVar = POSTMAN_API_KEY_ENV_VAR,
+  apiKey = null,
   mcpUrl = POSTMAN_MCP_URL,
 }) {
   return {
     type: "sse",
     url: mcpUrl,
     headers: {
-      Authorization: buildPostmanAuthHeader({ apiKeyEnvVar }),
+      Authorization: buildPostmanAuthHeader({ apiKeyEnvVar, apiKey }),
     },
   };
 }
@@ -4283,13 +4393,14 @@ function buildVsCodeFoundryServer({ scope = "auto" } = {}) {
 
 function buildCopilotCliPostmanServer({
   apiKeyEnvVar = POSTMAN_API_KEY_ENV_VAR,
+  apiKey = null,
   mcpUrl = POSTMAN_MCP_URL,
 }) {
   return {
     type: "http",
     url: mcpUrl,
     headers: {
-      Authorization: buildPostmanAuthHeader({ apiKeyEnvVar }),
+      Authorization: buildPostmanAuthHeader({ apiKeyEnvVar, apiKey }),
     },
     tools: ["*"],
   };
@@ -4307,12 +4418,13 @@ function buildCopilotCliFoundryServer({ scope = "auto" } = {}) {
 
 function buildGeminiPostmanServer({
   apiKeyEnvVar = POSTMAN_API_KEY_ENV_VAR,
+  apiKey = null,
   mcpUrl = POSTMAN_MCP_URL,
 }) {
   return {
     httpUrl: mcpUrl,
     headers: {
-      Authorization: buildPostmanAuthHeader({ apiKeyEnvVar }),
+      Authorization: buildPostmanAuthHeader({ apiKeyEnvVar, apiKey }),
     },
   };
 }
@@ -4327,6 +4439,7 @@ function buildGeminiFoundryServer({ scope = "auto" } = {}) {
 
 function buildGeminiStitchServer({
   apiKeyEnvVar = STITCH_API_KEY_ENV_VAR,
+  apiKey = null,
   mcpUrl = STITCH_MCP_URL,
 }) {
   return {
@@ -4336,7 +4449,7 @@ function buildGeminiStitchServer({
       "mcp-remote",
       mcpUrl,
       "--header",
-      buildStitchApiHeader({ apiKeyEnvVar }),
+      buildStitchApiHeader({ apiKeyEnvVar, apiKey }),
     ],
     env: {},
   };
@@ -4840,6 +4953,12 @@ async function applyPostmanMcpForPlatform({
   const workspaceRoot = findWorkspaceRoot(cwd);
   const warnings = [];
   const foundryScope = mcpScope === "global" ? "global" : "project";
+  const resolvedPostmanApiKey = normalizePostmanApiKey(
+    process.env[apiKeyEnvVar || POSTMAN_API_KEY_ENV_VAR],
+  );
+  const resolvedStitchApiKey = normalizePostmanApiKey(
+    process.env[stitchApiKeyEnvVar || STITCH_API_KEY_ENV_VAR],
+  );
 
   if (platform === "antigravity") {
     const settingsPath =
@@ -4859,6 +4978,7 @@ async function applyPostmanMcpForPlatform({
         if (includePostmanMcp) {
           mcpServers[POSTMAN_SKILL_ID] = buildGeminiPostmanServer({
             apiKeyEnvVar,
+            apiKey: resolvedPostmanApiKey,
             mcpUrl,
           });
         }
@@ -4872,6 +4992,7 @@ async function applyPostmanMcpForPlatform({
         if (includeStitchMcp) {
           mcpServers[STITCH_MCP_SERVER_ID] = buildGeminiStitchServer({
             apiKeyEnvVar: stitchApiKeyEnvVar,
+            apiKey: resolvedStitchApiKey,
             mcpUrl: stitchMcpUrl,
           });
         }
@@ -4908,6 +5029,7 @@ async function applyPostmanMcpForPlatform({
           if (includePostmanMcp) {
             mcpServers[POSTMAN_SKILL_ID] = buildCopilotCliPostmanServer({
               apiKeyEnvVar,
+              apiKey: resolvedPostmanApiKey,
               mcpUrl,
             });
           }
@@ -4931,6 +5053,7 @@ async function applyPostmanMcpForPlatform({
         if (includePostmanMcp) {
           servers[POSTMAN_SKILL_ID] = buildVsCodePostmanServer({
             apiKeyEnvVar,
+            apiKey: resolvedPostmanApiKey,
             mcpUrl,
           });
         }
@@ -4971,6 +5094,7 @@ async function applyPostmanMcpForPlatform({
           if (includePostmanMcp) {
             servers[POSTMAN_SKILL_ID] = buildVsCodePostmanServer({
               apiKeyEnvVar,
+              apiKey: resolvedPostmanApiKey,
               mcpUrl,
             });
           }
@@ -5034,6 +5158,23 @@ async function applyPostmanMcpForPlatform({
           ],
           { cwd },
         );
+        const postmanToken = normalizePostmanApiKey(
+          process.env[apiKeyEnvVar || POSTMAN_API_KEY_ENV_VAR],
+        );
+        const postmanPatch = await patchCodexPostmanHttpHeaders({
+          configPath: codexConfigPath,
+          mcpUrl,
+          bearerToken: postmanToken,
+          dryRun: false,
+        });
+        if (postmanPatch.action === "patched") {
+          warnings.push(
+            "Codex Postman MCP config patched to static Authorization header for startup reliability.",
+          );
+        }
+        if (postmanPatch.warnings?.length) {
+          warnings.push(...postmanPatch.warnings);
+        }
       } catch (error) {
         warnings.push(
           `Failed to register Postman MCP via Codex CLI. Ensure 'codex' is installed and rerun. (${error.message})`,
@@ -5562,6 +5703,7 @@ async function configurePostmanInstallArtifacts({
     const mcpDefinitionContent = `${JSON.stringify(
       buildPostmanMcpDefinition({
         apiKeyEnvVar: effectiveApiKeyEnvVar,
+        apiKey: envApiKey,
         mcpUrl: effectiveMcpUrl,
       }),
       null,
@@ -5583,6 +5725,7 @@ async function configurePostmanInstallArtifacts({
     const stitchMcpDefinitionContent = `${JSON.stringify(
       buildStitchMcpDefinition({
         apiKeyEnvVar: effectiveStitchApiKeyEnvVar,
+        apiKey: envStitchApiKey,
         mcpUrl: effectiveStitchMcpUrl,
       }),
       null,
@@ -5721,6 +5864,12 @@ async function applyPostmanConfigArtifacts({
   const stitchApiKeyEnvVar =
     normalizePostmanApiKey(stitchState?.apiKeyEnvVar) || STITCH_API_KEY_ENV_VAR;
   const stitchMcpUrl = stitchState?.mcpUrl || STITCH_MCP_URL;
+  const resolvedPostmanApiKey = normalizePostmanApiKey(
+    process.env[postmanApiKeyEnvVar],
+  );
+  const resolvedStitchApiKey = normalizePostmanApiKey(
+    process.env[stitchApiKeyEnvVar],
+  );
 
   const mcpDefinitionPath = resolvePostmanMcpDefinitionPath({
     platform,
@@ -5730,6 +5879,7 @@ async function applyPostmanConfigArtifacts({
   const mcpDefinitionContent = `${JSON.stringify(
     buildPostmanMcpDefinition({
       apiKeyEnvVar: postmanApiKeyEnvVar,
+      apiKey: resolvedPostmanApiKey,
       mcpUrl: postmanMcpUrl,
     }),
     null,
@@ -5751,6 +5901,7 @@ async function applyPostmanConfigArtifacts({
     const stitchMcpDefinitionContent = `${JSON.stringify(
       buildStitchMcpDefinition({
         apiKeyEnvVar: stitchApiKeyEnvVar,
+        apiKey: resolvedStitchApiKey,
         mcpUrl: stitchMcpUrl,
       }),
       null,