@cyclonedx/cdxgen 12.3.2 → 12.3.3

package/lib/cli/index.poku.js

@@ -1,3 +1,4 @@
+import { execFileSync } from "node:child_process";
 import {
   mkdirSync,
   mkdtempSync,
@@ -6,7 +7,7 @@ import {
   writeFileSync,
 } from "node:fs";
 import { tmpdir } from "node:os";
-import { dirname, join } from "node:path";
+import { dirname, join, normalize, sep } from "node:path";
 import process from "node:process";
 import { fileURLToPath } from "node:url";
 
@@ -20,6 +21,7 @@ import {
   createBom,
   createChromeExtensionBom,
   createNodejsBom,
+  createPHPBom,
   createRustBom,
 } from "./index.js";
 
@@ -58,12 +60,115 @@ const mcpFixtureDir = join(
   "data",
   "mcp-repotest",
 );
+const cacheDisableFixtureDir = join(
+  dirname(fileURLToPath(import.meta.url)),
+  "..",
+  "..",
+  "test",
+  "data",
+  "cache-disable-repotest",
+);
+const composerFixtureDir = join(
+  dirname(fileURLToPath(import.meta.url)),
+  "..",
+  "..",
+  "test",
+  "data",
+);
+const repoDir = join(dirname(fileURLToPath(import.meta.url)), "..", "..");
 
 function getProp(obj, name) {
   return obj?.properties?.find((property) => property.name === name)?.value;
 }
 
+function createComposerNodeModulesFixture() {
+  const tmpDir = mkdtempSync(join(tmpdir(), "cdxgen-composer-node-modules-"));
+  const packageDir = join(tmpDir, "node_modules", "moment-timezone");
+  mkdirSync(packageDir, { recursive: true });
+  writeFileSync(
+    join(packageDir, "composer.json"),
+    readFileSync(join(composerFixtureDir, "composer.json"), "utf-8"),
+  );
+  writeFileSync(
+    join(packageDir, "composer.lock"),
+    readFileSync(join(composerFixtureDir, "composer.lock"), "utf-8"),
+  );
+  return tmpDir;
+}
+
+function createJarNodeModulesFixture() {
+  const tmpDir = mkdtempSync(join(tmpdir(), "cdxgen-jar-node-modules-"));
+  const packageDir = join(tmpDir, "node_modules", "font-mfizz");
+  mkdirSync(packageDir, { recursive: true });
+  writeFileSync(join(packageDir, "blaze.jar"), "fake jar content");
+  return tmpDir;
+}
+
+const stubbedJarPackage = {
+  group: "org.slf4j",
+  name: "slf4j-simple",
+  version: "2.0.17",
+  purl: "pkg:maven/org.slf4j/slf4j-simple@2.0.17?type=jar",
+  "bom-ref": "pkg:maven/org.slf4j/slf4j-simple@2.0.17?type=jar",
+};
+
+async function loadStubbedCreateJarBom() {
+  const actualUtils = await import("../helpers/utils.js");
+  const extractJarArchive = sinon.stub().resolves([stubbedJarPackage]);
+  const getMvnMetadata = sinon.stub().callsFake(async (pkgList) => pkgList);
+  const mockedIndex = await esmock("./index.js", {
+    "../helpers/utils.js": {
+      ...actualUtils,
+      extractJarArchive,
+      getMvnMetadata,
+    },
+  });
+  return mockedIndex.createJarBom;
+}
+
+function toPortablePath(filePath) {
+  return normalize(filePath).split(sep).join("/");
+}
+
+function getNpmPackFilePaths() {
+  const command =
+    process.platform === "win32"
+      ? {
+          args: ["/c", "npm", "pack", "--dry-run", "--json"],
+          file: process.env.ComSpec || "cmd.exe",
+        }
+      : {
+          args: ["pack", "--dry-run", "--json"],
+          file: "npm",
+        };
+  const packOutput = execFileSync(command.file, command.args, {
+    cwd: repoDir,
+    encoding: "utf8",
+  });
+  const [packSummary] = JSON.parse(packOutput);
+  return packSummary.files.map((file) => toPortablePath(file.path));
+}
+
 describe("CLI tests", () => {
+  describe("distribution filters", () => {
+    it("keeps npm types while excluding poku tests from npm pack output", () => {
+      const packedPaths = getNpmPackFilePaths();
+
+      assert.ok(
+        packedPaths.some((path) => path.startsWith("types/")),
+        "expected npm pack output to keep generated type definitions",
+      );
+      assert.ok(
+        packedPaths.every((path) => !path.endsWith(".poku.js")),
+        "expected npm pack output to exclude co-located poku tests",
+      );
+      assert.ok(
+        packedPaths.every((path) => !path.startsWith("test/")),
+        "expected npm pack output to exclude test fixtures",
+      );
+    });
+  });
+
   describe("submitBom()", () => {
     it("should report blocked Dependency-Track submission during dry-run", async () => {
       const recordActivity = sinon.stub();
@@ -146,6 +251,7 @@ describe("CLI tests", () => {
 
       assert.equal(calledUrl, `${serverUrl}/api/v1/bom`);
       assert.equal(options.method, "PUT");
+      assert.equal(options.followRedirect, false);
       assert.equal(options.https.rejectUnauthorized, !skipDtTlsCheck);
       assert.equal(options.headers["X-Api-Key"], apiKey);
       assert.match(options.headers["user-agent"], /@CycloneDX\/cdxgen/);
@@ -206,6 +312,7 @@ describe("CLI tests", () => {
       // Assert call arguments against expectations
       assert.equal(calledUrl, `${serverUrl}/api/v1/bom`);
       assert.equal(options.method, "PUT");
+      assert.equal(options.followRedirect, false);
       assert.equal(options.https.rejectUnauthorized, !skipDtTlsCheck);
       assert.equal(options.headers["X-Api-Key"], apiKey);
       assert.match(options.headers["user-agent"], /@CycloneDX\/cdxgen/);
@@ -262,6 +369,7 @@ describe("CLI tests", () => {
 
       assert.equal(calledUrl, `${serverUrl}/api/v1/bom`);
       assert.equal(options.method, "PUT");
+      assert.equal(options.followRedirect, false);
       assert.equal(options.https.rejectUnauthorized, !skipDtTlsCheck);
       assert.equal(options.headers["X-Api-Key"], apiKey);
       assert.match(options.headers["user-agent"], /@CycloneDX\/cdxgen/);
@@ -328,6 +436,41 @@ describe("CLI tests", () => {
       assert.equal(response, undefined);
       sinon.assert.notCalled(gotStub);
     });
+
+    it("disables redirects for the POST fallback request too", async () => {
+      const putError = new Error("Method not allowed");
+      putError.response = { statusCode: 405 };
+      const gotStub = sinon.stub();
+      gotStub
+        .onFirstCall()
+        .returns({
+          json: sinon.stub().rejects(putError),
+        })
+        .onSecondCall()
+        .returns({
+          json: sinon.stub().resolves({ success: true }),
+        });
+      gotStub.extend = sinon.stub().returns(gotStub);
+
+      const { submitBom } = await esmock("./index.js", {
+        got: { default: gotStub },
+      });
+
+      await submitBom(
+        {
+          serverUrl: "https://dtrack.example.com",
+          projectName: "cdxgen-test-project",
+          apiKey: "TEST_API_KEY\r\n",
+        },
+        { bom: "test6" },
+      );
+
+      assert.equal(gotStub.callCount, 2);
+      const [, postOptions] = gotStub.secondCall.args;
+      assert.equal(postOptions.method, "POST");
+      assert.equal(postOptions.followRedirect, false);
+      assert.equal(postOptions.headers["X-Api-Key"], "TEST_API_KEY");
+    });
   });
 
   describe("createCocoaBom()", () => {
@@ -654,6 +797,103 @@ describe("CLI tests", () => {
         rmSync(tempDir, { recursive: true, force: true });
       }
     });
+
+    it("treats an existing local directory as a staged rootfs for docker scans", async () => {
+      const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-rootfs-"));
+      const exportImage = sinon.stub().resolves(undefined);
+      const getPkgPathList = sinon.stub().returns([]);
+      try {
+        const { createBom: createBomMocked } = await esmock("./index.js", {
+          "../managers/binary.js": {
+            executeOsQuery: sinon.stub(),
+            getBinaryBom: sinon.stub(),
+            getDotnetSlices: sinon.stub(),
+            getOSPackages: sinon.stub().resolves({
+              allTypes: [],
+              binPaths: [],
+              bundledRuntimes: [],
+              bundledSdks: [],
+              dependenciesList: [],
+              executables: [],
+              osPackages: [],
+              sharedLibs: [],
+            }),
+          },
+          "../managers/docker.js": {
+            addSkippedSrcFiles: sinon.stub(),
+            exportArchive: sinon.stub(),
+            exportImage,
+            getPkgPathList,
+            parseImageName: sinon.stub(),
+          },
+        });
+        const bomNSData = await createBomMocked(tempDir, {
+          failOnError: true,
+          installDeps: false,
+          multiProject: false,
+          projectType: ["docker"],
+          specVersion: 1.6,
+        });
+        sinon.assert.notCalled(exportImage);
+        sinon.assert.calledOnce(getPkgPathList);
+        assert.ok(bomNSData?.bomJson);
+        assert.strictEqual(bomNSData?.parentComponent?.type, "container");
+      } finally {
+        rmSync(tempDir, { recursive: true, force: true });
+      }
+    });
+
+    it("prefers an all-layers subdirectory when scanning staged rootfs inputs", async () => {
+      const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-rootfs-"));
+      const allLayersDir = join(tempDir, "all-layers");
+      const exportImage = sinon.stub().resolves(undefined);
+      const getPkgPathList = sinon.stub().returns([]);
+      mkdirSync(allLayersDir);
+      try {
+        const { createBom: createBomMocked } = await esmock("./index.js", {
+          "../managers/binary.js": {
+            executeOsQuery: sinon.stub(),
+            getBinaryBom: sinon.stub(),
+            getDotnetSlices: sinon.stub(),
+            getOSPackages: sinon.stub().resolves({
+              allTypes: [],
+              binPaths: [],
+              bundledRuntimes: [],
+              bundledSdks: [],
+              dependenciesList: [],
+              executables: [],
+              osPackages: [],
+              sharedLibs: [],
+            }),
+          },
+          "../managers/docker.js": {
+            addSkippedSrcFiles: sinon.stub(),
+            exportArchive: sinon.stub(),
+            exportImage,
+            getPkgPathList,
+            parseImageName: sinon.stub(),
+          },
+        });
+        await createBomMocked(tempDir, {
+          failOnError: true,
+          installDeps: false,
+          multiProject: false,
+          projectType: ["docker"],
+          specVersion: 1.6,
+        });
+        sinon.assert.calledOnce(getPkgPathList);
+        assert.strictEqual(
+          getPkgPathList.firstCall.args[0].allLayersDir,
+          tempDir,
+        );
+        assert.strictEqual(
+          getPkgPathList.firstCall.args[0].allLayersExplodedDir,
+          allLayersDir,
+        );
+      } finally {
+        rmSync(tempDir, { recursive: true, force: true });
+      }
+    });
   });
 
   describe("createBom() cargo cache support", () => {
@@ -848,6 +1088,102 @@ checksum = "${"a".repeat(64)}"
     });
   });
 
+  describe("createBom() Collider lock support", () => {
+    it("preserves Collider integrity metadata and dependency nodes in the BOM", async () => {
+      const tmpDir = mkdtempSync(join(tmpdir(), "cdxgen-collider-"));
+      writeFileSync(
+        join(tmpDir, "collider.lock"),
+        JSON.stringify(
+          {
+            version: 1,
+            dependencies: {
+              fmt: {
+                version: "11.0.2",
+                wrap_hash: `sha256:${"a".repeat(64)}`,
+                origin: "https://packages.example.com/collider/v2/",
+              },
+            },
+            packages: {
+              fast_float: {
+                version: "8.0.2",
+                wrap_hash: `sha256:${"b".repeat(64)}`,
+                origin: "https://wrapdb.mesonbuild.com/v2/",
+              },
+            },
+          },
+          null,
+          2,
+        ),
+      );
+      try {
+        const bomNSData = await createBom(tmpDir, {
+          failOnError: true,
+          installDeps: false,
+          multiProject: false,
+          projectType: ["collider"],
+          specVersion: 1.7,
+        });
+        const bomJson = bomNSData?.bomJson || {};
+        const fmtComponent = (bomJson.components || []).find(
+          (component) => component.name === "fmt",
+        );
+        const transitiveComponent = (bomJson.components || []).find(
+          (component) => component.name === "fast_float",
+        );
+        assert.ok(fmtComponent);
+        assert.ok(transitiveComponent);
+        assert.deepStrictEqual(
+          getProp(fmtComponent, "cdx:collider:origin"),
+          "https://packages.example.com/collider/v2/",
+        );
+        assert.deepStrictEqual(
+          getProp(fmtComponent, "cdx:collider:hasWrapHash"),
+          "true",
+        );
+        assert.deepStrictEqual(
+          getProp(transitiveComponent, "cdx:collider:dependencyKind"),
+          "transitive",
+        );
+        assert.deepStrictEqual(fmtComponent.hashes, [
+          {
+            alg: "SHA-256",
+            content: "a".repeat(64),
+          },
+        ]);
+        assert.deepStrictEqual(fmtComponent.externalReferences, [
+          {
+            type: "distribution",
+            url: "https://packages.example.com/collider/v2/",
+          },
+        ]);
+        const parentDependency = (bomJson.dependencies || []).find(
+          (dependency) =>
+            dependency.ref === bomJson.metadata.component["bom-ref"],
+        );
+        assert.ok(parentDependency);
+        assert.deepStrictEqual(parentDependency.dependsOn, [
+          "pkg:generic/fmt@11.0.2",
+        ]);
+        assert.ok(
+          (bomJson.dependencies || []).some(
+            (dependency) =>
+              dependency.ref === "pkg:generic/fmt@11.0.2" &&
+              dependency.dependsOn.length === 0,
+          ),
+        );
+        assert.ok(
+          (bomJson.dependencies || []).some(
+            (dependency) =>
+              dependency.ref === "pkg:generic/fast_float@8.0.2" &&
+              dependency.dependsOn.length === 0,
+          ),
+        );
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+  });
+
   describe("createBom() MCP inventory support", () => {
     it("catalogs MCP services, primitives, and audit findings for JavaScript projects", async () => {
       const options = {
@@ -963,6 +1299,128 @@ checksum = "${"a".repeat(64)}"
       );
     });
 
+    it("flags disabled setup caches for npm, Python, and Cargo fixtures", async () => {
+      const options = {
+        bomAudit: true,
+        bomAuditCategories: "ci-permission",
+        bomAuditMinSeverity: "low",
+        failOnError: true,
+        includeFormulation: true,
+        installDeps: false,
+        multiProject: true,
+        projectType: ["js", "python", "cargo", "github"],
+        specVersion: 1.7,
+      };
+      const bomNSData = await createBom(cacheDisableFixtureDir, options);
+      const processedBomNSData = postProcess(
+        bomNSData,
+        options,
+        cacheDisableFixtureDir,
+      );
+      const bomJson = processedBomNSData?.bomJson || {};
+      const setupNodeComponent = (bomJson.components || []).find(
+        (component) =>
+          getProp(component, "cdx:github:action:uses") ===
+          "actions/setup-node@v4",
+      );
+      const setupPythonComponent = (bomJson.components || []).find(
+        (component) =>
+          getProp(component, "cdx:github:action:uses") ===
+          "actions/setup-python@v5",
+      );
+      const setupRustComponent = (bomJson.components || []).find(
+        (component) =>
+          getProp(component, "cdx:github:action:uses") ===
+          "moonrepo/setup-rust@v1",
+      );
+      const npmComponent = (bomJson.components || []).find((component) =>
+        component.purl?.startsWith("pkg:npm/left-pad@1.3.0"),
+      );
+      const pythonComponent = (bomJson.components || []).find((component) =>
+        component.purl?.startsWith("pkg:pypi/anyio@4.6.0"),
+      );
+      const cargoComponent = (bomJson.components || []).find(
+        (component) =>
+          component.name === "git-crate" &&
+          getProp(component, "cdx:cargo:git") ===
+            "https://github.com/acme/git-crate.git",
+      );
+      const cargoRunComponent = (bomJson.components || []).find((component) =>
+        component.properties?.some(
+          (property) =>
+            property.name === "cdx:github:step:cargoSubcommands" &&
+            property.value === "build",
+        ),
+      );
+      assert.ok(setupNodeComponent, "expected setup-node workflow component");
+      assert.ok(
+        setupPythonComponent,
+        "expected setup-python workflow component",
+      );
+      assert.ok(setupRustComponent, "expected setup-rust workflow component");
+      assert.strictEqual(
+        getProp(setupNodeComponent, "cdx:github:action:disablesBuildCache"),
+        "true",
+      );
+      assert.strictEqual(
+        getProp(setupPythonComponent, "cdx:github:action:disablesBuildCache"),
+        "true",
+      );
+      assert.strictEqual(
+        getProp(setupRustComponent, "cdx:github:action:disablesBuildCache"),
+        "true",
+      );
+      assert.strictEqual(
+        getProp(setupRustComponent, "cdx:github:action:buildCacheEcosystem"),
+        "cargo",
+      );
+      assert.strictEqual(
+        getProp(setupRustComponent, "cdx:github:action:buildCacheDisableInput"),
+        "cache",
+      );
+      assert.ok(npmComponent, "expected npm dependency from package-lock");
+      assert.ok(pythonComponent, "expected PyPI dependency from uv.lock");
+      assert.ok(cargoComponent, "expected Cargo dependency from Cargo.toml");
+      assert.ok(cargoRunComponent, "expected Cargo run step component");
+      assert.strictEqual(
+        getProp(npmComponent, "cdx:npm:manifestSourceType"),
+        "url",
+      );
+      assert.strictEqual(
+        getProp(pythonComponent, "cdx:pypi:manifestSourceType"),
+        "url",
+      );
+      assert.strictEqual(
+        getProp(cargoComponent, "cdx:cargo:git"),
+        "https://github.com/acme/git-crate.git",
+      );
+      assert.strictEqual(
+        getProp(cargoComponent, "cdx:cargo:gitBranch"),
+        "main",
+      );
+      assert.strictEqual(
+        getProp(cargoRunComponent, "cdx:github:step:usesCargo"),
+        "true",
+      );
+
+      const findings = await auditBom(bomJson, {
+        bomAuditCategories: "ci-permission",
+        bomAuditMinSeverity: "low",
+      });
+      assert.ok(
+        findings.some((finding) => finding.ruleId === "CI-022"),
+        "expected npm disabled cache finding",
+      );
+      assert.ok(
+        findings.some((finding) => finding.ruleId === "CI-023"),
+        "expected Python disabled cache finding",
+      );
+      assert.ok(
+        findings.some((finding) => finding.ruleId === "CI-024"),
+        "expected Cargo disabled cache finding",
+      );
+    });
+
     it("supports exact AI skill scans and js exclude-type filtering for AI inventory", async () => {
       const tmpDir = mkdtempSync(join(tmpdir(), "cdxgen-ai-inventory-"));
       mkdirSync(join(tmpDir, ".claude", "skills", "release"), {
@@ -1223,4 +1681,124 @@ checksum = "${"a".repeat(64)}"
       }
     });
   });
+
+  describe("node_modules multi-ecosystem filtering", () => {
+    it("ignores composer manifests in node_modules during mixed npm/php scans", () => {
+      const tmpDir = createComposerNodeModulesFixture();
+      try {
+        const bomData = createPHPBom(tmpDir, {
+          installDeps: false,
+          multiProject: true,
+          projectType: ["js", "php"],
+          specVersion: 1.7,
+        });
+        assert.deepStrictEqual(bomData, {});
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("still allows explicit php scans to inspect composer manifests in node_modules", () => {
+      const tmpDir = createComposerNodeModulesFixture();
+      try {
+        const bomData = createPHPBom(tmpDir, {
+          installDeps: false,
+          multiProject: true,
+          projectType: ["php"],
+          specVersion: 1.7,
+        });
+        assert.ok(bomData?.bomJson?.components?.length);
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("still allows direct php scans without projectType to inspect composer manifests in node_modules", () => {
+      const tmpDir = createComposerNodeModulesFixture();
+      try {
+        const bomData = createPHPBom(tmpDir, {
+          installDeps: false,
+          multiProject: true,
+          specVersion: 1.7,
+        });
+        assert.ok(bomData?.bomJson?.components?.length);
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("still allows explicit php alias combinations to inspect composer manifests in node_modules", () => {
+      const tmpDir = createComposerNodeModulesFixture();
+      try {
+        const bomData = createPHPBom(tmpDir, {
+          installDeps: false,
+          multiProject: true,
+          projectType: ["php", "composer"],
+          specVersion: 1.7,
+        });
+        assert.ok(bomData?.bomJson?.components?.length);
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("ignores jar artifacts in node_modules during mixed npm/jar scans", async () => {
+      const tmpDir = createJarNodeModulesFixture();
+      try {
+        const createJarBom = await loadStubbedCreateJarBom();
+        const bomData = await createJarBom(tmpDir, {
+          multiProject: true,
+          projectType: ["js", "jar"],
+          specVersion: 1.7,
+        });
+        assert.strictEqual(bomData?.bomJson?.components?.length || 0, 0);
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("still allows explicit jar scans to inspect node_modules artifacts", async () => {
+      const tmpDir = createJarNodeModulesFixture();
+      try {
+        const createJarBom = await loadStubbedCreateJarBom();
+        const bomData = await createJarBom(tmpDir, {
+          multiProject: true,
+          projectType: ["jar"],
+          specVersion: 1.7,
+        });
+        assert.ok(bomData?.bomJson?.components?.length);
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("still allows direct jar scans without projectType to inspect node_modules artifacts", async () => {
+      const tmpDir = createJarNodeModulesFixture();
+      try {
+        const createJarBom = await loadStubbedCreateJarBom();
+        const bomData = await createJarBom(tmpDir, {
+          multiProject: true,
+          specVersion: 1.7,
+        });
+        assert.ok(bomData?.bomJson?.components?.length);
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("still allows explicit jar alias combinations to inspect node_modules artifacts", async () => {
+      const tmpDir = createJarNodeModulesFixture();
+      try {
+        const createJarBom = await loadStubbedCreateJarBom();
+        const bomData = await createJarBom(tmpDir, {
+          multiProject: true,
+          projectType: ["jar", "war"],
+          specVersion: 1.7,
+        });
+        assert.ok(bomData?.bomJson?.components?.length);
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+  });
 });

package/lib/helpers/agentFormulationParser.js

@@ -7,6 +7,7 @@ import {
   providerNamesForText,
   sanitizeMcpRefToken,
 } from "./mcpDiscovery.js";
+import { sanitizeBomUrl } from "./propertySanitizer.js";
 import { scanTextForHiddenUnicode } from "./unicodeScan.js";
 
 const AGENT_FILE_PATTERNS = [
@@ -125,7 +126,7 @@ function buildInferredMcpServices(filePath, mcpUrls, authHints, providerNames) {
       "bom-ref": `urn:service:agent-mcp:${sanitizeMcpRefToken(hostname || basename(filePath))}:${index + 1}`,
       group: "mcp",
       name: hostname || `${basename(filePath)}-mcp-endpoint`,
-      endpoints: [urlValue],
+      endpoints: [sanitizeBomUrl(urlValue)],
       properties,
       version: "inferred",
     };
@@ -233,10 +234,13 @@ export const agentFormulationParser = {
         }
       }
       if (mcpUrls.length) {
+        const sanitizedMcpUrls = mcpUrls.map((urlValue) =>
+          sanitizeBomUrl(urlValue),
+        );
         properties.push(
           {
             name: "cdx:agent:hiddenMcpUrls",
-            value: mcpUrls.join(","),
+            value: sanitizedMcpUrls.join(","),
           },
           {
             name: "cdx:agent:hiddenMcpHosts",