@f5xc-salesdemos/xcsh 18.36.2 → 18.37.1

package/package.json

@@ -1,7 +1,7 @@
 {
 	"type": "module",
 	"name": "@f5xc-salesdemos/xcsh",
-	"version": "18.36.2",
+	"version": "18.37.1",
 	"description": "Coding agent CLI with read, bash, edit, write tools and session management",
 	"homepage": "https://github.com/f5xc-salesdemos/xcsh",
 	"author": "Can Boluk",
@@ -48,12 +48,12 @@
 	"dependencies": {
 		"@agentclientprotocol/sdk": "0.16.1",
 		"@mozilla/readability": "^0.6",
-		"@f5xc-salesdemos/xcsh-stats": "18.36.2",
-		"@f5xc-salesdemos/pi-agent-core": "18.36.2",
-		"@f5xc-salesdemos/pi-ai": "18.36.2",
-		"@f5xc-salesdemos/pi-natives": "18.36.2",
-		"@f5xc-salesdemos/pi-tui": "18.36.2",
-		"@f5xc-salesdemos/pi-utils": "18.36.2",
+		"@f5xc-salesdemos/xcsh-stats": "18.37.1",
+		"@f5xc-salesdemos/pi-agent-core": "18.37.1",
+		"@f5xc-salesdemos/pi-ai": "18.37.1",
+		"@f5xc-salesdemos/pi-natives": "18.37.1",
+		"@f5xc-salesdemos/pi-tui": "18.37.1",
+		"@f5xc-salesdemos/pi-utils": "18.37.1",
 		"@sinclair/typebox": "^0.34",
 		"@xterm/headless": "^6.0",
 		"ajv": "^8.18",

package/src/config/settings-schema.ts

@@ -1788,6 +1788,9 @@ export const SETTINGS_SCHEMA = {
 	/** Per-session environment variables injected into bash (used by f5xc context system) */
 	"bash.environment": { type: "record", default: {} as Record<string, string> },
 
+	/** Sensitive env var key names from the active f5xc context (populated by ContextService) */
+	"f5xc.sensitiveKeys": { type: "array", default: [] as string[] },
+
 	/** Clear terminal on startup */
 	"startup.clearScreen": { type: "boolean", default: false },
 

package/src/internal-urls/build-info.generated.ts

@@ -17,17 +17,17 @@ export interface BuildInfo {
 }
 
 export const BUILD_INFO: BuildInfo = {
-	"version": "18.36.2",
-	"commit": "bb67816d2bcb454ea8926788b836edae474dcec2",
-	"shortCommit": "bb67816",
+	"version": "18.37.1",
+	"commit": "f8fdc560fa88d310e9c7f39ed258471a9a01d892",
+	"shortCommit": "f8fdc56",
 	"branch": "main",
-	"tag": "v18.36.2",
-	"commitDate": "2026-05-04T05:42:12Z",
-	"buildDate": "2026-05-04T06:06:55.405Z",
+	"tag": "v18.37.1",
+	"commitDate": "2026-05-04T14:41:09Z",
+	"buildDate": "2026-05-04T15:10:02.388Z",
 	"dirty": false,
 	"prNumber": "",
 	"repoUrl": "https://github.com/f5xc-salesdemos/xcsh",
 	"repoSlug": "f5xc-salesdemos/xcsh",
-	"commitUrl": "https://github.com/f5xc-salesdemos/xcsh/commit/bb67816d2bcb454ea8926788b836edae474dcec2",
-	"releaseUrl": "https://github.com/f5xc-salesdemos/xcsh/releases/tag/v18.36.2"
+	"commitUrl": "https://github.com/f5xc-salesdemos/xcsh/commit/f8fdc560fa88d310e9c7f39ed258471a9a01d892",
+	"releaseUrl": "https://github.com/f5xc-salesdemos/xcsh/releases/tag/v18.37.1"
 };

package/src/modes/interactive-mode.ts

@@ -35,6 +35,7 @@ import { HistoryStorage } from "../session/history-storage";
 import type { SessionContext, SessionManager } from "../session/session-manager";
 import { STTController, type SttState } from "../stt";
 import type { ExitPlanModeDetails } from "../tools";
+import { glabStartupWarning } from "../tools/glab/config";
 import type { EventBus } from "../utils/event-bus";
 import { getEditorCommand, openInEditor } from "../utils/external-editor";
 import { popTerminalTitle, pushTerminalTitle, setSessionTerminalTitle } from "../utils/title-generator";
@@ -310,15 +311,20 @@ export class InteractiveMode implements InteractiveModeContext {
 			getProjectDir(),
 		);
 
-		// Run blocking welcome screen status checks (model + context)
-		const welcomeResult = await logger.time("InteractiveMode.init:welcomeChecks", () =>
-			runWelcomeChecks(this.session.model, this.session.modelRegistry.authStorage),
-		);
+		// Run blocking welcome screen status checks (model + context) and glab setup check in parallel
+		const [welcomeResult, glabWarning] = await Promise.all([
+			logger.time("InteractiveMode.init:welcomeChecks", () =>
+				runWelcomeChecks(this.session.model, this.session.modelRegistry.authStorage),
+			),
+			glabStartupWarning(getProjectDir()).catch(() => null),
+		]);
 
 		const startupQuiet = settings.get("startup.quiet");
 		this.#welcomeComponent = undefined;
 
-		for (const warning of this.session.configWarnings) {
+		const allWarnings = [...this.session.configWarnings];
+		if (glabWarning) allWarnings.push(glabWarning);
+		for (const warning of allWarnings) {
 			this.ui.addChild(new Text(theme.fg("warning", `Warning: ${warning}`), 1, 0));
 			this.ui.addChild(new Spacer(1));
 		}

package/src/prompts/system/system-prompt.md

@@ -141,6 +141,15 @@ You are currently connected to F5 XC tenant: {{context.tenant}}, namespace: {{co
 Credential source: {{context.credentialSource}}.
 Auth status: {{context.authStatus}}.
 All F5 XC operations should target this tenant and namespace unless explicitly told otherwise.
+{{#if context.envVars}}
+
+### Context Variables
+
+{{#each context.envVars}}- {{@key}}: {{this}}
+{{/each}}
+
+Use these values when constructing API payloads and resource names.
+{{/if}}
 {{#if knowledgeTopics}}
 Available F5 XC documentation topics: {{knowledgeTopics}}.
 {{/if}}

package/src/sdk.ts

@@ -92,6 +92,7 @@ import {
 	type SecretEntry,
 	SecretObfuscator,
 } from "./secrets";
+import { createContextEnv } from "./services/context-env";
 import { AgentSession } from "./session/agent-session";
 import { AuthStorage } from "./session/auth-storage";
 import { convertToLlm } from "./session/messages";
@@ -1361,7 +1362,13 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 			// rebuilds reflect the most recent /context activate. Mid-session context changes without a
 			// tool change are handled via custom_message injection in the onContextChange listener.
 			let contextForPrompt:
-				| { tenant: string; namespace: string; credentialSource: string; authStatus: string }
+				| {
+						tenant: string;
+						namespace: string;
+						credentialSource: string;
+						authStatus: string;
+						envVars?: Record<string, string>;
+				  }
 				| undefined;
 			try {
 				const status = contextServiceRef?.instance?.getStatus();
@@ -1377,6 +1384,12 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 						credentialSource: status.credentialSource,
 						authStatus: status.authStatus,
 					};
+					const sensitiveKeys = contextServiceRef?.instance?.getActiveSensitiveKeys();
+					const ctxEnv = createContextEnv(settings, sensitiveKeys?.size ? { sensitiveKeys } : undefined);
+					const envVars = ctxEnv.getNonSensitiveVars();
+					if (Object.keys(envVars).length > 0) {
+						contextForPrompt.envVars = envVars;
+					}
 				}
 			} catch {
 				// ContextService not available or not initialized — leave contextForPrompt undefined.

package/src/services/context-env.ts

@@ -0,0 +1,122 @@
+import { SECRET_ENV_PATTERNS } from "../secrets/index";
+import { F5XC_API_TOKEN, F5XC_API_URL, F5XC_NAMESPACE, F5XC_TENANT } from "./f5xc-env";
+
+/** Keys excluded from the system prompt context variables listing. */
+const PROMPT_HIDDEN: ReadonlySet<string> = new Set([F5XC_API_TOKEN, F5XC_API_URL, F5XC_TENANT, F5XC_NAMESPACE]);
+
+/** Keys never expanded in payloads — credentials that must not leak into request bodies. */
+const PAYLOAD_HIDDEN: ReadonlySet<string> = new Set([F5XC_API_TOKEN, F5XC_API_URL]);
+
+export interface ContextEnv {
+	/** Get a single env var value from bash.environment, or undefined. */
+	get(key: string): string | undefined;
+
+	/**
+	 * Resolve `{placeholder}` values in a URL path.
+	 * Explicit params are applied first. Remaining `{key}` placeholders are
+	 * resolved from bash.environment: `{namespace}` → F5XC_NAMESPACE,
+	 * `{key}` → F5XC_{KEY.toUpperCase()}.
+	 * Unresolvable placeholders are left intact.
+	 */
+	resolvePath(path: string, explicitParams?: Record<string, string>): string;
+
+	/**
+	 * Expand `$F5XC_*` variable references in a serialized JSON payload string.
+	 * Unresolvable references are left intact.
+	 */
+	resolvePayloadVars(payloadJson: string): string;
+
+	/**
+	 * Return non-sensitive F5XC_* env vars from bash.environment, suitable for
+	 * display in the LLM system prompt. Excludes ALWAYS_HIDDEN keys, keys
+	 * matching SECRET_ENV_PATTERNS, and explicitly provided sensitiveKeys.
+	 */
+	getNonSensitiveVars(): Record<string, string>;
+}
+
+export interface ContextEnvOptions {
+	/** Additional keys to treat as sensitive (e.g. from context.sensitiveKeys). */
+	sensitiveKeys?: ReadonlySet<string>;
+}
+
+/**
+ * Create a ContextEnv instance bound to the current bash.environment settings.
+ *
+ * @param settings - Any object with a `get(key)` method returning the value of
+ *   "bash.environment" as `Record<string, string>`. Pass `Settings.instance` or
+ *   `session.settings` in production; pass a stub in tests.
+ * @param options - Optional configuration (sensitiveKeys to exclude).
+ */
+export function createContextEnv(settings: { get(key: string): unknown }, options?: ContextEnvOptions): ContextEnv {
+	function bashEnv(): Record<string, string> {
+		return (settings.get("bash.environment") ?? {}) as Record<string, string>;
+	}
+
+	function allSensitiveKeys(): ReadonlySet<string> {
+		if (options?.sensitiveKeys) return options.sensitiveKeys;
+		const fromSettings = settings.get("f5xc.sensitiveKeys");
+		return new Set(Array.isArray(fromSettings) ? (fromSettings as string[]) : []);
+	}
+
+	return {
+		get(key: string): string | undefined {
+			return bashEnv()[key];
+		},
+
+		resolvePath(path: string, explicitParams?: Record<string, string>): string {
+			let resolved = path;
+
+			// Apply explicit params first
+			if (explicitParams) {
+				for (const [key, value] of Object.entries(explicitParams)) {
+					resolved = resolved.replaceAll(`{${key}}`, value);
+				}
+			}
+
+			// Auto-resolve remaining {placeholder} values from bash.environment
+			const env = bashEnv();
+			const sensitive = allSensitiveKeys();
+			resolved = resolved.replace(/\{(\w+)\}/g, (match, key) => {
+				// {namespace} maps directly to F5XC_NAMESPACE
+				const envKey = key === "namespace" ? F5XC_NAMESPACE : `F5XC_${key.toUpperCase()}`;
+				// Never auto-inject credential or sensitive values into URL paths
+				if (PAYLOAD_HIDDEN.has(envKey)) return match;
+				if (SECRET_ENV_PATTERNS.test(envKey)) return match;
+				if (sensitive.has(envKey)) return match;
+				return env[envKey] ?? match;
+			});
+
+			return resolved;
+		},
+
+		resolvePayloadVars(payloadJson: string): string {
+			const env = bashEnv();
+			const sensitive = allSensitiveKeys();
+			return payloadJson.replace(/\$F5XC_([A-Z0-9_]+)/g, (match, suffix) => {
+				const key = `F5XC_${suffix}`;
+				// Never expand credential keys into payloads
+				if (PAYLOAD_HIDDEN.has(key)) return match;
+				if (SECRET_ENV_PATTERNS.test(key)) return match;
+				if (sensitive.has(key)) return match;
+				const value = env[key];
+				if (value === undefined) return match;
+				// JSON-escape the substituted value to prevent injection
+				return JSON.stringify(value).slice(1, -1);
+			});
+		},
+
+		getNonSensitiveVars(): Record<string, string> {
+			const env = bashEnv();
+			const sensitive = allSensitiveKeys();
+			const result: Record<string, string> = {};
+			for (const [key, value] of Object.entries(env)) {
+				if (!key.startsWith("F5XC_")) continue;
+				if (PROMPT_HIDDEN.has(key)) continue;
+				if (SECRET_ENV_PATTERNS.test(key)) continue;
+				if (sensitive.has(key)) continue;
+				result[key] = value;
+			}
+			return result;
+		},
+	};
+}

package/src/services/f5xc-context.ts

@@ -1051,6 +1051,11 @@ export class ContextService {
 		return Object.keys(this.#activeContext?.env ?? {}).sort();
 	}
 
+	/** Sync set of sensitive env var keys on the active context. Empty set if none. */
+	getActiveSensitiveKeys(): ReadonlySet<string> {
+		return new Set(this.#activeContext?.sensitiveKeys ?? []);
+	}
+
 	/** Sync list of known context names, sorted. [] before the first listContexts()/loadActive(). */
 	listContextNamesCached(): string[] {
 		return this.#contextsCache.map(p => p.name);
@@ -1331,6 +1336,7 @@ export class ContextService {
 		}
 
 		Settings.instance.override("bash.environment", merged);
+		Settings.instance.override("f5xc.sensitiveKeys", context.sensitiveKeys ?? []);
 
 		// Notify listeners (e.g. obfuscator refresh) about the context change.
 		for (const cb of ContextService.#onContextChangeListeners) {

package/src/tools/bash.ts

@@ -761,51 +761,57 @@ export const bashToolRenderer = {
 				// REACTIVE: read mutable options at render time
 				const { renderContext } = options;
 				const expanded = renderContext?.expanded ?? options.expanded;
-				const previewLines = renderContext?.previewLines ?? BASH_DEFAULT_PREVIEW_LINES;
-
-				// Get output from context (preferred) or fall back to result content
-				const output = renderContext?.output ?? result.content?.find(c => c.type === "text")?.text ?? "";
-				const displayOutput = output.trimEnd();
-				const showingFullOutput = expanded && renderContext?.isFullOutput === true;
 
-				const rawOutputLines = displayOutput.split("\n");
-				const sixelLineMask =
-					TERMINAL.imageProtocol === ImageProtocol.Sixel ? getSixelLineMask(rawOutputLines) : undefined;
-				const hasSixelOutput = sixelLineMask?.some(Boolean) ?? false;
-
-				// Collapsed mode: single status line when bash.verbose=false
+				// Collapsed mode check first — before heavy computation.
+				// This ensures the collapsed line is always returned when bash.verbose=false,
+				// preventing any transient verbose output flash.
 				const verbose = getBashVerboseSetting();
-				const hasAsyncDetails = details?.async != null;
-				const forceExpand = isError || hasAsyncDetails || hasSixelOutput;
-				if (!verbose && !expanded && !forceExpand) {
-					const rawCmd = args?.command?.replace(/\s*\\\r?\n\s*/g, " ");
-					const summaryText = args?.description ?? rawCmd ?? undefined;
-
-					if (options.isPartial) {
-						const lineCount = rawOutputLines.filter(l => l.trim().length > 0).length;
+				if (!verbose && !expanded) {
+					const hasAsyncDetails = details?.async != null;
+					const outputText = renderContext?.output ?? result.content?.find(c => c.type === "text")?.text ?? "";
+					const hasSixel = TERMINAL.imageProtocol === ImageProtocol.Sixel && outputText.includes("\x1bP");
+					if (!isError && !hasAsyncDetails && !hasSixel) {
+						const rawCmd = args?.command?.replace(/\s*\\\r?\n\s*/g, " ");
+						const summaryText = args?.description ?? rawCmd ?? undefined;
+
+						if (options.isPartial) {
+							const lineCount = outputText.split("\n").filter(l => l.trim().length > 0).length;
+							const line = renderStatusLine(
+								{
+									icon: "running",
+									spinnerFrame: options.spinnerFrame,
+									title: "Bash",
+									description: summaryText,
+									meta: lineCount > 0 ? [`${lineCount} lines`] : undefined,
+								},
+								uiTheme,
+							);
+							return [truncateToWidth(line, width)];
+						}
+
 						const line = renderStatusLine(
 							{
-								icon: "running",
-								spinnerFrame: options.spinnerFrame,
 								title: "Bash",
 								description: summaryText,
-								meta: lineCount > 0 ? [`${lineCount} lines`] : undefined,
 							},
 							uiTheme,
 						);
 						return [truncateToWidth(line, width)];
 					}
-
-					const line = renderStatusLine(
-						{
-							title: "Bash",
-							description: summaryText,
-						},
-						uiTheme,
-					);
-					return [truncateToWidth(line, width)];
 				}
 
+				const previewLines = renderContext?.previewLines ?? BASH_DEFAULT_PREVIEW_LINES;
+
+				// Get output from context (preferred) or fall back to result content
+				const output = renderContext?.output ?? result.content?.find(c => c.type === "text")?.text ?? "";
+				const displayOutput = output.trimEnd();
+				const showingFullOutput = expanded && renderContext?.isFullOutput === true;
+
+				const rawOutputLines = displayOutput.split("\n");
+				const sixelLineMask =
+					TERMINAL.imageProtocol === ImageProtocol.Sixel ? getSixelLineMask(rawOutputLines) : undefined;
+				const hasSixelOutput = sixelLineMask?.some(Boolean) ?? false;
+
 				// Build truncation warning
 				const timeoutSeconds = details?.timeoutSeconds ?? renderContext?.timeout;
 				const timeoutLine =

package/src/tools/glab/config.ts

@@ -6,6 +6,10 @@ import type { GlabConfig } from "./types";
 const CONFIG_FILENAME = "glab-config.json";
 const XCSH_DIR = ".xcsh";
 
+function homeDir(): string {
+	return process.env.HOME || os.homedir();
+}
+
 export async function loadConfig(cwd: string): Promise<GlabConfig | null> {
 	const projectConfig = path.join(cwd, XCSH_DIR, CONFIG_FILENAME);
 	try {
@@ -15,7 +19,7 @@ export async function loadConfig(cwd: string): Promise<GlabConfig | null> {
 		// try user-level fallback
 	}
 
-	const userConfig = path.join(os.homedir(), ".xcsh", "agent", CONFIG_FILENAME);
+	const userConfig = path.join(homeDir(), ".xcsh", "agent", CONFIG_FILENAME);
 	try {
 		const raw = await fs.readFile(userConfig, "utf8");
 		return JSON.parse(raw) as GlabConfig;
@@ -25,13 +29,46 @@ export async function loadConfig(cwd: string): Promise<GlabConfig | null> {
 }
 
 export async function saveConfig(cwd: string, config: GlabConfig): Promise<void> {
-	const dir = path.join(cwd, XCSH_DIR);
-	await fs.mkdir(dir, { recursive: true });
-	await fs.writeFile(path.join(dir, CONFIG_FILENAME), JSON.stringify(config, null, 2), "utf8");
+	const json = JSON.stringify(config, null, 2);
+	const projectDir = path.join(cwd, XCSH_DIR);
+	await fs.mkdir(projectDir, { recursive: true });
+	await fs.writeFile(path.join(projectDir, CONFIG_FILENAME), json, "utf8");
+	const userDir = path.join(homeDir(), ".xcsh", "agent");
+	await fs.mkdir(userDir, { recursive: true });
+	await fs.writeFile(path.join(userDir, CONFIG_FILENAME), json, "utf8");
 }
 
-export async function resolveProject(paramProject: string | undefined, cwd: string): Promise<string | null> {
+export async function resolveProject(
+	paramProject: string | undefined,
+	cwd: string,
+	exec?: (cmd: string, args: string[]) => Promise<{ stdout: string; code: number }>,
+): Promise<string | null> {
 	if (paramProject) return paramProject;
 	const config = await loadConfig(cwd);
-	return config?.project ?? null;
+	if (config?.project) return config.project;
+	// Auto-detect: check if cwd has a gitlab remote
+	if (exec) {
+		try {
+			const result = await exec("glab", ["repo", "view", "--output", "json"]);
+			if (result.code === 0 && result.stdout) {
+				const repo = JSON.parse(result.stdout);
+				if (repo.path_with_namespace) return repo.path_with_namespace;
+			}
+		} catch {
+			// Not a GitLab repo or glab not available — fall through
+		}
+	}
+	return null;
+}
+
+/** Idempotent startup check: returns a warning string if glab is installed but not configured, null otherwise. */
+export async function glabStartupWarning(cwd: string): Promise<string | null> {
+	// Fast path: if glab is not installed, nothing to warn about
+	const { $which } = await import("@f5xc-salesdemos/pi-utils");
+	if (!$which("glab")) return null;
+	// Check if config already exists at project or user level
+	const config = await loadConfig(cwd);
+	if (config?.project) return null;
+	// glab is installed but no project configured — emit a one-time warning
+	return "GitLab (glab) is installed but no project is configured. Run: glab_setup with action save_project and project GROUP/REPO";
 }

package/src/tools/glab.ts

@@ -23,13 +23,10 @@ function makeExecApi(cwd: string): GlabExecApi {
 	return {
 		cwd,
 		async exec(command: string, args: string[], options?: { signal?: AbortSignal; cwd?: string }) {
-			// Check abort before spawning, but do NOT pass signal to Bun.spawn.
-			// glab commands complete in <1s — passing the signal causes a race where
-			// xcsh's AbortSignal fires (e.g. on model completion) and kills the child
-			// process before we can read its output.
-			if (options?.signal?.aborted) {
-				return { stdout: "", stderr: "Command was cancelled before starting", code: 1, killed: true };
-			}
+			// Never pass signal to Bun.spawn and never pre-check signal.aborted.
+			// glab commands finish in 1-3s. Passing the signal or pre-checking causes
+			// false cancellations when xcsh's AbortSignal fires between multi-turn
+			// tool calls (the signal is stale from a prior turn).
 			const child = Bun.spawn([command, ...args], {
 				cwd: options?.cwd ?? cwd,
 				stdin: "ignore",
@@ -245,7 +242,7 @@ export class GlabIssueListTool implements AgentTool<typeof glabIssueListSchema,
 		_context?: AgentToolContext,
 	): Promise<AgentToolResult<GlabToolDetails>> {
 		const api = makeExecApi(this.session.cwd);
-		const project = await resolveProject(params.project, this.session.cwd);
+		const project = await resolveProject(params.project, this.session.cwd, (cmd, args) => api.exec(cmd, args));
 		if (!project) {
 			return textResult("No GitLab project configured. Run glab_setup to set one up.");
 		}
@@ -294,7 +291,7 @@ export class GlabIssueViewTool implements AgentTool<typeof glabIssueViewSchema,
 		_context?: AgentToolContext,
 	): Promise<AgentToolResult<GlabToolDetails>> {
 		const api = makeExecApi(this.session.cwd);
-		const project = await resolveProject(params.project, this.session.cwd);
+		const project = await resolveProject(params.project, this.session.cwd, (cmd, args) => api.exec(cmd, args));
 		if (!project) {
 			return textResult("No GitLab project configured. Run glab_setup to set one up.");
 		}
@@ -336,7 +333,7 @@ export class GlabSearchTool implements AgentTool<typeof glabSearchSchema, GlabTo
 		_context?: AgentToolContext,
 	): Promise<AgentToolResult<GlabToolDetails>> {
 		const api = makeExecApi(this.session.cwd);
-		const project = await resolveProject(params.project, this.session.cwd);
+		const project = await resolveProject(params.project, this.session.cwd, (cmd, args) => api.exec(cmd, args));
 		if (!project) {
 			return textResult("No GitLab project configured. Run glab_setup to set one up.");
 		}

package/src/tools/xcsh-api.ts

@@ -2,6 +2,7 @@ import type { AgentTool, AgentToolResult } from "@f5xc-salesdemos/pi-agent-core"
 import { prompt } from "@f5xc-salesdemos/pi-utils";
 import { type Static, Type } from "@sinclair/typebox";
 import xcshApiDescription from "../prompts/tools/xcsh-api.md" with { type: "text" };
+import { createContextEnv } from "../services/context-env";
 import type { ToolSession } from ".";
 
 const xcshApiSchema = Type.Object({
@@ -13,7 +14,8 @@ const xcshApiSchema = Type.Object({
 	params: Type.Optional(
 		Type.Record(Type.String(), Type.String(), {
 			description:
-				"Path parameter substitutions, e.g. { namespace: 'default', name: 'example-lb', vh_name: 'example-vh' }",
+				"Path parameter substitutions, e.g. { namespace: 'example-ns', vh_name: 'example-vh' }. " +
+				"Unspecified params are auto-resolved from context env (e.g. {namespace} from F5XC_NAMESPACE).",
 		}),
 	),
 	payload: Type.Optional(Type.Unknown({ description: "JSON body for POST/PUT/PATCH/DELETE requests" })),
@@ -36,48 +38,53 @@ export class XcshApiTool implements AgentTool<typeof xcshApiSchema, XcshApiToolD
 	readonly description: string;
 	readonly parameters = xcshApiSchema;
 
-	#apiBase: string;
-	#apiToken: string;
+	#contextEnv: ReturnType<typeof createContextEnv>;
 
-	constructor(_session: ToolSession) {
+	constructor(session: ToolSession) {
 		this.description = prompt.render(xcshApiDescription);
-		this.#apiBase = (process.env.F5XC_API_URL ?? "").replace(/\/+$/, "");
-		this.#apiToken = process.env.F5XC_API_TOKEN ?? "";
+		this.#contextEnv = createContextEnv(session.settings);
 
-		if (this.#apiBase && this.#apiToken) {
-			fetch(`${this.#apiBase}/api/web/namespaces`, {
+		const apiBase = this.#resolveApiBase();
+		const apiToken = this.#resolveApiToken();
+		if (apiBase && apiToken) {
+			fetch(`${apiBase}/api/web/namespaces`, {
 				method: "HEAD",
-				headers: { Authorization: `APIToken ${this.#apiToken}` },
+				headers: { Authorization: `APIToken ${apiToken}` },
 			}).catch(() => {});
 		}
 	}
 
+	#resolveApiBase(): string {
+		return (process.env.F5XC_API_URL ?? this.#contextEnv.get("F5XC_API_URL") ?? "").replace(/\/+$/, "");
+	}
+
+	#resolveApiToken(): string {
+		return process.env.F5XC_API_TOKEN ?? this.#contextEnv.get("F5XC_API_TOKEN") ?? "";
+	}
+
 	async execute(_toolCallId: string, params: XcshApiParams): Promise<XcshApiResult> {
-		if (!this.#apiBase) {
+		const apiBase = this.#resolveApiBase();
+		if (!apiBase) {
 			return {
 				content: [{ type: "text", text: "Error: F5XC_API_URL environment variable is not set." }],
 				isError: true,
 			};
 		}
 
-		if (!this.#apiToken) {
+		const apiToken = this.#resolveApiToken();
+		if (!apiToken) {
 			return {
 				content: [{ type: "text", text: "Error: F5XC_API_TOKEN environment variable is not set." }],
 				isError: true,
 			};
 		}
 
-		let resolvedPath = params.path;
-		if (params.params) {
-			for (const [key, value] of Object.entries(params.params)) {
-				resolvedPath = resolvedPath.replaceAll(`{${key}}`, value);
-			}
-		}
+		const resolvedPath = this.#contextEnv.resolvePath(params.path, params.params);
 
-		const url = `${this.#apiBase}${resolvedPath}`;
+		const url = `${apiBase}${resolvedPath}`;
 		const requestId = crypto.randomUUID();
 		const headers: Record<string, string> = {
-			Authorization: `APIToken ${this.#apiToken}`,
+			Authorization: `APIToken ${apiToken}`,
 			Accept: "application/json",
 			"X-Request-ID": requestId,
 		};
@@ -90,7 +97,8 @@ export class XcshApiTool implements AgentTool<typeof xcshApiSchema, XcshApiToolD
 
 		if (params.payload && params.method !== "GET") {
 			headers["Content-Type"] = "application/json";
-			init.body = JSON.stringify(params.payload);
+			const payloadJson = JSON.stringify(params.payload);
+			init.body = this.#contextEnv.resolvePayloadVars(payloadJson);
 		}
 
 		try {