@glrs-dev/assume 0.12.2 → 0.14.0

package/CHANGELOG.md

@@ -1,5 +1,39 @@
 # @glrs-dev/assume
 
+## 0.14.0
+
+### Minor Changes
+
+- [#297](https://github.com/iceglober/glrs/pull/297) [`19da75b`](https://github.com/iceglober/glrs/commit/19da75b071f3a7aa7af228e3812e63e3e0da4a5f) Thanks [@iceglober](https://github.com/iceglober)! - `gsa` MCP tool `run_with_credentials` now accepts an optional `env` parameter for additional environment variables.
+
+  Agents can pass repo-specific env vars (cert paths, confirmation flags, service addresses, …) alongside the injected AWS credentials — a pure pass-through, no repo knowledge on gsa's side. The command still runs in the gsa MCP server's working directory (the workspace root it was launched in), so relative paths work like the bash tool.
+
+  ```
+  run_with_credentials(
+    command: "node_modules/.bin/tsx scripts/tsx/backfill.ts",
+    context: "production / developer",
+    env: { "CONFIRM_PRODUCTION": "yes", "TEMPORAL_NAMESPACE": "kn-prod" }
+  )
+  ```
+
+  Values must be strings; invalid names or non-string values return a clear invalid-params error. The gsa-injected `AWS_*` credential and region vars take precedence and cannot be overridden by `env`. Env var names (not values) are recorded in the audit log.
+
+## 0.13.0
+
+### Minor Changes
+
+- [#292](https://github.com/iceglober/glrs/pull/292) [`f954712`](https://github.com/iceglober/glrs/commit/f9547129dd13c00ee316eb012bc087326a6307b7) Thanks [@iceglober](https://github.com/iceglober)! - GCP now wraps the gcloud CLI instead of reimplementing Google OAuth.
+
+  Previously glrs ran its own Google OAuth (gcloud's client ID, auth-code flow, raw refresh-token grants) and emulated the GCE metadata server. Under an org that enforces reauth, raw refresh grants are rejected (`invalid_rapt`) and glrs had no reauth flow, so GCP wedged — and the emulated `GCE_METADATA_HOST` shadowed gcloud's own credentials.
+
+  glrs now delegates GCP auth to gcloud, the idiomatic local-dev path:
+
+  - `gsa login gcp` runs `gcloud auth login` + `gcloud auth application-default login` (interactive — satisfies org reauth and writes a proper ADC).
+  - Credentials are delivered by gcloud's **Application Default Credentials**, not the daemon. glrs no longer sets `GCE_METADATA_HOST`; apps read gcloud's ADC natively. The daemon binds no GCP endpoint.
+  - Contexts are projects via `gcloud projects list`; `gsa use gcp <project>` sets `GOOGLE_CLOUD_PROJECT` (and `--default` also `gcloud config set project`); `gsa exec`/agent mint a token via `gcloud ... print-access-token`.
+  - When gcloud needs interactive reauth, the next command surfaces "run: gsa login gcp" (via the needs-login marker) instead of leaking a raw token-endpoint error.
+  - **Requires the Google Cloud SDK (`gcloud`) on PATH** for GCP; the in-house OAuth/ADC writer/metadata emulation are removed. AWS is unaffected.
+
 ## 0.12.2
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@glrs-dev/assume",
-  "version": "0.12.2",
+  "version": "0.14.0",
   "publishConfig": {
     "access": "public"
   },
@@ -51,9 +51,9 @@
     "typescript": "^5"
   },
   "optionalDependencies": {
-    "@glrs-dev/assume-darwin-arm64": "0.12.2",
-    "@glrs-dev/assume-darwin-x64": "0.12.2",
-    "@glrs-dev/assume-linux-x64": "0.12.2",
-    "@glrs-dev/assume-linux-arm64": "0.12.2"
+    "@glrs-dev/assume-darwin-arm64": "0.14.0",
+    "@glrs-dev/assume-darwin-x64": "0.14.0",
+    "@glrs-dev/assume-linux-x64": "0.14.0",
+    "@glrs-dev/assume-linux-arm64": "0.14.0"
   }
 }