@integrity-labs/agt-cli 0.10.2 → 0.10.4

package/dist/{chunk-VCKY6MN2.js → chunk-CVQD6XGB.js}

@@ -1859,7 +1859,7 @@ function extractAllowedDomains(input) {
 registerFramework(nemoClawAdapter);
 
 // ../../packages/core/dist/provisioning/frameworks/claudecode/index.js
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3, existsSync as existsSync3, chmodSync as chmodSync3 } from "fs";
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3, existsSync as existsSync3, chmodSync as chmodSync3, readdirSync, rmSync } from "fs";
 import { join as join3, relative } from "path";
 import { homedir as homedir2 } from "os";
 import { execFile as execFile3 } from "child_process";
@@ -1931,7 +1931,7 @@ function buildKnowledgeSection2(knowledge) {
     return "";
   const orgEntries = knowledge.filter((k) => k.scope === "org");
   const teamEntries = knowledge.filter((k) => k.scope === "team");
-  const formatEntry = (k) => `- **${k.title}** (skill: \`knowledge-${k.slug}\`)`;
+  const formatEntry = (k) => `- **${k.title}**`;
   let body = "";
   if (orgEntries.length) {
     body += `### Organization
@@ -1950,9 +1950,9 @@ ${teamEntries.map(formatEntry).join("\n")}
   }
   return `## Core Knowledge
 
-Your team has provided the following core knowledge as skills. These are
-automatically available \u2014 Claude Code will surface the relevant skill when
-you need context. You do not need to read files manually.
+Your team has provided core knowledge via the \`core-knowledge\` skill.
+It is automatically available \u2014 Claude Code will surface it when you need
+context. You do not need to read files manually.
 
 ${body}
 `;
@@ -2149,15 +2149,61 @@ function deployArtifactsToProject(codeName, provisionDir) {
   const projectDir = getProjectDir(codeName);
   mkdirSync3(projectDir, { recursive: true });
   const artifactFiles = ["CLAUDE.md", "settings.json", ".mcp.json", "CHARTER.md", "TOOLS.md"];
+  const SKILLS_START = "<!-- AGT:SKILLS_INDEX_START -->";
+  const SKILLS_END = "<!-- AGT:SKILLS_INDEX_END -->";
   for (const file of artifactFiles) {
     const src = join3(provisionDir, file);
     const dest = join3(projectDir, file);
     try {
-      const content = readFileSync3(src, "utf-8");
-      writeFileSync3(dest, content);
+      const srcContent = readFileSync3(src, "utf-8");
+      if (file === "CLAUDE.md" && existsSync3(dest)) {
+        const destContent = readFileSync3(dest, "utf-8");
+        const stripIndex = (s) => s.replace(new RegExp(`${SKILLS_START}[\\s\\S]*?${SKILLS_END}`), "").trimEnd();
+        if (stripIndex(srcContent) === stripIndex(destContent))
+          continue;
+        const indexMatch = destContent.match(new RegExp(`${SKILLS_START}[\\s\\S]*?${SKILLS_END}`));
+        if (indexMatch) {
+          writeFileSync3(dest, srcContent.trimEnd() + "\n\n" + indexMatch[0] + "\n");
+          continue;
+        }
+      }
+      writeFileSync3(dest, srcContent);
     } catch {
     }
   }
+  const skillsDir = join3(provisionDir, ".claude", "skills");
+  const destSkillsDir = join3(projectDir, ".claude", "skills");
+  try {
+    if (existsSync3(destSkillsDir)) {
+      const srcFolders = existsSync3(skillsDir) ? new Set(readdirSync(skillsDir)) : /* @__PURE__ */ new Set();
+      for (const folder of readdirSync(destSkillsDir)) {
+        if (folder.startsWith("knowledge-") || folder === "core-knowledge" && !srcFolders.has(folder)) {
+          try {
+            rmSync(join3(destSkillsDir, folder), { recursive: true });
+          } catch {
+          }
+        }
+      }
+    }
+    if (existsSync3(skillsDir)) {
+      for (const skillFolder of readdirSync(skillsDir)) {
+        const srcSkillFile = join3(skillsDir, skillFolder, "SKILL.md");
+        if (!existsSync3(srcSkillFile))
+          continue;
+        const destFolder = join3(destSkillsDir, skillFolder);
+        const destFile = join3(destFolder, "SKILL.md");
+        const srcContent = readFileSync3(srcSkillFile, "utf-8");
+        try {
+          if (existsSync3(destFile) && readFileSync3(destFile, "utf-8") === srcContent)
+            continue;
+        } catch {
+        }
+        mkdirSync3(destFolder, { recursive: true });
+        writeFileSync3(destFile, srcContent);
+      }
+    }
+  } catch {
+  }
   const agentMcpPath = join3(getAgentDir(codeName), "provision", ".mcp.json");
   const projectMcpPath = join3(projectDir, ".mcp.json");
   try {
@@ -2474,20 +2520,28 @@ var claudeCodeAdapter = {
       { relativePath: "CHARTER.md", content: input.charterContent },
       { relativePath: "TOOLS.md", content: input.toolsContent }
     ];
-    for (const entry of input.knowledge ?? []) {
-      const skillPath = `.claude/skills/knowledge-${entry.slug}/SKILL.md`;
-      assertSafeRelativePath(skillPath);
-      const scopeLabel = entry.scope === "org" ? "organization" : "team";
+    const knowledgeEntries = input.knowledge ?? [];
+    if (knowledgeEntries.length > 0) {
+      const safeTitles = knowledgeEntries.map((k) => k.title.replace(/[\n\r"\\]/g, " ").trim().toLowerCase()).filter(Boolean);
+      const sections = knowledgeEntries.map((entry) => {
+        const scopeLabel = entry.scope === "org" ? "Organization" : "Team";
+        const safeTitle = entry.title.replace(/[\n\r]/g, " ").trim();
+        return `## ${safeTitle}
+*${scopeLabel} knowledge*
+
+${entry.content}`;
+      }).join("\n\n---\n\n");
+      const description = `Use this skill when the user asks about the company, organization, team, products, or any of: ${safeTitles.join(", ")}. Provides core reference material from the knowledge base.`;
       artifacts.push({
-        relativePath: skillPath,
+        relativePath: ".claude/skills/core-knowledge/SKILL.md",
         content: `---
-name: knowledge-${entry.slug}
-description: "${entry.title} \u2014 ${scopeLabel}-level core knowledge. Use when you need context about ${entry.title.toLowerCase()}."
+name: core-knowledge
+description: ${JSON.stringify(description)}
 ---
 
-# ${entry.title}
+# Core Knowledge
 
-${entry.content}`
+${sections}`
       });
     }
     return artifacts;
@@ -2503,8 +2557,8 @@ ${entry.content}`
     const augDir = join3(homeDir, ".augmented");
     const agents = /* @__PURE__ */ new Set();
     try {
-      const { readdirSync, statSync } = await import("fs");
-      const entries = readdirSync(augDir);
+      const { readdirSync: readdirSync2, statSync } = await import("fs");
+      const entries = readdirSync2(augDir);
       for (const entry of entries) {
         const ccDir = join3(augDir, entry, "claudecode");
         try {
@@ -2874,6 +2928,9 @@ ${entry.content}`
   },
   installSkillFiles(codeName, skillId, files) {
     assertValidCodeName(skillId);
+    const isPluginManaged = skillId.startsWith("plugin-");
+    const READ_ONLY_MODE = 292;
+    const READ_WRITE_MODE = 420;
     const agentDir = getAgentDir(codeName);
     const projectDir = getProjectDir(codeName);
     for (const baseDir of [join3(agentDir, "skills"), join3(projectDir, ".claude", "skills")]) {
@@ -2887,7 +2944,19 @@ ${entry.content}`
           throw new Error(`Path traversal detected: ${file.relativePath} resolves outside ${skillDir}`);
         }
         mkdirSync3(join3(filePath, ".."), { recursive: true });
+        if (isPluginManaged && existsSync3(filePath)) {
+          try {
+            chmodSync3(filePath, READ_WRITE_MODE);
+          } catch {
+          }
+        }
         writeFileSync3(filePath, file.content);
+        if (isPluginManaged) {
+          try {
+            chmodSync3(filePath, READ_ONLY_MODE);
+          } catch {
+          }
+        }
       }
     }
   },
@@ -2971,6 +3040,250 @@ ${entry.content}`
 };
 registerFramework(claudeCodeAdapter);
 
+// ../../packages/core/dist/provisioning/frameworks/managed-agents/system-prompt.js
+function generateSystemPrompt(input) {
+  const { agent, charterFrontmatter, charterContent, resolvedChannels, integrations } = input;
+  const sections = [];
+  sections.push(`# Agent Identity
+
+**Name**: ${agent.display_name} (\`${agent.code_name}\`)
+**Environment**: ${agent.environment}
+**Risk Tier**: ${agent.risk_tier}
+**Owner**: ${charterFrontmatter.owner.name}${charterFrontmatter.owner.email ? ` <${charterFrontmatter.owner.email}>` : ""}
+**Augmented Agent ID**: ${agent.agent_id}`);
+  const bodyContent = stripFrontmatter(charterContent).trim();
+  if (bodyContent) {
+    sections.push(bodyContent);
+  }
+  if (resolvedChannels.length > 0) {
+    sections.push(`## Allowed Channels
+
+This agent is permitted to communicate via the following channels:
+${resolvedChannels.map((ch) => `- ${ch}`).join("\n")}`);
+  }
+  const budget = charterFrontmatter.budget;
+  const limits = charterFrontmatter.limits;
+  if (budget || limits) {
+    const budgetLines = [];
+    if (budget) {
+      const window = budget.window;
+      if (budget.type === "tokens" || budget.type === "both") {
+        budgetLines.push(`- Token budget: ${(budget.limit_tokens ?? budget.limit).toLocaleString()} tokens per ${window}`);
+      }
+      if (budget.type === "dollars" || budget.type === "both") {
+        budgetLines.push(`- Cost budget: $${(budget.limit_dollars ?? budget.limit).toFixed(2)} per ${window}`);
+      }
+      if (budget.enforcement) {
+        budgetLines.push(`- Enforcement: ${budget.enforcement}`);
+      }
+    }
+    if (limits) {
+      budgetLines.push(`- Max tokens per request: ${limits.max_tokens_per_request.toLocaleString()}`);
+      budgetLines.push(`- Max tokens per run: ${limits.max_tokens_per_run.toLocaleString()}`);
+    }
+    sections.push(`## Budget Constraints
+
+${budgetLines.join("\n")}`);
+  }
+  const apiKeyIntegrations = (integrations ?? []).filter((i) => i.auth_type === "api_key" && i.credentials.api_key);
+  if (apiKeyIntegrations.length > 0) {
+    const credLines = apiKeyIntegrations.map((i) => {
+      const envKey = `${i.definition_id.toUpperCase().replace(/[^A-Z0-9]/g, "_")}_API_KEY`;
+      return `- **${i.display_name}**: API key available as \`${envKey}\``;
+    });
+    sections.push(`## Available Integrations (API Keys)
+
+The following integration credentials are available for use in this session:
+${credLines.join("\n")}
+
+These credentials are pre-loaded. Reference them by their environment variable names when invoking tools.`);
+  }
+  return sections.join("\n\n");
+}
+function stripFrontmatter(content) {
+  if (!content.startsWith("---"))
+    return content;
+  const secondDelimiter = content.indexOf("\n---", 3);
+  if (secondDelimiter === -1)
+    return content;
+  return content.slice(secondDelimiter + 4);
+}
+
+// ../../packages/core/dist/provisioning/frameworks/managed-agents/tools-mapper.js
+var TOOL_ID_TO_ANTHROPIC = [
+  ["bash", "bash"],
+  ["shell", "bash"],
+  ["exec", "bash"],
+  ["read", "read"],
+  ["fs_read", "read"],
+  ["file_read", "read"],
+  ["write", "write"],
+  ["fs_write", "write"],
+  ["file_write", "write"],
+  ["edit", "edit"],
+  ["fs_edit", "edit"],
+  ["file_edit", "edit"],
+  ["glob", "glob"],
+  ["fs_glob", "glob"],
+  ["grep", "grep"],
+  ["fs_grep", "grep"],
+  ["web_fetch", "web_fetch"],
+  ["fetch", "web_fetch"],
+  ["http", "web_fetch"],
+  ["web_search", "web_search"],
+  ["search", "web_search"]
+];
+function mapToolsToAgentToolset(toolsFrontmatter) {
+  const enabledTools = /* @__PURE__ */ new Set();
+  for (const tool of toolsFrontmatter.tools) {
+    const id = tool.id.toLowerCase();
+    for (const [prefix, anthropicTool] of TOOL_ID_TO_ANTHROPIC) {
+      if (id === prefix || id.startsWith(`${prefix}_`) || id.startsWith(`${prefix}-`)) {
+        enabledTools.add(anthropicTool);
+        break;
+      }
+    }
+  }
+  const allTools = [
+    "bash",
+    "read",
+    "write",
+    "edit",
+    "glob",
+    "grep",
+    "web_fetch",
+    "web_search"
+  ];
+  return {
+    type: "agent_toolset_20260401",
+    default_config: { enabled: false },
+    configs: allTools.map((name) => ({ name, enabled: enabledTools.has(name) }))
+  };
+}
+function extractAllowedHosts(toolsFrontmatter) {
+  const hosts = /* @__PURE__ */ new Set();
+  for (const tool of toolsFrontmatter.tools) {
+    for (const domain of tool.network?.allowlist_domains ?? []) {
+      hosts.add(domain);
+    }
+  }
+  return [...hosts];
+}
+
+// ../../packages/core/dist/provisioning/frameworks/managed-agents/environment-config.js
+function buildEnvironmentConfig(riskTier, allowedHosts) {
+  switch (riskTier) {
+    case "Low":
+      return {
+        type: "cloud",
+        networking: { type: "unrestricted" }
+      };
+    case "Medium":
+      return {
+        type: "cloud",
+        networking: {
+          type: "limited",
+          allowed_hosts: allowedHosts,
+          allow_mcp_servers: true,
+          allow_package_managers: true
+        }
+      };
+    case "High":
+      return {
+        type: "cloud",
+        networking: {
+          type: "limited",
+          allowed_hosts: [],
+          allow_mcp_servers: true,
+          allow_package_managers: false
+        }
+      };
+  }
+}
+
+// ../../packages/core/dist/provisioning/frameworks/managed-agents/index.js
+function buildMcpServers(input) {
+  const servers = [];
+  for (const integration of input.integrations ?? []) {
+    if (integration.auth_type !== "managed")
+      continue;
+    const config = integration.config;
+    const mcpUrl = config["mcp_server_url"];
+    if (!mcpUrl)
+      continue;
+    const connectedAccountId = integration.credentials["connected_account_id"];
+    const apiKey = integration.credentials["api_key"];
+    const headers = {};
+    if (apiKey)
+      headers["Authorization"] = `secret_ref://${integration.definition_id}/api_key`;
+    if (connectedAccountId)
+      headers["X-Connected-Account-Id"] = String(connectedAccountId);
+    servers.push({
+      type: "url",
+      name: integration.definition_id.replace(/[^a-z0-9-]/gi, "-").toLowerCase(),
+      url: mcpUrl,
+      ...Object.keys(headers).length > 0 ? { headers } : {}
+    });
+  }
+  return servers;
+}
+var ManagedAgentsAdapter = {
+  id: "managed-agents",
+  label: "Managed Agents (Anthropic Cloud)",
+  buildArtifacts(input) {
+    const { agent, toolsFrontmatter } = input;
+    const toolset = mapToolsToAgentToolset(toolsFrontmatter);
+    const allowedHosts = extractAllowedHosts(toolsFrontmatter);
+    const environmentConfig = buildEnvironmentConfig(agent.risk_tier, allowedHosts);
+    const mcpServers = buildMcpServers(input);
+    const tools = [toolset];
+    for (const server of mcpServers) {
+      tools.push({ type: "mcp_toolset", mcp_server_name: server.name });
+    }
+    const config = {
+      name: agent.display_name,
+      model: agent.primary_model ?? "claude-sonnet-4-6",
+      system: generateSystemPrompt(input),
+      tools,
+      mcp_servers: mcpServers,
+      description: agent.description,
+      metadata: {
+        augmented_agent_id: agent.agent_id,
+        augmented_code_name: agent.code_name,
+        augmented_environment: agent.environment,
+        augmented_risk_tier: agent.risk_tier,
+        augmented_framework: "managed-agents"
+      },
+      _environment_config: environmentConfig
+    };
+    return [
+      {
+        relativePath: "managed-agent.json",
+        content: JSON.stringify(config, null, 2)
+      }
+    ];
+  },
+  driftTrackedFiles() {
+    return ["managed-agent.json"];
+  },
+  // -------------------------------------------------------------------------
+  // No local runtime — all execution is in Anthropic's cloud.
+  // These methods are intentional no-ops.
+  // -------------------------------------------------------------------------
+  async getRegisteredAgents() {
+    return /* @__PURE__ */ new Set();
+  },
+  async registerAgent(_codeName, _teamDir) {
+    return true;
+  },
+  async deregisterAgent(_codeName) {
+    return true;
+  },
+  writeAuthProfiles(_codeName, _profiles) {
+  }
+};
+registerFramework(ManagedAgentsAdapter);
+
 // src/lib/config.ts
 import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, mkdirSync as mkdirSync4, existsSync as existsSync4 } from "fs";
 import { join as join4 } from "path";
@@ -4780,8 +5093,10 @@ var ROLE_PERMISSIONS = {
     "agent.view",
     "audit_log.view",
     "host.view",
+    "plugin.view",
     "plugin.install",
-    "plugin.view"
+    "plugin.configure",
+    "plugin.manage_scopes"
   ],
   viewer: [
     "agent.view",
@@ -5244,4 +5559,4 @@ export {
   detectDrift,
   provision
 };
-//# sourceMappingURL=chunk-VCKY6MN2.js.map
+//# sourceMappingURL=chunk-CVQD6XGB.js.map