@integrity-labs/agt-cli 0.15.1 → 0.15.2

package/mcp/index.js

@@ -20985,6 +20985,36 @@ var StdioServerTransport = class {
   }
 };
 
+// src/token-refresh-selection.ts
+var REFRESH_WINDOW_MS = 10 * 6e4;
+function selectIntegrationsToRefresh(input) {
+  const now = input.now ?? Date.now();
+  const windowMs = input.windowMs ?? REFRESH_WINDOW_MS;
+  const oauth = input.integrations.filter((i) => i.auth_type === "oauth2");
+  if (input.integration_id) {
+    const target = oauth.find((i) => i.id === input.integration_id);
+    if (!target) return [];
+    return [{ kind: "force_refresh", integration: target }];
+  }
+  return oauth.map((integration) => {
+    if (!integration.credentials.access_token) {
+      return { kind: "force_refresh", integration };
+    }
+    const expiresAtRaw = integration.credentials.token_expires_at;
+    if (!expiresAtRaw) {
+      return { kind: "force_refresh", integration };
+    }
+    const expiresAt = Date.parse(expiresAtRaw);
+    if (Number.isNaN(expiresAt)) {
+      return { kind: "force_refresh", integration };
+    }
+    if (expiresAt - now < windowMs) {
+      return { kind: "force_refresh", integration };
+    }
+    return { kind: "return_cached", integration };
+  });
+}
+
 // src/index.ts
 import { spawn } from "child_process";
 var DeliveryTargetSchema = external_exports.union([
@@ -21371,40 +21401,48 @@ server.tool(
 );
 server.tool(
   "token.refresh",
-  "Request fresh OAuth tokens for an integration. Returns the new access token directly \u2014 no file-based handoff needed.",
+  "Get a working OAuth access token for an integration. Returns the current cached token when it is still valid (the server-side cron rotates tokens every ~15 minutes) and forces a refresh only when the cached token is expiring or missing. Pass `integration_id` to force-refresh a specific integration after a 401/TokenExpired from the provider.",
   {
-    integration_id: external_exports.string().optional().describe("Specific integration UUID to refresh. If omitted, refreshes all expiring tokens.")
+    integration_id: external_exports.string().optional().describe("Specific integration UUID to force-refresh (use after a 401 from the provider). If omitted, returns current tokens for all OAuth integrations, refreshing any that are within ~10 minutes of expiry.")
   },
   async (params) => {
     const integrations = await apiPost("/host/agent-integrations", {
       agent_id: AGT_AGENT_ID
     });
-    const TEN_MINUTES_MS = 10 * 6e4;
-    const oauthIntegrations = integrations.integrations.filter((i) => {
-      if (i.auth_type !== "oauth2") return false;
-      if (params.integration_id) return i.id === params.integration_id;
-      if (!i.credentials.token_expires_at) return true;
-      return new Date(i.credentials.token_expires_at).getTime() - Date.now() < TEN_MINUTES_MS;
+    const decisions = selectIntegrationsToRefresh({
+      integrations: integrations.integrations,
+      integration_id: params.integration_id
     });
-    if (oauthIntegrations.length === 0) {
+    if (decisions.length === 0) {
       return {
         content: [
           {
             type: "text",
-            text: params.integration_id ? `No OAuth integration found with ID ${params.integration_id}.` : "No expiring OAuth tokens found for this agent."
+            text: params.integration_id ? `No OAuth integration found with ID ${params.integration_id}.` : "No OAuth integrations found for this agent."
           }
         ]
       };
     }
     const results = [];
-    for (const integration of oauthIntegrations) {
+    for (const decision of decisions) {
+      const { integration } = decision;
+      if (decision.kind === "return_cached") {
+        results.push({
+          definition_id: integration.definition_id,
+          access_token: integration.credentials.access_token,
+          expires_at: integration.credentials.token_expires_at,
+          source: "cached"
+        });
+        continue;
+      }
       try {
         const refreshed = await apiPost(`/integrations/oauth/${integration.id}/refresh`, {});
         if (refreshed.ok && refreshed.access_token) {
           results.push({
             definition_id: integration.definition_id,
             access_token: refreshed.access_token,
-            expires_at: refreshed.expires_at
+            expires_at: refreshed.expires_at,
+            source: "refreshed"
           });
         } else {
           results.push({ definition_id: integration.definition_id, error: true });
@@ -21414,17 +21452,20 @@ server.tool(
       }
     }
     const summary = results.map(
-      (r) => r.access_token ? `${r.definition_id}: refreshed (expires ${r.expires_at ?? "unknown"})` : `${r.definition_id}: refresh failed`
+      (r) => r.access_token ? `${r.definition_id}: ${r.source} (expires ${r.expires_at ?? "unknown"})` : `${r.definition_id}: refresh failed`
     );
     return {
       content: [
         {
           type: "text",
           text: JSON.stringify({
+            // Key is `refreshed` for backwards compatibility — entries can now
+            // be either cached or freshly-rotated, distinguished by `source`.
             refreshed: results.filter((r) => r.access_token).map((r) => ({
               definition_id: r.definition_id,
               access_token: r.access_token,
-              expires_at: r.expires_at
+              expires_at: r.expires_at,
+              source: r.source
             })),
             failed: results.filter((r) => r.error).map((r) => r.definition_id),
             summary: summary.join("; ")

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@integrity-labs/agt-cli",
-  "version": "0.15.1",
+  "version": "0.15.2",
   "description": "Augmented Team CLI — agent provisioning and management",
   "type": "module",
   "engines": {