@integrity-labs/agt-cli 0.17.0 → 0.17.4

package/dist/bin/agt.js

@@ -48,7 +48,7 @@ import {
   success,
   table,
   warn
-} from "../chunk-P52H3XS6.js";
+} from "../chunk-HMN7YJOD.js";
 
 // src/bin/agt.ts
 import { join as join10 } from "path";
@@ -3732,7 +3732,7 @@ import { execFileSync, execSync } from "child_process";
 import { existsSync as existsSync5, realpathSync } from "fs";
 import chalk17 from "chalk";
 import ora15 from "ora";
-var cliVersion = true ? "0.17.0" : "dev";
+var cliVersion = true ? "0.17.4" : "dev";
 async function fetchLatestVersion() {
   const host2 = getHost();
   if (!host2) return null;
@@ -4190,7 +4190,7 @@ function handleError(err) {
 }
 
 // src/bin/agt.ts
-var cliVersion2 = true ? "0.17.0" : "dev";
+var cliVersion2 = true ? "0.17.4" : "dev";
 var program = new Command();
 program.name("agt").description("Augmented CLI \u2014 agent provisioning and management").version(cliVersion2).option("--json", "Emit machine-readable JSON output (suppress spinners and colors)").option("--skip-update-check", "Skip the automatic update check on startup");
 program.hook("preAction", (thisCommand) => {

package/dist/{chunk-P52H3XS6.js → chunk-HMN7YJOD.js}

@@ -429,6 +429,27 @@ var INTEGRATION_REGISTRY = [
       { id: "xero:manage-settings", name: "Manage Settings", description: "Manage org settings and chart of accounts", access: "admin" }
     ]
   },
+  {
+    id: "granola",
+    name: "Granola",
+    category: "knowledge",
+    description: "Meeting notes search \u2014 query transcripts, summaries, and folders from Granola",
+    // Granola uses a remote streamable-HTTP MCP with PKCE + Dynamic Client
+    // Registration. End-user OAuth is brokered by the webapp (ENG-4693)
+    // through the shared /integrations/oauth/authorize → /callback path
+    // (ENG-4694), and the access_token is injected into .mcp.json via the
+    // generic bearer-header path. No host-side action required from the
+    // operator beyond running the one-time DCR registration script at
+    // deploy time.
+    supported_auth_types: ["oauth2"],
+    capabilities: [
+      { id: "granola:search-meetings", name: "Search Meetings", description: "Browse meetings, search content, and chat with notes (query_granola_meetings, list_meetings, get_meetings)", access: "read" },
+      { id: "granola:read-transcripts", name: "Read Transcripts", description: "Access raw meeting transcripts (paid plans only \u2014 get_meeting_transcript)", access: "read" },
+      { id: "granola:list-folders", name: "List Folders", description: "View accessible meeting folders (paid plans only \u2014 list_meeting_folders)", access: "read" }
+    ],
+    docs_url: "https://docs.granola.ai/docs/api/mcp",
+    beta: true
+  },
   {
     id: "qmd",
     name: "QMD Memory Search",
@@ -2802,6 +2823,50 @@ You are **${frontmatter.display_name}**, **${roleDisplay}**${team ? ` at **${tea
 ${desc ? `
 ${desc}
 ` : ""}
+
+## \u26A0\uFE0F FIRST ACTION on every channel message: triage
+
+This is the highest-priority instruction in this document. Before anything
+else when you receive an inbound \`<channel>\` tag (Slack/Telegram/Direct
+Chat), decide:
+
+**Will completing this request take longer than ~60 seconds of tool work?**
+Treat as SLOW if it involves any of: Xero data pulls, multi-step Composio
+chains, web research, reading/writing >5 files, image generation, dashboard
+refreshes, multi-skill activations, or anything you'd reasonably want to
+acknowledge before you start.
+
+- **FAST (< 60s):** handle inline. Reply via the channel tool
+  (slack.reply / telegram.reply / directchat.reply) and end your turn.
+
+- **SLOW (\u2265 60s):** dispatch.
+  1. Send a one-line acknowledgement via the channel tool \u2014 short, warm,
+     and tell the user you'll come back. Example shape (don't copy verbatim,
+     match your voice): "On it \u2014 this'll take a minute or two, I'll ping
+     when it's done."
+  2. Invoke the \`channel-message-handler\` subagent (Task tool, with
+     \`subagent_type: channel-message-handler\`) with the full original
+     message text plus the **channel-specific routing keys** the reply
+     tool needs: Slack threads \u2192 \`{ channel_id, thread_ts }\`; Slack
+     non-thread DMs \u2192 \`{ channel_id }\`; Telegram \u2192 \`{ chat_id, message_id }\`;
+     Direct Chat \u2192 \`{ conversation_id }\`. Pass these verbatim from the
+     inbound \`<channel>\` tag \u2014 don't substitute a generic \`message_ts\`,
+     since only Slack threads use it. The subagent will do the actual
+     work and post the real reply itself.
+  3. End your turn. **Do NOT call slack.reply / telegram.reply with the
+     full result yourself** \u2014 that's the subagent's job.
+
+**Why this matters more than any other instruction below:** if you handle
+slow requests inline, you go silent for 60+ seconds while operators send
+follow-up messages that queue behind you. Dispatching keeps you free to
+acknowledge new pings. The kanban-tracking-link convention, work-management
+"create a task" guidance, and Slack reply patterns ALL apply to fast
+inline replies \u2014 they do NOT replace this dispatch decision.
+
+If the work turns out to be unexpectedly slow after you started inline,
+finish the current sub-step, then dispatch the rest. Don't apologise for
+mid-task switching \u2014 operators care about responsiveness, not consistency.
+
 ${personalitySection}## Identity
 
 - Code Name: ${frontmatter.code_name}
@@ -2813,8 +2878,13 @@ ${personalitySection}## Identity
 ${resolvedChannels?.includes("slack") ? `
 ## Slack
 
-You have a Slack MCP server connected. When Slack messages arrive via the channel
-protocol, respond directly in the conversation. You can also proactively use:
+You have a Slack MCP server connected. **First, see \xA7 FIRST ACTION on
+every channel message: triage** at the top of this document \u2014 decide
+fast vs slow before anything else, and dispatch slow work via
+\`channel-message-handler\` rather than handling it inline.
+
+For fast requests, respond directly in the conversation. You can also
+proactively use:
 
 - **slack.reply** \u2014 reply to a message in a channel/thread
 - **slack.react** \u2014 add an emoji reaction to a message (use sparingly \u2014 see taxonomy below)
@@ -3007,6 +3077,124 @@ The marginal cost of completeness is near zero. Do the whole thing.
 ${frontmatter.environment === "prod" ? "- Production environment: exercise extra caution with all operations.\n" : ""}`;
 }
 
+// ../../packages/core/dist/integrations/oauth-providers.js
+var OAUTH_PROVIDERS = {
+  "google-workspace": {
+    definitionId: "google-workspace",
+    authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+    tokenUrl: "https://oauth2.googleapis.com/token",
+    revokeUrl: "https://oauth2.googleapis.com/revoke",
+    defaultScopes: [
+      "https://www.googleapis.com/auth/gmail.modify",
+      "https://www.googleapis.com/auth/calendar",
+      "https://www.googleapis.com/auth/drive",
+      "https://www.googleapis.com/auth/spreadsheets",
+      "https://www.googleapis.com/auth/documents",
+      "https://www.googleapis.com/auth/chat.messages",
+      "https://www.googleapis.com/auth/chat.spaces.readonly"
+    ],
+    supportsRefresh: true,
+    extraAuthorizeParams: {
+      access_type: "offline",
+      prompt: "consent"
+    },
+    clientAuthMethod: "body",
+    userInfoUrl: "https://www.googleapis.com/oauth2/v2/userinfo"
+  },
+  "github": {
+    definitionId: "github",
+    authorizeUrl: "https://github.com/login/oauth/authorize",
+    tokenUrl: "https://github.com/login/oauth/access_token",
+    defaultScopes: ["repo", "read:org", "gist", "workflow"],
+    supportsRefresh: true,
+    extraAuthorizeParams: {},
+    clientAuthMethod: "body",
+    userInfoUrl: "https://api.github.com/user"
+  },
+  "granola": {
+    // Granola MCP — remote streamable-HTTP at https://mcp.granola.ai/mcp.
+    // The AS is at mcp-auth.granola.ai and exposes RFC 8414 metadata at
+    // /.well-known/oauth-authorization-server. Auth is OAuth 2.0 with
+    // mandatory PKCE (S256) and a public client (no client_secret) issued
+    // via Dynamic Client Registration (RFC 7591). The bootstrap script
+    // (`packages/api/scripts/dcr-register.ts`) registers a client once at
+    // deploy time; OAUTH_GRANOLA_CLIENT_ID is set from its output.
+    definitionId: "granola",
+    authorizeUrl: "https://mcp-auth.granola.ai/oauth2/authorize",
+    tokenUrl: "https://mcp-auth.granola.ai/oauth2/token",
+    // openid+profile+email give us the user identity for status_message;
+    // offline_access is the one that earns us a refresh_token so the
+    // refresh cron can rotate the bearer without operator action.
+    defaultScopes: ["openid", "profile", "email", "offline_access"],
+    supportsRefresh: true,
+    extraAuthorizeParams: {},
+    clientAuthMethod: "body",
+    pkce: "S256",
+    publicClient: true,
+    mcpUrl: "https://mcp.granola.ai/mcp"
+  },
+  "xero": {
+    definitionId: "xero",
+    authorizeUrl: "https://login.xero.com/identity/connect/authorize",
+    tokenUrl: "https://identity.xero.com/connect/token",
+    revokeUrl: "https://identity.xero.com/connect/revocation",
+    defaultScopes: [
+      "openid",
+      "profile",
+      "email",
+      "offline_access",
+      // Granular scopes (required for apps created after March 2, 2026 —
+      // do NOT revert to the broad `accounting.transactions` /
+      // `accounting.contacts` scopes, Xero rejects the manifest).
+      // The variant *without* `.read` is the read+write granular scope.
+      "accounting.settings.read",
+      // contacts: write enables agent-driven supplier/customer creation
+      // (required for bill creation since a bill must reference a contact).
+      "accounting.contacts",
+      // invoices: write enables bill creation (Type=ACCPAY invoices) and
+      // updates to sales invoices alongside the existing read access.
+      "accounting.invoices",
+      // attachments: write enables agents to attach the source PDF to a
+      // bill at creation time. Read-only would force a follow-up manual
+      // upload in Xero; write closes the loop.
+      "accounting.attachments",
+      // accounting.transactions.read → granular read-only replacements
+      // for the surfaces we don't yet need write access on.
+      "accounting.payments.read",
+      "accounting.banktransactions.read",
+      "accounting.manualjournals.read",
+      // accounting.reports.read → granular read-only replacements
+      "accounting.reports.balancesheet.read",
+      "accounting.reports.profitandloss.read",
+      "accounting.reports.trialbalance.read",
+      "accounting.reports.budgetsummary.read",
+      "accounting.reports.banksummary.read",
+      "accounting.reports.executivesummary.read",
+      "accounting.reports.aged.read"
+    ],
+    supportsRefresh: true,
+    extraAuthorizeParams: {},
+    clientAuthMethod: "basic",
+    userInfoUrl: "https://api.xero.com/connections"
+  }
+};
+
+// ../../packages/core/dist/provisioning/remote-mcp.js
+function envVarForToken(definitionId) {
+  return `${definitionId.replace(/-/g, "_").toUpperCase()}_ACCESS_TOKEN`;
+}
+function buildRemoteMcpEntry(definitionId) {
+  const provider = OAUTH_PROVIDERS[definitionId];
+  if (!provider?.mcpUrl)
+    return null;
+  return {
+    url: provider.mcpUrl,
+    headers: {
+      Authorization: `Bearer \${${envVarForToken(definitionId)}}`
+    }
+  };
+}
+
 // ../../packages/core/dist/provisioning/frameworks/claudecode/index.js
 var VALID_CODE_NAME = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
 var SECRET_FILE_MODE = 384;
@@ -3160,6 +3348,38 @@ function deployArtifactsToProject(codeName, provisionDir) {
     }
   } catch {
   }
+  const agentsDir = join4(provisionDir, ".claude", "agents");
+  const destAgentsDir = join4(projectDir, ".claude", "agents");
+  try {
+    if (existsSync4(agentsDir)) {
+      const sourceAgentFiles = new Set(readdirSync(agentsDir).filter((f) => f.endsWith(".md")));
+      if (existsSync4(destAgentsDir)) {
+        for (const destFile of readdirSync(destAgentsDir)) {
+          if (!destFile.endsWith(".md"))
+            continue;
+          if (sourceAgentFiles.has(destFile))
+            continue;
+          try {
+            rmSync(join4(destAgentsDir, destFile));
+          } catch {
+          }
+        }
+      }
+      for (const agentFile of sourceAgentFiles) {
+        const srcPath = join4(agentsDir, agentFile);
+        const destPath = join4(destAgentsDir, agentFile);
+        const srcContent = readFileSync4(srcPath, "utf-8");
+        try {
+          if (existsSync4(destPath) && readFileSync4(destPath, "utf-8") === srcContent)
+            continue;
+        } catch {
+        }
+        mkdirSync4(destAgentsDir, { recursive: true });
+        writeFileSync4(destPath, srcContent);
+      }
+    }
+  } catch {
+  }
   const agentMcpPath = join4(getAgentDir(codeName), "provision", ".mcp.json");
   const projectMcpPath = join4(projectDir, ".mcp.json");
   try {
@@ -3581,6 +3801,30 @@ function buildSettingsJson(input) {
   settings["permissions"] = { deny: SECRETS_DENY_PERMISSIONS };
   return settings;
 }
+function buildChannelMessageHandlerAgent() {
+  return `---
+name: channel-message-handler
+description: Handles a single inbound Slack/Telegram/Direct-Chat message end to end. Posts the reply itself via the matching channel tool. The parent agent dispatches to this subagent only for slow requests (\u2265 ~60s) so the parent's listener turn stays free for new inbound work.
+background: true
+tools: Bash, Read, Write, Edit, Grep, Glob, Skill, Agent, mcp__augmented__*, mcp__slack__*, mcp__telegram__*, mcp__direct_chat__*, mcp__xero__*, mcp__granola__*, mcp__composio_attio__*, mcp__composio_canva__*, mcp__composio_gmail__*, mcp__composio_googlecalendar__*, mcp__composio_googledocs__*, mcp__composio_googledrive__*, mcp__composio_googlesheets__*
+---
+
+You are dispatched by the parent agent to handle one channel message.
+
+The parent passes you in the task description:
+- The full original message text
+- Channel metadata: Slack channel ID + thread_ts, Telegram chat_id + message_id, OR Direct Chat conversation_id
+- Any supporting context the parent thought relevant
+
+Your job:
+
+1. Do the work the message asks for (Xero pull, research, multi-step skill, etc.). Use whichever tools you need.
+2. Post the reply yourself via the matching channel tool \u2014 slack.reply for Slack, telegram.reply for Telegram, directchat.reply for Direct Chat. Use the metadata the parent gave you to address the right thread/conversation.
+3. End. Do not do additional follow-up work; if more is needed, the user will send another message.
+
+Do NOT post intermediate progress updates unless the work spans 5+ minutes \u2014 keep noise low. The parent already sent a single-line acknowledgement before dispatching you.
+`;
+}
 function buildMcpJson(input) {
   const mcpServers = {};
   const localMcpPath = join4(getHomeDir3(), ".augmented", "_mcp", "index.js");
@@ -3627,6 +3871,12 @@ function buildMcpJson(input) {
       }
     };
   }
+  for (const integration of input.integrations ?? []) {
+    const entry = buildRemoteMcpEntry(integration.definition_id);
+    if (entry) {
+      mcpServers[integration.definition_id] = entry;
+    }
+  }
   return { mcpServers };
 }
 function parseIntervalMinutes(scheduleEvery) {
@@ -3709,7 +3959,16 @@ var claudeCodeAdapter = {
       { relativePath: "settings.json", content: JSON.stringify(buildSettingsJson(input), null, 2) },
       { relativePath: ".mcp.json", content: JSON.stringify(buildMcpJson(input), null, 2) },
       { relativePath: "CHARTER.md", content: input.charterContent },
-      { relativePath: "TOOLS.md", content: input.toolsContent }
+      { relativePath: "TOOLS.md", content: input.toolsContent },
+      // ENG-4684: named subagent the parent uses for slow channel-message
+      // handling. Frontmatter `background: true` makes the parent's listener
+      // turn return immediately on dispatch, so new inbound messages get a
+      // fresh turn while the subagent does the work in parallel. Triggered
+      // by the "Channel message triage" instruction in CLAUDE.md.
+      {
+        relativePath: ".claude/agents/channel-message-handler.md",
+        content: buildChannelMessageHandlerAgent()
+      }
     ];
     const knowledgeEntries = input.knowledge ?? [];
     const delivery = input.knowledgeDelivery ?? "both";
@@ -4115,6 +4374,12 @@ ${sections}`
         }
       });
     }
+    for (const integration of integrations) {
+      const entry = buildRemoteMcpEntry(integration.definition_id);
+      if (entry) {
+        this.writeMcpServer(codeName, integration.definition_id, entry);
+      }
+    }
     const projectDir = getProjectDir(codeName);
     const claudeMdPath = join4(projectDir, "CLAUDE.md");
     try {
@@ -4185,6 +4450,11 @@ ${sections}`
             PIPEDREAM_PROJECT_ENVIRONMENT: headers["x-pd-environment"] ?? process.env["PIPEDREAM_ENVIRONMENT"] ?? "development"
           }
         };
+      } else if (config.headers && Object.keys(config.headers).length > 0) {
+        serverEntry = {
+          url: config.url,
+          headers: config.headers
+        };
       } else {
         serverEntry = {
           command: "npx",
@@ -7697,4 +7967,4 @@ export {
   managerInstallCommand,
   managerUninstallCommand
 };
-//# sourceMappingURL=chunk-P52H3XS6.js.map
+//# sourceMappingURL=chunk-HMN7YJOD.js.map