@integrity-labs/agt-cli 0.17.2 → 0.17.4

package/dist/bin/agt.js

@@ -48,7 +48,7 @@ import {
   success,
   table,
   warn
-} from "../chunk-RGJV3MV3.js";
+} from "../chunk-HMN7YJOD.js";
 
 // src/bin/agt.ts
 import { join as join10 } from "path";
@@ -3732,7 +3732,7 @@ import { execFileSync, execSync } from "child_process";
 import { existsSync as existsSync5, realpathSync } from "fs";
 import chalk17 from "chalk";
 import ora15 from "ora";
-var cliVersion = true ? "0.17.2" : "dev";
+var cliVersion = true ? "0.17.4" : "dev";
 async function fetchLatestVersion() {
   const host2 = getHost();
   if (!host2) return null;
@@ -4190,7 +4190,7 @@ function handleError(err) {
 }
 
 // src/bin/agt.ts
-var cliVersion2 = true ? "0.17.2" : "dev";
+var cliVersion2 = true ? "0.17.4" : "dev";
 var program = new Command();
 program.name("agt").description("Augmented CLI \u2014 agent provisioning and management").version(cliVersion2).option("--json", "Emit machine-readable JSON output (suppress spinners and colors)").option("--skip-update-check", "Skip the automatic update check on startup");
 program.hook("preAction", (thisCommand) => {

package/dist/{chunk-RGJV3MV3.js → chunk-HMN7YJOD.js}

@@ -429,6 +429,27 @@ var INTEGRATION_REGISTRY = [
       { id: "xero:manage-settings", name: "Manage Settings", description: "Manage org settings and chart of accounts", access: "admin" }
     ]
   },
+  {
+    id: "granola",
+    name: "Granola",
+    category: "knowledge",
+    description: "Meeting notes search \u2014 query transcripts, summaries, and folders from Granola",
+    // Granola uses a remote streamable-HTTP MCP with PKCE + Dynamic Client
+    // Registration. End-user OAuth is brokered by the webapp (ENG-4693)
+    // through the shared /integrations/oauth/authorize → /callback path
+    // (ENG-4694), and the access_token is injected into .mcp.json via the
+    // generic bearer-header path. No host-side action required from the
+    // operator beyond running the one-time DCR registration script at
+    // deploy time.
+    supported_auth_types: ["oauth2"],
+    capabilities: [
+      { id: "granola:search-meetings", name: "Search Meetings", description: "Browse meetings, search content, and chat with notes (query_granola_meetings, list_meetings, get_meetings)", access: "read" },
+      { id: "granola:read-transcripts", name: "Read Transcripts", description: "Access raw meeting transcripts (paid plans only \u2014 get_meeting_transcript)", access: "read" },
+      { id: "granola:list-folders", name: "List Folders", description: "View accessible meeting folders (paid plans only \u2014 list_meeting_folders)", access: "read" }
+    ],
+    docs_url: "https://docs.granola.ai/docs/api/mcp",
+    beta: true
+  },
   {
     id: "qmd",
     name: "QMD Memory Search",
@@ -2802,6 +2823,50 @@ You are **${frontmatter.display_name}**, **${roleDisplay}**${team ? ` at **${tea
 ${desc ? `
 ${desc}
 ` : ""}
+
+## \u26A0\uFE0F FIRST ACTION on every channel message: triage
+
+This is the highest-priority instruction in this document. Before anything
+else when you receive an inbound \`<channel>\` tag (Slack/Telegram/Direct
+Chat), decide:
+
+**Will completing this request take longer than ~60 seconds of tool work?**
+Treat as SLOW if it involves any of: Xero data pulls, multi-step Composio
+chains, web research, reading/writing >5 files, image generation, dashboard
+refreshes, multi-skill activations, or anything you'd reasonably want to
+acknowledge before you start.
+
+- **FAST (< 60s):** handle inline. Reply via the channel tool
+  (slack.reply / telegram.reply / directchat.reply) and end your turn.
+
+- **SLOW (\u2265 60s):** dispatch.
+  1. Send a one-line acknowledgement via the channel tool \u2014 short, warm,
+     and tell the user you'll come back. Example shape (don't copy verbatim,
+     match your voice): "On it \u2014 this'll take a minute or two, I'll ping
+     when it's done."
+  2. Invoke the \`channel-message-handler\` subagent (Task tool, with
+     \`subagent_type: channel-message-handler\`) with the full original
+     message text plus the **channel-specific routing keys** the reply
+     tool needs: Slack threads \u2192 \`{ channel_id, thread_ts }\`; Slack
+     non-thread DMs \u2192 \`{ channel_id }\`; Telegram \u2192 \`{ chat_id, message_id }\`;
+     Direct Chat \u2192 \`{ conversation_id }\`. Pass these verbatim from the
+     inbound \`<channel>\` tag \u2014 don't substitute a generic \`message_ts\`,
+     since only Slack threads use it. The subagent will do the actual
+     work and post the real reply itself.
+  3. End your turn. **Do NOT call slack.reply / telegram.reply with the
+     full result yourself** \u2014 that's the subagent's job.
+
+**Why this matters more than any other instruction below:** if you handle
+slow requests inline, you go silent for 60+ seconds while operators send
+follow-up messages that queue behind you. Dispatching keeps you free to
+acknowledge new pings. The kanban-tracking-link convention, work-management
+"create a task" guidance, and Slack reply patterns ALL apply to fast
+inline replies \u2014 they do NOT replace this dispatch decision.
+
+If the work turns out to be unexpectedly slow after you started inline,
+finish the current sub-step, then dispatch the rest. Don't apologise for
+mid-task switching \u2014 operators care about responsiveness, not consistency.
+
 ${personalitySection}## Identity
 
 - Code Name: ${frontmatter.code_name}
@@ -2813,8 +2878,13 @@ ${personalitySection}## Identity
 ${resolvedChannels?.includes("slack") ? `
 ## Slack
 
-You have a Slack MCP server connected. When Slack messages arrive via the channel
-protocol, respond directly in the conversation. You can also proactively use:
+You have a Slack MCP server connected. **First, see \xA7 FIRST ACTION on
+every channel message: triage** at the top of this document \u2014 decide
+fast vs slow before anything else, and dispatch slow work via
+\`channel-message-handler\` rather than handling it inline.
+
+For fast requests, respond directly in the conversation. You can also
+proactively use:
 
 - **slack.reply** \u2014 reply to a message in a channel/thread
 - **slack.react** \u2014 add an emoji reaction to a message (use sparingly \u2014 see taxonomy below)
@@ -2998,21 +3068,6 @@ The marginal cost of completeness is near zero. Do the whole thing.
 - **Search before building. Test before shipping.**
 - **No excuses.** Time, fatigue, and complexity are not reasons to deliver less than complete.
 
-## Channel message triage (ENG-4684)
-
-Every inbound \`<channel>\` tag (Slack/Telegram/Direct Chat) is a fresh request. Triage it BEFORE doing the work:
-
-- **Will this reply take longer than ~60 seconds?** Treat as slow if it involves: Xero pulls (any), multi-step Composio chains, web research, reading/writing >5 files, image generation, or a multi-skill activation.
-
-- **FAST (< 60s):** handle inline. Reply via the channel tool (slack.reply / telegram.reply / directchat.reply) and end your turn.
-
-- **SLOW (\u2265 60s):**
-  1. Send this exact acknowledgement via the channel tool: *"This will take a while, I'll ping you when it's done."* Use the verbatim copy \u2014 don't paraphrase or add detail.
-  2. Invoke the \`channel-message-handler\` subagent (background) with the full message + channel/thread/message_ts metadata as the task.
-  3. End your turn. The subagent posts the actual reply itself when it's done.
-
-Why: dispatching short replies wastes ~20s of subagent overhead. Dispatching slow ones keeps you free to acknowledge new inbound messages immediately instead of going silent for 60s+. Get the routing decision right; the rest follows.
-
 ## Rules
 
 - Never expose secrets or API keys in output.
@@ -3022,6 +3077,124 @@ Why: dispatching short replies wastes ~20s of subagent overhead. Dispatching slo
 ${frontmatter.environment === "prod" ? "- Production environment: exercise extra caution with all operations.\n" : ""}`;
 }
 
+// ../../packages/core/dist/integrations/oauth-providers.js
+var OAUTH_PROVIDERS = {
+  "google-workspace": {
+    definitionId: "google-workspace",
+    authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+    tokenUrl: "https://oauth2.googleapis.com/token",
+    revokeUrl: "https://oauth2.googleapis.com/revoke",
+    defaultScopes: [
+      "https://www.googleapis.com/auth/gmail.modify",
+      "https://www.googleapis.com/auth/calendar",
+      "https://www.googleapis.com/auth/drive",
+      "https://www.googleapis.com/auth/spreadsheets",
+      "https://www.googleapis.com/auth/documents",
+      "https://www.googleapis.com/auth/chat.messages",
+      "https://www.googleapis.com/auth/chat.spaces.readonly"
+    ],
+    supportsRefresh: true,
+    extraAuthorizeParams: {
+      access_type: "offline",
+      prompt: "consent"
+    },
+    clientAuthMethod: "body",
+    userInfoUrl: "https://www.googleapis.com/oauth2/v2/userinfo"
+  },
+  "github": {
+    definitionId: "github",
+    authorizeUrl: "https://github.com/login/oauth/authorize",
+    tokenUrl: "https://github.com/login/oauth/access_token",
+    defaultScopes: ["repo", "read:org", "gist", "workflow"],
+    supportsRefresh: true,
+    extraAuthorizeParams: {},
+    clientAuthMethod: "body",
+    userInfoUrl: "https://api.github.com/user"
+  },
+  "granola": {
+    // Granola MCP — remote streamable-HTTP at https://mcp.granola.ai/mcp.
+    // The AS is at mcp-auth.granola.ai and exposes RFC 8414 metadata at
+    // /.well-known/oauth-authorization-server. Auth is OAuth 2.0 with
+    // mandatory PKCE (S256) and a public client (no client_secret) issued
+    // via Dynamic Client Registration (RFC 7591). The bootstrap script
+    // (`packages/api/scripts/dcr-register.ts`) registers a client once at
+    // deploy time; OAUTH_GRANOLA_CLIENT_ID is set from its output.
+    definitionId: "granola",
+    authorizeUrl: "https://mcp-auth.granola.ai/oauth2/authorize",
+    tokenUrl: "https://mcp-auth.granola.ai/oauth2/token",
+    // openid+profile+email give us the user identity for status_message;
+    // offline_access is the one that earns us a refresh_token so the
+    // refresh cron can rotate the bearer without operator action.
+    defaultScopes: ["openid", "profile", "email", "offline_access"],
+    supportsRefresh: true,
+    extraAuthorizeParams: {},
+    clientAuthMethod: "body",
+    pkce: "S256",
+    publicClient: true,
+    mcpUrl: "https://mcp.granola.ai/mcp"
+  },
+  "xero": {
+    definitionId: "xero",
+    authorizeUrl: "https://login.xero.com/identity/connect/authorize",
+    tokenUrl: "https://identity.xero.com/connect/token",
+    revokeUrl: "https://identity.xero.com/connect/revocation",
+    defaultScopes: [
+      "openid",
+      "profile",
+      "email",
+      "offline_access",
+      // Granular scopes (required for apps created after March 2, 2026 —
+      // do NOT revert to the broad `accounting.transactions` /
+      // `accounting.contacts` scopes, Xero rejects the manifest).
+      // The variant *without* `.read` is the read+write granular scope.
+      "accounting.settings.read",
+      // contacts: write enables agent-driven supplier/customer creation
+      // (required for bill creation since a bill must reference a contact).
+      "accounting.contacts",
+      // invoices: write enables bill creation (Type=ACCPAY invoices) and
+      // updates to sales invoices alongside the existing read access.
+      "accounting.invoices",
+      // attachments: write enables agents to attach the source PDF to a
+      // bill at creation time. Read-only would force a follow-up manual
+      // upload in Xero; write closes the loop.
+      "accounting.attachments",
+      // accounting.transactions.read → granular read-only replacements
+      // for the surfaces we don't yet need write access on.
+      "accounting.payments.read",
+      "accounting.banktransactions.read",
+      "accounting.manualjournals.read",
+      // accounting.reports.read → granular read-only replacements
+      "accounting.reports.balancesheet.read",
+      "accounting.reports.profitandloss.read",
+      "accounting.reports.trialbalance.read",
+      "accounting.reports.budgetsummary.read",
+      "accounting.reports.banksummary.read",
+      "accounting.reports.executivesummary.read",
+      "accounting.reports.aged.read"
+    ],
+    supportsRefresh: true,
+    extraAuthorizeParams: {},
+    clientAuthMethod: "basic",
+    userInfoUrl: "https://api.xero.com/connections"
+  }
+};
+
+// ../../packages/core/dist/provisioning/remote-mcp.js
+function envVarForToken(definitionId) {
+  return `${definitionId.replace(/-/g, "_").toUpperCase()}_ACCESS_TOKEN`;
+}
+function buildRemoteMcpEntry(definitionId) {
+  const provider = OAUTH_PROVIDERS[definitionId];
+  if (!provider?.mcpUrl)
+    return null;
+  return {
+    url: provider.mcpUrl,
+    headers: {
+      Authorization: `Bearer \${${envVarForToken(definitionId)}}`
+    }
+  };
+}
+
 // ../../packages/core/dist/provisioning/frameworks/claudecode/index.js
 var VALID_CODE_NAME = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
 var SECRET_FILE_MODE = 384;
@@ -3179,9 +3352,20 @@ function deployArtifactsToProject(codeName, provisionDir) {
   const destAgentsDir = join4(projectDir, ".claude", "agents");
   try {
     if (existsSync4(agentsDir)) {
-      for (const agentFile of readdirSync(agentsDir)) {
-        if (!agentFile.endsWith(".md"))
-          continue;
+      const sourceAgentFiles = new Set(readdirSync(agentsDir).filter((f) => f.endsWith(".md")));
+      if (existsSync4(destAgentsDir)) {
+        for (const destFile of readdirSync(destAgentsDir)) {
+          if (!destFile.endsWith(".md"))
+            continue;
+          if (sourceAgentFiles.has(destFile))
+            continue;
+          try {
+            rmSync(join4(destAgentsDir, destFile));
+          } catch {
+          }
+        }
+      }
+      for (const agentFile of sourceAgentFiles) {
         const srcPath = join4(agentsDir, agentFile);
         const destPath = join4(destAgentsDir, agentFile);
         const srcContent = readFileSync4(srcPath, "utf-8");
@@ -3622,7 +3806,7 @@ function buildChannelMessageHandlerAgent() {
 name: channel-message-handler
 description: Handles a single inbound Slack/Telegram/Direct-Chat message end to end. Posts the reply itself via the matching channel tool. The parent agent dispatches to this subagent only for slow requests (\u2265 ~60s) so the parent's listener turn stays free for new inbound work.
 background: true
-tools: Bash, Read, Write, Edit, Grep, Glob, Skill, Agent, mcp__augmented__*, mcp__slack__*, mcp__telegram__*, mcp__direct_chat__*, mcp__xero__*, mcp__composio_attio__*, mcp__composio_canva__*, mcp__composio_gmail__*, mcp__composio_googlecalendar__*, mcp__composio_googledocs__*, mcp__composio_googledrive__*, mcp__composio_googlesheets__*
+tools: Bash, Read, Write, Edit, Grep, Glob, Skill, Agent, mcp__augmented__*, mcp__slack__*, mcp__telegram__*, mcp__direct_chat__*, mcp__xero__*, mcp__granola__*, mcp__composio_attio__*, mcp__composio_canva__*, mcp__composio_gmail__*, mcp__composio_googlecalendar__*, mcp__composio_googledocs__*, mcp__composio_googledrive__*, mcp__composio_googlesheets__*
 ---
 
 You are dispatched by the parent agent to handle one channel message.
@@ -3687,6 +3871,12 @@ function buildMcpJson(input) {
       }
     };
   }
+  for (const integration of input.integrations ?? []) {
+    const entry = buildRemoteMcpEntry(integration.definition_id);
+    if (entry) {
+      mcpServers[integration.definition_id] = entry;
+    }
+  }
   return { mcpServers };
 }
 function parseIntervalMinutes(scheduleEvery) {
@@ -4184,6 +4374,12 @@ ${sections}`
         }
       });
     }
+    for (const integration of integrations) {
+      const entry = buildRemoteMcpEntry(integration.definition_id);
+      if (entry) {
+        this.writeMcpServer(codeName, integration.definition_id, entry);
+      }
+    }
     const projectDir = getProjectDir(codeName);
     const claudeMdPath = join4(projectDir, "CLAUDE.md");
     try {
@@ -4254,6 +4450,11 @@ ${sections}`
             PIPEDREAM_PROJECT_ENVIRONMENT: headers["x-pd-environment"] ?? process.env["PIPEDREAM_ENVIRONMENT"] ?? "development"
           }
         };
+      } else if (config.headers && Object.keys(config.headers).length > 0) {
+        serverEntry = {
+          url: config.url,
+          headers: config.headers
+        };
       } else {
         serverEntry = {
           command: "npx",
@@ -7766,4 +7967,4 @@ export {
   managerInstallCommand,
   managerUninstallCommand
 };
-//# sourceMappingURL=chunk-RGJV3MV3.js.map
+//# sourceMappingURL=chunk-HMN7YJOD.js.map