@integrity-labs/agt-cli 0.25.1 → 0.25.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1008,6 +1008,33 @@ var CAPACITY_TABLE = {
1008
1008
  };
1009
1009
  var KNOWN_INSTANCE_TYPES = Object.keys(CAPACITY_TABLE);
1010
1010
 
1011
+ // ../../packages/core/dist/provisioning/ec2-pricing.js
1012
+ var HOURLY_BY_REGION = {
1013
+ "ap-southeast-2": {
1014
+ "t3.micro": 0.0132,
1015
+ "t3.small": 0.0264,
1016
+ "t3.medium": 0.0528,
1017
+ "t3.large": 0.1056,
1018
+ "t3.xlarge": 0.2112,
1019
+ "t3.2xlarge": 0.4224,
1020
+ // m6i — general-purpose; in-fleet as of 2026-05 (ENG-5652).
1021
+ "m6i.large": 0.12,
1022
+ "m6i.xlarge": 0.24
1023
+ },
1024
+ "us-east-1": {
1025
+ "t3.micro": 0.0104,
1026
+ "t3.small": 0.0208,
1027
+ "t3.medium": 0.0416,
1028
+ "t3.large": 0.0832,
1029
+ "t3.xlarge": 0.1664,
1030
+ "t3.2xlarge": 0.3328,
1031
+ // m6i — kept symmetric with ap-southeast-2 (ENG-5652).
1032
+ "m6i.large": 0.096,
1033
+ "m6i.xlarge": 0.192
1034
+ }
1035
+ };
1036
+ var KNOWN_PRICING_REGIONS = Object.keys(HOURLY_BY_REGION);
1037
+
1011
1038
  // ../../packages/core/dist/scheduled-tasks/suppress.js
1012
1039
  var SENTINEL_REGEX = /<no-delivery\/>/g;
1013
1040
  function classifyOutput(output) {
@@ -2946,6 +2973,302 @@ var ajv2 = new Ajv20202({ allErrors: true, strict: false });
2946
2973
  addFormats2(ajv2);
2947
2974
  var compiledMetaSchema = ajv2.compile(context_meta_schema_default);
2948
2975
 
2976
+ // ../../packages/core/dist/integrations/oauth-providers.js
2977
+ var OAUTH_PROVIDERS = {
2978
+ "google-workspace": {
2979
+ definitionId: "google-workspace",
2980
+ authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
2981
+ tokenUrl: "https://oauth2.googleapis.com/token",
2982
+ revokeUrl: "https://oauth2.googleapis.com/revoke",
2983
+ defaultScopes: [
2984
+ "https://www.googleapis.com/auth/gmail.modify",
2985
+ "https://www.googleapis.com/auth/calendar",
2986
+ "https://www.googleapis.com/auth/drive",
2987
+ "https://www.googleapis.com/auth/spreadsheets",
2988
+ "https://www.googleapis.com/auth/documents",
2989
+ "https://www.googleapis.com/auth/chat.messages",
2990
+ "https://www.googleapis.com/auth/chat.spaces.readonly"
2991
+ ],
2992
+ supportsRefresh: true,
2993
+ extraAuthorizeParams: {
2994
+ access_type: "offline",
2995
+ prompt: "consent"
2996
+ },
2997
+ clientAuthMethod: "body",
2998
+ userInfoUrl: "https://www.googleapis.com/oauth2/v2/userinfo"
2999
+ },
3000
+ "github": {
3001
+ definitionId: "github",
3002
+ authorizeUrl: "https://github.com/login/oauth/authorize",
3003
+ tokenUrl: "https://github.com/login/oauth/access_token",
3004
+ defaultScopes: ["repo", "read:org", "gist", "workflow"],
3005
+ supportsRefresh: true,
3006
+ extraAuthorizeParams: {},
3007
+ clientAuthMethod: "body",
3008
+ userInfoUrl: "https://api.github.com/user"
3009
+ },
3010
+ "granola": {
3011
+ // Granola MCP — remote streamable-HTTP at https://mcp.granola.ai/mcp.
3012
+ // The AS is at mcp-auth.granola.ai and exposes RFC 8414 metadata at
3013
+ // /.well-known/oauth-authorization-server. Auth is OAuth 2.0 with
3014
+ // mandatory PKCE (S256) and a public client (no client_secret) issued
3015
+ // via Dynamic Client Registration (RFC 7591). The bootstrap script
3016
+ // (`packages/api/scripts/dcr-register.ts`) registers a client once at
3017
+ // deploy time; OAUTH_GRANOLA_CLIENT_ID is set from its output.
3018
+ definitionId: "granola",
3019
+ authorizeUrl: "https://mcp-auth.granola.ai/oauth2/authorize",
3020
+ tokenUrl: "https://mcp-auth.granola.ai/oauth2/token",
3021
+ // Minimal scope set: `offline_access` earns the refresh_token so the
3022
+ // refresh cron can rotate the bearer without operator action; `openid`
3023
+ // is required for the OIDC code flow even when we don't request an
3024
+ // id_token. Profile/email are intentionally omitted — we have no
3025
+ // userInfoUrl wired up here, so requesting them would over-ask consent
3026
+ // for fields the callback can't read.
3027
+ defaultScopes: ["openid", "offline_access"],
3028
+ supportsRefresh: true,
3029
+ extraAuthorizeParams: {},
3030
+ clientAuthMethod: "body",
3031
+ pkce: "S256",
3032
+ publicClient: true,
3033
+ mcpUrl: "https://mcp.granola.ai/mcp"
3034
+ },
3035
+ "notion-cli": {
3036
+ // Notion's public OAuth app. Tokens are workspace-scoped and long-lived —
3037
+ // Notion does not issue refresh_tokens, so `supportsRefresh: false` and
3038
+ // the refresh cron skips this provider entirely. Scopes are not part of
3039
+ // Notion's authorize URL contract; consent is governed by what the user
3040
+ // grants in the OAuth screen, so `defaultScopes` stays empty.
3041
+ // `owner=user` forces the user-OAuth variant (vs internal integration).
3042
+ // Requires OAUTH_NOTION_CLI_CLIENT_ID and OAUTH_NOTION_CLI_CLIENT_SECRET.
3043
+ definitionId: "notion-cli",
3044
+ authorizeUrl: "https://api.notion.com/v1/oauth/authorize",
3045
+ tokenUrl: "https://api.notion.com/v1/oauth/token",
3046
+ defaultScopes: [],
3047
+ supportsRefresh: false,
3048
+ extraAuthorizeParams: {
3049
+ owner: "user"
3050
+ },
3051
+ clientAuthMethod: "basic"
3052
+ },
3053
+ "xero": {
3054
+ definitionId: "xero",
3055
+ authorizeUrl: "https://login.xero.com/identity/connect/authorize",
3056
+ tokenUrl: "https://identity.xero.com/connect/token",
3057
+ revokeUrl: "https://identity.xero.com/connect/revocation",
3058
+ defaultScopes: [
3059
+ "openid",
3060
+ "profile",
3061
+ "email",
3062
+ "offline_access",
3063
+ // Granular scopes (required for apps created after March 2, 2026 —
3064
+ // do NOT revert to the broad `accounting.transactions` /
3065
+ // `accounting.contacts` scopes, Xero rejects the manifest).
3066
+ // The variant *without* `.read` is the read+write granular scope.
3067
+ "accounting.settings.read",
3068
+ // contacts: write enables agent-driven supplier/customer creation
3069
+ // (required for bill creation since a bill must reference a contact).
3070
+ "accounting.contacts",
3071
+ // invoices: write enables bill creation (Type=ACCPAY invoices) and
3072
+ // updates to sales invoices alongside the existing read access.
3073
+ "accounting.invoices",
3074
+ // attachments: write enables agents to attach the source PDF to a
3075
+ // bill at creation time. Read-only would force a follow-up manual
3076
+ // upload in Xero; write closes the loop.
3077
+ "accounting.attachments",
3078
+ // accounting.transactions.read → granular read-only replacements
3079
+ // for the surfaces we don't yet need write access on.
3080
+ "accounting.payments.read",
3081
+ "accounting.banktransactions.read",
3082
+ "accounting.manualjournals.read",
3083
+ // accounting.reports.read → granular read-only replacements
3084
+ "accounting.reports.balancesheet.read",
3085
+ "accounting.reports.profitandloss.read",
3086
+ "accounting.reports.trialbalance.read",
3087
+ "accounting.reports.budgetsummary.read",
3088
+ "accounting.reports.banksummary.read",
3089
+ "accounting.reports.executivesummary.read",
3090
+ "accounting.reports.aged.read"
3091
+ ],
3092
+ supportsRefresh: true,
3093
+ extraAuthorizeParams: {},
3094
+ clientAuthMethod: "basic",
3095
+ userInfoUrl: "https://api.xero.com/connections"
3096
+ }
3097
+ };
3098
+ function getOAuthProvider(definitionId) {
3099
+ return OAUTH_PROVIDERS[definitionId];
3100
+ }
3101
+
3102
+ // ../../packages/core/dist/integrations/connectivity-probe.js
3103
+ var HTTP_PROBE_PROVIDERS = /* @__PURE__ */ new Set([
3104
+ "linear",
3105
+ "google-workspace",
3106
+ "xero",
3107
+ "v0"
3108
+ ]);
3109
+ var CLI_PROBE_ARGS = {
3110
+ gcloud: ["version"]
3111
+ // most CLIs respond to --version; override here only when they don't.
3112
+ };
3113
+ function cliArgsFor(definitionId) {
3114
+ return CLI_PROBE_ARGS[definitionId] ?? ["--version"];
3115
+ }
3116
+ function resolveConnectivityProbe(input) {
3117
+ const { definitionId, sourceType, authType } = input;
3118
+ if (authType === "managed" || sourceType === "managed") {
3119
+ return {
3120
+ kind: "composio_account",
3121
+ sourceType: "managed",
3122
+ readOnly: true,
3123
+ label: `${definitionId}: connected-account check`,
3124
+ centralReachable: true
3125
+ };
3126
+ }
3127
+ if (HTTP_PROBE_PROVIDERS.has(definitionId)) {
3128
+ return {
3129
+ kind: "http_provider",
3130
+ sourceType: sourceType ?? "mcp_server",
3131
+ readOnly: true,
3132
+ label: `${definitionId}: read-only API check`,
3133
+ centralReachable: true,
3134
+ httpProvider: definitionId
3135
+ };
3136
+ }
3137
+ if (getOAuthProvider(definitionId)?.mcpUrl) {
3138
+ return {
3139
+ kind: "mcp_tools_list",
3140
+ sourceType: sourceType ?? "mcp_server",
3141
+ readOnly: true,
3142
+ label: `${definitionId}: MCP tools/list`,
3143
+ centralReachable: false
3144
+ };
3145
+ }
3146
+ switch (sourceType) {
3147
+ case "mcp_server":
3148
+ return {
3149
+ kind: "mcp_tools_list",
3150
+ sourceType: "mcp_server",
3151
+ readOnly: true,
3152
+ label: `${definitionId}: MCP tools/list`,
3153
+ centralReachable: false
3154
+ };
3155
+ case "cli_tool":
3156
+ return {
3157
+ kind: "cli_command",
3158
+ sourceType: "cli_tool",
3159
+ readOnly: true,
3160
+ label: `${definitionId}: CLI reachability`,
3161
+ centralReachable: false,
3162
+ cliArgs: cliArgsFor(definitionId)
3163
+ };
3164
+ case "native":
3165
+ return {
3166
+ kind: "builtin",
3167
+ sourceType: "native",
3168
+ readOnly: true,
3169
+ label: `${definitionId}: built-in check`,
3170
+ centralReachable: false
3171
+ };
3172
+ default:
3173
+ return {
3174
+ kind: "unsupported",
3175
+ sourceType: sourceType ?? "native",
3176
+ readOnly: true,
3177
+ label: `${definitionId}: no connectivity probe available`,
3178
+ centralReachable: false
3179
+ };
3180
+ }
3181
+ }
3182
+
3183
+ // ../../packages/core/dist/integrations/connectivity-http-probes.js
3184
+ var PROBE_TIMEOUT_MS = 1e4;
3185
+ async function timedFetch(fetchImpl, url, init) {
3186
+ const controller = new AbortController();
3187
+ const timer = setTimeout(() => controller.abort(), PROBE_TIMEOUT_MS);
3188
+ try {
3189
+ return await fetchImpl(url, { ...init, signal: controller.signal });
3190
+ } finally {
3191
+ clearTimeout(timer);
3192
+ }
3193
+ }
3194
+ function statusForHttp(httpStatus) {
3195
+ if (httpStatus === 401 || httpStatus === 403)
3196
+ return "down";
3197
+ if (httpStatus >= 500)
3198
+ return "transient_error";
3199
+ return "down";
3200
+ }
3201
+ function networkOutcome(err) {
3202
+ const isAbort = err?.name === "AbortError";
3203
+ return {
3204
+ status: "transient_error",
3205
+ message: isAbort ? `Connection timed out after ${PROBE_TIMEOUT_MS / 1e3}s` : `Connection failed: ${err.message}`
3206
+ };
3207
+ }
3208
+ async function probeLinear(creds, fetchImpl) {
3209
+ const key = creds.api_key ?? creds.access_token;
3210
+ if (!key)
3211
+ return { status: "down", message: "No Linear credential present" };
3212
+ try {
3213
+ const res = await timedFetch(fetchImpl, "https://api.linear.app/graphql", {
3214
+ method: "POST",
3215
+ headers: { "Content-Type": "application/json", Authorization: String(key) },
3216
+ body: JSON.stringify({ query: "{ viewer { id name email } }" })
3217
+ });
3218
+ if (!res.ok)
3219
+ return { status: statusForHttp(res.status), message: `Linear API returned ${res.status}` };
3220
+ const body = await res.json();
3221
+ if (body.errors?.length)
3222
+ return { status: "down", message: body.errors[0]?.message ?? "Unknown Linear error" };
3223
+ const viewer = body.data?.viewer;
3224
+ if (!viewer)
3225
+ return { status: "down", message: "Invalid key \u2014 no viewer returned" };
3226
+ return { status: "ok", message: `Connected as ${viewer.name ?? viewer.email ?? "unknown"}` };
3227
+ } catch (err) {
3228
+ return networkOutcome(err);
3229
+ }
3230
+ }
3231
+ async function probeBearerJson(url, creds, fetchImpl, interpret) {
3232
+ const token = creds.access_token ?? creds.api_key;
3233
+ if (!token)
3234
+ return { status: "down", message: "No credential present" };
3235
+ try {
3236
+ const res = await timedFetch(fetchImpl, url, { headers: { Authorization: `Bearer ${token}` } });
3237
+ if (!res.ok) {
3238
+ const message = res.status === 401 ? "Token expired or revoked \u2014 reconnect required" : `API returned ${res.status}`;
3239
+ return { status: statusForHttp(res.status), message };
3240
+ }
3241
+ return interpret(await res.json());
3242
+ } catch (err) {
3243
+ return networkOutcome(err);
3244
+ }
3245
+ }
3246
+ async function probeHttpProvider(definitionId, credentials, fetchImpl = fetch) {
3247
+ switch (definitionId) {
3248
+ case "linear":
3249
+ return probeLinear(credentials, fetchImpl);
3250
+ case "google-workspace":
3251
+ return probeBearerJson("https://www.googleapis.com/oauth2/v2/userinfo", credentials, fetchImpl, (body) => {
3252
+ const info = body;
3253
+ return { status: "ok", message: `Connected as ${info.name ?? info.email ?? "unknown"}` };
3254
+ });
3255
+ case "xero":
3256
+ return probeBearerJson("https://api.xero.com/connections", credentials, fetchImpl, (body) => {
3257
+ const conns = body ?? [];
3258
+ if (!conns.length)
3259
+ return { status: "down", message: "No Xero organisations connected" };
3260
+ return { status: "ok", message: `Connected to ${conns[0]?.tenantName ?? "Xero"}` };
3261
+ });
3262
+ case "v0":
3263
+ return probeBearerJson("https://api.v0.dev/v1/user", credentials, fetchImpl, (body) => {
3264
+ const user = body;
3265
+ return { status: "ok", message: `Connected as ${user.name ?? user.email ?? "unknown"}` };
3266
+ });
3267
+ default:
3268
+ return null;
3269
+ }
3270
+ }
3271
+
2949
3272
  // ../../packages/core/dist/drift/comparators.js
2950
3273
  function compareToolPolicy(expected, actual) {
2951
3274
  const findings = [];
@@ -3366,6 +3689,14 @@ function attributeTranscriptUsageByRun(jsonl) {
3366
3689
  return { perRunModel: [...agg.values()], runIds: [...runIds] };
3367
3690
  }
3368
3691
 
3692
+ // ../../packages/core/dist/conversations/metrics.js
3693
+ var PERIOD_CONFIG = {
3694
+ "24h": { windowMs: 24 * 60 * 60 * 1e3, bucket: "hour" },
3695
+ "7d": { windowMs: 7 * 24 * 60 * 60 * 1e3, bucket: "day" },
3696
+ "30d": { windowMs: 30 * 24 * 60 * 60 * 1e3, bucket: "day" }
3697
+ };
3698
+ var CONVERSATION_METRICS_PERIODS = Object.keys(PERIOD_CONFIG);
3699
+
3369
3700
  export {
3370
3701
  wrapScheduledTaskPrompt,
3371
3702
  parseDeliveryTarget,
@@ -3382,6 +3713,7 @@ export {
3382
3713
  CHANNEL_REGISTRY,
3383
3714
  getChannel,
3384
3715
  getAllChannelIds,
3716
+ OAUTH_PROVIDERS,
3385
3717
  formatActorId,
3386
3718
  isSelfCompletion,
3387
3719
  classifyActor,
@@ -3403,6 +3735,8 @@ export {
3403
3735
  renderTemplate,
3404
3736
  DEPLOYMENT_TEMPLATES,
3405
3737
  getTemplate,
3738
+ resolveConnectivityProbe,
3739
+ probeHttpProvider,
3406
3740
  detectDrift,
3407
3741
  classifyOutput,
3408
3742
  parseUsageBanner,
@@ -3413,4 +3747,4 @@ export {
3413
3747
  KANBAN_LOOP_COMMAND,
3414
3748
  KANBAN_CHECK_COMMAND
3415
3749
  };
3416
- //# sourceMappingURL=chunk-4K3ERUGE.js.map
3750
+ //# sourceMappingURL=chunk-VWOXS4YP.js.map