@integrity-labs/agt-cli 0.25.1 → 0.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1008,6 +1008,33 @@ var CAPACITY_TABLE = {
1008
1008
  };
1009
1009
  var KNOWN_INSTANCE_TYPES = Object.keys(CAPACITY_TABLE);
1010
1010
 
1011
+ // ../../packages/core/dist/provisioning/ec2-pricing.js
1012
+ var HOURLY_BY_REGION = {
1013
+ "ap-southeast-2": {
1014
+ "t3.micro": 0.0132,
1015
+ "t3.small": 0.0264,
1016
+ "t3.medium": 0.0528,
1017
+ "t3.large": 0.1056,
1018
+ "t3.xlarge": 0.2112,
1019
+ "t3.2xlarge": 0.4224,
1020
+ // m6i — general-purpose; in-fleet as of 2026-05 (ENG-5652).
1021
+ "m6i.large": 0.12,
1022
+ "m6i.xlarge": 0.24
1023
+ },
1024
+ "us-east-1": {
1025
+ "t3.micro": 0.0104,
1026
+ "t3.small": 0.0208,
1027
+ "t3.medium": 0.0416,
1028
+ "t3.large": 0.0832,
1029
+ "t3.xlarge": 0.1664,
1030
+ "t3.2xlarge": 0.3328,
1031
+ // m6i — kept symmetric with ap-southeast-2 (ENG-5652).
1032
+ "m6i.large": 0.096,
1033
+ "m6i.xlarge": 0.192
1034
+ }
1035
+ };
1036
+ var KNOWN_PRICING_REGIONS = Object.keys(HOURLY_BY_REGION);
1037
+
1011
1038
  // ../../packages/core/dist/scheduled-tasks/suppress.js
1012
1039
  var SENTINEL_REGEX = /<no-delivery\/>/g;
1013
1040
  function classifyOutput(output) {
@@ -1055,9 +1082,6 @@ function formatRunMarker(runId) {
1055
1082
  }
1056
1083
  var RUN_MARKER_RE = /<!--\s*agt-run:([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\s*-->/;
1057
1084
 
1058
- // ../../packages/core/dist/loops/kanban-loop.js
1059
- var KANBAN_LOOP_COMMAND = "/loop 5m kanban_list \u2014 follow Kanban Work Policy.";
1060
-
1061
1085
  // ../../packages/core/dist/loops/kanban-check.js
1062
1086
  var KANBAN_CHECK_COMMAND = "kanban_list \u2014 pick up any actionable items if you are free.";
1063
1087
 
@@ -2946,6 +2970,302 @@ var ajv2 = new Ajv20202({ allErrors: true, strict: false });
2946
2970
  addFormats2(ajv2);
2947
2971
  var compiledMetaSchema = ajv2.compile(context_meta_schema_default);
2948
2972
 
2973
+ // ../../packages/core/dist/integrations/oauth-providers.js
2974
+ var OAUTH_PROVIDERS = {
2975
+ "google-workspace": {
2976
+ definitionId: "google-workspace",
2977
+ authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
2978
+ tokenUrl: "https://oauth2.googleapis.com/token",
2979
+ revokeUrl: "https://oauth2.googleapis.com/revoke",
2980
+ defaultScopes: [
2981
+ "https://www.googleapis.com/auth/gmail.modify",
2982
+ "https://www.googleapis.com/auth/calendar",
2983
+ "https://www.googleapis.com/auth/drive",
2984
+ "https://www.googleapis.com/auth/spreadsheets",
2985
+ "https://www.googleapis.com/auth/documents",
2986
+ "https://www.googleapis.com/auth/chat.messages",
2987
+ "https://www.googleapis.com/auth/chat.spaces.readonly"
2988
+ ],
2989
+ supportsRefresh: true,
2990
+ extraAuthorizeParams: {
2991
+ access_type: "offline",
2992
+ prompt: "consent"
2993
+ },
2994
+ clientAuthMethod: "body",
2995
+ userInfoUrl: "https://www.googleapis.com/oauth2/v2/userinfo"
2996
+ },
2997
+ "github": {
2998
+ definitionId: "github",
2999
+ authorizeUrl: "https://github.com/login/oauth/authorize",
3000
+ tokenUrl: "https://github.com/login/oauth/access_token",
3001
+ defaultScopes: ["repo", "read:org", "gist", "workflow"],
3002
+ supportsRefresh: true,
3003
+ extraAuthorizeParams: {},
3004
+ clientAuthMethod: "body",
3005
+ userInfoUrl: "https://api.github.com/user"
3006
+ },
3007
+ "granola": {
3008
+ // Granola MCP — remote streamable-HTTP at https://mcp.granola.ai/mcp.
3009
+ // The AS is at mcp-auth.granola.ai and exposes RFC 8414 metadata at
3010
+ // /.well-known/oauth-authorization-server. Auth is OAuth 2.0 with
3011
+ // mandatory PKCE (S256) and a public client (no client_secret) issued
3012
+ // via Dynamic Client Registration (RFC 7591). The bootstrap script
3013
+ // (`packages/api/scripts/dcr-register.ts`) registers a client once at
3014
+ // deploy time; OAUTH_GRANOLA_CLIENT_ID is set from its output.
3015
+ definitionId: "granola",
3016
+ authorizeUrl: "https://mcp-auth.granola.ai/oauth2/authorize",
3017
+ tokenUrl: "https://mcp-auth.granola.ai/oauth2/token",
3018
+ // Minimal scope set: `offline_access` earns the refresh_token so the
3019
+ // refresh cron can rotate the bearer without operator action; `openid`
3020
+ // is required for the OIDC code flow even when we don't request an
3021
+ // id_token. Profile/email are intentionally omitted — we have no
3022
+ // userInfoUrl wired up here, so requesting them would over-ask consent
3023
+ // for fields the callback can't read.
3024
+ defaultScopes: ["openid", "offline_access"],
3025
+ supportsRefresh: true,
3026
+ extraAuthorizeParams: {},
3027
+ clientAuthMethod: "body",
3028
+ pkce: "S256",
3029
+ publicClient: true,
3030
+ mcpUrl: "https://mcp.granola.ai/mcp"
3031
+ },
3032
+ "notion-cli": {
3033
+ // Notion's public OAuth app. Tokens are workspace-scoped and long-lived —
3034
+ // Notion does not issue refresh_tokens, so `supportsRefresh: false` and
3035
+ // the refresh cron skips this provider entirely. Scopes are not part of
3036
+ // Notion's authorize URL contract; consent is governed by what the user
3037
+ // grants in the OAuth screen, so `defaultScopes` stays empty.
3038
+ // `owner=user` forces the user-OAuth variant (vs internal integration).
3039
+ // Requires OAUTH_NOTION_CLI_CLIENT_ID and OAUTH_NOTION_CLI_CLIENT_SECRET.
3040
+ definitionId: "notion-cli",
3041
+ authorizeUrl: "https://api.notion.com/v1/oauth/authorize",
3042
+ tokenUrl: "https://api.notion.com/v1/oauth/token",
3043
+ defaultScopes: [],
3044
+ supportsRefresh: false,
3045
+ extraAuthorizeParams: {
3046
+ owner: "user"
3047
+ },
3048
+ clientAuthMethod: "basic"
3049
+ },
3050
+ "xero": {
3051
+ definitionId: "xero",
3052
+ authorizeUrl: "https://login.xero.com/identity/connect/authorize",
3053
+ tokenUrl: "https://identity.xero.com/connect/token",
3054
+ revokeUrl: "https://identity.xero.com/connect/revocation",
3055
+ defaultScopes: [
3056
+ "openid",
3057
+ "profile",
3058
+ "email",
3059
+ "offline_access",
3060
+ // Granular scopes (required for apps created after March 2, 2026 —
3061
+ // do NOT revert to the broad `accounting.transactions` /
3062
+ // `accounting.contacts` scopes, Xero rejects the manifest).
3063
+ // The variant *without* `.read` is the read+write granular scope.
3064
+ "accounting.settings.read",
3065
+ // contacts: write enables agent-driven supplier/customer creation
3066
+ // (required for bill creation since a bill must reference a contact).
3067
+ "accounting.contacts",
3068
+ // invoices: write enables bill creation (Type=ACCPAY invoices) and
3069
+ // updates to sales invoices alongside the existing read access.
3070
+ "accounting.invoices",
3071
+ // attachments: write enables agents to attach the source PDF to a
3072
+ // bill at creation time. Read-only would force a follow-up manual
3073
+ // upload in Xero; write closes the loop.
3074
+ "accounting.attachments",
3075
+ // accounting.transactions.read → granular read-only replacements
3076
+ // for the surfaces we don't yet need write access on.
3077
+ "accounting.payments.read",
3078
+ "accounting.banktransactions.read",
3079
+ "accounting.manualjournals.read",
3080
+ // accounting.reports.read → granular read-only replacements
3081
+ "accounting.reports.balancesheet.read",
3082
+ "accounting.reports.profitandloss.read",
3083
+ "accounting.reports.trialbalance.read",
3084
+ "accounting.reports.budgetsummary.read",
3085
+ "accounting.reports.banksummary.read",
3086
+ "accounting.reports.executivesummary.read",
3087
+ "accounting.reports.aged.read"
3088
+ ],
3089
+ supportsRefresh: true,
3090
+ extraAuthorizeParams: {},
3091
+ clientAuthMethod: "basic",
3092
+ userInfoUrl: "https://api.xero.com/connections"
3093
+ }
3094
+ };
3095
+ function getOAuthProvider(definitionId) {
3096
+ return OAUTH_PROVIDERS[definitionId];
3097
+ }
3098
+
3099
+ // ../../packages/core/dist/integrations/connectivity-probe.js
3100
+ var HTTP_PROBE_PROVIDERS = /* @__PURE__ */ new Set([
3101
+ "linear",
3102
+ "google-workspace",
3103
+ "xero",
3104
+ "v0"
3105
+ ]);
3106
+ var CLI_PROBE_ARGS = {
3107
+ gcloud: ["version"]
3108
+ // most CLIs respond to --version; override here only when they don't.
3109
+ };
3110
+ function cliArgsFor(definitionId) {
3111
+ return CLI_PROBE_ARGS[definitionId] ?? ["--version"];
3112
+ }
3113
+ function resolveConnectivityProbe(input) {
3114
+ const { definitionId, sourceType, authType } = input;
3115
+ if (authType === "managed" || sourceType === "managed") {
3116
+ return {
3117
+ kind: "composio_account",
3118
+ sourceType: "managed",
3119
+ readOnly: true,
3120
+ label: `${definitionId}: connected-account check`,
3121
+ centralReachable: true
3122
+ };
3123
+ }
3124
+ if (HTTP_PROBE_PROVIDERS.has(definitionId)) {
3125
+ return {
3126
+ kind: "http_provider",
3127
+ sourceType: sourceType ?? "mcp_server",
3128
+ readOnly: true,
3129
+ label: `${definitionId}: read-only API check`,
3130
+ centralReachable: true,
3131
+ httpProvider: definitionId
3132
+ };
3133
+ }
3134
+ if (getOAuthProvider(definitionId)?.mcpUrl) {
3135
+ return {
3136
+ kind: "mcp_tools_list",
3137
+ sourceType: sourceType ?? "mcp_server",
3138
+ readOnly: true,
3139
+ label: `${definitionId}: MCP tools/list`,
3140
+ centralReachable: false
3141
+ };
3142
+ }
3143
+ switch (sourceType) {
3144
+ case "mcp_server":
3145
+ return {
3146
+ kind: "mcp_tools_list",
3147
+ sourceType: "mcp_server",
3148
+ readOnly: true,
3149
+ label: `${definitionId}: MCP tools/list`,
3150
+ centralReachable: false
3151
+ };
3152
+ case "cli_tool":
3153
+ return {
3154
+ kind: "cli_command",
3155
+ sourceType: "cli_tool",
3156
+ readOnly: true,
3157
+ label: `${definitionId}: CLI reachability`,
3158
+ centralReachable: false,
3159
+ cliArgs: cliArgsFor(definitionId)
3160
+ };
3161
+ case "native":
3162
+ return {
3163
+ kind: "builtin",
3164
+ sourceType: "native",
3165
+ readOnly: true,
3166
+ label: `${definitionId}: built-in check`,
3167
+ centralReachable: false
3168
+ };
3169
+ default:
3170
+ return {
3171
+ kind: "unsupported",
3172
+ sourceType: sourceType ?? "native",
3173
+ readOnly: true,
3174
+ label: `${definitionId}: no connectivity probe available`,
3175
+ centralReachable: false
3176
+ };
3177
+ }
3178
+ }
3179
+
3180
+ // ../../packages/core/dist/integrations/connectivity-http-probes.js
3181
+ var PROBE_TIMEOUT_MS = 1e4;
3182
+ async function timedFetch(fetchImpl, url, init) {
3183
+ const controller = new AbortController();
3184
+ const timer = setTimeout(() => controller.abort(), PROBE_TIMEOUT_MS);
3185
+ try {
3186
+ return await fetchImpl(url, { ...init, signal: controller.signal });
3187
+ } finally {
3188
+ clearTimeout(timer);
3189
+ }
3190
+ }
3191
+ function statusForHttp(httpStatus) {
3192
+ if (httpStatus === 401 || httpStatus === 403)
3193
+ return "down";
3194
+ if (httpStatus >= 500)
3195
+ return "transient_error";
3196
+ return "down";
3197
+ }
3198
+ function networkOutcome(err) {
3199
+ const isAbort = err?.name === "AbortError";
3200
+ return {
3201
+ status: "transient_error",
3202
+ message: isAbort ? `Connection timed out after ${PROBE_TIMEOUT_MS / 1e3}s` : `Connection failed: ${err.message}`
3203
+ };
3204
+ }
3205
+ async function probeLinear(creds, fetchImpl) {
3206
+ const key = creds.api_key ?? creds.access_token;
3207
+ if (!key)
3208
+ return { status: "down", message: "No Linear credential present" };
3209
+ try {
3210
+ const res = await timedFetch(fetchImpl, "https://api.linear.app/graphql", {
3211
+ method: "POST",
3212
+ headers: { "Content-Type": "application/json", Authorization: String(key) },
3213
+ body: JSON.stringify({ query: "{ viewer { id name email } }" })
3214
+ });
3215
+ if (!res.ok)
3216
+ return { status: statusForHttp(res.status), message: `Linear API returned ${res.status}` };
3217
+ const body = await res.json();
3218
+ if (body.errors?.length)
3219
+ return { status: "down", message: body.errors[0]?.message ?? "Unknown Linear error" };
3220
+ const viewer = body.data?.viewer;
3221
+ if (!viewer)
3222
+ return { status: "down", message: "Invalid key \u2014 no viewer returned" };
3223
+ return { status: "ok", message: `Connected as ${viewer.name ?? viewer.email ?? "unknown"}` };
3224
+ } catch (err) {
3225
+ return networkOutcome(err);
3226
+ }
3227
+ }
3228
+ async function probeBearerJson(url, creds, fetchImpl, interpret) {
3229
+ const token = creds.access_token ?? creds.api_key;
3230
+ if (!token)
3231
+ return { status: "down", message: "No credential present" };
3232
+ try {
3233
+ const res = await timedFetch(fetchImpl, url, { headers: { Authorization: `Bearer ${token}` } });
3234
+ if (!res.ok) {
3235
+ const message = res.status === 401 ? "Token expired or revoked \u2014 reconnect required" : `API returned ${res.status}`;
3236
+ return { status: statusForHttp(res.status), message };
3237
+ }
3238
+ return interpret(await res.json());
3239
+ } catch (err) {
3240
+ return networkOutcome(err);
3241
+ }
3242
+ }
3243
+ async function probeHttpProvider(definitionId, credentials, fetchImpl = fetch) {
3244
+ switch (definitionId) {
3245
+ case "linear":
3246
+ return probeLinear(credentials, fetchImpl);
3247
+ case "google-workspace":
3248
+ return probeBearerJson("https://www.googleapis.com/oauth2/v2/userinfo", credentials, fetchImpl, (body) => {
3249
+ const info = body;
3250
+ return { status: "ok", message: `Connected as ${info.name ?? info.email ?? "unknown"}` };
3251
+ });
3252
+ case "xero":
3253
+ return probeBearerJson("https://api.xero.com/connections", credentials, fetchImpl, (body) => {
3254
+ const conns = body ?? [];
3255
+ if (!conns.length)
3256
+ return { status: "down", message: "No Xero organisations connected" };
3257
+ return { status: "ok", message: `Connected to ${conns[0]?.tenantName ?? "Xero"}` };
3258
+ });
3259
+ case "v0":
3260
+ return probeBearerJson("https://api.v0.dev/v1/user", credentials, fetchImpl, (body) => {
3261
+ const user = body;
3262
+ return { status: "ok", message: `Connected as ${user.name ?? user.email ?? "unknown"}` };
3263
+ });
3264
+ default:
3265
+ return null;
3266
+ }
3267
+ }
3268
+
2949
3269
  // ../../packages/core/dist/drift/comparators.js
2950
3270
  function compareToolPolicy(expected, actual) {
2951
3271
  const findings = [];
@@ -3366,6 +3686,14 @@ function attributeTranscriptUsageByRun(jsonl) {
3366
3686
  return { perRunModel: [...agg.values()], runIds: [...runIds] };
3367
3687
  }
3368
3688
 
3689
+ // ../../packages/core/dist/conversations/metrics.js
3690
+ var PERIOD_CONFIG = {
3691
+ "24h": { windowMs: 24 * 60 * 60 * 1e3, bucket: "hour" },
3692
+ "7d": { windowMs: 7 * 24 * 60 * 60 * 1e3, bucket: "day" },
3693
+ "30d": { windowMs: 30 * 24 * 60 * 60 * 1e3, bucket: "day" }
3694
+ };
3695
+ var CONVERSATION_METRICS_PERIODS = Object.keys(PERIOD_CONFIG);
3696
+
3369
3697
  export {
3370
3698
  wrapScheduledTaskPrompt,
3371
3699
  parseDeliveryTarget,
@@ -3382,6 +3710,7 @@ export {
3382
3710
  CHANNEL_REGISTRY,
3383
3711
  getChannel,
3384
3712
  getAllChannelIds,
3713
+ OAUTH_PROVIDERS,
3385
3714
  formatActorId,
3386
3715
  isSelfCompletion,
3387
3716
  classifyActor,
@@ -3403,6 +3732,8 @@ export {
3403
3732
  renderTemplate,
3404
3733
  DEPLOYMENT_TEMPLATES,
3405
3734
  getTemplate,
3735
+ resolveConnectivityProbe,
3736
+ probeHttpProvider,
3406
3737
  detectDrift,
3407
3738
  classifyOutput,
3408
3739
  parseUsageBanner,
@@ -3410,7 +3741,6 @@ export {
3410
3741
  parseTranscriptUsage,
3411
3742
  isEmptyTotals,
3412
3743
  attributeTranscriptUsageByRun,
3413
- KANBAN_LOOP_COMMAND,
3414
3744
  KANBAN_CHECK_COMMAND
3415
3745
  };
3416
- //# sourceMappingURL=chunk-4K3ERUGE.js.map
3746
+ //# sourceMappingURL=chunk-YMIDZT5T.js.map