@integrity-labs/agt-cli 0.27.150 → 0.27.152

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -21097,6 +21097,22 @@ var AdminDebugClient = class _AdminDebugClient {
21097
21097
  listAlerts(args) {
21098
21098
  return this.get("/admin/debug/alerts", _AdminDebugClient.cleanQuery(args));
21099
21099
  }
21100
+ // ─────────────────── request-scoped customer grant (ENG-6279) ───────────────────
21101
+ /**
21102
+ * Open scoped READ access to a SELF-MANAGED customer org so the read tools can
21103
+ * reach it (ENG-6279). POSTs to /admin/debug/grants, which mints the short-TTL,
21104
+ * logged, customer-revocable read grant; the read tools then return that org's
21105
+ * data for the grant's lifetime. Reuses `post()` — same token + 401-re-exchange
21106
+ * flow as the reads. For an already-standing org (is_internal / fully_managed)
21107
+ * the API returns `{ already_authorized: true }` instead of minting a redundant
21108
+ * grant — not an error.
21109
+ */
21110
+ requestAccess(args) {
21111
+ return this.post("/admin/debug/grants", {
21112
+ target_org_id: args.target_org_id,
21113
+ reason: args.reason
21114
+ });
21115
+ }
21100
21116
  // ─────────────────────── remedial actions (ENG-6197) ───────────────────────
21101
21117
  async post(path, body, retried = false) {
21102
21118
  const token = await this.getValidToken();
@@ -21167,6 +21183,12 @@ var listAlertsSchema = external_exports.object({
21167
21183
  open: external_exports.boolean().optional().describe("When true, only currently-open (unclosed) alerts."),
21168
21184
  limit: limitSchema
21169
21185
  });
21186
+ var requestAccessSchema = external_exports.object({
21187
+ target_org_id: external_exports.string().min(1).max(64).describe("UUID of the customer organization to open scoped read access to."),
21188
+ reason: external_exports.string().min(1).max(2e3).describe(
21189
+ "Why access is needed \u2014 recorded on the customer-visible access log and shown to the org when they review or revoke it. Be specific."
21190
+ )
21191
+ });
21170
21192
  var requestActionSchema = external_exports.object({
21171
21193
  action: external_exports.enum(["restart", "clear_pending_inbound"]).describe(
21172
21194
  "The remedial action. restart = bounce the agent (reversible; backlog replays). clear_pending_inbound = move stuck pending-inbound markers aside (drops queued inbound messages; they are NOT reprocessed)."
@@ -21181,7 +21203,7 @@ var checkActionStatusSchema = external_exports.object({
21181
21203
  // package.json
21182
21204
  var package_default = {
21183
21205
  name: "@integrity-labs/augmented-admin-mcp",
21184
- version: "0.1.0",
21206
+ version: "0.1.1",
21185
21207
  description: "Augmented Admin Debug \u2014 Integrity Labs staff-only MCP server for cross-org agent/host/integration/alert diagnostics. Thin client over the Augmented API's /admin/debug/* surface; authority + the diagnostic projection live server-side. ENG-6195.",
21186
21208
  type: "module",
21187
21209
  private: true,
@@ -21249,7 +21271,7 @@ function formatError2(err) {
21249
21271
  var server = new McpServer({ name: "augmented-admin-mcp", version: package_default.version });
21250
21272
  server.tool(
21251
21273
  "debug_search_agents",
21252
- "Search managed end-user agents across all orgs for troubleshooting. Returns a diagnostic projection per agent (code_name, status, environment, risk_tier, org, heartbeat verdict) \u2014 never credentials or transcripts. Filter with { q, status, environment, limit }.",
21274
+ "Search managed end-user agents across authorized orgs for troubleshooting. Returns a diagnostic projection per agent (code_name, status, environment, risk_tier, org, heartbeat verdict) \u2014 never credentials or transcripts. Authorized = IL-owned + fully-managed orgs (standing) plus any self-managed org you hold an active grant for (see debug_request_access). Filter with { q, status, environment, limit }.",
21253
21275
  searchAgentsSchema.shape,
21254
21276
  async (args) => {
21255
21277
  try {
@@ -21275,7 +21297,7 @@ server.tool(
21275
21297
  );
21276
21298
  server.tool(
21277
21299
  "debug_search_hosts",
21278
- "Search managed hosts across all orgs. Returns a projection per host (name, org, status, framework version, last-seen verdict, EC2 + Claude auth status) \u2014 no api-key fingerprints or secrets. Filter with { q, status, limit }.",
21300
+ "Search managed hosts across authorized orgs. Returns a projection per host (name, org, status, framework version, last-seen verdict, EC2 + Claude auth status) \u2014 no api-key fingerprints or secrets. Filter with { q, status, limit }.",
21279
21301
  searchHostsSchema.shape,
21280
21302
  async (args) => {
21281
21303
  try {
@@ -21288,7 +21310,7 @@ server.tool(
21288
21310
  );
21289
21311
  server.tool(
21290
21312
  "debug_list_alerts",
21291
- "List recent platform alerts across all orgs (host-down, agent-stale, probe-timeout, auth-failed), including NULL-team host alerts. Returns a projection per alert (kind, severity, message, source, open/closed state). Filter with { severity, open, limit }.",
21313
+ "List recent platform alerts across authorized orgs (host-down, agent-stale, probe-timeout, auth-failed), including NULL-team host alerts. Returns a projection per alert (kind, severity, message, source, open/closed state). Filter with { severity, open, limit }.",
21292
21314
  listAlertsSchema.shape,
21293
21315
  async (args) => {
21294
21316
  try {
@@ -21299,6 +21321,22 @@ server.tool(
21299
21321
  }
21300
21322
  }
21301
21323
  );
21324
+ server.tool(
21325
+ "debug_request_access",
21326
+ "Open scoped READ access to a SELF-MANAGED customer org so the read tools (debug_search_agents / debug_get_agent / debug_search_hosts / debug_list_alerts) can reach it. Use this when a read returns nothing for an org you have a legitimate support reason to troubleshoot. It mints a short-TTL, logged, customer-revocable read grant \u2014 the customer sees the access in their Support-access console and can revoke it, and it auto-expires; it does NOT grant any write/remedial capability. For an already-authorized org (Integrity-Labs-internal or fully-managed) this returns { already_authorized: true } instead of minting a redundant grant \u2014 just use the read tools. Pass { target_org_id, reason }; the reason is recorded verbatim on the customer-visible access log, so be specific.",
21327
+ requestAccessSchema.shape,
21328
+ async (args) => {
21329
+ try {
21330
+ const result = await client.requestAccess({
21331
+ target_org_id: args.target_org_id,
21332
+ reason: args.reason
21333
+ });
21334
+ return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
21335
+ } catch (err) {
21336
+ return { content: [{ type: "text", text: formatError2(err) }], isError: true };
21337
+ }
21338
+ }
21339
+ );
21302
21340
  server.tool(
21303
21341
  "request_action",
21304
21342
  `Request a HITL-gated remedial action on a customer agent: "restart" (bounce the agent \u2014 reversible, backlog replays) or "clear_pending_inbound" (move stuck pending-inbound markers aside \u2014 drops queued inbound messages, NOT reprocessed). A HUMAN must approve in Slack before anything happens, and only if writes are armed for this stage; in shadow mode the approval runs but nothing executes. Returns { request_id, status, write_mode, notification_status }. Surface a brief, jargon-free note to the user (e.g. "I've asked an admin to approve restarting that agent"). Pass { action, target_agent_id, reason }.`,
@@ -25,8 +25,8 @@ import {
25
25
  takeAcpxExecFailureCount,
26
26
  takeZombieDetection,
27
27
  writePersistentClaudeWrapper
28
- } from "./chunk-JLS7NQFE.js";
29
- import "./chunk-A75AOK6E.js";
28
+ } from "./chunk-FF37P4BH.js";
29
+ import "./chunk-FZTGR2AQ.js";
30
30
  import "./chunk-XWVM4KPK.js";
31
31
  export {
32
32
  SEND_KEYS_ENTER_DELAY_MS,
@@ -56,4 +56,4 @@ export {
56
56
  takeZombieDetection,
57
57
  writePersistentClaudeWrapper
58
58
  };
59
- //# sourceMappingURL=persistent-session-ZLEK4KBF.js.map
59
+ //# sourceMappingURL=persistent-session-THI6WSPJ.js.map
@@ -1,7 +1,7 @@
1
1
  import {
2
2
  paneLogPath
3
- } from "./chunk-JLS7NQFE.js";
4
- import "./chunk-A75AOK6E.js";
3
+ } from "./chunk-FF37P4BH.js";
4
+ import "./chunk-FZTGR2AQ.js";
5
5
  import "./chunk-XWVM4KPK.js";
6
6
 
7
7
  // src/lib/responsiveness-probe.ts
@@ -154,4 +154,4 @@ export {
154
154
  livePendingInboundOldestAgeSeconds,
155
155
  oldestLivePendingInboundMtimeMs
156
156
  };
157
- //# sourceMappingURL=responsiveness-probe-3EUNCJDU.js.map
157
+ //# sourceMappingURL=responsiveness-probe-UFF2EBGZ.js.map
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@integrity-labs/agt-cli",
3
- "version": "0.27.150",
3
+ "version": "0.27.152",
4
4
  "description": "Augmented Team CLI — agent provisioning and management",
5
5
  "type": "module",
6
6
  "engines": {