@integrity-labs/agt-cli 0.27.150 → 0.27.152
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/bin/agt.js +4 -4
- package/dist/{chunk-CUHP2SVW.js → chunk-CPXNNR4W.js} +2 -2
- package/dist/{chunk-JLS7NQFE.js → chunk-FF37P4BH.js} +2 -2
- package/dist/{chunk-A75AOK6E.js → chunk-FZTGR2AQ.js} +153 -20
- package/dist/{chunk-A75AOK6E.js.map → chunk-FZTGR2AQ.js.map} +1 -1
- package/dist/{claude-pair-runtime-3ZIOY3Z5.js → claude-pair-runtime-VSUJJO67.js} +2 -2
- package/dist/lib/manager-worker.js +323 -139
- package/dist/lib/manager-worker.js.map +1 -1
- package/dist/mcp/augmented-admin.js +42 -4
- package/dist/{persistent-session-ZLEK4KBF.js → persistent-session-THI6WSPJ.js} +3 -3
- package/dist/{responsiveness-probe-3EUNCJDU.js → responsiveness-probe-UFF2EBGZ.js} +3 -3
- package/package.json +1 -1
- /package/dist/{chunk-CUHP2SVW.js.map → chunk-CPXNNR4W.js.map} +0 -0
- /package/dist/{chunk-JLS7NQFE.js.map → chunk-FF37P4BH.js.map} +0 -0
- /package/dist/{claude-pair-runtime-3ZIOY3Z5.js.map → claude-pair-runtime-VSUJJO67.js.map} +0 -0
- /package/dist/{persistent-session-ZLEK4KBF.js.map → persistent-session-THI6WSPJ.js.map} +0 -0
- /package/dist/{responsiveness-probe-3EUNCJDU.js.map → responsiveness-probe-UFF2EBGZ.js.map} +0 -0
|
@@ -21097,6 +21097,22 @@ var AdminDebugClient = class _AdminDebugClient {
|
|
|
21097
21097
|
listAlerts(args) {
|
|
21098
21098
|
return this.get("/admin/debug/alerts", _AdminDebugClient.cleanQuery(args));
|
|
21099
21099
|
}
|
|
21100
|
+
// ─────────────────── request-scoped customer grant (ENG-6279) ───────────────────
|
|
21101
|
+
/**
|
|
21102
|
+
* Open scoped READ access to a SELF-MANAGED customer org so the read tools can
|
|
21103
|
+
* reach it (ENG-6279). POSTs to /admin/debug/grants, which mints the short-TTL,
|
|
21104
|
+
* logged, customer-revocable read grant; the read tools then return that org's
|
|
21105
|
+
* data for the grant's lifetime. Reuses `post()` — same token + 401-re-exchange
|
|
21106
|
+
* flow as the reads. For an already-standing org (is_internal / fully_managed)
|
|
21107
|
+
* the API returns `{ already_authorized: true }` instead of minting a redundant
|
|
21108
|
+
* grant — not an error.
|
|
21109
|
+
*/
|
|
21110
|
+
requestAccess(args) {
|
|
21111
|
+
return this.post("/admin/debug/grants", {
|
|
21112
|
+
target_org_id: args.target_org_id,
|
|
21113
|
+
reason: args.reason
|
|
21114
|
+
});
|
|
21115
|
+
}
|
|
21100
21116
|
// ─────────────────────── remedial actions (ENG-6197) ───────────────────────
|
|
21101
21117
|
async post(path, body, retried = false) {
|
|
21102
21118
|
const token = await this.getValidToken();
|
|
@@ -21167,6 +21183,12 @@ var listAlertsSchema = external_exports.object({
|
|
|
21167
21183
|
open: external_exports.boolean().optional().describe("When true, only currently-open (unclosed) alerts."),
|
|
21168
21184
|
limit: limitSchema
|
|
21169
21185
|
});
|
|
21186
|
+
var requestAccessSchema = external_exports.object({
|
|
21187
|
+
target_org_id: external_exports.string().min(1).max(64).describe("UUID of the customer organization to open scoped read access to."),
|
|
21188
|
+
reason: external_exports.string().min(1).max(2e3).describe(
|
|
21189
|
+
"Why access is needed \u2014 recorded on the customer-visible access log and shown to the org when they review or revoke it. Be specific."
|
|
21190
|
+
)
|
|
21191
|
+
});
|
|
21170
21192
|
var requestActionSchema = external_exports.object({
|
|
21171
21193
|
action: external_exports.enum(["restart", "clear_pending_inbound"]).describe(
|
|
21172
21194
|
"The remedial action. restart = bounce the agent (reversible; backlog replays). clear_pending_inbound = move stuck pending-inbound markers aside (drops queued inbound messages; they are NOT reprocessed)."
|
|
@@ -21181,7 +21203,7 @@ var checkActionStatusSchema = external_exports.object({
|
|
|
21181
21203
|
// package.json
|
|
21182
21204
|
var package_default = {
|
|
21183
21205
|
name: "@integrity-labs/augmented-admin-mcp",
|
|
21184
|
-
version: "0.1.
|
|
21206
|
+
version: "0.1.1",
|
|
21185
21207
|
description: "Augmented Admin Debug \u2014 Integrity Labs staff-only MCP server for cross-org agent/host/integration/alert diagnostics. Thin client over the Augmented API's /admin/debug/* surface; authority + the diagnostic projection live server-side. ENG-6195.",
|
|
21186
21208
|
type: "module",
|
|
21187
21209
|
private: true,
|
|
@@ -21249,7 +21271,7 @@ function formatError2(err) {
|
|
|
21249
21271
|
var server = new McpServer({ name: "augmented-admin-mcp", version: package_default.version });
|
|
21250
21272
|
server.tool(
|
|
21251
21273
|
"debug_search_agents",
|
|
21252
|
-
"Search managed end-user agents across
|
|
21274
|
+
"Search managed end-user agents across authorized orgs for troubleshooting. Returns a diagnostic projection per agent (code_name, status, environment, risk_tier, org, heartbeat verdict) \u2014 never credentials or transcripts. Authorized = IL-owned + fully-managed orgs (standing) plus any self-managed org you hold an active grant for (see debug_request_access). Filter with { q, status, environment, limit }.",
|
|
21253
21275
|
searchAgentsSchema.shape,
|
|
21254
21276
|
async (args) => {
|
|
21255
21277
|
try {
|
|
@@ -21275,7 +21297,7 @@ server.tool(
|
|
|
21275
21297
|
);
|
|
21276
21298
|
server.tool(
|
|
21277
21299
|
"debug_search_hosts",
|
|
21278
|
-
"Search managed hosts across
|
|
21300
|
+
"Search managed hosts across authorized orgs. Returns a projection per host (name, org, status, framework version, last-seen verdict, EC2 + Claude auth status) \u2014 no api-key fingerprints or secrets. Filter with { q, status, limit }.",
|
|
21279
21301
|
searchHostsSchema.shape,
|
|
21280
21302
|
async (args) => {
|
|
21281
21303
|
try {
|
|
@@ -21288,7 +21310,7 @@ server.tool(
|
|
|
21288
21310
|
);
|
|
21289
21311
|
server.tool(
|
|
21290
21312
|
"debug_list_alerts",
|
|
21291
|
-
"List recent platform alerts across
|
|
21313
|
+
"List recent platform alerts across authorized orgs (host-down, agent-stale, probe-timeout, auth-failed), including NULL-team host alerts. Returns a projection per alert (kind, severity, message, source, open/closed state). Filter with { severity, open, limit }.",
|
|
21292
21314
|
listAlertsSchema.shape,
|
|
21293
21315
|
async (args) => {
|
|
21294
21316
|
try {
|
|
@@ -21299,6 +21321,22 @@ server.tool(
|
|
|
21299
21321
|
}
|
|
21300
21322
|
}
|
|
21301
21323
|
);
|
|
21324
|
+
server.tool(
|
|
21325
|
+
"debug_request_access",
|
|
21326
|
+
"Open scoped READ access to a SELF-MANAGED customer org so the read tools (debug_search_agents / debug_get_agent / debug_search_hosts / debug_list_alerts) can reach it. Use this when a read returns nothing for an org you have a legitimate support reason to troubleshoot. It mints a short-TTL, logged, customer-revocable read grant \u2014 the customer sees the access in their Support-access console and can revoke it, and it auto-expires; it does NOT grant any write/remedial capability. For an already-authorized org (Integrity-Labs-internal or fully-managed) this returns { already_authorized: true } instead of minting a redundant grant \u2014 just use the read tools. Pass { target_org_id, reason }; the reason is recorded verbatim on the customer-visible access log, so be specific.",
|
|
21327
|
+
requestAccessSchema.shape,
|
|
21328
|
+
async (args) => {
|
|
21329
|
+
try {
|
|
21330
|
+
const result = await client.requestAccess({
|
|
21331
|
+
target_org_id: args.target_org_id,
|
|
21332
|
+
reason: args.reason
|
|
21333
|
+
});
|
|
21334
|
+
return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
|
|
21335
|
+
} catch (err) {
|
|
21336
|
+
return { content: [{ type: "text", text: formatError2(err) }], isError: true };
|
|
21337
|
+
}
|
|
21338
|
+
}
|
|
21339
|
+
);
|
|
21302
21340
|
server.tool(
|
|
21303
21341
|
"request_action",
|
|
21304
21342
|
`Request a HITL-gated remedial action on a customer agent: "restart" (bounce the agent \u2014 reversible, backlog replays) or "clear_pending_inbound" (move stuck pending-inbound markers aside \u2014 drops queued inbound messages, NOT reprocessed). A HUMAN must approve in Slack before anything happens, and only if writes are armed for this stage; in shadow mode the approval runs but nothing executes. Returns { request_id, status, write_mode, notification_status }. Surface a brief, jargon-free note to the user (e.g. "I've asked an admin to approve restarting that agent"). Pass { action, target_agent_id, reason }.`,
|
|
@@ -25,8 +25,8 @@ import {
|
|
|
25
25
|
takeAcpxExecFailureCount,
|
|
26
26
|
takeZombieDetection,
|
|
27
27
|
writePersistentClaudeWrapper
|
|
28
|
-
} from "./chunk-
|
|
29
|
-
import "./chunk-
|
|
28
|
+
} from "./chunk-FF37P4BH.js";
|
|
29
|
+
import "./chunk-FZTGR2AQ.js";
|
|
30
30
|
import "./chunk-XWVM4KPK.js";
|
|
31
31
|
export {
|
|
32
32
|
SEND_KEYS_ENTER_DELAY_MS,
|
|
@@ -56,4 +56,4 @@ export {
|
|
|
56
56
|
takeZombieDetection,
|
|
57
57
|
writePersistentClaudeWrapper
|
|
58
58
|
};
|
|
59
|
-
//# sourceMappingURL=persistent-session-
|
|
59
|
+
//# sourceMappingURL=persistent-session-THI6WSPJ.js.map
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import {
|
|
2
2
|
paneLogPath
|
|
3
|
-
} from "./chunk-
|
|
4
|
-
import "./chunk-
|
|
3
|
+
} from "./chunk-FF37P4BH.js";
|
|
4
|
+
import "./chunk-FZTGR2AQ.js";
|
|
5
5
|
import "./chunk-XWVM4KPK.js";
|
|
6
6
|
|
|
7
7
|
// src/lib/responsiveness-probe.ts
|
|
@@ -154,4 +154,4 @@ export {
|
|
|
154
154
|
livePendingInboundOldestAgeSeconds,
|
|
155
155
|
oldestLivePendingInboundMtimeMs
|
|
156
156
|
};
|
|
157
|
-
//# sourceMappingURL=responsiveness-probe-
|
|
157
|
+
//# sourceMappingURL=responsiveness-probe-UFF2EBGZ.js.map
|
package/package.json
CHANGED
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|