@integrity-labs/agt-cli 0.27.22 → 0.27.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,7 +1,7 @@
1
1
  import {
2
2
  claudeModelAlias,
3
3
  isClaudeFastMode
4
- } from "./chunk-HT6EETEL.js";
4
+ } from "./chunk-6HFXSNNY.js";
5
5
  import {
6
6
  reapOrphanChannelMcps
7
7
  } from "./chunk-XWVM4KPK.js";
@@ -1125,4 +1125,4 @@ export {
1125
1125
  stopAllSessionsAndWait,
1126
1126
  getProjectDir
1127
1127
  };
1128
- //# sourceMappingURL=chunk-F4NG4EXD.js.map
1128
+ //# sourceMappingURL=chunk-JIETOJQV.js.map
@@ -9,7 +9,7 @@ import {
9
9
  parseDeliveryTarget,
10
10
  registerFramework,
11
11
  wrapScheduledTaskPrompt
12
- } from "./chunk-HT6EETEL.js";
12
+ } from "./chunk-6HFXSNNY.js";
13
13
 
14
14
  // ../../packages/core/dist/integrations/registry.js
15
15
  var INTEGRATION_REGISTRY = [
@@ -4851,20 +4851,12 @@ ${sections}`
4851
4851
  },
4852
4852
  writeChannelCredentials(codeName, channelId, config, options) {
4853
4853
  const tzEnv = options?.agentTimezone && options.agentTimezone.trim() !== "" ? { TZ: options.agentTimezone.trim() } : {};
4854
- const senderPolicyEnv = (() => {
4855
- const sp = options?.senderPolicy;
4856
- if (!sp)
4857
- return {};
4858
- return {
4859
- // Channel-specific var name to match what the consumer MCP reads;
4860
- // spread below selects the right one per channelId.
4861
- ...sp.mode === "team_agents_only" && sp.team_id ? { AGT_TEAM_ID: sp.team_id } : {},
4862
- // sentinel keys consumed by the per-channel spread below
4863
- _SENDER_POLICY_MODE: sp.mode
4864
- };
4865
- })();
4866
- const senderPolicyMode = senderPolicyEnv["_SENDER_POLICY_MODE"];
4867
- delete senderPolicyEnv["_SENDER_POLICY_MODE"];
4854
+ const senderPolicyMode = options?.senderPolicy?.mode;
4855
+ const senderPolicyTeamId = options?.senderPolicy?.mode === "team_agents_only" || options?.senderPolicy?.mode === "manager_only" ? options.senderPolicy.team_id : void 0;
4856
+ const slackPrincipalId = options?.senderPolicy?.mode === "manager_only" ? options.senderPolicy.principal?.slack_user_id : void 0;
4857
+ const teamsPrincipalId = options?.senderPolicy?.mode === "manager_only" ? options.senderPolicy.principal?.teams_aad_object_id : void 0;
4858
+ const senderPolicyInternalOnly = options?.senderPolicy?.internal_only === true;
4859
+ const senderPolicyEnv = senderPolicyTeamId ? { AGT_TEAM_ID: senderPolicyTeamId } : {};
4868
4860
  const agentDir = getAgentDir(codeName);
4869
4861
  mkdirSync4(agentDir, { recursive: true });
4870
4862
  const isPersistent = options?.sessionMode === "persistent";
@@ -5022,8 +5014,24 @@ ${sections}`
5022
5014
  // 'all' is the absence of the env var — same convention the
5023
5015
  // MCP filter uses on its own end).
5024
5016
  ...senderPolicyMode ? { SLACK_SENDER_POLICY: senderPolicyMode } : {},
5025
- ...senderPolicyEnv
5017
+ ...senderPolicyEnv,
5026
5018
  // AGT_TEAM_ID when team_agents_only
5019
+ // ENG-5842: principal ID for manager_only — Slack user_id from
5020
+ // people.contact_preferences.slack_user_id. Omitted when the
5021
+ // principal has no Slack ID; MCP filter fails closed on the
5022
+ // missing env var by dropping all human inbound.
5023
+ ...slackPrincipalId ? { SLACK_SENDER_POLICY_PRINCIPAL_ID: slackPrincipalId } : {},
5024
+ // ENG-5843: org-boundary gate. SLACK_INTERNAL_ONLY signals the
5025
+ // filter to check sender's workspace against SLACK_HOME_TEAM_ID
5026
+ // (sourced from the bot install's team_id, populated by
5027
+ // auth.test at install / first-run). Omitted unless explicitly
5028
+ // enabled — the consumer's env-absent default is "no gate".
5029
+ // When INTERNAL_ONLY is true but home team_id can't be
5030
+ // resolved (config['team_id'] not set on the install), the
5031
+ // MCP boot guard fails closed at startup rather than admitting
5032
+ // every sender as "internal".
5033
+ ...senderPolicyInternalOnly ? { SLACK_INTERNAL_ONLY: "true" } : {},
5034
+ ...senderPolicyInternalOnly && typeof config["team_id"] === "string" && config["team_id"].length > 0 ? { SLACK_HOME_TEAM_ID: config["team_id"] } : {}
5027
5035
  }
5028
5036
  };
5029
5037
  const provisionMcpPath = join4(agentDir, "provision", ".mcp.json");
@@ -5203,8 +5211,20 @@ ${sections}`
5203
5211
  // ENG-5841: MSTEAMS_SENDER_POLICY drives teams-inbound-filter.ts.
5204
5212
  // Mirrors the Slack branch above — only emitted when restrictive.
5205
5213
  ...senderPolicyMode ? { MSTEAMS_SENDER_POLICY: senderPolicyMode } : {},
5206
- ...senderPolicyEnv
5214
+ ...senderPolicyEnv,
5207
5215
  // AGT_TEAM_ID when team_agents_only
5216
+ // ENG-5842: principal ID for manager_only — Teams AAD object id from
5217
+ // people.contact_preferences.teams_aad_object_id. Same fail-closed
5218
+ // contract as the Slack branch above.
5219
+ ...teamsPrincipalId ? { MSTEAMS_SENDER_POLICY_PRINCIPAL_ID: teamsPrincipalId } : {},
5220
+ // ENG-5843: org-boundary gate. MSTEAMS_INTERNAL_ONLY + MSTEAMS_HOME_TENANT_ID
5221
+ // mirror the Slack pair. Source is the same tenantId the existing
5222
+ // MSTEAMS_TENANT_ID env var already carries — defaulting to "common"
5223
+ // would be wrong here (it'd admit any tenant), so we skip the
5224
+ // SLACK_HOME_TEAM_ID-equivalent emission when the install hasn't
5225
+ // pinned a real tenant. MCP boot guard fails closed.
5226
+ ...senderPolicyInternalOnly ? { MSTEAMS_INTERNAL_ONLY: "true" } : {},
5227
+ ...senderPolicyInternalOnly && tenantId !== "common" ? { MSTEAMS_HOME_TENANT_ID: tenantId } : {}
5208
5228
  };
5209
5229
  if (isPersistent && existsSync5(localTeamsChannel)) {
5210
5230
  mcpServers["msteams"] = {
@@ -6925,4 +6945,4 @@ export {
6925
6945
  managerInstallSystemUnitCommand,
6926
6946
  managerUninstallSystemUnitCommand
6927
6947
  };
6928
- //# sourceMappingURL=chunk-SUYULB5G.js.map
6948
+ //# sourceMappingURL=chunk-JNDNHPKT.js.map