npm - @integrity-labs/agt-cli - Versions diffs - 0.27.80 → 0.27.82 - Mend

@integrity-labs/agt-cli 0.27.80 → 0.27.82

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/{chunk-Y4INY5FA.js → chunk-AN5X6CN2.js} RENAMED Viewed

@@ -2421,6 +2421,7 @@ function formatLiteralSecretRejection(f) {
 // ../../packages/core/dist/provisioning/mcp-config-guards.js
 var MCP_FILE_MODE = 384;
+var lastRejectionFingerprintByPath = /* @__PURE__ */ new Map();
 var REQUIRED_ENV_RULES_BY_SERVER = {
   "cloud-broker": [
     { key: "AGT_HOST", mustBeConcrete: false },
@@ -2571,9 +2572,13 @@ function safeWriteMcpJson(path, config) {
   }
   const secretFindings = scanConfigForLiteralSecrets(config);
   if (secretFindings.length > 0) {
-    for (const f of secretFindings) {
-      process.stderr.write(`${formatLiteralSecretRejection(f)}
+    const fingerprint = secretFindings.map((f) => `${f.server}.${f.field}.${f.location}`).sort().join("|");
+    if (lastRejectionFingerprintByPath.get(path) !== fingerprint) {
+      lastRejectionFingerprintByPath.set(path, fingerprint);
+      for (const f of secretFindings) {
+        process.stderr.write(`${formatLiteralSecretRejection(f)}
 `);
+      }
     }
     return {
       written: false,
@@ -2584,6 +2589,7 @@ function safeWriteMcpJson(path, config) {
       }))
     };
   }
+  lastRejectionFingerprintByPath.delete(path);
   safeWriteJsonAtomic(path, JSON.stringify(config, null, 2), { mode: MCP_FILE_MODE });
   return { written: true, errors: [] };
 }
@@ -3935,6 +3941,63 @@ function writeEnvIntegrationsForAgent(codeName, args) {
 `);
   }
 }
+var MIGRATABLE_FIELD_TO_ENV_VAR = {
+  SLACK_BOT_TOKEN: "SLACK_BOT_TOKEN",
+  SLACK_APP_TOKEN: "SLACK_APP_TOKEN",
+  TELEGRAM_BOT_TOKEN: "TELEGRAM_BOT_TOKEN",
+  MSTEAMS_CLIENT_SECRET: "MSTEAMS_CLIENT_SECRET",
+  PIPEDREAM_CLIENT_SECRET: "PIPEDREAM_CLIENT_SECRET",
+  "x-api-key": "COMPOSIO_API_KEY",
+  AGT_API_KEY: "AGT_API_KEY"
+};
+function migrateExistingLiteralSecrets(codeName) {
+  const mcpJsonPath = join4(getAgentDir(codeName), "provision", ".mcp.json");
+  let config;
+  try {
+    config = JSON.parse(readFileSync5(mcpJsonPath, "utf-8"));
+  } catch {
+    return;
+  }
+  let existingEnvKeys = /* @__PURE__ */ new Set();
+  try {
+    existingEnvKeys = new Set(parseEnvFileEntries(readFileSync5(join4(getAgentDir(codeName), ".env.integrations"), "utf-8")).keys());
+  } catch {
+  }
+  const findings = scanConfigForLiteralSecrets(config);
+  if (findings.length === 0)
+    return;
+  const updates = {};
+  const unmapped = [];
+  let hoisted = 0;
+  for (const f of findings) {
+    const entry = config.mcpServers?.[f.server];
+    const block = f.location === "env" ? entry?.env : entry?.headers;
+    const envVar = MIGRATABLE_FIELD_TO_ENV_VAR[f.field];
+    const value = block?.[f.field];
+    if (!block || !envVar || typeof value !== "string") {
+      unmapped.push(`${f.server}.${f.field}`);
+      continue;
+    }
+    if (envVar !== "AGT_API_KEY" && !existingEnvKeys.has(envVar)) {
+      updates[envVar] = value;
+    }
+    block[f.field] = `\${${envVar}}`;
+    hoisted++;
+  }
+  if (hoisted === 0) {
+    process.stderr.write(`[mcp-migrate] [no-mappable-literals] agent=${codeName} unmapped=${unmapped.join(",")}
+`);
+    return;
+  }
+  if (Object.keys(updates).length > 0) {
+    writeEnvIntegrationsForAgent(codeName, { mode: "upsert", updates });
+  }
+  if (writeMcpJsonGuarded(codeName, mcpJsonPath, config)) {
+    syncMcpToProject(codeName);
+    process.stderr.write(`[mcp-migrate] [literals-hoisted] agent=${codeName} hoisted=${hoisted}${unmapped.length > 0 ? ` unmapped=${unmapped.join(",")}` : ""}
+`);
+  }
+}
 function assertValidCodeName(codeName) {
   if (!VALID_CODE_NAME.test(codeName)) {
     throw new Error(`Invalid agent code_name: "${codeName}". Must be kebab-case.`);
@@ -5783,6 +5846,12 @@ ${sections}`
     });
     return changed;
   },
+  // ENG-5901 PR 3: hoist pre-Track-D literal secrets out of the on-disk
+  // .mcp.json so the armed lint stops rejecting every incremental write.
+  // See migrateExistingLiteralSecrets for the full story.
+  migrateSecretStorage(codeName) {
+    migrateExistingLiteralSecrets(codeName);
+  },
   seedProfileConfig(codeName) {
     const agentDir = getAgentDir(codeName);
     const projectDir = getProjectDir(codeName);
@@ -7488,4 +7557,4 @@ export {
   managerInstallSystemUnitCommand,
   managerUninstallSystemUnitCommand
 };
-//# sourceMappingURL=chunk-Y4INY5FA.js.map
+//# sourceMappingURL=chunk-AN5X6CN2.js.map