@integrity-labs/agt-cli 0.27.81 → 0.27.83

package/dist/{chunk-CGUXKOUF.js → chunk-HTXXJBB7.js}

@@ -2369,8 +2369,12 @@ var LITERAL_SECRET_PATTERNS = [
   { name: "agt_host_api_key", re: /^tlk_/ },
   // Composio / generic api-key prefix — `ak_<...>`
   { name: "composio_api_key", re: /^ak_/ },
-  // Telegram bot token — `<10-digit bot id>:AAE<...>` (BotFather format).
-  { name: "telegram_bot_token", re: /^\d{10}:AAE/ },
+  // Telegram bot token — `<bot id>:AA<...>` (BotFather format). ENG-5901
+  // PR 4: the original `\d{10}:AAE` (from the issue AC) was too narrow —
+  // live tokens on agt-aws-1 carry `AA` + a varying third character
+  // (don/scout/stirling all had AA-not-E tokens the lint and migration
+  // missed). Bot ids are 8–12 digits; the token part always starts `AA`.
+  { name: "telegram_bot_token", re: /^\d{8,12}:AA[A-Za-z0-9_-]/ },
   // ENG-5901 extension beyond the original AC's five patterns: a literal
   // JWT (`eyJ...`) is the shape of a leaked AGT_API_KEY, which the
   // value-prefix patterns above would otherwise miss. Header values often
@@ -2421,6 +2425,7 @@ function formatLiteralSecretRejection(f) {
 
 // ../../packages/core/dist/provisioning/mcp-config-guards.js
 var MCP_FILE_MODE = 384;
+var lastRejectionFingerprintByPath = /* @__PURE__ */ new Map();
 var REQUIRED_ENV_RULES_BY_SERVER = {
   "cloud-broker": [
     { key: "AGT_HOST", mustBeConcrete: false },
@@ -2571,9 +2576,13 @@ function safeWriteMcpJson(path, config) {
   }
   const secretFindings = scanConfigForLiteralSecrets(config);
   if (secretFindings.length > 0) {
-    for (const f of secretFindings) {
-      process.stderr.write(`${formatLiteralSecretRejection(f)}
+    const fingerprint = secretFindings.map((f) => `${f.server}.${f.field}.${f.location}`).sort().join("|");
+    if (lastRejectionFingerprintByPath.get(path) !== fingerprint) {
+      lastRejectionFingerprintByPath.set(path, fingerprint);
+      for (const f of secretFindings) {
+        process.stderr.write(`${formatLiteralSecretRejection(f)}
 `);
+      }
     }
     return {
       written: false,
@@ -2584,6 +2593,7 @@ function safeWriteMcpJson(path, config) {
       }))
     };
   }
+  lastRejectionFingerprintByPath.delete(path);
   safeWriteJsonAtomic(path, JSON.stringify(config, null, 2), { mode: MCP_FILE_MODE });
   return { written: true, errors: [] };
 }
@@ -3935,6 +3945,66 @@ function writeEnvIntegrationsForAgent(codeName, args) {
 `);
   }
 }
+var MIGRATABLE_FIELD_TO_ENV_VAR = {
+  SLACK_BOT_TOKEN: "SLACK_BOT_TOKEN",
+  SLACK_APP_TOKEN: "SLACK_APP_TOKEN",
+  TELEGRAM_BOT_TOKEN: "TELEGRAM_BOT_TOKEN",
+  MSTEAMS_CLIENT_SECRET: "MSTEAMS_CLIENT_SECRET",
+  PIPEDREAM_CLIENT_SECRET: "PIPEDREAM_CLIENT_SECRET",
+  "x-api-key": "COMPOSIO_API_KEY",
+  AGT_API_KEY: "AGT_API_KEY"
+};
+function migrateExistingLiteralSecrets(codeName) {
+  const mcpJsonPath = join4(getAgentDir(codeName), "provision", ".mcp.json");
+  let config;
+  try {
+    config = JSON.parse(readFileSync5(mcpJsonPath, "utf-8"));
+  } catch {
+    return;
+  }
+  let existingEnvKeys = /* @__PURE__ */ new Set();
+  try {
+    existingEnvKeys = new Set(parseEnvFileEntries(readFileSync5(join4(getAgentDir(codeName), ".env.integrations"), "utf-8")).keys());
+  } catch {
+  }
+  const updates = {};
+  let hoisted = 0;
+  for (const raw of Object.values(config.mcpServers ?? {})) {
+    if (typeof raw !== "object" || raw === null)
+      continue;
+    const entry = raw;
+    for (const block of [entry.env, entry.headers]) {
+      if (!block)
+        continue;
+      for (const [field, envVar] of Object.entries(MIGRATABLE_FIELD_TO_ENV_VAR)) {
+        const value = block[field];
+        if (typeof value !== "string" || value.length === 0 || value.includes("${"))
+          continue;
+        if (envVar !== "AGT_API_KEY" && !existingEnvKeys.has(envVar)) {
+          updates[envVar] = value;
+        }
+        block[field] = `\${${envVar}}`;
+        hoisted++;
+      }
+    }
+  }
+  const unmapped = scanConfigForLiteralSecrets(config).map((f) => `${f.server}.${f.field}`);
+  if (hoisted === 0 && unmapped.length === 0)
+    return;
+  if (hoisted === 0) {
+    process.stderr.write(`[mcp-migrate] [no-mappable-literals] agent=${codeName} unmapped=${unmapped.join(",")}
+`);
+    return;
+  }
+  if (Object.keys(updates).length > 0) {
+    writeEnvIntegrationsForAgent(codeName, { mode: "upsert", updates });
+  }
+  if (writeMcpJsonGuarded(codeName, mcpJsonPath, config)) {
+    syncMcpToProject(codeName);
+    process.stderr.write(`[mcp-migrate] [literals-hoisted] agent=${codeName} hoisted=${hoisted}${unmapped.length > 0 ? ` unmapped=${unmapped.join(",")}` : ""}
+`);
+  }
+}
 function assertValidCodeName(codeName) {
   if (!VALID_CODE_NAME.test(codeName)) {
     throw new Error(`Invalid agent code_name: "${codeName}". Must be kebab-case.`);
@@ -5783,6 +5853,12 @@ ${sections}`
     });
     return changed;
   },
+  // ENG-5901 PR 3: hoist pre-Track-D literal secrets out of the on-disk
+  // .mcp.json so the armed lint stops rejecting every incremental write.
+  // See migrateExistingLiteralSecrets for the full story.
+  migrateSecretStorage(codeName) {
+    migrateExistingLiteralSecrets(codeName);
+  },
   seedProfileConfig(codeName) {
     const agentDir = getAgentDir(codeName);
     const projectDir = getProjectDir(codeName);
@@ -7488,4 +7564,4 @@ export {
   managerInstallSystemUnitCommand,
   managerUninstallSystemUnitCommand
 };
-//# sourceMappingURL=chunk-CGUXKOUF.js.map
+//# sourceMappingURL=chunk-HTXXJBB7.js.map