npm - @integrity-labs/agt-cli - Versions diffs - 0.28.162 → 0.28.163 - Mend

@integrity-labs/agt-cli 0.28.162 → 0.28.163

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/{chunk-MNW2HVGO.js → chunk-OW6ERQHP.js} RENAMED Viewed

@@ -3,7 +3,7 @@ import {
   formatMissingVar,
   isClaudeFastMode,
   probeMcpEnvSubstitution
-} from "./chunk-U6HS4U7L.js";
+} from "./chunk-MTKFDGXO.js";
 import {
   reapOrphanChannelMcps
 } from "./chunk-XWVM4KPK.js";
@@ -1588,4 +1588,4 @@ export {
   stopAllSessionsAndWait,
   getProjectDir
 };
-//# sourceMappingURL=chunk-MNW2HVGO.js.map
+//# sourceMappingURL=chunk-OW6ERQHP.js.map

package/dist/{claude-pair-runtime-PJ4OZ3DE.js → claude-pair-runtime-WEKLV5X5.js} RENAMED Viewed

@@ -100,7 +100,7 @@ async function spawnPairSession(session) {
     return { ok: true };
   } catch {
   }
-  const { resolveClaudeBinary } = await import("./persistent-session-T7Q53HW5.js");
+  const { resolveClaudeBinary } = await import("./persistent-session-3ACIT7F5.js");
   const claudeBin = resolveClaudeBinary();
   const pairEnv = {
     ...process.env,
@@ -373,4 +373,4 @@ export {
   startClaudePair,
   submitClaudePairCode
 };
-//# sourceMappingURL=claude-pair-runtime-PJ4OZ3DE.js.map
+//# sourceMappingURL=claude-pair-runtime-WEKLV5X5.js.map

package/dist/lib/manager-worker.js CHANGED Viewed

@@ -28,7 +28,7 @@ import {
   requireHost,
   safeWriteJsonAtomic,
   setConfigHash
-} from "../chunk-G6NDQYBC.js";
+} from "../chunk-BEUGTZ7Z.js";
 import {
   getProjectDir as getProjectDir2,
   getReadyTasks,
@@ -70,7 +70,7 @@ import {
   takeZombieDetection,
   transcriptActivityAgeSeconds,
   writeEgressAllowlist
-} from "../chunk-MNW2HVGO.js";
+} from "../chunk-OW6ERQHP.js";
 import {
   CONVERSATION_FAILURE_CATEGORIES,
   DEFAULT_FRAMEWORK,
@@ -111,7 +111,7 @@ import {
   resolveChannels,
   resolveDmTarget,
   sumTranscriptUsageInWindow
-} from "../chunk-U6HS4U7L.js";
+} from "../chunk-MTKFDGXO.js";
 import {
   parsePsRows,
   reapOrphanChannelMcps
@@ -6878,7 +6878,7 @@ var agentRestartTimezoneInputs = /* @__PURE__ */ new Map();
 var lastVersionCheckAt = 0;
 var VERSION_CHECK_INTERVAL_MS = 5 * 60 * 1e3;
 var lastResponsivenessProbeAt = 0;
-var agtCliVersion = true ? "0.28.162" : "dev";
+var agtCliVersion = true ? "0.28.163" : "dev";
 function resolveBrewPath(execFileSync4) {
   try {
     const out = execFileSync4("which", ["brew"], { timeout: 5e3 }).toString().trim();
@@ -8011,7 +8011,7 @@ async function pollCycle() {
     }
     try {
       const { detectHostSecurity } = await import("../host-security-6PDFG7F5.js");
-      const { collectDiagnostics } = await import("../persistent-session-T7Q53HW5.js");
+      const { collectDiagnostics } = await import("../persistent-session-3ACIT7F5.js");
       const diagCodeNames = [...agentState.persistentSessionAgents];
       const agentDiagnostics = diagCodeNames.length > 0 ? collectDiagnostics(diagCodeNames) : void 0;
       let tailscaleHostname;
@@ -8159,7 +8159,7 @@ async function pollCycle() {
       const {
         collectResponsivenessProbes,
         getResponsivenessIntervalMs
-      } = await import("../responsiveness-probe-K4Y7BXRH.js");
+      } = await import("../responsiveness-probe-5OCWCS3M.js");
       const probeIntervalMs = getResponsivenessIntervalMs();
       if (now - lastResponsivenessProbeAt > probeIntervalMs) {
         const probeCodeNames = [...agentState.persistentSessionAgents];
@@ -8191,7 +8191,7 @@ async function pollCycle() {
           collectResponsivenessProbes,
           livePendingInboundOldestAgeSeconds,
           parkPendingInbound
-        } = await import("../responsiveness-probe-K4Y7BXRH.js");
+        } = await import("../responsiveness-probe-5OCWCS3M.js");
         const { getProjectDir: wedgeProjectDir } = await import("../claude-scheduler-FATCLHDM.js");
         const wedgeNow = /* @__PURE__ */ new Date();
         const liveAgents = agentState.persistentSessionAgents;
@@ -11692,7 +11692,7 @@ async function processClaudePairSessions(agents) {
     killPairSession,
     pairTmuxSession,
     finalizeClaudePairOnboarding
-  } = await import("../claude-pair-runtime-PJ4OZ3DE.js");
+  } = await import("../claude-pair-runtime-WEKLV5X5.js");
   for (const pairId of pendingResp.cancelled_pair_ids ?? []) {
     log(`[claude-pair] sweeping orphan tmux session for pair ${pairId.slice(0, 8)}`);
     const killed = await killPairSession(pairTmuxSession(pairId));

package/dist/mcp/remote-oauth-proxy.js CHANGED Viewed

@@ -10,15 +10,48 @@ import { resolve as resolvePath } from "path";
 var URL_ENV = "AGT_REMOTE_MCP_URL";
 var TOKEN_FILE_ENV = "AGT_REMOTE_MCP_TOKEN_FILE";
 var TOKEN_VAR_ENV = "AGT_REMOTE_MCP_TOKEN_VAR";
+var ALLOWLIST_ENV = "AGT_REMOTE_MCP_TOOL_ALLOWLIST";
 var REMOTE_FETCH_TIMEOUT_MS = 3e4;
 var remoteUrl = process.env[URL_ENV] ?? "";
 var tokenFile = process.env[TOKEN_FILE_ENV] ?? "";
 var tokenVar = process.env[TOKEN_VAR_ENV] ?? "";
 var label = process.env["AGT_REMOTE_MCP_LABEL"] || tokenVar || "remote-oauth";
+var toolAllowlist = parseToolAllowlist(process.env[ALLOWLIST_ENV] ?? "");
 function logErr(msg) {
   process.stderr.write(`[remote-oauth-proxy:${label}] ${msg}
 `);
 }
+function parseToolAllowlist(raw) {
+  const out = /* @__PURE__ */ new Set();
+  for (const part of (raw || "").split(",")) {
+    const name = part.trim();
+    if (name) out.add(name);
+  }
+  return out;
+}
+function filterToolsListMessage(message, allow) {
+  if (allow.size === 0) return { message, total: 0, kept: 0, advertised: [] };
+  let obj;
+  try {
+    obj = JSON.parse(message);
+  } catch {
+    return { message, total: 0, kept: 0, advertised: [] };
+  }
+  const result = obj?.result;
+  const tools = result?.tools;
+  if (!Array.isArray(tools)) return { message, total: 0, kept: 0, advertised: [] };
+  const nameOf = (t) => t && typeof t === "object" && typeof t.name === "string" ? t.name : "";
+  const advertised = tools.map(nameOf).filter((n) => n.length > 0);
+  const filtered = tools.filter((t) => allow.has(nameOf(t)));
+  result.tools = filtered;
+  return { message: JSON.stringify(obj), total: tools.length, kept: filtered.length, advertised };
+}
+function isToolCallBlocked(method, params, allow) {
+  if (allow.size === 0 || method !== "tools/call") return { blocked: false, name: "" };
+  const name = params && typeof params === "object" && typeof params.name === "string" ? params.name : "";
+  if (name && !allow.has(name)) return { blocked: true, name };
+  return { blocked: false, name };
+}
 function readCurrentToken(file, varName) {
   let raw;
   try {
@@ -71,7 +104,7 @@ function extractJsonRpcMessages(contentType, body) {
   }
   return out;
 }
-async function forward(line, id, isNotification) {
+async function forward(line, id, isNotification, method) {
   const token = readCurrentToken(tokenFile, tokenVar);
   if (!token) {
     logErr(`no token in ${tokenFile} (var ${tokenVar})`);
@@ -102,7 +135,24 @@ async function forward(line, id, isNotification) {
   }
   if (isNotification) return [];
   const messages = extractJsonRpcMessages(ct, body);
-  if (messages.length > 0) return messages;
+  if (messages.length > 0) {
+    if (method === "tools/list" && toolAllowlist.size > 0) {
+      return messages.map((m) => {
+        const r = filterToolsListMessage(m, toolAllowlist);
+        if (r.total !== r.kept) {
+          logErr(`tools/list filtered ${r.total} -> ${r.kept} (allowlist ${toolAllowlist.size})`);
+        }
+        if (r.advertised.length > 0) {
+          const missing = [...toolAllowlist].filter((n) => !r.advertised.includes(n));
+          if (missing.length > 0) {
+            logErr(`allowlisted tools not advertised by server: ${missing.join(", ")}`);
+          }
+        }
+        return r.message;
+      });
+    }
+    return messages;
+  }
   const detail = body.slice(0, 300).replace(/\s+/g, " ").trim();
   return [jsonRpcError(id, -32002, `${label}: MCP server returned HTTP ${res.status}${detail ? ` (${detail})` : ""}`)];
 }
@@ -139,7 +189,19 @@ async function main() {
     }
     const isNotification = !("id" in parsed);
     const id = parsed.id;
-    const task = forward(text, id, isNotification).then(writeReplies).catch((err) => {
+    if (!isNotification) {
+      const block = isToolCallBlocked(parsed.method, parsed.params, toolAllowlist);
+      if (block.blocked) {
+        logErr(`blocked tools/call to non-allowlisted tool "${block.name}"`);
+        const task2 = writeReplies([
+          jsonRpcError(id, -32601, `${label}: tool "${block.name}" is not enabled for this integration`)
+        ]).catch((err) => logErr(`handler error: ${err.message}`));
+        inflight.add(task2);
+        void task2.finally(() => inflight.delete(task2));
+        return;
+      }
+    }
+    const task = forward(text, id, isNotification, parsed.method).then(writeReplies).catch((err) => {
       logErr(`handler error: ${err.message}`);
     });
     inflight.add(task);
@@ -163,6 +225,9 @@ if (invokedDirectly) {
 }
 export {
   extractJsonRpcMessages,
+  filterToolsListMessage,
+  isToolCallBlocked,
   main,
+  parseToolAllowlist,
   readCurrentToken
 };

package/dist/{persistent-session-T7Q53HW5.js → persistent-session-3ACIT7F5.js} RENAMED Viewed

@@ -34,8 +34,8 @@ import {
   writeDirectChatSessionState,
   writeEgressAllowlist,
   writePersistentClaudeWrapper
-} from "./chunk-MNW2HVGO.js";
-import "./chunk-U6HS4U7L.js";
+} from "./chunk-OW6ERQHP.js";
+import "./chunk-MTKFDGXO.js";
 import "./chunk-XWVM4KPK.js";
 export {
   EGRESS_BASELINE_DOMAINS,
@@ -74,4 +74,4 @@ export {
   writeEgressAllowlist,
   writePersistentClaudeWrapper
 };
-//# sourceMappingURL=persistent-session-T7Q53HW5.js.map
+//# sourceMappingURL=persistent-session-3ACIT7F5.js.map

package/dist/{responsiveness-probe-K4Y7BXRH.js → responsiveness-probe-5OCWCS3M.js} RENAMED Viewed

@@ -1,7 +1,7 @@
 import {
   paneLogPath
-} from "./chunk-MNW2HVGO.js";
-import "./chunk-U6HS4U7L.js";
+} from "./chunk-OW6ERQHP.js";
+import "./chunk-MTKFDGXO.js";
 import "./chunk-XWVM4KPK.js";
 // src/lib/responsiveness-probe.ts
@@ -304,4 +304,4 @@ export {
   readAndResetChannelDeflections,
   readAndResetChannelLaneClassifications
 };
-//# sourceMappingURL=responsiveness-probe-K4Y7BXRH.js.map
+//# sourceMappingURL=responsiveness-probe-5OCWCS3M.js.map

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@integrity-labs/agt-cli",
-  "version": "0.28.162",
+  "version": "0.28.163",
   "description": "Augmented Team CLI — agent provisioning and management",
   "type": "module",
   "engines": {