@integrity-labs/agt-cli 0.28.176 → 0.28.177

package/dist/bin/agt.js

@@ -37,7 +37,7 @@ import {
   success,
   table,
   warn
-} from "../chunk-YNCNFORO.js";
+} from "../chunk-HTDMNULF.js";
 import {
   CHANNEL_REGISTRY,
   DEFAULT_FRAMEWORK,
@@ -65,7 +65,7 @@ import {
   renderTemplate,
   resolveChannels,
   serializeManifestForSlackCli
-} from "../chunk-ULPUDU4J.js";
+} from "../chunk-ODMNVKDO.js";
 
 // src/bin/agt.ts
 import { join as join22 } from "path";
@@ -4749,7 +4749,7 @@ import { execFileSync, execSync } from "child_process";
 import { existsSync as existsSync10, realpathSync as realpathSync2 } from "fs";
 import chalk18 from "chalk";
 import ora16 from "ora";
-var cliVersion = true ? "0.28.176" : "dev";
+var cliVersion = true ? "0.28.177" : "dev";
 async function fetchLatestVersion() {
   const host2 = getHost();
   if (!host2) return null;
@@ -5763,7 +5763,7 @@ function handleError(err) {
 }
 
 // src/bin/agt.ts
-var cliVersion2 = true ? "0.28.176" : "dev";
+var cliVersion2 = true ? "0.28.177" : "dev";
 var program = new Command();
 program.name("agt").description("Augmented CLI \u2014 agent provisioning and management").version(cliVersion2).option("--json", "Emit machine-readable JSON output (suppress spinners and colors)").option("--skip-update-check", "Skip the automatic update check on startup");
 program.hook("preAction", async (thisCommand, actionCommand) => {

package/dist/{chunk-NZLZICAD.js → chunk-4LMNQ2V7.js}

@@ -3,7 +3,7 @@ import {
   formatMissingVar,
   isClaudeFastMode,
   probeMcpEnvSubstitution
-} from "./chunk-ULPUDU4J.js";
+} from "./chunk-ODMNVKDO.js";
 import {
   reapOrphanChannelMcps
 } from "./chunk-XWVM4KPK.js";
@@ -1588,4 +1588,4 @@ export {
   stopAllSessionsAndWait,
   getProjectDir
 };
-//# sourceMappingURL=chunk-NZLZICAD.js.map
+//# sourceMappingURL=chunk-4LMNQ2V7.js.map

package/dist/{chunk-YNCNFORO.js → chunk-HTDMNULF.js}

@@ -16,7 +16,7 @@ import {
   resolveConnectivityProbe,
   worseConnectivityOutcome,
   wrapScheduledTaskPrompt
-} from "./chunk-ULPUDU4J.js";
+} from "./chunk-ODMNVKDO.js";
 
 // ../../packages/core/dist/provisioning/mcp-config-guards.js
 import { chmodSync, existsSync, readFileSync, renameSync, writeFileSync, unlinkSync } from "fs";
@@ -1706,8 +1706,15 @@ var INTEGRATION_REGISTRY = [
     remoteMcp: {
       type: "http",
       url: "https://api.anchorbrowser.io/mcp",
+      // ENG-6993 / ADR-0033: the api-key credential header now goes through the
+      // structured `auth` field — the env var (ANCHOR_BROWSER_API_KEY) is
+      // DERIVED from this integration's definition_id + credential_ref, so it
+      // is scoped to Anchor and can't reference another integration's secret
+      // (C1). Renders byte-identically to the previous verbatim header.
+      auth: { scheme: "header", header_name: "anchor-api-key", credential_ref: "api_key" },
+      // The dynamic session header stays here (not a credential — minted per
+      // session by ENG-5857; empty default below until then).
       headers: {
-        "anchor-api-key": "${ANCHOR_BROWSER_API_KEY}",
         "anchor-session-id": "${ANCHOR_BROWSER_SESSION_ID}"
       },
       // ENG-5857 mints the real session id; default empty so the header
@@ -1744,10 +1751,60 @@ var INTEGRATION_REGISTRY = [
     beta: true,
     // ENG-6920: Deck is the first PREMIUM integration. Unlike the customer-auth
     // integrations, every Deck run bills back to Augmented's single account
-    // key, and Deck is usage-priced (compute time + agent runs) — so it is
-    // gated on a per-org opt-in and metered. Pricing amounts are deferred to
-    // the billing mechanism (Stripe); this only declares the model.
-    premium: { pricing: "usage", note: "Billed on Deck compute time and agent runs." }
+    // key, and Deck is usage-priced — so it is gated on a per-org opt-in and
+    // metered. ENG-7032: `meters` declares the billable operation (run_task,
+    // billed per run); the priced rate card (integration_rate_cards) holds the
+    // amount ($1.00 USD / A$1.50 per run, the per-run v1 decision). The
+    // event_type must match what deck-broker writes to integration_usage_events.
+    premium: {
+      pricing: "usage",
+      note: "Billed per Deck task run.",
+      meters: [{ event_type: "run_task", unit: "run" }]
+    }
+  },
+  {
+    id: "elevenlabs",
+    name: "ElevenLabs",
+    category: "media",
+    description: "Speech-to-text for inbound voice notes. When a teammate sends an agent a voice message (Slack, Telegram, etc.), the agent uploads the audio and gets back an accurate transcript via ElevenLabs Scribe, so a voice note is no longer a black box. Augmented Team manages ElevenLabs access for you - there is no key to enter.",
+    // ElevenLabs is REST-only for our use (POST /v1/speech-to-text, `xi-api-key`
+    // header, NOT Bearer) — it ships no MCP server, so the agent-facing tools are
+    // brokered server-side (scribe-broker.ts). It is a PREMIUM integration on the
+    // Deck model (ADR-0031, epic ENG-6920): Augmented owns ONE ElevenLabs account
+    // that every customer agent's transcriptions bill back to, so the account key
+    // is a single platform-held secret (`ELEVENLABS_ACCOUNT_KEY`), NOT a per-agent
+    // credential. Auth type is therefore `none` — customers never enter a key.
+    // Usage is metered in audio-seconds at the broker chokepoint and gated on a
+    // per-org opt-in + monthly cap. (TTS for Augmented Live voiceover is a
+    // separate surface — ENG-7048 — that reuses the same account key.)
+    supported_auth_types: ["none"],
+    capabilities: [
+      { id: "elevenlabs:transcribe", name: "Transcribe Voice Notes", description: "Upload an inbound audio file and transcribe it to text via ElevenLabs Scribe (scribe_create_upload, scribe_transcribe)", access: "write" },
+      // ENG-7048: text-to-speech voiceover for Augmented Live. Surfaced as the
+      // agt_live.generate_voiceover tool (not a standalone scribe_* tool); shares
+      // this one platform account key + the same per-org budget.
+      { id: "elevenlabs:tts", name: "Generate Voiceover", description: "Synthesize a spoken-voice MP3 voiceover from text for an Augmented Live page via ElevenLabs text-to-speech (agt_live.generate_voiceover)", access: "write" }
+    ],
+    // Capabilities index — covers both speech-to-text and text-to-speech, since
+    // the integration now advertises elevenlabs:transcribe AND elevenlabs:tts.
+    docs_url: "https://elevenlabs.io/docs/capabilities",
+    beta: true,
+    // ENG-7005 / ENG-7048: premium (billable). Both surfaces bill back to
+    // Augmented's single account key and are usage-priced, so the integration is
+    // gated on a per-org opt-in and metered. The two surfaces share the one
+    // `elevenlabs` definition (and so the one per-org monthly budget). Pricing
+    // amounts live in integration_rate_cards; this only declares the model.
+    premium: {
+      pricing: "usage",
+      note: "Billed on audio transcribed (per second) and voiceover synthesized (per character).",
+      // ENG-7032: each surface meters its own event in its own physical unit; the
+      // matching integration_rate_cards rows price them. Until a rate is seeded,
+      // that event prices at 0.
+      meters: [
+        { event_type: "transcribe", unit: "audio_second" },
+        { event_type: "tts", unit: "character" }
+      ]
+    }
   },
   {
     id: "postiz",
@@ -1994,6 +2051,28 @@ var INTEGRATION_REGISTRY = [
       { id: "augmented-admin:read-diagnostics", name: "Read Diagnostics", description: "Cross-org read of agent, host, integration, and alert diagnostics (projection only \u2014 never credentials or transcripts).", access: "read" }
     ]
   },
+  {
+    // ENG-7023 (ADR-0031/0032): the per-org self-troubleshoot surface for the
+    // `system_support` concierge agent. Provisions the
+    // @integrity-labs/augmented-support-mcp stdio broker, which reads the
+    // agent's OWN org diagnostics and proposes self-remediation writes
+    // (create_agent) through the server-rendered HITL approval gate, all via
+    // /host/support/*. `beta` while the concierge rolls out gradually (ENG-6975);
+    // auth `none` - no end-user OAuth, the host JWT (org_id claim) is the
+    // credential and the org-lock. NOT a customer-selectable integration: it is
+    // attached automatically to system_support agents at provisioning.
+    id: "augmented-support",
+    name: "Augmented Support",
+    category: "infrastructure",
+    description: "Per-org self-troubleshoot concierge: reads your org's agents, hosts, integrations, alerts, flags, and audit log, files support/feature requests, and proposes new agents for human approval - all scoped to your own organization.",
+    supported_auth_types: ["none"],
+    beta: true,
+    capabilities: [
+      { id: "augmented-support:read-diagnostics", name: "Read Diagnostics", description: "Read your own org's agents, hosts, integrations, alerts, flags, and audit log (projection only - never credentials or transcripts).", access: "read" },
+      { id: "augmented-support:file-requests", name: "File Requests", description: "File bug / feature / integration requests to Augmented Team support.", access: "write" },
+      { id: "augmented-support:propose-writes", name: "Propose Self-Remediation", description: "Propose creating an agent in your own org; executed only after a human approves a server-rendered diff.", access: "write" }
+    ]
+  },
   {
     id: "custom",
     name: "Custom Integration",
@@ -2337,15 +2416,56 @@ function decryptIntegrationCredentials(credentials) {
 function envVarForToken(definitionId) {
   return `${definitionId.replace(/-/g, "_").toUpperCase()}_ACCESS_TOKEN`;
 }
-function buildRemoteMcpEntry(definitionId) {
-  const def = INTEGRATION_REGISTRY.find((d) => d.id === definitionId);
-  if (def?.remoteMcp) {
-    const spec = def.remoteMcp;
-    return {
-      type: spec.type ?? "http",
-      url: spec.url,
-      ...spec.headers ? { headers: { ...spec.headers } } : {}
-    };
+function credentialEnvVar(definitionId, credentialRef) {
+  const idPart = definitionId.replace(/-/g, "_").toUpperCase();
+  const credPart = credentialRef.replace(/-/g, "_").toUpperCase();
+  return `${idPart}_${credPart}`;
+}
+function assertSafeRemoteMcpUrl(url, definitionId) {
+  let u;
+  try {
+    u = new URL(url);
+  } catch {
+    throw new Error(`remoteMcp.url for '${definitionId}' is not a valid URL: ${url}`);
+  }
+  if (u.protocol !== "https:") {
+    throw new Error(`remoteMcp.url for '${definitionId}' must be https (got ${u.protocol}//): ${url}`);
+  }
+  const host = u.hostname.toLowerCase();
+  const blocked = host === "localhost" || host === "169.254.169.254" || // AWS/GCP/Azure instance metadata
+  host === "metadata.google.internal" || /^127\./.test(host) || /^10\./.test(host) || /^192\.168\./.test(host) || /^169\.254\./.test(host) || // link-local
+  /^172\.(1[6-9]|2\d|3[01])\./.test(host) || // 172.16.0.0/12
+  host.endsWith(".internal") || host.endsWith(".local");
+  if (blocked) {
+    throw new Error(`remoteMcp.url for '${definitionId}' resolves to a disallowed (internal/link-local/metadata) host: ${host}`);
+  }
+}
+function renderRemoteMcpSpec(definitionId, spec) {
+  assertSafeRemoteMcpUrl(spec.url, definitionId);
+  const headers = {};
+  if (spec.auth) {
+    const envVar = credentialEnvVar(definitionId, spec.auth.credential_ref);
+    const value = `\${${envVar}}`;
+    if (spec.auth.scheme === "bearer") {
+      headers["Authorization"] = `Bearer ${value}`;
+    } else {
+      if (!spec.auth.header_name) {
+        throw new Error(`remoteMcp.auth for '${definitionId}' uses scheme 'header' but no header_name`);
+      }
+      headers[spec.auth.header_name] = value;
+    }
+  }
+  Object.assign(headers, spec.headers ?? {});
+  return {
+    type: spec.type ?? "http",
+    url: spec.url,
+    ...Object.keys(headers).length > 0 ? { headers } : {}
+  };
+}
+function buildRemoteMcpEntry(definitionId, dbSpec) {
+  const spec = dbSpec ?? INTEGRATION_REGISTRY.find((d) => d.id === definitionId)?.remoteMcp;
+  if (spec) {
+    return renderRemoteMcpSpec(definitionId, spec);
   }
   const provider = OAUTH_PROVIDERS[definitionId];
   if (!provider?.mcpUrl)
@@ -4328,7 +4448,7 @@ function buildMcpJson(input) {
       mcpServers[integration.definition_id] = proxyEntry;
       continue;
     }
-    const entry = buildRemoteMcpEntry(integration.definition_id);
+    const entry = buildRemoteMcpEntry(integration.definition_id, integration.remoteMcp);
     if (entry) {
       mcpServers[integration.definition_id] = entry;
     }
@@ -4395,6 +4515,20 @@ function buildMcpJson(input) {
       }
     };
   }
+  const hasSupport = input.integrations?.some((i) => i.definition_id === "augmented-support") ?? false;
+  if (hasSupport) {
+    const localSupportMcpPath = join2(getHomeDir(), ".augmented", "_mcp", "augmented-support.js");
+    mcpServers["augmented-support"] = {
+      command: "node",
+      args: [localSupportMcpPath],
+      env: {
+        AGT_HOST: "${AGT_HOST}",
+        AGT_AGENT_ID: input.agent.agent_id,
+        AGT_RUN_ID: "${AGT_RUN_ID}",
+        AGT_API_KEY: "${AGT_API_KEY}"
+      }
+    };
+  }
   return { mcpServers };
 }
 function parseIntervalMinutes(scheduleEvery) {
@@ -5372,8 +5506,7 @@ ${sections}`
       }
     }
     for (const integration of decryptedIntegrations) {
-      const def = INTEGRATION_REGISTRY.find((d) => d.id === integration.definition_id);
-      const defaults = def?.remoteMcp?.envDefaults;
+      const defaults = integration.remoteMcp?.envDefaults ?? INTEGRATION_REGISTRY.find((d) => d.id === integration.definition_id)?.remoteMcp?.envDefaults;
       if (!defaults)
         continue;
       for (const [key, value] of Object.entries(defaults)) {
@@ -5437,7 +5570,7 @@ ${sections}`
         this.writeMcpServer(codeName, integration.definition_id, proxyEntry);
         continue;
       }
-      const entry = buildRemoteMcpEntry(integration.definition_id);
+      const entry = buildRemoteMcpEntry(integration.definition_id, integration.remoteMcp);
       if (entry) {
         this.writeMcpServer(codeName, integration.definition_id, entry);
       }
@@ -5515,6 +5648,20 @@ ${sections}`
         }
       });
     }
+    const hasSupport = integrations.some((i) => i.definition_id === "augmented-support");
+    if (hasSupport) {
+      const localSupportMcpPath = join2(getHomeDir(), ".augmented", "_mcp", "augmented-support.js");
+      this.writeMcpServer(codeName, "augmented-support", {
+        command: "node",
+        args: [localSupportMcpPath],
+        env: {
+          AGT_HOST: "${AGT_HOST}",
+          AGT_AGENT_ID: resolveBrokerAgentId(codeName) ?? agentId ?? "",
+          AGT_RUN_ID: "${AGT_RUN_ID}",
+          AGT_API_KEY: "${AGT_API_KEY}"
+        }
+      });
+    }
     if (this.removeMcpServer) {
       const nativeMcpKeys = INTEGRATION_REGISTRY.filter((d) => d.nativeMcp !== void 0).map((d) => d.nativeMcp.key ?? d.id);
       const integrationDerivedKeys = /* @__PURE__ */ new Set([
@@ -5523,6 +5670,7 @@ ${sections}`
         "cloud-broker",
         "xero-broker",
         "augmented-admin",
+        "augmented-support",
         ...nativeMcpKeys,
         ...Object.entries(OAUTH_PROVIDERS).filter(([, provider]) => Boolean(provider.mcpUrl)).map(([id]) => id)
       ]);
@@ -5537,12 +5685,14 @@ ${sections}`
         expectedKeys.add("xero-broker");
       if (hasAdminDebug)
         expectedKeys.add("augmented-admin");
+      if (hasSupport)
+        expectedKeys.add("augmented-support");
       for (const integration of integrations) {
         const def = INTEGRATION_REGISTRY.find((d) => d.id === integration.definition_id);
         if (def?.nativeMcp) {
           expectedKeys.add(def.nativeMcp.key ?? integration.definition_id);
         }
-        if (buildRemoteMcpEntry(integration.definition_id)) {
+        if (buildRemoteMcpEntry(integration.definition_id, integration.remoteMcp)) {
           expectedKeys.add(integration.definition_id);
         }
       }
@@ -5964,7 +6114,7 @@ function requireHost() {
 }
 
 // src/lib/api-client.ts
-var agtCliVersion = true ? "0.28.176" : "dev";
+var agtCliVersion = true ? "0.28.177" : "dev";
 var lastConfigHash = null;
 function setConfigHash(hash) {
   lastConfigHash = hash && hash.length > 0 ? hash : null;
@@ -7269,4 +7419,4 @@ export {
   managerInstallSystemUnitCommand,
   managerUninstallSystemUnitCommand
 };
-//# sourceMappingURL=chunk-YNCNFORO.js.map
+//# sourceMappingURL=chunk-HTDMNULF.js.map