@integrity-labs/agt-cli 0.28.95 → 0.28.96

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -28,7 +28,7 @@ import {
28
28
  requireHost,
29
29
  safeWriteJsonAtomic,
30
30
  setConfigHash
31
- } from "../chunk-QQYVNV5N.js";
31
+ } from "../chunk-LFTKXQEA.js";
32
32
  import {
33
33
  getProjectDir as getProjectDir2,
34
34
  getReadyTasks,
@@ -38,8 +38,10 @@ import {
38
38
  } from "../chunk-I3YS5WFV.js";
39
39
  import {
40
40
  buildAllowedTools,
41
+ buildEgressAllowlist,
41
42
  checkChannelInputs,
42
43
  creditWatchdogGiveUpCount,
44
+ egressMode,
43
45
  getLastFailureContext,
44
46
  getProjectDir,
45
47
  getSessionState,
@@ -53,8 +55,10 @@ import {
53
55
  peekCurrentSession,
54
56
  prepareForRespawn,
55
57
  readPaneLogTail,
58
+ reloadEgressSidecar,
56
59
  resetRestartCount,
57
60
  resolveClaudeBinary,
61
+ restartEgressSidecar,
58
62
  rotateSessionForWedge,
59
63
  sanitizeMcpJson,
60
64
  sendToAgent,
@@ -65,8 +69,9 @@ import {
65
69
  subagentActivityAgeSeconds,
66
70
  takeWatchdogGiveUpCount,
67
71
  takeZombieDetection,
68
- transcriptActivityAgeSeconds
69
- } from "../chunk-JYSWJMXU.js";
72
+ transcriptActivityAgeSeconds,
73
+ writeEgressAllowlist
74
+ } from "../chunk-5NQ652SP.js";
70
75
  import {
71
76
  FLAGS_SCHEMA_VERSION,
72
77
  FLAG_REGISTRY,
@@ -6948,7 +6953,7 @@ var cachedMaintenanceWindow = null;
6948
6953
  var lastVersionCheckAt = 0;
6949
6954
  var VERSION_CHECK_INTERVAL_MS = 5 * 60 * 1e3;
6950
6955
  var lastResponsivenessProbeAt = 0;
6951
- var agtCliVersion = true ? "0.28.95" : "dev";
6956
+ var agtCliVersion = true ? "0.28.96" : "dev";
6952
6957
  function resolveBrewPath(execFileSync4) {
6953
6958
  try {
6954
6959
  const out = execFileSync4("which", ["brew"], { timeout: 5e3 }).toString().trim();
@@ -8059,7 +8064,7 @@ async function pollCycle() {
8059
8064
  }
8060
8065
  try {
8061
8066
  const { detectHostSecurity } = await import("../host-security-6PDFG7F5.js");
8062
- const { collectDiagnostics } = await import("../persistent-session-X62FQ2TN.js");
8067
+ const { collectDiagnostics } = await import("../persistent-session-KAOPVQPC.js");
8063
8068
  const diagCodeNames = [...agentState.persistentSessionAgents];
8064
8069
  const agentDiagnostics = diagCodeNames.length > 0 ? collectDiagnostics(diagCodeNames) : void 0;
8065
8070
  let tailscaleHostname;
@@ -8160,7 +8165,7 @@ async function pollCycle() {
8160
8165
  const {
8161
8166
  collectResponsivenessProbes,
8162
8167
  getResponsivenessIntervalMs
8163
- } = await import("../responsiveness-probe-PYEWQCIU.js");
8168
+ } = await import("../responsiveness-probe-OJPF6XDF.js");
8164
8169
  const probeIntervalMs = getResponsivenessIntervalMs();
8165
8170
  if (now - lastResponsivenessProbeAt > probeIntervalMs) {
8166
8171
  const probeCodeNames = [...agentState.persistentSessionAgents];
@@ -8192,7 +8197,7 @@ async function pollCycle() {
8192
8197
  collectResponsivenessProbes,
8193
8198
  livePendingInboundOldestAgeSeconds,
8194
8199
  parkPendingInbound
8195
- } = await import("../responsiveness-probe-PYEWQCIU.js");
8200
+ } = await import("../responsiveness-probe-OJPF6XDF.js");
8196
8201
  const { getProjectDir: wedgeProjectDir } = await import("../claude-scheduler-FATCLHDM.js");
8197
8202
  const wedgeNow = /* @__PURE__ */ new Date();
8198
8203
  const liveAgents = agentState.persistentSessionAgents;
@@ -10641,6 +10646,13 @@ function cleanupOldFiles(dir, maxAgeDays, ext) {
10641
10646
  var lastMcpFailedBannerCount = /* @__PURE__ */ new Map();
10642
10647
  var persistentSessionStuckTracker = new PersistentSessionStuckTracker();
10643
10648
  var claudeAuthTupleBySession = /* @__PURE__ */ new Map();
10649
+ var egressAllowlistBySession = /* @__PURE__ */ new Map();
10650
+ function deriveEgressAllowlist(toolsRaw) {
10651
+ return buildEgressAllowlist(
10652
+ toolsRaw ? extractFrontmatter(toolsRaw).frontmatter : null
10653
+ );
10654
+ }
10655
+ var egressAllowlistEqual = (a, b) => a.length === b.length && a.every((d, i) => d === b[i]);
10644
10656
  async function ensurePersistentSession(agent, tasks, boardItems, refreshData) {
10645
10657
  const codeName = agent.code_name;
10646
10658
  const projectDir = getProjectDir(codeName);
@@ -10831,6 +10843,10 @@ ${truncateForLog(ctx.tail)}` : `; pane_tail_hash=sha256:${createHash9("sha256").
10831
10843
  metadata: { type: "persistent_session_boot" }
10832
10844
  });
10833
10845
  const spawnPrimaryModel = resolveModelChain(refreshData).primary ?? refreshData.agent?.["primary_model"] ?? null;
10846
+ const egressAllowlist = deriveEgressAllowlist(
10847
+ refreshData.tools?.raw_content
10848
+ );
10849
+ egressAllowlistBySession.set(codeName, egressAllowlist);
10834
10850
  startPersistentSession({
10835
10851
  codeName,
10836
10852
  agentId: agent.agent_id,
@@ -10845,6 +10861,7 @@ ${truncateForLog(ctx.tail)}` : `; pane_tail_hash=sha256:${createHash9("sha256").
10845
10861
  primaryModel: spawnPrimaryModel,
10846
10862
  runId: sessionRunResult.run_id,
10847
10863
  agentTimezone,
10864
+ egressAllowlist,
10848
10865
  log
10849
10866
  });
10850
10867
  agentState.persistentSessionAgents.add(codeName);
@@ -10857,6 +10874,33 @@ ${truncateForLog(ctx.tail)}` : `; pane_tail_hash=sha256:${createHash9("sha256").
10857
10874
  };
10858
10875
  }
10859
10876
  resetRestartCount(codeName);
10877
+ if (egressMode(codeName) === "allowlist") {
10878
+ const allowlist = deriveEgressAllowlist(
10879
+ refreshData.tools?.raw_content
10880
+ );
10881
+ const prev = egressAllowlistBySession.get(codeName);
10882
+ if (!prev || !egressAllowlistEqual(prev, allowlist)) {
10883
+ try {
10884
+ writeEgressAllowlist(codeName, allowlist);
10885
+ const removed = prev ? prev.some((d) => !allowlist.includes(d)) : true;
10886
+ const applied = removed ? restartEgressSidecar(codeName) : reloadEgressSidecar(codeName);
10887
+ if (applied) {
10888
+ egressAllowlistBySession.set(codeName, allowlist);
10889
+ log(
10890
+ `[persistent-session] egress allowlist for '${codeName}' changed (${allowlist.length} domains), ${removed ? "restarted" : "reloaded"} squid sidecar`
10891
+ );
10892
+ } else {
10893
+ log(
10894
+ `[persistent-session] egress allowlist for '${codeName}' written (${allowlist.length} domains) but sidecar not running; will apply on next tick/spawn`
10895
+ );
10896
+ }
10897
+ } catch (err) {
10898
+ log(
10899
+ `[persistent-session] egress allowlist refresh for '${codeName}' failed (will retry next tick): ${err.message}`
10900
+ );
10901
+ }
10902
+ }
10903
+ }
10860
10904
  if (!claudeAuthTupleBySession.has(codeName)) {
10861
10905
  claudeAuthTupleBySession.set(codeName, currentAuthTuple);
10862
10906
  }
@@ -11678,7 +11722,7 @@ async function processClaudePairSessions(agents) {
11678
11722
  killPairSession,
11679
11723
  pairTmuxSession,
11680
11724
  finalizeClaudePairOnboarding
11681
- } = await import("../claude-pair-runtime-DMC3ID2A.js");
11725
+ } = await import("../claude-pair-runtime-2ISKH4M2.js");
11682
11726
  for (const pairId of pendingResp.cancelled_pair_ids ?? []) {
11683
11727
  log(`[claude-pair] sweeping orphan tmux session for pair ${pairId.slice(0, 8)}`);
11684
11728
  const killed = await killPairSession(pairTmuxSession(pairId));