@invarn/cli 0.2.2 → 0.2.3

package/dist/sdk.mjs

@@ -7091,17 +7091,19 @@ async function getAgentBuildResult(sessionToken, buildId, { wait } = {}) {
   }
   return res.json();
 }
-async function listSecrets({ pipelineId, kind } = {}) {
+async function listSecrets({ pipelineId, agentId, kind } = {}) {
   const url = new URL("/secrets", "http://placeholder");
   if (pipelineId) url.searchParams.set("pipeline", pipelineId);
+  if (agentId) url.searchParams.set("agent", agentId);
   if (kind) url.searchParams.set("kind", kind);
   const res = await request(`${url.pathname}${url.search}`);
   const body = await res.json();
   return body.entries || [];
 }
-async function createSecret({ scope, pipelineId, kind, key, value }) {
+async function createSecret({ scope, pipelineId, agentId, kind, key, value }) {
   const body = { scope, kind, key, value };
   if (pipelineId) body.pipelineId = pipelineId;
+  if (agentId) body.agentId = agentId;
   const res = await request("/secrets", {
     method: "POST",
     body: JSON.stringify(body)
@@ -8971,12 +8973,19 @@ ${lines.join("\n")}`;
 }
 async function handleSecretsList(args) {
   try {
+    if (args.pipeline_id && args.agent_id) {
+      return {
+        content: [{ type: "text", text: "Error: pass either pipeline_id or agent_id, not both." }],
+        isError: true
+      };
+    }
     const entries = await listSecrets({
       pipelineId: args.pipeline_id || void 0,
+      agentId: args.agent_id || void 0,
       kind: args.kind
     });
     if (entries.length === 0) {
-      const scope = args.pipeline_id ? "pipeline" : "org";
+      const scope = args.pipeline_id || args.agent_id ? "pipeline" : "org";
       return {
         content: [
           { type: "text", text: `No ${args.kind?.toLowerCase() ?? "entries"} at ${scope} scope.` }
@@ -8996,12 +9005,19 @@ ${lines.join("\n")}` }] };
 }
 async function handleSecretsSet(args) {
   try {
+    if (args.pipeline_id && args.agent_id) {
+      return {
+        content: [{ type: "text", text: "Error: pass either pipeline_id or agent_id, not both." }],
+        isError: true
+      };
+    }
     const kind = args.kind === "VARIABLE" ? "VARIABLE" : "SECRET";
-    const scope = args.pipeline_id ? "PIPELINE" : "ORG";
+    const scope = args.pipeline_id || args.agent_id ? "PIPELINE" : "ORG";
     try {
       await createSecret({
         scope,
         pipelineId: args.pipeline_id,
+        agentId: args.agent_id,
         kind,
         key: args.key,
         value: args.value
@@ -9016,7 +9032,11 @@ async function handleSecretsSet(args) {
       };
     } catch (err) {
       if (err.statusCode !== 409) throw err;
-      const existing = (await listSecrets({ pipelineId: args.pipeline_id, kind })).find((e) => e.key === args.key);
+      const existing = (await listSecrets({
+        pipelineId: args.pipeline_id,
+        agentId: args.agent_id,
+        kind
+      })).find((e) => e.key === args.key);
       if (!existing) throw err;
       await updateSecretValue(existing.id, args.value);
       return {
@@ -9191,16 +9211,17 @@ var TOOL_SPECS = [
   },
   {
     name: "invarn_secrets_list",
-    description: "List secret and variable metadata for the organization or a specific pipeline. Returns keys, kinds, scopes, and timestamps \u2014 NEVER values. Use this to check whether a secret exists before calling invarn_agent_run.",
+    description: "List secret and variable metadata for the organization or a specific pipeline. Returns keys, kinds, scopes, and timestamps \u2014 NEVER values. Use this to check whether a secret exists before calling invarn_agent_run. To scope to an agent's pipeline, pass agent_id \u2014 simpler than looking up pipeline_id.",
     inputSchema: {
-      pipeline_id: z2.string().optional().describe("Pipeline ID. Omit for org-scoped entries."),
+      pipeline_id: z2.string().optional().describe("Pipeline ID. Omit for org-scoped entries. Mutually exclusive with agent_id."),
+      agent_id: z2.string().optional().describe("Agent ID \u2014 resolves to the agent's owned pipeline server-side. Mutually exclusive with pipeline_id."),
       kind: z2.enum(["SECRET", "VARIABLE"]).optional().describe("Filter to a specific kind.")
     },
     handler: async (args) => handleSecretsList(args ?? {})
   },
   {
     name: "invarn_secrets_set",
-    description: "Create or update a secret or variable. Idempotent \u2014 if the key already exists at this scope, the value is replaced. Requires a human (inv_human_\u2026) token with OWNER or ADMIN role in the org; agent tokens receive 403. There is no read tool \u2014 values cannot be retrieved via MCP.",
+    description: "Create or update a secret or variable. Idempotent \u2014 if the key already exists at this scope, the value is replaced. Requires a human (inv_human_\u2026) token with OWNER or ADMIN role in the org; agent tokens receive 403. There is no read tool \u2014 values cannot be retrieved via MCP. To target an agent's pipeline, pass agent_id instead of pipeline_id.",
     inputSchema: {
       key: z2.string().describe(
         "Uppercase env-var-safe key (/^[A-Z_][A-Z0-9_]{0,63}$/, not starting with INVARN_)."
@@ -9209,7 +9230,8 @@ var TOOL_SPECS = [
       kind: z2.enum(["SECRET", "VARIABLE"]).describe(
         "SECRET: encrypted at rest, redacted from build logs. VARIABLE: plaintext, visible in dashboard and logs when echoed."
       ),
-      pipeline_id: z2.string().optional().describe("Pipeline ID for a pipeline-scoped entry. Omit for org scope.")
+      pipeline_id: z2.string().optional().describe("Pipeline ID for a pipeline-scoped entry. Omit for org scope. Mutually exclusive with agent_id."),
+      agent_id: z2.string().optional().describe("Agent ID \u2014 resolves to the agent's owned pipeline server-side. Mutually exclusive with pipeline_id. Omit both for org scope.")
     },
     handler: async (args) => handleSecretsSet(args)
   }
@@ -9319,19 +9341,27 @@ function buildHandlers(ctx, getSession) {
       return result;
     },
     invarn_secrets_list: async (args) => {
+      if (args.pipeline_id && args.agent_id) {
+        throw new Error("pass either pipeline_id or agent_id, not both");
+      }
       const entries = await listSecrets({
         pipelineId: args.pipeline_id || void 0,
+        agentId: args.agent_id || void 0,
         kind: args.kind
       });
       return { entries };
     },
     invarn_secrets_set: async (args) => {
+      if (args.pipeline_id && args.agent_id) {
+        throw new Error("pass either pipeline_id or agent_id, not both");
+      }
       const kind = args.kind === "VARIABLE" ? "VARIABLE" : "SECRET";
-      const scope = args.pipeline_id ? "PIPELINE" : "ORG";
+      const scope = args.pipeline_id || args.agent_id ? "PIPELINE" : "ORG";
       try {
         await createSecret({
           scope,
           pipelineId: args.pipeline_id,
+          agentId: args.agent_id,
           kind,
           key: args.key,
           value: args.value
@@ -9339,7 +9369,11 @@ function buildHandlers(ctx, getSession) {
         return { action: "created", key: args.key, kind, scope: scope.toLowerCase() };
       } catch (err) {
         if (err.statusCode !== 409) throw err;
-        const existing = (await listSecrets({ pipelineId: args.pipeline_id, kind })).find((e) => e.key === args.key);
+        const existing = (await listSecrets({
+          pipelineId: args.pipeline_id,
+          agentId: args.agent_id,
+          kind
+        })).find((e) => e.key === args.key);
         if (!existing) throw err;
         await updateSecretValue(existing.id, args.value);
         return { action: "updated", key: args.key, kind, scope: scope.toLowerCase() };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@invarn/cli",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "description": "Invarn CLI — run builds, check artifacts, and ship from your terminal",
   "type": "module",
   "main": "dist/invarn.cjs",