@invarn/cli 0.2.2 → 0.2.4

package/dist/sdk.mjs

@@ -7091,17 +7091,19 @@ async function getAgentBuildResult(sessionToken, buildId, { wait } = {}) {
   }
   return res.json();
 }
-async function listSecrets({ pipelineId, kind } = {}) {
+async function listSecrets({ pipelineId, agentId, kind } = {}) {
   const url = new URL("/secrets", "http://placeholder");
   if (pipelineId) url.searchParams.set("pipeline", pipelineId);
+  if (agentId) url.searchParams.set("agent", agentId);
   if (kind) url.searchParams.set("kind", kind);
   const res = await request(`${url.pathname}${url.search}`);
   const body = await res.json();
   return body.entries || [];
 }
-async function createSecret({ scope, pipelineId, kind, key, value }) {
+async function createSecret({ scope, pipelineId, agentId, kind, key, value }) {
   const body = { scope, kind, key, value };
   if (pipelineId) body.pipelineId = pipelineId;
+  if (agentId) body.agentId = agentId;
   const res = await request("/secrets", {
     method: "POST",
     body: JSON.stringify(body)
@@ -8865,6 +8867,22 @@ var REGISTRATION_GUIDANCE = [
   "  If it does, read it \u2014 the build steps are already defined there. Base your agent's commands on them.",
   "  Do NOT explore the project structure if a pipeline file already tells you the build commands.",
   "",
+  "STEP SPLITTING \u2014 one concept per command:",
+  "  When you have multiple natural phases (setup, compile, test, package, sign, deploy), SPLIT them into separate commands.",
+  "  Rule of thumb: if your single `run` field contains `&&` joining distinct concepts, that's a signal to split.",
+  "  Example of a BAD single command (distinct phases chained together):",
+  `    run: "printf '...' > local.properties && xcodebuild -scheme iosApp build"`,
+  "  Better as two commands:",
+  `    [{name:"config", run:"printf '...' > local.properties"},`,
+  '     {name:"build",  run:"xcodebuild -scheme iosApp build"}]',
+  "  Why it matters:",
+  "    \u2022 Each command is its own step in the PR check run \u2014 reviewers see exactly which phase broke.",
+  '    \u2022 Failed step name appears in the check summary (e.g. "Build failed at step `build`" is much more useful than a generic "build failed").',
+  "    \u2022 Per-step duration is tracked \u2014 spot slow phases.",
+  "    \u2022 cibuild auto-injects cache steps between commands; one mega-step defeats that.",
+  "    \u2022 Individual steps can be individually retried in future (phase 4 of the roadmap).",
+  "  Shell flow inside ONE command (pipes, variable assignment, short guards) is fine. Splitting is for DISTINCT PHASES, not every line.",
+  "",
   "DESCRIPTION: Write 3 sentences for other AI agents to read.",
   "  1. What this agent does (include specific tools: Gradle, Xcode, pytest, etc.)",
   "  2. When to use it (the trigger condition)",
@@ -8971,12 +8989,19 @@ ${lines.join("\n")}`;
 }
 async function handleSecretsList(args) {
   try {
+    if (args.pipeline_id && args.agent_id) {
+      return {
+        content: [{ type: "text", text: "Error: pass either pipeline_id or agent_id, not both." }],
+        isError: true
+      };
+    }
     const entries = await listSecrets({
       pipelineId: args.pipeline_id || void 0,
+      agentId: args.agent_id || void 0,
       kind: args.kind
     });
     if (entries.length === 0) {
-      const scope = args.pipeline_id ? "pipeline" : "org";
+      const scope = args.pipeline_id || args.agent_id ? "pipeline" : "org";
       return {
         content: [
           { type: "text", text: `No ${args.kind?.toLowerCase() ?? "entries"} at ${scope} scope.` }
@@ -8996,12 +9021,19 @@ ${lines.join("\n")}` }] };
 }
 async function handleSecretsSet(args) {
   try {
+    if (args.pipeline_id && args.agent_id) {
+      return {
+        content: [{ type: "text", text: "Error: pass either pipeline_id or agent_id, not both." }],
+        isError: true
+      };
+    }
     const kind = args.kind === "VARIABLE" ? "VARIABLE" : "SECRET";
-    const scope = args.pipeline_id ? "PIPELINE" : "ORG";
+    const scope = args.pipeline_id || args.agent_id ? "PIPELINE" : "ORG";
     try {
       await createSecret({
         scope,
         pipelineId: args.pipeline_id,
+        agentId: args.agent_id,
         kind,
         key: args.key,
         value: args.value
@@ -9016,7 +9048,11 @@ async function handleSecretsSet(args) {
       };
     } catch (err) {
       if (err.statusCode !== 409) throw err;
-      const existing = (await listSecrets({ pipelineId: args.pipeline_id, kind })).find((e) => e.key === args.key);
+      const existing = (await listSecrets({
+        pipelineId: args.pipeline_id,
+        agentId: args.agent_id,
+        kind
+      })).find((e) => e.key === args.key);
       if (!existing) throw err;
       await updateSecretValue(existing.id, args.value);
       return {
@@ -9143,9 +9179,11 @@ var TOOL_SPECS = [
       description: z2.string().describe("What this agent does, when to use it, and what it does not do"),
       repository: z2.string().optional().describe('Repository to bind to (e.g. "owner/repo-name"). Required if the org has multiple repos connected. Omit if only one repo.'),
       commands: z2.array(z2.object({
-        name: z2.string().describe('Command name (e.g. "compile")'),
+        name: z2.string().describe('Command name \u2014 short, lowercase, hyphenated, matches the concept (e.g. "config", "compile", "test", "package")'),
         run: z2.string().describe('Shell command to execute (e.g. "./gradlew assembleDebug")')
-      })).describe("List of commands this agent can run"),
+      })).describe(
+        'Ordered list of commands. SPLIT NATURAL PHASES INTO SEPARATE COMMANDS \u2014 one concept per command. If you find yourself chaining distinct phases with `&&` (e.g. write a config file THEN build, or compile THEN archive THEN sign), those belong in separate commands. Each command becomes its own step in the check-run output, gets its own duration, and fails the build with a clear "Failed at step X" summary instead of "build step failed" for an 8-minute merged operation. Example: for "write local.properties from secrets, then xcodebuild", use two commands: [{name:"config", run:"printf ... > local.properties"}, {name:"build", run:"xcodebuild ..."}] \u2014 NOT one command that chains both with `&&`.'
+      ),
       overwrite: z2.boolean().optional().describe("Set true to replace a pipeline file that already exists at .ci/pipelines/agent-<name>.yml in the repo. Use this when re-registering an agent \u2014 e.g. the same repo is connected under another org, or a prior registration was deleted without cleaning up the committed file. Do NOT set this when the existing file is hand-authored YAML unrelated to a prior agent."),
       triggers: z2.array(z2.object({
         push_branch: z2.string().optional().describe('Match push events where the pushed branch matches this pattern (glob). Use "*" for any branch.'),
@@ -9191,16 +9229,17 @@ var TOOL_SPECS = [
   },
   {
     name: "invarn_secrets_list",
-    description: "List secret and variable metadata for the organization or a specific pipeline. Returns keys, kinds, scopes, and timestamps \u2014 NEVER values. Use this to check whether a secret exists before calling invarn_agent_run.",
+    description: "List secret and variable metadata for the organization or a specific pipeline. Returns keys, kinds, scopes, and timestamps \u2014 NEVER values. Use this to check whether a secret exists before calling invarn_agent_run. To scope to an agent's pipeline, pass agent_id \u2014 simpler than looking up pipeline_id.",
     inputSchema: {
-      pipeline_id: z2.string().optional().describe("Pipeline ID. Omit for org-scoped entries."),
+      pipeline_id: z2.string().optional().describe("Pipeline ID. Omit for org-scoped entries. Mutually exclusive with agent_id."),
+      agent_id: z2.string().optional().describe("Agent ID \u2014 resolves to the agent's owned pipeline server-side. Mutually exclusive with pipeline_id."),
       kind: z2.enum(["SECRET", "VARIABLE"]).optional().describe("Filter to a specific kind.")
     },
     handler: async (args) => handleSecretsList(args ?? {})
   },
   {
     name: "invarn_secrets_set",
-    description: "Create or update a secret or variable. Idempotent \u2014 if the key already exists at this scope, the value is replaced. Requires a human (inv_human_\u2026) token with OWNER or ADMIN role in the org; agent tokens receive 403. There is no read tool \u2014 values cannot be retrieved via MCP.",
+    description: "Create or update a secret or variable. Idempotent \u2014 if the key already exists at this scope, the value is replaced. Requires a human (inv_human_\u2026) token with OWNER or ADMIN role in the org; agent tokens receive 403. There is no read tool \u2014 values cannot be retrieved via MCP. To target an agent's pipeline, pass agent_id instead of pipeline_id.",
     inputSchema: {
       key: z2.string().describe(
         "Uppercase env-var-safe key (/^[A-Z_][A-Z0-9_]{0,63}$/, not starting with INVARN_)."
@@ -9209,7 +9248,8 @@ var TOOL_SPECS = [
       kind: z2.enum(["SECRET", "VARIABLE"]).describe(
         "SECRET: encrypted at rest, redacted from build logs. VARIABLE: plaintext, visible in dashboard and logs when echoed."
       ),
-      pipeline_id: z2.string().optional().describe("Pipeline ID for a pipeline-scoped entry. Omit for org scope.")
+      pipeline_id: z2.string().optional().describe("Pipeline ID for a pipeline-scoped entry. Omit for org scope. Mutually exclusive with agent_id."),
+      agent_id: z2.string().optional().describe("Agent ID \u2014 resolves to the agent's owned pipeline server-side. Mutually exclusive with pipeline_id. Omit both for org scope.")
     },
     handler: async (args) => handleSecretsSet(args)
   }
@@ -9319,19 +9359,27 @@ function buildHandlers(ctx, getSession) {
       return result;
     },
     invarn_secrets_list: async (args) => {
+      if (args.pipeline_id && args.agent_id) {
+        throw new Error("pass either pipeline_id or agent_id, not both");
+      }
       const entries = await listSecrets({
         pipelineId: args.pipeline_id || void 0,
+        agentId: args.agent_id || void 0,
         kind: args.kind
       });
       return { entries };
     },
     invarn_secrets_set: async (args) => {
+      if (args.pipeline_id && args.agent_id) {
+        throw new Error("pass either pipeline_id or agent_id, not both");
+      }
       const kind = args.kind === "VARIABLE" ? "VARIABLE" : "SECRET";
-      const scope = args.pipeline_id ? "PIPELINE" : "ORG";
+      const scope = args.pipeline_id || args.agent_id ? "PIPELINE" : "ORG";
       try {
         await createSecret({
           scope,
           pipelineId: args.pipeline_id,
+          agentId: args.agent_id,
           kind,
           key: args.key,
           value: args.value
@@ -9339,7 +9387,11 @@ function buildHandlers(ctx, getSession) {
         return { action: "created", key: args.key, kind, scope: scope.toLowerCase() };
       } catch (err) {
         if (err.statusCode !== 409) throw err;
-        const existing = (await listSecrets({ pipelineId: args.pipeline_id, kind })).find((e) => e.key === args.key);
+        const existing = (await listSecrets({
+          pipelineId: args.pipeline_id,
+          agentId: args.agent_id,
+          kind
+        })).find((e) => e.key === args.key);
         if (!existing) throw err;
         await updateSecretValue(existing.id, args.value);
         return { action: "updated", key: args.key, kind, scope: scope.toLowerCase() };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@invarn/cli",
-  "version": "0.2.2",
+  "version": "0.2.4",
   "description": "Invarn CLI — run builds, check artifacts, and ship from your terminal",
   "type": "module",
   "main": "dist/invarn.cjs",