@ninemind/agentgem 0.1.0

package/dist/gem/buildGem.js

@@ -0,0 +1,88 @@
+import { redactMcpConfig } from "./redact.js";
+export function buildGem(inventory, selection, opts = {}) {
+    const artifacts = [];
+    const projects = inventory.projects ?? [];
+    if ("all" in selection && selection.all) {
+        artifacts.push(...inventory.skills, ...inventory.mcpServers, ...inventory.instructions, ...inventory.hooks);
+        for (const p of projects)
+            artifacts.push(...p.skills, ...p.mcpServers, ...p.instructions, ...p.hooks);
+    }
+    else {
+        const sel = selection;
+        for (const n of sel.skills ?? []) {
+            const a = inventory.skills.find((s) => s.name === n);
+            if (!a)
+                throw new Error(`No skill '${n}'. Available: ${inventory.skills.map((s) => s.name).join(", ") || "(none)"}`);
+            artifacts.push(a);
+        }
+        for (const n of sel.mcpServers ?? []) {
+            const a = inventory.mcpServers.find((s) => s.name === n);
+            if (!a)
+                throw new Error(`No MCP server '${n}'. Available: ${inventory.mcpServers.map((s) => s.name).join(", ") || "(none)"}`);
+            artifacts.push(a);
+        }
+        if (sel.includeInstructions)
+            artifacts.push(...inventory.instructions);
+        for (const n of sel.hooks ?? []) {
+            const a = inventory.hooks.find((h) => h.name === n);
+            if (!a)
+                throw new Error(`No hook '${n}'. Available: ${inventory.hooks.map((h) => h.name).join(", ") || "(none)"}`);
+            artifacts.push(a);
+        }
+        for (const [root, ps] of Object.entries(sel.projects ?? {})) {
+            const proj = projects.find((p) => p.root === root);
+            if (!proj)
+                throw new Error(`No project '${root}'. Loaded: ${projects.map((p) => p.root).join(", ") || "(none)"}`);
+            for (const n of ps.skills ?? []) {
+                const a = proj.skills.find((s) => s.name === n);
+                if (!a)
+                    throw new Error(`No skill '${n}' in project '${proj.name}'. Available: ${proj.skills.map((s) => s.name).join(", ") || "(none)"}`);
+                artifacts.push(a);
+            }
+            for (const n of ps.mcpServers ?? []) {
+                const a = proj.mcpServers.find((s) => s.name === n);
+                if (!a)
+                    throw new Error(`No MCP server '${n}' in project '${proj.name}'. Available: ${proj.mcpServers.map((s) => s.name).join(", ") || "(none)"}`);
+                artifacts.push(a);
+            }
+            if (ps.includeInstructions)
+                artifacts.push(...proj.instructions);
+            for (const n of ps.hooks ?? []) {
+                const a = proj.hooks.find((h) => h.name === n);
+                if (!a)
+                    throw new Error(`No hook '${n}' in project '${proj.name}'. Available: ${proj.hooks.map((h) => h.name).join(", ") || "(none)"}`);
+                artifacts.push(a);
+            }
+        }
+    }
+    // Defense in depth: an mcp/hook artifact missing `secretRefs` was never redacted (e.g. it came
+    // from introspectConfig({redact:false}), which the import path uses). Re-redact it before it can
+    // enter the gem. Already-redacted artifacts carry a secretRefs array (possibly empty) and are
+    // left untouched, so this never double-redacts or corrupts existing refs.
+    const guarded = artifacts.map((a) => {
+        if ((a.type === "mcp_server" || a.type === "hook") && a.secretRefs === undefined) {
+            const { config, secrets } = redactMcpConfig(a.config);
+            return { ...a, config, secretRefs: secrets };
+        }
+        return a;
+    });
+    artifacts.length = 0;
+    artifacts.push(...guarded);
+    const requiredSecrets = [];
+    for (const a of artifacts) {
+        if ((a.type === "mcp_server" || a.type === "hook") && a.secretRefs) {
+            for (const ref of a.secretRefs)
+                requiredSecrets.push({ name: ref.name, artifact: a.name, location: ref.location });
+        }
+    }
+    // Embed operator checks, but run each through redaction first: a check's task/setup is
+    // operator-authored test data and must not smuggle a raw secret into the shared gem.
+    const checks = (opts.checks ?? []).map((c) => redactMcpConfig(c).config);
+    return {
+        name: opts.name ?? "gem",
+        createdFrom: opts.createdFrom ?? "unknown",
+        artifacts,
+        checks,
+        requiredSecrets,
+    };
+}

package/dist/gem/checks.js

@@ -0,0 +1,28 @@
+export const RUNNER_REGISTRY = {
+    skillspector: {
+        id: "skillspector",
+        consumes: "gem-as-directory", // Gem materializes to a dir of SKILL.md + config
+        resultShape: "score+findings",
+        defaultWith: { failAboveRisk: 40 },
+    },
+};
+export function scaffoldChecks(gem) {
+    const skills = gem.artifacts.filter((a) => a.type === "skill");
+    const lead = skills[0];
+    const intent = lead?.description ?? lead?.name ?? "the bundled capability";
+    const checks = [
+        {
+            kind: "behavioral",
+            name: "smoke",
+            description: "Draft — edit the task and add assertions before relying on this check.",
+            task: `Using this gem, ${intent}. Then report what you did.`,
+            assertions: [], // stubs: meaningful deterministic assertions are operator-authored
+            timeoutSec: 300,
+        },
+    ];
+    if (skills.length) {
+        const reg = RUNNER_REGISTRY.skillspector;
+        checks.push({ kind: "external", name: "security-scan", runner: reg.id, with: { ...reg.defaultWith } });
+    }
+    return checks;
+}

package/dist/gem/credentials.js

@@ -0,0 +1,34 @@
+// src/gem/credentials.ts
+// Server-side credentials the deploy/publish backends gate on (Claude Managed → ANTHROPIC_API_KEY,
+// eve → VERCEL_TOKEN, flue → CLOUDFLARE_API_TOKEN). These are agentgem-SERVER secrets — the machine's
+// own auth — NOT Gem artifacts. They never enter a Gem; they are set in the running process and
+// persisted (plaintext, 0600) to ~/.agentgem/.env so they survive a restart.
+import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { agentgemHome } from "../resolveDir.js";
+// Only these keys may be set/persisted via the API — never arbitrary env vars.
+export const CREDENTIAL_KEYS = ["ANTHROPIC_API_KEY", "VERCEL_TOKEN", "CLOUDFLARE_API_TOKEN"];
+export function credentialsEnvPath(home = agentgemHome()) {
+    return join(home, ".agentgem", ".env");
+}
+// Upsert KEY=value in ~/.agentgem/.env (created 0600) and set it in the running process so the next
+// deploy picks it up without a restart. Rejects empty/multi-line values (would corrupt the .env).
+export function setCredential(key, value, home = agentgemHome()) {
+    const v = value.trim();
+    if (!v)
+        throw new Error("credential value is empty");
+    if (/[\r\n]/.test(v))
+        throw new Error("credential value must be a single line");
+    process.env[key] = v;
+    const abs = credentialsEnvPath(home);
+    const kept = (existsSync(abs) ? readFileSync(abs, "utf8") : "")
+        .split("\n")
+        .filter((l) => l.trim().length > 0 && !l.startsWith(`${key}=`));
+    kept.push(`${key}=${v}`);
+    mkdirSync(dirname(abs), { recursive: true });
+    writeFileSync(abs, kept.join("\n") + "\n", "utf8");
+    try {
+        chmodSync(abs, 0o600);
+    }
+    catch { /* best-effort on platforms without POSIX modes */ }
+}

package/dist/gem/deploy.js

@@ -0,0 +1,35 @@
+import { renderManagedAgent } from "./publish.js";
+import { publishManagedAgent, publishManagedAgentOnce, anthropicPublishClient } from "../publish.js";
+import { previewAgentcorePublish, deployAgentcorePublish, agentcorePublishReady } from "./agentcorePublish.js";
+const managedAgentPreview = (gem) => {
+    const r = renderManagedAgent(gem);
+    return { kind: "managed-agent", payload: r.payload, skillsToRegister: r.skillsToRegister.map((s) => s.name), skipped: r.skipped, vaultSecrets: r.vaultSecrets };
+};
+export const DEPLOY_REGISTRY = {
+    "claude-managed": {
+        id: "claude-managed",
+        label: "Claude Managed Agents",
+        preview: managedAgentPreview,
+        ready: () => !!process.env.ANTHROPIC_API_KEY,
+        deploy: async (gem, requestId) => {
+            const key = process.env.ANTHROPIC_API_KEY;
+            if (!key)
+                throw new Error("ANTHROPIC_API_KEY is not set on the server — cannot deploy to Claude Managed Agents.");
+            // The idempotency fingerprint relies on buildGem's stable ordering: identical retries must
+            // serialize to the same string, so don't make buildGem ordering non-deterministic.
+            const r = await publishManagedAgentOnce(requestId, JSON.stringify(gem), () => publishManagedAgent(gem, anthropicPublishClient(key)));
+            return { kind: "managed-agent", ...r };
+        },
+    },
+    "agentcore-managed": {
+        id: "agentcore-managed",
+        label: "AgentCore Harness",
+        preview: previewAgentcorePublish,
+        ready: agentcorePublishReady,
+        deploy: (gem, requestId) => deployAgentcorePublish(gem, requestId),
+    },
+};
+export const deployTargetIds = Object.keys(DEPLOY_REGISTRY);
+export function deployTargetList() {
+    return deployTargetIds.map((id) => ({ id, label: DEPLOY_REGISTRY[id].label, ready: DEPLOY_REGISTRY[id].ready() }));
+}

package/dist/gem/deployRecord.js

@@ -0,0 +1,24 @@
+// src/gem/deployRecord.ts
+import { existsSync, mkdirSync, readFileSync, writeFileSync, rmSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { workspaceDir } from "./workspaces.js";
+function recPath(name, backend) {
+    return join(workspaceDir(name), ".deploy", `${backend}.json`);
+}
+export function writeDeployRecord(name, rec) {
+    const abs = recPath(name, rec.backend);
+    mkdirSync(dirname(abs), { recursive: true });
+    writeFileSync(abs, JSON.stringify(rec, null, 2) + "\n", "utf8");
+}
+export function readDeployRecord(name, backend) {
+    const abs = recPath(name, backend);
+    try {
+        return existsSync(abs) ? JSON.parse(readFileSync(abs, "utf8")) : null;
+    }
+    catch {
+        return null;
+    }
+}
+export function clearDeployRecord(name, backend) {
+    rmSync(recPath(name, backend), { force: true });
+}

package/dist/gem/introspect.js

@@ -0,0 +1,247 @@
+// src/gem/introspect.ts
+import { existsSync, readFileSync, readdirSync } from "node:fs";
+import { basename, join } from "node:path";
+import { homedir } from "node:os";
+import { redactMcpConfig } from "./redact.js";
+import { parseTomlMcpServers } from "./toml.js";
+function isObj(v) {
+    return !!v && typeof v === "object" && !Array.isArray(v);
+}
+function readJson(path) {
+    try {
+        return JSON.parse(readFileSync(path, "utf8"));
+    }
+    catch {
+        return undefined;
+    }
+}
+function parseFrontmatter(content) {
+    const m = content.match(/^---\n([\s\S]*?)\n---/);
+    if (!m)
+        return { internal: false };
+    const fm = m[1];
+    const description = fm.match(/^description:\s*(.+)$/m)?.[1]?.trim();
+    const internal = /^\s*internal:\s*true\s*$/m.test(fm);
+    return { description, internal };
+}
+function inferTransport(config) {
+    if (typeof config.url === "string")
+        return config.type === "sse" ? "sse" : "http";
+    return "stdio";
+}
+// Read <skillsRoot>/<name>/<file> skills. `files` lists the candidate body filenames to try
+// in order (Claude/Codex/Agents use SKILL.md; Hermes uses DESCRIPTION.md).
+function readSkillsDir(skillsRoot, source, files = ["SKILL.md"]) {
+    const out = [];
+    if (!existsSync(skillsRoot))
+        return out;
+    let names;
+    try {
+        names = readdirSync(skillsRoot);
+    }
+    catch {
+        return out;
+    }
+    for (const name of names) {
+        const skillMd = files.map((f) => join(skillsRoot, name, f)).find((p) => existsSync(p));
+        if (!skillMd)
+            continue;
+        try {
+            const content = readFileSync(skillMd, "utf8");
+            const { description, internal } = parseFrontmatter(content);
+            if (internal)
+                continue;
+            out.push({ type: "skill", name, description, source, content });
+        }
+        catch {
+            // skip unreadable skill
+        }
+    }
+    return out;
+}
+// Read each file directly under <rulesRoot> as an instructions artifact (Codex keeps its
+// global instructions as rules files, e.g. ~/.codex/rules/default.rules).
+function readRulesDir(rulesRoot) {
+    const out = [];
+    if (!existsSync(rulesRoot))
+        return out;
+    let names;
+    try {
+        names = readdirSync(rulesRoot);
+    }
+    catch {
+        return out;
+    }
+    for (const file of names) {
+        try {
+            out.push({ type: "instructions", name: `codex:rules/${file}`, content: readFileSync(join(rulesRoot, file), "utf8") });
+        }
+        catch {
+            // skip subdirectories / unreadable files
+        }
+    }
+    return out;
+}
+function serversToArtifacts(servers, source, redact = true) {
+    return Object.entries(servers).map(([name, cfg]) => {
+        const config = isObj(cfg) ? cfg : {};
+        if (!redact)
+            return { type: "mcp_server", name, transport: inferTransport(config), config, source };
+        const { config: redacted, secrets } = redactMcpConfig(config);
+        return { type: "mcp_server", name, transport: inferTransport(config), config: redacted, source, secretRefs: secrets };
+    });
+}
+function serversFromMcpJson(parsed) {
+    if (!isObj(parsed))
+        return {};
+    if (isObj(parsed.mcpServers))
+        return parsed.mcpServers;
+    return parsed;
+}
+// Turn a config's `.hooks` event map into per-(event, matcher) artifacts. Works for both
+// settings.json (user/project) and a plugin's hooks/hooks.json — both nest under `.hooks`.
+// Each group object is redacted (defense; near-no-op for command strings).
+function hooksFromConfig(parsed, source, redact = true) {
+    const out = [];
+    if (!isObj(parsed) || !isObj(parsed.hooks))
+        return out;
+    for (const [event, groups] of Object.entries(parsed.hooks)) {
+        if (!Array.isArray(groups))
+            continue;
+        for (const g of groups) {
+            if (!isObj(g))
+                continue;
+            const matcher = typeof g.matcher === "string" && g.matcher.length ? g.matcher : undefined;
+            if (!redact) {
+                out.push({ type: "hook", name: `${event}${matcher ? ` · ${matcher}` : ""}`, event, matcher, config: g, source });
+                continue;
+            }
+            const { config: redacted, secrets } = redactMcpConfig(g);
+            out.push({ type: "hook", name: `${event}${matcher ? ` · ${matcher}` : ""}`, event, matcher, config: redacted, source, secretRefs: secrets });
+        }
+    }
+    return out;
+}
+// Hooks are selected by name, so make names unique across sources: a collided name gets its
+// source appended (and an index if the source collides too).
+function uniqueHookNames(hooks) {
+    const counts = {};
+    hooks.forEach((h) => (counts[h.name] = (counts[h.name] || 0) + 1));
+    const idx = {};
+    return hooks.map((h) => {
+        if (counts[h.name] === 1)
+            return h;
+        idx[h.name] = (idx[h.name] || 0) + 1;
+        return { ...h, name: `${h.name} (${h.source})${idx[h.name] > 1 ? ` #${idx[h.name]}` : ""}` };
+    });
+}
+function dedupByName(items) {
+    const seen = new Set();
+    const out = [];
+    for (const it of items) {
+        if (seen.has(it.name))
+            continue;
+        seen.add(it.name);
+        out.push(it);
+    }
+    return out;
+}
+export function introspectConfig(opts = {}) {
+    const redact = opts.redact ?? true;
+    const claudeDir = opts.claudeDir ?? join(homedir(), ".claude");
+    const agentDir = opts.agentDir ?? join(homedir(), ".agents", "skills");
+    const codexDir = opts.codexDir ?? join(homedir(), ".codex");
+    const hermesDir = opts.hermesDir ?? join(homedir(), ".hermes");
+    const skillList = [];
+    const mcpList = [];
+    const hookList = [];
+    skillList.push(...readSkillsDir(join(claudeDir, "skills"), "standalone"));
+    const settings = readJson(join(claudeDir, "settings.json"));
+    if (isObj(settings) && isObj(settings.mcpServers)) {
+        mcpList.push(...serversToArtifacts(settings.mcpServers, "user", redact));
+    }
+    mcpList.push(...serversToArtifacts(serversFromMcpJson(readJson(join(claudeDir, ".mcp.json"))), "user", redact));
+    hookList.push(...hooksFromConfig(settings, "user", redact));
+    const enabled = isObj(settings) && isObj(settings.enabledPlugins) ? settings.enabledPlugins : {};
+    const installed = readJson(join(claudeDir, "plugins", "installed_plugins.json"));
+    const pluginsMap = isObj(installed) && isObj(installed.plugins) ? installed.plugins : {};
+    for (const [key, entry] of Object.entries(pluginsMap)) {
+        if (enabled[key] !== true)
+            continue;
+        const installPath = Array.isArray(entry) && isObj(entry[0]) ? entry[0].installPath : undefined;
+        if (!installPath || typeof installPath !== "string")
+            continue;
+        const source = `plugin:${key}`;
+        mcpList.push(...serversToArtifacts(serversFromMcpJson(readJson(join(installPath, ".mcp.json"))), source, redact));
+        skillList.push(...readSkillsDir(join(installPath, "skills"), source));
+        hookList.push(...hooksFromConfig(readJson(join(installPath, "hooks", "hooks.json")), source, redact));
+    }
+    skillList.push(...readSkillsDir(agentDir, "agent"));
+    // Source 5: Codex skills (~/.codex/skills)
+    skillList.push(...readSkillsDir(join(codexDir, "skills"), "codex"));
+    // Source 6: Hermes skills (~/.hermes/skills/<name>/DESCRIPTION.md, some SKILL.md).
+    // Hermes secrets (.env, auth.json, config.yaml) are never read.
+    skillList.push(...readSkillsDir(join(hermesDir, "skills"), "hermes", ["SKILL.md", "DESCRIPTION.md"]));
+    const instructions = [];
+    const claudeMd = join(claudeDir, "CLAUDE.md");
+    if (existsSync(claudeMd)) {
+        try {
+            instructions.push({ type: "instructions", name: "CLAUDE.md", content: readFileSync(claudeMd, "utf8") });
+        }
+        catch {
+            // skip unreadable CLAUDE.md
+        }
+    }
+    // Codex rules (~/.codex/rules/*) as instructions
+    instructions.push(...readRulesDir(join(codexDir, "rules")));
+    // Hermes persona (~/.hermes/SOUL.md) as instructions
+    const soul = join(hermesDir, "SOUL.md");
+    if (existsSync(soul)) {
+        try {
+            instructions.push({ type: "instructions", name: "SOUL.md", content: readFileSync(soul, "utf8") });
+        }
+        catch {
+            // skip unreadable SOUL.md
+        }
+    }
+    return { skills: dedupByName(skillList), mcpServers: dedupByName(mcpList), instructions, hooks: uniqueHookNames(hookList) };
+}
+// Discover PROJECT-level artifacts under a chosen project root, tagged source "project".
+// Kept separate from the global inventory (its own group, its own selection namespace) so a
+// project artifact never collides with a same-named global one.
+export function introspectProject(root) {
+    const skills = [];
+    const mcp = [];
+    const instructions = [];
+    const hooks = [];
+    skills.push(...readSkillsDir(join(root, ".claude", "skills"), "project"));
+    skills.push(...readSkillsDir(join(root, ".agents", "skills"), "project"));
+    const settings = readJson(join(root, ".claude", "settings.json"));
+    if (isObj(settings) && isObj(settings.mcpServers))
+        mcp.push(...serversToArtifacts(settings.mcpServers, "project"));
+    mcp.push(...serversToArtifacts(serversFromMcpJson(readJson(join(root, ".mcp.json"))), "project"));
+    hooks.push(...hooksFromConfig(settings, "project"));
+    hooks.push(...hooksFromConfig(readJson(join(root, ".claude", "hooks", "hooks.json")), "project"));
+    // Hermes project skills (nested-flat: .hermes/skills/<n>/DESCRIPTION.md|SKILL.md)
+    skills.push(...readSkillsDir(join(root, ".hermes", "skills"), "project", ["DESCRIPTION.md", "SKILL.md"]));
+    // Codex project MCP (.codex/config.toml [mcp_servers])
+    const codexToml = join(root, ".codex", "config.toml");
+    if (existsSync(codexToml)) {
+        try {
+            mcp.push(...serversToArtifacts(parseTomlMcpServers(readFileSync(codexToml, "utf8")), "project"));
+        }
+        catch { /* skip unparseable codex config */ }
+    }
+    for (const rel of ["CLAUDE.md", "AGENTS.md", join(".hermes", "SOUL.md")]) {
+        const p = join(root, rel);
+        if (existsSync(p)) {
+            try {
+                instructions.push({ type: "instructions", name: basename(rel), content: readFileSync(p, "utf8") });
+            }
+            catch {
+                // skip unreadable instructions file
+            }
+        }
+    }
+    return { root, name: basename(root), skills: dedupByName(skills), mcpServers: dedupByName(mcp), instructions, hooks: uniqueHookNames(hooks) };
+}

package/dist/gem/mcpProxy.js

@@ -0,0 +1,53 @@
+// src/gem/mcpProxy.ts
+// Shared, target-agnostic generator for a stdio->Streamable-HTTP MCP proxy runner. A url-only
+// target (Eve today) can't connect to a stdio (command) MCP server directly; instead we emit a
+// self-contained runner the operator launches where the agent runs. It spawns the stdio server and
+// re-serves it over HTTP, so the agent connects to http://localhost:<port>/mcp.
+//
+// agentgem only RENDERS the script (pure text — no @modelcontextprotocol/sdk dependency here); the
+// operator installs the SDK where they run it. Secrets are never embedded: the proxy passes the
+// operator's environment through to the spawned server, and the file lists the env-var names needed.
+export const PROXY_BASE_PORT = 7800;
+export const PROXY_HOST = "127.0.0.1";
+const commentText = (value) => value.replace(/[\r\n\u2028\u2029]/g, " ");
+export function stdioProxyRunner(name, command, args, secretEnvs, port) {
+    const safeName = commentText(name);
+    const secretNote = secretEnvs.length
+        ? `// Set these env vars before running (the underlying server reads them): ${commentText(secretEnvs.join(", "))}\n`
+        : "";
+    return `#!/usr/bin/env node
+// Auto-generated by agentgem — stdio->HTTP MCP proxy for ${JSON.stringify(name)}.
+// Run it alongside your agent:  node agent/proxies/${safeName}.mjs
+// Install where you run it:     npm i @modelcontextprotocol/sdk express
+${secretNote}import express from "express";
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import {
+  ListToolsRequestSchema, CallToolRequestSchema,
+  ListPromptsRequestSchema, GetPromptRequestSchema,
+  ListResourcesRequestSchema, ReadResourceRequestSchema,
+} from "@modelcontextprotocol/sdk/types.js";
+
+// Connect to the real stdio MCP server (inherits this process's env for any secrets it needs).
+const upstream = new Client({ name: "agentgem-proxy", version: "1.0.0" }, { capabilities: {} });
+await upstream.connect(new StdioClientTransport({ command: ${JSON.stringify(command)}, args: ${JSON.stringify(args)}, env: process.env }));
+
+// Re-serve it over Streamable HTTP, forwarding the standard MCP methods to the upstream client.
+const server = new Server({ name: ${JSON.stringify(name)}, version: "1.0.0" }, { capabilities: { tools: {}, prompts: {}, resources: {} } });
+server.setRequestHandler(ListToolsRequestSchema, () => upstream.listTools());
+server.setRequestHandler(CallToolRequestSchema, (r) => upstream.callTool(r.params));
+server.setRequestHandler(ListPromptsRequestSchema, () => upstream.listPrompts());
+server.setRequestHandler(GetPromptRequestSchema, (r) => upstream.getPrompt(r.params));
+server.setRequestHandler(ListResourcesRequestSchema, () => upstream.listResources());
+server.setRequestHandler(ReadResourceRequestSchema, (r) => upstream.readResource(r.params));
+
+const transport = new StreamableHTTPServerTransport({ sessionIdGenerator: undefined });
+await server.connect(transport);
+const app = express();
+app.use(express.json());
+app.all("/mcp", (req, res) => transport.handleRequest(req, res, req.body));
+app.listen(${port}, ${JSON.stringify(PROXY_HOST)}, () => console.error(${JSON.stringify(`[agentgem proxy] ${name} -> http://${PROXY_HOST}:${port}/mcp`)}));
+`;
+}

package/dist/gem/publish.js

@@ -0,0 +1,58 @@
+export const MANAGED_AGENTS_MODEL = "claude-opus-4-8";
+const MAX_SKILLS = 20;
+const MAX_MCP = 20;
+export function renderManagedAgent(gem) {
+    const skipped = [];
+    const skills = gem.artifacts.filter((a) => a.type === "skill");
+    const mcp = gem.artifacts.filter((a) => a.type === "mcp_server");
+    const instr = gem.artifacts.filter((a) => a.type === "instructions");
+    const hooks = gem.artifacts.filter((a) => a.type === "hook");
+    // instructions -> system prompt (## <name>); skills are NOT inlined — they become Agent Skills.
+    const system = instr.map((i) => `## ${i.name}\n\n${i.content}`).join("\n\n---\n\n");
+    // skills -> custom skills to register (cap 20)
+    const skillsToRegister = [];
+    for (const s of skills) {
+        if (skillsToRegister.length >= MAX_SKILLS) {
+            skipped.push({ artifact: s.name, type: "skill", reason: "exceeds the Managed Agents 20-skill cap" });
+            continue;
+        }
+        skillsToRegister.push({ name: s.name, content: s.content });
+    }
+    // mcp -> mcp_servers (URL transport only; stdio has no endpoint), cap 20
+    const mcp_servers = [];
+    const mappedMcpNames = new Set();
+    for (const m of mcp) {
+        if (m.transport === "stdio") {
+            skipped.push({ artifact: m.name, type: "mcp_server", reason: "stdio MCP unsupported on Managed Agents (needs a URL endpoint)" });
+            continue;
+        }
+        const url = typeof m.config.url === "string" ? m.config.url : "";
+        // Require a real http(s) endpoint. A redaction-stripped or malformed url (e.g. "<redacted>"
+        // from a token-bearing query string) must not ship a broken server entry.
+        if (!/^https?:\/\//.test(url)) {
+            skipped.push({ artifact: m.name, type: "mcp_server", reason: url ? `${m.transport} MCP url is not a usable https endpoint (redacted or malformed)` : `${m.transport} MCP has no url` });
+            continue;
+        }
+        if (mappedMcpNames.has(m.name)) {
+            skipped.push({ artifact: m.name, type: "mcp_server", reason: "duplicate Managed Agents MCP server name" });
+            continue;
+        }
+        if (mcp_servers.length >= MAX_MCP) {
+            skipped.push({ artifact: m.name, type: "mcp_server", reason: "exceeds Managed Agents 20-server cap" });
+            continue;
+        }
+        mcp_servers.push({ type: "url", name: m.name, url });
+        mappedMcpNames.add(m.name);
+    }
+    // hooks -> no Managed Agents equivalent
+    for (const h of hooks)
+        skipped.push({ artifact: h.name, type: "hook", reason: "hooks have no Managed Agents equivalent" });
+    const tools = [
+        { type: "agent_toolset_20260401" },
+        ...mcp_servers.map((s) => ({ type: "mcp_toolset", mcp_server_name: s.name })),
+    ];
+    // Only surface vault secrets for MCP servers that actually mapped.
+    const mappedNames = new Set(mcp_servers.map((m) => m.name));
+    const vaultSecrets = gem.requiredSecrets.filter((s) => mappedNames.has(s.artifact));
+    return { payload: { name: gem.name, model: MANAGED_AGENTS_MODEL, system, mcp_servers, tools }, skillsToRegister, skipped, vaultSecrets };
+}

package/dist/gem/recents.js

@@ -0,0 +1,39 @@
+// src/gem/recents.ts
+// Persisted "testbeds you've opened in agentgem" — a small JSON list under ~/.agentgem.
+// Pure store: takes an explicit home dir, computes no fs-existence (the endpoint adds that).
+import { mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+const CAP = 10;
+function recentsFile(home) {
+    return join(home, ".agentgem", "recents.json");
+}
+function isEntry(v) {
+    const e = v;
+    return !!e && typeof e.path === "string" && typeof e.flavor === "string"
+        && typeof e.name === "string" && typeof e.lastUsed === "string";
+}
+export function readRecents(home) {
+    try {
+        const parsed = JSON.parse(readFileSync(recentsFile(home), "utf8"));
+        return Array.isArray(parsed) ? parsed.filter(isEntry) : [];
+    }
+    catch {
+        return [];
+    }
+}
+// Move/insert `e` at the front (deduped by path), stamp lastUsed, cap, persist.
+// Best-effort write: a non-writable ~/.agentgem must not break opening a testbed.
+export function upsertRecent(home, e) {
+    const entry = { ...e, lastUsed: new Date().toISOString() };
+    const rest = readRecents(home).filter((r) => r.path !== entry.path);
+    const next = [entry, ...rest].slice(0, CAP);
+    try {
+        const abs = recentsFile(home);
+        mkdirSync(dirname(abs), { recursive: true });
+        writeFileSync(abs, JSON.stringify(next, null, 2) + "\n", "utf8");
+    }
+    catch {
+        console.warn(`agentgem: could not write recents to ${recentsFile(home)}`);
+    }
+    return next;
+}

package/dist/gem/redact.js

@@ -0,0 +1,42 @@
+const SECRET_RE = /(api[_-]?key|token|secret|password|passwd|bearer|sk-|ghp_|gho_|xox[a-z]-|credential)/i;
+// A long, special-char-free token (no spaces, slashes, or dots) is almost
+// certainly a secret; long sentences/paths/urls contain those characters.
+function isHighEntropyToken(s) {
+    return s.length >= 32 && /^[A-Za-z0-9_-]+$/.test(s);
+}
+function redactNode(node, underSecretMap, path, key, secrets) {
+    if (typeof node === "string") {
+        const keyIsSecret = key !== undefined && SECRET_RE.test(key);
+        // Value-content heuristics are prose-safe: prose uses words like "bearer" or "token"
+        // legitimately (e.g. "test bearer authentication flow"), so SECRET_RE on the whole string
+        // would produce false positives. Instead:
+        //   • Whitespace-free string: treat the whole value as a single token (existing behaviour).
+        //   • Multi-word string: only flag it if ANY individual whitespace-free token is high-entropy
+        //     (e.g. "use token ghp_abcdefghijklmnopqrstuvwxyz0123" → ghp_… triggers isHighEntropyToken).
+        const isWhitespaceFree = !/\s/.test(node);
+        const looksLikeToken = isWhitespaceFree
+            ? SECRET_RE.test(node) || isHighEntropyToken(node)
+            : node.split(/\s+/).some((t) => t.length > 0 && isHighEntropyToken(t));
+        if (underSecretMap || keyIsSecret || looksLikeToken) {
+            secrets.push({ name: key ?? path, location: path });
+            return "<redacted>";
+        }
+        return node;
+    }
+    if (Array.isArray(node))
+        return node.map((x, i) => redactNode(x, underSecretMap, `${path}[${i}]`, key, secrets));
+    if (node && typeof node === "object") {
+        const out = {};
+        for (const [k, v] of Object.entries(node)) {
+            const secretMap = underSecretMap || k === "env" || k === "headers";
+            out[k] = redactNode(v, secretMap, path ? `${path}.${k}` : k, k, secrets);
+        }
+        return out;
+    }
+    return node;
+}
+export function redactMcpConfig(config) {
+    const secrets = [];
+    const redacted = redactNode(config, false, "", undefined, secrets);
+    return { config: redacted, secrets };
+}