@oisincoveney/pipeline 1.9.0 → 1.10.1

package/README.md

@@ -10,7 +10,7 @@ artifacts.
 
 - Bun 1.1 or newer
 - Node.js 22.13 or newer
-- `npx`, `backlog`, `uvx`, and Docker on `PATH` for default skill and MCP setup
+- `npx`, `backlog`, `uvx`, and Docker on `PATH` for default skills and MCP setup
 - At least one configured runner CLI on `PATH`: `codex`, `claude`,
   `opencode`, `kimi`, `pi`, or a declared command runner
 
@@ -28,11 +28,13 @@ Scaffold the default YAML workflow:
 pipe init
 ```
 
-`pipe init` installs default skills with the `skills` CLI and registers default
-MCP servers with the MCPM CLI from https://mcpm.sh/. The package invokes MCPM
-through `uvx --python 3.12 mcpm`, so generated `.mcp.json` entries do not depend
-on a globally installed `mcpm` binary. The default Qdrant/memory MCP is the
-Momokaya remote endpoint
+`pipe init` installs default project skills with
+`npx skills add oisincoveney/skills` and registers default MCP servers with the
+MCPM CLI from https://mcpm.sh/. Default profiles point at the installed
+`.agents/skills/<skill>/SKILL.md` files in the target repository. The package
+invokes MCPM through `uvx --python 3.12 mcpm`, so generated `.mcp.json` entries
+do not depend on a globally installed `mcpm` binary. The default Qdrant/memory
+MCP is the Momokaya remote endpoint
 `https://memory-mcp.momokaya.ee/mcp/`.
 
 The default GitHub MCP registration uses GitHub's official container in
@@ -107,6 +109,21 @@ pipe "Implement PIPE-123 user-facing behavior"
 Use `PIPELINE_TARGET_PATH=/path/to/worktree` when invoking from outside the
 target repository.
 
+## Pipeline Console Runner Image
+
+`oisin-pipeline` is also the runner package/image used by `pipeline-console`.
+The console owns Kubernetes Job creation, run listing, cancellation, event
+storage, Kueue discovery, and UI rendering. This package owns the in-container
+`runner-job` command: payload validation, existing runtime invocation, event
+translation, authenticated event posting, signal cancellation, and final event
+flushing.
+
+The console starts the image with `OISIN_PIPELINE_RUNNER_PAYLOAD_JSON` and the
+runner-side event token. The payload contract is documented in
+[`docs/pipeline-console-runner-contract.md`](docs/pipeline-console-runner-contract.md).
+Use `PIPELINE_TARGET_PATH=/path/to/worktree` when the checked-out target repo is
+mounted somewhere other than the process working directory.
+
 ## Minimal YAML
 
 `.pipeline/runners.yaml`:
@@ -259,9 +276,10 @@ branches share a base SHA, and merges passing branches into an integration
 branch in declaration order. It reports merge conflicts; it does not resolve
 them automatically.
 
-The `thermo-nuclear-code-quality-review` skill is installed from
-`cursor/plugins` and registered at
-`.agents/skills/thermo-nuclear-code-quality-review/SKILL.md`.
+Default profile skills are installed into `.agents/skills` by `pipe init`.
+Runtime MCP projection and host-specific isolation policy live in `src/mcp`; see
+[`docs/mcp-host-isolation.md`](docs/mcp-host-isolation.md) and
+[`docs/mcp-gateway.md`](docs/mcp-gateway.md).
 
 ## Generated Host Resources
 

package/defaults/install-manifest.json

@@ -2,45 +2,8 @@
   "version": 1,
   "skills": [
     {
-      "source": "obra/superpowers",
-      "skills": [
-        "using-superpowers",
-        "writing-plans",
-        "dispatching-parallel-agents",
-        "requesting-code-review",
-        "receiving-code-review",
-        "verification-before-completion"
-      ]
-    },
-    {
-      "source": "addyosmani/agent-skills",
-      "skills": [
-        "context-engineering",
-        "source-driven-development",
-        "spec-driven-development",
-        "planning-and-task-breakdown",
-        "test-driven-development",
-        "incremental-implementation",
-        "debugging-and-error-recovery",
-        "code-review-and-quality",
-        "doubt-driven-development",
-        "security-and-hardening",
-        "performance-optimization",
-        "documentation-and-adrs",
-        "deprecation-and-migration"
-      ]
-    },
-    {
-      "source": "cursor/plugins",
-      "skills": ["thermo-nuclear-code-quality-review"]
-    },
-    {
-      "source": "trailofbits/skills",
-      "skills": ["semgrep", "supply-chain-risk-auditor"]
-    },
-    {
-      "source": "vercel-labs/agent-skills",
-      "skills": ["vercel-react-best-practices", "web-design-guidelines"]
+      "source": "oisincoveney/skills",
+      "args": ["--agent", "codex", "--skill", "*", "--yes", "--copy"]
     }
   ],
   "mcps": [

package/dist/config.js

@@ -1,5 +1,6 @@
+import { resolveFileReference } from "./path-refs.js";
 import { existsSync, readFileSync } from "node:fs";
-import { isAbsolute, join } from "node:path";
+import { join } from "node:path";
 import { parseDocument } from "yaml";
 import { z } from "zod";
 //#region src/config.ts
@@ -428,7 +429,7 @@ function resolveMcpServerRef(id, ref, projectRoot) {
 		path: `mcp_servers.${id}.ref.path`,
 		message: "MCP server refs require a project root"
 	}]);
-	const filePath = isAbsolute(ref.path) ? ref.path : join(projectRoot, ref.path);
+	const filePath = resolveFileReference(projectRoot, ref.path);
 	if (!existsSync(filePath)) throw validationError([{
 		path: `mcp_servers.${id}.ref.path`,
 		message: `referenced MCP config file '${ref.path}' does not exist`
@@ -655,7 +656,7 @@ function validateListCapability(path, requested, supported, label, issues) {
 }
 function validatePath(path, value, projectRoot, issues, options = {}) {
 	if (!(value && projectRoot)) return;
-	if (!existsSync(join(projectRoot, value))) {
+	if (!existsSync(resolveFileReference(projectRoot, value))) {
 		if (options.allowMissingLintFileReferences && isLintableMissingFileReferencePath(path)) return;
 		issues.push({
 			path,

package/dist/index.js

@@ -2,9 +2,11 @@
 import { PipelineConfigError, loadPipelineConfig, tryLoadPipelineConfig } from "./config.js";
 import { compileWorkflowPlan } from "./workflow-planner.js";
 import { formatInstallCommandsResult, installCommands, parseCommandHost } from "./install-commands.js";
-import { DEFAULT_MCPM_ARGS, formatPipelineInitResult, initPipelineProject } from "./pipeline-init.js";
 import { createOrchestratorLaunchPlan, createRunnerLaunchPlan } from "./runner.js";
 import { formatConfigError, runPipelineFromConfig } from "./pipeline-runtime.js";
+import { runKubernetesRunnerJob } from "./kubernetes-runner.js";
+import { DEFAULT_MCPM_ARGS } from "./mcp/bootstrap.js";
+import { formatPipelineInitResult, initPipelineProject } from "./pipeline-init.js";
 import { existsSync, realpathSync } from "node:fs";
 import { resolve } from "node:path";
 import { fileURLToPath } from "node:url";
@@ -146,10 +148,11 @@ const BUILTIN_PIPE_COMMANDS = new Set([
 	"explain-plan",
 	"doctor",
 	"init",
-	"install-commands"
+	"install-commands",
+	"runner-job"
 ]);
 function createCliProgram() {
-	const configuredPipeline = tryLoadPipelineConfig(process.env.PIPELINE_TARGET_PATH ?? process.cwd(), { allowMissingLintFileReferences: true });
+	const configuredPipeline = tryLoadConfiguredEntrypoints(process.env.PIPELINE_TARGET_PATH ?? process.cwd());
 	const program = new Command();
 	program.name("@oisincoveney/pipeline").description("Run and install the oisin pipeline").exitOverride();
 	const runAction = async (descriptionParts, flags) => {
@@ -200,6 +203,10 @@ function createCliProgram() {
 		});
 		console.log(formatInstallCommandsResult(result));
 	});
+	program.command("runner-job").description("Run an in-pod pipeline runner job from the console payload").action(async () => {
+		const exitCode = await runKubernetesRunnerJob();
+		process.exitCode = exitCode;
+	});
 	const configuredEntrypointCommands = registerConfiguredEntrypointCommands(program, configuredPipeline);
 	if (configuredEntrypointCommands.size > 0) program.configureHelp({ subcommandTerm(command) {
 		if (configuredEntrypointCommands.has(command.name())) return command.name();
@@ -207,6 +214,14 @@ function createCliProgram() {
 	} });
 	return program;
 }
+function tryLoadConfiguredEntrypoints(cwd) {
+	try {
+		return tryLoadPipelineConfig(cwd, { allowMissingLintFileReferences: true });
+	} catch (err) {
+		if (err instanceof PipelineConfigError) return null;
+		throw err;
+	}
+}
 function registerConfiguredEntrypointCommands(program, config) {
 	const registered = /* @__PURE__ */ new Set();
 	if (!config) return registered;
@@ -380,6 +395,10 @@ function normalizeEntrypointPath(path) {
 }
 if (isCliEntrypoint(process.argv)) runCli(process.argv).catch((err) => {
 	if (err instanceof CommanderError) process.exit(err.exitCode);
+	if (hasExitCode(err)) {
+		if (err.message) console.error(err.message);
+		process.exit(err.exitCode);
+	}
 	if (err instanceof Error) {
 		if (err instanceof PipelineConfigError) console.error(formatConfigError(err));
 		else console.error(err.message);
@@ -388,6 +407,9 @@ if (isCliEntrypoint(process.argv)) runCli(process.argv).catch((err) => {
 	console.error(String(err));
 	process.exit(1);
 });
+function hasExitCode(err) {
+	return err instanceof Error && "exitCode" in err && typeof err.exitCode === "number";
+}
 function formatWorkflowPlan(config, worktreePath, workflowId) {
 	const plan = compileWorkflowPlan(config, workflowId);
 	const workflow = config.workflows[plan.workflowId];

package/dist/install-commands.js

@@ -1,4 +1,6 @@
+import { resolveFileReference } from "./path-refs.js";
 import { loadPipelineConfig } from "./config.js";
+import { codexNativeMcpConfig } from "./mcp/native-config.js";
 import { compileWorkflowPlan } from "./workflow-planner.js";
 import { existsSync, readFileSync } from "node:fs";
 import { dirname, join, relative } from "node:path";
@@ -402,7 +404,7 @@ function codexDefinitions(config, cwd) {
 				name: id,
 				sandbox_mode: profile.filesystem?.mode === "workspace-write" ? "workspace-write" : "read-only",
 				...codexAgentSkillConfig(config, profile, cwd),
-				...codexAgentMcpConfig(config, profile)
+				...codexNativeMcpConfig(config, profile)
 			}).trimEnd()}\n`,
 			host: "codex",
 			invocation: invocationForHost("codex"),
@@ -413,33 +415,14 @@ function codexDefinitions(config, cwd) {
 function codexAgentSkillConfig(config, profile, cwd) {
 	const skillConfig = (profile.skills ?? []).flatMap((id) => {
 		const skillPath = config.skills[id]?.path;
-		const absoluteSkillPath = skillPath ? join(cwd, skillPath) : void 0;
-		return absoluteSkillPath && existsSync(absoluteSkillPath) ? [{
+		const resolvedSkillPath = skillPath ? resolveFileReference(cwd, skillPath) : void 0;
+		return skillPath && resolvedSkillPath && existsSync(resolvedSkillPath) ? [{
 			enabled: true,
 			path: skillPath.replaceAll("\\", "/")
 		}] : [];
 	});
 	return skillConfig.length > 0 ? { skills: { config: skillConfig } } : {};
 }
-function codexAgentMcpConfig(config, profile) {
-	const mcpServers = Object.fromEntries((profile.mcp_servers ?? []).flatMap((id) => {
-		const server = config.mcp_servers[id];
-		return server ? [[id, codexAgentMcpServerConfig(server)]] : [];
-	}));
-	return Object.keys(mcpServers).length > 0 ? { mcp_servers: mcpServers } : {};
-}
-function codexAgentMcpServerConfig(server) {
-	if (typeof server.url === "string") return {
-		...server.bearer_token_env_var ? { bearer_token_env_var: server.bearer_token_env_var } : {},
-		...server.headers ? { http_headers: server.headers } : {},
-		url: server.url
-	};
-	return {
-		...server.args ? { args: server.args } : {},
-		command: server.command,
-		...server.env ? { env: server.env } : {}
-	};
-}
 function kimiDefinitions(config) {
 	return [
 		...entrypointCommandDefinitions("kimi", config, (id, entrypoint) => ({

package/dist/kubernetes-runner.js

@@ -0,0 +1,134 @@
+import { PipelineConfigError } from "./config.js";
+import { runPipelineFromConfig } from "./pipeline-runtime.js";
+import { RUNNER_PAYLOAD_ENV, parseRunnerJobPayload, resolveRunnerEventSinkAuthToken } from "./runner-job-contract.js";
+import { createRunnerEventSink } from "./runner-event-sink.js";
+//#region src/kubernetes-runner.ts
+const EXIT_PASS = 0;
+const EXIT_FAIL = 1;
+const EXIT_CANCELLED = 130;
+const EXIT_VALIDATION = 64;
+const EXIT_STARTUP = 70;
+async function runKubernetesRunnerJob(options = {}) {
+	const prepared = prepareRunnerJob(options);
+	if (prepared.exitCode !== void 0) return prepared.exitCode;
+	const { authToken, env, payload, stderr } = prepared.job;
+	const controller = new AbortController();
+	const signalEmitter = options.signalEmitter ?? process;
+	const forceExit = options.onForceExit ?? ((exitCode) => process.exit(exitCode));
+	let signalExitCode;
+	let signalCount = 0;
+	let signalFinalResultRecorded = false;
+	const sink = createRunnerEventSink({
+		authHeader: payload.eventSink.authHeader,
+		authToken,
+		fetch: options.fetch,
+		runId: payload.run.runId,
+		url: payload.eventSink.url
+	});
+	const handleSignal = (exitCode) => {
+		signalCount += 1;
+		if (signalCount === 1) {
+			signalExitCode = exitCode;
+			sink.recordCancellation(payload.selector.workflowId);
+			signalFinalResultRecorded = true;
+			controller.abort();
+			return;
+		}
+		forceExit(signalExitCode ?? exitCode);
+	};
+	const handleSigterm = () => handleSignal(EXIT_CANCELLED);
+	const handleSigint = () => handleSignal(EXIT_CANCELLED);
+	signalEmitter.on("SIGTERM", handleSigterm);
+	signalEmitter.on("SIGINT", handleSigint);
+	const runner = options.pipelineRunner ?? runPipelineFromConfig;
+	let sawWorkflowFinish = false;
+	try {
+		const result = await runner({
+			reporter: (event) => {
+				if (event.type === "workflow.finish") sawWorkflowFinish = true;
+				sink.recordRuntimeEvent(event);
+			},
+			runId: payload.run.runId,
+			signal: controller.signal,
+			task: payload.task.prompt,
+			workflowId: payload.selector.workflowId,
+			worktreePath: env.PIPELINE_TARGET_PATH ?? options.cwd ?? process.cwd()
+		});
+		if (!(sawWorkflowFinish || signalFinalResultRecorded)) sink.recordFinalResult(result.outcome, result.plan.workflowId);
+		if (await flushAndReport(sink.flush, stderr) && !signalExitCode) return EXIT_STARTUP;
+		return signalExitCode ?? exitCodeForRuntimeResult(result);
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		stderr.write(`${message}\n`);
+		await flushAndReport(sink.flush, stderr);
+		if (err instanceof PipelineConfigError) return signalExitCode ?? EXIT_VALIDATION;
+		return signalExitCode ?? EXIT_STARTUP;
+	} finally {
+		removeSignalListener(signalEmitter, "SIGTERM", handleSigterm);
+		removeSignalListener(signalEmitter, "SIGINT", handleSigint);
+	}
+}
+function prepareRunnerJob(options) {
+	const env = options.env ?? process.env;
+	const stderr = options.stderr ?? process.stderr;
+	const payloadRaw = env[RUNNER_PAYLOAD_ENV];
+	if (!payloadRaw) {
+		stderr.write(`${RUNNER_PAYLOAD_ENV} is required\n`);
+		return { exitCode: EXIT_VALIDATION };
+	}
+	const payload = parsePayload(payloadRaw, stderr);
+	if (!payload) return { exitCode: EXIT_VALIDATION };
+	const authToken = resolveAuthToken(env, stderr);
+	if (!authToken) return { exitCode: EXIT_VALIDATION };
+	return { job: {
+		authToken,
+		env,
+		payload,
+		stderr
+	} };
+}
+function parsePayload(payloadRaw, stderr) {
+	try {
+		return parseRunnerJobPayload(payloadRaw);
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		stderr.write(`${message}\n`);
+		return null;
+	}
+}
+function resolveAuthToken(env, stderr) {
+	try {
+		return resolveRunnerEventSinkAuthToken({ env });
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		stderr.write(`${message}\n`);
+		return null;
+	}
+}
+function exitCodeForRuntimeResult(result) {
+	switch (result.outcome) {
+		case "PASS": return EXIT_PASS;
+		case "FAIL": return EXIT_FAIL;
+		case "CANCELLED": return EXIT_CANCELLED;
+		default: return EXIT_STARTUP;
+	}
+}
+async function flushAndReport(flush, stderr) {
+	try {
+		await flush();
+		return false;
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		stderr.write(`Event sink flush failed: ${message}\n`);
+		return true;
+	}
+}
+function removeSignalListener(emitter, event, listener) {
+	if (emitter.off) {
+		emitter.off(event, listener);
+		return;
+	}
+	emitter.removeListener?.(event, listener);
+}
+//#endregion
+export { runKubernetesRunnerJob };

package/dist/mcp/bootstrap.js

@@ -0,0 +1,237 @@
+import { readFileSync } from "node:fs";
+import { z } from "zod";
+import { execa } from "execa";
+//#region src/mcp/bootstrap.ts
+var PipelineMcpInstallError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "PipelineMcpInstallError";
+	}
+};
+var PipelineMcpMissingCredentialError = class extends PipelineMcpInstallError {
+	headerName;
+	missingEnv;
+	serverName;
+	constructor(serverName, headerName, missingEnv) {
+		super([`MCP server ${serverName} requires ${headerName} credentials before it can be registered.`, `Set ${missingEnv.join(" or ")} and re-run pipeline init.`].join("\n"));
+		this.name = "PipelineMcpMissingCredentialError";
+		this.serverName = serverName;
+		this.headerName = headerName;
+		this.missingEnv = missingEnv;
+	}
+};
+var PipelineDefaultManifestError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "PipelineDefaultManifestError";
+	}
+};
+const DEFAULT_MCPM_ARGS = [
+	"--python",
+	"3.12",
+	"mcpm"
+];
+const DEFAULT_INSTALL_MANIFEST_URL = new URL("../../defaults/install-manifest.json", import.meta.url);
+const pipelineMcpHeaderSourceSchema = z.object({
+	env: z.string().min(1),
+	prefix: z.string().optional(),
+	suffix: z.string().optional()
+}).strict();
+const pipelineMcpHeaderValueSchema = z.union([z.string(), z.object({ sources: z.array(pipelineMcpHeaderSourceSchema).min(1) }).strict()]);
+const pipelineMcpInstallSpecSchema = z.object({
+	args: z.array(z.string()).optional(),
+	catalog: z.string().min(1).optional(),
+	command: z.string().min(1).optional(),
+	env: z.record(z.string(), z.string()).optional(),
+	headers: z.record(z.string(), pipelineMcpHeaderValueSchema).optional(),
+	name: z.string().min(1),
+	optionalRegistration: z.boolean().optional(),
+	transport: z.enum(["remote", "stdio"]),
+	url: z.string().url().optional()
+}).strict().superRefine((spec, ctx) => {
+	if (spec.catalog) return;
+	if (spec.transport === "remote") {
+		if (!spec.url) ctx.addIssue({
+			code: "custom",
+			message: "remote MCP install spec must declare url or catalog",
+			path: ["url"]
+		});
+		if (spec.command) ctx.addIssue({
+			code: "custom",
+			message: "remote MCP install spec cannot declare command",
+			path: ["command"]
+		});
+		if (spec.args) ctx.addIssue({
+			code: "custom",
+			message: "remote MCP install spec cannot declare args",
+			path: ["args"]
+		});
+		if (spec.env) ctx.addIssue({
+			code: "custom",
+			message: "remote MCP install spec cannot declare env",
+			path: ["env"]
+		});
+		return;
+	}
+	if (!spec.command) ctx.addIssue({
+		code: "custom",
+		message: "stdio MCP install spec must declare command or catalog",
+		path: ["command"]
+	});
+	if (spec.headers) ctx.addIssue({
+		code: "custom",
+		message: "stdio MCP install spec cannot declare headers",
+		path: ["headers"]
+	});
+	if (spec.url) ctx.addIssue({
+		code: "custom",
+		message: "stdio MCP install spec cannot declare url",
+		path: ["url"]
+	});
+});
+const defaultInstallManifestSchema = z.object({
+	mcps: z.array(pipelineMcpInstallSpecSchema),
+	skills: z.array(z.object({
+		args: z.array(z.string()).optional(),
+		source: z.string().min(1)
+	}).strict()).default([]),
+	version: z.literal(1)
+}).strict();
+function loadDefaultInstallManifest() {
+	const raw = JSON.parse(readFileSync(DEFAULT_INSTALL_MANIFEST_URL, "utf8"));
+	const parsed = defaultInstallManifestSchema.safeParse(raw);
+	if (!parsed.success) throw new PipelineDefaultManifestError(["Invalid defaults/install-manifest.json.", ...parsed.error.issues.map((issue) => [issue.path.join("."), issue.message].filter(Boolean).join(": "))].join("\n"));
+	return parsed.data;
+}
+const DEFAULT_INSTALL_MANIFEST = loadDefaultInstallManifest();
+const DEFAULT_MCP_INSTALLS = DEFAULT_INSTALL_MANIFEST.mcps;
+const DEFAULT_SKILL_INSTALLS = DEFAULT_INSTALL_MANIFEST.skills;
+function defaultMcpJson() {
+	return `${JSON.stringify({ mcpServers: Object.fromEntries([
+		["backlog", "oisin-pipeline-backlog"],
+		["context7", "oisin-pipeline-context7"],
+		["github-readonly", "oisin-pipeline-github-readonly"],
+		["playwright", "oisin-pipeline-playwright"],
+		["qdrant", "oisin-pipeline-qdrant"],
+		["semgrep", "oisin-pipeline-semgrep"],
+		["serena", "oisin-pipeline-serena"]
+	].map(([server, installName]) => [server, {
+		args: [
+			...DEFAULT_MCPM_ARGS,
+			"run",
+			installName
+		],
+		command: "uvx"
+	}])) }, null, 2)}\n`;
+}
+async function installDefaultMcpsWithCli(specs, cwd) {
+	const skipped = [];
+	for (const spec of specs) {
+		const install = mcpInstallArgs(spec);
+		if ("skipped" in install) {
+			skipped.push(install.skipped);
+			continue;
+		}
+		try {
+			await execa("uvx", [...DEFAULT_MCPM_ARGS, ...install.args], {
+				cwd,
+				env: {
+					MCPM_FORCE: "true",
+					MCPM_JSON_OUTPUT: "true",
+					MCPM_NON_INTERACTIVE: "true"
+				},
+				stdin: "ignore"
+			});
+		} catch (err) {
+			const error = err;
+			throw new PipelineMcpInstallError([
+				`Failed to register MCP server ${spec.name} with MCPM.`,
+				"Pipeline init runs MCPM through `uvx --python 3.12 mcpm`.",
+				"Install uv/uvx from https://docs.astral.sh/uv/ and re-run pipeline init.",
+				redactMcpInstallOutput(error.shortMessage, install.redactions),
+				redactMcpInstallOutput(error.stderr, install.redactions),
+				redactMcpInstallOutput(error.stdout, install.redactions)
+			].filter(Boolean).join("\n"));
+		}
+	}
+	return { skipped };
+}
+function mcpInstallArgs(spec) {
+	if (spec.catalog) return {
+		args: [
+			"install",
+			spec.catalog,
+			"--force",
+			"--alias",
+			spec.name
+		],
+		redactions: []
+	};
+	const args = [
+		"new",
+		spec.name,
+		"--type",
+		spec.transport,
+		"--force"
+	];
+	if (spec.transport === "remote") {
+		if (!spec.url) throw new PipelineMcpInstallError(`MCP server ${spec.name} is remote but has no url.`);
+		const redactions = [];
+		try {
+			const headers = Object.entries(spec.headers ?? {}).flatMap(([key, value]) => {
+				const headerValue = resolveMcpHeaderValue(spec.name, key, value);
+				redactions.push(headerValue);
+				return ["--headers", `${key}=${headerValue}`];
+			});
+			return {
+				args: [
+					...args,
+					"--url",
+					spec.url,
+					...headers
+				],
+				redactions
+			};
+		} catch (err) {
+			if (spec.optionalRegistration && err instanceof PipelineMcpMissingCredentialError) return { skipped: {
+				missingEnv: err.missingEnv,
+				name: spec.name,
+				reason: `missing ${err.headerName} credentials`
+			} };
+			throw err;
+		}
+	}
+	if (!spec.command) throw new PipelineMcpInstallError(`MCP server ${spec.name} is stdio but has no command.`);
+	return {
+		args: [
+			...args,
+			"--command",
+			spec.command,
+			...spec.args?.length ? ["--args", spec.args.join(" ")] : [],
+			...Object.entries(spec.env ?? {}).flatMap(([key, value]) => ["--env", `${key}=${value}`])
+		],
+		redactions: []
+	};
+}
+const MCP_CREDENTIAL_PATTERN = /^\S+\s+(.+)$/;
+function redactMcpInstallOutput(value, redactions) {
+	if (!value) return value;
+	const sensitiveValues = redactions.flatMap((item) => {
+		const trimmed = item.trim();
+		const credential = trimmed.match(MCP_CREDENTIAL_PATTERN)?.[1]?.trim();
+		return credential ? [trimmed, credential] : [trimmed];
+	}).filter((item) => item.length > 0);
+	const escaped = [...new Set(sensitiveValues)].sort((a, b) => b.length - a.length).map((item) => item.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
+	const sensitivePattern = escaped.length > 0 ? new RegExp(escaped.join("|"), "g") : null;
+	return (sensitivePattern ? value.replace(sensitivePattern, "[REDACTED]") : value).replace(/Authorization=[^\r\n'"]+/gi, "Authorization=[REDACTED]");
+}
+function resolveMcpHeaderValue(serverName, headerName, header) {
+	if (typeof header === "string") return header;
+	for (const source of header.sources ?? []) {
+		const rawValue = process.env[source.env];
+		if (rawValue && rawValue.trim().length > 0) return `${source.prefix ?? ""}${rawValue}${source.suffix ?? ""}`;
+	}
+	throw new PipelineMcpMissingCredentialError(serverName, headerName, header.sources.map((source) => source.env));
+}
+//#endregion
+export { DEFAULT_MCPM_ARGS, DEFAULT_MCP_INSTALLS, DEFAULT_SKILL_INSTALLS, defaultMcpJson, installDefaultMcpsWithCli };