@poncho-ai/harness 0.6.0 → 0.7.0

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @poncho-ai/harness@0.6.0 build /Users/cesar/Dev/latitude/poncho-ai/packages/harness
+> @poncho-ai/harness@0.7.0 build /Users/cesar/Dev/latitude/poncho-ai/packages/harness
 > tsup src/index.ts --format esm --dts
 
 CLI Building entry: src/index.ts
@@ -7,8 +7,8 @@ CLI Using tsconfig: tsconfig.json
 CLI tsup v8.5.1
 CLI Target: es2022
 ESM Build start
-ESM dist/index.js 114.60 KB
-ESM ⚡️ Build success in 69ms
+ESM dist/index.js 115.52 KB
+ESM ⚡️ Build success in 56ms
 DTS Build start
-DTS ⚡️ Build success in 2819ms
+DTS ⚡️ Build success in 2668ms
 DTS dist/index.d.ts 16.10 KB

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @poncho-ai/harness
 
+## 0.7.0
+
+### Minor Changes
+
+- Simplify MCP tool patterns and improve auth UI
+  - Allow tool patterns without server prefix in poncho.config.js (e.g., `include: ['*']` instead of `include: ['linear/*']`)
+  - Fix auth screen button styling to be fully rounded with centered arrow
+  - Add self-extension capabilities section to development mode instructions
+  - Update documentation to clarify MCP pattern formats
+
 ## 0.6.0
 
 ### Minor Changes

package/dist/index.js

@@ -7,6 +7,7 @@ import YAML from "yaml";
 
 // src/tool-policy.ts
 var MCP_PATTERN = /^[^/*\s]+\/(\*|[^/*\s]+)$/;
+var MCP_TOOL_PATTERN = /^(\*|[^/*\s]+)$/;
 var SCRIPT_PATTERN = /^[^/*\s]+\/(\*|[^*\s]+)$/;
 var validateMcpPattern = (pattern, path) => {
   if (!MCP_PATTERN.test(pattern)) {
@@ -15,6 +16,13 @@ var validateMcpPattern = (pattern, path) => {
     );
   }
 };
+var validateMcpToolPattern = (pattern, path) => {
+  if (!MCP_TOOL_PATTERN.test(pattern)) {
+    throw new Error(
+      `Invalid MCP tool pattern at ${path}: "${pattern}". Expected "tool" or "*".`
+    );
+  }
+};
 var validateScriptPattern = (pattern, path) => {
   if (!SCRIPT_PATTERN.test(pattern)) {
     throw new Error(
@@ -1057,7 +1065,7 @@ var LocalMcpBridge = class {
     const policy = server.tools;
     const validateList = (values, path) => {
       for (const [index, value] of (values ?? []).entries()) {
-        validateMcpPattern(value, `${path}[${index}]`);
+        validateMcpToolPattern(value, `${path}[${index}]`);
       }
     };
     validateList(policy?.include, `mcp.${serverName}.tools.include`);
@@ -1230,7 +1238,12 @@ var LocalMcpBridge = class {
       const discovered = this.toolCatalog.get(serverName) ?? [];
       const fullNames = discovered.map((tool) => `${serverName}/${tool.name}`);
       const effectivePolicy = mergePolicyForEnvironment(server.tools, environment);
-      const policyDecision = applyToolPolicy(fullNames, effectivePolicy);
+      const fullPatternPolicy = effectivePolicy ? {
+        ...effectivePolicy,
+        include: effectivePolicy.include?.map((p) => `${serverName}/${p}`),
+        exclude: effectivePolicy.exclude?.map((p) => `${serverName}/${p}`)
+      } : effectivePolicy;
+      const policyDecision = applyToolPolicy(fullNames, fullPatternPolicy);
       filteredByPolicy.push(...policyDecision.filteredOut);
       const selectedFullNames = policyDecision.allowed.filter(
         (toolName) => requestedPatterns.some((pattern) => matchesSlashPattern(toolName, pattern))
@@ -1962,6 +1975,15 @@ You are running locally in development mode. Treat this as an editable agent wor
 - For setup/configuration/skills/MCP questions, proactively read \`README.md\` with \`read_file\` before answering
 - Prefer concrete commands and examples from \`README.md\` over assumptions
 
+## Self-Extension Capabilities
+
+You can extend your own capabilities by creating custom JavaScript/TypeScript scripts:
+
+- Create scripts under \`skills/<skill-name>/scripts/\` to add new functionality
+- Scripts can perform any Node.js operations: API calls, file processing, data transformations, web scraping, etc.
+- Use the \`run_skill_script\` tool to execute these scripts and integrate results into your workflow
+- This allows you to dynamically add custom tools and capabilities as users need them, without requiring external dependencies or MCP servers
+
 ## When users ask about customization:
 
 - Explain and edit \`poncho.config.js\` for model/provider, storage+memory, auth, telemetry, and MCP settings.
@@ -1969,17 +1991,16 @@ You are running locally in development mode. Treat this as an editable agent wor
 - For executable skills, add JavaScript/TypeScript scripts under \`skills/<skill-name>/scripts/\` and run them via \`run_skill_script\`.
 - For MCP setup, default to direct \`poncho.config.js\` edits (\`mcp\` entries with URL, bearer token env, and tool policy).
 - Keep MCP server connection details in \`poncho.config.js\` only (name/url/auth/tools policy). Do not move server definitions into \`SKILL.md\`.
-- In \`AGENT.md\`/\`SKILL.md\`, declare MCP intent only as \`tools.mcp\` string patterns (for example \`linear/*\` or \`linear/list_issues\`).
-- Never use nested MCP objects in skill frontmatter (for example \`mcp: [{ name, url, auth }]\`) and never use underscore/colon tool patterns.
-- To scope tools to a skill: keep server config in \`poncho.config.js\`, add desired \`tools.mcp\` patterns in that skill's \`SKILL.md\`, and remove global \`AGENT.md tools.mcp\` fallback if you do not want global availability.
+- In \`AGENT.md\`/\`SKILL.md\` frontmatter, declare MCP tools in \`allowed-tools\` array as \`mcp:server/pattern\` (for example \`mcp:linear/*\` or \`mcp:linear/list_issues\`).
+- Never use nested MCP objects in skill frontmatter (for example \`mcp: [{ name, url, auth }]\`).
+- To scope tools to a skill: keep server config in \`poncho.config.js\`, add desired \`allowed-tools\` patterns in that skill's \`SKILL.md\`, and remove global \`AGENT.md\` patterns if you do not want global availability.
 - Do not invent unsupported top-level config keys (for example \`model\` in \`poncho.config.js\`). Keep existing config structure unless README/spec explicitly says otherwise.
-- In \`poncho.config.js\`, MCP tool allowlist patterns must be slash-based (for example \`linear/list_initiatives\` or \`linear/*\`), not underscored names like \`linear_list_initiatives\`.
+- In \`poncho.config.js\`, MCP tool patterns are scoped within each server object, so use just the tool name (for example \`include: ["*"]\` or \`include: ["list_issues"]\`), not the full \`server/tool\` format.
 - Keep \`poncho.config.js\` valid JavaScript and preserve existing imports/types/comments. If there is a JSDoc type import, do not rewrite it to a different package name.
 - Preferred MCP config shape in \`poncho.config.js\`:
-  \`mcp: [{ name: "linear", url: "https://mcp.linear.app/mcp", auth: { type: "bearer", tokenEnv: "LINEAR_TOKEN" }, tools: { mode: "allowlist", include: ["linear/*"] } }]\`
+  \`mcp: [{ name: "linear", url: "https://mcp.linear.app/mcp", auth: { type: "bearer", tokenEnv: "LINEAR_TOKEN" }, tools: { mode: "allowlist", include: ["*"] } }]\`
 - If shell/CLI access exists, you can use \`poncho mcp add --url ... --name ... --auth-bearer-env ...\`, then \`poncho mcp tools list <server>\` and \`poncho mcp tools select <server>\`.
 - If shell/CLI access is unavailable, ask the user to run needed commands and provide exact copy-paste commands.
-- Use strict slash patterns for MCP tool selections (\`server/tool\`, \`server/*\`) and verify by inspecting config/tool state.
 - For setup, skills, MCP, auth, storage, telemetry, or "how do I..." questions, proactively read \`README.md\` with \`read_file\` before answering.
 - Prefer quoting concrete commands and examples from \`README.md\` over guessing.
 - Keep edits minimal, preserve unrelated settings/code, and summarize what changed.`;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@poncho-ai/harness",
-  "version": "0.6.0",
+  "version": "0.7.0",
   "description": "Agent execution runtime - conversation loop, tool dispatch, streaming",
   "repository": {
     "type": "git",

package/src/harness.ts

@@ -108,6 +108,15 @@ You are running locally in development mode. Treat this as an editable agent wor
 - For setup/configuration/skills/MCP questions, proactively read \`README.md\` with \`read_file\` before answering
 - Prefer concrete commands and examples from \`README.md\` over assumptions
 
+## Self-Extension Capabilities
+
+You can extend your own capabilities by creating custom JavaScript/TypeScript scripts:
+
+- Create scripts under \`skills/<skill-name>/scripts/\` to add new functionality
+- Scripts can perform any Node.js operations: API calls, file processing, data transformations, web scraping, etc.
+- Use the \`run_skill_script\` tool to execute these scripts and integrate results into your workflow
+- This allows you to dynamically add custom tools and capabilities as users need them, without requiring external dependencies or MCP servers
+
 ## When users ask about customization:
 
 - Explain and edit \`poncho.config.js\` for model/provider, storage+memory, auth, telemetry, and MCP settings.
@@ -115,17 +124,16 @@ You are running locally in development mode. Treat this as an editable agent wor
 - For executable skills, add JavaScript/TypeScript scripts under \`skills/<skill-name>/scripts/\` and run them via \`run_skill_script\`.
 - For MCP setup, default to direct \`poncho.config.js\` edits (\`mcp\` entries with URL, bearer token env, and tool policy).
 - Keep MCP server connection details in \`poncho.config.js\` only (name/url/auth/tools policy). Do not move server definitions into \`SKILL.md\`.
-- In \`AGENT.md\`/\`SKILL.md\`, declare MCP intent only as \`tools.mcp\` string patterns (for example \`linear/*\` or \`linear/list_issues\`).
-- Never use nested MCP objects in skill frontmatter (for example \`mcp: [{ name, url, auth }]\`) and never use underscore/colon tool patterns.
-- To scope tools to a skill: keep server config in \`poncho.config.js\`, add desired \`tools.mcp\` patterns in that skill's \`SKILL.md\`, and remove global \`AGENT.md tools.mcp\` fallback if you do not want global availability.
+- In \`AGENT.md\`/\`SKILL.md\` frontmatter, declare MCP tools in \`allowed-tools\` array as \`mcp:server/pattern\` (for example \`mcp:linear/*\` or \`mcp:linear/list_issues\`).
+- Never use nested MCP objects in skill frontmatter (for example \`mcp: [{ name, url, auth }]\`).
+- To scope tools to a skill: keep server config in \`poncho.config.js\`, add desired \`allowed-tools\` patterns in that skill's \`SKILL.md\`, and remove global \`AGENT.md\` patterns if you do not want global availability.
 - Do not invent unsupported top-level config keys (for example \`model\` in \`poncho.config.js\`). Keep existing config structure unless README/spec explicitly says otherwise.
-- In \`poncho.config.js\`, MCP tool allowlist patterns must be slash-based (for example \`linear/list_initiatives\` or \`linear/*\`), not underscored names like \`linear_list_initiatives\`.
+- In \`poncho.config.js\`, MCP tool patterns are scoped within each server object, so use just the tool name (for example \`include: ["*"]\` or \`include: ["list_issues"]\`), not the full \`server/tool\` format.
 - Keep \`poncho.config.js\` valid JavaScript and preserve existing imports/types/comments. If there is a JSDoc type import, do not rewrite it to a different package name.
 - Preferred MCP config shape in \`poncho.config.js\`:
-  \`mcp: [{ name: "linear", url: "https://mcp.linear.app/mcp", auth: { type: "bearer", tokenEnv: "LINEAR_TOKEN" }, tools: { mode: "allowlist", include: ["linear/*"] } }]\`
+  \`mcp: [{ name: "linear", url: "https://mcp.linear.app/mcp", auth: { type: "bearer", tokenEnv: "LINEAR_TOKEN" }, tools: { mode: "allowlist", include: ["*"] } }]\`
 - If shell/CLI access exists, you can use \`poncho mcp add --url ... --name ... --auth-bearer-env ...\`, then \`poncho mcp tools list <server>\` and \`poncho mcp tools select <server>\`.
 - If shell/CLI access is unavailable, ask the user to run needed commands and provide exact copy-paste commands.
-- Use strict slash patterns for MCP tool selections (\`server/tool\`, \`server/*\`) and verify by inspecting config/tool state.
 - For setup, skills, MCP, auth, storage, telemetry, or "how do I..." questions, proactively read \`README.md\` with \`read_file\` before answering.
 - Prefer quoting concrete commands and examples from \`README.md\` over guessing.
 - Keep edits minimal, preserve unrelated settings/code, and summarize what changed.`;

package/src/mcp.ts

@@ -6,6 +6,7 @@ import {
   type RuntimeEnvironment,
   type ToolPatternPolicy,
   validateMcpPattern,
+  validateMcpToolPattern,
 } from "./tool-policy.js";
 
 export interface RemoteMcpServerConfig {
@@ -304,7 +305,7 @@ export class LocalMcpBridge {
     const policy = server.tools;
     const validateList = (values: string[] | undefined, path: string): void => {
       for (const [index, value] of (values ?? []).entries()) {
-        validateMcpPattern(value, `${path}[${index}]`);
+        validateMcpToolPattern(value, `${path}[${index}]`);
       }
     };
     validateList(policy?.include, `mcp.${serverName}.tools.include`);
@@ -494,7 +495,13 @@ export class LocalMcpBridge {
       const discovered = this.toolCatalog.get(serverName) ?? [];
       const fullNames = discovered.map((tool) => `${serverName}/${tool.name}`);
       const effectivePolicy = mergePolicyForEnvironment(server.tools, environment);
-      const policyDecision = applyToolPolicy(fullNames, effectivePolicy);
+      // Prepend server name to patterns for matching
+      const fullPatternPolicy = effectivePolicy ? {
+        ...effectivePolicy,
+        include: effectivePolicy.include?.map((p) => `${serverName}/${p}`),
+        exclude: effectivePolicy.exclude?.map((p) => `${serverName}/${p}`),
+      } : effectivePolicy;
+      const policyDecision = applyToolPolicy(fullNames, fullPatternPolicy);
       filteredByPolicy.push(...policyDecision.filteredOut);
       const selectedFullNames = policyDecision.allowed.filter((toolName) =>
         requestedPatterns.some((pattern) => matchesSlashPattern(toolName, pattern)),

package/src/tool-policy.ts

@@ -14,6 +14,7 @@ export interface ToolPatternPolicy {
 }
 
 const MCP_PATTERN = /^[^/*\s]+\/(\*|[^/*\s]+)$/;
+const MCP_TOOL_PATTERN = /^(\*|[^/*\s]+)$/;
 const SCRIPT_PATTERN = /^[^/*\s]+\/(\*|[^*\s]+)$/;
 
 export const validateMcpPattern = (pattern: string, path: string): void => {
@@ -24,6 +25,14 @@ export const validateMcpPattern = (pattern: string, path: string): void => {
   }
 };
 
+export const validateMcpToolPattern = (pattern: string, path: string): void => {
+  if (!MCP_TOOL_PATTERN.test(pattern)) {
+    throw new Error(
+      `Invalid MCP tool pattern at ${path}: "${pattern}". Expected "tool" or "*".`,
+    );
+  }
+};
+
 export const validateScriptPattern = (pattern: string, path: string): void => {
   if (!SCRIPT_PATTERN.test(pattern)) {
     throw new Error(