@posthog/agent 2.3.643 → 2.3.655

package/src/adapters/codex/local-tools-mcp-server.ts

@@ -0,0 +1,71 @@
+/**
+ * Standalone stdio MCP server exposing the general local tools to the Codex
+ * adapter. Spawned by codex-acp as an MCP server process. Reads its context
+ * (cwd, taskId, token) from POSTHOG_LOCAL_TOOLS_CTX and the set of tools to
+ * register from POSTHOG_LOCAL_TOOLS_ENABLED (both set by the parent, which has
+ * already evaluated each tool's gate) — then registers those registry tools,
+ * the same ones the Claude adapter exposes in-process.
+ *
+ * Usage:
+ *   POSTHOG_LOCAL_TOOLS_CTX=<base64> \
+ *   POSTHOG_LOCAL_TOOLS_ENABLED=git_signed_commit \
+ *     node local-tools-mcp-server.js
+ */
+
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { readGithubTokenFromEnv } from "@posthog/git/signed-commit";
+import {
+  LOCAL_TOOLS,
+  LOCAL_TOOLS_MCP_NAME,
+  type LocalToolCtx,
+} from "../local-tools";
+
+function die(message: string): never {
+  process.stderr.write(`[local-tools-mcp-server] ${message}\n`);
+  process.exit(1);
+}
+
+const ctxEnv = process.env.POSTHOG_LOCAL_TOOLS_CTX;
+if (!ctxEnv) {
+  die("POSTHOG_LOCAL_TOOLS_CTX env var is required");
+}
+
+let parsed: { cwd: string; taskId?: string; token?: string };
+try {
+  parsed = JSON.parse(Buffer.from(ctxEnv, "base64").toString("utf-8"));
+} catch (err) {
+  die(`Failed to parse POSTHOG_LOCAL_TOOLS_CTX as base64-encoded JSON: ${err}`);
+}
+
+if (!parsed.cwd) {
+  die("POSTHOG_LOCAL_TOOLS_CTX must include cwd");
+}
+
+const ctx: LocalToolCtx = {
+  cwd: parsed.cwd,
+  token: parsed.token ?? readGithubTokenFromEnv(),
+  taskId: parsed.taskId,
+};
+
+const enabledNames = (process.env.POSTHOG_LOCAL_TOOLS_ENABLED ?? "")
+  .split(",")
+  .filter(Boolean);
+const tools = LOCAL_TOOLS.filter((t) => enabledNames.includes(t.name));
+if (tools.length === 0) {
+  die("POSTHOG_LOCAL_TOOLS_ENABLED listed no known tools");
+}
+
+const server = new McpServer({
+  name: LOCAL_TOOLS_MCP_NAME,
+  version: "1.0.0",
+});
+
+for (const t of tools) {
+  server.tool(t.name, t.description, t.schema, async (args) =>
+    t.handler(ctx, args),
+  );
+}
+
+const transport = new StdioServerTransport();
+await server.connect(transport);

package/src/adapters/local-tools/index.ts

@@ -0,0 +1,22 @@
+import type { LocalTool, LocalToolCtx, LocalToolGateMeta } from "./registry";
+import { signedCommitTool } from "./tools/signed-commit";
+
+export {
+  LOCAL_TOOLS_MCP_NAME,
+  type LocalTool,
+  type LocalToolCtx,
+  type LocalToolGateMeta,
+  type LocalToolResult,
+  qualifiedLocalToolName,
+} from "./registry";
+
+/** Every tool the general local MCP server can expose. Add new tools here. */
+export const LOCAL_TOOLS: LocalTool[] = [signedCommitTool];
+
+/** Tools whose gate passes for the given context — the set to actually expose. */
+export function enabledLocalTools(
+  ctx: LocalToolCtx,
+  meta: LocalToolGateMeta | undefined,
+): LocalTool[] {
+  return LOCAL_TOOLS.filter((t) => t.isEnabled(ctx, meta));
+}

package/src/adapters/local-tools/registry.test.ts

@@ -0,0 +1,57 @@
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import {
+  enabledLocalTools,
+  LOCAL_TOOLS,
+  LOCAL_TOOLS_MCP_NAME,
+  qualifiedLocalToolName,
+} from "./index";
+
+describe("local-tools registry", () => {
+  const savedSandbox = process.env.IS_SANDBOX;
+
+  beforeEach(() => {
+    // isCloudRun also keys off IS_SANDBOX; clear it so meta.taskRunId is the
+    // only cloud signal under test.
+    delete process.env.IS_SANDBOX;
+  });
+
+  afterEach(() => {
+    if (savedSandbox === undefined) {
+      delete process.env.IS_SANDBOX;
+    } else {
+      process.env.IS_SANDBOX = savedSandbox;
+    }
+  });
+
+  it("registers tools with unique names", () => {
+    const names = LOCAL_TOOLS.map((t) => t.name);
+    expect(new Set(names).size).toBe(names.length);
+  });
+
+  it("qualifies tool names under the general server", () => {
+    expect(qualifiedLocalToolName("git_signed_commit")).toBe(
+      `mcp__${LOCAL_TOOLS_MCP_NAME}__git_signed_commit`,
+    );
+  });
+
+  it.each([
+    { name: "cloud run with a token", taskRunId: "run-1", token: "ghs_x" },
+    { name: "cloud run without a token", taskRunId: "run-1", token: undefined },
+    { name: "desktop run with a token", taskRunId: undefined, token: "ghs_x" },
+    {
+      name: "desktop run without a token",
+      taskRunId: undefined,
+      token: undefined,
+    },
+  ])(
+    "exposes git_signed_commit only in $name when cloud+token",
+    ({ taskRunId, token }) => {
+      const tools = enabledLocalTools(
+        { cwd: "/repo", token },
+        taskRunId ? { taskRunId } : undefined,
+      );
+      const hasSignedCommit = tools.some((t) => t.name === "git_signed_commit");
+      expect(hasSignedCommit).toBe(Boolean(taskRunId) && Boolean(token));
+    },
+  );
+});

package/src/adapters/local-tools/registry.ts

@@ -0,0 +1,81 @@
+import type { z } from "zod";
+
+/**
+ * A single general-purpose local MCP server hosts every tool registered here,
+ * for both adapters: the Claude in-process SDK server and the Codex stdio
+ * server. Adding a tool means adding one entry to `LOCAL_TOOLS` (see
+ * `./index.ts`) — no per-tool server file or adapter wiring. The name appears
+ * in tool ids as `mcp__posthog-local__<tool>`.
+ */
+export const LOCAL_TOOLS_MCP_NAME = "posthog-local";
+
+/** Runtime context handed to every local tool's handler and gate. */
+export interface LocalToolCtx {
+  cwd: string;
+  /** GitHub token available to the sandbox, if any. */
+  token?: string;
+  taskId?: string;
+}
+
+/** Minimal session-meta shape needed to gate tools (e.g. cloud-only). */
+export interface LocalToolGateMeta {
+  taskRunId?: string;
+}
+
+/**
+ * MCP tool result shape. Carries an open index signature so the value is
+ * assignable to either SDK's `CallToolResult` (the Claude SDK and the MCP SDK
+ * both attach an open `_meta`).
+ */
+export interface LocalToolResult {
+  content: { type: "text"; text: string }[];
+  isError?: true;
+  [key: string]: unknown;
+}
+
+/** Tool definition with its input schema's type preserved for the handler. */
+export interface LocalToolDef<S extends z.ZodRawShape> {
+  name: string;
+  description: string;
+  schema: S;
+  /**
+   * Keep the tool visible even though MCP tools are offloaded behind ToolSearch
+   * by default in the Claude adapter (ENABLE_TOOL_SEARCH). Ignored by Codex.
+   */
+  alwaysLoad?: boolean;
+  isEnabled(ctx: LocalToolCtx, meta: LocalToolGateMeta | undefined): boolean;
+  handler(
+    ctx: LocalToolCtx,
+    args: z.infer<z.ZodObject<S>>,
+  ): Promise<LocalToolResult>;
+}
+
+/** Schema-erased tool, the shape stored in the registry array. */
+export interface LocalTool {
+  name: string;
+  description: string;
+  schema: z.ZodRawShape;
+  alwaysLoad?: boolean;
+  isEnabled(ctx: LocalToolCtx, meta: LocalToolGateMeta | undefined): boolean;
+  handler(
+    ctx: LocalToolCtx,
+    args: Record<string, unknown>,
+  ): Promise<LocalToolResult>;
+}
+
+/**
+ * Registers a tool, preserving its schema's inferred type at the definition
+ * site. The returned value erases the schema generic so tools of different
+ * shapes can live in one array; the cast is sound because both MCP SDKs
+ * validate `args` against `schema` before dispatching to the handler.
+ */
+export function defineLocalTool<S extends z.ZodRawShape>(
+  def: LocalToolDef<S>,
+): LocalTool {
+  return def as unknown as LocalTool;
+}
+
+/** The qualified tool id as the model and tool guards see it. */
+export function qualifiedLocalToolName(toolName: string): string {
+  return `mcp__${LOCAL_TOOLS_MCP_NAME}__${toolName}`;
+}

package/src/adapters/local-tools/tools/signed-commit.ts

@@ -0,0 +1,26 @@
+import { isCloudRun } from "../../../utils/common";
+import {
+  runSignedCommitTool,
+  SIGNED_COMMIT_TOOL_DESCRIPTION,
+  SIGNED_COMMIT_TOOL_NAME,
+  signedCommitToolSchema,
+} from "../../signed-commit-shared";
+import { defineLocalTool } from "../registry";
+
+/**
+ * `git_signed_commit` as a local tool. Cloud runs only, and only when a GitHub
+ * token is available (the commit is created via GitHub's API, which also signs
+ * it). Committing is core to cloud tasks, so keep it visible past ToolSearch.
+ */
+export const signedCommitTool = defineLocalTool({
+  name: SIGNED_COMMIT_TOOL_NAME,
+  description: SIGNED_COMMIT_TOOL_DESCRIPTION,
+  schema: signedCommitToolSchema,
+  alwaysLoad: true,
+  isEnabled: (ctx, meta) => isCloudRun(meta) && !!ctx.token,
+  handler: (ctx, args) =>
+    runSignedCommitTool(
+      { cwd: ctx.cwd, token: ctx.token ?? "", taskId: ctx.taskId },
+      args,
+    ),
+});

package/src/adapters/session-meta.ts

@@ -0,0 +1,16 @@
+/** Minimal shape needed to resolve the effective task id from session meta. */
+interface TaskIdSource {
+  taskId?: string;
+  persistence?: { taskId?: string };
+}
+
+/**
+ * The task id can arrive directly on the session meta or nested under
+ * `persistence`; prefer the top-level value. Shared by the Claude and Codex
+ * adapters so the fallback chain stays in sync.
+ */
+export function resolveTaskId(
+  meta: TaskIdSource | undefined,
+): string | undefined {
+  return meta?.taskId ?? meta?.persistence?.taskId;
+}

package/src/adapters/signed-commit-shared.ts

@@ -0,0 +1,82 @@
+import {
+  createSignedCommit,
+  type SignedCommitCtx,
+  type SignedCommitInput,
+  type SignedCommitResult,
+} from "@posthog/git/signed-commit";
+import { z } from "zod";
+import { qualifiedLocalToolName } from "./local-tools/registry";
+
+/**
+ * Shared definitions for the `git_signed_commit` tool, used by the local-tools
+ * registry entry (which both adapters expose) so the tool name, schema,
+ * description, and result formatting can't drift. The qualified name also
+ * appears in the cloud system prompt and the PreToolUse guard message.
+ */
+
+export const SIGNED_COMMIT_TOOL_NAME = "git_signed_commit";
+export const SIGNED_COMMIT_QUALIFIED_TOOL_NAME = qualifiedLocalToolName(
+  SIGNED_COMMIT_TOOL_NAME,
+);
+
+export const SIGNED_COMMIT_TOOL_DESCRIPTION =
+  "Create a GitHub-signed (Verified) commit on the branch. Stage files with `git add` " +
+  "first (or pass `paths`), then call this instead of `git commit`/`git push` — those are " +
+  "blocked because all commits must be signed. The commit is created via GitHub's API and " +
+  "your local checkout is kept in sync. For a new branch, pass `branch` (prefixed with " +
+  "`posthog-code/`) and the tool creates it on the remote.";
+
+export const signedCommitToolSchema = {
+  message: z.string().describe("Commit headline (first line)."),
+  body: z.string().optional().describe("Optional extended commit body."),
+  branch: z
+    .string()
+    .optional()
+    .describe(
+      "Target branch; defaults to the current branch. Use a posthog-code/ prefix for new branches.",
+    ),
+  paths: z
+    .array(z.string())
+    .optional()
+    .describe(
+      "Files to stage before committing; defaults to already-staged files.",
+    ),
+};
+
+export function formatSignedCommitResult(result: SignedCommitResult): string {
+  const list = result.commits.map((c) => `- ${c.sha} ${c.url}`).join("\n");
+  return `Created ${result.commits.length} signed commit(s) on ${result.branch}:\n${list}`;
+}
+
+export interface SignedCommitToolResult {
+  content: { type: "text"; text: string }[];
+  isError?: true;
+  // Both SDKs' CallToolResult carries an open `_meta`/index signature; mirror it
+  // so this shape is assignable to either adapter's tool-handler return type.
+  [key: string]: unknown;
+}
+
+/**
+ * Runs `git_signed_commit` and formats the MCP result. Shared by the Claude
+ * in-process tool and the Codex stdio server so success/error formatting (and
+ * the error-message prefix) can't drift between adapters.
+ */
+export async function runSignedCommitTool(
+  ctx: SignedCommitCtx,
+  args: SignedCommitInput,
+): Promise<SignedCommitToolResult> {
+  try {
+    const result = await createSignedCommit(ctx, args);
+    return {
+      content: [{ type: "text", text: formatSignedCommitResult(result) }],
+    };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      content: [
+        { type: "text", text: `${SIGNED_COMMIT_TOOL_NAME} failed: ${message}` },
+      ],
+      isError: true,
+    };
+  }
+}

package/src/server/agent-server.test.ts

@@ -900,10 +900,8 @@ describe("AgentServer HTTP Mode", () => {
       expect(prompt).toContain(
         "gh pr checkout https://github.com/org/repo/pull/1",
       );
-      expect(prompt).toContain(
-        "Stage and commit all changes with a clear commit message",
-      );
-      expect(prompt).toContain("Push to the existing PR branch");
+      expect(prompt).toContain("git_signed_commit");
+      expect(prompt).toContain("Committing (signed commits required)");
       expect(prompt).not.toContain("Create a draft pull request");
       // Review-comment thread handling: reply + resolve
       expect(prompt).toContain("review thread");

package/src/server/agent-server.ts

@@ -25,6 +25,7 @@ import {
   type AgentErrorClassification,
   classifyAgentError,
 } from "../adapters/error-classification";
+import { SIGNED_COMMIT_QUALIFIED_TOOL_NAME } from "../adapters/signed-commit-shared";
 import type { PermissionMode } from "../execution-mode";
 import { DEFAULT_CODEX_MODEL } from "../gateway-models";
 import { HandoffCheckpointTracker } from "../handoff-checkpoint";
@@ -949,6 +950,7 @@ export class AgentServer {
       _meta: {
         sessionId: payload.run_id,
         taskRunId: payload.run_id,
+        taskId: payload.task_id,
         systemPrompt: sessionSystemPrompt,
         ...(this.config.model && { model: this.config.model }),
         allowedDomains: this.config.allowedDomains,
@@ -1599,24 +1601,21 @@ export class AgentServer {
   private buildCloudSystemPrompt(prUrl?: string | null): string {
     const taskId = this.config.taskId;
     const shouldAutoCreatePr = this.shouldAutoPublishCloudChanges();
-    const attributionInstructions = `
-## Attribution
-Do NOT use Claude Code's default attribution (no "Co-Authored-By" trailers, no "Generated with [Claude Code]" lines).
+    const signedCommitInstructions = `
+## Committing (signed commits required)
+Commits MUST be signed. \`git commit\` and \`git push\` are blocked in this environment.
+To commit: stage your changes with \`git add\`, then call the \`git_signed_commit\` tool (full
+name \`${SIGNED_COMMIT_QUALIFIED_TOOL_NAME}\`) with a \`message\` (and optional \`body\`/\`paths\`).
+It creates a GitHub-signed ("Verified") commit on the branch and keeps your local checkout in
+sync. To start a new branch, pass \`branch\` (prefixed with \`posthog-code/\`) — the tool creates
+it on the remote for you.
 
-If you create a commit, add the following trailers to the commit message (after a blank line at the end):
+## Attribution
+Do NOT add "Co-Authored-By" trailers or "Generated with [Claude Code]" lines to your
+commit messages. The \`git_signed_commit\` tool automatically appends the only trailers
+we want:
   Generated-By: PostHog Code
-  Task-Id: ${taskId}
-
-Example:
-\`\`\`
-git commit -m "$(cat <<'EOF'
-fix: resolve login redirect loop
-
-Generated-By: PostHog Code
-Task-Id: ${taskId}
-EOF
-)"
-\`\`\``;
+  Task-Id: ${taskId}`;
 
     if (prUrl) {
       if (!shouldAutoCreatePr) {
@@ -1630,7 +1629,7 @@ Do the requested work, but stop with local changes ready for review.
 Important:
 - Do NOT create new commits, push to the branch, or update the pull request unless the user explicitly asks.
 - Do NOT create a new branch or a new pull request.
-${attributionInstructions}
+${signedCommitInstructions}
 `;
       }
 
@@ -1641,9 +1640,8 @@ This task already has an open pull request: ${prUrl}
 
 After completing the requested changes:
 1. Check out the existing PR branch with \`gh pr checkout ${prUrl}\`
-2. Stage and commit all changes with a clear commit message
-3. Push to the existing PR branch
-4. For every PR review comment or review thread you addressed, treat the thread as done only after BOTH of these:
+2. Stage your changes with \`git add\`, then call the \`git_signed_commit\` tool with a clear \`message\` (do NOT use \`git commit\`/\`git push\` — they are blocked). This commits to the existing PR branch.
+3. For every PR review comment or review thread you addressed, treat the thread as done only after BOTH of these:
    - Reply on the thread with a short note describing what changed (reference the commit SHA when useful) using \`gh api -X POST /repos/{owner}/{repo}/pulls/{n}/comments/{id}/replies -f body='...'\`.
    - Resolve the thread via the \`resolveReviewThread\` GraphQL mutation: \`gh api graphql -f query='mutation($id:ID!){resolveReviewThread(input:{threadId:$id}){thread{isResolved}}}' -f id="<thread-node-id>"\`.
    List unresolved threads first with \`gh api graphql -f query='{repository(owner:"<owner>",name:"<repo>"){pullRequest(number:<n>){reviewThreads(first:100){nodes{id isResolved comments(first:1){nodes{body}}}}}}}'\` so you can resolve each one you fixed.
@@ -1651,7 +1649,7 @@ After completing the requested changes:
 Important:
 - Do NOT create a new branch or a new pull request.
 - Do NOT push fixes for review comments without replying to and resolving each related thread.
-${attributionInstructions}
+${signedCommitInstructions}
 `;
     }
 
@@ -1666,7 +1664,7 @@ When the user asks for code changes:
 When the user explicitly asks to clone or work in a GitHub repository:
 - Clone the repository into /tmp/workspace/repos/<owner>/<repo> using \`gh repo clone <owner>/<repo> /tmp/workspace/repos/<owner>/<repo>\`
 - Work from inside that cloned repository for follow-up code changes
-- If the user explicitly asks you to open or update a pull request, create a branch, commit the requested changes, push it, and open a draft pull request from inside the clone. Before opening the PR, check the cloned repo for a PR template at \`.github/pull_request_template.md\` (or variants; fall back to the org's \`.github\` repo via \`gh api\`) and use it as the body structure, and search for matching open issues with \`gh issue list --search\` to include \`Closes #<n>\` / \`Refs #<n>\` links.
+- If the user explicitly asks you to open or update a pull request, create a branch, stage your changes with \`git add\` and commit them with the \`git_signed_commit\` tool (do NOT use \`git commit\`/\`git push\` — they are blocked), and open a draft pull request from inside the clone. Before opening the PR, check the cloned repo for a PR template at \`.github/pull_request_template.md\` (or variants; fall back to the org's \`.github\` repo via \`gh api\`) and use it as the body structure, and search for matching open issues with \`gh issue list --search\` to include \`Closes #<n>\` / \`Refs #<n>\` links.
 - Do NOT create branches, commits, push changes, or open pull requests unless the user explicitly asks for that`;
 
       return `
@@ -1686,7 +1684,7 @@ ${publishInstructions}
 
 Important:
 - Prefer using MCP tools to answer questions with real data over giving generic advice.
-${attributionInstructions}
+${signedCommitInstructions}
 `;
     }
 
@@ -1698,7 +1696,7 @@ Do the requested work, but stop with local changes ready for review.
 
 Important:
 - Do NOT create a branch, commit, push, or open a pull request unless the user explicitly asks.
-${attributionInstructions}
+${signedCommitInstructions}
 `;
     }
 
@@ -1706,14 +1704,13 @@ ${attributionInstructions}
 # Cloud Task Execution
 
 After completing the requested changes:
-1. Create a new branch prefixed with \`posthog-code/\` (e.g. \`posthog-code/fix-login-redirect\`) based on the work done
-2. Stage and commit all changes with a clear commit message
-3. Push the branch to origin
-4. Before opening the PR, prepare the body:
+1. Pick a new branch name prefixed with \`posthog-code/\` (e.g. \`posthog-code/fix-login-redirect\`)
+2. Stage your changes with \`git add\`, then call the \`git_signed_commit\` tool with \`branch\` set to that name and a clear \`message\` (do NOT use \`git commit\`/\`git push\` — they are blocked). The tool creates the branch on the remote and a signed commit on it.
+3. Before opening the PR, prepare the body:
    - Check the repo for a PR template at \`.github/pull_request_template.md\` (also try \`.github/PULL_REQUEST_TEMPLATE.md\`, \`docs/pull_request_template.md\`, and root variants). If one exists, use its exact section headings as the PR body — do NOT fall back to a generic Summary/Test plan format.
    - If no repo-level template exists, check the org's \`.github\` repo via \`gh api /repos/<owner>/.github/contents/.github/pull_request_template.md\` (and other common paths) and use that as a fallback.
    - Search for matching open issues with \`gh issue list --state open --search '<keywords>'\` (derive keywords from the branch name, commits, and changed files; \`gh issue view <n>\` to confirm relevance). For every issue this PR would resolve, include a \`Closes #<n>\` line in the body so GitHub auto-links and auto-closes it on merge. For issues that are related but not fully resolved, use \`Refs #<n>\` instead.
-5. Create a draft pull request using \`gh pr create --draft${this.config.baseBranch ? ` --base ${this.config.baseBranch}` : ""}\` with a descriptive title and the body prepared above. Add the following footer at the end of the PR description:
+4. Create a draft pull request using \`gh pr create --draft${this.config.baseBranch ? ` --base ${this.config.baseBranch}` : ""}\` with a descriptive title and the body prepared above. Add the following footer at the end of the PR description:
 \`\`\`
 ---
 *Created with [PostHog Code](https://posthog.com/code?ref=pr)*
@@ -1721,7 +1718,7 @@ After completing the requested changes:
 
 Important:
 - Always create the PR as a draft. Do not ask for confirmation.
-${attributionInstructions}
+${signedCommitInstructions}
 `;
   }
 

package/src/utils/common.ts

@@ -1,3 +1,4 @@
+import { readGithubTokenFromEnv } from "@posthog/git/signed-commit";
 import type { Logger } from "./logger";
 
 /**
@@ -25,6 +26,19 @@ export const IS_ROOT =
 
 export const ALLOW_BYPASS = !IS_ROOT || !!process.env.IS_SANDBOX;
 
+/**
+ * A cloud sandbox run, as opposed to a local desktop session. Cloud sandboxes
+ * always set IS_SANDBOX and carry a taskRunId; desktop sessions have neither.
+ */
+export function isCloudRun(meta: { taskRunId?: string } | undefined): boolean {
+  return !!process.env.IS_SANDBOX || !!meta?.taskRunId;
+}
+
+/** The GitHub token available to the sandbox, if any. */
+export function resolveGithubToken(): string | undefined {
+  return readGithubTokenFromEnv();
+}
+
 export function unreachable(value: never, logger: Logger): void {
   let valueAsString: string;
   try {