@posthog/agent 2.3.647 → 2.3.655

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@posthog/agent",
-  "version": "2.3.647",
+  "version": "2.3.655",
   "repository": "https://github.com/PostHog/code",
   "description": "TypeScript agent framework wrapping Claude Agent SDK with Git-based task execution for PostHog",
   "exports": {
@@ -107,8 +107,8 @@
     "typescript": "^5.5.0",
     "vitest": "^2.1.8",
     "@posthog/shared": "1.0.0",
-    "@posthog/git": "1.0.0",
-    "@posthog/enricher": "1.0.0"
+    "@posthog/enricher": "1.0.0",
+    "@posthog/git": "1.0.0"
   },
   "dependencies": {
     "@agentclientprotocol/sdk": "0.19.0",

package/src/adapters/claude/claude-agent.ts

@@ -57,10 +57,17 @@ import {
   type FileEnrichmentDeps,
 } from "../../enrichment/file-enricher";
 import type { PostHogAPIConfig } from "../../types";
-import { unreachable, withTimeout } from "../../utils/common";
+import {
+  isCloudRun,
+  resolveGithubToken,
+  unreachable,
+  withTimeout,
+} from "../../utils/common";
 import { Logger } from "../../utils/logger";
 import { Pushable } from "../../utils/streams";
 import { BaseAcpAgent } from "../base-acp-agent";
+import { LOCAL_TOOLS_MCP_NAME } from "../local-tools";
+import { resolveTaskId } from "../session-meta";
 import { promptToClaude } from "./conversion/acp-to-sdk";
 import {
   handleResultMessage,
@@ -69,6 +76,7 @@ import {
   handleUserAssistantMessage,
 } from "./conversion/sdk-to-acp";
 import type { EnrichedReadCache } from "./hooks";
+import { createLocalToolsMcpServer } from "./mcp/local-tools";
 import {
   fetchMcpToolMetadata,
   getConnectedMcpServerNames,
@@ -1091,7 +1099,10 @@ export class ClaudeAcpAgent extends BaseAcpAgent {
     const isResume = !!resume;
 
     const meta = params._meta as NewSessionMeta | undefined;
-    const taskId = meta?.persistence?.taskId;
+    const taskId = resolveTaskId(meta);
+    // Gate signed-commit wiring on cloud-run detection so the desktop (which
+    // signs via CommitSaga) is untouched.
+    const cloudRun = isCloudRun(meta);
     const effort = meta?.claudeCode?.options?.effort as EffortLevel | undefined;
 
     // We want to create a new session id unless it is resume,
@@ -1115,6 +1126,24 @@ export class ClaudeAcpAgent extends BaseAcpAgent {
     const mcpServers = supportsMcpInjection(earlyModelId)
       ? parseMcpServers(params)
       : {};
+
+    // Register the in-process general local-tools MCP server. Tools self-gate
+    // via the registry (e.g. signed-commit is cloud-only and needs a GH token),
+    // so adding a tool needs no change here. In cloud runs `git commit`/`git
+    // push` are blocked by the PreToolUse guard (and the sandbox git shim), so
+    // the agent commits via the signed-commit tool instead.
+    const localToolsServer = createLocalToolsMcpServer(
+      { cwd, token: resolveGithubToken(), taskId },
+      meta,
+    );
+    if (localToolsServer) {
+      mcpServers[LOCAL_TOOLS_MCP_NAME] = localToolsServer;
+    } else if (cloudRun) {
+      this.logger.warn(
+        "Cloud run registered no local tools — missing GH_TOKEN/GITHUB_TOKEN? signed commits unavailable",
+      );
+    }
+
     const systemPrompt = buildSystemPrompt(meta?.systemPrompt);
 
     if (meta?.mcpToolApprovals) {
@@ -1164,6 +1193,7 @@ export class ClaudeAcpAgent extends BaseAcpAgent {
       effort,
       enrichmentDeps: this.enrichment?.deps,
       enrichedReadCache: this.enrichedReadCache,
+      cloudMode: cloudRun,
     });
 
     // Use the same abort controller that buildSessionOptions gave to the query

package/src/adapters/claude/hooks.test.ts

@@ -11,6 +11,7 @@ import { Logger } from "../../utils/logger";
 import {
   createPreToolUseHook,
   createReadEnrichmentHook,
+  createSignedCommitGuardHook,
   type EnrichedReadCache,
 } from "./hooks";
 import type {
@@ -311,3 +312,56 @@ describe("createPreToolUseHook", () => {
     });
   });
 });
+
+describe("createSignedCommitGuardHook", () => {
+  const logger = new Logger();
+
+  function bashInput(command: string): HookInput {
+    return {
+      session_id: "s",
+      transcript_path: "/tmp/t",
+      cwd: "/tmp",
+      hook_event_name: "PreToolUse",
+      tool_name: "Bash",
+      tool_use_id: "toolu_1",
+      tool_input: { command },
+    } as HookInput;
+  }
+
+  const guard = createSignedCommitGuardHook(logger);
+  const opts = { signal: new AbortController().signal };
+
+  test.each([
+    "git commit -m x",
+    "git push origin main",
+    "git add . && git commit -m 'y'",
+    "git -C /repo commit",
+    "git --no-pager push",
+  ])("denies %s", async (command) => {
+    const result = await guard(bashInput(command), undefined, opts);
+    expect(result).toMatchObject({
+      hookSpecificOutput: { permissionDecision: "deny" },
+    });
+  });
+
+  test.each([
+    "git status",
+    "git add .",
+    "git fetch origin",
+    "git log --grep=commit",
+    "git stash push",
+    "git ls-remote --heads origin x",
+  ])("allows %s", async (command) => {
+    const result = await guard(bashInput(command), undefined, opts);
+    expect(result).toEqual({ continue: true });
+  });
+
+  test("ignores non-Bash tools", async () => {
+    const result = await guard(
+      { ...bashInput("git commit"), tool_name: "Read" } as HookInput,
+      undefined,
+      opts,
+    );
+    expect(result).toEqual({ continue: true });
+  });
+});

package/src/adapters/claude/hooks.ts

@@ -4,6 +4,7 @@ import {
   type FileEnrichmentDeps,
 } from "../../enrichment/file-enricher";
 import type { Logger } from "../../utils/logger";
+import { SIGNED_COMMIT_QUALIFIED_TOOL_NAME } from "../signed-commit-shared";
 import { stripCatLineNumbers } from "./conversion/sdk-to-acp";
 import {
   extractPostHogSubTool,
@@ -222,6 +223,91 @@ export const createSubagentRewriteHook =
     };
   };
 
+// git global options that consume the following token as their value, so the
+// subcommand detector must skip both (mirrors the sandbox `git` PATH shim).
+const GIT_VALUE_FLAGS = new Set([
+  "-C",
+  "-c",
+  "--git-dir",
+  "--work-tree",
+  "--namespace",
+  "--exec-path",
+]);
+
+function gitSubcommand(segment: string): string | null {
+  const tokens = segment.trim().split(/\s+/).filter(Boolean);
+  if (tokens.length === 0) return null;
+  // Strip a leading path so `/usr/bin/git` is still recognised as git.
+  const head = tokens[0].split("/").pop();
+  if (head !== "git") return null;
+
+  let skipNext = false;
+  for (const tok of tokens.slice(1)) {
+    if (skipNext) {
+      skipNext = false;
+      continue;
+    }
+    if (GIT_VALUE_FLAGS.has(tok)) {
+      skipNext = true;
+      continue;
+    }
+    if (tok.startsWith("-")) continue;
+    return tok;
+  }
+  return null;
+}
+
+/**
+ * True when any top-level shell segment of `command` is a direct `git commit` /
+ * `git push` invocation (allowing `git`-level global flags like `-C path` or
+ * `--no-pager`). Does not match subcommands such as `git stash push` or
+ * `git log --grep=commit`. Git reached via command substitution (`$(git push)`)
+ * is not caught here — the sandbox `git` PATH shim is the authoritative backstop;
+ * this hook is a fast in-band deny with a helpful message.
+ */
+function blocksUnsignedGit(command: string): boolean {
+  // Cheap reject for the overwhelmingly common non-git Bash call before splitting.
+  if (!command.includes("git")) return false;
+  return command.split(/&&|\|\||[;\n|]/).some((segment) => {
+    const sub = gitSubcommand(segment);
+    return sub === "commit" || sub === "push";
+  });
+}
+
+/**
+ * Cloud-only guard: blocks raw `git commit` / `git push` so unsigned commits
+ * cannot leave the sandbox. The agent must use the `git_signed_commit` tool,
+ * which creates GitHub-signed (Verified) commits via the API.
+ */
+export const createSignedCommitGuardHook =
+  (logger: Logger): HookCallback =>
+  async (input: HookInput, _toolUseID: string | undefined) => {
+    if (input.hook_event_name !== "PreToolUse") return { continue: true };
+    if (input.tool_name !== "Bash") return { continue: true };
+
+    const command = (input.tool_input as { command?: string } | undefined)
+      ?.command;
+    if (!command || !blocksUnsignedGit(command)) {
+      return { continue: true };
+    }
+
+    logger.info(
+      `[SignedCommitGuard] Blocking unsigned git command: ${command}`,
+    );
+    return {
+      continue: true,
+      hookSpecificOutput: {
+        hookEventName: "PreToolUse" as const,
+        permissionDecision: "deny" as const,
+        permissionDecisionReason:
+          "Commits must be signed: `git commit` and `git push` are disabled here. " +
+          "Stage changes with `git add`, then call the `git_signed_commit` tool " +
+          `(${SIGNED_COMMIT_QUALIFIED_TOOL_NAME}) with a \`message\` to create a signed ` +
+          "commit on the branch.",
+      },
+    };
+  };
+
 export const createPreToolUseHook =
   (settingsManager: SettingsManager, logger: Logger): HookCallback =>
   async (input: HookInput, _toolUseID: string | undefined) => {

package/src/adapters/claude/mcp/local-tools.test.ts

@@ -0,0 +1,50 @@
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { InMemoryTransport } from "@modelcontextprotocol/sdk/inMemory.js";
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { createLocalToolsMcpServer } from "./local-tools";
+
+describe("createLocalToolsMcpServer", () => {
+  const savedSandbox = process.env.IS_SANDBOX;
+
+  beforeEach(() => {
+    // isCloudRun also keys off IS_SANDBOX; clear it so the meta arg is the only
+    // cloud signal under test.
+    delete process.env.IS_SANDBOX;
+  });
+
+  afterEach(() => {
+    if (savedSandbox === undefined) {
+      delete process.env.IS_SANDBOX;
+    } else {
+      process.env.IS_SANDBOX = savedSandbox;
+    }
+  });
+
+  it("returns undefined when no tool's gate passes (desktop run)", () => {
+    expect(
+      createLocalToolsMcpServer({ cwd: "/repo", token: "ghs_x" }, undefined),
+    ).toBeUndefined();
+  });
+
+  it("exposes git_signed_commit over MCP in a cloud run with a token", async () => {
+    const server = createLocalToolsMcpServer(
+      { cwd: "/repo", token: "ghs_x" },
+      { taskRunId: "run-1" },
+    );
+    if (!server) {
+      throw new Error("expected the local-tools server to be registered");
+    }
+    expect(server.name).toBe("posthog-local");
+
+    const [clientTransport, serverTransport] =
+      InMemoryTransport.createLinkedPair();
+    await server.instance.connect(serverTransport);
+    const client = new Client({ name: "test", version: "1.0.0" });
+    await client.connect(clientTransport);
+
+    const { tools } = await client.listTools();
+    expect(tools.map((t) => t.name)).toContain("git_signed_commit");
+
+    await client.close();
+  });
+});

package/src/adapters/claude/mcp/local-tools.ts

@@ -0,0 +1,40 @@
+import {
+  createSdkMcpServer,
+  type McpSdkServerConfigWithInstance,
+  tool,
+} from "@anthropic-ai/claude-agent-sdk";
+import {
+  enabledLocalTools,
+  LOCAL_TOOLS_MCP_NAME,
+  type LocalToolCtx,
+  type LocalToolGateMeta,
+} from "../../local-tools";
+
+/**
+ * In-process SDK MCP server exposing the enabled local tools to the Claude
+ * adapter (see `../../local-tools` for the registry). Returns `undefined` when
+ * no tool's gate passes, so the caller can skip registering an empty server.
+ * Registered per session in `claude-agent.ts`.
+ */
+export function createLocalToolsMcpServer(
+  ctx: LocalToolCtx,
+  meta: LocalToolGateMeta | undefined,
+): McpSdkServerConfigWithInstance | undefined {
+  const tools = enabledLocalTools(ctx, meta);
+  if (tools.length === 0) {
+    return undefined;
+  }
+  return createSdkMcpServer({
+    name: LOCAL_TOOLS_MCP_NAME,
+    version: "1.0.0",
+    tools: tools.map((t) =>
+      tool(
+        t.name,
+        t.description,
+        t.schema,
+        async (args) => t.handler(ctx, args),
+        { alwaysLoad: t.alwaysLoad ?? false },
+      ),
+    ),
+  });
+}

package/src/adapters/claude/session/options.ts

@@ -17,6 +17,7 @@ import {
   createPostToolUseHook,
   createPreToolUseHook,
   createReadEnrichmentHook,
+  createSignedCommitGuardHook,
   createSubagentRewriteHook,
   type EnrichedReadCache,
   type OnModeChange,
@@ -55,6 +56,8 @@ export interface BuildOptionsParams {
   effort?: EffortLevel;
   enrichmentDeps?: FileEnrichmentDeps;
   enrichedReadCache?: EnrichedReadCache;
+  /** Cloud task session — enables the signed-commit guard. */
+  cloudMode?: boolean;
 }
 
 export function buildSystemPrompt(
@@ -129,6 +132,7 @@ function buildHooks(
   enrichmentDeps: FileEnrichmentDeps | undefined,
   enrichedReadCache: EnrichedReadCache | undefined,
   registeredAgents: ReadonlySet<string>,
+  cloudMode: boolean,
 ): Options["hooks"] {
   const postToolUseHooks = [createPostToolUseHook({ onModeChange })];
   if (enrichmentDeps && enrichedReadCache) {
@@ -137,21 +141,21 @@ function buildHooks(
     );
   }
 
+  const preToolUseHooks = [
+    createPreToolUseHook(settingsManager, logger),
+    createSubagentRewriteHook(logger, registeredAgents),
+  ];
+  if (cloudMode) {
+    preToolUseHooks.push(createSignedCommitGuardHook(logger));
+  }
+
   return {
     ...userHooks,
     PostToolUse: [
       ...(userHooks?.PostToolUse || []),
       { hooks: postToolUseHooks },
     ],
-    PreToolUse: [
-      ...(userHooks?.PreToolUse || []),
-      {
-        hooks: [
-          createPreToolUseHook(settingsManager, logger),
-          createSubagentRewriteHook(logger, registeredAgents),
-        ],
-      },
-    ],
+    PreToolUse: [...(userHooks?.PreToolUse || []), { hooks: preToolUseHooks }],
   };
 }
 
@@ -352,6 +356,7 @@ export function buildSessionOptions(params: BuildOptionsParams): Options {
       params.enrichmentDeps,
       params.enrichedReadCache,
       registeredAgentNames,
+      params.cloudMode ?? false,
     ),
     outputFormat: params.outputFormat,
     abortController: getAbortController(

package/src/adapters/claude/types.ts

@@ -120,6 +120,7 @@ export type SDKMessageFilter = {
 
 export type NewSessionMeta = {
   taskRunId?: string;
+  taskId?: string;
   disableBuiltInTools?: boolean;
   systemPrompt?: unknown;
   sessionId?: string;

package/src/adapters/codex/codex-agent.ts

@@ -38,6 +38,7 @@ import {
   type SetSessionModeRequest,
   type SetSessionModeResponse,
 } from "@agentclientprotocol/sdk";
+import { ghTokenEnv } from "@posthog/git/signed-commit";
 import packageJson from "../../../package.json" with { type: "json" };
 import {
   isMethod,
@@ -56,6 +57,7 @@ import {
   type PermissionMode,
 } from "../../execution-mode";
 import type { PostHogAPIConfig, ProcessSpawnedCallback } from "../../types";
+import { isCloudRun, resolveGithubToken } from "../../utils/common";
 import { Logger } from "../../utils/logger";
 import {
   nodeReadableToWebReadable,
@@ -63,6 +65,12 @@ import {
 } from "../../utils/streams";
 import { BaseAcpAgent, type BaseSession } from "../base-acp-agent";
 import { classifyAgentError } from "../error-classification";
+import {
+  enabledLocalTools,
+  LOCAL_TOOLS_MCP_NAME,
+  type LocalToolCtx,
+} from "../local-tools";
+import { resolveTaskId } from "../session-meta";
 import { createCodexClient } from "./codex-client";
 import { normalizeCodexConfigOptions } from "./models";
 import {
@@ -193,8 +201,7 @@ const STRUCTURED_OUTPUT_INSTRUCTIONS = `\n\nWhen you have completed the task, ca
  * harness/bin.js, etc), `import.meta.dirname` sits at different depths. Walk
  * up until we find the script so each bundle locates the shared dist asset.
  */
-function resolveStructuredOutputMcpScript(): string {
-  const rel = "adapters/codex/structured-output-mcp-server.js";
+function resolveBundledMcpScript(rel: string): string {
   let dir = import.meta.dirname ?? __dirname;
   for (let i = 0; i < 5; i++) {
     const candidate = resolvePath(dir, rel);
@@ -209,7 +216,9 @@ function resolveStructuredOutputMcpScript(): string {
 function buildStructuredOutputMcpServer(
   jsonSchema: Record<string, unknown>,
 ): McpServerStdio {
-  const scriptPath = resolveStructuredOutputMcpScript();
+  const scriptPath = resolveBundledMcpScript(
+    "adapters/codex/structured-output-mcp-server.js",
+  );
   const schemaBase64 = Buffer.from(JSON.stringify(jsonSchema)).toString(
     "base64",
   );
@@ -221,6 +230,41 @@ function buildStructuredOutputMcpServer(
   };
 }
 
+/**
+ * Builds the stdio MCP server config exposing the enabled local tools. Context
+ * (cwd, taskId, token) and the enabled tool names are passed base64/CSV-encoded
+ * so the child registers the same tools the Claude adapter exposes in-process.
+ */
+function buildLocalToolsMcpServer(
+  ctx: LocalToolCtx,
+  enabledNames: string[],
+): McpServerStdio {
+  const scriptPath = resolveBundledMcpScript(
+    "adapters/codex/local-tools-mcp-server.js",
+  );
+  const ctxBase64 = Buffer.from(JSON.stringify(ctx)).toString("base64");
+  const env = [
+    { name: "POSTHOG_LOCAL_TOOLS_CTX", value: ctxBase64 },
+    { name: "POSTHOG_LOCAL_TOOLS_ENABLED", value: enabledNames.join(",") },
+  ];
+  if (ctx.token) {
+    // Token also on the child env so its own git remote ops (fetch/ls-remote)
+    // authenticate; the var names come from the single shared source.
+    env.push(
+      ...Object.entries(ghTokenEnv(ctx.token)).map(([name, value]) => ({
+        name,
+        value,
+      })),
+    );
+  }
+  return {
+    name: LOCAL_TOOLS_MCP_NAME,
+    command: process.execPath,
+    args: [scriptPath],
+    env,
+  };
+}
+
 export class CodexAcpAgent extends BaseAcpAgent {
   readonly adapterName = "codex";
   declare session: CodexSession;
@@ -338,7 +382,10 @@ export class CodexAcpAgent extends BaseAcpAgent {
     const meta = params._meta as NewSessionMeta | undefined;
     const requestedPermissionMode = toCodexPermissionMode(meta?.permissionMode);
 
-    const injectedParams = this.applyStructuredOutput(params, meta);
+    const injectedParams = this.applyLocalTools(
+      this.applyStructuredOutput(params, meta),
+      meta,
+    );
     const response = await this.codexConnection.newSession(injectedParams);
     response.configOptions = normalizeCodexConfigOptions(
       response.configOptions,
@@ -347,7 +394,7 @@ export class CodexAcpAgent extends BaseAcpAgent {
     // Initialize session state
     this.sessionState = createSessionState(response.sessionId, params.cwd, {
       taskRunId: meta?.taskRunId,
-      taskId: meta?.taskId ?? meta?.persistence?.taskId,
+      taskId: resolveTaskId(meta),
       modeId: response.modes?.currentModeId ?? "auto",
       modelId: response.models?.currentModelId,
       permissionMode: requestedPermissionMode,
@@ -380,7 +427,10 @@ export class CodexAcpAgent extends BaseAcpAgent {
 
   async loadSession(params: LoadSessionRequest): Promise<LoadSessionResponse> {
     const meta = params._meta as NewSessionMeta | undefined;
-    const injectedParams = this.applyStructuredOutput(params, meta);
+    const injectedParams = this.applyLocalTools(
+      this.applyStructuredOutput(params, meta),
+      meta,
+    );
     const response = await this.codexConnection.loadSession(injectedParams);
     response.configOptions = normalizeCodexConfigOptions(
       response.configOptions,
@@ -396,7 +446,7 @@ export class CodexAcpAgent extends BaseAcpAgent {
     // not, which silently broke task-completion tracking on re-attach.
     this.sessionState = createSessionState(params.sessionId, params.cwd, {
       taskRunId: meta?.taskRunId,
-      taskId: meta?.taskId ?? meta?.persistence?.taskId,
+      taskId: resolveTaskId(meta),
       modeId: response.modes?.currentModeId ?? "auto",
       permissionMode: currentPermissionMode,
     });
@@ -418,13 +468,16 @@ export class CodexAcpAgent extends BaseAcpAgent {
     params: ResumeSessionRequest,
   ): Promise<ResumeSessionResponse> {
     const meta = params._meta as NewSessionMeta | undefined;
-    const injectedParams = this.applyStructuredOutput(
-      {
-        sessionId: params.sessionId,
-        cwd: params.cwd,
-        mcpServers: params.mcpServers ?? [],
-        _meta: params._meta,
-      },
+    const injectedParams = this.applyLocalTools(
+      this.applyStructuredOutput(
+        {
+          sessionId: params.sessionId,
+          cwd: params.cwd,
+          mcpServers: params.mcpServers ?? [],
+          _meta: params._meta,
+        },
+        meta,
+      ),
       meta,
     );
 
@@ -439,7 +492,7 @@ export class CodexAcpAgent extends BaseAcpAgent {
     );
     this.sessionState = createSessionState(params.sessionId, params.cwd, {
       taskRunId: meta?.taskRunId,
-      taskId: meta?.taskId ?? meta?.persistence?.taskId,
+      taskId: resolveTaskId(meta),
       modeId: loadResponse.modes?.currentModeId ?? "auto",
       permissionMode: currentPermissionMode,
     });
@@ -465,12 +518,15 @@ export class CodexAcpAgent extends BaseAcpAgent {
     params: ForkSessionRequest,
   ): Promise<ForkSessionResponse> {
     const meta = params._meta as NewSessionMeta | undefined;
-    const injectedParams = this.applyStructuredOutput(
-      {
-        cwd: params.cwd,
-        mcpServers: params.mcpServers ?? [],
-        _meta: params._meta,
-      },
+    const injectedParams = this.applyLocalTools(
+      this.applyStructuredOutput(
+        {
+          cwd: params.cwd,
+          mcpServers: params.mcpServers ?? [],
+          _meta: params._meta,
+        },
+        meta,
+      ),
       meta,
     );
 
@@ -483,7 +539,7 @@ export class CodexAcpAgent extends BaseAcpAgent {
     const requestedPermissionMode = toCodexPermissionMode(meta?.permissionMode);
     this.sessionState = createSessionState(newResponse.sessionId, params.cwd, {
       taskRunId: meta?.taskRunId,
-      taskId: meta?.taskId ?? meta?.persistence?.taskId,
+      taskId: resolveTaskId(meta),
       modeId: newResponse.modes?.currentModeId ?? "auto",
       permissionMode: requestedPermissionMode,
     });
@@ -531,6 +587,45 @@ export class CodexAcpAgent extends BaseAcpAgent {
     };
   }
 
+  /**
+   * Injects the stdio general local-tools MCP server. Tools self-gate via the
+   * registry (e.g. signed-commit is cloud-only and needs a GH token), so the
+   * server is only injected when at least one tool's gate passes. Their
+   * instructions already live in the shared cloud system prompt, so only the
+   * server needs injecting here.
+   */
+  private applyLocalTools<
+    T extends { cwd?: string; mcpServers?: McpServer[]; _meta?: unknown },
+  >(request: T, meta: NewSessionMeta | undefined): T {
+    const cwd = request.cwd;
+    if (!cwd) {
+      return request;
+    }
+    const ctx: LocalToolCtx = {
+      cwd,
+      token: resolveGithubToken(),
+      taskId: resolveTaskId(meta),
+    };
+    const tools = enabledLocalTools(ctx, meta);
+    if (tools.length === 0) {
+      if (isCloudRun(meta)) {
+        this.logger.warn(
+          "Cloud run registered no local tools — missing GH_TOKEN/GITHUB_TOKEN? signed commits unavailable",
+        );
+      }
+      return request;
+    }
+
+    const mcpServer = buildLocalToolsMcpServer(
+      ctx,
+      tools.map((t) => t.name),
+    );
+    return {
+      ...request,
+      mcpServers: [...(request.mcpServers ?? []), mcpServer],
+    };
+  }
+
   private async applyInitialPermissionMode(
     sessionId: string,
     permissionMode?: string,