@posthog/agent 2.3.663 → 2.3.675

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@posthog/agent",
-  "version": "2.3.663",
+  "version": "2.3.675",
   "repository": "https://github.com/PostHog/code",
   "description": "TypeScript agent framework wrapping Claude Agent SDK with Git-based task execution for PostHog",
   "exports": {
@@ -107,8 +107,8 @@
     "typescript": "^5.5.0",
     "vitest": "^2.1.8",
     "@posthog/shared": "1.0.0",
-    "@posthog/git": "1.0.0",
-    "@posthog/enricher": "1.0.0"
+    "@posthog/enricher": "1.0.0",
+    "@posthog/git": "1.0.0"
   },
   "dependencies": {
     "@agentclientprotocol/sdk": "0.19.0",

package/src/adapters/claude/mcp/local-tools.test.ts

@@ -29,7 +29,7 @@ describe("createLocalToolsMcpServer", () => {
   it("exposes git_signed_commit over MCP in a cloud run with a token", async () => {
     const server = createLocalToolsMcpServer(
       { cwd: "/repo", token: "ghs_x" },
-      { taskRunId: "run-1" },
+      { environment: "cloud" },
     );
     if (!server) {
       throw new Error("expected the local-tools server to be registered");

package/src/adapters/claude/types.ts

@@ -121,6 +121,7 @@ export type SDKMessageFilter = {
 export type NewSessionMeta = {
   taskRunId?: string;
   taskId?: string;
+  environment?: "local" | "cloud";
   disableBuiltInTools?: boolean;
   systemPrompt?: unknown;
   sessionId?: string;

package/src/adapters/codex/codex-agent.ts

@@ -97,6 +97,7 @@ export {
 interface NewSessionMeta {
   taskRunId?: string;
   taskId?: string;
+  environment?: "local" | "cloud";
   systemPrompt?: string;
   permissionMode?: string;
   model?: string;

package/src/adapters/local-tools/registry.test.ts

@@ -10,7 +10,7 @@ describe("local-tools registry", () => {
   const savedSandbox = process.env.IS_SANDBOX;
 
   beforeEach(() => {
-    // isCloudRun also keys off IS_SANDBOX; clear it so meta.taskRunId is the
+    // isCloudRun also keys off IS_SANDBOX; clear it so meta.environment is the
     // only cloud signal under test.
     delete process.env.IS_SANDBOX;
   });
@@ -35,23 +35,41 @@ describe("local-tools registry", () => {
   });
 
   it.each([
-    { name: "cloud run with a token", taskRunId: "run-1", token: "ghs_x" },
-    { name: "cloud run without a token", taskRunId: "run-1", token: undefined },
-    { name: "desktop run with a token", taskRunId: undefined, token: "ghs_x" },
     {
-      name: "desktop run without a token",
-      taskRunId: undefined,
+      name: "cloud run with a token",
+      meta: { environment: "cloud" as const },
+      token: "ghs_x",
+      expected: true,
+    },
+    {
+      name: "cloud run without a token (resolved lazily at call time)",
+      meta: { environment: "cloud" as const },
       token: undefined,
+      expected: true,
     },
-  ])(
-    "exposes git_signed_commit only in $name when cloud+token",
-    ({ taskRunId, token }) => {
-      const tools = enabledLocalTools(
-        { cwd: "/repo", token },
-        taskRunId ? { taskRunId } : undefined,
-      );
-      const hasSignedCommit = tools.some((t) => t.name === "git_signed_commit");
-      expect(hasSignedCommit).toBe(Boolean(taskRunId) && Boolean(token));
+    {
+      name: "desktop run with a token",
+      meta: { environment: "local" as const },
+      token: "ghs_x",
+      expected: false,
     },
-  );
+    {
+      name: "desktop run without a token",
+      meta: { environment: "local" as const },
+      token: undefined,
+      expected: false,
+    },
+  ])("exposes git_signed_commit in $name", ({ meta, token, expected }) => {
+    const tools = enabledLocalTools({ cwd: "/repo", token }, meta);
+    const hasSignedCommit = tools.some((t) => t.name === "git_signed_commit");
+    expect(hasSignedCommit).toBe(expected);
+  });
+
+  it("does not treat legacy taskRunId-only metadata as cloud", () => {
+    const tools = enabledLocalTools({ cwd: "/repo", token: undefined }, {
+      taskRunId: "run-1",
+    } as unknown as { environment?: "local" | "cloud" });
+    const hasSignedCommit = tools.some((t) => t.name === "git_signed_commit");
+    expect(hasSignedCommit).toBe(false);
+  });
 });

package/src/adapters/local-tools/registry.ts

@@ -19,7 +19,7 @@ export interface LocalToolCtx {
 
 /** Minimal session-meta shape needed to gate tools (e.g. cloud-only). */
 export interface LocalToolGateMeta {
-  taskRunId?: string;
+  environment?: "local" | "cloud";
 }
 
 /**

package/src/adapters/local-tools/tools/signed-commit.ts

@@ -1,4 +1,4 @@
-import { isCloudRun } from "../../../utils/common";
+import { isCloudRun, resolveGithubToken } from "../../../utils/common";
 import {
   runSignedCommitTool,
   SIGNED_COMMIT_TOOL_DESCRIPTION,
@@ -8,19 +8,34 @@ import {
 import { defineLocalTool } from "../registry";
 
 /**
- * `git_signed_commit` as a local tool. Cloud runs only, and only when a GitHub
- * token is available (the commit is created via GitHub's API, which also signs
- * it). Committing is core to cloud tasks, so keep it visible past ToolSearch.
+ * `git_signed_commit` as a local tool. Cloud-run only; the token is resolved
+ * lazily at call time so the tool stays visible even when the GitHub token
+ * lands in `process.env` after the session was created (e.g. an orchestrator
+ * injecting it post-spawn). Committing is core to cloud tasks, so keep it
+ * exposed past ToolSearch via `alwaysLoad`.
  */
 export const signedCommitTool = defineLocalTool({
   name: SIGNED_COMMIT_TOOL_NAME,
   description: SIGNED_COMMIT_TOOL_DESCRIPTION,
   schema: signedCommitToolSchema,
   alwaysLoad: true,
-  isEnabled: (ctx, meta) => isCloudRun(meta) && !!ctx.token,
-  handler: (ctx, args) =>
-    runSignedCommitTool(
-      { cwd: ctx.cwd, token: ctx.token ?? "", taskId: ctx.taskId },
+  isEnabled: (_ctx, meta) => isCloudRun(meta),
+  handler: (ctx, args) => {
+    const token = ctx.token ?? resolveGithubToken();
+    if (!token) {
+      return Promise.resolve({
+        content: [
+          {
+            type: "text" as const,
+            text: `${SIGNED_COMMIT_TOOL_NAME} failed: no GitHub token in env (GH_TOKEN/GITHUB_TOKEN)`,
+          },
+        ],
+        isError: true,
+      });
+    }
+    return runSignedCommitTool(
+      { cwd: ctx.cwd, token, taskId: ctx.taskId },
       args,
-    ),
+    );
+  },
 });

package/src/server/agent-server.ts

@@ -976,6 +976,7 @@ export class AgentServer {
         sessionId: payload.run_id,
         taskRunId: payload.run_id,
         taskId: payload.task_id,
+        environment: "cloud",
         systemPrompt: sessionSystemPrompt,
         ...(this.config.model && { model: this.config.model }),
         allowedDomains: this.config.allowedDomains,

package/src/utils/common.ts

@@ -27,11 +27,16 @@ export const IS_ROOT =
 export const ALLOW_BYPASS = !IS_ROOT || !!process.env.IS_SANDBOX;
 
 /**
- * A cloud sandbox run, as opposed to a local desktop session. Cloud sandboxes
- * always set IS_SANDBOX and carry a taskRunId; desktop sessions have neither.
+ * A cloud sandbox run, as opposed to a local desktop session. `taskRunId` is
+ * used by both desktop and cloud for persistence, so it must not imply cloud.
  */
-export function isCloudRun(meta: { taskRunId?: string } | undefined): boolean {
-  return !!process.env.IS_SANDBOX || !!meta?.taskRunId;
+export function isCloudRun(
+  meta: { environment?: "local" | "cloud" } | undefined,
+): boolean {
+  if (meta?.environment) {
+    return meta.environment === "cloud";
+  }
+  return !!process.env.IS_SANDBOX;
 }
 
 /** The GitHub token available to the sandbox, if any. */