create-ironclaws 1.0.3 → 1.1.0

package/template/scripts/setup-onecli-secrets.sh

@@ -4,8 +4,11 @@
 # Configure OneCLI secrets via the LOCAL HTTP API (handles encryption correctly).
 # Direct DB insertion bypasses encryption and breaks the gateway — never do that.
 #
-# Run this on the VM after deploying NanoClaw:
-#   cd ~/nanoclaw-docker && bash scripts/setup-onecli-secrets.sh
+# Run after deploying IronClaws:
+#   bash scripts/setup-onecli-secrets.sh
+#
+# To add a new service: copy one of the existing blocks below, update the
+# variable names, and add a corresponding section in .env.example.
 
 set -eo pipefail
 
@@ -78,8 +81,8 @@ link_secret_to_agent() {
   local secret_name="$1"
   local agent_name="$2"
 
-  # Match by identifier (set to folder name by setup-agents.sh) first,
-  # fall back to name for agents registered before identifier was used.
+  # Match by identifier (folder name) first,
+  # fall back to name for backward compatibility.
   docker exec onecli-postgres-1 psql -U onecli -d onecli -c "
     INSERT INTO agent_secrets (agent_id, secret_id, created_at, updated_at)
     SELECT a.id, s.id, NOW(), NOW()
@@ -122,103 +125,38 @@ fi
 echo "Reading credentials from $ENV_FILE"
 echo ""
 
-# Read all credentials
-ELASTIC_API_KEY=$(env_val "ELASTIC_API_KEY")
-ELASTIC_BASE_URL=$(env_val "ELASTIC_BASE_URL")
-ELASTIC_HOST=$(echo "$ELASTIC_BASE_URL" | sed 's|^https://||;s|^http://||' | cut -d/ -f1)
-
-JIRA_EMAIL=$(env_val "JIRA_EMAIL")
-JIRA_API_TOKEN=$(env_val "JIRA_API_TOKEN")
-JIRA_BASE_URL=$(env_val "JIRA_BASE_URL")
-JIRA_HOST=$(echo "$JIRA_BASE_URL" | sed 's|^https://||;s|^http://||' | cut -d/ -f1)
-JIRA_BASIC=$(printf '%s:%s' "$JIRA_EMAIL" "$JIRA_API_TOKEN" | base64 | tr -d '\n')
-
-CONFLUENCE_USERNAME=$(env_val "CONFLUENCE_USERNAME")
-CONFLUENCE_PASSWORD=$(env_val "CONFLUENCE_PASSWORD")
-CONFLUENCE_BASE_URL=$(env_val "CONFLUENCE_BASE_URL")
-CONFLUENCE_HOST=$(echo "$CONFLUENCE_BASE_URL" | sed 's|^https://||;s|^http://||' | cut -d/ -f1)
-CONFLUENCE_BASIC=$(printf '%s:%s' "$CONFLUENCE_USERNAME" "$CONFLUENCE_PASSWORD" | base64 | tr -d '\n')
-
-SLACK_BOT_TOKEN=$(env_val "SLACK_BOT_TOKEN")
-INTERCOM_ACCESS_TOKEN=$(env_val "INTERCOM_ACCESS_TOKEN")
-
-XLEDGER_API_TOKEN=$(env_val "XLEDGER_API_TOKEN")
-XLEDGER_API_BASE=$(env_val "XLEDGER_API_BASE")
-XLEDGER_HOST=$(echo "$XLEDGER_API_BASE" | sed 's|^https://||;s|^http://||' | cut -d/ -f1)
-
-ARDOQ_API_KEY=$(env_val "ARDOQ_API_KEY")
-ARDOQ_BASE_URL=$(env_val "ARDOQ_BASE_URL")
-ARDOQ_HOST=$(echo "$ARDOQ_BASE_URL" | sed 's|^https://||;s|^http://||' | cut -d/ -f1)
-
+# Read credentials from .env
 ANTHROPIC_AUTH_TOKEN=$(env_val "ANTHROPIC_AUTH_TOKEN")
 LLM_GATEWAY=$(env_val "ANTHROPIC_BASE_URL")
 LLM_GATEWAY_HOST=$(echo "$LLM_GATEWAY" | sed 's|^https://||;s|^http://||' | cut -d/ -f1)
 
+SLACK_BOT_TOKEN=$(env_val "SLACK_BOT_TOKEN")
+
 # ── Register secrets via API (with proper encryption) ─────────────────────────
 
 echo "Registering secrets..."
 echo ""
 
-[ -n "$ELASTIC_API_KEY" ] && [ -n "$ELASTIC_HOST" ] && \
-  upsert_secret "elastic" "$ELASTIC_HOST" "Authorization" "ApiKey $ELASTIC_API_KEY" || \
-  echo "  ⚠ Skipping elastic"
-
-[ -n "$JIRA_BASIC" ] && [ -n "$JIRA_HOST" ] && \
-  upsert_secret "jira" "$JIRA_HOST" "Authorization" "Basic $JIRA_BASIC" || \
-  echo "  ⚠ Skipping jira"
-
-# Confluence: only if host differs from Jira (usually same Atlassian instance)
-if [ -n "$CONFLUENCE_BASIC" ] && [ -n "$CONFLUENCE_HOST" ] && [ "$CONFLUENCE_HOST" != "$JIRA_HOST" ]; then
-  upsert_secret "confluence" "$CONFLUENCE_HOST" "Authorization" "Basic $CONFLUENCE_BASIC"
-else
-  echo "  ✓ Confluence shares host with Jira — using jira secret for both"
-fi
-
-[ -n "$SLACK_BOT_TOKEN" ] && \
-  upsert_secret "slack" "slack.com" "Authorization" "Bearer $SLACK_BOT_TOKEN" || \
-  echo "  ⚠ Skipping slack"
-
-[ -n "$INTERCOM_ACCESS_TOKEN" ] && \
-  upsert_secret "intercom" "api.intercom.io" "Authorization" "Bearer $INTERCOM_ACCESS_TOKEN" || \
-  echo "  ⚠ Skipping intercom"
-
-[ -n "$ARDOQ_API_KEY" ] && [ -n "$ARDOQ_HOST" ] && \
-  upsert_secret "ardoq" "$ARDOQ_HOST" "Authorization" "Token token=$ARDOQ_API_KEY" || \
-  echo "  ⚠ Skipping ardoq"
-
+# LiteLLM gateway — required. Routes all Claude API calls through your proxy.
 [ -n "$ANTHROPIC_AUTH_TOKEN" ] && [ -n "$LLM_GATEWAY_HOST" ] && \
   upsert_secret "litellm" "$LLM_GATEWAY_HOST" "Authorization" "Bearer $ANTHROPIC_AUTH_TOKEN" || \
-  echo "  ⚠ Skipping litellm"
+  echo "  ⚠ Skipping litellm (ANTHROPIC_AUTH_TOKEN or ANTHROPIC_BASE_URL not set)"
 
-[ -n "$XLEDGER_API_TOKEN" ] && [ -n "$XLEDGER_HOST" ] && \
-  upsert_secret "xledger" "$XLEDGER_HOST" "Authorization" "token $XLEDGER_API_TOKEN" || \
-  echo "  ⚠ Skipping xledger"
+# Slack — optional. Only needed for agents that call the Slack API directly
+# (e.g. reading channel history). The host handles Slack posting natively.
+[ -n "$SLACK_BOT_TOKEN" ] && \
+  upsert_secret "slack" "slack.com" "Authorization" "Bearer $SLACK_BOT_TOKEN"
 
-echo ""
+# ── Add your services here ────────────────────────────────────────────────────
+# For each service your agents call, add a block:
+#
+#   MY_TOKEN=$(env_val "MY_SERVICE_TOKEN")
+#   MY_HOST="api.myservice.com"
+#   [ -n "$MY_TOKEN" ] && upsert_secret "my-service" "$MY_HOST" "Authorization" "Bearer $MY_TOKEN"
+#
+# Then add "my-service" to the agent's onecli_secrets in agents.yaml.
+# The proxy will inject the Authorization header for any call to MY_HOST.
 
-# ── Register global-claw agent if missing ────────────────────────────────────
-
-echo "Ensuring agents exist..."
-GLOBAL_CLAW_EXISTS=$(docker exec onecli-postgres-1 psql -U onecli -d onecli -t -c \
-  "SELECT COUNT(*) FROM agents WHERE name='global-claw';" | tr -d ' \n')
-
-if [ "$GLOBAL_CLAW_EXISTS" = "0" ]; then
-  RAND_TOKEN=$(openssl rand -hex 20)
-  # Try new schema (account_id) first, fall back to old schema (project_id)
-  docker exec onecli-postgres-1 psql -U onecli -d onecli -c \
-    "INSERT INTO agents (id, name, access_token, identifier, secret_mode, account_id, created_at, updated_at)
-     SELECT 'nanoclaw-global-claw', 'global-claw', 'aoc_${RAND_TOKEN}', 'global-claw', 'selective', id, NOW(), NOW()
-     FROM accounts LIMIT 1
-     ON CONFLICT (id) DO NOTHING;" > /dev/null 2>&1 || \
-  docker exec onecli-postgres-1 psql -U onecli -d onecli -c \
-    "INSERT INTO agents (id, name, access_token, identifier, secret_mode, project_id, created_at, updated_at)
-     VALUES ('nanoclaw-global-claw', 'global-claw', 'aoc_${RAND_TOKEN}', 'global-claw', 'selective',
-             (SELECT id FROM projects LIMIT 1), NOW(), NOW())
-     ON CONFLICT (id) DO NOTHING;" > /dev/null 2>&1
-  echo "  ✓ Created global-claw agent"
-else
-  echo "  ✓ global-claw agent already exists"
-fi
 echo ""
 
 # ── Link secrets to agents (driven by agents.yaml — single source of truth) ───

package/template/src/container-runner.ts

@@ -148,7 +148,7 @@ function redactContainerArgs(args: string[]): string {
 }
 
 // Env vars forwarded from .env into every container so Claude's Bash tool
-// can call service-specific tools (elastic_query.py, gh, etc.) without
+// can call tools (Python scripts, gh CLI, etc.) without
 // secrets being baked into the container image.
 const FORWARDED_ENV_KEYS = [
   'CLAUDE_CODE_API_KEY_HELPER_TTL_MS',
@@ -172,7 +172,7 @@ const FORWARDED_ENV_KEYS = [
   'GITHUB_TOKEN',
   'GITHUB_REPO',
 
-  // Jira (ticket-creator, jira-worker)
+  // Jira
   'JIRA_BASE_URL',
   'JIRA_EMAIL',
   'JIRA_API_TOKEN',
@@ -450,8 +450,8 @@ async function buildContainerArgs(
   args.push('-e', `TZ=${TIMEZONE}`);
 
   // Forward service credentials from .env so Claude's Bash tool can call
-  // elastic_query.py, gh CLI, etc. inside the container.
-  const agentFolder = agentIdentifier || "global-claw";
+  // tools and gh CLI inside the container.
+  const agentFolder = agentIdentifier || "forge";
   const forwardedEnv = readEnvFile(getAgentEnvKeys(agentFolder));
   for (const [key, value] of Object.entries(forwardedEnv)) {
     args.push('-e', `${key}=${value}`);

package/template/src/index.ts

@@ -583,13 +583,13 @@ function ensureContainerSystemRunning(): void {
  *
  * On every startup, reads agents.yaml and registers any agent whose channel
  * ID env var is set but isn't in the DB yet. This replaces the need to run
- * setup-agents.sh manually on fresh installs.
+ * Agents auto-register on startup — no manual script needed.
  */
 /**
  * Ensure every agent from agents.yaml has an entry in the sender allowlist.
  *
  * The allowlist file only needs entries for OVERRIDES — e.g. restricting
- * global-claw to a specific sender. Every other registered agent is
+ * a main/meta agent to a specific sender. Every other registered agent is
  * automatically allowed with the default open policy so agents.yaml + .env
  * is the single file to maintain.
  */
@@ -647,6 +647,7 @@ function autoRegisterAgentsFromYaml(): void {
     is_main?: boolean;
     onecli_secrets?: string[];
     onecli_id?: string;
+    container_config?: import('./types.js').ContainerConfig;
   }>;
 
   try {
@@ -676,6 +677,7 @@ function autoRegisterAgentsFromYaml(): void {
       added_at: new Date().toISOString(),
       requiresTrigger: def.requires_trigger !== false,
       isMain: def.is_main === true,
+      ...(def.container_config ? { containerConfig: def.container_config } : {}),
     };
 
     setRegisteredGroup(jid, group);
@@ -695,7 +697,7 @@ function autoRegisterAgentsFromYaml(): void {
 
   // Ensure every registered agent has an entry in the sender allowlist.
   // The allowlist file only needs to exist for OVERRIDES (e.g. restricting
-  // global-claw to specific senders). All other agents are auto-added with
+  // a main/meta agent to specific senders). All other agents are auto-added with
   // the default open policy so agents.yaml + .env is the only file to maintain.
   ensureAllowlistEntries(agentDefs);
 
@@ -714,13 +716,32 @@ function ensureOneCLISecrets(): void {
   const secretsScript = path.join(process.cwd(), 'scripts', 'setup-onecli-secrets.sh');
   if (!fs.existsSync(secretsScript)) return;
 
-  // Hash the credential-bearing env vars that the secrets script uses
+  // Hash two things:
+  // 1. Credential-bearing env vars (re-run when secrets rotate)
+  // 2. onecli_secrets from agents.yaml (re-run when an agent's secret list changes)
   const credentialKeys = [
     'ELASTIC_API_KEY', 'JIRA_EMAIL', 'JIRA_API_TOKEN',
     'SLACK_BOT_TOKEN', 'INTERCOM_ACCESS_TOKEN', 'ARDOQ_API_KEY',
     'ANTHROPIC_AUTH_TOKEN', 'CONFLUENCE_USERNAME', 'CONFLUENCE_PASSWORD',
+    'XLEDGER_API_TOKEN',
   ];
-  const hashInput = credentialKeys.map(k => `${k}=${process.env[k] || ''}`).join('\n');
+  const envHash = credentialKeys.map(k => `${k}=${process.env[k] || ''}`).join('\n');
+
+  // Include agents.yaml onecli_secrets so adding/removing a secret triggers re-run
+  let agentsSecretsSig = '';
+  try {
+    const agentsYaml = path.join(process.cwd(), 'agents.yaml');
+    if (fs.existsSync(agentsYaml)) {
+      const defs = YAML.parse(fs.readFileSync(agentsYaml, 'utf-8')).agents || [];
+      agentsSecretsSig = defs
+        .map((d: { folder: string; onecli_secrets?: string[] }) =>
+          `${d.folder}:${(d.onecli_secrets || []).sort().join(',')}`)
+        .sort()
+        .join('\n');
+    }
+  } catch { /* non-fatal — env hash alone is still useful */ }
+
+  const hashInput = envHash + '\n---agents---\n' + agentsSecretsSig;
   const currentHash = crypto.createHash('sha256').update(hashInput).digest('hex');
 
   const hashFile = path.join(STORE_DIR, 'onecli-secrets.hash');

package/template/container/tools/elastic_query.py

@@ -1,161 +0,0 @@
-"""
-Standalone Elastic/Kibana log query tool for Argus.
-
-Usage:
-  python3 elastic_query.py --namespace it-ops
-  python3 elastic_query.py --namespace it-ops --container my-service
-  python3 elastic_query.py --namespace it-ops --from 2024-01-01T10:00:00Z --to 2024-01-01T11:00:00Z
-  python3 elastic_query.py  # searches all namespaces with default lookback
-
-Environment variables (required):
-  ELASTIC_BASE_URL      e.g. https://kibana.yourcompany.com
-  ELASTIC_API_KEY       Kibana API key
-
-Optional environment variables:
-  ELASTIC_LOOKBACK_MINUTES  default 60
-  ELASTIC_MAX_LOGS          default 100
-"""
-
-import argparse
-import json
-import os
-import sys
-from datetime import datetime, timedelta, timezone
-
-try:
-    import requests
-except ImportError:
-    print("ERROR: 'requests' is not installed. Run: pip3 install requests", file=sys.stderr)
-    sys.exit(1)
-
-KIBANA_PROXY_PATH = "/api/console/proxy"
-
-
-def parse_args():
-    p = argparse.ArgumentParser(description="Query Elastic error logs via Kibana proxy")
-    p.add_argument("--namespace", help="Kubernetes namespace (omit to search all)")
-    p.add_argument("--container", help="Kubernetes container name (optional filter)")
-    p.add_argument("--from", dest="from_ts", help="Start timestamp (ISO 8601 or 'now-Xm/h/d')")
-    p.add_argument("--to", dest="to_ts", help="End timestamp (ISO 8601 or 'now')")
-    p.add_argument("--lookback", type=int, help="Lookback minutes (overrides ELASTIC_LOOKBACK_MINUTES)")
-    p.add_argument("--max", type=int, help="Max log entries (overrides ELASTIC_MAX_LOGS)")
-    return p.parse_args()
-
-
-def resolve_ts(ts: str) -> str:
-    """Resolve 'now-Xm/h/d' and 'now' to ISO timestamps."""
-    if not ts.startswith("now"):
-        return ts
-    import re
-    m = re.match(r"now-(\d+)([mhd])$", ts)
-    if m:
-        amount, unit = int(m.group(1)), m.group(2)
-        delta = {"m": timedelta(minutes=amount), "h": timedelta(hours=amount), "d": timedelta(days=amount)}[unit]
-        return (datetime.now(timezone.utc) - delta).isoformat()
-    return datetime.now(timezone.utc).isoformat()
-
-
-def query_logs(namespace, container, from_ts, to_ts, max_logs, base_url, api_key):
-    if from_ts and to_ts:
-        time_range = {"gte": from_ts, "lte": to_ts}
-    else:
-        now = datetime.now(timezone.utc)
-        lookback = int(os.environ.get("ELASTIC_LOOKBACK_MINUTES", "60"))
-        since = now - timedelta(minutes=lookback)
-        time_range = {"gte": since.isoformat(), "lte": now.isoformat()}
-
-    must = [{"range": {"@timestamp": time_range}}]
-    if namespace:
-        must.append({"match_phrase": {"kubernetes.namespace": namespace}})
-    if container:
-        must.append({"match_phrase": {"kubernetes.container.name": container}})
-
-    body = {
-        "size": max_logs,
-        "sort": [{"@timestamp": {"order": "desc"}}],
-        "query": {
-            "bool": {
-                "must": must,
-                "should": [
-                    {"match_phrase": {"log.level": "error"}},
-                    {"match_phrase": {"log.level": "ERROR"}},
-                    {"match": {"message": "error"}},
-                    {"match": {"message": "exception"}},
-                    {"match": {"message": "traceback"}},
-                    {"match": {"message": "Traceback"}},
-                ],
-                "minimum_should_match": 1,
-            }
-        },
-        "_source": [
-            "@timestamp",
-            "message",
-            "log.level",
-            "kubernetes.pod.name",
-            "kubernetes.container.name",
-        ],
-    }
-
-    url = f"{base_url.rstrip('/')}{KIBANA_PROXY_PATH}"
-    params = {"path": "/filebeat-*/_search", "method": "GET"}
-    # Authorization header is optional here — if ELASTIC_API_KEY env var is set,
-    # use it directly. If absent, the OneCLI HTTPS proxy injects it automatically.
-    headers = {"kbn-xsrf": "true", "Content-Type": "application/json"}
-    if api_key:
-        headers["Authorization"] = f"ApiKey {api_key}"
-
-    resp = requests.post(url, params=params, headers=headers, json=body, timeout=30)
-    resp.raise_for_status()
-    hits = resp.json().get("hits", {}).get("hits", [])
-    return [h["_source"] for h in hits]
-
-
-def format_logs(logs):
-    if not logs:
-        return "No error logs found in the specified time window."
-    lines = []
-    for log in logs:
-        ts = log.get("@timestamp", "?")
-        level = log.get("log.level") or (log.get("log") or {}).get("level", "?")
-        k8s = log.get("kubernetes") or {}
-        pod = (k8s.get("pod") or {}).get("name", "?")
-        ctr = (k8s.get("container") or {}).get("name", "?")
-        msg = log.get("message", "").strip()
-        lines.append(f"[{ts}] [{level}] [{ctr}/{pod}] {msg}")
-    return "\n".join(lines)
-
-
-def main():
-    args = parse_args()
-
-    base_url = os.environ.get("ELASTIC_BASE_URL", "").strip()
-    if not base_url:
-        print("ERROR: ELASTIC_BASE_URL must be set in the environment.", file=sys.stderr)
-        sys.exit(1)
-
-    # api_key is optional — if absent, OneCLI HTTPS proxy injects the Authorization header.
-    api_key = os.environ.get("ELASTIC_API_KEY", "").strip()
-
-    from_ts = resolve_ts(args.from_ts) if args.from_ts else None
-    to_ts = resolve_ts(args.to_ts) if args.to_ts else None
-    max_logs = args.max or int(os.environ.get("ELASTIC_MAX_LOGS", "100"))
-
-    try:
-        logs = query_logs(
-            namespace=args.namespace,
-            container=args.container,
-            from_ts=from_ts,
-            to_ts=to_ts,
-            max_logs=max_logs,
-            base_url=base_url,
-            api_key=api_key,
-        )
-    except Exception as e:
-        print(f"ERROR: Elastic query failed: {e}", file=sys.stderr)
-        sys.exit(1)
-
-    print(format_logs(logs))
-
-
-if __name__ == "__main__":
-    main()

package/template/container/tools/gdrive_tool.py

@@ -1,185 +0,0 @@
-"""
-Standalone Google Drive tool for Argus agents.
-Uses OAuth refresh token — no google-auth library needed, just requests.
-
-Usage:
-  # List files in the standup folder
-  python3 gdrive_tool.py list
-
-  # List only files not yet in processed_transcripts.txt
-  python3 gdrive_tool.py list --new-only
-
-  # Read a Google Doc as plain text
-  python3 gdrive_tool.py read --file-id 1abc123...
-
-  # Mark a file as processed (appends ID to processed_transcripts.txt)
-  python3 gdrive_tool.py mark-processed --file-id 1abc123...
-
-Environment variables (required):
-  GOOGLE_CLIENT_ID
-  GOOGLE_CLIENT_SECRET
-  GOOGLE_REFRESH_TOKEN
-  GOOGLE_DRIVE_STANDUP_FOLDER_ID
-
-Optional:
-  GDRIVE_PROCESSED_FILE   path to processed transcripts list
-                          default: /workspace/group/processed_transcripts.txt
-"""
-
-import argparse
-import json
-import os
-import sys
-
-try:
-    import requests
-except ImportError:
-    print("ERROR: 'requests' is not installed.", file=sys.stderr)
-    sys.exit(1)
-
-TOKEN_URL = "https://oauth2.googleapis.com/token"
-DRIVE_API = "https://www.googleapis.com/drive/v3"
-
-PROCESSED_FILE = os.environ.get(
-    "GDRIVE_PROCESSED_FILE", "/workspace/group/processed_transcripts.txt"
-)
-
-
-def get_access_token():
-    """Get Google access token.
-
-    Uses GOOGLE_ACCESS_TOKEN injected by the NanoClaw host (short-lived, ~1h TTL).
-    The OAuth refresh credentials stay on the host — never in the container.
-    """
-    token = os.environ.get("GOOGLE_ACCESS_TOKEN", "").strip()
-    if not token:
-        print(
-            "ERROR: GOOGLE_ACCESS_TOKEN must be set. "
-            "The NanoClaw host generates this token — check that Google OAuth "
-            "credentials (GOOGLE_CLIENT_ID/SECRET/REFRESH_TOKEN) are in the host .env.",
-            file=sys.stderr,
-        )
-        sys.exit(1)
-    return token
-
-
-def get_folder_id():
-    folder_id = os.environ.get("GOOGLE_DRIVE_STANDUP_FOLDER_ID", "").strip()
-    if not folder_id:
-        print("ERROR: GOOGLE_DRIVE_STANDUP_FOLDER_ID must be set.", file=sys.stderr)
-        sys.exit(1)
-    return folder_id
-
-
-def load_processed():
-    """Return set of already-processed file IDs."""
-    if not os.path.exists(PROCESSED_FILE):
-        return set()
-    with open(PROCESSED_FILE) as f:
-        return set(line.strip() for line in f if line.strip())
-
-
-def mark_processed(file_id):
-    """Append a file ID to the processed list."""
-    processed = load_processed()
-    if file_id not in processed:
-        with open(PROCESSED_FILE, "a") as f:
-            f.write(file_id + "\n")
-        print(f"Marked {file_id} as processed.")
-    else:
-        print(f"{file_id} was already marked as processed.")
-
-
-def cmd_list(args):
-    token = get_access_token()
-    folder_id = get_folder_id()
-
-    resp = requests.get(
-        f"{DRIVE_API}/files",
-        headers={"Authorization": f"Bearer {token}"},
-        params={
-            "q": f"'{folder_id}' in parents and trashed=false",
-            "fields": "files(id,name,createdTime,mimeType)",
-            "orderBy": "createdTime asc",
-            "pageSize": 1000,
-            "supportsAllDrives": True,
-            "includeItemsFromAllDrives": True,
-        },
-        timeout=30,
-    )
-    resp.raise_for_status()
-    files = resp.json().get("files", [])
-
-    if args.new_only:
-        processed = load_processed()
-        files = [f for f in files if f["id"] not in processed]
-
-    if not files:
-        print("No files found." if not args.new_only else "No new files to process.")
-        return
-
-    print(json.dumps(files, indent=2))
-
-
-def cmd_read(args):
-    token = get_access_token()
-
-    # Try exporting as plain text (works for Google Docs)
-    resp = requests.get(
-        f"{DRIVE_API}/files/{args.file_id}/export",
-        headers={"Authorization": f"Bearer {token}"},
-        params={"mimeType": "text/plain"},
-        timeout=60,
-    )
-
-    if resp.status_code == 400:
-        # Not a Google Doc — try downloading directly
-        resp = requests.get(
-            f"{DRIVE_API}/files/{args.file_id}?alt=media",
-            headers={"Authorization": f"Bearer {token}"},
-            timeout=60,
-        )
-
-    resp.raise_for_status()
-    print(resp.text)
-
-
-def cmd_mark_processed(args):
-    mark_processed(args.file_id)
-
-
-def parse_args():
-    p = argparse.ArgumentParser(description="Google Drive tool for Argus agents")
-    sub = p.add_subparsers(dest="command")
-
-    l = sub.add_parser("list", help="List files in the standup folder")
-    l.add_argument("--new-only", action="store_true", help="Only show unprocessed files")
-
-    r = sub.add_parser("read", help="Read a Google Doc as plain text")
-    r.add_argument("--file-id", required=True)
-
-    m = sub.add_parser("mark-processed", help="Mark a file as processed")
-    m.add_argument("--file-id", required=True)
-
-    return p.parse_args()
-
-
-def main():
-    args = parse_args()
-    if not args.command:
-        print("ERROR: specify a command. Use --help for usage.", file=sys.stderr)
-        sys.exit(1)
-    try:
-        {"list": cmd_list, "read": cmd_read, "mark-processed": cmd_mark_processed}[
-            args.command
-        ](args)
-    except requests.HTTPError as e:
-        print(f"ERROR: Google Drive API error: {e}\n{e.response.text}", file=sys.stderr)
-        sys.exit(1)
-    except Exception as e:
-        print(f"ERROR: {e}", file=sys.stderr)
-        sys.exit(1)
-
-
-if __name__ == "__main__":
-    main()