harness-mcp-v2 3.0.2 → 3.0.3

package/README.md

@@ -11,7 +11,7 @@ This server is built differently:
 - **11 tools, 169 resource types.** A registry-based dispatch system routes `harness_list`, `harness_get`, `harness_create`, etc. to any Harness resource — pipelines, services, environments, orgs, projects, feature flags, cost data, and more. The LLM picks from 11 tools instead of hundreds.
 - **Full platform coverage.** 31 toolsets spanning CI/CD, GitOps, Feature Flags, Cloud Cost Management, Security Testing, Chaos Engineering, Database DevOps, Internal Developer Portal, Software Supply Chain, Governance, Service Overrides, Visualizations, and more. Not just pipelines — the entire Harness platform.
 - **Multi-project workflows out of the box.** Agents discover organizations and projects dynamically — no hardcoded env vars needed. Ask "show failed executions across all projects" and the agent can navigate the full account hierarchy.
-- **30 prompt templates.** Pre-built prompts for common workflows: build & deploy apps end-to-end, debug failed pipelines, review DORA metrics, triage vulnerabilities, optimize cloud costs, audit access control, plan feature flag rollouts, review pull requests, approve pending pipelines, and more.
+- **31 prompt templates.** Pre-built prompts for common workflows: build & deploy apps end-to-end, debug failed pipelines, review DORA metrics, triage vulnerabilities, optimize cloud costs, audit access control, plan feature flag rollouts, review pull requests, approve pending pipelines, and more.
 - **Works everywhere.** Stdio transport for local clients (Claude Desktop, Cursor, Windsurf), HTTP transport for remote/shared deployments, Docker and Kubernetes ready.
 - **Zero-config start.** Just provide a Harness API key. Account ID is auto-extracted from PAT tokens, org/project defaults are optional, and toolset filtering lets you expose only what you need.
 - **Extensible by design.** Adding a new Harness resource means adding a declarative data file — no new tool registration, no schema changes, no prompt updates.
@@ -125,6 +125,8 @@ The HTTP transport runs in **session-based mode**. A new MCP session is created
 
 Operational constraints in HTTP mode:
 
+- Set `HARNESS_MCP_AUTH_TOKEN` for any shared or remotely reachable deployment. When set, every `POST`, `GET`, and `DELETE` request to `/mcp` must include `Authorization: Bearer <token>`.
+- Non-loopback binds require `HARNESS_MCP_AUTH_TOKEN` by default. To run unauthenticated on a non-loopback interface anyway, set `HARNESS_MCP_ALLOW_UNAUTHENTICATED_HTTP=true` explicitly.
 - `POST /mcp` without `mcp-session-id` must be an `initialize` request.
 - `POST /mcp`, `GET /mcp`, and `DELETE /mcp` for existing sessions require the `mcp-session-id` header.
 - `GET /mcp` is used for SSE notifications (progress updates and elicitation prompts).
@@ -132,27 +134,48 @@ Operational constraints in HTTP mode:
 - `GET /health` is the only non-MCP endpoint.
 - Request body size is capped by `HARNESS_MAX_BODY_SIZE_MB` (default `10` MB).
 - Set `x-harness-pipeline-version: 0` or `1` on the `initialize` request to select V0 or V1 pipeline resources for that HTTP session.
+- Set `x-harness-auto-approve-risk: none|low_write|medium_write|high_write|all` on the `initialize` request to choose a stricter per-session auto-approval threshold. The server caps this value at the deployment-level `HARNESS_AUTO_APPROVE_RISK`, so a session can reduce but not expand the configured approval ceiling.
+
+#### Multi-User Mode
+
+Set `HARNESS_MCP_MODE=multi-user` for shared HTTP deployments where each client authenticates as a different Harness user. In this mode:
+
+- `HARNESS_API_KEY` must **not** be set in the server config — the server holds no Harness credentials.
+- Each session must provide `x-harness-api-key` and `x-harness-account-id` headers on the `initialize` request. Sessions without these headers are rejected with a 401.
+- Sessions may also provide `x-harness-org` and `x-harness-project` headers to set default scope for that session.
+- The Harness API key flows through to every Harness API call for that session, so the audit trail in Harness reflects the real user.
+- `HARNESS_MCP_AUTH_TOKEN` is independent and can still be used as an additional transport-layer gate.
 
 ```bash
 # Health check
 curl http://localhost:3000/health
 
 # MCP initialize request (capture mcp-session-id response header)
+# In multi-user mode, x-harness-api-key and x-harness-account-id are required on initialize.
 curl -i -X POST http://localhost:3000/mcp \
   -H "Content-Type: application/json" \
+  -H "Accept: application/json, text/event-stream" \
+  -H "Authorization: Bearer $HARNESS_MCP_AUTH_TOKEN" \
+  -H "x-harness-api-key: $HARNESS_API_KEY" \
+  -H "x-harness-account-id: $HARNESS_ACCOUNT_ID" \
   -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}'
 
 # Subsequent MCP request (use returned session ID)
 curl -X POST http://localhost:3000/mcp \
   -H "Content-Type: application/json" \
+  -H "Accept: application/json, text/event-stream" \
+  -H "Authorization: Bearer $HARNESS_MCP_AUTH_TOKEN" \
   -H "mcp-session-id: <session-id>" \
   -d '{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}'
 
 # Terminate session
 curl -X DELETE http://localhost:3000/mcp \
+  -H "Authorization: Bearer $HARNESS_MCP_AUTH_TOKEN" \
   -H "mcp-session-id: <session-id>"
 ```
 
+`HARNESS_MCP_ALLOWED_HOSTS` controls Host-header validation for DNS-rebinding protection, and CORS limits browser origins. Neither is authentication; use `HARNESS_MCP_AUTH_TOKEN` or an authenticated gateway/reverse proxy for access control.
+
 ### Client Configuration
 
 > **Note:** `HARNESS_ORG` and `HARNESS_PROJECT` are optional. They set the org ID and project ID used when not specified per tool call. Agents can discover orgs and projects dynamically using `harness_list(resource_type="organization")` and `harness_list(resource_type="project")`. The deprecated names `HARNESS_DEFAULT_ORG_ID` and `HARNESS_DEFAULT_PROJECT_ID` are still accepted for backward compatibility.
@@ -494,8 +517,9 @@ The server automatically loads environment variables from a `.env` file in the p
 
 | Variable                    | Required | Default                     | Description                                                                                                                                                                                                                                           |
 | --------------------------- | -------- | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `HARNESS_API_KEY`           | Yes      | --                          | Harness personal access token or service account token                                                                                                                                                                                                |
-| `HARNESS_ACCOUNT_ID`        | No       | *(from PAT)*                | Harness account identifier. Auto-extracted from PAT tokens; only needed for non-PAT API keys                                                                                                                                                          |
+| `HARNESS_MCP_MODE`          | No       | `single-user`               | Deployment mode: `single-user` (API key in config, used for all sessions) or `multi-user` (HTTP only, per-session credentials via `x-harness-api-key` and `x-harness-account-id` headers)                                                            |
+| `HARNESS_API_KEY`           | Yes*     | --                          | Harness personal access token or service account token. Required in `single-user` mode. Must NOT be set in `multi-user` mode                                                                                                                          |
+| `HARNESS_ACCOUNT_ID`        | No       | *(from PAT)*                | Harness account identifier. Auto-extracted from PAT tokens in single-user mode; sessions provide their own via `x-harness-account-id` in multi-user mode                                                                                              |
 | `HARNESS_BASE_URL`          | No       | `https://app.harness.io`    | Harness API/UI base URL for local stdio or self-hosted HTTP deployments. Set this to environments such as `https://harness0.harness.io` when running the server yourself. It does not affect the managed `https://mcp.harness.io/mcp` hosted endpoint |
 | `HARNESS_ORG`               | No       | --                          | Organization ID. Used when `org_id` is not specified per tool call. If omitted, `org_id` must be provided explicitly. Agents can also discover orgs dynamically via `harness_list(resource_type="organization")`                                      |
 | `HARNESS_PROJECT`           | No       | --                          | Project ID. Used when `project_id` is not specified per tool call. Agents can also discover projects dynamically via `harness_list(resource_type="project")`                                                                                          |
@@ -511,6 +535,8 @@ The server automatically loads environment variables from a `.env` file in the p
 | `HARNESS_ALLOW_HTTP`        | No       | `false`                     | Allow non-HTTPS `HARNESS_BASE_URL`. By default, the server enforces HTTPS for security. Set to `true` only for local development against a non-TLS Harness instance                                                                                   |
 | `HARNESS_PIPELINE_VERSION`  | No       | `0`                         | **(Alpha)** Pipeline YAML version. `0` loads the `pipeline` resource type and excludes `pipeline_v1`; `1` loads `pipeline_v1` and excludes `pipeline`. HTTP sessions can override this at initialize time with `x-harness-pipeline-version: 0` or `1` |
 | `HARNESS_MCP_ALLOWED_HOSTS` | No       | --                          | Comma-separated hostnames allowed by HTTP transport Host-header validation. `mcp.harness.io` is allowed by default for localhost binds; add proxy/custom domains here                                                                                 |
+| `HARNESS_MCP_AUTH_TOKEN`    | No       | --                          | Bearer token required on `/mcp` HTTP routes when set. Required by default when HTTP transport binds to a non-loopback host                                                                                                                             |
+| `HARNESS_MCP_ALLOW_UNAUTHENTICATED_HTTP` | No | `false`         | Explicitly allow unauthenticated HTTP transport on non-loopback binds. Use only behind another authenticated control                                                                                                                                    |
 | `HARNESS_MCP_LOG_FILE`      | No       | `~/.claude/harness-mcp.log` | File used for stdio disconnect/crash diagnostics when stderr may no longer be available                                                                                                                                                               |
 
 
@@ -732,6 +758,17 @@ Use this sequence to reduce execution-time input errors:
   - **Constraint:** shorthand expansion is skipped when `inputs.build` is already present (explicit `build` wins).
 3. **Execute the run**
   - `harness_execute(resource_type="pipeline", action="run", resource_id="<pipeline_id>", ...)`
+  - For Git-backed pipelines whose YAML should be loaded from a non-default branch, pass `params.pipeline_branch` (sent to Harness as `pipelineBranchName`):
+
+    ```json
+    {
+      "resource_type": "pipeline",
+      "action": "run",
+      "resource_id": "deploy_app",
+      "params": { "pipeline_branch": "feature/new-stage" },
+      "inputs": { "branch": "main" }
+    }
+    ```
 4. **Optional: combine both**
   - Use `input_set_ids` for the base shape and `inputs` for simple overrides.
 
@@ -1064,12 +1101,14 @@ Only one pipeline YAML resource type is loaded at startup. By default `HARNESS_P
 | -------------- | ---- | --- | ------ | ------ | ------ | -------------------- |
 | `repository`   | x    | x   | x      | x      |        |                      |
 | `branch`       | x    | x   | x      |        | x      |                      |
-| `commit`       | x    | x   |        |        |        | `diff`, `diff_stats` |
+| `commit`       | x    | x   | x      |        |        | `diff`, `diff_stats` |
 | `file_content` |      | x   |        |        |        | `blame`              |
 | `tag`          | x    |     | x      |        | x      |                      |
 | `repo_rule`    | x    | x   |        |        |        |                      |
 | `space_rule`   | x    | x   |        |        |        |                      |
 
+`commit` creation commits one or more file actions directly through the Harness Code API without cloning. Pass `body.title`, `body.branch`, and `body.actions`; each action is `CREATE`, `UPDATE`, `DELETE`, or `MOVE`, and `UPDATE` requires the current blob SHA.
+
 
 ### Artifact Registries
 
@@ -1089,6 +1128,8 @@ Only one pipeline YAML resource type is loaded at startup. By default `HARNESS_P
 | ------------- | ---- | --- | ------ | ------ | ------ | --------------- |
 | `template`    | x    | x   | x      | x      | x      |                 |
 
+Template operations use the Harness Template service paths (`/template/api/templates...`). Create and update require the full template YAML string in `body.template_yaml` or `body.yaml`; `version_label` targets a specific version for update/delete, while deleting without `version_label` deletes all versions.
+
 
 ### Dashboards
 
@@ -1130,12 +1171,14 @@ Only one pipeline YAML resource type is loaded at startup. By default `HARNESS_P
 
 | Resource Type  | List | Get | Create | Update | Delete | Execute Actions |
 | -------------- | ---- | --- | ------ | ------ | ------ | --------------- |
-| `pull_request` | x    | x   | x      | x      |        | `merge`         |
+| `pull_request` | x    | x   | x      | x      |        | `close`, `merge` |
 | `pr_reviewer`  | x    |     | x      |        |        | `submit_review` |
 | `pr_comment`   | x    |     | x      |        |        |                 |
 | `pr_check`     | x    |     |        |        |        |                 |
 | `pr_activity`  | x    |     |        |        |        |                 |
 
+Use `harness_execute(resource_type="pull_request", action="close", ...)` for an explicit close operation. `harness_update` also accepts `body.state` (`open` or `closed`) and routes state changes to the dedicated Harness Code PR state endpoint; send title/description edits in a separate update call.
+
 
 ### Feature Flags
 
@@ -1258,7 +1301,9 @@ SEI resources are consolidated for token efficiency. Use `metric` or `aspect` pa
 | ----------------------- | ---- | --- | ------ | ------ | ------ | ------------------------------ |
 | `security_issue`        | x    |     |        |        |        |                                |
 | `security_issue_filter` | x    |     |        |        |        |                                |
-| `security_exemption`    | x    |     |        |        |        | `approve`, `reject`, `promote` |
+| `security_exemption`    | x    |     | x      |        |        | `approve`, `reject`, `promote` |
+
+`security_exemption` create is a `high_write` operation. The server derives `requester_id` from the authenticated PAT, sets `exemptFutureOccurrences=true`, and defaults `duration_days` to 30 when not provided. For listing exemptions, pass a small explicit page size (for example `filters: { "status": "Pending", "size": 5 }`) and follow the `_nextPageHint` returned in each response.
 
 
 ### Access Control
@@ -1370,6 +1415,7 @@ Inline PNG chart visualizations rendered from Harness data. These are metadata-o
 | `sbom-compliance-check`     | Audit SBOM and compliance posture for artifacts — license risks, policy violations, component vulnerabilities | `artifactId` (optional), `projectId` (optional)                         |
 | `supply-chain-audit`        | End-to-end software supply chain security audit — provenance, chain of custody, policy compliance             | `projectId` (optional)                                                  |
 | `security-exemption-review` | Review pending security exemptions and make batch approval or rejection decisions                             | `projectId` (optional)                                                  |
+| `bulk-exemption-create`     | Create justified security exemptions for multiple STO issues with explicit scope and duration guidance        | `projectId` (required), `exemption_type` (required), `reason` (required), issue filters (optional) |
 | `access-control-audit`      | Audit user permissions, over-privileged accounts, and role assignments to enforce least-privilege             | `projectId` (optional), `orgId` (optional)                              |
 
 
@@ -1694,18 +1740,16 @@ Elicitation behavior varies by operation risk when client support is missing:
 
 If elicitation fails at runtime, operations at `medium_write` or above are blocked.
 
-### Auto-Approve for Autonomous Workflows
+### Autonomous Mode
 
-For CI/CD bots, headless agents, or batch automation, use `HARNESS_AUTO_APPROVE_RISK` to auto-approve operations up to a given risk level:
+**Autonomous mode** means the server proceeds with all operations — including writes and destructive actions — without prompting for confirmation. Enable it by setting:
 
 ```bash
-# Auto-approve everything (equivalent to old HARNESS_SKIP_ELICITATION=true)
 HARNESS_AUTO_APPROVE_RISK=all
-
-# Auto-approve only low-risk writes, still prompt for medium+
-HARNESS_AUTO_APPROVE_RISK=low_write
 ```
 
+This is the deployment-level ceiling: once set, individual sessions cannot escalate beyond it (though they can choose a stricter threshold per-session via the `x-harness-auto-approve-risk` header).
+
 Or in your MCP client config:
 
 ```json
@@ -1723,9 +1767,27 @@ Or in your MCP client config:
 }
 ```
 
-> **Migration note:** `HARNESS_SKIP_ELICITATION=true` is still supported and maps to `HARNESS_AUTO_APPROVE_RISK=all`. A deprecation warning is logged to stderr. If both are set, `HARNESS_AUTO_APPROVE_RISK` takes precedence.
+**Partial autonomy:** You can also auto-approve only up to a specific risk level while still prompting for higher-risk operations:
+
+```bash
+# Auto-approve reads and low-risk writes; prompt for medium_write, high_write, destructive
+HARNESS_AUTO_APPROVE_RISK=low_write
 
-When set to `all`, **all** write and delete operations proceed without user confirmation — including destructive operations like `harness_delete`. Use with caution and consider pairing with `HARNESS_TOOLSETS` to restrict which resource types are available.
+# Auto-approve up to high-risk writes; only prompt for destructive operations
+HARNESS_AUTO_APPROVE_RISK=high_write
+```
+
+| Value | What's auto-approved |
+|---|---|
+| `none` (default) | Nothing — no auto-approval threshold |
+| `low_write` | Reads + low-risk writes |
+| `medium_write` | Reads + low + medium-risk writes |
+| `high_write` | Reads + low + medium + high-risk writes |
+| `all` | Everything, including destructive operations |
+
+> **Autonomous mode warning:** `HARNESS_AUTO_APPROVE_RISK=all` skips confirmation for **all** operations including `harness_delete`. Use with caution and consider pairing with `HARNESS_TOOLSETS` to restrict which resource types are available.
+
+> **Migration note:** `HARNESS_SKIP_ELICITATION=true` is still supported and maps to `HARNESS_AUTO_APPROVE_RISK=all`. A deprecation warning is logged to stderr. If both are set, `HARNESS_AUTO_APPROVE_RISK` takes precedence.
 
 ## Safety
 
@@ -1761,6 +1823,8 @@ The Harness MCP server pairs well with **[Harness Skills](https://github.com/har
 | `Read-only mode is enabled ... operations are not allowed`                       | `HARNESS_READ_ONLY=true` blocks create/update/delete/execute                                         | Set `HARNESS_READ_ONLY=false` if write operations are intended                                                                       |
 | Pipeline run fails pre-flight with unresolved required inputs                    | Provided `inputs` did not cover required runtime placeholders                                        | Fetch `runtime_input_template`, supply missing simple keys, or use `input_set_ids` for structural inputs                             |
 | Pipeline CI shorthand (`branch`, `tag`, `pr_number`, `commit_sha`) did not apply | `inputs.build` was already provided, so shorthand expansion was intentionally skipped                | Remove `inputs.build` to use shorthand expansion, or keep full explicit `build` structure                                            |
+| Pipeline run loaded the wrong YAML revision                                     | The pipeline definition is stored in Git and the run did not specify the desired pipeline branch      | Pass `params.pipeline_branch` on the `run` action; this maps to Harness `pipelineBranchName`                                         |
+| Execution logs are empty or blob downloads return 403                           | Harness-hosted log blob URLs require the configured Harness client/auth path, especially for internal or self-managed hosts | Keep `HARNESS_BASE_URL` pointed at the target Harness host and use `harness_get(resource_type="execution_log", ...)` or `harness_diagnose(..., include_logs=true)` rather than bypassing the MCP client |
 | `Operation declined by user`                                                     | User declined the elicitation confirmation dialog                                                    | The user chose not to proceed — verify the operation details and retry if intended                                                   |
 | `body.template_yaml (or body.yaml) is required` for template create/update       | Template APIs expect full YAML payload                                                               | Provide full `template_yaml` string in `body`; for deletes, pass `version_label` to delete one version (omit to delete all versions) |
 | `HARNESS_BASE_URL must use HTTPS` on startup                                     | `HARNESS_BASE_URL` is set to an HTTP URL                                                             | Use HTTPS, or set `HARNESS_ALLOW_HTTP=true` for local development                                                                    |

package/build/config.d.ts

@@ -6,7 +6,11 @@ import * as z from "zod/v4";
  */
 export declare function extractAccountIdFromToken(apiKey: string): string | undefined;
 export declare const ConfigSchema: z.ZodPipe<z.ZodObject<{
-    HARNESS_API_KEY: z.ZodString;
+    HARNESS_MCP_MODE: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodDefault<z.ZodEnum<{
+        "single-user": "single-user";
+        "multi-user": "multi-user";
+    }>>>;
+    HARNESS_API_KEY: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodOptional<z.ZodString>>;
     HARNESS_ACCOUNT_ID: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodOptional<z.ZodString>>;
     HARNESS_BASE_URL: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodDefault<z.ZodString>>;
     HARNESS_ORG: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodOptional<z.ZodString>>;
@@ -16,10 +20,10 @@ export declare const ConfigSchema: z.ZodPipe<z.ZodObject<{
     HARNESS_API_TIMEOUT_MS: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
     HARNESS_MAX_RETRIES: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
     LOG_LEVEL: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodDefault<z.ZodEnum<{
-        error: "error";
         debug: "debug";
         info: "info";
         warn: "warn";
+        error: "error";
     }>>>;
     HARNESS_TOOLSETS: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodOptional<z.ZodString>>;
     HARNESS_MAX_BODY_SIZE_MB: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
@@ -35,6 +39,8 @@ export declare const ConfigSchema: z.ZodPipe<z.ZodObject<{
     }>>>;
     HARNESS_ALLOW_HTTP: z.ZodDefault<z.ZodPipe<z.ZodUnion<readonly [z.ZodBoolean, z.ZodString, z.ZodUndefined]>, z.ZodTransform<boolean, string | boolean | undefined>>>;
     HARNESS_MCP_ALLOWED_HOSTS: z.ZodPipe<z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodOptional<z.ZodString>>, z.ZodTransform<string | undefined, string | undefined>>;
+    HARNESS_MCP_AUTH_TOKEN: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodOptional<z.ZodString>>;
+    HARNESS_MCP_ALLOW_UNAUTHENTICATED_HTTP: z.ZodDefault<z.ZodPipe<z.ZodUnion<readonly [z.ZodBoolean, z.ZodString, z.ZodUndefined]>, z.ZodTransform<boolean, string | boolean | undefined>>>;
     HARNESS_FME_BASE_URL: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodDefault<z.ZodString>>;
     HARNESS_LOG_UNSAFE_BODIES: z.ZodDefault<z.ZodPipe<z.ZodUnion<readonly [z.ZodBoolean, z.ZodString, z.ZodUndefined]>, z.ZodTransform<boolean, string | boolean | undefined>>>;
     HARNESS_PIPELINE_VERSION: z.ZodOptional<z.ZodEnum<{
@@ -47,46 +53,51 @@ export declare const ConfigSchema: z.ZodPipe<z.ZodObject<{
     HARNESS_AUDIT_WEBHOOK_BATCH_SIZE: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodDefault<z.ZodCoercedNumber<unknown>>>;
     HARNESS_AUDIT_WEBHOOK_FLUSH_MS: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodDefault<z.ZodCoercedNumber<unknown>>>;
 }, z.core.$strip>, z.ZodTransform<{
+    HARNESS_API_KEY: string;
     HARNESS_ACCOUNT_ID: string;
     HARNESS_ORG: string | undefined;
     HARNESS_PROJECT: string | undefined;
     HARNESS_AUTO_APPROVE_RISK: "none" | "low_write" | "medium_write" | "high_write" | "all";
-    HARNESS_API_KEY: string;
+    HARNESS_MCP_MODE: "single-user" | "multi-user";
     HARNESS_BASE_URL: string;
     HARNESS_API_TIMEOUT_MS: number;
     HARNESS_MAX_RETRIES: number;
-    LOG_LEVEL: "error" | "debug" | "info" | "warn";
+    LOG_LEVEL: "debug" | "info" | "warn" | "error";
     HARNESS_MAX_BODY_SIZE_MB: number;
     HARNESS_RATE_LIMIT_RPS: number;
     HARNESS_READ_ONLY: boolean;
     HARNESS_SKIP_ELICITATION: boolean;
     HARNESS_ALLOW_HTTP: boolean;
     HARNESS_MCP_ALLOWED_HOSTS: string | undefined;
+    HARNESS_MCP_ALLOW_UNAUTHENTICATED_HTTP: boolean;
     HARNESS_FME_BASE_URL: string;
     HARNESS_LOG_UNSAFE_BODIES: boolean;
     HARNESS_AUDIT_WEBHOOK_BATCH_SIZE: number;
     HARNESS_AUDIT_WEBHOOK_FLUSH_MS: number;
     HARNESS_TOOLSETS?: string | undefined;
+    HARNESS_MCP_AUTH_TOKEN?: string | undefined;
     HARNESS_PIPELINE_VERSION?: "1" | "0" | undefined;
     HARNESS_AUDIT_FILE?: string | undefined;
     HARNESS_AUDIT_WEBHOOK_URL?: string | undefined;
     HARNESS_AUDIT_WEBHOOK_TOKEN?: string | undefined;
 }, {
-    HARNESS_API_KEY: string;
+    HARNESS_MCP_MODE: "single-user" | "multi-user";
     HARNESS_BASE_URL: string;
     HARNESS_API_TIMEOUT_MS: number;
     HARNESS_MAX_RETRIES: number;
-    LOG_LEVEL: "error" | "debug" | "info" | "warn";
+    LOG_LEVEL: "debug" | "info" | "warn" | "error";
     HARNESS_MAX_BODY_SIZE_MB: number;
     HARNESS_RATE_LIMIT_RPS: number;
     HARNESS_READ_ONLY: boolean;
     HARNESS_SKIP_ELICITATION: boolean;
     HARNESS_ALLOW_HTTP: boolean;
     HARNESS_MCP_ALLOWED_HOSTS: string | undefined;
+    HARNESS_MCP_ALLOW_UNAUTHENTICATED_HTTP: boolean;
     HARNESS_FME_BASE_URL: string;
     HARNESS_LOG_UNSAFE_BODIES: boolean;
     HARNESS_AUDIT_WEBHOOK_BATCH_SIZE: number;
     HARNESS_AUDIT_WEBHOOK_FLUSH_MS: number;
+    HARNESS_API_KEY?: string | undefined;
     HARNESS_ACCOUNT_ID?: string | undefined;
     HARNESS_ORG?: string | undefined;
     HARNESS_PROJECT?: string | undefined;
@@ -94,6 +105,7 @@ export declare const ConfigSchema: z.ZodPipe<z.ZodObject<{
     HARNESS_DEFAULT_PROJECT_ID?: string | undefined;
     HARNESS_TOOLSETS?: string | undefined;
     HARNESS_AUTO_APPROVE_RISK?: "none" | "low_write" | "medium_write" | "high_write" | "all" | undefined;
+    HARNESS_MCP_AUTH_TOKEN?: string | undefined;
     HARNESS_PIPELINE_VERSION?: "1" | "0" | undefined;
     HARNESS_AUDIT_FILE?: string | undefined;
     HARNESS_AUDIT_WEBHOOK_URL?: string | undefined;

package/build/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,QAAQ,CAAC;AAuC5B;;;;GAIG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAO5E;AAuCD,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDvB,CAAC;AAEH,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAElD;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,GAAG,KAAK,GAAG,MAAM,GAAG,SAAS,CAGpG;AAED,wBAAgB,UAAU,IAAI,MAAM,CAQnC"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,QAAQ,CAAC;AAuC5B;;;;GAIG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAO5E;AA6CD,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyEvB,CAAC;AAEH,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAElD;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,GAAG,KAAK,GAAG,MAAM,GAAG,SAAS,CAGpG;AAED,wBAAgB,UAAU,IAAI,MAAM,CAQnC"}

package/build/config.js

@@ -45,7 +45,8 @@ export function extractAccountIdFromToken(apiKey) {
     return undefined;
 }
 const RawConfigSchema = z.object({
-    HARNESS_API_KEY: z.string().min(1, "HARNESS_API_KEY is required"),
+    HARNESS_MCP_MODE: z.preprocess(emptyStringAsUndefined, z.enum(["single-user", "multi-user"]).default("single-user")),
+    HARNESS_API_KEY: optionalStringFromEnv,
     HARNESS_ACCOUNT_ID: optionalStringFromEnv,
     HARNESS_BASE_URL: urlFromEnv("https://app.harness.io"),
     // New names (preferred)
@@ -65,6 +66,8 @@ const RawConfigSchema = z.object({
     HARNESS_AUTO_APPROVE_RISK: z.preprocess(emptyStringAsUndefined, z.enum(["none", "low_write", "medium_write", "high_write", "all"]).optional()),
     HARNESS_ALLOW_HTTP: booleanFromEnv.default(false),
     HARNESS_MCP_ALLOWED_HOSTS: optionalStringFromEnv.transform(validateAllowedHosts),
+    HARNESS_MCP_AUTH_TOKEN: optionalStringFromEnv,
+    HARNESS_MCP_ALLOW_UNAUTHENTICATED_HTTP: booleanFromEnv.default(false),
     HARNESS_FME_BASE_URL: urlFromEnv("https://api.split.io"),
     HARNESS_LOG_UNSAFE_BODIES: booleanFromEnv.default(false),
     HARNESS_PIPELINE_VERSION: z.enum(["0", "1"]).optional(),
@@ -75,9 +78,23 @@ const RawConfigSchema = z.object({
     HARNESS_AUDIT_WEBHOOK_FLUSH_MS: z.preprocess(emptyStringAsUndefined, z.coerce.number().min(1).default(5000)),
 });
 export const ConfigSchema = RawConfigSchema.transform((data) => {
-    const accountId = data.HARNESS_ACCOUNT_ID ?? extractAccountIdFromToken(data.HARNESS_API_KEY);
-    if (!accountId) {
-        throw new Error("HARNESS_ACCOUNT_ID is required when the API key is not a PAT (pat.<accountId>.<tokenId>.<secret>)");
+    const isMultiUser = data.HARNESS_MCP_MODE === "multi-user";
+    if (isMultiUser && data.HARNESS_API_KEY) {
+        throw new Error("HARNESS_API_KEY must not be set in multi-user mode. " +
+            "Each session must provide its own API key via the x-harness-api-key header.");
+    }
+    if (!isMultiUser && !data.HARNESS_API_KEY) {
+        throw new Error("HARNESS_API_KEY is required in single-user mode.");
+    }
+    let accountId;
+    if (isMultiUser) {
+        accountId = data.HARNESS_ACCOUNT_ID ?? "";
+    }
+    else {
+        accountId = data.HARNESS_ACCOUNT_ID ?? extractAccountIdFromToken(data.HARNESS_API_KEY);
+        if (!accountId) {
+            throw new Error("HARNESS_ACCOUNT_ID is required when the API key is not a PAT (pat.<accountId>.<tokenId>.<secret>)");
+        }
     }
     if (!data.HARNESS_BASE_URL.startsWith("https://") && !data.HARNESS_ALLOW_HTTP) {
         throw new Error(`HARNESS_BASE_URL must use HTTPS (got "${data.HARNESS_BASE_URL}"). ` +
@@ -109,7 +126,7 @@ export const ConfigSchema = RawConfigSchema.transform((data) => {
     }
     // Remove deprecated keys from output, expose only the canonical names
     const { HARNESS_DEFAULT_ORG_ID: _oldOrg, HARNESS_DEFAULT_PROJECT_ID: _oldProject, ...rest } = data;
-    return { ...rest, HARNESS_ACCOUNT_ID: accountId, HARNESS_ORG, HARNESS_PROJECT, HARNESS_AUTO_APPROVE_RISK };
+    return { ...rest, HARNESS_API_KEY: data.HARNESS_API_KEY ?? "", HARNESS_ACCOUNT_ID: accountId, HARNESS_ORG, HARNESS_PROJECT, HARNESS_AUTO_APPROVE_RISK };
 });
 /**
  * Resolve the base URL for a given product backend.

package/build/config.js.map

@@ -1 +1 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,wBAAwB,EAAE,MAAM,uBAAuB,CAAC;AAEjE;;;;GAIG;AACH,MAAM,cAAc,GAAG,CAAC;KACrB,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;KAC/C,SAAS,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;AAEnG,MAAM,sBAAsB,GAAG,CAAC,GAAY,EAAW,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC;AACvF,MAAM,qBAAqB,GAAG,CAAC,CAAC,UAAU,CAAC,sBAAsB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC;AAC1F,MAAM,UAAU,GAAG,CAAC,YAAoB,EAAE,EAAE,CAC1C,CAAC,CAAC,UAAU,CAAC,sBAAsB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC;AAE/E,SAAS,oBAAoB,CAAC,QAA4B;IACxD,IAAI,QAAQ,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAE7C,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QACxC,MAAM,QAAQ,GAAG,wBAAwB,CAAC,KAAK,CAAC,CAAC;QACjD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QAClC,CAAC;aAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,WAAW,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvE,MAAM,IAAI,KAAK,CAAC,8CAA8C,WAAW,EAAE,CAAC,CAAC;IAC/E,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,yBAAyB,CAAC,MAAc;IACtD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC3B,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,KAAK,IAAI,SAAS,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjF,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,6BAA6B,CAAC;IACjE,kBAAkB,EAAE,qBAAqB;IACzC,gBAAgB,EAAE,UAAU,CAAC,wBAAwB,CAAC;IACtD,wBAAwB;IACxB,WAAW,EAAE,qBAAqB;IAClC,eAAe,EAAE,qBAAqB;IACtC,qCAAqC;IACrC,sBAAsB,EAAE,qBAAqB;IAC7C,0BAA0B,EAAE,qBAAqB;IACjD,sBAAsB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACxD,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACjD,SAAS,EAAE,CAAC,CAAC,UAAU,CACrB,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,EACvC,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAC3D;IACD,gBAAgB,EAAE,qBAAqB;IACvC,wBAAwB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IACvD,sBAAsB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IACrD,iBAAiB,EAAE,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC;IAChD,wBAAwB,EAAE,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC;IACvD,yBAAyB,EAAE,CAAC,CAAC,UAAU,CACrC,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE,CAC9E;IACD,kBAAkB,EAAE,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC;IACjD,yBAAyB,EAAE,qBAAqB,CAAC,SAAS,CAAC,oBAAoB,CAAC;IAChF,oBAAoB,EAAE,UAAU,CAAC,sBAAsB,CAAC;IACxD,yBAAyB,EAAE,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC;IACxD,wBAAwB,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE;IACvD,kBAAkB,EAAE,qBAAqB;IACzC,yBAAyB,EAAE,CAAC,CAAC,UAAU,CAAC,sBAAsB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IAC5F,2BAA2B,EAAE,qBAAqB;IAClD,gCAAgC,EAAE,CAAC,CAAC,UAAU,CAAC,sBAAsB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC5G,8BAA8B,EAAE,CAAC,CAAC,UAAU,CAAC,sBAAsB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7G,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,YAAY,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC,IAAI,EAAE,EAAE;IAC7D,MAAM,SAAS,GAAG,IAAI,CAAC,kBAAkB,IAAI,yBAAyB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC7F,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,mGAAmG,CACpG,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC9E,MAAM,IAAI,KAAK,CACb,yCAAyC,IAAI,CAAC,gBAAgB,MAAM;YACpE,sEAAsE,CACvE,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,oBAAoB,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC/G,MAAM,IAAI,KAAK,CACb,6CAA6C,IAAI,CAAC,oBAAoB,MAAM;YAC5E,sEAAsE,CACvE,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,yBAAyB,IAAI,CAAC,IAAI,CAAC,yBAAyB,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACzH,MAAM,IAAI,KAAK,CACb,kDAAkD,IAAI,CAAC,yBAAyB,MAAM;YACtF,sEAAsE,CACvE,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,sBAAsB,EAAE,CAAC;QACrD,OAAO,CAAC,KAAK,CAAC,8EAA8E,CAAC,CAAC;IAChG,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,IAAI,CAAC,0BAA0B,EAAE,CAAC;QAC7D,OAAO,CAAC,KAAK,CAAC,sFAAsF,CAAC,CAAC;IACxG,CAAC;IACD,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,sBAAsB,CAAC;IACpE,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,IAAI,IAAI,CAAC,0BAA0B,CAAC;IAEhF,uFAAuF;IACvF,IAAI,yBAAyB,GAAG,IAAI,CAAC,yBAAyB,IAAI,MAAM,CAAC;IACzE,IAAI,CAAC,IAAI,CAAC,yBAAyB,IAAI,IAAI,CAAC,wBAAwB,EAAE,CAAC;QACrE,OAAO,CAAC,KAAK,CACX,gGAAgG;YAChG,iFAAiF,CAClF,CAAC;QACF,yBAAyB,GAAG,KAAK,CAAC;IACpC,CAAC;IAED,sEAAsE;IACtE,MAAM,EAAE,sBAAsB,EAAE,OAAO,EAAE,0BAA0B,EAAE,WAAW,EAAE,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC;IAEnG,OAAO,EAAE,GAAG,IAAI,EAAE,kBAAkB,EAAE,SAAS,EAAE,WAAW,EAAE,eAAe,EAAE,yBAAyB,EAAE,CAAC;AAC7G,CAAC,CAAC,CAAC;AAIH;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAc,EAAE,OAA0B;IAC9E,IAAI,OAAO,KAAK,KAAK;QAAE,OAAO,MAAM,CAAC,oBAAoB,CAAC;IAC1D,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,UAAU;IACxB,MAAM,MAAM,GAAG,YAAY,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChG,MAAM,IAAI,KAAK,CAAC,2BAA2B,MAAM,EAAE,CAAC,CAAC;IACvD,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC"}
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,wBAAwB,EAAE,MAAM,uBAAuB,CAAC;AAEjE;;;;GAIG;AACH,MAAM,cAAc,GAAG,CAAC;KACrB,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;KAC/C,SAAS,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;AAEnG,MAAM,sBAAsB,GAAG,CAAC,GAAY,EAAW,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC;AACvF,MAAM,qBAAqB,GAAG,CAAC,CAAC,UAAU,CAAC,sBAAsB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC;AAC1F,MAAM,UAAU,GAAG,CAAC,YAAoB,EAAE,EAAE,CAC1C,CAAC,CAAC,UAAU,CAAC,sBAAsB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC;AAE/E,SAAS,oBAAoB,CAAC,QAA4B;IACxD,IAAI,QAAQ,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAE7C,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QACxC,MAAM,QAAQ,GAAG,wBAAwB,CAAC,KAAK,CAAC,CAAC;QACjD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QAClC,CAAC;aAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,WAAW,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvE,MAAM,IAAI,KAAK,CAAC,8CAA8C,WAAW,EAAE,CAAC,CAAC;IAC/E,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,yBAAyB,CAAC,MAAc;IACtD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC3B,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,KAAK,IAAI,SAAS,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjF,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,gBAAgB,EAAE,CAAC,CAAC,UAAU,CAC5B,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAC7D;IACD,eAAe,EAAE,qBAAqB;IACtC,kBAAkB,EAAE,qBAAqB;IACzC,gBAAgB,EAAE,UAAU,CAAC,wBAAwB,CAAC;IACtD,wBAAwB;IACxB,WAAW,EAAE,qBAAqB;IAClC,eAAe,EAAE,qBAAqB;IACtC,qCAAqC;IACrC,sBAAsB,EAAE,qBAAqB;IAC7C,0BAA0B,EAAE,qBAAqB;IACjD,sBAAsB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACxD,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACjD,SAAS,EAAE,CAAC,CAAC,UAAU,CACrB,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,EACvC,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAC3D;IACD,gBAAgB,EAAE,qBAAqB;IACvC,wBAAwB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IACvD,sBAAsB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IACrD,iBAAiB,EAAE,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC;IAChD,wBAAwB,EAAE,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC;IACvD,yBAAyB,EAAE,CAAC,CAAC,UAAU,CACrC,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE,CAC9E;IACD,kBAAkB,EAAE,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC;IACjD,yBAAyB,EAAE,qBAAqB,CAAC,SAAS,CAAC,oBAAoB,CAAC;IAChF,sBAAsB,EAAE,qBAAqB;IAC7C,sCAAsC,EAAE,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC;IACrE,oBAAoB,EAAE,UAAU,CAAC,sBAAsB,CAAC;IACxD,yBAAyB,EAAE,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC;IACxD,wBAAwB,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE;IACvD,kBAAkB,EAAE,qBAAqB;IACzC,yBAAyB,EAAE,CAAC,CAAC,UAAU,CAAC,sBAAsB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IAC5F,2BAA2B,EAAE,qBAAqB;IAClD,gCAAgC,EAAE,CAAC,CAAC,UAAU,CAAC,sBAAsB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC5G,8BAA8B,EAAE,CAAC,CAAC,UAAU,CAAC,sBAAsB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7G,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,YAAY,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC,IAAI,EAAE,EAAE;IAC7D,MAAM,WAAW,GAAG,IAAI,CAAC,gBAAgB,KAAK,YAAY,CAAC;IAE3D,IAAI,WAAW,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CACb,sDAAsD;YACtD,6EAA6E,CAC9E,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CACb,kDAAkD,CACnD,CAAC;IACJ,CAAC;IAED,IAAI,SAA6B,CAAC;IAClC,IAAI,WAAW,EAAE,CAAC;QAChB,SAAS,GAAG,IAAI,CAAC,kBAAkB,IAAI,EAAE,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,SAAS,GAAG,IAAI,CAAC,kBAAkB,IAAI,yBAAyB,CAAC,IAAI,CAAC,eAAgB,CAAC,CAAC;QACxF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,mGAAmG,CACpG,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC9E,MAAM,IAAI,KAAK,CACb,yCAAyC,IAAI,CAAC,gBAAgB,MAAM;YACpE,sEAAsE,CACvE,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,oBAAoB,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC/G,MAAM,IAAI,KAAK,CACb,6CAA6C,IAAI,CAAC,oBAAoB,MAAM;YAC5E,sEAAsE,CACvE,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,yBAAyB,IAAI,CAAC,IAAI,CAAC,yBAAyB,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACzH,MAAM,IAAI,KAAK,CACb,kDAAkD,IAAI,CAAC,yBAAyB,MAAM;YACtF,sEAAsE,CACvE,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,sBAAsB,EAAE,CAAC;QACrD,OAAO,CAAC,KAAK,CAAC,8EAA8E,CAAC,CAAC;IAChG,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,IAAI,CAAC,0BAA0B,EAAE,CAAC;QAC7D,OAAO,CAAC,KAAK,CAAC,sFAAsF,CAAC,CAAC;IACxG,CAAC;IACD,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,sBAAsB,CAAC;IACpE,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,IAAI,IAAI,CAAC,0BAA0B,CAAC;IAEhF,uFAAuF;IACvF,IAAI,yBAAyB,GAAG,IAAI,CAAC,yBAAyB,IAAI,MAAM,CAAC;IACzE,IAAI,CAAC,IAAI,CAAC,yBAAyB,IAAI,IAAI,CAAC,wBAAwB,EAAE,CAAC;QACrE,OAAO,CAAC,KAAK,CACX,gGAAgG;YAChG,iFAAiF,CAClF,CAAC;QACF,yBAAyB,GAAG,KAAK,CAAC;IACpC,CAAC;IAED,sEAAsE;IACtE,MAAM,EAAE,sBAAsB,EAAE,OAAO,EAAE,0BAA0B,EAAE,WAAW,EAAE,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC;IAEnG,OAAO,EAAE,GAAG,IAAI,EAAE,eAAe,EAAE,IAAI,CAAC,eAAe,IAAI,EAAE,EAAE,kBAAkB,EAAE,SAAS,EAAE,WAAW,EAAE,eAAe,EAAE,yBAAyB,EAAE,CAAC;AAC1J,CAAC,CAAC,CAAC;AAIH;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAc,EAAE,OAA0B;IAC9E,IAAI,OAAO,KAAK,KAAK;QAAE,OAAO,MAAM,CAAC,oBAAoB,CAAC;IAC1D,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,UAAU;IACxB,MAAM,MAAM,GAAG,YAAY,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChG,MAAM,IAAI,KAAK,CAAC,2BAA2B,MAAM,EAAE,CAAC,CAAC;IACvD,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC"}

package/build/data/schemas/v0/pipeline.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../../../../src/data/schemas/v0/pipeline.ts"],"names":[],"mappings":"AAGA,QAAA,MAAM,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAu+hH/B,CAAC;AACF,eAAe,MAAM,CAAC"}
+{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../../../../src/data/schemas/v0/pipeline.ts"],"names":[],"mappings":"AAGA,QAAA,MAAM,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAokiH/B,CAAC;AACF,eAAe,MAAM,CAAC"}