npm - poe-code - Versions diffs - 3.0.213 → 3.0.215 - Mend

poe-code 3.0.213 → 3.0.215

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.js +420 -71
package/dist/index.js.map +4 -4
package/dist/prompts/github-issue-opened.md +3 -3
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -38279,7 +38279,7 @@ function selectNextExecution(plan, taskId) {
 function describeExecutionContext(selection) {
   return selection.stepName ? `task "${selection.task.id}" step "${selection.stepName}"` : `task "${selection.task.id}"`;
 }
-async function resolveFileIncludes(template2, cwd, readFile45) {
+async function resolveFileIncludes(template2, cwd, readFile46) {
   const matches2 = [...template2.matchAll(FILE_INCLUDE_PATTERN)];
   if (matches2.length === 0) {
     return template2;
@@ -38287,7 +38287,7 @@ async function resolveFileIncludes(template2, cwd, readFile45) {
   let result = template2;
   for (const match of matches2) {
     const absolutePath = path51.resolve(cwd, match[1]);
-    const content = await readFile45(absolutePath, "utf8");
+    const content = await readFile46(absolutePath, "utf8");
     result = result.replace(match[0], content);
   }
   return result;
@@ -38355,15 +38355,15 @@ async function resolveDocVarFromPath(options) {
     );
   }
 }
-async function resolvePipelineVars(vars, cwd, readFile45) {
+async function resolvePipelineVars(vars, cwd, readFile46) {
   const resolved = {};
   for (const [key2, value] of Object.entries(vars)) {
     if (key2.endsWith("_doc") && looksLikeDocPath(value)) {
-      const docContent = await resolveDocVarFromPath({ key: key2, value, cwd, readFile: readFile45 });
-      resolved[key2] = await resolveFileIncludes(docContent, cwd, readFile45);
+      const docContent = await resolveDocVarFromPath({ key: key2, value, cwd, readFile: readFile46 });
+      resolved[key2] = await resolveFileIncludes(docContent, cwd, readFile46);
       continue;
     }
-    resolved[key2] = await resolveFileIncludes(value, cwd, readFile45);
+    resolved[key2] = await resolveFileIncludes(value, cwd, readFile46);
   }
   return resolved;
 }
@@ -49593,6 +49593,316 @@ var init_require_comment_prefix = __esm({
   }
 });
+// packages/github-workflows/src/exec/trufflehog-pr-scan.ts
+import { appendFile as appendFile5, readFile as readFile24, writeFile as writeFile15 } from "node:fs/promises";
+async function runTruffleHogPrScanCommand(command, env, options = {}) {
+  const runner = options.runner ?? runCommand;
+  const cwd = options.cwd ?? process.cwd();
+  if (command === "scan-for-secrets") {
+    await scanForSecrets(env, cwd, runner);
+    return null;
+  }
+  if (command === "report-advisory-result") {
+    await reportAdvisoryResult(env, runner);
+    return null;
+  }
+  await clearStaleAdvisoryResult(env, runner);
+  return null;
+}
+function parseTruffleHogFindings(jsonl) {
+  const findings = [];
+  for (const line of jsonl.split("\n")) {
+    if (line.trim() === "") {
+      continue;
+    }
+    const parsed = parseJsonObject(line);
+    const detector = stringValue(parsed.DetectorName);
+    if (detector === void 0) {
+      continue;
+    }
+    findings.push({
+      detector,
+      filePath: readFilePath(parsed),
+      lineNumber: readLineNumber(parsed),
+      status: readStatus(parsed)
+    });
+  }
+  return findings;
+}
+function uniqueTruffleHogFindings(findings) {
+  const unique = /* @__PURE__ */ new Map();
+  for (const finding of findings) {
+    const key2 = [finding.status, finding.detector, finding.filePath, String(finding.lineNumber)].join("\0");
+    if (!unique.has(key2)) {
+      unique.set(key2, finding);
+    }
+  }
+  return [...unique.values()];
+}
+function renderTruffleHogFindingsTable(findings, options) {
+  const uniqueFindings = uniqueTruffleHogFindings(findings);
+  const rows = [
+    "| Detector | Location | Verification |",
+    "| --- | --- | --- |",
+    ...uniqueFindings.slice(0, options.maxFindings).map((finding) => `| ${md(finding.detector)} | ${renderLocation(finding, options)} | ${md(finding.status)} |`)
+  ];
+  if (uniqueFindings.length > options.maxFindings) {
+    rows.push("", `_Showing first ${options.maxFindings} of ${uniqueFindings.length} findings._`);
+  }
+  return rows.join("\n");
+}
+function renderTruffleHogComment(findings, options) {
+  const uniqueFindings = uniqueTruffleHogFindings(findings);
+  const heading = uniqueFindings.length === 1 ? "TruffleHog found a possible secret" : `TruffleHog found ${uniqueFindings.length} possible secrets`;
+  return [
+    COMMENT_MARKER,
+    "",
+    `### ${heading}`,
+    "",
+    renderTruffleHogFindingsTable(findings, options),
+    "",
+    FIX_MESSAGE
+  ].join("\n");
+}
+async function scanForSecrets(env, cwd, runner) {
+  const baseSha = requireEnv(env, "BASE_SHA");
+  const headSha = requireEnv(env, "HEAD_SHA");
+  const results = requireEnv(env, "RESULTS");
+  const image = requireEnv(env, "TRUFFLEHOG_IMAGE");
+  const resultsFile = env.get("TRUFFLEHOG_RESULTS_FILE") ?? DEFAULT_RESULTS_FILE;
+  const stderrFile = env.get("TRUFFLEHOG_STDERR_FILE") ?? DEFAULT_STDERR_FILE;
+  const result = await runner(
+    "docker",
+    [
+      "run",
+      "--rm",
+      "-v",
+      `${cwd}:/tmp`,
+      "-w",
+      "/tmp",
+      image,
+      "git",
+      "file:///tmp/",
+      "--since-commit",
+      baseSha,
+      "--branch",
+      headSha,
+      "--fail",
+      "--no-update",
+      "--json",
+      `--results=${results}`
+    ],
+    { cwd }
+  );
+  await writeFile15(resultsFile, result.stdout, "utf8");
+  await writeFile15(stderrFile, result.stderr, "utf8");
+  process.stderr.write(result.stderr);
+  const findingsCount = parseTruffleHogFindings(result.stdout).length;
+  await setGitHubOutput(env, "exit_code", String(result.exitCode));
+  await setGitHubOutput(env, "findings_count", String(findingsCount));
+  if (result.exitCode !== 0 && findingsCount === 0) {
+    throw new UserError(`TruffleHog exited with ${result.exitCode} without producing findings.`);
+  }
+}
+async function reportAdvisoryResult(env, runner) {
+  const githubToken = requireEnv(env, "GH_TOKEN");
+  const headSha = requireEnv(env, "HEAD_SHA");
+  const maxFindings = numberEnv(env, "MAX_FINDINGS");
+  const prNumber = requireEnv(env, "PR_NUMBER");
+  const repository = requireEnv(env, "REPOSITORY");
+  const resultsFile = env.get("TRUFFLEHOG_RESULTS_FILE") ?? DEFAULT_RESULTS_FILE;
+  const findings = uniqueTruffleHogFindings(parseTruffleHogFindings(await readFile24(resultsFile, "utf8")));
+  const body = renderTruffleHogComment(findings, { repository, headSha, maxFindings });
+  emitInlineAnnotations(findings, { maxFindings });
+  const existingCommentId = await findExistingCommentId(runner, githubToken, repository, prNumber);
+  if (existingCommentId === void 0) {
+    await ghApi(runner, githubToken, ["repos", repository, "issues", prNumber, "comments"], [
+      "--method",
+      "POST",
+      "--field",
+      `body=${body}`
+    ]);
+  } else {
+    await ghApi(runner, githubToken, ["repos", repository, "issues", "comments", existingCommentId], [
+      "--method",
+      "PATCH",
+      "--field",
+      `body=${body}`
+    ]);
+  }
+  const heading = findings.length === 1 ? "TruffleHog found a possible secret" : `TruffleHog found ${findings.length} possible secrets`;
+  const errorTitle = findings.length === 1 ? "TruffleHog finding" : "TruffleHog findings";
+  const errorMessage = findings.length === 1 ? "Possible secret detected." : "Possible secrets detected.";
+  console.log(`::error title=${errorTitle}::${errorMessage}`);
+  await appendStepSummary(env, [
+    `### ${heading}`,
+    "",
+    renderTruffleHogFindingsTable(findings, { repository, headSha, maxFindings }),
+    "",
+    FIX_MESSAGE
+  ].join("\n"));
+}
+async function clearStaleAdvisoryResult(env, runner) {
+  const githubToken = requireEnv(env, "GH_TOKEN");
+  const prNumber = requireEnv(env, "PR_NUMBER");
+  const repository = requireEnv(env, "REPOSITORY");
+  const existingCommentId = await findExistingCommentId(runner, githubToken, repository, prNumber);
+  if (existingCommentId !== void 0) {
+    await ghApi(runner, githubToken, ["repos", repository, "issues", "comments", existingCommentId], [
+      "--method",
+      "DELETE"
+    ]);
+  }
+}
+function emitInlineAnnotations(findings, options) {
+  for (const finding of findings.slice(0, options.maxFindings)) {
+    if (finding.filePath === "" || finding.lineNumber <= 0) {
+      continue;
+    }
+    console.log(
+      `::error file=${commandValue(finding.filePath)},line=${finding.lineNumber},title=${commandValue(`TruffleHog: ${finding.detector}`)}::${messageValue(`Possible secret detected (${finding.status}). Remove it from the PR and rotate it if it was real.`)}`
+    );
+  }
+}
+async function findExistingCommentId(runner, githubToken, repository, prNumber) {
+  const output = await ghApi(runner, githubToken, ["repos", repository, "issues", prNumber, "comments"]);
+  const comments = parseJsonArray(output);
+  for (let index = comments.length - 1; index >= 0; index -= 1) {
+    const comment = comments[index];
+    if (stringValue(comment.body)?.includes(COMMENT_MARKER) === true) {
+      return stringValue(comment.id);
+    }
+  }
+  return void 0;
+}
+async function ghApi(runner, githubToken, pathParts, args = []) {
+  const result = await runner("gh", ["api", pathParts.join("/"), ...args], {
+    env: { GH_TOKEN: githubToken }
+  });
+  if (result.exitCode !== 0) {
+    throw new UserError(`GitHub API call failed with exit code ${result.exitCode}: ${result.stderr}`);
+  }
+  return result.stdout;
+}
+async function setGitHubOutput(env, key2, value) {
+  const outputPath = env.get("GITHUB_OUTPUT");
+  if (outputPath !== void 0 && outputPath !== "") {
+    await appendFile5(outputPath, `${key2}=${value}
+`, "utf8");
+  }
+}
+async function appendStepSummary(env, content) {
+  const summaryPath = env.get("GITHUB_STEP_SUMMARY");
+  if (summaryPath !== void 0 && summaryPath !== "") {
+    await appendFile5(summaryPath, `${content}
+`, "utf8");
+  }
+}
+function renderLocation(finding, options) {
+  if (finding.lineNumber > 0 && finding.filePath !== "unknown") {
+    return `[${finding.filePath}:${finding.lineNumber}](https://github.com/${options.repository}/blob/${options.headSha}/${finding.filePath}#L${finding.lineNumber})`;
+  }
+  if (finding.filePath !== "unknown") {
+    return `\`${md(finding.filePath)}\``;
+  }
+  return "unknown";
+}
+function readStatus(record) {
+  if (record.Verified === true) {
+    return "verified";
+  }
+  const verificationError = stringValue(record.VerificationError);
+  return verificationError === void 0 || verificationError === "" ? "unverified" : "unknown";
+}
+function readFilePath(record) {
+  const metadata = objectValue(record.SourceMetadata);
+  const gitMetadata = recordValue(recordValue(metadata.Data)?.Git) ?? recordValue(metadata.Git) ?? recordValue(metadata.git) ?? recordValue(recordValue(metadata.data)?.git) ?? {};
+  const filesystemMetadata = recordValue(metadata.Filesystem) ?? recordValue(metadata.filesystem) ?? {};
+  return stringValue(gitMetadata.file) ?? stringValue(gitMetadata.File) ?? stringValue(filesystemMetadata.file) ?? "unknown";
+}
+function readLineNumber(record) {
+  const metadata = objectValue(record.SourceMetadata);
+  const gitMetadata = recordValue(recordValue(metadata.Data)?.Git) ?? recordValue(metadata.Git) ?? recordValue(metadata.git) ?? recordValue(recordValue(metadata.data)?.git) ?? {};
+  const filesystemMetadata = recordValue(metadata.Filesystem) ?? recordValue(metadata.filesystem) ?? {};
+  return numberValue(gitMetadata.line) ?? numberValue(gitMetadata.Line) ?? numberValue(filesystemMetadata.line) ?? 0;
+}
+function requireEnv(env, name) {
+  const value = env.get(name);
+  if (value === void 0 || value === "") {
+    throw new UserError(`${name} is required.`);
+  }
+  return value;
+}
+function numberEnv(env, name) {
+  const value = Number(requireEnv(env, name));
+  if (!Number.isFinite(value)) {
+    throw new UserError(`${name} must be a number.`);
+  }
+  return value;
+}
+function parseJsonObject(value) {
+  try {
+    const parsed = JSON.parse(value);
+    return objectValue(parsed);
+  } catch {
+    return {};
+  }
+}
+function parseJsonArray(value) {
+  try {
+    const parsed = JSON.parse(value);
+    return Array.isArray(parsed) ? parsed.map(objectValue) : [];
+  } catch {
+    return [];
+  }
+}
+function objectValue(value) {
+  return recordValue(value) ?? {};
+}
+function recordValue(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value) ? value : void 0;
+}
+function stringValue(value) {
+  if (typeof value === "string") {
+    return value;
+  }
+  if (typeof value === "number") {
+    return String(value);
+  }
+  return void 0;
+}
+function numberValue(value) {
+  if (typeof value === "number") {
+    return value;
+  }
+  if (typeof value !== "string") {
+    return void 0;
+  }
+  const parsed = Number(value);
+  return Number.isFinite(parsed) ? parsed : void 0;
+}
+function md(value) {
+  return value.replaceAll("|", "\\|").replaceAll("`", "'").replaceAll("\r", " ").replaceAll("\n", " ");
+}
+function commandValue(value) {
+  return value.replaceAll("%", "%25").replaceAll("\r", "%0D").replaceAll("\n", "%0A").replaceAll(":", "%3A").replaceAll(",", "%2C");
+}
+function messageValue(value) {
+  return value.replaceAll("%", "%25").replaceAll("\r", "%0D").replaceAll("\n", "%0A");
+}
+var DEFAULT_RESULTS_FILE, DEFAULT_STDERR_FILE, COMMENT_MARKER, FIX_MESSAGE;
+var init_trufflehog_pr_scan = __esm({
+  "packages/github-workflows/src/exec/trufflehog-pr-scan.ts"() {
+    "use strict";
+    init_src16();
+    init_src12();
+    DEFAULT_RESULTS_FILE = "/tmp/trufflehog-results.jsonl";
+    DEFAULT_STDERR_FILE = "/tmp/trufflehog-stderr.log";
+    COMMENT_MARKER = "<!-- trufflehog-pr-scan -->";
+    FIX_MESSAGE = "Fix: remove the value, rotate it if it was real, and push a cleanup commit.";
+  }
+});
 // packages/github-workflows/src/preflight.ts
 function runPreflightChecks(context) {
   checkRequiredEnvVar(context.env, "POE_API_KEY");
@@ -49661,7 +49971,7 @@ var init_setup_agent = __esm({
 // packages/github-workflows/src/variables.ts
 import path75 from "node:path";
-import { readFile as readFile24 } from "node:fs/promises";
+import { readFile as readFile25 } from "node:fs/promises";
 import { isMap as isMap4, parseDocument as parseDocument9, stringify as stringify4 } from "yaml";
 function isRecord25(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
@@ -49752,7 +50062,7 @@ function extractUserOverrideBlocks(filePath, content) {
 }
 async function readOptionalVariablesContent(filePath) {
   try {
-    return await readFile24(filePath, "utf8");
+    return await readFile25(filePath, "utf8");
   } catch (error2) {
     if (error2 instanceof Error && error2.code === "ENOENT") {
       return void 0;
@@ -49781,7 +50091,7 @@ function formatCommentedBlock(name, value) {
 }
 async function loadVariableSources(builtInDir, projectDir) {
   const builtInPath = path75.join(builtInDir, VARIABLES_FILE_NAME);
-  const builtInVariables = parseVariables(builtInPath, await readFile24(builtInPath, "utf8"));
+  const builtInVariables = parseVariables(builtInPath, await readFile25(builtInPath, "utf8"));
   const projectVariablesPath = projectDir === void 0 ? void 0 : path75.join(projectDir, VARIABLES_FILE_NAME);
   const projectVariablesContent = projectVariablesPath === void 0 ? void 0 : await readOptionalVariablesContent(projectVariablesPath);
   if (projectVariablesPath === void 0 || projectVariablesContent === void 0) {
@@ -49795,7 +50105,7 @@ async function loadVariableSources(builtInDir, projectDir) {
 }
 async function loadVariables(builtInDir, projectDir) {
   const builtInPath = path75.join(builtInDir, VARIABLES_FILE_NAME);
-  const builtInContent = await readFile24(builtInPath, "utf8");
+  const builtInContent = await readFile25(builtInPath, "utf8");
   const builtInVariables = parseVariables(builtInPath, builtInContent);
   if (projectDir === void 0) {
     return filterDisabledVariables(builtInVariables);
@@ -49819,7 +50129,7 @@ async function loadVariables(builtInDir, projectDir) {
       }
     ],
     {
-      fs: { readFile: readFile24 },
+      fs: { readFile: readFile25 },
       autoExtend: true
     }
   );
@@ -49894,7 +50204,7 @@ var init_variables2 = __esm({
 });
 // packages/github-workflows/src/commands.ts
-import { access as access3, mkdir as mkdir16, readFile as readFile25, unlink as unlink12, writeFile as writeFile15 } from "node:fs/promises";
+import { access as access3, mkdir as mkdir16, readFile as readFile26, unlink as unlink12, writeFile as writeFile16 } from "node:fs/promises";
 import path76 from "node:path";
 import { fileURLToPath as fileURLToPath8 } from "node:url";
 import Mustache3 from "mustache";
@@ -49918,7 +50228,7 @@ async function loadNamedAutomation(name, cwd) {
 }
 async function readBuiltInPromptFile(name) {
   try {
-    return await readFile25(path76.join(await resolveBuiltInPromptsDir(), `${name}.md`), "utf8");
+    return await readFile26(path76.join(await resolveBuiltInPromptsDir(), `${name}.md`), "utf8");
   } catch (error2) {
     if (isMissingPathError2(error2)) {
       throw new UserError(`Automation "${name}" was not found.`);
@@ -49929,7 +50239,7 @@ async function readBuiltInPromptFile(name) {
 async function readBuiltInWorkflowTemplate(name, variant, automationName = name, promptPath) {
   const templatePath = path76.join(await resolveBuiltInWorkflowTemplatesDir(), `${name}.${variant}.yml`);
   try {
-    const content = await readFile25(templatePath, "utf8");
+    const content = await readFile26(templatePath, "utf8");
     const header = promptPath !== void 0 ? `# Auto-generated by: poe-code github-workflows install ${name}
 # Edit ${path76.relative(process.cwd(), promptPath)} to customize the prompt.
 ` : `# Auto-generated by: poe-code github-workflows install ${name}
@@ -50082,6 +50392,29 @@ function buildPerItemTemplateContext(item, sharedContext) {
 function renderPrompt(template2, view) {
   return Mustache3.render(template2, view);
 }
+function requireSuccessfulRuns(name, items) {
+  const succeeded = items.filter((item) => item.result.exitCode === 0).length;
+  if (succeeded === items.length) {
+    return;
+  }
+  const firstFailure = items.find((item) => item.result.exitCode !== 0);
+  const details = [
+    `Automation "${name}" failed: ${succeeded}/${items.length} spawned agent runs exited successfully.`
+  ];
+  if (firstFailure !== void 0) {
+    details.push(`First failure exited with code ${firstFailure.result.exitCode}.`);
+    appendCommandOutput(details, "stderr", firstFailure.result.stderr);
+    appendCommandOutput(details, "stdout", firstFailure.result.stdout);
+  }
+  throw new UserError(details.join("\n"));
+}
+function appendCommandOutput(details, label, output) {
+  const trimmed = output.trim();
+  if (trimmed.length === 0) {
+    return;
+  }
+  details.push(`${label}:`, trimmed);
+}
 function resolveSourceCommand(source, env) {
   const repo = env.get("GITHUB_REPOSITORY");
   if (repo === void 0) {
@@ -50140,10 +50473,10 @@ async function installAutomation(name, cwd, isEject) {
   ]);
   const workflowPath = path76.join(cwd, ".github", "workflows", `poe-code-${name}.yml`);
   await mkdir16(path76.dirname(workflowPath), { recursive: true });
-  await writeFile15(workflowPath, workflowTemplate, "utf8");
+  await writeFile16(workflowPath, workflowTemplate, "utf8");
   if (promptPath !== void 0) {
     await mkdir16(path76.dirname(promptPath), { recursive: true });
-    await writeFile15(promptPath, addPromptHeader(rawPrompt, name), "utf8");
+    await writeFile16(promptPath, addPromptHeader(rawPrompt, name), "utf8");
   }
   return {
     name,
@@ -50158,17 +50491,17 @@ async function ensureProjectSupportFiles(cwd, builtInVariables) {
   const variablesPath = path76.join(projectDir, "variables.yaml");
   const readmePath = path76.join(projectDir, "README.md");
   await mkdir16(projectDir, { recursive: true });
-  await writeFile15(
+  await writeFile16(
     variablesPath,
     generateProjectVariablesFile(builtInVariables, await readOptionalFile4(variablesPath)),
     "utf8"
   );
-  await writeFile15(readmePath, renderProjectReadme(), "utf8");
+  await writeFile16(readmePath, renderProjectReadme(), "utf8");
   return { readmePath, variablesPath };
 }
 async function readOptionalFile4(filePath) {
   try {
-    return await readFile25(filePath, "utf8");
+    return await readFile26(filePath, "utf8");
   } catch (error2) {
     if (isMissingPathError2(error2)) {
       return void 0;
@@ -50215,7 +50548,7 @@ async function selectAutomationName(message2, automations) {
   }
   return selected;
 }
-var UPSTREAM_REPO, builtInPromptsDirCandidates, builtInWorkflowTemplatesDirCandidates, installableAutomations, runCommandDef, listCommand, installCommand2, uninstallCommand, requireUserAllowCommand, requireCommentPrefixCommand, prepareCommand, promptPreviewCommand, variablesCommand, ghGroup;
+var UPSTREAM_REPO, builtInPromptsDirCandidates, builtInWorkflowTemplatesDirCandidates, installableAutomations, runCommandDef, listCommand, installCommand2, uninstallCommand, requireUserAllowCommand, requireCommentPrefixCommand, truffleHogPrScanCommand, prepareCommand, promptPreviewCommand, variablesCommand, ghGroup;
 var init_commands2 = __esm({
   "packages/github-workflows/src/commands.ts"() {
     "use strict";
@@ -50226,6 +50559,7 @@ var init_commands2 = __esm({
     init_discover2();
     init_check_user_allow();
     init_require_comment_prefix();
+    init_trufflehog_pr_scan();
     init_preflight();
     init_setup_agent();
     init_variables2();
@@ -50277,21 +50611,23 @@ var init_commands2 = __esm({
         const sharedTemplateContext = { ...variables, ...buildTemplateContext5(env) };
         if (automation.source === void 0) {
           const prompt = renderPrompt(automation.prompt, sharedTemplateContext);
+          const items2 = [
+            {
+              prompt,
+              result: await spawn4(agent2, {
+                prompt,
+                cwd,
+                ...params.model === void 0 ? {} : { model: params.model },
+                ...params.mode === void 0 ? {} : { mode: params.mode },
+                ...automation.mcp === void 0 ? {} : { mcpServers: resolveMcpConfig(automation.mcp, env) }
+              })
+            }
+          ];
+          requireSuccessfulRuns(automation.name, items2);
           return {
             automation: automation.name,
             agent: agent2,
-            items: [
-              {
-                prompt,
-                result: await spawn4(agent2, {
-                  prompt,
-                  cwd,
-                  ...params.model === void 0 ? {} : { model: params.model },
-                  ...params.mode === void 0 ? {} : { mode: params.mode },
-                  ...automation.mcp === void 0 ? {} : { mcpServers: resolveMcpConfig(automation.mcp, env) }
-                })
-              }
-            ]
+            items: items2
           };
         }
         const sourceResult = await runCommand("sh", ["-c", resolveSourceCommand(automation.source, env)], {
@@ -50318,6 +50654,7 @@ var init_commands2 = __esm({
             })
           });
         }
+        requireSuccessfulRuns(automation.name, results);
         return {
           automation: automation.name,
           agent: agent2,
@@ -50485,6 +50822,16 @@ var init_commands2 = __esm({
         return null;
       }
     });
+    truffleHogPrScanCommand = defineCommand({
+      name: "trufflehog-pr-scan",
+      description: "Run the TruffleHog PR scan workflow helper.",
+      positional: ["command"],
+      params: S.Object({
+        command: S.Enum(["scan-for-secrets", "report-advisory-result", "clear-stale-advisory-result"])
+      }),
+      scope: ["cli"],
+      handler: async ({ params, env }) => runTruffleHogPrScanCommand(params.command, env)
+    });
     prepareCommand = defineCommand({
       name: "prepare",
       description: "Install and configure the agent required by a workflow automation.",
@@ -50571,6 +50918,7 @@ var init_commands2 = __esm({
         prepareCommand,
         requireUserAllowCommand,
         requireCommentPrefixCommand,
+        truffleHogPrScanCommand,
         listCommand,
         installCommand2,
         uninstallCommand,
@@ -50591,6 +50939,7 @@ var init_src32 = __esm({
     init_commands2();
     init_check_user_allow();
     init_require_comment_prefix();
+    init_trufflehog_pr_scan();
   }
 });
@@ -51831,7 +52180,7 @@ var init_renderer3 = __esm({
 });
 // packages/toolcraft/src/cli.ts
-import { access as access4, readFile as readFile26, writeFile as writeFile16 } from "node:fs/promises";
+import { access as access4, readFile as readFile27, writeFile as writeFile17 } from "node:fs/promises";
 import path79 from "node:path";
 import {
   Command as CommanderCommand,
@@ -53083,9 +53432,9 @@ async function withOutputFormat2(output, fn) {
 }
 function createFs3() {
   return {
-    readFile: async (path108, encoding = "utf8") => readFile26(path108, { encoding }),
+    readFile: async (path108, encoding = "utf8") => readFile27(path108, { encoding }),
     writeFile: async (path108, contents) => {
-      await writeFile16(path108, contents);
+      await writeFile17(path108, contents);
     },
     exists: async (path108) => {
       try {
@@ -53192,7 +53541,7 @@ function validatePresetFieldValue(value, field, presetPath) {
 async function loadPresetValues(fields, presetPath) {
   let rawPreset;
   try {
-    rawPreset = await readFile26(presetPath, {
+    rawPreset = await readFile27(presetPath, {
       encoding: "utf8"
     });
   } catch (error2) {
@@ -53449,7 +53798,7 @@ async function loadFixtureScenario(command, selector) {
   const fixturePath = resolveFixturePath(commandPath);
   let rawFixture;
   try {
-    rawFixture = await readFile26(fixturePath, {
+    rawFixture = await readFile27(fixturePath, {
       encoding: "utf8"
     });
   } catch {
@@ -54530,12 +54879,12 @@ function createOverlayFileSystem(base) {
     }
     return base.readFile(filePath, "utf8");
   };
-  async function readFile45(filePath, encoding) {
+  async function readFile46(filePath, encoding) {
     const content = await readOverlayText(filePath);
     return encoding ? content : Buffer.from(content);
   }
   const fs19 = {
-    readFile: readFile45,
+    readFile: readFile46,
     async writeFile(filePath, content) {
       writes.set(filePath, stringifyFileContent(content));
     },
@@ -58885,7 +59234,7 @@ var init_dashboard_loop_shared = __esm({
 // src/cli/commands/pipeline.ts
 import path83 from "node:path";
-import { readFile as readFile27, stat as stat18 } from "node:fs/promises";
+import { readFile as readFile28, stat as stat18 } from "node:fs/promises";
 import { fileURLToPath as fileURLToPath10 } from "node:url";
 async function resolvePipelineCommandConfig(container) {
   const [configDoc, pipelineYamlConfig] = await Promise.all([
@@ -59339,8 +59688,8 @@ async function loadPipelineTemplates() {
       continue;
     }
     const [skillPlan, steps] = await Promise.all([
-      readFile27(path83.join(templateRoot, "SKILL_plan.md"), "utf8"),
-      readFile27(path83.join(templateRoot, "steps.yaml.mustache"), "utf8")
+      readFile28(path83.join(templateRoot, "SKILL_plan.md"), "utf8"),
+      readFile28(path83.join(templateRoot, "steps.yaml.mustache"), "utf8")
     ]);
     pipelineTemplatesCache = { skillPlan, steps };
     return pipelineTemplatesCache;
@@ -59668,11 +60017,11 @@ function registerPipelineCommand(program, container) {
         if (typeof t.status === "string") return t.status === "done";
         return Object.values(t.status).every((s) => s === "done");
       }).length;
-      const readFile45 = container.fs.readFile.bind(container.fs);
+      const readFile46 = container.fs.readFile.bind(container.fs);
       const resolvedVars = await resolvePipelineVars(
         plan.vars ?? {},
         container.env.cwd,
-        readFile45
+        readFile46
       );
       const resolvedSetup = plan.setup === null ? void 0 : plan.setup ?? steps.setup;
       const resolvedTeardown = plan.teardown === null ? void 0 : plan.teardown ?? steps.teardown;
@@ -59694,7 +60043,7 @@ function registerPipelineCommand(program, container) {
       if (opts.preview) {
         if (resolvedSetup) {
           const raw = interpolatePipelineVars(resolvedSetup.prompt, resolvedVars, "setup");
-          const expanded = await resolveFileIncludes(raw, container.env.cwd, readFile45);
+          const expanded = await resolveFileIncludes(raw, container.env.cwd, readFile46);
           resources.logger.resolved("setup", expanded);
         }
         for (const task of plan.tasks) {
@@ -59707,7 +60056,7 @@ function registerPipelineCommand(program, container) {
                 vars: resolvedVars
               }),
               container.env.cwd,
-              readFile45
+              readFile46
             );
             resources.logger.resolved(`task: ${task.id} \u2014 ${task.title}`, expanded);
           } else {
@@ -59720,7 +60069,7 @@ function registerPipelineCommand(program, container) {
                   vars: resolvedVars
                 }),
                 container.env.cwd,
-                readFile45
+                readFile46
               );
               resources.logger.resolved(`task: ${task.id} / ${stepName}`, expanded);
             }
@@ -59728,7 +60077,7 @@ function registerPipelineCommand(program, container) {
         }
         if (resolvedTeardown) {
           const raw = interpolatePipelineVars(resolvedTeardown.prompt, resolvedVars, "teardown");
-          const expanded = await resolveFileIncludes(raw, container.env.cwd, readFile45);
+          const expanded = await resolveFileIncludes(raw, container.env.cwd, readFile46);
           resources.logger.resolved("teardown", expanded);
         }
       }
@@ -60483,7 +60832,7 @@ var init_ralph3 = __esm({
 // src/cli/commands/experiment.ts
 import path85 from "node:path";
-import { readFile as readFile28, stat as stat19 } from "node:fs/promises";
+import { readFile as readFile29, stat as stat19 } from "node:fs/promises";
 import { fileURLToPath as fileURLToPath11 } from "node:url";
 function resolveExperimentPaths(scope, cwd, homeDir) {
   const rootPath = scope === "global" ? path85.join(homeDir, ".poe-code", "experiments") : path85.join(cwd, ".poe-code", "experiments");
@@ -60531,8 +60880,8 @@ async function loadExperimentTemplates() {
       continue;
     }
     const [skillPlan, runYaml] = await Promise.all([
-      readFile28(path85.join(templateRoot, "SKILL_experiment.md"), "utf8"),
-      readFile28(path85.join(templateRoot, "run.yaml.mustache"), "utf8")
+      readFile29(path85.join(templateRoot, "SKILL_experiment.md"), "utf8"),
+      readFile29(path85.join(templateRoot, "run.yaml.mustache"), "utf8")
     ]);
     experimentTemplatesCache = { skillPlan, runYaml };
     return experimentTemplatesCache;
@@ -76842,7 +77191,7 @@ var init_dump = __esm({
 });
 // packages/agent-script/src/snapshot/scheduler.ts
-import { mkdir as mkdir21, rename as rename8, writeFile as writeFile23 } from "node:fs/promises";
+import { mkdir as mkdir21, rename as rename8, writeFile as writeFile24 } from "node:fs/promises";
 import { dirname as dirname6 } from "node:path";
 function createSnapshotScheduler(options) {
   if (options.snapshotPath === void 0) {
@@ -76875,7 +77224,7 @@ function createSnapshotScheduler(options) {
 async function writeSnapshotAtomically(snapshotPath, snapshot2) {
   const temporaryPath = `${snapshotPath}.tmp`;
   await mkdir21(dirname6(snapshotPath), { recursive: true });
-  await writeFile23(temporaryPath, JSON.stringify(snapshot2, null, 2));
+  await writeFile24(temporaryPath, JSON.stringify(snapshot2, null, 2));
   await rename8(temporaryPath, snapshotPath);
 }
 var DEFAULT_SNAPSHOT_INTERVAL_MS;
@@ -79073,22 +79422,22 @@ function writeBlockSequence(state, level, object, compact) {
   state.dump = _result || "[]";
 }
 function writeFlowMapping(state, level, object) {
-  var _result = "", _tag = state.tag, objectKeyList = Object.keys(object), index, length, objectKey, objectValue, pairBuffer;
+  var _result = "", _tag = state.tag, objectKeyList = Object.keys(object), index, length, objectKey, objectValue2, pairBuffer;
   for (index = 0, length = objectKeyList.length; index < length; index += 1) {
     pairBuffer = "";
     if (_result !== "") pairBuffer += ", ";
     if (state.condenseFlow) pairBuffer += '"';
     objectKey = objectKeyList[index];
-    objectValue = object[objectKey];
+    objectValue2 = object[objectKey];
     if (state.replacer) {
-      objectValue = state.replacer.call(object, objectKey, objectValue);
+      objectValue2 = state.replacer.call(object, objectKey, objectValue2);
     }
     if (!writeNode(state, level, objectKey, false, false)) {
       continue;
     }
     if (state.dump.length > 1024) pairBuffer += "? ";
     pairBuffer += state.dump + (state.condenseFlow ? '"' : "") + ":" + (state.condenseFlow ? "" : " ");
-    if (!writeNode(state, level, objectValue, false, false)) {
+    if (!writeNode(state, level, objectValue2, false, false)) {
       continue;
     }
     pairBuffer += state.dump;
@@ -79098,7 +79447,7 @@ function writeFlowMapping(state, level, object) {
   state.dump = "{" + _result + "}";
 }
 function writeBlockMapping(state, level, object, compact) {
-  var _result = "", _tag = state.tag, objectKeyList = Object.keys(object), index, length, objectKey, objectValue, explicitPair, pairBuffer;
+  var _result = "", _tag = state.tag, objectKeyList = Object.keys(object), index, length, objectKey, objectValue2, explicitPair, pairBuffer;
   if (state.sortKeys === true) {
     objectKeyList.sort();
   } else if (typeof state.sortKeys === "function") {
@@ -79112,9 +79461,9 @@ function writeBlockMapping(state, level, object, compact) {
       pairBuffer += generateNextLine(state, level);
     }
     objectKey = objectKeyList[index];
-    objectValue = object[objectKey];
+    objectValue2 = object[objectKey];
     if (state.replacer) {
-      objectValue = state.replacer.call(object, objectKey, objectValue);
+      objectValue2 = state.replacer.call(object, objectKey, objectValue2);
     }
     if (!writeNode(state, level + 1, objectKey, true, true, true)) {
       continue;
@@ -79131,7 +79480,7 @@ function writeBlockMapping(state, level, object, compact) {
     if (explicitPair) {
       pairBuffer += generateNextLine(state, level);
     }
-    if (!writeNode(state, level + 1, objectValue, true, explicitPair)) {
+    if (!writeNode(state, level + 1, objectValue2, true, explicitPair)) {
       continue;
     }
     if (state.dump && CHAR_LINE_FEED === state.dump.charCodeAt(0)) {
@@ -79835,7 +80184,7 @@ var init_frontmatter6 = __esm({
 });
 // packages/agent-script/src/runner/run-harness.ts
-import { readFile as readFile41 } from "node:fs/promises";
+import { readFile as readFile42 } from "node:fs/promises";
 import { extname as extname2 } from "node:path";
 var init_run_harness = __esm({
   "packages/agent-script/src/runner/run-harness.ts"() {
@@ -80697,7 +81046,7 @@ var init_validate3 = __esm({
 });
 // packages/agent-harness/src/loader/run.ts
-import { mkdir as mkdir22, readFile as readFile43, unlink as unlink15, writeFile as writeFile24 } from "node:fs/promises";
+import { mkdir as mkdir22, readFile as readFile44, unlink as unlink15, writeFile as writeFile25 } from "node:fs/promises";
 import os12 from "node:os";
 import { dirname as dirname8, join as join8 } from "node:path";
 async function runHarnessPair(mdPath, options) {
@@ -80884,7 +81233,7 @@ async function createHostCallReplay(snapshotPath) {
 }
 async function readHostCallRecords(storePath) {
   try {
-    const parsed = JSON.parse(await readFile43(storePath, "utf8"));
+    const parsed = JSON.parse(await readFile44(storePath, "utf8"));
     return Array.isArray(parsed) ? parsed : [];
   } catch (error2) {
     if (hasErrorCode5(error2, "ENOENT")) {
@@ -80901,7 +81250,7 @@ async function writeHostCallRecords(storePath, records) {
     return;
   }
   await mkdir22(dirname8(storePath), { recursive: true });
-  await writeFile24(storePath, serialized);
+  await writeFile25(storePath, serialized);
 }
 async function cleanupCompletedSnapshot(snapshotPath) {
   await Promise.all([
@@ -80953,7 +81302,7 @@ function resolveSnapshotPath(mdPath, snapshotPath) {
 }
 async function readSnapshot(snapshotPath) {
   try {
-    return JSON.parse(await readFile43(snapshotPath, "utf8"));
+    return JSON.parse(await readFile44(snapshotPath, "utf8"));
   } catch (error2) {
     if (hasErrorCode5(error2, "ENOENT")) {
       return void 0;
@@ -80962,7 +81311,7 @@ async function readSnapshot(snapshotPath) {
   }
 }
 async function readTextFile(path108) {
-  const source = await readFile43(path108, "utf8");
+  const source = await readFile44(path108, "utf8");
   return source.startsWith("\uFEFF") ? source.slice(1) : source;
 }
 function formatLintErrorMessage(diagnostics) {
@@ -81040,7 +81389,7 @@ var init_src36 = __esm({
 // src/cli/commands/harness.ts
 import path107 from "node:path";
-import { readFile as readFile44 } from "node:fs/promises";
+import { readFile as readFile45 } from "node:fs/promises";
 function registerHarnessCommand(program, container) {
   const harness = program.command("harness").description("Run and manage agent harness pairs.");
   harness.command("run").description("Run a harness pair.").argument("[md-path]", "Path to the harness .md file").option("-y, --yes", "Accept defaults without prompting.").action(async (mdPath, options) => {
@@ -81087,8 +81436,8 @@ async function executeHarnessNew(program, container, kind, basename4, options) {
     return;
   }
   const [mdSource, ajsSource] = await Promise.all([
-    readFile44(template2.mdPath, "utf8"),
-    readFile44(template2.ajsPath, "utf8")
+    readFile45(template2.mdPath, "utf8"),
+    readFile45(template2.ajsPath, "utf8")
   ]);
   await container.fs.mkdir(resolvedDir, { recursive: true });
   await Promise.all([
@@ -81360,7 +81709,7 @@ var init_package2 = __esm({
   "package.json"() {
     package_default2 = {
       name: "poe-code",
-      version: "3.0.213",
+      version: "3.0.215",
       description: "CLI tool to configure Poe API for developer workflows.",
       type: "module",
       main: "./dist/index.js",