tokrepo-mcp-server 2.12.0 → 2.12.2

package/README.md CHANGED
@@ -39,11 +39,11 @@ Once connected, your AI assistant can:
39
39
  - **Search** 200+ curated AI assets by keyword or category with agent fit signals
40
40
  - **Browse** trending assets, filter by type (MCP, Skill, Prompt, Agent, Script)
41
41
  - **Get details** — full documentation, install instructions, and metadata
42
- - **Verify trust** — read-only content hash, install plan hash, permission envelope, policy, trust_score_v2, blockers, and warnings
43
- - **Plan before install** — get install plan v2 with policy decisions, rollback, and verification
42
+ - **Verify trust** — read-only content hash, install plan hash, permission envelope, policy, trust_score_v2, `evidence_bundle`, SBOM-lite, `signature_evidence`, blockers, and warnings
43
+ - **Plan before install** — get install plan v2 with policy decisions, rollback, verification, `evidence_bundle`, SBOM-lite, and `signature_evidence`
44
44
  - **Safe Codex install** — dry-run by default; risky assets must be staged or explicitly approved
45
45
  - **Lifecycle control** — list, update, uninstall, and roll back managed Codex installs
46
- - **Post-task handoff planning** — inspect reusable local work with `tokrepo_handoff_plan` before any push
46
+ - **Post-task handoff planning** — inspect reusable local work with `tokrepo_handoff_plan` before any push, including `quality_gate`, package manifest, SBOM-lite, and provenance
47
47
  - **Project memory** — pair with `tokrepo init-agent --target all` so future agents know to call TokRepo during planning
48
48
  - **Discovery surfaces** — official MCP `server.json`, A2A agent card, portable agent manifest, tool catalog, `.well-known`, `agents.txt`, `llms.txt`, and npm metadata are kept machine-readable for agents and registries
49
49
  - **Funnel visibility** — anonymous aggregate events show whether agents actually discover, plan, install, hand off, and push reusable assets
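Review bot: The rewritten **Verify trust** and **Plan before install** bullets name `evidence_bundle`, SBOM-lite and `signature_evidence` without saying what each one contains or what a reader should check in it. Add a short definition for each, or link the bullets to the evidence bundle schema listed under the discovery links. SBOM-lite is also the only one of the three terms not set in code formatting, so it is unclear whether it is a field name or a description.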
@@ -55,14 +55,14 @@ Once connected, your AI assistant can:
55
55
  | `tokrepo_discover` | Planning-time capability discovery from a task, environment, and constraints |
56
56
  | `tokrepo_search` | Search assets by keyword/tag with `agent_fit` ranking |
57
57
  | `tokrepo_detail` | Get full asset details by UUID |
58
- | `tokrepo_verify` | Verify trust, hashes, permissions, and policy before activation |
59
- | `tokrepo_install_plan` | Get agent-native install plan v2 |
58
+ | `tokrepo_verify` | Verify trust, hashes, permissions, policy, evidence_bundle, SBOM-lite, and signature_evidence before activation |
59
+ | `tokrepo_install_plan` | Get agent-native install plan v2 with rollback, evidence_bundle, SBOM-lite, and signature_evidence |
60
60
  | `tokrepo_codex_install` | Dry-run, stage, or install a Codex skill safely |
61
61
  | `tokrepo_installed` | List TokRepo-managed Codex installs |
62
62
  | `tokrepo_update` | Dry-run or update managed Codex installs |
63
63
  | `tokrepo_uninstall` | Dry-run or remove a managed Codex install |
64
64
  | `tokrepo_rollback` | Dry-run or roll back a prior Codex install session |
65
- | `tokrepo_handoff_plan` | Read-only packaging plan for reusable local work after a task |
65
+ | `tokrepo_handoff_plan` | Read-only packaging plan with quality_gate and package manifest for reusable local work after a task |
66
66
  | `tokrepo_push` | Push one explicit asset to TokRepo after user confirmation |
67
67
 
68
68
  ## Example Conversations
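Review bot: The new `tokrepo_handoff_plan` row lists only quality_gate and package manifest, while the feature bullet for the same tool earlier in this README adds SBOM-lite and provenance. Make the row and the bullet list the same outputs. The rows for `tokrepo_verify` and `tokrepo_install_plan` also write evidence_bundle and signature_evidence as plain text where the bullets use code formatting; pick one style for field names.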
@@ -81,7 +81,7 @@ AI: [calls tokrepo_codex_install with dry_run=false, confirm=true] → Writes on
81
81
  AI: [calls tokrepo_rollback with dry_run=true] → Shows exactly what would be removed before rollback
82
82
 
83
83
  You: "We created a reusable project rule; save it for future agents"
84
- AI: [calls tokrepo_handoff_plan] → Returns explicit files, hashes, metadata defaults, and private-by-default push guidance
84
+ AI: [calls tokrepo_handoff_plan] → Returns explicit files, hashes, quality_gate, package manifest, SBOM-lite, provenance, metadata defaults, and private-by-default push guidance
85
85
  AI: [asks for confirmation before tokrepo_push] → Uploads only reviewed files
86
86
  ```
87
87
 
@@ -109,6 +109,8 @@ Registries and agents can discover this server through:
109
109
  - Eval evidence: [tokrepo.com/evals/agent-discovery.json](https://tokrepo.com/evals/agent-discovery.json)
110
110
  - Multi-agent compatibility: [tokrepo.com/evals/multi-agent-compatibility.json](https://tokrepo.com/evals/multi-agent-compatibility.json)
111
111
  - Agent memory schema: [tokrepo.com/schemas/agent-memory.schema.json](https://tokrepo.com/schemas/agent-memory.schema.json)
112
+ - Agent evidence bundle schema: [tokrepo.com/schemas/agent-evidence-bundle.schema.json](https://tokrepo.com/schemas/agent-evidence-bundle.schema.json)
113
+ - Handoff package schema: [tokrepo.com/schemas/handoff-package.schema.json](https://tokrepo.com/schemas/handoff-package.schema.json)
112
114
  - Agent text entry: [tokrepo.com/agents.txt](https://tokrepo.com/agents.txt)
113
115
  - Agent instructions: [tokrepo.com/agent-instructions/tokrepo.md](https://tokrepo.com/agent-instructions/tokrepo.md)
114
116
  - Agent ecosystem distribution pack: [tokrepo.com/agent-ecosystem.json](https://tokrepo.com/agent-ecosystem.json)
package/bin/server.js CHANGED
@@ -20,7 +20,7 @@ const API_BASE = process.env.TOKREPO_API || 'https://api.tokrepo.com';
20
20
  const TOKREPO_URL = 'https://tokrepo.com';
21
21
  const TOKREPO_TOKEN = process.env.TOKREPO_TOKEN || '';
22
22
  const TOKREPO_CLI = process.env.TOKREPO_CLI || '';
23
- const SERVER_VERSION = '2.12.0';
23
+ const SERVER_VERSION = '2.12.2';
24
24
 
25
25
  // ─── MCP Protocol (JSON-RPC over stdio) ───
26
26
 
@@ -137,7 +137,7 @@ const TOOLS = [
137
137
  },
138
138
  {
139
139
  name: 'tokrepo_install_plan',
140
- description: 'Return an agent-native install plan v2 for a TokRepo asset. Use this before installing: it includes preconditions, actions, risk profile, policy decision, rollback, and post-install verification.',
140
+ description: 'Return an agent-native install plan v2 for a TokRepo asset. Use this before installing: it includes preconditions, actions, risk profile, policy decision, rollback, post-install verification, evidence_bundle, SBOM-lite, signature_evidence, and provenance_v2.',
141
141
  inputSchema: {
142
142
  type: 'object',
143
143
  properties: {
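Review bot: The new `tokrepo_install_plan` description ends with `provenance_v2`, a field that the README bullet and table row for this tool in the same diff do not mention (both stop at `signature_evidence`). Add it to the README or drop it here so the tool catalog and the documentation advertise the same outputs. The description also promises these fields unconditionally, although `handleInstallPlan` keeps an API fallback path; say whether both paths return them.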
@@ -157,7 +157,7 @@ const TOOLS = [
157
157
  },
158
158
  {
159
159
  name: 'tokrepo_verify',
160
- description: 'Read-only asset trust verification for agents. Produces content hash, install plan hash, policy decision, permission envelope, trust_score_v2, blockers, warnings, schemas, and safe next actions before activation.',
160
+ description: 'Read-only asset trust verification for agents. Produces content hash, install plan hash, policy decision, permission envelope, trust_score_v2, evidence_bundle, SBOM-lite, signature_evidence, blockers, warnings, schemas, and safe next actions before activation.',
161
161
  inputSchema: {
162
162
  type: 'object',
163
163
  properties: {
@@ -342,7 +342,7 @@ const TOOLS = [
342
342
  },
343
343
  {
344
344
  name: 'tokrepo_handoff_plan',
345
- description: 'Inspect local files after a task and return an agent handoff packaging plan. This is read-only and never publishes automatically; use tokrepo_push only after human confirmation with explicit reviewed files.',
345
+ description: 'Inspect local files after a task and return an agent handoff packaging plan with quality_gate, package_manifest, SBOM-lite, and provenance. This is read-only and never publishes automatically; use tokrepo_push only after human confirmation with explicit reviewed files.',
346
346
  inputSchema: {
347
347
  type: 'object',
348
348
  properties: {
@@ -1123,9 +1123,9 @@ function buildCandidate(item, target, ranking = {}) {
1123
1123
  agent_use_contract: [
1124
1124
  'Use only if the capability matches the current subtask.',
1125
1125
  'Call tokrepo_detail before install to inspect content and metadata.',
1126
- 'Call tokrepo_verify to inspect hashes, permissions, trust_score_v2, blockers, and warnings.',
1126
+ 'Call tokrepo_verify to inspect hashes, permissions, trust_score_v2, evidence_bundle, SBOM-lite, signature_evidence, blockers, and warnings.',
1127
1127
  'Call tokrepo audit if future agents need a persistent trust-history snapshot.',
1128
- 'Call tokrepo_install_plan and respect policy_decision before writing files.',
1128
+ 'Call tokrepo_install_plan and respect policy_decision, evidence_bundle, SBOM-lite, signature_evidence, rollback, and verification steps before writing files.',
1129
1129
  'Prefer dry-run or stage-only when risk or fit is uncertain.',
1130
1130
  'After using it, verify the original task outcome and record failures.',
1131
1131
  ],
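Review bot: The two changed `agent_use_contract` strings tell the agent to "inspect" and "respect" `evidence_bundle`, SBOM-lite and `signature_evidence`, but only `policy_decision` is a decision; the others are data, and the text gives no rule for acting on them. State the expected behaviour in the contract itself, for example what the agent should do when `signature_evidence` is absent or reports a failure (stop, stage only, or ask the user), so different agents do not each guess.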
@@ -1207,7 +1207,7 @@ async function handleDiscover(args) {
1207
1207
  'Rank candidates by fit, policy, trust, and whether the entrypoint matches the active agent runtime.',
1208
1208
  'Call tokrepo_detail for the top candidate before installation or use.',
1209
1209
  'Call tokrepo audit if the chosen asset materially affects the task and future agents need a trust-history snapshot.',
1210
- 'Call tokrepo_install_plan and respect policy_decision, rollback, and verification steps.',
1210
+ 'Call tokrepo_install_plan and respect policy_decision, evidence_bundle, SBOM-lite, signature_evidence, rollback, and verification steps.',
1211
1211
  'Dry-run or stage when the asset may write files, execute code, require secrets, or change global config.',
1212
1212
  'Use the installed capability only for the matching subtask, then verify the user goal.',
1213
1213
  'If the agent creates a reusable improvement, ask before publishing and use tokrepo_push with explicit files.',
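Review bot: The changed line here repeats the `tokrepo_install_plan` instruction from `agent_use_contract` in `buildCandidate` with slightly different wording (that copy ends with "before writing files", this one does not). Two hand-maintained copies of a safety instruction will drift; define the sentence once as a shared constant and reference it from both lists.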
@@ -1347,6 +1347,29 @@ async function handleInstall(args) {
1347
1347
 
1348
1348
  async function handleInstallPlan(args) {
1349
1349
  const { uuid, target = 'codex' } = args;
1350
+ if (target === 'codex') {
1351
+ try {
1352
+ const { stdout, stderr } = await runTokrepoCli(['plan', uuid, '--target', target]);
1353
+ let data;
1354
+ try {
1355
+ data = JSON.parse(stdout);
1356
+ } catch {
1357
+ data = { stdout, stderr };
1358
+ }
1359
+ const decision = planPolicyDecision(data);
1360
+ const command = decision === 'allow'
1361
+ ? `tokrepo install ${data.asset_uuid || uuid} --target ${target} --yes`
1362
+ : `tokrepo install ${data.asset_uuid || uuid} --target ${target} --dry-run --json`;
1363
+ return {
1364
+ content: [{
1365
+ type: 'text',
1366
+ text: jsonText(`Install plan v${data.schema_version || 1} for ${data.asset_title || uuid}\n\nPolicy: ${decision}\nCLI: ${command}`, data),
1367
+ }],
1368
+ };
1369
+ } catch {
1370
+ // Fall back to the API plan below when the CLI is unavailable.
1371
+ }
1372
+ }
1350
1373
  const plan = await fetchInstallPlan(uuid, target);
1351
1374
  const decision = planPolicyDecision(plan);
1352
1375
  const command = decision === 'allow'
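Review bot: In the inner `catch` of the new `target === 'codex'` branch, unparseable CLI output becomes `data = { stdout, stderr }` and is still passed to `planPolicyDecision(data)`, so a policy decision and a suggested install command are derived from something that is not a plan. Treat a parse failure as a CLI failure (throw so the API fallback runs) or force the `--dry-run --json` command in that case, rather than depending on what `planPolicyDecision` returns for an object with no plan fields. The outer bare `catch {}` also hides every error raised in the block, not only an unavailable CLI, so any failure silently switches to the API plan; narrow it to the `runTokrepoCli` call and record the reason. Finally, `uuid` goes from `args` into the CLI argument list and `data.asset_uuid` into the command string with no format check visible in this hunk; validate both against the expected UUID shape before use.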
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "tokrepo-mcp-server",
3
- "version": "2.12.0",
3
+ "version": "2.12.2",
4
4
  "description": "Agent-native MCP server for TokRepo - discover, verify, plan, safely install, hand off, and push AI assets from MCP clients.",
5
5
  "mcpName": "io.github.henu-wang/tokrepo-mcp-server",
6
6
  "bin": {