diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json index 0488a96..36117a0 100644 --- a/.claude-plugin/plugin.json +++ b/.claude-plugin/plugin.json @@ -2,7 +2,7 @@ "name": "jfrog", "displayName": "JFrog", "description": "Official JFrog plugin. Connect Claude Code to JFrog to manage, secure, and govern your software supply chain. Give agents the context to build secure, compliant software.", - "version": "0.2.2", + "version": "0.2.3", "author": { "name": "JFrog Ltd.", "email": "devrel@jfrog.com", diff --git a/templates/jfrog-mcp-management.md b/templates/jfrog-mcp-management.md index 334bb64..a14f7c2 100644 --- a/templates/jfrog-mcp-management.md +++ b/templates/jfrog-mcp-management.md @@ -356,10 +356,16 @@ npx --yes \ [--server ] ``` -Output is a JSON array; each element has `name`, `packageName`, -`description`, `type`, `packageVersion`, optional `env[]`. - -3. Filter out any `packageName` already present in the installed list +The output is a compact TSV: a header line, then one server per line, +tab-separated: `nametypeversiondescription`. +Run the command ONCE and present the rows directly as a numbered +table — do NOT re-run it, redirect it, or parse it with `python3`/`jq`. +The `name` column is the install identifier (the value you pass to +`--inspect --mcp` and to install); `packageName` is NOT a separate +column — for remote/http MCPs there is no package name, so `name` is +the display name. + +3. Filter out any `name` already present in the installed list (compare against `mcp=` in `_JF_ARGS`). Mark the rest as available to install. @@ -385,6 +391,11 @@ Output is a JSON array; each element has `name`, `packageName`, - Package name MUST come from the catalog (`--inspect` / `--list-available`). NEVER guess. NEVER install MCPs outside the agent guard. NEVER use Fetch/WebFetch for catalog calls. +- NEVER pipe a catalog command through `python3`, and NEVER capture it + with `2>&1` — `npx`/`npm` writes progress to stderr, which corrupts + the output stream. For `--list-available` present the compact TSV it + prints; for `--inspect` read the JSON it prints on stdout + directly (or with a single `jq` filter), never via `python3`. - NEVER write a raw secret into `.mcp.json` or `~/.claude.json` — always `${ENV_VAR}`. NEVER show tokens / API keys. - NEVER try multiple servers — ask the user to pick one.