From 302a6aeeb44a7da2ca09a08f9989fbcd67d0dab6 Mon Sep 17 00:00:00 2001 From: Yoni Melki Date: Tue, 2 Jun 2026 22:19:31 +0300 Subject: [PATCH 1/2] AX-1508 - Use compact --list-available output for the MCP catalog agent-guard --list-available now prints a compact TSV by default. Present its rows directly as a numbered table; never parse the catalog with python3 or capture it with 2>&1 (npm/npx writes progress to stderr, which corrupts the stream). packageName can be empty for remote/http MCPs, so use the name column as the install identifier. Co-Authored-By: Claude Opus 4.8 (1M context) --- templates/jfrog-mcp-management.md | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/templates/jfrog-mcp-management.md b/templates/jfrog-mcp-management.md index 334bb64..a14f7c2 100644 --- a/templates/jfrog-mcp-management.md +++ b/templates/jfrog-mcp-management.md @@ -356,10 +356,16 @@ npx --yes \ [--server ] ``` -Output is a JSON array; each element has `name`, `packageName`, -`description`, `type`, `packageVersion`, optional `env[]`. - -3. Filter out any `packageName` already present in the installed list +The output is a compact TSV: a header line, then one server per line, +tab-separated: `nametypeversiondescription`. +Run the command ONCE and present the rows directly as a numbered +table — do NOT re-run it, redirect it, or parse it with `python3`/`jq`. +The `name` column is the install identifier (the value you pass to +`--inspect --mcp` and to install); `packageName` is NOT a separate +column — for remote/http MCPs there is no package name, so `name` is +the display name. + +3. Filter out any `name` already present in the installed list (compare against `mcp=` in `_JF_ARGS`). Mark the rest as available to install. @@ -385,6 +391,11 @@ Output is a JSON array; each element has `name`, `packageName`, - Package name MUST come from the catalog (`--inspect` / `--list-available`). NEVER guess. NEVER install MCPs outside the agent guard. NEVER use Fetch/WebFetch for catalog calls. +- NEVER pipe a catalog command through `python3`, and NEVER capture it + with `2>&1` — `npx`/`npm` writes progress to stderr, which corrupts + the output stream. For `--list-available` present the compact TSV it + prints; for `--inspect` read the JSON it prints on stdout + directly (or with a single `jq` filter), never via `python3`. - NEVER write a raw secret into `.mcp.json` or `~/.claude.json` — always `${ENV_VAR}`. NEVER show tokens / API keys. - NEVER try multiple servers — ask the user to pick one. From 3d1b1f45748c8d9962165147a484bb5917c0237f Mon Sep 17 00:00:00 2001 From: Yoni Melki Date: Mon, 8 Jun 2026 19:04:53 +0300 Subject: [PATCH 2/2] Bump plugin version from 0.2.2 to 0.2.3 in plugin.json to reflect recent updates. --- .claude-plugin/plugin.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json index 0488a96..36117a0 100644 --- a/.claude-plugin/plugin.json +++ b/.claude-plugin/plugin.json @@ -2,7 +2,7 @@ "name": "jfrog", "displayName": "JFrog", "description": "Official JFrog plugin. Connect Claude Code to JFrog to manage, secure, and govern your software supply chain. Give agents the context to build secure, compliant software.", - "version": "0.2.2", + "version": "0.2.3", "author": { "name": "JFrog Ltd.", "email": "devrel@jfrog.com",