From 07bae8351424317c21743f40f2ac7a29314013bb Mon Sep 17 00:00:00 2001 From: Yoni Melki Date: Tue, 2 Jun 2026 22:19:38 +0300 Subject: [PATCH] AX-1508 - Use compact --list-available output for the MCP catalog agent-guard --list-available now prints a compact TSV by default. Present its rows directly as a numbered table; never parse the catalog with python3 or capture it with 2>&1 (npm/npx writes progress to stderr, which corrupts the stream). packageName can be empty for remote/http MCPs, so use the name column as the install identifier. Co-Authored-By: Claude Opus 4.8 (1M context) --- .../jfrog/templates/jfrog-mcp-management.md | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/plugins/jfrog/templates/jfrog-mcp-management.md b/plugins/jfrog/templates/jfrog-mcp-management.md index 2abb620..781457a 100644 --- a/plugins/jfrog/templates/jfrog-mcp-management.md +++ b/plugins/jfrog/templates/jfrog-mcp-management.md @@ -329,10 +329,16 @@ npx --yes \ [--server ] ``` -Output is a JSON array; each element has `name`, `packageName`, -`description`, `type`, `packageVersion`, optional `env[]`. - -3. Filter out any `packageName` already present in the installed list +The output is a compact TSV: a header line, then one server per line, +tab-separated: `nametypeversiondescription`. +Run the command ONCE and present the rows directly as a numbered +table — do NOT re-run it, redirect it, or parse it with `python3`/`jq`. +The `name` column is the install identifier (the value you pass to +`--inspect --mcp` and to install); `packageName` is NOT a separate +column — for remote/http MCPs there is no package name, so `name` is +the display name. + +3. Filter out any `name` already present in the installed list (compare against `mcp=` in `_JF_ARGS`). Mark the rest as available to install. @@ -358,6 +364,11 @@ Output is a JSON array; each element has `name`, `packageName`, - Package name MUST come from the catalog (`--inspect` / `--list-available`). NEVER guess. NEVER install MCPs outside the gateway. NEVER use Fetch/WebFetch for catalog calls. +- NEVER pipe a catalog command through `python3`, and NEVER capture it + with `2>&1` — `npx`/`npm` writes progress to stderr, which corrupts + the output stream. For `--list-available` present the compact TSV it + prints; for `--inspect` read the JSON it prints on stdout + directly (or with a single `jq` filter), never via `python3`. - NEVER write a raw secret into `mcp.json` — always use `${env:VAR_NAME}`. NEVER show tokens / API keys. - NEVER try multiple servers — ask the user to pick one.