From 871bdb0a696b59a5225c0d8491c294f2bf06ba5d Mon Sep 17 00:00:00 2001 From: Yoni Melki Date: Tue, 2 Jun 2026 22:19:45 +0300 Subject: [PATCH] AX-1508 - Use compact --list-available output for the MCP catalog agent-guard --list-available now prints a compact TSV by default. Present its rows directly as a numbered table; never parse the catalog with python3 or capture it with 2>&1 (npm/npx writes progress to stderr, which corrupts the stream). packageName can be empty for remote/http MCPs, so use the name column as the install identifier. Co-Authored-By: Claude Opus 4.8 (1M context) --- plugin/templates/copilot-instructions.md | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/plugin/templates/copilot-instructions.md b/plugin/templates/copilot-instructions.md index 2e470a6..feabbd8 100644 --- a/plugin/templates/copilot-instructions.md +++ b/plugin/templates/copilot-instructions.md @@ -275,12 +275,16 @@ npx --yes \ --project ``` -The output is a JSON array where each element has `name`, -`packageName`, `description`, `type`, `packageVersion`, and optionally -an inline `env[]` array of required environment variables (same shape -as the full `--inspect` output). - -3. Compare each `packageName` against the `_JF_ARGS` values +The output is a compact TSV: a header line, then one server per line, +tab-separated: `nametypeversiondescription`. +Run the command ONCE and present the rows directly as a numbered +table - do NOT re-run it, redirect it, or parse it with `python3`/`jq`. +The `name` column is the install identifier (the value you pass to +`--inspect --mcp` and to install); `packageName` is NOT a separate +column - for remote/http MCPs there is no package name, so `name` is +the display name. + +3. Compare each `name` against the `_JF_ARGS` values already present in `.vscode/mcp.json` to mark each one as "available to install" or "already installed". @@ -301,6 +305,11 @@ as the full `--inspect` output). `~/.jfrog/jfrogmcp.conf.json`. - `_JF_ARGS` MUST contain `project=&mcp=`. - Package name MUST come from the catalog API. NEVER guess. +- NEVER pipe a catalog command through `python3`, and NEVER capture it + with `2>&1` - `npx`/`npm` writes progress to stderr, which corrupts + the output stream. For `--list-available` present the compact TSV it + prints; for `--inspect` read the JSON it prints on stdout + directly (or with a single `jq` filter), never via `python3`. - NEVER install MCPs directly via `npx`/`pip`/`docker` - always use the agent guard pattern above. - NEVER write `"type": "sse"`, `"type": "http"`, or a top-level `"url"`