From b929fc4bf58782358cb74116a86c861b33925bb0 Mon Sep 17 00:00:00 2001 From: yanivt Date: Wed, 24 Jun 2026 10:42:07 +0300 Subject: [PATCH 1/7] add jfrog mcp --- .claude-plugin/plugin.json | 2 +- .mcp.json | 8 ++++++++ README.md | 3 ++- 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 .mcp.json diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json index 4c72906..8c748c0 100644 --- a/.claude-plugin/plugin.json +++ b/.claude-plugin/plugin.json @@ -2,7 +2,7 @@ "name": "jfrog", "displayName": "JFrog", "description": "Official JFrog plugin. Connect Claude Code to JFrog to manage, secure, and govern your software supply chain. Give agents the context to build secure, compliant software.", - "version": "0.2.7", + "version": "0.2.8", "author": { "name": "JFrog Ltd.", "email": "devrel@jfrog.com", diff --git a/.mcp.json b/.mcp.json new file mode 100644 index 0000000..d7b7ef3 --- /dev/null +++ b/.mcp.json @@ -0,0 +1,8 @@ +{ + "mcpServers": { + "jfrog": { + "type": "http", + "url": "${JFROG_URL}/mcp" + } + } +} diff --git a/README.md b/README.md index 3d1d95f..69c042b 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ The JFrog plugin provides the following capabilities, grouped by component: | Component | Feature | Description | | --- | --- | --- | +| **MCP** | JFrog MCP server | Remote JFrog MCP server auto-attached to every session via `.mcp.json` at `${JFROG_URL}/mcp` (OAuth, no API keys). | | **Skill** | JFrog Platform | Interact with Artifactory repositories, builds, permissions, users, access tokens, projects, release bundles, and platform administration via the JFrog CLI and REST/GraphQL APIs. Also covers security audits, CVE lookups, and Advanced Security exposure queries. | | **Skill** | Package safety & download | Check whether npm, Maven, PyPI, Go, and other packages are safe, curated, or allowed, then download them through Artifactory remote caches or curation-aware package managers. | | **Hook** | Agent Guard | Claude manages MCPs through the JFrog Agent Guard. Through the Agent Guard you can discover, install, configure, update, and remove MCP servers from the JFrog AI Catalog approved for your project, and authenticate to remote HTTP MCPs via OAuth, API key, or bearer token. | @@ -53,7 +54,7 @@ claude --plugin-dir /path/to/claude-plugin | Variable | Description | | --- | --- | -| `JFROG_URL` | Your JFrog platform URL, e.g. `https://mycompany.jfrog.io` | +| `JFROG_URL` | Your JFrog platform URL, e.g. `https://mycompany.jfrog.io` (no trailing `/`) | | `JFROG_ACCESS_TOKEN` | Your JFrog access token | ### 2. Configure the JFrog CLI From 9aa8838d14f560e72aa623b61c157ca17cf8a9c8 Mon Sep 17 00:00:00 2001 From: Matan Eden <57892946+MatanEden1@users.noreply.github.com> Date: Mon, 29 Jun 2026 10:23:39 +0300 Subject: [PATCH 2/7] Validate JFROG_URL and bump plugin version Mirrors jfrog/vscode-plugin#28: warn early when JFROG_URL is unset or has a trailing slash before the MCP server fails with a confusing DNS or double-slash error, drop the log prefix so the warnings read as plain user-facing messages, and bump the plugin version so users receive the update. Co-Authored-By: Claude Opus 4.8 (1M context) --- .claude-plugin/plugin.json | 2 +- scripts/inject-instructions.mjs | 15 +++++++++++++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json index 8c748c0..5f8a1d4 100644 --- a/.claude-plugin/plugin.json +++ b/.claude-plugin/plugin.json @@ -2,7 +2,7 @@ "name": "jfrog", "displayName": "JFrog", "description": "Official JFrog plugin. Connect Claude Code to JFrog to manage, secure, and govern your software supply chain. Give agents the context to build secure, compliant software.", - "version": "0.2.8", + "version": "0.2.9", "author": { "name": "JFrog Ltd.", "email": "devrel@jfrog.com", diff --git a/scripts/inject-instructions.mjs b/scripts/inject-instructions.mjs index b4ca105..b0f2e2f 100755 --- a/scripts/inject-instructions.mjs +++ b/scripts/inject-instructions.mjs @@ -9,7 +9,7 @@ import { fileURLToPath } from "node:url"; // Logs go to stderr; stdout is reserved for the hook JSON payload. const debugEnabled = process.env.JF_AGENT_GUARD_DEBUG === "true"; -const log = (message) => console.error(`[jfrog-agent-guard] ${message}`); +const log = (message) => console.error(message); const debug = (message) => { if (debugEnabled) log(message); }; @@ -73,12 +73,23 @@ async function isAgentGuardEnabledViaSettings() { if (forceDisabled) { debug("Force-disable flag is set."); process.exit(0); -} else if (forceEnabled) { +} + +// Validate JFROG_URL early to surface misconfigurations before the MCP server +// attempts to connect and fails with a confusing DNS or double-slash error. +if (!process.env.JFROG_URL && !process.env.JF_URL) { + log("JFROG_URL is not set. The JFrog MCP server will be unreachable — set JFROG_URL to your Artifactory base URL (e.g. https://mycompany.jfrog.io) and restart."); +} else if (process.env.JFROG_URL?.endsWith("/")) { + log("JFROG_URL has a trailing slash. This produces a double-slash in the MCP URL and will silently fail — remove the trailing slash and restart."); +} + +if (forceEnabled) { debug("Force-enable flag is set."); } else if (!(await isAgentGuardEnabledViaSettings())) { debug("Agent Guard not enabled; exiting without injecting instructions"); process.exit(0); } + debug("Injecting instructions"); // Derive the plugin root from this script's own location instead of relying From a78521dca7a25c0404745749ac61e3b10c48d6cb Mon Sep 17 00:00:00 2001 From: Matan Eden <57892946+MatanEden1@users.noreply.github.com> Date: Mon, 29 Jun 2026 10:31:07 +0300 Subject: [PATCH 3/7] Validate JFROG_URL configuration to prevent connection errors --- scripts/inject-instructions.mjs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/inject-instructions.mjs b/scripts/inject-instructions.mjs index b0f2e2f..8561489 100755 --- a/scripts/inject-instructions.mjs +++ b/scripts/inject-instructions.mjs @@ -77,7 +77,7 @@ if (forceDisabled) { // Validate JFROG_URL early to surface misconfigurations before the MCP server // attempts to connect and fails with a confusing DNS or double-slash error. -if (!process.env.JFROG_URL && !process.env.JF_URL) { +if (!process.env.JFROG_URL) { log("JFROG_URL is not set. The JFrog MCP server will be unreachable — set JFROG_URL to your Artifactory base URL (e.g. https://mycompany.jfrog.io) and restart."); } else if (process.env.JFROG_URL?.endsWith("/")) { log("JFROG_URL has a trailing slash. This produces a double-slash in the MCP URL and will silently fail — remove the trailing slash and restart."); From 0795bf3be1a38891a2c123b0acf4acb6448aaeaf Mon Sep 17 00:00:00 2001 From: Matan Eden <57892946+MatanEden1@users.noreply.github.com> Date: Mon, 29 Jun 2026 13:55:10 +0300 Subject: [PATCH 4/7] Rename msg to missingUrlWarning and trailingSlashWarning for clarity Co-Authored-By: Claude Sonnet 4.6 --- scripts/inject-instructions.mjs | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/scripts/inject-instructions.mjs b/scripts/inject-instructions.mjs index 8561489..88cbd30 100755 --- a/scripts/inject-instructions.mjs +++ b/scripts/inject-instructions.mjs @@ -78,9 +78,25 @@ if (forceDisabled) { // Validate JFROG_URL early to surface misconfigurations before the MCP server // attempts to connect and fails with a confusing DNS or double-slash error. if (!process.env.JFROG_URL) { - log("JFROG_URL is not set. The JFrog MCP server will be unreachable — set JFROG_URL to your Artifactory base URL (e.g. https://mycompany.jfrog.io) and restart."); + const missingUrlWarning = "JFROG_URL is not set. The JFrog MCP server will be unreachable — set JFROG_URL to your Artifactory base URL (e.g. https://mycompany.jfrog.io) and restart."; + log(missingUrlWarning); + process.stdout.write(JSON.stringify({ + hookSpecificOutput: { + hookEventName: "SessionStart", + additionalContext: `IMPORTANT: Immediately tell the user: "${missingUrlWarning}"`, + }, + })); + process.exit(0); } else if (process.env.JFROG_URL?.endsWith("/")) { - log("JFROG_URL has a trailing slash. This produces a double-slash in the MCP URL and will silently fail — remove the trailing slash and restart."); + const trailingSlashWarning = "JFROG_URL has a trailing slash. This produces a double-slash in the MCP URL and will silently fail — remove the trailing slash and restart."; + log(trailingSlashWarning); + process.stdout.write(JSON.stringify({ + hookSpecificOutput: { + hookEventName: "SessionStart", + additionalContext: `IMPORTANT: Immediately tell the user: "${trailingSlashWarning}"`, + }, + })); + process.exit(0); } if (forceEnabled) { From e76a32a2625e8e41a8d08c8c378294faf9b09ab9 Mon Sep 17 00:00:00 2001 From: Matan Eden <57892946+MatanEden1@users.noreply.github.com> Date: Mon, 29 Jun 2026 14:17:23 +0300 Subject: [PATCH 5/7] refactor: improve trailing slash warning for JFROG_URL configuration --- scripts/inject-instructions.mjs | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/scripts/inject-instructions.mjs b/scripts/inject-instructions.mjs index 88cbd30..6d1b0ee 100755 --- a/scripts/inject-instructions.mjs +++ b/scripts/inject-instructions.mjs @@ -87,16 +87,10 @@ if (!process.env.JFROG_URL) { }, })); process.exit(0); -} else if (process.env.JFROG_URL?.endsWith("/")) { - const trailingSlashWarning = "JFROG_URL has a trailing slash. This produces a double-slash in the MCP URL and will silently fail — remove the trailing slash and restart."; - log(trailingSlashWarning); - process.stdout.write(JSON.stringify({ - hookSpecificOutput: { - hookEventName: "SessionStart", - additionalContext: `IMPORTANT: Immediately tell the user: "${trailingSlashWarning}"`, - }, - })); - process.exit(0); +} else if (process.env.JFROG_URL.endsWith("/")) { + // The settings check normalizes the trailing slash, so Agent Guard and its + // instruction injection still work — warn to stderr but don't exit. + log("JFROG_URL has a trailing slash. This produces a double-slash in the MCP URL and may cause the JFrog MCP server to fail — remove the trailing slash and restart."); } if (forceEnabled) { From d5f2b510b0d0cbb7df287287e069ce4c81ac2d06 Mon Sep 17 00:00:00 2001 From: Matan Eden <57892946+MatanEden1@users.noreply.github.com> Date: Mon, 29 Jun 2026 14:20:18 +0300 Subject: [PATCH 6/7] fix: enhance warning for trailing slash in JFROG_URL to prevent silent failures --- scripts/inject-instructions.mjs | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/scripts/inject-instructions.mjs b/scripts/inject-instructions.mjs index 6d1b0ee..91825b8 100755 --- a/scripts/inject-instructions.mjs +++ b/scripts/inject-instructions.mjs @@ -88,9 +88,15 @@ if (!process.env.JFROG_URL) { })); process.exit(0); } else if (process.env.JFROG_URL.endsWith("/")) { - // The settings check normalizes the trailing slash, so Agent Guard and its - // instruction injection still work — warn to stderr but don't exit. - log("JFROG_URL has a trailing slash. This produces a double-slash in the MCP URL and may cause the JFrog MCP server to fail — remove the trailing slash and restart."); + const trailingSlashWarning = "JFROG_URL has a trailing slash. This produces a double-slash in the MCP URL and will silently fail — remove the trailing slash and restart."; + log(trailingSlashWarning); + process.stdout.write(JSON.stringify({ + hookSpecificOutput: { + hookEventName: "SessionStart", + additionalContext: `IMPORTANT: Immediately tell the user: "${trailingSlashWarning}"`, + }, + })); + process.exit(0); } if (forceEnabled) { From cfececb4612b4def01afd526a84739c8e8f7b07f Mon Sep 17 00:00:00 2001 From: Matan Eden <57892946+MatanEden1@users.noreply.github.com> Date: Mon, 29 Jun 2026 14:40:46 +0300 Subject: [PATCH 7/7] fix: add warning prefix to JFROG_URL validation messages for clarity --- scripts/inject-instructions.mjs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/inject-instructions.mjs b/scripts/inject-instructions.mjs index 91825b8..d17262a 100755 --- a/scripts/inject-instructions.mjs +++ b/scripts/inject-instructions.mjs @@ -78,7 +78,7 @@ if (forceDisabled) { // Validate JFROG_URL early to surface misconfigurations before the MCP server // attempts to connect and fails with a confusing DNS or double-slash error. if (!process.env.JFROG_URL) { - const missingUrlWarning = "JFROG_URL is not set. The JFrog MCP server will be unreachable — set JFROG_URL to your Artifactory base URL (e.g. https://mycompany.jfrog.io) and restart."; + const missingUrlWarning = "WARNING: JFROG_URL is not set. The JFrog MCP server will be unreachable — set JFROG_URL to your Artifactory base URL (e.g. https://mycompany.jfrog.io) and restart."; log(missingUrlWarning); process.stdout.write(JSON.stringify({ hookSpecificOutput: { @@ -88,7 +88,7 @@ if (!process.env.JFROG_URL) { })); process.exit(0); } else if (process.env.JFROG_URL.endsWith("/")) { - const trailingSlashWarning = "JFROG_URL has a trailing slash. This produces a double-slash in the MCP URL and will silently fail — remove the trailing slash and restart."; + const trailingSlashWarning = "WARNING: JFROG_URL has a trailing slash. This produces a double-slash in the MCP URL and will silently fail — remove the trailing slash and restart."; log(trailingSlashWarning); process.stdout.write(JSON.stringify({ hookSpecificOutput: {