feat(mcp): JFrog Platform remote MCP (token auth) + install hint#19
feat(mcp): JFrog Platform remote MCP (token auth) + install hint#19michaelfrog wants to merge 4 commits into
Conversation
In the same config hook that registers the vendored skills, inject
config.mcp.jfrog as an OpenCode remote MCP at https://<host>/mcp when both a
host (JFROG_URL / JF_URL / JFROG_PLATFORM_URL) and a token env (JFROG_ACCESS_TOKEN
/ JF_ACCESS_TOKEN) are present and JFROG_MCP_DISABLE is not set.
- Token auth, headless: oauth:false + Authorization: "Bearer {env:<TOKEN_VAR>}".
The {env:} reference keeps the raw token out of the config (logs/state/rotation).
- Idempotent and non-destructive: never clobbers a user-defined mcp.jfrog.
- URL normalization (strip scheme + trailing slash); pure sync mutation, no
network on load. Skips cleanly (log only) when unconfigured.
- Tests cover the full matrix; README documents setup, the JWT-token requirement,
and the JFROG_MCP_DISABLE opt-out.
Co-authored-by: Cursor <cursoragent@cursor.com>
Default-on for parity with the Cursor/Claude plugins; note the ~32K (OpenCode) / ~44K (Cursor) per-request tool-schema cost and the JFROG_MCP_DISABLE / tools scoping escape hatches. Skills do not carry this cost. Co-authored-by: Cursor <cursoragent@cursor.com>
…r + tests
- Inject the resolved Bearer token directly (OpenCode does not expand {env:} in
plugin-injected config), so the JFrog MCP actually authenticates headlessly.
- Just-in-time install-jf hint via tool.execute.before; MCP setup issues
(missing env, non-JWT token, 401) are surfaced by OpenCode's mcp list/TUI and
the README, with a debug WARNING for non-JWT tokens.
- Functional refactor (pure helpers) + unit tests for registration, gating,
idempotency, host/token precedence + normalization, and the install hint.
- README: JFrog MCP prerequisites, token handling, context cost, 401 troubleshooting.
Co-authored-by: Cursor <cursoragent@cursor.com>
YoniMelki
left a comment
YoniMelki
left a comment
There was a problem hiding this comment.
4 findings, 2 confirmed bugs + 2 design issues:
- Windows
commandExists(line 53):split(':')hardcodes Unix PATH separator;.exe/.cmdextension not probed.hasJfCliis always false on Windows. - Silent
http://→https://upgrade (line 97):normalizeHoststrips scheme,mcpServerEntryhardcodeshttps://. On-prem HTTP instances get a broken MCP URL with no warning. - No dedup guard on error toast (line 115): The
nudgeShownguard was removed with the info toast, but the broken-package error toast has no equivalent — it fires on every config call. registerMcpskipped when skills broken (line 196): Two independent features are coupled; a missingskills/dir silently prevents MCP registration.
|
|
||
| /** True if `cmd` is found as an executable on PATH. Cheap synchronous scan; spawns no subprocess. */ | ||
| const commandExists = (cmd: string): boolean => | ||
| (process.env.PATH ?? '').split(':').some((dir) => { |
There was a problem hiding this comment.
Bug: Windows PATH separator
split(':') hardcodes the Unix separator. On Windows PATH uses ;, so the entire path string is treated as one token and accessSync always fails — hasJfCli is always false, and the install-hint toast fires on every jf command even when jf.exe is installed.
Also: even with the correct separator, Windows executables are named jf.exe, so accessSync(join(dir, 'jf'), X_OK) won't find them.
// fix
import { delimiter } from 'path';
(process.env.PATH ?? '').split(delimiter).some((dir) => {
if (!dir) return false;
const names = process.platform === 'win32' ? [cmd + '.exe', cmd + '.cmd'] : [cmd];
return names.some((name) => {
try { accessSync(join(dir, name), constants.X_OK); return true; }
catch { return false; }
});
});There was a problem hiding this comment.
Fixed in c38990f — commandExists now splits on path.delimiter (not a hardcoded :) and probes .exe/.cmd/.bat on Windows, so hasJfCli resolves correctly cross-platform.
| */ | ||
| const mcpServerEntry = ({ host }: McpCredentials, token: string): McpServer => ({ | ||
| type: 'remote', | ||
| url: `https://${host}/mcp`, |
There was a problem hiding this comment.
Bug: http:// scheme silently upgraded to https://
normalizeHost strips the scheme unconditionally, and mcpServerEntry always prepends https://. A user with JFROG_URL=http://internal.corp gets url: 'https://internal.corp/mcp' — a TLS handshake failure against an HTTP-only server, with no log or toast explaining the mismatch.
Fix: either preserve the original scheme through resolveMcpCredentials and pass it to mcpServerEntry, or reject http:// URLs early with an error toast saying HTTPS is required.
There was a problem hiding this comment.
Fixed in c38990f — replaced normalizeHost with toBaseUrl, which preserves an explicit http:///https://, defaults to https:// only when no scheme is given, and strips trailing slashes. Added unit tests covering both the http-preserved and https-default cases.
| `JFrog: bundled skills not found at ${BUNDLED_SKILLS_DIR}. ` + | ||
| 'The plugin package may be broken; reinstall @jfrog/opencode-jfrog-plugin.'; | ||
| log('ERROR ' + message); | ||
| toast(message, 'error'); |
There was a problem hiding this comment.
Bug: error toast has no dedup guard
The old nudgeShown flag prevented repeated toasts across multiple config calls. That guard was removed with the info toast, but the error toast here has no equivalent. OpenCode calls the config hook multiple times per session (that's exactly why nudgeShown existed), so a broken install spams this toast on every call.
Add a module-level flag (e.g. let errorShown = false) and short-circuit here — same pattern as installHintShown.
There was a problem hiding this comment.
Fixed in c38990f — added a module-level skillsErrorShown guard so the broken-package error logs and toasts at most once per session, even though the config hook runs multiple times.
| log('ERROR ' + message); | ||
| toast(message, 'error'); | ||
| const cfg = config as ConfigWithJfrog; | ||
| if (!registerSkills(cfg, log, toast)) { |
There was a problem hiding this comment.
Design: registerMcp silently skipped when skills are broken
Skills and MCP are independent features — a missing skills/ dir (broken package layout) shouldn't disable token-auth MCP registration. A user with valid JFROG_URL + JFROG_ACCESS_TOKEN and a partially corrupted install loses both features, but only sees the skills error.
// current — MCP never runs if skills are broken
if (!registerSkills(cfg, log, toast)) {
return;
}
registerMcp(cfg, log);
// suggested — run both regardless
registerSkills(cfg, log, toast);
registerMcp(cfg, log);There was a problem hiding this comment.
Fixed in c38990f — the config hook now calls registerSkills(...) and registerMcp(...) unconditionally instead of early-returning on a skills failure, so token-auth MCP registration is no longer coupled to the skills dir being present.
…toast dedup, skills/MCP decoupling - commandExists: use path.delimiter and probe Windows .exe/.cmd/.bat - MCP base URL: preserve explicit http://, default https://, strip trailing slash - skills-not-found error toast/log deduped via module-level guard (once per session) - config hook registers skills and MCP unconditionally (independent features) Co-authored-by: Cursor <cursoragent@cursor.com>
2 participants
Summary
Adds the JFrog Platform remote MCP to the OpenCode plugin (token auth, headless), on top of the skills work (#16). When
JFROG_URL+JFROG_ACCESS_TOKENare set, the plugin registersconfig.mcp.jfrogso the JFrog platform tools appear in OpenCode alongside the skills.What changed
confighook:config.mcp.jfrog→ remotehttps://<host>/mcp,oauth:false,Authorization: Bearer <token>. Env-gated (host and token required), host precedenceJFROG_URL→JF_URL→JFROG_PLATFORM_URL+ scheme/trailing-slash normalization, idempotent (never clobbers a user-definedjfrog),JFROG_MCP_DISABLEopt-out. No network on load.{env:…}in config a plugin injects at runtime, so the plugin reads the token from the environment and sets the resolvedBearer <token>header directly. The token lives in the in-memory session config (sourced from env); the plugin never writes it to disk. Prefer a short-livedjf atctoken.jfhint: atool.execute.beforehook nudges once/session to install the CLI whenjfis missing and ajfcommand runs. MCP setup problems (missing env, non-JWT token,401) are surfaced by OpenCode's ownmcp list/TUI + the README — aWARNINGline is logged (debug) for a non-JWT token.resolveMcpCredentials,mcpServerEntry,commandExists,looksLikeJwt); unit tests for registration, gating, idempotency, host/token precedence + normalization, reference-token-still-registers, and the install hint.401troubleshooting.Verification
lint/typecheck/test(26 pass) /buildgreen;sync-skills:check+pack:checkpass.opencode mcp listshows✓ jfrog connected+jfrog_*tools; reference token →401(surfaced by OpenCode) + debugWARNING; no env → not registered;JFROG_MCP_DISABLE=true→ not registered.Notes
56 tools (+32K tokens/request; OpenCode has no lazy tool loading). Enabled by default for parity with the Cursor/Claude plugins; opt out withJFROG_MCP_DISABLE=trueor scope viatoolsglobbing.