feat(bin): add Retell AI inspection AXI and skill#112
Open
MerpGoaterman wants to merge 12 commits into
Open
Conversation
96c9af8 to
a2b850e
Compare
…rom argv, stop tmpfile leak
a2b850e to
2f2160d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Intent
Update the Retell AXI and retellai skill to use the captain's 1Password item named RetellAi Api Credentials instead of Recall.it API Key for the Retell connection. Preserve the existing auth order with RETELL_API_KEY first, keep all output secret-free, update tests and docs to match, and verify the live Retell API auth check succeeds through op without printing the key.
What Changed
bin/retell-axi, a read-only AXI for inspecting a Retell AI workspace (auth check, home view, agents/calls/phone-number listings, MCP config), authenticating viaRETELL_API_KEYfirst then the captain'sRetellAi Api Credentials1Password item, with all output kept secret-free (key passed throughcurl --header @fileto stay out of argv, bounded curl timeouts, node-dependency guard).retellaiskill (.agents/skills/retellai/SKILL.md) documenting the Retell AI interface and pointing at the AXI first, plus a covering test suite intests/retell-axi.test.sh(5 cases including missing-auth home view).CONTRIBUTING.md,README.md, anddocs/scripts.md.Risk Assessment
✅ Low: Well-bounded, read-only, already heavily reviewed tooling; the final intent-change (1Password item rename) is implemented consistently across script, tests, and docs with secret-free output preserved.
Testing
Ran the existing retell-axi behavior suite (5/5 pass) and then performed live verification against the captain's real 1Password vault and the Retell API: with RETELL_API_KEY unset,
retell-axi auth checkresolved the key throughopfrom the new "RetellAi Api Credentials" item and returned status: ok; with the env var set, the source was correctly RETELL_API_KEY, confirming the auth order is preserved. I retrieved the actual secret and confirmed it never appears in any command output, and grepped the whole repo to confirm no "Recall.it" references remain. The user intent is fully demonstrated working end-to-end. No UI surface is involved, so a CLI transcript is the appropriate reviewer-visible artifact.Evidence: Retell AXI 1Password migration - live CLI transcript
## Live auth check (RETELL_API_KEY unset) auth: status: ok source: 1password:RetellAi Api Credentials concurrency: current: 0 limit: 20 ## Secret-free leak scan (live 32-char key_ secret) auth check : clean home view : clean mcp-config : clean agents list: clean ## No residual 'Recall.it' references: none ## Behavior tests: 5/5 okPipeline
Updates from git push no-mistakes
✅ **intent** - passed
✅ No issues found.
✅ **Rebase** - passed
✅ No issues found.
bin/retell-axi:106- op_secret() picks the 1Password field with the highest heuristic score (label/type regex match). For the typical 'RetellAi Api Credentials' API-Credential or Login item this correctly selects the concealed credential field, but an atypical item layout with multiple concealed fields could select the wrong one. Failure mode is a 401 (handled, no secret leak), not a crash, so this is an acceptable design tradeoff rather than a bug.bin/retell-axi:211- The auth header is passed via 'curl --header @file' to keep the key out of argv/ps - good. This @file form requires curl >= 7.55; on an older curl the header would be sent malformed and auth would fail with a 401 (still no key leak). macOS system curl is recent, so this is only a theoretical portability note.✅ **Test** - passed
✅ No issues found.
bash tests/retell-axi.test.sh(5/5 pass)env -u RETELL_API_KEY bin/retell-axi auth check-> status: ok, source: 1password:RetellAi Api Credentials (live API, op resolves new item)RETELL_API_KEY=<real> bin/retell-axi auth check-> source: RETELL_API_KEY (env precedence preserved)Leak scan: retrieved live 32-char key_ secret via op and grep -F acrossauth check, home view,mcp-config,agents listoutputs -> all cleangrep -rn Recall.itacross repo -> none remaining✅ **Document** - passed
✅ No issues found.
✅ **Lint** - passed
✅ No issues found.
✅ **Push** - passed
✅ No issues found.