This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new 549af7a070e Sync magpie setup bootstrap with upstream sandbox-bypass 
guidance (#69421)
549af7a070e is described below

commit 549af7a070e650fdaeb27c4260c0baaccb3ac701
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sat Jul 11 08:27:48 2026 +0200

    Sync magpie setup bootstrap with upstream sandbox-bypass guidance (#69421)
    
    The committed magpie-setup bootstrap copy had drifted behind the upstream 
apache/magpie framework. Refreshing it from the current framework snapshot 
documents the sandbox bypass an isolated agent needs when the snapshot's nested 
.git blocks the delete-and-reclone during an upgrade, and picks up the newer 
setup sub-actions (setup-status, override-upstream, upstream-fix) and verify 
checks.
---
 .agents/skills/magpie-setup/SKILL.md   |  2 ++
 .agents/skills/magpie-setup/adopt.md   | 60 +++++++++++++++++++++++++++++++++-
 .agents/skills/magpie-setup/agents.md  |  1 +
 .agents/skills/magpie-setup/upgrade.md | 15 +++++++++
 .agents/skills/magpie-setup/verify.md  |  1 +
 5 files changed, 78 insertions(+), 1 deletion(-)

diff --git a/.agents/skills/magpie-setup/SKILL.md 
b/.agents/skills/magpie-setup/SKILL.md
index ac8e394b03d..31f151a5f2b 100644
--- a/.agents/skills/magpie-setup/SKILL.md
+++ b/.agents/skills/magpie-setup/SKILL.md
@@ -1,4 +1,6 @@
 ---
+# SPDX-License-Identifier: Apache-2.0
+# https://www.apache.org/licenses/LICENSE-2.0
 name: magpie-setup
 description: |
   Adopt and maintain the apache-magpie framework in a project
diff --git a/.agents/skills/magpie-setup/adopt.md 
b/.agents/skills/magpie-setup/adopt.md
index 1bcf79c64cb..d09b6b67417 100644
--- a/.agents/skills/magpie-setup/adopt.md
+++ b/.agents/skills/magpie-setup/adopt.md
@@ -279,6 +279,13 @@ Per the chosen method (FRESH) or per the committed lock
   verify, `unzip` to `.apache-magpie/`. Re-fetch
   verification details into `<committed-lock>` (FRESH only).
 
+**Sandboxed agents:** for the `git-branch` / `git-tag` methods
+the clone writes the snapshot's nested `.apache-magpie/.git/`,
+which is in Claude Code's git-internals write-deny set, so the
+clone fails with `operation not permitted`. Only the local
+`.git/` write is blocked (the fetch host is allowlisted) —
+propose a sandbox bypass to the operator before cloning.
+
 If `<snapshot-dir>/` already exists with content, skip the
 fetch — the recipe ran first and left the snapshot in place.
 
@@ -954,6 +961,50 @@ Add `mcp__apache-projects__*` to the per-family permission
 allow-list recommendation exactly as the `mcp__ponymail__*` tools
 are handled — both are read-only and scoped.
 
+## Step 9d — gmail-plaintext MCP (optional, Gmail drafters)
+
+**Run this step only for operators who draft mail from an agent**
+(the `security` family's mailing-list replies, release announcements,
+etc.). It is **optional** and not ASF-gated — unlike the comdev
+servers in 9c, this one ships **in-repo** as part of the
+[`oauth-draft`](../../tools/gmail/oauth-draft/README.md#mcp-server)
+tool, so there is nothing to clone.
+
+`gmail-plaintext` exposes one tool, `create_draft`, that POSTs a raw
+`text/plain` message straight to Gmail's `drafts.create` — links go
+out verbatim. Prefer it over the claude.ai Gmail connector's
+`create_draft`, which rewrites embedded URLs into Google tracking
+redirects (see
+[`tools/gmail/draft-backends.md`](../../tools/gmail/draft-backends.md#privacy-warning--the-claudeai-gmail-mcp-rewrites-embedded-urls-into-google-tracking-redirects)).
+
+Same hands-off contract as 9c — **surface, do not run**:
+
+1. **Prerequisite — auth:** a Gmail OAuth credential at
+   `~/.config/apache-magpie/gmail-oauth.json`. The operator can create it
+   either with the
+   
[`oauth-draft-setup`](../../tools/gmail/oauth-draft/README.md#setup--one-time)
+   CLI **or** by calling the server's own `setup_credentials` tool once —
+   both run the same consent flow and write the same file, which also backs
+   the CLI `oauth-draft-*` scripts.
+2. **Surface the registration** (user scope; the `--extra mcp` pulls
+   the optional `mcp` SDK):
+
+   ```bash
+   claude mcp add gmail-plaintext -s user -- \
+     uv run --project <framework>/tools/gmail/oauth-draft --extra mcp 
oauth-draft-mcp
+   ```
+
+   The tools then appear under the `mcp__gmail-plaintext__*` prefix
+   (`create_draft`, `setup_credentials`, `check_auth`). Registering at
+   **user scope** installs it for the operator, not a single project — it
+   is then usable by **any** agent session on the machine, Magpie-related
+   or not (see [`tools/gmail/oauth-draft/README.md` → MCP 
server](../../tools/gmail/oauth-draft/README.md#mcp-server)).
+3. **Reflect the outcome** in the recommended permission allow-list
+   (add `mcp__gmail-plaintext__create_draft` alongside the Gmail read
+   tools — see [`verify.md`](verify.md) check 8d). It only ever creates
+   **unsent** drafts the human reviews and sends, so allow-listing it
+   avoids a prompt on every draft.
+
 ## Step 10 — Worktree-aware post-checkout hook (FRESH only)
 
 Install `<repo-root>/.git/hooks/post-checkout` — a best-effort
@@ -1241,10 +1292,17 @@ Four passes, in this order:
 
      ```json
      { "matcher": "Bash", "hooks": [ { "type": "command",
-       "command": "python3 
\"$CLAUDE_PROJECT_DIR/.claude/hooks/agent-guard.py\"",
+       "command": "[ -f \"$CLAUDE_PROJECT_DIR/.claude/hooks/agent-guard.py\" ] 
&& python3 \"$CLAUDE_PROJECT_DIR/.claude/hooks/agent-guard.py\" || true",
        "timeout": 30 } ] }
      ```
 
+     The `[ -f … ] && … || true` guard makes the hook a **no-op on a
+     fresh clone** — before `/magpie-setup` has synced `agent-guard.py`
+     in (the script is gitignored framework code, not committed), so
+     without the guard the committed hook would exec a missing file on
+     every Bash call and a `PreToolUse` error can block the tool. Once
+     the script is present the guard passes and the hook runs normally.
+
      Wiring happens **only once**; thereafter guards are
      added/removed purely by syncing `guards.d` — no settings.json
      change. If the `hooks.PreToolUse` entry is already present,
diff --git a/.agents/skills/magpie-setup/agents.md 
b/.agents/skills/magpie-setup/agents.md
index f8210e6d6b7..bc870ddfd54 100644
--- a/.agents/skills/magpie-setup/agents.md
+++ b/.agents/skills/magpie-setup/agents.md
@@ -27,6 +27,7 @@ go"*, never as *"what files contain"*.
 | `github` | `.github/skills/` | native (relay) | GitHub's skill loader |
 | `windsurf` | `.windsurf/skills/` | native (relay) | Windsurf |
 | `goose` | `.goose/skills/` | native (relay) | Goose |
+| `kiro` | `.kiro/skills/` | native (relay) | Kiro CLI |
 
 The table is **extensible**: a new agent that wants framework
 skills is one new row (`id`, project dir, kind), nothing else —
diff --git a/.agents/skills/magpie-setup/upgrade.md 
b/.agents/skills/magpie-setup/upgrade.md
index 25353041d14..a13ec337ce2 100644
--- a/.agents/skills/magpie-setup/upgrade.md
+++ b/.agents/skills/magpie-setup/upgrade.md
@@ -168,6 +168,14 @@ The snapshot is gitignored — destroying it loses no
 committed work. Do this **before** the new install to avoid
 "new layered on top of old" partial state.
 
+**Sandboxed agents:** the snapshot's nested `.git/` (its
+`config` + `hooks/*.sample`) sits in Claude Code's built-in
+git-internals write-deny set, so this `rm -rf` fails with
+`operation not permitted` and leaves the snapshot half-deleted.
+Propose a sandbox bypass to the operator *before* running it —
+the same propose-then-bypass pattern Step 6c uses for its
+`.claude/` writes.
+
 ## Step 4 — Install per the committed lock
 
 Per `<committed-lock>.method`:
@@ -184,6 +192,13 @@ Per `<committed-lock>.method`:
   **mandatory**; mismatched SHA-512 stops the upgrade and
   surfaces the discrepancy.
 
+**Sandboxed agents (git methods):** writing the clone's nested
+`.apache-magpie/.git/hooks/*.sample` hits the same git-internals
+write-deny set, so `git clone` fails with `operation not
+permitted`. The fetch host is already allowlisted — only the
+local `.git/` write needs the bypass; propose it before cloning,
+as in Step 3.
+
 After install, capture the actual on-disk state for the
 new `<local-lock>`:
 
diff --git a/.agents/skills/magpie-setup/verify.md 
b/.agents/skills/magpie-setup/verify.md
index 1d086200b5e..107661eea2c 100644
--- a/.agents/skills/magpie-setup/verify.md
+++ b/.agents/skills/magpie-setup/verify.md
@@ -550,6 +550,7 @@ adopter opted into via
   - `mcp__claude_ai_Gmail__search_threads`
   - `mcp__claude_ai_Gmail__list_drafts`
   - `mcp__claude_ai_Gmail__list_labels`
+  - `mcp__gmail-plaintext__create_draft`
   - `mcp__ponymail__search_list`
   - `mcp__ponymail__auth_status`
   - `mcp__ponymail__get_thread`

Reply via email to