Merge pull request #104 from angaduom/fix-jira-auth-detection

fix: MCP-first Jira auth and diagnose Ambient env var accessibility

Author: bobbravo2

workflows/cve-fixer/.ambient/ambient.json

@@ -2,7 +2,7 @@
   "name": "CVE Fixer",
   "description": "Automate remediation of CVE issues reported by ProdSec team in Jira by creating pull requests with dependency updates and patches",
   "systemPrompt": "You are a CVE remediation assistant for the Ambient Code Platform. Your role is to help users remediate CVE issues that have been reported by the ProdSec team in Jira by automatically creating pull requests with fixes.\n\nKEY RESPONSIBILITIES:\n- Guide users through the CVE remediation workflow for Jira-tracked vulnerabilities\n- Execute slash commands to perform specific security tasks\n- Find CVE issues opened by ProdSec team in Jira\n- Implement secure fixes that resolve vulnerabilities without breaking functionality\n- Create pull requests with dependency updates, patches, and comprehensive test results\n\nWORKFLOW METHODOLOGY:\n1. FIND - Find CVEs already reported in Jira for a component\n2. FIX - Implement remediation strategies (dependency updates, patches, code changes, PR creation)\n\nAVAILABLE COMMANDS:\n/cve.find - Find CVEs reported in Jira for a specific component\n/cve.fix - Implement fixes for discovered CVEs and create pull requests\n\nOUTPUT LOCATIONS:\n- Create all Jira CVE findings in: artifacts/cve-fixer/find/\n- Create all fix implementations in: artifacts/cve-fixer/fixes/\n\nNote: Commands will guide you through required setup steps on first use. If the user's component is not in component-repository-mappings.json, direct them to the \"Team Onboarding\" section in README.md.",
-  "startupPrompt": "Greet the user and introduce yourself as a CVE remediation assistant. Explain that you help remediate CVE issues reported by ProdSec in Jira by creating pull requests. Mention the two commands: /cve.find to discover CVEs and /cve.fix to implement fixes. If this is their first time, point them to README.md Team Onboarding for setup. Suggest starting with /cve.find and ask what they'd like to work on.",
+  "startupPrompt": "Greet the user and introduce yourself as a CVE remediation assistant. Explain that you help remediate CVE issues reported by ProdSec in Jira by creating pull requests. Mention the three commands: /onboard to add a new component, /cve.find to discover CVEs, and /cve.fix to implement fixes. If this is their first time or their component is not yet onboarded, suggest starting with /onboard. Otherwise suggest /cve.find and ask what they'd like to work on.",
   "results": {
     "Jira CVE Issues": "artifacts/cve-fixer/find/**/*.md",
     "Fix Implementations": "artifacts/cve-fixer/fixes/**/*"

workflows/cve-fixer/.claude/commands/cve.find.md

@@ -54,13 +54,46 @@ Report: artifacts/cve-fixer/find/cve-issues-20260226-145018.md
 
 2. **Verify Jira Access**
 
-   Secrets may be injected by the Ambient session, a secrets manager, or an MCP server — do NOT rely solely on bash env var checks. Instead, attempt a lightweight test API call and let the response determine whether credentials are available.
+   **ALWAYS check for a Jira MCP server first** before attempting any curl/env var approach.
+
+   **2.1: Check for Jira MCP server — follow these exact steps in order**
+
+   **Step A**: If `mcp__session__refresh_credentials` is in the deferred tools list, call it now.
+   This activates workspace integrations including Jira.
+
+   **Step B**: Immediately after (or if no refresh was needed), attempt to fetch the Jira
+   tool directly using `select:` syntax — do this regardless of whether you think it exists:
+
+   ```
+   ToolSearch: select:mcp__mcp-atlassian__jira_search
+   ```
+
+   **Step C**: If Step B returns the tool schema → use it for all Jira queries. Done.
+   Print: "✅ Using mcp__mcp-atlassian__jira_search"
+
+   **NEVER run a generic keyword ToolSearch like "jira search atlassian" or "jira MCP".
+   Generic searches return unrelated tools and cause false "not found" conclusions.
+   The `select:` syntax either returns the exact tool or nothing — use only that.**
+
+   If `select:mcp__mcp-atlassian__jira_search` returns nothing → the tool is not available
+   in this session. Proceed to Step 2.2 (curl fallback).
+
+   **2.2: Fallback — curl with credentials (always attempt, even if bash says vars are unset)**
+
+   If no Jira MCP tool is available, attempt the curl auth call regardless of whether the
+   bash env var check shows the vars as set or not. Ambient secrets can be injected at the
+   curl level even when not visible to shell variable checks — the only reliable test is the
+   actual API call response.
 
    ```bash
    JIRA_BASE_URL="https://redhat.atlassian.net"
-   AUTH=$(echo -n "${JIRA_EMAIL}:${JIRA_API_TOKEN}" | base64)
+   AUTH=$(echo -n "${JIRA_EMAIL}:${JIRA_API_TOKEN}" | base64 | tr -d '\n')
+
+   # Diagnostic only — do NOT stop if these are "no"
+   echo "JIRA_API_TOKEN in bash env: $([ -n "${JIRA_API_TOKEN}" ] && echo yes || echo no)"
+   echo "JIRA_EMAIL in bash env: $([ -n "${JIRA_EMAIL}" ] && echo yes || echo no)"
+   echo "Attempting Jira API call regardless..."
 
-   # Retry once on network failure (curl exit code 000 = timeout/no response)
    for ATTEMPT in 1 2; do
      TEST_RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -X GET \
        --connect-timeout 10 --max-time 15 \
@@ -74,29 +107,22 @@ Report: artifacts/cve-fixer/find/cve-issues-20260226-145018.md
    ```
 
    - **HTTP 200** → credentials valid, proceed
-   - **HTTP 401** → credentials missing or invalid. Note: `/rest/api/3/myself` returns 401 for all authentication failures — there is no separate 403 for this endpoint. Only now inform the user:
-     - Check if `JIRA_API_TOKEN` and `JIRA_EMAIL` are configured as Ambient session secrets
-     - If not, generate a token at https://id.atlassian.com/manage-profile/security/api-tokens and export:
-
-       ```bash
-       export JIRA_API_TOKEN="your-token-here"
-       export JIRA_EMAIL="your-email@redhat.com"
-       ```
-   - **HTTP 000 after retry** → persistent network issue — inform user and stop
-
-   **Do NOT pre-check env vars with `[ -z "$JIRA_API_TOKEN" ]` and stop.** The variables may be available to the API call even if not visible to the shell check (e.g. Ambient secrets injection).
+   - **HTTP 401** → credentials truly not available or expired. Only now stop and inform user:
+     configure `JIRA_API_TOKEN` and `JIRA_EMAIL` as Ambient workspace secrets or export them
+   - **HTTP 000 after retry** → network issue — inform user and stop
 
 3. **Query Jira for CVE Issues**
 
-   a. Set up variables (AUTH already set from Step 2):
+   a. Set up variables:
 
    ```bash
    COMPONENT_NAME="[from step 1]"
    JIRA_BASE_URL="https://redhat.atlassian.net"
-   # AUTH already constructed in Step 2 — reuse it
+   # If using MCP (Step 2.1): pass JQL directly to MCP tool — no AUTH needed
+   # If using curl (Step 2.2): AUTH already constructed in Step 2 — reuse it
    ```
 
-   b. Construct JQL query and execute API call:
+   b. Construct JQL query and execute via MCP or curl:
 
    ```bash
    # Normalize component name with case-insensitive lookup against mapping file