AX-1694 — Align VS Code copilot-instructions with Claude/Cursor agent-guard docs

[MatanEden1]

Jira Ticket Path: https://jfrog-int.atlassian.net/browse/AX-1694

The VS Code MCP-management instructions had drifted from the updated Claude and Cursor agent-guard instructions, and the plugin still shipped them via the legacy platform-specific shell scripts. This PR aligns the template with the same structure and rules as Claude/Cursor and replaces the shell scripts with a single cross-platform Node injector, while preserving the VS Code-native mechanics that intentionally differ from Claude/Cursor.

Changes

• Replace the shell scripts with a Node injector. Deleted scripts/ensure-instructions.sh and scripts/ensure-instructions.ps1; added scripts/inject-instructions.mjs. The injector resolves JFrog credentials (env vars JFROG_URL/JF_URL + token, falling back to the JFrog CLI's default server via jf config export), checks whether Agent Guard is enabled for the account, and — when enabled — emits the template via hookSpecificOutput.additionalContext for the SessionStart hook. Honors _JF_AGENT_GUARD_FORCE_DISABLE / JF_AGENT_GUARD_FORCE_ENABLE. Fails closed (emits {} and exits 0) on any error.
• Delivery is additionalContext-only. The injector no longer writes a workspace instructions file; the instructions are delivered solely through the SessionStart hook payload, which the IDE consumes directly.
• Update hooks.json to the SessionStart shape and point it at node inject-instructions.mjs (timeout 7s).
• Restructure the template (templates/jfrog-mcp-management.md) to match the Claude/Cursor layout: Pre-flight section (live-execution rule, mandatory <PROJECT>, auto-resolvable <SERVER_ID>, network note), catalog-first "Adding an MCP" flow, numbered Steps 1–5 with explicit start+verify (4a) and OAuth login (5), the Listing routing table, and expanded Key Rules / Troubleshooting. Wording that had drifted is now aligned verbatim with the references.
• Preserve the VS Code secrets model: top-level inputs + ${input:...} substitution + OS-keychain prompt-on-first-start (not shell env-var export), CodeLens / MCP: List Servers mechanics, the real VS Code MCP config locations (workspace .vscode/mcp.json and the user-profile .../Code/User/mcp.json), and orphaned-inputs cleanup on removal.
• Bump version to 1.0.4 (marketplace.json and plugin/.claude-plugin/plugin.json) so the new instructions ship.
• Add a smoke test + CI. scripts/validate-template.mjs (run by a Validate Template workflow on every PR) asserts the injector parses, force-enable emits valid JSON with a non-empty hookSpecificOutput.additionalContext, force-disable emits {}, the template the injector reads resolves, and hooks.json wires SessionStart to the injector — guarding the template-filename/read-path drift that recurred during review. Mirrors the validators in claude-plugin/cursor-plugin.

Runtime note

For CLI-credential users (no JFROG_URL/JFROG_ACCESS_TOKEN set), the injector spawns jf config export (bounded by a 3s timeout) plus one settings network call on every SessionStart; env-var users skip the jf spawn. All paths fail closed (emit {}, exit 0).

Intentional divergences from Claude/Cursor

These differ on purpose because the IDE requires it or by product decision — they are not drift:

• Default install scope is user-level (.../Code/User/mcp.json), with the workspace .vscode/mcp.json as the "for this project / commit / share" opt-in. Claude/Cursor default to the project file; VS Code defaults to user-level so installed MCPs follow the user across all workspaces.
• No agent-runnable mcp list. Claude/Cursor have CLI list commands (claude mcp list / cursor agent mcp list); VS Code's MCP: List Servers is UI-only, so "Currently installed" reads the config files directly and defers live status to a user-ask.
• Start & verify are user actions. Starting the server, entering inputs at the keychain prompt, and reading server status are VS Code UI actions the agent cannot perform, so 4a asks the user and acts on what they report.
• The inputs/${input:...}/keychain model replaces Claude/Cursor's shell ${VAR}/${env:VAR} exports entirely.

align to:
claude-plugin commit_id: 97e25cc7db106c7fb6e2343968cbfe8fe5e5963a
cursor-plugin commit_id: 72bd39a7c2cec02fea39dbe97e51f039cc4bada7

Tests

Automated: scripts/validate-template.mjs runs on every PR via the Validate Template workflow (verified it goes red on a simulated template-filename drift and green once fixed).

Manual: exercised the injector across force-disable / force-enable / env-var creds / jf config export decode / malformed-token / missing-jf paths — all emit valid JSON and fail closed. Template reviewed section-by-section against the Claude/Cursor references.

🤖 Generated with Claude Code

[YoniMelki]

Review: requesting changes

Reviewed against the canonical Claude (claude-plugin/templates/jfrog-mcp-management.md) and Cursor (cursor-plugin/plugins/jfrog/templates/jfrog-mcp-management.md) templates, since the goal of this PR is cross-plugin alignment.

The alignment work itself is solid — structure, command blocks, Pre-flight resolution chains, and Key Rules all track the other two templates, and the VS Code-native mechanics (servers / inputs / ${input:...} keychain model, CodeLens, MCP: List Servers) are preserved correctly. Nice work.

Requesting changes for the items below — details in the inline comments.

Must fix (this file):

• Trailing whitespace, plus a . For HTTP → .For HTTP missing-space regression in the Step 4 inputs rules.

Needs a decision / release step:

• Version bump: this changes the template that ships to users, but marketplace.json (currently 1.0.2) isn't bumped. Per our release convention vscode-plugin bumps marketplace.json only — please bump it so the new instructions actually ship.
• A few additions here are ahead of / diverge from Claude & Cursor (the ## Managed Settings section, the <PROJECT> re-sync Exception: clause, and the richer Step 2 error handling). Each is good on its own, but for true alignment we should either back-port them to the other two plugins or mark them as intentional VS-Code-only. Please also correct the PR description line about VS Code 'missing ... managed-settings enforcement' — it's actually ahead there.

Confirmed separately: the registry env var JFROG_AGENT_GUARD_REPO is correct (matches Claude). Cursor's JFROG_MCP_GATEWAY_REPO is the stale outlier and can be fixed in a separate change.

[YoniMelki]

Re-review (head 3585b81): still requesting changes

Thanks for the updates. Confirmed resolved from the previous round: the . For HTTP space regression and the trailing whitespace in the template are fixed, and the project-switch priority is now mirrored into Pre-flight.

The scope grew to replace the shell scripts with inject-instructions.mjs, and that new file has blocking issues — details inline. Summary:

Blocking

• inject-instructions.mjs reads the wrong template filename (jfrog-mcp-management.md vs this repo's copilot-instructions.md) and fails silently → nothing is ever injected.
• The injector no longer writes .github/copilot-instructions.md, which is the file VS Code / GitHub Copilot actually reads — only the Claude-Code additionalContext is emitted now. Need confirmation this delivery-model change is intentional.

Should fix

• Asymmetric force-flag env-var names (disable has a leading _, enable doesn't).
• --server resolution is dead code, since the hook invokes the script with no args.
• New per-session network call on SessionStart (minor; please note it in the PR).

Process

• marketplace.json is 1.0.3 on both main and this branch, so the PR doesn't bump it — confirm these changes ship under a fresh version (if 1.0.3 is already published, this needs 1.0.4).
• The PR description is now stale: it doesn't mention the script→Node-injector replacement (the largest code change here), and still claims VS Code was 'missing … managed-settings enforcement while the other two plugins moved ahead' (VS Code is actually ahead). Please update both.

[YoniMelki]

Re-review (head 5cc4d1d): one alignment blocker left

Thanks for the quick turnaround — most of the last round is resolved.

Resolved

• Template filename fixed to copilot-instructions.md (was injecting nothing); the read catch now logs instead of failing silently.
• .github/copilot-instructions.md write restored (write-when-absent, non-fatal) — Copilot delivery is back, with additionalContext still covering Claude Code.
• --server dead-code branch removed and the precedence docstring corrected.
• Settings-check timeout lowered to 3s with an explanatory comment.

Blocking (alignment)

• The force-flag rename diverges from Claude/Cursor — see inline. Important correction to my previous comment: the disable/enable asymmetry (_JF_AGENT_GUARD_FORCE_DISABLE with underscore, JF_AGENT_GUARD_FORCE_ENABLE without) is the intentional, identical convention in both reference plugins. My earlier 'align them' note was wrong for this PR's goal. Adding the underscore to the enable flag means JF_AGENT_GUARD_FORCE_ENABLE (the name that works in Claude/Cursor) now silently no-ops in VS Code. Please match the references exactly.

Minor — VS-Code-ahead deltas (not blocking; reconcile or confirm intentional)

• resolveCredentials() adds a JF-CLI-config fallback the references don't have (they're env-only) — nice enhancement, but it changes when the settings check fires vs Claude/Cursor. Worth back-porting for parity or noting as deliberately ahead.
• 3s vs the references' 5s timeout, and isGatewayEnabledViaSettings / 'gateway' log wording vs the references' 'agent guard' naming (post-rename). Cosmetic.
• The clearer --login sandbox-permissions note is a good candidate to back-port to Claude/Cursor.
• .github/copilot-instructions.md is create-only — see inline lifecycle note.

Process

• marketplace.json is 1.0.3 on both main and this branch. Per this repo's convention that's the file bumped per ticket, so AX-1694 should ship as 1.0.4 if 1.0.3 is already released.
• The PR description is stale: it still lists 'Add a Managed Settings section' under Changes, but that section was removed in 0606423; and it doesn't mention the script→Node-injector replacement (the largest change here). Please update both.

[YoniMelki]

Re-review (head af832bb): injector regressed — please don't ship this version

The template MCP-config work this round is good (see below), but inject-instructions.mjs was replaced with what looks like a verbatim copy of the Cursor injector, which re-broke two blockers from earlier rounds and added a third. As it stands on af832bb, the injector delivers nothing to either Copilot or Claude Code. Details inline; summary:

Blocking (all in inject-instructions.mjs)

• Wrong template filename, again — reads templates/jfrog-mcp-management.md, which does not exist in this repo (the only template is copilot-instructions.md). The read throws, the catch writes {} and exits → nothing injected. This is the round-1 critical bug, reintroduced.
• .github/copilot-instructions.md write removed, again — the file-materialization block that was restored last round is gone, so Copilot has no instructions file to read. Round-1 major regression, reintroduced.
• Wrong output key for this hook — emits top-level additional_context (Cursor's format), but hooks.json is a Claude Code SessionStart hook, which reads hookSpecificOutput.additionalContext. Even with the filename fixed, the payload would be ignored.

Resolved / good

• Force-flag fixed: forceEnabled is now JF_AGENT_GUARD_FORCE_ENABLE (no underscore), matching Claude/Cursor. Thanks for the correction.
• resolveCredentials() refactor is cleaner and keeps the env→JF-CLI-config fallback; naming aligned; 5s timeout matches the references.
• Template config-location work is accurate: it correctly warns against ~/.vscode/mcp.json and points to the real user-profile paths (…/Code/User/mcp.json) and the workspace .vscode/mcp.json. Nicely done.

The fix: keep this round's force-flag fix and refactor, but restore the three VS-Code-specific bits the Cursor copy dropped — read copilot-instructions.md, re-add the .github/copilot-instructions.md write, and emit hookSpecificOutput.additionalContext. Effectively the prior head's injector plus this round's force-flag change.

Process

• marketplace.json is still 1.0.3 on both main and this branch — no bump; should be 1.0.4 per the per-ticket convention if 1.0.3 is released.
• PR description is still stale: it lists 'Add a Managed Settings section' (removed in 0606423) and omits the script→Node-injector rewrite.

[YoniMelki]

Re-review (head dace1a6): injector fixed ✅ — but a new template regression

Thanks Matan — all three injector blockers are resolved and verified:

• reads copilot-instructions.md (not the nonexistent jfrog-mcp-management.md);
• restores the .github/copilot-instructions.md write (write-when-absent, non-fatal);
• emits hookSpecificOutput.additionalContext, the correct shape for this Claude Code SessionStart hook.

The injector is now coherent and correct. However, a separate commit this round (ba067fa, "Clarify user-level MCP config path") regressed the template in the wrong direction, and it's blocking.

Blocking — wrong user-level MCP config path (7 places)
ba067fa replaced the user-level config path with ~/.vscode/mcp.json everywhere (lines 87, 121, 123, 197, 248, 324, 358) and deleted the correct paths. Per the VS Code docs, the user-level mcp.json lives in the user-profile folder — ~/Library/Application Support/Code/User/mcp.json (macOS), ~/.config/Code/User/mcp.json (Linux), %APPDATA%\Code\User\mcp.json (Windows). VS Code does not read an mcp.json in ~/.vscode/ (that folder holds extensions and argv.json). The previous head (af832bb) had this correct and even warned against this exact path — please restore those paths. Details inline. (Refs: https://code.visualstudio.com/docs/copilot/chat/mcp-servers and https://code.visualstudio.com/docs/agent-customization/mcp-servers)

Process (unchanged)

• marketplace.json is still 1.0.3 on both main and this branch — no bump; should be 1.0.4 per the per-ticket convention.
• PR description is still stale: it lists 'Add a Managed Settings section' (removed in 0606423) and omits the script→Node-injector rewrite.

[YoniMelki]

Re-review at head 5036f0d.

Landed this round (good ✅) — commit 5036f0d adds the credentials block (template lines ~49–72): JFROG_URL must be the bare platform base URL, present in the command's own environment, with a clear explanation of the '<' looking for beginning of value HTML-not-JSON failure. Accurate, well-scoped, closes a real footgun.

Injector — unchanged since dace1a6 and still correct: reads copilot-instructions.md, writes .github/copilot-instructions.md when absent, emits hookSpecificOutput.additionalContext. All earlier injector blockers remain resolved. ✅

---

🔴 Blocker (still open) — wrong user-level MCP config path. This is the one remaining functional blocker, and it's now an open disagreement rather than an oversight: the template uses ~/.vscode/mcp.json for the user-level config in 7 places, and Matan's replies note we'd "talked about" that path. I've replied in detail on both inline threads (write path, line 144; read path, line 379) with the evidence:

• VS Code's MCP: Open User Configuration opens mcp.json in the user profile folder (~/Library/Application Support/Code/User/ on macOS), per the docs — not the home ~/.vscode/ folder (which is for extensions + argv.json).
• Verified on a real machine with two active user-level gallery MCPs: VS Code wrote them to ~/Library/Application Support/Code/User/mcp.json (+ a Code/User/mcp/ runtime dir); ~/.vscode/mcp.json was never created.
• Net effect as written: install silently no-ops (line 144) and "Currently installed" always reads empty (line 379).

Correct user-level paths — macOS ~/Library/Application Support/Code/User/mcp.json, Windows %APPDATA%\Code\User\mcp.json, Linux ~/.config/Code/User/mcp.json. Workspace .vscode/mcp.json is correct and stays.

One-step confirmation: run MCP: Open User Configuration and read the path in the editor tab. If it's …/Code/User/mcp.json, this needs the fix; if it genuinely opens ~/.vscode/mcp.json, I'm wrong — say so on the thread and I'll drop it.

Process notes (carried forward, unchanged):

• marketplace.json not bumped — plugins[0].version is still 1.0.3 on both head and main; should be 1.0.4 per convention.
• PR description is stale: it lists "Add a Managed Settings section," but there's no such section in the template (the earlier ## Managed Settings heading is gone — its removal isn't reflected in the description); and it still omits the injector rewrite (ensure-instructions.sh/.ps1 → inject-instructions.mjs), the largest structural change in the PR.

[davida-jfrog]

Why is this differnt from cursor?

[MatanEden1]

already resolved

[davida-jfrog]

The agent cant do it so this should say what the agent should ask the user to do more explicitly.

[MatanEden1]

already resolved

[davida-jfrog]

It looks like the agent cant execute this.

[davida-jfrog]

I dont think there is a need for the user to list the mcp servers manually in the normal case. the agent can do it by themselfes.

For troubleshooting - fine.

[MatanEden1]

already resolved

[YoniMelki]

Two carried-over typos from the references: missing space in Server ID before <SERVER_ID> here, and line 66 says "not env vars" (should be "no env vars"). They match claude/cursor so byte-equivalence holds, but they're real typos in all three - worth one cleanup pass across the plugins.