Add agent-safe hidden source handling to intent list

[LadyBluenotes]

Summary

• add std-env based audience detection for agent vs human intent list output
• redact unlisted allowlist candidates from agent-facing notices and JSON while preserving hidden-source counts
• add intent list --show-hidden so human sessions can review hidden source names, while agent sessions get a refusal message
• document the new hidden-source behavior and cover human/agent output paths with focused tests

Summary by CodeRabbit

• New Features
  • Added a --show-hidden option to intent list for revealing hidden/unlisted skill sources when allowed.
  • Introduced audience-aware “agent-safe” handling: agent sessions only see hidden-source counts plus guidance, while human sessions can view details.
  • Extended --json output to include hiddenSourceCount and hiddenSources (with agent-safe redaction).
• Documentation
  • Updated intent list CLI docs to document --show-hidden and the updated JSON schema.
• Tests
  • Added coverage for INTENT_AUDIENCE-specific behavior in both CLI and core logic.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 84dfa992-c3b4-4ad2-8d8f-65f57b50dec9

📥 Commits

Reviewing files that changed from the base of the PR and between 31174b4 and a56fd92.

📒 Files selected for processing (1)

• packages/intent/src/core/source-policy.ts

---

📝 Walkthrough

Walkthrough

Adds agent-safe handling for hidden skill sources in intent list. A new detectIntentAudience() helper resolves the current audience from an explicit argument, INTENT_AUDIENCE env var, or std-env's detectAgent(). Source policy collection is updated to track hiddenSources with per-package skill counts, emit audience-aware notices, and suppress the sources array (returning only a count) for agent sessions. A new --show-hidden CLI option exposes the hidden sources for human sessions only.

Changes

Agent-safe hidden skill source redaction

Layer / File(s)	Summary
Public types and audience detection helper packages/intent/package.json, packages/intent/src/core/types.ts, packages/intent/src/shared/environment.ts	IntentAudience, IntentHiddenSourceSummary, audience fields on IntentCoreOptions/IntentSkillList, and detectIntentAudience() resolving audience from explicit arg, INTENT_AUDIENCE env var, or std-env agent detection. Adds std-env runtime dependency.
Source policy: hidden source collection and audience-aware notices packages/intent/src/core/source-policy.ts	SourcePolicyOptions gains audience. applySourcePolicy collects hiddenSources with skillCount instead of plain unlisted names and emits audience-aware notices via formatUnlistedNotice. SourcePolicyResult and PolicedScan are extended. scanForPolicedIntents derives audience and suppresses hiddenSources array for agent sessions while preserving hiddenSourceCount.
listIntentSkills: propagate hidden source fields packages/intent/src/core/intent-core.ts	listIntentSkills destructures hiddenSourceCount and hiddenSources from scanForPolicedIntents and includes them on the returned IntentSkillList.
CLI --show-hidden option wiring and printHiddenSources packages/intent/src/cli.ts, packages/intent/src/commands/list.ts	Adds --show-hidden to usage string and option registration. ListCommandOptions gains showHidden. runListCommand detects audience and passes it to listIntentSkills. printHiddenSources blocks disclosure for agent audience; two conditional call sites in the non-JSON output path invoke it when showHidden is enabled.
Tests, docs, and changeset packages/intent/tests/cli.test.ts, packages/intent/tests/core.test.ts, docs/cli/intent-list.md, .changeset/thick-snakes-yell.md	CLI tests add INTENT_AUDIENCE isolation and cover human/agent/JSON audience scenarios. Core tests add hiddenSourceCount/hiddenSources assertions and an agent-redaction test. Docs update command syntax, options, JSON schema, and allowlist section. Changeset documents the patch release.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• TanStack/intent#156: Modifies the same core/source-policy.ts allowlist gating pipeline (applySourcePolicy, unlisted package surfacing) that this PR extends with audience-based hidden-source counting and redaction.

Suggested labels

dependencies

Suggested reviewers

• KevinVandy
• schiller-manuel

Poem

🐇 A rabbit hops through hidden trails,
Where agent eyes must see no names—
Just counts and hints behind the veil,
While humans play the guessing games.
--show-hidden lifts the human's shroud,
But bots get only numbers, proud!

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 7.69% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The PR description provides a clear summary of changes and their motivation, but lacks completion of the template sections, particularly the checklist and release impact declarations.	Complete the template by checking off items in the Checklist section and marking whether this affects published code or is docs/CI/dev-only.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding agent-safe hidden source handling to the intent list command, which is the primary objective of this PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch agent-safe-list-redaction

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 31174b4

Command	Status	Duration	Result
nx run-many --targets=build --exclude=examples/**	✅ Succeeded	<1s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-06-21 23:30:34 UTC

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/TanStack/intent/@tanstack/intent@176

commit: 31174b4

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/intent/src/core/source-policy.ts`:
- Around line 13-22: The import statements in source-policy.ts violate ESLint's
import/order rule because parent directory imports should be ordered before
sibling/child directory imports. Reorder the imports so that imports from parent
directories (starting with ../shared/environment.js and ../skills/use.js) appear
before all the relative imports from the current directory (./excludes.js,
./project-context.js, ./skill-sources.js, and ./types.js). This ensures
compliance with the configured import ordering rules.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 907834c8-c3b5-45a8-8765-c35c980a7f0a

📥 Commits

Reviewing files that changed from the base of the PR and between ebf3ee3 and 31174b4.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (11)

• .changeset/thick-snakes-yell.md
• docs/cli/intent-list.md
• packages/intent/package.json
• packages/intent/src/cli.ts
• packages/intent/src/commands/list.ts
• packages/intent/src/core/intent-core.ts
• packages/intent/src/core/source-policy.ts
• packages/intent/src/core/types.ts
• packages/intent/src/shared/environment.ts
• packages/intent/tests/cli.test.ts
• packages/intent/tests/core.test.ts