@fentz26/envcp 1.0.1 → 1.0.2

package/dist/utils/session.js

@@ -2,6 +2,7 @@ import * as fs from 'fs-extra';
 import * as path from 'path';
 import { SessionSchema } from '../types.js';
 import { generateId, encrypt, decrypt } from './crypto.js';
+import * as crypto from 'crypto';
 export class SessionManager {
     sessionPath;
     session = null;
@@ -27,9 +28,11 @@ export class SessionManager {
             last_access: now.toISOString(),
         };
         this.password = password;
+        // Store a verification hash instead of the raw password
+        const passwordHash = crypto.createHash('sha256').update(password).digest('hex');
         const sessionData = JSON.stringify({
             session: this.session,
-            password: password,
+            passwordHash,
         });
         const encrypted = encrypt(sessionData, password);
         await fs.writeFile(this.sessionPath, encrypted, 'utf8');
@@ -48,7 +51,8 @@ export class SessionManager {
             const decrypted = decrypt(encrypted, pwd);
             const data = JSON.parse(decrypted);
             this.session = SessionSchema.parse(data.session);
-            this.password = data.password;
+            // Password is verified by successful decryption — no longer stored in file
+            this.password = pwd;
             if (new Date() > new Date(this.session.expires)) {
                 await this.destroy();
                 return null;
@@ -80,9 +84,10 @@ export class SessionManager {
         this.session.expires = expires.toISOString();
         this.session.extensions += 1;
         this.session.last_access = now.toISOString();
+        const passwordHash = crypto.createHash('sha256').update(this.password).digest('hex');
         const sessionData = JSON.stringify({
             session: this.session,
-            password: this.password,
+            passwordHash,
         });
         const encrypted = encrypt(sessionData, this.password);
         await fs.writeFile(this.sessionPath, encrypted, 'utf8');

package/dist/utils/session.js.map

@@ -1 +1 @@
-{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/utils/session.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,UAAU,CAAC;AAC/B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAW,aAAa,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAE3D,MAAM,OAAO,cAAc;IACjB,WAAW,CAAS;IACpB,OAAO,GAAmB,IAAI,CAAC;IAC/B,QAAQ,GAAkB,IAAI,CAAC;IAC/B,cAAc,CAAS;IACvB,aAAa,CAAS;IAE9B,YAAY,WAAmB,EAAE,iBAAyB,EAAE,EAAE,gBAAwB,CAAC;QACrF,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;QACrC,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,IAAI;QACR,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,QAAgB;QAC3B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,cAAc,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE1E,IAAI,CAAC,OAAO,GAAG;YACb,EAAE,EAAE,UAAU,EAAE;YAChB,OAAO,EAAE,GAAG,CAAC,WAAW,EAAE;YAC1B,OAAO,EAAE,OAAO,CAAC,WAAW,EAAE;YAC9B,UAAU,EAAE,CAAC;YACb,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE;SAC/B,CAAC;QAEF,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QAEzB,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC;YACjC,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,QAAQ,EAAE,QAAQ;SACnB,CAAC,CAAC;QAEH,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QACjD,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;QAExD,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,QAAiB;QAC1B,IAAI,CAAC,MAAM,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC3C,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAE9D,MAAM,GAAG,GAAG,QAAQ,IAAI,IAAI,CAAC,QAAQ,CAAC;YACtC,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;YAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YACnC,IAAI,CAAC,OAAO,GAAG,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACjD,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;YAE9B,IAAI,IAAI,IAAI,EAAE,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChD,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;gBACrB,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,IAAI,CAAC,OAAO,CAAC;QACtB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,IAAI,EAAE,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,CAAC,MAAM;QACV,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,cAAc,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE1E,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAC7C,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,CAAC,CAAC;QAC7B,IAAI,CAAC,OAAO,CAAC,WAAW,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QAE7C,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC;YACjC,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC,CAAC;QAEH,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACtD,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;QAExD,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QAErB,IAAI,MAAM,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC1C,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED,UAAU;QACR,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,gBAAgB;QACd,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,CAAC,CAAC;QACX,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACxE,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC;IACxD,CAAC;CACF"}
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/utils/session.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,UAAU,CAAC;AAC/B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAW,aAAa,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AAEjC,MAAM,OAAO,cAAc;IACjB,WAAW,CAAS;IACpB,OAAO,GAAmB,IAAI,CAAC;IAC/B,QAAQ,GAAkB,IAAI,CAAC;IAC/B,cAAc,CAAS;IACvB,aAAa,CAAS;IAE9B,YAAY,WAAmB,EAAE,iBAAyB,EAAE,EAAE,gBAAwB,CAAC;QACrF,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;QACrC,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,IAAI;QACR,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,QAAgB;QAC3B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,cAAc,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE1E,IAAI,CAAC,OAAO,GAAG;YACb,EAAE,EAAE,UAAU,EAAE;YAChB,OAAO,EAAE,GAAG,CAAC,WAAW,EAAE;YAC1B,OAAO,EAAE,OAAO,CAAC,WAAW,EAAE;YAC9B,UAAU,EAAE,CAAC;YACb,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE;SAC/B,CAAC;QAEF,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QAEzB,wDAAwD;QACxD,MAAM,YAAY,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAChF,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC;YACjC,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,YAAY;SACb,CAAC,CAAC;QAEH,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QACjD,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;QAExD,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,QAAiB;QAC1B,IAAI,CAAC,MAAM,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC3C,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAE9D,MAAM,GAAG,GAAG,QAAQ,IAAI,IAAI,CAAC,QAAQ,CAAC;YACtC,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;YAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YACnC,IAAI,CAAC,OAAO,GAAG,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACjD,2EAA2E;YAC3E,IAAI,CAAC,QAAQ,GAAG,GAAG,CAAC;YAEpB,IAAI,IAAI,IAAI,EAAE,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChD,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;gBACrB,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,IAAI,CAAC,OAAO,CAAC;QACtB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,IAAI,EAAE,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,CAAC,MAAM;QACV,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,cAAc,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE1E,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAC7C,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,CAAC,CAAC;QAC7B,IAAI,CAAC,OAAO,CAAC,WAAW,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QAE7C,MAAM,YAAY,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACrF,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC;YACjC,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,YAAY;SACb,CAAC,CAAC;QAEH,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACtD,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;QAExD,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QAErB,IAAI,MAAM,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC1C,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED,UAAU;QACR,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,gBAAgB;QACd,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,CAAC,CAAC;QACX,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACxE,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC;IACxD,CAAC;CACF"}

package/jest.config.js

@@ -0,0 +1,11 @@
+export default {
+  preset: 'ts-jest/presets/default-esm',
+  testEnvironment: 'node',
+  extensionsToTreatAsEsm: ['.ts'],
+  moduleNameMapper: {
+    '^(\\.{1,2}/.*)\\.js$': '$1',
+  },
+  transform: {
+    '^.+\\.ts$': ['ts-jest', { useESM: true }],
+  },
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fentz26/envcp",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "MCP server for secure environment variable management - Keep your secrets safe from AI agents",
   "type": "module",
   "main": "dist/index.js",
@@ -29,7 +29,6 @@
     "@modelcontextprotocol/sdk": "^1.0.0",
     "chalk": "^4.1.2",
     "commander": "^11.1.0",
-
     "dotenv": "^16.3.1",
     "fs-extra": "^11.2.0",
     "inquirer": "^8.2.6",
@@ -37,11 +36,13 @@
     "zod": "^3.22.4"
   },
   "devDependencies": {
-
     "@types/fs-extra": "^11.0.4",
     "@types/inquirer": "^9.0.7",
+    "@types/jest": "^30.0.0",
     "@types/js-yaml": "^4.0.9",
     "@types/node": "^20.10.0",
+    "jest": "^30.3.0",
+    "ts-jest": "^29.4.9",
     "typescript": "^5.3.0"
   },
   "engines": {

package/src/adapters/base.ts

@@ -1,7 +1,7 @@
 import { StorageManager, LogManager } from '../storage/index.js';
 import { EnvCPConfig, Variable, ToolDefinition } from '../types.js';
 import { maskValue } from '../utils/crypto.js';
-import { canAccess, isBlacklisted, canAIActiveCheck, requiresUserReference } from '../config/manager.js';
+import { canAccess, isBlacklisted, canAIActiveCheck, validateVariableName, matchesPattern } from '../config/manager.js';
 import { SessionManager } from '../utils/session.js';
 import * as fs from 'fs-extra';
 import * as path from 'path';
@@ -40,6 +40,108 @@ export abstract class BaseAdapter {
 
   protected abstract registerTools(): void;
 
+  protected registerDefaultTools(): void {
+    const tools: ToolDefinition[] = [
+      {
+        name: 'envcp_list',
+        description: 'List all available environment variable names. Values are never shown.',
+        parameters: {
+          type: 'object',
+          properties: {
+            tags: { type: 'array', items: { type: 'string' }, description: 'Filter by tags' },
+          },
+        },
+        handler: async (params) => this.listVariables(params as { tags?: string[] }),
+      },
+      {
+        name: 'envcp_get',
+        description: 'Get an environment variable. Returns masked value by default.',
+        parameters: {
+          type: 'object',
+          properties: {
+            name: { type: 'string', description: 'Variable name' },
+            show_value: { type: 'boolean', description: 'Show actual value (requires user confirmation)' },
+          },
+          required: ['name'],
+        },
+        handler: async (params) => this.getVariable(params as { name: string; show_value?: boolean }),
+      },
+      {
+        name: 'envcp_set',
+        description: 'Create or update an environment variable.',
+        parameters: {
+          type: 'object',
+          properties: {
+            name: { type: 'string', description: 'Variable name' },
+            value: { type: 'string', description: 'Variable value' },
+            tags: { type: 'array', items: { type: 'string' }, description: 'Tags' },
+            description: { type: 'string', description: 'Description' },
+          },
+          required: ['name', 'value'],
+        },
+        handler: async (params) => this.setVariable(params as { name: string; value: string; tags?: string[]; description?: string }),
+      },
+      {
+        name: 'envcp_delete',
+        description: 'Delete an environment variable.',
+        parameters: {
+          type: 'object',
+          properties: {
+            name: { type: 'string', description: 'Variable name' },
+          },
+          required: ['name'],
+        },
+        handler: async (params) => this.deleteVariable(params as { name: string }),
+      },
+      {
+        name: 'envcp_sync',
+        description: 'Sync variables to .env file.',
+        parameters: { type: 'object', properties: {} },
+        handler: async () => this.syncToEnv(),
+      },
+      {
+        name: 'envcp_run',
+        description: 'Execute a command with environment variables injected.',
+        parameters: {
+          type: 'object',
+          properties: {
+            command: { type: 'string', description: 'Command to execute' },
+            variables: { type: 'array', items: { type: 'string' }, description: 'Variables to inject' },
+          },
+          required: ['command', 'variables'],
+        },
+        handler: async (params) => this.runCommand(params as { command: string; variables: string[] }),
+      },
+      {
+        name: 'envcp_add_to_env',
+        description: 'Write a stored variable to a .env file.',
+        parameters: {
+          type: 'object',
+          properties: {
+            name: { type: 'string', description: 'Variable name to add' },
+            env_file: { type: 'string', description: 'Path to .env file (default: .env)' },
+          },
+          required: ['name'],
+        },
+        handler: async (params) => this.addToEnv(params as { name: string; env_file?: string }),
+      },
+      {
+        name: 'envcp_check_access',
+        description: 'Check if a variable exists and can be accessed.',
+        parameters: {
+          type: 'object',
+          properties: {
+            name: { type: 'string', description: 'Variable name to check' },
+          },
+          required: ['name'],
+        },
+        handler: async (params) => this.checkAccess(params as { name: string }),
+      },
+    ];
+
+    tools.forEach(tool => this.tools.set(tool.name, tool));
+  }
+
   async init(): Promise<void> {
     await this.logs.init();
     await this.sessionManager.init();
@@ -158,6 +260,10 @@ export abstract class BaseAdapter {
       throw new Error('AI write access is disabled');
     }
 
+    if (!validateVariableName(args.name)) {
+      throw new Error(`Invalid variable name '${args.name}'. Must match [A-Za-z_][A-Za-z0-9_]*`);
+    }
+
     if (isBlacklisted(args.name, this.config)) {
       throw new Error(`Variable '${args.name}' is blacklisted`);
     }
@@ -233,16 +339,15 @@ export abstract class BaseAdapter {
         continue;
       }
 
-      const excluded = this.config.sync.exclude?.some(pattern => {
-        const regex = new RegExp('^' + pattern.replace(/\*/g, '.*') + '$');
-        return regex.test(name);
-      });
+      const excluded = this.config.sync.exclude?.some(pattern => matchesPattern(name, pattern));
 
       if (excluded || !variable.sync_to_env) {
         continue;
       }
 
-      lines.push(`${name}=${variable.value}`);
+      const needsQuoting = /[\s#"'\\]/.test(variable.value);
+      const val = needsQuoting ? `"${variable.value.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"` : variable.value;
+      lines.push(`${name}=${val}`);
     }
 
     const envPath = path.join(this.projectPath, this.config.sync.target);
@@ -270,7 +375,11 @@ export abstract class BaseAdapter {
       throw new Error(`Variable '${args.name}' is blacklisted`);
     }
 
-    const envPath = path.join(this.projectPath, args.env_file || '.env');
+    const envPath = path.resolve(this.projectPath, args.env_file || '.env');
+    if (!envPath.startsWith(path.resolve(this.projectPath))) {
+      throw new Error('env_file must be within the project directory');
+    }
+
     let content = '';
 
     if (await fs.pathExists(envPath)) {
@@ -279,17 +388,20 @@ export abstract class BaseAdapter {
 
     const envVars = dotenv.parse(content);
 
+    const needsQuoting = /[\s#"'\\]/.test(variable.value);
+    const quotedValue = needsQuoting ? `"${variable.value.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"` : variable.value;
+
     if (envVars[args.name]) {
       const lines = content.split('\n');
       const newLines = lines.map(line => {
         if (line.startsWith(`${args.name}=`)) {
-          return `${args.name}=${variable.value}`;
+          return `${args.name}=${quotedValue}`;
         }
         return line;
       });
       content = newLines.join('\n');
     } else {
-      content += `\n${args.name}=${variable.value}`;
+      content += `\n${args.name}=${quotedValue}`;
     }
 
     await fs.writeFile(envPath, content, 'utf8');
@@ -308,9 +420,7 @@ export abstract class BaseAdapter {
 
   protected async checkAccess(args: { name: string }): Promise<{
     name: string;
-    exists: boolean;
     accessible: boolean;
-    blacklisted: boolean;
     message: string;
   }> {
     const variable = await this.storage.get(args.name);
@@ -329,10 +439,8 @@ export abstract class BaseAdapter {
 
     return {
       name: args.name,
-      exists,
       accessible,
-      blacklisted,
-      message: accessible ? 'Variable exists and can be accessed' : 'Variable cannot be accessed or does not exist',
+      message: accessible ? 'Variable exists and can be accessed' : 'Variable cannot be accessed',
     };
   }
 
@@ -375,10 +483,20 @@ export abstract class BaseAdapter {
     stdout: string;
     stderr: string;
   }> {
+    if (!this.config.access.allow_ai_execute) {
+      throw new Error('AI command execution is disabled');
+    }
+
     this.validateCommand(args.command);
 
     const { spawn } = await import('child_process');
-    const { program, args: cmdArgs } = this.parseCommand(args.command);
+    const { program: prog, args: cmdArgs } = this.parseCommand(args.command);
+
+    if (this.config.access.allowed_commands && this.config.access.allowed_commands.length > 0) {
+      if (!this.config.access.allowed_commands.includes(prog)) {
+        throw new Error(`Command '${prog}' is not in the allowed commands list`);
+      }
+    }
     const env: Record<string, string> = { ...process.env } as Record<string, string>;
 
     for (const name of args.variables) {
@@ -391,19 +509,32 @@ export abstract class BaseAdapter {
       }
     }
 
+    const TIMEOUT_MS = 30000;
+
     return new Promise((resolve) => {
-      const proc = spawn(program, cmdArgs, {
+      const proc = spawn(prog, cmdArgs, {
         env,
         cwd: this.projectPath,
       });
 
       let stdout = '';
       let stderr = '';
+      let killed = false;
+
+      const timer = setTimeout(() => {
+        killed = true;
+        proc.kill('SIGTERM');
+        setTimeout(() => { if (!proc.killed) proc.kill('SIGKILL'); }, 5000);
+      }, TIMEOUT_MS);
 
       proc.stdout.on('data', (data) => { stdout += data; });
       proc.stderr.on('data', (data) => { stderr += data; });
 
       proc.on('close', (code) => {
+        clearTimeout(timer);
+        if (killed) {
+          stderr += '\n[Process killed: exceeded 30s timeout]';
+        }
         resolve({ exitCode: code, stdout, stderr });
       });
     });

package/src/adapters/gemini.ts

@@ -1,110 +1,18 @@
 import { BaseAdapter } from './base.js';
-import { EnvCPConfig, GeminiFunctionDeclaration, GeminiFunctionCall, GeminiFunctionResponse, ToolDefinition } from '../types.js';
-import { setCorsHeaders, sendJson, parseBody, validateApiKey } from '../utils/http.js';
+import { EnvCPConfig, GeminiFunctionDeclaration, GeminiFunctionCall, GeminiFunctionResponse } from '../types.js';
+import { setCorsHeaders, sendJson, parseBody, validateApiKey, RateLimiter, rateLimitMiddleware } from '../utils/http.js';
 import * as http from 'http';
-import * as url from 'url';
 
 export class GeminiAdapter extends BaseAdapter {
   private server: http.Server | null = null;
+  private rateLimiter = new RateLimiter(60, 60000);
 
   constructor(config: EnvCPConfig, projectPath: string, password?: string) {
     super(config, projectPath, password);
   }
 
   protected registerTools(): void {
-    const tools: ToolDefinition[] = [
-      {
-        name: 'envcp_list',
-        description: 'List all available environment variable names. Values are never shown.',
-        parameters: {
-          type: 'object',
-          properties: {
-            tags: {
-              type: 'array',
-              items: { type: 'string' },
-              description: 'Filter by tags',
-            },
-          },
-        },
-        handler: async (params) => this.listVariables(params as { tags?: string[] }),
-      },
-      {
-        name: 'envcp_get',
-        description: 'Get an environment variable. Returns masked value by default.',
-        parameters: {
-          type: 'object',
-          properties: {
-            name: { type: 'string', description: 'Variable name' },
-            show_value: { type: 'boolean', description: 'Show actual value (requires user confirmation)' },
-          },
-          required: ['name'],
-        },
-        handler: async (params) => this.getVariable(params as { name: string; show_value?: boolean }),
-      },
-      {
-        name: 'envcp_set',
-        description: 'Create or update an environment variable.',
-        parameters: {
-          type: 'object',
-          properties: {
-            name: { type: 'string', description: 'Variable name' },
-            value: { type: 'string', description: 'Variable value' },
-            tags: { type: 'array', items: { type: 'string' }, description: 'Tags' },
-            description: { type: 'string', description: 'Description' },
-          },
-          required: ['name', 'value'],
-        },
-        handler: async (params) => this.setVariable(params as any),
-      },
-      {
-        name: 'envcp_delete',
-        description: 'Delete an environment variable.',
-        parameters: {
-          type: 'object',
-          properties: {
-            name: { type: 'string', description: 'Variable name' },
-          },
-          required: ['name'],
-        },
-        handler: async (params) => this.deleteVariable(params as { name: string }),
-      },
-      {
-        name: 'envcp_sync',
-        description: 'Sync variables to .env file.',
-        parameters: {
-          type: 'object',
-          properties: {},
-        },
-        handler: async () => this.syncToEnv(),
-      },
-      {
-        name: 'envcp_run',
-        description: 'Execute a command with environment variables injected.',
-        parameters: {
-          type: 'object',
-          properties: {
-            command: { type: 'string', description: 'Command to execute' },
-            variables: { type: 'array', items: { type: 'string' }, description: 'Variables to inject' },
-          },
-          required: ['command', 'variables'],
-        },
-        handler: async (params) => this.runCommand(params as { command: string; variables: string[] }),
-      },
-      {
-        name: 'envcp_check_access',
-        description: 'Check if a variable exists and can be accessed.',
-        parameters: {
-          type: 'object',
-          properties: {
-            name: { type: 'string', description: 'Variable name' },
-          },
-          required: ['name'],
-        },
-        handler: async (params) => this.checkAccess(params as { name: string }),
-      },
-    ];
-
-    tools.forEach(tool => this.tools.set(tool.name, tool));
+    this.registerDefaultTools();
   }
 
   // Convert tools to Gemini function declaration format
@@ -114,8 +22,8 @@ export class GeminiAdapter extends BaseAdapter {
       description: tool.description,
       parameters: {
         type: 'object' as const,
-        properties: (tool.parameters as any).properties || {},
-        required: (tool.parameters as any).required,
+        properties: (tool.parameters as Record<string, unknown>).properties as Record<string, unknown> || {},
+        required: (tool.parameters as Record<string, unknown>).required as string[] | undefined,
       },
     }));
   }
@@ -131,10 +39,11 @@ export class GeminiAdapter extends BaseAdapter {
           name: call.name,
           response: { result },
         });
-      } catch (error: any) {
+      } catch (error: unknown) {
+        const message = error instanceof Error ? error.message : String(error);
         results.push({
           name: call.name,
-          response: { error: error.message },
+          response: { error: message },
         });
       }
     }
@@ -147,7 +56,7 @@ export class GeminiAdapter extends BaseAdapter {
     await this.init();
 
     this.server = http.createServer(async (req, res) => {
-      setCorsHeaders(res);
+      setCorsHeaders(res, undefined, req.headers.origin);
 
       if (req.method === 'OPTIONS') {
         res.writeHead(204);
@@ -155,6 +64,10 @@ export class GeminiAdapter extends BaseAdapter {
         return;
       }
 
+      if (!rateLimitMiddleware(this.rateLimiter, req, res)) {
+        return;
+      }
+
       // API key validation
       if (apiKey) {
         const providedKey = (req.headers['x-goog-api-key'] || req.headers['authorization']?.replace('Bearer ', '')) as string | undefined;
@@ -164,8 +77,8 @@ export class GeminiAdapter extends BaseAdapter {
         }
       }
 
-      const parsedUrl = url.parse(req.url || '/', true);
-      const pathname = parsedUrl.pathname || '/';
+      const parsedUrl = new URL(req.url || '/', `http://${req.headers.host || 'localhost'}`);
+      const pathname = parsedUrl.pathname;
 
       try {
         // Gemini-compatible endpoints
@@ -293,8 +206,9 @@ export class GeminiAdapter extends BaseAdapter {
         // 404
         sendJson(res, 404, { error: { code: 404, message: 'Not found', status: 'NOT_FOUND' } });
 
-      } catch (error: any) {
-        sendJson(res, 500, { error: { code: 500, message: error.message, status: 'INTERNAL' } });
+      } catch (error: unknown) {
+        const message = error instanceof Error ? error.message : String(error);
+        sendJson(res, 500, { error: { code: 500, message, status: 'INTERNAL' } });
       }
     });