@hasna/configs 0.2.12 → 0.2.14

package/dist/cli/index.js

@@ -3756,7 +3756,7 @@ Run with --fix to redact in-place.`));
   }
 });
 var mcpCmd = program.command("mcp").description("Install/remove MCP server for AI agents");
-mcpCmd.command("install").alias("add").description("Install configs MCP server into an agent").option("--claude", "install into Claude Code").option("--codex", "install into Codex").option("--gemini", "install into Gemini").option("--all", "install into all agents").action(async (opts) => {
+mcpCmd.command("install").alias("add").description("Install configs MCP server into an agent").option("--claude", "install into Claude Code").option("--codex", "install into Codex").option("--gemini", "install into Gemini").option("--all", "install into all agents").option("--profile <level>", "set CONFIGS_PROFILE (minimal|standard|full)", "standard").action(async (opts) => {
   const targets = opts.all ? ["claude", "codex", "gemini"] : [
     ...opts.claude ? ["claude"] : [],
     ...opts.codex ? ["codex"] : [],
@@ -3769,7 +3769,8 @@ mcpCmd.command("install").alias("add").description("Install configs MCP server i
   for (const target of targets) {
     try {
       if (target === "claude") {
-        const proc = Bun.spawn(["claude", "mcp", "add", "--transport", "stdio", "--scope", "user", "configs", "--", "configs-mcp"], { stdout: "inherit", stderr: "inherit" });
+        const cmd = opts.profile && opts.profile !== "full" ? ["claude", "mcp", "add", "--transport", "stdio", "--scope", "user", "configs", "--", "env", `CONFIGS_PROFILE=${opts.profile}`, "configs-mcp"] : ["claude", "mcp", "add", "--transport", "stdio", "--scope", "user", "configs", "--", "configs-mcp"];
+        const proc = Bun.spawn(cmd, { stdout: "inherit", stderr: "inherit" });
         await proc.exited;
         console.log(chalk.green("\u2713") + " Installed into Claude Code");
       } else if (target === "codex") {

package/dist/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":";;;;;AA0QA,wBAAgD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":";;;;;AAqRA,wBAAgD"}

package/dist/server/index.js

@@ -1,5 +1,6 @@
 #!/usr/bin/env bun
 // @bun
+var __require = import.meta.require;
 
 // node_modules/hono/dist/compose.js
 var compose = (middleware, onError, onNotFound) => {
@@ -2617,6 +2618,12 @@ app.post("/api/sync", async (c) => {
   try {
     const body = await c.req.json();
     const dir = body.dir || "~/.claude";
+    const { resolve: resolve3 } = __require("path");
+    const { homedir: hd } = __require("os");
+    const absDir = dir.startsWith("~/") ? resolve3(hd(), dir.slice(2)) : resolve3(dir);
+    if (!absDir.startsWith(hd())) {
+      return c.json({ error: "Sync restricted to home directory paths" }, 403);
+    }
     const direction = body.direction || "from_disk";
     const result = direction === "to_disk" ? await syncToDir(dir, { dryRun: body.dry_run }) : await syncFromDir(dir, { dryRun: body.dry_run });
     return c.json(result);
@@ -2696,10 +2703,13 @@ function findDashboardDir() {
 }
 var dashDir = findDashboardDir();
 if (dashDir) {
+  const resolvedDashDir = __require("path").resolve(dashDir);
   app.get("/*", (c) => {
     const url = new URL(c.req.url);
     let filePath = url.pathname === "/" ? "/index.html" : url.pathname;
-    let absPath = join4(dashDir, filePath);
+    let absPath = __require("path").resolve(join4(dashDir, filePath));
+    if (!absPath.startsWith(resolvedDashDir))
+      return c.json({ error: "Forbidden" }, 403);
     if (!existsSync5(absPath))
       absPath = join4(dashDir, "index.html");
     if (!existsSync5(absPath))

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/configs",
-  "version": "0.2.12",
+  "version": "0.2.14",
   "description": "AI coding agent configuration manager — store, version, apply, and share all your AI coding configs. CLI + MCP + REST API + Dashboard.",
   "type": "module",
   "main": "dist/index.js",