@luquimbo/bi-superpowers 3.0.0 → 3.0.1

package/.claude-plugin/marketplace.json

@@ -6,7 +6,7 @@
   },
   "metadata": {
     "description": "AI-powered skills for Power BI, Microsoft Fabric, and Excel development. 24 skills covering DAX, Power Query, data modeling, report design, governance, and more.",
-    "version": "3.0.0",
+    "version": "3.0.1",
     "repository": "https://github.com/luquimbo/bi-superpowers"
   },
   "plugins": [

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "bi-superpowers",
   "description": "Claude Code plugin for Power BI, Microsoft Fabric, and semantic model workflows powered by the official Microsoft MCP servers.",
-  "version": "3.0.0",
+  "version": "3.0.1",
   "author": {
     "name": "Lucas Sanchez"
   }

package/.claude-plugin/skill-manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "bi-superpowers",
-  "version": "3.0.0",
+  "version": "3.0.1",
   "skillCount": 2,
   "skills": [
     {

package/.plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "spec": "open-plugin-spec@1",
   "name": "bi-superpowers",
-  "version": "3.0.0",
+  "version": "3.0.1",
   "description": "Claude Code plugin for Power BI, Microsoft Fabric, and semantic model workflows powered by the official Microsoft MCP servers.",
   "author": {
     "name": "Lucas Sanchez"

package/bin/commands/install.js

@@ -400,7 +400,7 @@ async function installCommand(args, config) {
         mcpResults.push({ agent: agent.name, configPath, success: true });
       }
     } catch (err) {
-      console.log(chalk.yellow(`  ⚠ ${agent.name}: ${err.message}`));
+      console.log(chalk.red(`  ✗ ${agent.name}: ${err.message}`));
       mcpResults.push({ agent: agent.name, success: false, error: err.message });
     }
   }
@@ -408,11 +408,25 @@ async function installCommand(args, config) {
   // Resumen
   const totalAgents = agentResults.length + (universalAgents.length > 0 ? 1 : 0);
   const mcpSuccess = mcpResults.filter((r) => r.success).length;
+  const mcpFailures = mcpResults.filter((r) => !r.success);
+  const hasFailures = mcpFailures.length > 0;
+
+  const successMsg = `Instalados ${skillDirs.length} skills + 2 MCPs para ${totalAgents} agentes`;
+  const failureMsg = `Instalados ${skillDirs.length} skills. MCPs: ${mcpSuccess}/${mcpResults.length} agentes ✓, ${mcpFailures.length} con errores.`;
+  const headerLine = hasFailures ? chalk.yellow.bold(failureMsg) : chalk.green.bold(successMsg);
+
+  const failureDetail = hasFailures
+    ? '\n' +
+      chalk.red('Agentes con errores en MCP:') +
+      '\n' +
+      mcpFailures.map((r) => chalk.red(`  ✗ ${r.agent}: ${r.error}`)).join('\n') +
+      '\n'
+    : '';
+
   console.log(
     boxen(
-      chalk.green.bold(
-        `Instalados ${skillDirs.length} skills + 2 MCPs para ${totalAgents} agentes`
-      ) +
+      headerLine +
+        failureDetail +
         '\n\n' +
         chalk.gray(`MCPs configurados en ${mcpSuccess}/${mcpResults.length} agentes.`) +
         '\n' +
@@ -427,10 +441,17 @@ async function installCommand(args, config) {
         padding: 1,
         margin: { top: 1 },
         borderStyle: 'round',
-        borderColor: 'green',
+        borderColor: hasFailures ? 'yellow' : 'green',
       }
     )
   );
+
+  if (hasFailures) {
+    // Non-zero exit so CI/scripts know something went wrong, but skills
+    // still got installed — we use exit code 2 to distinguish from total
+    // failure (exit 1).
+    process.exitCode = 2;
+  }
 }
 
 // Exports internos para testing

package/bin/commands/install.test.js

@@ -210,3 +210,80 @@ describe('install command - module exports', () => {
     assert.strictEqual(typeof installCommand.formatFsError, 'function');
   });
 });
+
+describe('install command - integration: --all --yes', () => {
+  let tempHome;
+  let tempPkg;
+  let origHome;
+
+  beforeEach(() => {
+    tempHome = fs.mkdtempSync(path.join(os.tmpdir(), 'bi-install-int-home-'));
+    tempPkg = fs.mkdtempSync(path.join(os.tmpdir(), 'bi-install-int-pkg-'));
+
+    // Minimal fake package layout: skills/<name>/SKILL.md + launcher file
+    const skillsDir = path.join(tempPkg, 'skills');
+    for (const skillName of ['project-kickoff', 'pbi-connect']) {
+      const dir = path.join(skillsDir, skillName);
+      fs.mkdirSync(dir, { recursive: true });
+      fs.writeFileSync(
+        path.join(dir, 'SKILL.md'),
+        `---\nname: ${skillName}\ndescription: fake skill for test\n---\n# ${skillName}\n`
+      );
+    }
+    fs.mkdirSync(path.join(tempPkg, 'bin', 'mcp'), { recursive: true });
+    fs.writeFileSync(
+      path.join(tempPkg, 'bin', 'mcp', 'powerbi-modeling-launcher.js'),
+      '// fake launcher\n'
+    );
+
+    origHome = os.homedir;
+    os.homedir = () => tempHome;
+  });
+
+  afterEach(() => {
+    os.homedir = origHome;
+    fs.rmSync(tempHome, { recursive: true, force: true });
+    fs.rmSync(tempPkg, { recursive: true, force: true });
+  });
+
+  test('installs skills and writes MCP config for all 5 agents', async () => {
+    const origExitCode = process.exitCode;
+    try {
+      await installCommand(['--all', '--yes'], {
+        packageDir: tempPkg,
+        version: '9.9.9-test',
+      });
+    } finally {
+      // Reset exit code so subsequent tests aren't affected
+      process.exitCode = origExitCode;
+    }
+
+    // Skills installed at universal path
+    assert.ok(
+      fs.existsSync(path.join(tempHome, '.agents', 'skills', 'project-kickoff', 'SKILL.md'))
+    );
+    assert.ok(fs.existsSync(path.join(tempHome, '.agents', 'skills', 'pbi-connect', 'SKILL.md')));
+
+    // MCP configs written for all 5 agents
+    const expectedMcpFiles = [
+      path.join(tempHome, '.claude.json'),
+      path.join(tempHome, '.copilot', 'mcp-config.json'),
+      path.join(tempHome, '.codex', 'config.toml'),
+      path.join(tempHome, '.gemini', 'settings.json'),
+      path.join(tempHome, '.kilocode', 'mcp_settings.json'),
+    ];
+    for (const filePath of expectedMcpFiles) {
+      assert.ok(fs.existsSync(filePath), `expected MCP config at ${filePath}`);
+    }
+
+    // Claude Code config has both servers under mcpServers
+    const claudeConfig = JSON.parse(fs.readFileSync(path.join(tempHome, '.claude.json'), 'utf8'));
+    assert.ok(claudeConfig.mcpServers['powerbi-modeling']);
+    assert.ok(claudeConfig.mcpServers['microsoft-learn']);
+
+    // Codex TOML has both sections
+    const codexToml = fs.readFileSync(path.join(tempHome, '.codex', 'config.toml'), 'utf8');
+    assert.ok(codexToml.includes('[mcp_servers.powerbi-modeling]'));
+    assert.ok(codexToml.includes('[mcp_servers.microsoft-learn]'));
+  });
+});

package/bin/lib/mcp-config.js

@@ -52,10 +52,28 @@ function readJsonSafe(filePath) {
   }
 }
 
+/**
+ * Reject symlink attacks before writing to a file. We use lstatSync so
+ * we detect the link itself (not what it points to). If a user home has
+ * `~/.claude.json` pointing to `/etc/passwd`, we refuse to write.
+ * @throws {Error} if filePath exists and is a symbolic link
+ */
+function assertNotSymlink(filePath) {
+  if (!fs.existsSync(filePath)) return;
+  if (fs.lstatSync(filePath).isSymbolicLink()) {
+    throw new Error(
+      `Refusing to write MCP config: ${filePath} is a symbolic link. ` +
+        'Remove the symlink and re-run the install.'
+    );
+  }
+}
+
 /**
  * Write a JSON file, creating parent dirs if needed.
+ * Refuses to overwrite symbolic links for safety.
  */
 function writeJson(filePath, data) {
+  assertNotSymlink(filePath);
   const dir = path.dirname(filePath);
   if (!fs.existsSync(dir)) {
     fs.mkdirSync(dir, { recursive: true });
@@ -65,9 +83,31 @@ function writeJson(filePath, data) {
 
 /**
  * Escape a string for use inside TOML double-quoted strings.
+ * Covers backslash, quote, and the control characters that TOML spec
+ * requires escaping in basic strings: \b \t \n \f \r
+ *
+ * Note: `\b` in a JS regex is word-boundary, NOT backspace (0x08).
+ * We use \x08 explicitly to match the backspace character itself.
  */
 function tomlEscape(str) {
-  return String(str).replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+  return (
+    String(str)
+      .replace(/\\/g, '\\\\')
+      .replace(/"/g, '\\"')
+      // eslint-disable-next-line no-control-regex
+      .replace(/\x08/g, '\\b')
+      .replace(/\t/g, '\\t')
+      .replace(/\n/g, '\\n')
+      .replace(/\f/g, '\\f')
+      .replace(/\r/g, '\\r')
+  );
+}
+
+/**
+ * Escape a string for safe use inside a regex pattern (as a literal).
+ */
+function escapeRegex(str) {
+  return String(str).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
 }
 
 // ============================================
@@ -125,6 +165,7 @@ function writeCopilotConfig(packageDir) {
 // appending the fresh ones.
 function writeCodexConfig(packageDir) {
   const configPath = path.join(os.homedir(), '.codex', 'config.toml');
+  assertNotSymlink(configPath);
   const launcher = getLauncherAbsolutePath(packageDir);
 
   let existing = '';
@@ -134,9 +175,11 @@ function writeCodexConfig(packageDir) {
 
   // Remove any previous bi-superpowers MCP sections so re-running install
   // doesn't duplicate them. Strips each section from its header to the
-  // next [ header or EOF.
+  // next [ header or EOF. Server names are escaped for regex safety even
+  // though current values are literal — defensive against future renames.
+  const namePattern = [MODELING_SERVER_NAME, LEARN_SERVER_NAME].map(escapeRegex).join('|');
   const stripPattern = new RegExp(
-    `\\n?\\[mcp_servers\\.(${MODELING_SERVER_NAME}|${LEARN_SERVER_NAME})\\][\\s\\S]*?(?=\\n\\[|$)`,
+    `\\n?\\[mcp_servers\\.(${namePattern})\\][\\s\\S]*?(?=\\n\\[|$)`,
     'g'
   );
   existing = existing.replace(stripPattern, '');
@@ -238,5 +281,7 @@ module.exports = {
   readJsonSafe,
   writeJson,
   tomlEscape,
+  escapeRegex,
+  assertNotSymlink,
   getLauncherAbsolutePath,
 };

package/bin/lib/mcp-config.test.js

@@ -14,6 +14,8 @@ const {
   LEARN_SERVER_NAME,
   MICROSOFT_LEARN_URL,
   tomlEscape,
+  escapeRegex,
+  assertNotSymlink,
   getLauncherAbsolutePath,
 } = require('./mcp-config');
 
@@ -29,6 +31,55 @@ describe('mcp-config helpers', () => {
     assert.strictEqual(tomlEscape('C:\\path\\to\\file'), 'C:\\\\path\\\\to\\\\file');
     assert.strictEqual(tomlEscape('say "hello"'), 'say \\"hello\\"');
   });
+
+  test('tomlEscape escapes TOML control characters', () => {
+    assert.strictEqual(tomlEscape('line1\nline2'), 'line1\\nline2');
+    assert.strictEqual(tomlEscape('tab\there'), 'tab\\there');
+    assert.strictEqual(tomlEscape('cr\rhere'), 'cr\\rhere');
+    // \x08 = backspace, \f = form feed
+    assert.strictEqual(tomlEscape('\x08\f'), '\\b\\f');
+  });
+
+  test('escapeRegex escapes all regex metacharacters', () => {
+    assert.strictEqual(escapeRegex('plain'), 'plain');
+    assert.strictEqual(escapeRegex('a.b'), 'a\\.b');
+    assert.strictEqual(escapeRegex('a[b]c'), 'a\\[b\\]c');
+    assert.strictEqual(escapeRegex('a+b*c?'), 'a\\+b\\*c\\?');
+    assert.strictEqual(escapeRegex('(hello)'), '\\(hello\\)');
+  });
+});
+
+describe('assertNotSymlink', () => {
+  let tempDir;
+
+  beforeEach(() => {
+    tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'bi-mcp-symlink-'));
+  });
+
+  afterEach(() => {
+    fs.rmSync(tempDir, { recursive: true, force: true });
+  });
+
+  test('allows non-existent paths', () => {
+    assert.doesNotThrow(() => {
+      assertNotSymlink(path.join(tempDir, 'nope.json'));
+    });
+  });
+
+  test('allows regular files', () => {
+    const file = path.join(tempDir, 'regular.json');
+    fs.writeFileSync(file, '{}');
+    assert.doesNotThrow(() => assertNotSymlink(file));
+  });
+
+  test('throws on symbolic links', () => {
+    const target = path.join(tempDir, 'target.json');
+    const link = path.join(tempDir, 'link.json');
+    fs.writeFileSync(target, '{}');
+    fs.symlinkSync(target, link);
+
+    assert.throws(() => assertNotSymlink(link), /is a symbolic link/);
+  });
 });
 
 describe('MCP_WRITERS registry', () => {
@@ -127,6 +178,44 @@ describe('MCP writers — JSON agents', () => {
     assert.ok(config.mcpServers[MODELING_SERVER_NAME]);
     assert.ok(config.mcpServers[LEARN_SERVER_NAME]);
   });
+
+  // Re-install de-duplication for JSON writers — each should replace its
+  // own entries cleanly without duplicating them on repeated runs.
+  for (const agentId of ['claude-code', 'github-copilot', 'gemini-cli', 'kilo']) {
+    test(`${agentId} re-install replaces entries without duplicating`, () => {
+      // First install
+      MCP_WRITERS[agentId](fakePkgDir);
+      // Second install (same args)
+      const configPath = MCP_WRITERS[agentId](fakePkgDir);
+
+      const config = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+      const serversKey = agentId === 'github-copilot' ? 'servers' : 'mcpServers';
+      const servers = config[serversKey];
+
+      // Our 2 servers should each appear exactly once (via object keys)
+      assert.ok(servers[MODELING_SERVER_NAME], 'modeling server missing after re-install');
+      assert.ok(servers[LEARN_SERVER_NAME], 'learn server missing after re-install');
+
+      // And no stray duplicates of our keys
+      const ourKeys = Object.keys(servers).filter(
+        (k) => k === MODELING_SERVER_NAME || k === LEARN_SERVER_NAME
+      );
+      assert.strictEqual(ourKeys.length, 2, `expected 2 of our keys, found ${ourKeys.length}`);
+    });
+  }
+
+  test('writeJson refuses to overwrite symlinked target', () => {
+    const realFile = path.join(tempHome, 'real-claude.json');
+    const linkFile = path.join(tempHome, '.claude.json');
+    fs.writeFileSync(realFile, '{"mcpServers":{}}');
+    fs.symlinkSync(realFile, linkFile);
+
+    assert.throws(() => MCP_WRITERS['claude-code'](fakePkgDir), /symbolic link/);
+
+    // The real file content must not have been touched.
+    const content = JSON.parse(fs.readFileSync(realFile, 'utf8'));
+    assert.deepStrictEqual(content, { mcpServers: {} });
+  });
 });
 
 describe('codex writer — TOML', () => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@luquimbo/bi-superpowers",
-  "version": "3.0.0",
+  "version": "3.0.1",
   "description": "Plugin-first Claude Code toolkit for Power BI, Microsoft Fabric, and Excel workflows powered by official Microsoft MCP servers.",
   "main": "bin/cli.js",
   "bin": {

package/skills/pbi-connect/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: "pbi-connect"
 description: "Use when the user asks about Power BI MCP Connection Skill, especially phrases like \"connect Power BI\", \"modeling mcp\", \"Power BI Desktop\", \"conectar Power BI\", \"can't connect to Power BI\"."
-version: "3.0.0"
+version: "3.0.1"
 ---
 
 <!-- Generated by BI Agent Superpowers. Edit src/content/skills/pbi-connect.md instead. -->

package/skills/project-kickoff/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: "project-kickoff"
 description: "Project Kickoff Skill: Project analysis and planning."
-version: "3.0.0"
+version: "3.0.1"
 ---
 
 <!-- Generated by BI Agent Superpowers. Edit src/content/skills/project-kickoff.md instead. -->