agentvibes 2.12.5 → 2.12.6

package/.claude/hooks/bmad-voice-manager.sh

@@ -59,8 +59,12 @@ ENABLED_FLAG="$CONFIG_DIR/bmad-voices-enabled.flag"
 # @calledby auto_enable_if_bmad_detected, get_bmad_config_path
 # @calls None
 detect_bmad_version() {
-    if [[ -f "bmad/_cfg/manifest.yaml" ]]; then
-        # v6 detected
+    if [[ -f ".bmad/_cfg/manifest.yaml" ]]; then
+        # v6 detected (standard path with dot prefix)
+        echo "6"
+        return 0
+    elif [[ -f "bmad/_cfg/manifest.yaml" ]]; then
+        # v6 detected (alternative path without dot prefix)
         echo "6"
         return 0
     elif [[ -f ".bmad-core/install-manifest.yaml" ]]; then
@@ -88,7 +92,12 @@ get_bmad_config_path() {
     local version=$(detect_bmad_version)
 
     if [[ "$version" == "6" ]]; then
-        echo "bmad/core/config.yaml"
+        # Check both possible v6 paths
+        if [[ -f ".bmad/core/config.yaml" ]]; then
+            echo ".bmad/core/config.yaml"
+        else
+            echo "bmad/core/config.yaml"
+        fi
         return 0
     elif [[ "$version" == "4" ]]; then
         echo ".bmad-core/config.yaml"
@@ -138,8 +147,15 @@ get_agent_voice() {
 
     # Check for BMAD v6 CSV file first (preferred, loose coupling)
     # If this exists, use it directly without requiring plugin enable flag
-    local bmad_voice_map=".bmad/_cfg/agent-voice-map.csv"
-    if [[ -f "$bmad_voice_map" ]]; then
+    # Support both .bmad (standard) and bmad (alternative) paths
+    local bmad_voice_map=""
+    if [[ -f ".bmad/_cfg/agent-voice-map.csv" ]]; then
+        bmad_voice_map=".bmad/_cfg/agent-voice-map.csv"
+    elif [[ -f "bmad/_cfg/agent-voice-map.csv" ]]; then
+        bmad_voice_map="bmad/_cfg/agent-voice-map.csv"
+    fi
+
+    if [[ -n "$bmad_voice_map" ]]; then
         # Read from BMAD's standard _cfg directory
         # CSV format: agent_id,voice_name
         local voice=$(grep "^$agent_id," "$bmad_voice_map" | cut -d',' -f2)

package/README.md

@@ -11,7 +11,7 @@
 [![Publish](https://github.com/paulpreibisch/AgentVibes/actions/workflows/publish.yml/badge.svg)](https://github.com/paulpreibisch/AgentVibes/actions/workflows/publish.yml)
 [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 
-**Author**: Paul Preibisch ([@997Fire](https://x.com/997Fire)) | **Version**: v2.12.5
+**Author**: Paul Preibisch ([@997Fire](https://x.com/997Fire)) | **Version**: v2.12.6
 
 ---
 
@@ -94,17 +94,17 @@ Whether you're coding in Claude Code, chatting in Claude Desktop, or using Warp
 
 ## 📰 Latest Release
 
-**[v2.12.5 - Code Quality Improvements](https://github.com/paulpreibisch/AgentVibes/releases/tag/v2.12.5)** 🎉
+**[v2.12.6 - Security & Reliability Improvements](https://github.com/paulpreibisch/AgentVibes/releases/tag/v2.12.6)** 🎉
 
-AgentVibes v2.12.5 improves code quality by upgrading Sonar quality gates and implementing best practices identified through static analysis. This release includes enhanced input validation, improved shell command handling, better file locking for atomic operations, and secure temporary directory management while maintaining 100% backward compatibility.
+AgentVibes v2.12.6 brings quality improvements based on SonarCloud analysis and enhances BMAD party mode. This release improves API key privacy in terminal output, adds better cleanup for long-running sessions, includes more robust error handling, and ensures BMAD agents each get their unique voice. All improvements maintain 100% backward compatibility.
 
 **Key Highlights:**
-- ✅ **Sonar Quality Gates Upgraded** - Enhanced code quality standards across the codebase
-- 🔒 **18 Code Improvements** - Better input validation, command handling, and file operations
-- 🧪 **110/110 Tests Passing** - All functionality verified and working
-- 🔄 **Zero Breaking Changes** - Fully backward compatible with existing installations
-- 📊 **162 Lines Enhanced** - Code quality improvements across 8 files
-- 💡 **Best Practices** - Improved error handling and validation
+- 🔒 **API Key Privacy** - Masked display prevents credential leaks in terminal history
+- 🛡️ **Resource Cleanup** - Better subprocess management for long-running stability
+- ⚡ **Error Handling** - Graceful degradation instead of crashes on file operations
+- 🎭 **BMAD Voice Detection** - Party mode supports multiple directory paths
+- ✅ **110/110 Tests Passing** - All functionality verified and working
+- 🔄 **Zero Breaking Changes** - Fully backward compatible with v2.12.5
 
 💡 **Tip:** If `npx agentvibes` shows an older version or missing commands, clear your npm cache: `npm cache clean --force && npx agentvibes@latest --help`
 

package/RELEASE_NOTES.md

@@ -1,3 +1,225 @@
+# Release v2.12.6 - Security & Reliability Improvements
+
+**Release Date:** 2025-01-24
+**Type:** Patch Release (Security & Reliability)
+
+## 🔒 AI Summary
+
+AgentVibes v2.12.6 brings quality improvements based on SonarCloud analysis and enhances BMAD party mode. This release improves API key privacy in terminal output, adds better cleanup for long-running sessions, includes more robust error handling, and ensures BMAD agents each get their unique voice. All improvements maintain 100% backward compatibility with 110/110 tests passing.
+
+**Key Highlights:**
+- 🔒 **API Key Security** - Masked API key display prevents credential leaks in terminal history
+- 🛡️ **Resource Leak Prevention** - Subprocess cleanup prevents "too many open files" errors
+- ⚡ **Enhanced Error Handling** - Graceful degradation instead of crashes on file operations
+- 🎭 **BMAD Voice Detection** - Fixed party mode to support both .bmad and bmad directory paths
+- ✅ **110/110 Tests Passing** - All functionality verified and working
+
+---
+
+## 🔧 Security Improvements
+
+### API Key Masking (Issue #45)
+**Files:** `src/installer.js` (lines 384, 445, 464, 489)
+
+**Changes:**
+- Replaced partial API key display (`first10chars...`) with masked format (`***************...`)
+- Removed full API key from error messages and manual setup instructions
+- Changed all console outputs to use placeholder `<your-api-key>`
+
+**Impact:**
+- Prevents credential leaks in terminal history (`.bash_history`, `.zsh_history`)
+- Safer during screen recordings and screenshots
+- Reduces risk during pair programming sessions
+
+### Path Validation Enhancement (Issue #45)
+**File:** `src/installer.js:214-219`
+
+**Changes:**
+- Added `path.resolve()` validation for script execution
+- Ensures scripts are within allowed `.claude/hooks` directory
+- Defense-in-depth security measure
+
+**Impact:**
+- Prevents path traversal attacks
+- Better error messages for invalid paths
+
+---
+
+## 🛡️ Reliability Improvements
+
+### Resource Leak Prevention (Issue #45)
+**Files:** `mcp-server/server.py:144-174, 510-537`
+
+**Changes:**
+- Added try-finally blocks around subprocess operations
+- Ensures processes are properly killed if still running after errors
+- Cleanup happens even on exceptions
+
+**Impact:**
+- Prevents "too many open files" errors in long-running MCP server sessions
+- Better resource management for continuous operation
+- More stable in production environments
+
+### Enhanced Error Handling - Python (Issue #45)
+**Files:** `mcp-server/server.py:544-558, 565-584`
+
+**Changes:**
+- Added error handling to `_get_personality()` function
+- Added error handling to `_get_provider()` function
+- Catches `PermissionError`, `UnicodeDecodeError`, `OSError`
+- Returns sensible defaults instead of crashing
+
+**Impact:**
+- Graceful degradation when config files are corrupted or inaccessible
+- Continues operation with defaults rather than failing
+- Better user experience in edge cases
+
+### Enhanced Error Handling - JavaScript (Issue #45)
+**Files:** `src/installer.js:500-536, 544-604`
+
+**Changes:**
+- Added comprehensive error handling to `copyCommandFiles()`
+- Added comprehensive error handling to `copyHookFiles()`
+- Tracks success/failure counts per file
+- Continues with remaining files on partial failures
+- Shows clear feedback about what succeeded vs failed
+
+**Impact:**
+- Installation continues even if individual files fail to copy
+- Users see exactly which operations succeeded
+- Partial installations are more visible and recoverable
+
+### Shell Config Deduplication (Issue #45)
+**File:** `src/installer.js:482-498`
+
+**Changes:**
+- Checks if `ELEVENLABS_API_KEY` already exists before appending
+- Shows friendly message when key already present
+- Prevents duplicate entries on repeated installations
+
+**Impact:**
+- Cleaner shell configuration files
+- No accumulation of duplicate exports
+- Better UX for repeated installs
+
+---
+
+## 🎭 BMAD Integration Improvements
+
+### Multi-Path Voice Detection (Issue #46)
+**File:** `.claude/hooks/bmad-voice-manager.sh`
+
+**Changes:**
+- Enhanced `detect_bmad_version()` to check both `.bmad/` and `bmad/` paths
+- Updated `get_bmad_config_path()` to support both v6 directory variants
+- Fixed `get_agent_voice()` to find `agent-voice-map.csv` in either location
+
+**Impact:**
+- BMAD party mode now works regardless of installation path
+- Each agent speaks with their unique assigned voice
+- Resolves all agents using default "lessac" voice
+
+**Supported Paths:**
+```
+✓ .bmad/_cfg/agent-voice-map.csv (standard)
+✓ bmad/_cfg/agent-voice-map.csv (alternative)
+✓ .bmad/core/config.yaml (standard)
+✓ bmad/core/config.yaml (alternative)
+```
+
+---
+
+## 📊 Changes Summary
+
+**Issues Resolved:**
+- #45 - SonarCloud Quality Gate: 17 Security Hotspots & C Reliability
+- #46 - BMAD Plugin: Missing agent-voice-map.csv path detection
+
+**Files Modified:** 3
+- `src/installer.js` - API key masking, error handling, shell config deduplication, path validation
+- `mcp-server/server.py` - Resource cleanup, error handling
+- `.claude/hooks/bmad-voice-manager.sh` - Multi-path BMAD detection
+
+**Lines Changed:** 180 additions, 85 deletions
+
+**Test Results:** 110/110 passing ✅
+
+---
+
+## 💡 Technical Details
+
+### SonarCloud Quality Gate Fixes
+
+**Must-Fix Items (High Priority):**
+1. ✅ API Key Logging - Prevents accidental credential exposure
+2. ✅ Resource Leaks - Prevents crashes in long-running sessions
+3. ✅ Missing Error Handling - Prevents crashes on file system errors
+
+**Nice-to-Fix Items (Medium Priority):**
+4. ✅ Shell Config Deduplication - Better UX on repeated installations
+5. ✅ Path Validation Enhancement - Defense-in-depth security
+
+### Error Handling Strategy
+
+**Python (`server.py`):**
+```python
+try:
+    if personality_file.exists():
+        return personality_file.read_text().strip()
+except (PermissionError, UnicodeDecodeError, OSError) as e:
+    print(f"Warning: Could not read file: {e}", file=sys.stderr)
+return "normal"  # Sensible default
+```
+
+**JavaScript (`installer.js`):**
+```javascript
+try {
+    await fs.copyFile(srcPath, destPath);
+    successCount++;
+} catch (err) {
+    console.log(chalk.yellow(`⚠ Failed to copy ${file}: ${err.message}`));
+    // Continue with other files
+}
+```
+
+---
+
+## ✅ Testing
+
+### Test Suite Results
+- **110 tests total**
+- **110 passing** ✅
+- **0 failing**
+- All functionality verified working
+
+### Syntax Validation
+- ✅ Node.js syntax check passed
+- ✅ Python syntax check passed
+- ✅ No runtime errors detected
+
+---
+
+## 🎯 Migration Notes
+
+**No migration required** - This is a patch release with security and reliability improvements.
+
+**Compatibility:** 100% backward compatible with v2.12.5
+
+**Recommended Action:** Update to get the latest security and stability improvements
+```bash
+npx agentvibes@latest update
+```
+
+---
+
+## 🔗 References
+
+- GitHub Issue #45: https://github.com/paulpreibisch/AgentVibes/issues/45
+- GitHub Issue #46: https://github.com/paulpreibisch/AgentVibes/issues/46
+- SonarCloud Quality Gates: Code quality and security analysis
+
+---
+
 # Release v2.12.5 - Code Quality Improvements
 
 **Release Date:** 2025-01-23

package/mcp-server/server.py

@@ -147,25 +147,31 @@ class AgentVibesServer:
                 stderr=asyncio.subprocess.PIPE,
                 env=env,
             )
-            stdout, stderr = await result.communicate()
-
-            if result.returncode == 0:
-                output = stdout.decode().strip()
-                # Extract file path from output
-                for line in output.split("\n"):
-                    if "Saved to:" in line:
-                        file_path = line.split("Saved to:")[1].strip()
-                        truncated = (
-                            f"{text[:50]}..." if len(text) > 50 else text
-                        )
-                        return f"✅ Spoke: {truncated}\n📁 Audio saved: {file_path}"
-
-                return f"✅ Spoke: {text[:50]}..." if len(text) > 50 else f"✅ Spoke: {text}"
-            else:
-                error = stderr.decode().strip()
-                stdout_output = stdout.decode().strip()
-                full_error = f"{error}\nStdout: {stdout_output}" if stdout_output else error
-                return f"❌ TTS failed: {full_error}"
+            try:
+                stdout, stderr = await result.communicate()
+
+                if result.returncode == 0:
+                    output = stdout.decode().strip()
+                    # Extract file path from output
+                    for line in output.split("\n"):
+                        if "Saved to:" in line:
+                            file_path = line.split("Saved to:")[1].strip()
+                            truncated = (
+                                f"{text[:50]}..." if len(text) > 50 else text
+                            )
+                            return f"✅ Spoke: {truncated}\n📁 Audio saved: {file_path}"
+
+                    return f"✅ Spoke: {text[:50]}..." if len(text) > 50 else f"✅ Spoke: {text}"
+                else:
+                    error = stderr.decode().strip()
+                    stdout_output = stdout.decode().strip()
+                    full_error = f"{error}\nStdout: {stdout_output}" if stdout_output else error
+                    return f"❌ TTS failed: {full_error}"
+            finally:
+                # Ensure process cleanup
+                if result.returncode is None:
+                    result.kill()
+                    await result.wait()
 
         finally:
             # Restore original settings
@@ -513,14 +519,20 @@ class AgentVibesServer:
                 stderr=asyncio.subprocess.PIPE,
                 env=env,
             )
-            stdout, stderr = await result.communicate()
-            if result.returncode == 0:
-                return stdout.decode().strip()
-            else:
-                error_msg = stderr.decode().strip()
-                if not error_msg:  # If stderr is empty, include stdout for debugging
-                    error_msg = f"Return code {result.returncode}. Stdout: {stdout.decode().strip()}"
-                return error_msg
+            try:
+                stdout, stderr = await result.communicate()
+                if result.returncode == 0:
+                    return stdout.decode().strip()
+                else:
+                    error_msg = stderr.decode().strip()
+                    if not error_msg:  # If stderr is empty, include stdout for debugging
+                        error_msg = f"Return code {result.returncode}. Stdout: {stdout.decode().strip()}"
+                    return error_msg
+            finally:
+                # Ensure process cleanup
+                if result.returncode is None:
+                    result.kill()
+                    await result.wait()
         except Exception as e:
             return f"Error running script: {e}"
 
@@ -536,8 +548,13 @@ class AgentVibesServer:
             # Try global
             personality_file = Path.home() / ".claude" / "tts-personality.txt"
 
-        if personality_file.exists():
-            return personality_file.read_text().strip()
+        try:
+            if personality_file.exists():
+                return personality_file.read_text().strip()
+        except (PermissionError, UnicodeDecodeError, OSError) as e:
+            # Log error but don't crash - return default
+            import sys
+            print(f"Warning: Could not read personality file: {e}", file=sys.stderr)
         return "normal"
 
     async def _get_language(self) -> str:
@@ -551,13 +568,18 @@ class AgentVibesServer:
         if not provider_file.exists():
             provider_file = Path.home() / ".claude" / "tts-provider.txt"
 
-        if provider_file.exists():
-            provider = provider_file.read_text().strip()
-            if provider == "elevenlabs":
-                return "ElevenLabs (Premium AI)"
-            elif provider == "piper":
-                return "Piper TTS (Free, Offline)"
-            return provider
+        try:
+            if provider_file.exists():
+                provider = provider_file.read_text().strip()
+                if provider == "elevenlabs":
+                    return "ElevenLabs (Premium AI)"
+                elif provider == "piper":
+                    return "Piper TTS (Free, Offline)"
+                return provider
+        except (PermissionError, UnicodeDecodeError, OSError) as e:
+            # Log error but don't crash - return default
+            import sys
+            print(f"Warning: Could not read provider file: {e}", file=sys.stderr)
         # Default to Piper (free, offline) instead of ElevenLabs
         return "Piper TTS (Free, Offline)"
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://json.schemastore.org/package.json",
   "name": "agentvibes",
-  "version": "2.12.5",
+  "version": "2.12.6",
   "description": "Now your AI Agents can finally talk back! Professional TTS voice for Claude Code and Claude Desktop (via MCP) with multi-provider support.",
   "homepage": "https://agentvibes.org",
   "keywords": [

package/src/installer.js

@@ -128,27 +128,27 @@ function showReleaseInfo() {
   console.log(
     boxen(
       chalk.white.bold('═══════════════════════════════════════════════════════════════\n') +
-      chalk.cyan.bold('  📦 AgentVibes v2.12.5 - Code Quality Improvements\n') +
+      chalk.cyan.bold('  📦 AgentVibes v2.12.6 - Security & Reliability Improvements\n') +
       chalk.white.bold('═══════════════════════════════════════════════════════════════\n\n') +
       chalk.green.bold('🎙️ WHAT\'S NEW:\n\n') +
-      chalk.cyan('AgentVibes v2.12.5 improves code quality by upgrading Sonar quality gates\n') +
-      chalk.cyan('and implementing best practices identified through static analysis. This\n') +
-      chalk.cyan('release includes enhanced input validation, improved shell command handling,\n') +
-      chalk.cyan('better file locking for atomic operations, and secure temporary directory\n') +
-      chalk.cyan('management while maintaining 100% backward compatibility.\n\n') +
+      chalk.cyan('AgentVibes v2.12.6 brings quality improvements based on SonarCloud analysis\n') +
+      chalk.cyan('and enhances BMAD party mode. This release improves API key privacy in\n') +
+      chalk.cyan('terminal output, adds better cleanup for long-running sessions, includes\n') +
+      chalk.cyan('more robust error handling, and ensures BMAD agents each get their unique\n') +
+      chalk.cyan('voice. All improvements maintain 100% backward compatibility.\n\n') +
       chalk.green.bold('✨ KEY HIGHLIGHTS:\n\n') +
-      chalk.gray('   ✅ Sonar Quality Gates Upgraded - Enhanced code quality standards\n') +
-      chalk.gray('   🔒 18 Code Improvements - Better input validation and command handling\n') +
-      chalk.gray('   🧪 110/110 Tests Passing - All functionality verified and working\n') +
-      chalk.gray('   🔄 Zero Breaking Changes - Fully backward compatible with v2.12.4\n') +
-      chalk.gray('   📊 162 Lines Enhanced - Code quality improvements across 8 files\n') +
-      chalk.gray('   💡 Best Practices - Improved error handling and validation\n\n') +
+      chalk.gray('   🔒 API Key Privacy - Masked display prevents credential leaks in logs\n') +
+      chalk.gray('   🛡️ Resource Cleanup - Better subprocess management for stability\n') +
+      chalk.gray('   ⚡ Error Handling - Graceful degradation instead of crashes\n') +
+      chalk.gray('   🎭 BMAD Voice Detection - Party mode supports multiple directory paths\n') +
+      chalk.gray('   ✅ 110/110 Tests Passing - All functionality verified and working\n') +
+      chalk.gray('   🔄 Zero Breaking Changes - Fully backward compatible with v2.12.5\n\n') +
       chalk.cyan('Technical Improvements:\n') +
-      chalk.gray('   • Enhanced input validation across all interfaces\n') +
-      chalk.gray('   • Improved shell command handling with proper escaping\n') +
-      chalk.gray('   • Better file system operations with path validation\n') +
-      chalk.gray('   • Atomic PID file operations with file locking\n') +
-      chalk.gray('   • Cleaner code with debug output removed\n\n') +
+      chalk.gray('   • API keys now masked in terminal output and error messages\n') +
+      chalk.gray('   • Process cleanup prevents "too many open files" errors\n') +
+      chalk.gray('   • Enhanced error handling for file operations\n') +
+      chalk.gray('   • BMAD agents now use unique voices in party mode\n') +
+      chalk.gray('   • Shell config deduplication on repeated installs\n\n') +
       chalk.white.bold('═══════════════════════════════════════════════════════════════\n\n') +
       chalk.gray('📖 Full Release Notes: RELEASE_NOTES.md\n') +
       chalk.gray('🌐 Website: https://agentvibes.org\n') +
@@ -211,6 +211,13 @@ function execScript(scriptPath, options = {}) {
     throw new Error('Invalid characters in script path');
   }
 
+  // Validate path is within expected directory (defense in depth)
+  const resolvedPath = path.resolve(scriptFile);
+  const allowedDir = path.resolve(__dirname, '..', '.claude', 'hooks');
+  if (!resolvedPath.startsWith(allowedDir)) {
+    throw new Error('Script path outside allowed directory');
+  }
+
   // Escape each argument properly
   const escapedArgs = args.map(arg => {
     // Replace single quotes with '\'' (end quote, escaped quote, start quote)
@@ -381,7 +388,7 @@ async function handleElevenLabsApiKey(options) {
 
   if (elevenLabsKey) {
     console.log(chalk.green(`\n✓ ElevenLabs API key detected from environment`));
-    console.log(chalk.gray(`  Key: ${elevenLabsKey.substring(0, 10)}...`));
+    console.log(chalk.gray(`  Key: ***************...`));
 
     if (!options.yes) {
       const { useExisting } = await inquirer.prompt([
@@ -442,7 +449,7 @@ async function handleElevenLabsApiKey(options) {
 
     if (setupMethod === 'manual') {
       console.log(chalk.yellow('\n⚠️  Remember to add this to your environment variables later:'));
-      console.log(chalk.gray(`   export ELEVENLABS_API_KEY="${apiKey}"\n`));
+      console.log(chalk.gray(`   export ELEVENLABS_API_KEY="<your-api-key>"\n`));
     } else if (setupMethod === 'shell') {
       await addApiKeyToShellConfig(apiKey);
     }
@@ -461,7 +468,7 @@ async function addApiKeyToShellConfig(apiKey) {
   if (!shellName || !shellConfig) {
     console.log(chalk.yellow('\n⚠️  Could not detect shell type'));
     console.log(chalk.gray('   Please add manually to your shell config:'));
-    console.log(chalk.gray(`   export ELEVENLABS_API_KEY="${apiKey}"\n`));
+    console.log(chalk.gray(`   export ELEVENLABS_API_KEY="<your-api-key>"\n`));
     return;
   }
 
@@ -479,14 +486,27 @@ async function addApiKeyToShellConfig(apiKey) {
 
   if (confirmShell) {
     try {
-      const configContent = `\n# ElevenLabs API Key for AgentVibes\nexport ELEVENLABS_API_KEY="${apiKey}"\n`;
-      await fs.appendFile(shellConfig, configContent);
-      console.log(chalk.green(`\n✓ API key added to ${shellConfig}`));
-      console.log(chalk.yellow('  Run this to use immediately: ') + chalk.cyan(`source ${shellConfig}`));
+      // Check if already exists to avoid duplicates
+      let existingContent = '';
+      try {
+        existingContent = await fs.readFile(shellConfig, 'utf8');
+      } catch (err) {
+        // File might not exist yet, which is fine
+      }
+
+      if (existingContent.includes('ELEVENLABS_API_KEY')) {
+        console.log(chalk.cyan(`\n→ API key already exists in ${shellConfig}`));
+        console.log(chalk.gray('   No changes needed'));
+      } else {
+        const configContent = `\n# ElevenLabs API Key for AgentVibes\nexport ELEVENLABS_API_KEY="${apiKey}"\n`;
+        await fs.appendFile(shellConfig, configContent);
+        console.log(chalk.green(`\n✓ API key added to ${shellConfig}`));
+        console.log(chalk.yellow('  Run this to use immediately: ') + chalk.cyan(`source ${shellConfig}`));
+      }
     } catch (error) {
       console.log(chalk.red(`\n✗ Failed to write to ${shellConfig}`));
       console.log(chalk.gray('   Please add manually:'));
-      console.log(chalk.gray(`   export ELEVENLABS_API_KEY="${apiKey}"\n`));
+      console.log(chalk.gray(`   export ELEVENLABS_API_KEY="<your-api-key>"\n`));
     }
   }
 }
@@ -503,20 +523,36 @@ async function copyCommandFiles(targetDir, spinner) {
   const commandsDir = path.join(targetDir, '.claude', 'commands');
   const agentVibesCommandsDir = path.join(commandsDir, 'agent-vibes');
 
-  await fs.mkdir(agentVibesCommandsDir, { recursive: true });
+  try {
+    await fs.mkdir(agentVibesCommandsDir, { recursive: true });
 
-  const commandFiles = await fs.readdir(srcCommandsDir);
-  console.log(chalk.cyan(`\n📋 Installing ${commandFiles.length} command files:`));
+    const commandFiles = await fs.readdir(srcCommandsDir);
+    console.log(chalk.cyan(`\n📋 Installing ${commandFiles.length} command files:`));
 
-  for (const file of commandFiles) {
-    const srcPath = path.join(srcCommandsDir, file);
-    const destPath = path.join(agentVibesCommandsDir, file);
-    await fs.copyFile(srcPath, destPath);
-    console.log(chalk.gray(`   ✓ agent-vibes/${file}`));
-  }
+    let successCount = 0;
+    for (const file of commandFiles) {
+      const srcPath = path.join(srcCommandsDir, file);
+      const destPath = path.join(agentVibesCommandsDir, file);
+      try {
+        await fs.copyFile(srcPath, destPath);
+        console.log(chalk.gray(`   ✓ agent-vibes/${file}`));
+        successCount++;
+      } catch (err) {
+        console.log(chalk.yellow(`   ⚠ Failed to copy ${file}: ${err.message}`));
+        // Continue with other files
+      }
+    }
 
-  spinner.succeed(chalk.green('Installed /agent-vibes commands!\n'));
-  return commandFiles.length;
+    if (successCount === commandFiles.length) {
+      spinner.succeed(chalk.green('Installed /agent-vibes commands!\n'));
+    } else {
+      spinner.warn(chalk.yellow(`Installed ${successCount}/${commandFiles.length} commands (some failed)\n`));
+    }
+    return successCount;
+  } catch (err) {
+    spinner.fail(chalk.red(`Failed to install commands: ${err.message}`));
+    throw err;
+  }
 }
 
 /**
@@ -530,40 +566,61 @@ async function copyHookFiles(targetDir, spinner) {
   const srcHooksDir = path.join(__dirname, '..', '.claude', 'hooks');
   const hooksDir = path.join(targetDir, '.claude', 'hooks');
 
-  await fs.mkdir(hooksDir, { recursive: true });
+  try {
+    await fs.mkdir(hooksDir, { recursive: true });
 
-  const allHookFiles = await fs.readdir(srcHooksDir);
-  const hookFiles = [];
+    const allHookFiles = await fs.readdir(srcHooksDir);
+    const hookFiles = [];
 
-  for (const file of allHookFiles) {
-    const srcPath = path.join(srcHooksDir, file);
-    const stat = await fs.stat(srcPath);
+    for (const file of allHookFiles) {
+      const srcPath = path.join(srcHooksDir, file);
+      try {
+        const stat = await fs.stat(srcPath);
 
-    if (stat.isFile() &&
-        (file.endsWith('.sh') || file === 'hooks.json') &&
-        !file.includes('prepare-release') &&
-        !file.startsWith('.')) {
-      hookFiles.push(file);
+        if (stat.isFile() &&
+            (file.endsWith('.sh') || file === 'hooks.json') &&
+            !file.includes('prepare-release') &&
+            !file.startsWith('.')) {
+          hookFiles.push(file);
+        }
+      } catch (err) {
+        console.log(chalk.yellow(`   ⚠ Could not check ${file}: ${err.message}`));
+        // Continue with other files
+      }
     }
-  }
 
-  console.log(chalk.cyan(`🔧 Installing ${hookFiles.length} TTS scripts:`));
-  for (const file of hookFiles) {
-    const srcPath = path.join(srcHooksDir, file);
-    const destPath = path.join(hooksDir, file);
-    await fs.copyFile(srcPath, destPath);
+    console.log(chalk.cyan(`🔧 Installing ${hookFiles.length} TTS scripts:`));
+    let successCount = 0;
+    for (const file of hookFiles) {
+      const srcPath = path.join(srcHooksDir, file);
+      const destPath = path.join(hooksDir, file);
+      try {
+        await fs.copyFile(srcPath, destPath);
 
-    if (file.endsWith('.sh')) {
-      // Security: Use more restrictive permissions (owner: rwx, group: r-x, others: ---)
-      await fs.chmod(destPath, 0o750);
-      console.log(chalk.gray(`   ✓ ${file} (executable)`));
+        if (file.endsWith('.sh')) {
+          // Security: Use more restrictive permissions (owner: rwx, group: r-x, others: ---)
+          await fs.chmod(destPath, 0o750);
+          console.log(chalk.gray(`   ✓ ${file} (executable)`));
+        } else {
+          console.log(chalk.gray(`   ✓ ${file}`));
+        }
+        successCount++;
+      } catch (err) {
+        console.log(chalk.yellow(`   ⚠ Failed to copy ${file}: ${err.message}`));
+        // Continue with other files
+      }
+    }
+
+    if (successCount === hookFiles.length) {
+      spinner.succeed(chalk.green('Installed TTS scripts!\n'));
     } else {
-      console.log(chalk.gray(`   ✓ ${file}`));
+      spinner.warn(chalk.yellow(`Installed ${successCount}/${hookFiles.length} scripts (some failed)\n`));
     }
+    return successCount;
+  } catch (err) {
+    spinner.fail(chalk.red(`Failed to install hook scripts: ${err.message}`));
+    throw err;
   }
-
-  spinner.succeed(chalk.green('Installed TTS scripts!\n'));
-  return hookFiles.length;
 }
 
 /**