agentvibes 5.1.1 → 5.1.3

package/.claude/hooks-windows/play-tts.ps1

@@ -16,6 +16,17 @@ param(
     [string]$llm = ""
 )
 
+# Security: Validate LLM provider name (alphanumeric, hyphens, underscores
+# only) — mirrors play-tts.sh line 92.  This prevents weird values from
+# poisoning the audio-effects.cfg lookup or the AGENTVIBES_LLM_KEY env var
+# we export to child scripts.  An invalid value is treated as unset rather
+# than aborting, so the script falls back to the default config and the
+# rest of TTS still works.
+if ($llm -and $llm -notmatch '^[a-zA-Z0-9_-]+$') {
+    Write-Error "Invalid LLM provider name: '$llm' — must match ^[a-zA-Z0-9_-]+$. Falling back to default config."
+    $llm = ""
+}
+
 # Configuration paths
 # Priority: CLAUDE_PROJECT_DIR env var → script's parent project → user profile
 # Local project settings ALWAYS override global (~/.claude)

package/README.md

@@ -11,7 +11,7 @@
 [![Publish](https://github.com/paulpreibisch/AgentVibes/actions/workflows/publish.yml/badge.svg)](https://github.com/paulpreibisch/AgentVibes/actions/workflows/publish.yml)
 [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 
-**Author**: Paul Preibisch ([@997Fire](https://x.com/997Fire)) | **Version**: v5.1.1
+**Author**: Paul Preibisch ([@997Fire](https://x.com/997Fire)) | **Version**: v5.1.3
 
 ---
 
@@ -43,6 +43,24 @@ Whether you're using Claude Code, GitHub Copilot, OpenAI Codex, Claude Desktop,
 
 ---
 
+## 🛡️ v5.1.3 — Hardening Pass (Adversarial Review Followup)
+
+- **Existing `.mcp.json` is now auto-migrated** — v5.1.2's installer detected an existing `.mcp.json` and printed instructions instead of fixing it, leaving v5.1.0/v5.1.1 users still broken after upgrade. v5.1.3 merges the `AGENTVIBES_LLM` env var into existing configs in-place.
+- **`AGENTVIBES_LLM` is now validated** in both `mcp-server/server.py` (Python regex) and `play-tts.ps1` (PowerShell regex), matching `play-tts.sh`'s `^[a-zA-Z0-9_-]+$` check. Cross-platform contract is now symmetric.
+- **`npm pack` content guard hardened**: hard-fails (not silent-passes) when `npm pack` errors; uses `git status --porcelain` to catch UNTRACKED publishable files (the v5.1.0 disaster also could've happened with a stray new file); has explicit 60s timeout to prevent CI hangs.
+
+---
+
+## 🔀 v5.1.2 — MCP Per-LLM Routing Hotfix
+
+- **MCP server now reads `AGENTVIBES_LLM` env var** instead of hardcoding `copilot` — Codex / Copilot / Claude Code each get routed to their own per-LLM voice / pretext / music / effects config from `audio-effects.cfg`.
+- **MCP launcher templates set the env var** automatically — `.codex/config.toml`, `.vscode/mcp.json`, and `.mcp.json` all include `AGENTVIBES_LLM` for the right provider.
+- **24 new regression tests** prevent this class of bug from shipping again, including a `npm pack` content guard that fails the test suite if the working tree has uncommitted changes (the v5.1.0 disaster guard).
+
+If you already have AgentVibes installed, re-run the per-provider configure step or add `"env": { "AGENTVIBES_LLM": "<your-llm>" }` manually to your MCP config.
+
+---
+
 ## 🩹 v5.1.1 — Windows TTS Hook Hotfix
 
 - **`play-tts.ps1 -llm` parameter restored** — npm-published v5.1.0 shipped a regressed copy without `-llm` support, breaking the Setup tab Preview button and the agentvibes MCP `text_to_speech` tool on Windows. Fixed in v5.1.1. If you hit the error, clear your npx cache: `npm cache clean --force` then reinstall.

package/RELEASE_NOTES.md

@@ -1,5 +1,77 @@
 # AgentVibes Release Notes
 
+## 🛡️ v5.1.3 — Hardening Pass (Adversarial Review Followup)
+
+**Release Date:** April 2026
+
+This release addresses HIGH/MEDIUM findings from a parallel adversarial review (Blind Hunter + Edge Case Hunter) of the v5.1.2 hotfix.
+
+### Bug Fixes
+
+- **Existing `.mcp.json` is now auto-migrated** — v5.1.2's installer detected an existing `.mcp.json` and printed instructions to fix it manually. Result: anyone upgrading from v5.1.0/v5.1.1 was still broken after `npm i -g agentvibes@5.1.2`. v5.1.3 detects an existing config, merges the `AGENTVIBES_LLM` env var (and the rest of the agentvibes server entry) in-place, and shows a green "✅ MCP Configuration Updated" message. Existing user `env` keys are preserved.
+
+- **`AGENTVIBES_LLM` is now validated** before being forwarded to the child shell. The bash version of `play-tts.sh` already validated `^[a-zA-Z0-9_-]+$` and rejected weird values; the Python `mcp-server/server.py` and the Windows `play-tts.ps1` did not. Now all three do, with the same regex. Invalid values are logged to stderr and treated as "unset" so TTS still works (falls back to default config).
+
+### Testing & Hardening
+
+- **`npm pack` content guard now hard-fails on `packError`** instead of silently returning early. The previous v5.1.2 implementation had `if (packError) return;` in 6 of 8 tests, which meant a real `npm pack` failure surfaced as one failed test and SIX false-greens — defeating the entire purpose of the publish guard.
+
+- **Dirty-tree check now uses `git status --porcelain`** instead of `git diff HEAD`. The previous implementation only caught modified-but-uncommitted tracked files; it missed brand-new untracked files in publishable directories (e.g. a `play-tts.ps1.new` someone forgot to delete). The v5.1.0 disaster could just as easily have shipped via an untracked stray file.
+
+- **`npm pack` exec timeout** — added explicit 60-second timeout with `SIGKILL` so the publish guard can't hang CI on a stuck registry call.
+
+- **`git status` failures hard-fail** instead of silently skipping. A missing git binary in CI was previously treated as "no findings" — that's exactly the opposite of what a security guard should do. Now it fails loudly with a message explaining the guard requires git.
+
+- **3 new regression tests** for the new validations and migration logic.
+
+### How to Update
+
+```
+npm cache clean --force
+npx --yes agentvibes@5.1.3
+```
+
+If you upgraded from v5.1.0 or v5.1.1, **re-run the AgentVibes installer once** so the new in-place migration touches your existing `.mcp.json` / `.codex/config.toml` / `.vscode/mcp.json`.
+
+---
+
+## 🔀 v5.1.2 — MCP Per-LLM Routing Hotfix
+
+**Release Date:** April 2026
+
+### Bug Fixes
+
+- **MCP server no longer hardcodes `-llm copilot`** — `mcp-server/server.py` was passing `-llm copilot` for every caller, regardless of whether the actual client was Codex, Copilot, or Claude Code. This meant per-LLM voice/pretext/music routing in `audio-effects.cfg` was effectively broken: all three providers fell through to the same `llm:copilot` lookup (or worse, the global default config). The server now reads `AGENTVIBES_LLM` from the environment and forwards that as the `-llm` value, falling back to no `-llm` flag if unset.
+
+- **MCP launcher templates set `AGENTVIBES_LLM`** — Each provider's MCP config now sets the env var so the server knows which LLM is calling:
+  - Codex: `.codex/config.toml` → `env = { AGENTVIBES_LLM = "codex" }`
+  - Copilot: `.vscode/mcp.json` → `"env": { "AGENTVIBES_LLM": "copilot" }`
+  - Claude Code: `.mcp.json` → `"env": { "AGENTVIBES_LLM": "claude-code" }`
+
+  Both freshly-installed configs and the manual-instruction snippets shown by the installer include the env var.
+
+### Testing & Hardening
+
+- **24 new regression tests** in `test/unit/llm-provider-mcp-routing.test.js` and `test/unit/npm-pack-contents.test.js` enforce the contract end-to-end:
+  - Each MCP launcher template MUST set `AGENTVIBES_LLM` to the correct value
+  - `mcp-server/server.py` MUST read `AGENTVIBES_LLM` from env and MUST NOT hardcode `-llm copilot`
+  - `play-tts.ps1` MUST declare its `$llm` parameter, contain per-LLM lookup logic, export `AGENTVIBES_LLM_KEY`, and be at least 400 lines (catches the v5.1.0 mass-deletion regression)
+  - `play-tts.sh` MUST parse `--llm` and do per-LLM lookup against `audio-effects.cfg`
+  - **Working tree must be clean** before publishing (the v5.1.0 disaster guard — `npm publish` packs the working tree, not the git tag, so any uncommitted local edits get shipped)
+
+- The contract tests are **mutation-tested**: temporarily replacing `play-tts.ps1` with a broken stub fires 4 assertions with clear messages, proving the exact v5.1.0 regression would now block publish.
+
+### How to Update
+
+```
+npm cache clean --force
+npx --yes agentvibes@5.1.2
+```
+
+If you already have AgentVibes installed for one or more providers, re-run the installer's per-provider configure step (or manually add `"env": { "AGENTVIBES_LLM": "<your-llm>" }` to your `.mcp.json` / `.vscode/mcp.json` / `.codex/config.toml`).
+
+---
+
 ## 🩹 v5.1.1 — Windows TTS Hook Hotfix
 
 **Release Date:** April 2026

package/mcp-server/server.py

@@ -194,18 +194,45 @@ class AgentVibesServer:
                 original_language = await self._get_language()
                 await self._run_script(self.LANGUAGE_MANAGER_SCRIPT, ["set", language])
 
-            # Call the TTS script via appropriate shell
+            # Call the TTS script via appropriate shell.
+            #
+            # The LLM key is read from the AGENTVIBES_LLM env var so each
+            # caller (Claude Code, GitHub Copilot, OpenAI Codex) gets routed
+            # to its own per-LLM voice / pretext / music / effects config.
+            # The MCP launcher in each provider's config file should set
+            # this env var (e.g. .codex/config.toml [mcp_servers.agentvibes]
+            # env = { AGENTVIBES_LLM = "codex" }).
+            #
+            # If unset OR invalid, no -llm flag is passed and play-tts falls
+            # back to the project / global default config.  Validation
+            # mirrors play-tts.sh line 92 — alphanumeric / hyphen /
+            # underscore only.  This prevents weird values from poisoning
+            # the audio-effects.cfg lookup or being forwarded as ambiguous
+            # arguments to the child shell.
+            import re as _re
+            llm_key = os.environ.get("AGENTVIBES_LLM", "").strip()
+            if llm_key and not _re.match(r"^[a-zA-Z0-9_-]+$", llm_key):
+                # Invalid value — log to stderr and treat as unset
+                print(
+                    f"[AgentVibes] WARN: Ignoring invalid AGENTVIBES_LLM='{llm_key}' "
+                    "(must match ^[a-zA-Z0-9_-]+$); falling back to default config",
+                    file=__import__('sys').stderr,
+                )
+                llm_key = ""
             tts_script = "play-tts.ps1" if self.is_windows else "play-tts.sh"
             play_tts = self.hooks_dir / tts_script
             if self.is_windows:
-                args = ["powershell", "-NoProfile", "-ExecutionPolicy", "Bypass", "-File", str(play_tts), text, "-llm", "copilot"]
+                args = ["powershell", "-NoProfile", "-ExecutionPolicy", "Bypass", "-File", str(play_tts), text]
                 if voice:
                     args.extend(["-VoiceOverride", voice])
+                if llm_key:
+                    args.extend(["-llm", llm_key])
             else:
                 args = ["bash", str(play_tts), text]
                 if voice:
                     args.append(voice)
-                args.extend(["--llm", "copilot"])
+                if llm_key:
+                    args.extend(["--llm", llm_key])
 
             env = self._build_script_env()
             # Set agent name for audio effects lookup (audio-effects.cfg, background music config)

package/package.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://json.schemastore.org/package.json",
   "name": "agentvibes",
-  "version": "5.1.1",
+  "version": "5.1.3",
   "description": "Now your AI Agents can finally talk back! Professional TTS voice for Claude Code, Claude Desktop (via MCP), and Clawdbot with multi-provider support.",
   "homepage": "https://agentvibes.org",
   "keywords": [

package/src/installer.js

@@ -4297,12 +4297,15 @@ function isPathSafe(targetPath, basePath) {
 async function handleMcpConfiguration(targetDir, options) {
   const mcpConfigPath = path.join(targetDir, '.mcp.json');
 
-  // MCP server configuration for AgentVibes
+  // MCP server configuration for AgentVibes.
+  // The AGENTVIBES_LLM env var tells the MCP server which LLM is calling
+  // so per-LLM voice / pretext / music / effects routing works correctly.
   const mcpConfig = {
     mcpServers: {
       agentvibes: {
         command: 'npx',
-        args: ['-y', '--package=agentvibes', 'agentvibes-mcp-server']
+        args: ['-y', '--package=agentvibes', 'agentvibes-mcp-server'],
+        env: { AGENTVIBES_LLM: 'claude-code' }
       }
     }
   };
@@ -4317,18 +4320,75 @@ async function handleMcpConfiguration(targetDir, options) {
   }
 
   if (mcpExists) {
-    // Scenario 3: Config already exists - show manual instructions
+    // Existing config: try to migrate it in-place so users upgrading from
+    // v5.1.x get the AGENTVIBES_LLM env var added without manual editing.
+    // This is the v5.1.2 follow-up fix — the prior version returned here
+    // and only printed instructions, leaving existing users broken.
+    let migrated = false;
+    let migrationError = null;
+    try {
+      const existingRaw = await fs.readFile(mcpConfigPath, 'utf8');
+      const existingCfg = JSON.parse(existingRaw);
+      if (existingCfg && typeof existingCfg === 'object') {
+        if (!existingCfg.mcpServers || typeof existingCfg.mcpServers !== 'object') {
+          existingCfg.mcpServers = {};
+        }
+        const current = existingCfg.mcpServers.agentvibes;
+        const wantEnv = { AGENTVIBES_LLM: 'claude-code' };
+        // Decide whether we need to write — only if the agentvibes entry
+        // is missing OR its env doesn't include the AGENTVIBES_LLM key.
+        const needsWrite =
+          !current ||
+          !current.env ||
+          current.env.AGENTVIBES_LLM !== 'claude-code';
+        if (needsWrite) {
+          existingCfg.mcpServers.agentvibes = {
+            command: 'npx',
+            args: ['-y', '--package=agentvibes', 'agentvibes-mcp-server'],
+            // Preserve any other env keys the user added manually.
+            env: { ...(current?.env ?? {}), ...wantEnv },
+          };
+          await fs.writeFile(mcpConfigPath, JSON.stringify(existingCfg, null, 2) + '\n');
+          migrated = true;
+        }
+      }
+    } catch (err) {
+      migrationError = err;
+    }
+
+    if (migrated) {
+      console.log(
+        boxen(
+          chalk.green.bold('✅ MCP Configuration Updated\n\n') +
+          chalk.white('Your existing ') + chalk.cyan('.mcp.json') + chalk.white(' has been updated\n') +
+          chalk.white('with the AgentVibes MCP server entry, including the\n') +
+          chalk.cyan('AGENTVIBES_LLM=claude-code') + chalk.white(' env var for per-LLM routing.'),
+          {
+            padding: 1,
+            margin: { top: 1, bottom: 1, left: 0, right: 0 },
+            borderStyle: 'double',
+            borderColor: 'green',
+          }
+        )
+      );
+      return;
+    }
+
+    // Migration was not needed (already correct) or failed — fall through
+    // to the manual-instructions box.
     console.log(
       boxen(
         chalk.yellow.bold('ℹ️  MCP Configuration Already Exists\n\n') +
         chalk.white('An ') + chalk.cyan('.mcp.json') + chalk.white(' file already exists in this project.\n\n') +
-        chalk.white('To add AgentVibes MCP server manually, add this\n') +
-        chalk.white('to your ') + chalk.cyan('mcpServers') + chalk.white(' section:'),
+        (migrationError
+          ? chalk.red('Could not auto-update it: ' + migrationError.message + '\n\n')
+          : chalk.gray('It already has the correct AgentVibes entry.\n\n')) +
+        chalk.white('To add or fix the AgentVibes MCP server manually, use:'),
         {
           padding: 1,
           margin: { top: 1, bottom: 1, left: 0, right: 0 },
           borderStyle: 'round',
-          borderColor: 'yellow',
+          borderColor: migrationError ? 'red' : 'yellow',
         }
       )
     );
@@ -4337,7 +4397,8 @@ async function handleMcpConfiguration(targetDir, options) {
     console.log(
       '\n"agentvibes": {\n' +
       '  "command": "npx",\n' +
-      '  "args": ["-y", "--package=agentvibes", "agentvibes-mcp-server"]\n' +
+      '  "args": ["-y", "--package=agentvibes", "agentvibes-mcp-server"],\n' +
+      '  "env": { "AGENTVIBES_LLM": "claude-code" }\n' +
       '}\n'
     );
 
@@ -4442,7 +4503,8 @@ async function handleMcpConfiguration(targetDir, options) {
       '  "mcpServers": {\n' +
       '    "agentvibes": {\n' +
       '      "command": "npx",\n' +
-      '      "args": ["-y", "--package=agentvibes", "agentvibes-mcp-server"]\n' +
+      '      "args": ["-y", "--package=agentvibes", "agentvibes-mcp-server"],\n' +
+      '      "env": { "AGENTVIBES_LLM": "claude-code" }\n' +
       '    }\n' +
       '  }\n' +
       '}\n'

package/src/services/llm-provider-service.js

@@ -228,6 +228,9 @@ export async function installCopilotMcp(targetDir) {
     type: 'stdio',
     command: 'npx',
     args: ['-y', '--package=agentvibes', 'agentvibes-mcp-server'],
+    // Tells the MCP server which LLM is calling so per-LLM voice / pretext
+    // / music / effects routing in audio-effects.cfg works correctly.
+    env: { AGENTVIBES_LLM: 'copilot' },
   };
 
   try {
@@ -337,6 +340,9 @@ export function buildCodexToml(existingContent = '') {
     '[mcp_servers.agentvibes]',
     'command = "npx"',
     'args = ["-y", "--package=agentvibes", "agentvibes-mcp-server"]',
+    // Tells the MCP server which LLM is calling so per-LLM voice / pretext
+    // / music / effects routing in audio-effects.cfg works correctly.
+    'env = { AGENTVIBES_LLM = "codex" }',
   ].join('\n');
 
   if (!existingContent.trim()) return serverBlock + '\n';