agentvibes 5.1.2 → 5.1.3

package/.claude/hooks-windows/play-tts.ps1

@@ -16,6 +16,17 @@ param(
     [string]$llm = ""
 )
 
+# Security: Validate LLM provider name (alphanumeric, hyphens, underscores
+# only) — mirrors play-tts.sh line 92.  This prevents weird values from
+# poisoning the audio-effects.cfg lookup or the AGENTVIBES_LLM_KEY env var
+# we export to child scripts.  An invalid value is treated as unset rather
+# than aborting, so the script falls back to the default config and the
+# rest of TTS still works.
+if ($llm -and $llm -notmatch '^[a-zA-Z0-9_-]+$') {
+    Write-Error "Invalid LLM provider name: '$llm' — must match ^[a-zA-Z0-9_-]+$. Falling back to default config."
+    $llm = ""
+}
+
 # Configuration paths
 # Priority: CLAUDE_PROJECT_DIR env var → script's parent project → user profile
 # Local project settings ALWAYS override global (~/.claude)

package/README.md

@@ -11,7 +11,7 @@
 [![Publish](https://github.com/paulpreibisch/AgentVibes/actions/workflows/publish.yml/badge.svg)](https://github.com/paulpreibisch/AgentVibes/actions/workflows/publish.yml)
 [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 
-**Author**: Paul Preibisch ([@997Fire](https://x.com/997Fire)) | **Version**: v5.1.2
+**Author**: Paul Preibisch ([@997Fire](https://x.com/997Fire)) | **Version**: v5.1.3
 
 ---
 
@@ -43,6 +43,14 @@ Whether you're using Claude Code, GitHub Copilot, OpenAI Codex, Claude Desktop,
 
 ---
 
+## 🛡️ v5.1.3 — Hardening Pass (Adversarial Review Followup)
+
+- **Existing `.mcp.json` is now auto-migrated** — v5.1.2's installer detected an existing `.mcp.json` and printed instructions instead of fixing it, leaving v5.1.0/v5.1.1 users still broken after upgrade. v5.1.3 merges the `AGENTVIBES_LLM` env var into existing configs in-place.
+- **`AGENTVIBES_LLM` is now validated** in both `mcp-server/server.py` (Python regex) and `play-tts.ps1` (PowerShell regex), matching `play-tts.sh`'s `^[a-zA-Z0-9_-]+$` check. Cross-platform contract is now symmetric.
+- **`npm pack` content guard hardened**: hard-fails (not silent-passes) when `npm pack` errors; uses `git status --porcelain` to catch UNTRACKED publishable files (the v5.1.0 disaster also could've happened with a stray new file); has explicit 60s timeout to prevent CI hangs.
+
+---
+
 ## 🔀 v5.1.2 — MCP Per-LLM Routing Hotfix
 
 - **MCP server now reads `AGENTVIBES_LLM` env var** instead of hardcoding `copilot` — Codex / Copilot / Claude Code each get routed to their own per-LLM voice / pretext / music / effects config from `audio-effects.cfg`.

package/RELEASE_NOTES.md

@@ -1,5 +1,40 @@
 # AgentVibes Release Notes
 
+## 🛡️ v5.1.3 — Hardening Pass (Adversarial Review Followup)
+
+**Release Date:** April 2026
+
+This release addresses HIGH/MEDIUM findings from a parallel adversarial review (Blind Hunter + Edge Case Hunter) of the v5.1.2 hotfix.
+
+### Bug Fixes
+
+- **Existing `.mcp.json` is now auto-migrated** — v5.1.2's installer detected an existing `.mcp.json` and printed instructions to fix it manually. Result: anyone upgrading from v5.1.0/v5.1.1 was still broken after `npm i -g agentvibes@5.1.2`. v5.1.3 detects an existing config, merges the `AGENTVIBES_LLM` env var (and the rest of the agentvibes server entry) in-place, and shows a green "✅ MCP Configuration Updated" message. Existing user `env` keys are preserved.
+
+- **`AGENTVIBES_LLM` is now validated** before being forwarded to the child shell. The bash version of `play-tts.sh` already validated `^[a-zA-Z0-9_-]+$` and rejected weird values; the Python `mcp-server/server.py` and the Windows `play-tts.ps1` did not. Now all three do, with the same regex. Invalid values are logged to stderr and treated as "unset" so TTS still works (falls back to default config).
+
+### Testing & Hardening
+
+- **`npm pack` content guard now hard-fails on `packError`** instead of silently returning early. The previous v5.1.2 implementation had `if (packError) return;` in 6 of 8 tests, which meant a real `npm pack` failure surfaced as one failed test and SIX false-greens — defeating the entire purpose of the publish guard.
+
+- **Dirty-tree check now uses `git status --porcelain`** instead of `git diff HEAD`. The previous implementation only caught modified-but-uncommitted tracked files; it missed brand-new untracked files in publishable directories (e.g. a `play-tts.ps1.new` someone forgot to delete). The v5.1.0 disaster could just as easily have shipped via an untracked stray file.
+
+- **`npm pack` exec timeout** — added explicit 60-second timeout with `SIGKILL` so the publish guard can't hang CI on a stuck registry call.
+
+- **`git status` failures hard-fail** instead of silently skipping. A missing git binary in CI was previously treated as "no findings" — that's exactly the opposite of what a security guard should do. Now it fails loudly with a message explaining the guard requires git.
+
+- **3 new regression tests** for the new validations and migration logic.
+
+### How to Update
+
+```
+npm cache clean --force
+npx --yes agentvibes@5.1.3
+```
+
+If you upgraded from v5.1.0 or v5.1.1, **re-run the AgentVibes installer once** so the new in-place migration touches your existing `.mcp.json` / `.codex/config.toml` / `.vscode/mcp.json`.
+
+---
+
 ## 🔀 v5.1.2 — MCP Per-LLM Routing Hotfix
 
 **Release Date:** April 2026

package/mcp-server/server.py

@@ -203,10 +203,22 @@ class AgentVibesServer:
             # this env var (e.g. .codex/config.toml [mcp_servers.agentvibes]
             # env = { AGENTVIBES_LLM = "codex" }).
             #
-            # If unset, no -llm flag is passed and play-tts falls back to
-            # the project / global default config — which is the correct
-            # behavior for ad-hoc / unconfigured callers.
+            # If unset OR invalid, no -llm flag is passed and play-tts falls
+            # back to the project / global default config.  Validation
+            # mirrors play-tts.sh line 92 — alphanumeric / hyphen /
+            # underscore only.  This prevents weird values from poisoning
+            # the audio-effects.cfg lookup or being forwarded as ambiguous
+            # arguments to the child shell.
+            import re as _re
             llm_key = os.environ.get("AGENTVIBES_LLM", "").strip()
+            if llm_key and not _re.match(r"^[a-zA-Z0-9_-]+$", llm_key):
+                # Invalid value — log to stderr and treat as unset
+                print(
+                    f"[AgentVibes] WARN: Ignoring invalid AGENTVIBES_LLM='{llm_key}' "
+                    "(must match ^[a-zA-Z0-9_-]+$); falling back to default config",
+                    file=__import__('sys').stderr,
+                )
+                llm_key = ""
             tts_script = "play-tts.ps1" if self.is_windows else "play-tts.sh"
             play_tts = self.hooks_dir / tts_script
             if self.is_windows:

package/package.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://json.schemastore.org/package.json",
   "name": "agentvibes",
-  "version": "5.1.2",
+  "version": "5.1.3",
   "description": "Now your AI Agents can finally talk back! Professional TTS voice for Claude Code, Claude Desktop (via MCP), and Clawdbot with multi-provider support.",
   "homepage": "https://agentvibes.org",
   "keywords": [

package/src/installer.js

@@ -4320,18 +4320,75 @@ async function handleMcpConfiguration(targetDir, options) {
   }
 
   if (mcpExists) {
-    // Scenario 3: Config already exists - show manual instructions
+    // Existing config: try to migrate it in-place so users upgrading from
+    // v5.1.x get the AGENTVIBES_LLM env var added without manual editing.
+    // This is the v5.1.2 follow-up fix — the prior version returned here
+    // and only printed instructions, leaving existing users broken.
+    let migrated = false;
+    let migrationError = null;
+    try {
+      const existingRaw = await fs.readFile(mcpConfigPath, 'utf8');
+      const existingCfg = JSON.parse(existingRaw);
+      if (existingCfg && typeof existingCfg === 'object') {
+        if (!existingCfg.mcpServers || typeof existingCfg.mcpServers !== 'object') {
+          existingCfg.mcpServers = {};
+        }
+        const current = existingCfg.mcpServers.agentvibes;
+        const wantEnv = { AGENTVIBES_LLM: 'claude-code' };
+        // Decide whether we need to write — only if the agentvibes entry
+        // is missing OR its env doesn't include the AGENTVIBES_LLM key.
+        const needsWrite =
+          !current ||
+          !current.env ||
+          current.env.AGENTVIBES_LLM !== 'claude-code';
+        if (needsWrite) {
+          existingCfg.mcpServers.agentvibes = {
+            command: 'npx',
+            args: ['-y', '--package=agentvibes', 'agentvibes-mcp-server'],
+            // Preserve any other env keys the user added manually.
+            env: { ...(current?.env ?? {}), ...wantEnv },
+          };
+          await fs.writeFile(mcpConfigPath, JSON.stringify(existingCfg, null, 2) + '\n');
+          migrated = true;
+        }
+      }
+    } catch (err) {
+      migrationError = err;
+    }
+
+    if (migrated) {
+      console.log(
+        boxen(
+          chalk.green.bold('✅ MCP Configuration Updated\n\n') +
+          chalk.white('Your existing ') + chalk.cyan('.mcp.json') + chalk.white(' has been updated\n') +
+          chalk.white('with the AgentVibes MCP server entry, including the\n') +
+          chalk.cyan('AGENTVIBES_LLM=claude-code') + chalk.white(' env var for per-LLM routing.'),
+          {
+            padding: 1,
+            margin: { top: 1, bottom: 1, left: 0, right: 0 },
+            borderStyle: 'double',
+            borderColor: 'green',
+          }
+        )
+      );
+      return;
+    }
+
+    // Migration was not needed (already correct) or failed — fall through
+    // to the manual-instructions box.
     console.log(
       boxen(
         chalk.yellow.bold('ℹ️  MCP Configuration Already Exists\n\n') +
         chalk.white('An ') + chalk.cyan('.mcp.json') + chalk.white(' file already exists in this project.\n\n') +
-        chalk.white('To add AgentVibes MCP server manually, add this\n') +
-        chalk.white('to your ') + chalk.cyan('mcpServers') + chalk.white(' section:'),
+        (migrationError
+          ? chalk.red('Could not auto-update it: ' + migrationError.message + '\n\n')
+          : chalk.gray('It already has the correct AgentVibes entry.\n\n')) +
+        chalk.white('To add or fix the AgentVibes MCP server manually, use:'),
         {
           padding: 1,
           margin: { top: 1, bottom: 1, left: 0, right: 0 },
           borderStyle: 'round',
-          borderColor: 'yellow',
+          borderColor: migrationError ? 'red' : 'yellow',
         }
       )
     );