ai-agent-config 2.5.9 → 2.6.1

package/README.md

@@ -33,14 +33,31 @@ ai-agent update
 | Command | Description |
 |---------|-------------|
 | `init --repo <url>` | Initialize config and clone repo |
-| `push` / `pull` | Git push/pull with your skills repo |
-| `update` | Pull -> sync external skills -> push |
+| `push [--message "msg"]` | Git push to your skills repo |
+| `pull` | Git pull from repo + auto-install |
+| `update` | Pull → sync external skills → push |
 | `install` | Copy skills to platform directories |
 | `list` | List installed skills |
 | `platforms` | Show detected platforms |
-| `source add/remove/list` | Manage skill sources |
-| `config get/set/edit` | Manage configuration |
 | `uninstall` | Remove installed skills |
+| `source add <url>` | Add custom skill source |
+| `source remove <name>` | Remove skill source |
+| `source list` | List all sources |
+| `source enable <name>` | Enable a source |
+| `source disable <name>` | Disable a source |
+| `source info <name>` | View source details |
+| `config get <key>` | Get config value |
+| `config set <key> <value>` | Set config value |
+| `config edit` | Open config in $EDITOR |
+| `config validate` | Validate configuration |
+| `config export [file]` | Export configuration |
+| `config import [file]` | Import configuration |
+| `config reset --yes` | Reset to defaults |
+| `secrets sync` | Sync MCP secrets from Bitwarden vault |
+| `sync-external` | Alias for `update` |
+| `list-external` | List available external skills |
+| `version` | Show version |
+| `help` | Show help |
 
 ## Supported Platforms
 
@@ -53,22 +70,44 @@ ai-agent update
 | Codex CLI | `~/.codex/skills/` |
 | GitHub Copilot | `~/.github/copilot-instructions.md` |
 
+## Secret Management
+
+Securely sync MCP secrets from Bitwarden vault to your shell profile:
+
+```bash
+ai-agent secrets sync
+```
+
+**How it works:**
+- Discovers required secrets from MCP config files (e.g., `${GITHUB_TOKEN}`)
+- Fetches secrets from Bitwarden vault folder "MCP Secrets"
+- Writes to `~/.zshrc` for persistence across sessions
+- Never stores Bitwarden master password
+
+**Setup:** See [Bitwarden MCP Setup Guide](./mcp-servers/bitwarden/README.md)
+
+**Auto-configuration:** Package automatically configures Bitwarden MCP server in Antigravity on install
+
 ## Configuration
 
 User config at `~/.ai-agent/config.json`:
 
 ```json
 {
-  "version": "2.3",
+  "version": "2.5",
   "repository": {
     "url": "https://github.com/youruser/my-ai-skills.git",
     "branch": "main",
-    "local": "~/.ai-agent/sync-repo"
+    "local": "/Users/you/.ai-agent/sync-repo"
   },
-  "sources": {
-    "official": [],
-    "custom": []
-  }
+  "sources": [
+    {
+      "name": "vercel-labs",
+      "url": "https://github.com/vercel-labs/agent-skills.git",
+      "enabled": true
+    }
+  ],
+  "lastSync": "2026-02-13T12:00:00.000Z"
 }
 ```
 

package/bin/cli.js

@@ -199,6 +199,21 @@ function listSkills() {
     });
   }
 
+  // MCP Servers
+  const mcpInstaller = require("../scripts/mcp-installer");
+  const mcpServers = mcpInstaller.getAvailableMcpServers();
+
+  console.log("\nMCP Servers:");
+  if (mcpServers.length === 0) {
+    console.log("  (no MCP servers found)");
+  } else {
+    mcpServers.forEach((server) => {
+      const status = server.enabled === false ? " (disabled)" : "";
+      const desc = server.description ? ` - ${server.description}` : "";
+      console.log(`  • ${server.name}${desc}${status}`);
+    });
+  }
+
   console.log(`\nSource: ${installer.CACHE_DIR}`);
   console.log("");
 }
@@ -668,6 +683,13 @@ function install(args) {
       if (result.skillsCount > 0) parts.push(`${result.skillsCount} skill(s)`);
       if (result.workflowsCount > 0) parts.push(`${result.workflowsCount} workflow(s)`);
 
+      // Count MCP servers across all platforms
+      let mcpTotal = 0;
+      result.details.forEach((d) => {
+        if (d.mcpServers) mcpTotal += d.mcpServers.added + d.mcpServers.skipped;
+      });
+      if (mcpTotal > 0) parts.push(`${mcpTotal} MCP server(s)`);
+
       console.log(`\n✓ Installed ${parts.join(", ")} to ${result.platformsCount} platform(s)\n`);
       result.details.forEach((d) => {
         console.log(`  ${d.platform}:`);
@@ -685,7 +707,18 @@ function install(args) {
             console.log(`      • ${w.name} ${status}`);
           });
         }
+        if (d.mcpServers && d.mcpServers.servers.length > 0) {
+          console.log(`    MCP Servers: ${d.mcpServers.added} added, ${d.mcpServers.skipped} skipped`);
+          d.mcpServers.servers.forEach((name) => {
+            console.log(`      • ${name}`);
+          });
+        }
       });
+
+      // Hint about secrets sync if MCP servers were installed
+      if (mcpTotal > 0) {
+        console.log("\n💡 Run 'ai-agent secrets sync' to resolve Bitwarden secrets");
+      }
     } else {
       console.log("\n⚠️  No skills or workflows installed.");
     }
@@ -830,7 +863,7 @@ function pull(args) {
       const noInstall = args.includes("--no-install");
 
       if (!noInstall) {
-        console.log("📥 Auto-installing skills...\n");
+        console.log("📥 Auto-installing skills + MCP servers...\n");
         install(["--force"]); // Force install to ensure latest
       }
     } else {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-agent-config",
-  "version": "2.5.9",
+  "version": "2.6.1",
   "description": "Universal skill & workflow manager for AI coding assistants with bi-directional GitHub sync",
   "main": "index.js",
   "bin": {

package/scripts/installer.js

@@ -8,6 +8,8 @@ const path = require("path");
 const { execSync } = require("child_process");
 const platforms = require("./platforms");
 
+const mcpInstaller = require("./mcp-installer");
+
 const REPO_URL = "https://github.com/dongitran/ai-agent-config.git";
 const CACHE_DIR = path.join(platforms.HOME, ".ai-agent-config-cache");
 const REPO_SKILLS_DIR = path.join(CACHE_DIR, ".agent", "skills");
@@ -178,6 +180,7 @@ function installToPlatform(platform, options = {}) {
     workflowsPath: workflowsPath,
     skills: [],
     workflows: [],
+    mcpServers: null,
   };
 
   // Install skills
@@ -230,6 +233,15 @@ function installToPlatform(platform, options = {}) {
     }
   }
 
+  // Install MCP servers (Antigravity only for now)
+  if (platform.name === "antigravity") {
+    try {
+      results.mcpServers = mcpInstaller.installMcpServers({ force });
+    } catch (error) {
+      console.warn(`  ⚠️  MCP install failed: ${error.message}`);
+    }
+  }
+
   return results;
 }
 

package/scripts/mcp-installer.js

@@ -0,0 +1,280 @@
+/**
+ * MCP Installer Module
+ * Handles discovering, validating, and installing MCP servers from repo to platforms
+ */
+
+const fs = require("fs");
+const path = require("path");
+const platforms = require("./platforms");
+const configManager = require("./config-manager");
+
+const SKIP_FOLDERS = ["bitwarden"];
+
+/**
+ * Get the MCP servers directory from the user's sync repo
+ * @returns {string|null} Path to .agent/mcp-servers/ or null
+ */
+function getMcpServersDir() {
+    const config = configManager.loadConfig();
+    const repoLocal = config.repository && config.repository.local;
+    if (!repoLocal) return null;
+
+    const expanded = repoLocal.replace(/^~/, process.env.HOME || process.env.USERPROFILE);
+    const mcpDir = path.join(expanded, ".agent", "mcp-servers");
+    return fs.existsSync(mcpDir) ? mcpDir : null;
+}
+
+/**
+ * Validate an MCP server config
+ * @param {Object} config - Parsed config.json
+ * @returns {{ valid: boolean, errors: string[] }}
+ */
+function validateMcpConfig(config) {
+    const errors = [];
+
+    if (!config.name || typeof config.name !== "string") {
+        errors.push("Missing or invalid 'name' field");
+    }
+    if (!config.command || typeof config.command !== "string") {
+        errors.push("Missing or invalid 'command' field");
+    }
+    if (!Array.isArray(config.args)) {
+        errors.push("Missing or invalid 'args' field (must be array)");
+    }
+    if (config.bitwardenEnv && typeof config.bitwardenEnv !== "object") {
+        errors.push("'bitwardenEnv' must be an object");
+    }
+    if (config.disabledTools && !Array.isArray(config.disabledTools)) {
+        errors.push("'disabledTools' must be an array");
+    }
+
+    return { valid: errors.length === 0, errors };
+}
+
+/**
+ * Get all available MCP servers from the repo
+ * @returns {Array<Object>} Array of parsed and validated MCP server configs
+ */
+function getAvailableMcpServers() {
+    const mcpDir = getMcpServersDir();
+    if (!mcpDir) return [];
+
+    const servers = [];
+
+    const entries = fs.readdirSync(mcpDir, { withFileTypes: true });
+    for (const entry of entries) {
+        if (!entry.isDirectory()) continue;
+        if (SKIP_FOLDERS.includes(entry.name)) continue;
+
+        const configPath = path.join(mcpDir, entry.name, "config.json");
+        if (!fs.existsSync(configPath)) continue;
+
+        try {
+            const config = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+            const validation = validateMcpConfig(config);
+            if (!validation.valid) {
+                console.warn(`  ⚠️  Invalid MCP config in ${entry.name}/: ${validation.errors.join(", ")}`);
+                continue;
+            }
+            servers.push(config);
+        } catch (error) {
+            console.warn(`  ⚠️  Failed to parse ${entry.name}/config.json: ${error.message}`);
+        }
+    }
+
+    return servers;
+}
+
+/**
+ * Collect all bitwardenEnv entries from MCP server configs
+ * @returns {Array<{ serverName: string, envVar: string, bitwardenItem: string }>}
+ */
+function collectBitwardenEnvs() {
+    const servers = getAvailableMcpServers();
+    const envs = [];
+
+    for (const server of servers) {
+        if (server.enabled === false) continue;
+        if (!server.bitwardenEnv) continue;
+
+        for (const [envVar, bitwardenItem] of Object.entries(server.bitwardenEnv)) {
+            envs.push({
+                serverName: server.name,
+                envVar,
+                bitwardenItem,
+            });
+        }
+    }
+
+    return envs;
+}
+
+/**
+ * Install MCP servers to Antigravity's mcp_config.json
+ * This is the "pull" flow - installs structure without resolved secrets
+ * @param {Object} options - { force: boolean }
+ * @returns {{ added: number, skipped: number, servers: string[] }}
+ */
+function installMcpServers(options = {}) {
+    const { force = false } = options;
+    const antigravity = platforms.getByName("antigravity");
+
+    if (!antigravity || !antigravity.mcpConfigPath) {
+        return { added: 0, skipped: 0, servers: [] };
+    }
+
+    const servers = getAvailableMcpServers().filter((s) => s.enabled !== false);
+    if (servers.length === 0) {
+        return { added: 0, skipped: 0, servers: [] };
+    }
+
+    // Read existing mcp_config.json
+    let mcpConfig = { mcpServers: {} };
+    if (fs.existsSync(antigravity.mcpConfigPath)) {
+        try {
+            mcpConfig = JSON.parse(fs.readFileSync(antigravity.mcpConfigPath, "utf-8"));
+            if (!mcpConfig.mcpServers) mcpConfig.mcpServers = {};
+        } catch {
+            mcpConfig = { mcpServers: {} };
+        }
+    }
+
+    let added = 0;
+    let skipped = 0;
+    const serverNames = [];
+
+    for (const server of servers) {
+        const existing = mcpConfig.mcpServers[server.name];
+
+        if (existing && !force) {
+            skipped++;
+            serverNames.push(server.name);
+            continue;
+        }
+
+        // Build server entry for Antigravity format
+        const entry = {
+            command: server.command,
+            args: server.args,
+        };
+
+        // Preserve existing env if not forcing
+        if (existing && existing.env) {
+            entry.env = existing.env;
+        }
+
+        if (server.disabledTools && server.disabledTools.length > 0) {
+            entry.disabledTools = server.disabledTools;
+        }
+
+        mcpConfig.mcpServers[server.name] = entry;
+        added++;
+        serverNames.push(server.name);
+    }
+
+    // Write back
+    if (added > 0) {
+        const configDir = path.dirname(antigravity.mcpConfigPath);
+        if (!fs.existsSync(configDir)) {
+            fs.mkdirSync(configDir, { recursive: true });
+        }
+        fs.writeFileSync(antigravity.mcpConfigPath, JSON.stringify(mcpConfig, null, 2) + "\n", "utf-8");
+    }
+
+    return { added, skipped, servers: serverNames };
+}
+
+/**
+ * Install MCP servers with resolved secrets to Antigravity
+ * This is the "secrets sync" flow - updates env with real values
+ * @param {Object} resolvedSecrets - Map of envVar → resolvedValue
+ * @returns {{ installed: number, servers: Array<{ name: string, secretsCount: number }> }}
+ */
+function installMcpServersWithSecrets(resolvedSecrets) {
+    const antigravity = platforms.getByName("antigravity");
+
+    if (!antigravity || !antigravity.mcpConfigPath) {
+        return { installed: 0, servers: [] };
+    }
+
+    const allServers = getAvailableMcpServers().filter((s) => s.enabled !== false);
+    if (allServers.length === 0) {
+        return { installed: 0, servers: [] };
+    }
+
+    // Read existing mcp_config.json
+    let mcpConfig = { mcpServers: {} };
+    if (fs.existsSync(antigravity.mcpConfigPath)) {
+        try {
+            mcpConfig = JSON.parse(fs.readFileSync(antigravity.mcpConfigPath, "utf-8"));
+            if (!mcpConfig.mcpServers) mcpConfig.mcpServers = {};
+        } catch {
+            mcpConfig = { mcpServers: {} };
+        }
+    }
+
+    let installed = 0;
+    const serverResults = [];
+
+    for (const server of allServers) {
+        const existing = mcpConfig.mcpServers[server.name] || {};
+
+        // Build entry: keep existing custom fields (disabledTools user may have customized)
+        const entry = {
+            command: server.command,
+            args: server.args,
+        };
+
+        // Build env from resolved secrets
+        if (server.bitwardenEnv) {
+            const env = {};
+            let secretsCount = 0;
+
+            for (const [envVar, bitwardenItem] of Object.entries(server.bitwardenEnv)) {
+                if (resolvedSecrets[bitwardenItem]) {
+                    env[envVar] = resolvedSecrets[bitwardenItem];
+                    secretsCount++;
+                }
+            }
+
+            if (Object.keys(env).length > 0) {
+                entry.env = { ...(existing.env || {}), ...env };
+            }
+
+            serverResults.push({ name: server.name, secretsCount });
+        } else {
+            serverResults.push({ name: server.name, secretsCount: 0 });
+        }
+
+        // Preserve user-customized disabledTools from existing config
+        if (existing.disabledTools) {
+            entry.disabledTools = existing.disabledTools;
+        } else if (server.disabledTools && server.disabledTools.length > 0) {
+            entry.disabledTools = server.disabledTools;
+        }
+
+        mcpConfig.mcpServers[server.name] = entry;
+        installed++;
+    }
+
+    // Write back
+    if (installed > 0) {
+        const configDir = path.dirname(antigravity.mcpConfigPath);
+        if (!fs.existsSync(configDir)) {
+            fs.mkdirSync(configDir, { recursive: true });
+        }
+        fs.writeFileSync(antigravity.mcpConfigPath, JSON.stringify(mcpConfig, null, 2) + "\n", "utf-8");
+    }
+
+    return { installed, servers: serverResults };
+}
+
+module.exports = {
+    getMcpServersDir,
+    validateMcpConfig,
+    getAvailableMcpServers,
+    collectBitwardenEnvs,
+    installMcpServers,
+    installMcpServersWithSecrets,
+    SKIP_FOLDERS,
+};

package/scripts/platforms.js

@@ -42,6 +42,7 @@ const SUPPORTED = [
     configDir: ".gemini/antigravity",
     skillsDir: "skills",
     workflowsDir: "workflows",
+    mcpConfigFile: "mcp_config.json",
     get configPath() {
       return path.join(HOME, this.configDir);
     },
@@ -51,6 +52,9 @@ const SUPPORTED = [
     get workflowsPath() {
       return path.join(HOME, this.configDir, this.workflowsDir);
     },
+    get mcpConfigPath() {
+      return path.join(HOME, this.configDir, this.mcpConfigFile);
+    },
     detect() {
       // Check for .gemini directory or Antigravity app
       return (

package/scripts/secret-manager.js

@@ -9,7 +9,6 @@ const { execSync, spawnSync } = require("child_process");
 const os = require("os");
 
 const HOME = os.homedir();
-const BITWARDEN_FOLDER = "MCP Secrets";
 
 /**
  * Validate that Bitwarden CLI is installed
@@ -153,40 +152,73 @@ function unlockBitwarden(password) {
 }
 
 /**
- * Discover required secrets from MCP configs
- * Scans ~/.gemini/antigravity/mcp_config.json for ${VAR} patterns
+ * Try to reuse BW_SESSION from Antigravity MCP config
+ * This prevents creating a new session that would invalidate the MCP server's session
+ * @returns {{ success: boolean, sessionKey?: string, reason?: string }}
  */
-function discoverRequiredSecrets() {
+function tryReuseAntigravitySession() {
     const platforms = require("./platforms");
     const antigravity = platforms.getByName("antigravity");
 
-    if (!antigravity) {
-        return { found: false, secrets: [], reason: "Antigravity platform not detected" };
+    if (!antigravity || !antigravity.mcpConfigPath) {
+        return { success: false, reason: "Antigravity not configured" };
     }
 
-    const mcpConfigPath = path.join(antigravity.configPath, "mcp_config.json");
-
-    if (!fs.existsSync(mcpConfigPath)) {
-        return { found: false, secrets: [], reason: "MCP config not found" };
+    if (!fs.existsSync(antigravity.mcpConfigPath)) {
+        return { success: false, reason: "mcp_config.json not found" };
     }
 
     try {
-        const content = fs.readFileSync(mcpConfigPath, "utf-8");
+        const mcpConfig = JSON.parse(fs.readFileSync(antigravity.mcpConfigPath, "utf-8"));
+        const bitwardenServer = mcpConfig.mcpServers?.bitwarden;
 
-        // Extract all ${VAR_NAME} patterns (supports mixed/lowercase)
-        const regex = /\$\{([a-zA-Z_][a-zA-Z0-9_]*)\}/g;
-        const matches = [...content.matchAll(regex)];
-        const secretNames = [...new Set(matches.map((m) => m[1]))];
+        if (!bitwardenServer || !bitwardenServer.env || !bitwardenServer.env.BW_SESSION) {
+            return { success: false, reason: "No BW_SESSION in bitwarden MCP config" };
+        }
 
-        return { found: true, secrets: secretNames };
+        const sessionKey = bitwardenServer.env.BW_SESSION;
+
+        // Validate session by trying to list folders
+        const testResult = spawnSync("bw", ["list", "folders", "--session", sessionKey], {
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"],
+        });
+
+        if (testResult.status === 0) {
+            return { success: true, sessionKey };
+        } else {
+            return { success: false, reason: "Session expired or invalid" };
+        }
     } catch (error) {
-        return { found: false, secrets: [], reason: error.message };
+        return { success: false, reason: `Failed to read config: ${error.message}` };
+    }
+}
+
+/**
+ * Discover required secrets from MCP server configs in the repo
+ * Scans .agent/mcp-servers/{name}/config.json for bitwardenEnv fields
+ */
+function discoverRequiredSecrets() {
+    const mcpInstaller = require("./mcp-installer");
+    const envs = mcpInstaller.collectBitwardenEnvs();
+
+    if (envs.length === 0) {
+        const mcpDir = mcpInstaller.getMcpServersDir();
+        if (!mcpDir) {
+            return { found: false, secrets: [], reason: "No repository configured or no MCP servers found" };
+        }
+        return { found: true, secrets: [] };
     }
+
+    // Collect unique Bitwarden item names to fetch
+    const secretNames = [...new Set(envs.map((e) => e.bitwardenItem))];
+
+    return { found: true, secrets: secretNames, envs };
 }
 
 /**
  * Fetch secrets from Bitwarden vault
- * Only searches in "MCP Secrets" folder
+ * Searches entire vault (all folders) for matching items
  */
 function fetchSecretsFromBitwarden(sessionKey, secretNames) {
     const results = {
@@ -195,30 +227,14 @@ function fetchSecretsFromBitwarden(sessionKey, secretNames) {
     };
 
     try {
-        // Step 1: Get folder ID for "MCP Secrets"
-        const foldersJson = execSync(`bw list folders --session ${sessionKey}`, {
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-        });
-        const folders = JSON.parse(foldersJson);
-        const mcpFolder = folders.find((f) => f.name === BITWARDEN_FOLDER);
-
-        if (!mcpFolder) {
-            console.warn(`\n⚠️  Folder "${BITWARDEN_FOLDER}" not found in Bitwarden vault`);
-            console.warn(`   Create folder "${BITWARDEN_FOLDER}" and add your secrets there\n`);
-            // All secrets are missing since folder doesn't exist
-            secretNames.forEach((name) => results.missing.push(name));
-            return results;
-        }
-
-        // Step 2: List all items in "MCP Secrets" folder
-        const itemsJson = execSync(`bw list items --folderid ${mcpFolder.id} --session ${sessionKey}`, {
+        // List all items in the vault (across all folders)
+        const itemsJson = execSync(`bw list items --session ${sessionKey}`, {
             encoding: "utf-8",
             stdio: ["pipe", "pipe", "pipe"],
         });
         const items = JSON.parse(itemsJson);
 
-        // Step 3: Match secrets by name
+        // Match secrets by name
         for (const secretName of secretNames) {
             const item = items.find((i) => i.name === secretName);
 
@@ -301,6 +317,7 @@ function writeToShellProfile(secrets) {
  */
 async function syncSecrets() {
     let sessionKey = null;
+    let sessionSource = null; // Track where session came from: "reused" or "new"
 
     try {
         console.log("\n🔐 Bitwarden Secret Sync\n");
@@ -319,82 +336,107 @@ async function syncSecrets() {
             process.exit(1);
         }
 
-        // 3. Prompt for password
-        const password = await promptPassword();
+        // 3. Try to reuse existing session from Antigravity MCP
+        console.log("🔄 Checking for existing Bitwarden session...");
+        const reuseResult = tryReuseAntigravitySession();
 
-        // 4. Unlock vault
-        console.log("\n🔓 Unlocking vault...");
-        const unlockResult = unlockBitwarden(password);
+        if (reuseResult.success) {
+            console.log("✓ Reusing session from Antigravity MCP config\n");
+            sessionKey = reuseResult.sessionKey;
+            sessionSource = "reused";
+        } else {
+            console.log(`  ⊗ ${reuseResult.reason}`);
+            console.log("  → Creating new session\n");
 
-        if (!unlockResult.success) {
-            console.error(`❌ ${unlockResult.message}\n`);
-            process.exit(1);
-        }
+            // 4. Fallback: Prompt for password
+            const password = await promptPassword();
+
+            // 5. Unlock vault
+            console.log("\n🔓 Unlocking vault...");
+            const unlockResult = unlockBitwarden(password);
+
+            if (!unlockResult.success) {
+                console.error(`❌ ${unlockResult.message}\n`);
+                process.exit(1);
+            }
 
-        console.log("✓ Vault unlocked\n");
-        sessionKey = unlockResult.sessionKey;
+            console.log("✓ Vault unlocked\n");
+            sessionKey = unlockResult.sessionKey;
+            sessionSource = "new";
+        }
 
-        // 5. Discover required secrets
-        console.log("🔍 Scanning MCP configs for required secrets...");
+        // 6. Discover required secrets from repo's bitwardenEnv
+        console.log("🔍 Scanning MCP server configs for required secrets...");
         const discovery = discoverRequiredSecrets();
 
         if (!discovery.found) {
             console.log(`⚠️  ${discovery.reason}`);
-            console.log("\n💡 No secrets to sync. MCP configs will be available after implementing Plan 01.\n");
+            console.log("\n💡 Configure a repository first: ai-agent init --repo <url>\n");
             return;
         }
 
         if (discovery.secrets.length === 0) {
-            console.log("No environment variables found in MCP configs.\n");
+            console.log("No bitwardenEnv entries found in MCP server configs.\n");
             return;
         }
 
-        console.log(`Found ${discovery.secrets.length} secret(s):`);
+        console.log(`Found ${discovery.secrets.length} secret(s) to fetch:`);
         discovery.secrets.forEach((name) => {
             console.log(`  • ${name}`);
         });
 
-        // 6. Fetch secrets from Bitwarden
-        console.log(`\n🔐 Fetching from Bitwarden (folder: ${BITWARDEN_FOLDER})...`);
+        // 7. Fetch secrets from Bitwarden
+        console.log(`\n🔐 Fetching from Bitwarden vault...`);
         const fetchResults = fetchSecretsFromBitwarden(sessionKey, discovery.secrets);
 
         fetchResults.found.forEach((secret) => {
-            console.log(`✓ ${secret.name} (found)`);
+            console.log(`  ✓ ${secret.name}`);
         });
 
         fetchResults.missing.forEach((name) => {
-            console.log(`⚠ ${name} (not found in vault)`);
+            console.log(`  ⚠ ${name} (not found in vault)`);
         });
 
-        // 7. Write to shell profile
+        // 7. Install MCP servers with resolved secrets to Antigravity
         if (fetchResults.found.length > 0) {
-            console.log("\n💾 Writing secrets to shell profile...");
-            const writeResult = writeToShellProfile(fetchResults.found);
-            console.log(`✓ Added ${writeResult.count} environment variable(s) to ${writeResult.path}`);
+            const mcpInstaller = require("./mcp-installer");
+
+            // Build resolvedSecrets map: bitwardenItemName → value
+            const resolvedSecrets = {};
+            fetchResults.found.forEach((s) => {
+                resolvedSecrets[s.name] = s.value;
+            });
+
+            console.log("\n📦 Installing MCP servers to Antigravity...");
+            const installResult = mcpInstaller.installMcpServersWithSecrets(resolvedSecrets);
+
+            installResult.servers.forEach((s) => {
+                if (s.secretsCount > 0) {
+                    console.log(`  ✓ ${s.name}: ${s.secretsCount} secret(s) resolved`);
+                } else {
+                    console.log(`  ✓ ${s.name}: no secrets needed`);
+                }
+            });
         }
 
         // 8. Summary
         console.log("\n✅ Secrets synced successfully!\n");
 
-        console.log("ℹ️  Next steps:");
-        console.log("   1. Restart terminal or run: source ~/.zshrc");
-
         if (fetchResults.missing.length > 0) {
-            console.log(`   2. Missing secrets: ${fetchResults.missing.join(", ")}`);
-            console.log("      Add them to Bitwarden or set manually");
+            console.log(`⚠️  Missing secrets: ${fetchResults.missing.join(", ")}`);
+            console.log(`   Add them to your Bitwarden vault\n`);
         }
-
-        console.log("");
     } finally {
-        // Cleanup: Lock vault to invalidate session key
-        if (sessionKey) {
+        // Cleanup: Only lock if we created a new session
+        // Don't lock if we reused the session - let MCP keep using it
+        if (sessionKey && sessionSource === "new") {
             try {
                 execSync("bw lock", { stdio: "pipe" });
             } catch (e) {
                 // Silent fail - vault may already be locked
             }
-            sessionKey = null;
         }
+        sessionKey = null;
     }
 }
 

package/scripts/sync-manager.js

@@ -168,9 +168,13 @@ class SyncManager {
             // Add all .agent/ files except bundled package skills
             execSync("git add .agent/workflows/", { cwd: this.repoPath, stdio: "pipe" });
 
+            // Add MCP servers
+            const mcpServersDir = path.join(this.repoPath, ".agent/mcp-servers");
+            if (fs.existsSync(mcpServersDir)) {
+                execSync("git add .agent/mcp-servers/", { cwd: this.repoPath, stdio: "pipe" });
+            }
+
             // Add skills individually, excluding bundled ones
-            const fs = require("fs");
-            const path = require("path");
             const skillsDir = path.join(this.repoPath, ".agent/skills");
             const bundledSkills = ["ai-agent-config", "config-manager"];