ai-agent-config 2.7.0 → 2.7.1
- package/package.json +1 -1
- package/scripts/mcp-installer.js +18 -0
- package/scripts/postinstall.js +22 -36
- package/scripts/secret-manager.js +5 -4
package/package.json
CHANGED
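--- a/package/scripts/mcp-installer.js
+++ b/package/scripts/mcp-installer.js
@@ -167,6 +167,15 @@ function writeMcpToPlatformConfig(configPath, servers, options = {}) {
 fs.mkdirSync(configDir, { recursive: true });
 }
 fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n", "utf-8");
+// Set restrictive permissions (owner read/write only) to protect secrets
+// Only on Unix-like systems (macOS, Linux) - Windows uses ACL instead
+if (process.platform !== "win32") {
+try {
+fs.chmodSync(configPath, 0o600);
+} catch (e) {
+console.warn(`⚠️ Warning: Could not set file permissions on ${configPath}: ${e.message}`);
+}
+}
 }
 
 return { added, skipped };
@@ -291,6 +300,15 @@ function writeMcpWithSecretsToPlatformConfig(configPath, servers, resolvedSecret
 fs.mkdirSync(configDir, { recursive: true });
 }
 fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n", "utf-8");
+// Set restrictive permissions (owner read/write only) to protect secrets
+// Only on Unix-like systems (macOS, Linux) - Windows uses ACL instead
+if (process.platform !== "win32") {
+try {
+fs.chmodSync(configPath, 0o600);
+} catch (e) {
+console.warn(`⚠️ Warning: Could not set file permissions on ${configPath}: ${e.message}`);
+}
+}
 }
 
 return { installed, servers: serverResults };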
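Review bot: The new `fs.chmodSync(configPath, 0o600)` runs only after `fs.writeFileSync` has already created the file with the default mode, so a freshly written config holding secrets is readable under the process umask until the chmod lands, and it stays that way if the chmod fails, because the catch only warns. Passing the mode at creation closes that window: `fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n", { encoding: "utf-8", mode: 0o600 });`. The chmod should be kept for files that already exist, since `mode` applies only when the file is created. The same applies to the identical block in the second hunk (writeMcpWithSecretsToPlatformConfig), and the duplicated block would sit better in one small helper. Both functions start outside the hunks shown.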
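--- a/package/scripts/postinstall.js
+++ b/package/scripts/postinstall.js
@@ -7,6 +7,26 @@
 
 const platforms = require("./platforms");
 
+// Bitwarden MCP: Tools to disable (org management, device approval, sends, etc.)
+const BITWARDEN_DISABLED_TOOLS = [
+"lock", "sync", "status", "confirm",
+"create_org_collection", "edit_org_collection", "edit_item_collections", "move",
+"device_approval_list", "device_approval_approve", "device_approval_approve_all",
+"device_approval_deny", "device_approval_deny_all",
+"create_text_send", "create_file_send", "list_send", "get_send",
+"edit_send", "delete_send", "remove_send_password",
+"create_attachment",
+"list_org_collections", "get_org_collection", "update_org_collection", "delete_org_collection",
+"list_org_members", "get_org_member", "get_org_member_groups",
+"invite_org_member", "update_org_member", "update_org_member_groups",
+"remove_org_member", "reinvite_org_member",
+"list_org_groups", "get_org_group", "get_org_group_members",
+"create_org_group", "update_org_group", "delete_org_group", "update_org_group_members",
+"list_org_policies", "get_org_policy", "update_org_policy",
+"get_org_events", "get_org_subscription", "update_org_subscription",
+"import_org_users_and_groups"
+];
+
 function main() {
 console.log("\n╔═══════════════════════════════════════════════════════════════╗");
 console.log("║ AI Agent Config Installed! ║");
@@ -73,24 +93,7 @@ function main() {
 BW_CLIENT_ID: "${BW_CLIENT_ID}",
 BW_CLIENT_SECRET: "${BW_CLIENT_SECRET}",
 },
-disabledTools:
-"lock", "sync", "status", "confirm",
-"create_org_collection", "edit_org_collection", "edit_item_collections", "move",
-"device_approval_list", "device_approval_approve", "device_approval_approve_all",
-"device_approval_deny", "device_approval_deny_all",
-"create_text_send", "create_file_send", "list_send", "get_send",
-"edit_send", "delete_send", "remove_send_password",
-"create_attachment",
-"list_org_collections", "get_org_collection", "update_org_collection", "delete_org_collection",
-"list_org_members", "get_org_member", "get_org_member_groups",
-"invite_org_member", "update_org_member", "update_org_member_groups",
-"remove_org_member", "reinvite_org_member",
-"list_org_groups", "get_org_group", "get_org_group_members",
-"create_org_group", "update_org_group", "delete_org_group", "update_org_group_members",
-"list_org_policies", "get_org_policy", "update_org_policy",
-"get_org_events", "get_org_subscription", "update_org_subscription",
-"import_org_users_and_groups"
-],
+disabledTools: BITWARDEN_DISABLED_TOOLS,
 };
 changed = true;
 console.log("🔐 Bitwarden MCP server added to Antigravity (✓ enabled)");
@@ -110,24 +113,7 @@ function main() {
 
 // Phase 4: Add disabledTools if not present (don't override if user customized)
 if (!bw.disabledTools) {
-bw.disabledTools =
-"lock", "sync", "status", "confirm",
-"create_org_collection", "edit_org_collection", "edit_item_collections", "move",
-"device_approval_list", "device_approval_approve", "device_approval_approve_all",
-"device_approval_deny", "device_approval_deny_all",
-"create_text_send", "create_file_send", "list_send", "get_send",
-"edit_send", "delete_send", "remove_send_password",
-"create_attachment",
-"list_org_collections", "get_org_collection", "update_org_collection", "delete_org_collection",
-"list_org_members", "get_org_member", "get_org_member_groups",
-"invite_org_member", "update_org_member", "update_org_member_groups",
-"remove_org_member", "reinvite_org_member",
-"list_org_groups", "get_org_group", "get_org_group_members",
-"create_org_group", "update_org_group", "delete_org_group", "update_org_group_members",
-"list_org_policies", "get_org_policy", "update_org_policy",
-"get_org_events", "get_org_subscription", "update_org_subscription",
-"import_org_users_and_groups"
-];
+bw.disabledTools = BITWARDEN_DISABLED_TOOLS;
 changed = true;
 console.log("🎛️ Bitwarden MCP: Added tool filters (disabled org-management tools)");
 }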
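Review bot: `BITWARDEN_DISABLED_TOOLS` is a deny-list, so any tool a later Bitwarden MCP server release exposes stays enabled until this array is updated, and the `if (!bw.disabledTools)` guard in the third hunk means configs that already carry a list never pick up additions. The comment above the constant should say so, e.g. `// Deny-list: tools not named here stay enabled; re-review on every Bitwarden MCP server upgrade`. Whether the host config offers an allow-list form is not visible here. The same array object is now assigned in both the second and third hunks. Spreading it at each site (`[...BITWARDEN_DISABLED_TOOLS]`) or wrapping the constant in `Object.freeze` would keep an in-place edit of one config from changing the other. main() starts and continues outside the hunks.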
@@ -124,13 +124,14 @@ async function promptPassword() {
|
|
|
124
124
|
/**
|
|
125
125
|
* Unlock Bitwarden vault with password
|
|
126
126
|
* Returns session key or null if failed
|
|
127
|
-
* Uses
|
|
127
|
+
* Uses --passwordenv to pass password securely (not visible in process list)
|
|
128
128
|
*/
|
|
129
129
|
function unlockBitwarden(password) {
|
|
130
130
|
try {
|
|
131
|
-
// Use
|
|
132
|
-
//
|
|
133
|
-
const result = spawnSync("bw", ["unlock",
|
|
131
|
+
// Use --passwordenv to avoid leaking password in /proc/<pid>/cmdline
|
|
132
|
+
// Set password in env only for this child process
|
|
133
|
+
const result = spawnSync("bw", ["unlock", "--passwordenv", "BW_UNLOCK_PASSWORD", "--raw"], {
|
|
134
|
+
env: { ...process.env, BW_UNLOCK_PASSWORD: password },
|
|
134
135
|
encoding: "utf-8",
|
|
135
136
|
});
|
|
136
137
|
|
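Review bot: The new docblock line says the password is passed "securely", which overstates what `--passwordenv` gives. The value leaves argv but sits in the child's environment, which on Linux the same user and root can read through `/proc/<pid>/environ`, and anything `bw` itself spawns inherits it. I would word the inline comment to that effect, e.g. `// Keeps the password out of argv; it is still in the child's environment (readable by the same UID)`. Because `env` spreads `process.env`, the child also receives every other variable the parent holds, which is probably required for `bw` to run but is worth stating. unlockBitwarden's body continues past the hunk, so how `result` is checked is not visible here.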