ai-agent-config 2.7.0 → 2.7.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-agent-config",
-  "version": "2.7.0",
+  "version": "2.7.2",
   "description": "Universal skill & workflow manager for AI coding assistants with bi-directional GitHub sync",
   "main": "index.js",
   "bin": {

package/scripts/config-manager.js

@@ -1,6 +1,6 @@
 /**
  * Config Manager Module
- * Manages user configuration for ai-agent-config v2.3
+ * Manages user configuration for ai-agent-config
  */
 
 const fs = require("fs");
@@ -10,6 +10,7 @@ const os = require("os");
 const CONFIG_DIR = path.join(os.homedir(), ".ai-agent");
 const CONFIG_FILE = path.join(CONFIG_DIR, "config.json");
 const OFFICIAL_SOURCES = path.join(__dirname, "../config/official-sources.json");
+const CONFIG_VERSION = require("../package.json").version;
 
 /**
  * Get user config path
@@ -49,7 +50,7 @@ function loadOfficialSources() {
  */
 function createDefaultConfig() {
   const config = {
-    version: "2.3",
+    version: CONFIG_VERSION,
     repository: {
       url: null,
       branch: "main",
@@ -96,11 +97,11 @@ function initConfig(force = false) {
 }
 
 /**
- * Migrate config from older versions to v2.3
+ * Migrate config from older versions to current version
  */
 function migrateConfig(oldConfig) {
   const newConfig = {
-    version: "2.3",
+    version: CONFIG_VERSION,
     repository: {
       url: oldConfig.repository?.url || null,
       branch: oldConfig.repository?.branch || "main",
@@ -137,9 +138,9 @@ function loadConfig() {
   const data = fs.readFileSync(CONFIG_FILE, "utf-8");
   let config = JSON.parse(data);
 
-  // Auto-migrate from v2.0/v2.2 to v2.3
-  if (config.version !== "2.3") {
-    console.log(`🔄 Migrating config from v${config.version} to v2.3...`);
+  // Auto-migrate from older versions
+  if (config.version !== CONFIG_VERSION) {
+    console.log(`🔄 Migrating config from v${config.version} to v${CONFIG_VERSION}...`);
     config = migrateConfig(config);
     saveConfig(config);
     console.log("✅ Config migrated successfully!");
@@ -188,10 +189,10 @@ function validateConfig(config) {
     }
   }
 
-  // V2.3 validation
-  if (config.version === "2.3") {
+  // Current version validation
+  if (config.version === CONFIG_VERSION) {
     if (!config.repository) {
-      errors.push("Missing repository field in v2.3 config");
+      errors.push(`Missing repository field in v${CONFIG_VERSION} config`);
     } else {
       if (config.repository.url && typeof config.repository.url !== "string") {
         errors.push("repository.url must be a string");

package/scripts/mcp-installer.js

@@ -167,6 +167,15 @@ function writeMcpToPlatformConfig(configPath, servers, options = {}) {
             fs.mkdirSync(configDir, { recursive: true });
         }
         fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n", "utf-8");
+        // Set restrictive permissions (owner read/write only) to protect secrets
+        // Only on Unix-like systems (macOS, Linux) - Windows uses ACL instead
+        if (process.platform !== "win32") {
+            try {
+                fs.chmodSync(configPath, 0o600);
+            } catch (e) {
+                console.warn(`⚠️  Warning: Could not set file permissions on ${configPath}: ${e.message}`);
+            }
+        }
     }
 
     return { added, skipped };
@@ -291,6 +300,15 @@ function writeMcpWithSecretsToPlatformConfig(configPath, servers, resolvedSecret
             fs.mkdirSync(configDir, { recursive: true });
         }
         fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n", "utf-8");
+        // Set restrictive permissions (owner read/write only) to protect secrets
+        // Only on Unix-like systems (macOS, Linux) - Windows uses ACL instead
+        if (process.platform !== "win32") {
+            try {
+                fs.chmodSync(configPath, 0o600);
+            } catch (e) {
+                console.warn(`⚠️  Warning: Could not set file permissions on ${configPath}: ${e.message}`);
+            }
+        }
     }
 
     return { installed, servers: serverResults };

package/scripts/postinstall.js

@@ -7,6 +7,26 @@
 
 const platforms = require("./platforms");
 
+// Bitwarden MCP: Tools to disable (org management, device approval, sends, etc.)
+const BITWARDEN_DISABLED_TOOLS = [
+  "lock", "sync", "status", "confirm",
+  "create_org_collection", "edit_org_collection", "edit_item_collections", "move",
+  "device_approval_list", "device_approval_approve", "device_approval_approve_all",
+  "device_approval_deny", "device_approval_deny_all",
+  "create_text_send", "create_file_send", "list_send", "get_send",
+  "edit_send", "delete_send", "remove_send_password",
+  "create_attachment",
+  "list_org_collections", "get_org_collection", "update_org_collection", "delete_org_collection",
+  "list_org_members", "get_org_member", "get_org_member_groups",
+  "invite_org_member", "update_org_member", "update_org_member_groups",
+  "remove_org_member", "reinvite_org_member",
+  "list_org_groups", "get_org_group", "get_org_group_members",
+  "create_org_group", "update_org_group", "delete_org_group", "update_org_group_members",
+  "list_org_policies", "get_org_policy", "update_org_policy",
+  "get_org_events", "get_org_subscription", "update_org_subscription",
+  "import_org_users_and_groups"
+];
+
 function main() {
   console.log("\n╔═══════════════════════════════════════════════════════════════╗");
   console.log("║               AI Agent Config Installed!                      ║");
@@ -39,6 +59,12 @@ function main() {
   console.log("📦 Repository: https://github.com/dongitran/ai-agent-config\n");
 
   // Auto-install Bitwarden MCP server to Antigravity
+  // Skip if AI_AGENT_NO_AUTOCONFIG is set (opt-out for security/trust)
+  if (process.env.AI_AGENT_NO_AUTOCONFIG === "1" || process.env.AI_AGENT_NO_AUTOCONFIG === "true") {
+    console.log("⏭️  Skipping auto-config (AI_AGENT_NO_AUTOCONFIG is set)\n");
+    return;
+  }
+
   const fs = require("fs");
   const path = require("path");
   const os = require("os");
@@ -73,24 +99,7 @@ function main() {
             BW_CLIENT_ID: "${BW_CLIENT_ID}",
             BW_CLIENT_SECRET: "${BW_CLIENT_SECRET}",
           },
-          disabledTools: [
-            "lock", "sync", "status", "confirm",
-            "create_org_collection", "edit_org_collection", "edit_item_collections", "move",
-            "device_approval_list", "device_approval_approve", "device_approval_approve_all",
-            "device_approval_deny", "device_approval_deny_all",
-            "create_text_send", "create_file_send", "list_send", "get_send",
-            "edit_send", "delete_send", "remove_send_password",
-            "create_attachment",
-            "list_org_collections", "get_org_collection", "update_org_collection", "delete_org_collection",
-            "list_org_members", "get_org_member", "get_org_member_groups",
-            "invite_org_member", "update_org_member", "update_org_member_groups",
-            "remove_org_member", "reinvite_org_member",
-            "list_org_groups", "get_org_group", "get_org_group_members",
-            "create_org_group", "update_org_group", "delete_org_group", "update_org_group_members",
-            "list_org_policies", "get_org_policy", "update_org_policy",
-            "get_org_events", "get_org_subscription", "update_org_subscription",
-            "import_org_users_and_groups"
-          ],
+          disabledTools: BITWARDEN_DISABLED_TOOLS,
         };
         changed = true;
         console.log("🔐 Bitwarden MCP server added to Antigravity (✓ enabled)");
@@ -110,24 +119,7 @@ function main() {
 
         // Phase 4: Add disabledTools if not present (don't override if user customized)
         if (!bw.disabledTools) {
-          bw.disabledTools = [
-            "lock", "sync", "status", "confirm",
-            "create_org_collection", "edit_org_collection", "edit_item_collections", "move",
-            "device_approval_list", "device_approval_approve", "device_approval_approve_all",
-            "device_approval_deny", "device_approval_deny_all",
-            "create_text_send", "create_file_send", "list_send", "get_send",
-            "edit_send", "delete_send", "remove_send_password",
-            "create_attachment",
-            "list_org_collections", "get_org_collection", "update_org_collection", "delete_org_collection",
-            "list_org_members", "get_org_member", "get_org_member_groups",
-            "invite_org_member", "update_org_member", "update_org_member_groups",
-            "remove_org_member", "reinvite_org_member",
-            "list_org_groups", "get_org_group", "get_org_group_members",
-            "create_org_group", "update_org_group", "delete_org_group", "update_org_group_members",
-            "list_org_policies", "get_org_policy", "update_org_policy",
-            "get_org_events", "get_org_subscription", "update_org_subscription",
-            "import_org_users_and_groups"
-          ];
+          bw.disabledTools = BITWARDEN_DISABLED_TOOLS;
           changed = true;
           console.log("🎛️  Bitwarden MCP: Added tool filters (disabled org-management tools)");
         }

package/scripts/secret-manager.js

@@ -124,13 +124,14 @@ async function promptPassword() {
 /**
  * Unlock Bitwarden vault with password
  * Returns session key or null if failed
- * Uses spawnSync to avoid shell injection
+ * Uses --passwordenv to pass password securely (not visible in process list)
  */
 function unlockBitwarden(password) {
     try {
-        // Use positional password argument for compatibility with older Bitwarden CLI versions
-        // Since we use spawnSync without shell: true, the password doesn't leak into shell history
-        const result = spawnSync("bw", ["unlock", password, "--raw"], {
+        // Use --passwordenv to avoid leaking password in /proc/<pid>/cmdline
+        // Set password in env only for this child process
+        const result = spawnSync("bw", ["unlock", "--passwordenv", "BW_UNLOCK_PASSWORD", "--raw"], {
+            env: { ...process.env, BW_UNLOCK_PASSWORD: password },
             encoding: "utf-8",
         });