aidevops 2.105.2 → 2.105.5

package/VERSION

@@ -1 +1 @@
-2.105.2
+2.105.5

package/aidevops.sh

@@ -3,7 +3,7 @@
 # AI DevOps Framework CLI
 # Usage: aidevops <command> [options]
 #
-# Version: 2.105.2
+# Version: 2.105.5
 
 set -euo pipefail
 
@@ -25,6 +25,9 @@ REPOS_FILE="$CONFIG_DIR/repos.json"
 REPO_URL="https://github.com/marcusquinn/aidevops.git"
 VERSION_FILE="$INSTALL_DIR/VERSION"
 
+# Portable sed in-place edit (macOS BSD sed vs GNU sed)
+sed_inplace() { if [[ "$(uname)" == "Darwin" ]]; then sed -i '' "$@"; else sed -i "$@"; fi; }
+
 print_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
 print_success() { echo -e "${GREEN}[OK]${NC} $1"; }
 print_warning() { echo -e "${YELLOW}[WARN]${NC} $1"; }
@@ -588,8 +591,24 @@ cmd_update() {
         fi
     else
         print_warning "Repository not found, performing fresh install..."
-        # shellcheck disable=SC2312  # curl|bash is intentional for install
-        bash <(curl -fsSL https://raw.githubusercontent.com/marcusquinn/aidevops/main/setup.sh)
+        # Download setup script to temp file first (not piped to shell)
+        local tmp_setup
+        tmp_setup=$(mktemp "${TMPDIR:-/tmp}/aidevops-setup-XXXXXX.sh") || {
+            print_error "Failed to create temp file for setup script"
+            return 1
+        }
+        if curl -fsSL "https://raw.githubusercontent.com/marcusquinn/aidevops/main/setup.sh" -o "$tmp_setup" 2>/dev/null && [[ -s "$tmp_setup" ]]; then
+            chmod +x "$tmp_setup"
+            bash "$tmp_setup"
+            local setup_exit=$?
+            rm -f "$tmp_setup"
+            [[ $setup_exit -ne 0 ]] && return 1
+        else
+            rm -f "$tmp_setup"
+            print_error "Failed to download setup script"
+            print_info "Try: git clone https://github.com/marcusquinn/aidevops.git $INSTALL_DIR && bash $INSTALL_DIR/setup.sh"
+            return 1
+        fi
     fi
     
     # Check registered repos for updates
@@ -761,8 +780,7 @@ cmd_uninstall() {
                 # Create backup
                 cp "$rc_file" "$rc_file.bak"
                 # Remove our alias block (from comment to empty line)
-                sed -i.tmp '/# AI Assistant Server Access Framework/,/^$/d' "$rc_file"
-                rm -f "$rc_file.tmp"
+                sed_inplace '/# AI Assistant Server Access Framework/,/^$/d' "$rc_file"
                 print_success "Removed aliases from $rc_file"
             fi
         fi
@@ -798,7 +816,8 @@ cmd_uninstall() {
     echo ""
     print_success "Uninstall complete!"
     print_info "To reinstall, run:"
-    echo "  bash <(curl -fsSL https://raw.githubusercontent.com/marcusquinn/aidevops/main/setup.sh)"
+    echo "  npm install -g aidevops && aidevops update"
+    echo "  OR: brew install marcusquinn/tap/aidevops && aidevops update"
 }
 
 # Init command - initialize aidevops in a project
@@ -1360,8 +1379,7 @@ cmd_upgrade_planning() {
         fi
         
         # Update date placeholder
-        sed -i.tmp "s/{{DATE}}/$(date +%Y-%m-%d)/" "$todo_file" 2>/dev/null || true
-        rm -f "${todo_file}.tmp"
+        sed_inplace "s/{{DATE}}/$(date +%Y-%m-%d)/" "$todo_file" 2>/dev/null || true
         
         # Merge existing tasks into Backlog section (after the TOON block closing tag)
         if [[ -n "$existing_tasks" ]]; then
@@ -1426,8 +1444,7 @@ cmd_upgrade_planning() {
         fi
         
         # Update date placeholder
-        sed -i.tmp "s/{{DATE}}/$(date +%Y-%m-%d)/" "$plans_file" 2>/dev/null || true
-        rm -f "${plans_file}.tmp"
+        sed_inplace "s/{{DATE}}/$(date +%Y-%m-%d)/" "$plans_file" 2>/dev/null || true
         
         # Merge existing plans into Active Plans section (after the TOON block closing tag)
         if [[ -n "$existing_plans" ]]; then
@@ -1483,8 +1500,7 @@ cmd_upgrade_planning() {
             ' "$config_file" > "$temp_json" && mv "$temp_json" "$config_file"
         else
             # Update existing templates_version
-            sed -i.tmp "s/\"templates_version\": \"[^\"]*\"/\"templates_version\": \"$aidevops_version\"/" "$config_file" 2>/dev/null || true
-            rm -f "${config_file}.tmp"
+            sed_inplace "s/\"templates_version\": \"[^\"]*\"/\"templates_version\": \"$aidevops_version\"/" "$config_file" 2>/dev/null || true
         fi
     fi
     
@@ -2019,9 +2035,9 @@ cmd_help() {
     echo "  aidevops skill remove <name> # Remove an imported skill"
     echo ""
     echo "Installation:"
-    echo "  npm install -g aidevops && aidevops update      # via npm"
+    echo "  npm install -g aidevops && aidevops update      # via npm (recommended)"
     echo "  brew install marcusquinn/tap/aidevops && aidevops update  # via Homebrew"
-    echo "  bash <(curl -fsSL https://aidevops.sh) # via curl"
+    echo "  curl -fsSL https://aidevops.sh -o /tmp/aidevops-setup.sh && bash /tmp/aidevops-setup.sh  # manual"
     echo ""
     echo "Documentation: https://github.com/marcusquinn/aidevops"
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aidevops",
-  "version": "2.105.2",
+  "version": "2.105.5",
   "description": "AI DevOps Framework - AI-assisted development workflows, code quality, and deployment automation",
   "type": "module",
   "bin": {

package/setup.sh

@@ -3,11 +3,12 @@
 # AI Assistant Server Access Framework Setup Script
 # Helps developers set up the framework for their infrastructure
 #
-# Version: 2.105.2
+# Version: 2.105.5
 #
-# Quick Install (one-liner):
-#   bash <(curl -fsSL https://aidevops.dev/install)
-#   OR: bash <(curl -fsSL https://raw.githubusercontent.com/marcusquinn/aidevops/main/setup.sh)
+# Quick Install:
+#   npm install -g aidevops && aidevops update          (recommended)
+#   brew install marcusquinn/tap/aidevops && aidevops update  (Homebrew)
+#   curl -fsSL https://aidevops.sh -o /tmp/aidevops-setup.sh && bash /tmp/aidevops-setup.sh  (manual)
 
 # Colors for output
 GREEN='\033[0;32m'
@@ -64,6 +65,73 @@ run_with_spinner() {
     return $exit_code
 }
 
+# Verified install: download script to temp file, inspect, then execute
+# Replaces unsafe curl|sh patterns with download-verify-execute
+# Usage: verified_install "description" "url" [extra_args...]
+# Options (set before calling):
+#   VERIFIED_INSTALL_SUDO="true"  - run with sudo
+#   VERIFIED_INSTALL_SHELL="sh"  - use sh instead of bash (default: bash)
+# Returns: 0 on success, 1 on failure
+verified_install() {
+    local description="$1"
+    local url="$2"
+    shift 2
+    local extra_args=("$@")
+    local shell="${VERIFIED_INSTALL_SHELL:-bash}"
+    local use_sudo="${VERIFIED_INSTALL_SUDO:-false}"
+
+    # Reset options for next call
+    VERIFIED_INSTALL_SUDO="false"
+    VERIFIED_INSTALL_SHELL="bash"
+
+    # Create secure temp file
+    local tmp_script
+    tmp_script=$(mktemp "${TMPDIR:-/tmp}/aidevops-install-XXXXXX.sh") || {
+        print_error "Failed to create temp file for $description"
+        return 1
+    }
+
+    # Ensure cleanup on exit from this function
+    # shellcheck disable=SC2064
+    trap "rm -f '$tmp_script'" RETURN
+
+    # Download script to file (not piped to shell)
+    print_info "Downloading $description install script..."
+    if ! curl -fsSL "$url" -o "$tmp_script" 2>/dev/null; then
+        print_error "Failed to download $description install script from $url"
+        return 1
+    fi
+
+    # Verify download is non-empty and looks like a script
+    if [[ ! -s "$tmp_script" ]]; then
+        print_error "Downloaded $description script is empty"
+        return 1
+    fi
+
+    # Basic content safety check: reject binary content
+    if file "$tmp_script" 2>/dev/null | grep -qv 'text'; then
+        print_error "Downloaded $description script appears to be binary, not a shell script"
+        return 1
+    fi
+
+    # Make executable
+    chmod +x "$tmp_script"
+
+    # Execute from file
+    local cmd=("$shell" "$tmp_script" "${extra_args[@]}")
+    if [[ "$use_sudo" == "true" ]]; then
+        cmd=(sudo "$shell" "$tmp_script" "${extra_args[@]}")
+    fi
+
+    if "${cmd[@]}"; then
+        print_success "$description installed"
+        return 0
+    else
+        print_error "$description installation failed"
+        return 1
+    fi
+}
+
 # Find OpenCode config file (checks multiple possible locations)
 # Returns: path to config file, or empty string if not found
 find_opencode_config() {
@@ -310,20 +378,36 @@ migrate_agent_to_agents_folder() {
         done < <(jq -r '.initialized_repos[].path' "$repos_file" 2>/dev/null)
     fi
     
-    # 2. Also scan ~/Git/ for any .agent symlinks not in repos.json
+    # 2. Also scan ~/Git/ for any .agent symlinks or directories not in repos.json
     if [[ -d "$HOME/Git" ]]; then
-        while IFS= read -r -d '' agent_link; do
+        while IFS= read -r -d '' agent_path; do
             local repo_dir
-            repo_dir=$(dirname "$agent_link")
-            if [[ -L "$agent_link" ]] && [[ ! -e "$repo_dir/.agents" ]]; then
-                local target
-                target=$(readlink "$agent_link")
-                rm -f "$agent_link"
-                ln -s "$target" "$repo_dir/.agents" 2>/dev/null || true
-                print_info "  Migrated symlink: $agent_link -> .agents"
-                ((migrated++))
+            repo_dir=$(dirname "$agent_path")
+            
+            if [[ -L "$agent_path" ]]; then
+                # Symlink: migrate or clean up stale
+                if [[ ! -e "$repo_dir/.agents" ]]; then
+                    local target
+                    target=$(readlink "$agent_path")
+                    rm -f "$agent_path"
+                    ln -s "$target" "$repo_dir/.agents" 2>/dev/null || true
+                    print_info "  Migrated symlink: $agent_path -> .agents"
+                    ((migrated++))
+                else
+                    # .agents already exists, remove stale .agent symlink
+                    rm -f "$agent_path"
+                    print_info "  Removed stale symlink: $agent_path (.agents already exists)"
+                    ((migrated++))
+                fi
+            elif [[ -d "$agent_path" ]]; then
+                # Directory: rename to .agents if .agents doesn't exist
+                if [[ ! -e "$repo_dir/.agents" ]]; then
+                    mv "$agent_path" "$repo_dir/.agents"
+                    print_info "  Renamed directory: $agent_path -> .agents"
+                    ((migrated++))
+                fi
             fi
-        done < <(find "$HOME/Git" -maxdepth 3 -name ".agent" -type l -print0 2>/dev/null)
+        done < <(find "$HOME/Git" -maxdepth 3 -name ".agent" \( -type l -o -type d \) -print0 2>/dev/null)
     fi
     
     # 3. Update AI assistant config files that reference .agent/
@@ -1211,8 +1295,9 @@ setup_oh_my_zsh() {
     
     if [[ "$install_omz" =~ ^[Yy]$ ]]; then
         print_info "Installing Oh My Zsh..."
-        # Use --unattended to avoid changing the shell or starting zsh
-        if sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended; then
+        # Use verified download + --unattended to avoid changing the shell or starting zsh
+        VERIFIED_INSTALL_SHELL="sh"
+        if verified_install "Oh My Zsh" "https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh" --unattended; then
             print_success "Oh My Zsh installed"
             
             # Ensure .zshrc exists (Oh My Zsh creates it, but verify)
@@ -1235,11 +1320,11 @@ setup_oh_my_zsh() {
             fi
         else
             print_warning "Oh My Zsh installation failed"
-            print_info "Install manually: sh -c \"\$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)\""
+            print_info "Install manually: curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh -o /tmp/omz-install.sh && sh /tmp/omz-install.sh"
         fi
     else
         print_info "Skipped Oh My Zsh installation"
-        print_info "Install later: sh -c \"\$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)\""
+        print_info "Install later: curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh -o /tmp/omz-install.sh && sh /tmp/omz-install.sh"
     fi
     
     return 0
@@ -1720,15 +1805,17 @@ setup_recommended_tools() {
                     pkg_manager=$(detect_package_manager)
                     case "$pkg_manager" in
                         apt)
-                            # Add packagecloud repo for Tabby
-                            print_info "Adding Tabby repository..."
-                            curl -s https://packagecloud.io/install/repositories/eugeny/tabby/script.deb.sh | sudo bash
-                            sudo apt-get install -y tabby-terminal
+                            # Add packagecloud repo for Tabby (verified download, not piped to sudo)
+                            VERIFIED_INSTALL_SUDO="true"
+                            if verified_install "Tabby repository (apt)" "https://packagecloud.io/install/repositories/eugeny/tabby/script.deb.sh"; then
+                                sudo apt-get install -y tabby-terminal
+                            fi
                             ;;
                         dnf|yum)
-                            print_info "Adding Tabby repository..."
-                            curl -s https://packagecloud.io/install/repositories/eugeny/tabby/script.rpm.sh | sudo bash
-                            sudo "$pkg_manager" install -y tabby-terminal
+                            VERIFIED_INSTALL_SUDO="true"
+                            if verified_install "Tabby repository (rpm)" "https://packagecloud.io/install/repositories/eugeny/tabby/script.rpm.sh"; then
+                                sudo "$pkg_manager" install -y tabby-terminal
+                            fi
                             ;;
                         pacman)
                             # AUR package
@@ -1764,10 +1851,9 @@ setup_recommended_tools() {
                         echo "  Download manually: https://zed.dev/download"
                     fi
                 elif [[ "$(uname)" == "Linux" ]]; then
-                    # Zed provides an install script for Linux (interactive, can't use spinner)
-                    print_info "Running Zed install script..."
-                    if curl -f https://zed.dev/install.sh | sh; then
-                        print_success "Zed installed successfully"
+                    # Zed provides an install script for Linux (verified download)
+                    VERIFIED_INSTALL_SHELL="sh"
+                    if verified_install "Zed" "https://zed.dev/install.sh"; then
                         zed_installed=true
                     else
                         print_warning "Failed to install Zed"
@@ -1955,8 +2041,9 @@ add_local_bin_to_path() {
     while IFS= read -r rc_file; do
         [[ -z "$rc_file" ]] && continue
         
-        # Create the rc file if it doesn't exist
+        # Create the rc file if it doesn't exist (ensure parent dir exists for fish etc.)
         if [[ ! -f "$rc_file" ]]; then
+            mkdir -p "$(dirname "$rc_file")"
             touch "$rc_file"
         fi
         
@@ -2074,7 +2161,7 @@ alias aws-helper './.agents/scripts/aws-helper.sh'
 ALIASES
 )
     
-    # Check if aliases already exist in any rc file
+    # Check if aliases already exist in any rc file (including fish config)
     local any_configured=false
     local rc_file
     while IFS= read -r rc_file; do
@@ -2084,6 +2171,13 @@ ALIASES
             break
         fi
     done < <(get_all_shell_rcs)
+    # Also check fish config (not included in get_all_shell_rcs on macOS)
+    if [[ "$any_configured" == "false" ]]; then
+        local fish_config="$HOME/.config/fish/config.fish"
+        if grep -q "# AI Assistant Server Access" "$fish_config" 2>/dev/null; then
+            any_configured=true
+        fi
+    fi
     
     if [[ "$any_configured" == "true" ]]; then
         print_info "Server Access aliases already configured - Skipping"
@@ -2604,28 +2698,59 @@ scan_imported_skills() {
         return 0
     fi
     
-    # Install skill-scanner if not present and uv is available
+    # Install skill-scanner if not present
+    # Fallback chain: uv -> pipx -> venv+symlink -> pip3 --user (legacy)
+    # PEP 668 (Ubuntu 24.04+) blocks pip3 --user, so we try isolated methods first
     if ! command -v skill-scanner &>/dev/null; then
-        if command -v uv &>/dev/null; then
-            print_info "Installing Cisco Skill Scanner..."
+        local installed=false
+        
+        # 1. uv tool install (preferred - fast, isolated)
+        if [[ "$installed" == "false" ]] && command -v uv &>/dev/null; then
+            print_info "Installing Cisco Skill Scanner via uv..."
             if run_with_spinner "Installing cisco-ai-skill-scanner" uv tool install cisco-ai-skill-scanner; then
-                print_success "Cisco Skill Scanner installed"
-            else
-                print_warning "Failed to install Cisco Skill Scanner - skipping security scan"
-                print_info "Install manually with: uv tool install cisco-ai-skill-scanner"
-                return 0
+                print_success "Cisco Skill Scanner installed via uv"
+                installed=true
+            fi
+        fi
+        
+        # 2. pipx install (designed for isolated app installs)
+        if [[ "$installed" == "false" ]] && command -v pipx &>/dev/null; then
+            print_info "Installing Cisco Skill Scanner via pipx..."
+            if run_with_spinner "Installing cisco-ai-skill-scanner" pipx install cisco-ai-skill-scanner; then
+                print_success "Cisco Skill Scanner installed via pipx"
+                installed=true
             fi
-        elif command -v pip3 &>/dev/null; then
-            print_info "Installing Cisco Skill Scanner via pip..."
-            if run_with_spinner "Installing cisco-ai-skill-scanner" pip3 install --user cisco-ai-skill-scanner; then
-                print_success "Cisco Skill Scanner installed"
+        fi
+        
+        # 3. venv + symlink (works on PEP 668 systems without uv/pipx)
+        if [[ "$installed" == "false" ]] && command -v python3 &>/dev/null; then
+            local venv_dir="$HOME/.aidevops/.agent-workspace/work/cisco-scanner-env"
+            local bin_dir="$HOME/.local/bin"
+            print_info "Installing Cisco Skill Scanner in isolated venv..."
+            if python3 -m venv "$venv_dir" 2>/dev/null && \
+               "$venv_dir/bin/pip" install cisco-ai-skill-scanner 2>/dev/null; then
+                mkdir -p "$bin_dir"
+                ln -sf "$venv_dir/bin/skill-scanner" "$bin_dir/skill-scanner"
+                print_success "Cisco Skill Scanner installed via venv ($venv_dir)"
+                installed=true
             else
-                print_warning "Failed to install Cisco Skill Scanner - skipping security scan"
-                return 0
+                rm -rf "$venv_dir" 2>/dev/null || true
             fi
-        else
-            print_info "Cisco Skill Scanner not installed (uv or pip3 required)"
-            print_info "Install with: uv tool install cisco-ai-skill-scanner"
+        fi
+        
+        # 4. pip3 --user (legacy fallback, fails on PEP 668 systems)
+        if [[ "$installed" == "false" ]] && command -v pip3 &>/dev/null; then
+            print_info "Installing Cisco Skill Scanner via pip3 --user..."
+            if run_with_spinner "Installing cisco-ai-skill-scanner" pip3 install --user cisco-ai-skill-scanner 2>/dev/null; then
+                print_success "Cisco Skill Scanner installed via pip3"
+                installed=true
+            fi
+        fi
+        
+        if [[ "$installed" == "false" ]]; then
+            print_warning "Failed to install Cisco Skill Scanner - skipping security scan"
+            print_info "Install manually with: uv tool install cisco-ai-skill-scanner"
+            print_info "Or: pipx install cisco-ai-skill-scanner"
             return 0
         fi
     fi
@@ -2904,7 +3029,7 @@ install_mcp_packages() {
         install_cmd="npm install -g"
     else
         print_warning "Neither bun nor npm found - cannot install MCP packages"
-        print_info "Install bun (recommended): curl -fsSL https://bun.sh/install | bash"
+        print_info "Install bun (recommended): npm install -g bun OR brew install oven-sh/bun/bun"
         return 0
     fi
 
@@ -3335,15 +3460,15 @@ setup_beads_ui() {
                     print_warning "Go install failed"
                 fi
             else
-                # Offer curl install script
+                # Offer verified install script (download-then-execute, not piped)
                 read -r -p "  Install bv via install script? [Y/n]: " use_script
                 if [[ "$use_script" =~ ^[Yy]?$ ]]; then
-                    if run_with_spinner "Installing bv via script" bash -c 'curl -fsSL "https://raw.githubusercontent.com/Dicklesworthstone/beads_viewer/main/install.sh" | bash'; then
+                    if verified_install "bv (beads viewer)" "https://raw.githubusercontent.com/Dicklesworthstone/beads_viewer/main/install.sh"; then
                         print_info "Run: bv (in a beads-enabled project)"
                         ((installed_count++))
                     else
                         print_warning "Install script failed - try manually:"
-                        print_info "  curl -fsSL https://raw.githubusercontent.com/Dicklesworthstone/beads_viewer/main/install.sh | bash"
+                        print_info "  Homebrew: brew tap dicklesworthstone/tap && brew install dicklesworthstone/tap/bv"
                     fi
                 else
                     print_info "Install later:"
@@ -3417,7 +3542,7 @@ setup_browser_tools() {
     # Install Bun if not present (required for dev-browser)
     if [[ "$has_bun" == "false" ]]; then
         print_info "Installing Bun (required for dev-browser)..."
-        if curl -fsSL https://bun.sh/install | bash 2>/dev/null; then
+        if verified_install "Bun" "https://bun.sh/install"; then
             # Source the updated PATH
             export BUN_INSTALL="$HOME/.bun"
             export PATH="$BUN_INSTALL/bin:$PATH"
@@ -3670,14 +3795,6 @@ setup_opencode_plugins() {
     
     return 0
 }
-
-# Setup Oh-My-OpenCode Plugin (removed - no longer supported)
-# Kept as stub for backward compatibility with any callers
-setup_oh_my_opencode() {
-    # Removed - oh-my-opencode no longer supported
-    return 0
-}
-
 setup_seo_mcps() {
     print_info "Setting up SEO integrations..."