create-byan-agent 2.15.0 → 2.16.1

package/install/GUIDE-INSTALLATION-BYAN-SIMPLE.md

@@ -416,6 +416,46 @@ Claude reconnaît l'agent BYAN et vous pouvez interagir avec lui.
 
 ---
 
+### 🔌 Extensions MCP optionnelles (depuis 2.16.0)
+
+Pendant l'installation, BYAN propose d'activer des MCP servers tiers en plus du serveur byan natif.
+
+**Disponibles aujourd'hui :**
+
+| Extension | Description | Setup |
+|-----------|-------------|-------|
+| `gdrive` | Google Workspace : Docs, Sheets, Slides, Drive, Gmail, Calendar (95+ tools via `google-workspace-mcp`) | Interactif — guide Google Cloud + OAuth flow |
+
+**Sécurité — où vivent les credentials :**
+
+- Aucune credential n'est écrite dans le repo BYAN ni dans `.mcp.json` (source : [CLAIM L1] code de `install/packages/platform-config/lib/mcp-config.js`, fonction `assertNoSecretInEntry`)
+- `~/.google-mcp/credentials.json` (perm 600) — Client OAuth Google
+- `~/.google-mcp/tokens/<account>.json` — Tokens d'accès persistés par compte
+- `BYAN_API_TOKEN` — vit uniquement dans `.env` (gitignored) + `.claude/settings.local.json` (gitignored)
+
+**Si tu skip l'extension à l'install et veux l'activer plus tard**, relance `npx create-byan-agent` ou ajoute manuellement l'entry suivante à `.mcp.json` :
+
+```json
+{
+  "mcpServers": {
+    "gdrive": {
+      "command": "npx",
+      "args": ["-y", "google-workspace-mcp", "serve"]
+    }
+  }
+}
+```
+
+Puis exécute le setup interactif du package :
+
+```bash
+npx -y google-workspace-mcp setup
+npx -y google-workspace-mcp accounts add default
+npx -y google-workspace-mcp status   # vérifier que tout est OK
+```
+
+---
+
 ## 5. Cas d'Usage Typiques
 
 ### 🎯 Cas 1 : Créer un Nouvel Agent

package/install/bin/create-byan-agent-v2.js

@@ -17,6 +17,7 @@ const { launchPhase2Chat, generateDefaultConfig } = require('../lib/phase2-chat'
 const { setupByanWebIntegration, validateByanWebReachability } = require('../lib/byan-web-integration');
 const { setupClaudeNative } = require('../lib/claude-native-setup');
 const { setupCodexNative } = require('../lib/codex-native-setup');
+const { setupMcpExtensions } = require('../lib/mcp-extensions');
 const { setupStagingConsent } = require('../lib/staging-consent');
 const { getLatestVersion, compareVersions } = require('../lib/utils/version-compare');
 
@@ -1491,6 +1492,14 @@ async function install(options = {}) {
     }
   }
 
+  if (needsClaude) {
+    try {
+      await setupMcpExtensions(projectRoot, {});
+    } catch (error) {
+      console.log(chalk.yellow(`  ⚠ MCP extensions setup skipped: ${error.message}`));
+    }
+  }
+
   // Step 8: Create config.yaml
   const configSpinner = ora('Generating configuration...').start();
   

package/install/lib/mcp-extensions/gdrive.js

@@ -0,0 +1,256 @@
+/**
+ * Google Workspace MCP extension (gdrive)
+ *
+ * Wraps the npm package `google-workspace-mcp` (Docs, Sheets, Slides, Drive,
+ * Gmail, Calendar, Forms — 95+ tools). The package ships its own CLI for
+ * interactive credential setup and persists everything under
+ * ~/.google-mcp/ (gitignored by virtue of being in $HOME).
+ *
+ * Our role here is:
+ *   1. Detect if the package is reachable (npx).
+ *   2. Detect if credentials are already on disk.
+ *   3. If not, walk the user through the Google Cloud setup steps with
+ *      direct console links, and delegate the actual OAuth flow to the
+ *      package's `setup` / `accounts add` CLI subcommands.
+ *   4. Provide the .mcp.json entry to register the server.
+ *
+ * No credential ever touches the project tree. The .mcp.json entry only
+ * declares command/args — every secret stays in ~/.google-mcp/.
+ */
+
+'use strict';
+
+const path = require('path');
+const os = require('os');
+const fs = require('fs-extra');
+const chalk = require('chalk');
+const inquirer = require('inquirer');
+const { execSync, spawnSync } = require('child_process');
+
+const PACKAGE_NAME = 'google-workspace-mcp';
+const CONFIG_DIR = path.join(os.homedir(), '.google-mcp');
+const CREDENTIALS_PATH = path.join(CONFIG_DIR, 'credentials.json');
+
+const SETUP_LINKS = [
+  {
+    step: 'Créer un projet Google Cloud',
+    url: 'https://console.cloud.google.com/projectcreate',
+  },
+  {
+    step: 'Activer les APIs (Drive, Docs, Sheets, Slides, Gmail, Calendar, Forms)',
+    url: 'https://console.cloud.google.com/apis/library',
+  },
+  {
+    step: 'Configurer l\'écran de consentement OAuth (External, mode Test)',
+    url: 'https://console.cloud.google.com/apis/credentials/consent',
+  },
+  {
+    step: 'Créer un OAuth Client ID type "Desktop App"',
+    url: 'https://console.cloud.google.com/apis/credentials/oauthclient',
+  },
+];
+
+async function isPackageInstallable() {
+  try {
+    execSync(`npm view ${PACKAGE_NAME} version --silent`, {
+      stdio: ['ignore', 'ignore', 'pipe'],
+      timeout: 30_000,
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function hasCredentials() {
+  return fs.pathExists(CREDENTIALS_PATH);
+}
+
+async function isConfigured() {
+  return hasCredentials();
+}
+
+function buildEntry() {
+  return {
+    command: 'npx',
+    args: ['-y', PACKAGE_NAME, 'serve'],
+  };
+}
+
+async function buildMcpEntry() {
+  return buildEntry();
+}
+
+function printSetupGuide(log) {
+  log();
+  log(chalk.cyan('Étapes Google Cloud (faire dans le navigateur, dans cet ordre) :'));
+  SETUP_LINKS.forEach((s, i) => {
+    log(chalk.gray(`  ${i + 1}. ${s.step}`));
+    log(chalk.gray(`     → ${s.url}`));
+  });
+  log();
+  log(chalk.gray(`  5. Télécharger le JSON OAuth Client (bouton "Download JSON")`));
+  log(chalk.gray(`  6. Renommer ce fichier en : credentials.json`));
+  log(chalk.gray(`  7. Le placer dans : ${CREDENTIALS_PATH}`));
+  log();
+}
+
+async function importCredentialsFromPath(srcPath, log) {
+  const abs = path.resolve(srcPath);
+  if (!(await fs.pathExists(abs))) {
+    throw new Error(`Fichier introuvable : ${abs}`);
+  }
+  let parsed;
+  try {
+    parsed = await fs.readJson(abs);
+  } catch (e) {
+    throw new Error(`JSON invalide : ${e.message}`);
+  }
+  // Sanity check — Google OAuth client JSON has either "installed" or "web"
+  if (!parsed.installed && !parsed.web) {
+    throw new Error(
+      `Format inattendu : ce fichier ne ressemble pas à un OAuth Client Google (clé "installed" ou "web" absente)`
+    );
+  }
+  await fs.ensureDir(CONFIG_DIR);
+  // Tighten dir perms : 700 (owner only). Best-effort on non-POSIX.
+  try {
+    await fs.chmod(CONFIG_DIR, 0o700);
+  } catch {
+    // ignore on platforms where this fails
+  }
+  await fs.writeFile(CREDENTIALS_PATH, JSON.stringify(parsed, null, 2), {
+    mode: 0o600,
+  });
+  log(chalk.green(`  ✓ credentials.json copié vers ${CREDENTIALS_PATH} (perm 600)`));
+}
+
+async function runOAuthFlow(log) {
+  log();
+  log(chalk.cyan('Lancement du flow OAuth Google (le navigateur va s\'ouvrir)'));
+  log(chalk.gray('  Suis les instructions à l\'écran. Ferme la fenêtre quand le flow est terminé.'));
+  log();
+
+  const { accountName } = await inquirer.prompt([
+    {
+      type: 'input',
+      name: 'accountName',
+      message: 'Nom du compte Google (un slug — ex : "perso", "work") :',
+      default: 'default',
+      validate: (v) => /^[a-z0-9_-]+$/i.test(v) || 'Caractères autorisés : a-z, 0-9, _, -',
+    },
+  ]);
+
+  const result = spawnSync('npx', ['-y', PACKAGE_NAME, 'accounts', 'add', accountName], {
+    stdio: 'inherit',
+    timeout: 600_000, // 10 minutes
+  });
+
+  if (result.status !== 0) {
+    throw new Error(`google-workspace-mcp accounts add a échoué (exit ${result.status})`);
+  }
+  log(chalk.green(`  ✓ Compte "${accountName}" ajouté`));
+  return accountName;
+}
+
+async function setup({ quiet } = {}) {
+  const log = quiet ? () => {} : (...a) => console.log(...a);
+
+  if (!(await isPackageInstallable())) {
+    return {
+      configured: false,
+      skipReason: `Le package npm "${PACKAGE_NAME}" n'est pas accessible (réseau / registre indisponible). Réessaie plus tard.`,
+    };
+  }
+
+  if (await hasCredentials()) {
+    log(chalk.gray(`  · credentials.json déjà présent à ${CREDENTIALS_PATH}`));
+    const { reuse } = await inquirer.prompt([
+      {
+        type: 'confirm',
+        name: 'reuse',
+        message: 'Réutiliser la config existante (sans relancer OAuth) ?',
+        default: true,
+      },
+    ]);
+    if (reuse) {
+      return { configured: true, message: 'reused existing credentials' };
+    }
+  } else {
+    printSetupGuide(log);
+
+    const { hasJson } = await inquirer.prompt([
+      {
+        type: 'confirm',
+        name: 'hasJson',
+        message: 'Tu as téléchargé le credentials.json (étapes 1-5) ?',
+        default: false,
+      },
+    ]);
+
+    if (!hasJson) {
+      return {
+        configured: false,
+        skipReason:
+          'Setup interrompu — relance l\'installer une fois le credentials.json téléchargé.',
+      };
+    }
+
+    const { jsonPath } = await inquirer.prompt([
+      {
+        type: 'input',
+        name: 'jsonPath',
+        message: 'Chemin local vers le credentials.json téléchargé :',
+        validate: (v) => v && v.trim().length > 0 || 'Chemin requis',
+      },
+    ]);
+
+    try {
+      await importCredentialsFromPath(jsonPath.trim(), log);
+    } catch (err) {
+      return { configured: false, skipReason: `Import des credentials échoué : ${err.message}` };
+    }
+  }
+
+  const { runAuth } = await inquirer.prompt([
+    {
+      type: 'confirm',
+      name: 'runAuth',
+      message: 'Lancer le flow OAuth maintenant (ouvre le navigateur) ?',
+      default: true,
+    },
+  ]);
+
+  if (!runAuth) {
+    return {
+      configured: true,
+      message:
+        'credentials importés ; lance le flow OAuth plus tard via : npx -y google-workspace-mcp accounts add <name>',
+    };
+  }
+
+  try {
+    const account = await runOAuthFlow(log);
+    return { configured: true, message: `compte "${account}" authentifié` };
+  } catch (err) {
+    return {
+      configured: false,
+      skipReason:
+        `OAuth a échoué : ${err.message}. Relance manuellement : npx -y ${PACKAGE_NAME} accounts add <name>`,
+    };
+  }
+}
+
+module.exports = {
+  id: 'gdrive',
+  name: 'Google Workspace (Docs / Sheets / Slides / Drive / Gmail / Calendar)',
+  description: '95+ tools via google-workspace-mcp, OAuth2, creds in ~/.google-mcp/',
+  isConfigured,
+  setup,
+  buildMcpEntry,
+  // exposed for tests
+  buildEntry,
+  CONFIG_DIR,
+  CREDENTIALS_PATH,
+  PACKAGE_NAME,
+};

package/install/lib/mcp-extensions/index.js

@@ -0,0 +1,147 @@
+/**
+ * MCP Extensions Registry — discovers and orchestrates third-party MCP
+ * server integrations (Google Workspace, etc.) during yanstaller install.
+ *
+ * Each extension is a module under this directory exposing the contract:
+ *
+ *   {
+ *     id          : string                       // unique slug (becomes mcpServers key)
+ *     name        : string                       // human-readable name
+ *     description : string                       // shown to user during prompt
+ *     async isConfigured(): Promise<boolean>     // already set up on this machine?
+ *     async setup(options): Promise<{
+ *       configured: boolean,
+ *       message:    string,
+ *       skipReason?: string,
+ *     }>                                          // interactive: walks the user
+ *                                                 // through credential setup
+ *     async buildMcpEntry(): Promise<object>     // returns the entry to write
+ *                                                 // into mcpServers.<id>
+ *   }
+ *
+ * The registry walks the list, prompts the user for each, runs setup if
+ * accepted, and writes the resulting MCP entry into .mcp.json via
+ * addMcpEntry (which refuses any entry containing a value that looks like
+ * a secret — see mcp-config.js).
+ *
+ * No secret value is ever stored by this module. Per-extension credential
+ * persistence is the extension's responsibility (typically under ~/.config/
+ * or ~/.<package>/, never inside the project).
+ */
+
+'use strict';
+
+const path = require('path');
+const fs = require('fs-extra');
+const chalk = require('chalk');
+const inquirer = require('inquirer');
+
+const {
+  mcpConfig: { addMcpEntry },
+} = require('byan-platform-config');
+
+const gdrive = require('./gdrive');
+
+const EXTENSIONS = [gdrive];
+
+function listExtensions() {
+  return EXTENSIONS.map((ext) => ({
+    id: ext.id,
+    name: ext.name,
+    description: ext.description,
+  }));
+}
+
+function getExtension(id) {
+  return EXTENSIONS.find((ext) => ext.id === id) || null;
+}
+
+/**
+ * Walk every registered extension and offer it to the user. For each
+ * extension the user accepts, run its setup flow, then register the
+ * resulting MCP entry in .mcp.json.
+ *
+ * @param {string} projectRoot
+ * @param {{
+ *   skipPrompts?: boolean,
+ *   presetSelections?: Record<string, boolean>,  // { gdrive: true }
+ *   quiet?: boolean,
+ * }} options
+ * @returns {Promise<Array<{ id: string, configured: boolean, message: string }>>}
+ */
+async function setupMcpExtensions(projectRoot, options = {}) {
+  const log = options.quiet ? () => {} : (...a) => console.log(...a);
+  const results = [];
+
+  if (EXTENSIONS.length === 0) return results;
+
+  log();
+  log(chalk.cyan('MCP extensions (optional third-party integrations)'));
+
+  for (const ext of EXTENSIONS) {
+    let want;
+    if (options.skipPrompts) {
+      want = options.presetSelections && options.presetSelections[ext.id] === true;
+    } else {
+      const answers = await inquirer.prompt([
+        {
+          type: 'confirm',
+          name: 'enable',
+          message: `${ext.name} — ${ext.description}\n  Activer ?`,
+          default: false,
+        },
+      ]);
+      want = answers.enable === true;
+    }
+
+    if (!want) {
+      log(chalk.gray(`  · ${ext.id}: skipped`));
+      results.push({ id: ext.id, configured: false, message: 'skipped by user' });
+      continue;
+    }
+
+    let setupResult;
+    try {
+      setupResult = await ext.setup({ projectRoot, quiet: options.quiet });
+    } catch (err) {
+      log(chalk.red(`  ✘ ${ext.id} setup failed: ${err.message}`));
+      results.push({ id: ext.id, configured: false, message: `setup error: ${err.message}` });
+      continue;
+    }
+
+    if (!setupResult || setupResult.configured !== true) {
+      const reason = (setupResult && (setupResult.skipReason || setupResult.message)) || 'setup not completed';
+      log(chalk.yellow(`  ⚠ ${ext.id}: ${reason}`));
+      results.push({ id: ext.id, configured: false, message: reason });
+      continue;
+    }
+
+    let entry;
+    try {
+      entry = await ext.buildMcpEntry({ projectRoot });
+    } catch (err) {
+      log(chalk.red(`  ✘ ${ext.id} buildMcpEntry failed: ${err.message}`));
+      results.push({ id: ext.id, configured: false, message: `buildMcpEntry error: ${err.message}` });
+      continue;
+    }
+
+    try {
+      await addMcpEntry(projectRoot, ext.id, entry);
+      log(chalk.green(`  ✓ ${ext.id} registered in .mcp.json`));
+      results.push({ id: ext.id, configured: true, message: 'registered' });
+    } catch (err) {
+      log(chalk.red(`  ✘ ${ext.id} addMcpEntry failed: ${err.message}`));
+      results.push({ id: ext.id, configured: false, message: `addMcpEntry error: ${err.message}` });
+    }
+  }
+
+  return results;
+}
+
+module.exports = {
+  listExtensions,
+  getExtension,
+  setupMcpExtensions,
+  // re-exported for tests / programmatic callers
+  EXTENSIONS,
+};

package/install/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-byan-agent",
-  "version": "2.15.0",
+  "version": "2.16.1",
   "description": "BYAN v2.2.2 - Intelligent AI agent installer with multi-platform native support (GitHub Copilot CLI, Claude Code, Codex/OpenCode)",
   "bin": {
     "create-byan-agent": "bin/create-byan-agent-v2.js"

package/install/packages/platform-config/lib/mcp-config.js

@@ -3,7 +3,21 @@
  *
  * READ-MERGE-WRITE semantics : preserves all existing mcpServers.* entries
  * and, if byan entry already exists, preserves its command/args. Only the
- * env.BYAN_API_URL and env.BYAN_API_TOKEN are authoritative from caller.
+ * env.BYAN_API_URL is authoritative from caller.
+ *
+ * Security: BYAN_API_TOKEN is NEVER written into .mcp.json (which is
+ * checked into git). The token lives exclusively in:
+ *   - .env (gitignored, for shell tools and Codex CLI)
+ *   - .claude/settings.local.json (gitignored, for Claude Code MCP injection)
+ *
+ * Claude Code reads .claude/settings.local.json's "env" block at startup and
+ * injects those vars into every MCP server it spawns. So the token reaches
+ * the byan MCP server via that channel — no need to declare it in .mcp.json.
+ *
+ * The `token` parameter on this module's API is kept for backward-compat
+ * but is intentionally discarded (with a one-line audit trail in the
+ * returned result). Callers that supply a token should instead use
+ * envConfig.updateDotenv + envConfig.updateSettingsLocal.
  */
 
 const path = require('path');
@@ -11,6 +25,7 @@ const fs = require('fs-extra');
 const { stripApiSuffix } = require('./url-utils');
 
 const MCP_SERVER_REL_PATH = '_byan/mcp/byan-mcp-server/server.js';
+const TOKEN_PLACEHOLDER = '${BYAN_API_TOKEN}';
 
 async function readJsonOrEmpty(filePath) {
   if (await fs.pathExists(filePath)) {
@@ -43,11 +58,14 @@ async function readMcpConfig(projectRoot) {
  * Pure merge — no I/O. Returns a new config object with byan entry merged.
  * Useful for migrations that inspect the diff before writing.
  *
+ * BYAN_API_TOKEN is intentionally stripped from env (never written into
+ * .mcp.json). See module header for the rationale and the persistence path.
+ *
  * @param {object} existingConfig — current parsed config (may be {} or {mcpServers:{...}})
- * @param {{ apiUrl: string, token?: string }} opts
+ * @param {{ apiUrl: string, token?: string }} opts — `token` is accepted but discarded
  * @returns {object} new merged config
  */
-function mergeByanEntry(existingConfig, { apiUrl, token } = {}) {
+function mergeByanEntry(existingConfig, { apiUrl } = {}) {
   const cfg = existingConfig && typeof existingConfig === 'object' ? { ...existingConfig } : {};
   cfg.mcpServers = { ...(cfg.mcpServers || {}) };
 
@@ -56,11 +74,7 @@ function mergeByanEntry(existingConfig, { apiUrl, token } = {}) {
 
   const env = { ...(existing.env || {}) };
   env.BYAN_API_URL = cleanUrl;
-  if (token && typeof token === 'string' && token.length > 0) {
-    env.BYAN_API_TOKEN = token;
-  } else {
-    delete env.BYAN_API_TOKEN;
-  }
+  delete env.BYAN_API_TOKEN;
 
   cfg.mcpServers.byan = {
     command: 'node',
@@ -87,9 +101,94 @@ async function ensureMcpConfig(projectRoot, { apiUrl, token } = {}) {
   return { path: filePath };
 }
 
+/**
+ * Adds (or replaces) an arbitrary MCP server entry under mcpServers.<name>.
+ * Used by mcp-extensions to register third-party MCPs (gdrive, etc.) without
+ * touching the byan entry. Other entries are preserved.
+ *
+ * Security guard : refuses to write any value matching common token shapes
+ * directly into .mcp.json. Callers must put secrets in .env / settings.local
+ * and reference env-var names elsewhere.
+ *
+ * @param {string} projectRoot
+ * @param {string} name — server identifier (becomes the mcpServers key)
+ * @param {object} entry — { command, args?, env?, ... }
+ * @returns {Promise<{ path: string }>}
+ */
+async function addMcpEntry(projectRoot, name, entry) {
+  if (!name || typeof name !== 'string') {
+    throw new Error('addMcpEntry: name must be a non-empty string');
+  }
+  if (!entry || typeof entry !== 'object') {
+    throw new Error('addMcpEntry: entry must be an object');
+  }
+  assertNoSecretInEntry(entry);
+
+  const filePath = path.join(projectRoot, '.mcp.json');
+  const current = await readJsonOrEmpty(filePath);
+  const cfg = current && typeof current === 'object' ? { ...current } : {};
+  cfg.mcpServers = { ...(cfg.mcpServers || {}) };
+  cfg.mcpServers[name] = entry;
+  await fs.writeJson(filePath, cfg, { spaces: 2 });
+  return { path: filePath };
+}
+
+/**
+ * Removes an MCP server entry. No-op if the entry does not exist.
+ *
+ * @param {string} projectRoot
+ * @param {string} name
+ * @returns {Promise<{ path: string, removed: boolean }>}
+ */
+async function removeMcpEntry(projectRoot, name) {
+  const filePath = path.join(projectRoot, '.mcp.json');
+  const current = await readJsonOrEmpty(filePath);
+  if (!current || !current.mcpServers || !(name in current.mcpServers)) {
+    return { path: filePath, removed: false };
+  }
+  const cfg = { ...current, mcpServers: { ...current.mcpServers } };
+  delete cfg.mcpServers[name];
+  await fs.writeJson(filePath, cfg, { spaces: 2 });
+  return { path: filePath, removed: true };
+}
+
+const SECRET_SHAPES = [
+  /^byan_[a-f0-9]{20,}$/i,                  // byan tokens
+  /^ghp_[A-Za-z0-9]{30,}$/,                 // GitHub PAT
+  /^gho_[A-Za-z0-9]{30,}$/,                 // GitHub OAuth
+  /^github_pat_[A-Za-z0-9_]{60,}$/,         // GitHub PAT (new format)
+  /^sk-ant-[A-Za-z0-9_-]{20,}$/,            // Anthropic
+  /^sk-proj-[A-Za-z0-9_-]{20,}$/,           // OpenAI project
+  /^AIza[0-9A-Za-z_-]{30,}$/,               // Google API key
+  /^xox[bpao]-[0-9]+-[0-9]+-/,              // Slack
+  /^AKIA[0-9A-Z]{16}$/,                     // AWS
+];
+
+function looksLikeSecret(value) {
+  if (typeof value !== 'string') return false;
+  return SECRET_SHAPES.some((re) => re.test(value));
+}
+
+function assertNoSecretInEntry(entry) {
+  const env = (entry && entry.env) || {};
+  for (const [key, val] of Object.entries(env)) {
+    if (looksLikeSecret(val)) {
+      throw new Error(
+        `addMcpEntry: env.${key} looks like a secret. Refusing to write it into .mcp.json. ` +
+          `Put the value in .env (gitignored) and reference it via .claude/settings.local.json env, ` +
+          `or use \${VAR_NAME} if your MCP client supports env-var expansion.`
+      );
+    }
+  }
+}
+
 module.exports = {
   ensureMcpConfig,
   readMcpConfig,
   mergeByanEntry,
+  addMcpEntry,
+  removeMcpEntry,
+  looksLikeSecret,
   MCP_SERVER_REL_PATH,
+  TOKEN_PLACEHOLDER,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-byan-agent",
-  "version": "2.15.0",
+  "version": "2.16.1",
   "description": "BYAN v2.8 - Intelligent AI agent creator with ELO trust system + scientific fact-check + Hermes universal dispatcher + native Claude Code integration (hooks, skills, MCP server). Multi-platform (Copilot CLI, Claude Code, Codex). Merise Agile + TDD + 64 Mantras. ~54% LLM cost savings.",
   "main": "src/index.js",
   "bin": {

package/update-byan-agent/__tests__/migrate-mcp-config.test.js

@@ -13,6 +13,7 @@ const fs   = require('fs-extra');
 
 // Module under test (loaded once; all I/O goes to tmpdir per test)
 const { runMigration } = require('../lib/migrate-mcp-config');
+const { mcpConfig: { TOKEN_PLACEHOLDER } } = require('byan-platform-config');
 
 // ──────────────────────────────────────────────────────────────────────────────
 // Helpers
@@ -69,16 +70,16 @@ test('returns no-byan-server if .mcp.json has other servers but no byan entry',
 });
 
 // ──────────────────────────────────────────────────────────────────────────────
-// Test 3 — byan entry already has token and URL without /api suffix → already-ok
+// Test 3 — byan entry already has placeholder + clean URL → already-ok
 // ──────────────────────────────────────────────────────────────────────────────
-test('returns already-ok if byan entry has token and no /api suffix', async () => {
+test('returns already-ok if byan entry has no BYAN_API_TOKEN (token belongs in .env / settings.local.json)', async () => {
   const dir = await makeTmp();
   await writeMcp(dir, {
     mcpServers: {
       byan: {
         command: 'node',
         args:    ['_byan/mcp/byan-mcp-server/server.js'],
-        env:     { BYAN_API_URL: 'https://api.byan.io', BYAN_API_TOKEN: 'byan_tok' },
+        env:     { BYAN_API_URL: 'https://api.byan.io' },
       },
     },
   });
@@ -91,7 +92,7 @@ test('returns already-ok if byan entry has token and no /api suffix', async () =
 // ──────────────────────────────────────────────────────────────────────────────
 // Test 4 — needs token but .env + settings.local.json both empty → no-token-available
 // ──────────────────────────────────────────────────────────────────────────────
-test('returns no-token-available if .mcp.json needs token but sources are empty', async () => {
+test('returns already-ok if .mcp.json has no BYAN_API_TOKEN (token absence is now the desired state)', async () => {
   const dir = await makeTmp();
   await writeMcp(dir, {
     mcpServers: {
@@ -99,23 +100,19 @@ test('returns no-token-available if .mcp.json needs token but sources are empty'
         command: 'node',
         args:    ['_byan/mcp/byan-mcp-server/server.js'],
         env:     { BYAN_API_URL: 'https://api.byan.io' },
-        // no BYAN_API_TOKEN
       },
     },
   });
-  // no .env, no settings.local.json
   const result = await runMigration(dir);
   expect(result.migrated).toBe(false);
-  expect(result.reason).toBe('no-token-available');
-  expect(typeof result.hint).toBe('string');
-  expect(result.hint.length).toBeGreaterThan(0);
+  expect(result.reason).toBe('already-ok');
   await fs.remove(dir);
 });
 
 // ──────────────────────────────────────────────────────────────────────────────
 // Test 5 — migrates successfully: token from .env
 // ──────────────────────────────────────────────────────────────────────────────
-test('migrates: token from .env → .mcp.json env.BYAN_API_TOKEN', async () => {
+test('with token already absent in .mcp.json + .env populated: no-op (already-ok), .env preserved untouched', async () => {
   const dir = await makeTmp();
   await writeMcp(dir, {
     mcpServers: {
@@ -129,19 +126,18 @@ test('migrates: token from .env → .mcp.json env.BYAN_API_TOKEN', async () => {
   await writeDotenv(dir, 'BYAN_API_TOKEN=byan_from_dotenv\n');
 
   const result = await runMigration(dir);
-  expect(result.migrated).toBe(true);
-  expect(result.reason).toBe('healed');
-  expect(result.changes.length).toBeGreaterThanOrEqual(1);
+  expect(result.migrated).toBe(false);
+  expect(result.reason).toBe('already-ok');
 
-  const written = await readMcp(dir);
-  expect(written.mcpServers.byan.env.BYAN_API_TOKEN).toBe('byan_from_dotenv');
+  const dotenvAfter = await fs.readFile(path.join(dir, '.env'), 'utf8');
+  expect(dotenvAfter).toBe('BYAN_API_TOKEN=byan_from_dotenv\n');
   await fs.remove(dir);
 });
 
 // ──────────────────────────────────────────────────────────────────────────────
 // Test 6 — migrates successfully: token from .claude/settings.local.json fallback
 // ──────────────────────────────────────────────────────────────────────────────
-test('migrates: token from settings.local.json fallback', async () => {
+test('with token in settings.local.json + absent from .mcp.json: no-op (already-ok), settings preserved', async () => {
   const dir = await makeTmp();
   await writeMcp(dir, {
     mcpServers: {
@@ -152,22 +148,20 @@ test('migrates: token from settings.local.json fallback', async () => {
       },
     },
   });
-  // no .env, token in settings.local.json
   await writeSettingsLocal(dir, { env: { BYAN_API_TOKEN: 'byan_from_settings' } });
 
   const result = await runMigration(dir);
-  expect(result.migrated).toBe(true);
-  expect(result.reason).toBe('healed');
-
-  const written = await readMcp(dir);
-  expect(written.mcpServers.byan.env.BYAN_API_TOKEN).toBe('byan_from_settings');
+  expect(result.migrated).toBe(false);
+  expect(result.reason).toBe('already-ok');
+  const settings = await fs.readJson(path.join(dir, '.claude', 'settings.local.json'));
+  expect(settings.env.BYAN_API_TOKEN).toBe('byan_from_settings');
   await fs.remove(dir);
 });
 
 // ──────────────────────────────────────────────────────────────────────────────
 // Test 7 — strips /api suffix from BYAN_API_URL
 // ──────────────────────────────────────────────────────────────────────────────
-test('strips /api suffix from BYAN_API_URL', async () => {
+test('strips /api suffix and extracts clear token to .env (token removed from .mcp.json)', async () => {
   const dir = await makeTmp();
   await writeMcp(dir, {
     mcpServers: {
@@ -184,7 +178,60 @@ test('strips /api suffix from BYAN_API_URL', async () => {
 
   const written = await readMcp(dir);
   expect(written.mcpServers.byan.env.BYAN_API_URL).toBe('https://api.byan.io');
-  expect(written.mcpServers.byan.env.BYAN_API_TOKEN).toBe('byan_tok');
+  expect(written.mcpServers.byan.env.BYAN_API_TOKEN).toBeUndefined();
+  const dotenvContent = await fs.readFile(path.join(dir, '.env'), 'utf8');
+  expect(dotenvContent).toContain('BYAN_API_TOKEN=byan_tok');
+  const raw = await fs.readFile(path.join(dir, '.mcp.json'), 'utf8');
+  expect(raw).not.toContain('byan_tok');
+  await fs.remove(dir);
+});
+
+test('extracts clear token from .mcp.json into .env and removes it from .mcp.json (security migration)', async () => {
+  const dir = await makeTmp();
+  await writeMcp(dir, {
+    mcpServers: {
+      byan: {
+        command: 'node',
+        args:    ['_byan/mcp/byan-mcp-server/server.js'],
+        env:     { BYAN_API_URL: 'https://api.byan.io', BYAN_API_TOKEN: 'byan_leaked_in_clear' },
+      },
+    },
+  });
+
+  const result = await runMigration(dir);
+  expect(result.migrated).toBe(true);
+  expect(result.reason).toBe('healed');
+  expect(result.changes.some((c) => /extracted/i.test(c))).toBe(true);
+
+  const written = await readMcp(dir);
+  expect(written.mcpServers.byan.env.BYAN_API_TOKEN).toBeUndefined();
+
+  const raw = await fs.readFile(path.join(dir, '.mcp.json'), 'utf8');
+  expect(raw).not.toContain('byan_leaked_in_clear');
+
+  const dotenvContent = await fs.readFile(path.join(dir, '.env'), 'utf8');
+  expect(dotenvContent).toContain('BYAN_API_TOKEN=byan_leaked_in_clear');
+  await fs.remove(dir);
+});
+
+test('removes ${BYAN_API_TOKEN} placeholder from .mcp.json (no value to extract)', async () => {
+  const dir = await makeTmp();
+  await writeMcp(dir, {
+    mcpServers: {
+      byan: {
+        command: 'node',
+        args:    ['_byan/mcp/byan-mcp-server/server.js'],
+        env:     { BYAN_API_URL: 'https://api.byan.io', BYAN_API_TOKEN: TOKEN_PLACEHOLDER },
+      },
+    },
+  });
+
+  const result = await runMigration(dir);
+  expect(result.migrated).toBe(true);
+  expect(result.reason).toBe('healed');
+
+  const written = await readMcp(dir);
+  expect(written.mcpServers.byan.env.BYAN_API_TOKEN).toBeUndefined();
   await fs.remove(dir);
 });
 
@@ -215,6 +262,9 @@ test('dry-run: does not write .mcp.json but returns changes', async () => {
   const afterMcp = await readMcp(dir);
   expect(afterMcp.mcpServers.byan.env.BYAN_API_URL).toBe('https://api.byan.io/api');
   expect(afterMcp.mcpServers.byan.env.BYAN_API_TOKEN).toBeUndefined();
+  // .env must NOT have been touched on dry-run either
+  const dotenvAfter = await fs.readFile(path.join(dir, '.env'), 'utf8');
+  expect(dotenvAfter).toBe('BYAN_API_TOKEN=byan_dryrun_tok\n');
   await fs.remove(dir);
 });
 

package/update-byan-agent/lib/migrate-mcp-config.js

@@ -1,16 +1,20 @@
 /**
  * migrate-mcp-config — self-healing migration for pre-fix BYAN installs.
  *
- * Injects BYAN_API_TOKEN into .mcp.json env block if absent, and strips the
- * legacy /api suffix from BYAN_API_URL. Uses byan-platform-config primitives
- * exclusively; no duplicated logic here.
+ * Heals three drift cases on .mcp.json:
+ *   1. token missing       → injects ${BYAN_API_TOKEN} placeholder
+ *   2. url has /api suffix → strips it
+ *   3. token in clear      → extracts to .env and replaces with placeholder
+ *                            (security fix from BYAN >=2.16.0)
+ *
+ * Uses byan-platform-config primitives exclusively; no duplicated logic here.
  */
 
 const chalk = require('chalk');
 const ora = require('ora');
 const {
-  mcpConfig: { readMcpConfig, ensureMcpConfig },
-  envConfig:  { readEnvToken },
+  mcpConfig: { readMcpConfig, ensureMcpConfig, TOKEN_PLACEHOLDER },
+  envConfig:  { readEnvToken, updateDotenv },
   urlUtils:   { stripApiSuffix },
 } = require('byan-platform-config');
 
@@ -65,32 +69,27 @@ async function runMigration(projectRoot, { dryRun = false, verbose = false } = {
   stopSpinner(chalk.gray('.mcp.json lu'), true);
 
   // 3. Diagnose
-  const tokenMissing   = !byan.env || !byan.env.BYAN_API_TOKEN;
-  const urlHasApiSuffix = /\/api\/?$/.test(byan.env && byan.env.BYAN_API_URL || '');
+  const currentToken      = (byan.env && byan.env.BYAN_API_TOKEN) || '';
+  const tokenIsPlaceholder = currentToken === TOKEN_PLACEHOLDER;
+  const tokenInClear      = !!currentToken && !tokenIsPlaceholder;
+  const tokenIsLegacy     = !!currentToken; // any non-empty value is legacy: token must not live in .mcp.json
+  const urlHasApiSuffix   = /\/api\/?$/.test(byan.env && byan.env.BYAN_API_URL || '');
 
   // 4. Nothing to do?
-  if (!tokenMissing && !urlHasApiSuffix) {
-    log(chalk.green('  .mcp.json est deja a jour (token present, URL correcte)'));
+  if (!tokenIsLegacy && !urlHasApiSuffix) {
+    log(chalk.green('  .mcp.json est deja a jour (token absent du fichier, URL correcte)'));
     return { migrated: false, reason: 'already-ok' };
   }
 
   const changes = [];
-
-  // 5. Resolve token
-  let token = byan.env && byan.env.BYAN_API_TOKEN; // may already exist (url-only fix)
-  if (tokenMissing) {
-    startSpinner('Recherche BYAN_API_TOKEN (.env / settings.local.json)...');
-    token = await readEnvToken(projectRoot);
-    if (!token) {
-      stopSpinner(chalk.yellow('Token introuvable'), false);
-      return {
-        migrated: false,
-        reason:   'no-token-available',
-        hint:     'Re-run npx create-byan-agent to prompt for a token',
-      };
-    }
-    stopSpinner(chalk.green('Token trouve'), true);
-    changes.push('BYAN_API_TOKEN injected into .mcp.json env');
+  let extractedClearToken = null;
+
+  // 5. Detect a clear-text token to relocate to .env
+  if (tokenInClear) {
+    extractedClearToken = currentToken;
+    changes.push('BYAN_API_TOKEN extracted from .mcp.json (clear) into .env, removed from .mcp.json');
+  } else if (tokenIsPlaceholder) {
+    changes.push('BYAN_API_TOKEN placeholder removed from .mcp.json (token now resolved via settings.local.json env)');
   }
 
   // 6. Resolve URL
@@ -108,9 +107,16 @@ async function runMigration(projectRoot, { dryRun = false, verbose = false } = {
     return { migrated: false, reason: 'dry-run', changes };
   }
 
-  // 8. Apply via ensureMcpConfig
+  // 8. Apply
   startSpinner('Application de la migration...');
-  await ensureMcpConfig(projectRoot, { apiUrl: cleanUrl || existingUrl, token });
+  if (extractedClearToken) {
+    const existingDotenvToken = await readEnvToken(projectRoot);
+    if (!existingDotenvToken || existingDotenvToken !== extractedClearToken) {
+      await updateDotenv(projectRoot, { BYAN_API_TOKEN: extractedClearToken });
+    }
+  }
+  // ensureMcpConfig always strips BYAN_API_TOKEN from .mcp.json (security)
+  await ensureMcpConfig(projectRoot, { apiUrl: cleanUrl || existingUrl });
   stopSpinner(chalk.green('.mcp.json migre avec succes'), true);
 
   // 9. Return result