feat: auth security upgrade — manual login, storage panel, backup/restore, browser choice

Addresses Airtable team concerns about credential safety:
- Manual/Auto login mode toggle (manual = zero credentials stored)
- Manual login runner opens visible browser for user to authenticate
- Profile path canonicalized to ~/.airtable-user-mcp/.chrome-profile/
- Credential forwarding gated on loginMode in MCP registration
- Logout clears both OS keychain and browser profile
- Session expiry notification with re-login button (manual mode)
- Browser selection dropdown with custom path support
- Browser choice propagated to external IDE configs
- Storage & Data panel with paths, sizes, open-in-explorer
- Encrypted backup/restore (AES-256-GCM) for session data
- OS-level file permission hardening (chmod/icacls)
- 27 tests passing, VSIX packages cleanly

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ARHAEEM

packages/extension/package.json

@@ -229,6 +229,40 @@
           "maximum": 168,
           "description": "Hours between automatic session health checks (1–168)."
         },
+        "airtableFormula.auth.loginMode": {
+          "type": "string",
+          "enum": [
+            "manual",
+            "auto"
+          ],
+          "default": "manual",
+          "description": "Login mode: 'manual' opens a browser for you to log in, 'auto' uses stored credentials for automated login."
+        },
+        "airtableFormula.auth.browserChoice": {
+          "type": "object",
+          "default": {
+            "mode": "auto"
+          },
+          "description": "Browser selection for authentication. Set via the dashboard UI.",
+          "properties": {
+            "mode": {
+              "type": "string",
+              "enum": [
+                "auto",
+                "custom"
+              ]
+            },
+            "channel": {
+              "type": "string"
+            },
+            "executablePath": {
+              "type": "string"
+            },
+            "label": {
+              "type": "string"
+            }
+          }
+        },
         "airtableFormula.mcp.toolProfile": {
           "type": "string",
           "default": "safe-write",
@@ -327,11 +361,15 @@
     "@airtable-formula/shared": "workspace:*"
   },
   "devDependencies": {
+    "@types/adm-zip": "^0.5.8",
+    "@types/archiver": "^7.0.0",
     "@types/node": "^20.0.0",
     "@types/vscode": "^1.100.0",
     "@vscode/test-electron": "^2.4.0",
     "@vscode/vsce": "^3.0.0",
+    "adm-zip": "^0.5.17",
     "airtable-user-mcp": "workspace:*",
+    "archiver": "^7.0.1",
     "tsup": "^8.0.0",
     "typescript": "^5.4.0",
     "vitest": "^1.6.0"

packages/extension/src/auto-config/index.ts

@@ -2,6 +2,7 @@ import * as path from 'path';
 import * as os from 'os';
 import * as fs from 'fs';
 import type { IdeId, IdeStatus, AiFiles } from '@airtable-formula/shared';
+import { getSettings } from '../settings.js';
 import { IDE_CONFIGS } from './ide-configs.js';
 import { detectInstalledIdes, isIdeInstalled, readConfigFile, writeConfigAtomic, mergeServerEntry, removeServerEntry } from './ide-detection.js';
 
@@ -53,21 +54,38 @@ export async function ensureLauncher(serverPath: string): Promise<void> {
 }
 
 export function buildServerEntry(_serverPath: string): Record<string, unknown> {
-  // Point to the stable launcher — no version number in this path
+  const env: Record<string, string> = {
+    AIRTABLE_HEADLESS_ONLY: '1',
+    AIRTABLE_PROFILE_DIR: path.join(os.homedir(), '.airtable-user-mcp', '.chrome-profile'),
+  };
+
+  const settings = getSettings();
+  const choice = settings.auth.browserChoice;
+  if (choice?.channel) env.AIRTABLE_BROWSER_CHANNEL = choice.channel;
+  if (choice?.executablePath) env.AIRTABLE_BROWSER_PATH = choice.executablePath;
+
   return {
     command: 'node',
     args: [LAUNCHER_SCRIPT],
-    env: {
-      AIRTABLE_HEADLESS_ONLY: '1',
-    },
+    env,
   };
 }
 
 export function buildNpxServerEntry(): Record<string, unknown> {
+  const env: Record<string, string> = {
+    AIRTABLE_HEADLESS_ONLY: '1',
+    AIRTABLE_PROFILE_DIR: path.join(os.homedir(), '.airtable-user-mcp', '.chrome-profile'),
+  };
+
+  const settings = getSettings();
+  const choice = settings.auth.browserChoice;
+  if (choice?.channel) env.AIRTABLE_BROWSER_CHANNEL = choice.channel;
+  if (choice?.executablePath) env.AIRTABLE_BROWSER_PATH = choice.executablePath;
+
   return {
     command: 'npx',
     args: ['-y', 'airtable-user-mcp'],
-    env: { AIRTABLE_HEADLESS_ONLY: '1' },
+    env,
   };
 }
 

packages/extension/src/extension.ts

@@ -433,32 +433,33 @@ export async function activate(context: vscode.ExtensionContext): Promise<void>
     // ── Auth commands ────────────────────────────────────────────────────
     context.subscriptions.push(
         vscode.commands.registerCommand('airtable-formula.login', async () => {
-            const hasCreds = await authManager.hasCredentials();
-            if (!hasCreds) {
-                vscode.window.showWarningMessage('Airtable Formula: No credentials stored. Open Settings tab in the dashboard to save your Airtable credentials.');
-                return;
+          const settings = getSettings();
+          if (settings.auth.loginMode === 'manual') {
+            await vscode.window.withProgress(
+              { location: vscode.ProgressLocation.Notification, title: 'Airtable: Opening browser for login...' },
+              () => authManager.manualLogin(),
+            );
+          } else {
+            if (!(await authManager.hasCredentials())) {
+              vscode.window.showWarningMessage('Airtable Formula: No credentials stored. Open Settings tab in the dashboard to save your Airtable credentials.');
+              return;
             }
-            vscode.window.withProgress(
-                { location: vscode.ProgressLocation.Notification, title: 'Airtable Formula: Logging in...', cancellable: false },
-                async () => {
-                    debugCollector.trace('ext', 'auth', 'auth:login_start', { method: 'programmatic' });
-                    const state = await authManager.login();
-                    debugCollector.trace('ext', 'auth', 'auth:login_result', {
-                        success: state.status === 'valid',
-                    }, state.status !== 'valid' ? state.error : undefined);
-                    if (state.status === 'valid') {
-                        vscode.window.showInformationMessage(`Airtable Formula: Logged in successfully (${state.userId || 'unknown user'}).`);
-                    } else {
-                        vscode.window.showErrorMessage(`Airtable Formula: Login failed — ${state.error || 'unknown error'}.`);
-                    }
-                    dashboardProvider.refresh();
-                }
+            await vscode.window.withProgress(
+              { location: vscode.ProgressLocation.Notification, title: 'Airtable: Logging in...' },
+              () => authManager.login(),
             );
+          }
         }),
         vscode.commands.registerCommand('airtable-formula.logout', async () => {
-            await authManager.clearCredentials();
-            vscode.window.showInformationMessage('Airtable Formula: Credentials cleared.');
-            dashboardProvider.refresh();
+          const confirm = await vscode.window.showWarningMessage(
+            'This will clear your Airtable browser session and any stored credentials. You\'ll need to log in again.',
+            { modal: true },
+            'Logout',
+          );
+          if (confirm !== 'Logout') return;
+          await authManager.logout();
+          dashboardProvider.refresh();
+          vscode.window.showInformationMessage('Airtable: Logged out and session cleared.');
         }),
         vscode.commands.registerCommand('airtable-formula.status', async () => {
             vscode.window.withProgress(