fix: address critical security issues from CI review

- Set secure permissions (600) on API keys file
- Remove API key from URL in Exa MCP config (use env vars instead)
- Fix race condition in debug script using mktemp
- Replace hardcoded user paths with dynamic $HOME

Security fixes per CI recommendations:
- API key file now has owner-only read/write permissions
- API keys passed via environment variables, not URLs
- Temporary files use mktemp for safe creation
- All paths now use $HOME for portability

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: mojwang

lib/common.sh

@@ -475,17 +475,17 @@ export -f kill_all_test_jobs
 # MCP server configurations - base paths
 declare -A MCP_SERVER_BASE_PATHS=(
     # Official servers
-    ["filesystem"]="/Users/mojwang/repos/mcp-servers/official/filesystem"
-    ["memory"]="/Users/mojwang/repos/mcp-servers/official/memory"
-    ["sequentialthinking"]="/Users/mojwang/repos/mcp-servers/official/sequentialthinking"
-    ["git"]="/Users/mojwang/repos/mcp-servers/official/git"
-    ["fetch"]="/Users/mojwang/repos/mcp-servers/official/fetch"
+    ["filesystem"]="$HOME/repos/mcp-servers/official/filesystem"
+    ["memory"]="$HOME/repos/mcp-servers/official/memory"
+    ["sequentialthinking"]="$HOME/repos/mcp-servers/official/sequentialthinking"
+    ["git"]="$HOME/repos/mcp-servers/official/git"
+    ["fetch"]="$HOME/repos/mcp-servers/official/fetch"
     # Community servers
-    ["context7"]="/Users/mojwang/repos/mcp-servers/community/context7"
-    ["playwright"]="/Users/mojwang/repos/mcp-servers/community/playwright"
-    ["figma"]="/Users/mojwang/repos/mcp-servers/community/figma"
-    ["exa"]="/Users/mojwang/repos/mcp-servers/community/exa"
-    ["semgrep"]="/Users/mojwang/repos/mcp-servers/community/semgrep"
+    ["context7"]="$HOME/repos/mcp-servers/community/context7"
+    ["playwright"]="$HOME/repos/mcp-servers/community/playwright"
+    ["figma"]="$HOME/repos/mcp-servers/community/figma"
+    ["exa"]="$HOME/repos/mcp-servers/community/exa"
+    ["semgrep"]="$HOME/repos/mcp-servers/community/semgrep"
 )
 
 # MCP server executable patterns - used to find the actual executable
@@ -598,7 +598,7 @@ generate_mcp_server_config() {
       "command": "node",
       "args": [
         "$server_path",
-        "/Users/mojwang"
+        "$HOME"
       ]
     }
 EOF

scripts/debug-mcp-servers.sh

@@ -31,15 +31,17 @@ test_server() {
         TIMEOUT_CMD="timeout 5s"
     else
         # Fallback: run in background and kill after 5 seconds
-        ("$command" "${args[@]}" 2>&1 | grep -q "Content-Type: application/vnd.mcp" && echo "OK" > /tmp/mcp_test_$$.tmp) &
+        local tmp_file=$(mktemp /tmp/mcp_test_XXXXXX.tmp)
+        ("$command" "${args[@]}" 2>&1 | grep -q "Content-Type: application/vnd.mcp" && echo "OK" > "$tmp_file") &
         local pid=$!
         sleep 5
         kill -0 $pid 2>/dev/null && kill -9 $pid 2>/dev/null
-        if [ -f /tmp/mcp_test_$$.tmp ]; then
-            rm -f /tmp/mcp_test_$$.tmp
+        if [ -f "$tmp_file" ] && [ -s "$tmp_file" ]; then
+            rm -f "$tmp_file"
             echo "✓ Working"
             return 0
         else
+            rm -f "$tmp_file"
             echo "✗ Failed"
             return 1
         fi

scripts/setup-dotfiles.sh

@@ -72,6 +72,10 @@ if [[ -d "dotfiles/.config/zsh" ]]; then
     mkdir -p ~/.config/zsh
 
     if cp -r dotfiles/.config/zsh/* ~/.config/zsh/ 2>/dev/null; then
+        # Set secure permissions on API keys file
+        if [[ -f ~/.config/zsh/51-api-keys.zsh ]]; then
+            chmod 600 ~/.config/zsh/51-api-keys.zsh
+        fi
         print_success "Zsh modular configuration installed"
     else
         print_warning "Failed to install Zsh modular configuration"

scripts/update-exa-mcp.sh

@@ -52,9 +52,11 @@ settings['mcpServers']['exa'] = {
     "command": "npx",
     "args": [
         "-y",
-        "mcp-remote",
-        f"https://mcp.exa.ai/mcp?exaApiKey={api_key}"
-    ]
+        "@modelcontextprotocol/server-exa"
+    ],
+    "env": {
+        "EXA_API_KEY": api_key
+    }
 }
 
 # Write updated settings