v1.1.0

Highlights

• Credential encryption at rest — session files (~/.qalabs/session/*/session.json) are now stored as AES-256-GCM ciphertext, key derived (HKDF-SHA256) from a machine fingerprint (/etc/machine-id on Linux, IOPlatformUUID on macOS, MachineGuid on Windows; falls back to hostname + user). File mode forced to 0600, atomic write via .tmp + rename. Same treatment for the global ~/.qalabs/config.json.
• Lazy migration — legacy plaintext sessions from v1.0.x are still readable; the next save transparently upgrades the file.
• configure is interactive-only — qalabs configure no longer accepts app_id / app_secret / admin_email as positional argv (closed bash_history / ps aux leaks). For CI, supply credentials via QALABS_APP_ID, QALABS_APP_SECRET, QALABS_ADMIN_EMAIL, QALABS_SERVER.
• New: qalabs update [--check] — queries the latest release via gh release view, downloads the new bundle via gh release download, atomically replaces the binary. Requires the same gh auth used at install time.
• New: qalabs uninstall — removes the install.sh-installed binary; refuses for npm link / unknown layouts; prompts before deleting ~/.qalabs/; never touches project-level .qalabs/.

Install / upgrade

Prerequisites: Node.js 16+, gh CLI authenticated with repo scope.

gh release download --repo Qiscus-Integration/agentlabs_cli \
  --pattern install.sh -O- | sh

Existing users:

qalabs update

Escape hatch

If ~/.qalabs/ lives on shared storage (NFS) or the same session must work across containers with a varying machine fingerprint, set QALABS_DISABLE_ENCRYPTION=1 to keep plaintext-on-disk (mode 0600 still enforced).