feat: use get.agent-vault.dev short URL and add anonymous install beacon #95
Code review found 1 important issue
Found 6 candidates, confirmed 4. See review comments for details.
Details
| Severity | Count |
|---|---|
| 🔴 Important | 1 |
| 🟡 Nit | 2 |
| 🟣 Pre-existing | 1 |
| Severity | File:Line | Issue |
|---|---|---|
| 🔴 Important | install.sh:12 |
Telemetry opt-out command in comment uses wrong shell syntax |
| 🟡 Nit | docs/self-hosting/local.mdx:8-12 |
Telemetry disclosure Note missing from self-hosting/local.mdx |
| 🟡 Nit | install.sh:186-192 |
AGENT_VAULT_NO_TELEMETRY not documented in required env var files |
| 🟣 Pre-existing | install.sh:180-195 |
BACKUP_FILE referenced when potentially unset, producing misleading warning |
Annotations
Check failure on line 12 in install.sh
claude / Claude Code Review
Telemetry opt-out command in comment uses wrong shell syntax
The telemetry opt-out command documented in install.sh (line 12) and docs/installation.mdx is syntactically incorrect: `AGENT_VAULT_NO_TELEMETRY=1 curl -fsSL https://get.agent-vault.dev | sh` sets the variable only in curl's environment, not in the downstream `sh` process that actually checks it — so the beacon fires regardless. Fix by moving the prefix to `sh`: `curl -fsSL https://get.agent-vault.dev | AGENT_VAULT_NO_TELEMETRY=1 sh`, or use `export AGENT_VAULT_NO_TELEMETRY=1 &&` before the pipe
Check warning on line 12 in docs/self-hosting/local.mdx
claude / Claude Code Review
Telemetry disclosure Note missing from self-hosting/local.mdx
The PR adds a telemetry disclosure `<Note>` to `docs/installation.mdx` after the install command, but the equivalent disclosure is missing from `docs/self-hosting/local.mdx`, which documents the identical `curl -fsSL https://get.agent-vault.dev | sh` command at both the install section (line 11) and the upgrade section (line 117). Users following the self-hosting guide will have the beacon fire without receiving any notice or opt-out instructions.
Check warning on line 192 in install.sh
claude / Claude Code Review
AGENT_VAULT_NO_TELEMETRY not documented in required env var files
The PR introduces AGENT_VAULT_NO_TELEMETRY in install.sh but omits it from the three files that CLAUDE.md mandates be updated for every new environment variable: .env.example, docs/self-hosting/environment-variables.mdx, and docs/reference/cli.mdx. Users consulting the canonical environment-variable reference will find no entry for this opt-out mechanism.
Check notice on line 195 in install.sh
claude / Claude Code Review
BACKUP_FILE referenced when potentially unset, producing misleading warning
Pre-existing bug: `BACKUP_FILE` is only assigned inside `if [ -f "$DB_FILE" ]`, but is referenced at two later points guarded solely by `if [ -n "$EXISTING_VERSION" ]`. If the `agent-vault` binary is on PATH (so `EXISTING_VERSION` is set) but the database file has never been created (server was never started), the script prints "A database backup was saved at: " and "Database backup: " with an empty path — falsely claiming a backup was made. The fix is to guard both references with an additional