8 changes: 6 additions & 2 deletions docs/installation.mdx
Expand Up @@ -13,11 +13,15 @@ Agent Vault ships as a single binary that acts as both a server and CLI client.
Works for both fresh installs and upgrades (backs up your database before upgrading).

```bash
curl -fsSL https://raw.githubusercontent.com/Infisical/agent-vault/main/install.sh | sh
curl -fsSL https://get.agent-vault.dev | sh
```

Supports macOS (Intel + Apple Silicon) and Linux (x86\_64 + ARM64).

<Note>
On a successful install the script sends an anonymous ping (OS, architecture, version — nothing else) so we can count installs for the launch. Opt out with `AGENT_VAULT_NO_TELEMETRY=1`.
</Note>

</Tab>
<Tab title="Docker">
No build tools required. Pull the image and run:
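Review bot: The Note's "nothing else" understates what the beacon sends: the request added in install.sh also carries `event=install` or `event=upgrade` in its query string. List the event field here or drop "nothing else". The Note also names the variable without a command; because the script is piped into `sh`, show the full opt-out invocation so readers set the variable where the script can see it.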
Expand Down Expand Up @@ -73,7 +77,7 @@ cosign verify-blob \
Re-run the same install command — the script detects your existing installation, stops the running server, backs up your database, and installs the latest version:

```bash
curl -fsSL https://raw.githubusercontent.com/Infisical/agent-vault/main/install.sh | sh
curl -fsSL https://get.agent-vault.dev | sh
```

Restart the server afterward:
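Review bot: This upgrade section runs the same piped command but carries no telemetry notice or opt-out, even though the beacon in install.sh fires on this path too (it sets `EVENT="upgrade"` when an existing version is found). Repeat the `<Note>` here or link back to it, and adjust the Note's "count installs" wording so it covers upgrades.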
4 changes: 2 additions & 2 deletions docs/self-hosting/local.mdx
Expand Up @@ -5,11 +5,11 @@

## Install

Auto-detects your OS and architecture, downloads the latest release, and installs. Works for both fresh installs and upgrades.

```bash
curl -fsSL https://raw.githubusercontent.com/Infisical/agent-vault/main/install.sh | sh
curl -fsSL https://get.agent-vault.dev | sh
```

Check warning on line 12 in docs/self-hosting/local.mdx

Claude / Claude Code Review

Telemetry disclosure Note missing from self-hosting/local.mdx

The PR adds a telemetry disclosure `<Note>` to `docs/installation.mdx` after the install command, but the equivalent disclosure is missing from `docs/self-hosting/local.mdx`, which documents the identical `curl -fsSL https://get.agent-vault.dev | sh` command at both the install section (line 11) and the upgrade section (line 117). Users following the self-hosting guide will have the beacon fire without receiving any notice or opt-out instructions.
dangtony98 marked this conversation as resolved.

Supports macOS (Intel + Apple Silicon) and Linux (x86\_64 + ARM64).
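Review bot: The replaced command named the repository and branch it fetched from, while `https://get.agent-vault.dev` tells the reader nothing about what is served, and the response goes straight into `sh`. Say next to the command what the host serves (presumably `install.sh` from this repository) and link the file so it can be read before running, or offer a download-then-run variant alongside the one-liner.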

Expand Down Expand Up @@ -114,7 +114,7 @@
Re-run the same install command — the script detects your existing installation, stops the running server, backs up your database, and installs the latest version:

```bash
curl -fsSL https://raw.githubusercontent.com/Infisical/agent-vault/main/install.sh | sh
curl -fsSL https://get.agent-vault.dev | sh
```

Restart the server afterward:
16 changes: 15 additions & 1 deletion install.sh
Expand Up @@ -2,10 +2,14 @@
set -e

# Agent Vault installer
# Usage: curl -fsSL https://raw.githubusercontent.com/Infisical/agent-vault/main/install.sh | sh
# Usage: curl -fsSL https://get.agent-vault.dev | sh
#
# Supports: macOS (Intel + Apple Silicon), Linux (amd64 + arm64)
# Works for both fresh install and upgrade.
#
# Privacy: on successful install, sends an anonymous ping with OS, arch,
# and version only — no identifiers, no IP retention. Opt out with:
# AGENT_VAULT_NO_TELEMETRY=1 curl -fsSL https://get.agent-vault.dev | sh

Check failure on line 12 in install.sh

Claude / Claude Code Review

Telemetry opt-out command in comment uses wrong shell syntax

The telemetry opt-out command documented in install.sh (line 12) and docs/installation.mdx is syntactically incorrect: `AGENT_VAULT_NO_TELEMETRY=1 curl -fsSL https://get.agent-vault.dev | sh` sets the variable only in curl's environment, not in the downstream `sh` process that actually checks it — so the beacon fires regardless. Fix by moving the prefix to `sh`: `curl -fsSL https://get.agent-vault.dev | AGENT_VAULT_NO_TELEMETRY=1 sh`, or use `export AGENT_VAULT_NO_TELEMETRY=1 &&` before the pipe

🔴 The telemetry opt-out command documented in install.sh (line 12) and docs/installation.mdx is syntactically incorrect: AGENT_VAULT_NO_TELEMETRY=1 curl -fsSL https://get.agent-vault.dev | sh sets the variable only in curl's environment, not in the downstream sh process that actually checks it — so the beacon fires regardless. Fix by moving the prefix to sh: curl -fsSL https://get.agent-vault.dev | AGENT_VAULT_NO_TELEMETRY=1 sh, or use export AGENT_VAULT_NO_TELEMETRY=1 && before the pipeline.

Extended reasoning...

What the bug is and how it manifests

The install.sh comment (line 12) and the docs/installation.mdx <Note> both document the telemetry opt-out as:

AGENT_VAULT_NO_TELEMETRY=1 curl -fsSL https://get.agent-vault.dev | sh

This syntax is incorrect. In POSIX shell, a VAR=value prefix on a command sets that variable only in the environment of the immediately following command — here, curl. It does not propagate to subsequent stages of the pipeline. The sh process that fetches and executes the downloaded script is a separate process that inherits from the parent shell's environment, where AGENT_VAULT_NO_TELEMETRY is not set.

The specific code path that triggers it

At install.sh line 186 (in the new main() block added by this PR), the script checks:

if [ -z "$AGENT_VAULT_NO_TELEMETRY" ]; then

When a user follows the documented procedure, sh sees AGENT_VAULT_NO_TELEMETRY as empty (because curl consumed the prefix, not sh), the condition is true, and the beacon fires unconditionally.

Why existing code doesn't prevent it

The check itself is correct — it correctly gates the beacon on the variable being non-empty. The problem is purely in the documentation: the example command sets the variable in the wrong process. No runtime guard exists to detect or compensate for this mis-invocation.

What the impact would be

Users who explicitly follow the documented privacy opt-out procedure will still have their install telemetrized without their knowledge or consent. This silently violates stated user intent and contradicts the privacy promise made in both the script comment and the docs Note. Since this is a new feature introduced by this PR, the broken opt-out ships alongside the first deployment of the beacon.

How to fix it

Two correct forms exist:

  1. Move the prefix to sh (the process that actually uses it):
     `curl -fsSL https://get.agent-vault.dev | AGENT_VAULT_NO_TELEMETRY=1 sh`
  2. Export the variable before the pipeline:
     `export AGENT_VAULT_NO_TELEMETRY=1 && curl -fsSL https://get.agent-vault.dev | sh`

Both install.sh line 12 and docs/installation.mdx should be updated with the correct form. The docs Note currently says only "Opt out with `AGENT_VAULT_NO_TELEMETRY=1`" without showing any command — it should show the correct invocation explicitly.

Step-by-step proof

  1. User reads the docs/installation.mdx Note or the install.sh comment and decides to opt out.
  2. User runs: AGENT_VAULT_NO_TELEMETRY=1 curl -fsSL https://get.agent-vault.dev | sh
  3. The shell forks curl with AGENT_VAULT_NO_TELEMETRY=1 in its environment; curl downloads the script and writes it to the pipe. AGENT_VAULT_NO_TELEMETRY plays no role in curl's behavior.
  4. The shell simultaneously forks sh to read from the pipe. sh inherits the parent shell's environment, which has no AGENT_VAULT_NO_TELEMETRY variable set.
  5. The script runs inside sh; at line 186, [ -z "$AGENT_VAULT_NO_TELEMETRY" ] evaluates to true (variable is unset/empty).
  6. The beacon curl -fsS -m 3 "https://get.agent-vault.dev/ok?..." fires.
  7. User believes they opted out; telemetry was collected anyway.

Empirical confirmation: running TEST=1 true | bash -c 'echo ${TEST:-UNSET}' outputs UNSET, proving the variable does not cross pipeline stage boundaries.
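The scoping behaviour described in the review comment above, as an added example that is not part of the PR or the project's script. `INSTALLER` and `fetch` are constructed stand-ins for `install.sh`'s gate and for `curl`, so nothing is downloaded; the example goes one step beyond the comment by also covering a set-but-empty value.

```bash
#!/bin/sh
# Constructed stand-in for the installer: only the opt-out gate from install.sh.
INSTALLER='if [ -z "$AGENT_VAULT_NO_TELEMETRY" ]; then echo beacon-sent; else echo beacon-skipped; fi'

# Stand-in for `curl -fsSL <url>`: writes the script to stdout, no network.
fetch() { printf '%s\n' "$INSTALLER"; }

# Each form runs in a subshell with the variable cleared first, so the
# result depends only on how that invocation passes it along.

prefix_on_fetch() {     # form documented in the PR: reaches the left stage only
    ( unset AGENT_VAULT_NO_TELEMETRY
      AGENT_VAULT_NO_TELEMETRY=1 fetch | sh )
}

prefix_on_sh() {        # prefix on the process that runs the script
    ( unset AGENT_VAULT_NO_TELEMETRY
      fetch | AGENT_VAULT_NO_TELEMETRY=1 sh )
}

exported_first() {      # exported in the parent, inherited by every stage
    ( unset AGENT_VAULT_NO_TELEMETRY
      export AGENT_VAULT_NO_TELEMETRY=1
      fetch | sh )
}

empty_value_on_sh() {   # set but empty: the -z test still treats it as unset
    ( unset AGENT_VAULT_NO_TELEMETRY
      fetch | AGENT_VAULT_NO_TELEMETRY= sh )
}

for form in prefix_on_fetch prefix_on_sh exported_first empty_value_on_sh; do
    printf '%-20s %s\n' "$form" "$($form)"
done
```
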


REPO="Infisical/agent-vault"
INSTALL_DIR="/usr/local/bin"
Expand Down Expand Up @@ -173,9 +177,19 @@
if [ "$SERVER_WAS_RUNNING" = true ]; then
echo ""
info "The server was stopped for the upgrade."
info "Run 'agent-vault server' to start it again."
info "Database migrations (if any) will run automatically on startup."
fi

# Anonymous completion beacon. No PII, no identifiers.
# Opt out: AGENT_VAULT_NO_TELEMETRY=1
if [ -z "$AGENT_VAULT_NO_TELEMETRY" ]; then
EVENT="install"
if [ -n "$EXISTING_VERSION" ] && [ "$EXISTING_VERSION" != "unknown" ]; then
EVENT="upgrade"
fi
curl -fsS -m 3 "https://get.agent-vault.dev/ok?os=${OS}&arch=${ARCH}&v=${LATEST}&event=${EVENT}" >/dev/null 2>&1 || true
fi

Check warning on line 192 in install.sh

Claude / Claude Code Review

AGENT_VAULT_NO_TELEMETRY not documented in required env var files

The PR introduces AGENT_VAULT_NO_TELEMETRY in install.sh but omits it from the three files that CLAUDE.md mandates be updated for every new environment variable: .env.example, docs/self-hosting/environment-variables.mdx, and docs/reference/cli.mdx. Users consulting the canonical environment-variable reference will find no entry for this opt-out mechanism.
dangtony98 marked this conversation as resolved.
}

main "$@"
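Review bot: In the beacon block, `[ -z "$AGENT_VAULT_NO_TELEMETRY" ]` only tests for a non-empty value, so `AGENT_VAULT_NO_TELEMETRY=` (set but empty) still sends the ping while `AGENT_VAULT_NO_TELEMETRY=0` suppresses it. Document that any non-empty value opts out, or test for set-ness with `[ -z "${AGENT_VAULT_NO_TELEMETRY+x}" ]`. `${OS}`, `${ARCH}` and `${LATEST}` are also placed in the query string without URL-encoding; add a comment on why that is safe for the values the script produces, or encode them.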

Check notice on line 195 in install.sh

Claude / Claude Code Review

BACKUP_FILE referenced when potentially unset, producing misleading warning

Pre-existing bug: `BACKUP_FILE` is only assigned inside `if [ -f "$DB_FILE" ]`, but is referenced at two later points guarded solely by `if [ -n "$EXISTING_VERSION" ]`. If the `agent-vault` binary is on PATH (so `EXISTING_VERSION` is set) but the database file has never been created (server was never started), the script prints "A database backup was saved at: " and "Database backup: " with an empty path — falsely claiming a backup was made. The fix is to guard both references with an additional
dangtony98 marked this conversation as resolved.
2 changes: 1 addition & 1 deletion web/src/pages/Register.tsx
Expand Up @@ -63,7 +63,7 @@ function InviteOnlyNotice() {
);
}

const INSTALL_COMMAND = "curl -fsSL https://raw.githubusercontent.com/Infisical/agent-vault/main/install.sh | sh";
const INSTALL_COMMAND = "curl -fsSL https://get.agent-vault.dev | sh";

function CommandBlock({ command }: { command: string }) {
const [copied, setCopied] = useState(false);