@gethmy/mcp 2.9.3 → 2.9.5

package/README.md

@@ -17,7 +17,7 @@ Enables AI coding agents (Claude Code, OpenAI Codex, Cursor) to interact with yo
 - **Memory Sync** - bidirectional sync between local markdown files and remote database
 - **Multi-Agent Support** - works with Claude Code, Codex, Cursor, Claude.ai
 - **Smart Setup** - one command configures everything
-- **API Key Authentication** - no database credentials required
+- **Browser Sign-In** - secure OAuth setup (loopback + PKCE), no key to copy or paste; API keys still supported for CI
 
 ## Prerequisites
 
@@ -26,14 +26,7 @@ Enables AI coding agents (Claude Code, OpenAI Codex, Cursor) to interact with yo
 
 ## Quick Start
 
-### 1. Get an API Key
-
-1. Log into [Harmony](https://gethmy.com)
-2. Go to **[API Keys](https://gethmy.com/user/keys)**
-3. Click **"Generate New Key"**
-4. Copy the key (starts with `hmy_`)
-
-### 2. Run Setup
+### Run Setup
 
 ```bash
 npx @gethmy/mcp setup
@@ -41,13 +34,15 @@ npx @gethmy/mcp setup
 
 The smart setup wizard will:
 
-- Validate your API key
+- Sign you in through your browser (OAuth — no API key to copy or paste). You can also create a free account or paste an existing key from the same prompt.
 - Detect installed AI agents (Claude Code, Cursor, Codex)
 - Install skills globally (recommended) or locally
 - Let you select your workspace and project
 
 That's it! You're ready to use Harmony with your AI agent.
 
+> **Prefer an API key?** Generate one at [gethmy.com/user/keys](https://gethmy.com/user/keys) (starts with `hmy_`) and choose "Paste an API key" in the setup prompt, or pass `--api-key` for unattended CI. Browser sign-in is the recommended path for interactive setup.
+
 ## Remote MCP (Hosted)
 
 Connect any MCP-compatible agent to Harmony's hosted endpoint - no local server required.
@@ -114,11 +109,12 @@ It detects your existing configuration and only asks for the project context.
 ## CLI Commands
 
 ```bash
-# Setup (recommended)
+# Setup (recommended) — authorizes in your browser, no API key handling
 npx @gethmy/mcp setup              # Smart setup wizard
 
 # Setup with flags (non-interactive)
-npx @gethmy/mcp setup --api-key KEY --global --workspace ID --project ID
+npx @gethmy/mcp setup --global --workspace ID --project ID
+# --api-key is supported for unattended CI only (deprecated — see below)
 
 # Status and management
 npx @gethmy/mcp status             # Show current configuration
@@ -132,7 +128,7 @@ npx @gethmy/mcp serve              # Start MCP server
 
 | Flag                       | Description                                          |
 | -------------------------- | ---------------------------------------------------- |
-| `-k, --api-key <key>`      | API key (skips prompt)                               |
+| `-k, --api-key <key>`      | **Deprecated** — insecure (leaks via argv/shell history). Unattended CI only; interactive setup uses browser sign-in. |
 | `-e, --email <email>`      | Your email for auto-assignment                       |
 | `-a, --agents <agents...>` | Agents to configure: claude, codex, cursor, windsurf |
 | `-g, --global`             | Install skills globally (recommended)                |
@@ -395,11 +391,15 @@ curl -X GET "https://gethmy.com/api/v1/workspaces" \
 
 ### Global Configuration
 
-Stored in `~/.harmony-mcp/config.json`:
+Stored in `~/.harmony-mcp/config.json`. Browser sign-in writes OAuth tokens (and nulls `apiKey`); API-key setup writes `apiKey` instead. The server prefers a live OAuth token and refreshes it automatically:
 
 ```json
 {
-  "apiKey": "hmy_...",
+  "apiKey": null,
+  "oauthAccessToken": "hmy_at_...",
+  "oauthRefreshToken": "...",
+  "oauthExpiresAt": 1750000000,
+  "oauthClientId": "...",
   "apiUrl": "https://gethmy.com/api",
   "userEmail": "you@example.com",
   "activeWorkspaceId": null,