@icoretech/warden-mcp 0.1.10 → 0.1.13

package/README.md

@@ -56,9 +56,15 @@ npm install -g @bitwarden/cli
 Or run with an explicit binary path:
 
 ```bash
-BW_BIN=/absolute/path/to/bw npx -y @icoretech/warden-mcp
+BW_BIN=/absolute/path/to/bw npx -y @icoretech/warden-mcp@latest
 ```
 
+`warden-mcp` intentionally bundles a vetted `@bitwarden/cli` version instead of
+blindly following the newest upstream CLI on every release. New `bw` releases
+can change login and unlock behavior in ways that break automation, so `bw`
+upgrades should be smoke-tested against real Vaultwarden and Bitwarden flows
+before bumping the bundled version.
+
 ## Install And Run
 
 ### Choose a transport
@@ -69,7 +75,7 @@ BW_BIN=/absolute/path/to/bw npx -y @icoretech/warden-mcp
 ### Local stdio mode
 
 ```bash
-npx -y @icoretech/warden-mcp --stdio
+npx -y @icoretech/warden-mcp@latest --stdio
 ```
 
 For stdio mode, you must provide Bitwarden credentials up front via env vars:
@@ -78,7 +84,7 @@ For stdio mode, you must provide Bitwarden credentials up front via env vars:
 BW_HOST=https://vaultwarden.example.com \
 BW_USER=user@example.com \
 BW_PASSWORD='your-master-password' \
-npx -y @icoretech/warden-mcp --stdio
+npx -y @icoretech/warden-mcp@latest --stdio
 ```
 
 API key login works too:
@@ -88,7 +94,7 @@ BW_HOST=https://vaultwarden.example.com \
 BW_CLIENTID=user.xxxxx \
 BW_CLIENTSECRET=xxxxx \
 BW_PASSWORD='your-master-password' \
-npx -y @icoretech/warden-mcp --stdio
+npx -y @icoretech/warden-mcp@latest --stdio
 ```
 
 ### Shared HTTP mode
@@ -96,7 +102,7 @@ npx -y @icoretech/warden-mcp --stdio
 Start one long-lived MCP server:
 
 ```bash
-npx -y @icoretech/warden-mcp
+npx -y @icoretech/warden-mcp@latest
 ```
 
 Verify it is up:
@@ -115,13 +121,13 @@ This mode is what makes `warden-mcp` different from a simple local wrapper:
 ### Docker
 
 ```bash
-docker run --rm -p 3005:3005 ghcr.io/icoretech/warden-mcp
+docker run --rm -p 3005:3005 ghcr.io/icoretech/warden-mcp:latest
 ```
 
 ### Global install
 
 ```bash
-npm install -g @icoretech/warden-mcp
+npm install -g @icoretech/warden-mcp@latest
 warden-mcp
 ```
 
@@ -130,7 +136,7 @@ warden-mcp
 For local MCP hosts, stdio is the most portable option.
 
 ```bash
-npx -y @icoretech/warden-mcp --stdio
+npx -y @icoretech/warden-mcp@latest --stdio
 ```
 
 The examples below use Bitwarden API-key auth. If you prefer username/password login, replace `BW_CLIENTID` + `BW_CLIENTSECRET` with `BW_USER`.
@@ -146,10 +152,10 @@ codex mcp add warden \
   --env BW_CLIENTID=user.xxxxx \
   --env BW_CLIENTSECRET=xxxxx \
   --env BW_PASSWORD='your-master-password' \
-  -- npx -y @icoretech/warden-mcp --stdio
+  -- npx -y @icoretech/warden-mcp@latest --stdio
 
 # Claude Code
-claude mcp add-json warden '{"command":"npx","args":["-y","@icoretech/warden-mcp","--stdio"],"env":{"BW_HOST":"https://vaultwarden.example.com","BW_CLIENTID":"user.xxxxx","BW_CLIENTSECRET":"xxxxx","BW_PASSWORD":"your-master-password"}}'
+claude mcp add-json warden '{"command":"npx","args":["-y","@icoretech/warden-mcp@latest","--stdio"],"env":{"BW_HOST":"https://vaultwarden.example.com","BW_CLIENTID":"user.xxxxx","BW_CLIENTSECRET":"xxxxx","BW_PASSWORD":"your-master-password"}}'
 
 # Qwen Code
 qwen mcp add warden \
@@ -157,7 +163,7 @@ qwen mcp add warden \
   -e BW_CLIENTID=user.xxxxx \
   -e BW_CLIENTSECRET=xxxxx \
   -e BW_PASSWORD=your-master-password \
-  npx -y @icoretech/warden-mcp --stdio
+  npx -y @icoretech/warden-mcp@latest --stdio
 ```
 
 ### JSON config hosts
@@ -176,7 +182,7 @@ Shared JSON shape:
   "mcpServers": {
     "warden": {
       "command": "npx",
-      "args": ["-y", "@icoretech/warden-mcp", "--stdio"],
+      "args": ["-y", "@icoretech/warden-mcp@latest", "--stdio"],
       "env": {
         "BW_HOST": "https://vaultwarden.example.com",
         "BW_CLIENTID": "user.xxxxx",
@@ -193,7 +199,8 @@ Codex uses TOML instead of JSON:
 ```toml
 [mcp_servers.warden]
 command = "npx"
-args = ["-y", "@icoretech/warden-mcp", "--stdio"]
+args = ["-y", "@icoretech/warden-mcp@latest", "--stdio"]
+startup_timeout_sec = 30
 
 [mcp_servers.warden.env]
 BW_HOST = "https://vaultwarden.example.com"
@@ -202,6 +209,10 @@ BW_CLIENTSECRET = "xxxxx"
 BW_PASSWORD = "your-master-password"
 ```
 
+`startup_timeout_sec = 30` is a practical Codex default when using `npx`,
+because a cold first launch can spend several seconds downloading and unpacking
+the package before MCP initialization begins.
+
 ### Windsurf
 
 Windsurf uses the same stdio idea but stores it in `~/.codeium/windsurf/mcp_config.json`:
@@ -211,7 +222,7 @@ Windsurf uses the same stdio idea but stores it in `~/.codeium/windsurf/mcp_conf
   "mcpServers": {
     "warden": {
       "command": "npx",
-      "args": ["-y", "@icoretech/warden-mcp", "--stdio"],
+      "args": ["-y", "@icoretech/warden-mcp@latest", "--stdio"],
       "env": {
         "BW_HOST": "https://vaultwarden.example.com",
         "BW_CLIENTID": "user.xxxxx",
@@ -230,7 +241,7 @@ If your MCP host supports Streamable HTTP with custom headers, you can connect t
 Start the shared server:
 
 ```bash
-npx -y @icoretech/warden-mcp
+npx -y @icoretech/warden-mcp@latest
 ```
 
 Every MCP request must include:
@@ -419,7 +430,7 @@ If you run `warden-mcp` beyond local development, review these items:
 Run the published package in HTTP mode and verify the server is up:
 
 ```bash
-npx -y @icoretech/warden-mcp
+npx -y @icoretech/warden-mcp@latest
 curl -fsS http://localhost:3005/healthz
 ```
 

package/bin/warden-mcp.js

@@ -3,9 +3,9 @@
 // bin/warden-mcp.js — CLI entry for @icoretech/warden-mcp
 
 import { spawnSync } from 'node:child_process';
-import { accessSync, constants, existsSync } from 'node:fs';
+import { accessSync, constants, existsSync, readFileSync } from 'node:fs';
 import { createRequire } from 'node:module';
-import { dirname, join, resolve } from 'node:path';
+import { dirname, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
@@ -14,12 +14,12 @@ const __dirname = dirname(fileURLToPath(import.meta.url));
 if (!process.env.BW_BIN) {
   try {
     const require = createRequire(import.meta.url);
-    // @bitwarden/cli installs the binary at <pkg>/dist/bw (the npm bin shim
-    // lives at node_modules/.bin/bw, but we resolve to the actual package).
+    const { resolveBundledBwCandidate } = await import(
+      resolve(__dirname, '../dist/bw/resolveBwBin.js')
+    );
     const pkgManifest = require.resolve('@bitwarden/cli/package.json');
-    const pkgDir = dirname(pkgManifest);
-    // The CLI binary is published as `bw` (no extension) inside the package.
-    const candidate = join(pkgDir, 'dist', 'bw');
+    const pkgJson = JSON.parse(readFileSync(pkgManifest, 'utf8'));
+    const candidate = resolveBundledBwCandidate(pkgManifest, pkgJson.bin);
     if (existsSync(candidate)) {
       try {
         accessSync(candidate, constants.X_OK);

package/dist/bw/resolveBwBin.js

@@ -0,0 +1,10 @@
+import { dirname, join } from 'node:path';
+export function resolveBundledBwCandidate(pkgManifestPath, pkgBin) {
+    const pkgDir = dirname(pkgManifestPath);
+    const binEntry = typeof pkgBin === 'string'
+        ? pkgBin
+        : typeof pkgBin?.bw === 'string'
+            ? pkgBin.bw
+            : 'dist/bw';
+    return join(pkgDir, binEntry);
+}

package/dist/server.js

@@ -16,7 +16,11 @@ if (useStdio) {
 else {
     const PORT = Number.parseInt(process.env.PORT ?? '3005', 10);
     const app = createKeychainApp();
-    app.listen(PORT, () => {
+    const server = app.listen(PORT, () => {
         console.log(`[warden-mcp] listening on http://localhost:${PORT}/sse`);
     });
+    await new Promise((resolve, reject) => {
+        server.once('close', resolve);
+        server.once('error', reject);
+    });
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "private": false,
   "name": "@icoretech/warden-mcp",
-  "version": "0.1.10",
+  "version": "0.1.13",
   "type": "module",
   "license": "MIT",
   "description": "Vaultwarden/Bitwarden MCP server backed by Bitwarden CLI (bw).",
@@ -48,7 +48,7 @@
     "zod": "^4.3.6"
   },
   "optionalDependencies": {
-    "@bitwarden/cli": "2026.2.0"
+    "@bitwarden/cli": "2026.1.0"
   },
   "devDependencies": {
     "@biomejs/biome": "^2.4.8",