npm - @muhaven/mcp - Versions diffs - 0.1.2 → 0.1.4 - Mend

@muhaven/mcp 0.1.2 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/broker.cjs CHANGED Viewed

@@ -7,7 +7,6 @@ var net = require('net');
 var promises = require('fs/promises');
 var accounts = require('viem/accounts');
-// src/broker/cli.ts
 var DEFAULT_BACKEND_URL = "https://api.muhaven.app";
 var DEFAULT_DASHBOARD_URL = "https://muhaven.app";
 var DEFAULT_REQUEST_TIMEOUT_MS = 15e3;
@@ -73,23 +72,26 @@ function loadMcpConfig(env = process.env) {
 }
 var PRIVKEY_HEX_RE = /^0x[0-9a-fA-F]{64}$/;
 function loadBrokerConfig(env = process.env) {
-  const sessionKeyHex = env.MUHAVEN_BROKER_SESSION_KEY;
-  if (!sessionKeyHex) {
-    throw new Error(
-      "MUHAVEN_BROKER_SESSION_KEY is required (0x-prefixed 32-byte hex). Mint a session key via the dashboard policy-template install flow."
-    );
-  }
-  if (!PRIVKEY_HEX_RE.test(sessionKeyHex)) {
-    throw new Error("MUHAVEN_BROKER_SESSION_KEY must be a 0x-prefixed 32-byte hex string");
+  const sessionKeyHexRaw = env.MUHAVEN_BROKER_SESSION_KEY;
+  let sessionKeyHex;
+  if (sessionKeyHexRaw && sessionKeyHexRaw.length > 0) {
+    if (!PRIVKEY_HEX_RE.test(sessionKeyHexRaw)) {
+      throw new Error("MUHAVEN_BROKER_SESSION_KEY must be a 0x-prefixed 32-byte hex string");
+    }
+    sessionKeyHex = sessionKeyHexRaw;
   }
   const endpoint = env.MUHAVEN_BROKER_ENDPOINT ?? defaultBrokerEndpoint();
   const maxRequestBytes = readEnvInt("MUHAVEN_BROKER_MAX_BYTES", DEFAULT_BROKER_MAX_BYTES, env);
   const requestTimeoutMs = readEnvInt("MUHAVEN_BROKER_TIMEOUT_MS", DEFAULT_BROKER_TIMEOUT_MS, env);
+  const backendBaseUrl = trimTrailingSlash(env.MUHAVEN_BACKEND_URL ?? DEFAULT_BACKEND_URL);
+  const dashboardBaseUrl = trimTrailingSlash(env.MUHAVEN_DASHBOARD_URL ?? DEFAULT_DASHBOARD_URL);
   return {
     endpoint,
     sessionKeyHex,
     maxRequestBytes,
-    requestTimeoutMs
+    requestTimeoutMs,
+    backendBaseUrl,
+    dashboardBaseUrl
   };
 }
 var BrokerClientError = class extends Error {
@@ -522,7 +524,7 @@ async function openKeystore(options = {}) {
 }
 // src/broker/protocol.ts
-var BROKER_PROTOCOL_VERSION = "0.2.0";
+var BROKER_PROTOCOL_VERSION = "0.3.0";
 var HASH_HEX_RE = /^0x[0-9a-fA-F]{64}$/;
 var JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
 function isHashHex(value) {
@@ -608,6 +610,21 @@ function parseBrokerRequest(line) {
 function serializeResponse(res) {
   return JSON.stringify(res) + "\n";
 }
+var MissingSessionKeyError = class extends Error {
+  constructor() {
+    super(
+      "session_key_unavailable: daemon booted in read-only posture (no MUHAVEN_BROKER_SESSION_KEY at env-load time). Mint a session key via the dashboard /agent/policy/transition flow, set MUHAVEN_BROKER_SESSION_KEY, and restart the daemon. (Note: `muhaven-broker login` mints a JWT, NOT a session key \u2014 do not loop on that command for this error.)"
+    );
+    this.name = "MissingSessionKeyError";
+  }
+};
+var ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";
+var NullSigner = class {
+  address = ZERO_ADDRESS;
+  async signHash(_hash) {
+    throw new MissingSessionKeyError();
+  }
+};
 var ViemSigner = class {
   account;
   constructor(privateKey) {
@@ -624,7 +641,7 @@ var ViemSigner = class {
 // src/broker/daemon.ts
 var noopLogger = (_e) => {
 };
-async function handleBrokerRequest(req, signer, keystore, nowSec = () => Math.floor(Date.now() / 1e3)) {
+async function handleBrokerRequest(req, signer, keystore, nowSec = () => Math.floor(Date.now() / 1e3), options = {}) {
   switch (req.type) {
     case "hello": {
       let hasJwt = false;
@@ -634,16 +651,26 @@ async function handleBrokerRequest(req, signer, keystore, nowSec = () => Math.fl
       } catch {
         hasJwt = false;
       }
+      const hasSessionKey = options.hasSessionKey ?? true;
       return {
         type: "hello",
         version: BROKER_PROTOCOL_VERSION,
         sessionKeyAddress: signer.address,
-        hasJwt
+        hasJwt,
+        hasSessionKey,
+        ...options.effectiveConfig ? { effectiveConfig: options.effectiveConfig } : {}
       };
     }
     case "sign_hash": {
-      const signature = await signer.signHash(req.hash);
-      return { type: "sign_hash", signature, signerAddress: signer.address };
+      try {
+        const signature = await signer.signHash(req.hash);
+        return { type: "sign_hash", signature, signerAddress: signer.address };
+      } catch (err) {
+        if (err instanceof MissingSessionKeyError) {
+          return errorResponse("session_key_unavailable", err.message);
+        }
+        throw err;
+      }
     }
     case "store_jwt": {
       try {
@@ -715,9 +742,24 @@ var BrokerDaemon = class {
   log;
   config;
   keystore;
+  /**
+   * Whether a session-key private half is actually loaded. `false` =
+   * daemon booted in read-only posture (no `MUHAVEN_BROKER_SESSION_KEY`
+   * at env-load time) and uses a `NullSigner` whose `signHash` throws.
+   */
+  hasSessionKey;
   constructor(options) {
     this.config = options.config;
-    this.signer = options.signer ?? new ViemSigner(options.config.sessionKeyHex);
+    if (options.signer) {
+      this.signer = options.signer;
+      this.hasSessionKey = true;
+    } else if (options.config.sessionKeyHex) {
+      this.signer = new ViemSigner(options.config.sessionKeyHex);
+      this.hasSessionKey = true;
+    } else {
+      this.signer = new NullSigner();
+      this.hasSessionKey = false;
+    }
     this.keystore = options.keystore ?? null;
     this.log = options.logger ?? noopLogger;
     this.server = net.createServer((socket) => this.onConnection(socket));
@@ -755,6 +797,7 @@ var BrokerDaemon = class {
       meta: {
         endpoint: this.config.endpoint,
         signer: this.signer.address,
+        hasSessionKey: this.hasSessionKey,
         keystore: this.keystore.backend,
         version: BROKER_PROTOCOL_VERSION
       }
@@ -836,7 +879,19 @@ var BrokerDaemon = class {
       return;
     }
     try {
-      const res = await handleBrokerRequest(parsed, this.signer, this.keystore);
+      const res = await handleBrokerRequest(
+        parsed,
+        this.signer,
+        this.keystore,
+        void 0,
+        {
+          hasSessionKey: this.hasSessionKey,
+          effectiveConfig: {
+            backendBaseUrl: this.config.backendBaseUrl,
+            dashboardBaseUrl: this.config.dashboardBaseUrl
+          }
+        }
+      );
       socket.end(serializeResponse(res));
     } catch (err) {
       this.log({
@@ -852,6 +907,15 @@ var BrokerDaemon = class {
 };
 async function runBrokerDaemonCli() {
   const config = loadBrokerConfig();
+  if (!config.sessionKeyHex) {
+    process.stderr.write(
+      JSON.stringify({
+        ts: (/* @__PURE__ */ new Date()).toISOString(),
+        level: "info",
+        msg: "broker booting in read-only posture (no MUHAVEN_BROKER_SESSION_KEY)"
+      }) + "\n"
+    );
+  }
   const daemon = new BrokerDaemon({
     config,
     logger: (e) => {
@@ -869,6 +933,332 @@ async function runBrokerDaemonCli() {
   await new Promise(() => {
   });
 }
+var DANGEROUS_NODE_ENV_VARS = [
+  "NODE_OPTIONS",
+  "NODE_TLS_REJECT_UNAUTHORIZED",
+  "NODE_EXTRA_CA_CERTS",
+  "NODE_PATH"
+];
+function applyEnvDefaults(input) {
+  const { env } = input;
+  const platformId = input.platformId ?? process.platform;
+  const osRelease = input.osRelease ?? os.release();
+  const toSet = {};
+  const preserved = [];
+  const defaultIfUnset = (name, value) => {
+    if (env[name] && env[name].length > 0) {
+      preserved.push(name);
+    } else {
+      toSet[name] = value;
+    }
+  };
+  defaultIfUnset("MUHAVEN_BACKEND_URL", "https://api.muhaven.app");
+  defaultIfUnset("MUHAVEN_DASHBOARD_URL", "https://muhaven.app");
+  const wantFileKeyring = platformId === "win32" || platformId === "linux" && (env.WSL_DISTRO_NAME !== void 0 || /microsoft/i.test(osRelease)) || env.REMOTE_CONTAINERS === "true" || env.CODESPACES === "true" || env.SSH_CONNECTION !== void 0;
+  if (wantFileKeyring) {
+    defaultIfUnset("MUHAVEN_KEYRING", "file");
+  } else if (env.MUHAVEN_KEYRING) {
+    preserved.push("MUHAVEN_KEYRING");
+  }
+  return { toSet, preserved };
+}
+function mintSessionKey() {
+  return accounts.generatePrivateKey();
+}
+function decideSetupAction(input) {
+  if (input.hello === null) return "spawn_and_login";
+  if (!input.hello.hasJwt) return "login_only";
+  return "already_ready";
+}
+function spawnDaemon(options) {
+  const sanitized = {};
+  for (const [k, v] of Object.entries(process.env)) {
+    if (!DANGEROUS_NODE_ENV_VARS.includes(k)) {
+      sanitized[k] = v;
+    }
+  }
+  const merged = { ...sanitized, ...options.env };
+  const child = child_process.spawn(process.execPath, [options.binPath], {
+    detached: true,
+    stdio: "ignore",
+    windowsHide: true,
+    env: merged
+  });
+  child.unref();
+  if (child.pid === void 0) {
+    throw new Error("failed to spawn muhaven-broker daemon \u2014 child pid is undefined");
+  }
+  return child.pid;
+}
+function validateHttpUrlFlag(name, value) {
+  let parsed;
+  try {
+    parsed = new URL(value);
+  } catch {
+    return `${name} is not a valid URL: ${value}`;
+  }
+  if (parsed.protocol === "https:") return null;
+  if (parsed.protocol === "http:") {
+    const host = parsed.hostname;
+    if (host === "localhost" || host === "127.0.0.1" || host === "[::1]") return null;
+    return `${name} must use https:// (got http:// to ${host} \u2014 refusing to ship JWT cleartext)`;
+  }
+  return `${name} must use https:// (got ${parsed.protocol})`;
+}
+function validateBrokerEndpointFlag(value, platformId) {
+  if (!value || value.length === 0) {
+    return "--broker-endpoint cannot be empty";
+  }
+  if (platformId === "win32") {
+    if (value.startsWith("\\\\.\\pipe\\") || value.startsWith("//./pipe/")) {
+      return null;
+    }
+    return "--broker-endpoint on Windows must be a named pipe path (\\\\.\\pipe\\...)";
+  }
+  if (!value.startsWith("/")) {
+    return "--broker-endpoint on POSIX must be an absolute path (e.g. /run/muhaven/broker.sock)";
+  }
+  return null;
+}
+var defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+async function waitForBroker(options) {
+  const timeoutMs = options.timeoutMs ?? 8e3;
+  const intervalMs = options.intervalMs ?? 200;
+  const sleep = options.sleep ?? defaultSleep;
+  const now = options.now ?? Date.now;
+  const deadline = now() + timeoutMs;
+  let lastErr = null;
+  while (now() < deadline) {
+    try {
+      const hello = await options.broker.hello();
+      return { hasJwt: hello.hasJwt };
+    } catch (err) {
+      lastErr = err;
+      if (now() + intervalMs < deadline) {
+        await sleep(intervalMs);
+      } else {
+        break;
+      }
+    }
+  }
+  throw new Error(
+    `muhaven-broker daemon did not become reachable within ${timeoutMs}ms: ${lastErr instanceof Error ? lastErr.message : String(lastErr)}`
+  );
+}
+function parseSetupFlags(argv) {
+  let foreground = false;
+  let noLaunchBrowser = false;
+  let brokerEndpoint;
+  let backendBaseUrl;
+  let dashboardBaseUrl;
+  let skipLogin = false;
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a === "--foreground" || a === "-f") foreground = true;
+    else if (a === "--no-launch-browser") noLaunchBrowser = true;
+    else if (a === "--skip-login") skipLogin = true;
+    else if (a === "--broker-endpoint" && i + 1 < argv.length) brokerEndpoint = argv[++i];
+    else if (a === "--backend-base-url" && i + 1 < argv.length) backendBaseUrl = argv[++i];
+    else if (a === "--dashboard-base-url" && i + 1 < argv.length) dashboardBaseUrl = argv[++i];
+    else throw new Error(`unknown flag: ${a}`);
+  }
+  return {
+    foreground,
+    noLaunchBrowser,
+    brokerEndpoint,
+    backendBaseUrl,
+    dashboardBaseUrl,
+    skipLogin
+  };
+}
+async function runSetup(argv, deps) {
+  let flags;
+  try {
+    flags = parseSetupFlags(argv);
+  } catch (err) {
+    deps.printErr(`error: ${err.message}`);
+    deps.printErr(
+      "usage: muhaven-broker setup [--foreground|-f] [--no-launch-browser] [--skip-login]\n                            [--broker-endpoint PATH] [--backend-base-url URL]\n                            [--dashboard-base-url URL]"
+    );
+    return 2;
+  }
+  if (flags.backendBaseUrl) {
+    const err = validateHttpUrlFlag("--backend-base-url", flags.backendBaseUrl);
+    if (err) {
+      deps.printErr(`error: ${err}`);
+      return 2;
+    }
+  }
+  if (flags.dashboardBaseUrl) {
+    const err = validateHttpUrlFlag("--dashboard-base-url", flags.dashboardBaseUrl);
+    if (err) {
+      deps.printErr(`error: ${err}`);
+      return 2;
+    }
+  }
+  if (flags.brokerEndpoint) {
+    const err = validateBrokerEndpointFlag(flags.brokerEndpoint, deps.platformId);
+    if (err) {
+      deps.printErr(`error: ${err}`);
+      return 2;
+    }
+  }
+  const overrides = applyEnvDefaults({
+    env: deps.env,
+    platformId: deps.platformId,
+    osRelease: deps.osRelease
+  });
+  const effectiveEnv = {};
+  for (const [k, v] of Object.entries(deps.env)) {
+    if (typeof v === "string") effectiveEnv[k] = v;
+  }
+  for (const [k, v] of Object.entries(overrides.toSet)) {
+    effectiveEnv[k] = v;
+  }
+  if (flags.brokerEndpoint) effectiveEnv.MUHAVEN_BROKER_ENDPOINT = flags.brokerEndpoint;
+  if (flags.backendBaseUrl) effectiveEnv.MUHAVEN_BACKEND_URL = flags.backendBaseUrl;
+  if (flags.dashboardBaseUrl) effectiveEnv.MUHAVEN_DASHBOARD_URL = flags.dashboardBaseUrl;
+  for (const name of overrides.preserved) {
+    deps.print(`Env preserved: ${name} (set in your shell)`);
+  }
+  for (const [k, v] of Object.entries(overrides.toSet)) {
+    deps.print(`Env defaulted: ${k}=${v}`);
+  }
+  let sessionKey = effectiveEnv.MUHAVEN_BROKER_SESSION_KEY;
+  let mintedKey = false;
+  if (!sessionKey || sessionKey === "") {
+    sessionKey = deps.mintSessionKey();
+    mintedKey = true;
+    deps.print("Session key: minted fresh (secp256k1, ephemeral to this daemon).");
+  } else {
+    deps.print("Session key: using MUHAVEN_BROKER_SESSION_KEY from env.");
+  }
+  effectiveEnv.MUHAVEN_BROKER_SESSION_KEY = sessionKey;
+  if (flags.foreground) {
+    deps.print("Foreground mode \u2014 running daemon attached to this shell. Ctrl-C to stop.");
+    const restorationKeys = [
+      ...Object.keys(overrides.toSet),
+      "MUHAVEN_BROKER_SESSION_KEY",
+      ...flags.brokerEndpoint ? ["MUHAVEN_BROKER_ENDPOINT"] : [],
+      ...flags.backendBaseUrl ? ["MUHAVEN_BACKEND_URL"] : [],
+      ...flags.dashboardBaseUrl ? ["MUHAVEN_DASHBOARD_URL"] : []
+    ];
+    const originalValues = {};
+    for (const k of restorationKeys) {
+      originalValues[k] = process.env[k];
+      process.env[k] = effectiveEnv[k];
+    }
+    try {
+      await deps.runForegroundDaemon();
+    } finally {
+      for (const k of restorationKeys) {
+        if (originalValues[k] === void 0) delete process.env[k];
+        else process.env[k] = originalValues[k];
+      }
+    }
+    return 0;
+  }
+  const config = loadMcpConfig(effectiveEnv);
+  const broker = deps.newBrokerClient(config.brokerEndpoint, config.brokerTimeoutMs);
+  let helloProbe = null;
+  try {
+    helloProbe = await broker.hello();
+  } catch {
+  }
+  const action = decideSetupAction({ hello: helloProbe });
+  let daemonPid = null;
+  if (action === "spawn_and_login") {
+    deps.print("Broker daemon: not running, starting one (detached) ...");
+    daemonPid = deps.spawnDaemon({
+      binPath: deps.resolveBinPath(),
+      env: {
+        // Explicit env for the spawned daemon. Includes every var that the
+        // daemon's loadBrokerConfig will read, sourced from our resolved
+        // effectiveEnv (NOT from process.env). spawnDaemon will sanitize
+        // process.env-inherited values further (strips NODE_OPTIONS etc.).
+        ...overrides.toSet,
+        MUHAVEN_BROKER_ENDPOINT: config.brokerEndpoint,
+        MUHAVEN_BACKEND_URL: effectiveEnv.MUHAVEN_BACKEND_URL,
+        MUHAVEN_DASHBOARD_URL: effectiveEnv.MUHAVEN_DASHBOARD_URL,
+        MUHAVEN_BROKER_SESSION_KEY: sessionKey
+      }
+    });
+    try {
+      const readyHello = await deps.waitForBroker({ broker });
+      helloProbe = readyHello;
+      deps.print(`Broker daemon: ready (PID ${daemonPid}, endpoint ${config.brokerEndpoint}).`);
+    } catch (err) {
+      deps.printErr(err.message);
+      deps.printErr(
+        "  hint: re-run `muhaven-broker setup` after checking that no other broker is bound to the same endpoint."
+      );
+      return 1;
+    }
+  } else {
+    deps.print(`Broker daemon: already reachable at ${config.brokerEndpoint}.`);
+  }
+  const needsLogin = !flags.skipLogin && !(helloProbe && helloProbe.hasJwt);
+  if (flags.skipLogin) {
+    deps.print("Login: skipped per --skip-login.");
+  } else if (helloProbe && helloProbe.hasJwt) {
+    deps.print("Login: skipped \u2014 JWT already in keystore.");
+  }
+  if (needsLogin) {
+    const loginArgv = [];
+    if (flags.noLaunchBrowser) loginArgv.push("--no-launch-browser");
+    if (flags.brokerEndpoint) {
+      loginArgv.push("--broker-endpoint", flags.brokerEndpoint);
+    }
+    if (flags.backendBaseUrl) {
+      loginArgv.push("--backend-base-url", flags.backendBaseUrl);
+    }
+    if (flags.dashboardBaseUrl) {
+      loginArgv.push("--dashboard-base-url", flags.dashboardBaseUrl);
+    }
+    const restorationKeys = ["MUHAVEN_BACKEND_URL", "MUHAVEN_DASHBOARD_URL", "MUHAVEN_BROKER_ENDPOINT"];
+    const originalValues = {};
+    for (const k of restorationKeys) {
+      originalValues[k] = process.env[k];
+      if (effectiveEnv[k]) process.env[k] = effectiveEnv[k];
+    }
+    let code;
+    try {
+      code = await deps.runLogin(loginArgv);
+    } finally {
+      for (const k of restorationKeys) {
+        if (originalValues[k] === void 0) delete process.env[k];
+        else process.env[k] = originalValues[k];
+      }
+    }
+    if (code !== 0) {
+      deps.printErr(
+        "Setup: login step failed \u2014 daemon is still running, re-run `muhaven-broker login` to retry."
+      );
+      if (daemonPid !== null) {
+        const killCmd = deps.platformId === "win32" ? `Stop-Process -Id ${daemonPid}` : `kill ${daemonPid}`;
+        deps.printErr(`  (daemon PID ${daemonPid}; stop with: ${killCmd})`);
+      }
+      return code;
+    }
+  }
+  deps.print("");
+  deps.print("================================");
+  deps.print("Setup complete.");
+  if (daemonPid !== null) {
+    deps.print(`  Daemon PID : ${daemonPid}`);
+    const killCmd = deps.platformId === "win32" ? `Stop-Process -Id ${daemonPid}` : `kill ${daemonPid}`;
+    deps.print(`  Stop daemon: ${killCmd}`);
+  } else {
+    deps.print("  Daemon     : already running");
+  }
+  deps.print(`  Endpoint   : ${config.brokerEndpoint}`);
+  deps.print("  Sign out   : muhaven-broker logout   (clears JWT, leaves daemon running)");
+  if (mintedKey) {
+    deps.print("  Session key: ephemeral \u2014 minted by setup, lives only in the daemon process.");
+  }
+  deps.print("================================");
+  return 0;
+}
 // src/broker/cli.ts
 function print(line) {
@@ -878,7 +1268,7 @@ function printErr(line) {
   process.stderr.write(line + "\n");
 }
 function detectMcpHost() {
-  return process.env.MCP_HOST_NAME ?? process.env.CLAUDE_CODE_HOST ?? process.env.npm_lifecycle_event ?? "muhaven-broker-cli";
+  return process.env.MCP_HOST_NAME ?? process.env.CLAUDE_CODE_HOST ?? "muhaven-broker-cli";
 }
 function detectEnvironment() {
   const warnings = [];
@@ -904,9 +1294,11 @@ function parseLoginFlags(argv) {
   let brokerEndpoint;
   let backendBaseUrl;
   let dashboardBaseUrl;
+  let fromDaemon = false;
   for (let i = 0; i < argv.length; i++) {
     const a = argv[i];
     if (a === "--no-launch-browser") noLaunchBrowser = true;
+    else if (a === "--from-daemon") fromDaemon = true;
     else if (a === "--broker-endpoint" && i + 1 < argv.length) {
       brokerEndpoint = argv[++i];
     } else if (a === "--backend-base-url" && i + 1 < argv.length) {
@@ -917,7 +1309,12 @@ function parseLoginFlags(argv) {
       throw new Error(`unknown flag: ${a}`);
     }
   }
-  return { noLaunchBrowser, brokerEndpoint, backendBaseUrl, dashboardBaseUrl };
+  if (fromDaemon && (backendBaseUrl || dashboardBaseUrl)) {
+    throw new Error(
+      "--from-daemon is mutually exclusive with --backend-base-url / --dashboard-base-url"
+    );
+  }
+  return { noLaunchBrowser, brokerEndpoint, backendBaseUrl, dashboardBaseUrl, fromDaemon };
 }
 async function tryLaunchBrowser(url) {
   return new Promise((resolve) => {
@@ -931,7 +1328,9 @@ async function runLogin(argv) {
     flags = parseLoginFlags(argv);
   } catch (err) {
     printErr(`error: ${err.message}`);
-    printErr("usage: muhaven-broker login [--no-launch-browser] [--broker-endpoint PATH] [--backend-base-url URL] [--dashboard-base-url URL]");
+    printErr(
+      "usage: muhaven-broker login [--no-launch-browser] [--broker-endpoint PATH] [--from-daemon | (--backend-base-url URL --dashboard-base-url URL)]"
+    );
     return 2;
   }
   const env = process.env;
@@ -945,8 +1344,9 @@ async function runLogin(argv) {
     endpoint: config.brokerEndpoint,
     timeoutMs: config.brokerTimeoutMs
   });
+  let helloResult;
   try {
-    await broker.hello();
+    helloResult = await broker.hello();
   } catch (err) {
     printErr(
       `cannot reach muhaven-broker daemon at ${config.brokerEndpoint}: ${err.message}`
@@ -954,9 +1354,42 @@ async function runLogin(argv) {
     printErr("hint: start the daemon first (`muhaven-broker` with no subcommand).");
     return 1;
   }
+  let backendBaseUrl = config.backendBaseUrl;
+  let dashboardBaseUrl = config.dashboardBaseUrl;
+  if (flags.fromDaemon) {
+    if (!helloResult.effectiveConfig) {
+      printErr(
+        "--from-daemon requested but broker did not return effectiveConfig (daemon is older than protocol 0.3.0). Upgrade the daemon (`@muhaven/mcp@0.1.3+`) or drop the flag."
+      );
+      return 1;
+    }
+    const daemonBackend = helloResult.effectiveConfig.backendBaseUrl;
+    const daemonDashboard = helloResult.effectiveConfig.dashboardBaseUrl;
+    if (!daemonBackend || !daemonDashboard) {
+      printErr(
+        "--from-daemon: daemon returned an empty backend/dashboard URL \u2014 refusing to proceed."
+      );
+      return 1;
+    }
+    if (daemonBackend !== config.backendBaseUrl) {
+      print(
+        `\u26A0 daemon backend (${daemonBackend}) differs from CLI env (${config.backendBaseUrl}). Using daemon's value per --from-daemon.`
+      );
+    }
+    if (daemonDashboard !== config.dashboardBaseUrl) {
+      print(
+        `\u26A0 daemon dashboard (${daemonDashboard}) differs from CLI env (${config.dashboardBaseUrl}). Using daemon's value per --from-daemon.`
+      );
+    }
+    backendBaseUrl = daemonBackend;
+    dashboardBaseUrl = daemonDashboard;
+    print(`Using daemon's effective config:`);
+    print(`  backend:   ${backendBaseUrl}`);
+    print(`  dashboard: ${dashboardBaseUrl}`);
+  }
   const flow = new DeviceFlowClient({
-    backendBaseUrl: config.backendBaseUrl,
-    dashboardBaseUrl: config.dashboardBaseUrl,
+    backendBaseUrl,
+    dashboardBaseUrl,
     requesterMetadata: {
       processName: detectMcpHost(),
       hostname: os.hostname(),
@@ -1071,7 +1504,13 @@ async function runDoctor() {
   });
   try {
     const h = await broker.hello();
-    print(`Broker daemon     : reachable (proto v${h.version}, signer ${h.sessionKeyAddress}, hasJwt=${h.hasJwt})`);
+    const hasKey = h.hasSessionKey ?? true;
+    const keyTag = hasKey ? `signer ${h.sessionKeyAddress}` : "NO SESSION KEY (read-only posture)";
+    print(`Broker daemon     : reachable (proto v${h.version}, ${keyTag}, hasJwt=${h.hasJwt})`);
+    if (h.effectiveConfig) {
+      print(`Daemon backend URL: ${h.effectiveConfig.backendBaseUrl}`);
+      print(`Daemon dashboard  : ${h.effectiveConfig.dashboardBaseUrl}`);
+    }
     return 0;
   } catch (err) {
     print(`Broker daemon     : NOT reachable (${err.message})`);
@@ -1083,10 +1522,44 @@ function printUsage() {
   print("usage: muhaven-broker [<subcommand>] [options]");
   print("");
   print("  (no subcommand)    Run the daemon (production mode)");
+  print("  setup              One-shot install: env defaults + session key + detached daemon + login");
+  print("                       [--foreground|-f] keeps the daemon attached (skip background spawn)");
+  print("                       [--skip-login] starts the daemon but lets you run login later");
+  print("                       [--no-launch-browser] pass-through to login");
   print("  login              Acquire a JWT via the device-code flow + store in keystore");
+  print("                       [--from-daemon] resolves backend/dashboard URLs from the running daemon");
   print("  logout             Clear the JWT from the keystore");
   print("  doctor             Print environment + keystore + reachability report");
   print("  -h, --help         Show this help");
+  print("  -v, --version      Print the @muhaven/mcp package version");
+}
+function getBrokerPackageVersion() {
+  {
+    return "0.1.4";
+  }
+}
+function printVersion() {
+  print(`muhaven-broker @muhaven/mcp@${getBrokerPackageVersion()}`);
+}
+function resolveBrokerBinPath() {
+  return path.resolve(__dirname, "..", "bin", "muhaven-broker.cjs");
+}
+async function runSetup2(argv) {
+  const deps = {
+    print,
+    printErr,
+    mintSessionKey,
+    newBrokerClient: (endpoint, timeoutMs) => new BrokerClient({ endpoint, timeoutMs }),
+    spawnDaemon,
+    waitForBroker,
+    runLogin,
+    runForegroundDaemon: runBrokerDaemonCli,
+    resolveBinPath: resolveBrokerBinPath,
+    env: process.env,
+    platformId: process.platform,
+    osRelease: os.release()
+  };
+  return runSetup(argv, deps);
 }
 async function runCli(argv) {
   const [sub, ...rest] = argv;
@@ -1094,6 +1567,8 @@ async function runCli(argv) {
     case void 0:
       await runBrokerDaemonCli();
       return 0;
+    case "setup":
+      return runSetup2(rest);
     case "login":
       return runLogin(rest);
     case "logout":
@@ -1104,6 +1579,10 @@ async function runCli(argv) {
     case "--help":
       printUsage();
       return 0;
+    case "-v":
+    case "--version":
+      printVersion();
+      return 0;
     default:
       printErr(`unknown subcommand: ${sub}`);
       printUsage();
@@ -1111,7 +1590,10 @@ async function runCli(argv) {
   }
 }
+exports.getBrokerPackageVersion = getBrokerPackageVersion;
+exports.parseLoginFlags = parseLoginFlags;
 exports.runCli = runCli;
 exports.runDoctor = runDoctor;
 exports.runLogin = runLogin;
 exports.runLogout = runLogout;
+exports.runSetup = runSetup2;