@muhaven/mcp 0.1.2 → 0.1.4

package/dist/broker.js

@@ -1,11 +1,14 @@
+import path, { join, dirname, resolve } from 'path';
+import { fileURLToPath } from 'url';
 import { platform, release, hostname, homedir } from 'os';
-import { exec } from 'child_process';
-import { join, dirname } from 'path';
+import { exec, spawn } from 'child_process';
 import { connect, createServer } from 'net';
 import { mkdir, chmod, writeFile, readFile, unlink, stat } from 'fs/promises';
-import { privateKeyToAccount } from 'viem/accounts';
+import { privateKeyToAccount, generatePrivateKey } from 'viem/accounts';
 
-// src/broker/cli.ts
+var getFilename = () => fileURLToPath(import.meta.url);
+var getDirname = () => path.dirname(getFilename());
+var __dirname$1 = /* @__PURE__ */ getDirname();
 var DEFAULT_BACKEND_URL = "https://api.muhaven.app";
 var DEFAULT_DASHBOARD_URL = "https://muhaven.app";
 var DEFAULT_REQUEST_TIMEOUT_MS = 15e3;
@@ -71,23 +74,26 @@ function loadMcpConfig(env = process.env) {
 }
 var PRIVKEY_HEX_RE = /^0x[0-9a-fA-F]{64}$/;
 function loadBrokerConfig(env = process.env) {
-  const sessionKeyHex = env.MUHAVEN_BROKER_SESSION_KEY;
-  if (!sessionKeyHex) {
-    throw new Error(
-      "MUHAVEN_BROKER_SESSION_KEY is required (0x-prefixed 32-byte hex). Mint a session key via the dashboard policy-template install flow."
-    );
-  }
-  if (!PRIVKEY_HEX_RE.test(sessionKeyHex)) {
-    throw new Error("MUHAVEN_BROKER_SESSION_KEY must be a 0x-prefixed 32-byte hex string");
+  const sessionKeyHexRaw = env.MUHAVEN_BROKER_SESSION_KEY;
+  let sessionKeyHex;
+  if (sessionKeyHexRaw && sessionKeyHexRaw.length > 0) {
+    if (!PRIVKEY_HEX_RE.test(sessionKeyHexRaw)) {
+      throw new Error("MUHAVEN_BROKER_SESSION_KEY must be a 0x-prefixed 32-byte hex string");
+    }
+    sessionKeyHex = sessionKeyHexRaw;
   }
   const endpoint = env.MUHAVEN_BROKER_ENDPOINT ?? defaultBrokerEndpoint();
   const maxRequestBytes = readEnvInt("MUHAVEN_BROKER_MAX_BYTES", DEFAULT_BROKER_MAX_BYTES, env);
   const requestTimeoutMs = readEnvInt("MUHAVEN_BROKER_TIMEOUT_MS", DEFAULT_BROKER_TIMEOUT_MS, env);
+  const backendBaseUrl = trimTrailingSlash(env.MUHAVEN_BACKEND_URL ?? DEFAULT_BACKEND_URL);
+  const dashboardBaseUrl = trimTrailingSlash(env.MUHAVEN_DASHBOARD_URL ?? DEFAULT_DASHBOARD_URL);
   return {
     endpoint,
     sessionKeyHex,
     maxRequestBytes,
-    requestTimeoutMs
+    requestTimeoutMs,
+    backendBaseUrl,
+    dashboardBaseUrl
   };
 }
 var BrokerClientError = class extends Error {
@@ -415,8 +421,8 @@ var OsKeystore = class {
   }
 };
 var FileKeystore = class {
-  constructor(path) {
-    this.path = path;
+  constructor(path2) {
+    this.path = path2;
   }
   path;
   backend = "file";
@@ -520,7 +526,7 @@ async function openKeystore(options = {}) {
 }
 
 // src/broker/protocol.ts
-var BROKER_PROTOCOL_VERSION = "0.2.0";
+var BROKER_PROTOCOL_VERSION = "0.3.0";
 var HASH_HEX_RE = /^0x[0-9a-fA-F]{64}$/;
 var JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
 function isHashHex(value) {
@@ -606,6 +612,21 @@ function parseBrokerRequest(line) {
 function serializeResponse(res) {
   return JSON.stringify(res) + "\n";
 }
+var MissingSessionKeyError = class extends Error {
+  constructor() {
+    super(
+      "session_key_unavailable: daemon booted in read-only posture (no MUHAVEN_BROKER_SESSION_KEY at env-load time). Mint a session key via the dashboard /agent/policy/transition flow, set MUHAVEN_BROKER_SESSION_KEY, and restart the daemon. (Note: `muhaven-broker login` mints a JWT, NOT a session key \u2014 do not loop on that command for this error.)"
+    );
+    this.name = "MissingSessionKeyError";
+  }
+};
+var ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";
+var NullSigner = class {
+  address = ZERO_ADDRESS;
+  async signHash(_hash) {
+    throw new MissingSessionKeyError();
+  }
+};
 var ViemSigner = class {
   account;
   constructor(privateKey) {
@@ -622,7 +643,7 @@ var ViemSigner = class {
 // src/broker/daemon.ts
 var noopLogger = (_e) => {
 };
-async function handleBrokerRequest(req, signer, keystore, nowSec = () => Math.floor(Date.now() / 1e3)) {
+async function handleBrokerRequest(req, signer, keystore, nowSec = () => Math.floor(Date.now() / 1e3), options = {}) {
   switch (req.type) {
     case "hello": {
       let hasJwt = false;
@@ -632,16 +653,26 @@ async function handleBrokerRequest(req, signer, keystore, nowSec = () => Math.fl
       } catch {
         hasJwt = false;
       }
+      const hasSessionKey = options.hasSessionKey ?? true;
       return {
         type: "hello",
         version: BROKER_PROTOCOL_VERSION,
         sessionKeyAddress: signer.address,
-        hasJwt
+        hasJwt,
+        hasSessionKey,
+        ...options.effectiveConfig ? { effectiveConfig: options.effectiveConfig } : {}
       };
     }
     case "sign_hash": {
-      const signature = await signer.signHash(req.hash);
-      return { type: "sign_hash", signature, signerAddress: signer.address };
+      try {
+        const signature = await signer.signHash(req.hash);
+        return { type: "sign_hash", signature, signerAddress: signer.address };
+      } catch (err) {
+        if (err instanceof MissingSessionKeyError) {
+          return errorResponse("session_key_unavailable", err.message);
+        }
+        throw err;
+      }
     }
     case "store_jwt": {
       try {
@@ -713,9 +744,24 @@ var BrokerDaemon = class {
   log;
   config;
   keystore;
+  /**
+   * Whether a session-key private half is actually loaded. `false` =
+   * daemon booted in read-only posture (no `MUHAVEN_BROKER_SESSION_KEY`
+   * at env-load time) and uses a `NullSigner` whose `signHash` throws.
+   */
+  hasSessionKey;
   constructor(options) {
     this.config = options.config;
-    this.signer = options.signer ?? new ViemSigner(options.config.sessionKeyHex);
+    if (options.signer) {
+      this.signer = options.signer;
+      this.hasSessionKey = true;
+    } else if (options.config.sessionKeyHex) {
+      this.signer = new ViemSigner(options.config.sessionKeyHex);
+      this.hasSessionKey = true;
+    } else {
+      this.signer = new NullSigner();
+      this.hasSessionKey = false;
+    }
     this.keystore = options.keystore ?? null;
     this.log = options.logger ?? noopLogger;
     this.server = createServer((socket) => this.onConnection(socket));
@@ -753,6 +799,7 @@ var BrokerDaemon = class {
       meta: {
         endpoint: this.config.endpoint,
         signer: this.signer.address,
+        hasSessionKey: this.hasSessionKey,
         keystore: this.keystore.backend,
         version: BROKER_PROTOCOL_VERSION
       }
@@ -834,7 +881,19 @@ var BrokerDaemon = class {
       return;
     }
     try {
-      const res = await handleBrokerRequest(parsed, this.signer, this.keystore);
+      const res = await handleBrokerRequest(
+        parsed,
+        this.signer,
+        this.keystore,
+        void 0,
+        {
+          hasSessionKey: this.hasSessionKey,
+          effectiveConfig: {
+            backendBaseUrl: this.config.backendBaseUrl,
+            dashboardBaseUrl: this.config.dashboardBaseUrl
+          }
+        }
+      );
       socket.end(serializeResponse(res));
     } catch (err) {
       this.log({
@@ -850,6 +909,15 @@ var BrokerDaemon = class {
 };
 async function runBrokerDaemonCli() {
   const config = loadBrokerConfig();
+  if (!config.sessionKeyHex) {
+    process.stderr.write(
+      JSON.stringify({
+        ts: (/* @__PURE__ */ new Date()).toISOString(),
+        level: "info",
+        msg: "broker booting in read-only posture (no MUHAVEN_BROKER_SESSION_KEY)"
+      }) + "\n"
+    );
+  }
   const daemon = new BrokerDaemon({
     config,
     logger: (e) => {
@@ -867,6 +935,332 @@ async function runBrokerDaemonCli() {
   await new Promise(() => {
   });
 }
+var DANGEROUS_NODE_ENV_VARS = [
+  "NODE_OPTIONS",
+  "NODE_TLS_REJECT_UNAUTHORIZED",
+  "NODE_EXTRA_CA_CERTS",
+  "NODE_PATH"
+];
+function applyEnvDefaults(input) {
+  const { env } = input;
+  const platformId = input.platformId ?? process.platform;
+  const osRelease = input.osRelease ?? release();
+  const toSet = {};
+  const preserved = [];
+  const defaultIfUnset = (name, value) => {
+    if (env[name] && env[name].length > 0) {
+      preserved.push(name);
+    } else {
+      toSet[name] = value;
+    }
+  };
+  defaultIfUnset("MUHAVEN_BACKEND_URL", "https://api.muhaven.app");
+  defaultIfUnset("MUHAVEN_DASHBOARD_URL", "https://muhaven.app");
+  const wantFileKeyring = platformId === "win32" || platformId === "linux" && (env.WSL_DISTRO_NAME !== void 0 || /microsoft/i.test(osRelease)) || env.REMOTE_CONTAINERS === "true" || env.CODESPACES === "true" || env.SSH_CONNECTION !== void 0;
+  if (wantFileKeyring) {
+    defaultIfUnset("MUHAVEN_KEYRING", "file");
+  } else if (env.MUHAVEN_KEYRING) {
+    preserved.push("MUHAVEN_KEYRING");
+  }
+  return { toSet, preserved };
+}
+function mintSessionKey() {
+  return generatePrivateKey();
+}
+function decideSetupAction(input) {
+  if (input.hello === null) return "spawn_and_login";
+  if (!input.hello.hasJwt) return "login_only";
+  return "already_ready";
+}
+function spawnDaemon(options) {
+  const sanitized = {};
+  for (const [k, v] of Object.entries(process.env)) {
+    if (!DANGEROUS_NODE_ENV_VARS.includes(k)) {
+      sanitized[k] = v;
+    }
+  }
+  const merged = { ...sanitized, ...options.env };
+  const child = spawn(process.execPath, [options.binPath], {
+    detached: true,
+    stdio: "ignore",
+    windowsHide: true,
+    env: merged
+  });
+  child.unref();
+  if (child.pid === void 0) {
+    throw new Error("failed to spawn muhaven-broker daemon \u2014 child pid is undefined");
+  }
+  return child.pid;
+}
+function validateHttpUrlFlag(name, value) {
+  let parsed;
+  try {
+    parsed = new URL(value);
+  } catch {
+    return `${name} is not a valid URL: ${value}`;
+  }
+  if (parsed.protocol === "https:") return null;
+  if (parsed.protocol === "http:") {
+    const host = parsed.hostname;
+    if (host === "localhost" || host === "127.0.0.1" || host === "[::1]") return null;
+    return `${name} must use https:// (got http:// to ${host} \u2014 refusing to ship JWT cleartext)`;
+  }
+  return `${name} must use https:// (got ${parsed.protocol})`;
+}
+function validateBrokerEndpointFlag(value, platformId) {
+  if (!value || value.length === 0) {
+    return "--broker-endpoint cannot be empty";
+  }
+  if (platformId === "win32") {
+    if (value.startsWith("\\\\.\\pipe\\") || value.startsWith("//./pipe/")) {
+      return null;
+    }
+    return "--broker-endpoint on Windows must be a named pipe path (\\\\.\\pipe\\...)";
+  }
+  if (!value.startsWith("/")) {
+    return "--broker-endpoint on POSIX must be an absolute path (e.g. /run/muhaven/broker.sock)";
+  }
+  return null;
+}
+var defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+async function waitForBroker(options) {
+  const timeoutMs = options.timeoutMs ?? 8e3;
+  const intervalMs = options.intervalMs ?? 200;
+  const sleep = options.sleep ?? defaultSleep;
+  const now = options.now ?? Date.now;
+  const deadline = now() + timeoutMs;
+  let lastErr = null;
+  while (now() < deadline) {
+    try {
+      const hello = await options.broker.hello();
+      return { hasJwt: hello.hasJwt };
+    } catch (err) {
+      lastErr = err;
+      if (now() + intervalMs < deadline) {
+        await sleep(intervalMs);
+      } else {
+        break;
+      }
+    }
+  }
+  throw new Error(
+    `muhaven-broker daemon did not become reachable within ${timeoutMs}ms: ${lastErr instanceof Error ? lastErr.message : String(lastErr)}`
+  );
+}
+function parseSetupFlags(argv) {
+  let foreground = false;
+  let noLaunchBrowser = false;
+  let brokerEndpoint;
+  let backendBaseUrl;
+  let dashboardBaseUrl;
+  let skipLogin = false;
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a === "--foreground" || a === "-f") foreground = true;
+    else if (a === "--no-launch-browser") noLaunchBrowser = true;
+    else if (a === "--skip-login") skipLogin = true;
+    else if (a === "--broker-endpoint" && i + 1 < argv.length) brokerEndpoint = argv[++i];
+    else if (a === "--backend-base-url" && i + 1 < argv.length) backendBaseUrl = argv[++i];
+    else if (a === "--dashboard-base-url" && i + 1 < argv.length) dashboardBaseUrl = argv[++i];
+    else throw new Error(`unknown flag: ${a}`);
+  }
+  return {
+    foreground,
+    noLaunchBrowser,
+    brokerEndpoint,
+    backendBaseUrl,
+    dashboardBaseUrl,
+    skipLogin
+  };
+}
+async function runSetup(argv, deps) {
+  let flags;
+  try {
+    flags = parseSetupFlags(argv);
+  } catch (err) {
+    deps.printErr(`error: ${err.message}`);
+    deps.printErr(
+      "usage: muhaven-broker setup [--foreground|-f] [--no-launch-browser] [--skip-login]\n                            [--broker-endpoint PATH] [--backend-base-url URL]\n                            [--dashboard-base-url URL]"
+    );
+    return 2;
+  }
+  if (flags.backendBaseUrl) {
+    const err = validateHttpUrlFlag("--backend-base-url", flags.backendBaseUrl);
+    if (err) {
+      deps.printErr(`error: ${err}`);
+      return 2;
+    }
+  }
+  if (flags.dashboardBaseUrl) {
+    const err = validateHttpUrlFlag("--dashboard-base-url", flags.dashboardBaseUrl);
+    if (err) {
+      deps.printErr(`error: ${err}`);
+      return 2;
+    }
+  }
+  if (flags.brokerEndpoint) {
+    const err = validateBrokerEndpointFlag(flags.brokerEndpoint, deps.platformId);
+    if (err) {
+      deps.printErr(`error: ${err}`);
+      return 2;
+    }
+  }
+  const overrides = applyEnvDefaults({
+    env: deps.env,
+    platformId: deps.platformId,
+    osRelease: deps.osRelease
+  });
+  const effectiveEnv = {};
+  for (const [k, v] of Object.entries(deps.env)) {
+    if (typeof v === "string") effectiveEnv[k] = v;
+  }
+  for (const [k, v] of Object.entries(overrides.toSet)) {
+    effectiveEnv[k] = v;
+  }
+  if (flags.brokerEndpoint) effectiveEnv.MUHAVEN_BROKER_ENDPOINT = flags.brokerEndpoint;
+  if (flags.backendBaseUrl) effectiveEnv.MUHAVEN_BACKEND_URL = flags.backendBaseUrl;
+  if (flags.dashboardBaseUrl) effectiveEnv.MUHAVEN_DASHBOARD_URL = flags.dashboardBaseUrl;
+  for (const name of overrides.preserved) {
+    deps.print(`Env preserved: ${name} (set in your shell)`);
+  }
+  for (const [k, v] of Object.entries(overrides.toSet)) {
+    deps.print(`Env defaulted: ${k}=${v}`);
+  }
+  let sessionKey = effectiveEnv.MUHAVEN_BROKER_SESSION_KEY;
+  let mintedKey = false;
+  if (!sessionKey || sessionKey === "") {
+    sessionKey = deps.mintSessionKey();
+    mintedKey = true;
+    deps.print("Session key: minted fresh (secp256k1, ephemeral to this daemon).");
+  } else {
+    deps.print("Session key: using MUHAVEN_BROKER_SESSION_KEY from env.");
+  }
+  effectiveEnv.MUHAVEN_BROKER_SESSION_KEY = sessionKey;
+  if (flags.foreground) {
+    deps.print("Foreground mode \u2014 running daemon attached to this shell. Ctrl-C to stop.");
+    const restorationKeys = [
+      ...Object.keys(overrides.toSet),
+      "MUHAVEN_BROKER_SESSION_KEY",
+      ...flags.brokerEndpoint ? ["MUHAVEN_BROKER_ENDPOINT"] : [],
+      ...flags.backendBaseUrl ? ["MUHAVEN_BACKEND_URL"] : [],
+      ...flags.dashboardBaseUrl ? ["MUHAVEN_DASHBOARD_URL"] : []
+    ];
+    const originalValues = {};
+    for (const k of restorationKeys) {
+      originalValues[k] = process.env[k];
+      process.env[k] = effectiveEnv[k];
+    }
+    try {
+      await deps.runForegroundDaemon();
+    } finally {
+      for (const k of restorationKeys) {
+        if (originalValues[k] === void 0) delete process.env[k];
+        else process.env[k] = originalValues[k];
+      }
+    }
+    return 0;
+  }
+  const config = loadMcpConfig(effectiveEnv);
+  const broker = deps.newBrokerClient(config.brokerEndpoint, config.brokerTimeoutMs);
+  let helloProbe = null;
+  try {
+    helloProbe = await broker.hello();
+  } catch {
+  }
+  const action = decideSetupAction({ hello: helloProbe });
+  let daemonPid = null;
+  if (action === "spawn_and_login") {
+    deps.print("Broker daemon: not running, starting one (detached) ...");
+    daemonPid = deps.spawnDaemon({
+      binPath: deps.resolveBinPath(),
+      env: {
+        // Explicit env for the spawned daemon. Includes every var that the
+        // daemon's loadBrokerConfig will read, sourced from our resolved
+        // effectiveEnv (NOT from process.env). spawnDaemon will sanitize
+        // process.env-inherited values further (strips NODE_OPTIONS etc.).
+        ...overrides.toSet,
+        MUHAVEN_BROKER_ENDPOINT: config.brokerEndpoint,
+        MUHAVEN_BACKEND_URL: effectiveEnv.MUHAVEN_BACKEND_URL,
+        MUHAVEN_DASHBOARD_URL: effectiveEnv.MUHAVEN_DASHBOARD_URL,
+        MUHAVEN_BROKER_SESSION_KEY: sessionKey
+      }
+    });
+    try {
+      const readyHello = await deps.waitForBroker({ broker });
+      helloProbe = readyHello;
+      deps.print(`Broker daemon: ready (PID ${daemonPid}, endpoint ${config.brokerEndpoint}).`);
+    } catch (err) {
+      deps.printErr(err.message);
+      deps.printErr(
+        "  hint: re-run `muhaven-broker setup` after checking that no other broker is bound to the same endpoint."
+      );
+      return 1;
+    }
+  } else {
+    deps.print(`Broker daemon: already reachable at ${config.brokerEndpoint}.`);
+  }
+  const needsLogin = !flags.skipLogin && !(helloProbe && helloProbe.hasJwt);
+  if (flags.skipLogin) {
+    deps.print("Login: skipped per --skip-login.");
+  } else if (helloProbe && helloProbe.hasJwt) {
+    deps.print("Login: skipped \u2014 JWT already in keystore.");
+  }
+  if (needsLogin) {
+    const loginArgv = [];
+    if (flags.noLaunchBrowser) loginArgv.push("--no-launch-browser");
+    if (flags.brokerEndpoint) {
+      loginArgv.push("--broker-endpoint", flags.brokerEndpoint);
+    }
+    if (flags.backendBaseUrl) {
+      loginArgv.push("--backend-base-url", flags.backendBaseUrl);
+    }
+    if (flags.dashboardBaseUrl) {
+      loginArgv.push("--dashboard-base-url", flags.dashboardBaseUrl);
+    }
+    const restorationKeys = ["MUHAVEN_BACKEND_URL", "MUHAVEN_DASHBOARD_URL", "MUHAVEN_BROKER_ENDPOINT"];
+    const originalValues = {};
+    for (const k of restorationKeys) {
+      originalValues[k] = process.env[k];
+      if (effectiveEnv[k]) process.env[k] = effectiveEnv[k];
+    }
+    let code;
+    try {
+      code = await deps.runLogin(loginArgv);
+    } finally {
+      for (const k of restorationKeys) {
+        if (originalValues[k] === void 0) delete process.env[k];
+        else process.env[k] = originalValues[k];
+      }
+    }
+    if (code !== 0) {
+      deps.printErr(
+        "Setup: login step failed \u2014 daemon is still running, re-run `muhaven-broker login` to retry."
+      );
+      if (daemonPid !== null) {
+        const killCmd = deps.platformId === "win32" ? `Stop-Process -Id ${daemonPid}` : `kill ${daemonPid}`;
+        deps.printErr(`  (daemon PID ${daemonPid}; stop with: ${killCmd})`);
+      }
+      return code;
+    }
+  }
+  deps.print("");
+  deps.print("================================");
+  deps.print("Setup complete.");
+  if (daemonPid !== null) {
+    deps.print(`  Daemon PID : ${daemonPid}`);
+    const killCmd = deps.platformId === "win32" ? `Stop-Process -Id ${daemonPid}` : `kill ${daemonPid}`;
+    deps.print(`  Stop daemon: ${killCmd}`);
+  } else {
+    deps.print("  Daemon     : already running");
+  }
+  deps.print(`  Endpoint   : ${config.brokerEndpoint}`);
+  deps.print("  Sign out   : muhaven-broker logout   (clears JWT, leaves daemon running)");
+  if (mintedKey) {
+    deps.print("  Session key: ephemeral \u2014 minted by setup, lives only in the daemon process.");
+  }
+  deps.print("================================");
+  return 0;
+}
 
 // src/broker/cli.ts
 function print(line) {
@@ -876,7 +1270,7 @@ function printErr(line) {
   process.stderr.write(line + "\n");
 }
 function detectMcpHost() {
-  return process.env.MCP_HOST_NAME ?? process.env.CLAUDE_CODE_HOST ?? process.env.npm_lifecycle_event ?? "muhaven-broker-cli";
+  return process.env.MCP_HOST_NAME ?? process.env.CLAUDE_CODE_HOST ?? "muhaven-broker-cli";
 }
 function detectEnvironment() {
   const warnings = [];
@@ -902,9 +1296,11 @@ function parseLoginFlags(argv) {
   let brokerEndpoint;
   let backendBaseUrl;
   let dashboardBaseUrl;
+  let fromDaemon = false;
   for (let i = 0; i < argv.length; i++) {
     const a = argv[i];
     if (a === "--no-launch-browser") noLaunchBrowser = true;
+    else if (a === "--from-daemon") fromDaemon = true;
     else if (a === "--broker-endpoint" && i + 1 < argv.length) {
       brokerEndpoint = argv[++i];
     } else if (a === "--backend-base-url" && i + 1 < argv.length) {
@@ -915,7 +1311,12 @@ function parseLoginFlags(argv) {
       throw new Error(`unknown flag: ${a}`);
     }
   }
-  return { noLaunchBrowser, brokerEndpoint, backendBaseUrl, dashboardBaseUrl };
+  if (fromDaemon && (backendBaseUrl || dashboardBaseUrl)) {
+    throw new Error(
+      "--from-daemon is mutually exclusive with --backend-base-url / --dashboard-base-url"
+    );
+  }
+  return { noLaunchBrowser, brokerEndpoint, backendBaseUrl, dashboardBaseUrl, fromDaemon };
 }
 async function tryLaunchBrowser(url) {
   return new Promise((resolve) => {
@@ -929,7 +1330,9 @@ async function runLogin(argv) {
     flags = parseLoginFlags(argv);
   } catch (err) {
     printErr(`error: ${err.message}`);
-    printErr("usage: muhaven-broker login [--no-launch-browser] [--broker-endpoint PATH] [--backend-base-url URL] [--dashboard-base-url URL]");
+    printErr(
+      "usage: muhaven-broker login [--no-launch-browser] [--broker-endpoint PATH] [--from-daemon | (--backend-base-url URL --dashboard-base-url URL)]"
+    );
     return 2;
   }
   const env = process.env;
@@ -943,8 +1346,9 @@ async function runLogin(argv) {
     endpoint: config.brokerEndpoint,
     timeoutMs: config.brokerTimeoutMs
   });
+  let helloResult;
   try {
-    await broker.hello();
+    helloResult = await broker.hello();
   } catch (err) {
     printErr(
       `cannot reach muhaven-broker daemon at ${config.brokerEndpoint}: ${err.message}`
@@ -952,9 +1356,42 @@ async function runLogin(argv) {
     printErr("hint: start the daemon first (`muhaven-broker` with no subcommand).");
     return 1;
   }
+  let backendBaseUrl = config.backendBaseUrl;
+  let dashboardBaseUrl = config.dashboardBaseUrl;
+  if (flags.fromDaemon) {
+    if (!helloResult.effectiveConfig) {
+      printErr(
+        "--from-daemon requested but broker did not return effectiveConfig (daemon is older than protocol 0.3.0). Upgrade the daemon (`@muhaven/mcp@0.1.3+`) or drop the flag."
+      );
+      return 1;
+    }
+    const daemonBackend = helloResult.effectiveConfig.backendBaseUrl;
+    const daemonDashboard = helloResult.effectiveConfig.dashboardBaseUrl;
+    if (!daemonBackend || !daemonDashboard) {
+      printErr(
+        "--from-daemon: daemon returned an empty backend/dashboard URL \u2014 refusing to proceed."
+      );
+      return 1;
+    }
+    if (daemonBackend !== config.backendBaseUrl) {
+      print(
+        `\u26A0 daemon backend (${daemonBackend}) differs from CLI env (${config.backendBaseUrl}). Using daemon's value per --from-daemon.`
+      );
+    }
+    if (daemonDashboard !== config.dashboardBaseUrl) {
+      print(
+        `\u26A0 daemon dashboard (${daemonDashboard}) differs from CLI env (${config.dashboardBaseUrl}). Using daemon's value per --from-daemon.`
+      );
+    }
+    backendBaseUrl = daemonBackend;
+    dashboardBaseUrl = daemonDashboard;
+    print(`Using daemon's effective config:`);
+    print(`  backend:   ${backendBaseUrl}`);
+    print(`  dashboard: ${dashboardBaseUrl}`);
+  }
   const flow = new DeviceFlowClient({
-    backendBaseUrl: config.backendBaseUrl,
-    dashboardBaseUrl: config.dashboardBaseUrl,
+    backendBaseUrl,
+    dashboardBaseUrl,
     requesterMetadata: {
       processName: detectMcpHost(),
       hostname: hostname(),
@@ -1069,7 +1506,13 @@ async function runDoctor() {
   });
   try {
     const h = await broker.hello();
-    print(`Broker daemon     : reachable (proto v${h.version}, signer ${h.sessionKeyAddress}, hasJwt=${h.hasJwt})`);
+    const hasKey = h.hasSessionKey ?? true;
+    const keyTag = hasKey ? `signer ${h.sessionKeyAddress}` : "NO SESSION KEY (read-only posture)";
+    print(`Broker daemon     : reachable (proto v${h.version}, ${keyTag}, hasJwt=${h.hasJwt})`);
+    if (h.effectiveConfig) {
+      print(`Daemon backend URL: ${h.effectiveConfig.backendBaseUrl}`);
+      print(`Daemon dashboard  : ${h.effectiveConfig.dashboardBaseUrl}`);
+    }
     return 0;
   } catch (err) {
     print(`Broker daemon     : NOT reachable (${err.message})`);
@@ -1081,10 +1524,44 @@ function printUsage() {
   print("usage: muhaven-broker [<subcommand>] [options]");
   print("");
   print("  (no subcommand)    Run the daemon (production mode)");
+  print("  setup              One-shot install: env defaults + session key + detached daemon + login");
+  print("                       [--foreground|-f] keeps the daemon attached (skip background spawn)");
+  print("                       [--skip-login] starts the daemon but lets you run login later");
+  print("                       [--no-launch-browser] pass-through to login");
   print("  login              Acquire a JWT via the device-code flow + store in keystore");
+  print("                       [--from-daemon] resolves backend/dashboard URLs from the running daemon");
   print("  logout             Clear the JWT from the keystore");
   print("  doctor             Print environment + keystore + reachability report");
   print("  -h, --help         Show this help");
+  print("  -v, --version      Print the @muhaven/mcp package version");
+}
+function getBrokerPackageVersion() {
+  {
+    return "0.1.4";
+  }
+}
+function printVersion() {
+  print(`muhaven-broker @muhaven/mcp@${getBrokerPackageVersion()}`);
+}
+function resolveBrokerBinPath() {
+  return resolve(__dirname$1, "..", "bin", "muhaven-broker.cjs");
+}
+async function runSetup2(argv) {
+  const deps = {
+    print,
+    printErr,
+    mintSessionKey,
+    newBrokerClient: (endpoint, timeoutMs) => new BrokerClient({ endpoint, timeoutMs }),
+    spawnDaemon,
+    waitForBroker,
+    runLogin,
+    runForegroundDaemon: runBrokerDaemonCli,
+    resolveBinPath: resolveBrokerBinPath,
+    env: process.env,
+    platformId: process.platform,
+    osRelease: release()
+  };
+  return runSetup(argv, deps);
 }
 async function runCli(argv) {
   const [sub, ...rest] = argv;
@@ -1092,6 +1569,8 @@ async function runCli(argv) {
     case void 0:
       await runBrokerDaemonCli();
       return 0;
+    case "setup":
+      return runSetup2(rest);
     case "login":
       return runLogin(rest);
     case "logout":
@@ -1102,6 +1581,10 @@ async function runCli(argv) {
     case "--help":
       printUsage();
       return 0;
+    case "-v":
+    case "--version":
+      printVersion();
+      return 0;
     default:
       printErr(`unknown subcommand: ${sub}`);
       printUsage();
@@ -1109,4 +1592,4 @@ async function runCli(argv) {
   }
 }
 
-export { runCli, runDoctor, runLogin, runLogout };
+export { getBrokerPackageVersion, parseLoginFlags, runCli, runDoctor, runLogin, runLogout, runSetup2 as runSetup };