@nestpilot/mcp-app 1.0.0 → 1.0.1

package/dist/cli/init.js

@@ -74,11 +74,15 @@ export async function initCommand() {
                     }
                     else {
                         console.log("   ⚠ Could not provision API key (cloud API unavailable).");
+                        console.log("   Local plan creation & storage still works without an API key.");
+                        console.log("   Cloud compute (forecasts, Roth optimization) requires a key.");
                         console.log("   Set NESTPILOT_API_KEY env var manually, or run init again later.");
                     }
                 }
                 catch {
                     console.log("   ⚠ Could not reach cloud API for key provisioning.");
+                    console.log("   Local plan creation & storage still works without an API key.");
+                    console.log("   Cloud compute (forecasts, Roth optimization) requires a key.");
                     console.log("   Set NESTPILOT_API_KEY env var manually, or run init again later.");
                 }
             }
@@ -132,19 +136,25 @@ extensions:
     type: mcp
     transport: stdio
     command: npx
-    args: ["nestpilot-mcp-server"]
+    args:
+      - "--yes"
+      - "--package=@nestpilot/mcp-app"
+      - "nestpilot-mcp-server"
     env:
       NESTPILOT_MODE: local
+      NESTPILOT_DATA_DIR: "~/.nestpilot"
 `;
     await fs.writeFile(path.join(dir, "goose.yaml"), gooseConfig);
     // Cowork
     const coworkConfig = {
+        _comment: "NestPilot MCP Server — Claude Cowork (Claude Desktop) Configuration. Add this to your claude_desktop_config.json.",
         mcpServers: {
             nestpilot: {
                 command: "npx",
-                args: ["nestpilot-mcp-server"],
+                args: ["--yes", "--package=@nestpilot/mcp-app", "nestpilot-mcp-server"],
                 env: {
                     NESTPILOT_MODE: "local",
+                    NESTPILOT_DATA_DIR: "~/.nestpilot",
                 },
             },
         },
@@ -153,19 +163,25 @@ extensions:
     // OpenClaw
     const openclawManifest = {
         name: "nestpilot",
+        package: "@nestpilot/mcp-app",
         version: "1.0.0",
         description: "Local-first retirement planning — your data stays on your machine",
+        homepage: "https://www.npmjs.com/package/@nestpilot/mcp-app",
         transport: "stdio",
         command: "npx",
-        args: ["nestpilot-mcp-server"],
+        args: ["--yes", "--package=@nestpilot/mcp-app", "nestpilot-mcp-server"],
         env: {
             NESTPILOT_MODE: "local",
+            NESTPILOT_DATA_DIR: "~/.nestpilot",
         },
         capabilities: {
             tools: true,
             resources: true,
             apps: true,
         },
+        setup: {
+            instructions: "Run `npx --yes --package=@nestpilot/mcp-app nestpilot init` before first use.",
+        },
     };
     await fs.writeFile(path.join(dir, "openclaw-manifest.json"), JSON.stringify(openclawManifest, null, 2));
 }

package/dist/host-configs/cowork.json

@@ -1,10 +1,16 @@
 {
+  "_comment": "NestPilot MCP Server — Claude Cowork (Claude Desktop) Configuration. Run `npx --yes --package=@nestpilot/mcp-app nestpilot init` first, then add this to your claude_desktop_config.json.",
   "mcpServers": {
     "nestpilot": {
       "command": "npx",
-      "args": ["nestpilot-mcp-server"],
+      "args": [
+        "--yes",
+        "--package=@nestpilot/mcp-app",
+        "nestpilot-mcp-server"
+      ],
       "env": {
-        "NESTPILOT_MODE": "local"
+        "NESTPILOT_MODE": "local",
+        "NESTPILOT_DATA_DIR": "~/.nestpilot"
       }
     }
   }

package/dist/host-configs/goose.yaml

@@ -1,10 +1,15 @@
 # NestPilot MCP Server — Goose Host Configuration
 #
-# Add this to your Goose profile configuration:
-#   ~/.config/goose/profiles.yaml
+# Installation
+# ------------
+# 1. Run the initializer first (one-time setup):
+#      npx --yes --package=@nestpilot/mcp-app nestpilot init
 #
-# Under the `extensions:` section of your active profile,
-# paste the following block.
+# 2. Add the block below to your Goose profile:
+#      ~/.config/goose/profiles.yaml
+#    under the `extensions:` key of your active profile.
+#
+# 3. Restart Goose.
 #
 # @feature FEAT-0088
 
@@ -13,10 +18,13 @@ extensions:
     type: mcp
     transport: stdio
     command: npx
-    args: ["nestpilot-mcp-server"]
+    args:
+      - "--yes"
+      - "--package=@nestpilot/mcp-app"
+      - "nestpilot-mcp-server"
     env:
       NESTPILOT_MODE: local
+      NESTPILOT_DATA_DIR: "~/.nestpilot"
       # Optional overrides:
-      # NESTPILOT_DATA_DIR: "~/.nestpilot"
-      # NESTPILOT_CLOUD_API_URL: "https://api.nestpilot.com"
+      # NESTPILOT_CLOUD_API_URL: "https://api.nestpilot.net"
       # NESTPILOT_API_KEY: "your-api-key"

package/dist/host-configs/openclaw-manifest.json

@@ -1,16 +1,26 @@
 {
   "name": "nestpilot",
+  "package": "@nestpilot/mcp-app",
   "version": "1.0.0",
   "description": "Local-first retirement planning — your data stays on your machine",
+  "homepage": "https://www.npmjs.com/package/@nestpilot/mcp-app",
   "transport": "stdio",
   "command": "npx",
-  "args": ["nestpilot-mcp-server"],
+  "args": [
+    "--yes",
+    "--package=@nestpilot/mcp-app",
+    "nestpilot-mcp-server"
+  ],
   "env": {
-    "NESTPILOT_MODE": "local"
+    "NESTPILOT_MODE": "local",
+    "NESTPILOT_DATA_DIR": "~/.nestpilot"
   },
   "capabilities": {
     "tools": true,
     "resources": true,
     "apps": true
+  },
+  "setup": {
+    "instructions": "Run `npx --yes --package=@nestpilot/mcp-app nestpilot init` before first use."
   }
 }

package/dist/main.js

@@ -104,10 +104,16 @@ async function startStreamableHTTPServer(factory) {
     process.on("SIGTERM", shutdown);
 }
 /**
- * Starts an MCP server with stdio transport (for Claude Desktop).
+ * Starts an MCP server with stdio transport (for Claude Desktop / VS Code).
+ *
+ * In stdio mode there are no HTTP headers, so we synthesize an authCtx from
+ * the config's defaultUserId.  This ensures the policy engine can resolve a
+ * real role ("authenticated") when MCP_DEFAULT_USER_ID is set to anything
+ * other than the literal string "anonymous".
  */
 async function startStdioServer(factory) {
-    await factory().connect(new StdioServerTransport());
+    const stdioAuthCtx = { userId: config.defaultUserId };
+    await factory(stdioAuthCtx).connect(new StdioServerTransport());
 }
 async function main() {
     if (process.argv.includes("--stdio")) {

package/dist/server.js

@@ -72,49 +72,49 @@ export function createServer(authCtx) {
     });
     if (localConfig.mode === "local") {
         // ── Local mode (FEAT-0087) ────────────────────────────────────────
-        console.log("[server] Starting in LOCAL mode — data stays on this machine");
+        console.error("[server] Starting in LOCAL mode — data stays on this machine");
         const keychain = createKeychainProvider(localConfig.dataDir);
         const encryption = new EncryptionService(keychain);
         const store = new LocalPlanStore(localConfig.dataDir, encryption);
         const computeClient = new CloudComputeClient(localConfig.cloudApiUrl, localConfig.apiKey ?? "");
-        console.log("Registering Local Plan tools...");
+        console.error("Registering Local Plan tools...");
         registerLocalPlanTools(server, store, computeClient);
         // Cloud-backed tools that use PII-free payloads
-        console.log("Registering Medicare tools (cloud)...");
+        console.error("Registering Medicare tools (cloud)...");
         registerMedicareTools(server, authCtx);
-        console.log("Registering Roth tools (cloud)...");
+        console.error("Registering Roth tools (cloud)...");
         registerRothTools(server, authCtx);
-        console.log("Registering Report tools (cloud)...");
+        console.error("Registering Report tools (cloud)...");
         registerReportTools(server, authCtx);
     }
     else {
         // ── Cloud mode (default — existing behavior) ──────────────────────
-        console.log("[server] Starting in CLOUD mode — proxy to Spring Boot API");
-        console.log("Registering Medicare tools...");
+        console.error("[server] Starting in CLOUD mode — proxy to Spring Boot API");
+        console.error("Registering Medicare tools...");
         registerMedicareTools(server, authCtx);
-        console.log("Registering Planning tools...");
+        console.error("Registering Planning tools...");
         registerPlanningTools(server, authCtx);
-        console.log("Registering Roth tools...");
+        console.error("Registering Roth tools...");
         registerRothTools(server, authCtx);
-        console.log("Registering Agent tools...");
+        console.error("Registering Agent tools...");
         registerAgentTools(server, authCtx);
-        console.log("Registering Plan Management tools...");
+        console.error("Registering Plan Management tools...");
         registerPlanManagementTools(server, authCtx);
-        console.log("Registering Forecast Management tools...");
+        console.error("Registering Forecast Management tools...");
         registerForecastManagementTools(server, authCtx);
-        console.log("Registering Scenario Management tools...");
+        console.error("Registering Scenario Management tools...");
         registerScenarioManagementTools(server, authCtx);
-        console.log("Registering Proposal tools...");
+        console.error("Registering Proposal tools...");
         registerProposalTools(server, authCtx);
-        console.log("Registering Report tools...");
+        console.error("Registering Report tools...");
         registerReportTools(server, authCtx);
     }
     // ── Shared registrations (both modes) ─────────────────────────────────
-    console.log("Registering views...");
+    console.error("Registering views...");
     registerPlannerView(server);
     registerVerificationPacketView(server);
     registerSkillResources(server);
-    console.log("Server registration complete");
+    console.error("Server registration complete");
     return server;
 }
 // ── Retirement Planner view ─────────────────────────────────────────────

package/dist/src/local/keychain.js

@@ -83,28 +83,46 @@ class WindowsKeychain {
     async get(service, account) {
         try {
             const target = this.target(service, account);
+            // Use Win32 CredRead API via P/Invoke — works on all Windows versions
+            // without requiring the external CredentialManager PowerShell module.
+            // The script is Base64-encoded (UTF-16LE) to avoid quoting/escaping issues.
+            const script = [
+                "Add-Type -TypeDefinition @'",
+                "using System; using System.Runtime.InteropServices;",
+                "public class NpCred {",
+                '  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]',
+                "  public static extern bool CredRead(string t, int ty, int f, out IntPtr c);",
+                '  [DllImport("advapi32.dll")]',
+                "  public static extern void CredFree(IntPtr c);",
+                "  [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]",
+                "  public struct CREDENTIAL {",
+                "    public int Flags; public int Type; public string TargetName;",
+                "    public string Comment; public long LastWritten;",
+                "    public int CredentialBlobSize; public IntPtr CredentialBlob;",
+                "    public int Persist; public int AttributeCount; public IntPtr Attributes;",
+                "    public string TargetAlias; public string UserName;",
+                "  }",
+                "}",
+                "'@",
+                "$p=[IntPtr]::Zero",
+                `if([NpCred]::CredRead('${target}',1,0,[ref]$p)){`,
+                "  $c=[Runtime.InteropServices.Marshal]::PtrToStructure($p,[Type][NpCred+CREDENTIAL])",
+                "  $s=[Runtime.InteropServices.Marshal]::PtrToStringUni($c.CredentialBlob,$c.CredentialBlobSize/2)",
+                "  [NpCred]::CredFree($p)",
+                "  Write-Output $s",
+                "}",
+            ].join("\n");
+            const encoded = Buffer.from(script, "utf16le").toString("base64");
             const { stdout } = await execFileAsync("powershell.exe", [
                 "-NoProfile",
-                "-Command",
-                `$cred = Get-StoredCredential -Target '${target}' -ErrorAction SilentlyContinue; if ($cred) { $cred.GetNetworkCredential().Password } else { $null }`,
+                "-EncodedCommand",
+                encoded,
             ]);
             const result = stdout.trim();
             return result && result !== "" ? result : null;
         }
         catch {
-            // Fallback: try cmdkey
-            try {
-                const target = this.target(service, account);
-                const { stdout } = await execFileAsync("powershell.exe", [
-                    "-NoProfile",
-                    "-Command",
-                    `[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR((New-Object System.Management.Automation.PSCredential('_', (cmdkey /generic:${target} /list 2>$null | Out-Null; [System.Security.SecureString]::new()))).Password))`,
-                ]);
-                return stdout.trim() || null;
-            }
-            catch {
-                return null;
-            }
+            return null;
         }
     }
     async set(service, account, value) {

package/dist/src/local/local-config.js

@@ -31,7 +31,7 @@ export function configFilePath(dataDir) {
     return path.join(dataDir, "config.json");
 }
 // ── Configuration loader ─────────────────────────────────────────────────
-const DEFAULT_CLOUD_API_URL = "https://api.nestpilot.com";
+const DEFAULT_CLOUD_API_URL = "https://api.nestpilot.net";
 /**
  * Loads the local configuration from environment variables.
  *

package/dist/tools/local-plan-tools.js

@@ -207,7 +207,7 @@ Requires internet connectivity for cloud compute. Cached results are returned if
                 }, true);
             }
             if (removedFields.length > 0) {
-                console.log(`[local] PII scrubber removed ${removedFields.length} field(s): ${removedFields.join(", ")}`);
+                console.error(`[local] PII scrubber removed ${removedFields.length} field(s): ${removedFields.join(", ")}`);
             }
             // Call cloud compute
             const result = await computeClient.forecast(scrubbed);

package/dist/tools/mcp-helpers.js

@@ -80,9 +80,16 @@ function runPipeline(opts) {
         }
     }
     if (contract) {
+        const resolvedUserId = opts.actorId ?? opts.authCtx?.userId ?? "anonymous";
+        const resolvedRole = opts.role ??
+            (opts.authCtx?.bearerToken
+                ? "authenticated"
+                : resolvedUserId !== "anonymous"
+                    ? "authenticated"
+                    : "anonymous");
         const policyCtx = {
-            actorId: opts.actorId ?? opts.authCtx?.userId ?? "anonymous",
-            role: opts.role ?? (opts.authCtx?.bearerToken ? "authenticated" : "anonymous"),
+            actorId: resolvedUserId,
+            role: resolvedRole,
             toolName: opts.toolName,
         };
         const decision = evaluatePolicy(policyCtx);

package/dist/tools/optimize-roth-tools.js

@@ -32,7 +32,7 @@ const POLICY_TARGET_BRACKETS = {
 };
 // ── Tool registration ───────────────────────────────────────────────────
 export function registerRothTools(server, authCtx) {
-    console.log("registerRothTools: Starting registration...");
+    console.error("registerRothTools: Starting registration...");
     try {
         registerAppTool(server, "optimize_roth_conversion", {
             title: "Optimize Roth Conversion",
@@ -377,7 +377,7 @@ DO NOT USE for basic forecasting — use run_forecast instead.`,
                 }, true);
             }
         });
-        console.log("registerRothTools: Registration successful!");
+        console.error("registerRothTools: Registration successful!");
     }
     catch (error) {
         console.error("registerRothTools: FAILED to register optimize_roth_conversion:", error);

package/host-configs/cowork.json

@@ -1,10 +1,16 @@
 {
+  "_comment": "NestPilot MCP Server — Claude Cowork (Claude Desktop) Configuration. Run `npx --yes --package=@nestpilot/mcp-app nestpilot init` first, then add this to your claude_desktop_config.json.",
   "mcpServers": {
     "nestpilot": {
       "command": "npx",
-      "args": ["nestpilot-mcp-server"],
+      "args": [
+        "--yes",
+        "--package=@nestpilot/mcp-app",
+        "nestpilot-mcp-server"
+      ],
       "env": {
-        "NESTPILOT_MODE": "local"
+        "NESTPILOT_MODE": "local",
+        "NESTPILOT_DATA_DIR": "~/.nestpilot"
       }
     }
   }

package/host-configs/goose.yaml

@@ -1,10 +1,15 @@
 # NestPilot MCP Server — Goose Host Configuration
 #
-# Add this to your Goose profile configuration:
-#   ~/.config/goose/profiles.yaml
+# Installation
+# ------------
+# 1. Run the initializer first (one-time setup):
+#      npx --yes --package=@nestpilot/mcp-app nestpilot init
 #
-# Under the `extensions:` section of your active profile,
-# paste the following block.
+# 2. Add the block below to your Goose profile:
+#      ~/.config/goose/profiles.yaml
+#    under the `extensions:` key of your active profile.
+#
+# 3. Restart Goose.
 #
 # @feature FEAT-0088
 
@@ -13,10 +18,13 @@ extensions:
     type: mcp
     transport: stdio
     command: npx
-    args: ["nestpilot-mcp-server"]
+    args:
+      - "--yes"
+      - "--package=@nestpilot/mcp-app"
+      - "nestpilot-mcp-server"
     env:
       NESTPILOT_MODE: local
+      NESTPILOT_DATA_DIR: "~/.nestpilot"
       # Optional overrides:
-      # NESTPILOT_DATA_DIR: "~/.nestpilot"
-      # NESTPILOT_CLOUD_API_URL: "https://api.nestpilot.com"
+      # NESTPILOT_CLOUD_API_URL: "https://api.nestpilot.net"
       # NESTPILOT_API_KEY: "your-api-key"

package/host-configs/openclaw-manifest.json

@@ -1,16 +1,26 @@
 {
   "name": "nestpilot",
+  "package": "@nestpilot/mcp-app",
   "version": "1.0.0",
   "description": "Local-first retirement planning — your data stays on your machine",
+  "homepage": "https://www.npmjs.com/package/@nestpilot/mcp-app",
   "transport": "stdio",
   "command": "npx",
-  "args": ["nestpilot-mcp-server"],
+  "args": [
+    "--yes",
+    "--package=@nestpilot/mcp-app",
+    "nestpilot-mcp-server"
+  ],
   "env": {
-    "NESTPILOT_MODE": "local"
+    "NESTPILOT_MODE": "local",
+    "NESTPILOT_DATA_DIR": "~/.nestpilot"
   },
   "capabilities": {
     "tools": true,
     "resources": true,
     "apps": true
+  },
+  "setup": {
+    "instructions": "Run `npx --yes --package=@nestpilot/mcp-app nestpilot init` before first use."
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nestpilot/mcp-app",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "type": "module",
   "description": "NestPilot MCP App — Retirement planning tools and interactive views",
   "bin": {