@nestpilot/mcp-app 1.0.0 → 1.0.2

package/dist/cli/init.js

@@ -4,12 +4,13 @@
  * Steps:
  *   1. Create ~/.nestpilot/ directory structure
  *   2. Generate encryption key and store in OS keychain
- *   3. Optionally provision API key via cloud endpoint
+ *   3. Authenticate via Device Code Flow and provision API key
  *   4. Write config.json with preferences
  *   5. Copy host config templates
  *   6. Print success message with next steps
  *
  * @feature FEAT-0088
+ * @feature FEAT-0091
  */
 import fs from "node:fs/promises";
 import path from "node:path";
@@ -18,6 +19,7 @@ import { stdin, stdout } from "node:process";
 import { loadLocalConfig, DATA_SUBDIRS, configFilePath, } from "../src/local/local-config.js";
 import { createKeychainProvider } from "../src/local/keychain.js";
 import { EncryptionService } from "../src/local/encryption.js";
+import { DeviceAuthClient } from "../src/local/device-auth.js";
 // ── Init command ─────────────────────────────────────────────────────────
 export async function initCommand() {
     console.log("\n🏠 NestPilot Local Setup");
@@ -48,42 +50,36 @@ export async function initCommand() {
         console.log("   ✓ Encryption key generated and stored in OS keychain");
     }
     console.log();
-    // Step 3: API Key provisioning (optional)
+    // Step 3: API Key provisioning via Device Code Flow (FEAT-0091)
     console.log("3. API Key Provisioning");
     const existingKey = await keychain.get("nestpilot", "api-key");
     if (existingKey) {
-        console.log("   ✓ API key already configured");
+        // Verify the stored key is still valid
+        const deviceAuth = new DeviceAuthClient(config.cloudApiUrl);
+        try {
+            const valid = await deviceAuth.verifyApiKey(existingKey);
+            if (valid) {
+                console.log("   ✓ API key already configured and valid");
+            }
+            else {
+                console.log("   ⚠ Stored API key is expired or revoked. Re-authenticating...");
+                await provisionApiKey(config.cloudApiUrl, keychain);
+            }
+        }
+        catch {
+            console.log("   ✓ API key configured (cloud verification skipped — offline)");
+        }
     }
     else {
         const rl = readline.createInterface({ input: stdin, output: stdout });
         try {
-            const email = await rl.question("   Enter your email for free tier (10 forecasts/mo), or press Enter to skip: ");
-            if (email.trim()) {
-                try {
-                    const response = await fetch(`${config.cloudApiUrl}/api/auth/provision-key`, {
-                        method: "POST",
-                        headers: { "Content-Type": "application/json" },
-                        body: JSON.stringify({ email: email.trim() }),
-                        signal: AbortSignal.timeout(10_000),
-                    });
-                    if (response.ok) {
-                        const data = (await response.json());
-                        await keychain.set("nestpilot", "api-key", data.apiKey);
-                        console.log("   ✓ API key provisioned (10 forecasts/mo free)");
-                        console.log("   ✓ API key stored in OS keychain");
-                    }
-                    else {
-                        console.log("   ⚠ Could not provision API key (cloud API unavailable).");
-                        console.log("   Set NESTPILOT_API_KEY env var manually, or run init again later.");
-                    }
-                }
-                catch {
-                    console.log("   ⚠ Could not reach cloud API for key provisioning.");
-                    console.log("   Set NESTPILOT_API_KEY env var manually, or run init again later.");
-                }
+            const answer = await rl.question("   Sign in to NestPilot for cloud compute (forecasts, Roth optimization)? [Y/n] ");
+            if (answer.trim().toLowerCase() !== "n") {
+                await provisionApiKey(config.cloudApiUrl, keychain);
             }
             else {
-                console.log("   ⏭ Skipped. Set NESTPILOT_API_KEY env var later.");
+                console.log("   ⏭ Skipped. Run 'nestpilot init' again or set NESTPILOT_API_KEY env var later.");
+                console.log("   Local plan creation & storage works without an API key.");
             }
         }
         finally {
@@ -121,6 +117,46 @@ export async function initCommand() {
     console.log("Quick test: npx nestpilot-mcp-server status");
     console.log();
 }
+async function provisionApiKey(cloudApiUrl, keychain) {
+    const deviceAuth = new DeviceAuthClient(cloudApiUrl);
+    try {
+        // 1. Initiate device code flow
+        const authResponse = await deviceAuth.authorize();
+        console.log();
+        console.log("   ┌──────────────────────────────────────────┐");
+        console.log(`   │  Code: ${authResponse.userCode.padEnd(33)}│`);
+        console.log("   └──────────────────────────────────────────┘");
+        console.log();
+        console.log(`   Open: ${authResponse.verificationUri}`);
+        console.log("   Enter the code above and sign in with your NestPilot account.");
+        console.log();
+        // 2. Open browser automatically
+        deviceAuth.openBrowser(authResponse.verificationUriComplete ?? authResponse.verificationUri);
+        // 3. Poll for token completion
+        console.log("   ⏳ Waiting for sign-in...");
+        const tokenResponse = await deviceAuth.pollForToken(authResponse.deviceCode, authResponse.interval ?? 5, authResponse.expiresIn);
+        if (tokenResponse.status !== "completed" || !tokenResponse.accessToken) {
+            console.log(`   ⚠ Sign-in ${tokenResponse.status}: ${tokenResponse.error ?? "timed out"}`);
+            console.log("   Local plan creation & storage still works without an API key.");
+            console.log("   Run 'nestpilot init' again to retry.");
+            return;
+        }
+        console.log("   ✓ Signed in successfully");
+        // 4. Exchange JWT for a long-lived API key
+        const apiKeyResult = await deviceAuth.exchangeForApiKey(tokenResponse.accessToken, `${process.platform}-cli-${new Date().toISOString().slice(0, 10)}`);
+        // 5. Store in OS keychain
+        await keychain.set("nestpilot", "api-key", apiKeyResult.apiKey);
+        console.log("   ✓ API key provisioned and stored in OS keychain");
+        console.log(`   ✓ Key: ${apiKeyResult.keyPrefix}... (expires: ${apiKeyResult.expiresAt?.slice(0, 10) ?? "never"})`);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.log(`   ⚠ Could not complete sign-in: ${msg}`);
+        console.log("   Local plan creation & storage still works without an API key.");
+        console.log("   Cloud compute (forecasts, Roth optimization) requires a key.");
+        console.log("   Run 'nestpilot init' again or set NESTPILOT_API_KEY env var.");
+    }
+}
 // ── Host config writer ───────────────────────────────────────────────────
 async function writeHostConfigs(dir) {
     // Goose
@@ -132,19 +168,25 @@ extensions:
     type: mcp
     transport: stdio
     command: npx
-    args: ["nestpilot-mcp-server"]
+    args:
+      - "--yes"
+      - "--package=@nestpilot/mcp-app"
+      - "nestpilot-mcp-server"
     env:
       NESTPILOT_MODE: local
+      NESTPILOT_DATA_DIR: "~/.nestpilot"
 `;
     await fs.writeFile(path.join(dir, "goose.yaml"), gooseConfig);
     // Cowork
     const coworkConfig = {
+        _comment: "NestPilot MCP Server — Claude Cowork (Claude Desktop) Configuration. Add this to your claude_desktop_config.json.",
         mcpServers: {
             nestpilot: {
                 command: "npx",
-                args: ["nestpilot-mcp-server"],
+                args: ["--yes", "--package=@nestpilot/mcp-app", "nestpilot-mcp-server"],
                 env: {
                     NESTPILOT_MODE: "local",
+                    NESTPILOT_DATA_DIR: "~/.nestpilot",
                 },
             },
         },
@@ -153,19 +195,25 @@ extensions:
     // OpenClaw
     const openclawManifest = {
         name: "nestpilot",
+        package: "@nestpilot/mcp-app",
         version: "1.0.0",
         description: "Local-first retirement planning — your data stays on your machine",
+        homepage: "https://www.npmjs.com/package/@nestpilot/mcp-app",
         transport: "stdio",
         command: "npx",
-        args: ["nestpilot-mcp-server"],
+        args: ["--yes", "--package=@nestpilot/mcp-app", "nestpilot-mcp-server"],
         env: {
             NESTPILOT_MODE: "local",
+            NESTPILOT_DATA_DIR: "~/.nestpilot",
         },
         capabilities: {
             tools: true,
             resources: true,
             apps: true,
         },
+        setup: {
+            instructions: "Run `npx --yes --package=@nestpilot/mcp-app nestpilot init` before first use.",
+        },
     };
     await fs.writeFile(path.join(dir, "openclaw-manifest.json"), JSON.stringify(openclawManifest, null, 2));
 }

package/dist/host-configs/cowork.json

@@ -1,10 +1,16 @@
 {
+  "_comment": "NestPilot MCP Server — Claude Cowork (Claude Desktop) Configuration. Run `npx --yes --package=@nestpilot/mcp-app nestpilot init` first, then add this to your claude_desktop_config.json.",
   "mcpServers": {
     "nestpilot": {
       "command": "npx",
-      "args": ["nestpilot-mcp-server"],
+      "args": [
+        "--yes",
+        "--package=@nestpilot/mcp-app",
+        "nestpilot-mcp-server"
+      ],
       "env": {
-        "NESTPILOT_MODE": "local"
+        "NESTPILOT_MODE": "local",
+        "NESTPILOT_DATA_DIR": "~/.nestpilot"
       }
     }
   }

package/dist/host-configs/goose.yaml

@@ -1,10 +1,15 @@
 # NestPilot MCP Server — Goose Host Configuration
 #
-# Add this to your Goose profile configuration:
-#   ~/.config/goose/profiles.yaml
+# Installation
+# ------------
+# 1. Run the initializer first (one-time setup):
+#      npx --yes --package=@nestpilot/mcp-app nestpilot init
 #
-# Under the `extensions:` section of your active profile,
-# paste the following block.
+# 2. Add the block below to your Goose profile:
+#      ~/.config/goose/profiles.yaml
+#    under the `extensions:` key of your active profile.
+#
+# 3. Restart Goose.
 #
 # @feature FEAT-0088
 
@@ -13,10 +18,13 @@ extensions:
     type: mcp
     transport: stdio
     command: npx
-    args: ["nestpilot-mcp-server"]
+    args:
+      - "--yes"
+      - "--package=@nestpilot/mcp-app"
+      - "nestpilot-mcp-server"
     env:
       NESTPILOT_MODE: local
+      NESTPILOT_DATA_DIR: "~/.nestpilot"
       # Optional overrides:
-      # NESTPILOT_DATA_DIR: "~/.nestpilot"
-      # NESTPILOT_CLOUD_API_URL: "https://api.nestpilot.com"
+      # NESTPILOT_CLOUD_API_URL: "https://api.nestpilot.net"
       # NESTPILOT_API_KEY: "your-api-key"

package/dist/host-configs/openclaw-manifest.json

@@ -1,16 +1,26 @@
 {
   "name": "nestpilot",
+  "package": "@nestpilot/mcp-app",
   "version": "1.0.0",
   "description": "Local-first retirement planning — your data stays on your machine",
+  "homepage": "https://www.npmjs.com/package/@nestpilot/mcp-app",
   "transport": "stdio",
   "command": "npx",
-  "args": ["nestpilot-mcp-server"],
+  "args": [
+    "--yes",
+    "--package=@nestpilot/mcp-app",
+    "nestpilot-mcp-server"
+  ],
   "env": {
-    "NESTPILOT_MODE": "local"
+    "NESTPILOT_MODE": "local",
+    "NESTPILOT_DATA_DIR": "~/.nestpilot"
   },
   "capabilities": {
     "tools": true,
     "resources": true,
     "apps": true
+  },
+  "setup": {
+    "instructions": "Run `npx --yes --package=@nestpilot/mcp-app nestpilot init` before first use."
   }
 }

package/dist/main.js

@@ -104,10 +104,16 @@ async function startStreamableHTTPServer(factory) {
     process.on("SIGTERM", shutdown);
 }
 /**
- * Starts an MCP server with stdio transport (for Claude Desktop).
+ * Starts an MCP server with stdio transport (for Claude Desktop / VS Code).
+ *
+ * In stdio mode there are no HTTP headers, so we synthesize an authCtx from
+ * the config's defaultUserId.  This ensures the policy engine can resolve a
+ * real role ("authenticated") when MCP_DEFAULT_USER_ID is set to anything
+ * other than the literal string "anonymous".
  */
 async function startStdioServer(factory) {
-    await factory().connect(new StdioServerTransport());
+    const stdioAuthCtx = { userId: config.defaultUserId };
+    await factory(stdioAuthCtx).connect(new StdioServerTransport());
 }
 async function main() {
     if (process.argv.includes("--stdio")) {

package/dist/server.js

@@ -72,49 +72,49 @@ export function createServer(authCtx) {
     });
     if (localConfig.mode === "local") {
         // ── Local mode (FEAT-0087) ────────────────────────────────────────
-        console.log("[server] Starting in LOCAL mode — data stays on this machine");
+        console.error("[server] Starting in LOCAL mode — data stays on this machine");
         const keychain = createKeychainProvider(localConfig.dataDir);
         const encryption = new EncryptionService(keychain);
         const store = new LocalPlanStore(localConfig.dataDir, encryption);
         const computeClient = new CloudComputeClient(localConfig.cloudApiUrl, localConfig.apiKey ?? "");
-        console.log("Registering Local Plan tools...");
+        console.error("Registering Local Plan tools...");
         registerLocalPlanTools(server, store, computeClient);
         // Cloud-backed tools that use PII-free payloads
-        console.log("Registering Medicare tools (cloud)...");
+        console.error("Registering Medicare tools (cloud)...");
         registerMedicareTools(server, authCtx);
-        console.log("Registering Roth tools (cloud)...");
+        console.error("Registering Roth tools (cloud)...");
         registerRothTools(server, authCtx);
-        console.log("Registering Report tools (cloud)...");
+        console.error("Registering Report tools (cloud)...");
         registerReportTools(server, authCtx);
     }
     else {
         // ── Cloud mode (default — existing behavior) ──────────────────────
-        console.log("[server] Starting in CLOUD mode — proxy to Spring Boot API");
-        console.log("Registering Medicare tools...");
+        console.error("[server] Starting in CLOUD mode — proxy to Spring Boot API");
+        console.error("Registering Medicare tools...");
         registerMedicareTools(server, authCtx);
-        console.log("Registering Planning tools...");
+        console.error("Registering Planning tools...");
         registerPlanningTools(server, authCtx);
-        console.log("Registering Roth tools...");
+        console.error("Registering Roth tools...");
         registerRothTools(server, authCtx);
-        console.log("Registering Agent tools...");
+        console.error("Registering Agent tools...");
         registerAgentTools(server, authCtx);
-        console.log("Registering Plan Management tools...");
+        console.error("Registering Plan Management tools...");
         registerPlanManagementTools(server, authCtx);
-        console.log("Registering Forecast Management tools...");
+        console.error("Registering Forecast Management tools...");
         registerForecastManagementTools(server, authCtx);
-        console.log("Registering Scenario Management tools...");
+        console.error("Registering Scenario Management tools...");
         registerScenarioManagementTools(server, authCtx);
-        console.log("Registering Proposal tools...");
+        console.error("Registering Proposal tools...");
         registerProposalTools(server, authCtx);
-        console.log("Registering Report tools...");
+        console.error("Registering Report tools...");
         registerReportTools(server, authCtx);
     }
     // ── Shared registrations (both modes) ─────────────────────────────────
-    console.log("Registering views...");
+    console.error("Registering views...");
     registerPlannerView(server);
     registerVerificationPacketView(server);
     registerSkillResources(server);
-    console.log("Server registration complete");
+    console.error("Server registration complete");
     return server;
 }
 // ── Retirement Planner view ─────────────────────────────────────────────

package/dist/src/local/device-auth.d.ts

@@ -0,0 +1,52 @@
+export interface DeviceCodeResponse {
+    deviceCode: string;
+    userCode: string;
+    verificationUri: string;
+    verificationUriComplete?: string;
+    expiresIn: number;
+    interval: number;
+    message?: string;
+}
+export interface DeviceTokenResponse {
+    status: "pending" | "completed" | "expired" | "denied" | "error";
+    accessToken?: string;
+    tokenType?: string;
+    expiresIn?: number;
+    error?: string;
+    errorDescription?: string;
+}
+export interface ApiKeyCreatedResponse {
+    id: string;
+    apiKey: string;
+    keyPrefix: string;
+    name: string;
+    scopes: string[];
+    expiresAt: string;
+    createdAt: string;
+    message: string;
+}
+export declare class DeviceAuthClient {
+    private cloudApiUrl;
+    constructor(cloudApiUrl: string);
+    /**
+     * Step 1: Initiate device code flow.
+     */
+    authorize(): Promise<DeviceCodeResponse>;
+    /**
+     * Step 2: Open browser for user authentication.
+     */
+    openBrowser(url: string): void;
+    /**
+     * Step 3: Poll for device code completion.
+     * Retries at the specified interval until the user completes auth or the code expires.
+     */
+    pollForToken(deviceCode: string, interval: number, expiresIn: number, onPoll?: () => void): Promise<DeviceTokenResponse>;
+    /**
+     * Step 4: Exchange JWT for a NestPilot API key.
+     */
+    exchangeForApiKey(accessToken: string, name?: string): Promise<ApiKeyCreatedResponse>;
+    /**
+     * Verify an existing API key is still valid.
+     */
+    verifyApiKey(apiKey: string): Promise<boolean>;
+}

package/dist/src/local/device-auth.js

@@ -0,0 +1,148 @@
+/**
+ * Device Authorization Grant (RFC 8628) client for CLI-based authentication.
+ *
+ * Flow:
+ *   1. POST /api/auth/device/authorize → get user_code + verification_uri
+ *   2. Open browser for user to sign in
+ *   3. Poll POST /api/auth/device/token until completed
+ *   4. Exchange JWT for API key via POST /api/auth/api-keys
+ *   5. Store API key in OS keychain
+ *
+ * @feature FEAT-0091
+ */
+import { exec } from "node:child_process";
+import os from "node:os";
+// ── Device Auth Client ───────────────────────────────────────────────────
+export class DeviceAuthClient {
+    cloudApiUrl;
+    constructor(cloudApiUrl) {
+        this.cloudApiUrl = cloudApiUrl;
+        // Strip trailing slash
+        if (this.cloudApiUrl.endsWith("/")) {
+            this.cloudApiUrl = this.cloudApiUrl.slice(0, -1);
+        }
+    }
+    /**
+     * Step 1: Initiate device code flow.
+     */
+    async authorize() {
+        const response = await fetch(`${this.cloudApiUrl}/api/auth/device/authorize`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            signal: AbortSignal.timeout(10_000),
+        });
+        if (!response.ok) {
+            throw new Error(`Failed to initiate device code flow: ${response.status} ${await response.text()}`);
+        }
+        return (await response.json());
+    }
+    /**
+     * Step 2: Open browser for user authentication.
+     */
+    openBrowser(url) {
+        const platform = os.platform();
+        let command;
+        switch (platform) {
+            case "darwin":
+                command = `open "${url}"`;
+                break;
+            case "win32":
+                command = `start "${url}"`;
+                break;
+            case "linux":
+                command = `xdg-open "${url}"`;
+                break;
+            default:
+                console.log(`\n   Please open this URL in your browser:\n   ${url}\n`);
+                return;
+        }
+        exec(command, (error) => {
+            if (error) {
+                console.log(`\n   Could not open browser automatically.\n   Please open this URL:\n   ${url}\n`);
+            }
+        });
+    }
+    /**
+     * Step 3: Poll for device code completion.
+     * Retries at the specified interval until the user completes auth or the code expires.
+     */
+    async pollForToken(deviceCode, interval, expiresIn, onPoll) {
+        const deadline = Date.now() + expiresIn * 1000;
+        while (Date.now() < deadline) {
+            if (onPoll)
+                onPoll();
+            const response = await fetch(`${this.cloudApiUrl}/api/auth/device/token`, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify({ device_code: deviceCode }),
+                signal: AbortSignal.timeout(10_000),
+            });
+            const result = (await response.json());
+            if (result.status === "completed" && result.accessToken) {
+                return result;
+            }
+            if (result.status === "expired" || result.status === "denied") {
+                return result;
+            }
+            if (result.status === "error" &&
+                result.error !== "authorization_pending") {
+                return result;
+            }
+            // Wait before next poll
+            await sleep(interval * 1000);
+        }
+        return {
+            status: "expired",
+            error: "expired_token",
+            errorDescription: "Device code expired before user completed authentication.",
+        };
+    }
+    /**
+     * Step 4: Exchange JWT for a NestPilot API key.
+     */
+    async exchangeForApiKey(accessToken, name) {
+        const response = await fetch(`${this.cloudApiUrl}/api/auth/api-keys`, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${accessToken}`,
+            },
+            body: JSON.stringify({
+                name: name ?? `CLI (${os.hostname()})`,
+                scopes: ["compute"],
+                expiresInDays: 90,
+            }),
+            signal: AbortSignal.timeout(10_000),
+        });
+        if (!response.ok) {
+            const text = await response.text();
+            throw new Error(`Failed to create API key: ${response.status} ${text}`);
+        }
+        return (await response.json());
+    }
+    /**
+     * Verify an existing API key is still valid.
+     */
+    async verifyApiKey(apiKey) {
+        try {
+            const response = await fetch(`${this.cloudApiUrl}/api/auth/api-keys/verify`, {
+                method: "GET",
+                headers: {
+                    Authorization: `Bearer ${apiKey}`,
+                },
+                signal: AbortSignal.timeout(5_000),
+            });
+            if (!response.ok)
+                return false;
+            const result = (await response.json());
+            return result.valid === true;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+// ── Utilities ────────────────────────────────────────────────────────────
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}

package/dist/src/local/keychain.js

@@ -83,28 +83,46 @@ class WindowsKeychain {
     async get(service, account) {
         try {
             const target = this.target(service, account);
+            // Use Win32 CredRead API via P/Invoke — works on all Windows versions
+            // without requiring the external CredentialManager PowerShell module.
+            // The script is Base64-encoded (UTF-16LE) to avoid quoting/escaping issues.
+            const script = [
+                "Add-Type -TypeDefinition @'",
+                "using System; using System.Runtime.InteropServices;",
+                "public class NpCred {",
+                '  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]',
+                "  public static extern bool CredRead(string t, int ty, int f, out IntPtr c);",
+                '  [DllImport("advapi32.dll")]',
+                "  public static extern void CredFree(IntPtr c);",
+                "  [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]",
+                "  public struct CREDENTIAL {",
+                "    public int Flags; public int Type; public string TargetName;",
+                "    public string Comment; public long LastWritten;",
+                "    public int CredentialBlobSize; public IntPtr CredentialBlob;",
+                "    public int Persist; public int AttributeCount; public IntPtr Attributes;",
+                "    public string TargetAlias; public string UserName;",
+                "  }",
+                "}",
+                "'@",
+                "$p=[IntPtr]::Zero",
+                `if([NpCred]::CredRead('${target}',1,0,[ref]$p)){`,
+                "  $c=[Runtime.InteropServices.Marshal]::PtrToStructure($p,[Type][NpCred+CREDENTIAL])",
+                "  $s=[Runtime.InteropServices.Marshal]::PtrToStringUni($c.CredentialBlob,$c.CredentialBlobSize/2)",
+                "  [NpCred]::CredFree($p)",
+                "  Write-Output $s",
+                "}",
+            ].join("\n");
+            const encoded = Buffer.from(script, "utf16le").toString("base64");
             const { stdout } = await execFileAsync("powershell.exe", [
                 "-NoProfile",
-                "-Command",
-                `$cred = Get-StoredCredential -Target '${target}' -ErrorAction SilentlyContinue; if ($cred) { $cred.GetNetworkCredential().Password } else { $null }`,
+                "-EncodedCommand",
+                encoded,
             ]);
             const result = stdout.trim();
             return result && result !== "" ? result : null;
         }
         catch {
-            // Fallback: try cmdkey
-            try {
-                const target = this.target(service, account);
-                const { stdout } = await execFileAsync("powershell.exe", [
-                    "-NoProfile",
-                    "-Command",
-                    `[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR((New-Object System.Management.Automation.PSCredential('_', (cmdkey /generic:${target} /list 2>$null | Out-Null; [System.Security.SecureString]::new()))).Password))`,
-                ]);
-                return stdout.trim() || null;
-            }
-            catch {
-                return null;
-            }
+            return null;
         }
     }
     async set(service, account, value) {

package/dist/src/local/local-config.js

@@ -31,7 +31,7 @@ export function configFilePath(dataDir) {
     return path.join(dataDir, "config.json");
 }
 // ── Configuration loader ─────────────────────────────────────────────────
-const DEFAULT_CLOUD_API_URL = "https://api.nestpilot.com";
+const DEFAULT_CLOUD_API_URL = "https://api.nestpilot.net";
 /**
  * Loads the local configuration from environment variables.
  *

package/dist/src/local/local-data-layer.d.ts

@@ -18,3 +18,5 @@ export { scrubPII, validateNoPII } from "./pii-scrubber.js";
 export type { ScrubResult } from "./pii-scrubber.js";
 export { CloudComputeClient } from "./cloud-compute-client.js";
 export type { CloudComputeResult } from "./cloud-compute-client.js";
+export { DeviceAuthClient } from "./device-auth.js";
+export type { DeviceCodeResponse, DeviceTokenResponse, ApiKeyCreatedResponse, } from "./device-auth.js";

package/dist/src/local/local-data-layer.js

@@ -13,3 +13,4 @@ export { createKeychainProvider, FileKeychain, } from "./keychain.js";
 export { LocalPlanStore } from "./local-plan-store.js";
 export { scrubPII, validateNoPII } from "./pii-scrubber.js";
 export { CloudComputeClient } from "./cloud-compute-client.js";
+export { DeviceAuthClient } from "./device-auth.js";

package/dist/tools/local-plan-tools.js

@@ -207,7 +207,7 @@ Requires internet connectivity for cloud compute. Cached results are returned if
                 }, true);
             }
             if (removedFields.length > 0) {
-                console.log(`[local] PII scrubber removed ${removedFields.length} field(s): ${removedFields.join(", ")}`);
+                console.error(`[local] PII scrubber removed ${removedFields.length} field(s): ${removedFields.join(", ")}`);
             }
             // Call cloud compute
             const result = await computeClient.forecast(scrubbed);

package/dist/tools/mcp-helpers.js

@@ -80,9 +80,16 @@ function runPipeline(opts) {
         }
     }
     if (contract) {
+        const resolvedUserId = opts.actorId ?? opts.authCtx?.userId ?? "anonymous";
+        const resolvedRole = opts.role ??
+            (opts.authCtx?.bearerToken
+                ? "authenticated"
+                : resolvedUserId !== "anonymous"
+                    ? "authenticated"
+                    : "anonymous");
         const policyCtx = {
-            actorId: opts.actorId ?? opts.authCtx?.userId ?? "anonymous",
-            role: opts.role ?? (opts.authCtx?.bearerToken ? "authenticated" : "anonymous"),
+            actorId: resolvedUserId,
+            role: resolvedRole,
             toolName: opts.toolName,
         };
         const decision = evaluatePolicy(policyCtx);

package/dist/tools/optimize-roth-tools.js

@@ -32,7 +32,7 @@ const POLICY_TARGET_BRACKETS = {
 };
 // ── Tool registration ───────────────────────────────────────────────────
 export function registerRothTools(server, authCtx) {
-    console.log("registerRothTools: Starting registration...");
+    console.error("registerRothTools: Starting registration...");
     try {
         registerAppTool(server, "optimize_roth_conversion", {
             title: "Optimize Roth Conversion",
@@ -377,7 +377,7 @@ DO NOT USE for basic forecasting — use run_forecast instead.`,
                 }, true);
             }
         });
-        console.log("registerRothTools: Registration successful!");
+        console.error("registerRothTools: Registration successful!");
     }
     catch (error) {
         console.error("registerRothTools: FAILED to register optimize_roth_conversion:", error);

package/host-configs/cowork.json

@@ -1,10 +1,16 @@
 {
+  "_comment": "NestPilot MCP Server — Claude Cowork (Claude Desktop) Configuration. Run `npx --yes --package=@nestpilot/mcp-app nestpilot init` first, then add this to your claude_desktop_config.json.",
   "mcpServers": {
     "nestpilot": {
       "command": "npx",
-      "args": ["nestpilot-mcp-server"],
+      "args": [
+        "--yes",
+        "--package=@nestpilot/mcp-app",
+        "nestpilot-mcp-server"
+      ],
       "env": {
-        "NESTPILOT_MODE": "local"
+        "NESTPILOT_MODE": "local",
+        "NESTPILOT_DATA_DIR": "~/.nestpilot"
       }
     }
   }

package/host-configs/goose.yaml

@@ -1,10 +1,15 @@
 # NestPilot MCP Server — Goose Host Configuration
 #
-# Add this to your Goose profile configuration:
-#   ~/.config/goose/profiles.yaml
+# Installation
+# ------------
+# 1. Run the initializer first (one-time setup):
+#      npx --yes --package=@nestpilot/mcp-app nestpilot init
 #
-# Under the `extensions:` section of your active profile,
-# paste the following block.
+# 2. Add the block below to your Goose profile:
+#      ~/.config/goose/profiles.yaml
+#    under the `extensions:` key of your active profile.
+#
+# 3. Restart Goose.
 #
 # @feature FEAT-0088
 
@@ -13,10 +18,13 @@ extensions:
     type: mcp
     transport: stdio
     command: npx
-    args: ["nestpilot-mcp-server"]
+    args:
+      - "--yes"
+      - "--package=@nestpilot/mcp-app"
+      - "nestpilot-mcp-server"
     env:
       NESTPILOT_MODE: local
+      NESTPILOT_DATA_DIR: "~/.nestpilot"
       # Optional overrides:
-      # NESTPILOT_DATA_DIR: "~/.nestpilot"
-      # NESTPILOT_CLOUD_API_URL: "https://api.nestpilot.com"
+      # NESTPILOT_CLOUD_API_URL: "https://api.nestpilot.net"
       # NESTPILOT_API_KEY: "your-api-key"

package/host-configs/openclaw-manifest.json

@@ -1,16 +1,26 @@
 {
   "name": "nestpilot",
+  "package": "@nestpilot/mcp-app",
   "version": "1.0.0",
   "description": "Local-first retirement planning — your data stays on your machine",
+  "homepage": "https://www.npmjs.com/package/@nestpilot/mcp-app",
   "transport": "stdio",
   "command": "npx",
-  "args": ["nestpilot-mcp-server"],
+  "args": [
+    "--yes",
+    "--package=@nestpilot/mcp-app",
+    "nestpilot-mcp-server"
+  ],
   "env": {
-    "NESTPILOT_MODE": "local"
+    "NESTPILOT_MODE": "local",
+    "NESTPILOT_DATA_DIR": "~/.nestpilot"
   },
   "capabilities": {
     "tools": true,
     "resources": true,
     "apps": true
+  },
+  "setup": {
+    "instructions": "Run `npx --yes --package=@nestpilot/mcp-app nestpilot init` before first use."
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nestpilot/mcp-app",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "type": "module",
   "description": "NestPilot MCP App — Retirement planning tools and interactive views",
   "bin": {