npm - @path58/p58-n8n - Versions diffs - 0.2.20-demo.2 → 0.2.20-demo.3 - Mend

@path58/p58-n8n 0.2.20-demo.2 → 0.2.20-demo.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/AGENT_INSTALL.md CHANGED Viewed

@@ -1,10 +1,28 @@
 # p58-n8n — LLM Agent Installation Guide
-> **AX-Native install (the canonical demo path):** Tell your LLM client *"install p58-n8n using this guide"* and paste the URL of this file. Your LLM follows the steps below, probes your environment, asks ≤2 clarifying questions (n8n API key + optional Path58 premium token), writes the config, and tells you to restart. Per Pillar 3 of `STRATEGIC_ANCHORS.md` v1.2.0 — *every customer-facing operation happens through the agent the user already uses*.
+> **AX-Native install (the canonical demo path):** Tell your LLM client *"install p58-n8n using this guide"* and paste this file's URL. Your agent detects what it can do, picks the lowest-friction install path for your environment, walks you through configuration conversationally, and **proactively offers a working demo** using only the credentials you already have. Per Pillar 3 of `STRATEGIC_ANCHORS.md` v1.2.0 — *every customer-facing operation happens through the agent the user already uses*.
-> **🤖 ACTION REQUIRED:** You are reading this because a user wants you to install the **p58-n8n** MCP server. Follow the steps in order. Everything you need is in this file — do NOT search the web. Minimize questions to the user: auto-discover what you can, only ask when you must (the n8n URL and API key, if you can't find them).
+> **🤖 ACTION REQUIRED:** You are reading this because a user wants you to install the **p58-n8n** MCP server. Follow the steps in order. Everything you need is in this file — do NOT search the web. Minimize questions to the user: auto-discover what you can; only ask when you must.
-> **Your job:** detect the user's MCP client → find their n8n instance → discover or ask for the API key → **validate the pairing with a curl test** → write the config → restart → verify with `setup_check`.
+> **Your job:** detect your own capabilities → pick the right install path → guide configuration → verify with `setup_check` → propose a tailored opportunistic demo → build + test + report.
+---
+## Step 0 — Self-check: what can you actually do? (DO THIS FIRST)
+Different agent environments have different capabilities. Pick the path that matches your environment **before** giving the user any instructions, so you don't promise actions you can't deliver.
+| Your environment | Can you read/write the user's filesystem? | Can you run shell commands? | Use this install path |
+|---|---|---|---|
+| **claude.ai web** (sandboxed Linux container, no host access) | ❌ No | ❌ Only inside sandbox | **STOP — hand off.** Tell the user: *"I'm running in claude.ai's sandbox and can't reach your machine. Please open Claude Desktop OR run `claude` in a terminal, then paste this same guide URL there. I'll be able to install properly from either of those."* |
+| **Claude Desktop with Cowork / workspace folder** (filesystem access scoped to a connected folder; can't reach `~/Library/Application Support/Claude/`) | ⚠️ Scoped | ✅ Inside workspace | **Path A: `.mcpb` extension** (mandatory — Cowork can't write the config dir) |
+| **Claude Desktop with a filesystem MCP granted write access** to `~/Library/Application Support/` | ✅ Yes | Maybe | Either Path A or Path B works. **Recommend Path A** (no PATH issues, faster). |
+| **Claude Code CLI** (`claude` in terminal — full filesystem + bash) | ✅ Yes | ✅ Yes | Either path. **Recommend Path A** for non-developer users; **Path B** is fine for developers who prefer JSON. |
+| **Anything else** (Cursor, Windsurf, VS Code Copilot, Codex, Antigravity) | Varies | Varies | Path B — these clients use JSON config files; see § Path B below. |
+> **Tier indicators in chat.** If your tools include any with names containing `screenshot`, `bash`, `desktop_commander`, or `apple_script`, you likely have full or near-full local access (Cowork or local-agent Desktop). If your only tools are `web_search`, `web_fetch`, `repl`, or `analysis`, you are in claude.ai sandbox — STOP and hand off.
+Once you've identified your path, proceed.
 ---
@@ -25,76 +43,108 @@ These are orthogonal: premium catalog works with or without n8n connected, and n
 ---
-## Fresh install — zero-config quick start (`.mcpb` extension only)
+# Path A — `.mcpb` extension (recommended)
-If a user is installing `.mcpb` for the first time and wants instant free-tier access without entering any credentials:
+The `.mcpb` is a Claude Desktop Extension. It bundles its own Node runtime so it has **no PATH issues, no `npx` problems**, and configuration happens through a clean form UI guided by you (the agent) in chat. This is the path **most users should take.**
-1. Drag `p58-n8n.mcpb` into Claude Desktop → Extensions
-2. Click **Configure**
-3. Leave **all 7 fields blank**
-4. Click **Save**
-5. Restart Claude Desktop
+## A.1 — Where to get the file
-The free tier activates immediately:
-- 1,603 node-name catalog (offline)
-- 14,805 operation-name index
-- 679 credential type lookups
-- L1-L3 validation (offline)
-- Discovery + `get_node_info` (names + metadata)
+The .mcpb is published to npm and downloadable directly via unpkg (no GitHub credentials required):
-This is enough to **browse, validate, and plan workflows** without n8n connectivity or premium credentials. The recipient experiences value immediately.
+```
+https://unpkg.com/@path58/p58-n8n@latest/p58-n8n.mcpb
+```
-To upgrade later (premium catalog + n8n build/deploy/test), the agent guides the user through adding `P58_ACCESS_TOKEN`, `N8N_API_URL`, and `N8N_API_KEY` via the Configure form OR via the `jq` extraction in the next section.
+Tell the user:
+> *"Download the extension file from `https://unpkg.com/@path58/p58-n8n@latest/p58-n8n.mcpb`. Then drag the file onto your Claude Desktop window (or use Settings → Extensions → Install from File)."*
----
+## A.2 — Install
-## Upgrading from a manual MCP config
+After the user drags the file in, Claude Desktop shows:
+1. An **Install** button — they click it.
+2. A **Configure** form with 7 user-config fields (all marked optional).
-If you already have p58-n8n configured manually in `claude_desktop_config.json` (or another MCP client's config file) and want to install the `.mcpb` extension instead, you can extract all 7 config values in one terminal command:
+**They can click Save with all fields blank** and get instant **free-tier access** (the 1,603-node offline catalog, L1-L3 validation, discovery). This is enough to browse and plan workflows without any credentials. Tell them this is fine — they can add credentials any time later.
-**macOS / Claude Desktop:**
-```bash
-jq '.mcpServers["p58-n8n"].env' ~/Library/Application\ Support/Claude/claude_desktop_config.json
-```
+To unlock n8n build/deploy/test or the premium enriched catalog, the user needs to fill some fields. **DO NOT have them figure that out alone** — guide them conversationally (next step).
-**Cursor (~/.cursor/mcp.json), VS Code (.vscode/mcp.json), Windsurf, or any JSON-based client:**
-```bash
-jq '.mcpServers["p58-n8n"].env' <your-config-file>
-```
+## A.3 — Configure conversationally (the AX-Native part)
+After the .mcpb is installed (with or without blank fields), the user opens Claude chat and says something like *"configure p58-n8n"* or *"finish setting up p58-n8n"*.
+**Your loop:**
+1. Call `setup_check`. The response tells you exactly what's missing — `n8n_configured: false` if no n8n URL+key, `access_mode: "free"` if no premium token, etc.
+2. For each missing field, ask the user **one question at a time**. Don't dump all 7 fields on them.
+3. After the user gives you a value, tell them exactly where to paste it:
+   > *"Paste that into the **n8n_api_url** field of the p58-n8n extension settings. Open Claude Desktop → Settings → Extensions → p58-n8n → Configure. Click Save when you've pasted it. Let me know when done."*
+4. When they say "done," call `setup_check` again. Confirm it shows the new value registered. Move to the next field.
+5. **Search before asking** when possible — try common locations for credentials so you don't ask for things the user already has stored. See § Credential search (below).
+6. Stop when `setup_check` returns `n8n_configured: true` AND the user's intended `access_mode` is achieved (`premium` if they have a P58 token, `free` if not).
+**Order of fields to ask about (in priority):**
+| Field | Why ask | Skip if |
+|---|---|---|
+| `n8n_api_url` | Required for build/deploy/test | User has no n8n / doesn't want to connect one |
+| `n8n_api_key` | Pairs with the URL | (same as above) |
+| `p58_access_token` | Unlocks premium enriched catalog | User has no token |
+| `cf_access_client_id` + `cf_access_client_secret` | Only if their n8n is behind Cloudflare Access | Pair-test shows no 302 to cloudflareaccess.com |
+| `n8n_user_email` + `n8n_user_password` | Optional — enables clean `test_credential` + run-and-verify | User doesn't need credential testing |
+After every Save → restart, the `.mcpb` extension reloads with the new env vars and `setup_check` reflects them. Don't proceed until verified.
+## A.4 — Credential search (search before asking)
+Before asking the user for `N8N_API_KEY` or `P58_ACCESS_TOKEN`, search common locations:
-**Codex (TOML config):**
 ```bash
-# Codex uses TOML; manually read ~/.codex/config.toml
-cat ~/.codex/config.toml | grep -A 10 "p58-n8n"
+# .env files in the user's current directory or common project paths
+grep -rl "N8N_API_KEY" . --include=".env*" 2>/dev/null
+grep -rl "P58_ACCESS_TOKEN" . --include=".env*" 2>/dev/null
+# Sibling MCP configs (they may have it set there from a prior install)
+~/Library/Application\ Support/Claude/claude_desktop_config.json
+~/.cursor/mcp.json
+.vscode/mcp.json
+# Secret managers
+op item list 2>/dev/null | grep -i n8n     # 1Password
+security find-generic-password -s n8n 2>/dev/null  # macOS Keychain
 ```
-The output is a JSON object with all 7 values:
-```json
-{
-  "P58_ACCESS_TOKEN": "...",
-  "N8N_API_URL": "https://your-n8n/api/v1",
-  "N8N_API_KEY": "eyJ...",
-  "N8N_USER_EMAIL": "you@example.com",
-  "N8N_USER_PASSWORD": "...",
-  "CF_ACCESS_CLIENT_ID": "...",
-  "CF_ACCESS_CLIENT_SECRET": "..."
-}
+If you find values, **confirm with the user** before using them ("I found an N8N_API_KEY in your `.env` — want me to use it?"). Don't autofill secrets without consent.
+## A.5 — Validate the pairing — **before** declaring config done
+A valid-looking key against the wrong instance fails silently. After the user fills `n8n_api_url` + `n8n_api_key`, before announcing success, pair-test:
+```bash
+curl -s -o /dev/null -w "%{http_code}" "$N8N_API_URL/workflows?limit=1" -H "X-N8N-API-KEY: $KEY" -L
 ```
-Open Claude Desktop → Extensions → p58-n8n → **Configure**, then copy each value from the JSON output into the matching form field. Total: ~30 seconds vs hunting through multiple sources. Fields you don't have / don't need can be left blank — only `N8N_API_URL` + `N8N_API_KEY` + `P58_ACCESS_TOKEN` are needed for the standard demo path.
+| Result | Meaning | Action |
+|---|---|---|
+| `200` | Correct pair | ✅ Tell user, move on |
+| `401 {"message":"invalid signature"}` | Valid JWT, **wrong instance** (e.g. prod key vs local n8n) | Re-pair: "the key is real but points at a different n8n than the URL you gave me. Which is right?" |
+| `401 {"message":"unauthorized"}` | Wrong/expired key | Ask user to mint a fresh one: n8n → Settings → API → Create API Key |
+| `302` → `*.cloudflareaccess.com` | n8n is **behind Cloudflare Access** | Trigger the CF-Access branch (ask for `CF_ACCESS_CLIENT_ID` + `CF_ACCESS_CLIENT_SECRET`) |
-> **Coming soon (post-demo per `REQ-2026-06-02-mcpb-config-autofill.md`):** a single "bulk paste" Configure field that accepts the whole JSON blob in one paste, eliminating the field-by-field copy. Tracked for 0.3.0+.
+> If `setup_check` says `n8n_configured: true` but the curl pair-test fails, trust the curl. The server may be caching the previous successful test. Re-test after any field change.
 ---
-## Step 1: Detect the MCP client
+# Path B — JSON config (advanced / power users)
-> **Verification status:** This guide covers MCP clients that follow the standard MCP protocol. Only **Claude Desktop** (manual JSON config + `.mcpb` extension install) and **Claude Code** (CLI / VS Code extension / terminal) are end-to-end verified by p58-n8n's Phase C install matrix (RAG-4.97.6.1). Cursor / VS Code Copilot / Windsurf / Codex / Antigravity / Gemini CLI paths are documented based on each client's published MCP integration spec; their install paths are expected to work but have not been QA'd by us. Multi-client QA matrix queued post-demo via `REQ-2026-06-02-multi-client-install-qa.md`. Please report any client-specific issues via GitHub Issues.
+Use this path when:
+- The user is on Claude Code CLI (`claude` in terminal)
+- The user is on Cursor / Windsurf / VS Code Copilot / Codex / Antigravity
+- The user explicitly wants to manage `claude_desktop_config.json` themselves
-Check for these config files (if several exist, ask which client to configure):
+## B.1 — Detect the MCP client
 | Client | Config file | OS |
-|--------|-------------|-----|
+|---|---|---|
 | **Claude Desktop** | `~/Library/Application Support/Claude/claude_desktop_config.json` | macOS |
 | **Claude Desktop** | `%APPDATA%\Claude\claude_desktop_config.json` | Windows |
 | **Claude Desktop** | `~/.config/Claude/claude_desktop_config.json` | Linux |
@@ -105,106 +155,56 @@ Check for these config files (if several exist, ask which client to configure):
 | **Codex (OpenAI)** | `~/.codex/config.toml` (**TOML**, not JSON) | All |
 | **Antigravity (Google)** | `~/.gemini/antigravity/mcp_config.json` (needs global install + full paths) | All |
----
+## B.2 — Resolve absolute path to `npx` (CRITICAL on macOS)
-## Step 2: Find the user's n8n instance
+Desktop apps on macOS don't inherit your shell's PATH. Bare `npx` in MCP config **silently fails** with `Failed to spawn process: No such file or directory` because the app searches only `/usr/local/bin:/usr/bin:/bin:/sbin` — but Homebrew Node lives in `/opt/homebrew/bin/npx` and nvm Node lives in `~/.nvm/versions/node/vX.Y.Z/bin/npx`.
-The catalog tools work without n8n, but build/deploy/test need it. Try, in order:
+**ALWAYS resolve to the absolute path before writing the config:**
 ```bash
-# A. Environment variables
-echo "$N8N_API_URL"; echo "$N8N_API_BASE_URL"; echo "$N8N_HOST"
-# B. Probe the standard local port (401 = n8n running + auth required ✅ ; 000 = nothing there)
-curl -s -o /dev/null -w "%{http_code}" http://localhost:5678/api/v1/workflows
-# C. Docker
-docker ps --filter "name=n8n" --format "{{.Ports}}"
-# D. Running processes
-ps aux | grep -i n8n | grep -v grep
+NPX_PATH="$(command -v npx)"
+echo "Using: $NPX_PATH"
+# Use $NPX_PATH below — NEVER write the bare word "npx" in the command field.
 ```
-If none work, ask: *"What's the URL of your n8n instance? (e.g. `http://localhost:5678` or `https://n8n.example.com`)"*
-> The API URL must include the `/api/v1` suffix, e.g. `http://localhost:5678/api/v1`. `N8N_API_BASE_URL` is accepted as a fallback for `N8N_API_URL`.<sup>[[4]](#sources)</sup>
----
-## Step 3: Get the credentials
+If `command -v npx` returns nothing, Node isn't installed. Tell the user:
+> *"Node isn't installed. Install it first: `brew install node` on macOS (or download from nodejs.org), then run this guide again."*
-### 3a — Premium token (`P58_ACCESS_TOKEN`)
+## B.3 — Find the user's n8n instance
-If the user was given a `P58_ACCESS_TOKEN` (demo / premium users), use it — it unlocks the enriched catalog. If they don't have one, skip it: the free bundled index still works.
-### 3b — n8n API key — **search before asking** (G1)
-The key can't be auto-*extracted* from n8n (n8n stores it as a hash; the plaintext JWT exists only where the user saved it), but it can often be **found**. Search local artifacts BEFORE asking the user:<sup>[[5]](#sources)</sup>
+Same as A.4 + try environment variables and standard ports:
 ```bash
-# 1. Project / CWD .env files
-grep -rl "N8N_API_KEY" . --include=".env*" 2>/dev/null
-# 2. Sibling MCP configs (the user may have pasted it once already)
-#    ~/Library/Application Support/Claude/claude_desktop_config.json
-#    ~/.cursor/mcp.json · .vscode/mcp.json · ~/.codex/config.toml
-# 3. Secret managers
-op item list 2>/dev/null | grep -i n8n            # 1Password
-security find-generic-password -s n8n 2>/dev/null # macOS Keychain
-# 4. Docker
-docker inspect <n8n-container> --format '{{json .Config.Env}}'
-```
-Only if all are dry, ask the user to mint one: **n8n → Settings → API → Create API Key** (it starts with `eyJ…`, JWT format).
-### 3c — Optional: session auth for `test_credential` and run-and-verify
-Some n8n versions gate two things behind a logged-in session (not just the API key): reading credential **secrets** (`test_credential`), and **executing** a workflow via REST — which `test_workflow`'s verification step uses. **Optional** — build/deploy/activate and the workflow's own execution all work on URL + API key alone. To enable clean run-and-verify + `test_credential`, set `N8N_USER_EMAIL` + `N8N_USER_PASSWORD` (the user's n8n web-UI login).<sup>[[4]](#sources)</sup>
-> ⚠️ **Known false-negative when absent.** On a session-auth-gated n8n without these set, `test_workflow` can report **"❌ TEST FAILED … N8N_USER_EMAIL/PASSWORD required"** even though the workflow **actually ran and delivered** (the deployed workflow executes server-side on API-key alone). If you see this, check the channel — the result likely arrived. Setting the optional login removes the false-negative. (Tracked: `INC-2026-06-02-test-workflow-clone-verify-false-negative-session-auth`.)
----
-## Step 4: Validate the (URL, key) pairing — **before writing any config** (G3/G4)
-A valid-looking key against the wrong instance fails *silently* after install. Pair-test first:<sup>[[5]](#sources)</sup>
-```bash
-curl -s -o /dev/null -w "%{http_code}" "$N8N_API_URL/workflows?limit=1" -H "X-N8N-API-KEY: $KEY" -L
+echo "$N8N_API_URL"; echo "$N8N_API_BASE_URL"; echo "$N8N_HOST"
+curl -s -o /dev/null -w "%{http_code}" http://localhost:5678/api/v1/workflows
+docker ps --filter "name=n8n" --format "{{.Ports}}"
+ps aux | grep -i n8n | grep -v grep
 ```
-| Result | Meaning | Action |
-|---|---|---|
-| `200` | Correct pair | ✅ Write the config |
-| `401 {"message":"invalid signature"}` | Valid JWT, **wrong instance** (e.g. prod key vs local n8n) | Re-pair — try another URL/key combination |
-| `401 {"message":"unauthorized"}` | Wrong/expired key | Mint a fresh key (Step 3b) |
-| `302` → `*.cloudflareaccess.com` | n8n is **behind Cloudflare Access** | Optional CF branch ↓ — **most users skip this** |
-> **Never assume one key ↔ one URL.** If a user has both a local dev n8n and a remote one, the wrong pairing returns `invalid signature`. Pair-test to confirm.<sup>[[5]](#sources)</sup>
+If none work, ask: *"What's the URL of your n8n instance? (e.g. `http://localhost:5678` or `https://n8n.example.com`)"*
-### Optional Cloudflare-Access branch (only if you saw a `302`)
+> The API URL must include the `/api/v1` suffix.
-**Most n8n instances are not behind Cloudflare Access — skip this unless Step 4 returned a `302` to a `cloudflareaccess.com` login page.** If it did, the instance needs a CF Access **service token**. p58-n8n supports `CF_ACCESS_CLIENT_ID` + `CF_ACCESS_CLIENT_SECRET`, which it sends as `CF-Access-Client-Id` / `CF-Access-Client-Secret` headers.<sup>[[6]](#sources)</sup> Re-test with them:
+## B.4 — Get credentials
-```bash
-curl -s -o /dev/null -w "%{http_code}" "$N8N_API_URL/workflows?limit=1" \
-  -H "X-N8N-API-KEY: $KEY" \
-  -H "CF-Access-Client-Id: $CF_ID" -H "CF-Access-Client-Secret: $CF_SECRET"
-# 200 → add CF_ACCESS_CLIENT_ID / CF_ACCESS_CLIENT_SECRET to the MCP env in Step 5
-```
+Same as A.4 (search-first, then ask).
-Full walkthrough: [`docs/mcp-install-cloudflare-access-runbook.md`](docs/mcp-install-cloudflare-access-runbook.md).
+## B.5 — Pair-test (before writing config)
----
+Same as A.5.
-## Step 5: Write the configuration
+## B.6 — Write the configuration
-Add p58-n8n inside the existing `mcpServers` object — **do not overwrite other servers.** Include only the env vars you actually have.
+Add p58-n8n inside the existing `mcpServers` object — **do not overwrite other servers.** Use the **absolute** npx path you resolved in B.2.
-### Claude Desktop / Cursor / Windsurf / VS Code (JSON)
+### Claude Desktop / Cursor / Windsurf (JSON)
 ```json
 {
   "mcpServers": {
     "p58-n8n": {
-      "command": "npx",
-      "args": ["-y", "@path58/p58-n8n@demo"],
+      "command": "/opt/homebrew/bin/npx",
+      "args": ["-y", "@path58/p58-n8n@latest"],
       "env": {
         "N8N_API_URL": "https://YOUR-n8n-host/api/v1",
         "N8N_API_KEY": "<n8n-api-key>",
@@ -215,22 +215,37 @@ Add p58-n8n inside the existing `mcpServers` object — **do not overwrite other
 }
 ```
-- **Free, no n8n:** keep only `command`/`args` (catalog discovery works offline).
-- **Optional `test_credential`:** add `N8N_USER_EMAIL` + `N8N_USER_PASSWORD`.
-- **Optional CF Access (only if Step 4 said so):** add `CF_ACCESS_CLIENT_ID` + `CF_ACCESS_CLIENT_SECRET`.
-- **VS Code only:** top-level key is `"servers"`, and add `"type": "stdio"`.
+> Replace `/opt/homebrew/bin/npx` with whatever `command -v npx` returned in B.2. Never write the bare `"npx"` string here.
+### VS Code
+Top-level key is `"servers"` (not `"mcpServers"`), and add `"type": "stdio"`.
 ### Claude Code (CLI)
 ```bash
+NPX_PATH="$(command -v npx)"
 claude mcp add p58-n8n \
   -e N8N_API_URL=https://YOUR-n8n-host/api/v1 \
   -e N8N_API_KEY=<n8n-api-key> \
   -e P58_ACCESS_TOKEN=<premium-token-if-you-have-one> \
-  -- npx -y @path58/p58-n8n@demo
+  -- "$NPX_PATH" -y @path58/p58-n8n@latest
+```
+### Codex (TOML)
+```toml
+[mcpServers.p58-n8n]
+command = "/opt/homebrew/bin/npx"
+args = ["-y", "@path58/p58-n8n@latest"]
+[mcpServers.p58-n8n.env]
+N8N_API_URL = "https://YOUR-n8n-host/api/v1"
+N8N_API_KEY = "<n8n-api-key>"
+P58_ACCESS_TOKEN = "<premium-token-if-you-have-one>"
 ```
-### Avoid plaintext secrets (optional, G7)
+### Avoid plaintext secrets (optional)
 To keep secrets out of `~/.claude.json` / config files, wrap them with a secret manager at launch:
@@ -238,55 +253,128 @@ To keep secrets out of `~/.claude.json` / config files, wrap them with a secret
 {
   "mcpServers": {
     "p58-n8n": {
-      "command": "sh",
-      "args": ["-c", "N8N_API_KEY=$(op read 'op://Vault/n8n/api-key') P58_ACCESS_TOKEN=$(op read 'op://Vault/p58/access-token') N8N_API_URL=https://YOUR-n8n-host/api/v1 npx -y @path58/p58-n8n@demo"]
+      "command": "/bin/sh",
+      "args": ["-c", "N8N_API_KEY=$(op read 'op://Vault/n8n/api-key') P58_ACCESS_TOKEN=$(op read 'op://Vault/p58/access-token') N8N_API_URL=https://YOUR-n8n-host/api/v1 /opt/homebrew/bin/npx -y @path58/p58-n8n@latest"]
     }
   }
 }
 ```
-The same pattern works for `CF_ACCESS_CLIENT_ID` / `CF_ACCESS_CLIENT_SECRET`. Note: env changes only take effect after a restart (Step 6).
----
-## Step 6: Restart the client (G6)
-The MCP server reads its env **only at startup** — a running process keeps showing the old state until the session restarts.
+## B.7 — Restart the client
 | Client | Restart |
-|--------|---------|
+|---|---|
 | **Claude Desktop** | Fully quit (Cmd+Q on macOS — closing the window is not enough), reopen |
 | **Claude Code** | Exit and restart the CLI session |
 | **Cursor / Windsurf / VS Code** | Reload window / restart |
 | **Codex / Antigravity** | Restart the app |
+## B.8 — Verify with `setup_check`
+After restart, call `setup_check`. A healthy connected result shows:
+- `access_mode: "premium"` (if a token is set) or `"free"`
+- `n8n_configured: true` + `workflow_engine_connected: true`
+- a `credential_count`, and `issues: []`
+If `n8n_configured: false`, the URL/key pairing is wrong — re-run § A.5.
 ---
-## Step 7: Verify — **after** restart
+# Step ∞ — Proactively offer an opportunistic demo (BOTH paths)
-Validate the pairing with curl **before** restart (Step 4); confirm the running server **after** restart with `setup_check`.<sup>[[5]](#sources)</sup>
+The moment `setup_check` returns GREEN for the first time after install, **don't wait for the user to ask** what to do next. Discover what they have, propose a tailored workflow that pulls live data and delivers a visible result, and build it.
-Ask the agent: **"Run `setup_check`."** A healthy connected result shows:
-- `access_mode: "premium"` (if a token is set) or `"free"`,
-- `n8n_configured: true` + `workflow_engine_connected: true`,
-- a `credential_count`, and `issues: []`.
+This is the "wow" moment of the install. Done well, the user goes from "ok it's connected" to "holy crap that worked" in 30 seconds.
-If `n8n_configured` is false, the API key/URL pairing is wrong — re-run Step 4.
+## ∞.1 — Discover what the user has
----
+Call `list_credentials`. Bucket each credential by capability:
+```
+DATASOURCE  (preferred: PUBLIC APIs to avoid touching user data)
+  ZERO-CRED:  HTTP request to public endpoints (no n8n credential needed):
+              - HackerNews top stories (hacker-news.firebaseio.com)
+              - Wikipedia daily featured (en.wikipedia.org/api)
+              - GitHub trending (api.github.com/search)
+              - Public RSS feeds
+              - boredapi.com, jsonplaceholder.typicode.com (test APIs)
+              - cat-facts API (catfact.ninja)
+  KEY-BASED public: openWeatherMap, serpApi, newsApi, perplexityApi,
+                    coinMarketCap, exchangeRateApi
+  USER-DATA SaaS: notionApi, airtableApi, googleSheets, githubApi,
+                  hubspotApi, salesforceApi, monday, supabase
+  USER DB:    postgres, mysql, mongodb, microsoftSql, redis
+AI
+  openAi, anthropic, googlePalmApi, mistralCloud, cohereApi,
+  openRouterApi, perplexityApi, huggingFaceApi
+CHANNEL
+  slackApi, telegramApi, gmailOAuth2, discordApi, twilioApi,
+  microsoftOutlookOAuth2, microsoftTeams, sendGrid, mailgun
+```
+## ∞.2 — Pick datasource using PUBLIC-FIRST priority ladder
+```
+1. ZERO-CRED public APIs  →  works for everyone, never touches user data
+2. KEY-BASED public APIs  →  if user has e.g. openWeatherMap credential
+3. USER-DATA SaaS         →  ONLY with explicit consent ("want me to use your Notion?")
+4. USER DB                →  ONLY when user explicitly invites it
+```
+The default is always tier 1 or 2 (public data). Only escalate to user-data tiers if the user asks for richer demo with their own data.
+## ∞.3 — Pick AI + Channel from their list
+- AI: prefer Anthropic > OpenAI > others (any AI cred works)
+- Channel: prefer Slack > Telegram > Gmail > Discord > whatever they have
+## ∞.4 — Propose ONE workflow before building
+Tell the user concretely what you'd build, using THEIR actual tools by name:
-## Step 8: Offer the first workflow — opportunistic, best-effort, narrated
+> *"You've got OpenAI + Slack connected. I'd build a quick demo: pull the current top 5 HackerNews stories, have GPT-4 summarize them into a 3-sentence digest, and post to your Slack #general. ~15 seconds. Want me to go ahead?"*
-Don't hand the user a bare "hello world." Immediately after a healthy `setup_check`, proactively build them a **personalized first automation** that pulls live data and delivers a result to a channel they'll actually see. Behavior:
+| User has | Proposed demo (public-data default) |
+|---|---|
+| OpenAI + Slack | HackerNews top 5 → GPT summarizes → post to Slack |
+| Anthropic + Telegram | Wikipedia daily featured → Claude shortens to a tweet → Telegram DM |
+| OpenAI + Gmail | GitHub trending repos → GPT picks 3 most relevant → email summary |
+| openWeatherMap + Anthropic + Slack | Tel Aviv weather → Claude writes 2-line forecast with personality → Slack |
+| Just OpenAI (no channel) | Wikipedia featured → GPT summary → respond inline in chat |
+| Just Slack (no AI) | OpenWeatherMap (free key) → simple 2-node weather post |
-1. **Discover.** `setup_check` + `list_credentials` → what credentials exist.
-2. **Harvest reusable runtime params (when available).** If a `list_workflows` / `discover_runtime_params` capability is present, scan the user's **existing** workflows for proven resource-locators (Slack channel IDs, Telegram chat IDs, recipient emails, sheet IDs) and **reuse one** — zero-friction, lands where they already work, and makes Telegram viable (chat-id harvested, not asked). *Not yet shippable on the 18-tool surface — `list_workflows` isn't registered; tracked in `REQ-2026-06-02-harvest-runtime-params-from-existing-workflows`. Until then, ask once for the one irreducible value (their email, or a Slack channel).*
-3. **Pick the lowest-friction channel present:** email → Slack → *never* Telegram cold.
-4. **Narrate the plan first (mitigate surprise).** Tell the user, in the chat, what you found and what you're about to build, and that it's a **best-effort** first run you'll self-heal if needed — e.g. *"You've got Slack + OpenWeatherMap connected. I'll build a webhook → live weather → Slack welcome. Best-effort first run — if n8n flags anything I'll fix it and re-run."*
-5. **Build defensively:** **webhook trigger** (runs via public URL — no n8n login needed), **explicit** values (channel, message, city — never payload-dependent defaults), credentials wired **by ID**, version-stable nodes (Webhook/OpenWeatherMap/Slack/Gmail/Code/HTTP) over volatile AI/LangChain nodes for the *first* run.
-6. **Build → `test_workflow` → self-heal.** On a config gap, read the exact `failed_node`/`recovery_hint` and `partial_update_workflow` it (e.g. Slack missing `channelId`/`text`), then re-test.
-7. **Report honestly.** ✅ if verified; if it delivered but the verify pass was blocked by missing session auth (Step 3c), say so — *"it ran and the message should have arrived; I just couldn't run my verification pass without your n8n login."* **Never** say "failed" when the result actually landed (see the 3c false-negative note).
-8. **Personalize.** Address the user by name (harvest from `setup_check`'s n8n project owner when present) and add a short warm welcome.
+If the user has user-data credentials (Notion, Airtable, Postgres) but ALSO has a public-data path available, **propose the public-data demo by default** and OFFER the richer one as an alternative:
+> *"Quick proof-of-life demo: HackerNews → GPT → Slack. If you want a more personalized one, I could pull from your Notion or query your Postgres instead — just say the word."*
+## ∞.5 — Build defensively
+Once the user says yes:
+1. **Use a webhook trigger** — runs via public URL, no n8n session login needed for execution.
+2. **Bind credentials by ID, not name** — use the cred IDs from `list_credentials`.
+3. **Hardcode explicit values** — channel name, city, message text. Don't depend on payload defaults.
+4. **Prefer version-stable nodes** — Webhook, HTTP Request, Slack, OpenAI/Anthropic, Code over volatile LangChain nodes for the FIRST run.
+5. **Cap at 3-5 nodes.** Don't get fancy — the goal is "it runs and posts."
+```
+build_workflow → returns workflow ID + canvas link
+test_workflow  → returns sync execution result
+```
+On a config gap, read `failed_node` + `recovery_hint` and `partial_update_workflow` the fix, then re-test. Don't tell the user it failed if the side-effect actually landed.
+## ∞.6 — Report honestly with evidence
+✅ if the workflow actually delivered (Slack message landed, email arrived, etc.). Include the concrete proof:
+> *"✅ Built workflow `YQcQOAy8IcG7zG6w`, test_workflow GREEN. Top story 'X' summarized and posted to #general at 09:42:13. Open the canvas: <link>."*
+If `test_workflow` returned a session-auth false negative (see Step A.5 ⚠️ note) but the result actually landed in the channel, **say so plainly** — don't claim failure when there's a real Slack message:
+> *"It ran and the message should have arrived in #general. I couldn't run my verification pass without your n8n login, but check the channel — it almost certainly landed."*
 ---
@@ -309,25 +397,27 @@ Don't hand the user a bare "hello world." Immediately after a healthy `setup_che
 ## Troubleshooting
 | Symptom | Cause | Fix |
-|---------|-------|-----|
-| Tools not appearing | Config syntax error or wrong path | Validate JSON; verify the OS-specific path (Step 1) |
-| `"npx: command not found"` | Node.js not installed / not on PATH | Install Node 18+ from nodejs.org; on desktop apps use full path `/opt/homebrew/bin/npx` |
-| `setup_check` → `n8n_configured: false` | Wrong URL/key pairing | Re-run the Step 4 pair-test |
-| `401 invalid signature` | Valid key, wrong instance | Re-pair (Step 4) |
-| `302` to cloudflareaccess.com | n8n behind Cloudflare Access | Add CF service token (Step 4 branch) |
-| New env not taking effect | Process not restarted | Fully quit + reopen (Step 6) |
+|---|---|---|
+| Tools not appearing after install | `.mcpb` not installed OR JSON config broken | A: re-install .mcpb. B: validate JSON and absolute npx path (B.2) |
+| `"Failed to spawn process: No such file or directory"` | Path B with bare `npx` — Claude Desktop can't find it | Re-run B.2 to get absolute path; replace `"npx"` with that path in config |
+| `"npx: command not found"` in logs | Node.js not installed at all | `brew install node` (or nodejs.org) |
+| `setup_check` → `n8n_configured: false` after Save | Wrong URL/key pairing | Re-run A.5 pair-test; check pair returns 200 |
+| `401 invalid signature` from n8n | Valid key, wrong instance | Confirm URL matches the n8n that issued the key |
+| `302` to cloudflareaccess.com | n8n behind Cloudflare Access | Add `CF_ACCESS_CLIENT_ID` + `CF_ACCESS_CLIENT_SECRET` |
+| New env vars not taking effect | Process not restarted | Cmd+Q + reopen (Desktop) / exit + re-run (CLI) |
+| `test_workflow` says fail but Slack/email got the message | Session-auth false negative (Step A.5 ⚠️) | Set `N8N_USER_EMAIL` + `N8N_USER_PASSWORD`; or trust the side-effect |
 ---
 ## Sources
-1. **18 tools** — `src/mcp/tools/index.ts` `TOOL_ENTRIES` (14 core + 4 credential-management; the RAG-4.97.2 locked set).
-2. **Bundled catalog counts** — `src/data/public-catalog/manifest.json` (`bundle_type: public-basic`, names/metadata only): 1,603 nodes / 14,805 operations / 679 credential types.
-3. **Tier model** — `src/mcp/runtime/access-mode.ts`: `P58_ACCESS_TOKEN` → `premium` (enriched proxy catalog); `P58_DATABASE_URL` → `dev` (internal); neither → `free` (bundled index). Premium proxy serves catalog knowledge, not the n8n engine.
-4. **n8n engine env vars** — `src/config/env.schema.ts` (`N8N_API_BASE_URL`/`N8N_API_KEY`/`N8N_USER_EMAIL`/`N8N_USER_PASSWORD`); live `setup_check` confirms `N8N_API_URL` resolution.
-5. **Search-first discovery + validation loop** — field report `MCP_INSTALL_FIELD_REPORT_2026-06-01` §6 (key discovery) and §7 (pair-test matrix); curl results observed in a live install session.
-6. **Cloudflare Access headers** — `src/shared/n8n-api-adapter.ts` injects `CF-Access-Client-Id` / `CF-Access-Client-Secret` from `CF_ACCESS_CLIENT_ID` / `CF_ACCESS_CLIENT_SECRET`.
+1. **18 tools** — `src/mcp/tools/index.ts` `TOOL_ENTRIES` (14 core + 4 credential-management; RAG-4.97.2 locked set).
+2. **Bundled catalog counts** — `src/data/public-catalog/manifest.json` (`bundle_type: public-basic`): 1,603 nodes / 14,805 operations / 679 credential types.
+3. **Tier model** — `src/mcp/runtime/access-mode.ts`: `P58_ACCESS_TOKEN` → `premium`; `P58_DATABASE_URL` → `dev` (internal); neither → `free`.
+4. **n8n engine env vars** — `src/config/env.schema.ts` (`N8N_API_BASE_URL`/`N8N_API_KEY`/`N8N_USER_EMAIL`/`N8N_USER_PASSWORD`).
+5. **Search-first discovery + validation loop** — field report `MCP_INSTALL_FIELD_REPORT_2026-06-01` §6 (key discovery), §7 (pair-test matrix).
+6. **Cloudflare Access headers** — `src/shared/n8n-api-adapter.ts` injects `CF-Access-Client-Id`/`CF-Access-Client-Secret`.
 ---
-**Package:** `@path58/p58-n8n` · **npm:** https://www.npmjs.com/package/@path58/p58-n8n · **Version:** 0.2.20-demo.2
+**Package:** `@path58/p58-n8n` · **npm:** https://www.npmjs.com/package/@path58/p58-n8n · **Version:** 0.2.20-demo.3 (candidate)

package/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,25 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [0.2.20-demo.3] - 2026-06-03
+### Added
+- **`p58-n8n.mcpb` shipped in npm tarball** — `package.json` `files[]` now includes the Claude Desktop Extension file. Cohort recipients can download directly via `https://unpkg.com/@path58/p58-n8n@latest/p58-n8n.mcpb` (one-click) or via `npm install`. Fills the gap where demo.1/demo.2 had the .mcpb on disk and on private GitHub Release only.
+### Changed
+- **`AGENT_INSTALL.md` v3** — restructured for clean-Mac success on first try:
+  - **Step 0 (NEW)**: client-capability self-check (sandbox / Cowork / local-agent / Claude Code CLI) — agent picks correct install path based on what it can actually do, instead of failing mid-install.
+  - **Path A — `.mcpb` (recommended)** with conversational config flow: agent calls `setup_check`, asks user one field at a time, tells them exactly which Configure form field to paste into, re-verifies between steps. No JSON editing.
+  - **Path B — JSON config (advanced)** with **mandatory absolute-`npx`-path resolution** (closes the `Failed to spawn process` bug on macOS — bare `npx` in `claude_desktop_config.json` silently fails because Claude Desktop's app PATH doesn't include `/opt/homebrew/bin/` or `~/.nvm/`).
+  - **Opportunistic demo with public-data-first priority ladder** — after `setup_check` green, agent proposes a 3-node workflow using public APIs (HackerNews / Wikipedia / OpenWeatherMap / GitHub trending) before touching user-data sources. Notion / Postgres / Airtable only with explicit user consent.
+- **Footer version** updated to 0.2.20-demo.3.
+### Fixed
+- **Clean-Mac install via JSON path** no longer fails with `Failed to spawn process: No such file or directory` — agent now resolves `command -v npx` to an absolute path before writing the config field (Path B § B.2). The bare `"npx"` value in MCP config worked only when the host shell PATH bled through into Claude Desktop, which it doesn't on stock macOS.
 ## [0.2.20-demo.2] - 2026-06-02
 ### Changed

package/p58-n8n.mcpb ADDED Viewed

Binary file

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@path58/p58-n8n",
-  "version": "0.2.20-demo.2",
+  "version": "0.2.20-demo.3",
   "description": "The smartest and fastest n8n MCP server — validate, fix, and discover workflows inside your LLM",
   "keywords": [
     "mcp",
@@ -27,6 +27,7 @@
   "files": [
     "dist/mcp/server.bundle.cjs",
     "src/data/public-catalog/**/*",
+    "p58-n8n.mcpb",
     "README.md",
     "AGENT_INSTALL.md",
     "CHANGELOG.md",