@path58/p58-n8n 0.2.9 → 0.2.11

package/AGENT_INSTALL.md

@@ -99,6 +99,38 @@ The API key cannot be auto-discovered. The user must provide it or create one.
 
 ---
 
+## Step 3b: Get n8n Login Credentials (Optional — for credential testing)
+
+Some tools (`test_credential`, credential health checks) need REST session auth to access credential secrets. This requires the user's n8n login email and password.
+
+**When to ask:** If the user wants credential management features (testing, health audits), ask:
+> "To enable credential testing, I'll also need your n8n login email and password. These are the same credentials you use to log into the n8n web UI. Want to add them now?"
+
+**If the user declines:** Tier 2-7 tools still work — only `test_credential` will prompt for credentials per-call.
+
+**Security notes:**
+- These credentials are stored in the MCP config file alongside the API key (same security model)
+- The MCP server never logs credentials — they are only used to obtain a session cookie from n8n
+- The session cookie is ephemeral and not persisted to disk
+- If the user is uncomfortable storing their password in the config, they can omit it and provide credentials per-call when using `test_credential`
+
+**Advanced: Use a credential manager instead of plaintext:**
+
+If the user has 1Password CLI installed, they can reference secrets dynamically:
+```json
+{
+  "mcpServers": {
+    "p58-n8n": {
+      "command": "sh",
+      "args": ["-c", "N8N_API_KEY=$(op read 'op://Vault/n8n/api-key') N8N_USER_EMAIL=$(op read 'op://Vault/n8n/email') N8N_USER_PASSWORD=$(op read 'op://Vault/n8n/password') N8N_API_URL=http://localhost:5678/api/v1 npx -y @path58/p58-n8n"]
+    }
+  }
+}
+```
+This way no secrets are stored in the config file — they're fetched from 1Password at startup with biometric approval.
+
+---
+
 ## Step 4: Write the Configuration
 
 ### For Claude Desktop / Cursor / Gemini CLI / VS Code (JSON config)
@@ -114,7 +146,9 @@ Read the existing config file, then add p58-n8n inside the `mcpServers` object.
       "args": ["-y", "@path58/p58-n8n"],
       "env": {
         "N8N_API_URL": "http://localhost:5678/api/v1",
-        "N8N_API_KEY": "<paste-api-key-here>"
+        "N8N_API_KEY": "<paste-api-key-here>",
+        "N8N_USER_EMAIL": "<n8n-login-email>",
+        "N8N_USER_PASSWORD": "<n8n-login-password>"
       }
     }
   }
@@ -140,6 +174,8 @@ Read the existing config file, then add p58-n8n inside the `mcpServers` object.
 claude mcp add p58-n8n \
   -e N8N_API_URL=http://localhost:5678/api/v1 \
   -e N8N_API_KEY=<paste-api-key-here> \
+  -e N8N_USER_EMAIL=<n8n-login-email> \
+  -e N8N_USER_PASSWORD=<n8n-login-password> \
   -- npx -y @path58/p58-n8n
 ```
 
@@ -193,6 +229,8 @@ Ask: "List my n8n credentials"
 |----------|-----------|-------------|-------------|
 | `N8N_API_URL` | For Tier 2-7 tools | n8n instance API URL | See Step 2 above |
 | `N8N_API_KEY` | For Tier 2-7 tools | n8n API authentication key | n8n → Settings → API Keys |
+| `N8N_USER_EMAIL` | For `test_credential` | n8n login email (REST session auth) | Same email you use to log into n8n UI |
+| `N8N_USER_PASSWORD` | For `test_credential` | n8n login password (REST session auth) | Same password you use to log into n8n UI |
 
 > **Note:** `N8N_API_BASE_URL` is accepted as a fallback for `N8N_API_URL`. If neither is set, defaults to `http://localhost:5678/api/v1`.
 
@@ -215,6 +253,7 @@ Ask: "List my n8n credentials"
 | "npx: command not found" | Node.js not installed | Install from https://nodejs.org/ |
 | "Authentication failed" on deploy tools | N8N_API_KEY missing or invalid | Add API key to config, restart client |
 | "Connection refused" on server_health | n8n not running at configured URL | Start n8n or fix N8N_API_URL |
+| `test_credential` returns `NEEDS_N8N_LOGIN` | Session auth vars not set | Add `N8N_USER_EMAIL` and `N8N_USER_PASSWORD` to config (Step 3b) |
 | All tools timeout | Firewall blocking localhost | Check firewall / VPN settings |
 | Server shows "failed" status | ANSI color issue (pre-v0.2.2) | Update to latest version: `npx -y @path58/p58-n8n@latest` |
 

package/CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.2.11] - 2026-03-11
+
+### Added
+
+- **Session auth env vars** — `N8N_USER_EMAIL` and `N8N_USER_PASSWORD` now defined in env schema with Zod validation. When set in MCP config, `test_credential` works without per-call password prompts.
+- **Security documentation** — README now includes a full Security section documenting credential security model, auth layers, and user responsibilities.
+- **Credential helper example** — AGENT_INSTALL.md includes a 1Password CLI config pattern for users who prefer not to store passwords in plaintext config files.
+- **Step 3b in install guide** — AGENT_INSTALL.md now documents session auth setup as an optional step during installation.
+
+## [0.2.10] - 2026-03-11
+
+### Fixed
+
+- **Webhook URL construction bug** — `extractWebhookPath` incorrectly prefixed `{workflowId}/{encodedNodeName}/` to the webhook path, producing URLs like `/webhook/4aDOC5YlrPOTUTgm/webhook/langchain-test-029` instead of `/webhook/langchain-test-029`. This caused 404 errors on every webhook-triggered `test_workflow` and `execute_workflow` call. n8n production webhooks listen at `/webhook/{path}` with no prefix.
+
 ## [0.2.9] - 2026-03-11
 
 ### Fixed

package/README.md

@@ -280,6 +280,49 @@ p58-n8n is in **soft launch** (friends & family). Issues and feedback welcome:
 
 ---
 
+## Security
+
+p58-n8n handles your n8n API keys, credentials, and server access. We take that responsibility seriously — here's exactly how your data is protected.
+
+### Your Data Stays on Your Machine
+
+p58-n8n runs as a **local stdio process**. There is no cloud relay, no telemetry, no external servers. Your credentials, workflow data, and n8n API traffic never leave your machine. The MCP protocol communicates exclusively via stdin/stdout with your local AI client.
+
+### Credential Security
+
+| Protection | How It Works |
+|-----------|-------------|
+| **No credential logging** | Passwords, API keys, and session tokens are never written to logs at any level — verified by automated grep checks |
+| **Ephemeral sessions** | n8n session cookies are created per-operation, held in memory only, and never persisted to disk |
+| **No secrets in responses** | MCP tool responses never include credential values — only metadata (name, type, health status) |
+| **Schema-validated config** | All environment variables are validated with Zod at startup — malformed values are rejected immediately |
+| **Fail-closed design** | Missing credentials produce clear error messages — the server never falls back to insecure defaults or guesses |
+| **Per-call override** | Users who prefer not to store passwords in config files can provide credentials per-tool-call instead |
+
+### Authentication Layers
+
+p58-n8n uses two independent auth mechanisms to talk to your n8n instance:
+
+| Layer | Variables | What It Accesses | When Needed |
+|-------|----------|-----------------|-------------|
+| **API Key** | `N8N_API_KEY` | Workflow CRUD, activation, execution | All Tier 2-7 tools |
+| **Session Auth** | `N8N_USER_EMAIL`, `N8N_USER_PASSWORD` | Credential secrets, credential testing | `test_credential` only |
+
+Session auth is **optional**. Without it, all tools work except `test_credential`, which will prompt for credentials per-call.
+
+### Your Responsibility
+
+While p58-n8n implements security best practices, **you are responsible for:**
+- Securing access to your n8n instance and API keys
+- Protecting your MCP config files (we recommend `chmod 600`)
+- Rotating API keys and passwords periodically
+- Using a credential manager (1Password, macOS Keychain) for production environments instead of plaintext config files
+- Reviewing what workflows the AI builds before deploying to production
+
+**We recommend:** Use a credential helper to inject secrets into your MCP config rather than storing them in plaintext. See [AGENT_INSTALL.md](https://github.com/tsvika58/p58-n8n/blob/main/AGENT_INSTALL.md) for setup options.
+
+---
+
 ## Architecture
 
 p58-n8n runs as a local stdio MCP server. No cloud services required for basic use.

package/dist/mcp/server.bundle.cjs

@@ -18473,7 +18473,7 @@ var import_types22 = require("@modelcontextprotocol/sdk/types.js");
 var config = {
   // Server identity
   SERVER_NAME: "p58-n8n",
-  SERVER_VERSION: "0.2.9",
+  SERVER_VERSION: "0.2.11",
   // Database configuration (from environment)
   SUPABASE_URL: process.env.SUPABASE_URL,
   SUPABASE_KEY: process.env.SUPABASE_KEY,
@@ -37464,16 +37464,7 @@ function extractWebhookPath(workflow) {
   if (!trigger)
     return null;
   const params = trigger.parameters ?? {};
-  const shortPath = typeof params.path === "string" && params.path.length > 0 && params.path || typeof params.webhookId === "string" && params.webhookId.length > 0 && params.webhookId || typeof trigger.webhookId === "string" && trigger.webhookId.length > 0 && trigger.webhookId || null;
-  if (!shortPath)
-    return null;
-  const wfId = workflow.id;
-  const nodeName = trigger.name ?? "Webhook";
-  if (wfId) {
-    const encodedNodeName = encodeURIComponent(String(nodeName).toLowerCase());
-    return `${wfId}/${encodedNodeName}/${shortPath}`;
-  }
-  return shortPath;
+  return typeof params.path === "string" && params.path.length > 0 && params.path || typeof params.webhookId === "string" && params.webhookId.length > 0 && params.webhookId || typeof trigger.webhookId === "string" && trigger.webhookId.length > 0 && trigger.webhookId || null;
 }
 function buildN8nHostUrl() {
   const apiBase = process.env.N8N_API_BASE_URL ?? process.env.N8N_API_URL ?? "http://localhost:5678/api/v1";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@path58/p58-n8n",
-  "version": "0.2.9",
+  "version": "0.2.11",
   "description": "The smartest and fastest n8n MCP server — validate, fix, and discover workflows inside your LLM",
   "keywords": [
     "mcp",