@vaultys/mcp-agent 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 VaultysID
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,246 @@
+# @vaultys/mcp-agent
+
+**Policy-enforced MCP server powered by VaultysID** — cryptographic authorization and tamper-evident audit trail for every AI tool call.
+
+Every action your AI agent takes is:
+1. **Authorized** against a signed policy bundle
+2. **Executed** only if allowed
+3. **Receipted** with a cryptographic signature for tamper-evident audit
+
+## Quick Start — 2 minutes to Claude Desktop
+
+### 1. Add to Claude Desktop
+
+Edit `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\Claude\claude_desktop_config.json` (Windows):
+
+```json
+{
+  "mcpServers": {
+    "vaultys-agent": {
+      "command": "npx",
+      "args": ["-y", "@vaultys/mcp-agent"]
+    }
+  }
+}
+```
+
+That's it. Restart Claude Desktop — the server auto-generates a default policy on first run.
+
+### 2. (Optional) Set a workspace directory
+
+By default the agent uses your current working directory. To restrict file access to a specific project:
+
+```json
+{
+  "mcpServers": {
+    "vaultys-agent": {
+      "command": "npx",
+      "args": ["-y", "@vaultys/mcp-agent"],
+      "env": {
+        "WORKSPACE_ROOT": "/Users/you/projects/my-app"
+      }
+    }
+  }
+}
+```
+
+### 3. (Optional) Customize the policy
+
+```bash
+npx @vaultys/mcp-agent init --workspace /path/to/project --hours 48
+```
+
+This creates/updates the signed policy in `~/.vaultys-mcp/`.
+
+## What It Does
+
+```
+┌──────────────┐         ┌────────────────────────────────────┐
+│  Claude /    │◄──MCP──►│  @vaultys/mcp-agent                │
+│  Cursor /    │  stdio  │                                    │
+│  any client  │         │  ┌──────────────────────────────┐  │
+│              │         │  │ Policy Middleware             │  │
+│              │         │  │  map tool → capability        │  │
+│              │         │  │  evaluate against policy      │  │
+│              │         │  │  sign receipt                 │  │
+│              │         │  └──────────────────────────────┘  │
+│              │         │                                    │
+│              │         │  Tools:                            │
+│              │         │    read_file   → fs.read:path      │
+│              │         │    write_file  → fs.write:path     │
+│              │         │    list_directory → fs.list:path   │
+│              │         │    run_command → proc.exec:bin     │
+│              │         │    fetch_url   → net.egress:host   │
+│              │         │                                    │
+│              │         │  Audit: ~/.vaultys-mcp/ + ./audit/ │
+└──────────────┘         └────────────────────────────────────┘
+```
+
+### Policy Enforcement
+
+Every tool call is mapped to a taxonomy capability and checked against the signed policy:
+
+| Tool             | Capability        | Example Scope             |
+| ---------------- | ----------------- | ------------------------- |
+| `read_file`      | `fs.read`         | `/workspace/src/index.ts` |
+| `write_file`     | `fs.write`        | `/workspace/output.json`  |
+| `list_directory` | `fs.list`         | `/workspace/src`          |
+| `run_command`    | `proc.exec`       | `ls`, `grep`, `cat`       |
+| `fetch_url`      | `net.egress.http` | `api.example.com`         |
+
+Denied calls return an error message to the AI and are logged with a signed denial receipt.
+
+### Default Policy
+
+Auto-generated on first run — allows:
+- File read/write/list within `WORKSPACE_ROOT`
+- Safe commands: `ls`, `cat`, `echo`, `wc`, `head`, `tail`, `grep`, `find`, `pwd`, `date`, `whoami`
+- HTTP requests to any host
+- Blocks: `secrets.*`, `pkg.system`, `proc.privilege`
+
+## CLI Commands
+
+```bash
+# Start the MCP server (called by Claude Desktop via npx)
+npx @vaultys/mcp-agent
+
+# Interactive setup — customize policy, workspace, validity
+npx @vaultys/mcp-agent init
+npx @vaultys/mcp-agent init --workspace /path --hours 48
+
+# Sign a custom policy
+npx @vaultys/mcp-agent grant --policy custom.json --hours 2
+
+# Verify the audit trail
+npx @vaultys/mcp-agent audit
+npx @vaultys/mcp-agent audit --tamper <job-id>   # demo tampering detection
+```
+
+Or using globally installed commands:
+
+```bash
+vaultys-mcp-agent          # start server
+vaultys-mcp-init           # setup
+vaultys-mcp-grant          # sign policy
+vaultys-mcp-audit          # verify receipts
+```
+
+## MCP Resources
+
+The server exposes these resources that Claude can read:
+
+| Resource URI                | Description                 |
+| --------------------------- | --------------------------- |
+| `vaultys://policy/current`  | Active signed policy (JSON) |
+| `vaultys://identity/server` | Server DID and public key   |
+| `vaultys://receipts/list`   | All receipt summaries       |
+
+## Configuration
+
+### Environment Variables
+
+| Variable             | Default           | Description                                 |
+| -------------------- | ----------------- | ------------------------------------------- |
+| `WORKSPACE_ROOT`     | Current directory | Root directory for file operations          |
+| `POLICY_FILE`        | (auto-managed)    | Path to a custom signed policy file         |
+| `AUTHORITY_FILE`     | (auto-managed)    | Path to authority identity for verification |
+| `VAULTYS_CONFIG_DIR` | `~/.vaultys-mcp`  | Configuration directory                     |
+
+### Config Directory (`~/.vaultys-mcp/`)
+
+| File                      | Purpose                             |
+| ------------------------- | ----------------------------------- |
+| `server.identity.json`    | Server's VaultysID (auto-generated) |
+| `authority.secret.json`   | Authority private key (keep safe!)  |
+| `authority.identity.json` | Authority public key                |
+| `policy.signed.json`      | Active signed policy                |
+
+### Custom Policy File
+
+Create a JSON policy and sign it:
+
+```json
+{
+  "version": "1.0",
+  "scopes": {
+    "fs.read": ["{{WORKSPACE}}/**"],
+    "fs.write": ["{{WORKSPACE}}/output/**"],
+    "fs.list": ["{{WORKSPACE}}/**"],
+    "proc.exec": ["ls", "cat", "grep"],
+    "net.egress.http": ["api.mycompany.com"]
+  },
+  "denied": ["secrets.*", "pkg.system"],
+  "constraints": {
+    "max_runtime": 60,
+    "no_shell_features": true
+  }
+}
+```
+
+`{{WORKSPACE}}` is replaced with the actual workspace path at signing time.
+
+```bash
+vaultys-mcp-grant --policy my-policy.json --workspace /my/project --hours 8
+```
+
+## Audit Trail
+
+Every tool call produces a signed receipt in `./audit/`:
+
+```json
+{
+  "job_id": "a1b2c3d4-...",
+  "timestamp": "2025-02-12T...",
+  "tool": "read_file",
+  "decision": "allow",
+  "allowed_caps": ["fs.read:/workspace/README.md"],
+  "receipt": {
+    "intent_hash": "sha256...",
+    "policy_hash": "sha256...",
+    "exec": { "started": "...", "ended": "...", "exit_code": 0 },
+    "broker_signature": "<base64>"
+  }
+}
+```
+
+Verify the entire audit trail:
+
+```bash
+vaultys-mcp-audit
+```
+
+Tampered receipts are detected — the cryptographic signature becomes invalid.
+
+## Security Model
+
+- **Server identity**: Ed25519 keypair generated on first run, persisted in `~/.vaultys-mcp/`
+- **Authority identity**: Separate keypair that signs policies — can be held by a different person/system
+- **Policy signing**: Authority signs the policy bundle; server verifies before loading
+- **Intent signing**: Server signs each execution intent before policy evaluation
+- **Receipt signing**: Server signs each execution outcome for tamper-evident audit
+- **Scope matching**: File paths resolved to absolute paths; glob matching against policy patterns
+- **Denied capabilities**: Explicit deny list checked before scope matching (deny wins)
+
+## Development
+
+```bash
+git clone https://github.com/nicmusic/vaultysid
+cd typescript/demos/mcp-agent
+pnpm install
+
+# Run tests (29 E2E tests)
+pnpm test
+
+# Start server directly (dev mode, no build needed)
+pnpm start
+
+# Sign a policy (dev mode)
+pnpm grant-policy
+
+# Build for production
+pnpm build
+```
+
+## License
+
+MIT

package/dist/bin/audit.d.ts

@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+/**
+ * vaultys-mcp-audit — Verify the cryptographic audit trail.
+ *
+ * Walks through all signed receipts and verifies broker signatures.
+ *
+ * Usage:
+ *   vaultys-mcp-audit                        # verify all receipts
+ *   vaultys-mcp-audit --tamper <job-id>       # tamper then verify (demo)
+ *   vaultys-mcp-audit --dir /path/to/audit    # custom audit directory
+ */
+export {};

package/dist/bin/audit.js

@@ -0,0 +1,137 @@
+#!/usr/bin/env node
+/**
+ * vaultys-mcp-audit — Verify the cryptographic audit trail.
+ *
+ * Walks through all signed receipts and verifies broker signatures.
+ *
+ * Usage:
+ *   vaultys-mcp-audit                        # verify all receipts
+ *   vaultys-mcp-audit --tamper <job-id>       # tamper then verify (demo)
+ *   vaultys-mcp-audit --dir /path/to/audit    # custom audit directory
+ */
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { ExecutionManager, IdManager, MemoryStorage } from "@vaultys/id";
+import { configPath } from "../src/autoInit.js";
+// ── Parse args ──
+const args = process.argv.slice(2);
+function getArg(name, defaultValue) {
+    const idx = args.indexOf(`--${name}`);
+    if (idx !== -1 && args[idx + 1])
+        return args[idx + 1];
+    return defaultValue;
+}
+const AUDIT_DIR = path.resolve(getArg("dir", "audit"));
+const tamperId = getArg("tamper", "");
+async function main() {
+    console.log("╔══════════════════════════════════════════════════╗");
+    console.log("║  VaultysID Audit Trail Verifier                 ║");
+    console.log("╚══════════════════════════════════════════════════╝");
+    console.log();
+    // Load server identity for verification
+    let serverVaultysId = null;
+    const identityPath = configPath("server.identity.json");
+    if (fs.existsSync(identityPath)) {
+        const data = fs.readFileSync(identityPath, "utf-8");
+        const store = MemoryStorage().fromString(data);
+        const idm = await IdManager.fromStore(store);
+        if (idm) {
+            serverVaultysId = idm.vaultysId;
+            console.log(`Server DID: ${serverVaultysId.did}`);
+        }
+    }
+    // Fallback: try local server.identity.json
+    if (!serverVaultysId && fs.existsSync("server.identity.json")) {
+        const data = fs.readFileSync("server.identity.json", "utf-8");
+        const store = MemoryStorage().fromString(data);
+        const idm = await IdManager.fromStore(store);
+        if (idm) {
+            serverVaultysId = idm.vaultysId;
+            console.log(`Server DID: ${serverVaultysId.did}`);
+        }
+    }
+    if (!serverVaultysId) {
+        console.error("⚠  Cannot load server identity — signature verification disabled");
+    }
+    console.log();
+    // Load receipts
+    if (!fs.existsSync(AUDIT_DIR)) {
+        console.log("No audit records found. Run some tool calls first!");
+        return;
+    }
+    const files = fs.readdirSync(AUDIT_DIR).filter((f) => f.endsWith(".json")).sort();
+    if (files.length === 0) {
+        console.log("No audit records found. Run some tool calls first!");
+        return;
+    }
+    console.log(`Found ${files.length} receipt(s)\n`);
+    // Optionally tamper
+    if (tamperId) {
+        const tamperFile = path.join(AUDIT_DIR, `${tamperId}.json`);
+        if (fs.existsSync(tamperFile)) {
+            const record = JSON.parse(fs.readFileSync(tamperFile, "utf-8"));
+            record.receipt.exec.exit_code = 999;
+            fs.writeFileSync(tamperFile, JSON.stringify(record, null, 2));
+            console.log(`🔧 TAMPERED with receipt ${tamperId} (changed exit_code to 999)\n`);
+        }
+        else {
+            console.error(`⚠  Receipt ${tamperId} not found`);
+        }
+    }
+    let passed = 0;
+    let failed = 0;
+    let skipped = 0;
+    for (const file of files) {
+        const filePath = path.join(AUDIT_DIR, file);
+        let record;
+        try {
+            record = JSON.parse(fs.readFileSync(filePath, "utf-8"));
+        }
+        catch {
+            console.log(`  ⚠  ${file}: invalid JSON`);
+            skipped++;
+            continue;
+        }
+        const receipt = record.receipt;
+        const jobId = record.job_id;
+        const decision = record.decision;
+        const tool = record.tool;
+        if (receipt.broker_signature && typeof receipt.broker_signature === "string") {
+            receipt.broker_signature = Buffer.from(receipt.broker_signature, "base64");
+        }
+        let verified = false;
+        let sigStatus = "⏭  no key";
+        if (serverVaultysId) {
+            verified = ExecutionManager.verifyReceipt(receipt, serverVaultysId);
+            sigStatus = verified ? "✅ VALID" : "❌ INVALID";
+            if (verified)
+                passed++;
+            else
+                failed++;
+        }
+        else {
+            skipped++;
+        }
+        const decisionIcon = decision === "allow" ? "🟢" : "🔴";
+        console.log(`  ${sigStatus}  ${decisionIcon} ${tool.padEnd(16)}  ${jobId}  ${record.timestamp}`);
+        if (!verified && serverVaultysId) {
+            console.log(`           ⚠  Signature verification FAILED — possible tampering!`);
+        }
+    }
+    console.log();
+    console.log("─".repeat(52));
+    console.log(`  Results: ${passed} verified, ${failed} FAILED, ${skipped} skipped`);
+    if (failed > 0) {
+        console.log();
+        console.log("  ⚠  TAMPERING DETECTED in one or more receipts!");
+    }
+    else if (passed > 0) {
+        console.log();
+        console.log("  ✅ All receipts verified — audit trail is intact.");
+    }
+    console.log();
+}
+main().catch((err) => {
+    console.error("Error:", err);
+    process.exit(1);
+});

package/dist/bin/grant-policy.d.ts

@@ -0,0 +1,10 @@
+#!/usr/bin/env node
+/**
+ * vaultys-mcp-grant — Sign a custom policy for the MCP agent.
+ *
+ * Usage:
+ *   vaultys-mcp-grant                                              # default policy, 1 year
+ *   vaultys-mcp-grant --policy custom.json --hours 2               # custom policy, 2 hours
+ *   vaultys-mcp-grant --workspace /my/project --hours 48           # custom workspace
+ */
+export {};

package/dist/bin/grant-policy.js

@@ -0,0 +1,110 @@
+#!/usr/bin/env node
+/**
+ * vaultys-mcp-grant — Sign a custom policy for the MCP agent.
+ *
+ * Usage:
+ *   vaultys-mcp-grant                                              # default policy, 1 year
+ *   vaultys-mcp-grant --policy custom.json --hours 2               # custom policy, 2 hours
+ *   vaultys-mcp-grant --workspace /my/project --hours 48           # custom workspace
+ */
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { ensureConfigDir, configPath, loadOrCreateIdentity, } from "../src/autoInit.js";
+import { ExecutionManager } from "@vaultys/id";
+// ── Parse args ──
+const args = process.argv.slice(2);
+function getArg(name, defaultValue) {
+    const idx = args.indexOf(`--${name}`);
+    if (idx !== -1 && args[idx + 1])
+        return args[idx + 1];
+    return defaultValue;
+}
+const policyFile = getArg("policy", "");
+const hours = parseInt(getArg("hours", String(24 * 365)), 10);
+const workspaceRoot = path.resolve(getArg("workspace", process.cwd()));
+async function main() {
+    console.log("╔══════════════════════════════════════════════════╗");
+    console.log("║  VaultysID MCP Agent — Grant Policy             ║");
+    console.log("╚══════════════════════════════════════════════════╝");
+    console.log();
+    ensureConfigDir();
+    // 1. Load or create authority
+    const { idm: authorityIdm, created } = await loadOrCreateIdentity(configPath("authority.secret.json"));
+    if (created) {
+        console.log(`✓ Generated authority identity: ${authorityIdm.vaultysId.did}`);
+    }
+    else {
+        console.log(`✓ Loaded authority identity: ${authorityIdm.vaultysId.did}`);
+    }
+    // Export public identity
+    const vid = authorityIdm.vaultysId;
+    fs.writeFileSync(configPath("authority.identity.json"), JSON.stringify({
+        did: vid.did,
+        id: Buffer.from(vid.id).toString("base64"),
+        fingerprint: vid.fingerprint,
+    }, null, 2));
+    // 2. Load policy template
+    let policyTemplate;
+    if (policyFile && fs.existsSync(policyFile)) {
+        policyTemplate = JSON.parse(fs.readFileSync(policyFile, "utf-8"));
+        console.log(`✓ Loaded custom policy: ${policyFile}`);
+    }
+    else {
+        // Use built-in default
+        policyTemplate = {
+            version: "1.0",
+            scopes: {
+                "fs.read": ["{{WORKSPACE}}/**"],
+                "fs.write": ["{{WORKSPACE}}/**"],
+                "fs.list": ["{{WORKSPACE}}/**"],
+                "proc.exec": ["ls", "cat", "echo", "wc", "head", "tail", "grep", "find", "pwd", "date", "whoami"],
+                "net.egress.http": ["*"],
+            },
+            denied: ["secrets.*", "pkg.system", "proc.privilege"],
+            constraints: {
+                max_runtime: 300,
+                no_shell_features: true,
+            },
+        };
+        console.log("✓ Using default policy template");
+    }
+    // 3. Substitute {{WORKSPACE}} placeholder
+    if (policyTemplate.scopes && typeof policyTemplate.scopes === "object") {
+        const scopes = policyTemplate.scopes;
+        for (const [key, patterns] of Object.entries(scopes)) {
+            if (Array.isArray(patterns)) {
+                scopes[key] = patterns.map((p) => p.replace(/\{\{WORKSPACE\}\}/g, workspaceRoot));
+            }
+        }
+    }
+    // 4. Add time bounds
+    const now = Date.now();
+    const policy = {
+        ...policyTemplate,
+        not_before: now,
+        not_after: now + hours * 3600_000,
+    };
+    console.log(`  Workspace: ${workspaceRoot}`);
+    console.log(`  Valid from: ${new Date(now).toISOString()}`);
+    console.log(`  Expires:    ${new Date(now + hours * 3600_000).toISOString()}`);
+    console.log(`  Duration:   ${hours} hours`);
+    // 5. Sign
+    const em = new ExecutionManager(authorityIdm);
+    const signed = await em.signPolicy(policy);
+    // 6. Persist
+    const serializable = {
+        ...signed,
+        signature: signed.signature
+            ? Buffer.from(signed.signature).toString("base64")
+            : undefined,
+    };
+    fs.writeFileSync(configPath("policy.signed.json"), JSON.stringify(serializable, null, 2));
+    console.log();
+    console.log(`✓ Signed policy saved to: ${configPath("policy.signed.json")}`);
+    console.log();
+    console.log("Run 'npx @vaultys/mcp-agent' to start the server with this policy.");
+}
+main().catch((err) => {
+    console.error("Error:", err);
+    process.exit(1);
+});

package/dist/bin/init.d.ts

@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+/**
+ * vaultys-mcp-init — Interactive configuration for the MCP agent.
+ *
+ * Creates or updates configuration in ~/.vaultys-mcp/:
+ *   - Server identity (auto-generated if missing)
+ *   - Authority identity (auto-generated if missing)
+ *   - Signed policy (customizable)
+ *
+ * Usage:
+ *   npx @vaultys/mcp-agent init            # interactive setup
+ *   vaultys-mcp-init --hours 48            # 48-hour policy
+ *   vaultys-mcp-init --workspace /my/dir   # custom workspace root
+ */
+export {};

package/dist/bin/init.js

@@ -0,0 +1,77 @@
+#!/usr/bin/env node
+/**
+ * vaultys-mcp-init — Interactive configuration for the MCP agent.
+ *
+ * Creates or updates configuration in ~/.vaultys-mcp/:
+ *   - Server identity (auto-generated if missing)
+ *   - Authority identity (auto-generated if missing)
+ *   - Signed policy (customizable)
+ *
+ * Usage:
+ *   npx @vaultys/mcp-agent init            # interactive setup
+ *   vaultys-mcp-init --hours 48            # 48-hour policy
+ *   vaultys-mcp-init --workspace /my/dir   # custom workspace root
+ */
+import * as path from "node:path";
+import { ensureConfigDir, loadOrCreateIdentity, configPath, signAndPersistPolicy, } from "../src/autoInit.js";
+// ── Parse args ──
+const args = process.argv.slice(2);
+function getArg(name, defaultValue) {
+    const idx = args.indexOf(`--${name}`);
+    if (idx !== -1 && args[idx + 1])
+        return args[idx + 1];
+    return defaultValue;
+}
+const hours = parseInt(getArg("hours", String(24 * 365)), 10);
+const workspaceRoot = path.resolve(getArg("workspace", process.cwd()));
+async function main() {
+    console.log("╔══════════════════════════════════════════════════╗");
+    console.log("║  VaultysID MCP Agent — Setup                    ║");
+    console.log("╚══════════════════════════════════════════════════╝");
+    console.log();
+    const dir = ensureConfigDir();
+    console.log(`Config directory: ${dir}`);
+    console.log();
+    // 1. Server identity
+    const { idm: serverIdm, created: serverCreated } = await loadOrCreateIdentity(configPath("server.identity.json"));
+    if (serverCreated) {
+        console.log(`✓ Generated server identity: ${serverIdm.vaultysId.did}`);
+    }
+    else {
+        console.log(`✓ Server identity exists: ${serverIdm.vaultysId.did}`);
+    }
+    // 2. Authority + Policy
+    const { signedPolicy, authorityIdm } = await signAndPersistPolicy(workspaceRoot, hours);
+    console.log(`✓ Authority DID: ${authorityIdm.vaultysId.did}`);
+    console.log(`✓ Policy signed (${hours} hours validity)`);
+    console.log(`  Workspace: ${workspaceRoot}`);
+    if (signedPolicy.not_before) {
+        console.log(`  Valid from: ${new Date(signedPolicy.not_before).toISOString()}`);
+    }
+    if (signedPolicy.not_after) {
+        console.log(`  Expires:    ${new Date(signedPolicy.not_after).toISOString()}`);
+    }
+    console.log();
+    console.log("┌──────────────────────────────────────────────────┐");
+    console.log("│  Setup complete!                                 │");
+    console.log("├──────────────────────────────────────────────────┤");
+    console.log("│                                                  │");
+    console.log("│  Add to Claude Desktop config:                   │");
+    console.log("│                                                  │");
+    console.log('│  "mcpServers": {                                 │');
+    console.log('│    "vaultys-agent": {                            │');
+    console.log('│      "command": "npx",                           │');
+    console.log('│      "args": ["@vaultys/mcp-agent"]              │');
+    console.log("│    }                                             │");
+    console.log("│  }                                               │");
+    console.log("│                                                  │");
+    console.log("│  Config file location (macOS):                   │");
+    console.log("│  ~/Library/Application Support/Claude/           │");
+    console.log("│    claude_desktop_config.json                    │");
+    console.log("│                                                  │");
+    console.log("└──────────────────────────────────────────────────┘");
+}
+main().catch((err) => {
+    console.error("Error:", err);
+    process.exit(1);
+});

package/dist/bin/server.d.ts

@@ -0,0 +1,9 @@
+#!/usr/bin/env node
+/**
+ * vaultys-mcp-agent — Start the policy-enforced MCP server.
+ *
+ * Usage:
+ *   npx @vaultys/mcp-agent                           # zero-config, uses cwd
+ *   WORKSPACE_ROOT=/my/project npx @vaultys/mcp-agent # custom workspace
+ */
+import "../src/server.js";

package/dist/bin/server.js

@@ -0,0 +1,9 @@
+#!/usr/bin/env node
+/**
+ * vaultys-mcp-agent — Start the policy-enforced MCP server.
+ *
+ * Usage:
+ *   npx @vaultys/mcp-agent                           # zero-config, uses cwd
+ *   WORKSPACE_ROOT=/my/project npx @vaultys/mcp-agent # custom workspace
+ */
+import "../src/server.js";

package/dist/grant-policy.d.ts

@@ -0,0 +1,16 @@
+#!/usr/bin/env node
+/**
+ * Grant Policy CLI
+ *
+ * Creates an authority identity and signs a policy bundle.
+ * Outputs:
+ *   - policy.signed.json       — the signed policy (loaded by the MCP server)
+ *   - authority.identity.json  — the authority's public key (for verification)
+ *   - authority.secret.json    — the authority's full identity (keep safe!)
+ *
+ * Usage:
+ *   pnpm grant-policy                          # uses policy.example.json, 24h validity
+ *   pnpm grant-policy -- --policy custom.json  # custom policy file
+ *   pnpm grant-policy -- --hours 2             # 2-hour validity window
+ */
+export {};