pando-ai 0.2.5 → 0.2.6

package/README.md

@@ -38,8 +38,10 @@ Two choke points, one ruleset:
 
 - **Launch shim** (`~/.pando/bin` ahead of the real tools on PATH) — supervises
   every `codex`/`claude` invocation. It disables the agent's native tools where
-  supported, installs the Pando MCP server (root-scoped to your project), and
-  applies the MCP allow/deny policy via the agent's own launch flags.
+  supported, dynamically injects the Pando MCP server (root-scoped to your
+  project), and applies the MCP allow/deny policy via the agent's own launch
+  flags. Pando does not permanently add itself to the user's MCP config files by
+  default; supervised launches pass generated config on each run.
 - **Wire gateway** (a local reverse proxy speaking the OpenAI Responses API and
   Anthropic Messages API) — sits inline on every supported request and forwards
   it to the upstream you control, so traffic stays local. It blocks off-policy
@@ -74,7 +76,7 @@ Legacy completion APIs, including OpenAI chat/completions and Anthropic
 | Capability | Claude Code | Codex |
 | --- | --- | --- |
 | Disable native tools | ✅ `--tools ""` (MCP stays available) + gateway/hook block | ⚠️ read-only sandbox + web search disabled + request/response gateway block |
-| Install Pando MCP, root-scoped | ✅ `--mcp-config` | ✅ required `-c mcp_servers.pando.*` |
+| Install Pando MCP, root-scoped | ✅ dynamic `--mcp-config` + `--strict-mcp-config` | ✅ dynamic required `-c mcp_servers.pando.*` |
 | `other_mcp: deny_all` | ✅ `--strict-mcp-config` (Pando only) + gateway/hook block | ✅ request/response gateway block |
 | `other_mcp: allow_list` | ✅ strict config with Pando + named servers + gateway/hook block | ✅ request/response gateway block |
 | `other_mcp: deny_list` | ✅ `--disallowedTools` removes denied names + gateway/hook block | ✅ request/response gateway block |
@@ -182,11 +184,11 @@ provider-bound gateway enforcement is disabled.
 ## Surfaces
 
 ```bash
-pando-ai                 # firewall console (TTY): status, install, uninstall
+pando-ai                 # firewall console: status, install, uninstall
 pando-ai install         # force a (re)install pass
 pando-ai uninstall       # remove Pando shims, managed PATH block, install state, and global npm install when detected
 pando-ai serve [path]    # stdio MCP server for MCP clients
-pando-ai serve-http      # HTTP MCP server
+pando-ai serve-http      # explicit HTTP MCP server for debugging/integrations
 pando-ai gateway         # run the firewall gateway in the foreground (debug)
 pando-ai proxy status|enable|disable [codex|claude]
 pando-ai login|logout|whoami
@@ -215,14 +217,30 @@ to remove in that case.
 
 ## MCP serve mode
 
-When invoked without a TTY (e.g. spawned by an MCP client) `pando-ai` starts the
-engine over stdio for the given path, or the current working directory, exactly
-as before. `pando-ai config set telemetry false` disables usage telemetry.
+MCP mode is explicit. Bare `pando-ai` always opens the firewall console; it does
+not become an MCP server just because stdin/stdout are non-interactive.
+
+Use stdio MCP for agents:
+
+```bash
+pando-ai serve /path/to/project
+```
+
+`serve-http` remains available as an explicit command for debugging or
+integrations that need HTTP:
+
+```bash
+pando-ai serve-http /path/to/project --host 127.0.0.1 --port 5888
+```
+
+`pando-ai config set telemetry false` disables usage telemetry.
 
 ## Transport behavior
 
-- MCP runs over stdio only.
-- The CLI redirects incidental runtime logs to stderr so stdout stays valid JSON-RPC/MCP traffic.
+- MCP does not run by default. Agents should use `pando-ai serve`.
+- HTTP MCP does not run by default. It only starts through explicit
+  `pando-ai serve-http`.
+- The CLI redirects incidental runtime logs to stderr so stdout stays valid JSON-RPC/MCP traffic in stdio mode.
 
 ## Agent setup