feat: rename @agentkey/mcp → @agentkey/cli in install scripts and docs

.claude/CLAUDE.md

@@ -9,7 +9,7 @@ AgentKey Skill ships the agent-side half of AgentKey: a single skill that teache
 AgentKey has **two pieces** and a full end-user install is two commands:
 
 1. `npx skills add chainbase-labs/agentkey` — installs **this** skill. It does NOT register the MCP server.
-2. `npx -y @agentkey/mcp --auth-login` — registers the MCP server (`@agentkey/mcp` from `../AgentKey-Server/mcp-server`) and writes the API key into Claude Code, Claude Desktop, and Cursor configs.
+2. `npx -y @agentkey/cli --auth-login` — runs the AgentKey CLI (`@agentkey/cli` from `../AgentKey-Server/cli`). It mints an API key via device-code login and writes a remote-HTTP MCP block (pointing at `https://api.agentkey.app/v1/mcp`) into Claude Code, Claude Desktop, and Cursor configs. The hosted MCP server itself lives at `/v1/mcp` on AgentKey-Server.
 
 The skill is useless without the MCP server; the MCP server works without the skill but the agent won't know to prefer it over built-in web search. Keep this mental model when editing docs — do not let either command drift into claiming it does both.
 
@@ -65,16 +65,16 @@ Releases are driven by [release-please](https://github.com/googleapis/release-pl
 
 **Changes to `.mcp.json`:**
 - Ensure env var name matches `plugin.json` userConfig key via `CLAUDE_PLUGIN_OPTION_` prefix
-- Only matters for the Claude Code plugin path; the Skills-CLI path writes MCP config through `npx @agentkey/mcp --auth-login`
+- Only matters for the Claude Code plugin path; the Skills-CLI path writes MCP config through `npx @agentkey/cli --auth-login`
 
 **Changes to install/uninstall docs:**
 - Update both `README.md` and `docs/README_zh.md` together — they mirror each other
-- The canonical install is always the two-command sequence (`npx skills add …` + `npx -y @agentkey/mcp --auth-login`). Don't imply either command does both.
+- The canonical install is always the two-command sequence (`npx skills add …` + `npx -y @agentkey/cli --auth-login`). Don't imply either command does both.
 - Do **not** re-add OpenClaw / per-agent installers without a new design — historical context is in git history (removed in chore/remove-archive-directory)
 
 ## Architecture Constraints
 
-- Setup mode in SKILL.md runs `! npx -y @agentkey/mcp --auth-login` to authenticate via browser — same command as step 2 of the public install
-- `@agentkey/mcp --auth-login` auto-writes configs for Claude Code, Claude Desktop (mac/win), and Cursor only. Other agents need a manual JSON paste — SKILL.md's "Fallback" section covers this; keep it up to date with any new auto-targets added server-side
-- `.mcp.json` auto-registers the MCP server in Claude Code plugin mode; API key flows from plugin userConfig → `CLAUDE_PLUGIN_OPTION_AGENTKEY_API_KEY` env var (read in `../AgentKey-Server/mcp-server/src/index.ts`)
+- Setup mode in SKILL.md runs `! npx -y @agentkey/cli --auth-login` to authenticate via browser — same command as step 2 of the public install
+- `@agentkey/cli --auth-login` auto-writes configs for Claude Code, Claude Desktop (mac/win), and Cursor only. Other agents need a manual JSON paste — SKILL.md's "Fallback" section covers this; keep it up to date with any new auto-targets added server-side
+- `.mcp.json` registers the remote-HTTP MCP endpoint (`https://api.agentkey.app/v1/mcp`) in Claude Code plugin mode; API key flows from plugin userConfig → `Authorization: Bearer <key>` header (no stdio binary is launched)
 - `README.md` / `docs/README_zh.md` are the public-facing docs; keep them in sync with any structural changes

README.md

@@ -146,7 +146,7 @@ Just top up. No auto-renewal, no hidden charges.
 
 There are two pieces and they update differently:
 
-- **MCP server** (`@agentkey/mcp` npm package): always up to date. Your MCP config runs it as `npx -y @agentkey/mcp`, which re-resolves to the latest published version every time your agent restarts. You never have to touch this.
+- **MCP server**: the real server is hosted at `https://api.agentkey.app/v1/mcp`, so it's always up to date — no local upgrade step. The `@agentkey/cli` package (run as `npx -y @agentkey/cli --auth-login`) only writes the remote-HTTP MCP config into each AI client and never has to be re-run unless you want to rotate your key.
 
 - **Skill files** (`SKILL.md` + helpers): how this updates depends on your client.
 
@@ -187,7 +187,7 @@ npx skills add chainbase-labs/agentkey@v1.0.0
 
 Note: `npx skills update` writes to `~/.agents/skills/agentkey` and `~/.claude/skills/agentkey`, which is where Claude Code reads from. **Claude Desktop reads from its own sandbox path** and is not touched by `npx skills update` — use the Desktop bootstrap command above for Desktop.
 
-Re-run `npx -y @agentkey/mcp --auth-login` only when you want to rotate your API key.
+Re-run `npx -y @agentkey/cli --auth-login` only when you want to rotate your API key.
 
 </details>
 
@@ -299,7 +299,7 @@ PowerShell equivalents: `-Yes`, `-ListAgents`, `-Only`, `-AllAgents`, `-SkipMcp`
 npx skills add chainbase-labs/agentkey
 
 # 2. Authenticate and register the MCP server
-npx -y @agentkey/mcp --auth-login
+npx -y @agentkey/cli --auth-login
 ```
 
 </details>
@@ -327,7 +327,7 @@ curl -fsSL https://agentkey.app/install.sh | bash -s -- --local
 
 PowerShell: `-Remote` / `-Local`.
 
-If you'd rather skip the URL/QR flow entirely and type a key manually, `npx -y @agentkey/mcp --setup` opens an interactive wizard that asks for the key and lets you pick which MCP clients to write to.
+If you'd rather skip the URL/QR flow entirely and type a key manually, `npx -y @agentkey/cli --setup` opens an interactive wizard that asks for the key and lets you pick which MCP clients to write to.
 
 </details>
 
@@ -340,9 +340,9 @@ MCP auto-configuration covers **Claude Code**, **Claude Desktop**, and **Cursor*
 {
   "mcpServers": {
     "agentkey": {
-      "command": "npx",
-      "args": ["-y", "@agentkey/mcp"],
-      "env": { "AGENTKEY_API_KEY": "ak_..." }
+      "type": "http",
+      "url": "https://api.agentkey.app/v1/mcp",
+      "headers": { "Authorization": "Bearer ak_..." }
     }
   }
 }
@@ -365,12 +365,12 @@ cd agentkey
 npx skills add .
 
 # 2. Register the MCP server (if you haven't already)
-npx -y @agentkey/mcp --auth-login
+npx -y @agentkey/cli --auth-login
 ```
 
 `npx skills add .` accepts a local path (or a `file://` URL) — run it again after each edit to `skills/agentkey/SKILL.md`. The MCP step only needs to run once per machine.
 
-**Iterating on the MCP server itself?** Point the MCP config's `command` at `node /path/to/AgentKey-Server/mcp-server/dist/index.js`, then `pnpm --filter @agentkey/mcp build` in the server repo between iterations.
+**Iterating on the MCP server itself?** The server lives at `AgentKey-Server/` (Go) and exposes the MCP endpoint at `/v1/mcp`. Run a local server (`make run`) and point your MCP config at `http://localhost:8081/v1/mcp` to test changes end-to-end.
 
 **Claude Code plugin mode** — add the repo as a local marketplace:
 

SECURITY.md

@@ -47,15 +47,15 @@ The skill ships two helper scripts that the agent invokes:
 | `~/.config/agentkey/auto-upgrade` | written by the agent on user's "Always keep me up to date" choice; read by Step 0 to skip the prompt | Persistent auto-upgrade opt-in |
 | `~/.config/agentkey/update-snoozed` | written by the agent on user's "Not now" choice; read by `check-update.sh` to suppress reminders | Snooze state (`<version> <level> <epoch>`) |
 | `~/.config/agentkey/update-disabled` | written by the agent on user's "Never ask again" choice; read by `check-update.sh` to exit silently | Permanent disable for update checks |
-| `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) / `%APPDATA%/Claude/...` (Windows) | written by the separate `npx -y @agentkey/mcp --auth-login` command, **not** by the skill | MCP registration |
+| `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) / `%APPDATA%/Claude/...` (Windows) | written by the separate `npx -y @agentkey/cli --auth-login` command, **not** by the skill | MCP registration |
 | `~/.cursor/mcp.json` | written by `--auth-login`, **not** by the skill | MCP registration |
 
 ### Network egress from the skill
 
 | Destination | When | Why |
 |---|---|---|
 | `api.github.com` | At most every 24 hours | Look up the latest release tag |
-| npm registry | When the user first runs `npx -y @agentkey/mcp` | Resolve and run the MCP server |
+| npm registry | When the user first runs `npx -y @agentkey/cli --auth-login` | Resolve and run the AgentKey CLI |
 
 ### Credential handling
 
@@ -66,7 +66,7 @@ The skill ships two helper scripts that the agent invokes:
 ### Supply chain
 
 - Releases are cut by [release-please](https://github.com/googleapis/release-please) from merged Conventional-Commit PRs on `main` — no manual artifact uploads, no manual tag pushes.
-- The companion `@agentkey/mcp` npm package is published from the same organization. Users invoke it via `npx -y @agentkey/mcp`, which resolves to the latest published version at runtime — this is the same threat model as any other `npx`-launched CLI.
+- The companion `@agentkey/cli` npm package is published from the same organization. Users invoke it via `npx -y @agentkey/cli`, which resolves to the latest published version at runtime — this is the same threat model as any other `npx`-launched CLI.
 - Future work: SLSA provenance attestation via GitHub OIDC + sigstore; signed npm provenance.
 
 ## Scanner false-positive notes

docs/README_zh.md

@@ -146,7 +146,7 @@ Claude 与 ChatGPT 的原生联网与平台覆盖有限，往往触达不到推
 
 AgentKey 有两部分，更新方式不同：
 
-- **MCP server**（npm 包 `@agentkey/mcp`）：永远自动最新。你的 MCP 配置写的是 `npx -y @agentkey/mcp`，每次 Agent 重启都会重新解析到最新发布版。这部分完全不用你管。
+- **MCP server**：真正的服务端在 `https://api.agentkey.app/v1/mcp`，永远自动最新，不需要本地升级。`@agentkey/cli` 包（`npx -y @agentkey/cli --auth-login`）只负责把远程 HTTP MCP 配置写入各个 AI client，除非要换 API Key，否则不用再跑。
 
 - **Skill 文件**（`SKILL.md` 加辅助脚本）：升级方式取决于你用的 client。
 
@@ -187,7 +187,7 @@ npx skills add chainbase-labs/agentkey@v1.0.0
 
 注意：`npx skills update` 只写 `~/.agents/skills/agentkey` 和 `~/.claude/skills/agentkey` 这两个目录，是 Claude Code 读取的位置。**Claude Desktop 读的是自己的 sandbox 路径**，`npx skills update` 碰不到——Desktop 升级要用上面的破冰命令。
 
-只有在需要换 API Key 时才需要再跑一次 `npx -y @agentkey/mcp --auth-login`。
+只有在需要换 API Key 时才需要再跑一次 `npx -y @agentkey/cli --auth-login`。
 
 </details>
 
@@ -299,7 +299,7 @@ PowerShell 对应参数：`-Yes`、`-ListAgents`、`-Only`、`-AllAgents`、`-Sk
 npx skills add chainbase-labs/agentkey
 
 # 2. 浏览器授权并注册 MCP Server
-npx -y @agentkey/mcp --auth-login
+npx -y @agentkey/cli --auth-login
 ```
 
 </details>
@@ -327,7 +327,7 @@ curl -fsSL https://agentkey.app/install.sh | bash -s -- --local
 
 PowerShell：`-Remote` / `-Local`。
 
-如果完全不想走 URL/二维码流程、想自己手动粘 Key，可以用 `npx -y @agentkey/mcp --setup` —— 交互式向导，问你要 Key 并让你勾选要写入的 MCP 客户端。
+如果完全不想走 URL/二维码流程、想自己手动粘 Key，可以用 `npx -y @agentkey/cli --setup` —— 交互式向导，问你要 Key 并让你勾选要写入的 MCP 客户端。
 
 </details>
 
@@ -340,9 +340,9 @@ MCP 自动配置覆盖 **Claude Code**、**Claude Desktop**、**Cursor**。如
 {
   "mcpServers": {
     "agentkey": {
-      "command": "npx",
-      "args": ["-y", "@agentkey/mcp"],
-      "env": { "AGENTKEY_API_KEY": "ak_..." }
+      "type": "http",
+      "url": "https://api.agentkey.app/v1/mcp",
+      "headers": { "Authorization": "Bearer ak_..." }
     }
   }
 }
@@ -365,12 +365,12 @@ cd agentkey
 npx skills add .
 
 # 2. 注册 MCP Server（只需一次）
-npx -y @agentkey/mcp --auth-login
+npx -y @agentkey/cli --auth-login
 ```
 
 `npx skills add .` 支持本地路径（也支持 `file://` URL），改完 `skills/agentkey/SKILL.md` 再跑一次就能立刻生效，是日常迭代最快的路径。MCP 注册步骤每台机器只需一次。
 
-**想改 MCP Server 本身？** 在 MCP 配置里把 `command` 换成 `node /path/to/AgentKey-Server/mcp-server/dist/index.js`，然后在 server 仓库里 `pnpm --filter @agentkey/mcp build`，就能在本地验证改动。
+**想改 MCP Server 本身？** MCP server 在 `AgentKey-Server/`（Go），端点是 `/v1/mcp`。本地起服务（`make run`），把 MCP 配置指向 `http://localhost:8081/v1/mcp` 就能端到端验证。
 
 **Claude Code 插件模式** —— 把仓库当成本地 marketplace 安装：
 

docs/SERVER-IMPLEMENTATION.md

@@ -1,6 +1,6 @@
 # Server Implementation Guide — `agentkey_skill_meta`
 
-Implementation handoff for the `@agentkey/mcp` MCP server. Tells the server maintainer exactly what to build so the cross-client skill-update path (Claude Desktop, Cursor, etc.) works.
+Implementation handoff for AgentKey-Server's hosted MCP endpoint (`/v1/mcp`). Tells the server maintainer exactly what to build so the cross-client skill-update path (Claude Desktop, Cursor, etc.) works.
 
 **Authoritative spec**: [protocol/skill-meta-v1.md](../protocol/skill-meta-v1.md). This doc is implementation guidance, not protocol; if it conflicts with the spec, the spec wins.
 
@@ -90,7 +90,7 @@ async function fetchFromGitHub(prevEtag?: string): Promise<Cache | null> {
     "https://api.github.com/repos/chainbase-labs/agentkey/releases/latest",
     {
       headers: {
-        "User-Agent": "@agentkey/mcp",
+        "User-Agent": "AgentKey-Server",
         ...(prevEtag ? { "If-None-Match": prevEtag } : {}),
       },
       signal: AbortSignal.timeout(3000),
@@ -230,7 +230,7 @@ export async function handleSkillMeta() {
 Add a CI workflow on the server side that diffs the vendored schema against this repo's authoritative copy:
 
 ```yaml
-# .github/workflows/protocol-drift.yml (in @agentkey/mcp repo)
+# .github/workflows/protocol-drift.yml (in AgentKey-Server repo)
 on:
   pull_request:
   schedule: [{cron: '0 12 * * 1'}]
@@ -285,9 +285,9 @@ Honor the env var `AGENTKEY_NO_VERSION_BEACON=1`: tool stays registered (so the
 
 ## Release coordination with this repo
 
-1. Implement and merge in `@agentkey/mcp`
-2. `npm publish` a new version
-3. (Verify) Any user with `npx -y @agentkey/mcp` in their config will pick it up on next agent restart automatically
+1. Implement and merge in AgentKey-Server
+2. Deploy to production (hosted MCP endpoint at `https://api.agentkey.app/v1/mcp`)
+3. (Verify) Any user whose MCP config points at `/v1/mcp` picks it up on next agent restart automatically — no client-side upgrade required
 4. In this repo, a new skill release (`v1.4.0`) ships the SKILL.md rule that reads the metadata tool
 5. Existing skill versions (≤1.3.x) silently ignore the new tool — no regression; they continue to use the inline bash path on Claude Code and have no upgrade path on Desktop (status quo)
 6. New skill versions (≥1.4.0) work everywhere

protocol/skill-meta-v1.md

@@ -1,6 +1,6 @@
 # AgentKey Skill-Meta Protocol v1
 
-Contract between **`@agentkey/mcp`** (server, npm package) and **`chainbase-labs/agentkey`** (this skill repo). The server publishes the skill's latest version + client-specific upgrade instructions via a dedicated MCP tool; the skill (via the agent) reads it and tells the user how to upgrade.
+Contract between **AgentKey-Server** (the hosted MCP server at `/v1/mcp`) and **`chainbase-labs/agentkey`** (this skill repo). The server publishes the skill's latest version + client-specific upgrade instructions via a dedicated MCP tool; the skill (via the agent) reads it and tells the user how to upgrade.
 
 This protocol exists because some MCP clients — notably Claude Desktop — cannot execute the inline `bash` block in `SKILL.md` Step 0, so the in-skill update-check path silently fails there. Routing the check through the always-on MCP server makes upgrades discoverable on every client.
 
@@ -171,4 +171,4 @@ The server's own CI MUST validate every `SkillMetaResponse` it emits against thi
 - [example-response-claude-code.json](./example-response-claude-code.json) — fixture for Code client
 - [example-response-unknown-client.json](./example-response-unknown-client.json) — fixture for unrecognized client
 - [example-response-offline.json](./example-response-offline.json) — fixture for the server-offline / rate-limited failure mode
-- [docs/SERVER-IMPLEMENTATION.md](../docs/SERVER-IMPLEMENTATION.md) — implementation guide for `@agentkey/mcp` maintainers
+- [docs/SERVER-IMPLEMENTATION.md](../docs/SERVER-IMPLEMENTATION.md) — implementation guide for AgentKey-Server maintainers

scripts/install.ps1

@@ -11,7 +11,7 @@
 
     Behavior mirrors install.sh: checks Node >= 18 (installs via winget/scoop/choco),
     auto-detects which AI agents are installed and runs `npx skills add` for them,
-    then `npx @agentkey/mcp --auth-login` for device auth. The auth step opens a
+    then `npx @agentkey/cli --auth-login` for device auth. The auth step opens a
     local browser by default; under SSH / Docker / OpenClaw it switches to a
     QR + URL flow that the user scans on a phone (`--no-browser` server-side flag).
     MCP config is written automatically for Claude Code / Claude Desktop / Cursor.
@@ -35,7 +35,7 @@ param(
 
 $ErrorActionPreference = 'Stop'
 $SkillRepo   = 'chainbase-labs/agentkey'
-$McpPackage  = '@agentkey/mcp'
+$CliPackage  = '@agentkey/cli'
 $NodeMinMajor = 18
 
 # ── Agent markers (mirror of install.sh) ──────────────────────────────────
@@ -378,7 +378,7 @@ if ($SkipMcp) {
     # Telemetry context for install_completed. Opt-out is honored at the
     # SOURCE: when AGENTKEY_TELEMETRY=0, no other context env vars are
     # exported — hostname-derived fingerprint, agent lists, and installer
-    # flags are never computed nor passed to the child `npx @agentkey/mcp`
+    # flags are never computed nor passed to the child `npx @agentkey/cli`
     # process. The server treats AGENTKEY_TELEMETRY=0 as a hard skip.
     if ($NoTelemetry -or (Test-Path -LiteralPath $TelemetryOptOutFile)) {
         $env:AGENTKEY_TELEMETRY = '0'
@@ -403,10 +403,10 @@ if ($SkipMcp) {
         $env:AGENTKEY_DEVICE_FINGERPRINT = $DeviceFingerprint
     }
 
-    & npx -y $McpPackage @authArgs
+    & npx -y $CliPackage @authArgs
     if ($LASTEXITCODE -ne 0) {
         Write-Err 'MCP auth failed.'
-        Write-Muted "Retry manually:  npx -y $McpPackage $($authArgs -join ' ')"
+        Write-Muted "Retry manually:  npx -y $CliPackage $($authArgs -join ' ')"
         exit 1
     }
     Write-Ok 'MCP server registered'