v0.22.6-0ba4f5e5

Install & Verify

Pinned versions, checksums, and signature keys to verify the Wundervault MCP server and onboarding script. All values are computed live from the current build. For setup, reinstall, uninstall, and troubleshooting, see For Agents.


MCP Server — npm Package

Install the pinned version directly from npm:

npm install @wundervault/[email protected]

Verify the package integrity after install:

npm view @wundervault/[email protected] dist.integrity

The integrity hash uses the npm standard (sha512, base64-encoded). Compare it against what npm reports locally after install — a mismatch means the package was tampered with in transit.
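
An independent way to check the sha512 integrity value described above, as an added example that is not Wundervault's or npm's own code: it recomputes the digest over a locally saved package tarball (for instance one fetched with npm pack) and compares it with the dist.integrity string. The file name check_sri.py and the policy of rejecting strings that carry no sha512 entry are assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac
import sys

REQUIRED_ALGO = "sha512"  # the algorithm this page says the integrity value uses


def parse_sri(integrity):
    """Split an SRI string ("algo-base64 [algo-base64 ...]") into {algo: digest}."""
    entries = {}
    for token in integrity.split():
        algo, sep, b64 = token.partition("-")
        b64 = b64.split("?", 1)[0]  # SRI permits "?options" after the digest
        if not sep or not b64:
            raise ValueError(f"malformed integrity entry: {token!r}")
        try:
            entries[algo.lower()] = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad base64 in entry: {token!r}") from exc
    return entries


def verify_sri(data, integrity):
    """Return True only if a sha512 entry is present and matches the bytes."""
    expected = parse_sri(integrity).get(REQUIRED_ALGO)
    if expected is None:
        # Assumed policy: refuse weaker-only strings (e.g. sha1) rather than
        # silently accepting a downgraded hash.
        return False
    actual = hashlib.sha512(data).digest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Usage (hypothetical file name): python3 check_sri.py package.tgz "sha512-..."
    tarball_path, expected_integrity = sys.argv[1], sys.argv[2]
    with open(tarball_path, "rb") as fh:
        ok = verify_sri(fh.read(), expected_integrity)
    print("integrity match" if ok else "integrity MISMATCH: do not install")
    sys.exit(0 if ok else 1)
```

The non-zero exit status on mismatch lets an install script or agent stop before the package is used.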


Onboarding Script

The onboarding script is served at wundervault.com/onboard. Download it first — pipe mode (curl ... | python3) is hard-blocked by the script, which detects it and exits immediately.

curl -fsSL https://wundervault.com/onboard -o /tmp/wv-onboard.py

SHA-256 Checksum

Current checksum of the onboarding script (computed live):

8a895a22decbb2701af7c05ac321184f3691b88e5dee0f64904cad0b652a0026  wv-onboard.py

Verify locally after downloading:

sha256sum /tmp/wv-onboard.py

Ed25519 Signature

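The script also carries an Ed25519 signature, available at wundervault.com/onboard.sig. The script verifies this automatically on startup; if the signature check fails, it aborts before doing anything. A modified script could simply omit that self-check, so the independent verification below is what establishes that the file is authentic.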

Public key for independent verification:

3yhfVM5ABcBHPGSuZSQuIxr0C9QkHnFKoGMWwcWpooY=

Verify manually with Python:

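python3 - <<'EOF'
# Verify the Ed25519 signature of the downloaded onboarding script.
# Expects the signature from wundervault.com/onboard.sig saved as /tmp/wv-onboard.py.sig.
import base64, pathlib, sys
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
from cryptography.exceptions import InvalidSignature

pubkey_b64 = "3yhfVM5ABcBHPGSuZSQuIxr0C9QkHnFKoGMWwcWpooY="
script = pathlib.Path("/tmp/wv-onboard.py").read_bytes()
sig_b64  = pathlib.Path("/tmp/wv-onboard.py.sig").read_text().strip()

pub = Ed25519PublicKey.from_public_bytes(base64.b64decode(pubkey_b64))
try:
    # verify() returns None on success and raises InvalidSignature otherwise
    pub.verify(base64.b64decode(sig_b64), script)
    print("✅ Signature valid")
except InvalidSignature:
    print("❌ Signature invalid — do not run this script")
    sys.exit(1)  # non-zero exit so calling scripts and agents can stop here
EOF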

The cryptography package is required: pip install cryptography


Trusted Environment

  • Run setup only on a machine you control — the onboarding script writes a token file to ~/.wundervault/agents/
  • Do not run on shared or ephemeral machines where the home directory may be accessible to others
  • If a machine becomes untrusted, revoke the agent from Settings → Agents in the dashboard — this immediately invalidates its token