feat: support AGENTA_SIGNER env var in MCP server for local signer config #3

@PancheI

Problem

The MCP server currently requires AGENTA_API_KEY and AGENTA_API_SECRET as env vars in the MCP client config (e.g. Claude Desktop, Cursor). This means the base64-encoded signer share sits in plaintext in the config JSON file — visible on disk and potentially in AI conversation logs.

This undermines the security model of MPC threshold signing, where the whole point is that no single party should have easy access to a share.

Solution

Add support for AGENTA_SIGNER env var. When set, the MCP server loads credentials from ~/.agenta/signers/{name}.json (created by agenta init), the same way the CLI already works.

Two paths:

Path 1 — Local signer (recommended)

{
  "mcpServers": {
    "agentaos": {
      "command": "npx",
      "args": ["agentaos"],
      "env": {
        "AGENTA_SIGNER": "my-agent"
      }
    }
  }
}

No secrets in the config file. Share loaded from ~/.agenta/ at runtime.

Path 2 — Direct env vars (CI/CD, Docker, remote)

{
  "mcpServers": {
    "agentaos": {
      "command": "npx",
      "args": ["agentaos"],
      "env": {
        "AGENTA_API_KEY": "gw_live_...",
        "AGENTA_API_SECRET": "base64-encoded-share"
      }
    }
  }
}

Priority

  • AGENTA_SIGNER takes precedence if set
  • Falls back to AGENTA_API_KEY + AGENTA_API_SECRET
  • Clear error message if neither path is configured

Security context

  • Trail of Bits: Insecure Credential Storage Plagues MCP — documents plaintext credential exposure in MCP configs
  • The signer share in ~/.agenta/ can be stored in macOS keychain with Touch ID (already supported by CLI)
  • Config file with only AGENTA_SIGNER=my-agent is safe to commit/share

Changes

  • packages/wallet/src/lib/signer-manager.ts — add AGENTA_SIGNER path to getConfig()
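
The precedence rules in the issue, as an added sketch (not the project's `getConfig()`): `resolveCredentialSource`, `signerPath` and the allowed name pattern are hypothetical. Because the signer name is interpolated into `~/.agenta/signers/{name}.json`, the sketch rejects names that could leave that directory and fails closed instead of falling back to the direct variables.

```typescript
// Added illustration; names and the signer-name pattern are assumptions.
type Env = { [key: string]: string | undefined };

type CredentialSource =
  | { kind: "signer"; name: string; path: string }
  | { kind: "env"; apiKey: string; apiSecret: string };

// Assumption: signer names are simple identifiers. Separators and dots are
// rejected so the value can never escape ~/.agenta/signers/ via "../".
const SIGNER_NAME = /^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/;

// Builds the signer file path (POSIX separators assumed in this sketch).
function signerPath(homeDir: string, name: string): string {
  if (!SIGNER_NAME.test(name)) {
    throw new Error("AGENTA_SIGNER must match " + SIGNER_NAME.source);
  }
  return homeDir.replace(/\/+$/, "") + "/.agenta/signers/" + name + ".json";
}

function resolveCredentialSource(env: Env, homeDir: string): CredentialSource {
  const signer = (env["AGENTA_SIGNER"] || "").trim();
  if (signer !== "") {
    // Takes precedence even when the direct variables are also present.
    // An invalid name throws here; it does not fall through to Path 2.
    return { kind: "signer", name: signer, path: signerPath(homeDir, signer) };
  }
  const apiKey = env["AGENTA_API_KEY"] || "";
  const apiSecret = env["AGENTA_API_SECRET"] || "";
  if (apiKey !== "" && apiSecret !== "") {
    return { kind: "env", apiKey: apiKey, apiSecret: apiSecret };
  }
  // Name the variables in the error; never echo their values.
  throw new Error(
    "No signer configured: set AGENTA_SIGNER, or both AGENTA_API_KEY and AGENTA_API_SECRET"
  );
}
```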
