From 889ba3b97e437c6693b37a0daf1b808b9f337982 Mon Sep 17 00:00:00 2001
From: "Panche I."
Date: Thu, 5 Mar 2026 10:52:50 +0100
Subject: [PATCH] feat: support AGENTA_SIGNER env var in MCP server

Add a second credential path for the MCP server. When AGENTA_SIGNER is set, load config from ~/.agenta/signers/{name}.json instead of requiring AGENTA_API_KEY and AGENTA_API_SECRET as direct env vars. This keeps the signer share out of the MCP client config file, improving security for local development with Claude Desktop, Cursor, and other MCP clients. AGENTA_SIGNER takes precedence. Falls back to direct env vars for CI/CD, Docker, and remote agent deployments.

Closes #3
---
 packages/wallet/src/lib/signer-manager.ts | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/packages/wallet/src/lib/signer-manager.ts b/packages/wallet/src/lib/signer-manager.ts
index b32f73e..1d6fb43 100644
--- a/packages/wallet/src/lib/signer-manager.ts
+++ b/packages/wallet/src/lib/signer-manager.ts
@@ -1,5 +1,6 @@
 import { CGGMP24Scheme } from '@agentaos/engine';
 import { AgentaApi, HttpClient, ThresholdSigner } from '@agentaos/sdk';
+import { loadSignerConfig, resolveApiSecret, resolveSignerName } from './config.js';
 export class SignerManager {
 private signer: ThresholdSigner | null = null;
@@ -8,12 +9,28 @@ export class SignerManager {
 private api: AgentaApi | null = null;
 private getConfig() {
+ const signerName = process.env.AGENTA_SIGNER;
+
+ // Path 1: load from ~/.agenta/signers/{name}.json
+ if (signerName) {
+ const config = loadSignerConfig(resolveSignerName(signerName));
+ return {
+ apiSecret: resolveApiSecret(config),
+ serverUrl: config.serverUrl,
+ apiKey: config.apiKey,
+ };
+ }
+
+ // Path 2: direct env vars (CI/CD, Docker, remote agents)
 const apiSecret = process.env.AGENTA_API_SECRET;
 const serverUrl = process.env.AGENTA_SERVER || 'https://api.agentaos.ai';
 const apiKey = process.env.AGENTA_API_KEY;
- if (!apiSecret) throw new Error('AGENTA_API_SECRET is required');
- if (!apiKey) throw new Error('AGENTA_API_KEY is required');
+ if (!apiSecret || !apiKey) {
+ throw new Error(
+ 'Set AGENTA_SIGNER to use a local signer (from `agenta init`), or set both AGENTA_API_KEY and AGENTA_API_SECRET.',
+ );
+ }
 return { apiSecret, serverUrl, apiKey };
 }
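Review bot: Path 1 of `getConfig` returns `config.serverUrl`, `config.apiKey` and the result of `resolveApiSecret(config)` without the checks Path 2 applies, so a signer file with a missing field yields an undefined value that only fails later, away from its cause. I would give the server the same default, `serverUrl: config.serverUrl || 'https://api.agentaos.ai',`, and throw when the key or the resolved secret is empty, unless `loadSignerConfig` already validates the file (it lives in `./config.js`, outside this diff). `AGENTA_SIGNER` also ends up in a path under `~/.agenta/signers/`, so it is worth confirming that `resolveSignerName` rejects path separators and `..` before the name reaches the filesystem. The class body continues outside the hunk.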