Install & Verify

Pinned versions, checksums, and signature keys to verify the Wundervault MCP server and onboarding script. All values are computed live from the current build. For setup, reinstall, uninstall, and troubleshooting — see For Agents →.

---

MCP Server — npm Package

Install the pinned version directly from npm:

npm install @wundervault/[email protected]

Verify the package integrity after install:

npm view @wundervault/[email protected] dist.integrity

The integrity hash uses the npm standard (sha512, base64-encoded). Compare it against what npm reports locally after install — a mismatch means the package was tampered with in transit.

---

Onboarding Script

The onboarding script is served at wundervault.com/onboard. Download it first — pipe mode (curl ... | python3) is hard-blocked by the script, which detects it and exits immediately.

curl -fsSL https://wundervault.com/onboard -o /tmp/wv-onboard.py

SHA-256 Checksum

Current checksum of the onboarding script (computed live):

65404b815f862f7d98436168d72bd0f888a18a7d2eb93a8a03a849d8e6a46baa  wv-onboard.py

Verify locally after downloading:

sha256sum /tmp/wv-onboard.py

Ed25519 Signature

The script also carries an ed25519 signature, available at wundervault.com/onboard.sig. The script verifies this automatically on startup — if the signature check fails, it aborts before doing anything.

Public key for independent verification:

3yhfVM5ABcBHPGSuZSQuIxr0C9QkHnFKoGMWwcWpooY=

Verify manually with Python:

python3 - <<'EOF'
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
from cryptography.exceptions import InvalidSignature
import base64, pathlib

pubkey_b64 = "3yhfVM5ABcBHPGSuZSQuIxr0C9QkHnFKoGMWwcWpooY="
script = pathlib.Path("/tmp/wv-onboard.py").read_bytes()
sig_b64  = pathlib.Path("/tmp/wv-onboard.py.sig").read_text().strip()

pub = Ed25519PublicKey.from_public_bytes(base64.b64decode(pubkey_b64))
try:
    pub.verify(base64.b64decode(sig_b64), script)
    print("✅ Signature valid")
except InvalidSignature:
    print("❌ Signature invalid — do not run this script")
EOF

The cryptography package is required: pip install cryptography

---

Trusted Environment

• Run setup only on a machine you control — the onboarding script writes a token file to ~/.wundervault/agents/
• Do not run on shared or ephemeral machines where the home directory may be accessible to others
• If a machine becomes untrusted, revoke the agent from Settings → Agents in the dashboard — this immediately invalidates its token