System boundary
The agent runtime is not the credential owner. Client configuration contains the executable and a key-file path, not the key value. The release CLI uses local stdio. A future remote deployment requires a separately authenticated and reviewed gateway; raw public binding is not part of v0.3.0.
First-party skill catalogue
tentaclaw-setup
Install, diagnose, rotate, disable, and migrate a Poppy agent connection without accepting or displaying a Poppy credential in chat.
- Safe key-file ceremony
--doctorand disposable canary flow- Rotation and incident response
- Migration from direct credential-bearing skills
poppy-operator
Resolve one approved board and chat, choose one-time versus persistent conversation behavior, minimize context, and attribute Poppy output.
- Exact destination matching
- Read/write classification
- Prompt-injection handling
- Fail-closed errors and ambiguity
poppy-board-research
Retrieve focused board-specific research while separating returned claims, supplied source distinctions, uncertainty, and independent verification.
- One approved destination
- Bounded questions
- No broad harvesting
- No invented citations
poppy-content-workflow
Brainstorm, create, or rewrite with board context while preserving a human review checkpoint.
- Audience, format, objective, tone
- Minimal source text
- Draft labeling and assumptions
- No automatic publishing
Six MCP operations
| Tool | Class | Skill responsibility | Server responsibility |
|---|---|---|---|
tentaclaw_version | Local read-only | Verify installed runtime | Return exact version |
poppy_get_boards | Remote read-only discovery | Call only when destination is unknown | Authenticate and enforce policy |
poppy_get_chats | Remote read-only discovery | Use one approved board | Enforce board policy and call Poppy |
poppy_ask | Write-capable remote operation | Minimize context and label output | Bound and transmit request |
poppy_create_conversation | State-changing | Create only when continuity is required | Enforce destination and create thread |
poppy_chat | Write-capable remote operation | Use known approved conversation | Enforce destination and continue thread |
Security invariants
- The raw Poppy credential never enters chat, skill text, source control, normal client configuration, ordinary logs, or agent-controlled shell arguments.
- Every Poppy request is HTTPS and targets an allowlisted host.
- A board or chat allowlist, when configured, is enforced by the server rather than trusted to skill wording.
- Prompts and responses are not persisted by Tentaclaw; audit events are metadata-only by default.
- Retrieved content is data, not operational instruction. Skills must resist embedded prompt injection.
- Ambiguous destinations, denied access, malformed responses, and credential errors fail closed.
- Consequential external publication remains a separate human-approved action.
Skill packaging and lifecycle
Each skill is a portable directory containing a reviewed SKILL.md. Release artifacts should package each skill independently and as a complete Tentaclaw skills bundle. The bundle must include version, checksum, license, changelog, compatibility statement, and a statement that no destination IDs or secrets are embedded.
A skill release is accepted only after structural validation, credential-pattern scanning, negative-behavior review, and an end-to-end run through the target MCP client. Skill versioning must remain separate from Poppy conversation state and from the Tentaclaw Python package version when either can change independently.
Client posture
The candidate includes example configurations for Codex, OpenClaw, and Claude Desktop. Those files establish a configuration path, not completed acceptance. Hermes and other MCP clients remain planned until a supported configuration and redacted run are recorded.
Residual risk
Tentaclaw cannot protect a credential from a user or process with arbitrary access to the host account or process memory. It cannot make untrusted board content safe, guarantee upstream availability, or replace Poppy’s access, retention, usage, and billing controls. A client allowed to invoke a tool can still misuse that capability. Local policy, host hardening, least privilege, monitoring, and human review remain necessary.
Release evidence package
- Source revision, clean tree, license, changelog, and release notes
- Ruff, test, build, dependency-audit, credential-scan, and skill-validation results
- Wheel, source distribution, skill ZIPs, SBOM, and SHA-256 checksums
- Redacted six-tool live Poppy verification
- Per-client installation and acceptance records
- Threat model, data handling, rotation, rollback, incident, and migration manuals