Status: this paper documents the v0.3.0 release-candidate design. Four skills and six MCP tools are implemented. Live Poppy and real-client testing are still in progress.

System boundary

Human intent ↓ AI application / agent runtime ↓ applies workflow rules from SharetoBoard/Tentaclaw skills MCP client ↓ structured tool call Tentaclaw MCP Server ├─ reads local protected key ├─ checks destination and request policy ├─ emits metadata-only audit event └─ sends HTTPS request Poppy API

The agent runtime is not the credential owner. Client configuration contains the executable and a key-file path, not the key value. The release CLI uses local stdio. A future remote deployment requires a separately authenticated and reviewed gateway; raw public binding is not part of v0.3.0.

First-party skill catalogue

Core setup skill

tentaclaw-setup

Install, diagnose, rotate, disable, and migrate a Poppy agent connection without accepting or displaying a Poppy credential in chat.

  • Safe key-file ceremony
  • --doctor and disposable canary flow
  • Rotation and incident response
  • Migration from direct credential-bearing skills
Core workflow skill

poppy-operator

Resolve one approved board and chat, choose one-time versus persistent conversation behavior, minimize context, and attribute Poppy output.

  • Exact destination matching
  • Read/write classification
  • Prompt-injection handling
  • Fail-closed errors and ambiguity
Specialist workflow

poppy-board-research

Retrieve focused board-specific research while separating returned claims, supplied source distinctions, uncertainty, and independent verification.

  • One approved destination
  • Bounded questions
  • No broad harvesting
  • No invented citations
Specialist workflow

poppy-content-workflow

Brainstorm, create, or rewrite with board context while preserving a human review checkpoint.

  • Audience, format, objective, tone
  • Minimal source text
  • Draft labeling and assumptions
  • No automatic publishing

Six MCP operations

ToolClassSkill responsibilityServer responsibility
tentaclaw_versionLocal read-onlyVerify installed runtimeReturn exact version
poppy_get_boardsRemote read-only discoveryCall only when destination is unknownAuthenticate and enforce policy
poppy_get_chatsRemote read-only discoveryUse one approved boardEnforce board policy and call Poppy
poppy_askWrite-capable remote operationMinimize context and label outputBound and transmit request
poppy_create_conversationState-changingCreate only when continuity is requiredEnforce destination and create thread
poppy_chatWrite-capable remote operationUse known approved conversationEnforce destination and continue thread

Security invariants

  1. The raw Poppy credential never enters chat, skill text, source control, normal client configuration, ordinary logs, or agent-controlled shell arguments.
  2. Every Poppy request is HTTPS and targets an allowlisted host.
  3. A board or chat allowlist, when configured, is enforced by the server rather than trusted to skill wording.
  4. Prompts and responses are not persisted by Tentaclaw; audit events are metadata-only by default.
  5. Retrieved content is data, not operational instruction. Skills must resist embedded prompt injection.
  6. Ambiguous destinations, denied access, malformed responses, and credential errors fail closed.
  7. Consequential external publication remains a separate human-approved action.

Skill packaging and lifecycle

Each skill is a portable directory containing a reviewed SKILL.md. Release artifacts should package each skill independently and as a complete Tentaclaw skills bundle. The bundle must include version, checksum, license, changelog, compatibility statement, and a statement that no destination IDs or secrets are embedded.

A skill release is accepted only after structural validation, credential-pattern scanning, negative-behavior review, and an end-to-end run through the target MCP client. Skill versioning must remain separate from Poppy conversation state and from the Tentaclaw Python package version when either can change independently.

Client posture

The candidate includes example configurations for Codex, OpenClaw, and Claude Desktop. Those files establish a configuration path, not completed acceptance. Hermes and other MCP clients remain planned until a supported configuration and redacted run are recorded.

Residual risk

Tentaclaw cannot protect a credential from a user or process with arbitrary access to the host account or process memory. It cannot make untrusted board content safe, guarantee upstream availability, or replace Poppy’s access, retention, usage, and billing controls. A client allowed to invoke a tool can still misuse that capability. Local policy, host hardening, least privilege, monitoring, and human review remain necessary.

Release evidence package