Updated architecture with consideration to rune-admin (#4)

* Updated architecture with consideration to rune-admin

* Initial plan

* Fix shell variable interpolation in Python heredoc

Co-authored-by: sunchuljung <108503957+sunchuljung@users.noreply.github.com>

* Improve error message clarity in Python heredoc

Co-authored-by: sunchuljung <108503957+sunchuljung@users.noreply.github.com>

* Improve variable naming for better clarity

Co-authored-by: sunchuljung <108503957+sunchuljung@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

Author: sunchuljung

.claude/mcp_servers.template.json

@@ -1,14 +1,9 @@
 {
   "mcpServers": {
     "rune-vault": {
-      "command": "python3",
-      "args": [
-        "PLUGIN_DIR/mcp/vault/vault_mcp.py"
-      ],
-      "env": {
-        "VAULT_CONFIG": "~/.rune/config.json"
-      },
-      "description": "Rune-Vault MCP server for FHE key management and decryption"
+      "type": "sse",
+      "url": "VAULT_URL/sse",
+      "description": "Remote Rune-Vault MCP server for FHE decryption (deployed by team admin)"
     },
     "envector": {
       "command": "python3",

.github/claude-plugin.json

@@ -2,7 +2,7 @@
   "$schema": "https://claude.ai/schemas/plugin-v1.json",
   "name": "rune",
   "displayName": "Rune - Organizational Memory",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "FHE-encrypted organizational memory system for teams. Capture and retrieve institutional knowledge with zero-knowledge privacy.",
   "author": {
     "name": "CryptoLabInc",
@@ -111,12 +111,10 @@
   },
   "mcpServers": {
     "rune-vault": {
-      "description": "Rune-Vault MCP server for FHE key management",
-      "command": "python3",
-      "args": ["mcp/vault/vault_mcp.py"],
-      "env": {
-        "VAULT_CONFIG": "~/.rune/config.json"
-      }
+      "description": "Remote Rune-Vault MCP server for FHE decryption (deployed by team admin)",
+      "type": "sse",
+      "url": "${VAULT_URL}/sse",
+      "note": "VAULT_URL is configured in ~/.rune/config.json and set during /rune configure"
     },
     "envector": {
       "description": "enVector MCP server for encrypted vectors",

.gitmodules

@@ -1,3 +1,3 @@
 [submodule "mcp/envector-mcp-server"]
 	path = mcp/envector-mcp-server
-	url = git@github.com:CryptoLabInc/envector-mcp-server
+	url = https://github.com/CryptoLabInc/envector-mcp-server.git

CHANGELOG.md

@@ -5,14 +5,43 @@ All notable changes to Rune Plugin will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.2.1] - 2026-02-04
+
+### Changed - Security Architecture Fix
+
+**Critical Fix**: Enforced proper isolation between plugin and Vault.
+
+#### Removed
+- **Local Vault MCP**: Removed `mcp/vault/` directory from plugin
+  - Vault MCP server must run on a separate machine (deployed by team admin)
+  - SecKey (decryption key) should never exist on user machines
+  - This enforces the security model where agents cannot decrypt data locally
+
+#### Changed
+- **MCP Configuration**: Updated to connect to remote Vault via SSE
+  - `.claude/mcp_servers.template.json` - Now uses SSE connection to remote Vault
+  - `.github/claude-plugin.json` - Vault connection via `${VAULT_URL}/sse`
+- **start-mcp-servers.sh**: Now only starts envector-mcp-server locally
+  - Vault MCP is accessed remotely (no local startup needed)
+
+#### Architecture Clarification
+```
+Plugin (user machine)           Vault (admin-deployed VM)
+├── envector-mcp-server    ──►  └── vault_mcp.py (SecKey here only)
+│   (encryption only)               (decryption capability)
+└── No SecKey access
+```
+
+---
+
 ## [0.2.0] - 2026-02-02
 
 ### Added - Complete Plugin with MCP Servers
 
 **Major Update**: Transformed from documentation-only plugin to full-featured plugin with infrastructure.
 
 #### Infrastructure
-- **MCP Servers**: Included Vault MCP server (`mcp/vault/vault_mcp.py`)
+- **MCP Servers**: Included envector-mcp-server for encrypted vector operations
 - **Agent Specifications**: Added Scribe and Retriever agent specs (`agents/`)
 - **Python Dependencies**: Added `requirements.txt` with pyenvector, fastmcp, psutil, prometheus-client
 - **Installation Scripts**:

mcp/envector-mcp-server

@@ -59,15 +59,17 @@ else
     print_warn "curl not found, skipping Vault connectivity check"
 fi
 
-# Check if MCP servers are running
-if pgrep -f "vault_mcp.py" > /dev/null; then
-    print_check "Vault MCP server is running (PID: $(pgrep -f vault_mcp.py))"
+# Check if local envector-mcp-server is running
+if pgrep -f "envector-mcp-server" > /dev/null; then
+    print_check "enVector MCP server is running (PID: $(pgrep -f envector-mcp-server))"
 else
-    print_warn "Vault MCP server is not running"
+    print_warn "enVector MCP server is not running locally"
     echo "  Start with: scripts/start-mcp-servers.sh"
     # Not failing here, as it can be started later
 fi
 
+# Note: Vault MCP runs on remote server (already checked via HTTP above)
+
 # Check if virtual environment exists
 PLUGIN_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 if [ -d "$PLUGIN_DIR/.venv" ]; then

mcp/vault/run_vault.sh

@@ -28,18 +28,63 @@ echo "Config file: $CLAUDE_CONFIG"
 TEMP_CONFIG=$(mktemp)
 sed "s|PLUGIN_DIR|$PLUGIN_DIR|g" "$PLUGIN_DIR/.claude/mcp_servers.template.json" > "$TEMP_CONFIG"
 
-# Merge with existing config (simple approach: add rune servers)
-# TODO: Proper JSON merging for production
+# Merge with existing config using jq or Python fallback
+merge_json_with_python() {
+    python3 - "$CLAUDE_CONFIG" "$TEMP_CONFIG" << 'PYEOF'
+import json
+import sys
+
+def deep_merge(base, overlay):
+    """Recursively merge overlay into base."""
+    for key, value in overlay.items():
+        if key in base and isinstance(base[key], dict) and isinstance(value, dict):
+            deep_merge(base[key], value)
+        else:
+            base[key] = value
+    return base
+
+if len(sys.argv) != 3:
+    print("Error: Expected exactly 2 arguments: base_config_path overlay_config_path", file=sys.stderr)
+    sys.exit(1)
+
+base_config_file = sys.argv[1]
+overlay_config_file = sys.argv[2]
+
+try:
+    with open(base_config_file, 'r') as f:
+        base = json.load(f)
+except (json.JSONDecodeError, FileNotFoundError):
+    base = {}
+
+try:
+    with open(overlay_config_file, 'r') as f:
+        overlay = json.load(f)
+except (json.JSONDecodeError, FileNotFoundError):
+    print("Error: Failed to read template config", file=sys.stderr)
+    sys.exit(1)
+
+merged = deep_merge(base, overlay)
+
+with open(base_config_file, 'w') as f:
+    json.dump(merged, f, indent=2)
+
+print("✓ MCP servers configured successfully")
+PYEOF
+}
+
 if command -v jq &> /dev/null; then
     # Use jq if available
     jq -s '.[0] * .[1]' "$CLAUDE_CONFIG" "$TEMP_CONFIG" > "$CLAUDE_CONFIG.tmp"
     mv "$CLAUDE_CONFIG.tmp" "$CLAUDE_CONFIG"
     echo "✓ MCP servers configured successfully"
+elif command -v python3 &> /dev/null; then
+    # Fallback: use Python for JSON merging
+    merge_json_with_python
 else
-    # Fallback: just append (may create duplicate keys)
-    echo "Warning: jq not found. Using simple append."
-    cat "$TEMP_CONFIG" >> "$CLAUDE_CONFIG"
-    echo "✓ MCP configuration appended (you may need to manually clean up)"
+    echo "Error: Neither jq nor python3 found. Cannot merge JSON configuration."
+    echo "Please install jq (recommended) or python3."
+    rm "$TEMP_CONFIG"
+    exit 1
 fi
 
 rm "$TEMP_CONFIG"