Fixed
- The release bundle now carries a generated
resources.sexpmanifest mapping the bundled prompt directory to its place in the bundle, so a source install serves the workflow prompts —workon,handoff,implement,plan,research,validate— over MCPprompts/listandresources/list. Requires kli ≥ 0.1.3, which registers the manifest's roots at load; on older kli the prompts remain unavailable (tools are unaffected either way).
Install
kli install https://github.com/kleisli-io/cairn/releases/download/v0.1.1/cairn.bundle 1b92b2928de8de87711c299d7353f1e0b602068e
The second argument is the artifact's git-tree-sha1 pin: kli recomputes it over the unpacked tree and refuses on mismatch (integrity floor, always on). Then serve it to any MCP client with kli mcp-serve cairn.
To additionally require the release signature (authenticity, opt-in), add the Kleisli.IO release key to trustRoots in your kli settings.json:
"trustRoots": ["373cb80b9c572f0f437b868a6cd6ffa4f174576567e2ebeb9f2b8e26414e056e"]With a trust root set, kli fetches cairn.bundle.sig alongside the artifact and installs only if the ed25519 signature over the bundle verifies against a trusted key. The same key is committed at release/trust/cairn-release.pub. SHA-256 sums of both assets are in checksums.txt.