refactor(mcp-server): migrate worker-URL env to AGENTKEYS_WORKER_{MEMORY,AUDIT}_URL

[hanwencheng]

What & why

Terminology-drift follow-up (arch.md §5 "Canonical names"). The MCP server (agentkeys-mcp-server) read its worker base-URLs from the bare env names AGENTKEYS_MEMORY_URL / AGENTKEYS_AUDIT_URL, diverging from the canonical AGENTKEYS_WORKER_<svc>_URL family that scripts/operator-workstation.env already defines (audit/cred/email/memory) and that the daemon's W3 work + the dev guide use. This renames the MCP server's family to the canonical spelling — memory and audit together, since they share the same drift.

AGENTKEYS_BROKER_URL is intentionally untouched — the broker is not a worker, so the bare name is already canonical.

Zero-downtime (accept-both fallback)

A deployed remote MCP host still carries the old bare names in /etc/agentkeys/mcp.env (written by an older setup-mcp-host.sh) until its next redeploy. To avoid breaking it between the binary upgrade and that redeploy, config.rs::from_cli now accepts both: it reads the canonical AGENTKEYS_WORKER_* var (clap env, or the --memory-url/--audit-url flag) first, then falls back to the legacy bare name via std::env::var(...).ok() only when unset. The fallback drops out naturally once the next setup-mcp-host.sh run rewrites mcp.env with the canonical names.

(The daemon could hard-rename because nothing external sets its old name; the MCP server cannot, hence the fallback.)

Files

• crates/agentkeys-mcp-server/src/config.rs — clap env attrs (memory_url/audit_url) + the from_cli accept-both fallback.
• crates/agentkeys-mcp-server/README.md — Docker -e flags.
• scripts/setup-mcp-host.sh — both mcp.env heredocs (xiaozhi + self-hosted modes).
• docs/plan/issue-107-mcp-demo-runbook.md — the http-backend switch line + the §B.5 broker-URLs callout (with a short note that the binary accepts the legacy names during the upgrade window).
• docs/arch.md — new §5 canonical-names row marking the bare names retired-in-code-with-fallback for the MCP server.

Verification

• cargo check -p agentkeys-mcp-server → exit 0, 0 warnings.
• bash -n scripts/setup-mcp-host.sh → OK.
• bash scripts/lint-wiki.sh → clean (no wiki page touched).
• grep confirms no stale clap env attrs remain and every residual bare-name reference is a deliberate fallback/legacy mention.

Reviewer notes

• Daemon is NOT migrated in this branch. The task framed the daemon as "already migrated to AGENTKEYS_WORKER_MEMORY_URL", but on main (crates/agentkeys-daemon/src/main.rs --memory-url) it still reads the bare AGENTKEYS_MEMORY_URL. Left as-is (out of scope); the new arch.md row records this honestly and flags the daemon hard-rename as a separate follow-up.
• arch.md §5 had no pre-existing env-URL row to "update", so this adds one — which also captures the daemon's still-bare state.
• Cargo.lock was deliberately excluded. cargo check materialized a pre-existing manifest/lockfile drift (agentkeys-daemon's dep list gained agentkeys-provisioner); no Cargo.toml was touched in this PR, so the unrelated lockfile delta was kept out of this focused diff. Worth a separate cargo update -p/lockfile-sync commit on main.

[hanwencheng]

Review verdict: rebase & salvage — the core rename is still valid, but the branch is stale.

The premise still holds on main: config.rs:49,53 still reads the bare AGENTKEYS_MEMORY_URL / AGENTKEYS_AUDIT_URL, while operator-workstation.env:150-154 already defines the canonical AGENTKEYS_WORKER_*_URL family. That drift is exactly what the arch.md §5 terminology-source-of-truth rule exists to close, and the MCP server is still a live component (re-converged on every deploy via setup-broker-host.sh → setup-mcp-host.sh). The accept-both fallback is the right zero-downtime shape.

Two staleness issues to fix before this can merge:

1. CONFLICTING/DIRTY — needs a rebase onto current main.
2. It edits docs/plan/issue-107-mcp-demo-runbook.md, which Onboarding config bootstrap + classifier-driven auto-distribution (cred + memory, R1–R4) #207 deleted (commit 8c5f47a). That hunk is dead — drop it.

The reviewer note is still accurate: daemon/src/main.rs:223 still reads the bare AGENTKEYS_MEMORY_URL. Since it's the same divergence, fold the daemon rename into this change rather than leaving a documented split.

Recommended action: rebase, drop the runbook hunk, add the daemon rename, keep the accept-both fallback → mergeable. Keep this PR open.

[hanwencheng]

Salvage pushed — this is now MERGEABLE (was CONFLICTING/DIRTY).

Rebased onto current main as a single clean commit:

• ✅ MCP config.rs — clap env → canonical AGENTKEYS_WORKER_{MEMORY,AUDIT}_URL, with the accept-both fallback in from_cli (legacy bare names honored only when the canonical var/flag is unset).
• ✅ setup-mcp-host.sh + README.md — emit the canonical names.
• ✅ Folded in the daemon rename (per the review): daemon/main.rs --memory-url now reads AGENTKEYS_WORKER_MEMORY_URL (matching its already-canonical --config-url) with the same legacy fallback at consumption — closing the divergence the original PR documented as a follow-up.
• ✅ arch.md §5 — added the AGENTKEYS_WORKER_<svc>_URL canonical-names row (placed after the config_bucket row that Config data class + lazy, config-driven memory list (Phases 1–5) #201 added; reflects both clients migrated).
• 🗑️ Dropped the stale docs/plan/issue-107-mcp-demo-runbook.md hunk — that file was deleted by Onboarding config bootstrap + classifier-driven auto-distribution (cred + memory, R1–R4) #207 (8c5f47a).

Verification: cargo check -p agentkeys-mcp-server -p agentkeys-daemon clean (38s), bash -n scripts/setup-mcp-host.sh ok.

Ready for review/merge.