npm - @abstract-foundation/agw-mcp - Versions diffs - 0.1.0-beta.3 → 0.1.0-beta.5 - Mend

@abstract-foundation/agw-mcp 0.1.0-beta.3 → 0.1.0-beta.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -9,13 +9,13 @@ MCP server for [Abstract Global Wallet](https://abs.xyz) session-key workflows
 ## Quick Start
 ```bash
-npx -y @abstract-foundation/agw-mcp serve --chain-id 11124
+npx -y @abstract-foundation/agw-mcp serve --chain-id 2741
 ```
 Or add it to Claude Code directly:
 ```bash
-claude mcp add agw -- npx -y @abstract-foundation/agw-mcp serve --chain-id 11124
+claude mcp add agw -- npx -y @abstract-foundation/agw-mcp serve --chain-id 2741
 ```
 ## Setup
@@ -23,10 +23,10 @@ claude mcp add agw -- npx -y @abstract-foundation/agw-mcp serve --chain-id 11124
 ### 1. Bootstrap a session
 ```bash
-npx -y @abstract-foundation/agw-mcp init --chain-id 11124
+npx -y @abstract-foundation/agw-mcp init --chain-id 2741
 ```
-This opens the hosted onboarding app (`https://app-jarrodwatts.vercel.app`) where you:
+This opens the hosted onboarding app (`https://mcp.abs.xyz` by default) where you:
 1. Choose a policy preset (or provide custom policy JSON)
 2. Connect your Abstract Global Wallet
@@ -35,11 +35,12 @@ This opens the hosted onboarding app (`https://app-jarrodwatts.vercel.app`) wher
 Session data is saved to `~/.agw-mcp/session.json` with `0o600` file permissions. The session signer key is stored separately in `~/.agw-mcp/session-signer.key`.
 If a previous active session exists locally, the CLI attempts to revoke it on-chain after creating the new one.
 Bootstrap is single-process per storage directory (lockfile: `~/.agw-mcp/.bootstrap-init.lock`) to prevent concurrent `init` races.
+When local sessions are revoked/cleared, the signer keyfile is deleted as part of local cleanup.
 ### 2. Start the MCP server
 ```bash
-npx -y @abstract-foundation/agw-mcp serve --chain-id 11124
+npx -y @abstract-foundation/agw-mcp serve --chain-id 2741
 ```
 ## Client Configuration
@@ -47,7 +48,7 @@ npx -y @abstract-foundation/agw-mcp serve --chain-id 11124
 ### Claude Code
 ```bash
-claude mcp add agw -- npx -y @abstract-foundation/agw-mcp serve --chain-id 11124
+claude mcp add agw -- npx -y @abstract-foundation/agw-mcp serve --chain-id 2741
 ```
 ### Claude Desktop
@@ -62,7 +63,7 @@ Add to your `claude_desktop_config.json`:
   "mcpServers": {
     "agw-mcp": {
       "command": "npx",
-      "args": ["-y", "@abstract-foundation/agw-mcp", "serve", "--chain-id", "11124"]
+      "args": ["-y", "@abstract-foundation/agw-mcp", "serve", "--chain-id", "2741"]
     }
   }
 }
@@ -78,7 +79,7 @@ Add to your `claude_desktop_config.json`:
   "mcpServers": {
     "agw-mcp": {
       "command": "npx",
-      "args": ["-y", "@abstract-foundation/agw-mcp", "serve", "--chain-id", "11124"]
+      "args": ["-y", "@abstract-foundation/agw-mcp", "serve", "--chain-id", "2741"]
     }
   }
 }
@@ -93,7 +94,7 @@ Use the same JSON block as Claude Desktop in your editor's MCP configuration fil
 ### Generate config snippet
 ```bash
-npx -y @abstract-foundation/agw-mcp config --npx --chain-id 11124
+npx -y @abstract-foundation/agw-mcp config --npx --chain-id 2741
 ```
 ## Tools
@@ -117,7 +118,7 @@ npx -y @abstract-foundation/agw-mcp config --npx --chain-id 11124
 ## Network Configuration
-Defaults to Abstract testnet (chain ID `11124`). Switch to mainnet or override RPC:
+Defaults to Abstract mainnet (chain ID `2741`). Override RPC or switch to testnet when needed:
 ```bash
 # Mainnet
@@ -132,15 +133,16 @@ Environment variables are also supported:
 ```bash
 AGW_MCP_CHAIN_ID=2741 npx -y @abstract-foundation/agw-mcp serve
 AGW_MCP_RPC_URL=https://api.mainnet.abs.xyz npx -y @abstract-foundation/agw-mcp serve
-AGW_MCP_APP_URL=http://localhost:3001 npx -y @abstract-foundation/agw-mcp init --chain-id 11124
+AGW_MCP_APP_URL=https://mcp.abs.xyz npx -y @abstract-foundation/agw-mcp init --chain-id 2741
 ```
 `init` requires `https://` app URLs except for loopback local development URLs (`http://localhost`, `http://127.0.0.1`, `http://[::1]`).
+`init` defaults to `https://mcp.abs.xyz` if no app URL is configured via `--app-url` or `AGW_MCP_APP_URL`.
 For local hosted-app development:
 ```bash
-npx -y @abstract-foundation/agw-mcp init --chain-id 11124 --app-url http://localhost:3001
+npx -y @abstract-foundation/agw-mcp init --chain-id 2741 --app-url http://localhost:3001
 ```
 ## Security Model
@@ -151,6 +153,15 @@ npx -y @abstract-foundation/agw-mcp init --chain-id 11124 --app-url http://local
 - **Restrictive file permissions**: Session storage directory `0o700`, files `0o600`.
 - **Stderr-only logging**: stdout is reserved for MCP stdio transport. All operational logs go to stderr.
+### Real Funds Checklist
+For production usage with real money:
+1. Use a trusted onboarding host (`--app-url` or `AGW_MCP_APP_URL`) and pin it in deployment config.
+2. Start with minimal intent scope (prefer payments-only) and shortest practical expiry.
+3. Keep `execute` off by default and run preview-first workflows where possible.
+4. Revoke sessions after task completion (`revoke_session`) and confirm status with `get_session_status`.
 ## Development
 ```bash

package/dist/index.mjs CHANGED Viewed

@@ -117,12 +117,24 @@ var SessionStorage = class {
 	}
 	resolveSignerRefForRuntime(data) {
 		if (data.sessionSignerRef.kind === "keyfile") {
-			if (!fs.existsSync(data.sessionSignerRef.value)) return null;
+			if (!fs.existsSync(data.sessionSignerRef.value)) {
+				if (data.status === "revoked") return {
+					...data,
+					sessionSignerRef: {
+						kind: "raw",
+						value: REDACTED_SIGNER_REF$1
+					}
+				};
+				return null;
+			}
 			return data;
 		}
 		const rawValue = data.sessionSignerRef.value.trim();
 		if (rawValue === REDACTED_SIGNER_REF$1) {
-			if (!fs.existsSync(this.signerKeyPath)) return null;
+			if (!fs.existsSync(this.signerKeyPath)) {
+				if (data.status === "revoked") return data;
+				return null;
+			}
 			return {
 				...data,
 				sessionSignerRef: {
@@ -131,7 +143,16 @@ var SessionStorage = class {
 				}
 			};
 		}
-		if (!PRIVATE_KEY_PATTERN$4.test(rawValue)) return null;
+		if (!PRIVATE_KEY_PATTERN$4.test(rawValue)) {
+			if (data.status === "revoked") return {
+				...data,
+				sessionSignerRef: {
+					kind: "raw",
+					value: REDACTED_SIGNER_REF$1
+				}
+			};
+			return null;
+		}
 		return {
 			...data,
 			sessionSignerRef: {
@@ -172,11 +193,23 @@ var SessionStorage = class {
 		} : data;
 		fs.writeFileSync(this.filePath, JSON.stringify(this.sanitizeForPersistence(normalized), null, 2), { mode: 384 });
 	}
-	delete() {
+	deleteFile(filePath, wipe = false) {
 		try {
-			if (fs.existsSync(this.filePath)) fs.unlinkSync(this.filePath);
+			if (!fs.existsSync(filePath)) return;
+			if (wipe) try {
+				const stats = fs.statSync(filePath);
+				if (stats.isFile() && stats.size > 0) fs.writeFileSync(filePath, Buffer.alloc(stats.size), { flag: "r+" });
+			} catch {}
+			fs.unlinkSync(filePath);
 		} catch {}
 	}
+	deleteSignerKeyfile() {
+		this.deleteFile(this.signerKeyPath, true);
+	}
+	delete() {
+		this.deleteFile(this.filePath);
+		this.deleteSignerKeyfile();
+	}
 };
 //#endregion
@@ -206,7 +239,7 @@ const SUPPORTED_CHAINS = {
 	[abstractTestnet.id]: abstractTestnet,
 	[abstract.id]: abstract
 };
-const DEFAULT_CHAIN_ID = abstractTestnet.id;
+const DEFAULT_CHAIN_ID = abstract.id;
 function normalizeOptionalString(value) {
 	if (typeof value !== "string") return;
 	const normalized = value.trim();
@@ -891,6 +924,7 @@ const LOOPBACK_HOSTS = new Set([
 	"[::1]"
 ]);
 const BOOTSTRAP_LOCK_STALE_MS = 1800 * 1e3;
+const DEFAULT_ONBOARDING_APP_URL = "https://mcp.abs.xyz";
 function ensurePrivateDir$1(dir) {
 	fs.mkdirSync(dir, {
 		recursive: true,
@@ -1019,7 +1053,11 @@ function isLoopbackHostname(hostname) {
 	return LOOPBACK_HOSTS.has(hostname);
 }
 function resolveAppUrl(options) {
-	return options.appUrl ?? process.env.AGW_MCP_APP_URL ?? "https://app-jarrodwatts.vercel.app";
+	const explicitAppUrl = options.appUrl?.trim();
+	if (explicitAppUrl) return explicitAppUrl;
+	const envAppUrl = process.env.AGW_MCP_APP_URL?.trim();
+	if (envAppUrl) return envAppUrl;
+	return DEFAULT_ONBOARDING_APP_URL;
 }
 function validateAppUrl(appUrl) {
 	let appOrigin;
@@ -1406,7 +1444,7 @@ var AuditLog = class {
 const ADDRESS_PATTERN = /^0x[0-9a-fA-F]{40}$/;
 const SELECTOR_PATTERN = /^0x[0-9a-fA-F]{8}$/;
 const UINT_PATTERN = /^\d+$/;
-const DEFAULT_MAX_SESSION_LIFETIME_SECONDS = 1440 * 60;
+const DEFAULT_MAX_SESSION_LIFETIME_SECONDS = 720 * 60 * 60;
 const EQUAL_CONDITION = 1n;
 const UNSAFE_DESTINATION_SELECTORS = new Set([
 	"0xa22cb465",
@@ -1644,7 +1682,7 @@ var SessionManager = class {
 	constructor(logger, options = {}) {
 		this.logger = logger.child("session");
 		this.storage = new SessionStorage(options.storageDir);
-		this.chainId = options.chainId ?? 11124;
+		this.chainId = options.chainId ?? DEFAULT_CHAIN_ID;
 		this.rpcUrl = options.rpcUrl;
 	}
 	initialize() {
@@ -1678,6 +1716,12 @@ var SessionManager = class {
 			source: "local",
 			checkedAt
 		};
+		if (this.session.status === "revoked") return {
+			status: "Closed",
+			statusCode: 2,
+			source: "local",
+			checkedAt
+		};
 		const networkConfig = this.getNetworkConfig(this.session.chainId);
 		const sessionClient = createSessionClientFromSessionData({
 			session: this.session,
@@ -1714,6 +1758,7 @@ var SessionManager = class {
 			updatedAt: updatedAtUnixSeconds
 		};
 		this.storage.save(this.session);
+		this.storage.deleteSignerKeyfile();
 	}
 	getChainId() {
 		return this.chainId;
@@ -3315,7 +3360,7 @@ var AgwMcpServer = class {
 const logger = new Logger("agw-mcp");
 const program = new Command();
 program.name("agw-mcp").description("Local MCP server for AGW session-key workflows").version("0.1.0");
-program.command("init").description("Bootstrap local AGW MCP session storage").option("--chain-id <chainId>", "EVM chain id (env: AGW_MCP_CHAIN_ID)").option("--rpc-url <rpcUrl>", "RPC URL override (env: AGW_MCP_RPC_URL)").option("--app-url <url>", "Hosted session onboarding URL (env: AGW_MCP_APP_URL)").option("--storage-dir <dir>", "Session storage directory").action(async (options) => {
+program.command("init").description("Bootstrap local AGW MCP session storage").option("--chain-id <chainId>", "EVM chain id (env: AGW_MCP_CHAIN_ID)").option("--rpc-url <rpcUrl>", "RPC URL override (env: AGW_MCP_RPC_URL)").option("--app-url <url>", "Hosted session onboarding URL (defaults to https://mcp.abs.xyz; env: AGW_MCP_APP_URL)").option("--storage-dir <dir>", "Session storage directory").action(async (options) => {
 	const networkConfig = resolveNetworkConfig({
 		chainId: options.chainId,
 		rpcUrl: options.rpcUrl

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@abstract-foundation/agw-mcp",
-  "version": "0.1.0-beta.3",
+  "version": "0.1.0-beta.5",
   "description": "MCP server for Abstract Global Wallet session-key workflows",
   "license": "MIT",
   "author": "Abstract Foundation",
@@ -71,5 +71,11 @@
     "tsdown": "^0.20.3",
     "tsx": "^4.19.3",
     "typescript": "^5.8.3"
+  },
+  "pnpm": {
+    "overrides": {
+      "ajv": "6.14.0",
+      "minimatch": "10.2.1"
+    }
   }
 }