@abstract-foundation/agw-mcp 0.1.0-beta.3 → 0.1.0-beta.6

package/README.md

@@ -9,13 +9,13 @@ MCP server for [Abstract Global Wallet](https://abs.xyz) session-key workflows
 ## Quick Start
 
 ```bash
-npx -y @abstract-foundation/agw-mcp serve --chain-id 11124
+npx -y @abstract-foundation/agw-mcp serve --chain-id 2741
 ```
 
 Or add it to Claude Code directly:
 
 ```bash
-claude mcp add agw -- npx -y @abstract-foundation/agw-mcp serve --chain-id 11124
+claude mcp add agw -- npx -y @abstract-foundation/agw-mcp serve --chain-id 2741
 ```
 
 ## Setup
@@ -23,10 +23,10 @@ claude mcp add agw -- npx -y @abstract-foundation/agw-mcp serve --chain-id 11124
 ### 1. Bootstrap a session
 
 ```bash
-npx -y @abstract-foundation/agw-mcp init --chain-id 11124
+npx -y @abstract-foundation/agw-mcp init --chain-id 2741
 ```
 
-This opens the hosted onboarding app (`https://app-jarrodwatts.vercel.app`) where you:
+This opens the hosted onboarding app (`https://mcp.abs.xyz` by default) where you:
 
 1. Choose a policy preset (or provide custom policy JSON)
 2. Connect your Abstract Global Wallet
@@ -35,11 +35,12 @@ This opens the hosted onboarding app (`https://app-jarrodwatts.vercel.app`) wher
 Session data is saved to `~/.agw-mcp/session.json` with `0o600` file permissions. The session signer key is stored separately in `~/.agw-mcp/session-signer.key`.
 If a previous active session exists locally, the CLI attempts to revoke it on-chain after creating the new one.
 Bootstrap is single-process per storage directory (lockfile: `~/.agw-mcp/.bootstrap-init.lock`) to prevent concurrent `init` races.
+When local sessions are revoked/cleared, the signer keyfile is deleted as part of local cleanup.
 
 ### 2. Start the MCP server
 
 ```bash
-npx -y @abstract-foundation/agw-mcp serve --chain-id 11124
+npx -y @abstract-foundation/agw-mcp serve --chain-id 2741
 ```
 
 ## Client Configuration
@@ -47,7 +48,7 @@ npx -y @abstract-foundation/agw-mcp serve --chain-id 11124
 ### Claude Code
 
 ```bash
-claude mcp add agw -- npx -y @abstract-foundation/agw-mcp serve --chain-id 11124
+claude mcp add agw -- npx -y @abstract-foundation/agw-mcp serve --chain-id 2741
 ```
 
 ### Claude Desktop
@@ -62,7 +63,7 @@ Add to your `claude_desktop_config.json`:
   "mcpServers": {
     "agw-mcp": {
       "command": "npx",
-      "args": ["-y", "@abstract-foundation/agw-mcp", "serve", "--chain-id", "11124"]
+      "args": ["-y", "@abstract-foundation/agw-mcp", "serve", "--chain-id", "2741"]
     }
   }
 }
@@ -78,7 +79,7 @@ Add to your `claude_desktop_config.json`:
   "mcpServers": {
     "agw-mcp": {
       "command": "npx",
-      "args": ["-y", "@abstract-foundation/agw-mcp", "serve", "--chain-id", "11124"]
+      "args": ["-y", "@abstract-foundation/agw-mcp", "serve", "--chain-id", "2741"]
     }
   }
 }
@@ -93,7 +94,7 @@ Use the same JSON block as Claude Desktop in your editor's MCP configuration fil
 ### Generate config snippet
 
 ```bash
-npx -y @abstract-foundation/agw-mcp config --npx --chain-id 11124
+npx -y @abstract-foundation/agw-mcp config --npx --chain-id 2741
 ```
 
 ## Tools
@@ -117,7 +118,7 @@ npx -y @abstract-foundation/agw-mcp config --npx --chain-id 11124
 
 ## Network Configuration
 
-Defaults to Abstract testnet (chain ID `11124`). Switch to mainnet or override RPC:
+Defaults to Abstract mainnet (chain ID `2741`). Override RPC or switch to testnet when needed:
 
 ```bash
 # Mainnet
@@ -132,15 +133,16 @@ Environment variables are also supported:
 ```bash
 AGW_MCP_CHAIN_ID=2741 npx -y @abstract-foundation/agw-mcp serve
 AGW_MCP_RPC_URL=https://api.mainnet.abs.xyz npx -y @abstract-foundation/agw-mcp serve
-AGW_MCP_APP_URL=http://localhost:3001 npx -y @abstract-foundation/agw-mcp init --chain-id 11124
+AGW_MCP_APP_URL=https://mcp.abs.xyz npx -y @abstract-foundation/agw-mcp init --chain-id 2741
 ```
 
 `init` requires `https://` app URLs except for loopback local development URLs (`http://localhost`, `http://127.0.0.1`, `http://[::1]`).
+`init` defaults to `https://mcp.abs.xyz` if no app URL is configured via `--app-url` or `AGW_MCP_APP_URL`.
 
 For local hosted-app development:
 
 ```bash
-npx -y @abstract-foundation/agw-mcp init --chain-id 11124 --app-url http://localhost:3001
+npx -y @abstract-foundation/agw-mcp init --chain-id 2741 --app-url http://localhost:3001
 ```
 
 ## Security Model
@@ -151,6 +153,15 @@ npx -y @abstract-foundation/agw-mcp init --chain-id 11124 --app-url http://local
 - **Restrictive file permissions**: Session storage directory `0o700`, files `0o600`.
 - **Stderr-only logging**: stdout is reserved for MCP stdio transport. All operational logs go to stderr.
 
+### Real Funds Checklist
+
+For production usage with real money:
+
+1. Use a trusted onboarding host (`--app-url` or `AGW_MCP_APP_URL`) and pin it in deployment config.
+2. Start with minimal intent scope (prefer payments-only) and shortest practical expiry.
+3. Keep `execute` off by default and run preview-first workflows where possible.
+4. Revoke sessions after task completion (`revoke_session`) and confirm status with `get_session_status`.
+
 ## Development
 
 ```bash

package/dist/index.mjs

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
+import fs from "node:fs";
 import { Command } from "commander";
 import open from "open";
 import { randomBytes } from "node:crypto";
 import { generatePrivateKey, privateKeyToAccount } from "viem/accounts";
-import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import { sessionKeyValidatorAddress } from "@abstract-foundation/agw-client/constants";
@@ -117,12 +117,24 @@ var SessionStorage = class {
 	}
 	resolveSignerRefForRuntime(data) {
 		if (data.sessionSignerRef.kind === "keyfile") {
-			if (!fs.existsSync(data.sessionSignerRef.value)) return null;
+			if (!fs.existsSync(data.sessionSignerRef.value)) {
+				if (data.status === "revoked") return {
+					...data,
+					sessionSignerRef: {
+						kind: "raw",
+						value: REDACTED_SIGNER_REF$1
+					}
+				};
+				return null;
+			}
 			return data;
 		}
 		const rawValue = data.sessionSignerRef.value.trim();
 		if (rawValue === REDACTED_SIGNER_REF$1) {
-			if (!fs.existsSync(this.signerKeyPath)) return null;
+			if (!fs.existsSync(this.signerKeyPath)) {
+				if (data.status === "revoked") return data;
+				return null;
+			}
 			return {
 				...data,
 				sessionSignerRef: {
@@ -131,7 +143,16 @@ var SessionStorage = class {
 				}
 			};
 		}
-		if (!PRIVATE_KEY_PATTERN$4.test(rawValue)) return null;
+		if (!PRIVATE_KEY_PATTERN$4.test(rawValue)) {
+			if (data.status === "revoked") return {
+				...data,
+				sessionSignerRef: {
+					kind: "raw",
+					value: REDACTED_SIGNER_REF$1
+				}
+			};
+			return null;
+		}
 		return {
 			...data,
 			sessionSignerRef: {
@@ -172,11 +193,23 @@ var SessionStorage = class {
 		} : data;
 		fs.writeFileSync(this.filePath, JSON.stringify(this.sanitizeForPersistence(normalized), null, 2), { mode: 384 });
 	}
-	delete() {
+	deleteFile(filePath, wipe = false) {
 		try {
-			if (fs.existsSync(this.filePath)) fs.unlinkSync(this.filePath);
+			if (!fs.existsSync(filePath)) return;
+			if (wipe) try {
+				const stats = fs.statSync(filePath);
+				if (stats.isFile() && stats.size > 0) fs.writeFileSync(filePath, Buffer.alloc(stats.size), { flag: "r+" });
+			} catch {}
+			fs.unlinkSync(filePath);
 		} catch {}
 	}
+	deleteSignerKeyfile() {
+		this.deleteFile(this.signerKeyPath, true);
+	}
+	delete() {
+		this.deleteFile(this.filePath);
+		this.deleteSignerKeyfile();
+	}
 };
 
 //#endregion
@@ -206,7 +239,7 @@ const SUPPORTED_CHAINS = {
 	[abstractTestnet.id]: abstractTestnet,
 	[abstract.id]: abstract
 };
-const DEFAULT_CHAIN_ID = abstractTestnet.id;
+const DEFAULT_CHAIN_ID = abstract.id;
 function normalizeOptionalString(value) {
 	if (typeof value !== "string") return;
 	const normalized = value.trim();
@@ -891,6 +924,7 @@ const LOOPBACK_HOSTS = new Set([
 	"[::1]"
 ]);
 const BOOTSTRAP_LOCK_STALE_MS = 1800 * 1e3;
+const DEFAULT_ONBOARDING_APP_URL = "https://mcp.abs.xyz";
 function ensurePrivateDir$1(dir) {
 	fs.mkdirSync(dir, {
 		recursive: true,
@@ -1019,7 +1053,11 @@ function isLoopbackHostname(hostname) {
 	return LOOPBACK_HOSTS.has(hostname);
 }
 function resolveAppUrl(options) {
-	return options.appUrl ?? process.env.AGW_MCP_APP_URL ?? "https://app-jarrodwatts.vercel.app";
+	const explicitAppUrl = options.appUrl?.trim();
+	if (explicitAppUrl) return explicitAppUrl;
+	const envAppUrl = process.env.AGW_MCP_APP_URL?.trim();
+	if (envAppUrl) return envAppUrl;
+	return DEFAULT_ONBOARDING_APP_URL;
 }
 function validateAppUrl(appUrl) {
 	let appOrigin;
@@ -1406,7 +1444,7 @@ var AuditLog = class {
 const ADDRESS_PATTERN = /^0x[0-9a-fA-F]{40}$/;
 const SELECTOR_PATTERN = /^0x[0-9a-fA-F]{8}$/;
 const UINT_PATTERN = /^\d+$/;
-const DEFAULT_MAX_SESSION_LIFETIME_SECONDS = 1440 * 60;
+const DEFAULT_MAX_SESSION_LIFETIME_SECONDS = 720 * 60 * 60;
 const EQUAL_CONDITION = 1n;
 const UNSAFE_DESTINATION_SELECTORS = new Set([
 	"0xa22cb465",
@@ -1644,7 +1682,7 @@ var SessionManager = class {
 	constructor(logger, options = {}) {
 		this.logger = logger.child("session");
 		this.storage = new SessionStorage(options.storageDir);
-		this.chainId = options.chainId ?? 11124;
+		this.chainId = options.chainId ?? DEFAULT_CHAIN_ID;
 		this.rpcUrl = options.rpcUrl;
 	}
 	initialize() {
@@ -1678,6 +1716,12 @@ var SessionManager = class {
 			source: "local",
 			checkedAt
 		};
+		if (this.session.status === "revoked") return {
+			status: "Closed",
+			statusCode: 2,
+			source: "local",
+			checkedAt
+		};
 		const networkConfig = this.getNetworkConfig(this.session.chainId);
 		const sessionClient = createSessionClientFromSessionData({
 			session: this.session,
@@ -1714,6 +1758,7 @@ var SessionManager = class {
 			updatedAt: updatedAtUnixSeconds
 		};
 		this.storage.save(this.session);
+		this.storage.deleteSignerKeyfile();
 	}
 	getChainId() {
 		return this.chainId;
@@ -3313,9 +3358,18 @@ var AgwMcpServer = class {
 //#endregion
 //#region src/index.ts
 const logger = new Logger("agw-mcp");
+function resolveCliVersion() {
+	try {
+		const packageJsonUrl = new URL("../package.json", import.meta.url);
+		const packageJsonRaw = fs.readFileSync(packageJsonUrl, "utf8");
+		const parsed = JSON.parse(packageJsonRaw);
+		if (typeof parsed.version === "string" && parsed.version.trim().length > 0) return parsed.version.trim();
+	} catch {}
+	return "0.1.0";
+}
 const program = new Command();
-program.name("agw-mcp").description("Local MCP server for AGW session-key workflows").version("0.1.0");
-program.command("init").description("Bootstrap local AGW MCP session storage").option("--chain-id <chainId>", "EVM chain id (env: AGW_MCP_CHAIN_ID)").option("--rpc-url <rpcUrl>", "RPC URL override (env: AGW_MCP_RPC_URL)").option("--app-url <url>", "Hosted session onboarding URL (env: AGW_MCP_APP_URL)").option("--storage-dir <dir>", "Session storage directory").action(async (options) => {
+program.name("agw-mcp").description("Local MCP server for AGW session-key workflows").version(resolveCliVersion());
+program.command("init").description("Bootstrap local AGW MCP session storage").option("--chain-id <chainId>", "EVM chain id (env: AGW_MCP_CHAIN_ID)").option("--rpc-url <rpcUrl>", "RPC URL override (env: AGW_MCP_RPC_URL)").option("--app-url <url>", "Hosted session onboarding URL (defaults to https://mcp.abs.xyz; env: AGW_MCP_APP_URL)").option("--storage-dir <dir>", "Session storage directory").action(async (options) => {
 	const networkConfig = resolveNetworkConfig({
 		chainId: options.chainId,
 		rpcUrl: options.rpcUrl

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@abstract-foundation/agw-mcp",
-  "version": "0.1.0-beta.3",
+  "version": "0.1.0-beta.6",
   "description": "MCP server for Abstract Global Wallet session-key workflows",
   "license": "MIT",
   "author": "Abstract Foundation",
@@ -71,5 +71,11 @@
     "tsdown": "^0.20.3",
     "tsx": "^4.19.3",
     "typescript": "^5.8.3"
+  },
+  "pnpm": {
+    "overrides": {
+      "ajv": "6.14.0",
+      "minimatch": "10.2.1"
+    }
   }
 }