@muhaven/mcp 0.1.0 → 0.1.2

package/CHANGELOG.md

@@ -7,7 +7,69 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-## [0.1.0] — 2026-05-10
+## [0.1.2] — 2026-05-11
+
+Re-roll of the `0.1.1` workflow-validation cut. `0.1.1` never reached npm:
+the tag pointed at the version-bump commit but the workflow at that SHA
+lacked two fixes that landed on `agenticwave` after the tag was first cut.
+Bumping to `0.1.2` lets the tag reference the latest `agenticwave` HEAD
+which contains both fixes; subsequent releases follow the normal flow.
+
+### Fixed
+
+- **NODE_AUTH_TOKEN was overriding the OIDC trusted-publisher exchange in
+  `.github/workflows/mcp-publish.yml`** (commit `e373e36`). The
+  `actions/setup-node@v4` `registry-url` parameter writes an `.npmrc`
+  with `_authToken=${NODE_AUTH_TOKEN}` placeholder; the GitHub Actions
+  runner's inherited env had `NODE_AUTH_TOKEN` populated (visible in the
+  failing workflow logs as `XXXXX-XXXXX-XXXXX-XXXXX`), so npm tried
+  token-based publish first and 404'd because that token has no
+  permission on `@muhaven/mcp`. Fix: explicit `env: NODE_AUTH_TOKEN: ''`
+  on the publish step forces the `--provenance`-driven OIDC exchange as
+  the sole auth method.
+
+- **OIDC claims diagnostic step added pre-publish** (commit `e373e36`).
+  Prints `github.repository_owner` / `github.repository` /
+  `github.workflow_ref` / `github.event_name` / `github.ref` so that any
+  future Trusted Publisher binding mismatch can be diff'd
+  character-by-character against the npm-side configuration. Surfaced
+  the case-sensitivity gotcha around `repository_owner` that `0.1.1`'s
+  three failed attempts triggered.
+
+### Distribution
+
+- Identical bundle bytes to the `0.1.1` artifact except for the embedded
+  `0.1.2` version strings in `package.json` + `manifest.json`. No code
+  changes to the MCP server or broker daemon. Same `dist/` shape, same
+  16 files in the tarball, same `bin/` entry-points.
+
+## [0.1.1] — 2026-05-11
+
+Workflow-validation cut. `0.1.0` shipped via a one-time manual `npm publish
+--no-provenance` because npm Trusted Publisher could not be configured against
+a non-existent package; this release exercises the `mcp-publish.yml` workflow
+end-to-end on the muhaven.app hosts so subsequent releases carry full Sigstore
+provenance attestations and `npm view dist.signatures` populates.
+
+### Fixed
+
+- Re-runs the publish path through `.github/workflows/mcp-publish.yml`
+  (Workstream D) on the now-configured Trusted Publisher binding for
+  `@muhaven/mcp`. Validates the full OIDC → cosign sign → `npm publish
+  --provenance` → post-publish shasum verify chain that `0.1.0` skipped.
+- No code change relative to `0.1.0`. Bundle bytes identical except for the
+  embedded `0.1.1` version string in `package.json` + `manifest.json`. The
+  `0.1.0` "Provenance" badge gap (visible on the npmjs.com sidebar) closes
+  with this release.
+
+### Distribution
+
+- First release where `npm view @muhaven/mcp@0.1.1 dist.signatures` returns a
+  populated array, `dist.attestations.url` resolves to a GitHub-hosted
+  attestation, and the npmjs.com sidebar shows the "Provenance" badge linked
+  to the workflow run.
+
+
 
 First publishable cut. All publish-readiness security must-fixes (H-1 / H-2 /
 H-3 from `MCP_PUBLISH_READINESS.md` §2) and package-hygiene work landed on
@@ -119,5 +181,7 @@ Workstream H)
     muhaven-mcp-0.1.0.tgz
   ```
 
-[Unreleased]: https://github.com/hasToDev/muhaven/compare/mcp-v0.1.0...HEAD
+[Unreleased]: https://github.com/hasToDev/muhaven/compare/mcp-v0.1.2...HEAD
+[0.1.2]: https://github.com/hasToDev/muhaven/releases/tag/mcp-v0.1.2
+[0.1.1]: https://github.com/hasToDev/muhaven/releases/tag/mcp-v0.1.1
 [0.1.0]: https://github.com/hasToDev/muhaven/releases/tag/mcp-v0.1.0

package/README.md

@@ -1,125 +1,125 @@
-# `@muhaven/mcp` — MCP server for MuHaven RWA portfolios
-
-Confidential RWA portfolio management on Fhenix CoFHE, exposed as a Model
-Context Protocol server installable in Claude Desktop / Cursor / Claude Code.
-
-## What it does
-
-22 tools across five groups (P3 + P7 + P11):
-
-| Group | Tools | Description |
-|---|---|---|
-| `muhaven.read.*` | `portfolio` · `yields` · `distribution` · `tokens` · `audit` · `protection_coverage` · `kyc_attestation` | Read your encrypted-balance portfolio, yield history, audit log, and P11 governance/KYC state |
-| `muhaven.position.*` | `buy` · `sell` · `claim` · `rebalance` | **Propose** trades — returns unsigned UserOps + broker signature; never auto-submits |
-| `muhaven.policy.*` | `set_tier` · `pause` · `audit_export` · `session_key_status` | Manage the tiered-autonomy state machine |
-| `muhaven.issuer.*` | `distribute_yield` · `kyc_add` · `kyc_remove` · `unpause_token` · `audit_query` | Issuer-side: distribute yield, manage KYC whitelist, NAV-set+unpause, query own audit trail |
-| `muhaven.governance.*` | `propose` · `cast_vote` | P11 encrypted-governance ceremony (cast-vote frontend runner deferred to Wave 5) |
-
-`MUHAVEN_READ_ONLY=true` exposes only the 7 `muhaven.read.*` tools.
-
-## Architecture (one paragraph)
-
-The MCP server runs as an MCPB STDIO subprocess of the host LLM (Claude
-Desktop, Cursor, Claude Code). It speaks HTTPS to the MuHaven backend at
-`https://api.muhaven.app` and IPC to a long-running sibling daemon
-called `muhaven-broker`. The broker holds two secrets — your ZeroDev
-session-key private half (for signing UserOps) and your scoped JWT (for
-authenticating to the backend) — both in your OS keychain. The broker
-NEVER speaks TCP and NEVER reaches out to the network. It exposes one
-signing primitive over a Unix socket (POSIX) or named pipe (Windows).
-This split — network-facing MCP server / signing-only broker — is the
-**lethal-trifecta** mitigation: an attacker who compromises the LLM
-process cannot exfiltrate your key without also compromising a separate
-process running under your user.
-
-The `muhaven-broker login` ceremony uses the OAuth 2.0 Device
-Authorization Grant (RFC 8628) — same shape as `gh auth login --web`,
-`wrangler login`, `gcloud auth login`. You never paste a JWT.
-
-## Install (development)
-
-```bash
-# In the muhaven monorepo, from repo root
-pnpm install
-pnpm --filter @muhaven/mcp build
-```
-
-The `bin/` shims will be invokable as `muhaven-mcp` and `muhaven-broker`
-once the package is linked.
-
-## Setup (end-user, post-MCPB-publish)
-
-1. **Install the MCPB package** in your host (Claude Desktop / Cursor / Claude Code).
-2. **Provision a session key.** This is the private half the broker holds for signing UserOps. The dashboard-side mint UI is a Wave 5 deliverable — until then, generate one yourself:
-   ```bash
-   node -e "console.log('0x' + require('crypto').randomBytes(32).toString('hex'))"
-   ```
-   The corresponding kernel session key install on-chain runs through the dashboard `/agent/policy/transition` flow (one-time per tier). For read-only smokes you can skip the install — the broker only needs the private half to start.
-3. **Start the broker daemon.** Set `MUHAVEN_BROKER_SESSION_KEY=0x…` and run:
-   ```bash
-   muhaven-broker
-   ```
-   Recipes for systemd / launchd / Windows Service in `docs/runbook.md` (TODO).
-4. **Authenticate via device-code flow:**
-   ```bash
-   muhaven-broker login
-   ```
-   The broker prints a URL like `https://muhaven.app/link?code=ABCD-1234` and (when not run with `--no-launch-browser`) opens it. Sign in with your passkey on the dashboard, verify the device fingerprint shown on the `/link` page, click **Authorize**. The CLI exits with success when the JWT lands in your keystore.
-5. **Use any MCP tool** from your host LLM. First call may take a moment as the broker fetches the JWT from the keystore.
-
-> **Windows / WSL2 / devcontainer / SSH-remote operators:** export `MUHAVEN_KEYRING=file` to skip the OS-keychain probe and use the file-backed keystore at `~/.muhaven/jwt` (mode 0600, parent dir mode 0700). The keychain backend depends on `@napi-rs/keyring` which needs platform-specific build prerequisites; the file fallback works everywhere.
-
-## Hardening invariants (`THREAT_MODEL_P0.md` aligned)
-
-- **Transport is STDIO + Unix-socket only.** The MCP server's `StdioServerTransport` is the only transport mounted; the broker's IPC is a Unix socket on POSIX (parent dir mode `0700`, socket file mode `0600`) or a per-user named pipe on Windows. **Never bind TCP.**
-- **`mcp-remote` is banned.** CVE-2025-6514 disclosed an arbitrary-command-execution path through that proxy. Do not use it; do not set `MUHAVEN_BACKEND_URL` to anything that wraps it.
-- **`CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1`** is recommended in your shell rc when running Claude Code locally — it prevents inherited env vars from leaking into the MCP subprocess. The MCP package's `MUHAVEN_*` env vars are read at boot, but adopting the scrub habit limits collateral exposure.
-- **Tool descriptions are pinned** at build time in `tool-hashes.json`. The server exits with code 70 (`EX_CONFIG`) on startup if the live descriptors don't match the pinned hashes — defends against tool-description-poisoning patches per the mcp-context-protector pattern (post-MCPoison, March 2026).
-- **Position tools never auto-submit.** They return an unsigned UserOp envelope plus a broker signature. The host LLM is expected to present this to the user for explicit confirmation before bundler submission. The MCP server does not speak to any bundler.
-
-## Environment variables
-
-| Var | Required | Default | Purpose |
-|---|---|---|---|
-| `MUHAVEN_BACKEND_URL` | no | `https://api.muhaven.app` | Backend host. Use staging URL for development. |
-| `MUHAVEN_DASHBOARD_URL` | no | `https://muhaven.app` | Dashboard origin used for the `/link` URL. |
-| `MUHAVEN_BROKER_ENDPOINT` | no | `~/.muhaven/broker.sock` (POSIX) / `\\.\pipe\muhaven-broker-<user>` (Windows) | IPC path. Set if running multiple isolated brokers. |
-| `MUHAVEN_BROKER_SESSION_KEY` | **yes** (broker) | — | 0x-prefixed 32-byte hex; the session-key private half. |
-| `MUHAVEN_READ_ONLY` | no | `false` | When `true`, only `muhaven.read.*` tools are registered. |
-| `MUHAVEN_KEYRING` | no | auto | Set to `file` to force the file-backed keystore (required on WSL2 / devcontainer / SSH-remote). |
-| `MUHAVEN_REQUEST_TIMEOUT_MS` | no | `15000` | Backend HTTP timeout. |
-| `MUHAVEN_BROKER_TIMEOUT_MS` | no | `5000` | Broker IPC timeout. |
-| `MUHAVEN_JWT_CACHE_TTL_SEC` | no | `30` | In-process JWT cache TTL. |
-| `MUHAVEN_BROKER_MAX_BYTES` | no | `65536` | Per-request payload cap on the broker IPC. |
-
-The MCPB `manifest.json` declares the user-facing subset (`backend_url`, `dashboard_url`, `broker_endpoint`, `read_only`); the host's secret manager handles the values.
-
-## CLI subcommands (`muhaven-broker`)
-
-| Command | Effect |
-|---|---|
-| (none) | Run the daemon (production mode). |
-| `muhaven-broker login [--no-launch-browser]` | Run the device-code ceremony; on success store the JWT in the keystore. |
-| `muhaven-broker logout` | Clear the JWT from the keystore. |
-| `muhaven-broker doctor` | Print environment + keystore + reachability report. |
-
-## Threat model in 30 seconds
-
-Per `development/DEV_WAVE_4/THREAT_MODEL_P0.md`:
-
-| Risk | Control |
-|---|---|
-| **R-1** Prompt injection escalating into a tx | Position tools return *unsigned* UserOps; host MUST present to user for explicit passkey confirmation. |
-| **R-2** Hallucinated tool call | Strict-enum tool registry + `additionalProperties: false` Zod schemas. |
-| **R-3** Replay of confirmation tokens | Single-use server-side nonced tokens via existing P1 confirm-token-service. |
-| **R-6** ZeroDev session-key escape | Session key lives in broker keystore (OS keychain) — never in the LLM-process env. |
-| **R-7** MCP env-block exfiltration | MCPB `sensitive: true` for secrets → OS keychain; broker isolation; no plaintext disk. |
-| **R-8** FHE ACL bypass | Backend enforces every read; MCP server never decrypts FHE handles. |
-
-## License
-
-MIT
-
-## Status: `0.1.0` — first publish-ready cut
-
-Wave 4 Phase P3 deliverable per `development/DEV_WAVE_4/PROGRESS.md`. Workstreams A–D of the npm-publish ceremony (security must-fixes, `package.json` hygiene, `LICENSE` + `CHANGELOG`, GitHub Actions workflows) are landed on `agenticwave`; the actual `npm publish` is operator-driven via the tag-push of `mcp-v0.1.0` against the `npm-publish` GitHub Environment (2-reviewer gate · OIDC trusted-publishing · Sigstore provenance). See `development/DEV_WAVE_4/MCP_PUBLISH_READINESS.md` §6 for the operator runbook.
+# `@muhaven/mcp` — MCP server for MuHaven RWA portfolios
+
+Confidential RWA portfolio management on Fhenix CoFHE, exposed as a Model
+Context Protocol server installable in Claude Desktop / Cursor / Claude Code.
+
+## What it does
+
+22 tools across five groups (P3 + P7 + P11):
+
+| Group | Tools | Description |
+|---|---|---|
+| `muhaven.read.*` | `portfolio` · `yields` · `distribution` · `tokens` · `audit` · `protection_coverage` · `kyc_attestation` | Read your encrypted-balance portfolio, yield history, audit log, and P11 governance/KYC state |
+| `muhaven.position.*` | `buy` · `sell` · `claim` · `rebalance` | **Propose** trades — returns unsigned UserOps + broker signature; never auto-submits |
+| `muhaven.policy.*` | `set_tier` · `pause` · `audit_export` · `session_key_status` | Manage the tiered-autonomy state machine |
+| `muhaven.issuer.*` | `distribute_yield` · `kyc_add` · `kyc_remove` · `unpause_token` · `audit_query` | Issuer-side: distribute yield, manage KYC whitelist, NAV-set+unpause, query own audit trail |
+| `muhaven.governance.*` | `propose` · `cast_vote` | P11 encrypted-governance ceremony (cast-vote frontend runner deferred to Wave 5) |
+
+`MUHAVEN_READ_ONLY=true` exposes only the 7 `muhaven.read.*` tools.
+
+## Architecture (one paragraph)
+
+The MCP server runs as an MCPB STDIO subprocess of the host LLM (Claude
+Desktop, Cursor, Claude Code). It speaks HTTPS to the MuHaven backend at
+`https://api.muhaven.app` and IPC to a long-running sibling daemon
+called `muhaven-broker`. The broker holds two secrets — your ZeroDev
+session-key private half (for signing UserOps) and your scoped JWT (for
+authenticating to the backend) — both in your OS keychain. The broker
+NEVER speaks TCP and NEVER reaches out to the network. It exposes one
+signing primitive over a Unix socket (POSIX) or named pipe (Windows).
+This split — network-facing MCP server / signing-only broker — is the
+**lethal-trifecta** mitigation: an attacker who compromises the LLM
+process cannot exfiltrate your key without also compromising a separate
+process running under your user.
+
+The `muhaven-broker login` ceremony uses the OAuth 2.0 Device
+Authorization Grant (RFC 8628) — same shape as `gh auth login --web`,
+`wrangler login`, `gcloud auth login`. You never paste a JWT.
+
+## Install (development)
+
+```bash
+# In the muhaven monorepo, from repo root
+pnpm install
+pnpm --filter @muhaven/mcp build
+```
+
+The `bin/` shims will be invokable as `muhaven-mcp` and `muhaven-broker`
+once the package is linked.
+
+## Setup (end-user, post-MCPB-publish)
+
+1. **Install the MCPB package** in your host (Claude Desktop / Cursor / Claude Code).
+2. **Provision a session key.** This is the private half the broker holds for signing UserOps. The dashboard-side mint UI is a Wave 5 deliverable — until then, generate one yourself:
+   ```bash
+   node -e "console.log('0x' + require('crypto').randomBytes(32).toString('hex'))"
+   ```
+   The corresponding kernel session key install on-chain runs through the dashboard `/agent/policy/transition` flow (one-time per tier). For read-only smokes you can skip the install — the broker only needs the private half to start.
+3. **Start the broker daemon.** Set `MUHAVEN_BROKER_SESSION_KEY=0x…` and run:
+   ```bash
+   muhaven-broker
+   ```
+   Recipes for systemd / launchd / Windows Service in `docs/runbook.md` (TODO).
+4. **Authenticate via device-code flow:**
+   ```bash
+   muhaven-broker login
+   ```
+   The broker prints a URL like `https://muhaven.app/link?code=ABCD-1234` and (when not run with `--no-launch-browser`) opens it. Sign in with your passkey on the dashboard, verify the device fingerprint shown on the `/link` page, click **Authorize**. The CLI exits with success when the JWT lands in your keystore.
+5. **Use any MCP tool** from your host LLM. First call may take a moment as the broker fetches the JWT from the keystore.
+
+> **Windows / WSL2 / devcontainer / SSH-remote operators:** export `MUHAVEN_KEYRING=file` to skip the OS-keychain probe and use the file-backed keystore at `~/.muhaven/jwt` (mode 0600, parent dir mode 0700). The keychain backend depends on `@napi-rs/keyring` which needs platform-specific build prerequisites; the file fallback works everywhere.
+
+## Hardening invariants (`THREAT_MODEL_P0.md` aligned)
+
+- **Transport is STDIO + Unix-socket only.** The MCP server's `StdioServerTransport` is the only transport mounted; the broker's IPC is a Unix socket on POSIX (parent dir mode `0700`, socket file mode `0600`) or a per-user named pipe on Windows. **Never bind TCP.**
+- **`mcp-remote` is banned.** CVE-2025-6514 disclosed an arbitrary-command-execution path through that proxy. Do not use it; do not set `MUHAVEN_BACKEND_URL` to anything that wraps it.
+- **`CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1`** is recommended in your shell rc when running Claude Code locally — it prevents inherited env vars from leaking into the MCP subprocess. The MCP package's `MUHAVEN_*` env vars are read at boot, but adopting the scrub habit limits collateral exposure.
+- **Tool descriptions are pinned** at build time in `tool-hashes.json`. The server exits with code 70 (`EX_CONFIG`) on startup if the live descriptors don't match the pinned hashes — defends against tool-description-poisoning patches per the mcp-context-protector pattern (post-MCPoison, March 2026).
+- **Position tools never auto-submit.** They return an unsigned UserOp envelope plus a broker signature. The host LLM is expected to present this to the user for explicit confirmation before bundler submission. The MCP server does not speak to any bundler.
+
+## Environment variables
+
+| Var | Required | Default | Purpose |
+|---|---|---|---|
+| `MUHAVEN_BACKEND_URL` | no | `https://api.muhaven.app` | Backend host. Use staging URL for development. |
+| `MUHAVEN_DASHBOARD_URL` | no | `https://muhaven.app` | Dashboard origin used for the `/link` URL. |
+| `MUHAVEN_BROKER_ENDPOINT` | no | `~/.muhaven/broker.sock` (POSIX) / `\\.\pipe\muhaven-broker-<user>` (Windows) | IPC path. Set if running multiple isolated brokers. |
+| `MUHAVEN_BROKER_SESSION_KEY` | **yes** (broker) | — | 0x-prefixed 32-byte hex; the session-key private half. |
+| `MUHAVEN_READ_ONLY` | no | `false` | When `true`, only `muhaven.read.*` tools are registered. |
+| `MUHAVEN_KEYRING` | no | auto | Set to `file` to force the file-backed keystore (required on WSL2 / devcontainer / SSH-remote). |
+| `MUHAVEN_REQUEST_TIMEOUT_MS` | no | `15000` | Backend HTTP timeout. |
+| `MUHAVEN_BROKER_TIMEOUT_MS` | no | `5000` | Broker IPC timeout. |
+| `MUHAVEN_JWT_CACHE_TTL_SEC` | no | `30` | In-process JWT cache TTL. |
+| `MUHAVEN_BROKER_MAX_BYTES` | no | `65536` | Per-request payload cap on the broker IPC. |
+
+The MCPB `manifest.json` declares the user-facing subset (`backend_url`, `dashboard_url`, `broker_endpoint`, `read_only`); the host's secret manager handles the values.
+
+## CLI subcommands (`muhaven-broker`)
+
+| Command | Effect |
+|---|---|
+| (none) | Run the daemon (production mode). |
+| `muhaven-broker login [--no-launch-browser]` | Run the device-code ceremony; on success store the JWT in the keystore. |
+| `muhaven-broker logout` | Clear the JWT from the keystore. |
+| `muhaven-broker doctor` | Print environment + keystore + reachability report. |
+
+## Threat model in 30 seconds
+
+Per `development/DEV_WAVE_4/THREAT_MODEL_P0.md`:
+
+| Risk | Control |
+|---|---|
+| **R-1** Prompt injection escalating into a tx | Position tools return *unsigned* UserOps; host MUST present to user for explicit passkey confirmation. |
+| **R-2** Hallucinated tool call | Strict-enum tool registry + `additionalProperties: false` Zod schemas. |
+| **R-3** Replay of confirmation tokens | Single-use server-side nonced tokens via existing P1 confirm-token-service. |
+| **R-6** ZeroDev session-key escape | Session key lives in broker keystore (OS keychain) — never in the LLM-process env. |
+| **R-7** MCP env-block exfiltration | MCPB `sensitive: true` for secrets → OS keychain; broker isolation; no plaintext disk. |
+| **R-8** FHE ACL bypass | Backend enforces every read; MCP server never decrypts FHE handles. |
+
+## License
+
+MIT
+
+## Status: `0.1.0` — first publish-ready cut
+
+Wave 4 Phase P3 deliverable per `development/DEV_WAVE_4/PROGRESS.md`. Workstreams A–D of the npm-publish ceremony (security must-fixes, `package.json` hygiene, `LICENSE` + `CHANGELOG`, GitHub Actions workflows) are landed on `agenticwave`; the actual `npm publish` is operator-driven via the tag-push of `mcp-v0.1.0` against the `npm-publish` GitHub Environment (2-reviewer gate · OIDC trusted-publishing · Sigstore provenance). See `development/DEV_WAVE_4/MCP_PUBLISH_READINESS.md` §6 for the operator runbook.

package/bin/muhaven-broker.cjs

@@ -1,11 +1,11 @@
-#!/usr/bin/env node
-/* eslint-disable */
-const { runCli } = require('../dist/broker.cjs');
-
-runCli(process.argv.slice(2)).then(
-  (code) => process.exit(code ?? 0),
-  (err) => {
-    process.stderr.write(`fatal: ${err && err.stack ? err.stack : String(err)}\n`);
-    process.exit(1);
-  },
-);
+#!/usr/bin/env node
+/* eslint-disable */
+const { runCli } = require('../dist/broker.cjs');
+
+runCli(process.argv.slice(2)).then(
+  (code) => process.exit(code ?? 0),
+  (err) => {
+    process.stderr.write(`fatal: ${err && err.stack ? err.stack : String(err)}\n`);
+    process.exit(1);
+  },
+);

package/bin/muhaven-mcp.cjs

@@ -1,11 +1,11 @@
-#!/usr/bin/env node
-/* eslint-disable */
-const { runMcpStdioCli } = require('../dist/index.cjs');
-
-runMcpStdioCli().then(
-  () => process.exit(0),
-  (err) => {
-    process.stderr.write(`fatal: ${err && err.stack ? err.stack : String(err)}\n`);
-    process.exit(1);
-  },
-);
+#!/usr/bin/env node
+/* eslint-disable */
+const { runMcpStdioCli } = require('../dist/index.cjs');
+
+runMcpStdioCli().then(
+  () => process.exit(0),
+  (err) => {
+    process.stderr.write(`fatal: ${err && err.stack ? err.stack : String(err)}\n`);
+    process.exit(1);
+  },
+);

package/manifest.json

@@ -1,98 +1,98 @@
-{
-  "$comment": "MCPB v0.2 manifest for @muhaven/mcp. Per ADR-3 the JWT is acquired via the device-code ceremony and stored in the broker's keystore — it is NOT a user_config entry. Sensitive items declared here are limited to the broker session-key + IPC endpoint overrides.",
-  "manifest_version": "0.2",
-  "name": "muhaven-mcp",
-  "display_name": "MuHaven (RWA portfolio)",
-  "version": "0.1.0",
-  "description": "Confidential RWA portfolio management on Fhenix CoFHE. Read your encrypted balances, propose yield claims and policy changes — all signing happens in a sibling broker daemon, the LLM never sees your private key.",
-  "long_description": "MuHaven MCP exposes 22 tools across read.* / position.* / policy.* / issuer.* / governance.* groups for managing real-world asset (RWA) tokens with FHE-encrypted balances. Authentication uses a one-time device-code ceremony (run `muhaven-broker login`); subsequent tool calls fetch the JWT from the broker over a Unix socket. Position / governance tools return unsigned UserOps + broker signatures — they NEVER auto-submit to a bundler. The companion `muhaven-broker` daemon must be running before tools can be invoked. See README for setup.",
-  "author": {
-    "name": "MuHaven",
-    "email": "hello@muhaven.app",
-    "url": "https://muhaven.app"
-  },
-  "homepage": "https://muhaven.app",
-  "documentation": "https://github.com/hasToDev/muhaven/blob/master/packages/mcp/README.md",
-  "support": "https://github.com/hasToDev/muhaven/issues",
-  "license": "MIT",
-  "keywords": ["fhe", "fhenix", "rwa", "claude", "mcp", "muhaven"],
-  "compatibility": {
-    "platforms": ["darwin", "win32", "linux"],
-    "runtimes": {
-      "node": ">=20.0.0"
-    }
-  },
-  "server": {
-    "type": "node",
-    "entry_point": "dist/index.cjs",
-    "mcp_config": {
-      "command": "node",
-      "args": ["${__dirname}/dist/index.cjs"],
-      "env": {
-        "MUHAVEN_BACKEND_URL": "${user_config.backend_url}",
-        "MUHAVEN_DASHBOARD_URL": "${user_config.dashboard_url}",
-        "MUHAVEN_BROKER_ENDPOINT": "${user_config.broker_endpoint}",
-        "MUHAVEN_READ_ONLY": "${user_config.read_only}"
-      }
-    }
-  },
-  "tools": [
-    { "name": "muhaven.read.portfolio", "description": "Encrypted-balance portfolio summary; aggregates only.", "sensitive": false },
-    { "name": "muhaven.read.yields", "description": "Per-token yield history (cleartext aggregates).", "sensitive": false },
-    { "name": "muhaven.read.distribution", "description": "Distribution status for a (token, epoch).", "sensitive": false },
-    { "name": "muhaven.read.tokens", "description": "RWA tokens the user holds.", "sensitive": false },
-    { "name": "muhaven.read.audit", "description": "User's tiered-autonomy audit log.", "sensitive": false },
-    { "name": "muhaven.position.buy", "description": "Propose a Subscription buy. Returns unsigned UserOp.", "sensitive": true },
-    { "name": "muhaven.position.sell", "description": "Propose a redemption-queue sell. Returns unsigned UserOp.", "sensitive": true },
-    { "name": "muhaven.position.claim", "description": "Propose a yield claim. Returns unsigned UserOp.", "sensitive": true },
-    { "name": "muhaven.position.rebalance", "description": "Propose a multi-leg atomic rebalance.", "sensitive": true },
-    { "name": "muhaven.policy.set_tier", "description": "Request / commit a tiered-autonomy transition.", "sensitive": true },
-    { "name": "muhaven.policy.pause", "description": "Activate /pause kill-switch.", "sensitive": true },
-    { "name": "muhaven.policy.audit_export", "description": "Drain the audit log to JSON.", "sensitive": false },
-    { "name": "muhaven.policy.session_key_status", "description": "Inspect ZeroDev session-key state.", "sensitive": false },
-    { "name": "muhaven.issuer.distribute_yield", "description": "Propose a yield distribution. Issuer-only.", "sensitive": true },
-    { "name": "muhaven.issuer.kyc_add", "description": "Propose adding an investor to the ERC-3643 whitelist. Issuer-only.", "sensitive": true },
-    { "name": "muhaven.issuer.kyc_remove", "description": "Propose removing an investor from the ERC-3643 whitelist. Issuer-only.", "sensitive": true },
-    { "name": "muhaven.issuer.unpause_token", "description": "Propose set-NAV-and-unpause for a freshly-deployed token. Issuer-only.", "sensitive": true },
-    { "name": "muhaven.issuer.audit_query", "description": "Read your own tiered-autonomy audit log (issuer-self).", "sensitive": false },
-    { "name": "muhaven.read.protection_coverage", "description": "Read the on-chain DefaultProtection coverage state for a token (P11).", "sensitive": false },
-    { "name": "muhaven.read.kyc_attestation", "description": "Read the KYC attestation registry status for an investor (P11).", "sensitive": false },
-    { "name": "muhaven.governance.propose", "description": "Propose an EncryptedGovernance vote. Returns unsigned UserOp (P11).", "sensitive": true },
-    { "name": "muhaven.governance.cast_vote", "description": "Cast an encrypted vote on an open proposal. Returns unsigned UserOp (P11; runner deferred to Wave 5).", "sensitive": true }
-  ],
-  "user_config": [
-    {
-      "key": "backend_url",
-      "type": "string",
-      "title": "MuHaven backend URL",
-      "description": "Backend host. Default: https://api.muhaven.app (production). Use https://api-stage.muhaven.app for staging.",
-      "default": "https://api.muhaven.app",
-      "sensitive": false
-    },
-    {
-      "key": "dashboard_url",
-      "type": "string",
-      "title": "MuHaven dashboard URL",
-      "description": "Dashboard origin used by the device-code authorization page (/link). Default: https://muhaven.app. Hardcoded for phishing resistance — do not change unless you know what you are doing.",
-      "default": "https://muhaven.app",
-      "sensitive": false
-    },
-    {
-      "key": "broker_endpoint",
-      "type": "string",
-      "title": "muhaven-broker IPC endpoint",
-      "description": "Path to the broker's Unix socket (POSIX) or named pipe (Windows). Leave blank to use the per-user default.",
-      "default": "",
-      "sensitive": false
-    },
-    {
-      "key": "read_only",
-      "type": "boolean",
-      "title": "Read-only mode",
-      "description": "When enabled, only the muhaven.read.* toolset is exposed; position.* and policy.* tools are not registered.",
-      "default": false,
-      "sensitive": false
-    }
-  ],
-  "$comment_setup": "First-run instructions: (1) install this package via your MCPB host (Claude Desktop / Cursor / Claude Code). (2) Start the broker daemon: `muhaven-broker` (running in the background; see README for systemd / launchd / Windows-Service recipes). (3) Authenticate: `muhaven-broker login` — opens browser to https://muhaven.app/link?code=XXXX-XXXX, complete passkey ceremony. (4) Use any tool in this MCP package."
-}
+{
+  "$comment": "MCPB v0.2 manifest for @muhaven/mcp. Per ADR-3 the JWT is acquired via the device-code ceremony and stored in the broker's keystore — it is NOT a user_config entry. Sensitive items declared here are limited to the broker session-key + IPC endpoint overrides.",
+  "manifest_version": "0.2",
+  "name": "muhaven-mcp",
+  "display_name": "MuHaven (RWA portfolio)",
+  "version": "0.1.2",
+  "description": "Confidential RWA portfolio management on Fhenix CoFHE. Read your encrypted balances, propose yield claims and policy changes — all signing happens in a sibling broker daemon, the LLM never sees your private key.",
+  "long_description": "MuHaven MCP exposes 22 tools across read.* / position.* / policy.* / issuer.* / governance.* groups for managing real-world asset (RWA) tokens with FHE-encrypted balances. Authentication uses a one-time device-code ceremony (run `muhaven-broker login`); subsequent tool calls fetch the JWT from the broker over a Unix socket. Position / governance tools return unsigned UserOps + broker signatures — they NEVER auto-submit to a bundler. The companion `muhaven-broker` daemon must be running before tools can be invoked. See README for setup.",
+  "author": {
+    "name": "MuHaven",
+    "email": "hello@muhaven.app",
+    "url": "https://muhaven.app"
+  },
+  "homepage": "https://muhaven.app",
+  "documentation": "https://github.com/hasToDev/muhaven/blob/master/packages/mcp/README.md",
+  "support": "https://github.com/hasToDev/muhaven/issues",
+  "license": "MIT",
+  "keywords": ["fhe", "fhenix", "rwa", "claude", "mcp", "muhaven"],
+  "compatibility": {
+    "platforms": ["darwin", "win32", "linux"],
+    "runtimes": {
+      "node": ">=20.0.0"
+    }
+  },
+  "server": {
+    "type": "node",
+    "entry_point": "dist/index.cjs",
+    "mcp_config": {
+      "command": "node",
+      "args": ["${__dirname}/dist/index.cjs"],
+      "env": {
+        "MUHAVEN_BACKEND_URL": "${user_config.backend_url}",
+        "MUHAVEN_DASHBOARD_URL": "${user_config.dashboard_url}",
+        "MUHAVEN_BROKER_ENDPOINT": "${user_config.broker_endpoint}",
+        "MUHAVEN_READ_ONLY": "${user_config.read_only}"
+      }
+    }
+  },
+  "tools": [
+    { "name": "muhaven.read.portfolio", "description": "Encrypted-balance portfolio summary; aggregates only.", "sensitive": false },
+    { "name": "muhaven.read.yields", "description": "Per-token yield history (cleartext aggregates).", "sensitive": false },
+    { "name": "muhaven.read.distribution", "description": "Distribution status for a (token, epoch).", "sensitive": false },
+    { "name": "muhaven.read.tokens", "description": "RWA tokens the user holds.", "sensitive": false },
+    { "name": "muhaven.read.audit", "description": "User's tiered-autonomy audit log.", "sensitive": false },
+    { "name": "muhaven.position.buy", "description": "Propose a Subscription buy. Returns unsigned UserOp.", "sensitive": true },
+    { "name": "muhaven.position.sell", "description": "Propose a redemption-queue sell. Returns unsigned UserOp.", "sensitive": true },
+    { "name": "muhaven.position.claim", "description": "Propose a yield claim. Returns unsigned UserOp.", "sensitive": true },
+    { "name": "muhaven.position.rebalance", "description": "Propose a multi-leg atomic rebalance.", "sensitive": true },
+    { "name": "muhaven.policy.set_tier", "description": "Request / commit a tiered-autonomy transition.", "sensitive": true },
+    { "name": "muhaven.policy.pause", "description": "Activate /pause kill-switch.", "sensitive": true },
+    { "name": "muhaven.policy.audit_export", "description": "Drain the audit log to JSON.", "sensitive": false },
+    { "name": "muhaven.policy.session_key_status", "description": "Inspect ZeroDev session-key state.", "sensitive": false },
+    { "name": "muhaven.issuer.distribute_yield", "description": "Propose a yield distribution. Issuer-only.", "sensitive": true },
+    { "name": "muhaven.issuer.kyc_add", "description": "Propose adding an investor to the ERC-3643 whitelist. Issuer-only.", "sensitive": true },
+    { "name": "muhaven.issuer.kyc_remove", "description": "Propose removing an investor from the ERC-3643 whitelist. Issuer-only.", "sensitive": true },
+    { "name": "muhaven.issuer.unpause_token", "description": "Propose set-NAV-and-unpause for a freshly-deployed token. Issuer-only.", "sensitive": true },
+    { "name": "muhaven.issuer.audit_query", "description": "Read your own tiered-autonomy audit log (issuer-self).", "sensitive": false },
+    { "name": "muhaven.read.protection_coverage", "description": "Read the on-chain DefaultProtection coverage state for a token (P11).", "sensitive": false },
+    { "name": "muhaven.read.kyc_attestation", "description": "Read the KYC attestation registry status for an investor (P11).", "sensitive": false },
+    { "name": "muhaven.governance.propose", "description": "Propose an EncryptedGovernance vote. Returns unsigned UserOp (P11).", "sensitive": true },
+    { "name": "muhaven.governance.cast_vote", "description": "Cast an encrypted vote on an open proposal. Returns unsigned UserOp (P11; runner deferred to Wave 5).", "sensitive": true }
+  ],
+  "user_config": [
+    {
+      "key": "backend_url",
+      "type": "string",
+      "title": "MuHaven backend URL",
+      "description": "Backend host. Default: https://api.muhaven.app (production). Use https://api-stage.muhaven.app for staging.",
+      "default": "https://api.muhaven.app",
+      "sensitive": false
+    },
+    {
+      "key": "dashboard_url",
+      "type": "string",
+      "title": "MuHaven dashboard URL",
+      "description": "Dashboard origin used by the device-code authorization page (/link). Default: https://muhaven.app. Hardcoded for phishing resistance — do not change unless you know what you are doing.",
+      "default": "https://muhaven.app",
+      "sensitive": false
+    },
+    {
+      "key": "broker_endpoint",
+      "type": "string",
+      "title": "muhaven-broker IPC endpoint",
+      "description": "Path to the broker's Unix socket (POSIX) or named pipe (Windows). Leave blank to use the per-user default.",
+      "default": "",
+      "sensitive": false
+    },
+    {
+      "key": "read_only",
+      "type": "boolean",
+      "title": "Read-only mode",
+      "description": "When enabled, only the muhaven.read.* toolset is exposed; position.* and policy.* tools are not registered.",
+      "default": false,
+      "sensitive": false
+    }
+  ],
+  "$comment_setup": "First-run instructions: (1) install this package via your MCPB host (Claude Desktop / Cursor / Claude Code). (2) Start the broker daemon: `muhaven-broker` (running in the background; see README for systemd / launchd / Windows-Service recipes). (3) Authenticate: `muhaven-broker login` — opens browser to https://muhaven.app/link?code=XXXX-XXXX, complete passkey ceremony. (4) Use any tool in this MCP package."
+}

package/package.json

@@ -1,104 +1,104 @@
-{
-  "name": "@muhaven/mcp",
-  "version": "0.1.0",
-  "description": "MuHaven MCP server — read/position/policy toolsets bridging Claude Desktop / Cursor / Claude Code to the MuHaven backend, with a sibling muhaven-broker daemon holding the session-key private half over a local IPC socket",
-  "type": "module",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/hasToDev/muhaven.git",
-    "directory": "packages/mcp"
-  },
-  "bugs": {
-    "url": "https://github.com/hasToDev/muhaven/issues"
-  },
-  "homepage": "https://github.com/hasToDev/muhaven/tree/master/packages/mcp",
-  "publishConfig": {
-    "access": "public",
-    "registry": "https://registry.npmjs.org/",
-    "provenance": true
-  },
-  "sideEffects": false,
-  "main": "./dist/index.cjs",
-  "module": "./dist/index.js",
-  "types": "./dist/index.d.ts",
-  "exports": {
-    ".": {
-      "import": {
-        "types": "./dist/index.d.ts",
-        "default": "./dist/index.js"
-      },
-      "require": {
-        "types": "./dist/index.d.cts",
-        "default": "./dist/index.cjs"
-      }
-    },
-    "./broker": {
-      "import": {
-        "types": "./dist/broker.d.ts",
-        "default": "./dist/broker.js"
-      },
-      "require": {
-        "types": "./dist/broker.d.cts",
-        "default": "./dist/broker.cjs"
-      }
-    },
-    "./package.json": "./package.json"
-  },
-  "bin": {
-    "muhaven-mcp": "./bin/muhaven-mcp.cjs",
-    "muhaven-broker": "./bin/muhaven-broker.cjs"
-  },
-  "files": [
-    "dist",
-    "bin",
-    "manifest.json",
-    "tool-hashes.json",
-    "README.md",
-    "CHANGELOG.md",
-    "LICENSE"
-  ],
-  "scripts": {
-    "build": "tsup",
-    "dev": "MUHAVEN_DEV_BUILD=1 tsup --watch",
-    "clean": "rimraf dist",
-    "typecheck": "tsc --noEmit",
-    "test": "vitest run",
-    "test:watch": "vitest",
-    "verify-tool-hashes": "tsx scripts/verify-tool-hashes.ts",
-    "prepublishOnly": "pnpm clean && pnpm build && pnpm typecheck && pnpm test && pnpm verify-tool-hashes -- --check"
-  },
-  "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.0.4",
-    "viem": "^2.47.0",
-    "zod": "^3.24.0"
-  },
-  "optionalDependencies": {
-    "@napi-rs/keyring": "^1.1.0"
-  },
-  "devDependencies": {
-    "@types/node": "^22.0.0",
-    "rimraf": "^5.0.0",
-    "tsup": "^8.5.1",
-    "tsx": "^4.21.0",
-    "typescript": "^5.7.0",
-    "vitest": "^3.0.0"
-  },
-  "engines": {
-    "node": ">=20.0.0",
-    "pnpm": ">=9.0.0"
-  },
-  "keywords": [
-    "mcp",
-    "model-context-protocol",
-    "mcpb",
-    "fhe",
-    "fhenix",
-    "muhaven",
-    "rwa",
-    "claude",
-    "agentic",
-    "web3",
-    "erc-3643"
-  ],
-  "license": "MIT"
-}
+{
+  "name": "@muhaven/mcp",
+  "version": "0.1.2",
+  "description": "MuHaven MCP server — read/position/policy toolsets bridging Claude Desktop / Cursor / Claude Code to the MuHaven backend, with a sibling muhaven-broker daemon holding the session-key private half over a local IPC socket",
+  "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/hasToDev/muhaven.git",
+    "directory": "packages/mcp"
+  },
+  "bugs": {
+    "url": "https://github.com/hasToDev/muhaven/issues"
+  },
+  "homepage": "https://github.com/hasToDev/muhaven/tree/master/packages/mcp",
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/",
+    "provenance": true
+  },
+  "sideEffects": false,
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    },
+    "./broker": {
+      "import": {
+        "types": "./dist/broker.d.ts",
+        "default": "./dist/broker.js"
+      },
+      "require": {
+        "types": "./dist/broker.d.cts",
+        "default": "./dist/broker.cjs"
+      }
+    },
+    "./package.json": "./package.json"
+  },
+  "bin": {
+    "muhaven-mcp": "./bin/muhaven-mcp.cjs",
+    "muhaven-broker": "./bin/muhaven-broker.cjs"
+  },
+  "files": [
+    "dist",
+    "bin",
+    "manifest.json",
+    "tool-hashes.json",
+    "README.md",
+    "CHANGELOG.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "MUHAVEN_DEV_BUILD=1 tsup --watch",
+    "clean": "rimraf dist",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "verify-tool-hashes": "tsx scripts/verify-tool-hashes.ts",
+    "prepublishOnly": "pnpm clean && pnpm build && pnpm typecheck && pnpm test && pnpm verify-tool-hashes -- --check"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.4",
+    "viem": "^2.47.0",
+    "zod": "^3.24.0"
+  },
+  "optionalDependencies": {
+    "@napi-rs/keyring": "^1.1.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "rimraf": "^5.0.0",
+    "tsup": "^8.5.1",
+    "tsx": "^4.21.0",
+    "typescript": "^5.7.0",
+    "vitest": "^3.0.0"
+  },
+  "engines": {
+    "node": ">=20.0.0",
+    "pnpm": ">=9.0.0"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "mcpb",
+    "fhe",
+    "fhenix",
+    "muhaven",
+    "rwa",
+    "claude",
+    "agentic",
+    "web3",
+    "erc-3643"
+  ],
+  "license": "MIT"
+}