@muhaven/mcp 0.1.0 → 0.1.3

package/CHANGELOG.md

@@ -7,7 +7,138 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-## [0.1.0] — 2026-05-10
+## [0.1.3] — 2026-05-16
+
+Q2 fix bundle from the post-§4 queue closing four findings from §3e⁶
+(broker-session-key-required-for-reads, broker-env-divergence,
+mcp-serverinfo-version-stale) and unblocking the openclaw-skill ClawScan
+fix (the `noExternal: ['@muhaven/mcp']` inline bundle requires this
+version on npm before the skill can be republished).
+
+### Added
+
+- **Read-only daemon posture**: the broker daemon now boots WITHOUT
+  `MUHAVEN_BROKER_SESSION_KEY`. In that mode the daemon still serves
+  `hello` + the JWT verbs (so `muhaven.read.*` tools work end-to-end via
+  the standalone `@muhaven/mcp` install), but any `sign_hash` request
+  returns the new `session_key_unavailable` broker error so write paths
+  fail with a clear remediation message instead of the daemon dying at
+  startup. Closes §3e⁶ F-broker-session-key-required-for-reads.
+- **`muhaven-broker login --from-daemon` flag**: resolves backend +
+  dashboard URLs from the running daemon's `hello.effectiveConfig`
+  rather than the login CLI's env. Solves the daemon-vs-CLI env-divergence
+  problem when the two processes inherit different shell environments
+  (e.g. the daemon was launched by systemd/launchd, the CLI by ssh).
+  Mutually exclusive with explicit `--backend-base-url` /
+  `--dashboard-base-url`. Closes §3e⁶ F-broker-env-divergence.
+- **`muhaven-broker doctor` surfaces the daemon's effective config**
+  and read-only-posture status — the operator can verify which backend
+  URL is actually in play before driving a login.
+
+### Changed
+
+- **Broker protocol bumped 0.2.0 → 0.3.0** (additive — pre-0.3.0 clients
+  remain compatible):
+  - `hello.hasSessionKey` (optional `boolean`) — absence implies `true`
+    for back-compat.
+  - `hello.effectiveConfig` (optional `{ backendBaseUrl, dashboardBaseUrl }`).
+  - New `session_key_unavailable` broker error code.
+- **`serverInfo.version`** in the MCP server's `initialize` response is
+  now build-time injected from `package.json#version` (tsup `define` on
+  `__SERVER_VERSION__`) rather than the previously hardcoded `'0.1.0'`
+  string in `src/server.ts`. Closes §3e⁶ F-mcp-serverinfo-version-stale.
+
+### Tests
+
+- 134 vitest pass (up from 101 in 0.1.2). Net +33 cases:
+  - **+6** `config.test.ts` — `loadBrokerConfig` lazy-validation
+    (no key, empty string, valid key, malformed key) + env-driven backend
+    + dashboard URL surface.
+  - **+5** `daemon-handler.test.ts` — 0.3.0 protocol: `hello` surfaces
+    `hasSessionKey` + `effectiveConfig` from options, defaults `true`
+    when omitted, reflects `false` when set; `sign_hash` with
+    `NullSigner` returns `session_key_unavailable`; re-throws non-Missing
+    errors verbatim.
+  - **+9** `cli-parse-login-flags.test.ts` — flag parser unit cases
+    incl. `--from-daemon` mutual-exclusion guard.
+  - **+8** `session-key-required.test.ts` — `signEnvelope` probe of
+    `hello.hasSessionKey`; short-circuit returns `SESSION_KEY_REQUIRED`
+    for buy + claim with mint-URL pointing at `dashboardBaseUrl`;
+    safety-net mapping of inner `session_key_unavailable`;
+    probe-cache reuse; concurrent-call coalescing (one hello round-trip
+    for N callers); retry-after-rejection (eager cache clear); trailing-slash
+    mintUrl strip.
+  - **+2** `server-version.test.ts` — runtime fallback returns
+    `package.json#version`; matches `manifest.json#version`.
+  - **+2** `build-artifacts.test.ts` — hostname-migration guard + new
+    `__SERVER_VERSION__` literal grep in bundled dist.
+  - **+1** `daemon-lifecycle.test.ts` — read-only-posture boot test
+    replaces the prior "exits on missing key" assertion; added
+    "exits on a malformed session key" as the second negative-path test.
+
+## [0.1.2] — 2026-05-11
+
+Re-roll of the `0.1.1` workflow-validation cut. `0.1.1` never reached npm:
+the tag pointed at the version-bump commit but the workflow at that SHA
+lacked two fixes that landed on `agenticwave` after the tag was first cut.
+Bumping to `0.1.2` lets the tag reference the latest `agenticwave` HEAD
+which contains both fixes; subsequent releases follow the normal flow.
+
+### Fixed
+
+- **NODE_AUTH_TOKEN was overriding the OIDC trusted-publisher exchange in
+  `.github/workflows/mcp-publish.yml`** (commit `e373e36`). The
+  `actions/setup-node@v4` `registry-url` parameter writes an `.npmrc`
+  with `_authToken=${NODE_AUTH_TOKEN}` placeholder; the GitHub Actions
+  runner's inherited env had `NODE_AUTH_TOKEN` populated (visible in the
+  failing workflow logs as `XXXXX-XXXXX-XXXXX-XXXXX`), so npm tried
+  token-based publish first and 404'd because that token has no
+  permission on `@muhaven/mcp`. Fix: explicit `env: NODE_AUTH_TOKEN: ''`
+  on the publish step forces the `--provenance`-driven OIDC exchange as
+  the sole auth method.
+
+- **OIDC claims diagnostic step added pre-publish** (commit `e373e36`).
+  Prints `github.repository_owner` / `github.repository` /
+  `github.workflow_ref` / `github.event_name` / `github.ref` so that any
+  future Trusted Publisher binding mismatch can be diff'd
+  character-by-character against the npm-side configuration. Surfaced
+  the case-sensitivity gotcha around `repository_owner` that `0.1.1`'s
+  three failed attempts triggered.
+
+### Distribution
+
+- Identical bundle bytes to the `0.1.1` artifact except for the embedded
+  `0.1.2` version strings in `package.json` + `manifest.json`. No code
+  changes to the MCP server or broker daemon. Same `dist/` shape, same
+  16 files in the tarball, same `bin/` entry-points.
+
+## [0.1.1] — 2026-05-11
+
+Workflow-validation cut. `0.1.0` shipped via a one-time manual `npm publish
+--no-provenance` because npm Trusted Publisher could not be configured against
+a non-existent package; this release exercises the `mcp-publish.yml` workflow
+end-to-end on the muhaven.app hosts so subsequent releases carry full Sigstore
+provenance attestations and `npm view dist.signatures` populates.
+
+### Fixed
+
+- Re-runs the publish path through `.github/workflows/mcp-publish.yml`
+  (Workstream D) on the now-configured Trusted Publisher binding for
+  `@muhaven/mcp`. Validates the full OIDC → cosign sign → `npm publish
+  --provenance` → post-publish shasum verify chain that `0.1.0` skipped.
+- No code change relative to `0.1.0`. Bundle bytes identical except for the
+  embedded `0.1.1` version string in `package.json` + `manifest.json`. The
+  `0.1.0` "Provenance" badge gap (visible on the npmjs.com sidebar) closes
+  with this release.
+
+### Distribution
+
+- First release where `npm view @muhaven/mcp@0.1.1 dist.signatures` returns a
+  populated array, `dist.attestations.url` resolves to a GitHub-hosted
+  attestation, and the npmjs.com sidebar shows the "Provenance" badge linked
+  to the workflow run.
+
+
 
 First publishable cut. All publish-readiness security must-fixes (H-1 / H-2 /
 H-3 from `MCP_PUBLISH_READINESS.md` §2) and package-hygiene work landed on
@@ -119,5 +250,8 @@ Workstream H)
     muhaven-mcp-0.1.0.tgz
   ```
 
-[Unreleased]: https://github.com/hasToDev/muhaven/compare/mcp-v0.1.0...HEAD
+[Unreleased]: https://github.com/hasToDev/muhaven/compare/mcp-v0.1.3...HEAD
+[0.1.3]: https://github.com/hasToDev/muhaven/releases/tag/mcp-v0.1.3
+[0.1.2]: https://github.com/hasToDev/muhaven/releases/tag/mcp-v0.1.2
+[0.1.1]: https://github.com/hasToDev/muhaven/releases/tag/mcp-v0.1.1
 [0.1.0]: https://github.com/hasToDev/muhaven/releases/tag/mcp-v0.1.0

package/README.md

@@ -1,125 +1,125 @@
-# `@muhaven/mcp` — MCP server for MuHaven RWA portfolios
-
-Confidential RWA portfolio management on Fhenix CoFHE, exposed as a Model
-Context Protocol server installable in Claude Desktop / Cursor / Claude Code.
-
-## What it does
-
-22 tools across five groups (P3 + P7 + P11):
-
-| Group | Tools | Description |
-|---|---|---|
-| `muhaven.read.*` | `portfolio` · `yields` · `distribution` · `tokens` · `audit` · `protection_coverage` · `kyc_attestation` | Read your encrypted-balance portfolio, yield history, audit log, and P11 governance/KYC state |
-| `muhaven.position.*` | `buy` · `sell` · `claim` · `rebalance` | **Propose** trades — returns unsigned UserOps + broker signature; never auto-submits |
-| `muhaven.policy.*` | `set_tier` · `pause` · `audit_export` · `session_key_status` | Manage the tiered-autonomy state machine |
-| `muhaven.issuer.*` | `distribute_yield` · `kyc_add` · `kyc_remove` · `unpause_token` · `audit_query` | Issuer-side: distribute yield, manage KYC whitelist, NAV-set+unpause, query own audit trail |
-| `muhaven.governance.*` | `propose` · `cast_vote` | P11 encrypted-governance ceremony (cast-vote frontend runner deferred to Wave 5) |
-
-`MUHAVEN_READ_ONLY=true` exposes only the 7 `muhaven.read.*` tools.
-
-## Architecture (one paragraph)
-
-The MCP server runs as an MCPB STDIO subprocess of the host LLM (Claude
-Desktop, Cursor, Claude Code). It speaks HTTPS to the MuHaven backend at
-`https://api.muhaven.app` and IPC to a long-running sibling daemon
-called `muhaven-broker`. The broker holds two secrets — your ZeroDev
-session-key private half (for signing UserOps) and your scoped JWT (for
-authenticating to the backend) — both in your OS keychain. The broker
-NEVER speaks TCP and NEVER reaches out to the network. It exposes one
-signing primitive over a Unix socket (POSIX) or named pipe (Windows).
-This split — network-facing MCP server / signing-only broker — is the
-**lethal-trifecta** mitigation: an attacker who compromises the LLM
-process cannot exfiltrate your key without also compromising a separate
-process running under your user.
-
-The `muhaven-broker login` ceremony uses the OAuth 2.0 Device
-Authorization Grant (RFC 8628) — same shape as `gh auth login --web`,
-`wrangler login`, `gcloud auth login`. You never paste a JWT.
-
-## Install (development)
-
-```bash
-# In the muhaven monorepo, from repo root
-pnpm install
-pnpm --filter @muhaven/mcp build
-```
-
-The `bin/` shims will be invokable as `muhaven-mcp` and `muhaven-broker`
-once the package is linked.
-
-## Setup (end-user, post-MCPB-publish)
-
-1. **Install the MCPB package** in your host (Claude Desktop / Cursor / Claude Code).
-2. **Provision a session key.** This is the private half the broker holds for signing UserOps. The dashboard-side mint UI is a Wave 5 deliverable — until then, generate one yourself:
-   ```bash
-   node -e "console.log('0x' + require('crypto').randomBytes(32).toString('hex'))"
-   ```
-   The corresponding kernel session key install on-chain runs through the dashboard `/agent/policy/transition` flow (one-time per tier). For read-only smokes you can skip the install — the broker only needs the private half to start.
-3. **Start the broker daemon.** Set `MUHAVEN_BROKER_SESSION_KEY=0x…` and run:
-   ```bash
-   muhaven-broker
-   ```
-   Recipes for systemd / launchd / Windows Service in `docs/runbook.md` (TODO).
-4. **Authenticate via device-code flow:**
-   ```bash
-   muhaven-broker login
-   ```
-   The broker prints a URL like `https://muhaven.app/link?code=ABCD-1234` and (when not run with `--no-launch-browser`) opens it. Sign in with your passkey on the dashboard, verify the device fingerprint shown on the `/link` page, click **Authorize**. The CLI exits with success when the JWT lands in your keystore.
-5. **Use any MCP tool** from your host LLM. First call may take a moment as the broker fetches the JWT from the keystore.
-
-> **Windows / WSL2 / devcontainer / SSH-remote operators:** export `MUHAVEN_KEYRING=file` to skip the OS-keychain probe and use the file-backed keystore at `~/.muhaven/jwt` (mode 0600, parent dir mode 0700). The keychain backend depends on `@napi-rs/keyring` which needs platform-specific build prerequisites; the file fallback works everywhere.
-
-## Hardening invariants (`THREAT_MODEL_P0.md` aligned)
-
-- **Transport is STDIO + Unix-socket only.** The MCP server's `StdioServerTransport` is the only transport mounted; the broker's IPC is a Unix socket on POSIX (parent dir mode `0700`, socket file mode `0600`) or a per-user named pipe on Windows. **Never bind TCP.**
-- **`mcp-remote` is banned.** CVE-2025-6514 disclosed an arbitrary-command-execution path through that proxy. Do not use it; do not set `MUHAVEN_BACKEND_URL` to anything that wraps it.
-- **`CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1`** is recommended in your shell rc when running Claude Code locally — it prevents inherited env vars from leaking into the MCP subprocess. The MCP package's `MUHAVEN_*` env vars are read at boot, but adopting the scrub habit limits collateral exposure.
-- **Tool descriptions are pinned** at build time in `tool-hashes.json`. The server exits with code 70 (`EX_CONFIG`) on startup if the live descriptors don't match the pinned hashes — defends against tool-description-poisoning patches per the mcp-context-protector pattern (post-MCPoison, March 2026).
-- **Position tools never auto-submit.** They return an unsigned UserOp envelope plus a broker signature. The host LLM is expected to present this to the user for explicit confirmation before bundler submission. The MCP server does not speak to any bundler.
-
-## Environment variables
-
-| Var | Required | Default | Purpose |
-|---|---|---|---|
-| `MUHAVEN_BACKEND_URL` | no | `https://api.muhaven.app` | Backend host. Use staging URL for development. |
-| `MUHAVEN_DASHBOARD_URL` | no | `https://muhaven.app` | Dashboard origin used for the `/link` URL. |
-| `MUHAVEN_BROKER_ENDPOINT` | no | `~/.muhaven/broker.sock` (POSIX) / `\\.\pipe\muhaven-broker-<user>` (Windows) | IPC path. Set if running multiple isolated brokers. |
-| `MUHAVEN_BROKER_SESSION_KEY` | **yes** (broker) | — | 0x-prefixed 32-byte hex; the session-key private half. |
-| `MUHAVEN_READ_ONLY` | no | `false` | When `true`, only `muhaven.read.*` tools are registered. |
-| `MUHAVEN_KEYRING` | no | auto | Set to `file` to force the file-backed keystore (required on WSL2 / devcontainer / SSH-remote). |
-| `MUHAVEN_REQUEST_TIMEOUT_MS` | no | `15000` | Backend HTTP timeout. |
-| `MUHAVEN_BROKER_TIMEOUT_MS` | no | `5000` | Broker IPC timeout. |
-| `MUHAVEN_JWT_CACHE_TTL_SEC` | no | `30` | In-process JWT cache TTL. |
-| `MUHAVEN_BROKER_MAX_BYTES` | no | `65536` | Per-request payload cap on the broker IPC. |
-
-The MCPB `manifest.json` declares the user-facing subset (`backend_url`, `dashboard_url`, `broker_endpoint`, `read_only`); the host's secret manager handles the values.
-
-## CLI subcommands (`muhaven-broker`)
-
-| Command | Effect |
-|---|---|
-| (none) | Run the daemon (production mode). |
-| `muhaven-broker login [--no-launch-browser]` | Run the device-code ceremony; on success store the JWT in the keystore. |
-| `muhaven-broker logout` | Clear the JWT from the keystore. |
-| `muhaven-broker doctor` | Print environment + keystore + reachability report. |
-
-## Threat model in 30 seconds
-
-Per `development/DEV_WAVE_4/THREAT_MODEL_P0.md`:
-
-| Risk | Control |
-|---|---|
-| **R-1** Prompt injection escalating into a tx | Position tools return *unsigned* UserOps; host MUST present to user for explicit passkey confirmation. |
-| **R-2** Hallucinated tool call | Strict-enum tool registry + `additionalProperties: false` Zod schemas. |
-| **R-3** Replay of confirmation tokens | Single-use server-side nonced tokens via existing P1 confirm-token-service. |
-| **R-6** ZeroDev session-key escape | Session key lives in broker keystore (OS keychain) — never in the LLM-process env. |
-| **R-7** MCP env-block exfiltration | MCPB `sensitive: true` for secrets → OS keychain; broker isolation; no plaintext disk. |
-| **R-8** FHE ACL bypass | Backend enforces every read; MCP server never decrypts FHE handles. |
-
-## License
-
-MIT
-
-## Status: `0.1.0` — first publish-ready cut
-
-Wave 4 Phase P3 deliverable per `development/DEV_WAVE_4/PROGRESS.md`. Workstreams A–D of the npm-publish ceremony (security must-fixes, `package.json` hygiene, `LICENSE` + `CHANGELOG`, GitHub Actions workflows) are landed on `agenticwave`; the actual `npm publish` is operator-driven via the tag-push of `mcp-v0.1.0` against the `npm-publish` GitHub Environment (2-reviewer gate · OIDC trusted-publishing · Sigstore provenance). See `development/DEV_WAVE_4/MCP_PUBLISH_READINESS.md` §6 for the operator runbook.
+# `@muhaven/mcp` — MCP server for MuHaven RWA portfolios
+
+Confidential RWA portfolio management on Fhenix CoFHE, exposed as a Model
+Context Protocol server installable in Claude Desktop / Cursor / Claude Code.
+
+## What it does
+
+22 tools across five groups (P3 + P7 + P11):
+
+| Group | Tools | Description |
+|---|---|---|
+| `muhaven.read.*` | `portfolio` · `yields` · `distribution` · `tokens` · `audit` · `protection_coverage` · `kyc_attestation` | Read your encrypted-balance portfolio, yield history, audit log, and P11 governance/KYC state |
+| `muhaven.position.*` | `buy` · `sell` · `claim` · `rebalance` | **Propose** trades — returns unsigned UserOps + broker signature; never auto-submits |
+| `muhaven.policy.*` | `set_tier` · `pause` · `audit_export` · `session_key_status` | Manage the tiered-autonomy state machine |
+| `muhaven.issuer.*` | `distribute_yield` · `kyc_add` · `kyc_remove` · `unpause_token` · `audit_query` | Issuer-side: distribute yield, manage KYC whitelist, NAV-set+unpause, query own audit trail |
+| `muhaven.governance.*` | `propose` · `cast_vote` | P11 encrypted-governance ceremony (cast-vote frontend runner deferred to Wave 5) |
+
+`MUHAVEN_READ_ONLY=true` exposes only the 7 `muhaven.read.*` tools.
+
+## Architecture (one paragraph)
+
+The MCP server runs as an MCPB STDIO subprocess of the host LLM (Claude
+Desktop, Cursor, Claude Code). It speaks HTTPS to the MuHaven backend at
+`https://api.muhaven.app` and IPC to a long-running sibling daemon
+called `muhaven-broker`. The broker holds two secrets — your ZeroDev
+session-key private half (for signing UserOps) and your scoped JWT (for
+authenticating to the backend) — both in your OS keychain. The broker
+NEVER speaks TCP and NEVER reaches out to the network. It exposes one
+signing primitive over a Unix socket (POSIX) or named pipe (Windows).
+This split — network-facing MCP server / signing-only broker — is the
+**lethal-trifecta** mitigation: an attacker who compromises the LLM
+process cannot exfiltrate your key without also compromising a separate
+process running under your user.
+
+The `muhaven-broker login` ceremony uses the OAuth 2.0 Device
+Authorization Grant (RFC 8628) — same shape as `gh auth login --web`,
+`wrangler login`, `gcloud auth login`. You never paste a JWT.
+
+## Install (development)
+
+```bash
+# In the muhaven monorepo, from repo root
+pnpm install
+pnpm --filter @muhaven/mcp build
+```
+
+The `bin/` shims will be invokable as `muhaven-mcp` and `muhaven-broker`
+once the package is linked.
+
+## Setup (end-user, post-MCPB-publish)
+
+1. **Install the MCPB package** in your host (Claude Desktop / Cursor / Claude Code).
+2. **Provision a session key.** This is the private half the broker holds for signing UserOps. The dashboard-side mint UI is a Wave 5 deliverable — until then, generate one yourself:
+   ```bash
+   node -e "console.log('0x' + require('crypto').randomBytes(32).toString('hex'))"
+   ```
+   The corresponding kernel session key install on-chain runs through the dashboard `/agent/policy/transition` flow (one-time per tier). For read-only smokes you can skip the install — the broker only needs the private half to start.
+3. **Start the broker daemon.** Set `MUHAVEN_BROKER_SESSION_KEY=0x…` and run:
+   ```bash
+   muhaven-broker
+   ```
+   Recipes for systemd / launchd / Windows Service in `docs/runbook.md` (TODO).
+4. **Authenticate via device-code flow:**
+   ```bash
+   muhaven-broker login
+   ```
+   The broker prints a URL like `https://muhaven.app/link?code=ABCD-1234` and (when not run with `--no-launch-browser`) opens it. Sign in with your passkey on the dashboard, verify the device fingerprint shown on the `/link` page, click **Authorize**. The CLI exits with success when the JWT lands in your keystore.
+5. **Use any MCP tool** from your host LLM. First call may take a moment as the broker fetches the JWT from the keystore.
+
+> **Windows / WSL2 / devcontainer / SSH-remote operators:** export `MUHAVEN_KEYRING=file` to skip the OS-keychain probe and use the file-backed keystore at `~/.muhaven/jwt` (mode 0600, parent dir mode 0700). The keychain backend depends on `@napi-rs/keyring` which needs platform-specific build prerequisites; the file fallback works everywhere.
+
+## Hardening invariants (`THREAT_MODEL_P0.md` aligned)
+
+- **Transport is STDIO + Unix-socket only.** The MCP server's `StdioServerTransport` is the only transport mounted; the broker's IPC is a Unix socket on POSIX (parent dir mode `0700`, socket file mode `0600`) or a per-user named pipe on Windows. **Never bind TCP.**
+- **`mcp-remote` is banned.** CVE-2025-6514 disclosed an arbitrary-command-execution path through that proxy. Do not use it; do not set `MUHAVEN_BACKEND_URL` to anything that wraps it.
+- **`CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1`** is recommended in your shell rc when running Claude Code locally — it prevents inherited env vars from leaking into the MCP subprocess. The MCP package's `MUHAVEN_*` env vars are read at boot, but adopting the scrub habit limits collateral exposure.
+- **Tool descriptions are pinned** at build time in `tool-hashes.json`. The server exits with code 70 (`EX_CONFIG`) on startup if the live descriptors don't match the pinned hashes — defends against tool-description-poisoning patches per the mcp-context-protector pattern (post-MCPoison, March 2026).
+- **Position tools never auto-submit.** They return an unsigned UserOp envelope plus a broker signature. The host LLM is expected to present this to the user for explicit confirmation before bundler submission. The MCP server does not speak to any bundler.
+
+## Environment variables
+
+| Var | Required | Default | Purpose |
+|---|---|---|---|
+| `MUHAVEN_BACKEND_URL` | no | `https://api.muhaven.app` | Backend host. Use staging URL for development. |
+| `MUHAVEN_DASHBOARD_URL` | no | `https://muhaven.app` | Dashboard origin used for the `/link` URL. |
+| `MUHAVEN_BROKER_ENDPOINT` | no | `~/.muhaven/broker.sock` (POSIX) / `\\.\pipe\muhaven-broker-<user>` (Windows) | IPC path. Set if running multiple isolated brokers. |
+| `MUHAVEN_BROKER_SESSION_KEY` | **yes** (broker) | — | 0x-prefixed 32-byte hex; the session-key private half. |
+| `MUHAVEN_READ_ONLY` | no | `false` | When `true`, only `muhaven.read.*` tools are registered. |
+| `MUHAVEN_KEYRING` | no | auto | Set to `file` to force the file-backed keystore (required on WSL2 / devcontainer / SSH-remote). |
+| `MUHAVEN_REQUEST_TIMEOUT_MS` | no | `15000` | Backend HTTP timeout. |
+| `MUHAVEN_BROKER_TIMEOUT_MS` | no | `5000` | Broker IPC timeout. |
+| `MUHAVEN_JWT_CACHE_TTL_SEC` | no | `30` | In-process JWT cache TTL. |
+| `MUHAVEN_BROKER_MAX_BYTES` | no | `65536` | Per-request payload cap on the broker IPC. |
+
+The MCPB `manifest.json` declares the user-facing subset (`backend_url`, `dashboard_url`, `broker_endpoint`, `read_only`); the host's secret manager handles the values.
+
+## CLI subcommands (`muhaven-broker`)
+
+| Command | Effect |
+|---|---|
+| (none) | Run the daemon (production mode). |
+| `muhaven-broker login [--no-launch-browser]` | Run the device-code ceremony; on success store the JWT in the keystore. |
+| `muhaven-broker logout` | Clear the JWT from the keystore. |
+| `muhaven-broker doctor` | Print environment + keystore + reachability report. |
+
+## Threat model in 30 seconds
+
+Per `development/DEV_WAVE_4/THREAT_MODEL_P0.md`:
+
+| Risk | Control |
+|---|---|
+| **R-1** Prompt injection escalating into a tx | Position tools return *unsigned* UserOps; host MUST present to user for explicit passkey confirmation. |
+| **R-2** Hallucinated tool call | Strict-enum tool registry + `additionalProperties: false` Zod schemas. |
+| **R-3** Replay of confirmation tokens | Single-use server-side nonced tokens via existing P1 confirm-token-service. |
+| **R-6** ZeroDev session-key escape | Session key lives in broker keystore (OS keychain) — never in the LLM-process env. |
+| **R-7** MCP env-block exfiltration | MCPB `sensitive: true` for secrets → OS keychain; broker isolation; no plaintext disk. |
+| **R-8** FHE ACL bypass | Backend enforces every read; MCP server never decrypts FHE handles. |
+
+## License
+
+MIT
+
+## Status: `0.1.0` — first publish-ready cut
+
+Wave 4 Phase P3 deliverable per `development/DEV_WAVE_4/PROGRESS.md`. Workstreams A–D of the npm-publish ceremony (security must-fixes, `package.json` hygiene, `LICENSE` + `CHANGELOG`, GitHub Actions workflows) are landed on `agenticwave`; the actual `npm publish` is operator-driven via the tag-push of `mcp-v0.1.0` against the `npm-publish` GitHub Environment (2-reviewer gate · OIDC trusted-publishing · Sigstore provenance). See `development/DEV_WAVE_4/MCP_PUBLISH_READINESS.md` §6 for the operator runbook.

package/bin/muhaven-broker.cjs

@@ -1,11 +1,11 @@
-#!/usr/bin/env node
-/* eslint-disable */
-const { runCli } = require('../dist/broker.cjs');
-
-runCli(process.argv.slice(2)).then(
-  (code) => process.exit(code ?? 0),
-  (err) => {
-    process.stderr.write(`fatal: ${err && err.stack ? err.stack : String(err)}\n`);
-    process.exit(1);
-  },
-);
+#!/usr/bin/env node
+/* eslint-disable */
+const { runCli } = require('../dist/broker.cjs');
+
+runCli(process.argv.slice(2)).then(
+  (code) => process.exit(code ?? 0),
+  (err) => {
+    process.stderr.write(`fatal: ${err && err.stack ? err.stack : String(err)}\n`);
+    process.exit(1);
+  },
+);

package/bin/muhaven-mcp.cjs

@@ -1,11 +1,11 @@
-#!/usr/bin/env node
-/* eslint-disable */
-const { runMcpStdioCli } = require('../dist/index.cjs');
-
-runMcpStdioCli().then(
-  () => process.exit(0),
-  (err) => {
-    process.stderr.write(`fatal: ${err && err.stack ? err.stack : String(err)}\n`);
-    process.exit(1);
-  },
-);
+#!/usr/bin/env node
+/* eslint-disable */
+const { runMcpStdioCli } = require('../dist/index.cjs');
+
+runMcpStdioCli().then(
+  () => process.exit(0),
+  (err) => {
+    process.stderr.write(`fatal: ${err && err.stack ? err.stack : String(err)}\n`);
+    process.exit(1);
+  },
+);