@muhaven/mcp 0.1.7 → 0.2.0

package/CHANGELOG.md

@@ -7,6 +7,122 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.2.0] — 2026-05-18
+
+**Minor bump signals a breaking change to `position.buy`'s input
+shape.** This release consolidates the pre-Codex review of the 0.1.7
+Path C bundle: 4 parallel agents (Code Reviewer, Frontend Developer,
+Security Engineer, Reality Checker) surfaced ≥5 cross-confirmed HIGH
+findings and several MEDIUM/LOW items. 0.2.0 lands all of them.
+
+### Breaking
+
+- **`muhaven.position.buy.amountUsdc6` → `amountUsdc` (human decimal).**
+  Pre-0.2.0, the field was base-6 integer string ("5000000" = $5).
+  An LLM hearing "buy 5 dollars" would naively emit `"5"` and silently
+  produce a URL with `amount=0.000005` — user buys $5e-6 instead of $5.
+  0.2.0 unifies the unit convention across the whole Path C surface
+  (matches `cash.wrap.amountUsdc` shape): `"5"` means 5 mhUSDC. Max
+  6 fractional digits, 48-char length cap. Server-side schema rejects
+  scientific notation, leading +, thousands separators, leading zeros,
+  bare leading/trailing dots.
+
+- **`muhaven.position.sell.amountShares` rejects fractional input.**
+  fhERC-20 shares are integer base units (memory:
+  `project_decimals_lie_wave4_p0`). Pre-0.2.0 accepted "2.5" which
+  silently floored to 2 on the on-chain submit. 0.2.0 schema regex
+  `^[1-9]\d*$` rejects any fractional or leading-zero input at the
+  MCP-server boundary.
+
+- **Position tool response shape** stays the `{ dashboardUrl, action,
+  instructions, echo }` format from 0.1.7 — no change here, but the
+  schema breaking changes above are what trigger the minor bump per
+  semver.
+
+### Removed (cleanup of 0.1.7 deprecation candidates)
+
+- `__resetSessionKeyProbeCacheForTests` — was retained as a no-op in
+  0.1.7 for "back-compat with downstream test consumers." Verified
+  empirically (Security Engineer review) that no consumer outside our
+  own tests imported it. Deleted entirely.
+- `formatUsdc6ToDecimal` + `computeIntentHash` +
+  `PLACEHOLDER_INTENT_DOMAIN` — orphaned helpers tied to the
+  pre-0.1.7 attestation path. No external consumers; deleted.
+
+### Fixed
+
+- **`MUHAVEN_DASHBOARD_URL` env-poisoning** (Security M-2): the URL
+  is used to build every position deep-link. Pre-0.2.0, a malicious
+  npm dep or attacker with write access to `~/.claude.json` could
+  set `MUHAVEN_DASHBOARD_URL=https://muhaven-app.com` and have the
+  MCP server route every user click to a typosquat phishing clone.
+  Validation now happens at boot in `loadMcpConfig` + `loadBrokerConfig`
+  using the same `https-or-loopback` rule as the existing
+  `--dashboard-base-url` CLI flag. Hard-fails at server start with a
+  clear error message if invalid.
+
+- **`buildRegisterEnv` shell-metachar sanitization** (Security M-1):
+  the JSON config blob passed via argv to `claude mcp add-json` could
+  carry a crafted `MUHAVEN_KEYRING='file" & calc.exe &"'` past
+  Windows's `shell: true` invocation, reaching `cmd.exe`'s parser as
+  a command-injection vector. 0.2.0 rejects (not escapes) any value
+  containing shell metacharacters (`"` `\` newline `&` `|` `;`
+  `` ` `` `<` `>` `(` `)` `%` `$`) and restricts `MUHAVEN_KEYRING` to
+  the recognized values (`file` / `os`). Rejected values surface as
+  warnings on stderr; setup continues with the cleaned env.
+
+- **`claude mcp remove` exit-code capture** (Code Reviewer H2 +
+  Security M-3): pre-0.2.0 swallowed every exit code from the
+  idempotent remove step. A perm-locked scope or stale lockfile that
+  failed remove + then failed add showed an opaque error attributing
+  the failure only to add. 0.2.0 captures remove's exit + stderr,
+  swallows only the expected "no such server" pattern, and surfaces
+  any anomaly as a warning on the success path or folds it into the
+  failure reason on the error path. Closes the split-brain
+  `~/.claude.json` operator-confusion class.
+
+- **`decimalUsdcAmountSchema.max(48)` length cap** (Security L-5):
+  defense-in-depth against URL bloat (LLM emits a 10MB digit string).
+
+### Sibling commits (same hotfix bundle, deployed in lockstep)
+
+- Backend `pg-portfolio.repository.findByUserId` now orders by
+  `last_synced_at DESC NULLS LAST` so the frontend's first-seen Map
+  dedup picks the freshest row — aligns the tiebreak across backend +
+  frontend + dedup script (Code Reviewer N2).
+- `backend/scripts/dedup-portfolios.ts` moved the discovery SELECT
+  inside the dedup transaction + added `SELECT FOR UPDATE` row locks
+  + `pg_advisory_xact_lock`. Closes the TOCTOU window where a
+  concurrent backend write could lose data (Security H-1).
+- Frontend TradePage / YieldsPage now render an inline AlertTriangle
+  banner when `?token=` doesn't resolve instead of silently falling
+  back to `marketplace.filtered[0]`. Closes the LLM-token-swap footgun
+  (Frontend H-1).
+- TradePage marketplace.load() failure surfaces a Retry CTA instead
+  of half-rendering (Frontend H-2).
+- TradePage / CashPage `?amount=` pre-fill uses a shared
+  `sanitizePrefillAmount` helper that bounds precision to 6 dp and
+  rejects fractional shares (Frontend H-4 / Code Reviewer L1).
+- YieldsPage scroll-into-view moved into a watch keyed on
+  `epochsStore.items.length` so deep-link landings on disconnected
+  wallets still scroll once the items render (Frontend H-3).
+- YieldsPage `selectedToken` declaration hoisted above onMounted so
+  the deep-link path sets the ref synchronously before the
+  `selectableTokens` watcher (`immediate: true`) snaps it to `list[0]`
+  (Frontend H-5).
+
+### Internal
+
+- `__tests__/position-deeplink.test.ts`: rewrote amount tests for the
+  decimal-string schema; added schema-level corpus tests pinning the
+  reject list (negative, scientific notation, leading +, thousands
+  separator, leading zeros, etc.); added a regression test for the
+  base-6 footgun (`position.buy({amountUsdc: '5'})` must produce
+  `amount=5`, NOT `0.000005`).
+- `__tests__/mcp-redteam.test.ts`: updated field name from `amountUsdc6`
+  to `amountUsdc` in 4 call sites.
+- Total tool count unchanged at 23.
+
 ## [0.1.7] — 2026-05-18
 
 `position.*` tools can now drive real on-chain action via @muhaven/mcp

package/dist/broker.cjs

@@ -51,9 +51,38 @@ function deriveAllowedHosts(baseUrl) {
 function trimTrailingSlash(s) {
   return s.endsWith("/") ? s.slice(0, -1) : s;
 }
+function validatePublicUrlEnv(name, value) {
+  let parsed;
+  try {
+    parsed = new URL(value);
+  } catch {
+    return `${name} is not a valid URL: ${value}`;
+  }
+  if (parsed.protocol === "https:") return null;
+  if (parsed.protocol === "http:") {
+    const host = parsed.hostname;
+    if (host === "localhost" || host === "127.0.0.1" || host === "[::1]") return null;
+    return `${name} must use https:// (got http:// to ${host} \u2014 refusing to route MCP deep-links over cleartext to a non-loopback host)`;
+  }
+  return `${name} must use https:// (got ${parsed.protocol})`;
+}
+function resolvePublicUrlEnv(name, rawValue, defaultValue) {
+  const value = rawValue ?? defaultValue;
+  const err = validatePublicUrlEnv(name, value);
+  if (err) throw new Error(err);
+  return trimTrailingSlash(value);
+}
 function loadMcpConfig(env = process.env) {
-  const backendBaseUrl = trimTrailingSlash(env.MUHAVEN_BACKEND_URL ?? DEFAULT_BACKEND_URL);
-  const dashboardBaseUrl = trimTrailingSlash(env.MUHAVEN_DASHBOARD_URL ?? DEFAULT_DASHBOARD_URL);
+  const backendBaseUrl = resolvePublicUrlEnv(
+    "MUHAVEN_BACKEND_URL",
+    env.MUHAVEN_BACKEND_URL,
+    DEFAULT_BACKEND_URL
+  );
+  const dashboardBaseUrl = resolvePublicUrlEnv(
+    "MUHAVEN_DASHBOARD_URL",
+    env.MUHAVEN_DASHBOARD_URL,
+    DEFAULT_DASHBOARD_URL
+  );
   const brokerEndpoint = env.MUHAVEN_BROKER_ENDPOINT ?? defaultBrokerEndpoint();
   const readOnly = readEnvBool("MUHAVEN_READ_ONLY", false, env);
   const requestTimeoutMs = readEnvInt("MUHAVEN_REQUEST_TIMEOUT_MS", DEFAULT_REQUEST_TIMEOUT_MS, env);
@@ -83,8 +112,16 @@ function loadBrokerConfig(env = process.env) {
   const endpoint = env.MUHAVEN_BROKER_ENDPOINT ?? defaultBrokerEndpoint();
   const maxRequestBytes = readEnvInt("MUHAVEN_BROKER_MAX_BYTES", DEFAULT_BROKER_MAX_BYTES, env);
   const requestTimeoutMs = readEnvInt("MUHAVEN_BROKER_TIMEOUT_MS", DEFAULT_BROKER_TIMEOUT_MS, env);
-  const backendBaseUrl = trimTrailingSlash(env.MUHAVEN_BACKEND_URL ?? DEFAULT_BACKEND_URL);
-  const dashboardBaseUrl = trimTrailingSlash(env.MUHAVEN_DASHBOARD_URL ?? DEFAULT_DASHBOARD_URL);
+  const backendBaseUrl = resolvePublicUrlEnv(
+    "MUHAVEN_BACKEND_URL",
+    env.MUHAVEN_BACKEND_URL,
+    DEFAULT_BACKEND_URL
+  );
+  const dashboardBaseUrl = resolvePublicUrlEnv(
+    "MUHAVEN_DASHBOARD_URL",
+    env.MUHAVEN_DASHBOARD_URL,
+    DEFAULT_DASHBOARD_URL
+  );
   return {
     endpoint,
     sessionKeyHex,
@@ -1105,12 +1142,34 @@ function parseSetupFlags(argv) {
     registerScope
   };
 }
+var SHELL_METACHAR_RE = /["\\\n\r&|;`<>()%$]/;
+var SAFE_KEYRING_VALUES = /* @__PURE__ */ new Set(["file", "os"]);
 function buildRegisterEnv(effectiveEnv) {
   const env = {};
-  if (effectiveEnv.MUHAVEN_BACKEND_URL) env.MUHAVEN_BACKEND_URL = effectiveEnv.MUHAVEN_BACKEND_URL;
-  if (effectiveEnv.MUHAVEN_DASHBOARD_URL) env.MUHAVEN_DASHBOARD_URL = effectiveEnv.MUHAVEN_DASHBOARD_URL;
-  if (effectiveEnv.MUHAVEN_KEYRING) env.MUHAVEN_KEYRING = effectiveEnv.MUHAVEN_KEYRING;
-  return env;
+  const warnings = [];
+  function acceptOrWarn(name, value) {
+    if (!value) return;
+    if (SHELL_METACHAR_RE.test(value)) {
+      warnings.push(
+        `${name} contains shell metacharacters and was dropped from the host config \u2014 set a clean value in your env if you need a non-default.`
+      );
+      return;
+    }
+    env[name] = value;
+  }
+  acceptOrWarn("MUHAVEN_BACKEND_URL", effectiveEnv.MUHAVEN_BACKEND_URL);
+  acceptOrWarn("MUHAVEN_DASHBOARD_URL", effectiveEnv.MUHAVEN_DASHBOARD_URL);
+  const keyring = effectiveEnv.MUHAVEN_KEYRING;
+  if (keyring) {
+    if (!SAFE_KEYRING_VALUES.has(keyring)) {
+      warnings.push(
+        `MUHAVEN_KEYRING="${keyring}" is not one of the recognized values (file, os) \u2014 dropped from the host config.`
+      );
+    } else {
+      env.MUHAVEN_KEYRING = keyring;
+    }
+  }
+  return { env, warnings };
 }
 function buildClaudeMcpRegisterJson(registerEnv) {
   const payload = {
@@ -1128,6 +1187,7 @@ function buildClaudeMcpAddJsonArgv(serverName, json, scope) {
 function buildClaudeMcpRemoveArgv(serverName, scope) {
   return ["mcp", "remove", serverName, "--scope", scope];
 }
+var CLAUDE_REMOVE_NOT_FOUND_RE = /(no.*server|not found|does not exist|no MCP server)/i;
 async function registerWithHost(deps, options) {
   if (options.host === "claude-code") {
     return registerWithClaudeCode(deps, options);
@@ -1152,7 +1212,28 @@ async function registerWithClaudeCode(deps, options) {
       cmd: "claude --version"
     };
   }
-  await deps.shellOut("claude", buildClaudeMcpRemoveArgv(options.serverName, options.scope));
+  const warnings = [];
+  let removeResult = null;
+  try {
+    removeResult = await deps.shellOut(
+      "claude",
+      buildClaudeMcpRemoveArgv(options.serverName, options.scope)
+    );
+  } catch (err) {
+    warnings.push(
+      `claude mcp remove threw before exit: ${err.message}. If the add below succeeds but you see duplicates in ~/.claude.json, inspect file permissions.`
+    );
+  }
+  if (removeResult && removeResult.exitCode !== 0) {
+    const stderr = removeResult.stderr.trim();
+    const stdout = removeResult.stdout.trim();
+    const combined = [stderr, stdout].filter((s) => s.length > 0).join(" | ");
+    if (!CLAUDE_REMOVE_NOT_FOUND_RE.test(combined)) {
+      warnings.push(
+        `claude mcp remove returned exit ${removeResult.exitCode}: ${combined || "(no stderr)"}. Continuing with add. If you see duplicate muhaven entries afterwards, inspect ~/.claude.json or the project's .mcp.json manually.`
+      );
+    }
+  }
   const json = buildClaudeMcpRegisterJson(options.registerEnv);
   const addArgv = buildClaudeMcpAddJsonArgv(options.serverName, json, options.scope);
   let add;
@@ -1166,10 +1247,11 @@ async function registerWithClaudeCode(deps, options) {
     };
   }
   if (add.exitCode !== 0) {
-    const reason = [add.stderr, add.stdout].map((s) => s.trim()).filter((s) => s.length > 0).join(" | ") || `exit ${add.exitCode}`;
+    const addReason = [add.stderr, add.stdout].map((s) => s.trim()).filter((s) => s.length > 0).join(" | ") || `exit ${add.exitCode}`;
+    const reason = warnings.length > 0 ? `${addReason} (preceding remove also surfaced: ${warnings.join("; ")})` : addReason;
     return { status: "failed", host: options.host, reason };
   }
-  return { status: "registered", host: options.host, scope: options.scope };
+  return warnings.length > 0 ? { status: "registered", host: options.host, scope: options.scope, warnings } : { status: "registered", host: options.host, scope: options.scope };
 }
 async function runSetup(argv, deps) {
   let flags;
@@ -1342,7 +1424,10 @@ async function runSetup(argv, deps) {
     }
   }
   if (flags.register.length > 0) {
-    const registerEnv = buildRegisterEnv(effectiveEnv);
+    const { env: registerEnv, warnings: envWarnings } = buildRegisterEnv(effectiveEnv);
+    for (const w of envWarnings) {
+      deps.printErr(`Host register env: ${w}`);
+    }
     for (const host of flags.register) {
       const outcome = await registerWithHost(deps, {
         host,
@@ -1355,6 +1440,11 @@ async function runSetup(argv, deps) {
           deps.print(
             `Host register: ${outcome.host} wired (scope: ${outcome.scope}). Restart the host to pick up the new MCP server.`
           );
+          if (outcome.warnings) {
+            for (const w of outcome.warnings) {
+              deps.printErr(`Host register warning: ${w}`);
+            }
+          }
           break;
         case "cli_missing":
           deps.printErr(
@@ -1750,7 +1840,7 @@ function printUsage() {
 }
 function getBrokerPackageVersion() {
   {
-    return "0.1.7";
+    return "0.2.0";
   }
 }
 function printVersion() {

package/dist/broker.js

@@ -53,9 +53,38 @@ function deriveAllowedHosts(baseUrl) {
 function trimTrailingSlash(s) {
   return s.endsWith("/") ? s.slice(0, -1) : s;
 }
+function validatePublicUrlEnv(name, value) {
+  let parsed;
+  try {
+    parsed = new URL(value);
+  } catch {
+    return `${name} is not a valid URL: ${value}`;
+  }
+  if (parsed.protocol === "https:") return null;
+  if (parsed.protocol === "http:") {
+    const host = parsed.hostname;
+    if (host === "localhost" || host === "127.0.0.1" || host === "[::1]") return null;
+    return `${name} must use https:// (got http:// to ${host} \u2014 refusing to route MCP deep-links over cleartext to a non-loopback host)`;
+  }
+  return `${name} must use https:// (got ${parsed.protocol})`;
+}
+function resolvePublicUrlEnv(name, rawValue, defaultValue) {
+  const value = rawValue ?? defaultValue;
+  const err = validatePublicUrlEnv(name, value);
+  if (err) throw new Error(err);
+  return trimTrailingSlash(value);
+}
 function loadMcpConfig(env = process.env) {
-  const backendBaseUrl = trimTrailingSlash(env.MUHAVEN_BACKEND_URL ?? DEFAULT_BACKEND_URL);
-  const dashboardBaseUrl = trimTrailingSlash(env.MUHAVEN_DASHBOARD_URL ?? DEFAULT_DASHBOARD_URL);
+  const backendBaseUrl = resolvePublicUrlEnv(
+    "MUHAVEN_BACKEND_URL",
+    env.MUHAVEN_BACKEND_URL,
+    DEFAULT_BACKEND_URL
+  );
+  const dashboardBaseUrl = resolvePublicUrlEnv(
+    "MUHAVEN_DASHBOARD_URL",
+    env.MUHAVEN_DASHBOARD_URL,
+    DEFAULT_DASHBOARD_URL
+  );
   const brokerEndpoint = env.MUHAVEN_BROKER_ENDPOINT ?? defaultBrokerEndpoint();
   const readOnly = readEnvBool("MUHAVEN_READ_ONLY", false, env);
   const requestTimeoutMs = readEnvInt("MUHAVEN_REQUEST_TIMEOUT_MS", DEFAULT_REQUEST_TIMEOUT_MS, env);
@@ -85,8 +114,16 @@ function loadBrokerConfig(env = process.env) {
   const endpoint = env.MUHAVEN_BROKER_ENDPOINT ?? defaultBrokerEndpoint();
   const maxRequestBytes = readEnvInt("MUHAVEN_BROKER_MAX_BYTES", DEFAULT_BROKER_MAX_BYTES, env);
   const requestTimeoutMs = readEnvInt("MUHAVEN_BROKER_TIMEOUT_MS", DEFAULT_BROKER_TIMEOUT_MS, env);
-  const backendBaseUrl = trimTrailingSlash(env.MUHAVEN_BACKEND_URL ?? DEFAULT_BACKEND_URL);
-  const dashboardBaseUrl = trimTrailingSlash(env.MUHAVEN_DASHBOARD_URL ?? DEFAULT_DASHBOARD_URL);
+  const backendBaseUrl = resolvePublicUrlEnv(
+    "MUHAVEN_BACKEND_URL",
+    env.MUHAVEN_BACKEND_URL,
+    DEFAULT_BACKEND_URL
+  );
+  const dashboardBaseUrl = resolvePublicUrlEnv(
+    "MUHAVEN_DASHBOARD_URL",
+    env.MUHAVEN_DASHBOARD_URL,
+    DEFAULT_DASHBOARD_URL
+  );
   return {
     endpoint,
     sessionKeyHex,
@@ -1107,12 +1144,34 @@ function parseSetupFlags(argv) {
     registerScope
   };
 }
+var SHELL_METACHAR_RE = /["\\\n\r&|;`<>()%$]/;
+var SAFE_KEYRING_VALUES = /* @__PURE__ */ new Set(["file", "os"]);
 function buildRegisterEnv(effectiveEnv) {
   const env = {};
-  if (effectiveEnv.MUHAVEN_BACKEND_URL) env.MUHAVEN_BACKEND_URL = effectiveEnv.MUHAVEN_BACKEND_URL;
-  if (effectiveEnv.MUHAVEN_DASHBOARD_URL) env.MUHAVEN_DASHBOARD_URL = effectiveEnv.MUHAVEN_DASHBOARD_URL;
-  if (effectiveEnv.MUHAVEN_KEYRING) env.MUHAVEN_KEYRING = effectiveEnv.MUHAVEN_KEYRING;
-  return env;
+  const warnings = [];
+  function acceptOrWarn(name, value) {
+    if (!value) return;
+    if (SHELL_METACHAR_RE.test(value)) {
+      warnings.push(
+        `${name} contains shell metacharacters and was dropped from the host config \u2014 set a clean value in your env if you need a non-default.`
+      );
+      return;
+    }
+    env[name] = value;
+  }
+  acceptOrWarn("MUHAVEN_BACKEND_URL", effectiveEnv.MUHAVEN_BACKEND_URL);
+  acceptOrWarn("MUHAVEN_DASHBOARD_URL", effectiveEnv.MUHAVEN_DASHBOARD_URL);
+  const keyring = effectiveEnv.MUHAVEN_KEYRING;
+  if (keyring) {
+    if (!SAFE_KEYRING_VALUES.has(keyring)) {
+      warnings.push(
+        `MUHAVEN_KEYRING="${keyring}" is not one of the recognized values (file, os) \u2014 dropped from the host config.`
+      );
+    } else {
+      env.MUHAVEN_KEYRING = keyring;
+    }
+  }
+  return { env, warnings };
 }
 function buildClaudeMcpRegisterJson(registerEnv) {
   const payload = {
@@ -1130,6 +1189,7 @@ function buildClaudeMcpAddJsonArgv(serverName, json, scope) {
 function buildClaudeMcpRemoveArgv(serverName, scope) {
   return ["mcp", "remove", serverName, "--scope", scope];
 }
+var CLAUDE_REMOVE_NOT_FOUND_RE = /(no.*server|not found|does not exist|no MCP server)/i;
 async function registerWithHost(deps, options) {
   if (options.host === "claude-code") {
     return registerWithClaudeCode(deps, options);
@@ -1154,7 +1214,28 @@ async function registerWithClaudeCode(deps, options) {
       cmd: "claude --version"
     };
   }
-  await deps.shellOut("claude", buildClaudeMcpRemoveArgv(options.serverName, options.scope));
+  const warnings = [];
+  let removeResult = null;
+  try {
+    removeResult = await deps.shellOut(
+      "claude",
+      buildClaudeMcpRemoveArgv(options.serverName, options.scope)
+    );
+  } catch (err) {
+    warnings.push(
+      `claude mcp remove threw before exit: ${err.message}. If the add below succeeds but you see duplicates in ~/.claude.json, inspect file permissions.`
+    );
+  }
+  if (removeResult && removeResult.exitCode !== 0) {
+    const stderr = removeResult.stderr.trim();
+    const stdout = removeResult.stdout.trim();
+    const combined = [stderr, stdout].filter((s) => s.length > 0).join(" | ");
+    if (!CLAUDE_REMOVE_NOT_FOUND_RE.test(combined)) {
+      warnings.push(
+        `claude mcp remove returned exit ${removeResult.exitCode}: ${combined || "(no stderr)"}. Continuing with add. If you see duplicate muhaven entries afterwards, inspect ~/.claude.json or the project's .mcp.json manually.`
+      );
+    }
+  }
   const json = buildClaudeMcpRegisterJson(options.registerEnv);
   const addArgv = buildClaudeMcpAddJsonArgv(options.serverName, json, options.scope);
   let add;
@@ -1168,10 +1249,11 @@ async function registerWithClaudeCode(deps, options) {
     };
   }
   if (add.exitCode !== 0) {
-    const reason = [add.stderr, add.stdout].map((s) => s.trim()).filter((s) => s.length > 0).join(" | ") || `exit ${add.exitCode}`;
+    const addReason = [add.stderr, add.stdout].map((s) => s.trim()).filter((s) => s.length > 0).join(" | ") || `exit ${add.exitCode}`;
+    const reason = warnings.length > 0 ? `${addReason} (preceding remove also surfaced: ${warnings.join("; ")})` : addReason;
     return { status: "failed", host: options.host, reason };
   }
-  return { status: "registered", host: options.host, scope: options.scope };
+  return warnings.length > 0 ? { status: "registered", host: options.host, scope: options.scope, warnings } : { status: "registered", host: options.host, scope: options.scope };
 }
 async function runSetup(argv, deps) {
   let flags;
@@ -1344,7 +1426,10 @@ async function runSetup(argv, deps) {
     }
   }
   if (flags.register.length > 0) {
-    const registerEnv = buildRegisterEnv(effectiveEnv);
+    const { env: registerEnv, warnings: envWarnings } = buildRegisterEnv(effectiveEnv);
+    for (const w of envWarnings) {
+      deps.printErr(`Host register env: ${w}`);
+    }
     for (const host of flags.register) {
       const outcome = await registerWithHost(deps, {
         host,
@@ -1357,6 +1442,11 @@ async function runSetup(argv, deps) {
           deps.print(
             `Host register: ${outcome.host} wired (scope: ${outcome.scope}). Restart the host to pick up the new MCP server.`
           );
+          if (outcome.warnings) {
+            for (const w of outcome.warnings) {
+              deps.printErr(`Host register warning: ${w}`);
+            }
+          }
           break;
         case "cli_missing":
           deps.printErr(
@@ -1752,7 +1842,7 @@ function printUsage() {
 }
 function getBrokerPackageVersion() {
   {
-    return "0.1.7";
+    return "0.2.0";
   }
 }
 function printVersion() {

package/dist/index.cjs

@@ -11,7 +11,6 @@ var zod = require('zod');
 var os = require('os');
 var net = require('net');
 var crypto = require('crypto');
-require('viem');
 var accounts = require('viem/accounts');
 
 // ../../node_modules/.pnpm/tsup@8.5.1_postcss@8.5.14_tsx@4.21.0_typescript@5.9.3/node_modules/tsup/assets/cjs_shims.js
@@ -61,9 +60,38 @@ function deriveAllowedHosts(baseUrl) {
 function trimTrailingSlash(s) {
   return s.endsWith("/") ? s.slice(0, -1) : s;
 }
+function validatePublicUrlEnv(name, value) {
+  let parsed;
+  try {
+    parsed = new URL(value);
+  } catch {
+    return `${name} is not a valid URL: ${value}`;
+  }
+  if (parsed.protocol === "https:") return null;
+  if (parsed.protocol === "http:") {
+    const host = parsed.hostname;
+    if (host === "localhost" || host === "127.0.0.1" || host === "[::1]") return null;
+    return `${name} must use https:// (got http:// to ${host} \u2014 refusing to route MCP deep-links over cleartext to a non-loopback host)`;
+  }
+  return `${name} must use https:// (got ${parsed.protocol})`;
+}
+function resolvePublicUrlEnv(name, rawValue, defaultValue) {
+  const value = rawValue ?? defaultValue;
+  const err2 = validatePublicUrlEnv(name, value);
+  if (err2) throw new Error(err2);
+  return trimTrailingSlash(value);
+}
 function loadMcpConfig(env = process.env) {
-  const backendBaseUrl = trimTrailingSlash(env.MUHAVEN_BACKEND_URL ?? DEFAULT_BACKEND_URL);
-  const dashboardBaseUrl = trimTrailingSlash(env.MUHAVEN_DASHBOARD_URL ?? DEFAULT_DASHBOARD_URL);
+  const backendBaseUrl = resolvePublicUrlEnv(
+    "MUHAVEN_BACKEND_URL",
+    env.MUHAVEN_BACKEND_URL,
+    DEFAULT_BACKEND_URL
+  );
+  const dashboardBaseUrl = resolvePublicUrlEnv(
+    "MUHAVEN_DASHBOARD_URL",
+    env.MUHAVEN_DASHBOARD_URL,
+    DEFAULT_DASHBOARD_URL
+  );
   const brokerEndpoint = env.MUHAVEN_BROKER_ENDPOINT ?? defaultBrokerEndpoint();
   const readOnly = readEnvBool("MUHAVEN_READ_ONLY", false, env);
   const requestTimeoutMs = readEnvInt("MUHAVEN_REQUEST_TIMEOUT_MS", DEFAULT_REQUEST_TIMEOUT_MS, env);
@@ -93,8 +121,16 @@ function loadBrokerConfig(env = process.env) {
   const endpoint = env.MUHAVEN_BROKER_ENDPOINT ?? defaultBrokerEndpoint();
   const maxRequestBytes = readEnvInt("MUHAVEN_BROKER_MAX_BYTES", DEFAULT_BROKER_MAX_BYTES, env);
   const requestTimeoutMs = readEnvInt("MUHAVEN_BROKER_TIMEOUT_MS", DEFAULT_BROKER_TIMEOUT_MS, env);
-  const backendBaseUrl = trimTrailingSlash(env.MUHAVEN_BACKEND_URL ?? DEFAULT_BACKEND_URL);
-  const dashboardBaseUrl = trimTrailingSlash(env.MUHAVEN_DASHBOARD_URL ?? DEFAULT_DASHBOARD_URL);
+  const backendBaseUrl = resolvePublicUrlEnv(
+    "MUHAVEN_BACKEND_URL",
+    env.MUHAVEN_BACKEND_URL,
+    DEFAULT_BACKEND_URL
+  );
+  const dashboardBaseUrl = resolvePublicUrlEnv(
+    "MUHAVEN_DASHBOARD_URL",
+    env.MUHAVEN_DASHBOARD_URL,
+    DEFAULT_DASHBOARD_URL
+  );
   return {
     endpoint,
     sessionKeyHex,
@@ -467,13 +503,13 @@ var TOOL_DESCRIPTORS = [
   {
     name: "muhaven.position.buy",
     group: "position",
-    description: `Prepare a Subscription buy. Returns a dashboard deep-link URL (muhaven.app/trade?mode=buy&...) the user opens to review the pre-filled form, then taps Authorize. The user's passkey + ZeroDev kernel sign on the dashboard \u2014 this MCP tool never holds or submits a signing key. Use after the user names a clear amount + token (e.g. "Buy 5 mhUSDC of TBILL1"). Token accepts either a symbol ("TBILL1") or 0x-address. Settlement is NOT observable from MCP \u2014 verify by calling muhaven.read.portfolio after the user confirms done.`,
+    description: 'Prepare a Subscription buy. Returns a dashboard deep-link URL (muhaven.app/trade?mode=buy&...) the user opens to review the pre-filled form, then taps Authorize. The user\'s passkey + ZeroDev kernel sign on the dashboard \u2014 this MCP tool never holds or submits a signing key. Use after the user names a clear amount + token (e.g. "Buy 5 mhUSDC of TBILL1" \u2192 `amountUsdc: "5"`). Token accepts either a symbol ("TBILL1") or 0x-address. The `amountUsdc` field is HUMAN-DECIMAL mhUSDC ("5" = 5 mhUSDC, "0.5" = half a mhUSDC) \u2014 NOT base-6 integer. Max 6 fractional digits. Settlement is NOT observable from MCP \u2014 verify by calling muhaven.read.portfolio after the user confirms done.',
     sensitive: true
   },
   {
     name: "muhaven.position.sell",
     group: "position",
-    description: "Prepare a Subscription sell. Returns a dashboard deep-link URL (muhaven.app/trade?mode=sell&...) with the form pre-filled. Same passkey + verify-after pattern as muhaven.position.buy. Input is amountShares (raw share count), NOT mhUSDC notional.",
+    description: "Prepare a Subscription sell. Returns a dashboard deep-link URL (muhaven.app/trade?mode=sell&...) with the form pre-filled. Same passkey + verify-after pattern as muhaven.position.buy. Input is amountShares (raw POSITIVE INTEGER share count, NOT mhUSDC notional) \u2014 fhERC-20 shares have no decimals so fractional inputs are rejected.",
     sensitive: true
   },
   {
@@ -660,16 +696,30 @@ var ReadAuditInputSchema = zod.z.object({
   cursor: zod.z.string().min(1).max(512).optional(),
   limit: zod.z.number().int().min(1).max(200).optional()
 }).strict();
+var decimalUsdcAmountSchema = zod.z.string().regex(
+  /^(0|[1-9]\d*)(\.\d{1,6})?$/,
+  'must be a positive decimal mhUSDC amount with at most 6 fractional digits (e.g. "5", "0.5", "1234.567")'
+).max(48, "must be at most 48 characters");
 var PositionBuyInputSchema = zod.z.object({
   /** Symbol (e.g. "TBILL1") or 0x-address. Path C dashboard resolves either. */
   token: tokenIdentifierSchema,
-  /** Investor candidate spend, denominated in USDC base units (uint64). */
-  amountUsdc6: zod.z.string().regex(/^\d+$/, "must be a base-10 integer string")
+  /**
+   * mhUSDC amount in human-decimal units ("5" = 5 mhUSDC, "0.5" =
+   * half a mhUSDC). Forwarded verbatim to the dashboard form via
+   * `/trade?amount=`. Replaces the prior `amountUsdc6` base-6 integer
+   * field — see schema doc above for rationale (LLM-footgun fix).
+   */
+  amountUsdc: decimalUsdcAmountSchema
 }).strict();
 var PositionSellInputSchema = zod.z.object({
   token: tokenIdentifierSchema,
-  /** Encrypted-balance share count to redeem, denominated in fhERC-20 base units. */
-  amountShares: zod.z.string().regex(/^\d+$/, "must be a base-10 integer string")
+  /**
+   * Share count to redeem. fhERC-20 shares are integer base units
+   * (no decimals — see memory `project_decimals_lie_wave4_p0`).
+   * Regex rejects any fractional input so a deep-link can't pre-fill
+   * "2.5 shares" that would silently floor on the on-chain submit.
+   */
+  amountShares: zod.z.string().regex(/^[1-9]\d*$/, "must be a positive integer share count")
 }).strict();
 var PositionClaimInputSchema = zod.z.object({
   token: tokenIdentifierSchema,
@@ -687,11 +737,13 @@ var PositionRebalanceInputSchema = zod.z.object({
 }).strict();
 var CashWrapInputSchema = zod.z.object({
   /**
-   * USDC amount in human-readable units ("100" for $100, "1.5" for
-   * $1.50). Forwarded verbatim to `/cash?amount=`. Decimal optional
-   * — CashPage parses both `\d+` and `\d+\.\d+`.
+   * USDC amount in human-decimal units ("100" for $100, "1.5" for
+   * $1.50). Same shape + same regex as `PositionBuyInputSchema.amountUsdc`
+   * so the LLM doesn't have to learn two different unit conventions
+   * across the Path C surface. Max 6 fractional digits (USDC's base
+   * unit floor); 48-char length cap is URL-bloat defense.
    */
-  amountUsdc: zod.z.string().regex(/^\d+(\.\d+)?$/, "must be a positive decimal number string")
+  amountUsdc: decimalUsdcAmountSchema
 }).strict();
 var PolicySetTierInputSchema = zod.z.object({
   targetTier: tierSchema,
@@ -841,39 +893,23 @@ function buildPositionDeeplink(dashboardBaseUrl, action, params) {
   search.set("from", "mcp");
   return `${base}${path}?${search.toString()}`;
 }
-function formatUsdc6ToDecimal(amountUsdc6) {
-  if (!/^\d+$/.test(amountUsdc6)) {
-    throw new Error(`amountUsdc6 must be a non-negative integer string: ${amountUsdc6}`);
-  }
-  const padded = amountUsdc6.padStart(7, "0");
-  const intPart = padded.slice(0, -6).replace(/^0+(?=\d)/, "");
-  const fracPart = padded.slice(-6).replace(/0+$/, "");
-  return fracPart === "" ? intPart : `${intPart}.${fracPart}`;
-}
 function resolveDashboardBaseUrl(deps) {
   return deps.dashboardBaseUrl ?? "https://muhaven.app";
 }
 async function positionBuy(input, deps) {
-  const amount = formatUsdc6ToDecimal(input.amountUsdc6);
   const dashboardUrl = buildPositionDeeplink(resolveDashboardBaseUrl(deps), "buy", {
     token: input.token,
-    amount
+    amount: input.amountUsdc
   });
   return ok({
     dashboardUrl,
     action: "buy",
-    instructions: `Open this link to review and authorize the buy of ${amount} mhUSDC of ${input.token}:
+    instructions: `Open this link to review and authorize the buy of ${input.amountUsdc} mhUSDC of ${input.token}:
 ${dashboardUrl}`,
-    echo: { action: "buy", token: input.token, amount }
+    echo: { action: "buy", token: input.token, amount: input.amountUsdc }
   });
 }
 async function positionSell(input, deps) {
-  if (!/^\d+(\.\d+)?$/.test(input.amountShares)) {
-    return err(
-      "invalid_input",
-      `amountShares must be a non-negative number string: ${JSON.stringify(input.amountShares)}`
-    );
-  }
   const dashboardUrl = buildPositionDeeplink(resolveDashboardBaseUrl(deps), "sell", {
     token: input.token,
     shares: input.amountShares
@@ -1216,7 +1252,7 @@ var SERVER_NAME = "@muhaven/mcp";
 var SERVER_VERSION = resolveServerVersion();
 function resolveServerVersion() {
   {
-    return "0.1.7";
+    return "0.2.0";
   }
 }
 function toJsonInputSchema(schema) {

package/dist/index.js

@@ -9,7 +9,6 @@ import { z, ZodError } from 'zod';
 import { platform, homedir } from 'os';
 import { connect, createServer } from 'net';
 import { createHash } from 'crypto';
-import 'viem';
 import { privateKeyToAccount } from 'viem/accounts';
 
 // src/server.ts
@@ -57,9 +56,38 @@ function deriveAllowedHosts(baseUrl) {
 function trimTrailingSlash(s) {
   return s.endsWith("/") ? s.slice(0, -1) : s;
 }
+function validatePublicUrlEnv(name, value) {
+  let parsed;
+  try {
+    parsed = new URL(value);
+  } catch {
+    return `${name} is not a valid URL: ${value}`;
+  }
+  if (parsed.protocol === "https:") return null;
+  if (parsed.protocol === "http:") {
+    const host = parsed.hostname;
+    if (host === "localhost" || host === "127.0.0.1" || host === "[::1]") return null;
+    return `${name} must use https:// (got http:// to ${host} \u2014 refusing to route MCP deep-links over cleartext to a non-loopback host)`;
+  }
+  return `${name} must use https:// (got ${parsed.protocol})`;
+}
+function resolvePublicUrlEnv(name, rawValue, defaultValue) {
+  const value = rawValue ?? defaultValue;
+  const err2 = validatePublicUrlEnv(name, value);
+  if (err2) throw new Error(err2);
+  return trimTrailingSlash(value);
+}
 function loadMcpConfig(env = process.env) {
-  const backendBaseUrl = trimTrailingSlash(env.MUHAVEN_BACKEND_URL ?? DEFAULT_BACKEND_URL);
-  const dashboardBaseUrl = trimTrailingSlash(env.MUHAVEN_DASHBOARD_URL ?? DEFAULT_DASHBOARD_URL);
+  const backendBaseUrl = resolvePublicUrlEnv(
+    "MUHAVEN_BACKEND_URL",
+    env.MUHAVEN_BACKEND_URL,
+    DEFAULT_BACKEND_URL
+  );
+  const dashboardBaseUrl = resolvePublicUrlEnv(
+    "MUHAVEN_DASHBOARD_URL",
+    env.MUHAVEN_DASHBOARD_URL,
+    DEFAULT_DASHBOARD_URL
+  );
   const brokerEndpoint = env.MUHAVEN_BROKER_ENDPOINT ?? defaultBrokerEndpoint();
   const readOnly = readEnvBool("MUHAVEN_READ_ONLY", false, env);
   const requestTimeoutMs = readEnvInt("MUHAVEN_REQUEST_TIMEOUT_MS", DEFAULT_REQUEST_TIMEOUT_MS, env);
@@ -89,8 +117,16 @@ function loadBrokerConfig(env = process.env) {
   const endpoint = env.MUHAVEN_BROKER_ENDPOINT ?? defaultBrokerEndpoint();
   const maxRequestBytes = readEnvInt("MUHAVEN_BROKER_MAX_BYTES", DEFAULT_BROKER_MAX_BYTES, env);
   const requestTimeoutMs = readEnvInt("MUHAVEN_BROKER_TIMEOUT_MS", DEFAULT_BROKER_TIMEOUT_MS, env);
-  const backendBaseUrl = trimTrailingSlash(env.MUHAVEN_BACKEND_URL ?? DEFAULT_BACKEND_URL);
-  const dashboardBaseUrl = trimTrailingSlash(env.MUHAVEN_DASHBOARD_URL ?? DEFAULT_DASHBOARD_URL);
+  const backendBaseUrl = resolvePublicUrlEnv(
+    "MUHAVEN_BACKEND_URL",
+    env.MUHAVEN_BACKEND_URL,
+    DEFAULT_BACKEND_URL
+  );
+  const dashboardBaseUrl = resolvePublicUrlEnv(
+    "MUHAVEN_DASHBOARD_URL",
+    env.MUHAVEN_DASHBOARD_URL,
+    DEFAULT_DASHBOARD_URL
+  );
   return {
     endpoint,
     sessionKeyHex,
@@ -463,13 +499,13 @@ var TOOL_DESCRIPTORS = [
   {
     name: "muhaven.position.buy",
     group: "position",
-    description: `Prepare a Subscription buy. Returns a dashboard deep-link URL (muhaven.app/trade?mode=buy&...) the user opens to review the pre-filled form, then taps Authorize. The user's passkey + ZeroDev kernel sign on the dashboard \u2014 this MCP tool never holds or submits a signing key. Use after the user names a clear amount + token (e.g. "Buy 5 mhUSDC of TBILL1"). Token accepts either a symbol ("TBILL1") or 0x-address. Settlement is NOT observable from MCP \u2014 verify by calling muhaven.read.portfolio after the user confirms done.`,
+    description: 'Prepare a Subscription buy. Returns a dashboard deep-link URL (muhaven.app/trade?mode=buy&...) the user opens to review the pre-filled form, then taps Authorize. The user\'s passkey + ZeroDev kernel sign on the dashboard \u2014 this MCP tool never holds or submits a signing key. Use after the user names a clear amount + token (e.g. "Buy 5 mhUSDC of TBILL1" \u2192 `amountUsdc: "5"`). Token accepts either a symbol ("TBILL1") or 0x-address. The `amountUsdc` field is HUMAN-DECIMAL mhUSDC ("5" = 5 mhUSDC, "0.5" = half a mhUSDC) \u2014 NOT base-6 integer. Max 6 fractional digits. Settlement is NOT observable from MCP \u2014 verify by calling muhaven.read.portfolio after the user confirms done.',
     sensitive: true
   },
   {
     name: "muhaven.position.sell",
     group: "position",
-    description: "Prepare a Subscription sell. Returns a dashboard deep-link URL (muhaven.app/trade?mode=sell&...) with the form pre-filled. Same passkey + verify-after pattern as muhaven.position.buy. Input is amountShares (raw share count), NOT mhUSDC notional.",
+    description: "Prepare a Subscription sell. Returns a dashboard deep-link URL (muhaven.app/trade?mode=sell&...) with the form pre-filled. Same passkey + verify-after pattern as muhaven.position.buy. Input is amountShares (raw POSITIVE INTEGER share count, NOT mhUSDC notional) \u2014 fhERC-20 shares have no decimals so fractional inputs are rejected.",
     sensitive: true
   },
   {
@@ -656,16 +692,30 @@ var ReadAuditInputSchema = z.object({
   cursor: z.string().min(1).max(512).optional(),
   limit: z.number().int().min(1).max(200).optional()
 }).strict();
+var decimalUsdcAmountSchema = z.string().regex(
+  /^(0|[1-9]\d*)(\.\d{1,6})?$/,
+  'must be a positive decimal mhUSDC amount with at most 6 fractional digits (e.g. "5", "0.5", "1234.567")'
+).max(48, "must be at most 48 characters");
 var PositionBuyInputSchema = z.object({
   /** Symbol (e.g. "TBILL1") or 0x-address. Path C dashboard resolves either. */
   token: tokenIdentifierSchema,
-  /** Investor candidate spend, denominated in USDC base units (uint64). */
-  amountUsdc6: z.string().regex(/^\d+$/, "must be a base-10 integer string")
+  /**
+   * mhUSDC amount in human-decimal units ("5" = 5 mhUSDC, "0.5" =
+   * half a mhUSDC). Forwarded verbatim to the dashboard form via
+   * `/trade?amount=`. Replaces the prior `amountUsdc6` base-6 integer
+   * field — see schema doc above for rationale (LLM-footgun fix).
+   */
+  amountUsdc: decimalUsdcAmountSchema
 }).strict();
 var PositionSellInputSchema = z.object({
   token: tokenIdentifierSchema,
-  /** Encrypted-balance share count to redeem, denominated in fhERC-20 base units. */
-  amountShares: z.string().regex(/^\d+$/, "must be a base-10 integer string")
+  /**
+   * Share count to redeem. fhERC-20 shares are integer base units
+   * (no decimals — see memory `project_decimals_lie_wave4_p0`).
+   * Regex rejects any fractional input so a deep-link can't pre-fill
+   * "2.5 shares" that would silently floor on the on-chain submit.
+   */
+  amountShares: z.string().regex(/^[1-9]\d*$/, "must be a positive integer share count")
 }).strict();
 var PositionClaimInputSchema = z.object({
   token: tokenIdentifierSchema,
@@ -683,11 +733,13 @@ var PositionRebalanceInputSchema = z.object({
 }).strict();
 var CashWrapInputSchema = z.object({
   /**
-   * USDC amount in human-readable units ("100" for $100, "1.5" for
-   * $1.50). Forwarded verbatim to `/cash?amount=`. Decimal optional
-   * — CashPage parses both `\d+` and `\d+\.\d+`.
+   * USDC amount in human-decimal units ("100" for $100, "1.5" for
+   * $1.50). Same shape + same regex as `PositionBuyInputSchema.amountUsdc`
+   * so the LLM doesn't have to learn two different unit conventions
+   * across the Path C surface. Max 6 fractional digits (USDC's base
+   * unit floor); 48-char length cap is URL-bloat defense.
    */
-  amountUsdc: z.string().regex(/^\d+(\.\d+)?$/, "must be a positive decimal number string")
+  amountUsdc: decimalUsdcAmountSchema
 }).strict();
 var PolicySetTierInputSchema = z.object({
   targetTier: tierSchema,
@@ -837,39 +889,23 @@ function buildPositionDeeplink(dashboardBaseUrl, action, params) {
   search.set("from", "mcp");
   return `${base}${path}?${search.toString()}`;
 }
-function formatUsdc6ToDecimal(amountUsdc6) {
-  if (!/^\d+$/.test(amountUsdc6)) {
-    throw new Error(`amountUsdc6 must be a non-negative integer string: ${amountUsdc6}`);
-  }
-  const padded = amountUsdc6.padStart(7, "0");
-  const intPart = padded.slice(0, -6).replace(/^0+(?=\d)/, "");
-  const fracPart = padded.slice(-6).replace(/0+$/, "");
-  return fracPart === "" ? intPart : `${intPart}.${fracPart}`;
-}
 function resolveDashboardBaseUrl(deps) {
   return deps.dashboardBaseUrl ?? "https://muhaven.app";
 }
 async function positionBuy(input, deps) {
-  const amount = formatUsdc6ToDecimal(input.amountUsdc6);
   const dashboardUrl = buildPositionDeeplink(resolveDashboardBaseUrl(deps), "buy", {
     token: input.token,
-    amount
+    amount: input.amountUsdc
   });
   return ok({
     dashboardUrl,
     action: "buy",
-    instructions: `Open this link to review and authorize the buy of ${amount} mhUSDC of ${input.token}:
+    instructions: `Open this link to review and authorize the buy of ${input.amountUsdc} mhUSDC of ${input.token}:
 ${dashboardUrl}`,
-    echo: { action: "buy", token: input.token, amount }
+    echo: { action: "buy", token: input.token, amount: input.amountUsdc }
   });
 }
 async function positionSell(input, deps) {
-  if (!/^\d+(\.\d+)?$/.test(input.amountShares)) {
-    return err(
-      "invalid_input",
-      `amountShares must be a non-negative number string: ${JSON.stringify(input.amountShares)}`
-    );
-  }
   const dashboardUrl = buildPositionDeeplink(resolveDashboardBaseUrl(deps), "sell", {
     token: input.token,
     shares: input.amountShares
@@ -1212,7 +1248,7 @@ var SERVER_NAME = "@muhaven/mcp";
 var SERVER_VERSION = resolveServerVersion();
 function resolveServerVersion() {
   {
-    return "0.1.7";
+    return "0.2.0";
   }
 }
 function toJsonInputSchema(schema) {

package/manifest.json

@@ -3,7 +3,7 @@
   "manifest_version": "0.2",
   "name": "muhaven-mcp",
   "display_name": "MuHaven (RWA portfolio)",
-  "version": "0.1.7",
+  "version": "0.2.0",
   "description": "Confidential RWA portfolio management on Fhenix CoFHE. Read your encrypted balances, propose yield claims and policy changes — all signing happens in a sibling broker daemon, the LLM never sees your private key.",
   "long_description": "MuHaven MCP exposes 22 tools across read.* / position.* / policy.* / issuer.* / governance.* groups for managing real-world asset (RWA) tokens with FHE-encrypted balances. Authentication uses a one-time device-code ceremony (run `muhaven-broker login`); subsequent tool calls fetch the JWT from the broker over a Unix socket. Position / governance tools return unsigned UserOps + broker signatures — they NEVER auto-submit to a bundler. The companion `muhaven-broker` daemon must be running before tools can be invoked. See README for setup.",
   "author": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@muhaven/mcp",
-  "version": "0.1.7",
+  "version": "0.2.0",
   "description": "MuHaven MCP server — read/position/policy toolsets bridging Claude Desktop / Cursor / Claude Code to the MuHaven backend, with a sibling muhaven-broker daemon holding the session-key private half over a local IPC socket",
   "type": "module",
   "repository": {

package/tool-hashes.json

@@ -1,5 +1,5 @@
 {
-  "generatedAt": "2026-05-17T18:17:06.859Z",
+  "generatedAt": "2026-05-17T19:03:52.417Z",
   "tools": [
     {
       "name": "muhaven.read.portfolio",
@@ -23,11 +23,11 @@
     },
     {
       "name": "muhaven.position.buy",
-      "sha256": "f24c9628249e91ed485031f9114053fa6b174a5d55aedfb4109392eb5795c9e4"
+      "sha256": "4266f9d91df2086729709e3b1e76c34cb598fd90265aa24de90c256a3a6c217a"
     },
     {
       "name": "muhaven.position.sell",
-      "sha256": "707545106fdd505d7d942153bcb34d7ead53c2539b9699e0733159a57c72177d"
+      "sha256": "58c5090b04ecf4068dafe1f6a62e60b0befc9e0ad1cbbaedbab57e623c0194ce"
     },
     {
       "name": "muhaven.position.claim",