@muhaven/mcp 0.2.0 → 0.2.2

package/dist/index.js

@@ -1,4 +1,4 @@
-import { unlink, readFile, mkdir, chmod, writeFile, stat } from 'fs/promises';
+import { unlink, readFile, mkdir, chmod, writeFile, rename, readdir, stat } from 'fs/promises';
 import 'fs';
 import { join, dirname } from 'path';
 import { fileURLToPath } from 'url';
@@ -6,9 +6,13 @@ import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { ListToolsRequestSchema, CallToolRequestSchema } from '@modelcontextprotocol/sdk/types.js';
 import { z, ZodError } from 'zod';
+import { zodToJsonSchema } from 'zod-to-json-schema';
 import { platform, homedir } from 'os';
 import { connect, createServer } from 'net';
-import { createHash } from 'crypto';
+import { setTimeout as setTimeout$1 } from 'timers/promises';
+import { parseAbi, toFunctionSelector, encodeFunctionData, encodePacked, pad, concatHex, decodeAbiParameters } from 'viem';
+import { createHash, randomBytes } from 'crypto';
+import { getUserOperationHash } from 'viem/account-abstraction';
 import { privateKeyToAccount } from 'viem/accounts';
 
 // src/server.ts
@@ -18,6 +22,10 @@ var DEFAULT_REQUEST_TIMEOUT_MS = 15e3;
 var DEFAULT_BROKER_TIMEOUT_MS = 5e3;
 var DEFAULT_BROKER_MAX_BYTES = 64 * 1024;
 var DEFAULT_JWT_CACHE_TTL_SEC = 30;
+var DEFAULT_BUNDLER_TIMEOUT_MS = 2e4;
+var DEFAULT_CHAIN_ID = 421614;
+var DEFAULT_ENTRY_POINT_ADDRESS = "0x0000000071727De22E5E9d8BAf0edAc6f37da032";
+var ADDRESS_HEX_RE = /^0x[0-9a-fA-F]{40}$/;
 function defaultBrokerEndpoint() {
   if (platform() === "win32") {
     const user = process.env.USERNAME ?? "default";
@@ -93,6 +101,35 @@ function loadMcpConfig(env = process.env) {
   const requestTimeoutMs = readEnvInt("MUHAVEN_REQUEST_TIMEOUT_MS", DEFAULT_REQUEST_TIMEOUT_MS, env);
   const brokerTimeoutMs = readEnvInt("MUHAVEN_BROKER_TIMEOUT_MS", DEFAULT_BROKER_TIMEOUT_MS, env);
   const jwtCacheTtlSec = readEnvInt("MUHAVEN_JWT_CACHE_TTL_SEC", DEFAULT_JWT_CACHE_TTL_SEC, env);
+  const bundlerUrlRaw = readEnv("MUHAVEN_BUNDLER_URL", env);
+  let bundlerUrl;
+  if (bundlerUrlRaw !== void 0) {
+    const validationErr = validatePublicUrlEnv("MUHAVEN_BUNDLER_URL", bundlerUrlRaw);
+    if (validationErr) throw new Error(validationErr);
+    bundlerUrl = trimTrailingSlash(bundlerUrlRaw);
+  }
+  const bundlerTimeoutMs = readEnvInt("MUHAVEN_BUNDLER_TIMEOUT_MS", DEFAULT_BUNDLER_TIMEOUT_MS, env);
+  const chainId = readEnvInt("MUHAVEN_CHAIN_ID", DEFAULT_CHAIN_ID, env);
+  const subscriptionAddressRaw = readEnv("MUHAVEN_SUBSCRIPTION_ADDRESS", env);
+  let subscriptionAddress;
+  if (subscriptionAddressRaw !== void 0) {
+    if (!ADDRESS_HEX_RE.test(subscriptionAddressRaw)) {
+      throw new Error(
+        `MUHAVEN_SUBSCRIPTION_ADDRESS must be a 0x-prefixed 20-byte hex string (got ${JSON.stringify(subscriptionAddressRaw)})`
+      );
+    }
+    subscriptionAddress = subscriptionAddressRaw.toLowerCase();
+  }
+  const entryPointAddressRaw = readEnv("MUHAVEN_ENTRY_POINT", env);
+  let entryPointAddress = DEFAULT_ENTRY_POINT_ADDRESS;
+  if (entryPointAddressRaw !== void 0) {
+    if (!ADDRESS_HEX_RE.test(entryPointAddressRaw)) {
+      throw new Error(
+        `MUHAVEN_ENTRY_POINT must be a 0x-prefixed 20-byte hex string (got ${JSON.stringify(entryPointAddressRaw)})`
+      );
+    }
+    entryPointAddress = entryPointAddressRaw.toLowerCase();
+  }
   return {
     backendBaseUrl,
     dashboardBaseUrl,
@@ -101,7 +138,12 @@ function loadMcpConfig(env = process.env) {
     requestTimeoutMs,
     brokerTimeoutMs,
     allowedBackendHosts: deriveAllowedHosts(backendBaseUrl),
-    jwtCacheTtlSec
+    jwtCacheTtlSec,
+    bundlerUrl,
+    bundlerTimeoutMs,
+    chainId,
+    subscriptionAddress,
+    entryPointAddress
   };
 }
 var PRIVKEY_HEX_RE = /^0x[0-9a-fA-F]{64}$/;
@@ -136,16 +178,366 @@ function loadBrokerConfig(env = process.env) {
     dashboardBaseUrl
   };
 }
+
+// src/broker/protocol.ts
+var BROKER_PROTOCOL_VERSION = "0.4.0";
+var HASH_HEX_RE = /^0x[0-9a-fA-F]{64}$/;
+var ADDRESS_HEX_RE2 = /^0x[0-9a-fA-F]{40}$/;
+var SELECTOR_HEX_RE = /^0x[0-9a-fA-F]{8}$/;
+var HEX_PREFIXED_RE = /^0x[0-9a-fA-F]*$/;
+var JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
+var SESSION_ID_RE = /^[A-Za-z0-9_-]{1,128}$/;
+var UINT256_DEC_RE = /^(0|[1-9][0-9]{0,77})$/;
+var MAX_CALLDATA_HEX_LEN = 2e5;
+function isHashHex(value) {
+  return typeof value === "string" && HASH_HEX_RE.test(value);
+}
+function isAddressHex(value) {
+  return typeof value === "string" && ADDRESS_HEX_RE2.test(value);
+}
+function isSelectorHex(value) {
+  return typeof value === "string" && SELECTOR_HEX_RE.test(value);
+}
+function isHexPrefixed(value) {
+  return typeof value === "string" && HEX_PREFIXED_RE.test(value);
+}
+function isJwtShape(value) {
+  return typeof value === "string" && value.length <= 8192 && JWT_RE.test(value);
+}
+function isSessionIdShape(value) {
+  return typeof value === "string" && SESSION_ID_RE.test(value);
+}
+function isUint256DecString(value) {
+  return typeof value === "string" && UINT256_DEC_RE.test(value);
+}
+var UINT256_MAX = (1n << 256n) - 1n;
+function isUint256InRange(value) {
+  if (!isUint256DecString(value)) return false;
+  return BigInt(value) <= UINT256_MAX;
+}
+function parseSelectorCap(raw) {
+  if (typeof raw !== "object" || raw === null) {
+    return { error: "selectorCap must be an object" };
+  }
+  const obj = raw;
+  if (!isSelectorHex(obj.selector)) {
+    return { error: "selectorCap.selector must be a 4-byte 0x-hex" };
+  }
+  const capArgIndex = obj.capArgIndex;
+  const maxAmount = obj.maxAmount;
+  const indexIsNull = capArgIndex === null;
+  const amountIsNull = maxAmount === null;
+  if (indexIsNull !== amountIsNull) {
+    return {
+      error: "selectorCap.capArgIndex and selectorCap.maxAmount must both be null or both non-null"
+    };
+  }
+  if (!indexIsNull) {
+    if (typeof capArgIndex !== "number" || !Number.isInteger(capArgIndex) || capArgIndex < 0 || capArgIndex > 31) {
+      return {
+        error: "selectorCap.capArgIndex must be an integer in [0, 31] (max 32 ABI words)"
+      };
+    }
+    if (typeof maxAmount !== "string" || !isUint256InRange(maxAmount)) {
+      return { error: "selectorCap.maxAmount must be a uint256 decimal string \u2264 2^256-1" };
+    }
+  }
+  return {
+    selector: obj.selector.toLowerCase(),
+    capArgIndex: indexIsNull ? null : capArgIndex,
+    maxAmount: indexIsNull ? null : maxAmount
+  };
+}
+function isOptionalHash32(value) {
+  return value === void 0 || isHashHex(value);
+}
+function isOptionalPermissionId(value) {
+  return value === void 0 || isSelectorHex(value);
+}
+function parsePolicySnapshot(raw) {
+  if (typeof raw !== "object" || raw === null) {
+    return { error: "snapshot must be a JSON object" };
+  }
+  const obj = raw;
+  if (!isSessionIdShape(obj.sessionId)) {
+    return { error: "snapshot.sessionId must be 1-128 chars [A-Za-z0-9_-]" };
+  }
+  if (obj.mode !== "scoped") {
+    return { error: "snapshot.mode must be 'scoped' (wildcard ships in Slice 4)" };
+  }
+  if (!isAddressHex(obj.signerAddress)) {
+    return { error: "snapshot.signerAddress must be a 0x-prefixed 20-byte hex" };
+  }
+  const targetContracts = obj.targetContracts;
+  if (!Array.isArray(targetContracts) || targetContracts.length === 0 || targetContracts.length > 32 || !targetContracts.every(isAddressHex)) {
+    return {
+      error: "snapshot.targetContracts must be a 1..32-element array of 0x-addresses"
+    };
+  }
+  const rawCaps = obj.selectorCaps;
+  if (!Array.isArray(rawCaps) || rawCaps.length === 0 || rawCaps.length > 32) {
+    return { error: "snapshot.selectorCaps must be a 1..32-element array" };
+  }
+  const parsedCaps = [];
+  const seenSelectors = /* @__PURE__ */ new Set();
+  for (const c of rawCaps) {
+    const parsed = parseSelectorCap(c);
+    if ("error" in parsed) return { error: `selectorCaps: ${parsed.error}` };
+    if (seenSelectors.has(parsed.selector)) {
+      return { error: `selectorCaps: duplicate selector ${parsed.selector}` };
+    }
+    seenSelectors.add(parsed.selector);
+    parsedCaps.push(parsed);
+  }
+  if (typeof obj.validUntilSec !== "number" || !Number.isFinite(obj.validUntilSec) || obj.validUntilSec <= 0) {
+    return { error: "snapshot.validUntilSec must be a positive number" };
+  }
+  if (typeof obj.mintedAtSec !== "number" || !Number.isFinite(obj.mintedAtSec) || obj.mintedAtSec <= 0) {
+    return { error: "snapshot.mintedAtSec must be a positive number" };
+  }
+  if (!isOptionalHash32(obj.consentActionHash)) {
+    return { error: "snapshot.consentActionHash must be a 0x-prefixed 32-byte hex when provided" };
+  }
+  if (!isOptionalHash32(obj.consentTextSha256)) {
+    return { error: "snapshot.consentTextSha256 must be a 0x-prefixed 32-byte hex when provided" };
+  }
+  if (!isOptionalPermissionId(obj.permissionId)) {
+    return { error: "snapshot.permissionId must be a 0x-prefixed 4-byte hex when provided" };
+  }
+  return {
+    sessionId: obj.sessionId,
+    mode: "scoped",
+    signerAddress: obj.signerAddress.toLowerCase(),
+    targetContracts: targetContracts.map(
+      (a) => a.toLowerCase()
+    ),
+    selectorCaps: parsedCaps,
+    validUntilSec: obj.validUntilSec,
+    mintedAtSec: obj.mintedAtSec,
+    ...obj.consentActionHash === void 0 ? {} : { consentActionHash: obj.consentActionHash.toLowerCase() },
+    ...obj.consentTextSha256 === void 0 ? {} : { consentTextSha256: obj.consentTextSha256.toLowerCase() },
+    ...obj.permissionId === void 0 ? {} : { permissionId: obj.permissionId.toLowerCase() }
+  };
+}
+function parseBrokerRequest(line) {
+  let parsed;
+  try {
+    parsed = JSON.parse(line);
+  } catch {
+    return { type: "error", code: "invalid_request", message: "request is not valid JSON" };
+  }
+  if (typeof parsed !== "object" || parsed === null) {
+    return { type: "error", code: "invalid_request", message: "request must be a JSON object" };
+  }
+  const obj = parsed;
+  switch (obj.type) {
+    case "hello":
+      return { type: "hello" };
+    case "sign_hash": {
+      const hash = obj.hash;
+      if (!isHashHex(hash)) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "sign_hash.hash must be a 0x-prefixed 32-byte hex string"
+        };
+      }
+      const intent = obj.intent;
+      const intentValid = intent === void 0 || typeof intent === "object" && intent !== null && typeof intent.tool === "string";
+      if (!intentValid) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "sign_hash.intent.tool must be a string when provided"
+        };
+      }
+      return {
+        type: "sign_hash",
+        hash,
+        ...intent === void 0 ? {} : { intent }
+      };
+    }
+    case "store_jwt": {
+      const jwt = obj.jwt;
+      if (!isJwtShape(jwt)) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "store_jwt.jwt must be a JWT-shaped string \u22648192 chars"
+        };
+      }
+      const expiresAtSec = obj.expiresAtSec;
+      const expiresValid = expiresAtSec === void 0 || typeof expiresAtSec === "number" && Number.isFinite(expiresAtSec) && expiresAtSec > 0;
+      if (!expiresValid) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "store_jwt.expiresAtSec must be a positive number when provided"
+        };
+      }
+      return {
+        type: "store_jwt",
+        jwt,
+        ...expiresAtSec === void 0 ? {} : { expiresAtSec }
+      };
+    }
+    case "get_jwt":
+      return { type: "get_jwt" };
+    case "clear_jwt":
+      return { type: "clear_jwt" };
+    case "sign_userop": {
+      const sessionId = obj.sessionId;
+      if (!isSessionIdShape(sessionId)) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "sign_userop.sessionId must be 1-128 chars [A-Za-z0-9_-]"
+        };
+      }
+      const userOpHash = obj.userOpHash;
+      if (!isHashHex(userOpHash)) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "sign_userop.userOpHash must be a 0x-prefixed 32-byte hex string"
+        };
+      }
+      const innerCall = obj.innerCall;
+      if (typeof innerCall !== "object" || innerCall === null) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "sign_userop.innerCall must be an object with { target, callData }"
+        };
+      }
+      const ic = innerCall;
+      if (!isAddressHex(ic.target)) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "sign_userop.innerCall.target must be a 0x-prefixed 20-byte hex"
+        };
+      }
+      if (!isHexPrefixed(ic.callData) || ic.callData.length < 74 || ic.callData.length % 2 !== 0 || ic.callData.length > MAX_CALLDATA_HEX_LEN) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "sign_userop.innerCall.callData must be 0x-prefixed even-length hex \u226574 chars (selector + first uint256 arg) and \u2264200000 chars"
+        };
+      }
+      const intent = obj.intent;
+      let safeIntent;
+      if (intent !== void 0) {
+        if (typeof intent !== "object" || intent === null) {
+          return {
+            type: "error",
+            code: "invalid_request",
+            message: "sign_userop.intent must be an object when provided"
+          };
+        }
+        const intentObj = intent;
+        if (typeof intentObj.tool !== "string" || intentObj.tool.length > 64) {
+          return {
+            type: "error",
+            code: "invalid_request",
+            message: "sign_userop.intent.tool must be a string \u226464 chars"
+          };
+        }
+        if (intentObj.summary !== void 0 && (typeof intentObj.summary !== "string" || intentObj.summary.length > 256)) {
+          return {
+            type: "error",
+            code: "invalid_request",
+            message: "sign_userop.intent.summary must be a string \u2264256 chars when provided"
+          };
+        }
+        safeIntent = {
+          tool: intentObj.tool,
+          ...typeof intentObj.summary === "string" ? { summary: intentObj.summary } : {}
+        };
+      }
+      return {
+        type: "sign_userop",
+        sessionId,
+        userOpHash,
+        innerCall: {
+          target: ic.target.toLowerCase(),
+          callData: ic.callData.toLowerCase()
+        },
+        ...safeIntent === void 0 ? {} : { intent: safeIntent }
+      };
+    }
+    case "store_policy_snapshot": {
+      const parsed2 = parsePolicySnapshot(obj.snapshot);
+      if ("error" in parsed2) {
+        return { type: "error", code: "invalid_request", message: parsed2.error };
+      }
+      return { type: "store_policy_snapshot", snapshot: parsed2 };
+    }
+    case "get_policy_snapshot": {
+      if (!isSessionIdShape(obj.sessionId)) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "get_policy_snapshot.sessionId must be 1-128 chars [A-Za-z0-9_-]"
+        };
+      }
+      return { type: "get_policy_snapshot", sessionId: obj.sessionId };
+    }
+    case "clear_policy_snapshot": {
+      if (!isSessionIdShape(obj.sessionId)) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "clear_policy_snapshot.sessionId must be 1-128 chars [A-Za-z0-9_-]"
+        };
+      }
+      return { type: "clear_policy_snapshot", sessionId: obj.sessionId };
+    }
+    case "get_active_session_id":
+      return { type: "get_active_session_id" };
+    default:
+      return {
+        type: "error",
+        code: "unsupported_type",
+        message: `unsupported request type: ${String(obj.type)}`
+      };
+  }
+}
+function serializeResponse(res) {
+  return JSON.stringify(res) + "\n";
+}
+
+// src/clients/broker-client.ts
 var BrokerClientError = class extends Error {
-  constructor(code, message, cause) {
+  constructor(code, message, cause, brokerCode) {
     super(message);
     this.code = code;
     this.cause = cause;
+    this.brokerCode = brokerCode;
     this.name = "BrokerClientError";
   }
   code;
   cause;
+  brokerCode;
 };
+function semverGte(a, b) {
+  const re = /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$/;
+  const ma = re.exec(a);
+  const mb = re.exec(b);
+  if (!ma || !mb) {
+    throw new BrokerClientError(
+      "protocol_error",
+      `semverGte: malformed version (got ${JSON.stringify(a)} vs ${JSON.stringify(b)})`
+    );
+  }
+  for (let i = 1; i <= 3; i++) {
+    const ai = Number(ma[i]);
+    const bi = Number(mb[i]);
+    if (ai > bi) return true;
+    if (ai < bi) return false;
+  }
+  return true;
+}
 var BrokerClient = class {
   constructor(options) {
     this.options = options;
@@ -205,6 +597,109 @@ var BrokerClient = class {
       );
     }
   }
+  // ── Wave 5 Path D Slice 1 (Commit 3) — policy snapshot CRUD + sign_userop ──
+  async signUserOp(args) {
+    const res = await this.exchange({
+      type: "sign_userop",
+      sessionId: args.sessionId,
+      userOpHash: args.userOpHash,
+      innerCall: args.innerCall,
+      ...args.intent ? { intent: args.intent } : {}
+    });
+    if (res.type !== "sign_userop") {
+      throw new BrokerClientError(
+        "protocol_error",
+        `expected sign_userop response, got ${res.type}`
+      );
+    }
+    return res;
+  }
+  async storePolicySnapshot(snapshot) {
+    const res = await this.exchange({ type: "store_policy_snapshot", snapshot });
+    if (res.type !== "store_policy_snapshot") {
+      throw new BrokerClientError(
+        "protocol_error",
+        `expected store_policy_snapshot response, got ${res.type}`
+      );
+    }
+    return res;
+  }
+  async getPolicySnapshot(sessionId) {
+    const res = await this.exchange({ type: "get_policy_snapshot", sessionId });
+    if (res.type !== "get_policy_snapshot") {
+      throw new BrokerClientError(
+        "protocol_error",
+        `expected get_policy_snapshot response, got ${res.type}`
+      );
+    }
+    return res;
+  }
+  async clearPolicySnapshot(sessionId) {
+    const res = await this.exchange({ type: "clear_policy_snapshot", sessionId });
+    if (res.type !== "clear_policy_snapshot") {
+      throw new BrokerClientError(
+        "protocol_error",
+        `expected clear_policy_snapshot response, got ${res.type}`
+      );
+    }
+    return res;
+  }
+  async getActiveSessionId() {
+    const res = await this.exchange({ type: "get_active_session_id" });
+    if (res.type !== "get_active_session_id") {
+      throw new BrokerClientError(
+        "protocol_error",
+        `expected get_active_session_id response, got ${res.type}`
+      );
+    }
+    return res;
+  }
+  /**
+   * Detect whether the running daemon speaks Path D (protocol 0.4.0+).
+   * Wraps `hello()` with a semver-gte comparison so the MCP tool layer
+   * can short-circuit to Path C with a clear `version_too_old` reason
+   * instead of surfacing the opaque `unsupported_type` error a stale
+   * 0.3.0 daemon would emit on `sign_userop` / `get_active_session_id`
+   * (Backend Architect H-2, round 2).
+   *
+   * Returns `{ supported: false }` on broker connect failure too — the
+   * caller treats "daemon down" identically to "version too old": Path D
+   * not available, fall through to Path C.
+   */
+  async preflight() {
+    let hello;
+    try {
+      hello = await this.hello();
+    } catch (err2) {
+      return {
+        supported: false,
+        reason: "broker_unreachable",
+        message: err2 instanceof BrokerClientError ? `broker.${err2.code}: ${err2.message}` : err2 instanceof Error ? err2.message : "broker unreachable",
+        requiredVersion: BROKER_PROTOCOL_VERSION
+      };
+    }
+    if (!semverGte(hello.version, BROKER_PROTOCOL_VERSION)) {
+      return {
+        supported: false,
+        reason: "version_too_old",
+        daemonVersion: hello.version,
+        requiredVersion: BROKER_PROTOCOL_VERSION
+      };
+    }
+    if (hello.hasSessionKey === false) {
+      return {
+        supported: false,
+        reason: "session_key_unavailable",
+        daemonVersion: hello.version,
+        requiredVersion: BROKER_PROTOCOL_VERSION
+      };
+    }
+    return {
+      supported: true,
+      daemonVersion: hello.version,
+      signerAddress: hello.sessionKeyAddress
+    };
+  }
   exchange(request) {
     return new Promise((resolve, reject) => {
       let socket;
@@ -245,7 +740,12 @@ var BrokerClient = class {
           const parsed = JSON.parse(line);
           if (parsed.type === "error") {
             settleErr(
-              new BrokerClientError("broker_error", `${parsed.code}: ${parsed.message}`)
+              new BrokerClientError(
+                "broker_error",
+                `${parsed.code}: ${parsed.message}`,
+                void 0,
+                parsed.code
+              )
             );
             return;
           }
@@ -373,6 +873,23 @@ var BackendClient = class {
       false
     );
   }
+  /**
+   * GET variant that sends no Authorization header. Use for backend
+   * endpoints that are intentionally public (e.g. `/api/v1/tokens`
+   * which the marketplace + the 0.2.1 `positionBuy` NAV-conversion
+   * both read). Avoids triggering the AUTH_REQUIRED branch for the
+   * "not yet logged in" case on read paths that don't need auth.
+   */
+  async getUnauth(path, query) {
+    const url = this.buildUrl(path, query);
+    return this.exchange(
+      "GET",
+      url,
+      void 0,
+      /* withAuth */
+      false
+    );
+  }
   buildUrl(path, query) {
     if (!path.startsWith("/")) {
       throw new BackendError("bad_request", `path must start with "/": ${path}`);
@@ -465,12 +982,413 @@ function mapStatus(status) {
   if (status >= 500) return "server_error";
   return "invalid_response";
 }
-var TOOL_DESCRIPTORS = [
-  {
-    name: "muhaven.read.portfolio",
-    group: "read",
-    description: "Return the authenticated investor's encrypted-balance portfolio summary. Output exposes only public aggregates (token list, ebool isOverexposed / isUnderYield handles); decrypted balances are NEVER included in the response. The LLM should call muhaven.read.portfolio for fact-checks about the user's state, not estimate from chat history.",
-    sensitive: false
+var ENTRY_POINT_GET_NONCE_ABI = parseAbi([
+  "function getNonce(address sender, uint192 key) view returns (uint256)"
+]);
+var BundlerClientError = class extends Error {
+  constructor(code, message, detail) {
+    super(message);
+    this.code = code;
+    this.detail = detail;
+    this.name = "BundlerClientError";
+  }
+  code;
+  detail;
+};
+var BundlerClient = class {
+  constructor(options) {
+    this.options = options;
+    this.fetchImpl = options.fetchImpl ?? globalThis.fetch.bind(globalThis);
+  }
+  options;
+  fetchImpl;
+  nextRpcId = 1;
+  /**
+   * Submit a signed UserOperation. Returns the userOpHash the bundler
+   * computed (which must match the hash the broker signed — caller is
+   * responsible for the consistency check; broker policy snapshot
+   * captures the signer-binding piece).
+   */
+  async sendUserOp(userOp, entryPoint) {
+    const result = await this.rpc("eth_sendUserOperation", [userOp, entryPoint]);
+    if (typeof result !== "string" || !/^0x[0-9a-fA-F]{64}$/.test(result)) {
+      throw new BundlerClientError(
+        "invalid_response",
+        `eth_sendUserOperation returned non-hash result: ${JSON.stringify(result).slice(0, 80)}`
+      );
+    }
+    return result.toLowerCase();
+  }
+  /** Return the receipt for a userOpHash, or null when the UserOp has
+   *  not yet been bundled. */
+  async getReceipt(userOpHash) {
+    const result = await this.rpc("eth_getUserOperationReceipt", [userOpHash]);
+    if (result === null || result === void 0) return null;
+    return parseReceipt(result);
+  }
+  /**
+   * Poll until the bundler returns a receipt, or `timeoutMs` elapses.
+   * Caller decides retry / fallback behaviour on `receipt_timeout`.
+   *
+   * Poll interval grows linearly from `initialIntervalMs` to
+   * `maxIntervalMs` to avoid burning the bundler quota when blocks are
+   * slow. Default tuning: 500ms → 2000ms over the first 6 polls; then
+   * pinned at 2000ms.
+   */
+  async waitForReceipt(userOpHash, opts) {
+    const clock = opts.clockMs ?? (() => Date.now());
+    const sleep = opts.sleep ?? ((ms) => setTimeout$1(ms));
+    const initial = opts.initialIntervalMs ?? 500;
+    const max = opts.maxIntervalMs ?? 2e3;
+    const deadline = clock() + opts.timeoutMs;
+    let attempt = 0;
+    while (true) {
+      const receipt = await this.getReceipt(userOpHash);
+      if (receipt) return receipt;
+      const now = clock();
+      if (now >= deadline) {
+        throw new BundlerClientError(
+          "receipt_timeout",
+          `no receipt for userOp ${userOpHash} within ${opts.timeoutMs}ms`
+        );
+      }
+      const interval = Math.min(max, initial + attempt * 250);
+      const remaining = Math.max(0, deadline - now);
+      await sleep(Math.min(interval, remaining));
+      attempt++;
+    }
+  }
+  /**
+   * Wave 5 Path D Slice 1 Commit 3.5 — `pm_sponsorUserOperation`.
+   * ZeroDev's bundler URL serves both bundler RPCs AND paymaster RPCs
+   * at the same endpoint, so we don't need a separate paymaster URL.
+   * Returns the paymaster fields + the gas limits the paymaster's
+   * simulation computed (the caller doesn't need a separate
+   * `estimateUserOpGas` round-trip on the happy path).
+   */
+  async sponsorUserOp(userOp, entryPoint) {
+    const result = await this.rpc("pm_sponsorUserOperation", [userOp, entryPoint]);
+    return parseSponsoredFields(result);
+  }
+  /**
+   * Wave 5 Path D Slice 1 Commit 3.5 — `eth_estimateUserOperationGas`.
+   * Not used in the happy path (sponsorship returns gas), but lives as
+   * a fallback for unsponsored flows OR if the operator's paymaster
+   * goes down. Reading gas separately also makes the failure modes
+   * distinguishable for the LLM-facing fallback reasons.
+   */
+  async estimateUserOpGas(userOp, entryPoint) {
+    const result = await this.rpc("eth_estimateUserOperationGas", [userOp, entryPoint]);
+    if (typeof result !== "object" || result === null) {
+      throw new BundlerClientError(
+        "invalid_response",
+        "eth_estimateUserOperationGas returned non-object"
+      );
+    }
+    const obj = result;
+    return {
+      callGasLimit: assertHex(obj.callGasLimit, "estimateUserOpGas.callGasLimit"),
+      verificationGasLimit: assertHex(
+        obj.verificationGasLimit,
+        "estimateUserOpGas.verificationGasLimit"
+      ),
+      preVerificationGas: assertHex(
+        obj.preVerificationGas,
+        "estimateUserOpGas.preVerificationGas"
+      )
+    };
+  }
+  /**
+   * Wave 5 Path D Slice 1 Commit 3.5 — `eth_call` against the
+   * EntryPoint's `getNonce(sender, key)`. Uses the bundler URL as a
+   * full Arb Sepolia node (ZeroDev's bundler accepts read-side RPCs).
+   *
+   * Pass `key = 0n` for the default nonce key — Path D never uses a
+   * non-default key in Slice 1; reserved for batched UserOps in
+   * later slices.
+   */
+  async getNonce(sender, entryPoint, key = 0n) {
+    const data = encodeFunctionData({
+      abi: ENTRY_POINT_GET_NONCE_ABI,
+      functionName: "getNonce",
+      args: [sender, key]
+    });
+    const result = await this.rpc("eth_call", [
+      { to: entryPoint, data },
+      "latest"
+    ]);
+    if (typeof result !== "string" || !/^0x[0-9a-fA-F]*$/.test(result)) {
+      throw new BundlerClientError(
+        "invalid_response",
+        `eth_call returned non-hex: ${JSON.stringify(result).slice(0, 80)}`
+      );
+    }
+    const [nonce] = decodeAbiParameters([{ type: "uint256" }], result);
+    return nonce;
+  }
+  /**
+   * Wave 5 Path D Slice 1 Commit 3.5 — fetch the fee market via
+   * `eth_gasPrice` (returns a single value the bundler will accept for
+   * both maxFee + maxPriorityFee on Arb Sepolia, which has effectively
+   * no priority-vs-base distinction).
+   *
+   * Simple-on-purpose: a full EIP-1559 fee market read would need two
+   * RPCs (`eth_maxPriorityFeePerGas` + `eth_getBlock`); Arb Sepolia's
+   * fee dynamics don't require that precision and the paymaster pays
+   * either way. A future caller wanting EIP-1559 precision can add a
+   * sibling method.
+   */
+  async getFeeData() {
+    const result = await this.rpc("eth_gasPrice", []);
+    if (typeof result !== "string" || !/^0x[0-9a-fA-F]+$/.test(result)) {
+      throw new BundlerClientError(
+        "invalid_response",
+        `eth_gasPrice returned non-hex: ${JSON.stringify(result).slice(0, 80)}`
+      );
+    }
+    const base = BigInt(result);
+    const margined = base * 2n;
+    const hex = `0x${margined.toString(16)}`;
+    return { maxFeePerGas: hex, maxPriorityFeePerGas: hex };
+  }
+  /**
+   * Verify the bundler's reported chainId matches `expectedChainId`. Cheap
+   * to call once at MCP server boot (or lazily before the first send) so
+   * a misconfigured bundler URL surfaces as `chain_mismatch` before any
+   * user-facing send rather than after a guaranteed-failing submit.
+   *
+   * Throws `BundlerClientError(config)` if no `expectedChainId` is set —
+   * caller asked for an assert without configuring the expectation.
+   */
+  async assertChainId() {
+    if (this.options.expectedChainId === void 0) {
+      throw new BundlerClientError(
+        "config",
+        "assertChainId called without expectedChainId configured"
+      );
+    }
+    const result = await this.rpc("eth_chainId", []);
+    if (typeof result !== "string" || !/^0x[0-9a-fA-F]+$/.test(result)) {
+      throw new BundlerClientError(
+        "invalid_response",
+        `eth_chainId returned non-hex result: ${JSON.stringify(result).slice(0, 80)}`
+      );
+    }
+    const reported = Number.parseInt(result, 16);
+    if (reported !== this.options.expectedChainId) {
+      throw new BundlerClientError(
+        "chain_mismatch",
+        `bundler reports chainId ${reported}, MCP expected ${this.options.expectedChainId}`,
+        { reportedChainId: reported, expectedChainId: this.options.expectedChainId }
+      );
+    }
+  }
+  async rpc(method, params) {
+    const id = this.nextRpcId++;
+    const body = JSON.stringify({ jsonrpc: "2.0", id, method, params });
+    const ctrl = new AbortController();
+    const timer = setTimeout(() => ctrl.abort(), this.options.requestTimeoutMs);
+    let res;
+    try {
+      res = await this.fetchImpl(this.options.endpoint, {
+        method: "POST",
+        headers: { "content-type": "application/json", accept: "application/json" },
+        body,
+        signal: ctrl.signal
+      });
+    } catch (err2) {
+      clearTimeout(timer);
+      if (err2.name === "AbortError") {
+        throw new BundlerClientError("timeout", `bundler ${method} timed out`);
+      }
+      throw new BundlerClientError(
+        "network",
+        `bundler ${method} network error: ${err2 instanceof Error ? err2.message : String(err2)}`,
+        err2
+      );
+    } finally {
+      clearTimeout(timer);
+    }
+    if (!res.ok) {
+      let text = "";
+      try {
+        text = (await res.text()).slice(0, 256);
+      } catch {
+      }
+      throw new BundlerClientError(
+        "http_error",
+        `bundler ${method} \u2192 HTTP ${res.status}: ${text}`
+      );
+    }
+    let parsed;
+    try {
+      parsed = await res.json();
+    } catch (err2) {
+      throw new BundlerClientError(
+        "invalid_response",
+        `bundler ${method} returned non-JSON: ${err2 instanceof Error ? err2.message : String(err2)}`
+      );
+    }
+    if (typeof parsed !== "object" || parsed === null) {
+      throw new BundlerClientError(
+        "invalid_response",
+        `bundler ${method} returned non-object`
+      );
+    }
+    const obj = parsed;
+    if (obj.error !== void 0 && obj.error !== null) {
+      const err2 = obj.error;
+      throw new BundlerClientError(
+        "rpc_error",
+        `bundler ${method} rpc error: ${typeof err2.message === "string" ? err2.message : "<no message>"}`,
+        { code: err2.code, message: err2.message, data: err2.data }
+      );
+    }
+    return obj.result;
+  }
+};
+function parseReceipt(raw) {
+  if (typeof raw !== "object" || raw === null) {
+    throw new BundlerClientError("invalid_response", "receipt is not an object");
+  }
+  const obj = raw;
+  const userOpHash = obj.userOpHash;
+  if (typeof userOpHash !== "string" || !/^0x[0-9a-fA-F]{64}$/.test(userOpHash)) {
+    throw new BundlerClientError("invalid_response", "receipt.userOpHash malformed");
+  }
+  const sender = obj.sender;
+  if (typeof sender !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(sender)) {
+    throw new BundlerClientError("invalid_response", "receipt.sender malformed");
+  }
+  if (typeof obj.success !== "boolean") {
+    throw new BundlerClientError("invalid_response", "receipt.success must be a boolean");
+  }
+  const inner = obj.receipt;
+  if (typeof inner !== "object" || inner === null) {
+    throw new BundlerClientError("invalid_response", "receipt.receipt missing");
+  }
+  const innerObj = inner;
+  const txHash = innerObj.transactionHash;
+  if (typeof txHash !== "string" || !/^0x[0-9a-fA-F]{64}$/.test(txHash)) {
+    throw new BundlerClientError(
+      "invalid_response",
+      "receipt.receipt.transactionHash malformed"
+    );
+  }
+  const blockNumber = innerObj.blockNumber;
+  if (typeof blockNumber !== "string" || !/^0x[0-9a-fA-F]+$/.test(blockNumber)) {
+    throw new BundlerClientError(
+      "invalid_response",
+      "receipt.receipt.blockNumber malformed"
+    );
+  }
+  const blockHash = innerObj.blockHash;
+  if (typeof blockHash !== "string" || !/^0x[0-9a-fA-F]{64}$/.test(blockHash)) {
+    throw new BundlerClientError(
+      "invalid_response",
+      "receipt.receipt.blockHash malformed"
+    );
+  }
+  return {
+    userOpHash: userOpHash.toLowerCase(),
+    sender: sender.toLowerCase(),
+    success: obj.success,
+    ...typeof obj.reason === "string" ? { reason: obj.reason } : {},
+    receipt: {
+      transactionHash: txHash.toLowerCase(),
+      blockNumber: blockNumber.toLowerCase(),
+      blockHash: blockHash.toLowerCase()
+    }
+  };
+}
+function parseSponsoredFields(raw) {
+  if (typeof raw !== "object" || raw === null) {
+    throw new BundlerClientError(
+      "invalid_response",
+      "pm_sponsorUserOperation returned non-object"
+    );
+  }
+  const obj = raw;
+  return {
+    paymaster: assertHexAddress(obj.paymaster, "sponsoredFields.paymaster"),
+    paymasterVerificationGasLimit: assertHexNonZero(
+      obj.paymasterVerificationGasLimit,
+      "sponsoredFields.paymasterVerificationGasLimit",
+      MAX_PAYMASTER_GAS_LIMIT
+    ),
+    paymasterPostOpGasLimit: assertHexNonZero(
+      obj.paymasterPostOpGasLimit,
+      "sponsoredFields.paymasterPostOpGasLimit",
+      MAX_PAYMASTER_GAS_LIMIT
+    ),
+    // paymasterData is the only sponsored field that can legitimately
+    // be empty (`0x`) — paymasters with no per-op data return that.
+    paymasterData: assertHex(obj.paymasterData, "sponsoredFields.paymasterData"),
+    callGasLimit: assertHexNonZero(
+      obj.callGasLimit,
+      "sponsoredFields.callGasLimit",
+      MAX_CALL_GAS_LIMIT
+    ),
+    verificationGasLimit: assertHexNonZero(
+      obj.verificationGasLimit,
+      "sponsoredFields.verificationGasLimit",
+      MAX_VERIFICATION_GAS_LIMIT
+    ),
+    preVerificationGas: assertHexNonZero(
+      obj.preVerificationGas,
+      "sponsoredFields.preVerificationGas",
+      MAX_PRE_VERIFICATION_GAS
+    )
+  };
+}
+function assertHex(value, label) {
+  if (typeof value !== "string" || !/^0x([0-9a-fA-F]{2})*$/.test(value)) {
+    const repr = value === void 0 ? "undefined" : JSON.stringify(value);
+    const safe = typeof repr === "string" ? repr.slice(0, 80) : "unknown";
+    throw new BundlerClientError(
+      "invalid_response",
+      `${label} must be a 0x-prefixed hex string (got ${safe})`
+    );
+  }
+  return value;
+}
+function assertHexNonZero(value, label, maxValue) {
+  const hex = assertHex(value, label);
+  if (hex.length === 2 || BigInt(hex) === 0n) {
+    throw new BundlerClientError(
+      "invalid_response",
+      `${label} must be a non-zero hex value (got "${hex}")`
+    );
+  }
+  if (maxValue !== void 0 && BigInt(hex) > maxValue) {
+    throw new BundlerClientError(
+      "invalid_response",
+      `${label} = ${BigInt(hex)} exceeds plausible ceiling ${maxValue} \u2014 refusing to sign + submit`
+    );
+  }
+  return hex;
+}
+var MAX_CALL_GAS_LIMIT = 20000000n;
+var MAX_VERIFICATION_GAS_LIMIT = 20000000n;
+var MAX_PRE_VERIFICATION_GAS = 5000000n;
+var MAX_PAYMASTER_GAS_LIMIT = 5000000n;
+function assertHexAddress(value, label) {
+  if (typeof value !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(value)) {
+    const repr = value === void 0 ? "undefined" : JSON.stringify(value);
+    const safe = typeof repr === "string" ? repr.slice(0, 80) : "unknown";
+    throw new BundlerClientError(
+      "invalid_response",
+      `${label} must be a 0x-prefixed 20-byte hex address (got ${safe})`
+    );
+  }
+  return value;
+}
+var TOOL_DESCRIPTORS = [
+  {
+    name: "muhaven.read.portfolio",
+    group: "read",
+    description: "Return the authenticated investor's encrypted-balance portfolio summary. Output exposes only public aggregates (token list, ebool isOverexposed / isUnderYield handles); decrypted balances are NEVER included in the response. The LLM should call muhaven.read.portfolio for fact-checks about the user's state, not estimate from chat history.",
+    sensitive: false
   },
   {
     name: "muhaven.read.yields",
@@ -496,16 +1414,22 @@ var TOOL_DESCRIPTORS = [
     description: `Return the authenticated user's tiered-autonomy audit log entries. Cursor-paginated. Useful for forensic review ("why was I paused?") and grant-reviewer demos. Read-only \u2014 never exposes other users' data.`,
     sensitive: false
   },
+  {
+    name: "muhaven.read.activity",
+    group: "read",
+    description: "Return the authenticated investor's on-chain activity feed (buys / sells / wraps / unwraps / yield claims / transfers). Each row carries token address, tx hash, block timestamp, and event type \u2014 but NEVER cleartext amounts (encrypted handles only, decryptable client-side via permit). USE THIS to verify a Path C dashboard action settled: after position.buy / position.sell / cash.wrap, the user opens the deep-link, taps Authorize, the on-chain tx lands \u2192 a new row appears here. Far more reliable than re-calling read.portfolio (which only changes shape when a NEW token enters the catalog).",
+    sensitive: false
+  },
   {
     name: "muhaven.position.buy",
     group: "position",
-    description: 'Prepare a Subscription buy. Returns a dashboard deep-link URL (muhaven.app/trade?mode=buy&...) the user opens to review the pre-filled form, then taps Authorize. The user\'s passkey + ZeroDev kernel sign on the dashboard \u2014 this MCP tool never holds or submits a signing key. Use after the user names a clear amount + token (e.g. "Buy 5 mhUSDC of TBILL1" \u2192 `amountUsdc: "5"`). Token accepts either a symbol ("TBILL1") or 0x-address. The `amountUsdc` field is HUMAN-DECIMAL mhUSDC ("5" = 5 mhUSDC, "0.5" = half a mhUSDC) \u2014 NOT base-6 integer. Max 6 fractional digits. Settlement is NOT observable from MCP \u2014 verify by calling muhaven.read.portfolio after the user confirms done.',
+    description: 'Prepare a Subscription buy. Returns a dashboard deep-link URL (muhaven.app/trade?mode=buy&...) the user opens to review the pre-filled form, then taps Authorize. The user\'s passkey + ZeroDev kernel sign on the dashboard \u2014 this MCP tool never holds or submits a signing key. Use after the user names a clear amount + token (e.g. "Buy 5 mhUSDC of TBILL1" \u2192 `amountUsdc: "5"`). Token accepts either a symbol ("TBILL1") or 0x-address. The `amountUsdc` field is HUMAN-DECIMAL mhUSDC ("5" = 5 mhUSDC, "0.5" = half a mhUSDC) \u2014 NOT base-6 integer. Max 6 fractional digits. The tool fetches the current on-chain NAV for the token and converts the notional to integer shares (floor) before building the URL \u2014 so "Buy 3 mhUSDC of GOLD1" at NAV $0.01 becomes "Buy 300 GOLD1 shares (~3 mhUSDC)". Refuses with `amount_too_small_for_share` when the notional won\'t buy at least 1 share at current NAV; the error message tells the user the minimum mhUSDC needed. Settlement is NOT observable from MCP \u2014 verify by calling muhaven.read.activity after the user confirms done (a new "buy" row with the tx hash will appear).',
     sensitive: true
   },
   {
     name: "muhaven.position.sell",
     group: "position",
-    description: "Prepare a Subscription sell. Returns a dashboard deep-link URL (muhaven.app/trade?mode=sell&...) with the form pre-filled. Same passkey + verify-after pattern as muhaven.position.buy. Input is amountShares (raw POSITIVE INTEGER share count, NOT mhUSDC notional) \u2014 fhERC-20 shares have no decimals so fractional inputs are rejected.",
+    description: 'Prepare a Subscription sell. Returns a dashboard deep-link URL (muhaven.app/trade?mode=sell&...) with the form pre-filled. Same passkey + verify-after pattern as muhaven.position.buy. Input is amountShares (raw POSITIVE INTEGER share count, NOT mhUSDC notional) \u2014 fhERC-20 shares have no decimals so fractional inputs are rejected. Verify settlement by calling muhaven.read.activity (look for a "sell" or "sell-queued" row with the tx hash).',
     sensitive: true
   },
   {
@@ -524,7 +1448,7 @@ var TOOL_DESCRIPTORS = [
   {
     name: "muhaven.cash.wrap",
     group: "cash",
-    description: 'Prepare a USDC \u2192 mhUSDC wrap (the encrypted-balance conversion that funds buys). Returns a dashboard deep-link URL (muhaven.app/cash?action=wrap&...) with the amount pre-filled. Input amountUsdc is human-readable USDC ("100" = $100). Common LLM chain: read.portfolio \u2192 notice 0 mhUSDC \u2192 cash.wrap \u2192 then position.buy (each is its own user-confirmed deep-link). Settlement not observable from MCP \u2014 re-call read.portfolio to verify.',
+    description: 'Prepare a USDC \u2192 mhUSDC wrap (the encrypted-balance conversion that funds buys). Returns a dashboard deep-link URL (muhaven.app/cash?action=wrap&...) with the amount pre-filled. Input amountUsdc is human-readable USDC ("100" = $100). Common LLM chain: read.portfolio \u2192 notice 0 mhUSDC \u2192 cash.wrap \u2192 then position.buy (each is its own user-confirmed deep-link). Verify settlement by calling muhaven.read.activity (a new "wrap" row will appear with the tx hash).',
     sensitive: true
   },
   {
@@ -692,6 +1616,10 @@ var ReadAuditInputSchema = z.object({
   cursor: z.string().min(1).max(512).optional(),
   limit: z.number().int().min(1).max(200).optional()
 }).strict();
+var ReadActivityInputSchema = z.object({
+  limit: z.number().int().min(1).max(50).optional(),
+  offset: z.number().int().min(0).max(1e3).optional()
+}).strict();
 var decimalUsdcAmountSchema = z.string().regex(
   /^(0|[1-9]\d*)(\.\d{1,6})?$/,
   'must be a positive decimal mhUSDC amount with at most 6 fractional digits (e.g. "5", "0.5", "1234.567")'
@@ -802,6 +1730,119 @@ var GovernanceCastVoteInputSchema = z.object({
   voteYes: z.boolean()
 }).strict();
 
+// src/auth/jwt-decode.ts
+var JwtDecodeError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "JwtDecodeError";
+    this.code = code;
+  }
+};
+function decodeJwtPayload(jwt) {
+  const segments = jwt.split(".");
+  if (segments.length !== 3) {
+    throw new JwtDecodeError(
+      "malformed_segments",
+      `expected 3 dot-separated segments, got ${segments.length}`
+    );
+  }
+  const payloadSegment = segments[1];
+  if (payloadSegment === void 0) {
+    throw new JwtDecodeError("malformed_segments", "payload segment missing");
+  }
+  let payloadJson;
+  try {
+    payloadJson = Buffer.from(payloadSegment, "base64url").toString("utf8");
+  } catch (err2) {
+    throw new JwtDecodeError(
+      "malformed_base64",
+      `payload segment is not valid base64url: ${err2 instanceof Error ? err2.message : String(err2)}`
+    );
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(payloadJson);
+  } catch (err2) {
+    throw new JwtDecodeError(
+      "malformed_json",
+      `payload is not valid JSON: ${err2 instanceof Error ? err2.message : String(err2)}`
+    );
+  }
+  if (parsed === null || typeof parsed !== "object") {
+    throw new JwtDecodeError(
+      "malformed_json",
+      `payload is not a JSON object (got ${parsed === null ? "null" : typeof parsed})`
+    );
+  }
+  const obj = parsed;
+  return {
+    sub: typeof obj.sub === "string" ? obj.sub : null,
+    scope: Array.isArray(obj.scope) ? obj.scope.filter((s) => typeof s === "string") : [],
+    expSec: typeof obj.exp === "number" ? obj.exp : null,
+    iss: typeof obj.iss === "string" ? obj.iss : null
+  };
+}
+function truncateSubject(sub) {
+  if (!sub) return "(missing)";
+  const sanitized = sub.replace(/[^\x20-\x7e]/g, "?");
+  if (sanitized.length <= 12) return sanitized;
+  return `${sanitized.slice(0, 8)}\u2026${sanitized.slice(-4)}`;
+}
+var KERNEL_EXECUTE_ABI = parseAbi([
+  "function execute(bytes32 mode, bytes calldata executionCalldata)"
+]);
+var KERNEL_V3_SINGLE_CALL_MODE_DEFAULT = `0x${"00".repeat(32)}`;
+function encodeKernelExecuteSingleCall(input) {
+  const executionCalldata = encodePacked(
+    ["address", "uint256", "bytes"],
+    [input.target, input.value, input.callData]
+  );
+  return encodeFunctionData({
+    abi: KERNEL_EXECUTE_ABI,
+    functionName: "execute",
+    args: [KERNEL_V3_SINGLE_CALL_MODE_DEFAULT, executionCalldata]
+  });
+}
+var ECDSA_SIG_HEX_RE = /^0x[0-9a-fA-F]{130}$/;
+var PERMISSION_USE_PREFIX = "0xff";
+function buildKernelSessionKeySignature(input) {
+  if (!ECDSA_SIG_HEX_RE.test(input.ecdsaSignature)) {
+    throw new Error(
+      `buildKernelSessionKeySignature: ecdsaSignature must be a 0x-prefixed 65-byte hex (got ${input.ecdsaSignature.length} chars)`
+    );
+  }
+  return concatHex([PERMISSION_USE_PREFIX, input.ecdsaSignature]);
+}
+var VALIDATOR_MODE_DEFAULT = "0x00";
+var VALIDATOR_TYPE_PERMISSION = "0x02";
+var PERMISSION_ID_HEX_RE = /^0x[0-9a-fA-F]{8}$/;
+function composeKernelV3NonceKey(args) {
+  if (!PERMISSION_ID_HEX_RE.test(args.permissionId)) {
+    throw new Error(
+      `composeKernelV3NonceKey: permissionId must be a 0x-prefixed 4-byte hex (got ${args.permissionId.length} chars)`
+    );
+  }
+  const customKey = args.customKey ?? 0n;
+  if (customKey < 0n || customKey > 0xffffn) {
+    throw new Error(
+      `composeKernelV3NonceKey: customKey must fit in 2 bytes (0..0xffff), got ${customKey}`
+    );
+  }
+  const paddedPermissionId = pad(args.permissionId, { size: 20, dir: "right" });
+  const customKeyHex = pad(`0x${customKey.toString(16)}`, { size: 2 });
+  const composite = pad(
+    concatHex([
+      VALIDATOR_MODE_DEFAULT,
+      VALIDATOR_TYPE_PERMISSION,
+      paddedPermissionId,
+      customKeyHex
+    ]),
+    { size: 24 }
+  );
+  return BigInt(composite);
+}
+
 // src/tools/auth-required.ts
 function authRequiredPayload() {
   return {
@@ -812,7 +1853,45 @@ function authRequiredPayload() {
   };
 }
 
+// src/tools/decimal.ts
+function parseDecimalToUsd6(decimal) {
+  const m = /^(\d+)(?:\.(\d+))?$/.exec(decimal);
+  if (!m) {
+    throw new Error(`Invalid decimal price: ${JSON.stringify(decimal)}`);
+  }
+  const intPart = m[1];
+  const fracPart = m[2] ?? "";
+  const fracPadded = (fracPart + "000000").slice(0, 6);
+  return BigInt(intPart + fracPadded);
+}
+function computeSharesFromUsd6(notionalUsd6, navUsd6) {
+  if (navUsd6 <= 0n) {
+    throw new Error("navUsd6 must be positive");
+  }
+  if (notionalUsd6 < 0n) {
+    throw new Error("notionalUsd6 must be non-negative");
+  }
+  return notionalUsd6 / navUsd6;
+}
+function formatUsd6AsDecimal(usd6) {
+  if (usd6 < 0n) {
+    throw new Error("usd6 must be non-negative");
+  }
+  const whole = usd6 / 1000000n;
+  const frac = usd6 % 1000000n;
+  if (frac === 0n) return whole.toString();
+  const fracStr = frac.toString().padStart(6, "0").replace(/0+$/, "");
+  return `${whole.toString()}.${fracStr}`;
+}
+
 // src/tools/handlers.ts
+var SUBSCRIPTION_PURCHASE_SELECTOR = toFunctionSelector(
+  "function purchase(address,(uint256,uint8,uint8,bytes),uint128,address)"
+).toLowerCase();
+var SUBSCRIPTION_PURCHASE_ABI = parseAbi([
+  "function purchase(address token, (uint256 ctHash, uint8 securityZone, uint8 utype, bytes signature) encShares, uint128 maxSharesHint, address ephemeralEOA)"
+]);
+var PLACEHOLDER_SIGNATURE = "0x" + "fe".repeat(86);
 function ok(data) {
   return { ok: true, data };
 }
@@ -824,85 +1903,775 @@ function mapBackendError(e) {
     if (e.code === "unauthorized") return authRequiredPayload();
     return err(`backend.${e.code}`, e.message);
   }
-  if (e instanceof Error) return err("backend.network", e.message);
-  return err("backend.network", "unknown backend error");
-}
-async function readPortfolio(_input, deps) {
+  if (e instanceof Error) return err("backend.network", e.message);
+  return err("backend.network", "unknown backend error");
+}
+async function readPortfolio(_input, deps) {
+  try {
+    const data = await deps.backend.get("/api/v1/portfolio");
+    return ok(data);
+  } catch (e) {
+    return mapBackendError(e);
+  }
+}
+async function readYields(input, deps) {
+  try {
+    const data = await deps.backend.get("/api/v1/yields", {
+      token: input.token,
+      limit: input.limit
+    });
+    return ok(data);
+  } catch (e) {
+    return mapBackendError(e);
+  }
+}
+async function readDistribution(input, deps) {
+  try {
+    const data = await deps.backend.get("/api/v1/distributions", {
+      token: input.token,
+      epoch: input.epoch
+    });
+    return ok(data);
+  } catch (e) {
+    return mapBackendError(e);
+  }
+}
+async function readTokens(_input, deps) {
+  try {
+    const data = await deps.backend.get("/api/v1/tokens");
+    return ok(data);
+  } catch (e) {
+    return mapBackendError(e);
+  }
+}
+async function readAudit(input, deps) {
+  try {
+    const data = await deps.backend.get("/api/v1/agent/policy/audit", {
+      surface: input.surface,
+      eventTypes: input.eventTypes?.join(","),
+      since: input.since,
+      until: input.until,
+      cursor: input.cursor,
+      limit: input.limit
+    });
+    return ok(data);
+  } catch (e) {
+    return mapBackendError(e);
+  }
+}
+async function readActivity(input, deps) {
+  try {
+    const data = await deps.backend.get("/api/v1/activity", {
+      limit: input.limit,
+      offset: input.offset
+    });
+    return ok(data);
+  } catch (e) {
+    return mapBackendError(e);
+  }
+}
+function buildPositionDeeplink(dashboardBaseUrl, action, params) {
+  const base = dashboardBaseUrl.replace(/\/+$/, "");
+  const path = action === "buy" || action === "sell" ? "/trade" : action === "claim" ? "/yields" : "/cash";
+  const search = new URLSearchParams();
+  if (action === "buy" || action === "sell") search.set("mode", action);
+  for (const [k, v] of Object.entries(params)) search.set(k, v);
+  search.set("from", "mcp");
+  return `${base}${path}?${search.toString()}`;
+}
+function resolveDashboardBaseUrl(deps) {
+  return deps.dashboardBaseUrl ?? "https://muhaven.app";
+}
+function resolveTokenInCatalog(identifier, catalog) {
+  const needle = identifier.toLowerCase();
+  return catalog.find(
+    (t) => t.address.toLowerCase() === needle || t.symbol.toLowerCase() === needle
+  ) ?? null;
+}
+function sanitizeSymbolForLlmContext(raw) {
+  const cleaned = raw.replace(/[^A-Za-z0-9_-]/g, "?");
+  return cleaned.length > 16 ? cleaned.slice(0, 16) : cleaned;
+}
+function sanitizeRpcMessageForLlmContext(raw) {
+  const cleaned = raw.replace(/[\x00-\x1f\x7f]/g, "").replace(/[^\x20-\x7e]/g, "?").replace(/\s+/g, " ").trim();
+  return cleaned.length > 120 ? cleaned.slice(0, 120) + "\u2026" : cleaned;
+}
+function mapBrokerCallFailure(err2, verb, defaultReason = "broker_internal") {
+  if (err2 instanceof BrokerClientError && err2.brokerCode === "unsupported_type") {
+    return {
+      kind: "fallback",
+      reason: "version_too_old",
+      message: `broker daemon rejected ${verb} as unsupported_type \u2014 daemon is likely older than protocol 0.4.0; upgrade @muhaven/mcp and restart the broker`
+    };
+  }
+  return {
+    kind: "fallback",
+    reason: defaultReason,
+    message: `broker rejected ${verb} (${typedErrorCode(err2)})`
+  };
+}
+var MCP_HEX_20_BYTE_RE = /^0x[0-9a-fA-F]{40}$/;
+var MCP_HEX_4_BYTE_RE = /^0x[0-9a-fA-F]{8}$/;
+var MCP_HEX_32_BYTE_RE = /^0x[0-9a-fA-F]{64}$/;
+var MCP_SESSION_ID_RE = /^[A-Za-z0-9_-]{1,128}$/;
+var MirrorDtoMalformedError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "MirrorDtoMalformedError";
+  }
+};
+function mirrorDtoToPolicySnapshot(dto) {
+  if (dto.mode !== "scoped") {
+    throw new MirrorDtoMalformedError(
+      `mode must be 'scoped' (got ${JSON.stringify(dto.mode)}); wildcard mirror auto-sync ships in Slice 4`
+    );
+  }
+  if (dto.status !== "active") {
+    throw new MirrorDtoMalformedError(
+      `status must be 'active' for auto-sync (got ${JSON.stringify(dto.status)}); backend mirror should have filtered this row out`
+    );
+  }
+  if (typeof dto.sessionId !== "string" || !MCP_SESSION_ID_RE.test(dto.sessionId)) {
+    throw new MirrorDtoMalformedError(
+      `sessionId must match /^[A-Za-z0-9_-]{1,128}$/`
+    );
+  }
+  if (!MCP_HEX_20_BYTE_RE.test(dto.signerAddress)) {
+    throw new MirrorDtoMalformedError(
+      `signerAddress is not a 0x-prefixed 20-byte hex`
+    );
+  }
+  if (!Array.isArray(dto.targetContracts) || dto.targetContracts.length === 0) {
+    throw new MirrorDtoMalformedError(
+      `targetContracts must be a non-empty array`
+    );
+  }
+  for (const t of dto.targetContracts) {
+    if (typeof t !== "string" || !MCP_HEX_20_BYTE_RE.test(t)) {
+      throw new MirrorDtoMalformedError(
+        `targetContracts entry is not a 0x-prefixed 20-byte hex`
+      );
+    }
+  }
+  if (!Array.isArray(dto.selectorCaps) || dto.selectorCaps.length === 0) {
+    throw new MirrorDtoMalformedError(`selectorCaps must be a non-empty array`);
+  }
+  for (const c of dto.selectorCaps) {
+    if (typeof c?.selector !== "string" || !MCP_HEX_4_BYTE_RE.test(c.selector)) {
+      throw new MirrorDtoMalformedError(
+        `selectorCaps entry has a malformed selector`
+      );
+    }
+  }
+  if (dto.permissionId != null && !MCP_HEX_4_BYTE_RE.test(dto.permissionId)) {
+    throw new MirrorDtoMalformedError(
+      `permissionId is not a 0x-prefixed 4-byte hex`
+    );
+  }
+  if (dto.consentActionHash != null && !MCP_HEX_32_BYTE_RE.test(dto.consentActionHash)) {
+    throw new MirrorDtoMalformedError(
+      `consentActionHash is not a 0x-prefixed 32-byte hex`
+    );
+  }
+  if (dto.consentTextSha256 != null && !MCP_HEX_32_BYTE_RE.test(dto.consentTextSha256)) {
+    throw new MirrorDtoMalformedError(
+      `consentTextSha256 is not a 0x-prefixed 32-byte hex`
+    );
+  }
+  return {
+    sessionId: dto.sessionId,
+    mode: "scoped",
+    signerAddress: dto.signerAddress.toLowerCase(),
+    targetContracts: dto.targetContracts.map(
+      (a) => a.toLowerCase()
+    ),
+    selectorCaps: dto.selectorCaps.map((c) => ({
+      selector: c.selector.toLowerCase(),
+      capArgIndex: c.capArgIndex,
+      maxAmount: c.maxAmount
+    })),
+    validUntilSec: dto.validUntilSec,
+    mintedAtSec: dto.mintedAtSec,
+    ...dto.consentActionHash ? { consentActionHash: dto.consentActionHash.toLowerCase() } : {},
+    ...dto.consentTextSha256 ? { consentTextSha256: dto.consentTextSha256.toLowerCase() } : {},
+    ...dto.permissionId ? { permissionId: dto.permissionId.toLowerCase() } : {}
+  };
+}
+function typedErrorCode(err2) {
+  if (err2 instanceof BackendError) return `backend.${err2.code}`;
+  if (err2 instanceof BrokerClientError) {
+    return err2.brokerCode ? `broker.${err2.brokerCode}` : `broker.${err2.code}`;
+  }
+  if (err2 instanceof MirrorDtoMalformedError) return "malformed_mirror_row";
+  return "unknown";
+}
+async function fetchJwtSubjectHint(deps) {
+  if (!deps.broker) return null;
+  try {
+    const res = await deps.broker.getJwt();
+    if (!res.jwt) return null;
+    const decoded = decodeJwtPayload(res.jwt);
+    return truncateSubject(decoded.sub);
+  } catch {
+    return null;
+  }
+}
+async function syncSnapshotFromMirror(deps, brokerSignerAddress) {
+  if (!deps.broker) {
+    return {
+      kind: "fallback",
+      reason: "mirror_sync_failed",
+      message: "auto-sync invoked without a broker dep \u2014 pipeline bug"
+    };
+  }
+  let mirror;
+  try {
+    mirror = await deps.backend.get(
+      "/api/v1/agent/policy/scoped-session",
+      { surface: "mcp" }
+    );
+  } catch (err2) {
+    return {
+      kind: "fallback",
+      reason: "mirror_sync_failed",
+      message: `backend mirror lookup failed (${typedErrorCode(err2)})`
+    };
+  }
+  if (!mirror || mirror.session == null) {
+    const subjectHint = await fetchJwtSubjectHint(deps);
+    const hintSuffix = subjectHint ? ` (broker JWT subject: ${subjectHint} \u2014 verify this matches the userId of the wallet you used to mint the scoped tier; if not, run \`muhaven-broker logout && muhaven-broker login\` and re-authorize with the correct passkey)` : "";
+    return {
+      kind: "fallback",
+      reason: "no_active_session_key",
+      message: "no active scoped session \u2014 visit /agent/policy/transition to mint one, then retry. (Mirror also empty; nothing to auto-sync.)" + hintSuffix
+    };
+  }
+  let snapshot;
+  try {
+    snapshot = mirrorDtoToPolicySnapshot(mirror.session);
+  } catch (err2) {
+    return {
+      kind: "fallback",
+      reason: "mirror_sync_failed",
+      message: `mirror returned a malformed scoped-session row (${typedErrorCode(err2)})`
+    };
+  }
+  if (snapshot.signerAddress.toLowerCase() !== brokerSignerAddress.toLowerCase()) {
+    return {
+      kind: "fallback",
+      reason: "signer_mismatch",
+      message: `mirror snapshot is bound to signer ${snapshot.signerAddress}, broker is currently signing as ${brokerSignerAddress} \u2014 re-mint the scoped tier from the dashboard against the broker's current session key, OR restart the broker with the session key matching the mirror snapshot`
+    };
+  }
+  try {
+    await deps.broker.storePolicySnapshot(snapshot);
+  } catch (err2) {
+    return {
+      kind: "fallback",
+      reason: "mirror_sync_failed",
+      message: `broker rejected store_policy_snapshot (${typedErrorCode(err2)})`
+    };
+  }
+  let activeId;
+  try {
+    const res = await deps.broker.getActiveSessionId();
+    activeId = res.sessionId;
+  } catch (err2) {
+    return {
+      kind: "fallback",
+      reason: "mirror_sync_failed",
+      message: `broker re-probe after store_policy_snapshot failed (${typedErrorCode(err2)})`
+    };
+  }
+  if (!activeId) {
+    return {
+      kind: "fallback",
+      reason: "mirror_sync_failed",
+      message: "broker accepted store_policy_snapshot but get_active_session_id returned null \u2014 most likely cause: multiple non-expired snapshots for the same signer collapse to ambiguous. Clear stale snapshots via the muhaven-broker CLI before retrying. (Snapshot signer was pre-validated to match the broker; signer mismatch already filtered upstream.)"
+    };
+  }
+  return { kind: "ok", sessionId: activeId };
+}
+async function attemptPathD(args, deps) {
+  const { shares, tokenAddress, tokenSymbol } = args;
+  if (!deps.broker || !deps.bundler) {
+    return { kind: "unconfigured" };
+  }
+  if (!deps.subscriptionAddress) {
+    return {
+      kind: "fallback",
+      reason: "subscription_address_unset",
+      message: "MUHAVEN_SUBSCRIPTION_ADDRESS not configured \u2014 Path D autonomous-buy disabled until the operator sets it in the MCP env"
+    };
+  }
+  if (!deps.entryPointAddress) {
+    return {
+      kind: "fallback",
+      reason: "entry_point_unset",
+      message: "MUHAVEN_ENTRY_POINT resolved to undefined \u2014 Path D requires the EntryPoint v0.7 address"
+    };
+  }
+  if (typeof deps.chainId !== "number") {
+    return {
+      kind: "fallback",
+      reason: "chain_id_unset",
+      message: "MUHAVEN_CHAIN_ID not configured \u2014 Path D autonomous-buy requires a chain id for userOpHash"
+    };
+  }
+  const subscriptionAddress = deps.subscriptionAddress;
+  const entryPointAddress = deps.entryPointAddress;
+  const chainId = deps.chainId;
+  const preflight = await deps.broker.preflight();
+  if (!preflight.supported) {
+    if (preflight.reason === "broker_unreachable") {
+      return {
+        kind: "fallback",
+        reason: "broker_unreachable",
+        message: `broker daemon not reachable (${preflight.message}) \u2014 falling back to Path C dashboard deep-link`
+      };
+    }
+    if (preflight.reason === "version_too_old") {
+      return {
+        kind: "fallback",
+        reason: "version_too_old",
+        message: `broker speaks ${preflight.daemonVersion}, Path D requires \u2265${preflight.requiredVersion} \u2014 upgrade @muhaven/mcp and restart the broker`
+      };
+    }
+    return {
+      kind: "fallback",
+      reason: "session_key_unavailable",
+      message: "broker is running in read-only posture (no MUHAVEN_BROKER_SESSION_KEY set) \u2014 Path D requires a loaded session key"
+    };
+  }
+  let activeId;
+  try {
+    const res = await deps.broker.getActiveSessionId();
+    activeId = res.sessionId;
+  } catch (err2) {
+    return mapBrokerCallFailure(err2, "get_active_session_id");
+  }
+  if (!activeId) {
+    const synced = await syncSnapshotFromMirror(deps, preflight.signerAddress);
+    if (synced.kind === "fallback") {
+      return synced;
+    }
+    activeId = synced.sessionId;
+  }
+  let snapshot;
+  try {
+    const res = await deps.broker.getPolicySnapshot(activeId);
+    snapshot = res.snapshot;
+  } catch (err2) {
+    return mapBrokerCallFailure(err2, "get_policy_snapshot", "snapshot_lookup_failed");
+  }
+  if (!snapshot) {
+    return {
+      kind: "fallback",
+      reason: "no_active_snapshot",
+      message: `broker reported session ${activeId} active but get_policy_snapshot returned null (race? \u2014 refresh tier from dashboard)`
+    };
+  }
+  if (snapshot.signerAddress.toLowerCase() !== preflight.signerAddress.toLowerCase()) {
+    return {
+      kind: "fallback",
+      reason: "signer_mismatch",
+      message: `snapshot ${activeId} is bound to signer ${snapshot.signerAddress}, broker is currently signing as ${preflight.signerAddress} \u2014 broker session-key likely rotated mid-flight; re-mint the scoped tier from the dashboard`
+    };
+  }
+  const purchaseCap = snapshot.selectorCaps.find(
+    (c) => c.selector.toLowerCase() === SUBSCRIPTION_PURCHASE_SELECTOR
+  );
+  if (!purchaseCap) {
+    return {
+      kind: "fallback",
+      reason: "selector_not_in_snapshot",
+      message: "active scoped session does not authorize subscription.purchase \u2014 re-mint the session with a purchase cap"
+    };
+  }
+  if (purchaseCap.maxAmount === null) {
+    return {
+      kind: "fallback",
+      reason: "selector_uncapped",
+      message: "active scoped session lists subscription.purchase but with no per-op cap (capArgIndex/maxAmount both null) \u2014 Slice 1 refuses to autonomy-buy without an explicit ceiling; re-mint with a maxAmount"
+    };
+  }
+  const maxShares = BigInt(purchaseCap.maxAmount);
+  if (shares > maxShares) {
+    return {
+      kind: "fallback",
+      reason: "out_of_scope",
+      message: `requested ${shares} shares exceeds the active session's per-op cap of ${maxShares} shares \u2014 fall back to Path C dashboard deep-link for this larger buy`
+    };
+  }
+  if (!snapshot.targetContracts.some(
+    (t) => t.toLowerCase() === subscriptionAddress.toLowerCase()
+  )) {
+    return {
+      kind: "fallback",
+      reason: "target_not_in_snapshot",
+      message: `subscription target ${subscriptionAddress} not in active session's target allowlist \u2014 re-mint the session with subscription in scope`
+    };
+  }
+  let accountAddress;
   try {
-    const data = await deps.backend.get("/api/v1/portfolio");
-    return ok(data);
-  } catch (e) {
-    return mapBackendError(e);
+    const stateDto = await deps.backend.get("/api/v1/agent/policy/state", {
+      surface: "mcp"
+    });
+    if (!stateDto.accountAddress || !/^0x[0-9a-fA-F]{40}$/.test(stateDto.accountAddress)) {
+      return {
+        kind: "fallback",
+        reason: "no_validator_registered",
+        message: "backend /agent/policy/state returned no accountAddress \u2014 re-login the MCP"
+      };
+    }
+    accountAddress = stateDto.accountAddress.toLowerCase();
+  } catch (err2) {
+    return {
+      kind: "fallback",
+      reason: "no_validator_registered",
+      message: `backend /agent/policy/state lookup failed: ${err2 instanceof Error ? err2.message : String(err2)}`
+    };
   }
-}
-async function readYields(input, deps) {
+  if (!snapshot.permissionId) {
+    return {
+      kind: "fallback",
+      reason: "no_permission_id_in_snapshot",
+      message: "active scoped session snapshot lacks permissionId \u2014 frontend storePolicySnapshot wire-up is a Slice 2 prerequisite; falling back to Path C"
+    };
+  }
+  const permissionId = snapshot.permissionId;
+  let encShares;
+  let ephemeralEOA;
   try {
-    const data = await deps.backend.get("/api/v1/yields", {
-      token: input.token,
-      limit: input.limit
+    const enc = await deps.backend.post("/api/v1/agent/path-d/encrypt-shares", {
+      tokenAddress,
+      sharesAmount: shares.toString()
     });
-    return ok(data);
-  } catch (e) {
-    return mapBackendError(e);
+    if (!enc.encShares || typeof enc.encShares.ctHash !== "string" || typeof enc.encShares.securityZone !== "number" || typeof enc.encShares.utype !== "number" || typeof enc.encShares.signature !== "string" || typeof enc.ephemeralEOA !== "string") {
+      return {
+        kind: "fallback",
+        reason: "encrypt_shares_server_error",
+        message: "backend /agent/path-d/encrypt-shares returned malformed payload"
+      };
+    }
+    encShares = {
+      ctHash: enc.encShares.ctHash,
+      securityZone: enc.encShares.securityZone,
+      utype: enc.encShares.utype,
+      signature: enc.encShares.signature
+    };
+    ephemeralEOA = enc.ephemeralEOA;
+  } catch (err2) {
+    if (err2 instanceof BackendError) {
+      const is4xx = typeof err2.status === "number" && err2.status < 500;
+      return {
+        kind: "fallback",
+        reason: is4xx ? "encrypt_shares_rejected" : "encrypt_shares_server_error",
+        message: `backend rejected encrypt-shares (backend.${err2.code})`
+      };
+    }
+    return {
+      kind: "fallback",
+      reason: "encrypt_shares_server_error",
+      message: `backend /agent/path-d/encrypt-shares failed: ${err2 instanceof Error ? err2.message : String(err2)}`
+    };
   }
-}
-async function readDistribution(input, deps) {
+  const innerCallData = encodeFunctionData({
+    abi: SUBSCRIPTION_PURCHASE_ABI,
+    functionName: "purchase",
+    args: [
+      tokenAddress,
+      {
+        ctHash: BigInt(encShares.ctHash),
+        securityZone: encShares.securityZone,
+        utype: encShares.utype,
+        signature: encShares.signature
+      },
+      shares,
+      // maxSharesHint — tight per spec
+      ephemeralEOA
+    ]
+  });
+  const kernelCallData = encodeKernelExecuteSingleCall({
+    target: subscriptionAddress,
+    value: 0n,
+    callData: innerCallData
+  });
+  let nonce;
+  let feeData;
   try {
-    const data = await deps.backend.get("/api/v1/distributions", {
-      token: input.token,
-      epoch: input.epoch
+    const nonceKey = composeKernelV3NonceKey({ permissionId });
+    nonce = await deps.bundler.getNonce(accountAddress, entryPointAddress, nonceKey);
+    feeData = await deps.bundler.getFeeData();
+  } catch (err2) {
+    return {
+      kind: "fallback",
+      reason: "bundler_setup_failed",
+      message: `bundler bootstrap failed: ${err2 instanceof BundlerClientError ? `${err2.code}: ${err2.message}` : String(err2)}`
+    };
+  }
+  const partial = {
+    sender: accountAddress,
+    nonce: `0x${nonce.toString(16)}`,
+    callData: kernelCallData,
+    maxFeePerGas: feeData.maxFeePerGas,
+    maxPriorityFeePerGas: feeData.maxPriorityFeePerGas,
+    signature: PLACEHOLDER_SIGNATURE
+  };
+  let sponsored;
+  try {
+    sponsored = await deps.bundler.sponsorUserOp(partial, entryPointAddress);
+  } catch (err2) {
+    const detail = err2 instanceof BundlerClientError && err2.detail && typeof err2.detail === "object" ? ` (rpc code=${err2.detail.code ?? "unknown"})` : "";
+    const safeMsg = sanitizeRpcMessageForLlmContext(
+      err2 instanceof Error ? err2.message : String(err2)
+    );
+    return {
+      kind: "fallback",
+      reason: "paymaster_rejected",
+      message: `pm_sponsorUserOperation rejected${detail}: ${safeMsg}`
+    };
+  }
+  const userOpForHash = {
+    sender: accountAddress,
+    nonce,
+    factory: void 0,
+    factoryData: void 0,
+    callData: kernelCallData,
+    callGasLimit: BigInt(sponsored.callGasLimit),
+    verificationGasLimit: BigInt(sponsored.verificationGasLimit),
+    preVerificationGas: BigInt(sponsored.preVerificationGas),
+    maxFeePerGas: BigInt(feeData.maxFeePerGas),
+    maxPriorityFeePerGas: BigInt(feeData.maxPriorityFeePerGas),
+    paymaster: sponsored.paymaster,
+    paymasterVerificationGasLimit: BigInt(sponsored.paymasterVerificationGasLimit),
+    paymasterPostOpGasLimit: BigInt(sponsored.paymasterPostOpGasLimit),
+    paymasterData: sponsored.paymasterData,
+    signature: PLACEHOLDER_SIGNATURE
+  };
+  const userOpHash = getUserOperationHash({
+    userOperation: userOpForHash,
+    entryPointAddress,
+    entryPointVersion: "0.7",
+    chainId
+  });
+  let brokerSig;
+  try {
+    const signed = await deps.broker.signUserOp({
+      sessionId: activeId,
+      userOpHash,
+      innerCall: { target: subscriptionAddress, callData: innerCallData },
+      intent: {
+        tool: "muhaven.position.buy",
+        summary: `${shares.toString()} shares of ${sanitizeSymbolForLlmContext(tokenSymbol)}`
+      }
     });
-    return ok(data);
-  } catch (e) {
-    return mapBackendError(e);
+    brokerSig = signed.signature;
+  } catch (err2) {
+    if (err2 instanceof BrokerClientError && err2.brokerCode) {
+      const code = err2.brokerCode;
+      if (code === "policy_violation") {
+        return {
+          kind: "fallback",
+          reason: "broker_policy_violation",
+          message: "broker rejected sign_userop: policy_violation (innerCall vs snapshot mismatch)"
+        };
+      }
+      if (code === "scope_violation") {
+        return {
+          kind: "fallback",
+          reason: "broker_scope_violation",
+          message: "broker rejected sign_userop: scope_violation (snapshot expired between gate and sign)"
+        };
+      }
+      if (code === "max_spend_exceeded") {
+        return {
+          kind: "fallback",
+          reason: "broker_max_spend_exceeded",
+          message: "broker rejected sign_userop: max_spend_exceeded (innerCall maxSharesHint over cap)"
+        };
+      }
+      if (code === "no_active_snapshot") {
+        return {
+          kind: "fallback",
+          reason: "broker_no_active_snapshot_at_sign",
+          message: "broker reported no_active_snapshot at sign time \u2014 likely GC race after our snapshot read"
+        };
+      }
+    }
+    return mapBrokerCallFailure(err2, "sign_userop", "broker_internal");
+  }
+  const signedUserOpWire = {
+    sender: accountAddress,
+    nonce: partial.nonce,
+    callData: kernelCallData,
+    callGasLimit: sponsored.callGasLimit,
+    verificationGasLimit: sponsored.verificationGasLimit,
+    preVerificationGas: sponsored.preVerificationGas,
+    maxFeePerGas: feeData.maxFeePerGas,
+    maxPriorityFeePerGas: feeData.maxPriorityFeePerGas,
+    paymaster: sponsored.paymaster,
+    paymasterVerificationGasLimit: sponsored.paymasterVerificationGasLimit,
+    paymasterPostOpGasLimit: sponsored.paymasterPostOpGasLimit,
+    paymasterData: sponsored.paymasterData,
+    signature: buildKernelSessionKeySignature({ ecdsaSignature: brokerSig })
+  };
+  let submittedHash;
+  try {
+    submittedHash = await deps.bundler.sendUserOp(signedUserOpWire, entryPointAddress);
+  } catch (err2) {
+    const detail = err2 instanceof BundlerClientError && err2.detail && typeof err2.detail === "object" ? ` (rpc code=${err2.detail.code ?? "unknown"})` : "";
+    return {
+      kind: "fallback",
+      reason: "bundler_submit_rejected",
+      message: `bundler eth_sendUserOperation rejected${detail}: ${err2 instanceof Error ? err2.message : String(err2)}`
+    };
+  }
+  if (submittedHash.toLowerCase() !== userOpHash.toLowerCase()) {
+    return {
+      kind: "fallback",
+      reason: "userop_hash_mismatch",
+      message: `bundler reported userOpHash ${submittedHash} but we signed ${userOpHash} \u2014 refusing to wait for receipt`
+    };
+  }
+  try {
+    const receipt = await deps.bundler.waitForReceipt(userOpHash, { timeoutMs: 12e3 });
+    return {
+      kind: "ok",
+      data: {
+        action: "buy",
+        status: "submitted",
+        txHash: receipt.receipt.transactionHash,
+        userOpHash,
+        path: "D"
+      }
+    };
+  } catch (err2) {
+    try {
+      const lateReceipt = await deps.bundler.getReceipt(userOpHash);
+      if (lateReceipt) {
+        return {
+          kind: "ok",
+          data: {
+            action: "buy",
+            status: "submitted",
+            txHash: lateReceipt.receipt.transactionHash,
+            userOpHash,
+            path: "D"
+          }
+        };
+      }
+    } catch {
+    }
+    return {
+      kind: "fallback",
+      reason: "bundler_receipt_timeout",
+      message: `no receipt for userOp ${userOpHash} within 12s. The userOp may still mine. BEFORE proposing another position.buy for this intent, call muhaven.read.activity to verify whether the prior submit settled \u2014 re-issuing without that check risks double-filling.`,
+      submittedUserOpHash: userOpHash
+    };
   }
 }
-async function readTokens(_input, deps) {
+async function positionBuy(input, deps) {
+  let catalog;
   try {
-    const data = await deps.backend.get("/api/v1/tokens");
-    return ok(data);
+    catalog = await deps.backend.getUnauth("/api/v1/tokens");
   } catch (e) {
     return mapBackendError(e);
   }
-}
-async function readAudit(input, deps) {
+  const token = resolveTokenInCatalog(input.token, catalog.tokens ?? []);
+  if (!token) {
+    return err(
+      "token_not_found",
+      `Token "${sanitizeSymbolForLlmContext(input.token)}" is not in the MuHaven catalog. Call muhaven.read.tokens for the canonical symbol list.`
+    );
+  }
+  const safeSymbol = sanitizeSymbolForLlmContext(token.symbol);
+  if (!token.latest_nav || !token.latest_nav.nav) {
+    return err(
+      "nav_unavailable",
+      `No NAV snapshot available for ${safeSymbol} yet. The nav-worker may not have written one \u2014 retry shortly, or use the dashboard /trade page directly.`
+    );
+  }
+  let navUsd6;
   try {
-    const data = await deps.backend.get("/api/v1/agent/policy/audit", {
-      surface: input.surface,
-      eventTypes: input.eventTypes?.join(","),
-      since: input.since,
-      until: input.until,
-      cursor: input.cursor,
-      limit: input.limit
-    });
-    return ok(data);
+    navUsd6 = parseDecimalToUsd6(token.latest_nav.nav);
   } catch (e) {
-    return mapBackendError(e);
+    return err(
+      "nav_malformed",
+      `NAV for ${safeSymbol} is not a valid decimal price. Open the dashboard /trade page directly.`
+    );
+  }
+  if (navUsd6 <= 0n) {
+    return err(
+      "nav_non_positive",
+      `NAV for ${safeSymbol} is non-positive. Cannot quote a buy.`
+    );
+  }
+  let notionalUsd6;
+  try {
+    notionalUsd6 = parseDecimalToUsd6(input.amountUsdc);
+  } catch (e) {
+    return err(
+      "invalid_amount",
+      `amountUsdc "${input.amountUsdc}" is not a valid decimal mhUSDC amount.`
+    );
+  }
+  if (notionalUsd6 <= 0n) {
+    return err(
+      "invalid_amount",
+      "amountUsdc must be greater than zero."
+    );
+  }
+  const shares = computeSharesFromUsd6(notionalUsd6, navUsd6);
+  if (shares <= 0n) {
+    const navDisplay2 = formatUsd6AsDecimal(navUsd6);
+    return err(
+      "amount_too_small_for_share",
+      `${input.amountUsdc} mhUSDC isn't enough to buy 1 share of ${safeSymbol} at the current NAV of $${navDisplay2}/share. Need at least ${navDisplay2} mhUSDC to buy 1 share. Ask the user for a larger amount, or chain muhaven.cash.wrap first if they're short on mhUSDC.`
+    );
+  }
+  const effectiveNotionalUsd6 = shares * navUsd6;
+  const effectiveNotionalDisplay = formatUsd6AsDecimal(effectiveNotionalUsd6);
+  const navDisplay = formatUsd6AsDecimal(navUsd6);
+  const sharesStr = shares.toString();
+  let pathDFallbackReason;
+  let pathDSubmittedUserOpHash;
+  const pathD = await attemptPathD(
+    { shares, tokenAddress: token.address, tokenSymbol: token.symbol },
+    deps
+  );
+  if (pathD.kind === "ok") {
+    return ok(pathD.data);
+  }
+  if (pathD.kind === "fallback") {
+    pathDFallbackReason = pathD.reason;
+    if (pathD.submittedUserOpHash) {
+      pathDSubmittedUserOpHash = pathD.submittedUserOpHash;
+    }
   }
-}
-function buildPositionDeeplink(dashboardBaseUrl, action, params) {
-  const base = dashboardBaseUrl.replace(/\/+$/, "");
-  const path = action === "buy" || action === "sell" ? "/trade" : action === "claim" ? "/yields" : "/cash";
-  const search = new URLSearchParams();
-  if (action === "buy" || action === "sell") search.set("mode", action);
-  for (const [k, v] of Object.entries(params)) search.set(k, v);
-  search.set("from", "mcp");
-  return `${base}${path}?${search.toString()}`;
-}
-function resolveDashboardBaseUrl(deps) {
-  return deps.dashboardBaseUrl ?? "https://muhaven.app";
-}
-async function positionBuy(input, deps) {
   const dashboardUrl = buildPositionDeeplink(resolveDashboardBaseUrl(deps), "buy", {
-    token: input.token,
-    amount: input.amountUsdc
+    token: token.symbol,
+    amount: sharesStr
   });
   return ok({
     dashboardUrl,
     action: "buy",
-    instructions: `Open this link to review and authorize the buy of ${input.amountUsdc} mhUSDC of ${input.token}:
+    instructions: `Open this link to review and authorize the buy of ${sharesStr} ${safeSymbol} shares (~${effectiveNotionalDisplay} mhUSDC at current NAV $${navDisplay}/share):
 ${dashboardUrl}`,
-    echo: { action: "buy", token: input.token, amount: input.amountUsdc }
+    echo: {
+      action: "buy",
+      token: token.symbol,
+      amount: sharesStr,
+      shares: sharesStr,
+      // Carry the original request + the conversion math so the LLM
+      // (and a human auditor reading the trace) can see why the URL
+      // shows the share count instead of the user-stated notional.
+      amountUsdc: input.amountUsdc,
+      effectiveNotionalUsd6: effectiveNotionalUsd6.toString(),
+      navUsd6: navUsd6.toString(),
+      ...pathDFallbackReason ? { pathDFallbackReason } : {},
+      ...pathDSubmittedUserOpHash ? { pathDSubmittedUserOpHash } : {}
+    }
   });
 }
 async function positionSell(input, deps) {
@@ -1144,6 +2913,10 @@ var HANDLERS = {
     schema: ReadAuditInputSchema,
     handler: readAudit
   },
+  "muhaven.read.activity": {
+    schema: ReadActivityInputSchema,
+    handler: readActivity
+  },
   "muhaven.position.buy": {
     schema: PositionBuyInputSchema,
     handler: positionBuy
@@ -1248,14 +3021,20 @@ var SERVER_NAME = "@muhaven/mcp";
 var SERVER_VERSION = resolveServerVersion();
 function resolveServerVersion() {
   {
-    return "0.2.0";
+    return "0.2.2";
   }
 }
 function toJsonInputSchema(schema) {
-  return {
-    type: "object",
-    additionalProperties: false
-  };
+  const json = zodToJsonSchema(schema, {
+    target: "jsonSchema7",
+    $refStrategy: "none",
+    removeAdditionalStrategy: "strict"
+  });
+  if ("$schema" in json) {
+    const { $schema: _drop, ...rest } = json;
+    return rest;
+  }
+  return json;
 }
 async function loadPinnedToolHashes() {
   const here = dirname(fileURLToPath(import.meta.url));
@@ -1324,8 +3103,12 @@ function buildMcpServer(opts) {
       const result = await entry.handler(parsed, {
         backend: opts.backend,
         broker: opts.broker,
+        bundler: opts.bundler,
         surface: "mcp",
-        dashboardBaseUrl: opts.dashboardBaseUrl
+        dashboardBaseUrl: opts.dashboardBaseUrl,
+        chainId: opts.chainId,
+        subscriptionAddress: opts.subscriptionAddress,
+        entryPointAddress: opts.entryPointAddress
       });
       return toolJsonResponse(result);
     } catch (err2) {
@@ -1376,6 +3159,11 @@ async function runMcpStdioCli(opts = {}) {
     timeoutMs: config.requestTimeoutMs,
     allowedHosts: config.allowedBackendHosts
   });
+  const bundler = config.bundlerUrl ? new BundlerClient({
+    endpoint: config.bundlerUrl,
+    requestTimeoutMs: config.bundlerTimeoutMs,
+    expectedChainId: config.chainId
+  }) : void 0;
   const baseRegistry = selectRegistry(config.readOnly);
   const registry = opts.filterRegistry ? opts.filterRegistry(baseRegistry) : baseRegistry;
   if (registry.length === 0) {
@@ -1388,8 +3176,20 @@ async function runMcpStdioCli(opts = {}) {
     registry,
     backend,
     broker: config.readOnly ? void 0 : broker,
-    dashboardBaseUrl: config.dashboardBaseUrl
+    bundler: config.readOnly ? void 0 : bundler,
+    dashboardBaseUrl: config.dashboardBaseUrl,
+    chainId: config.chainId,
+    subscriptionAddress: config.subscriptionAddress,
+    entryPointAddress: config.entryPointAddress
   });
+  if (bundler && !config.readOnly) {
+    void bundler.assertChainId().catch((err2) => {
+      process.stderr.write(
+        `[muhaven-mcp] bundler chain-id assert failed: ${err2 instanceof Error ? err2.message : String(err2)} \u2014 Path D autonomous-buys will fail until MUHAVEN_BUNDLER_URL + MUHAVEN_CHAIN_ID agree
+`
+      );
+    });
+  }
   const transport = new StdioServerTransport();
   await server.connect(transport);
   await new Promise((resolve) => {
@@ -1494,140 +3294,52 @@ var DeviceFlowClient = class {
       const body2 = await safeJson(res);
       throw new DeviceFlowAbortedError({ code: "invalid_response", status: res.status, body: body2 });
     }
-    const body = await safeJson(res);
-    if (!body || !body.deviceCode || !body.userCode) {
-      throw new DeviceFlowAbortedError({ code: "invalid_response", status: res.status, body });
-    }
-    const verificationUri = `${trim(this.options.dashboardBaseUrl)}/link`;
-    const verificationUriComplete = `${verificationUri}?code=${encodeURIComponent(body.userCode)}`;
-    return {
-      deviceCode: body.deviceCode,
-      userCode: body.userCode,
-      verificationUri,
-      verificationUriComplete,
-      expiresInSec: body.expiresInSec ?? 300,
-      pollIntervalSec: body.pollIntervalSec ?? Math.floor(DEFAULT_POLL_INTERVAL_MS / 1e3)
-    };
-  }
-  async pollOnce(deviceCode) {
-    const url = new URL("/api/v1/auth/device/token", this.options.backendBaseUrl);
-    let res;
-    try {
-      res = await this.fetchImpl(url, {
-        method: "POST",
-        headers: { "content-type": "application/json", accept: "application/json" },
-        body: JSON.stringify({ deviceCode })
-      });
-    } catch (err2) {
-      throw new DeviceFlowAbortedError({ code: "network", cause: err2 });
-    }
-    if (res.status === 429) {
-      return { state: "pending" };
-    }
-    const body = await safeJson(res);
-    if (!body || typeof body.state !== "string") {
-      throw new DeviceFlowAbortedError({ code: "invalid_response", status: res.status, body });
-    }
-    return body;
-  }
-};
-function trim(s) {
-  return s.endsWith("/") ? s.slice(0, -1) : s;
-}
-async function safeJson(res) {
-  try {
-    return await res.json();
-  } catch {
-    return null;
-  }
-}
-
-// src/broker/protocol.ts
-var BROKER_PROTOCOL_VERSION = "0.3.0";
-var HASH_HEX_RE = /^0x[0-9a-fA-F]{64}$/;
-var JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
-function isHashHex(value) {
-  return typeof value === "string" && HASH_HEX_RE.test(value);
-}
-function isJwtShape(value) {
-  return typeof value === "string" && value.length <= 8192 && JWT_RE.test(value);
-}
-function parseBrokerRequest(line) {
-  let parsed;
-  try {
-    parsed = JSON.parse(line);
-  } catch {
-    return { type: "error", code: "invalid_request", message: "request is not valid JSON" };
-  }
-  if (typeof parsed !== "object" || parsed === null) {
-    return { type: "error", code: "invalid_request", message: "request must be a JSON object" };
-  }
-  const obj = parsed;
-  switch (obj.type) {
-    case "hello":
-      return { type: "hello" };
-    case "sign_hash": {
-      const hash = obj.hash;
-      if (!isHashHex(hash)) {
-        return {
-          type: "error",
-          code: "invalid_request",
-          message: "sign_hash.hash must be a 0x-prefixed 32-byte hex string"
-        };
-      }
-      const intent = obj.intent;
-      const intentValid = intent === void 0 || typeof intent === "object" && intent !== null && typeof intent.tool === "string";
-      if (!intentValid) {
-        return {
-          type: "error",
-          code: "invalid_request",
-          message: "sign_hash.intent.tool must be a string when provided"
-        };
-      }
-      return {
-        type: "sign_hash",
-        hash,
-        ...intent === void 0 ? {} : { intent }
-      };
+    const body = await safeJson(res);
+    if (!body || !body.deviceCode || !body.userCode) {
+      throw new DeviceFlowAbortedError({ code: "invalid_response", status: res.status, body });
     }
-    case "store_jwt": {
-      const jwt = obj.jwt;
-      if (!isJwtShape(jwt)) {
-        return {
-          type: "error",
-          code: "invalid_request",
-          message: "store_jwt.jwt must be a JWT-shaped string \u22648192 chars"
-        };
-      }
-      const expiresAtSec = obj.expiresAtSec;
-      const expiresValid = expiresAtSec === void 0 || typeof expiresAtSec === "number" && Number.isFinite(expiresAtSec) && expiresAtSec > 0;
-      if (!expiresValid) {
-        return {
-          type: "error",
-          code: "invalid_request",
-          message: "store_jwt.expiresAtSec must be a positive number when provided"
-        };
-      }
-      return {
-        type: "store_jwt",
-        jwt,
-        ...expiresAtSec === void 0 ? {} : { expiresAtSec }
-      };
+    const verificationUri = `${trim(this.options.dashboardBaseUrl)}/link`;
+    const verificationUriComplete = `${verificationUri}?code=${encodeURIComponent(body.userCode)}`;
+    return {
+      deviceCode: body.deviceCode,
+      userCode: body.userCode,
+      verificationUri,
+      verificationUriComplete,
+      expiresInSec: body.expiresInSec ?? 300,
+      pollIntervalSec: body.pollIntervalSec ?? Math.floor(DEFAULT_POLL_INTERVAL_MS / 1e3)
+    };
+  }
+  async pollOnce(deviceCode) {
+    const url = new URL("/api/v1/auth/device/token", this.options.backendBaseUrl);
+    let res;
+    try {
+      res = await this.fetchImpl(url, {
+        method: "POST",
+        headers: { "content-type": "application/json", accept: "application/json" },
+        body: JSON.stringify({ deviceCode })
+      });
+    } catch (err2) {
+      throw new DeviceFlowAbortedError({ code: "network", cause: err2 });
     }
-    case "get_jwt":
-      return { type: "get_jwt" };
-    case "clear_jwt":
-      return { type: "clear_jwt" };
-    default:
-      return {
-        type: "error",
-        code: "unsupported_type",
-        message: `unsupported request type: ${String(obj.type)}`
-      };
+    if (res.status === 429) {
+      return { state: "pending" };
+    }
+    const body = await safeJson(res);
+    if (!body || typeof body.state !== "string") {
+      throw new DeviceFlowAbortedError({ code: "invalid_response", status: res.status, body });
+    }
+    return body;
   }
+};
+function trim(s) {
+  return s.endsWith("/") ? s.slice(0, -1) : s;
 }
-function serializeResponse(res) {
-  return JSON.stringify(res) + "\n";
+async function safeJson(res) {
+  try {
+    return await res.json();
+  } catch {
+    return null;
+  }
 }
 var MissingSessionKeyError = class extends Error {
   constructor() {
@@ -1643,6 +3355,9 @@ var NullSigner = class {
   async signHash(_hash) {
     throw new MissingSessionKeyError();
   }
+  async signRawMessage(_hash) {
+    throw new MissingSessionKeyError();
+  }
 };
 var ViemSigner = class {
   account;
@@ -1655,6 +3370,9 @@ var ViemSigner = class {
   async signHash(hash) {
     return this.account.sign({ hash });
   }
+  async signRawMessage(hash) {
+    return this.account.signMessage({ message: { raw: hash } });
+  }
 };
 var KEYRING_SERVICE = "muhaven.mcp";
 var KEYRING_ACCOUNT = "jwt";
@@ -1811,11 +3529,293 @@ async function openKeystore(options = {}) {
   }
   return { keystore: new OsKeystore(entry), fallbackReason: null };
 }
+var PolicyStoreError = class extends Error {
+  constructor(code, message, cause) {
+    super(message);
+    this.code = code;
+    this.cause = cause;
+    this.name = "PolicyStoreError";
+  }
+  code;
+  cause;
+};
+var SESSION_ID_RE2 = /^[A-Za-z0-9_-]{1,128}$/;
+var UINT256_MAX_LOCAL = (1n << 256n) - 1n;
+function validateSessionId(sessionId) {
+  if (!SESSION_ID_RE2.test(sessionId)) {
+    throw new PolicyStoreError(
+      "invalid_session_id",
+      `sessionId "${sessionId}" must be 1-128 chars [A-Za-z0-9_-] (path-traversal guard)`
+    );
+  }
+}
+var FilePolicyStore = class {
+  constructor(dir) {
+    this.dir = dir;
+  }
+  dir;
+  static defaultDir() {
+    return join(homedir(), ".muhaven", "policy-snapshots");
+  }
+  snapshotPath(sessionId) {
+    return join(this.dir, `${sessionId}.json`);
+  }
+  async get(sessionId, nowSec) {
+    validateSessionId(sessionId);
+    let raw;
+    try {
+      raw = await readFile(this.snapshotPath(sessionId), "utf8");
+    } catch (err2) {
+      if (err2.code === "ENOENT") return null;
+      throw new PolicyStoreError(
+        "read_failed",
+        `failed to read snapshot ${sessionId}: ${asMessage2(err2)}`,
+        err2
+      );
+    }
+    let parsed;
+    try {
+      const obj = JSON.parse(raw);
+      parsed = coerceFromDisk(obj);
+    } catch (err2) {
+      throw new PolicyStoreError(
+        "malformed_record",
+        `snapshot ${sessionId} is not valid JSON: ${asMessage2(err2)}`,
+        err2
+      );
+    }
+    if (parsed.validUntilSec <= nowSec) return null;
+    return parsed;
+  }
+  async put(snapshot) {
+    validateSessionId(snapshot.sessionId);
+    const dest = this.snapshotPath(snapshot.sessionId);
+    const tmp = `${dest}.tmp-${randomBytes(6).toString("hex")}`;
+    try {
+      await mkdir(this.dir, { recursive: true, mode: 448 });
+      await chmod(this.dir, 448).catch(() => void 0);
+      await writeFile(tmp, JSON.stringify(snapshot), { mode: 384 });
+      await chmod(tmp, 384).catch(() => void 0);
+      await rename(tmp, dest);
+    } catch (err2) {
+      await unlink(tmp).catch(() => void 0);
+      throw new PolicyStoreError(
+        "write_failed",
+        `failed to write snapshot ${snapshot.sessionId}: ${asMessage2(err2)}`,
+        err2
+      );
+    }
+  }
+  async delete(sessionId) {
+    validateSessionId(sessionId);
+    try {
+      await unlink(this.snapshotPath(sessionId));
+    } catch (err2) {
+      if (err2.code === "ENOENT") return;
+      throw new PolicyStoreError(
+        "delete_failed",
+        `failed to delete snapshot ${sessionId}: ${asMessage2(err2)}`,
+        err2
+      );
+    }
+  }
+  async list() {
+    let entries;
+    try {
+      entries = await readdir(this.dir);
+    } catch (err2) {
+      if (err2.code === "ENOENT") return [];
+      throw new PolicyStoreError(
+        "read_failed",
+        `failed to enumerate snapshot dir: ${asMessage2(err2)}`,
+        err2
+      );
+    }
+    const out = [];
+    for (const entry of entries) {
+      if (!entry.endsWith(".json")) continue;
+      const sessionId = entry.slice(0, -".json".length);
+      if (!SESSION_ID_RE2.test(sessionId)) continue;
+      try {
+        const raw = await readFile(join(this.dir, entry), "utf8");
+        out.push(coerceFromDisk(JSON.parse(raw)));
+      } catch {
+        continue;
+      }
+    }
+    return out;
+  }
+  async activeSessionId(activeSignerAddress, nowSec) {
+    const all = await this.list();
+    const needle = activeSignerAddress.toLowerCase();
+    const matches = all.filter(
+      (s) => s.validUntilSec > nowSec && s.signerAddress.toLowerCase() === needle
+    );
+    return matches.length === 1 ? matches[0].sessionId : null;
+  }
+};
+function coerceFromDisk(obj) {
+  if (typeof obj !== "object" || obj === null) throw new Error("snapshot not an object");
+  const o = obj;
+  if (typeof o.sessionId !== "string" || !SESSION_ID_RE2.test(o.sessionId)) {
+    throw new Error("snapshot.sessionId malformed");
+  }
+  if (o.mode !== "scoped") throw new Error('snapshot.mode must be "scoped"');
+  if (typeof o.signerAddress !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(o.signerAddress)) {
+    throw new Error("snapshot.signerAddress malformed");
+  }
+  if (!Array.isArray(o.targetContracts) || !o.targetContracts.every((t) => typeof t === "string" && /^0x[0-9a-fA-F]{40}$/.test(t))) {
+    throw new Error("snapshot.targetContracts malformed");
+  }
+  if (!Array.isArray(o.selectorCaps) || o.selectorCaps.length === 0) {
+    throw new Error("snapshot.selectorCaps malformed");
+  }
+  const caps = [];
+  for (const c of o.selectorCaps) {
+    if (typeof c !== "object" || c === null) throw new Error("selectorCap not an object");
+    const cap = c;
+    if (typeof cap.selector !== "string" || !/^0x[0-9a-fA-F]{8}$/.test(cap.selector)) {
+      throw new Error("selectorCap.selector malformed");
+    }
+    const indexNull = cap.capArgIndex === null;
+    const amountNull = cap.maxAmount === null;
+    if (indexNull !== amountNull) {
+      throw new Error("selectorCap.capArgIndex/maxAmount must both be null or both non-null");
+    }
+    if (!indexNull) {
+      if (typeof cap.capArgIndex !== "number" || !Number.isInteger(cap.capArgIndex) || cap.capArgIndex < 0 || cap.capArgIndex > 31) {
+        throw new Error("selectorCap.capArgIndex must be an integer in [0, 31]");
+      }
+      if (typeof cap.maxAmount !== "string" || !/^(0|[1-9][0-9]{0,77})$/.test(cap.maxAmount)) {
+        throw new Error("selectorCap.maxAmount malformed (length)");
+      }
+      if (BigInt(cap.maxAmount) > UINT256_MAX_LOCAL) {
+        throw new Error("selectorCap.maxAmount exceeds uint256 max");
+      }
+    }
+    caps.push({
+      selector: cap.selector.toLowerCase(),
+      capArgIndex: indexNull ? null : cap.capArgIndex,
+      maxAmount: indexNull ? null : cap.maxAmount
+    });
+  }
+  if (typeof o.validUntilSec !== "number" || o.validUntilSec <= 0) {
+    throw new Error("snapshot.validUntilSec malformed");
+  }
+  if (typeof o.mintedAtSec !== "number" || o.mintedAtSec <= 0) {
+    throw new Error("snapshot.mintedAtSec malformed");
+  }
+  if (o.consentActionHash !== void 0) {
+    if (typeof o.consentActionHash !== "string" || !/^0x[0-9a-fA-F]{64}$/.test(o.consentActionHash)) {
+      throw new Error("snapshot.consentActionHash malformed");
+    }
+  }
+  if (o.consentTextSha256 !== void 0) {
+    if (typeof o.consentTextSha256 !== "string" || !/^0x[0-9a-fA-F]{64}$/.test(o.consentTextSha256)) {
+      throw new Error("snapshot.consentTextSha256 malformed");
+    }
+  }
+  if (o.permissionId !== void 0) {
+    if (typeof o.permissionId !== "string" || !/^0x[0-9a-fA-F]{8}$/.test(o.permissionId)) {
+      throw new Error("snapshot.permissionId malformed (must be 0x-prefixed 4-byte hex)");
+    }
+  }
+  return {
+    sessionId: o.sessionId,
+    mode: "scoped",
+    signerAddress: o.signerAddress.toLowerCase(),
+    targetContracts: o.targetContracts.map(
+      (t) => t.toLowerCase()
+    ),
+    selectorCaps: caps,
+    validUntilSec: o.validUntilSec,
+    mintedAtSec: o.mintedAtSec,
+    ...o.consentActionHash === void 0 ? {} : { consentActionHash: o.consentActionHash.toLowerCase() },
+    ...o.consentTextSha256 === void 0 ? {} : { consentTextSha256: o.consentTextSha256.toLowerCase() },
+    ...o.permissionId === void 0 ? {} : { permissionId: o.permissionId.toLowerCase() }
+  };
+}
+function asMessage2(err2) {
+  return err2 instanceof Error ? err2.message : String(err2);
+}
+function decodeUint256ArgAt(callDataHex, wordIndex) {
+  if (!Number.isInteger(wordIndex) || wordIndex < 0) {
+    throw new Error(`wordIndex must be a non-negative integer (got ${wordIndex})`);
+  }
+  const requiredLen = 2 + 8 + (wordIndex + 1) * 64;
+  if (callDataHex.length < requiredLen) {
+    throw new Error(
+      `callData length ${callDataHex.length} too short to carry word ${wordIndex} (need \u2265${requiredLen} chars)`
+    );
+  }
+  const wordStart = 2 + 8 + wordIndex * 64;
+  const argHex = callDataHex.slice(wordStart, wordStart + 64);
+  return BigInt(`0x${argHex}`);
+}
+function selectorOf(callDataHex) {
+  return callDataHex.slice(0, 10).toLowerCase();
+}
+function checkPolicy(input) {
+  const { snapshot, innerCall, activeSigner, nowSec } = input;
+  if (snapshot.validUntilSec <= nowSec) {
+    return {
+      ok: false,
+      code: "scope_violation",
+      message: `snapshot ${snapshot.sessionId} expired at ${snapshot.validUntilSec} (now ${nowSec})`
+    };
+  }
+  if (snapshot.signerAddress.toLowerCase() !== activeSigner.toLowerCase()) {
+    return {
+      ok: false,
+      code: "policy_violation",
+      message: `snapshot ${snapshot.sessionId} bound to signer ${snapshot.signerAddress}, broker active signer is ${activeSigner}`
+    };
+  }
+  const targetLower = innerCall.target.toLowerCase();
+  const targetMatch = snapshot.targetContracts.some((t) => t === targetLower);
+  if (!targetMatch) {
+    return {
+      ok: false,
+      code: "policy_violation",
+      message: `target ${innerCall.target} not in allowlist for session ${snapshot.sessionId}`
+    };
+  }
+  const selector = selectorOf(innerCall.callData);
+  const rule = snapshot.selectorCaps.find((c) => c.selector === selector);
+  if (!rule) {
+    return {
+      ok: false,
+      code: "policy_violation",
+      message: `selector ${selector} not in selectorCaps for session ${snapshot.sessionId}`
+    };
+  }
+  if (rule.capArgIndex !== null && rule.maxAmount !== null) {
+    let argValue;
+    try {
+      argValue = decodeUint256ArgAt(innerCall.callData, rule.capArgIndex);
+    } catch (err2) {
+      return {
+        ok: false,
+        code: "policy_violation",
+        message: `callData decode failed at wordIndex ${rule.capArgIndex}: ${asMessage2(err2)}`
+      };
+    }
+    const cap = BigInt(rule.maxAmount);
+    if (argValue > cap) {
+      return {
+        ok: false,
+        code: "max_spend_exceeded",
+        message: `arg word[${rule.capArgIndex}] = ${argValue} exceeds maxAmount ${cap} for selector ${selector} (session ${snapshot.sessionId})`
+      };
+    }
+  }
+  return { ok: true };
+}
 
 // src/broker/daemon.ts
 var noopLogger = (_e) => {
 };
-async function handleBrokerRequest(req, signer, keystore, nowSec = () => Math.floor(Date.now() / 1e3), options = {}) {
+async function handleBrokerRequest(req, signer, keystore, nowSec = () => Math.floor(Date.now() / 1e3), options = {}, policyStore) {
   switch (req.type) {
     case "hello": {
       let hasJwt = false;
@@ -1888,6 +3888,141 @@ async function handleBrokerRequest(req, signer, keystore, nowSec = () => Math.fl
         );
       }
     }
+    case "sign_userop": {
+      if (!policyStore) {
+        return errorResponse(
+          "internal",
+          "broker daemon is not configured with a policy store"
+        );
+      }
+      const now = nowSec();
+      let snapshot;
+      try {
+        snapshot = await policyStore.get(req.sessionId, now);
+      } catch (err2) {
+        return errorResponse(
+          "internal",
+          err2 instanceof Error ? err2.message : "policy store read failed"
+        );
+      }
+      if (!snapshot) {
+        return errorResponse(
+          "no_active_snapshot",
+          `no active snapshot for session ${req.sessionId}`
+        );
+      }
+      const check = checkPolicy({
+        snapshot,
+        innerCall: req.innerCall,
+        activeSigner: signer.address,
+        nowSec: now
+      });
+      if (!check.ok) {
+        return errorResponse(check.code, check.message);
+      }
+      try {
+        const signature = await signer.signRawMessage(req.userOpHash);
+        return {
+          type: "sign_userop",
+          signature,
+          signerAddress: signer.address,
+          sessionId: req.sessionId
+        };
+      } catch (err2) {
+        if (err2 instanceof MissingSessionKeyError) {
+          return errorResponse("session_key_unavailable", err2.message);
+        }
+        throw err2;
+      }
+    }
+    case "store_policy_snapshot": {
+      if (!policyStore) {
+        return errorResponse(
+          "internal",
+          "broker daemon is not configured with a policy store"
+        );
+      }
+      try {
+        await policyStore.put(req.snapshot);
+        return {
+          type: "store_policy_snapshot",
+          stored: true,
+          sessionId: req.snapshot.sessionId
+        };
+      } catch (err2) {
+        if (err2 instanceof PolicyStoreError) {
+          return errorResponse("internal", err2.message);
+        }
+        return errorResponse(
+          "internal",
+          err2 instanceof Error ? err2.message : "policy store write failed"
+        );
+      }
+    }
+    case "get_policy_snapshot": {
+      if (!policyStore) {
+        return errorResponse(
+          "internal",
+          "broker daemon is not configured with a policy store"
+        );
+      }
+      try {
+        const snapshot = await policyStore.get(req.sessionId, nowSec());
+        return { type: "get_policy_snapshot", snapshot };
+      } catch (err2) {
+        if (err2 instanceof PolicyStoreError) {
+          return errorResponse("internal", err2.message);
+        }
+        return errorResponse(
+          "internal",
+          err2 instanceof Error ? err2.message : "policy store read failed"
+        );
+      }
+    }
+    case "clear_policy_snapshot": {
+      if (!policyStore) {
+        return errorResponse(
+          "internal",
+          "broker daemon is not configured with a policy store"
+        );
+      }
+      try {
+        await policyStore.delete(req.sessionId);
+        return {
+          type: "clear_policy_snapshot",
+          cleared: true,
+          sessionId: req.sessionId
+        };
+      } catch (err2) {
+        if (err2 instanceof PolicyStoreError) {
+          return errorResponse("internal", err2.message);
+        }
+        return errorResponse(
+          "internal",
+          err2 instanceof Error ? err2.message : "policy store clear failed"
+        );
+      }
+    }
+    case "get_active_session_id": {
+      if (!policyStore) {
+        return errorResponse(
+          "internal",
+          "broker daemon is not configured with a policy store"
+        );
+      }
+      try {
+        const sessionId = await policyStore.activeSessionId(signer.address, nowSec());
+        return { type: "get_active_session_id", sessionId };
+      } catch (err2) {
+        if (err2 instanceof PolicyStoreError) {
+          return errorResponse("internal", err2.message);
+        }
+        return errorResponse(
+          "internal",
+          err2 instanceof Error ? err2.message : "policy store enumerate failed"
+        );
+      }
+    }
   }
 }
 function errorResponse(code, message) {
@@ -1917,6 +4052,7 @@ var BrokerDaemon = class {
   log;
   config;
   keystore;
+  policyStore;
   /**
    * Whether a session-key private half is actually loaded. `false` =
    * daemon booted in read-only posture (no `MUHAVEN_BROKER_SESSION_KEY`
@@ -1936,6 +4072,7 @@ var BrokerDaemon = class {
       this.hasSessionKey = false;
     }
     this.keystore = options.keystore ?? null;
+    this.policyStore = options.policyStore ?? new FilePolicyStore(FilePolicyStore.defaultDir());
     this.log = options.logger ?? noopLogger;
     this.server = createServer((socket) => this.onConnection(socket));
   }
@@ -1951,6 +4088,7 @@ var BrokerDaemon = class {
         });
       }
     }
+    if (this.policyStore.init) await this.policyStore.init();
     await prepareEndpoint(this.config.endpoint);
     await new Promise((resolve, reject) => {
       const onError = (err2) => {
@@ -2066,7 +4204,8 @@ var BrokerDaemon = class {
             dashboardBaseUrl: this.config.dashboardBaseUrl
           },
           pid: process.pid
-        }
+        },
+        this.policyStore
       );
       socket.end(serializeResponse(res));
     } catch (err2) {
@@ -2082,4 +4221,4 @@ var BrokerDaemon = class {
   }
 };
 
-export { BROKER_PROTOCOL_VERSION, BackendClient, BackendError, BrokerClient, BrokerClientError, BrokerDaemon, DeviceFlowAbortedError, DeviceFlowClient, JwtSource, KeystoreError, MissingSessionKeyError, NoJwtAvailableError, NullSigner, SERVER_VERSION, TOOL_DESCRIPTORS, ViemSigner, ZERO_ADDRESS, buildMcpServer, buildToolHashTable, defaultBrokerEndpoint, fullToolRegistry, handleBrokerRequest, hashToolDescriptor, loadBrokerConfig, loadMcpConfig, openKeystore, parseBrokerRequest, registryForReadOnly, runMcpStdioCli, selectRegistry, serializeResponse, verifyDescriptorAgainstPin };
+export { BROKER_PROTOCOL_VERSION, BackendClient, BackendError, BrokerClient, BrokerClientError, BrokerDaemon, BundlerClient, BundlerClientError, DeviceFlowAbortedError, DeviceFlowClient, JwtSource, KeystoreError, MissingSessionKeyError, NoJwtAvailableError, NullSigner, SERVER_VERSION, TOOL_DESCRIPTORS, ViemSigner, ZERO_ADDRESS, buildMcpServer, buildToolHashTable, defaultBrokerEndpoint, fullToolRegistry, handleBrokerRequest, hashToolDescriptor, loadBrokerConfig, loadMcpConfig, openKeystore, parseBrokerRequest, registryForReadOnly, runMcpStdioCli, selectRegistry, semverGte, serializeResponse, verifyDescriptorAgainstPin };