@muhaven/mcp 0.2.1 → 0.2.3

package/CHANGELOG.md

@@ -7,6 +7,131 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.2.3] — 2026-05-23
+
+### Fixed
+
+- **`BundlerClient` now sends an `Origin` header on every RPC.** ZeroDev
+  bundler URLs gate access via an IP+domain allowlist; browser requests
+  from `https://muhaven.app` pass because the project's allowlist
+  accepts that domain, but Node `fetch` (the MCP server's transport)
+  sends no `Origin` by default and so hit a `403 "Neither IP nor domain
+  is on the allowlist"` on every `eth_call` / `eth_gasPrice`. The MCP
+  server then surfaced this as `pathDFallbackReason:
+  bundler_setup_failed` and degraded to Path C. Fix: stamp `Origin:
+  <MUHAVEN_DASHBOARD_URL>` on every bundler RPC (defaults to
+  `https://muhaven.app`, threaded through from
+  `buildMcpServer({ dashboardBaseUrl })`). Mirrors how ethers.js + viem
+  stamp default Origins against EVM RPC providers; surfaces a single
+  knob (`MUHAVEN_DASHBOARD_URL`) for operators on a custom domain.
+  Diagnosed 2026-05-23 via direct curl reproduction (bare → 403; with
+  `Origin: https://muhaven.app` → `result: 0x66eee`).
+
+  Added 3 regression tests pinning the contract (Origin sent when set;
+  omitted when undefined; omitted when explicitly empty for test
+  injection).
+
+## [0.2.2] — 2026-05-23
+
+### Fixed
+
+- **`tools/list.inputSchema` now exposes the per-field shape, not a
+  bare `{type:'object', additionalProperties:false}` placeholder.**
+  The 0.2.1 (and earlier) `toJsonInputSchema` was a stub: it returned
+  the object envelope with `additionalProperties:false` but no
+  `properties` block. JSON-Schema-compliant MCP hosts (Claude Code's
+  tool-call validator) interpret that combination as "no properties
+  allowed" and silently strip every argument before dispatch — every
+  call landed at the server as `{}`. Surfaced 2026-05-23 by an
+  operator-side `Buy TBILL1 $1` smoke. Fix: wire `zod-to-json-schema`
+  (`target: 'jsonSchema7'`, `$refStrategy: 'none'`,
+  `removeAdditionalStrategy: 'strict'`) so the real per-field shape
+  reaches the host. Drops the top-level `$schema` URL (host noise).
+  Added 14 unit + 48 registry-wide regression cases pinning the
+  contract per tool, plus a recursive nested-strict walker that fails
+  if a future contributor adds a nested `z.object(...)` without
+  `.strict()` (Security Engineer MED, absorbed inline).
+
+### Dependencies
+
+- **Added `zod-to-json-schema@^3.24.0`** as a runtime dep (~30KB, zero
+  transitive deps). Required by the inputSchema fix above; previously
+  the converter was a placeholder stub per the original commit's note
+  to "avoid runtime dep for hackathon scope."
+- **Bumped `zod` dep range from `^3.24.0` to `^3.25.0`** to match
+  `@modelcontextprotocol/sdk@^1.0.4`'s peer-dep declaration
+  (`zod: ^3.25 || ^4.0`). The installed tree already resolves to
+  3.25.x so prod runtime is unchanged, but the declared range avoids
+  a peer-dep warning for consumers running `npm i @muhaven/mcp` with
+  an older zod hoisted in their tree (Code Reviewer HIGH, absorbed
+  inline).
+
+### Notes
+
+- **`tool-hashes.json` does NOT need regenerating for 0.2.2.** The
+  hashed surface is the tool descriptor (name + description +
+  sensitive flag, see `descriptions.ts::hashToolDescriptor`); the
+  JSON-Schema export is downstream of that and not part of the hash.
+  `pnpm verify-tool-hashes -- --check` continues to pass against the
+  existing pin from 0.2.0.
+
+### Added — Wave 5 Path D Slice 1 (in flight)
+
+- **Broker protocol verb `get_active_session_id`** (additive over 0.4.0).
+  Narrow "which session is live?" probe — returns the sessionId of the
+  single non-expired snapshot bound to the broker's loaded signer, or
+  null on zero / 2+ matches. Backs the MCP server's bootstrap of Path
+  D's broker-side signing path before Slice 2's backend-mirror
+  `agent_scoped_sessions` table lands. Intentionally narrower than
+  `list()` so RD-3 (no IPC enumeration) stays honoured.
+- **`BrokerClient.preflight()` + semver gate (Backend Architect H-2).**
+  Detects stale 0.3.x daemons before any sign_userop call, surfacing
+  `version_too_old` / `session_key_unavailable` / `broker_unreachable`
+  with structured remediation hints instead of an opaque
+  `unsupported_type`.
+- **`BundlerClient` (NEW, `src/clients/bundler-client.ts`).** ERC-4337
+  v0.7 JSON-RPC client surface — `sendUserOp` + `getReceipt` +
+  `waitForReceipt` + `assertChainId`. Lives MCP-server-side (network
+  egress), not in the broker (R-1 zero-egress invariant preserved).
+  Configured via new `MUHAVEN_BUNDLER_URL` + `MUHAVEN_CHAIN_ID` env
+  vars (manifest.json user_config block extended). The UserOp BUILD +
+  SIGN path remains DEFERRED to a later release (FHE encrypt + kernel-
+  execute encode have unresolved design points); the bundler-client
+  surface ships now with full test coverage.
+- **`positionBuy` Path D probe.** When BOTH bundler and broker are
+  configured, the handler runs a preflight chain
+  (preflight → getActiveSessionId → getPolicySnapshot → selector-cap
+  match → shares cap) BEFORE building the Path C deep-link. Every gate
+  failure surfaces as a structured non-retryable
+  `pathDFallbackReason` in the echo while still returning a valid
+  Path C URL — single affordance for the user, full structured
+  observability for the LLM. The "all gates pass" terminal state
+  returns `path_d_userop_build_pending` until the UserOp build path
+  lands.
+- **`/agent/policy/state` extension** (backend): top-level
+  `accountAddress` field (= JWT subject = kernel smart-account
+  address). Backward-compatible; older callers ignore the new field.
+  Lays foundation for the Commit 3.5 UserOp builder's kernel-address
+  lookup without needing a separate /me endpoint.
+
+### Internal — Wave 5 Path D Slice 1
+
+- `IPolicyStore.activeSessionId(activeSignerAddress, nowSec)` method —
+  enumerates daemon-internal snapshots, returns the unique active
+  sessionId or null. File-backed + memory implementations both honour
+  the same "zero or ambiguous → null" semantics.
+- 65 new vitest cases across protocol / policy-snapshot / daemon-handler
+  / bundler-client / broker-client-preflight / position-deeplink test
+  files. Total 474 MCP vitest cases (up from 409). Three-agent parallel
+  pre-commit review (Code Reviewer + MCP Builder + Security Engineer
+  fresh) absorbed: 4 HIGH addressed inline (BrokerClientError gains
+  typed `brokerCode` field with `unsupported_type → version_too_old`
+  remap; `attemptPathD` adds signer-mismatch guard + splits
+  selector-uncapped vs selector-not-in-snapshot; test stubs replaced
+  with Proxy-based throw-on-unstubbed-access); MED-1 closed (semverGte
+  regex tightened to reject leading zeros per SemVer 2.0 §2). Security
+  Engineer approved with no HIGH findings.
+
 ## [0.2.0] — 2026-05-18
 
 **Minor bump signals a breaking change to `position.buy`'s input