@muhaven/mcp 0.2.1 → 0.2.3

package/dist/index.js

@@ -1,4 +1,4 @@
-import { unlink, readFile, mkdir, chmod, writeFile, stat } from 'fs/promises';
+import { unlink, readFile, mkdir, chmod, writeFile, rename, readdir, stat } from 'fs/promises';
 import 'fs';
 import { join, dirname } from 'path';
 import { fileURLToPath } from 'url';
@@ -6,9 +6,13 @@ import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { ListToolsRequestSchema, CallToolRequestSchema } from '@modelcontextprotocol/sdk/types.js';
 import { z, ZodError } from 'zod';
+import { zodToJsonSchema } from 'zod-to-json-schema';
 import { platform, homedir } from 'os';
 import { connect, createServer } from 'net';
-import { createHash } from 'crypto';
+import { setTimeout as setTimeout$1 } from 'timers/promises';
+import { parseAbi, toFunctionSelector, encodeFunctionData, encodePacked, pad, concatHex, decodeAbiParameters } from 'viem';
+import { createHash, randomBytes } from 'crypto';
+import { getUserOperationHash } from 'viem/account-abstraction';
 import { privateKeyToAccount } from 'viem/accounts';
 
 // src/server.ts
@@ -18,6 +22,10 @@ var DEFAULT_REQUEST_TIMEOUT_MS = 15e3;
 var DEFAULT_BROKER_TIMEOUT_MS = 5e3;
 var DEFAULT_BROKER_MAX_BYTES = 64 * 1024;
 var DEFAULT_JWT_CACHE_TTL_SEC = 30;
+var DEFAULT_BUNDLER_TIMEOUT_MS = 2e4;
+var DEFAULT_CHAIN_ID = 421614;
+var DEFAULT_ENTRY_POINT_ADDRESS = "0x0000000071727De22E5E9d8BAf0edAc6f37da032";
+var ADDRESS_HEX_RE = /^0x[0-9a-fA-F]{40}$/;
 function defaultBrokerEndpoint() {
   if (platform() === "win32") {
     const user = process.env.USERNAME ?? "default";
@@ -93,6 +101,35 @@ function loadMcpConfig(env = process.env) {
   const requestTimeoutMs = readEnvInt("MUHAVEN_REQUEST_TIMEOUT_MS", DEFAULT_REQUEST_TIMEOUT_MS, env);
   const brokerTimeoutMs = readEnvInt("MUHAVEN_BROKER_TIMEOUT_MS", DEFAULT_BROKER_TIMEOUT_MS, env);
   const jwtCacheTtlSec = readEnvInt("MUHAVEN_JWT_CACHE_TTL_SEC", DEFAULT_JWT_CACHE_TTL_SEC, env);
+  const bundlerUrlRaw = readEnv("MUHAVEN_BUNDLER_URL", env);
+  let bundlerUrl;
+  if (bundlerUrlRaw !== void 0) {
+    const validationErr = validatePublicUrlEnv("MUHAVEN_BUNDLER_URL", bundlerUrlRaw);
+    if (validationErr) throw new Error(validationErr);
+    bundlerUrl = trimTrailingSlash(bundlerUrlRaw);
+  }
+  const bundlerTimeoutMs = readEnvInt("MUHAVEN_BUNDLER_TIMEOUT_MS", DEFAULT_BUNDLER_TIMEOUT_MS, env);
+  const chainId = readEnvInt("MUHAVEN_CHAIN_ID", DEFAULT_CHAIN_ID, env);
+  const subscriptionAddressRaw = readEnv("MUHAVEN_SUBSCRIPTION_ADDRESS", env);
+  let subscriptionAddress;
+  if (subscriptionAddressRaw !== void 0) {
+    if (!ADDRESS_HEX_RE.test(subscriptionAddressRaw)) {
+      throw new Error(
+        `MUHAVEN_SUBSCRIPTION_ADDRESS must be a 0x-prefixed 20-byte hex string (got ${JSON.stringify(subscriptionAddressRaw)})`
+      );
+    }
+    subscriptionAddress = subscriptionAddressRaw.toLowerCase();
+  }
+  const entryPointAddressRaw = readEnv("MUHAVEN_ENTRY_POINT", env);
+  let entryPointAddress = DEFAULT_ENTRY_POINT_ADDRESS;
+  if (entryPointAddressRaw !== void 0) {
+    if (!ADDRESS_HEX_RE.test(entryPointAddressRaw)) {
+      throw new Error(
+        `MUHAVEN_ENTRY_POINT must be a 0x-prefixed 20-byte hex string (got ${JSON.stringify(entryPointAddressRaw)})`
+      );
+    }
+    entryPointAddress = entryPointAddressRaw.toLowerCase();
+  }
   return {
     backendBaseUrl,
     dashboardBaseUrl,
@@ -101,7 +138,12 @@ function loadMcpConfig(env = process.env) {
     requestTimeoutMs,
     brokerTimeoutMs,
     allowedBackendHosts: deriveAllowedHosts(backendBaseUrl),
-    jwtCacheTtlSec
+    jwtCacheTtlSec,
+    bundlerUrl,
+    bundlerTimeoutMs,
+    chainId,
+    subscriptionAddress,
+    entryPointAddress
   };
 }
 var PRIVKEY_HEX_RE = /^0x[0-9a-fA-F]{64}$/;
@@ -136,16 +178,366 @@ function loadBrokerConfig(env = process.env) {
     dashboardBaseUrl
   };
 }
+
+// src/broker/protocol.ts
+var BROKER_PROTOCOL_VERSION = "0.4.0";
+var HASH_HEX_RE = /^0x[0-9a-fA-F]{64}$/;
+var ADDRESS_HEX_RE2 = /^0x[0-9a-fA-F]{40}$/;
+var SELECTOR_HEX_RE = /^0x[0-9a-fA-F]{8}$/;
+var HEX_PREFIXED_RE = /^0x[0-9a-fA-F]*$/;
+var JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
+var SESSION_ID_RE = /^[A-Za-z0-9_-]{1,128}$/;
+var UINT256_DEC_RE = /^(0|[1-9][0-9]{0,77})$/;
+var MAX_CALLDATA_HEX_LEN = 2e5;
+function isHashHex(value) {
+  return typeof value === "string" && HASH_HEX_RE.test(value);
+}
+function isAddressHex(value) {
+  return typeof value === "string" && ADDRESS_HEX_RE2.test(value);
+}
+function isSelectorHex(value) {
+  return typeof value === "string" && SELECTOR_HEX_RE.test(value);
+}
+function isHexPrefixed(value) {
+  return typeof value === "string" && HEX_PREFIXED_RE.test(value);
+}
+function isJwtShape(value) {
+  return typeof value === "string" && value.length <= 8192 && JWT_RE.test(value);
+}
+function isSessionIdShape(value) {
+  return typeof value === "string" && SESSION_ID_RE.test(value);
+}
+function isUint256DecString(value) {
+  return typeof value === "string" && UINT256_DEC_RE.test(value);
+}
+var UINT256_MAX = (1n << 256n) - 1n;
+function isUint256InRange(value) {
+  if (!isUint256DecString(value)) return false;
+  return BigInt(value) <= UINT256_MAX;
+}
+function parseSelectorCap(raw) {
+  if (typeof raw !== "object" || raw === null) {
+    return { error: "selectorCap must be an object" };
+  }
+  const obj = raw;
+  if (!isSelectorHex(obj.selector)) {
+    return { error: "selectorCap.selector must be a 4-byte 0x-hex" };
+  }
+  const capArgIndex = obj.capArgIndex;
+  const maxAmount = obj.maxAmount;
+  const indexIsNull = capArgIndex === null;
+  const amountIsNull = maxAmount === null;
+  if (indexIsNull !== amountIsNull) {
+    return {
+      error: "selectorCap.capArgIndex and selectorCap.maxAmount must both be null or both non-null"
+    };
+  }
+  if (!indexIsNull) {
+    if (typeof capArgIndex !== "number" || !Number.isInteger(capArgIndex) || capArgIndex < 0 || capArgIndex > 31) {
+      return {
+        error: "selectorCap.capArgIndex must be an integer in [0, 31] (max 32 ABI words)"
+      };
+    }
+    if (typeof maxAmount !== "string" || !isUint256InRange(maxAmount)) {
+      return { error: "selectorCap.maxAmount must be a uint256 decimal string \u2264 2^256-1" };
+    }
+  }
+  return {
+    selector: obj.selector.toLowerCase(),
+    capArgIndex: indexIsNull ? null : capArgIndex,
+    maxAmount: indexIsNull ? null : maxAmount
+  };
+}
+function isOptionalHash32(value) {
+  return value === void 0 || isHashHex(value);
+}
+function isOptionalPermissionId(value) {
+  return value === void 0 || isSelectorHex(value);
+}
+function parsePolicySnapshot(raw) {
+  if (typeof raw !== "object" || raw === null) {
+    return { error: "snapshot must be a JSON object" };
+  }
+  const obj = raw;
+  if (!isSessionIdShape(obj.sessionId)) {
+    return { error: "snapshot.sessionId must be 1-128 chars [A-Za-z0-9_-]" };
+  }
+  if (obj.mode !== "scoped") {
+    return { error: "snapshot.mode must be 'scoped' (wildcard ships in Slice 4)" };
+  }
+  if (!isAddressHex(obj.signerAddress)) {
+    return { error: "snapshot.signerAddress must be a 0x-prefixed 20-byte hex" };
+  }
+  const targetContracts = obj.targetContracts;
+  if (!Array.isArray(targetContracts) || targetContracts.length === 0 || targetContracts.length > 32 || !targetContracts.every(isAddressHex)) {
+    return {
+      error: "snapshot.targetContracts must be a 1..32-element array of 0x-addresses"
+    };
+  }
+  const rawCaps = obj.selectorCaps;
+  if (!Array.isArray(rawCaps) || rawCaps.length === 0 || rawCaps.length > 32) {
+    return { error: "snapshot.selectorCaps must be a 1..32-element array" };
+  }
+  const parsedCaps = [];
+  const seenSelectors = /* @__PURE__ */ new Set();
+  for (const c of rawCaps) {
+    const parsed = parseSelectorCap(c);
+    if ("error" in parsed) return { error: `selectorCaps: ${parsed.error}` };
+    if (seenSelectors.has(parsed.selector)) {
+      return { error: `selectorCaps: duplicate selector ${parsed.selector}` };
+    }
+    seenSelectors.add(parsed.selector);
+    parsedCaps.push(parsed);
+  }
+  if (typeof obj.validUntilSec !== "number" || !Number.isFinite(obj.validUntilSec) || obj.validUntilSec <= 0) {
+    return { error: "snapshot.validUntilSec must be a positive number" };
+  }
+  if (typeof obj.mintedAtSec !== "number" || !Number.isFinite(obj.mintedAtSec) || obj.mintedAtSec <= 0) {
+    return { error: "snapshot.mintedAtSec must be a positive number" };
+  }
+  if (!isOptionalHash32(obj.consentActionHash)) {
+    return { error: "snapshot.consentActionHash must be a 0x-prefixed 32-byte hex when provided" };
+  }
+  if (!isOptionalHash32(obj.consentTextSha256)) {
+    return { error: "snapshot.consentTextSha256 must be a 0x-prefixed 32-byte hex when provided" };
+  }
+  if (!isOptionalPermissionId(obj.permissionId)) {
+    return { error: "snapshot.permissionId must be a 0x-prefixed 4-byte hex when provided" };
+  }
+  return {
+    sessionId: obj.sessionId,
+    mode: "scoped",
+    signerAddress: obj.signerAddress.toLowerCase(),
+    targetContracts: targetContracts.map(
+      (a) => a.toLowerCase()
+    ),
+    selectorCaps: parsedCaps,
+    validUntilSec: obj.validUntilSec,
+    mintedAtSec: obj.mintedAtSec,
+    ...obj.consentActionHash === void 0 ? {} : { consentActionHash: obj.consentActionHash.toLowerCase() },
+    ...obj.consentTextSha256 === void 0 ? {} : { consentTextSha256: obj.consentTextSha256.toLowerCase() },
+    ...obj.permissionId === void 0 ? {} : { permissionId: obj.permissionId.toLowerCase() }
+  };
+}
+function parseBrokerRequest(line) {
+  let parsed;
+  try {
+    parsed = JSON.parse(line);
+  } catch {
+    return { type: "error", code: "invalid_request", message: "request is not valid JSON" };
+  }
+  if (typeof parsed !== "object" || parsed === null) {
+    return { type: "error", code: "invalid_request", message: "request must be a JSON object" };
+  }
+  const obj = parsed;
+  switch (obj.type) {
+    case "hello":
+      return { type: "hello" };
+    case "sign_hash": {
+      const hash = obj.hash;
+      if (!isHashHex(hash)) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "sign_hash.hash must be a 0x-prefixed 32-byte hex string"
+        };
+      }
+      const intent = obj.intent;
+      const intentValid = intent === void 0 || typeof intent === "object" && intent !== null && typeof intent.tool === "string";
+      if (!intentValid) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "sign_hash.intent.tool must be a string when provided"
+        };
+      }
+      return {
+        type: "sign_hash",
+        hash,
+        ...intent === void 0 ? {} : { intent }
+      };
+    }
+    case "store_jwt": {
+      const jwt = obj.jwt;
+      if (!isJwtShape(jwt)) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "store_jwt.jwt must be a JWT-shaped string \u22648192 chars"
+        };
+      }
+      const expiresAtSec = obj.expiresAtSec;
+      const expiresValid = expiresAtSec === void 0 || typeof expiresAtSec === "number" && Number.isFinite(expiresAtSec) && expiresAtSec > 0;
+      if (!expiresValid) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "store_jwt.expiresAtSec must be a positive number when provided"
+        };
+      }
+      return {
+        type: "store_jwt",
+        jwt,
+        ...expiresAtSec === void 0 ? {} : { expiresAtSec }
+      };
+    }
+    case "get_jwt":
+      return { type: "get_jwt" };
+    case "clear_jwt":
+      return { type: "clear_jwt" };
+    case "sign_userop": {
+      const sessionId = obj.sessionId;
+      if (!isSessionIdShape(sessionId)) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "sign_userop.sessionId must be 1-128 chars [A-Za-z0-9_-]"
+        };
+      }
+      const userOpHash = obj.userOpHash;
+      if (!isHashHex(userOpHash)) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "sign_userop.userOpHash must be a 0x-prefixed 32-byte hex string"
+        };
+      }
+      const innerCall = obj.innerCall;
+      if (typeof innerCall !== "object" || innerCall === null) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "sign_userop.innerCall must be an object with { target, callData }"
+        };
+      }
+      const ic = innerCall;
+      if (!isAddressHex(ic.target)) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "sign_userop.innerCall.target must be a 0x-prefixed 20-byte hex"
+        };
+      }
+      if (!isHexPrefixed(ic.callData) || ic.callData.length < 74 || ic.callData.length % 2 !== 0 || ic.callData.length > MAX_CALLDATA_HEX_LEN) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "sign_userop.innerCall.callData must be 0x-prefixed even-length hex \u226574 chars (selector + first uint256 arg) and \u2264200000 chars"
+        };
+      }
+      const intent = obj.intent;
+      let safeIntent;
+      if (intent !== void 0) {
+        if (typeof intent !== "object" || intent === null) {
+          return {
+            type: "error",
+            code: "invalid_request",
+            message: "sign_userop.intent must be an object when provided"
+          };
+        }
+        const intentObj = intent;
+        if (typeof intentObj.tool !== "string" || intentObj.tool.length > 64) {
+          return {
+            type: "error",
+            code: "invalid_request",
+            message: "sign_userop.intent.tool must be a string \u226464 chars"
+          };
+        }
+        if (intentObj.summary !== void 0 && (typeof intentObj.summary !== "string" || intentObj.summary.length > 256)) {
+          return {
+            type: "error",
+            code: "invalid_request",
+            message: "sign_userop.intent.summary must be a string \u2264256 chars when provided"
+          };
+        }
+        safeIntent = {
+          tool: intentObj.tool,
+          ...typeof intentObj.summary === "string" ? { summary: intentObj.summary } : {}
+        };
+      }
+      return {
+        type: "sign_userop",
+        sessionId,
+        userOpHash,
+        innerCall: {
+          target: ic.target.toLowerCase(),
+          callData: ic.callData.toLowerCase()
+        },
+        ...safeIntent === void 0 ? {} : { intent: safeIntent }
+      };
+    }
+    case "store_policy_snapshot": {
+      const parsed2 = parsePolicySnapshot(obj.snapshot);
+      if ("error" in parsed2) {
+        return { type: "error", code: "invalid_request", message: parsed2.error };
+      }
+      return { type: "store_policy_snapshot", snapshot: parsed2 };
+    }
+    case "get_policy_snapshot": {
+      if (!isSessionIdShape(obj.sessionId)) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "get_policy_snapshot.sessionId must be 1-128 chars [A-Za-z0-9_-]"
+        };
+      }
+      return { type: "get_policy_snapshot", sessionId: obj.sessionId };
+    }
+    case "clear_policy_snapshot": {
+      if (!isSessionIdShape(obj.sessionId)) {
+        return {
+          type: "error",
+          code: "invalid_request",
+          message: "clear_policy_snapshot.sessionId must be 1-128 chars [A-Za-z0-9_-]"
+        };
+      }
+      return { type: "clear_policy_snapshot", sessionId: obj.sessionId };
+    }
+    case "get_active_session_id":
+      return { type: "get_active_session_id" };
+    default:
+      return {
+        type: "error",
+        code: "unsupported_type",
+        message: `unsupported request type: ${String(obj.type)}`
+      };
+  }
+}
+function serializeResponse(res) {
+  return JSON.stringify(res) + "\n";
+}
+
+// src/clients/broker-client.ts
 var BrokerClientError = class extends Error {
-  constructor(code, message, cause) {
+  constructor(code, message, cause, brokerCode) {
     super(message);
     this.code = code;
     this.cause = cause;
+    this.brokerCode = brokerCode;
     this.name = "BrokerClientError";
   }
   code;
   cause;
+  brokerCode;
 };
+function semverGte(a, b) {
+  const re = /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$/;
+  const ma = re.exec(a);
+  const mb = re.exec(b);
+  if (!ma || !mb) {
+    throw new BrokerClientError(
+      "protocol_error",
+      `semverGte: malformed version (got ${JSON.stringify(a)} vs ${JSON.stringify(b)})`
+    );
+  }
+  for (let i = 1; i <= 3; i++) {
+    const ai = Number(ma[i]);
+    const bi = Number(mb[i]);
+    if (ai > bi) return true;
+    if (ai < bi) return false;
+  }
+  return true;
+}
 var BrokerClient = class {
   constructor(options) {
     this.options = options;
@@ -205,6 +597,109 @@ var BrokerClient = class {
       );
     }
   }
+  // ── Wave 5 Path D Slice 1 (Commit 3) — policy snapshot CRUD + sign_userop ──
+  async signUserOp(args) {
+    const res = await this.exchange({
+      type: "sign_userop",
+      sessionId: args.sessionId,
+      userOpHash: args.userOpHash,
+      innerCall: args.innerCall,
+      ...args.intent ? { intent: args.intent } : {}
+    });
+    if (res.type !== "sign_userop") {
+      throw new BrokerClientError(
+        "protocol_error",
+        `expected sign_userop response, got ${res.type}`
+      );
+    }
+    return res;
+  }
+  async storePolicySnapshot(snapshot) {
+    const res = await this.exchange({ type: "store_policy_snapshot", snapshot });
+    if (res.type !== "store_policy_snapshot") {
+      throw new BrokerClientError(
+        "protocol_error",
+        `expected store_policy_snapshot response, got ${res.type}`
+      );
+    }
+    return res;
+  }
+  async getPolicySnapshot(sessionId) {
+    const res = await this.exchange({ type: "get_policy_snapshot", sessionId });
+    if (res.type !== "get_policy_snapshot") {
+      throw new BrokerClientError(
+        "protocol_error",
+        `expected get_policy_snapshot response, got ${res.type}`
+      );
+    }
+    return res;
+  }
+  async clearPolicySnapshot(sessionId) {
+    const res = await this.exchange({ type: "clear_policy_snapshot", sessionId });
+    if (res.type !== "clear_policy_snapshot") {
+      throw new BrokerClientError(
+        "protocol_error",
+        `expected clear_policy_snapshot response, got ${res.type}`
+      );
+    }
+    return res;
+  }
+  async getActiveSessionId() {
+    const res = await this.exchange({ type: "get_active_session_id" });
+    if (res.type !== "get_active_session_id") {
+      throw new BrokerClientError(
+        "protocol_error",
+        `expected get_active_session_id response, got ${res.type}`
+      );
+    }
+    return res;
+  }
+  /**
+   * Detect whether the running daemon speaks Path D (protocol 0.4.0+).
+   * Wraps `hello()` with a semver-gte comparison so the MCP tool layer
+   * can short-circuit to Path C with a clear `version_too_old` reason
+   * instead of surfacing the opaque `unsupported_type` error a stale
+   * 0.3.0 daemon would emit on `sign_userop` / `get_active_session_id`
+   * (Backend Architect H-2, round 2).
+   *
+   * Returns `{ supported: false }` on broker connect failure too — the
+   * caller treats "daemon down" identically to "version too old": Path D
+   * not available, fall through to Path C.
+   */
+  async preflight() {
+    let hello;
+    try {
+      hello = await this.hello();
+    } catch (err2) {
+      return {
+        supported: false,
+        reason: "broker_unreachable",
+        message: err2 instanceof BrokerClientError ? `broker.${err2.code}: ${err2.message}` : err2 instanceof Error ? err2.message : "broker unreachable",
+        requiredVersion: BROKER_PROTOCOL_VERSION
+      };
+    }
+    if (!semverGte(hello.version, BROKER_PROTOCOL_VERSION)) {
+      return {
+        supported: false,
+        reason: "version_too_old",
+        daemonVersion: hello.version,
+        requiredVersion: BROKER_PROTOCOL_VERSION
+      };
+    }
+    if (hello.hasSessionKey === false) {
+      return {
+        supported: false,
+        reason: "session_key_unavailable",
+        daemonVersion: hello.version,
+        requiredVersion: BROKER_PROTOCOL_VERSION
+      };
+    }
+    return {
+      supported: true,
+      daemonVersion: hello.version,
+      signerAddress: hello.sessionKeyAddress
+    };
+  }
   exchange(request) {
     return new Promise((resolve, reject) => {
       let socket;
@@ -245,7 +740,12 @@ var BrokerClient = class {
           const parsed = JSON.parse(line);
           if (parsed.type === "error") {
             settleErr(
-              new BrokerClientError("broker_error", `${parsed.code}: ${parsed.message}`)
+              new BrokerClientError(
+                "broker_error",
+                `${parsed.code}: ${parsed.message}`,
+                void 0,
+                parsed.code
+              )
             );
             return;
           }
@@ -482,6 +982,414 @@ function mapStatus(status) {
   if (status >= 500) return "server_error";
   return "invalid_response";
 }
+var ENTRY_POINT_GET_NONCE_ABI = parseAbi([
+  "function getNonce(address sender, uint192 key) view returns (uint256)"
+]);
+var BundlerClientError = class extends Error {
+  constructor(code, message, detail) {
+    super(message);
+    this.code = code;
+    this.detail = detail;
+    this.name = "BundlerClientError";
+  }
+  code;
+  detail;
+};
+var BundlerClient = class {
+  constructor(options) {
+    this.options = options;
+    this.fetchImpl = options.fetchImpl ?? globalThis.fetch.bind(globalThis);
+  }
+  options;
+  fetchImpl;
+  nextRpcId = 1;
+  /**
+   * Submit a signed UserOperation. Returns the userOpHash the bundler
+   * computed (which must match the hash the broker signed — caller is
+   * responsible for the consistency check; broker policy snapshot
+   * captures the signer-binding piece).
+   */
+  async sendUserOp(userOp, entryPoint) {
+    const result = await this.rpc("eth_sendUserOperation", [userOp, entryPoint]);
+    if (typeof result !== "string" || !/^0x[0-9a-fA-F]{64}$/.test(result)) {
+      throw new BundlerClientError(
+        "invalid_response",
+        `eth_sendUserOperation returned non-hash result: ${JSON.stringify(result).slice(0, 80)}`
+      );
+    }
+    return result.toLowerCase();
+  }
+  /** Return the receipt for a userOpHash, or null when the UserOp has
+   *  not yet been bundled. */
+  async getReceipt(userOpHash) {
+    const result = await this.rpc("eth_getUserOperationReceipt", [userOpHash]);
+    if (result === null || result === void 0) return null;
+    return parseReceipt(result);
+  }
+  /**
+   * Poll until the bundler returns a receipt, or `timeoutMs` elapses.
+   * Caller decides retry / fallback behaviour on `receipt_timeout`.
+   *
+   * Poll interval grows linearly from `initialIntervalMs` to
+   * `maxIntervalMs` to avoid burning the bundler quota when blocks are
+   * slow. Default tuning: 500ms → 2000ms over the first 6 polls; then
+   * pinned at 2000ms.
+   */
+  async waitForReceipt(userOpHash, opts) {
+    const clock = opts.clockMs ?? (() => Date.now());
+    const sleep = opts.sleep ?? ((ms) => setTimeout$1(ms));
+    const initial = opts.initialIntervalMs ?? 500;
+    const max = opts.maxIntervalMs ?? 2e3;
+    const deadline = clock() + opts.timeoutMs;
+    let attempt = 0;
+    while (true) {
+      const receipt = await this.getReceipt(userOpHash);
+      if (receipt) return receipt;
+      const now = clock();
+      if (now >= deadline) {
+        throw new BundlerClientError(
+          "receipt_timeout",
+          `no receipt for userOp ${userOpHash} within ${opts.timeoutMs}ms`
+        );
+      }
+      const interval = Math.min(max, initial + attempt * 250);
+      const remaining = Math.max(0, deadline - now);
+      await sleep(Math.min(interval, remaining));
+      attempt++;
+    }
+  }
+  /**
+   * Wave 5 Path D Slice 1 Commit 3.5 — `pm_sponsorUserOperation`.
+   * ZeroDev's bundler URL serves both bundler RPCs AND paymaster RPCs
+   * at the same endpoint, so we don't need a separate paymaster URL.
+   * Returns the paymaster fields + the gas limits the paymaster's
+   * simulation computed (the caller doesn't need a separate
+   * `estimateUserOpGas` round-trip on the happy path).
+   */
+  async sponsorUserOp(userOp, entryPoint) {
+    const result = await this.rpc("pm_sponsorUserOperation", [userOp, entryPoint]);
+    return parseSponsoredFields(result);
+  }
+  /**
+   * Wave 5 Path D Slice 1 Commit 3.5 — `eth_estimateUserOperationGas`.
+   * Not used in the happy path (sponsorship returns gas), but lives as
+   * a fallback for unsponsored flows OR if the operator's paymaster
+   * goes down. Reading gas separately also makes the failure modes
+   * distinguishable for the LLM-facing fallback reasons.
+   */
+  async estimateUserOpGas(userOp, entryPoint) {
+    const result = await this.rpc("eth_estimateUserOperationGas", [userOp, entryPoint]);
+    if (typeof result !== "object" || result === null) {
+      throw new BundlerClientError(
+        "invalid_response",
+        "eth_estimateUserOperationGas returned non-object"
+      );
+    }
+    const obj = result;
+    return {
+      callGasLimit: assertHex(obj.callGasLimit, "estimateUserOpGas.callGasLimit"),
+      verificationGasLimit: assertHex(
+        obj.verificationGasLimit,
+        "estimateUserOpGas.verificationGasLimit"
+      ),
+      preVerificationGas: assertHex(
+        obj.preVerificationGas,
+        "estimateUserOpGas.preVerificationGas"
+      )
+    };
+  }
+  /**
+   * Wave 5 Path D Slice 1 Commit 3.5 — `eth_call` against the
+   * EntryPoint's `getNonce(sender, key)`. Uses the bundler URL as a
+   * full Arb Sepolia node (ZeroDev's bundler accepts read-side RPCs).
+   *
+   * Pass `key = 0n` for the default nonce key — Path D never uses a
+   * non-default key in Slice 1; reserved for batched UserOps in
+   * later slices.
+   */
+  async getNonce(sender, entryPoint, key = 0n) {
+    const data = encodeFunctionData({
+      abi: ENTRY_POINT_GET_NONCE_ABI,
+      functionName: "getNonce",
+      args: [sender, key]
+    });
+    const result = await this.rpc("eth_call", [
+      { to: entryPoint, data },
+      "latest"
+    ]);
+    if (typeof result !== "string" || !/^0x[0-9a-fA-F]*$/.test(result)) {
+      throw new BundlerClientError(
+        "invalid_response",
+        `eth_call returned non-hex: ${JSON.stringify(result).slice(0, 80)}`
+      );
+    }
+    const [nonce] = decodeAbiParameters([{ type: "uint256" }], result);
+    return nonce;
+  }
+  /**
+   * Wave 5 Path D Slice 1 Commit 3.5 — fetch the fee market via
+   * `eth_gasPrice` (returns a single value the bundler will accept for
+   * both maxFee + maxPriorityFee on Arb Sepolia, which has effectively
+   * no priority-vs-base distinction).
+   *
+   * Simple-on-purpose: a full EIP-1559 fee market read would need two
+   * RPCs (`eth_maxPriorityFeePerGas` + `eth_getBlock`); Arb Sepolia's
+   * fee dynamics don't require that precision and the paymaster pays
+   * either way. A future caller wanting EIP-1559 precision can add a
+   * sibling method.
+   */
+  async getFeeData() {
+    const result = await this.rpc("eth_gasPrice", []);
+    if (typeof result !== "string" || !/^0x[0-9a-fA-F]+$/.test(result)) {
+      throw new BundlerClientError(
+        "invalid_response",
+        `eth_gasPrice returned non-hex: ${JSON.stringify(result).slice(0, 80)}`
+      );
+    }
+    const base = BigInt(result);
+    const margined = base * 2n;
+    const hex = `0x${margined.toString(16)}`;
+    return { maxFeePerGas: hex, maxPriorityFeePerGas: hex };
+  }
+  /**
+   * Verify the bundler's reported chainId matches `expectedChainId`. Cheap
+   * to call once at MCP server boot (or lazily before the first send) so
+   * a misconfigured bundler URL surfaces as `chain_mismatch` before any
+   * user-facing send rather than after a guaranteed-failing submit.
+   *
+   * Throws `BundlerClientError(config)` if no `expectedChainId` is set —
+   * caller asked for an assert without configuring the expectation.
+   */
+  async assertChainId() {
+    if (this.options.expectedChainId === void 0) {
+      throw new BundlerClientError(
+        "config",
+        "assertChainId called without expectedChainId configured"
+      );
+    }
+    const result = await this.rpc("eth_chainId", []);
+    if (typeof result !== "string" || !/^0x[0-9a-fA-F]+$/.test(result)) {
+      throw new BundlerClientError(
+        "invalid_response",
+        `eth_chainId returned non-hex result: ${JSON.stringify(result).slice(0, 80)}`
+      );
+    }
+    const reported = Number.parseInt(result, 16);
+    if (reported !== this.options.expectedChainId) {
+      throw new BundlerClientError(
+        "chain_mismatch",
+        `bundler reports chainId ${reported}, MCP expected ${this.options.expectedChainId}`,
+        { reportedChainId: reported, expectedChainId: this.options.expectedChainId }
+      );
+    }
+  }
+  async rpc(method, params) {
+    const id = this.nextRpcId++;
+    const body = JSON.stringify({ jsonrpc: "2.0", id, method, params });
+    const ctrl = new AbortController();
+    const timer = setTimeout(() => ctrl.abort(), this.options.requestTimeoutMs);
+    let res;
+    try {
+      const headers = {
+        "content-type": "application/json",
+        accept: "application/json"
+      };
+      if (this.options.originHeader) {
+        headers["origin"] = this.options.originHeader;
+      }
+      res = await this.fetchImpl(this.options.endpoint, {
+        method: "POST",
+        headers,
+        body,
+        signal: ctrl.signal
+      });
+    } catch (err2) {
+      clearTimeout(timer);
+      if (err2.name === "AbortError") {
+        throw new BundlerClientError("timeout", `bundler ${method} timed out`);
+      }
+      throw new BundlerClientError(
+        "network",
+        `bundler ${method} network error: ${err2 instanceof Error ? err2.message : String(err2)}`,
+        err2
+      );
+    } finally {
+      clearTimeout(timer);
+    }
+    if (!res.ok) {
+      let text = "";
+      try {
+        text = (await res.text()).slice(0, 256);
+      } catch {
+      }
+      throw new BundlerClientError(
+        "http_error",
+        `bundler ${method} \u2192 HTTP ${res.status}: ${text}`
+      );
+    }
+    let parsed;
+    try {
+      parsed = await res.json();
+    } catch (err2) {
+      throw new BundlerClientError(
+        "invalid_response",
+        `bundler ${method} returned non-JSON: ${err2 instanceof Error ? err2.message : String(err2)}`
+      );
+    }
+    if (typeof parsed !== "object" || parsed === null) {
+      throw new BundlerClientError(
+        "invalid_response",
+        `bundler ${method} returned non-object`
+      );
+    }
+    const obj = parsed;
+    if (obj.error !== void 0 && obj.error !== null) {
+      const err2 = obj.error;
+      throw new BundlerClientError(
+        "rpc_error",
+        `bundler ${method} rpc error: ${typeof err2.message === "string" ? err2.message : "<no message>"}`,
+        { code: err2.code, message: err2.message, data: err2.data }
+      );
+    }
+    return obj.result;
+  }
+};
+function parseReceipt(raw) {
+  if (typeof raw !== "object" || raw === null) {
+    throw new BundlerClientError("invalid_response", "receipt is not an object");
+  }
+  const obj = raw;
+  const userOpHash = obj.userOpHash;
+  if (typeof userOpHash !== "string" || !/^0x[0-9a-fA-F]{64}$/.test(userOpHash)) {
+    throw new BundlerClientError("invalid_response", "receipt.userOpHash malformed");
+  }
+  const sender = obj.sender;
+  if (typeof sender !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(sender)) {
+    throw new BundlerClientError("invalid_response", "receipt.sender malformed");
+  }
+  if (typeof obj.success !== "boolean") {
+    throw new BundlerClientError("invalid_response", "receipt.success must be a boolean");
+  }
+  const inner = obj.receipt;
+  if (typeof inner !== "object" || inner === null) {
+    throw new BundlerClientError("invalid_response", "receipt.receipt missing");
+  }
+  const innerObj = inner;
+  const txHash = innerObj.transactionHash;
+  if (typeof txHash !== "string" || !/^0x[0-9a-fA-F]{64}$/.test(txHash)) {
+    throw new BundlerClientError(
+      "invalid_response",
+      "receipt.receipt.transactionHash malformed"
+    );
+  }
+  const blockNumber = innerObj.blockNumber;
+  if (typeof blockNumber !== "string" || !/^0x[0-9a-fA-F]+$/.test(blockNumber)) {
+    throw new BundlerClientError(
+      "invalid_response",
+      "receipt.receipt.blockNumber malformed"
+    );
+  }
+  const blockHash = innerObj.blockHash;
+  if (typeof blockHash !== "string" || !/^0x[0-9a-fA-F]{64}$/.test(blockHash)) {
+    throw new BundlerClientError(
+      "invalid_response",
+      "receipt.receipt.blockHash malformed"
+    );
+  }
+  return {
+    userOpHash: userOpHash.toLowerCase(),
+    sender: sender.toLowerCase(),
+    success: obj.success,
+    ...typeof obj.reason === "string" ? { reason: obj.reason } : {},
+    receipt: {
+      transactionHash: txHash.toLowerCase(),
+      blockNumber: blockNumber.toLowerCase(),
+      blockHash: blockHash.toLowerCase()
+    }
+  };
+}
+function parseSponsoredFields(raw) {
+  if (typeof raw !== "object" || raw === null) {
+    throw new BundlerClientError(
+      "invalid_response",
+      "pm_sponsorUserOperation returned non-object"
+    );
+  }
+  const obj = raw;
+  return {
+    paymaster: assertHexAddress(obj.paymaster, "sponsoredFields.paymaster"),
+    paymasterVerificationGasLimit: assertHexNonZero(
+      obj.paymasterVerificationGasLimit,
+      "sponsoredFields.paymasterVerificationGasLimit",
+      MAX_PAYMASTER_GAS_LIMIT
+    ),
+    paymasterPostOpGasLimit: assertHexNonZero(
+      obj.paymasterPostOpGasLimit,
+      "sponsoredFields.paymasterPostOpGasLimit",
+      MAX_PAYMASTER_GAS_LIMIT
+    ),
+    // paymasterData is the only sponsored field that can legitimately
+    // be empty (`0x`) — paymasters with no per-op data return that.
+    paymasterData: assertHex(obj.paymasterData, "sponsoredFields.paymasterData"),
+    callGasLimit: assertHexNonZero(
+      obj.callGasLimit,
+      "sponsoredFields.callGasLimit",
+      MAX_CALL_GAS_LIMIT
+    ),
+    verificationGasLimit: assertHexNonZero(
+      obj.verificationGasLimit,
+      "sponsoredFields.verificationGasLimit",
+      MAX_VERIFICATION_GAS_LIMIT
+    ),
+    preVerificationGas: assertHexNonZero(
+      obj.preVerificationGas,
+      "sponsoredFields.preVerificationGas",
+      MAX_PRE_VERIFICATION_GAS
+    )
+  };
+}
+function assertHex(value, label) {
+  if (typeof value !== "string" || !/^0x([0-9a-fA-F]{2})*$/.test(value)) {
+    const repr = value === void 0 ? "undefined" : JSON.stringify(value);
+    const safe = typeof repr === "string" ? repr.slice(0, 80) : "unknown";
+    throw new BundlerClientError(
+      "invalid_response",
+      `${label} must be a 0x-prefixed hex string (got ${safe})`
+    );
+  }
+  return value;
+}
+function assertHexNonZero(value, label, maxValue) {
+  const hex = assertHex(value, label);
+  if (hex.length === 2 || BigInt(hex) === 0n) {
+    throw new BundlerClientError(
+      "invalid_response",
+      `${label} must be a non-zero hex value (got "${hex}")`
+    );
+  }
+  if (maxValue !== void 0 && BigInt(hex) > maxValue) {
+    throw new BundlerClientError(
+      "invalid_response",
+      `${label} = ${BigInt(hex)} exceeds plausible ceiling ${maxValue} \u2014 refusing to sign + submit`
+    );
+  }
+  return hex;
+}
+var MAX_CALL_GAS_LIMIT = 20000000n;
+var MAX_VERIFICATION_GAS_LIMIT = 20000000n;
+var MAX_PRE_VERIFICATION_GAS = 5000000n;
+var MAX_PAYMASTER_GAS_LIMIT = 5000000n;
+function assertHexAddress(value, label) {
+  if (typeof value !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(value)) {
+    const repr = value === void 0 ? "undefined" : JSON.stringify(value);
+    const safe = typeof repr === "string" ? repr.slice(0, 80) : "unknown";
+    throw new BundlerClientError(
+      "invalid_response",
+      `${label} must be a 0x-prefixed 20-byte hex address (got ${safe})`
+    );
+  }
+  return value;
+}
 var TOOL_DESCRIPTORS = [
   {
     name: "muhaven.read.portfolio",
@@ -829,6 +1737,119 @@ var GovernanceCastVoteInputSchema = z.object({
   voteYes: z.boolean()
 }).strict();
 
+// src/auth/jwt-decode.ts
+var JwtDecodeError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "JwtDecodeError";
+    this.code = code;
+  }
+};
+function decodeJwtPayload(jwt) {
+  const segments = jwt.split(".");
+  if (segments.length !== 3) {
+    throw new JwtDecodeError(
+      "malformed_segments",
+      `expected 3 dot-separated segments, got ${segments.length}`
+    );
+  }
+  const payloadSegment = segments[1];
+  if (payloadSegment === void 0) {
+    throw new JwtDecodeError("malformed_segments", "payload segment missing");
+  }
+  let payloadJson;
+  try {
+    payloadJson = Buffer.from(payloadSegment, "base64url").toString("utf8");
+  } catch (err2) {
+    throw new JwtDecodeError(
+      "malformed_base64",
+      `payload segment is not valid base64url: ${err2 instanceof Error ? err2.message : String(err2)}`
+    );
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(payloadJson);
+  } catch (err2) {
+    throw new JwtDecodeError(
+      "malformed_json",
+      `payload is not valid JSON: ${err2 instanceof Error ? err2.message : String(err2)}`
+    );
+  }
+  if (parsed === null || typeof parsed !== "object") {
+    throw new JwtDecodeError(
+      "malformed_json",
+      `payload is not a JSON object (got ${parsed === null ? "null" : typeof parsed})`
+    );
+  }
+  const obj = parsed;
+  return {
+    sub: typeof obj.sub === "string" ? obj.sub : null,
+    scope: Array.isArray(obj.scope) ? obj.scope.filter((s) => typeof s === "string") : [],
+    expSec: typeof obj.exp === "number" ? obj.exp : null,
+    iss: typeof obj.iss === "string" ? obj.iss : null
+  };
+}
+function truncateSubject(sub) {
+  if (!sub) return "(missing)";
+  const sanitized = sub.replace(/[^\x20-\x7e]/g, "?");
+  if (sanitized.length <= 12) return sanitized;
+  return `${sanitized.slice(0, 8)}\u2026${sanitized.slice(-4)}`;
+}
+var KERNEL_EXECUTE_ABI = parseAbi([
+  "function execute(bytes32 mode, bytes calldata executionCalldata)"
+]);
+var KERNEL_V3_SINGLE_CALL_MODE_DEFAULT = `0x${"00".repeat(32)}`;
+function encodeKernelExecuteSingleCall(input) {
+  const executionCalldata = encodePacked(
+    ["address", "uint256", "bytes"],
+    [input.target, input.value, input.callData]
+  );
+  return encodeFunctionData({
+    abi: KERNEL_EXECUTE_ABI,
+    functionName: "execute",
+    args: [KERNEL_V3_SINGLE_CALL_MODE_DEFAULT, executionCalldata]
+  });
+}
+var ECDSA_SIG_HEX_RE = /^0x[0-9a-fA-F]{130}$/;
+var PERMISSION_USE_PREFIX = "0xff";
+function buildKernelSessionKeySignature(input) {
+  if (!ECDSA_SIG_HEX_RE.test(input.ecdsaSignature)) {
+    throw new Error(
+      `buildKernelSessionKeySignature: ecdsaSignature must be a 0x-prefixed 65-byte hex (got ${input.ecdsaSignature.length} chars)`
+    );
+  }
+  return concatHex([PERMISSION_USE_PREFIX, input.ecdsaSignature]);
+}
+var VALIDATOR_MODE_DEFAULT = "0x00";
+var VALIDATOR_TYPE_PERMISSION = "0x02";
+var PERMISSION_ID_HEX_RE = /^0x[0-9a-fA-F]{8}$/;
+function composeKernelV3NonceKey(args) {
+  if (!PERMISSION_ID_HEX_RE.test(args.permissionId)) {
+    throw new Error(
+      `composeKernelV3NonceKey: permissionId must be a 0x-prefixed 4-byte hex (got ${args.permissionId.length} chars)`
+    );
+  }
+  const customKey = args.customKey ?? 0n;
+  if (customKey < 0n || customKey > 0xffffn) {
+    throw new Error(
+      `composeKernelV3NonceKey: customKey must fit in 2 bytes (0..0xffff), got ${customKey}`
+    );
+  }
+  const paddedPermissionId = pad(args.permissionId, { size: 20, dir: "right" });
+  const customKeyHex = pad(`0x${customKey.toString(16)}`, { size: 2 });
+  const composite = pad(
+    concatHex([
+      VALIDATOR_MODE_DEFAULT,
+      VALIDATOR_TYPE_PERMISSION,
+      paddedPermissionId,
+      customKeyHex
+    ]),
+    { size: 24 }
+  );
+  return BigInt(composite);
+}
+
 // src/tools/auth-required.ts
 function authRequiredPayload() {
   return {
@@ -871,6 +1892,13 @@ function formatUsd6AsDecimal(usd6) {
 }
 
 // src/tools/handlers.ts
+var SUBSCRIPTION_PURCHASE_SELECTOR = toFunctionSelector(
+  "function purchase(address,(uint256,uint8,uint8,bytes),uint128,address)"
+).toLowerCase();
+var SUBSCRIPTION_PURCHASE_ABI = parseAbi([
+  "function purchase(address token, (uint256 ctHash, uint8 securityZone, uint8 utype, bytes signature) encShares, uint128 maxSharesHint, address ephemeralEOA)"
+]);
+var PLACEHOLDER_SIGNATURE = "0x" + "fe".repeat(86);
 function ok(data) {
   return { ok: true, data };
 }
@@ -882,94 +1910,673 @@ function mapBackendError(e) {
     if (e.code === "unauthorized") return authRequiredPayload();
     return err(`backend.${e.code}`, e.message);
   }
-  if (e instanceof Error) return err("backend.network", e.message);
-  return err("backend.network", "unknown backend error");
-}
-async function readPortfolio(_input, deps) {
-  try {
-    const data = await deps.backend.get("/api/v1/portfolio");
-    return ok(data);
-  } catch (e) {
-    return mapBackendError(e);
+  if (e instanceof Error) return err("backend.network", e.message);
+  return err("backend.network", "unknown backend error");
+}
+async function readPortfolio(_input, deps) {
+  try {
+    const data = await deps.backend.get("/api/v1/portfolio");
+    return ok(data);
+  } catch (e) {
+    return mapBackendError(e);
+  }
+}
+async function readYields(input, deps) {
+  try {
+    const data = await deps.backend.get("/api/v1/yields", {
+      token: input.token,
+      limit: input.limit
+    });
+    return ok(data);
+  } catch (e) {
+    return mapBackendError(e);
+  }
+}
+async function readDistribution(input, deps) {
+  try {
+    const data = await deps.backend.get("/api/v1/distributions", {
+      token: input.token,
+      epoch: input.epoch
+    });
+    return ok(data);
+  } catch (e) {
+    return mapBackendError(e);
+  }
+}
+async function readTokens(_input, deps) {
+  try {
+    const data = await deps.backend.get("/api/v1/tokens");
+    return ok(data);
+  } catch (e) {
+    return mapBackendError(e);
+  }
+}
+async function readAudit(input, deps) {
+  try {
+    const data = await deps.backend.get("/api/v1/agent/policy/audit", {
+      surface: input.surface,
+      eventTypes: input.eventTypes?.join(","),
+      since: input.since,
+      until: input.until,
+      cursor: input.cursor,
+      limit: input.limit
+    });
+    return ok(data);
+  } catch (e) {
+    return mapBackendError(e);
+  }
+}
+async function readActivity(input, deps) {
+  try {
+    const data = await deps.backend.get("/api/v1/activity", {
+      limit: input.limit,
+      offset: input.offset
+    });
+    return ok(data);
+  } catch (e) {
+    return mapBackendError(e);
+  }
+}
+function buildPositionDeeplink(dashboardBaseUrl, action, params) {
+  const base = dashboardBaseUrl.replace(/\/+$/, "");
+  const path = action === "buy" || action === "sell" ? "/trade" : action === "claim" ? "/yields" : "/cash";
+  const search = new URLSearchParams();
+  if (action === "buy" || action === "sell") search.set("mode", action);
+  for (const [k, v] of Object.entries(params)) search.set(k, v);
+  search.set("from", "mcp");
+  return `${base}${path}?${search.toString()}`;
+}
+function resolveDashboardBaseUrl(deps) {
+  return deps.dashboardBaseUrl ?? "https://muhaven.app";
+}
+function resolveTokenInCatalog(identifier, catalog) {
+  const needle = identifier.toLowerCase();
+  return catalog.find(
+    (t) => t.address.toLowerCase() === needle || t.symbol.toLowerCase() === needle
+  ) ?? null;
+}
+function sanitizeSymbolForLlmContext(raw) {
+  const cleaned = raw.replace(/[^A-Za-z0-9_-]/g, "?");
+  return cleaned.length > 16 ? cleaned.slice(0, 16) : cleaned;
+}
+function sanitizeRpcMessageForLlmContext(raw) {
+  const cleaned = raw.replace(/[\x00-\x1f\x7f]/g, "").replace(/[^\x20-\x7e]/g, "?").replace(/\s+/g, " ").trim();
+  return cleaned.length > 120 ? cleaned.slice(0, 120) + "\u2026" : cleaned;
+}
+function mapBrokerCallFailure(err2, verb, defaultReason = "broker_internal") {
+  if (err2 instanceof BrokerClientError && err2.brokerCode === "unsupported_type") {
+    return {
+      kind: "fallback",
+      reason: "version_too_old",
+      message: `broker daemon rejected ${verb} as unsupported_type \u2014 daemon is likely older than protocol 0.4.0; upgrade @muhaven/mcp and restart the broker`
+    };
+  }
+  return {
+    kind: "fallback",
+    reason: defaultReason,
+    message: `broker rejected ${verb} (${typedErrorCode(err2)})`
+  };
+}
+var MCP_HEX_20_BYTE_RE = /^0x[0-9a-fA-F]{40}$/;
+var MCP_HEX_4_BYTE_RE = /^0x[0-9a-fA-F]{8}$/;
+var MCP_HEX_32_BYTE_RE = /^0x[0-9a-fA-F]{64}$/;
+var MCP_SESSION_ID_RE = /^[A-Za-z0-9_-]{1,128}$/;
+var MirrorDtoMalformedError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "MirrorDtoMalformedError";
+  }
+};
+function mirrorDtoToPolicySnapshot(dto) {
+  if (dto.mode !== "scoped") {
+    throw new MirrorDtoMalformedError(
+      `mode must be 'scoped' (got ${JSON.stringify(dto.mode)}); wildcard mirror auto-sync ships in Slice 4`
+    );
+  }
+  if (dto.status !== "active") {
+    throw new MirrorDtoMalformedError(
+      `status must be 'active' for auto-sync (got ${JSON.stringify(dto.status)}); backend mirror should have filtered this row out`
+    );
+  }
+  if (typeof dto.sessionId !== "string" || !MCP_SESSION_ID_RE.test(dto.sessionId)) {
+    throw new MirrorDtoMalformedError(
+      `sessionId must match /^[A-Za-z0-9_-]{1,128}$/`
+    );
+  }
+  if (!MCP_HEX_20_BYTE_RE.test(dto.signerAddress)) {
+    throw new MirrorDtoMalformedError(
+      `signerAddress is not a 0x-prefixed 20-byte hex`
+    );
+  }
+  if (!Array.isArray(dto.targetContracts) || dto.targetContracts.length === 0) {
+    throw new MirrorDtoMalformedError(
+      `targetContracts must be a non-empty array`
+    );
+  }
+  for (const t of dto.targetContracts) {
+    if (typeof t !== "string" || !MCP_HEX_20_BYTE_RE.test(t)) {
+      throw new MirrorDtoMalformedError(
+        `targetContracts entry is not a 0x-prefixed 20-byte hex`
+      );
+    }
+  }
+  if (!Array.isArray(dto.selectorCaps) || dto.selectorCaps.length === 0) {
+    throw new MirrorDtoMalformedError(`selectorCaps must be a non-empty array`);
+  }
+  for (const c of dto.selectorCaps) {
+    if (typeof c?.selector !== "string" || !MCP_HEX_4_BYTE_RE.test(c.selector)) {
+      throw new MirrorDtoMalformedError(
+        `selectorCaps entry has a malformed selector`
+      );
+    }
+  }
+  if (dto.permissionId != null && !MCP_HEX_4_BYTE_RE.test(dto.permissionId)) {
+    throw new MirrorDtoMalformedError(
+      `permissionId is not a 0x-prefixed 4-byte hex`
+    );
+  }
+  if (dto.consentActionHash != null && !MCP_HEX_32_BYTE_RE.test(dto.consentActionHash)) {
+    throw new MirrorDtoMalformedError(
+      `consentActionHash is not a 0x-prefixed 32-byte hex`
+    );
+  }
+  if (dto.consentTextSha256 != null && !MCP_HEX_32_BYTE_RE.test(dto.consentTextSha256)) {
+    throw new MirrorDtoMalformedError(
+      `consentTextSha256 is not a 0x-prefixed 32-byte hex`
+    );
+  }
+  return {
+    sessionId: dto.sessionId,
+    mode: "scoped",
+    signerAddress: dto.signerAddress.toLowerCase(),
+    targetContracts: dto.targetContracts.map(
+      (a) => a.toLowerCase()
+    ),
+    selectorCaps: dto.selectorCaps.map((c) => ({
+      selector: c.selector.toLowerCase(),
+      capArgIndex: c.capArgIndex,
+      maxAmount: c.maxAmount
+    })),
+    validUntilSec: dto.validUntilSec,
+    mintedAtSec: dto.mintedAtSec,
+    ...dto.consentActionHash ? { consentActionHash: dto.consentActionHash.toLowerCase() } : {},
+    ...dto.consentTextSha256 ? { consentTextSha256: dto.consentTextSha256.toLowerCase() } : {},
+    ...dto.permissionId ? { permissionId: dto.permissionId.toLowerCase() } : {}
+  };
+}
+function typedErrorCode(err2) {
+  if (err2 instanceof BackendError) return `backend.${err2.code}`;
+  if (err2 instanceof BrokerClientError) {
+    return err2.brokerCode ? `broker.${err2.brokerCode}` : `broker.${err2.code}`;
+  }
+  if (err2 instanceof MirrorDtoMalformedError) return "malformed_mirror_row";
+  return "unknown";
+}
+async function fetchJwtSubjectHint(deps) {
+  if (!deps.broker) return null;
+  try {
+    const res = await deps.broker.getJwt();
+    if (!res.jwt) return null;
+    const decoded = decodeJwtPayload(res.jwt);
+    return truncateSubject(decoded.sub);
+  } catch {
+    return null;
+  }
+}
+async function syncSnapshotFromMirror(deps, brokerSignerAddress) {
+  if (!deps.broker) {
+    return {
+      kind: "fallback",
+      reason: "mirror_sync_failed",
+      message: "auto-sync invoked without a broker dep \u2014 pipeline bug"
+    };
+  }
+  let mirror;
+  try {
+    mirror = await deps.backend.get(
+      "/api/v1/agent/policy/scoped-session",
+      { surface: "mcp" }
+    );
+  } catch (err2) {
+    return {
+      kind: "fallback",
+      reason: "mirror_sync_failed",
+      message: `backend mirror lookup failed (${typedErrorCode(err2)})`
+    };
+  }
+  if (!mirror || mirror.session == null) {
+    const subjectHint = await fetchJwtSubjectHint(deps);
+    const hintSuffix = subjectHint ? ` (broker JWT subject: ${subjectHint} \u2014 verify this matches the userId of the wallet you used to mint the scoped tier; if not, run \`muhaven-broker logout && muhaven-broker login\` and re-authorize with the correct passkey)` : "";
+    return {
+      kind: "fallback",
+      reason: "no_active_session_key",
+      message: "no active scoped session \u2014 visit /agent/policy/transition to mint one, then retry. (Mirror also empty; nothing to auto-sync.)" + hintSuffix
+    };
+  }
+  let snapshot;
+  try {
+    snapshot = mirrorDtoToPolicySnapshot(mirror.session);
+  } catch (err2) {
+    return {
+      kind: "fallback",
+      reason: "mirror_sync_failed",
+      message: `mirror returned a malformed scoped-session row (${typedErrorCode(err2)})`
+    };
+  }
+  if (snapshot.signerAddress.toLowerCase() !== brokerSignerAddress.toLowerCase()) {
+    return {
+      kind: "fallback",
+      reason: "signer_mismatch",
+      message: `mirror snapshot is bound to signer ${snapshot.signerAddress}, broker is currently signing as ${brokerSignerAddress} \u2014 re-mint the scoped tier from the dashboard against the broker's current session key, OR restart the broker with the session key matching the mirror snapshot`
+    };
+  }
+  try {
+    await deps.broker.storePolicySnapshot(snapshot);
+  } catch (err2) {
+    return {
+      kind: "fallback",
+      reason: "mirror_sync_failed",
+      message: `broker rejected store_policy_snapshot (${typedErrorCode(err2)})`
+    };
+  }
+  let activeId;
+  try {
+    const res = await deps.broker.getActiveSessionId();
+    activeId = res.sessionId;
+  } catch (err2) {
+    return {
+      kind: "fallback",
+      reason: "mirror_sync_failed",
+      message: `broker re-probe after store_policy_snapshot failed (${typedErrorCode(err2)})`
+    };
+  }
+  if (!activeId) {
+    return {
+      kind: "fallback",
+      reason: "mirror_sync_failed",
+      message: "broker accepted store_policy_snapshot but get_active_session_id returned null \u2014 most likely cause: multiple non-expired snapshots for the same signer collapse to ambiguous. Clear stale snapshots via the muhaven-broker CLI before retrying. (Snapshot signer was pre-validated to match the broker; signer mismatch already filtered upstream.)"
+    };
+  }
+  return { kind: "ok", sessionId: activeId };
+}
+async function attemptPathD(args, deps) {
+  const { shares, tokenAddress, tokenSymbol } = args;
+  if (!deps.broker || !deps.bundler) {
+    return { kind: "unconfigured" };
+  }
+  if (!deps.subscriptionAddress) {
+    return {
+      kind: "fallback",
+      reason: "subscription_address_unset",
+      message: "MUHAVEN_SUBSCRIPTION_ADDRESS not configured \u2014 Path D autonomous-buy disabled until the operator sets it in the MCP env"
+    };
+  }
+  if (!deps.entryPointAddress) {
+    return {
+      kind: "fallback",
+      reason: "entry_point_unset",
+      message: "MUHAVEN_ENTRY_POINT resolved to undefined \u2014 Path D requires the EntryPoint v0.7 address"
+    };
+  }
+  if (typeof deps.chainId !== "number") {
+    return {
+      kind: "fallback",
+      reason: "chain_id_unset",
+      message: "MUHAVEN_CHAIN_ID not configured \u2014 Path D autonomous-buy requires a chain id for userOpHash"
+    };
+  }
+  const subscriptionAddress = deps.subscriptionAddress;
+  const entryPointAddress = deps.entryPointAddress;
+  const chainId = deps.chainId;
+  const preflight = await deps.broker.preflight();
+  if (!preflight.supported) {
+    if (preflight.reason === "broker_unreachable") {
+      return {
+        kind: "fallback",
+        reason: "broker_unreachable",
+        message: `broker daemon not reachable (${preflight.message}) \u2014 falling back to Path C dashboard deep-link`
+      };
+    }
+    if (preflight.reason === "version_too_old") {
+      return {
+        kind: "fallback",
+        reason: "version_too_old",
+        message: `broker speaks ${preflight.daemonVersion}, Path D requires \u2265${preflight.requiredVersion} \u2014 upgrade @muhaven/mcp and restart the broker`
+      };
+    }
+    return {
+      kind: "fallback",
+      reason: "session_key_unavailable",
+      message: "broker is running in read-only posture (no MUHAVEN_BROKER_SESSION_KEY set) \u2014 Path D requires a loaded session key"
+    };
+  }
+  let activeId;
+  try {
+    const res = await deps.broker.getActiveSessionId();
+    activeId = res.sessionId;
+  } catch (err2) {
+    return mapBrokerCallFailure(err2, "get_active_session_id");
+  }
+  if (!activeId) {
+    const synced = await syncSnapshotFromMirror(deps, preflight.signerAddress);
+    if (synced.kind === "fallback") {
+      return synced;
+    }
+    activeId = synced.sessionId;
+  }
+  let snapshot;
+  try {
+    const res = await deps.broker.getPolicySnapshot(activeId);
+    snapshot = res.snapshot;
+  } catch (err2) {
+    return mapBrokerCallFailure(err2, "get_policy_snapshot", "snapshot_lookup_failed");
+  }
+  if (!snapshot) {
+    return {
+      kind: "fallback",
+      reason: "no_active_snapshot",
+      message: `broker reported session ${activeId} active but get_policy_snapshot returned null (race? \u2014 refresh tier from dashboard)`
+    };
+  }
+  if (snapshot.signerAddress.toLowerCase() !== preflight.signerAddress.toLowerCase()) {
+    return {
+      kind: "fallback",
+      reason: "signer_mismatch",
+      message: `snapshot ${activeId} is bound to signer ${snapshot.signerAddress}, broker is currently signing as ${preflight.signerAddress} \u2014 broker session-key likely rotated mid-flight; re-mint the scoped tier from the dashboard`
+    };
+  }
+  const purchaseCap = snapshot.selectorCaps.find(
+    (c) => c.selector.toLowerCase() === SUBSCRIPTION_PURCHASE_SELECTOR
+  );
+  if (!purchaseCap) {
+    return {
+      kind: "fallback",
+      reason: "selector_not_in_snapshot",
+      message: "active scoped session does not authorize subscription.purchase \u2014 re-mint the session with a purchase cap"
+    };
+  }
+  if (purchaseCap.maxAmount === null) {
+    return {
+      kind: "fallback",
+      reason: "selector_uncapped",
+      message: "active scoped session lists subscription.purchase but with no per-op cap (capArgIndex/maxAmount both null) \u2014 Slice 1 refuses to autonomy-buy without an explicit ceiling; re-mint with a maxAmount"
+    };
+  }
+  const maxShares = BigInt(purchaseCap.maxAmount);
+  if (shares > maxShares) {
+    return {
+      kind: "fallback",
+      reason: "out_of_scope",
+      message: `requested ${shares} shares exceeds the active session's per-op cap of ${maxShares} shares \u2014 fall back to Path C dashboard deep-link for this larger buy`
+    };
   }
-}
-async function readYields(input, deps) {
+  if (!snapshot.targetContracts.some(
+    (t) => t.toLowerCase() === subscriptionAddress.toLowerCase()
+  )) {
+    return {
+      kind: "fallback",
+      reason: "target_not_in_snapshot",
+      message: `subscription target ${subscriptionAddress} not in active session's target allowlist \u2014 re-mint the session with subscription in scope`
+    };
+  }
+  let accountAddress;
   try {
-    const data = await deps.backend.get("/api/v1/yields", {
-      token: input.token,
-      limit: input.limit
+    const stateDto = await deps.backend.get("/api/v1/agent/policy/state", {
+      surface: "mcp"
     });
-    return ok(data);
-  } catch (e) {
-    return mapBackendError(e);
+    if (!stateDto.accountAddress || !/^0x[0-9a-fA-F]{40}$/.test(stateDto.accountAddress)) {
+      return {
+        kind: "fallback",
+        reason: "no_validator_registered",
+        message: "backend /agent/policy/state returned no accountAddress \u2014 re-login the MCP"
+      };
+    }
+    accountAddress = stateDto.accountAddress.toLowerCase();
+  } catch (err2) {
+    return {
+      kind: "fallback",
+      reason: "no_validator_registered",
+      message: `backend /agent/policy/state lookup failed: ${err2 instanceof Error ? err2.message : String(err2)}`
+    };
   }
-}
-async function readDistribution(input, deps) {
+  if (!snapshot.permissionId) {
+    return {
+      kind: "fallback",
+      reason: "no_permission_id_in_snapshot",
+      message: "active scoped session snapshot lacks permissionId \u2014 frontend storePolicySnapshot wire-up is a Slice 2 prerequisite; falling back to Path C"
+    };
+  }
+  const permissionId = snapshot.permissionId;
+  let encShares;
+  let ephemeralEOA;
   try {
-    const data = await deps.backend.get("/api/v1/distributions", {
-      token: input.token,
-      epoch: input.epoch
+    const enc = await deps.backend.post("/api/v1/agent/path-d/encrypt-shares", {
+      tokenAddress,
+      sharesAmount: shares.toString()
     });
-    return ok(data);
-  } catch (e) {
-    return mapBackendError(e);
+    if (!enc.encShares || typeof enc.encShares.ctHash !== "string" || typeof enc.encShares.securityZone !== "number" || typeof enc.encShares.utype !== "number" || typeof enc.encShares.signature !== "string" || typeof enc.ephemeralEOA !== "string") {
+      return {
+        kind: "fallback",
+        reason: "encrypt_shares_server_error",
+        message: "backend /agent/path-d/encrypt-shares returned malformed payload"
+      };
+    }
+    encShares = {
+      ctHash: enc.encShares.ctHash,
+      securityZone: enc.encShares.securityZone,
+      utype: enc.encShares.utype,
+      signature: enc.encShares.signature
+    };
+    ephemeralEOA = enc.ephemeralEOA;
+  } catch (err2) {
+    if (err2 instanceof BackendError) {
+      const is4xx = typeof err2.status === "number" && err2.status < 500;
+      return {
+        kind: "fallback",
+        reason: is4xx ? "encrypt_shares_rejected" : "encrypt_shares_server_error",
+        message: `backend rejected encrypt-shares (backend.${err2.code})`
+      };
+    }
+    return {
+      kind: "fallback",
+      reason: "encrypt_shares_server_error",
+      message: `backend /agent/path-d/encrypt-shares failed: ${err2 instanceof Error ? err2.message : String(err2)}`
+    };
   }
-}
-async function readTokens(_input, deps) {
+  const innerCallData = encodeFunctionData({
+    abi: SUBSCRIPTION_PURCHASE_ABI,
+    functionName: "purchase",
+    args: [
+      tokenAddress,
+      {
+        ctHash: BigInt(encShares.ctHash),
+        securityZone: encShares.securityZone,
+        utype: encShares.utype,
+        signature: encShares.signature
+      },
+      shares,
+      // maxSharesHint — tight per spec
+      ephemeralEOA
+    ]
+  });
+  const kernelCallData = encodeKernelExecuteSingleCall({
+    target: subscriptionAddress,
+    value: 0n,
+    callData: innerCallData
+  });
+  let nonce;
+  let feeData;
   try {
-    const data = await deps.backend.get("/api/v1/tokens");
-    return ok(data);
-  } catch (e) {
-    return mapBackendError(e);
+    const nonceKey = composeKernelV3NonceKey({ permissionId });
+    nonce = await deps.bundler.getNonce(accountAddress, entryPointAddress, nonceKey);
+    feeData = await deps.bundler.getFeeData();
+  } catch (err2) {
+    return {
+      kind: "fallback",
+      reason: "bundler_setup_failed",
+      message: `bundler bootstrap failed: ${err2 instanceof BundlerClientError ? `${err2.code}: ${err2.message}` : String(err2)}`
+    };
   }
-}
-async function readAudit(input, deps) {
+  const partial = {
+    sender: accountAddress,
+    nonce: `0x${nonce.toString(16)}`,
+    callData: kernelCallData,
+    maxFeePerGas: feeData.maxFeePerGas,
+    maxPriorityFeePerGas: feeData.maxPriorityFeePerGas,
+    signature: PLACEHOLDER_SIGNATURE
+  };
+  let sponsored;
   try {
-    const data = await deps.backend.get("/api/v1/agent/policy/audit", {
-      surface: input.surface,
-      eventTypes: input.eventTypes?.join(","),
-      since: input.since,
-      until: input.until,
-      cursor: input.cursor,
-      limit: input.limit
-    });
-    return ok(data);
-  } catch (e) {
-    return mapBackendError(e);
+    sponsored = await deps.bundler.sponsorUserOp(partial, entryPointAddress);
+  } catch (err2) {
+    const detail = err2 instanceof BundlerClientError && err2.detail && typeof err2.detail === "object" ? ` (rpc code=${err2.detail.code ?? "unknown"})` : "";
+    const safeMsg = sanitizeRpcMessageForLlmContext(
+      err2 instanceof Error ? err2.message : String(err2)
+    );
+    return {
+      kind: "fallback",
+      reason: "paymaster_rejected",
+      message: `pm_sponsorUserOperation rejected${detail}: ${safeMsg}`
+    };
   }
-}
-async function readActivity(input, deps) {
+  const userOpForHash = {
+    sender: accountAddress,
+    nonce,
+    factory: void 0,
+    factoryData: void 0,
+    callData: kernelCallData,
+    callGasLimit: BigInt(sponsored.callGasLimit),
+    verificationGasLimit: BigInt(sponsored.verificationGasLimit),
+    preVerificationGas: BigInt(sponsored.preVerificationGas),
+    maxFeePerGas: BigInt(feeData.maxFeePerGas),
+    maxPriorityFeePerGas: BigInt(feeData.maxPriorityFeePerGas),
+    paymaster: sponsored.paymaster,
+    paymasterVerificationGasLimit: BigInt(sponsored.paymasterVerificationGasLimit),
+    paymasterPostOpGasLimit: BigInt(sponsored.paymasterPostOpGasLimit),
+    paymasterData: sponsored.paymasterData,
+    signature: PLACEHOLDER_SIGNATURE
+  };
+  const userOpHash = getUserOperationHash({
+    userOperation: userOpForHash,
+    entryPointAddress,
+    entryPointVersion: "0.7",
+    chainId
+  });
+  let brokerSig;
   try {
-    const data = await deps.backend.get("/api/v1/activity", {
-      limit: input.limit,
-      offset: input.offset
+    const signed = await deps.broker.signUserOp({
+      sessionId: activeId,
+      userOpHash,
+      innerCall: { target: subscriptionAddress, callData: innerCallData },
+      intent: {
+        tool: "muhaven.position.buy",
+        summary: `${shares.toString()} shares of ${sanitizeSymbolForLlmContext(tokenSymbol)}`
+      }
     });
-    return ok(data);
-  } catch (e) {
-    return mapBackendError(e);
+    brokerSig = signed.signature;
+  } catch (err2) {
+    if (err2 instanceof BrokerClientError && err2.brokerCode) {
+      const code = err2.brokerCode;
+      if (code === "policy_violation") {
+        return {
+          kind: "fallback",
+          reason: "broker_policy_violation",
+          message: "broker rejected sign_userop: policy_violation (innerCall vs snapshot mismatch)"
+        };
+      }
+      if (code === "scope_violation") {
+        return {
+          kind: "fallback",
+          reason: "broker_scope_violation",
+          message: "broker rejected sign_userop: scope_violation (snapshot expired between gate and sign)"
+        };
+      }
+      if (code === "max_spend_exceeded") {
+        return {
+          kind: "fallback",
+          reason: "broker_max_spend_exceeded",
+          message: "broker rejected sign_userop: max_spend_exceeded (innerCall maxSharesHint over cap)"
+        };
+      }
+      if (code === "no_active_snapshot") {
+        return {
+          kind: "fallback",
+          reason: "broker_no_active_snapshot_at_sign",
+          message: "broker reported no_active_snapshot at sign time \u2014 likely GC race after our snapshot read"
+        };
+      }
+    }
+    return mapBrokerCallFailure(err2, "sign_userop", "broker_internal");
+  }
+  const signedUserOpWire = {
+    sender: accountAddress,
+    nonce: partial.nonce,
+    callData: kernelCallData,
+    callGasLimit: sponsored.callGasLimit,
+    verificationGasLimit: sponsored.verificationGasLimit,
+    preVerificationGas: sponsored.preVerificationGas,
+    maxFeePerGas: feeData.maxFeePerGas,
+    maxPriorityFeePerGas: feeData.maxPriorityFeePerGas,
+    paymaster: sponsored.paymaster,
+    paymasterVerificationGasLimit: sponsored.paymasterVerificationGasLimit,
+    paymasterPostOpGasLimit: sponsored.paymasterPostOpGasLimit,
+    paymasterData: sponsored.paymasterData,
+    signature: buildKernelSessionKeySignature({ ecdsaSignature: brokerSig })
+  };
+  let submittedHash;
+  try {
+    submittedHash = await deps.bundler.sendUserOp(signedUserOpWire, entryPointAddress);
+  } catch (err2) {
+    const detail = err2 instanceof BundlerClientError && err2.detail && typeof err2.detail === "object" ? ` (rpc code=${err2.detail.code ?? "unknown"})` : "";
+    return {
+      kind: "fallback",
+      reason: "bundler_submit_rejected",
+      message: `bundler eth_sendUserOperation rejected${detail}: ${err2 instanceof Error ? err2.message : String(err2)}`
+    };
+  }
+  if (submittedHash.toLowerCase() !== userOpHash.toLowerCase()) {
+    return {
+      kind: "fallback",
+      reason: "userop_hash_mismatch",
+      message: `bundler reported userOpHash ${submittedHash} but we signed ${userOpHash} \u2014 refusing to wait for receipt`
+    };
+  }
+  try {
+    const receipt = await deps.bundler.waitForReceipt(userOpHash, { timeoutMs: 12e3 });
+    return {
+      kind: "ok",
+      data: {
+        action: "buy",
+        status: "submitted",
+        txHash: receipt.receipt.transactionHash,
+        userOpHash,
+        path: "D"
+      }
+    };
+  } catch (err2) {
+    try {
+      const lateReceipt = await deps.bundler.getReceipt(userOpHash);
+      if (lateReceipt) {
+        return {
+          kind: "ok",
+          data: {
+            action: "buy",
+            status: "submitted",
+            txHash: lateReceipt.receipt.transactionHash,
+            userOpHash,
+            path: "D"
+          }
+        };
+      }
+    } catch {
+    }
+    return {
+      kind: "fallback",
+      reason: "bundler_receipt_timeout",
+      message: `no receipt for userOp ${userOpHash} within 12s. The userOp may still mine. BEFORE proposing another position.buy for this intent, call muhaven.read.activity to verify whether the prior submit settled \u2014 re-issuing without that check risks double-filling.`,
+      submittedUserOpHash: userOpHash
+    };
   }
-}
-function buildPositionDeeplink(dashboardBaseUrl, action, params) {
-  const base = dashboardBaseUrl.replace(/\/+$/, "");
-  const path = action === "buy" || action === "sell" ? "/trade" : action === "claim" ? "/yields" : "/cash";
-  const search = new URLSearchParams();
-  if (action === "buy" || action === "sell") search.set("mode", action);
-  for (const [k, v] of Object.entries(params)) search.set(k, v);
-  search.set("from", "mcp");
-  return `${base}${path}?${search.toString()}`;
-}
-function resolveDashboardBaseUrl(deps) {
-  return deps.dashboardBaseUrl ?? "https://muhaven.app";
-}
-function resolveTokenInCatalog(identifier, catalog) {
-  const needle = identifier.toLowerCase();
-  return catalog.find(
-    (t) => t.address.toLowerCase() === needle || t.symbol.toLowerCase() === needle
-  ) ?? null;
-}
-function sanitizeSymbolForLlmContext(raw) {
-  const cleaned = raw.replace(/[^A-Za-z0-9_-]/g, "?");
-  return cleaned.length > 16 ? cleaned.slice(0, 16) : cleaned;
 }
 async function positionBuy(input, deps) {
   let catalog;
@@ -1034,6 +2641,21 @@ async function positionBuy(input, deps) {
   const effectiveNotionalDisplay = formatUsd6AsDecimal(effectiveNotionalUsd6);
   const navDisplay = formatUsd6AsDecimal(navUsd6);
   const sharesStr = shares.toString();
+  let pathDFallbackReason;
+  let pathDSubmittedUserOpHash;
+  const pathD = await attemptPathD(
+    { shares, tokenAddress: token.address, tokenSymbol: token.symbol },
+    deps
+  );
+  if (pathD.kind === "ok") {
+    return ok(pathD.data);
+  }
+  if (pathD.kind === "fallback") {
+    pathDFallbackReason = pathD.reason;
+    if (pathD.submittedUserOpHash) {
+      pathDSubmittedUserOpHash = pathD.submittedUserOpHash;
+    }
+  }
   const dashboardUrl = buildPositionDeeplink(resolveDashboardBaseUrl(deps), "buy", {
     token: token.symbol,
     amount: sharesStr
@@ -1053,7 +2675,9 @@ ${dashboardUrl}`,
       // shows the share count instead of the user-stated notional.
       amountUsdc: input.amountUsdc,
       effectiveNotionalUsd6: effectiveNotionalUsd6.toString(),
-      navUsd6: navUsd6.toString()
+      navUsd6: navUsd6.toString(),
+      ...pathDFallbackReason ? { pathDFallbackReason } : {},
+      ...pathDSubmittedUserOpHash ? { pathDSubmittedUserOpHash } : {}
     }
   });
 }
@@ -1404,14 +3028,20 @@ var SERVER_NAME = "@muhaven/mcp";
 var SERVER_VERSION = resolveServerVersion();
 function resolveServerVersion() {
   {
-    return "0.2.1";
+    return "0.2.3";
   }
 }
 function toJsonInputSchema(schema) {
-  return {
-    type: "object",
-    additionalProperties: false
-  };
+  const json = zodToJsonSchema(schema, {
+    target: "jsonSchema7",
+    $refStrategy: "none",
+    removeAdditionalStrategy: "strict"
+  });
+  if ("$schema" in json) {
+    const { $schema: _drop, ...rest } = json;
+    return rest;
+  }
+  return json;
 }
 async function loadPinnedToolHashes() {
   const here = dirname(fileURLToPath(import.meta.url));
@@ -1480,8 +3110,12 @@ function buildMcpServer(opts) {
       const result = await entry.handler(parsed, {
         backend: opts.backend,
         broker: opts.broker,
+        bundler: opts.bundler,
         surface: "mcp",
-        dashboardBaseUrl: opts.dashboardBaseUrl
+        dashboardBaseUrl: opts.dashboardBaseUrl,
+        chainId: opts.chainId,
+        subscriptionAddress: opts.subscriptionAddress,
+        entryPointAddress: opts.entryPointAddress
       });
       return toolJsonResponse(result);
     } catch (err2) {
@@ -1532,6 +3166,17 @@ async function runMcpStdioCli(opts = {}) {
     timeoutMs: config.requestTimeoutMs,
     allowedHosts: config.allowedBackendHosts
   });
+  const bundler = config.bundlerUrl ? new BundlerClient({
+    endpoint: config.bundlerUrl,
+    requestTimeoutMs: config.bundlerTimeoutMs,
+    expectedChainId: config.chainId,
+    // Wave 5 Path D 0.2.3 — Origin defaults to the dashboard URL
+    // so ZeroDev's domain-allowlist accepts the MCP server's RPC
+    // traffic. The dashboard URL is the natural match because it's
+    // also the SIWE / passkey origin the project already trusts
+    // for browser-side traffic.
+    originHeader: config.dashboardBaseUrl
+  }) : void 0;
   const baseRegistry = selectRegistry(config.readOnly);
   const registry = opts.filterRegistry ? opts.filterRegistry(baseRegistry) : baseRegistry;
   if (registry.length === 0) {
@@ -1544,8 +3189,20 @@ async function runMcpStdioCli(opts = {}) {
     registry,
     backend,
     broker: config.readOnly ? void 0 : broker,
-    dashboardBaseUrl: config.dashboardBaseUrl
+    bundler: config.readOnly ? void 0 : bundler,
+    dashboardBaseUrl: config.dashboardBaseUrl,
+    chainId: config.chainId,
+    subscriptionAddress: config.subscriptionAddress,
+    entryPointAddress: config.entryPointAddress
   });
+  if (bundler && !config.readOnly) {
+    void bundler.assertChainId().catch((err2) => {
+      process.stderr.write(
+        `[muhaven-mcp] bundler chain-id assert failed: ${err2 instanceof Error ? err2.message : String(err2)} \u2014 Path D autonomous-buys will fail until MUHAVEN_BUNDLER_URL + MUHAVEN_CHAIN_ID agree
+`
+      );
+    });
+  }
   const transport = new StdioServerTransport();
   await server.connect(transport);
   await new Promise((resolve) => {
@@ -1650,140 +3307,52 @@ var DeviceFlowClient = class {
       const body2 = await safeJson(res);
       throw new DeviceFlowAbortedError({ code: "invalid_response", status: res.status, body: body2 });
     }
-    const body = await safeJson(res);
-    if (!body || !body.deviceCode || !body.userCode) {
-      throw new DeviceFlowAbortedError({ code: "invalid_response", status: res.status, body });
-    }
-    const verificationUri = `${trim(this.options.dashboardBaseUrl)}/link`;
-    const verificationUriComplete = `${verificationUri}?code=${encodeURIComponent(body.userCode)}`;
-    return {
-      deviceCode: body.deviceCode,
-      userCode: body.userCode,
-      verificationUri,
-      verificationUriComplete,
-      expiresInSec: body.expiresInSec ?? 300,
-      pollIntervalSec: body.pollIntervalSec ?? Math.floor(DEFAULT_POLL_INTERVAL_MS / 1e3)
-    };
-  }
-  async pollOnce(deviceCode) {
-    const url = new URL("/api/v1/auth/device/token", this.options.backendBaseUrl);
-    let res;
-    try {
-      res = await this.fetchImpl(url, {
-        method: "POST",
-        headers: { "content-type": "application/json", accept: "application/json" },
-        body: JSON.stringify({ deviceCode })
-      });
-    } catch (err2) {
-      throw new DeviceFlowAbortedError({ code: "network", cause: err2 });
-    }
-    if (res.status === 429) {
-      return { state: "pending" };
-    }
-    const body = await safeJson(res);
-    if (!body || typeof body.state !== "string") {
-      throw new DeviceFlowAbortedError({ code: "invalid_response", status: res.status, body });
-    }
-    return body;
-  }
-};
-function trim(s) {
-  return s.endsWith("/") ? s.slice(0, -1) : s;
-}
-async function safeJson(res) {
-  try {
-    return await res.json();
-  } catch {
-    return null;
-  }
-}
-
-// src/broker/protocol.ts
-var BROKER_PROTOCOL_VERSION = "0.3.0";
-var HASH_HEX_RE = /^0x[0-9a-fA-F]{64}$/;
-var JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
-function isHashHex(value) {
-  return typeof value === "string" && HASH_HEX_RE.test(value);
-}
-function isJwtShape(value) {
-  return typeof value === "string" && value.length <= 8192 && JWT_RE.test(value);
-}
-function parseBrokerRequest(line) {
-  let parsed;
-  try {
-    parsed = JSON.parse(line);
-  } catch {
-    return { type: "error", code: "invalid_request", message: "request is not valid JSON" };
-  }
-  if (typeof parsed !== "object" || parsed === null) {
-    return { type: "error", code: "invalid_request", message: "request must be a JSON object" };
-  }
-  const obj = parsed;
-  switch (obj.type) {
-    case "hello":
-      return { type: "hello" };
-    case "sign_hash": {
-      const hash = obj.hash;
-      if (!isHashHex(hash)) {
-        return {
-          type: "error",
-          code: "invalid_request",
-          message: "sign_hash.hash must be a 0x-prefixed 32-byte hex string"
-        };
-      }
-      const intent = obj.intent;
-      const intentValid = intent === void 0 || typeof intent === "object" && intent !== null && typeof intent.tool === "string";
-      if (!intentValid) {
-        return {
-          type: "error",
-          code: "invalid_request",
-          message: "sign_hash.intent.tool must be a string when provided"
-        };
-      }
-      return {
-        type: "sign_hash",
-        hash,
-        ...intent === void 0 ? {} : { intent }
-      };
+    const body = await safeJson(res);
+    if (!body || !body.deviceCode || !body.userCode) {
+      throw new DeviceFlowAbortedError({ code: "invalid_response", status: res.status, body });
     }
-    case "store_jwt": {
-      const jwt = obj.jwt;
-      if (!isJwtShape(jwt)) {
-        return {
-          type: "error",
-          code: "invalid_request",
-          message: "store_jwt.jwt must be a JWT-shaped string \u22648192 chars"
-        };
-      }
-      const expiresAtSec = obj.expiresAtSec;
-      const expiresValid = expiresAtSec === void 0 || typeof expiresAtSec === "number" && Number.isFinite(expiresAtSec) && expiresAtSec > 0;
-      if (!expiresValid) {
-        return {
-          type: "error",
-          code: "invalid_request",
-          message: "store_jwt.expiresAtSec must be a positive number when provided"
-        };
-      }
-      return {
-        type: "store_jwt",
-        jwt,
-        ...expiresAtSec === void 0 ? {} : { expiresAtSec }
-      };
+    const verificationUri = `${trim(this.options.dashboardBaseUrl)}/link`;
+    const verificationUriComplete = `${verificationUri}?code=${encodeURIComponent(body.userCode)}`;
+    return {
+      deviceCode: body.deviceCode,
+      userCode: body.userCode,
+      verificationUri,
+      verificationUriComplete,
+      expiresInSec: body.expiresInSec ?? 300,
+      pollIntervalSec: body.pollIntervalSec ?? Math.floor(DEFAULT_POLL_INTERVAL_MS / 1e3)
+    };
+  }
+  async pollOnce(deviceCode) {
+    const url = new URL("/api/v1/auth/device/token", this.options.backendBaseUrl);
+    let res;
+    try {
+      res = await this.fetchImpl(url, {
+        method: "POST",
+        headers: { "content-type": "application/json", accept: "application/json" },
+        body: JSON.stringify({ deviceCode })
+      });
+    } catch (err2) {
+      throw new DeviceFlowAbortedError({ code: "network", cause: err2 });
     }
-    case "get_jwt":
-      return { type: "get_jwt" };
-    case "clear_jwt":
-      return { type: "clear_jwt" };
-    default:
-      return {
-        type: "error",
-        code: "unsupported_type",
-        message: `unsupported request type: ${String(obj.type)}`
-      };
+    if (res.status === 429) {
+      return { state: "pending" };
+    }
+    const body = await safeJson(res);
+    if (!body || typeof body.state !== "string") {
+      throw new DeviceFlowAbortedError({ code: "invalid_response", status: res.status, body });
+    }
+    return body;
   }
+};
+function trim(s) {
+  return s.endsWith("/") ? s.slice(0, -1) : s;
 }
-function serializeResponse(res) {
-  return JSON.stringify(res) + "\n";
+async function safeJson(res) {
+  try {
+    return await res.json();
+  } catch {
+    return null;
+  }
 }
 var MissingSessionKeyError = class extends Error {
   constructor() {
@@ -1799,6 +3368,9 @@ var NullSigner = class {
   async signHash(_hash) {
     throw new MissingSessionKeyError();
   }
+  async signRawMessage(_hash) {
+    throw new MissingSessionKeyError();
+  }
 };
 var ViemSigner = class {
   account;
@@ -1811,6 +3383,9 @@ var ViemSigner = class {
   async signHash(hash) {
     return this.account.sign({ hash });
   }
+  async signRawMessage(hash) {
+    return this.account.signMessage({ message: { raw: hash } });
+  }
 };
 var KEYRING_SERVICE = "muhaven.mcp";
 var KEYRING_ACCOUNT = "jwt";
@@ -1967,11 +3542,293 @@ async function openKeystore(options = {}) {
   }
   return { keystore: new OsKeystore(entry), fallbackReason: null };
 }
+var PolicyStoreError = class extends Error {
+  constructor(code, message, cause) {
+    super(message);
+    this.code = code;
+    this.cause = cause;
+    this.name = "PolicyStoreError";
+  }
+  code;
+  cause;
+};
+var SESSION_ID_RE2 = /^[A-Za-z0-9_-]{1,128}$/;
+var UINT256_MAX_LOCAL = (1n << 256n) - 1n;
+function validateSessionId(sessionId) {
+  if (!SESSION_ID_RE2.test(sessionId)) {
+    throw new PolicyStoreError(
+      "invalid_session_id",
+      `sessionId "${sessionId}" must be 1-128 chars [A-Za-z0-9_-] (path-traversal guard)`
+    );
+  }
+}
+var FilePolicyStore = class {
+  constructor(dir) {
+    this.dir = dir;
+  }
+  dir;
+  static defaultDir() {
+    return join(homedir(), ".muhaven", "policy-snapshots");
+  }
+  snapshotPath(sessionId) {
+    return join(this.dir, `${sessionId}.json`);
+  }
+  async get(sessionId, nowSec) {
+    validateSessionId(sessionId);
+    let raw;
+    try {
+      raw = await readFile(this.snapshotPath(sessionId), "utf8");
+    } catch (err2) {
+      if (err2.code === "ENOENT") return null;
+      throw new PolicyStoreError(
+        "read_failed",
+        `failed to read snapshot ${sessionId}: ${asMessage2(err2)}`,
+        err2
+      );
+    }
+    let parsed;
+    try {
+      const obj = JSON.parse(raw);
+      parsed = coerceFromDisk(obj);
+    } catch (err2) {
+      throw new PolicyStoreError(
+        "malformed_record",
+        `snapshot ${sessionId} is not valid JSON: ${asMessage2(err2)}`,
+        err2
+      );
+    }
+    if (parsed.validUntilSec <= nowSec) return null;
+    return parsed;
+  }
+  async put(snapshot) {
+    validateSessionId(snapshot.sessionId);
+    const dest = this.snapshotPath(snapshot.sessionId);
+    const tmp = `${dest}.tmp-${randomBytes(6).toString("hex")}`;
+    try {
+      await mkdir(this.dir, { recursive: true, mode: 448 });
+      await chmod(this.dir, 448).catch(() => void 0);
+      await writeFile(tmp, JSON.stringify(snapshot), { mode: 384 });
+      await chmod(tmp, 384).catch(() => void 0);
+      await rename(tmp, dest);
+    } catch (err2) {
+      await unlink(tmp).catch(() => void 0);
+      throw new PolicyStoreError(
+        "write_failed",
+        `failed to write snapshot ${snapshot.sessionId}: ${asMessage2(err2)}`,
+        err2
+      );
+    }
+  }
+  async delete(sessionId) {
+    validateSessionId(sessionId);
+    try {
+      await unlink(this.snapshotPath(sessionId));
+    } catch (err2) {
+      if (err2.code === "ENOENT") return;
+      throw new PolicyStoreError(
+        "delete_failed",
+        `failed to delete snapshot ${sessionId}: ${asMessage2(err2)}`,
+        err2
+      );
+    }
+  }
+  async list() {
+    let entries;
+    try {
+      entries = await readdir(this.dir);
+    } catch (err2) {
+      if (err2.code === "ENOENT") return [];
+      throw new PolicyStoreError(
+        "read_failed",
+        `failed to enumerate snapshot dir: ${asMessage2(err2)}`,
+        err2
+      );
+    }
+    const out = [];
+    for (const entry of entries) {
+      if (!entry.endsWith(".json")) continue;
+      const sessionId = entry.slice(0, -".json".length);
+      if (!SESSION_ID_RE2.test(sessionId)) continue;
+      try {
+        const raw = await readFile(join(this.dir, entry), "utf8");
+        out.push(coerceFromDisk(JSON.parse(raw)));
+      } catch {
+        continue;
+      }
+    }
+    return out;
+  }
+  async activeSessionId(activeSignerAddress, nowSec) {
+    const all = await this.list();
+    const needle = activeSignerAddress.toLowerCase();
+    const matches = all.filter(
+      (s) => s.validUntilSec > nowSec && s.signerAddress.toLowerCase() === needle
+    );
+    return matches.length === 1 ? matches[0].sessionId : null;
+  }
+};
+function coerceFromDisk(obj) {
+  if (typeof obj !== "object" || obj === null) throw new Error("snapshot not an object");
+  const o = obj;
+  if (typeof o.sessionId !== "string" || !SESSION_ID_RE2.test(o.sessionId)) {
+    throw new Error("snapshot.sessionId malformed");
+  }
+  if (o.mode !== "scoped") throw new Error('snapshot.mode must be "scoped"');
+  if (typeof o.signerAddress !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(o.signerAddress)) {
+    throw new Error("snapshot.signerAddress malformed");
+  }
+  if (!Array.isArray(o.targetContracts) || !o.targetContracts.every((t) => typeof t === "string" && /^0x[0-9a-fA-F]{40}$/.test(t))) {
+    throw new Error("snapshot.targetContracts malformed");
+  }
+  if (!Array.isArray(o.selectorCaps) || o.selectorCaps.length === 0) {
+    throw new Error("snapshot.selectorCaps malformed");
+  }
+  const caps = [];
+  for (const c of o.selectorCaps) {
+    if (typeof c !== "object" || c === null) throw new Error("selectorCap not an object");
+    const cap = c;
+    if (typeof cap.selector !== "string" || !/^0x[0-9a-fA-F]{8}$/.test(cap.selector)) {
+      throw new Error("selectorCap.selector malformed");
+    }
+    const indexNull = cap.capArgIndex === null;
+    const amountNull = cap.maxAmount === null;
+    if (indexNull !== amountNull) {
+      throw new Error("selectorCap.capArgIndex/maxAmount must both be null or both non-null");
+    }
+    if (!indexNull) {
+      if (typeof cap.capArgIndex !== "number" || !Number.isInteger(cap.capArgIndex) || cap.capArgIndex < 0 || cap.capArgIndex > 31) {
+        throw new Error("selectorCap.capArgIndex must be an integer in [0, 31]");
+      }
+      if (typeof cap.maxAmount !== "string" || !/^(0|[1-9][0-9]{0,77})$/.test(cap.maxAmount)) {
+        throw new Error("selectorCap.maxAmount malformed (length)");
+      }
+      if (BigInt(cap.maxAmount) > UINT256_MAX_LOCAL) {
+        throw new Error("selectorCap.maxAmount exceeds uint256 max");
+      }
+    }
+    caps.push({
+      selector: cap.selector.toLowerCase(),
+      capArgIndex: indexNull ? null : cap.capArgIndex,
+      maxAmount: indexNull ? null : cap.maxAmount
+    });
+  }
+  if (typeof o.validUntilSec !== "number" || o.validUntilSec <= 0) {
+    throw new Error("snapshot.validUntilSec malformed");
+  }
+  if (typeof o.mintedAtSec !== "number" || o.mintedAtSec <= 0) {
+    throw new Error("snapshot.mintedAtSec malformed");
+  }
+  if (o.consentActionHash !== void 0) {
+    if (typeof o.consentActionHash !== "string" || !/^0x[0-9a-fA-F]{64}$/.test(o.consentActionHash)) {
+      throw new Error("snapshot.consentActionHash malformed");
+    }
+  }
+  if (o.consentTextSha256 !== void 0) {
+    if (typeof o.consentTextSha256 !== "string" || !/^0x[0-9a-fA-F]{64}$/.test(o.consentTextSha256)) {
+      throw new Error("snapshot.consentTextSha256 malformed");
+    }
+  }
+  if (o.permissionId !== void 0) {
+    if (typeof o.permissionId !== "string" || !/^0x[0-9a-fA-F]{8}$/.test(o.permissionId)) {
+      throw new Error("snapshot.permissionId malformed (must be 0x-prefixed 4-byte hex)");
+    }
+  }
+  return {
+    sessionId: o.sessionId,
+    mode: "scoped",
+    signerAddress: o.signerAddress.toLowerCase(),
+    targetContracts: o.targetContracts.map(
+      (t) => t.toLowerCase()
+    ),
+    selectorCaps: caps,
+    validUntilSec: o.validUntilSec,
+    mintedAtSec: o.mintedAtSec,
+    ...o.consentActionHash === void 0 ? {} : { consentActionHash: o.consentActionHash.toLowerCase() },
+    ...o.consentTextSha256 === void 0 ? {} : { consentTextSha256: o.consentTextSha256.toLowerCase() },
+    ...o.permissionId === void 0 ? {} : { permissionId: o.permissionId.toLowerCase() }
+  };
+}
+function asMessage2(err2) {
+  return err2 instanceof Error ? err2.message : String(err2);
+}
+function decodeUint256ArgAt(callDataHex, wordIndex) {
+  if (!Number.isInteger(wordIndex) || wordIndex < 0) {
+    throw new Error(`wordIndex must be a non-negative integer (got ${wordIndex})`);
+  }
+  const requiredLen = 2 + 8 + (wordIndex + 1) * 64;
+  if (callDataHex.length < requiredLen) {
+    throw new Error(
+      `callData length ${callDataHex.length} too short to carry word ${wordIndex} (need \u2265${requiredLen} chars)`
+    );
+  }
+  const wordStart = 2 + 8 + wordIndex * 64;
+  const argHex = callDataHex.slice(wordStart, wordStart + 64);
+  return BigInt(`0x${argHex}`);
+}
+function selectorOf(callDataHex) {
+  return callDataHex.slice(0, 10).toLowerCase();
+}
+function checkPolicy(input) {
+  const { snapshot, innerCall, activeSigner, nowSec } = input;
+  if (snapshot.validUntilSec <= nowSec) {
+    return {
+      ok: false,
+      code: "scope_violation",
+      message: `snapshot ${snapshot.sessionId} expired at ${snapshot.validUntilSec} (now ${nowSec})`
+    };
+  }
+  if (snapshot.signerAddress.toLowerCase() !== activeSigner.toLowerCase()) {
+    return {
+      ok: false,
+      code: "policy_violation",
+      message: `snapshot ${snapshot.sessionId} bound to signer ${snapshot.signerAddress}, broker active signer is ${activeSigner}`
+    };
+  }
+  const targetLower = innerCall.target.toLowerCase();
+  const targetMatch = snapshot.targetContracts.some((t) => t === targetLower);
+  if (!targetMatch) {
+    return {
+      ok: false,
+      code: "policy_violation",
+      message: `target ${innerCall.target} not in allowlist for session ${snapshot.sessionId}`
+    };
+  }
+  const selector = selectorOf(innerCall.callData);
+  const rule = snapshot.selectorCaps.find((c) => c.selector === selector);
+  if (!rule) {
+    return {
+      ok: false,
+      code: "policy_violation",
+      message: `selector ${selector} not in selectorCaps for session ${snapshot.sessionId}`
+    };
+  }
+  if (rule.capArgIndex !== null && rule.maxAmount !== null) {
+    let argValue;
+    try {
+      argValue = decodeUint256ArgAt(innerCall.callData, rule.capArgIndex);
+    } catch (err2) {
+      return {
+        ok: false,
+        code: "policy_violation",
+        message: `callData decode failed at wordIndex ${rule.capArgIndex}: ${asMessage2(err2)}`
+      };
+    }
+    const cap = BigInt(rule.maxAmount);
+    if (argValue > cap) {
+      return {
+        ok: false,
+        code: "max_spend_exceeded",
+        message: `arg word[${rule.capArgIndex}] = ${argValue} exceeds maxAmount ${cap} for selector ${selector} (session ${snapshot.sessionId})`
+      };
+    }
+  }
+  return { ok: true };
+}
 
 // src/broker/daemon.ts
 var noopLogger = (_e) => {
 };
-async function handleBrokerRequest(req, signer, keystore, nowSec = () => Math.floor(Date.now() / 1e3), options = {}) {
+async function handleBrokerRequest(req, signer, keystore, nowSec = () => Math.floor(Date.now() / 1e3), options = {}, policyStore) {
   switch (req.type) {
     case "hello": {
       let hasJwt = false;
@@ -2044,6 +3901,141 @@ async function handleBrokerRequest(req, signer, keystore, nowSec = () => Math.fl
         );
       }
     }
+    case "sign_userop": {
+      if (!policyStore) {
+        return errorResponse(
+          "internal",
+          "broker daemon is not configured with a policy store"
+        );
+      }
+      const now = nowSec();
+      let snapshot;
+      try {
+        snapshot = await policyStore.get(req.sessionId, now);
+      } catch (err2) {
+        return errorResponse(
+          "internal",
+          err2 instanceof Error ? err2.message : "policy store read failed"
+        );
+      }
+      if (!snapshot) {
+        return errorResponse(
+          "no_active_snapshot",
+          `no active snapshot for session ${req.sessionId}`
+        );
+      }
+      const check = checkPolicy({
+        snapshot,
+        innerCall: req.innerCall,
+        activeSigner: signer.address,
+        nowSec: now
+      });
+      if (!check.ok) {
+        return errorResponse(check.code, check.message);
+      }
+      try {
+        const signature = await signer.signRawMessage(req.userOpHash);
+        return {
+          type: "sign_userop",
+          signature,
+          signerAddress: signer.address,
+          sessionId: req.sessionId
+        };
+      } catch (err2) {
+        if (err2 instanceof MissingSessionKeyError) {
+          return errorResponse("session_key_unavailable", err2.message);
+        }
+        throw err2;
+      }
+    }
+    case "store_policy_snapshot": {
+      if (!policyStore) {
+        return errorResponse(
+          "internal",
+          "broker daemon is not configured with a policy store"
+        );
+      }
+      try {
+        await policyStore.put(req.snapshot);
+        return {
+          type: "store_policy_snapshot",
+          stored: true,
+          sessionId: req.snapshot.sessionId
+        };
+      } catch (err2) {
+        if (err2 instanceof PolicyStoreError) {
+          return errorResponse("internal", err2.message);
+        }
+        return errorResponse(
+          "internal",
+          err2 instanceof Error ? err2.message : "policy store write failed"
+        );
+      }
+    }
+    case "get_policy_snapshot": {
+      if (!policyStore) {
+        return errorResponse(
+          "internal",
+          "broker daemon is not configured with a policy store"
+        );
+      }
+      try {
+        const snapshot = await policyStore.get(req.sessionId, nowSec());
+        return { type: "get_policy_snapshot", snapshot };
+      } catch (err2) {
+        if (err2 instanceof PolicyStoreError) {
+          return errorResponse("internal", err2.message);
+        }
+        return errorResponse(
+          "internal",
+          err2 instanceof Error ? err2.message : "policy store read failed"
+        );
+      }
+    }
+    case "clear_policy_snapshot": {
+      if (!policyStore) {
+        return errorResponse(
+          "internal",
+          "broker daemon is not configured with a policy store"
+        );
+      }
+      try {
+        await policyStore.delete(req.sessionId);
+        return {
+          type: "clear_policy_snapshot",
+          cleared: true,
+          sessionId: req.sessionId
+        };
+      } catch (err2) {
+        if (err2 instanceof PolicyStoreError) {
+          return errorResponse("internal", err2.message);
+        }
+        return errorResponse(
+          "internal",
+          err2 instanceof Error ? err2.message : "policy store clear failed"
+        );
+      }
+    }
+    case "get_active_session_id": {
+      if (!policyStore) {
+        return errorResponse(
+          "internal",
+          "broker daemon is not configured with a policy store"
+        );
+      }
+      try {
+        const sessionId = await policyStore.activeSessionId(signer.address, nowSec());
+        return { type: "get_active_session_id", sessionId };
+      } catch (err2) {
+        if (err2 instanceof PolicyStoreError) {
+          return errorResponse("internal", err2.message);
+        }
+        return errorResponse(
+          "internal",
+          err2 instanceof Error ? err2.message : "policy store enumerate failed"
+        );
+      }
+    }
   }
 }
 function errorResponse(code, message) {
@@ -2073,6 +4065,7 @@ var BrokerDaemon = class {
   log;
   config;
   keystore;
+  policyStore;
   /**
    * Whether a session-key private half is actually loaded. `false` =
    * daemon booted in read-only posture (no `MUHAVEN_BROKER_SESSION_KEY`
@@ -2092,6 +4085,7 @@ var BrokerDaemon = class {
       this.hasSessionKey = false;
     }
     this.keystore = options.keystore ?? null;
+    this.policyStore = options.policyStore ?? new FilePolicyStore(FilePolicyStore.defaultDir());
     this.log = options.logger ?? noopLogger;
     this.server = createServer((socket) => this.onConnection(socket));
   }
@@ -2107,6 +4101,7 @@ var BrokerDaemon = class {
         });
       }
     }
+    if (this.policyStore.init) await this.policyStore.init();
     await prepareEndpoint(this.config.endpoint);
     await new Promise((resolve, reject) => {
       const onError = (err2) => {
@@ -2222,7 +4217,8 @@ var BrokerDaemon = class {
             dashboardBaseUrl: this.config.dashboardBaseUrl
           },
           pid: process.pid
-        }
+        },
+        this.policyStore
       );
       socket.end(serializeResponse(res));
     } catch (err2) {
@@ -2238,4 +4234,4 @@ var BrokerDaemon = class {
   }
 };
 
-export { BROKER_PROTOCOL_VERSION, BackendClient, BackendError, BrokerClient, BrokerClientError, BrokerDaemon, DeviceFlowAbortedError, DeviceFlowClient, JwtSource, KeystoreError, MissingSessionKeyError, NoJwtAvailableError, NullSigner, SERVER_VERSION, TOOL_DESCRIPTORS, ViemSigner, ZERO_ADDRESS, buildMcpServer, buildToolHashTable, defaultBrokerEndpoint, fullToolRegistry, handleBrokerRequest, hashToolDescriptor, loadBrokerConfig, loadMcpConfig, openKeystore, parseBrokerRequest, registryForReadOnly, runMcpStdioCli, selectRegistry, serializeResponse, verifyDescriptorAgainstPin };
+export { BROKER_PROTOCOL_VERSION, BackendClient, BackendError, BrokerClient, BrokerClientError, BrokerDaemon, BundlerClient, BundlerClientError, DeviceFlowAbortedError, DeviceFlowClient, JwtSource, KeystoreError, MissingSessionKeyError, NoJwtAvailableError, NullSigner, SERVER_VERSION, TOOL_DESCRIPTORS, ViemSigner, ZERO_ADDRESS, buildMcpServer, buildToolHashTable, defaultBrokerEndpoint, fullToolRegistry, handleBrokerRequest, hashToolDescriptor, loadBrokerConfig, loadMcpConfig, openKeystore, parseBrokerRequest, registryForReadOnly, runMcpStdioCli, selectRegistry, semverGte, serializeResponse, verifyDescriptorAgainstPin };