npm - @muhaven/mcp - Versions diffs - 0.2.2 → 0.2.3 - Mend

@muhaven/mcp 0.2.2 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -7,6 +7,30 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [0.2.3] — 2026-05-23
+### Fixed
+- **`BundlerClient` now sends an `Origin` header on every RPC.** ZeroDev
+  bundler URLs gate access via an IP+domain allowlist; browser requests
+  from `https://muhaven.app` pass because the project's allowlist
+  accepts that domain, but Node `fetch` (the MCP server's transport)
+  sends no `Origin` by default and so hit a `403 "Neither IP nor domain
+  is on the allowlist"` on every `eth_call` / `eth_gasPrice`. The MCP
+  server then surfaced this as `pathDFallbackReason:
+  bundler_setup_failed` and degraded to Path C. Fix: stamp `Origin:
+  <MUHAVEN_DASHBOARD_URL>` on every bundler RPC (defaults to
+  `https://muhaven.app`, threaded through from
+  `buildMcpServer({ dashboardBaseUrl })`). Mirrors how ethers.js + viem
+  stamp default Origins against EVM RPC providers; surfaces a single
+  knob (`MUHAVEN_DASHBOARD_URL`) for operators on a custom domain.
+  Diagnosed 2026-05-23 via direct curl reproduction (bare → 403; with
+  `Origin: https://muhaven.app` → `result: 0x66eee`).
+  Added 3 regression tests pinning the contract (Origin sent when set;
+  omitted when undefined; omitted when explicitly empty for test
+  injection).
 ## [0.2.2] — 2026-05-23
 ### Fixed

package/dist/broker.cjs CHANGED Viewed

@@ -2783,7 +2783,7 @@ function printUsage() {
 }
 function getBrokerPackageVersion() {
   {
-    return "0.2.2";
+    return "0.2.3";
   }
 }
 function printVersion() {

package/dist/broker.js CHANGED Viewed

@@ -2785,7 +2785,7 @@ function printUsage() {
 }
 function getBrokerPackageVersion() {
   {
-    return "0.2.2";
+    return "0.2.3";
   }
 }
 function printVersion() {

package/dist/index.cjs CHANGED Viewed

@@ -1194,9 +1194,16 @@ var BundlerClient = class {
     const timer = setTimeout(() => ctrl.abort(), this.options.requestTimeoutMs);
     let res;
     try {
+      const headers = {
+        "content-type": "application/json",
+        accept: "application/json"
+      };
+      if (this.options.originHeader) {
+        headers["origin"] = this.options.originHeader;
+      }
       res = await this.fetchImpl(this.options.endpoint, {
         method: "POST",
-        headers: { "content-type": "application/json", accept: "application/json" },
+        headers,
         body,
         signal: ctrl.signal
       });
@@ -3025,7 +3032,7 @@ var SERVER_NAME = "@muhaven/mcp";
 var SERVER_VERSION = resolveServerVersion();
 function resolveServerVersion() {
   {
-    return "0.2.2";
+    return "0.2.3";
   }
 }
 function toJsonInputSchema(schema) {
@@ -3166,7 +3173,13 @@ async function runMcpStdioCli(opts = {}) {
   const bundler = config.bundlerUrl ? new BundlerClient({
     endpoint: config.bundlerUrl,
     requestTimeoutMs: config.bundlerTimeoutMs,
-    expectedChainId: config.chainId
+    expectedChainId: config.chainId,
+    // Wave 5 Path D 0.2.3 — Origin defaults to the dashboard URL
+    // so ZeroDev's domain-allowlist accepts the MCP server's RPC
+    // traffic. The dashboard URL is the natural match because it's
+    // also the SIWE / passkey origin the project already trusts
+    // for browser-side traffic.
+    originHeader: config.dashboardBaseUrl
   }) : void 0;
   const baseRegistry = selectRegistry(config.readOnly);
   const registry = opts.filterRegistry ? opts.filterRegistry(baseRegistry) : baseRegistry;

package/dist/index.d.cts CHANGED Viewed

@@ -753,6 +753,24 @@ interface BundlerClientOptions {
     /** Expected chain id (Arb Sepolia = 421614). When set, `assertChainId()`
      *  refuses to proceed if the bundler reports a different chain. */
     readonly expectedChainId?: number;
+    /**
+     * Wave 5 Path D 0.2.3 — `Origin` header sent on every bundler RPC.
+     *
+     * Why: ZeroDev's bundler URLs gate access via an IP+domain allowlist.
+     * Browser requests from `https://muhaven.app` pass because the
+     * project's allowlist includes that domain; Node `fetch` (the MCP
+     * server's transport) sends no `Origin` header by default and so
+     * hits a 403 "Neither IP nor domain is on the allowlist". Sending
+     * an `Origin` matching the project's allowlisted domain unblocks
+     * the MCP server without requiring an operator-side ZeroDev
+     * dashboard edit. Mirrors how ethers.js + viem's HTTP transports
+     * stamp a default `Origin` against EVM RPC providers.
+     *
+     * Defaults to `https://muhaven.app` at the call site
+     * (`server.ts::buildMcpServer`) — operators on a custom dashboard
+     * URL override via `MUHAVEN_DASHBOARD_URL`.
+     */
+    readonly originHeader?: string;
     /** Inject for tests. */
     readonly fetchImpl?: typeof fetch;
 }

package/dist/index.d.ts CHANGED Viewed

@@ -753,6 +753,24 @@ interface BundlerClientOptions {
     /** Expected chain id (Arb Sepolia = 421614). When set, `assertChainId()`
      *  refuses to proceed if the bundler reports a different chain. */
     readonly expectedChainId?: number;
+    /**
+     * Wave 5 Path D 0.2.3 — `Origin` header sent on every bundler RPC.
+     *
+     * Why: ZeroDev's bundler URLs gate access via an IP+domain allowlist.
+     * Browser requests from `https://muhaven.app` pass because the
+     * project's allowlist includes that domain; Node `fetch` (the MCP
+     * server's transport) sends no `Origin` header by default and so
+     * hits a 403 "Neither IP nor domain is on the allowlist". Sending
+     * an `Origin` matching the project's allowlisted domain unblocks
+     * the MCP server without requiring an operator-side ZeroDev
+     * dashboard edit. Mirrors how ethers.js + viem's HTTP transports
+     * stamp a default `Origin` against EVM RPC providers.
+     *
+     * Defaults to `https://muhaven.app` at the call site
+     * (`server.ts::buildMcpServer`) — operators on a custom dashboard
+     * URL override via `MUHAVEN_DASHBOARD_URL`.
+     */
+    readonly originHeader?: string;
     /** Inject for tests. */
     readonly fetchImpl?: typeof fetch;
 }

package/dist/index.js CHANGED Viewed

@@ -1190,9 +1190,16 @@ var BundlerClient = class {
     const timer = setTimeout(() => ctrl.abort(), this.options.requestTimeoutMs);
     let res;
     try {
+      const headers = {
+        "content-type": "application/json",
+        accept: "application/json"
+      };
+      if (this.options.originHeader) {
+        headers["origin"] = this.options.originHeader;
+      }
       res = await this.fetchImpl(this.options.endpoint, {
         method: "POST",
-        headers: { "content-type": "application/json", accept: "application/json" },
+        headers,
         body,
         signal: ctrl.signal
       });
@@ -3021,7 +3028,7 @@ var SERVER_NAME = "@muhaven/mcp";
 var SERVER_VERSION = resolveServerVersion();
 function resolveServerVersion() {
   {
-    return "0.2.2";
+    return "0.2.3";
   }
 }
 function toJsonInputSchema(schema) {
@@ -3162,7 +3169,13 @@ async function runMcpStdioCli(opts = {}) {
   const bundler = config.bundlerUrl ? new BundlerClient({
     endpoint: config.bundlerUrl,
     requestTimeoutMs: config.bundlerTimeoutMs,
-    expectedChainId: config.chainId
+    expectedChainId: config.chainId,
+    // Wave 5 Path D 0.2.3 — Origin defaults to the dashboard URL
+    // so ZeroDev's domain-allowlist accepts the MCP server's RPC
+    // traffic. The dashboard URL is the natural match because it's
+    // also the SIWE / passkey origin the project already trusts
+    // for browser-side traffic.
+    originHeader: config.dashboardBaseUrl
   }) : void 0;
   const baseRegistry = selectRegistry(config.readOnly);
   const registry = opts.filterRegistry ? opts.filterRegistry(baseRegistry) : baseRegistry;

package/manifest.json CHANGED Viewed

@@ -3,7 +3,7 @@
   "manifest_version": "0.2",
   "name": "muhaven-mcp",
   "display_name": "MuHaven (RWA portfolio)",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "description": "Confidential RWA portfolio management on Fhenix CoFHE. Read your encrypted balances, propose yield claims and policy changes — all signing happens in a sibling broker daemon, the LLM never sees your private key.",
   "long_description": "MuHaven MCP exposes 24 tools across read.* / position.* / policy.* / issuer.* / governance.* groups for managing real-world asset (RWA) tokens with FHE-encrypted balances. Authentication uses a one-time device-code ceremony (run `muhaven-broker login`); subsequent tool calls fetch the JWT from the broker over a Unix socket. Position / governance tools deep-link to the dashboard for passkey signing — they NEVER auto-submit to a bundler. The companion `muhaven-broker` daemon must be running before tools can be invoked. See README for setup.",
   "author": {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@muhaven/mcp",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "description": "MuHaven MCP server — read/position/policy toolsets bridging Claude Desktop / Cursor / Claude Code to the MuHaven backend, with a sibling muhaven-broker daemon holding the session-key private half over a local IPC socket",
   "type": "module",
   "repository": {