@muhaven/mcp 0.2.8 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +120 -0
- package/dist/broker.cjs +499 -6
- package/dist/broker.js +499 -6
- package/dist/index.cjs +832 -15
- package/dist/index.d.cts +301 -14
- package/dist/index.d.ts +301 -14
- package/dist/index.js +833 -16
- package/manifest.json +1 -1
- package/package.json +2 -1
package/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,126 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [0.3.0] — 2026-05-23
|
|
11
|
+
|
|
12
|
+
### Added
|
|
13
|
+
|
|
14
|
+
- **Wave 5 Option D Commit 3 — MCP-side MODE.ENABLE UserOp pipeline.**
|
|
15
|
+
Closes the `paymaster_rejected → AA23 reverted 0x` smoke gap by
|
|
16
|
+
installing the PermissionValidator atomically with the first Path D
|
|
17
|
+
buy. On a freshly-minted Scoped session (`enable_status='pending'`
|
|
18
|
+
on the backend mirror), `position.buy` now:
|
|
19
|
+
- Fetches install material (`enableData` + `enableSig` +
|
|
20
|
+
`validatorNonce`) from the backend's
|
|
21
|
+
`GET /agent/policy/scoped-session/:id/install-material` subroute,
|
|
22
|
+
gated by `BROKER_CALLBACK_SERVICE_SECRET`.
|
|
23
|
+
- Calls the broker daemon's NEW `current_nonce` IPC verb to read the
|
|
24
|
+
kernel's live `currentNonce()` and pre-checks it against the
|
|
25
|
+
stored `validatorNonce`; mismatch surfaces as fallback
|
|
26
|
+
`enable_sig_stale` with a re-mint remediation.
|
|
27
|
+
- Composes the UserOp with `composeKernelV3NonceKey({mode:'enable'})`
|
|
28
|
+
(byte 0 of the 24-byte composite flips `0x00` → `0x01`) AND
|
|
29
|
+
wraps the 66-byte session-key signature with NEW
|
|
30
|
+
`wrapEnableModeSignature(...)` — a byte-exact mirror of
|
|
31
|
+
`@zerodev/sdk::getEncodedPluginsData`. The byte-equality is
|
|
32
|
+
pinned by 5 regression fixtures importing the canonical SDK as a
|
|
33
|
+
`devDep` (test-only — `@zerodev/sdk` is NOT in the runtime
|
|
34
|
+
bundle).
|
|
35
|
+
- After receipt, calls the broker daemon's NEW
|
|
36
|
+
`notify_userop_landed` IPC verb so the broker can POST the
|
|
37
|
+
backend's `validator-enabled` callback route. The chain indexer
|
|
38
|
+
is the authoritative source-of-truth; the callback is a fast-path
|
|
39
|
+
optimization.
|
|
40
|
+
- **Broker protocol bump 0.4.0 → 0.5.0.** Additive surface only —
|
|
41
|
+
legacy 0.4.0 callers continue to work. New verbs: `current_nonce`,
|
|
42
|
+
`notify_userop_landed`. New optional `enableData`/`enableSig`/
|
|
43
|
+
`validatorNonce` on `PolicySnapshotWire` with an all-or-none
|
|
44
|
+
refinement. New error codes: `chain_rpc_failed`, `callback_unconfigured`.
|
|
45
|
+
- **Broker daemon outbound egress (narrow, operator-approved
|
|
46
|
+
threat-model relaxation).** Until C3 the broker had ZERO outbound
|
|
47
|
+
channels; C3 adds exactly TWO via the NEW `BrokerOutbound` module:
|
|
48
|
+
- Chain RPC `eth_call` to `MUHAVEN_BROKER_RPC_URL` (fallback
|
|
49
|
+
`MUHAVEN_BUNDLER_URL`) for `kernel.currentNonce()` reads.
|
|
50
|
+
- HTTPS POST to backend's `validator-enabled` route with
|
|
51
|
+
`BROKER_CALLBACK_SERVICE_SECRET` bearer, exponential 5s/15s/60s/5m
|
|
52
|
+
backoff (`MUHAVEN_BROKER_ORIGIN` header per the ZeroDev
|
|
53
|
+
allowlist gotcha codified in earlier commits).
|
|
54
|
+
- Per-(sessionId, txHash, accountAddress) in-process dedup folds
|
|
55
|
+
flood IPC into a single retry loop.
|
|
56
|
+
- New fallback codes on `position.buy` Path D probe:
|
|
57
|
+
`install_material_unavailable`, `install_material_malformed`,
|
|
58
|
+
`enable_sig_stale`, `validator_install_failed_re_walk_required`,
|
|
59
|
+
`broker_chain_rpc_failed`.
|
|
60
|
+
- New broker config knobs: `MUHAVEN_BROKER_RPC_URL`,
|
|
61
|
+
`BROKER_CALLBACK_SERVICE_SECRET`, `MUHAVEN_BROKER_ORIGIN`.
|
|
62
|
+
|
|
63
|
+
### Changed
|
|
64
|
+
|
|
65
|
+
- `composeKernelV3NonceKey` now accepts a `mode: 'default'|'enable'`
|
|
66
|
+
parameter. Default-omitted = `'default'` (backwards-compatible
|
|
67
|
+
with 0.2.x callers).
|
|
68
|
+
- `BackendClient` gains a `getServiceSecret(path, secret, query?)`
|
|
69
|
+
method (refactored `exchange` to share `runFetch`). Used only by
|
|
70
|
+
the install-material subroute.
|
|
71
|
+
- `daemon.ts` JSDoc header rewrites the "zero-egress" invariant to
|
|
72
|
+
document the C3 narrow outbound channels load-bearingly.
|
|
73
|
+
|
|
74
|
+
### Notes
|
|
75
|
+
|
|
76
|
+
- 28 files changed, +4029 / -20 LOC.
|
|
77
|
+
- 18 new unit tests (5 byte-equality fixtures + 8 use-case + 6
|
|
78
|
+
watchdog + 6 indexer + 12 protocol parser + 5 daemon).
|
|
79
|
+
- @muhaven/mcp 0.3.0 publish requires `npm publish` after
|
|
80
|
+
`pnpm clean && pnpm build && pnpm test`.
|
|
81
|
+
|
|
82
|
+
## [0.2.9] — 2026-05-23
|
|
83
|
+
|
|
84
|
+
### Added
|
|
85
|
+
|
|
86
|
+
- **`pathDDecodedCall` in the position.buy echo on Path D fallback.**
|
|
87
|
+
When the bundler trace contains a `zd_sponsorUserOperation` event,
|
|
88
|
+
the handler now decodes the userOp.callData inline and surfaces:
|
|
89
|
+
|
|
90
|
+
pathDDecodedCall: {
|
|
91
|
+
sender: '0x<kernel>',
|
|
92
|
+
kernelExecuteMode: '0x<32 bytes>',
|
|
93
|
+
kernelExecuteTarget: '0x<addr>', // should == MuHavenSubscription
|
|
94
|
+
kernelExecuteValue: '0',
|
|
95
|
+
innerSelector: '0xd29b624b', // purchase(...)
|
|
96
|
+
innerPurchaseTokenArg: '0x<addr>', // the RWA token (MuHavenToken)
|
|
97
|
+
innerPurchaseMaxSharesHint: '14',
|
|
98
|
+
innerPurchaseEphemeralEOA: '0x<addr>',
|
|
99
|
+
expectedSubscriptionAddress: '0x<addr>', // MCP env wiring
|
|
100
|
+
kernelExecuteTargetMatchesSubscription: true|false,
|
|
101
|
+
interpretation: 'kernel.execute target matches MuHavenSubscription. ...',
|
|
102
|
+
}
|
|
103
|
+
|
|
104
|
+
Lets the LLM read at-a-glance which contract the kernel was about
|
|
105
|
+
to call (kernel.execute target) vs which RWA token the inner
|
|
106
|
+
purchase() carries — the two are commonly confused (the inner
|
|
107
|
+
purchase's first arg IS the token address, but the kernel.execute
|
|
108
|
+
target should be the subscription).
|
|
109
|
+
|
|
110
|
+
The `interpretation` field branches on three cases:
|
|
111
|
+
1. target == expected subscription → "shape is correct; AA23 is
|
|
112
|
+
downstream of validator signature decode; check
|
|
113
|
+
muhaven.policy.session_key_status."
|
|
114
|
+
2. target == inner purchase.token → "kernel is dispatching to
|
|
115
|
+
the token instead of the subscription — code bug."
|
|
116
|
+
3. Anything else → "unexpected third-address dispatch."
|
|
117
|
+
|
|
118
|
+
- **`decodeKernelExecuteSingleCall` exported from
|
|
119
|
+
`clients/kernel-encoder.ts`.** Sibling to the existing encoder;
|
|
120
|
+
reuses the same KERNEL_EXECUTE_ABI + single-call default mode.
|
|
121
|
+
Returns `null` on unsupported modes (batch / delegate / try) so
|
|
122
|
+
the diagnostic emits a clear gap instead of garbage.
|
|
123
|
+
|
|
124
|
+
- **`scripts/decode-userop-trace.ts`** — standalone CLI that takes
|
|
125
|
+
the raw `pathDBundlerTrace` JSON via stdin and prints the same
|
|
126
|
+
decode + cross-check. Useful when triaging against an older MCP
|
|
127
|
+
version that doesn't ship `pathDDecodedCall`, or for offline
|
|
128
|
+
analysis from a saved trace.
|
|
129
|
+
|
|
10
130
|
## [0.2.8] — 2026-05-23
|
|
11
131
|
|
|
12
132
|
### Added
|