@muhaven/mcp 0.2.9 → 0.4.0

package/CHANGELOG.md

@@ -7,6 +7,117 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.4.0] — 2026-05-24
+
+### Added
+
+- **Wave 5 Option D OPEN-D — `muhaven-broker start` / `update` session-key
+  CLI.** Automates the manual last mile after a dashboard mint / revoke so
+  the operator no longer hand-edits `MUHAVEN_BROKER_SESSION_KEY` + restarts
+  the daemon:
+  - `muhaven-broker start --session <key|->` — bring the daemon UP on a
+    provided key (when it is NOT running). Refuses if a daemon is already
+    bound to the endpoint (points the operator at `update`).
+  - `muhaven-broker update --session <key|->` — ROTATE the key on a
+    (possibly) running daemon: stop → swap → restart, **reusing the
+    existing device-flow JWT** (a key rotation does not force a fresh
+    device-code login). Fully stops the old daemon before the new one binds
+    the endpoint.
+  - Both accept `--session -` to read the key from stdin (keeps it out of
+    `ps` / shell history), and when run WITHOUT `--session` ask
+    interactively ("Do you have a session key from the dashboard? [Y/n]" →
+    masked paste). Non-TTY (CI / piped) never hangs — it requires
+    `--session` instead.
+  - `setup` gained the same interactive prompt: with no
+    `MUHAVEN_BROKER_SESSION_KEY` set, it asks whether you have a
+    dashboard-minted key (paste it) or mints a fresh one (the
+    fresh-install default). Scripted runs (env var set, or non-TTY) keep
+    the prior self-mint behavior.
+- **Key-persistence model: Option B (operator decision 2026-05-24).** The
+  resolved key is injected ONLY into the spawned daemon's child env — it
+  never touches disk. The daemon (`loadBrokerConfig`) and the keystore are
+  unchanged; the broker wire protocol is unchanged (no protocol bump). The
+  session key is validated (`0x` + 64 hex) and NEVER logged / echoed /
+  embedded in an error message.
+
+### Changed
+
+- `runStop` (`broker/stop.ts`) gained an optional `clearJwtOnStop` flag
+  (default `true`, preserving the `stop` subcommand's behavior). `update`
+  passes `false` so the JWT survives the key rotation.
+
+## [0.3.0] — 2026-05-23
+
+### Added
+
+- **Wave 5 Option D Commit 3 — MCP-side MODE.ENABLE UserOp pipeline.**
+  Closes the `paymaster_rejected → AA23 reverted 0x` smoke gap by
+  installing the PermissionValidator atomically with the first Path D
+  buy. On a freshly-minted Scoped session (`enable_status='pending'`
+  on the backend mirror), `position.buy` now:
+  - Fetches install material (`enableData` + `enableSig` +
+    `validatorNonce`) from the backend's
+    `GET /agent/policy/scoped-session/:id/install-material` subroute,
+    gated by `BROKER_CALLBACK_SERVICE_SECRET`.
+  - Calls the broker daemon's NEW `current_nonce` IPC verb to read the
+    kernel's live `currentNonce()` and pre-checks it against the
+    stored `validatorNonce`; mismatch surfaces as fallback
+    `enable_sig_stale` with a re-mint remediation.
+  - Composes the UserOp with `composeKernelV3NonceKey({mode:'enable'})`
+    (byte 0 of the 24-byte composite flips `0x00` → `0x01`) AND
+    wraps the 66-byte session-key signature with NEW
+    `wrapEnableModeSignature(...)` — a byte-exact mirror of
+    `@zerodev/sdk::getEncodedPluginsData`. The byte-equality is
+    pinned by 5 regression fixtures importing the canonical SDK as a
+    `devDep` (test-only — `@zerodev/sdk` is NOT in the runtime
+    bundle).
+  - After receipt, calls the broker daemon's NEW
+    `notify_userop_landed` IPC verb so the broker can POST the
+    backend's `validator-enabled` callback route. The chain indexer
+    is the authoritative source-of-truth; the callback is a fast-path
+    optimization.
+- **Broker protocol bump 0.4.0 → 0.5.0.** Additive surface only —
+  legacy 0.4.0 callers continue to work. New verbs: `current_nonce`,
+  `notify_userop_landed`. New optional `enableData`/`enableSig`/
+  `validatorNonce` on `PolicySnapshotWire` with an all-or-none
+  refinement. New error codes: `chain_rpc_failed`, `callback_unconfigured`.
+- **Broker daemon outbound egress (narrow, operator-approved
+  threat-model relaxation).** Until C3 the broker had ZERO outbound
+  channels; C3 adds exactly TWO via the NEW `BrokerOutbound` module:
+  - Chain RPC `eth_call` to `MUHAVEN_BROKER_RPC_URL` (fallback
+    `MUHAVEN_BUNDLER_URL`) for `kernel.currentNonce()` reads.
+  - HTTPS POST to backend's `validator-enabled` route with
+    `BROKER_CALLBACK_SERVICE_SECRET` bearer, exponential 5s/15s/60s/5m
+    backoff (`MUHAVEN_BROKER_ORIGIN` header per the ZeroDev
+    allowlist gotcha codified in earlier commits).
+  - Per-(sessionId, txHash, accountAddress) in-process dedup folds
+    flood IPC into a single retry loop.
+- New fallback codes on `position.buy` Path D probe:
+  `install_material_unavailable`, `install_material_malformed`,
+  `enable_sig_stale`, `validator_install_failed_re_walk_required`,
+  `broker_chain_rpc_failed`.
+- New broker config knobs: `MUHAVEN_BROKER_RPC_URL`,
+  `BROKER_CALLBACK_SERVICE_SECRET`, `MUHAVEN_BROKER_ORIGIN`.
+
+### Changed
+
+- `composeKernelV3NonceKey` now accepts a `mode: 'default'|'enable'`
+  parameter. Default-omitted = `'default'` (backwards-compatible
+  with 0.2.x callers).
+- `BackendClient` gains a `getServiceSecret(path, secret, query?)`
+  method (refactored `exchange` to share `runFetch`). Used only by
+  the install-material subroute.
+- `daemon.ts` JSDoc header rewrites the "zero-egress" invariant to
+  document the C3 narrow outbound channels load-bearingly.
+
+### Notes
+
+- 28 files changed, +4029 / -20 LOC.
+- 18 new unit tests (5 byte-equality fixtures + 8 use-case + 6
+  watchdog + 6 indexer + 12 protocol parser + 5 daemon).
+- @muhaven/mcp 0.3.0 publish requires `npm publish` after
+  `pnpm clean && pnpm build && pnpm test`.
+
 ## [0.2.9] — 2026-05-23
 
 ### Added