@muhaven/mcp 0.3.0 → 0.4.1

package/CHANGELOG.md

@@ -7,6 +7,75 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.4.1] — 2026-05-24
+
+### Added
+
+- **Default broker chain RPC + `--broker-rpc-url` override (OPEN-D
+  follow-up).** The broker daemon needs a chain RPC URL for the Path D
+  `currentNonce()` pre-check. Previously, with neither
+  `MUHAVEN_BROKER_RPC_URL` nor `MUHAVEN_BUNDLER_URL` set, `chainRpcUrl`
+  was undefined → the `current_nonce` IPC returned `chain_rpc_failed` and
+  Path D fell back to the deep-link. Now:
+  - `loadBrokerConfig` **defaults `chainRpcUrl` to the public Arb Sepolia
+    RPC** (`https://sepolia-rollup.arbitrum.io/rpc`) when no RPC env is
+    set, so Path D works out-of-the-box. Resolution order is unchanged
+    where set: `MUHAVEN_BROKER_RPC_URL` → `MUHAVEN_BUNDLER_URL` →
+    default. (The broker's only use is a read-only `eth_call`, which the
+    public RPC serves.)
+  - `muhaven-broker start` / `update` / `setup` gained a
+    **`--broker-rpc-url <URL>`** flag to point the spawned daemon at a
+    private/faster RPC without exporting an env var. Validated by the same
+    https-or-loopback rule as the other URL flags; forwarded into the
+    spawned daemon's child env. When omitted, the daemon inherits a
+    shell-set value or falls back to the default above.
+
+### Changed
+
+- `BrokerRuntimeConfig.chainRpcUrl` is now always populated (default
+  applied) rather than possibly `undefined`. The type stays optional for
+  test-injected configs; the `current_nonce` handler's
+  `chain_rpc_failed`-when-unset path remains as a backstop.
+
+## [0.4.0] — 2026-05-24
+
+### Added
+
+- **Wave 5 Option D OPEN-D — `muhaven-broker start` / `update` session-key
+  CLI.** Automates the manual last mile after a dashboard mint / revoke so
+  the operator no longer hand-edits `MUHAVEN_BROKER_SESSION_KEY` + restarts
+  the daemon:
+  - `muhaven-broker start --session <key|->` — bring the daemon UP on a
+    provided key (when it is NOT running). Refuses if a daemon is already
+    bound to the endpoint (points the operator at `update`).
+  - `muhaven-broker update --session <key|->` — ROTATE the key on a
+    (possibly) running daemon: stop → swap → restart, **reusing the
+    existing device-flow JWT** (a key rotation does not force a fresh
+    device-code login). Fully stops the old daemon before the new one binds
+    the endpoint.
+  - Both accept `--session -` to read the key from stdin (keeps it out of
+    `ps` / shell history), and when run WITHOUT `--session` ask
+    interactively ("Do you have a session key from the dashboard? [Y/n]" →
+    masked paste). Non-TTY (CI / piped) never hangs — it requires
+    `--session` instead.
+  - `setup` gained the same interactive prompt: with no
+    `MUHAVEN_BROKER_SESSION_KEY` set, it asks whether you have a
+    dashboard-minted key (paste it) or mints a fresh one (the
+    fresh-install default). Scripted runs (env var set, or non-TTY) keep
+    the prior self-mint behavior.
+- **Key-persistence model: Option B (operator decision 2026-05-24).** The
+  resolved key is injected ONLY into the spawned daemon's child env — it
+  never touches disk. The daemon (`loadBrokerConfig`) and the keystore are
+  unchanged; the broker wire protocol is unchanged (no protocol bump). The
+  session key is validated (`0x` + 64 hex) and NEVER logged / echoed /
+  embedded in an error message.
+
+### Changed
+
+- `runStop` (`broker/stop.ts`) gained an optional `clearJwtOnStop` flag
+  (default `true`, preserving the `stop` subcommand's behavior). `update`
+  passes `false` so the JWT survives the key rotation.
+
 ## [0.3.0] — 2026-05-23
 
 ### Added