@pnlmarket/mcp-server 0.4.2 → 0.5.0

package/README.md

@@ -68,11 +68,29 @@ it comes from `PNL_PASSPHRASE` (set in your MCP host config) or an
 OS-native dialog. Cached secrets time out automatically and on
 `pnl_lock`.
 
-Autosign is bounded by the **autosign cap** (defaults 0.05 SOL),
-configurable via `pnl_unlock`'s output or by editing
-`~/.config/pnl/config.json`. Per-call override available via
-`autosignCapSol`. Anything above the cap requires the deep-link
-flow — by design.
+Autosign is bounded by **two caps**:
+
+- **Per-transaction cap** (default 0.05 SOL) — the per-tx ceiling.
+  Editable in `~/.config/pnl/config.json` as `autosignCapSol`. The
+  per-call `autosignCapSol` arg can only **lower** this ceiling for
+  one call, never raise it.
+- **Per-day cap** (default 0.5 SOL, since v0.5.0) — the rolling
+  daily limit. Editable as `dailyAutosignCapSol`. Spent total is
+  persisted at `~/.config/pnl/spent.json` and resets at UTC
+  midnight. This blocks the "chain N sub-per-tx-cap calls in a
+  loop" drain pattern.
+
+To raise either cap the user edits the config file directly — no
+tool argument can bypass them. Anything above either cap requires
+the deep-link flow.
+
+The mnemonic and the passphrase **never enter chat or tool
+arguments** — both flow through OS-native dialogs (osascript on
+macOS, zenity on Linux). `pnl_restore` takes no arguments; it pops
+the dialog and reads the phrase from the OS directly. If a wallet
+already exists, a second OS-native confirmation dialog must be
+clicked before overwrite — agent prompt-injection cannot synthesize
+that click.
 
 PNL's non-custodial framing in the
 [regulatory posture](https://docs.pnl.market/docs/transparency/regulatory-posture)
@@ -83,15 +101,13 @@ controls on their own machine.
 
 ### One-shot installer (recommended)
 
-After `pnpm install && pnpm -F @pnlmarket/mcp-server build`:
-
 ```bash
-npx @pnlmarket/mcp-server install --write
+npx -y @pnlmarket/mcp-server install --write
 ```
 
 That wires the MCP server into every supported host config it
-finds on the machine (Claude Code, Cursor, Cline, Codex, Windsurf)
-and copies the 13 slash-command skills into
+finds on the machine (Claude Code, Cursor, Cline, Codex, Windsurf,
+Claude Desktop) and copies the 16 slash-command skills into
 `~/.claude/skills/`.
 
 Run without `--write` first to see the plan. Flags:
@@ -137,6 +153,7 @@ to call.
 | `PNL_API_BASE_URL` | `https://pnl.market` | Pointing at devnet, staging, or a local Next.js dev server |
 | `PNL_RPC_URL` | `https://pnl.market/api/mcp/rpc` (hosted proxy) | BYO Helius key (recommended for heavy use — grab one at [helius.dev](https://helius.dev) and set this to your endpoint) |
 | `PNL_PASSPHRASE` | (prompt via OS dialog) | Skip the OS-native unlock prompt — useful when running an agent unattended, but only set this in your MCP host config, never in shell history |
+| `PNL_MNEMONIC` | (prompt via OS dialog) | One-shot fallback for `pnl_restore` when the OS dialog isn't usable (Windows, headless CI, container). Same warning — only set in MCP host config, never in shell history, and unset it after restore completes |
 
 The default RPC is the hosted proxy. It works zero-setup; under
 load it's rate-limited to 60 reads/min and 10 sends/min per IP.
@@ -172,7 +189,8 @@ Same shape — `pnl_vote_now` if within cap, `pnl_vote` if not.
 ```
 ~/.config/pnl/
 ├── wallet.enc          # encrypted secret + metadata (mode 0600)
-├── config.json         # autosign cap + RPC URL (mode 0644)
+├── config.json         # autosign caps + RPC URL (mode 0644)
+├── spent.json          # daily autosign spend tracker, resets UTC (mode 0600)
 └── exports/            # timestamped backup dumps (mode 0700)
 ```
 

package/dist/index.js

@@ -29,9 +29,10 @@ import { voteNowInputSchema, callVoteNow } from './tools/vote-now.js';
 import { claimInputSchema, callClaim } from './tools/claim.js';
 import { claimNowInputSchema, callClaimNow } from './tools/claim-now.js';
 import { notifyInputSchema, callNotify } from './tools/notify.js';
+import { startUpdateCheck } from './lib/update-check.js';
 import { runInstall } from './install.js';
 const SERVER_NAME = 'pnl-mcp-server';
-const SERVER_VERSION = '0.4.0';
+const SERVER_VERSION = '0.5.0';
 // CLI dispatch — when invoked as `pnl-mcp-server install`, run the
 // installer that wires this server into the user's agent configs and
 // drops the slash-command skills into ~/.claude/skills/. Otherwise
@@ -69,6 +70,10 @@ async function main() {
     server.tool('pnl_set_username', "Claim or rename the PNL username for the local wallet. Signs a time-bounded challenge with the keypair from pnl_init so the backend can verify wallet ownership -- no Privy session or Gmail login required. Usernames are 3-20 characters of letters/numbers/_/-. Returns 'taken' if another wallet has claimed the name. Use when the user says 'set my PNL username to X', 'rename my PNL profile', or after pnl_init when they want a custom name instead of the auto-generated Cosmic one.", setUsernameInputSchema, async (args) => callSetUsername(args));
     const transport = new StdioServerTransport();
     await server.connect(transport);
+    // Fire-and-forget npm registry check. If a newer version is published,
+    // a banner gets attached to the first tool reply this session. Never
+    // blocks startup, never throws — see lib/update-check.ts.
+    startUpdateCheck(SERVER_VERSION);
     // Stdio transport keeps the process alive while the host (Claude Code /
     // Cursor / etc.) holds the pipe. No need to log anything to stdout —
     // stdout is the MCP message channel. stderr is fine for diagnostics.

package/dist/lib/mnemonic.d.ts

@@ -0,0 +1,27 @@
+export interface MnemonicPromptOptions {
+    /** Title shown on the dialog */
+    title?: string;
+    /** Prompt text inside the dialog */
+    prompt?: string;
+}
+/**
+ * Read the BIP39 mnemonic from the user via OS-native dialog (or
+ * PNL_MNEMONIC env). Throws if no path is available.
+ *
+ * Does NOT validate — caller should pass the result through
+ * `isValidMnemonic` from wallet.ts (which normalises whitespace and
+ * checks the BIP39 wordlist).
+ */
+export declare function promptMnemonic(opts?: MnemonicPromptOptions): string;
+/**
+ * Ask the user via OS-native dialog whether they really want to
+ * overwrite an existing wallet. Returns false on Cancel, on any
+ * dialog error, or on unsupported platforms (fail-closed).
+ *
+ * Note: an env-var bypass is intentionally NOT provided here. The
+ * point of this dialog is to defeat prompt-injection attacks where
+ * the agent passes `allowOverwrite: true` based on instructions
+ * smuggled in via market metadata. If an env-var existed, the agent
+ * could set it.
+ */
+export declare function confirmOverwrite(oldAddress: string, newAddress: string): boolean;

package/dist/lib/mnemonic.js

@@ -0,0 +1,131 @@
+import { execFileSync } from 'node:child_process';
+function fromEnv() {
+    const raw = process.env.PNL_MNEMONIC;
+    if (raw && raw.length > 0)
+        return raw;
+    return null;
+}
+function macosMnemonicPrompt(prompt, title) {
+    // Same env-var trick as passphrase.ts — values never go through
+    // AppleScript string interpolation. Hidden answer keeps the seed off
+    // the screen (shoulder-surfing defense).
+    const script = `set p to system attribute "PNL_DIALOG_PROMPT"
+set t to system attribute "PNL_DIALOG_TITLE"
+display dialog p default answer "" with hidden answer with title t
+return text returned of result`;
+    const out = execFileSync('osascript', ['-e', script], {
+        encoding: 'utf8',
+        env: { ...process.env, PNL_DIALOG_PROMPT: prompt, PNL_DIALOG_TITLE: title },
+    });
+    return out.trim();
+}
+function linuxMnemonicPrompt(prompt, title) {
+    // zenity --password uses hidden input; perfect for a seed phrase.
+    const out = execFileSync('zenity', ['--password', '--title', title, '--text', prompt], { encoding: 'utf8' });
+    return out.trim();
+}
+/**
+ * Read the BIP39 mnemonic from the user via OS-native dialog (or
+ * PNL_MNEMONIC env). Throws if no path is available.
+ *
+ * Does NOT validate — caller should pass the result through
+ * `isValidMnemonic` from wallet.ts (which normalises whitespace and
+ * checks the BIP39 wordlist).
+ */
+export function promptMnemonic(opts = {}) {
+    const envValue = fromEnv();
+    if (envValue)
+        return envValue;
+    const title = opts.title || 'PNL Wallet — Restore';
+    const prompt = opts.prompt ||
+        'Enter your 12 or 24 word recovery phrase (words separated by spaces):';
+    try {
+        if (process.platform === 'darwin') {
+            return macosMnemonicPrompt(prompt, title);
+        }
+        if (process.platform === 'linux') {
+            return linuxMnemonicPrompt(prompt, title);
+        }
+    }
+    catch (e) {
+        throw new Error(`Couldn't open the native mnemonic dialog (${e instanceof Error ? e.message : String(e)}). Set the PNL_MNEMONIC env var in your Claude Code mcp config (or as a one-shot env on the MCP launch) and try again — see apps/mcp/README.md.`);
+    }
+    throw new Error(`Native mnemonic dialog isn't supported on ${process.platform} yet. Set the PNL_MNEMONIC env var in your Claude Code mcp config and retry.`);
+}
+// ─── Overwrite-confirm dialog ────────────────────────────────────
+//
+// Restore over an existing wallet is loss-of-funds-irreversible: the
+// old encrypted keystore is replaced with the new one, so any SOL on
+// the previous address becomes inaccessible until the user separately
+// restores the OLD mnemonic. We require a YES/NO OS dialog showing
+// both addresses + the prompt to confirm — the agent can't synthesize
+// a click, so this can't be defeated by prompt injection.
+//
+// Returns true if the user confirmed, false if cancelled.
+function macosConfirmOverwrite(oldAddress, newAddress) {
+    const message = `You are about to REPLACE your PNL wallet.\n\n` +
+        `OLD address (will become inaccessible unless you have its mnemonic backed up):\n  ${oldAddress}\n\n` +
+        `NEW address (derived from the recovery phrase you just entered):\n  ${newAddress}\n\n` +
+        `This cannot be undone. Continue?`;
+    const script = `set m to system attribute "PNL_DIALOG_MESSAGE"
+set t to system attribute "PNL_DIALOG_TITLE"
+display dialog m buttons {"Cancel", "Replace wallet"} default button "Cancel" with title t with icon caution
+return button returned of result`;
+    try {
+        const out = execFileSync('osascript', ['-e', script], {
+            encoding: 'utf8',
+            env: {
+                ...process.env,
+                PNL_DIALOG_MESSAGE: message,
+                PNL_DIALOG_TITLE: 'PNL Wallet — Confirm Replace',
+            },
+        });
+        return out.trim() === 'Replace wallet';
+    }
+    catch {
+        // osascript exits non-zero when the user clicks Cancel — treat as
+        // declined rather than as an error.
+        return false;
+    }
+}
+function linuxConfirmOverwrite(oldAddress, newAddress) {
+    const text = `You are about to REPLACE your PNL wallet.\n\n` +
+        `OLD address (will become inaccessible unless backed up):\n  ${oldAddress}\n\n` +
+        `NEW address (from the recovery phrase you entered):\n  ${newAddress}\n\n` +
+        `This cannot be undone. Continue?`;
+    try {
+        execFileSync('zenity', [
+            '--question',
+            '--title',
+            'PNL Wallet — Confirm Replace',
+            '--text',
+            text,
+            '--ok-label',
+            'Replace wallet',
+            '--cancel-label',
+            'Cancel',
+        ], { encoding: 'utf8' });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Ask the user via OS-native dialog whether they really want to
+ * overwrite an existing wallet. Returns false on Cancel, on any
+ * dialog error, or on unsupported platforms (fail-closed).
+ *
+ * Note: an env-var bypass is intentionally NOT provided here. The
+ * point of this dialog is to defeat prompt-injection attacks where
+ * the agent passes `allowOverwrite: true` based on instructions
+ * smuggled in via market metadata. If an env-var existed, the agent
+ * could set it.
+ */
+export function confirmOverwrite(oldAddress, newAddress) {
+    if (process.platform === 'darwin')
+        return macosConfirmOverwrite(oldAddress, newAddress);
+    if (process.platform === 'linux')
+        return linuxConfirmOverwrite(oldAddress, newAddress);
+    return false;
+}

package/dist/lib/output.d.ts

@@ -69,11 +69,7 @@ export declare const hr = "---";
  * recognize the pattern.
  */
 export declare function next(hint: string): string;
-/**
- * Wrap a tool result in the MCP content-block shape so callers
- * don't have to repeat the boilerplate. Joins parts with two
- * newlines so each section gets a paragraph break.
- */
+export declare function setPendingBanner(text: string): void;
 export declare function reply(...parts: Array<string | null | undefined | false>): {
     content: Array<{
         type: 'text';

package/dist/lib/output.js

@@ -146,10 +146,27 @@ export function next(hint) {
  * don't have to repeat the boilerplate. Joins parts with two
  * newlines so each section gets a paragraph break.
  */
+// ─── One-shot session banner ─────────────────────────────────────
+//
+// Used by update-check.ts to surface "new version available" notices
+// inside the FIRST tool reply of a session. After it fires once, the
+// banner is consumed and subsequent replies render normally — we
+// don't want to spam the user across every call.
+let pendingBanner = null;
+export function setPendingBanner(text) {
+    pendingBanner = text;
+}
+function consumePendingBanner() {
+    const out = pendingBanner;
+    pendingBanner = null;
+    return out;
+}
 export function reply(...parts) {
-    const text = parts
+    const body = parts
         .filter((p) => typeof p === 'string' && p.length > 0)
         .join('\n\n');
+    const banner = consumePendingBanner();
+    const text = banner ? `${banner}\n\n---\n\n${body}` : body;
     return { content: [{ type: 'text', text }] };
 }
 // ─── Common domain-specific formatters ───────────────────────────

package/dist/lib/passphrase.js

@@ -6,15 +6,24 @@ function fromEnv() {
     return null;
 }
 function macosPrompt(prompt, title) {
-    // osascript escapes: we use a heredoc-style applescript and inject
-    // strings as bash args (execFileSync arrays are safe from shell injection).
-    const script = `display dialog "${prompt.replace(/"/g, '\\"')}" default answer "" with hidden answer with title "${title.replace(/"/g, '\\"')}"
+    // Pass prompt + title via env vars so they never go through AppleScript
+    // string interpolation. `system attribute` reads them at runtime — no
+    // escape logic to get wrong, and no path for a future caller's user-
+    // controlled input to break out of the dialog literal.
+    const script = `set p to system attribute "PNL_DIALOG_PROMPT"
+set t to system attribute "PNL_DIALOG_TITLE"
+display dialog p default answer "" with hidden answer with title t
 return text returned of result`;
-    const out = execFileSync('osascript', ['-e', script], { encoding: 'utf8' });
+    const out = execFileSync('osascript', ['-e', script], {
+        encoding: 'utf8',
+        env: { ...process.env, PNL_DIALOG_PROMPT: prompt, PNL_DIALOG_TITLE: title },
+    });
     return out.trim();
 }
 function linuxPrompt(prompt, _title) {
-    const out = execFileSync('zenity', ['--password', '--title', _title], { encoding: 'utf8' });
+    // zenity args are passed via execFileSync's array form, which is already
+    // safe from shell-injection — no escape needed.
+    const out = execFileSync('zenity', ['--password', '--title', _title, '--text', prompt], { encoding: 'utf8' });
     return out.trim();
 }
 /**

package/dist/lib/update-check.d.ts

@@ -0,0 +1,2 @@
+/** Fire-and-forget startup check. Never throws, never blocks. */
+export declare function startUpdateCheck(currentVersion: string): void;

package/dist/lib/update-check.js

@@ -0,0 +1,67 @@
+import { setPendingBanner } from './output.js';
+// ─── npm version drift check ─────────────────────────────────────
+//
+// The MCP runs as a long-lived stdio child of the user's agent
+// (Claude Code / Cursor / Cline). Users have no nudge to upgrade —
+// global npm packages don't auto-update. When we ship a security or
+// behavioral fix (e.g., v0.5.0 moves the mnemonic out of the tool
+// input schema), users on the older version stay vulnerable until
+// they happen to reinstall.
+//
+// Fix: on startup, fire-and-forget a request to the npm registry's
+// public metadata endpoint for our package. If the latest published
+// version is newer than what we're running, queue a banner that the
+// first tool reply prepends. The banner shows once per session, then
+// clears.
+//
+// Privacy: registry metadata is anonymous (no auth required, no PII
+// transmitted). Same trust model as `npm outdated`.
+const PKG_NAME = '@pnlmarket/mcp-server';
+const REGISTRY_URL = `https://registry.npmjs.org/${PKG_NAME}/latest`;
+const FETCH_TIMEOUT_MS = 4_000;
+/** Fire-and-forget startup check. Never throws, never blocks. */
+export function startUpdateCheck(currentVersion) {
+    void runCheck(currentVersion);
+}
+async function runCheck(currentVersion) {
+    try {
+        const res = await fetch(REGISTRY_URL, {
+            headers: { Accept: 'application/json' },
+            signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
+        });
+        if (!res.ok)
+            return;
+        const data = (await res.json());
+        const latest = typeof data.version === 'string' ? data.version : null;
+        if (!latest || latest === currentVersion)
+            return;
+        if (compareSemver(latest, currentVersion) <= 0)
+            return;
+        setPendingBanner(`⚠️  **pnl-mcp-server update available — ${currentVersion} → ${latest}**\n\n` +
+            `Run \`npm i -g @pnlmarket/mcp-server@latest\` (or \`pnpm add -g @pnlmarket/mcp-server@latest\`) and restart your agent. ` +
+            `Security and behavior fixes between versions are published in the [GitHub releases](https://github.com/aitankfish/pnl/releases).`);
+    }
+    catch {
+        // Offline, npm unreachable, timeout, malformed response — silently skip.
+        // Update notification is best-effort; it must never break the MCP.
+    }
+}
+/** Compare two semver strings. Returns positive if a > b, negative
+ *  if a < b, zero if equal. Ignores pre-release tags (treats them as
+ *  the base version) — good enough for "is there a newer stable?". */
+function compareSemver(a, b) {
+    const parsePart = (s) => {
+        const base = s.split('-')[0]; // drop pre-release tag
+        return base.split('.').map((n) => parseInt(n, 10) || 0);
+    };
+    const pa = parsePart(a);
+    const pb = parsePart(b);
+    const len = Math.max(pa.length, pb.length);
+    for (let i = 0; i < len; i++) {
+        const x = pa[i] ?? 0;
+        const y = pb[i] ?? 0;
+        if (x !== y)
+            return x - y;
+    }
+    return 0;
+}

package/dist/lib/wallet.d.ts

@@ -4,6 +4,7 @@ import { Connection, Keypair, PublicKey } from '@solana/web3.js';
 export declare function isUsingHostedRpc(): boolean;
 export interface PnlConfig {
     autosignCapSol: number;
+    dailyAutosignCapSol: number;
     rpcUrl: string;
 }
 export declare function generateMnemonic(): string;
@@ -61,6 +62,24 @@ export declare function writeMnemonicToFile(mnemonic: string, address: string):
     path: string;
 };
 export declare function loadConfig(): PnlConfig;
+/** Returns lamports spent so far today (UTC). */
+export declare function getSpentTodayLamports(): number;
+/**
+ * Reserve `lamports` against the daily autosign cap. Throws if the
+ * reservation would exceed the cap. On success, the spent counter is
+ * incremented immediately and persisted. Call `releaseSpend(lamports)`
+ * on tx failure to roll back.
+ *
+ * Synchronous + file-based → atomic within a Node tick. Safe under
+ * concurrent autosign calls from the same MCP process.
+ */
+export declare function reserveSpend(lamports: number): {
+    totalAfterLamports: number;
+    capLamports: number;
+};
+/** Roll back a previous reservation. Use on tx-send failure. Never
+ *  drops below 0. */
+export declare function releaseSpend(lamports: number): void;
 export declare function saveConfig(updates: Partial<PnlConfig>): PnlConfig;
 export declare function getRpcUrl(): string;
 export declare function getConnection(): Connection;

package/dist/lib/wallet.js

@@ -27,6 +27,7 @@ import { randomBytes, scryptSync, createCipheriv, createDecipheriv, timingSafeEq
 const PNL_DIR = join(homedir(), '.config', 'pnl');
 const WALLET_PATH = join(PNL_DIR, 'wallet.enc');
 const CONFIG_PATH = join(PNL_DIR, 'config.json');
+const SPENT_PATH = join(PNL_DIR, 'spent.json');
 const EXPORTS_DIR = join(PNL_DIR, 'exports');
 // Default RPC is the hosted MCP proxy on pnl.market, which forwards to
 // our paid Helius endpoint. The public Solana mainnet RPC is heavily
@@ -35,6 +36,12 @@ const EXPORTS_DIR = join(PNL_DIR, 'exports');
 // Power users override via PNL_RPC_URL.
 const DEFAULT_RPC = 'https://pnl.market/api/mcp/rpc';
 const DEFAULT_AUTOSIGN_CAP_SOL = 0.05;
+// Daily ceiling on top of the per-tx cap. The per-tx cap alone is
+// trivially bypassed by chaining N sub-cap signs (cap=0.05 × 100 calls =
+// 5 SOL drained in a tight loop). The daily cap puts a hard floor on
+// total damage from prompt-injection — to raise it the user has to edit
+// ~/.config/pnl/config.json directly, same as the per-tx cap.
+const DEFAULT_DAILY_AUTOSIGN_CAP_SOL = 0.5;
 /** True iff the currently active RPC URL is our hosted MCP proxy.
  *  Tools use this to decide whether to surface the BYO-Helius hint. */
 export function isUsingHostedRpc() {
@@ -346,7 +353,11 @@ export function writeMnemonicToFile(mnemonic, address) {
 export function loadConfig() {
     ensureDir();
     if (!existsSync(CONFIG_PATH)) {
-        return { autosignCapSol: DEFAULT_AUTOSIGN_CAP_SOL, rpcUrl: DEFAULT_RPC };
+        return {
+            autosignCapSol: DEFAULT_AUTOSIGN_CAP_SOL,
+            dailyAutosignCapSol: DEFAULT_DAILY_AUTOSIGN_CAP_SOL,
+            rpcUrl: DEFAULT_RPC,
+        };
     }
     try {
         const parsed = JSON.parse(readFileSync(CONFIG_PATH, 'utf8'));
@@ -354,15 +365,89 @@ export function loadConfig() {
             autosignCapSol: typeof parsed.autosignCapSol === 'number' && parsed.autosignCapSol >= 0
                 ? parsed.autosignCapSol
                 : DEFAULT_AUTOSIGN_CAP_SOL,
+            dailyAutosignCapSol: typeof parsed.dailyAutosignCapSol === 'number' && parsed.dailyAutosignCapSol >= 0
+                ? parsed.dailyAutosignCapSol
+                : DEFAULT_DAILY_AUTOSIGN_CAP_SOL,
             rpcUrl: typeof parsed.rpcUrl === 'string' && parsed.rpcUrl.length > 0
                 ? parsed.rpcUrl
                 : DEFAULT_RPC,
         };
     }
     catch {
-        return { autosignCapSol: DEFAULT_AUTOSIGN_CAP_SOL, rpcUrl: DEFAULT_RPC };
+        return {
+            autosignCapSol: DEFAULT_AUTOSIGN_CAP_SOL,
+            dailyAutosignCapSol: DEFAULT_DAILY_AUTOSIGN_CAP_SOL,
+            rpcUrl: DEFAULT_RPC,
+        };
+    }
+}
+function utcDateKey() {
+    const d = new Date();
+    const y = d.getUTCFullYear();
+    const m = String(d.getUTCMonth() + 1).padStart(2, '0');
+    const day = String(d.getUTCDate()).padStart(2, '0');
+    return `${y}-${m}-${day}`;
+}
+function readSpentTodaySync() {
+    const today = utcDateKey();
+    if (!existsSync(SPENT_PATH))
+        return { date: today, spentLamports: 0 };
+    try {
+        const parsed = JSON.parse(readFileSync(SPENT_PATH, 'utf8'));
+        if (parsed.date !== today)
+            return { date: today, spentLamports: 0 };
+        const lamports = typeof parsed.spentLamports === 'number' && parsed.spentLamports >= 0
+            ? parsed.spentLamports
+            : 0;
+        return { date: today, spentLamports: lamports };
+    }
+    catch {
+        return { date: today, spentLamports: 0 };
+    }
+}
+function writeSpentSync(state) {
+    ensureDir();
+    writeFileSync(SPENT_PATH, JSON.stringify(state, null, 2), { mode: 0o600 });
+    try {
+        chmodSync(SPENT_PATH, 0o600);
+    }
+    catch {
+        /* non-fatal */
     }
 }
+/** Returns lamports spent so far today (UTC). */
+export function getSpentTodayLamports() {
+    return readSpentTodaySync().spentLamports;
+}
+/**
+ * Reserve `lamports` against the daily autosign cap. Throws if the
+ * reservation would exceed the cap. On success, the spent counter is
+ * incremented immediately and persisted. Call `releaseSpend(lamports)`
+ * on tx failure to roll back.
+ *
+ * Synchronous + file-based → atomic within a Node tick. Safe under
+ * concurrent autosign calls from the same MCP process.
+ */
+export function reserveSpend(lamports) {
+    const { dailyAutosignCapSol } = loadConfig();
+    const capLamports = Math.floor(dailyAutosignCapSol * LAMPORTS_PER_SOL);
+    const state = readSpentTodaySync();
+    const totalAfter = state.spentLamports + lamports;
+    if (totalAfter > capLamports) {
+        const remainingSol = Math.max(0, capLamports - state.spentLamports) / LAMPORTS_PER_SOL;
+        throw new Error(`Daily autosign cap reached. ${(state.spentLamports / LAMPORTS_PER_SOL).toFixed(4)} SOL spent today out of ${dailyAutosignCapSol.toFixed(4)} SOL daily cap; only ${remainingSol.toFixed(4)} SOL remaining. ` +
+            `Use the browser deep-link flow (pnl_vote / pnl_pitch_idea) or raise dailyAutosignCapSol in ~/.config/pnl/config.json. Resets at UTC midnight.`);
+    }
+    writeSpentSync({ date: state.date, spentLamports: totalAfter });
+    return { totalAfterLamports: totalAfter, capLamports };
+}
+/** Roll back a previous reservation. Use on tx-send failure. Never
+ *  drops below 0. */
+export function releaseSpend(lamports) {
+    const state = readSpentTodaySync();
+    const next = Math.max(0, state.spentLamports - lamports);
+    writeSpentSync({ date: state.date, spentLamports: next });
+}
 export function saveConfig(updates) {
     const current = loadConfig();
     const next = { ...current, ...updates };

package/dist/tools/pitch-now.js

@@ -1,6 +1,6 @@
 import { z } from 'zod';
 import { PublicKey, LAMPORTS_PER_SOL } from '@solana/web3.js';
-import { requireUnlockedKeypair, loadConfig, getConnection, getBalanceSol, } from '../lib/wallet.js';
+import { requireUnlockedKeypair, loadConfig, getConnection, getBalanceSol, reserveSpend, releaseSpend, } from '../lib/wallet.js';
 import { signSerializedTx, sendAndConfirm, freshNonce, signChallenge, challenge, signedRequestHash, } from '../lib/sign.js';
 import { pitchIdeaInputSchema } from './pitch-idea.js';
 import { Badge, headline, code, kvTable, inline, next, reply, hr } from '../lib/output.js';
@@ -104,11 +104,33 @@ export async function callPitchNow(rawInput) {
     if (creationFeeSol > cap) {
         throw new Error(`create_market creation fee ${creationFeeSol.toFixed(4)} SOL exceeds autosign cap ${cap} SOL. Raise the cap with autosignCapSol arg or use pnl_pitch_idea for the deep-link flow.`);
     }
+    // Daily ceiling — see wallet.ts `reserveSpend`. Per-tx cap alone is
+    // bypassable by chaining sub-cap calls; this caps the rolling total.
+    // Reserved BEFORE sign; rolled back on send failure.
+    reserveSpend(built.creationFee);
+    let spendReleased = false;
+    const releaseOnFailure = () => {
+        if (!spendReleased) {
+            try {
+                releaseSpend(built.creationFee);
+            }
+            catch { /* best effort */ }
+            spendReleased = true;
+        }
+    };
     // 4. Sign locally and send.
-    const rawTx = signSerializedTx(built.tx, keypair);
-    const { signature: txSignature } = await sendAndConfirm(rawTx, getConnection(), {
-        confirmTimeoutMs: 90_000,
-    });
+    let txSignature;
+    try {
+        const rawTx = signSerializedTx(built.tx, keypair);
+        const sent = await sendAndConfirm(rawTx, getConnection(), {
+            confirmTimeoutMs: 90_000,
+        });
+        txSignature = sent.signature;
+    }
+    catch (err) {
+        releaseOnFailure();
+        throw err;
+    }
     // 5. Build the complete-create body first, then sign a challenge that
     //    folds in a SHA-256 of the body. The hash binds the sig to the
     //    exact payload — a captured sig cannot be replayed with a tampered

package/dist/tools/restore.d.ts

@@ -1,8 +1,4 @@
-import { z } from 'zod';
-export declare const restoreInputSchema: {
-    readonly mnemonic: z.ZodString;
-    readonly allowOverwrite: z.ZodOptional<z.ZodBoolean>;
-};
+export declare const restoreInputSchema: {};
 export declare function callRestore(rawInput: unknown): Promise<{
     content: Array<{
         type: "text";

package/dist/tools/restore.js

@@ -1,25 +1,56 @@
 import { z } from 'zod';
-import { hasWallet, restoreWallet, isValidMnemonic, unlockWith } from '../lib/wallet.js';
+import { hasWallet, restoreWallet, isValidMnemonic, keypairFromMnemonic, unlockWith, getAddress, } from '../lib/wallet.js';
 import { promptPassphrase } from '../lib/passphrase.js';
+import { promptMnemonic, confirmOverwrite } from '../lib/mnemonic.js';
 import { Badge, headline, next, reply, truncAddress, inline } from '../lib/output.js';
-export const restoreInputSchema = {
-    mnemonic: z
-        .string()
-        .min(1)
-        .describe('The 12 or 24 word BIP39 phrase from pnl_init. Standard recovery format Phantom / Solflare / Backpack / Solana CLI all accept.'),
-    allowOverwrite: z
-        .boolean()
-        .optional()
-        .describe('Set to true to replace an existing wallet on this machine. Default false — refuses if one exists so the user can back it up first with pnl_export_keypair.'),
-};
-const RestoreInput = z.object(restoreInputSchema);
+// Tool input: intentionally NO `mnemonic` field. The seed phrase is the
+// most sensitive secret in PNL — passing it as a tool argument would
+// leak it into the agent's chat transcript (Claude Code history,
+// Anthropic API logs, anywhere the conversation is exported). Instead,
+// the user types it into an OS-native dialog (`promptMnemonic`), same
+// pattern as the wallet passphrase.
+//
+// We also no longer accept `allowOverwrite` from the agent. Overwriting
+// an existing wallet is irreversible; prompt-injection could trick the
+// agent into passing `allowOverwrite: true` on attacker-controlled
+// metadata. The user has to click "Replace wallet" in an OS dialog
+// (`confirmOverwrite`) — something the agent cannot synthesize.
+export const restoreInputSchema = {};
+const RestoreInput = z.object(restoreInputSchema).strict();
 export async function callRestore(rawInput) {
-    const { mnemonic, allowOverwrite } = RestoreInput.parse(rawInput ?? {});
-    if (!isValidMnemonic(mnemonic.trim())) {
-        return reply(headline(`${Badge.err} Not a valid BIP39 phrase.`), 'Check spelling, word count (must be 12 or 24), and that all words are from the BIP39 wordlist.', next('Re-run `/pnl-restore` with the correct phrase.'));
+    RestoreInput.parse(rawInput ?? {});
+    let mnemonic;
+    try {
+        mnemonic = promptMnemonic({
+            title: 'PNL Wallet — Restore',
+            prompt: 'Enter your 12 or 24 word recovery phrase (words separated by spaces):',
+        });
     }
-    if (hasWallet() && !allowOverwrite) {
-        return reply(headline(`${Badge.warn} A wallet already exists on this machine.`), `Refusing to overwrite. Back it up first with ${inline('pnl_export_keypair')}, then call \`pnl_restore\` again with \`allowOverwrite: true\`.`, next('`/pnl-export` to back up, then re-run `/pnl-restore`.'));
+    catch (e) {
+        return reply(headline(`${Badge.err} Couldn't read recovery phrase.`), e instanceof Error ? e.message : String(e));
+    }
+    const trimmed = mnemonic.trim();
+    if (!isValidMnemonic(trimmed)) {
+        return reply(headline(`${Badge.err} Not a valid BIP39 phrase.`), 'Check spelling, word count (must be 12 or 24), and that all words are from the BIP39 wordlist.', next('Re-run `/pnl-restore` and re-enter the phrase carefully.'));
+    }
+    // If a wallet already exists, surface an OS-native YES/NO dialog
+    // showing both addresses. Only proceed if the user clicks "Replace".
+    if (hasWallet()) {
+        const oldAddress = getAddress();
+        let newAddress;
+        try {
+            newAddress = keypairFromMnemonic(trimmed).publicKey.toBase58();
+        }
+        catch (e) {
+            return reply(headline(`${Badge.err} Couldn't derive address from phrase.`), e instanceof Error ? e.message : String(e));
+        }
+        if (oldAddress === newAddress) {
+            return reply(headline(`${Badge.warn} Recovery phrase matches the existing wallet.`), `Already restored to ${truncAddress(oldAddress)} — nothing to do.`, next(`${inline('/pnl-wallet')} to see balance.`));
+        }
+        const ok = confirmOverwrite(oldAddress, newAddress);
+        if (!ok) {
+            return reply(headline(`${Badge.warn} Replace cancelled.`), `Existing wallet ${truncAddress(oldAddress)} kept intact.`, `Back up the old wallet first with ${inline('pnl_export_keypair')}, then re-run ${inline('/pnl-restore')} if you really want to swap.`);
+        }
     }
     let passphrase;
     try {
@@ -33,9 +64,7 @@ export async function callRestore(rawInput) {
         return reply(headline(`${Badge.err} Couldn't read passphrase.`), e instanceof Error ? e.message : String(e));
     }
     try {
-        const { address } = restoreWallet(mnemonic.trim(), passphrase, {
-            allowOverwrite: !!allowOverwrite,
-        });
+        const { address } = restoreWallet(trimmed, passphrase, { allowOverwrite: true });
         unlockWith(passphrase, 30);
         return reply(headline(`${Badge.ok} Restored · ${truncAddress(address)} · unlocked 30m`), `On-chain history is preserved — markets, votes, balances tied to this address are visible immediately.`, `Full address: \`${address}\``, next('`/pnl-wallet` to see balance, `/pnl-pitch` to post an idea.'));
     }

package/dist/tools/vote-now.js

@@ -1,6 +1,6 @@
 import { z } from 'zod';
-import { PublicKey } from '@solana/web3.js';
-import { requireUnlockedKeypair, loadConfig, getConnection, getBalanceSol, } from '../lib/wallet.js';
+import { PublicKey, LAMPORTS_PER_SOL } from '@solana/web3.js';
+import { requireUnlockedKeypair, loadConfig, getConnection, getBalanceSol, reserveSpend, releaseSpend, } from '../lib/wallet.js';
 import { signSerializedTx, sendAndConfirm, freshNonce, signChallenge, challenge, signedRequestHash, } from '../lib/sign.js';
 import { getMarket } from '../lib/pnl-api.js';
 import { Badge, headline, code, kvTable, inline, next, reply, hr } from '../lib/output.js';
@@ -49,6 +49,22 @@ export async function callVoteNow(rawInput) {
     if (input.amountSol > cap) {
         throw new Error(`Stake ${input.amountSol} SOL exceeds autosign cap ${cap} SOL. Either raise the cap (autosignCapSol arg) or use pnl_vote for the browser deep-link flow.`);
     }
+    // Daily ceiling — see wallet.ts `reserveSpend`. Per-tx cap alone is
+    // trivially bypassed by chaining N sub-cap calls; this enforces a
+    // rolling total. Reserved BEFORE sign so racing autosign calls can't
+    // each pass the check on a stale read. Rolled back on tx failure.
+    const requiredLamports = Math.floor(input.amountSol * LAMPORTS_PER_SOL);
+    reserveSpend(requiredLamports);
+    let spendReleased = false;
+    const releaseOnFailure = () => {
+        if (!spendReleased) {
+            try {
+                releaseSpend(requiredLamports);
+            }
+            catch { /* best effort */ }
+            spendReleased = true;
+        }
+    };
     const keypair = requireUnlockedKeypair();
     const walletAddress = keypair.publicKey.toBase58();
     const base = getApiBase();
@@ -82,27 +98,37 @@ export async function callVoteNow(rawInput) {
     if (balance < required) {
         throw new Error(`Wallet balance ${balance.toFixed(4)} SOL is below the ${required.toFixed(4)} SOL needed (stake + fee buffer). Fund ${walletAddress} and try again.`);
     }
-    // 1. build-vote-tx
-    const buildRes = await fetch(`${base}/api/mcp/markets/build-vote-tx`, {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json', Accept: 'application/json' },
-        body: JSON.stringify({
-            walletAddress,
-            marketAddress,
-            voteType: input.vote,
-            amountSol: input.amountSol,
-        }),
-    });
-    const buildJson = (await buildRes.json());
-    if (!buildRes.ok || !buildJson.success || !buildJson.data) {
-        throw new Error(`build-vote-tx failed (${buildRes.status}): ${buildJson.error || 'unknown error'}`);
+    let txSignature;
+    try {
+        // 1. build-vote-tx
+        const buildRes = await fetch(`${base}/api/mcp/markets/build-vote-tx`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json', Accept: 'application/json' },
+            body: JSON.stringify({
+                walletAddress,
+                marketAddress,
+                voteType: input.vote,
+                amountSol: input.amountSol,
+            }),
+        });
+        const buildJson = (await buildRes.json());
+        if (!buildRes.ok || !buildJson.success || !buildJson.data) {
+            throw new Error(`build-vote-tx failed (${buildRes.status}): ${buildJson.error || 'unknown error'}`);
+        }
+        const built = buildJson.data;
+        // 2. sign + send locally
+        const rawTx = signSerializedTx(built.tx, keypair);
+        const sent = await sendAndConfirm(rawTx, getConnection(), {
+            confirmTimeoutMs: 90_000,
+        });
+        txSignature = sent.signature;
+    }
+    catch (err) {
+        // Build/sign/send failed → tx never landed → roll back the reservation
+        // so the user keeps their daily budget for the retry.
+        releaseOnFailure();
+        throw err;
     }
-    const built = buildJson.data;
-    // 2. sign + send locally
-    const rawTx = signSerializedTx(built.tx, keypair);
-    const { signature: txSignature } = await sendAndConfirm(rawTx, getConnection(), {
-        confirmTimeoutMs: 90_000,
-    });
     // 3. Build complete-vote body, hash it into the challenge, sign.
     //    The hash binds the sig to voteType + amountSol + marketId so an
     //    attacker who captures the sig within the nonce window cannot

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnlmarket/mcp-server",
-  "version": "0.4.2",
+  "version": "0.5.0",
   "description": "Model Context Protocol server for PNL — let agents (Claude Code, Cursor, Cline, Codex) browse live conviction markets, pitch ideas as markets, and stake YES/NO without leaving the terminal. Local encrypted wallet, autosign for sub-cap amounts, deep-link for larger ones.",
   "type": "module",
   "main": "./dist/index.js",
@@ -44,9 +44,6 @@
   "publishConfig": {
     "access": "public"
   },
-  "overrides": {
-    "rpc-websockets": ">=9.3.10"
-  },
   "engines": {
     "node": ">=18.18"
   },
@@ -56,6 +53,7 @@
     "bip39": "^3.1.0",
     "bs58": "^6.0.0",
     "ed25519-hd-key": "^1.3.0",
+    "rpc-websockets": "^9.3.10",
     "tweetnacl": "^1.0.3",
     "zod": "^3.23.8"
   },