
szhygulin/recon-crypto-mcp

v0.5.0 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 1mo MCP Developer Tools

Topics

aave ai-agent arbitrum claude claude-code compound crypto cursor defi ethereum ledger lifi mcp mcp-server model-context-protocol polygon solana uniswap walletconnect

Affected surfaces

auth rbac

Summary

AI summary

Two-step signing protocol closes the on-device calldata-integrity gap and adds defense-in-depth layers against compromised agents and MCP hash lies.

Full changelog

Minor release. New two-step signing protocol closes the on-device calldata-integrity gap in blind-sign mode, plus two new defense-in-depth layers against narrow agent compromise and compromised-MCP hash lies. Honest documentation of the full threat model in the README.

New

  • Two-step signing protocol: `prepare_*` → `preview_send` → `send_transaction`. `preview_send` pins nonce + EIP-1559 fees server-side and emits a LEDGER BLIND-SIGN HASH block BEFORE the Ledger device prompt fires, so the hash the user must match is on-screen in chat at the moment the device prompts. Closes the core gap identified in #37: previously Ledger Live picked nonce + fees at send time, so the pre-sign RLP hash was unpredictable and the device displayed a value the user had no way to verify.
  • EIP-1559 pre-sign hash surfaced for blind-sign matching: `keccak256(serializeTransaction({type:"eip1559", chainId, nonce, maxFeePerGas, maxPriorityFeePerGas, gas, to, value, data}))`, emitted by `preview_send` in a verbatim-relay content block. This is what the Ledger device displays in blind-sign mode; matching it catches any byte tampering between MCP and device (Ledger Live malware, WalletConnect relay MITM).
  • Fee-pin formula: `baseFee * 2 + max(estimateMaxPriorityFeePerGas, 1.5 gwei)`, replacing viem's default 1.2× baseFee. A live-test tx pinned with the default sat stuck in the mempool over the user-review window; the new formula survives short-term base-fee ramps.
  • TRANSACTION BROADCAST block — post-send verbatim-relay block carrying Chain, Tx hash and a markdown explorer link. Closes a live-test regression where the orchestrator agent sometimes collapsed the raw send result and never surfaced the hash in chat, forcing the user to dig through Ledger Live.
  • PREPARE RECEIPT block (new) — every `prepare_*` response now carries a verbatim-relay block listing the raw args the agent supplied to the MCP server (tool name + each field). Raises the tampering bar against narrow agent compromise: prompt injection from other tool output, malicious Claude skills, compromised subagents in a delegation chain. The agent's bullet summary is free-composed prose; the receipt is a verbatim record. A vigilant user whose intent diverges from the receipt catches the mutation before send.
  • Agent-side independent pre-sign hash recomputation (new): `preview_send` now emits an additional agent-task block instructing the agent to OFFER the user a fourth trust-boundary option: independently recompute the EIP-1559 pre-sign hash using its own prepare-time data + MCP's returned pin + viem (a code trust boundary separate from MCP). Catches a compromised MCP that returns a hash inconsistent with the bytes it forwards to WalletConnect. Per-call pinned values are spliced into a ready-to-run `node -e` command template.

Security-model documentation

New Security model section in the README: trust-boundary diagram, defenses-vs-threats table, threat→catch mapping, honest asymmetry note (the agent is a real second trust boundary against compromised-MCP; MCP has no user-intent ground truth to catch a fully-coordinated compromised-agent attack — this limit is named, not hidden). The server-side payloadFingerprint verification snippet is preserved with an explicit clarification that it is NOT what Ledger displays.

Behaviour changes

  • send_transaction without a prior preview_send now throws Missing pinned gas with a clear diagnostic. The preview step is load-bearing for the hash-match flow — refusing is the correct action. TRON handles skip preview (USB-HID clear-sign UX handles this path).
  • Fee estimation moved from send time to preview time. User-visible impact: slightly longer preview_send latency; no change to prepare_* latency.
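The fee-pin formula from the "New" section and the preview/send split described above, modelled as an added example (not recon-crypto-mcp's own code). It shows why a 1.2× pin can be stuck after a short base-fee ramp while the 2× pin survives, and why `send_transaction` refuses without a prior `preview_send`. All names (`pinFees`, `defaultPin`, `rampBaseFee`, `survivesWindow`, `SendSession`) are assumed, as is the modelling of viem's default as 1.2 × baseFee + priority.

```typescript
// Added example, not recon-crypto-mcp's own code. Fees are integers in wei
// (a JS number is exact up to 2^53, ample for gwei-scale values). All names assumed.
const GWEI = 1_000_000_000;
const MIN_PRIORITY = 1.5 * GWEI; // 1.5 gwei floor from the v0.5.0 release notes

interface FeePin { nonce: number; maxFeePerGas: number; maxPriorityFeePerGas: number }

// v0.5.0 pin: baseFee * 2 + max(estimated priority fee, 1.5 gwei)
function pinFees(baseFee: number, estPriority: number, nonce: number): FeePin {
  const maxPriorityFeePerGas = Math.max(estPriority, MIN_PRIORITY);
  return { nonce, maxPriorityFeePerGas, maxFeePerGas: baseFee * 2 + maxPriorityFeePerGas };
}

// The default the release replaced, modelled (assumption) as 1.2 * baseFee + priority.
function defaultPin(baseFee: number, estPriority: number, nonce: number): FeePin {
  return { nonce, maxPriorityFeePerGas: estPriority, maxFeePerGas: Math.floor((baseFee * 12) / 10) + estPriority };
}

// Worst-case EIP-1559 base-fee ramp: +12.5% per full block, for `blocks` blocks.
function rampBaseFee(baseFee: number, blocks: number): number {
  let fee = baseFee;
  for (let i = 0; i < blocks; i++) fee = Math.floor((fee * 1125) / 1000);
  return fee;
}

// A pinned tx is still includable after the review window iff maxFeePerGas >= the base fee then.
function survivesWindow(pin: FeePin, baseFeeAtPreview: number, blocksInWindow: number): boolean {
  return pin.maxFeePerGas >= rampBaseFee(baseFeeAtPreview, blocksInWindow);
}

// preview_send pins nonce + fees; send_transaction refuses without that pin.
class SendSession {
  private pin: FeePin | undefined;
  previewSend(baseFee: number, estPriority: number, nonce: number): FeePin {
    this.pin = pinFees(baseFee, estPriority, nonce);
    return this.pin; // the device-displayed hash is computed over exactly these pinned values
  }
  sendTransaction(): FeePin {
    if (!this.pin) throw new Error("Missing pinned gas: run preview_send before send_transaction");
    const pin = this.pin;
    this.pin = undefined; // one pin is consumed by exactly one send
    return pin;
  }
}
```

With a 10 gwei base fee at preview time, the 1.2× pin (13 gwei) is still includable after two worst-case blocks but not after five (about 18 gwei), whereas the 2× pin (21.5 gwei) covers the whole window.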

Tests

  • test/send-hash-pin.test.ts (7) — EIP-1559 pre-sign hash helper, the verbatim-relay blocks, the preview/send split.
  • test/integration-security.test.ts (5) — PREPARE RECEIPT reveals a prompt-injected to; honest MCP's hash matches an independent recompute; a to-swap at forwarding time produces a divergent device hash; MCP lying about preSignHash is caught by the agent's recompute.
  • 409/409 tests pass. npm audit → 0 vulnerabilities.

Internal references

PRs #37 (pin gas + pre-sign hash), #39 (preview/send split, PREPARE RECEIPT, agent hash recompute, security-model docs), #40 (version bump).

Breaking Changes

  • `send_transaction` without a prior `preview_send` now throws `Missing pinned gas`.

Security Fixes

  • Two-step signing closes the core calldata-integrity gap in blind-sign mode (addresses issue #37).
  • Added `PREPARE RECEIPT` block and agent-side independent pre-sign hash recomputation to detect compromised agents or MCP hash lies.


About szhygulin/recon-crypto-mcp

Self-custodial crypto portfolio for AI agents. Reads EVM wallet balances, ENS, token prices, and DeFi positions across Ethereum/Arbitrum/Polygon/Base (Aave V3, Compound V3, Morpho Blue, Uniswap V3 LP, Lido, EigenLayer), surfaces health-factor alerts and protocol risk scores, then prepares unsigned transactions (supply, borrow, repay, withdraw, stake, send, LiFi swap/bridge) signed on Ledger via WalletConnect — private keys never leave the hardware wallet.
