This release adds 2 notable features for engineering teams evaluating rollout.

Published 1mo MCP Developer Tools
✓ No known CVEs patched

Topics

aave ai-agent arbitrum claude claude-code compound crypto cursor defi ethereum ledger lifi mcp mcp-server model-context-protocol polygon solana uniswap walletconnect

Summary

AI summary

Bitcoin Phase 1 completes with full Ledger pairing and send support; fixes Marinade crashes under Node ESM‑CJS interop.

Full changelog

Headline

Bitcoin Phase 1 ships complete — pairing, native segwit + taproot sends, portfolio integration, message signing, all on Ledger USB HID with the BTC app's clear-sign UX. No Ledger Live / WalletConnect dependency for BTC; same hardware-wallet trust tier as Solana / TRON.

Two production Marinade fixes also rolled in (prepare_marinade_stake is no longer crashing under Node ESM-CJS interop quirks).

What's in here vs v0.7.0

Bitcoin Phase 1 — complete

  • pair_ledger_btc — pairs all 4 mainnet address types in one device round-trip (legacy 1... / P2SH-wrapped 3... / native segwit bc1q... / taproot bc1p...); stored across sessions.
  • prepare_btc_send — segwit + taproot sends with PSBT v0 build via bitcoinjs-lib, branch-and-bound + accumulative coin-selection (coinselect), RBF-on-by-default (sequence 0xFFFFFFFD), fee-cap guard at max(10× feeRate × vbytes, 2% of output) with allowHighFee opt-out.
  • send_transaction BTC branch — Ledger BTC app clear-signs every output (address + amount) + fee on-screen; broadcasts via mempool.space's /tx.
  • get_transaction_status BTC branch — confirmation count via mempool.space chain tip; distinguishes pending / success / unknown.
  • Read tools: get_btc_balance, get_btc_balances, get_btc_fee_estimates, get_btc_tx_history. Indexer URL configurable (BITCOIN_INDEXER_URL env var or bitcoinIndexerUrl config) so self-hosted Esplora / Electrs work out of the box.
  • Portfolio integration: get_portfolio_summary accepts bitcoinAddress (single) or bitcoinAddresses (1-20). BTC × USD price (DefiLlama coingecko:bitcoin) folds into breakdown.bitcoin + bitcoinUsd. Per-address fetch errors degrade via coverage.bitcoin.
  • sign_message_btc — BIP-137 message signing (legacy / P2SH-wrapped / native segwit). Header byte chosen per address-type convention (31..34 / 35..38 / 39..42). Taproot is refused with a pointer to BIP-322 (which the Ledger BTC app doesn't yet expose — sign with another paired type from the same account instead). 10000-char message ceiling.
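
A pre-signing check that recomputes the fee, the fee cap and the RBF signal from the figures in the list above, as an added example that is not the project's own code. The transaction object shape, the `isChange` flag and the reading of "2% of output" as 2% of the recipient total are assumptions.

```javascript
// Added example: independent re-check of a prepared BTC send before it reaches the device.
// The tx shape (inputs/outputs/vbytes/feeRate, isChange) is hypothetical.
const RBF_SEQUENCE = 0xfffffffd; // value quoted in the release notes

// Cap from the release notes: max(10 x feeRate x vbytes, 2% of output).
// Assumption: "output" is the total paid to recipients, change excluded.
function feeCapSats(feeRate, vbytes, recipientSats) {
  // 2% computed as integer division by 50 to stay in whole satoshis.
  return Math.max(Math.ceil(10 * feeRate * vbytes), Math.floor(recipientSats / 50));
}

function checkPreparedSend(tx, { allowHighFee = false } = {}) {
  const problems = [];
  const sum = (xs) => xs.reduce((acc, x) => acc + x.value, 0);

  // The fee is implicit in a Bitcoin transaction: inputs minus outputs.
  const fee = sum(tx.inputs) - sum(tx.outputs);
  if (fee < 0) problems.push("outputs exceed inputs");

  // BIP-125: replaceability is signalled by any input sequence below 0xFFFFFFFE.
  if (!tx.inputs.some((i) => i.sequence < 0xfffffffe)) {
    problems.push("RBF not signalled");
  }

  const recipientSats = sum(tx.outputs.filter((o) => !o.isChange));
  const cap = feeCapSats(tx.feeRate, tx.vbytes, recipientSats);
  if (fee > cap && !allowHighFee) {
    problems.push(`fee ${fee} sat exceeds cap ${cap} sat`);
  }
  return { fee, cap, ok: problems.length === 0, problems };
}

// Constructed sample: one input, one recipient plus change back to the source
// address, 141 vbytes at 12 sat/vB (fee = 12 * 141 = 1692 sat).
const sample = {
  feeRate: 12,
  vbytes: 141,
  inputs: [{ value: 500000, sequence: RBF_SEQUENCE }],
  outputs: [{ value: 100000 }, { value: 398308, isChange: true }],
};
const sampleResult = checkPreparedSend(sample);
```

For small payments the 10× feeRate × vbytes term sets the cap; for large ones the 2% term does, which is why the cap is a maximum of the two.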

Phase 1 simplifications (documented in code)

  • Sends supported on segwit + taproot only; legacy / P2SH-wrapped reads work but sends are deferred (legacy needs nonWitnessUtxo per input).
  • Change goes back to source address — proper BIP-32 internal-chain change is a follow-up. Receive-as-change is functionally correct; the device still walks the user through every output.

Bug fixes

  • Marinade BN named-export resolution under Node ESM-from-CJS interop (#178). await import("@coral-xyz/anchor") returns BN as undefined on the named slot because cjs-module-lexer misses the Object.defineProperty getter — fix falls back to default.BN. Regression test pins the import shape.
  • Marinade nested anchor 0.28 override for the marinade-ts-sdk subtree. Marinade SDK is pinned to Anchor 0.28; our top-level override forced 0.30 globally; Anchor's Program constructor signature changed in 0.30 (programId now read from idl.address), and Marinade's bundled IDL predates that field. Fix: scoped subtree override.
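
The named-export fallback described in the first fix, shown as an added example that is not the project's code. The namespace objects are constructed stand-ins for what `await import("@coral-xyz/anchor")` can return, and `FakeBN`, `exportShape` and `resolveNamedExport` are hypothetical names.

```javascript
// Added example, not project code. FakeBN is a placeholder for the real BN class.
class FakeBN {
  constructor(v) { this.v = BigInt(v); }
}

// CJS exports object where BN is exposed through a defineProperty getter,
// the pattern the release notes say cjs-module-lexer does not detect.
const cjsExports = {};
Object.defineProperty(cjsExports, "BN", { enumerable: true, get: () => FakeBN });

// Constructed namespace shapes for the two outcomes of static export detection.
const lexerMissed = { default: cjsExports };            // named slot absent
const lexerFound = { BN: FakeBN, default: cjsExports }; // named slot present

// Classify where an export is reachable, so a regression test can pin the shape.
function exportShape(ns, name) {
  const named = ns[name] !== undefined;
  const viaDefault = ns.default != null && ns.default[name] !== undefined;
  if (named) return viaDefault ? "named+default" : "named-only";
  return viaDefault ? "default-only" : "missing";
}

// Prefer the named slot, fall back to default.<name>, and fail loudly otherwise
// instead of letting `new undefined(...)` surface later in a transaction builder.
function resolveNamedExport(ns, name) {
  if (ns[name] !== undefined) return ns[name];
  if (ns.default != null && ns.default[name] !== undefined) return ns.default[name];
  throw new TypeError(`export "${name}" missing from namespace and from default`);
}

const BN = resolveNamedExport(lexerMissed, "BN");
const lamports = new BN("1500000000"); // usable even though the named slot was undefined
```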

Release plumbing

  • Bundled binaries grouped by platform via filename order (#175).
  • Snyk SNYK-JS-ELLIPTIC-14908844 suppressed with reachability justification — elliptic is transitive via bitcoinjs-lib@5 → tiny-secp256k1@1 → elliptic; the vulnerable ec.sign() is never called in our paths (Ledger device does all signing).

Out of scope / what's next

  • BTC RBF fee-bump tool (prepare_btc_rbf_bump) — Phase 2 candidate
  • BTC multi-sig PSBT (co-signer flow) — Phase 2 candidate
  • BRC-20 / Runes / Ordinals — would require inscription-aware UTXO blacklisting in coin-selection; deferred
  • Lightning, signet/testnet, multi-vendor (Trezor / Coldcard) — deferred

Notes

  • Full test suite green on this commit (1047 tests).
  • Build clean.
  • npm @latest will flip to 0.8.0 once publish.yml runs.
  • Bundled binaries for all 4 OS targets attach automatically once release-binaries.yml finishes (Linux x64, macOS arm64, macOS x64, Windows x64).

About szhygulin/recon-crypto-mcp

Self-custodial crypto portfolio for AI agents. Reads EVM wallet balances, ENS, token prices, and DeFi positions across Ethereum/Arbitrum/Polygon/Base (Aave V3, Compound V3, Morpho Blue, Uniswap V3 LP, Lido, EigenLayer), surfaces health-factor alerts and protocol risk scores, then prepares unsigned transactions (supply, borrow, repay, withdraw, stake, send, LiFi swap/bridge) signed on Ledger via WalletConnect — private keys never leave the hardware wallet.
