szhygulin/recon-crypto-mcp

Highlights

Fixes the broken v0.9.4 binary release — v0.9.4 shipped with vaultpilot-mcp-macos-arm64-server missing because GitHub's reverse-proxy 5xx'd a 504 MB upload mid-stream (#330 follow-up). Three independent mitigations land here:

• #346 — prune devDependencies before pkg snapshot (~20 MB smaller)
• #361 — strip @mysten/sui from @lifi/sdk via patch-package (~63 MB smaller). Cumulative: 504 MB → 420 MB linux-x64 binary.
• #349 — retry release-asset uploads on transient 5xx with 3 attempts + linear backoff (replaces softprops/action-gh-release with gh release upload --clobber in a bash retry loop).

Fixes `Failed to connect` on consumer installs — postinstall: patch-package was running on every npx -y vaultpilot-mcp install, but patch-package was a devDependency. npm install --omit=dev (the default for npx) skipped devDeps, postinstall exited 127, npm rolled the entire install back, and node_modules/vaultpilot-mcp never existed on disk. Two PRs in this release fix this:

• #369 — patch-package moved from devDependencies to dependencies
• #370 — script renamed postinstall → prepare so it runs at dev/CI/build time but not on consumer installs

Pre-restart install validation + visibility:

• #359 / #364 — new vaultpilot-mcp --check doctor for pre-restart verification
• #366 — AGENTS.md re-ordered so the doctor runs FIRST, making the npm download visible to the user before the disruptive client restart

Process discipline — CLAUDE.md push-back discipline section captures the lesson from the v0.9.4 release postmortem: when the user's ask is built on a faulty premise (re-running a workflow against a tag that predates the fix being applied), surface the mismatch before acting, not as a mid-response footnote.

Other changes since v0.9.4

Multi-sig BTC wave (PR1–PR4), security-trust verification wave (issue #325 P2/P3/P4/P5 + P1 framework), Uniswap V3 LP lifecycle (mint / increase / close-out / rebalance), and assorted CI / docs hardening. Auto-generated PR list for full detail:

What's Changed

• feat(btc): combine_btc_psbts + finalize_btc_psbt by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/329
• feat(lp): prepare_uniswap_v3_mint — first Uniswap V3 LP write tool (M1a) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/334
• feat(lp): prepare_uniswap_v3_increase_liquidity (M1b) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/342
• docs(claude.md): require stacked PRs to avoid shared-line conflicts by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/340
• feat(btc): watch-only multi-sig balances + UTXO reads by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/331
• feat(risk-score): canonicalize 'curve' → 'curve-dex' DefiLlama slug by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/341
• docs(agents): npm-first install path, shell installer as fallback (closes #343) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/347
• chore(test): targeted retry: 2 on observed-flaky tests (refs #344) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/345
• ci(release): retry release-asset uploads on transient 5xx by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/349
• perf(release): prune devDependencies before pkg snapshot (~20 MB smaller) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/346
• feat(lp): Uniswap V3 close-out lifecycle (M1c — decrease + collect + burn) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/348
• feat(security): pin Ledger app versions per chain (issue #325 P2) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/350
• feat(security): verify_ledger_firmware tool (issue #325 P3) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/354
• docs(agents): demote setup wizard to optional follow-up — public RPC fallback already works (closes #352) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/355
• feat(lp): prepare_uniswap_v3_rebalance — multicall compose (M1d) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/351
• feat(security): pin WalletConnect peer to Ledger Live (issue #325 P5) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/356
• docs(claude.md): add SDK scope-probing discipline section by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/357
• docs(claude.md): re-trigger CI when it stalls past ~5 min by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/358
• perf(release): strip @mysten/sui from @lifi/sdk + narrow prebuild glob (~63 MB) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/361
• feat(install): --check doctor for pre-restart validation (closes #359) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/364
• feat(security): verify_ledger_live_codesign tool (issue #325 P4) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/360
• docs(agents-md): make npm install visible by running doctor first (#362) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/366
• feat(btc): multi-sig initiator flow + unregister by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/335
• feat(security): SE attestation framework (issue #325 P1) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/363
• docs(claude.md): don't watch CI unless explicitly asked by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/367
• fix(npm): patch-package must be a runtime dep (closes #353) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/369
• fix(install): postinstall → prepare so consumer installs work (closes #368) by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/370
• chore(release): bump to 0.9.5 by @szhygulin in https://github.com/szhygulin/vaultpilot-mcp/pull/365

Full Changelog: https://github.com/szhygulin/vaultpilot-mcp/compare/v0.9.4...v0.9.5