feat(bridge): MCP server exposing gated wallet/launch/memory tools to external agents #201
Merged
… external agents Claude Code and Cursor can now call DAEMON tools through a stdio shim that forwards to a loopback HTTP server in the main process. Every write tool blocks on an approval card inside DAEMON; sensitive tools keep typed confirm and approval summaries now carry the [MAINNET] mark. Token auth, 13-tool allowlist intersected with enabled packs, cwd-based project resolution, 120s approval timeout, and a per-project .mcp.json registration flow.
resolveProjectForCwd leaned on path.resolve + path.sep, which only behave correctly on Windows. On Linux CI path.resolve mangles C:\ paths and path.sep is /, so the longest-prefix match returned nothing and two gateway tests failed. Normalize separators and case ourselves instead of trusting host path semantics.
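The cwd-based project resolution described in the commit above, as an added TypeScript example that is not the PR's code: only the name resolveProjectForCwd comes from the page; the Project shape, normalizePath, isWithin and the sample registry are assumptions. It goes one step beyond the text by matching on segment boundaries, so a sibling directory that merely shares a string prefix with a project root does not resolve to that project.

```typescript
// Added example, not the PR's code: host-independent cwd -> project resolution.
// A root registered on Windows must still match a cwd reported on Linux CI, so
// separators and case are normalized by hand rather than via path.resolve/path.sep.

interface Project {
  id: string;
  root: string; // as registered, in either separator style (assumed shape)
}

// Normalize for comparison only: forward slashes, collapsed duplicates,
// no trailing slash (except a bare root such as "/" or "c:/"), lower case.
function normalizePath(p: string): string {
  let s = p.replace(/\\/g, "/").replace(/\/+/g, "/");
  if (s.length > 1 && s.endsWith("/") && !/^[a-z]:\/$/i.test(s)) {
    s = s.slice(0, -1);
  }
  return s.toLowerCase();
}

// True when child is root itself or lies below it on a segment boundary,
// so "/work/app2" never matches a project rooted at "/work/app".
function isWithin(root: string, child: string): boolean {
  if (child === root) return true;
  const prefix = root.endsWith("/") ? root : root + "/";
  return child.startsWith(prefix);
}

// Longest-prefix match of cwd against registered roots. Returns undefined when
// cwd lies outside every project, which the caller treats as "reject the call".
function resolveProjectForCwd(projects: Project[], cwd: string): Project | undefined {
  const target = normalizePath(cwd);
  let best: Project | undefined;
  let bestLen = -1;
  for (const project of projects) {
    const root = normalizePath(project.root);
    if (isWithin(root, target) && root.length > bestLen) {
      best = project;
      bestLen = root.length;
    }
  }
  return best;
}

// Constructed sample registry: a Windows-style root plus two nested POSIX roots.
const SAMPLE_PROJECTS: Project[] = [
  { id: "wallet-ui", root: "C:\\Users\\dev\\daemon\\wallet-ui" },
  { id: "launch-kit", root: "/home/dev/launch-kit" },
  { id: "launch-kit-docs", root: "/home/dev/launch-kit/docs" },
];
```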
7216dba to 59ea7f5
Bump vulnerable transitive deps to their fixed versions via pnpm overrides, and the two direct deps (vite, nodemailer) in place:
- dompurify 3.4.0 -> 3.4.7 (XSS via hook tag/attr mutation)
- hono 4.12.21 -> 4.12.25 (CORS credential reflection)
- protobufjs 7.5.8 -> 7.6.1 (Any-expansion DoS)
- tmp 0.2.6 -> 0.2.7 (path traversal via _assertPath bypass)
- ws 8.20.1 -> 8.21.0 (fragment memory-exhaustion DoS)
- undici 6.25.0 -> 6.27.0 (websocket fragment DoS)
- tar 7.5.13 -> 7.5.16 (PAX size override)
- form-data 4.0.5 -> 4.0.6 (CRLF injection in field names)
- js-yaml 4.1.1 -> 4.2.0 (merge-key quadratic DoS)
- nodemailer 8.x -> 9.0.1 (raw option file-access bypass)
- vite 6.4.2 -> 6.4.3 (server.fs.deny bypass on Windows)
@babel/core (CVSS 3.2, build-time only, no stable 7.x fix) is suppressed in osv-scanner.toml with justification and a review date.
OSV flagged newer advisories against the interim pins:
- dompurify 3.4.7 -> 3.4.11 (ALLOWED_ATTR pollution, SAFE_FOR_TEMPLATES bypass, Trusted Types policy persistence)
- protobufjs 7.6.1 -> 7.6.3 (schema-name property shadowing)
The rebase onto main pulled in the BUILD/PLAN toggle and one-row composer layout, which legitimately changes the agent panel header and composer renders. Update only those 6 baselines; the rest match within tolerance.
What
DAEMON Bridge v1 — external agents (Claude Code, Cursor) can call a gated subset of ARIA tools over MCP.
- Stdio shim (electron/services/bridge/shim.ts) forwards MCP calls to a loopback HTTP server on 7337 in the main process
- BridgeToolGateway enforces the same risk tiers as ARIA: reads run, writes block on an approval card inside DAEMON, sensitive tools keep typed confirm; approval summaries carry the [MAINNET] mark
- 13-tool allowlist (…, read_project_status) intersected with enabled packs at runtime
- .mcp.json registration flow in Settings → Bridge
- Smoke script: scripts/smoke/bridge-shim.mjs
Why
Keys never leave the vault. External agents request actions, a human approves on a card, DAEMON signs. This is the companion-layer path for Cursor/VS Code users — they keep their editor and add DAEMON as the approval surface.
Tests
Four new test files (gateway, server, executeToolCall risk gating, approval host DOM). Full gate green locally: typecheck + vitest suite + build.