Releases: Guck111/fenek-portfolio-companion
v0.7.0
Added
- portfolio_snapshot — one call covers every configured source. A new
cross-broker tool that reads all configured sources and every money bucket in a
single call: full position lists plus, where a source has them, Earn/staked
balances, open derivatives, and off-account holdings (e.g. a Bybit Funding
wallet). Each source carries a status (ok/empty/error) and per-bucket
failures — a read that was denied is never reported as "empty", so a partial
read is never passed off as the whole portfolio. Totals are per currency (no FX
conversion); Earn/derivatives/off-account holdings are listed in their own
sections and not summed into totals. Crypto sources remain Pro-gated (listed
under excludedSources on the free tier). A server instruction now routes broad
"whole portfolio / net worth / all my assets" questions to it, and each
single-source *_get_positions tool points to it. Implemented over the
IBroker interface via optional getEarnReport / getDerivativeReport /
getOffAccountBalances methods, so the existing Bybit tools are unchanged and
future sources plug in by implementing the same methods.
Verify provenance:
gh attestation verify fenek-portfolio-companion.mcpb --repo Guck111/fenek-portfolio-companion
v0.6.2
Fixed
- Bybit coin amounts are no longer mistakable for dollar values. In
bybit_get_balances_overview, Bybit's coinDetail[].equity is a coin AMOUNT
(holdings), not a USD figure — a delisted/zero-price token shows its full coin
count while being worth ~$0. It was surfaced under the money-sounding name
equity, which could lead a reader to report, say, 48,707 BBL as $48,707. The
per-coin field is now labeled quantity; the only fiat figures are the
account/total equity totals (in valuationCurrency). The bybit_get_account
per-coin description was likewise clarified — quantity/equity are coin
amounts and usdValue (absent for coins with no USD market) is the dollar value.
Security
- Pinned vite to 8.0.16 to clear a high-severity advisory. vite is a
dev/test-only transitive dependency (via vitest) and never ships in the
.mcpb bundle, so released servers were unaffected — the pin keeps the CI
npm audit gate green.
Verify provenance:
gh attestation verify fenek-portfolio-companion.mcpb --repo Guck111/fenek-portfolio-companion
v0.6.1
Fixed
- Bybit Earn token position no longer errors out. Bybit serializes the
aprE8/bonusAprE8 APY fields as strings, but the schema required numbers, so
reading a flexible-savings (token) position failed validation. The schema now
accepts a string or a number (the APY is normalized identically), matching how
the dual-asset apyE8 field was already handled.
Verify provenance:
gh attestation verify fenek-portfolio-companion.mcpb --repo Guck111/fenek-portfolio-companion
v0.6.0
Added
- Ethereum & EVM wallets (Pro). Paste a public 0x… address into the wallet field and Fenek reads it across Ethereum, Arbitrum, Optimism, Base, and Polygon — native balance plus ERC-20 holdings — keyless through public Blockscout instances, priced via DefiLlama. The chain is auto-detected (EIP-55 checksum validated), so EVM addresses sit alongside the existing Solana/TON/Bitcoin/Litecoin/Dogecoin wallets in the same field, with no API key. As a crypto source it falls under Fenek Pro. NFTs (ERC-721/1155) are excluded, and per-network reads are isolated so one slow explorer never sinks the others.
Verify provenance:
gh attestation verify fenek-portfolio-companion.mcpb --repo Guck111/fenek-portfolio-companion
v0.5.0
Added
- Fenek Pro is live. Crypto sources (Bybit, on-chain wallets) now require a Fenek Pro license key, validated about once a month against Polar (the merchant of record, api.polar.sh); the check sends only the license key. Classic brokers (Trading 212) and the cross-broker overview stay free, and the official free self-build path npm run pack:freepro (docs/building-pro.md) still unlocks everything without a license. Built on the tier-aware tool registry and license manager (monthly verdict cache, 14-day grace, "revoked" distinguished from "unreachable") with the LICENSE_KEY field stored in the OS keychain.
- Update notices. Fenek now reminds you in chat when a newer version is out: a no-network age-based nudge when a build is over two months old, plus an opt-out weekly check against api.github.com that reads only the latest release number. Toggle it with the new "Check for updates weekly" setting (CHECK_UPDATES). The manifest's homepage and privacy links now point at fenek.tech.
- Stricter error handling. Tool errors now carry a directive next action — the exact missing read scope, a "wait, don't retry" on rate limits, "don't fabricate" on unexpected data — and the server instructs the assistant never to retry, work around, speculate, or invent figures on an error or empty result.
Verify provenance:
gh attestation verify fenek-portfolio-companion.mcpb --repo Guck111/fenek-portfolio-companion
v0.4.1
Security hardening release: closes every finding from a full audit of the codebase, CI pipeline, and MCP surface. No new tools, no new data — upgrade recommended for all users.
Security
- On-chain token symbols are sanitized before they reach tool results: control, bidi-override, and zero-width characters stripped, whitespace collapsed, length capped at 32. Anyone can mint a token with an arbitrary name and airdrop it to a watched wallet, which made this the one provider field a third party could weaponize for prompt injection. Server instructions now also direct the model to treat instrument and token names as data, never as instructions.
- Diagnostic dumps are credential-free: schema-mismatch excerpts are redacted (credential-shaped fields removed) and size-capped before reaching stderr, which Claude Desktop persists to a local log. Bybit's key-info endpoint echoes the API key in its response, so schema drift there would previously have written the key to that log.
- Authenticated requests refuse HTTP redirects (redirect: "error"): fetch does not strip Bybit's custom X-BAPI-* auth headers on cross-origin redirects, and no broker read endpoint redirects legitimately.
- Least-privilege CI: the release workflow is split into a read-only test job and a minimal write job; dependency lifecycle scripts are disabled (--ignore-scripts); actions are pinned to commit SHAs; checkout credentials are not persisted; the .mcpb is packed with the lockfile-verified mcpb CLI instead of an unverified registry re-fetch.
- Vulnerability intake enabled: Dependabot alerts and GitHub private vulnerability reporting (the channel SECURITY.md documents).
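The token-symbol sanitization described in the first Security item above can be sketched as follows. This is an added example, not Fenek's code: the name sanitizeSymbol and the exact character ranges are assumptions, since the notes only name the categories (control, bidi-override, zero-width), the whitespace collapse, and the 32-character cap.

```javascript
// Added example, not the project's implementation. sanitizeSymbol and the
// character ranges below are assumptions made for illustration.
const MAX_SYMBOL_LENGTH = 32; // cap stated in the release notes

// C0/C1 controls except \t \n \v \f \r, which the whitespace pass handles.
const CONTROL = /[\u0000-\u0008\u000E-\u001F\u007F-\u009F]/g;
// Bidi embeddings/overrides, isolates, and directional marks.
const BIDI = /[\u202A-\u202E\u2066-\u2069\u200E\u200F\u061C]/g;
// Zero-width space, non-joiner, joiner, word joiner, BOM.
const ZERO_WIDTH = /[\u200B-\u200D\u2060\uFEFF]/g;

function sanitizeSymbol(raw) {
  // Provider data is untrusted: anything that is not a string becomes empty.
  if (typeof raw !== "string") return "";
  const cleaned = raw
    .normalize("NFC")
    .replace(CONTROL, "")
    .replace(BIDI, "")
    .replace(ZERO_WIDTH, "")
    .replace(/\s+/g, " ") // newlines and tabs collapse to one space
    .trim();
  // Cap by code point so a surrogate pair is never cut in half.
  return Array.from(cleaned).slice(0, MAX_SYMBOL_LENGTH).join("");
}

// Constructed sample symbols, as a third party might set them on a token.
const SAMPLES = [
  "US\u200BDC",                              // zero-width space inside a ticker
  "\u202EUSDT\u202C",                        // right-to-left override wrapper
  "WETH\n\n  claim\tat  example.invalid",    // multi-line text in a name
  "A".repeat(100),                           // oversized name
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", JSON.stringify(sanitizeSymbol(s)));
}
```

Sanitizing shrinks what a token name can carry, but the result is still attacker-chosen text, which is why the same release also instructs the model to treat names as data.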
Fixed
- Every outbound request now carries a 15-second timeout — a hung provider can no longer wedge a tool call.
- A provider-supplied Retry-After header is honored up to 60 seconds instead of verbatim (a malicious 86400 would have put the call to sleep for a day).
- Jupiter limit-order pagination is capped at 20 pages instead of trusting the provider-reported page count.
- Free-form tool inputs (pagination cursor, search query, pie id, coin ids) are length-capped at the schema boundary.
- In-memory TTL caches are bounded (1000 entries, FIFO eviction).
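The Retry-After cap from the list above, as an added example rather than the project's code. The function name retryAfterMs and the choice to return null for an unparseable header are assumptions; the 60-second ceiling is the one the notes state. The header may carry either delta-seconds or an HTTP-date, and both forms are clamped.

```javascript
// Added example, not the project's implementation. retryAfterMs and the
// null-on-garbage behaviour are assumptions made for illustration.
const MAX_RETRY_AFTER_MS = 60_000; // 60-second ceiling from the release notes

function retryAfterMs(headerValue, nowMs = Date.now()) {
  if (typeof headerValue !== "string") return null;
  const value = headerValue.trim();
  let delayMs;
  if (/^\d+$/.test(value)) {
    // delta-seconds form; an absurdly long digit string becomes Infinity
    // and is clamped below like any other oversized value.
    delayMs = Number(value) * 1000;
  } else {
    // HTTP-date form, e.g. "Wed, 21 Oct 2015 07:28:00 GMT".
    const when = Date.parse(value);
    if (Number.isNaN(when)) return null; // caller falls back to its own backoff
    delayMs = when - nowMs;
  }
  // Whatever the provider said, wait between 0 and 60 seconds.
  return Math.min(Math.max(delayMs, 0), MAX_RETRY_AFTER_MS);
}

// Constructed header values, evaluated against a fixed clock.
const NOW = Date.parse("Wed, 21 Oct 2015 07:27:30 GMT");
for (const h of ["5", "86400", "Wed, 21 Oct 2015 07:28:00 GMT", "soon"]) {
  console.log(JSON.stringify(h), "->", retryAfterMs(h, NOW));
}
```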
Changed
- Every tool declares openWorldHint: true for network-backed broker and analytics tools, false for local-only playbooks and onboarding.
- PRIVACY.md names every outbound host (adds litecoinspace.org and Jupiter) and documents the local-log behavior on schema drift; README gains a "Verify your download" section.
Verify provenance: gh attestation verify <file>.mcpb --repo Guck111/fenek-portfolio-companion
v0.4.0
Full exchange data coverage: every read-only money bucket Bybit and Trading 212 expose is now reachable, and previously stripped response fields are kept.
Added
Bybit
- Derivatives — bybit_get_derivative_positions: open USDT/USDC perpetual, futures, inverse, and options positions with side, size, entry/mark price, unrealized and realized P&L, leverage, liquidation price, and TP/SL. Previously invisible.
- Earn — bybit_get_earn_positions: staked and saving balances across flexible savings, on-chain staking, fixed-term deposits, the BYUSDT yield token, and dual-asset products, with APY (normalized to percent) and claimable yield. Earn funds never appear in wallet balances. Requires the Earn read permission.
- All-account overview — bybit_get_balances_overview: total equity in USD across every account type (Funding wallet, Unified Trading, Earn, Trading Bots, Copy Trading, Launchpool) with per-account coin holdings, plus Funding-wallet quantities. Requires the Assets/Wallet read permission.
- Account & margin health — bybit_get_account: total equity, wallet/margin/available balances, perp UPL, IM/MM margin rates (liquidation-risk indicators), per-coin equity, P&L, borrow, accrued interest.
- Key diagnostics — bybit_get_key_info: read-only flag, permission groups, IP allowlist, expiry (warns within 14 days), margin mode, UTA status.
Trading 212
- Exchange hours — t212_get_exchanges: venue working schedules including pre-market, after-hours, and overnight sessions.
- Richer history — executed orders now include limit/stop price, quantities, time-in-force, and realized P&L per fill; dividends include the instrument name, quantity, gross amount per share, and the event kind (ordinary/bonus/interest/…).
- Honest pies — pie lists now actually return dividend totals (gained/reinvested/in-cash), goal progress, and status; pie details report the dividend cash action.
Changed
- Trading 212 account data is read from /equity/account/summary alone (one HTTP call instead of two) and now includes all-time realized P&L; the legacy /equity/account/cash endpoint remains as a fallback.
- Bybit getAccount reports the exchange's totalEquity (includes derivatives UPL and option value) instead of summing spot coins.
- Bybit key-setup guidance lists the exact read permission groups (Unified Trading, Assets/Wallet, Earn); tools missing a group fail with an error naming it.
Verify provenance: gh attestation verify <file>.mcpb --repo Guck111/fenek-portfolio-companion
v0.3.0
Keyless multi-chain crypto wallets.
Added
- Crypto wallets now cover Bitcoin, Litecoin, and Dogecoin alongside Solana and TON — all read keyless, with no API keys, via public endpoints.
- A single Wallet addresses field replaces the separate per-chain fields: paste any mix of addresses (commas, spaces, or new lines) and each address's chain is detected automatically from its format and checksum.
- crypto_get_positions reports addresses it skipped — unrecognized, on a not-yet-supported chain, or failed to load — instead of dropping them silently.
Changed
- Solana is now keyless. Holdings are read from a public Solana RPC node (native SOL plus SPL Token and Token-2022 accounts); the Helius API key is no longer used.
Removed
- The SOLANA_ADDRESS, TON_ADDRESS, and HELIUS_API_KEY configuration fields, replaced by the single keyless Wallet addresses field.
Verify provenance: gh attestation verify <file>.mcpb --repo Guck111/fenek-portfolio-companion
v0.2.2
Directory-submission metadata fix.
Changed
- Point the manifest author field at the maintainer's GitHub profile (a directory submission requirement).
Verify provenance: gh attestation verify <file>.mcpb --repo Guck111/fenek-portfolio-companion
v0.2.1
Connector configuration simplified.
Changed
- Trading 212 demo vs live is now detected automatically from the API key; the ENVIRONMENT setting is gone. Every credential field is optional, so you configure only the sources you use.
- Config fields are grouped by provider with clearer titles and shorter descriptions.
Added
- fenek_getting_started — a credential-free overview of what the extension does and how to set it up, runnable before any keys are entered. Exposed as both a prompt and a tool.
Fixed
- Cross-broker tools (portfolio_overview, portfolio_concentration, portfolio_pie_overlap, portfolio_dividend_history) no longer fail entirely when a single broker errors (e.g. an expired key → 401). They return the healthy brokers' data and report per-broker failures in an errors field.
Removed
- The LANGUAGE setting and the Russian prompt translations. Prompts are English; the model replies in the user's language conversationally.
Verify provenance: gh attestation verify <file>.mcpb --repo Guck111/fenek-portfolio-companion