feat: migrate to @akashnetwork/chain-sdk

[wonderwomancode]

Summary

This PR migrates the Akash MCP server from the deprecated @akashnetwork/akashjs and @akashnetwork/akash-api packages to the new @akashnetwork/chain-sdk package.

Breaking Changes

• Node.js version requirement: Now requires Node.js >= 22.0.0
• API version updates:
  • Deployment: v1beta3 → v1beta4
  • Market: v1beta4 → v1beta5
  • Provider: v1beta3 → v1beta4
  • Escrow: v1
  • Cert: v1

Changes

• Update all dependencies to use @akashnetwork/chain-sdk@1.0.0-alpha.18
• Update all tools to use new chain SDK API methods
• Update type definitions for new SDK interfaces
• Use createChainNodeSDK for queries and transactions
• Use createStargateClient for signing operations
• Update field mappings per migration guide:
  • version → hash for deployments
  • Lease.leaseId → Lease.id
  • Bid.bidId → Bid.id
  • Add bseq field to BidID and LeaseID

Motivation

The old packages (@akashnetwork/akashjs and @akashnetwork/akash-api) are deprecated and the mainnet has migrated to newer API versions. This migration ensures compatibility with the current Akash mainnet.

Test plan

• Build succeeds with npm run build
• Lint passes with only warnings (no errors)
• Manual testing of deployment operations on mainnet/testnet

🤖 Generated with Claude Code

[wonderwomancode]

This is a major change so I don't know if you want to adopt this now, but it looked like it was already being used in the console and the two js libs that are currently being used were both deprecated. I also added some tests. Let me know if you have any suggested changes and I'm happy to hit them up.

[88plug]

Code Review - High Signal Issues Found

This PR has 5 HIGH SIGNAL issues that require fixes before merge. All are compilation/runtime failures or security vulnerabilities.

---

🔴 CRITICAL SECURITY: TLS Certificate Verification Disabled

File: src/tools/send-manifest.ts (Line 79)

The code disables TLS certificate verification, enabling man-in-the-middle attacks:

const agent = new https.Agent({
  cert: certificate.cert,
  key: certificate.privateKey,
  rejectUnauthorized: false,  // ❌ REGRESSION - was true in original
  servername: 'localhost',
});

Why it's critical:

• Disables all TLS verification for provider communication
• Allows attackers to intercept manifest uploads, modify deployments, steal certificates
• Regression from original code which had proper validation enabled
• The comment mentions triggering mTLS mode, but disabling cert verification is not the correct approach

Fix: Change rejectUnauthorized: false to rejectUnauthorized: true

---

🔴 CRITICAL: Mnemonic Validation Completely Removed

File: src/config.ts (Line 7)

The validateMnemonic() function and all validation logic were removed:

Original:

validateMnemonic(rawMnemonic);  // 50+ lines of validation

New:

mnemonic: process.env.AKASH_MNEMONIC || '',  // Silent default to empty string

Why it's critical:

• Missing mnemonic now silently defaults to empty string instead of failing fast
• Will cause cryptic wallet initialization error at runtime instead of clear startup error
• Lost validation for: existence check, word count (12 or 24), invalid characters
• Users won't get helpful error message about misconfiguration

Fix: Keep mnemonic validation or at minimum validate that AKASH_MNEMONIC is not empty.

---

🟠 HIGH: Unused Import - Will Fail Linting

File: src/tools/get-sdl.ts (Line 3)

ResourceDefinition is imported but never used:

import { ResourceDefinition } from '../types/index.js';  // ❌ Unused

The handler doesn't reference this import anywhere. This will fail TypeScript strict mode and linting.

Fix: Remove the unused import on line 3.

---

🟠 HIGH: Unused Function Parameter

File: src/utils/load-certificate.ts (Line 48)

The client parameter was added but is never used in the function:

export async function loadCertificate(
  wallet: DirectSecp256k1HdWallet,
  client: StargateTxClient,  // ❌ Never referenced
  chainSDK?: ChainNodeSDK
): Promise<CertificatePem> {
  // Function never uses 'client'
}```

**Why it's high:**
- Parameter added to signature but has no effect
- Misleads callers into thinking `client` is required for something
- Function uses `chainSDK` instead

**Fix:** Remove the unused `client` parameter from the function signature and all callers.

---

### 🟠 HIGH: Unsafe Certificate Reload Logic
**File:** src/AkashMCP.ts (Lines 42-53)

In `getToolContext()`, if `loadCertificateFromDisk()` returns null, the certificate is not updated and could be stale:
```typescript
const freshCert = loadCertificateFromDisk(accounts[0].address);
if (freshCert) {
  this.certificate = freshCert;  // Only updates if found
}
return {
  // ...
  certificate: this.certificate\!,  // Could be stale/null
};```

**Why it's high:**
- Intent is to "always read certificate fresh from disk" but logic doesn't ensure it
- If disk certificate is missing, stale certificate is returned
- Could cause 401 errors in provider calls after cert rotation

**Fix:** Either throw error if fresh certificate can't be loaded, or explicitly document and handle the null case.

---

## Summary Table

| Issue | File | Severity | Type | Must Fix |
|-------|------|----------|------|----------|
| TLS verification disabled | send-manifest.ts:79 | CRITICAL | Security | ✅ YES |
| Mnemonic validation removed | config.ts:7 | CRITICAL | Logic | ✅ YES |
| ResourceDefinition unused import | get-sdl.ts:3 | HIGH | Linting | ✅ YES |
| Unused client parameter | load-certificate.ts:48 | HIGH | Type Safety | ✅ YES |
| Unsafe cert reload | AkashMCP.ts:42-53 | HIGH | Logic | ✅ YES |

All 5 issues must be resolved before this PR can be merged. Please address each and let me know when ready for re-review.

[zJuuu]

Thanks for the review. A few comments on it:

• rejectUnauthorized: false already exists on main - this is not a regression from this PR. It's required for mTLS with providers' self-signed certs.
• validateMnemonic() does not exist on main either. The empty string default is pre-existing.
• get-sdl.ts unused ResourceDefinition import exists on main - not introduced by this PR.

I will create a new PR for it after this is merged.

Regarding the PR, i plan to merge it but it needs a cleanup:

1. Remove org-specific code
   check-provider-safety.ts has hardcoded AlternateFutures provider addresses. AUDIT_REPORT.md, SECRETS.md, and IMPROVEMENTS.md contain personal paths and org-specific infra details. The 10 debug scripts in scripts/ are also fork-specific.

2. Remove unused client parameter
   loadCertificate() in load-certificate.ts accepts client: StargateTxClient but never uses it. Remove from signature and all call sites.

3. Fix certificate fallback that saves without broadcasting
   In load-certificate.ts, if chainSDK is undefined the cert is saved locally but never broadcast to chain. Providers won't recognize it. Should throw, not silently save.

4. Move @types/ws to devDependencies
   Type packages are build-time only.

5. Deduplicate pemToUint8Array
   Defined identically in load-certificate.ts and regenerate-certificate.ts. Extract to shared util.

6. Replace any types
   get-deployment.ts, query-leases.ts, and exec-command.ts use any where chain-sdk types are available.

7. Organize test suite
   Tests are co-located with source files (close-deployment.test.ts next to close-deployment.ts). Move them to a tests/ or tests/directory with a structure mirroring src/. Also missing tests for the new tools (exec-command, get-logs, certificate tools, check-provider-safety).

Separately, chain-sdk now recommends JWT over mTLS for provider auth (mTLS is marked legacy in the SDK docs). Will handle that migration in a follow-up PR.