Summary
Ship the security posture change directly in v2.0.0 without a v1 transition release.
In v2, this package should stop checking in and publishing third-party binaries, and instead resolve them at runtime from official vendor sources with verification.
Users who require the current fully offline behavior can pin to v1.x.
Motivation
Today the package includes third-party artifacts in the repo and npm package:
- the Interactive Brokers Client Portal Gateway JAR / gateway bundle
- a bundled Java runtime
That creates an unnecessary trust and maintenance burden:
- no clean chain of trust for vendor binaries committed here
- harder human review of updates to opaque binary blobs
- larger npm payloads and more repository churn
- ongoing responsibility to redistribute and maintain artifacts we do not own
This issue is the v2 umbrella for addressing #62 and #63.
Decision
Make this a breaking change in v2.0.0 rather than introducing a v1 transition.
Rationale:
- the install/runtime contract changes materially
- security posture improves immediately
- semver stays honest
- users who need the old model can remain on
v1.x
Proposed v2 behavior
Distribution
- remove checked-in IB Gateway binary artifacts from the repo
- remove checked-in bundled Java runtime artifacts from the repo
- stop publishing those artifacts in the npm package
- publish only MCP code, config/templates, and installer logic
Runtime resolution
On startup:
- Prefer user-managed dependencies if present
IB_GATEWAY_DIR
IB_JAVA_HOME / JAVA_HOME
- system
java if supported by the runtime checks
- If required dependencies are missing, lazily install them on demand
- download IB Gateway from official Interactive Brokers distribution
- download Java runtime from an official pinned vendor source
- Verify every downloaded artifact before use
- pinned
sha256
- explicit version manifest in the repo
- Store downloaded artifacts outside the package/repo directory
- e.g.
~/.cache/interactive-brokers-mcp or platform-appropriate equivalent
- Extract atomically and reuse on subsequent runs
Controls
- support disabling downloads entirely, e.g.
IB_DOWNLOADS_DISABLED=true
- fail with a clear error if dependencies are missing and downloads are disabled
- emit clear logs about what is being downloaded, from where, and where it is installed
User impact
New default in v2
npx interactive-brokers-mcp remains one command, but first run may:
- require network access
- take longer
- create a local cache/install directory
- fail if vendor download endpoints are unavailable or blocked
That is still a contract change, which is why this should be a major release.
Fully offline users
Users who require the current behavior can:
- pin to
interactive-brokers-mcp@1
- or preinstall/manage Java and IB Gateway themselves and disable downloads in
v2
Summary
Ship the security posture change directly in
v2.0.0without av1transition release.In
v2, this package should stop checking in and publishing third-party binaries, and instead resolve them at runtime from official vendor sources with verification.Users who require the current fully offline behavior can pin to
v1.x.Motivation
Today the package includes third-party artifacts in the repo and npm package:
That creates an unnecessary trust and maintenance burden:
This issue is the
v2umbrella for addressing #62 and #63.Decision
Make this a breaking change in
v2.0.0rather than introducing av1transition.Rationale:
v1.xProposed v2 behavior
Distribution
Runtime resolution
On startup:
IB_GATEWAY_DIRIB_JAVA_HOME/JAVA_HOMEjavaif supported by the runtime checkssha256~/.cache/interactive-brokers-mcpor platform-appropriate equivalentControls
IB_DOWNLOADS_DISABLED=trueUser impact
New default in v2
npx interactive-brokers-mcpremains one command, but first run may:That is still a contract change, which is why this should be a major release.
Fully offline users
Users who require the current behavior can:
interactive-brokers-mcp@1v2