0nmcp 2.2.0 → 2.4.0

package/orchestrator.js

@@ -38,9 +38,11 @@ const CAPABILITY_KEYWORDS = {
 export class Orchestrator {
   /**
    * @param {import("./connections.js").ConnectionManager} connectionManager
+   * @param {import("./capability-proxy.js").CapabilityProxy} [proxy]
    */
-  constructor(connectionManager) {
+  constructor(connectionManager, proxy) {
     this.connections = connectionManager;
+    this.proxy = proxy;
     this.anthropic = null;
 
     // Dynamically import Anthropic SDK if key is available
@@ -277,14 +279,7 @@ Rules:
     }
 
     try {
-      // Build URL
-      let url = service.baseUrl + endpoint.path;
-
-      // Substitute path params from step.params and credentials
-      const allParams = { ...creds, ...step.params };
-      url = url.replace(/\{(\w+)\}/g, (_, key) => allParams[key] || `{${key}}`);
-
-      // Substitute context references {{label.field}}
+      // Substitute context references {{label.field}} in params
       if (step.params) {
         const paramsStr = JSON.stringify(step.params);
         const resolved = paramsStr.replace(/\{\{(\w+)\.(\w+)\}\}/g, (_, label, field) => {
@@ -293,32 +288,8 @@ Rules:
         step.params = JSON.parse(resolved);
       }
 
-      // Build headers
-      const headers = service.authHeader(creds);
-
-      // Build request options
-      const options = { method: endpoint.method, headers };
-
-      if (endpoint.method !== "GET" && step.params) {
-        const contentType = endpoint.contentType || "application/json";
-        if (contentType === "application/x-www-form-urlencoded") {
-          headers["Content-Type"] = "application/x-www-form-urlencoded";
-          options.body = new URLSearchParams(this._flattenParams(step.params)).toString();
-        } else {
-          headers["Content-Type"] = "application/json";
-          options.body = JSON.stringify(step.params);
-        }
-      }
-
-      // Add query params for GET requests
-      if (endpoint.method === "GET" && step.params) {
-        const queryStr = new URLSearchParams(this._flattenParams(step.params)).toString();
-        if (queryStr) url += (url.includes("?") ? "&" : "?") + queryStr;
-      }
-
-      // Execute
-      const response = await fetch(url, options);
-      const data = await response.json().catch(() => ({ status: response.status }));
+      // Execute through capability proxy (rate-limited, audited, zero-knowledge)
+      const { response, data } = await this.proxy.call(step.service, step.endpoint, step.params || {});
 
       return {
         success: response.ok,

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "0nmcp",
-  "version": "2.2.0",
+  "version": "2.4.0",
   "mcpName": "io.github.0nork/0nMCP",
-  "description": "Universal AI API Orchestrator — 550 tools, 26 services, portable AI Brain bundles + machine-bound vault encryption + Application Engine. The most comprehensive MCP server available. Free and open source from 0nORK.",
+  "description": "Universal AI API Orchestrator — 819 tools, 48 services, portable AI Brain bundles + machine-bound vault encryption + Application Engine. The most comprehensive MCP server available. Free and open source from 0nORK.",
   "type": "module",
   "main": "index.js",
   "types": "types/index.d.ts",
@@ -246,6 +246,7 @@
     "catalog.js",
     "connections.js",
     "orchestrator.js",
+    "capability-proxy.js",
     "crm.js",
     "crm/",
     "webhooks.js",
@@ -258,17 +259,19 @@
     "LICENSE"
   ],
   "0nmcp-stats": {
-    "tools": 290,
+    "tools": 545,
     "crmTools": 245,
     "vaultTools": 4,
+    "vaultContainerTools": 8,
+    "deedTools": 6,
     "engineTools": 6,
     "appTools": 5,
-    "totalTools": 550,
-    "services": 26,
-    "actions": 65,
-    "triggers": 93,
-    "totalCapabilities": 708,
-    "categories": 13,
-    "lastUpdated": "2026-02-28T10:15:52.734Z"
+    "totalTools": 819,
+    "services": 48,
+    "actions": 104,
+    "triggers": 155,
+    "totalCapabilities": 1078,
+    "categories": 21,
+    "lastUpdated": "2026-03-13T00:31:43.573Z"
   }
 }

package/tools.js

@@ -16,7 +16,7 @@ import { SERVICE_CATALOG, listServices, getService } from "./catalog.js";
  * @param {import("./orchestrator.js").Orchestrator} orchestrator
  * @param {import("./workflow.js").WorkflowRunner} [workflowRunner]
  */
-export function registerAllTools(server, connections, orchestrator, workflowRunner) {
+export function registerAllTools(server, connections, orchestrator, workflowRunner, proxy) {
   // ─── execute ───────────────────────────────────────────
   server.tool(
     "execute",
@@ -291,41 +291,8 @@ Examples:
       }
 
       try {
-        let url = catalog.baseUrl + ep.path;
-        const allParams = { ...creds, ...(params || {}) };
-
-        // Substitute path params
-        url = url.replace(/\{(\w+)\}/g, (_, key) => allParams[key] || `{${key}}`);
-
-        const headers = catalog.authHeader(creds);
-        const options = { method: ep.method, headers };
-
-        if (ep.method !== "GET" && params) {
-          const contentType = ep.contentType || "application/json";
-          if (contentType === "application/x-www-form-urlencoded") {
-            headers["Content-Type"] = "application/x-www-form-urlencoded";
-            const flat = {};
-            for (const [k, v] of Object.entries(params)) {
-              if (typeof v !== "object") flat[k] = String(v);
-            }
-            options.body = new URLSearchParams(flat).toString();
-          } else {
-            headers["Content-Type"] = "application/json";
-            options.body = JSON.stringify(params);
-          }
-        }
-
-        if (ep.method === "GET" && params) {
-          const flat = {};
-          for (const [k, v] of Object.entries(params)) {
-            if (typeof v !== "object") flat[k] = String(v);
-          }
-          const qs = new URLSearchParams(flat).toString();
-          if (qs) url += (url.includes("?") ? "&" : "?") + qs;
-        }
-
-        const response = await fetch(url, options);
-        const data = await response.json().catch(() => ({ status: response.status, statusText: response.statusText }));
+        // Execute through capability proxy (rate-limited, audited, zero-knowledge)
+        const { response, data } = await proxy.call(service, endpoint, params || {});
 
         return {
           content: [{

package/vault/sync.js

@@ -0,0 +1,250 @@
+// ============================================================
+// 0nMCP — Vault: Cross-Platform E2E Encrypted Sync
+// ============================================================
+// Syncs vault credentials across CLI, web console, and other
+// platforms using Argon2id key derivation + AES-256-GCM.
+//
+// The server NEVER sees plaintext credentials — only encrypted
+// blobs are stored/transmitted. The sync passphrase never
+// leaves the user's device.
+// ============================================================
+
+import { readFileSync, writeFileSync, readdirSync, existsSync, mkdirSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+import { randomBytes, createCipheriv, createDecipheriv } from "crypto";
+import { createRequire } from "module";
+
+const require = createRequire(import.meta.url);
+
+const DOT_ON = join(homedir(), ".0n");
+const CONNECTIONS_DIR = join(DOT_ON, "connections");
+const SYNC_SALT_FILE = join(DOT_ON, "sync-salt");
+const API_BASE = "https://0nmcp.com";
+
+// AES-256-GCM constants
+const ALGORITHM = "aes-256-gcm";
+const KEY_LENGTH = 32;
+const IV_LENGTH = 12; // 96 bits (GCM recommended)
+const TAG_LENGTH = 16;
+
+// Argon2id parameters (same as crypto-container.js)
+const ARGON2_MEMORY = 65536;     // 64MB
+const ARGON2_ITERATIONS = 4;
+const ARGON2_PARALLELISM = 2;
+const ARGON2_HASH_LENGTH = 32;   // 256 bits
+
+// ── Key Derivation ──────────────────────────────────────────
+
+/**
+ * Derive a 256-bit encryption key from passphrase using Argon2id.
+ * Memory-hard and GPU-resistant.
+ *
+ * @param {string} passphrase - User's sync passphrase
+ * @param {Buffer} salt - 32-byte salt
+ * @returns {Promise<Buffer>} 32-byte AES-256 key
+ */
+async function deriveKey(passphrase, salt) {
+  let argon2;
+  try {
+    argon2 = await import("argon2");
+  } catch {
+    throw new Error("argon2 package required for vault sync. Install: npm i argon2");
+  }
+
+  const mod = argon2.default || argon2;
+  const hash = await mod.hash(passphrase, {
+    type: 2, // argon2id
+    memoryCost: ARGON2_MEMORY,
+    timeCost: ARGON2_ITERATIONS,
+    parallelism: ARGON2_PARALLELISM,
+    hashLength: ARGON2_HASH_LENGTH,
+    salt,
+    raw: true,
+  });
+  return hash;
+}
+
+// ── Encryption / Decryption ─────────────────────────────────
+
+/**
+ * Encrypt data for cloud sync.
+ * Uses Argon2id-derived key + AES-256-GCM.
+ *
+ * @param {string} plaintext - Data to encrypt
+ * @param {string} passphrase - Sync passphrase
+ * @returns {Promise<{ encrypted_data: string, iv: string, salt: string }>}
+ */
+export async function encryptForSync(plaintext, passphrase) {
+  const salt = randomBytes(32);
+  const iv = randomBytes(IV_LENGTH);
+  const key = await deriveKey(passphrase, salt);
+
+  const cipher = createCipheriv(ALGORITHM, key, iv);
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final(),
+  ]);
+  const tag = cipher.getAuthTag();
+
+  // Combine tag + ciphertext for storage
+  const combined = Buffer.concat([tag, encrypted]);
+
+  return {
+    encrypted_data: combined.toString("base64"),
+    iv: iv.toString("base64"),
+    salt: salt.toString("base64"),
+  };
+}
+
+/**
+ * Decrypt data from cloud sync.
+ *
+ * @param {string} encryptedB64 - Base64 encoded [tag + ciphertext]
+ * @param {string} ivB64 - Base64 encoded IV
+ * @param {string} saltB64 - Base64 encoded salt
+ * @param {string} passphrase - Sync passphrase
+ * @returns {Promise<string>} Decrypted plaintext
+ */
+export async function decryptFromSync(encryptedB64, ivB64, saltB64, passphrase) {
+  const combined = Buffer.from(encryptedB64, "base64");
+  const iv = Buffer.from(ivB64, "base64");
+  const salt = Buffer.from(saltB64, "base64");
+
+  if (combined.length < TAG_LENGTH + 1) {
+    throw new Error("Invalid encrypted data: too short");
+  }
+
+  const tag = combined.subarray(0, TAG_LENGTH);
+  const ciphertext = combined.subarray(TAG_LENGTH);
+
+  const key = await deriveKey(passphrase, salt);
+
+  const decipher = createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(tag);
+
+  try {
+    const decrypted = Buffer.concat([
+      decipher.update(ciphertext),
+      decipher.final(),
+    ]);
+    return decrypted.toString("utf8");
+  } catch {
+    throw new Error("Decryption failed — wrong sync passphrase.");
+  }
+}
+
+// ── Sync Operations ─────────────────────────────────────────
+
+async function apiCall(method, path, token, body = null) {
+  const headers = {
+    "Authorization": `Bearer ${token}`,
+    "Content-Type": "application/json",
+  };
+
+  const opts = { method, headers };
+  if (body) opts.body = JSON.stringify(body);
+
+  const res = await fetch(`${API_BASE}${path}`, opts);
+  const data = await res.json();
+  return { ok: res.ok, status: res.status, data };
+}
+
+/**
+ * Push all local connections to cloud (E2E encrypted).
+ *
+ * @param {string} token - Access token
+ * @param {string} passphrase - Sync passphrase
+ * @returns {Promise<{ pushed: number, errors: string[] }>}
+ */
+export async function pushToCloud(token, passphrase) {
+  if (!existsSync(CONNECTIONS_DIR)) {
+    return { pushed: 0, errors: ["No connections directory found. Run: 0nmcp init"] };
+  }
+
+  const files = readdirSync(CONNECTIONS_DIR).filter(f => f.endsWith(".0n"));
+  const errors = [];
+  let pushed = 0;
+
+  for (const file of files) {
+    const serviceKey = file.replace(".0n", "");
+    try {
+      const content = readFileSync(join(CONNECTIONS_DIR, file), "utf8");
+      const { encrypted_data, iv, salt } = await encryptForSync(content, passphrase);
+
+      const { ok, data } = await apiCall("PUT", "/api/vault/sync", token, {
+        service_key: serviceKey,
+        encrypted_data,
+        iv,
+        salt,
+      });
+
+      if (ok) {
+        pushed++;
+      } else {
+        errors.push(`${serviceKey}: ${data.error || "Unknown error"}`);
+      }
+    } catch (err) {
+      errors.push(`${serviceKey}: ${err.message}`);
+    }
+  }
+
+  return { pushed, errors };
+}
+
+/**
+ * Pull all connections from cloud and write to local.
+ *
+ * @param {string} token - Access token
+ * @param {string} passphrase - Sync passphrase
+ * @returns {Promise<{ pulled: number, errors: string[] }>}
+ */
+export async function pullFromCloud(token, passphrase) {
+  if (!existsSync(CONNECTIONS_DIR)) {
+    mkdirSync(CONNECTIONS_DIR, { recursive: true });
+  }
+
+  const { ok, data } = await apiCall("GET", "/api/vault/sync", token);
+  if (!ok) {
+    return { pulled: 0, errors: [data.error || "Failed to fetch from cloud"] };
+  }
+
+  const entries = data.entries || [];
+  const errors = [];
+  let pulled = 0;
+
+  for (const entry of entries) {
+    try {
+      const plaintext = await decryptFromSync(
+        entry.encrypted_data,
+        entry.iv,
+        entry.salt,
+        passphrase
+      );
+
+      const filePath = join(CONNECTIONS_DIR, `${entry.service_key}.0n`);
+      writeFileSync(filePath, plaintext);
+      pulled++;
+    } catch (err) {
+      errors.push(`${entry.service_key}: ${err.message}`);
+    }
+  }
+
+  return { pulled, errors };
+}
+
+/**
+ * Store sync salt locally (so the passphrase prompt
+ * can remind the user they've set one up).
+ */
+export function hasSyncSetup() {
+  return existsSync(SYNC_SALT_FILE);
+}
+
+/**
+ * Mark that sync has been configured.
+ */
+export function markSyncSetup() {
+  if (!existsSync(DOT_ON)) mkdirSync(DOT_ON, { recursive: true });
+  writeFileSync(SYNC_SALT_FILE, new Date().toISOString());
+}