@atomicmail/agent-skill 0.1.0 → 0.2.0

package/README.md

@@ -0,0 +1,56 @@
+# @atomicmail/agent-skill
+
+Atomic Mail AgentSkill CLI for AI agents. It exposes three commands: `register`,
+`jmap_request`, and `help` (same surface as `@atomicmail/mcp`).
+
+## Install / run
+
+```bash
+npx --package=@atomicmail/agent-skill atomicmail --help
+```
+
+From source:
+
+```bash
+deno run -A scripts/cli.ts --help
+```
+
+## Quick start
+
+```bash
+npx --package=@atomicmail/agent-skill atomicmail register \
+  --username "myagent"
+
+npx --package=@atomicmail/agent-skill atomicmail jmap_request \
+  --ops '[["Mailbox/get", {"accountId": "$ACCOUNT_ID"}, "m0"]]'
+```
+
+## Placeholder substitution
+
+- Built-in placeholders: `$ACCOUNT_ID`, `$INBOX`
+- Custom placeholders: any `$VAR_NAME` via `--vars '{"VAR_NAME":"value"}'`
+- Works for both `--ops` and `--ops-file`
+
+Example:
+
+```bash
+npx --package=@atomicmail/agent-skill atomicmail jmap_request \
+  --ops-file send_email.json \
+  --vars '{"TO":"alice@example.com","SUBJECT":"Hello","BODY":"Hi there"}'
+```
+
+## Shared state
+
+Credential files in `~/.atomicmail` (mode `0600`):
+
+- `credentials.json`
+- `session.jwt`
+- `capability.jwt`
+
+The skill and MCP server share this layout.
+
+## Overriding defaults
+
+- Endpoints: `--auth-url`, `--api-url` or `ATOMIC_MAIL_AUTH_URL`, `ATOMIC_MAIL_API_URL`
+- Credentials path: `--credentials-dir` or `ATOMIC_MAIL_CREDENTIALS_DIR`
+- PoW salt: `--scrypt-salt` or `ATOMIC_MAIL_SCRYPT_SALT`

package/SKILL.md

@@ -1,242 +1,122 @@
 ---
-name: atomic-mail
-description: Read and write email through the Atomic Mail ESP from an AI agent. Handles the proof-of-work authentication and JMAP protocol so the agent only needs to think in JMAP method calls. Use when the user asks to register an Atomic Mail inbox, list mailboxes, fetch emails, send email, or otherwise programmatically interact with their Atomic Mail account.
+name: atomicmail
+description: Read and write email through the Atomic Mail ESP from an AI agent. Handles proof-of-work authentication and JMAP so the agent thinks in JMAP method calls. Use when the user asks to register an email inbox, list mailboxes, fetch or send email.
 license: MIT
-compatibility: Requires Deno 2.0+ to run scripts directly, or Node 20+ / Bun 1.1+ via `npx @atomic-mail/agent-skill` after publishing. Needs network access to the configured Atomic Mail auth-service and api-service.
-metadata:
-  author: atomic-mail
-  version: "0.1.0"
+compatibility: Requires Deno 2.0+ to run scripts directly, or Node 20+ / Bun 1.1+ via `npx @atomicmail/agent-skill` after publishing. Needs network access to the configured auth-service and api-service.
 ---
 
 # Atomic Mail
 
-Atomic Mail is an AI-agent-first email service provider (ESP) that exposes a
-programmable inbox over JMAP. It uses a custom proof-of-work (PoW) signup flow
-plus three short-lived JWTs (challenge -> session -> capability). This skill
-hides all of that behind two CLI scripts so the agent can focus on JMAP.
+Atomic Mail exposes a programmable inbox over JMAP with PoW signup and JWT
+rotation. This skill ships a single CLI entrypoint with three commands:
+**`register`**, **`jmap_request`**, and **`help`** — matching the MCP server.
 
 ## When to use this skill
 
-Use this skill when the user wants to:
+- Register a new inbox or log in with an existing API key.
+- Send JMAP batches (inline JSON or preset files).
+- Read built-in documentation (JMAP cheatsheet, presets, troubleshooting).
 
-- Register a new Atomic Mail inbox (signup with a username).
-- Re-authenticate an existing Atomic Mail account using its API key.
-- Read, search, or modify email via JMAP (`Mailbox/get`, `Email/query`,
-  `Email/get`, `Email/set`, etc.).
-- Send email via JMAP (`EmailSubmission/set` with the
-  `urn:ietf:params:jmap:submission` capability).
-- Discover the JMAP session object (`/.well-known/jmap`) to find the `accountId`
-  before issuing other JMAP method calls.
+## Commands
 
-## Available scripts
-
-- **`scripts/signup.ts`** — One-time setup: performs PoW signup or login and
-  writes credentials to disk. Run once per agent session/inbox.
-- **`scripts/jmap_request.ts`** — Sends JMAP requests using the saved
-  credentials. Auto-rotates the session and capability JWTs as they expire.
-
-Both scripts are invokable three ways. Pick the one that matches the runtime the
-user has installed:
+All invocations use `scripts/cli.ts` or the published binary **`atomicmail`**:
 
 ```bash
-# Deno (preferred — runs source directly)
-deno run -A scripts/signup.ts ...
-deno run -A scripts/jmap_request.ts ...
-
-# Node (after the npm package is installed/published)
-npx -y @atomic-mail/agent-skill atomic-mail-signup ...
-npx -y @atomic-mail/agent-skill atomic-mail-jmap ...
-
-# Bun
-bunx -y @atomic-mail/agent-skill atomic-mail-signup ...
-bunx -y @atomic-mail/agent-skill atomic-mail-jmap ...
+# Deno (repo)
+deno run -A scripts/cli.ts register --username alice
+deno run -A scripts/cli.ts jmap_request --ops-file x.json
+deno run -A scripts/cli.ts help --topic presets
+
+# Node / Bun (after publish)
+npx --package=@atomicmail/agent-skill atomicmail register --username "myagent" ...
+npx --package=@atomicmail/agent-skill atomicmail jmap_request --ops-file send_hello.json
 ```
 
-> The agent should always pass `--help` first if it is unsure of the exact flag
-> spelling. Both scripts print full usage to stdout and exit `0`.
-
-## Required configuration
+Run **`atomicmail --help`** or **`atomicmail <command> --help`** for flags.
 
-The auth and API base URLs come from the Atomic Mail deployment. Pass them as
-flags or set them in the environment:
+## Defaults
 
-| Flag            | Env var                   | Description                                             |
-| --------------- | ------------------------- | ------------------------------------------------------- |
-| `--auth-url`    | `ATOMIC_MAIL_AUTH_URL`    | Base URL of `auth-service` (PoW + JWT minting).         |
-| `--api-url`     | `ATOMIC_MAIL_API_URL`     | Base URL of `api-service` (JMAP).                       |
-| `--scrypt-salt` | `ATOMIC_MAIL_SCRYPT_SALT` | Optional PoW salt override (defaults match `auth-service`). |
-
-If the user does not know the URLs, ask them — they are deployment-specific.
+- `authUrl`: `https://auth.atomicmail.ai`
+- `apiUrl`: `https://api.atomicmail.ai`
+- credentials directory: `~/.atomicmail`
 
 ## Workflow
 
-### 1. First-time signup (new account)
+### 1. Register (new account)
 
 ```bash
-deno run -A scripts/signup.ts \
-  --auth-url   "$ATOMIC_MAIL_AUTH_URL" \
-  --api-url    "$ATOMIC_MAIL_API_URL" \
-  --username   "alice" \
-  --out-dir    "./.atomic-mail"
+deno run -A scripts/cli.ts register \
+  --username "alice"
 ```
 
-This writes three files into `--out-dir`:
-
-- `credentials.json` — `{ apiKey, inboxId, authUrl, apiUrl, scryptSalt }`. The
-  agent should store the `apiKey` securely; it is the long-lived secret.
-- `session.jwt` — 4-hour session token.
-- `capability.jwt` — 2-minute capability token used as the JMAP bearer.
+Writes `credentials.json`, `session.jwt`, `capability.jwt`. Prints JSON
+including `inbox` and `accountId`.
 
-The script prints a JSON summary to stdout that includes `inboxId` and `apiKey`.
-Save these in the agent's persistent memory (or echo them back to the user) —
-they are the only durable identifiers.
+### 2. Register (existing API key, in case losing the credentials file)
 
-### 2. Re-authenticate (existing API key)
+```bash
+deno run -A scripts/cli.ts register \
+  --api-key "..."
+```
 
-If `credentials.json` already exists, this is normally not needed —
-`jmap_request.ts` will auto-renew session/capability tokens via the stored API
-key. Use `signup.ts --api-key` only if the user wants to start a fresh
-credentials directory from a known API key.
+### 3. JMAP request
 
 ```bash
-deno run -A scripts/signup.ts \
-  --auth-url    "$ATOMIC_MAIL_AUTH_URL" \
-  --api-url     "$ATOMIC_MAIL_API_URL" \
-  --api-key     "11111111-2222-3333-4444-555555555555" \
-  --out-dir     "./.atomic-mail"
+deno run -A scripts/cli.ts jmap_request \
+  --ops '[["Mailbox/get", {"accountId": "$ACCOUNT_ID"}, "m0"]]'
 ```
 
-### 3. Discover the JMAP session
+`$ACCOUNT_ID` and `$INBOX` resolve from the session/credentials. Other
+placeholders such as `$TO` or `$SUBJECT` require `--vars` with a JSON object of
+strings (same substitution applies to `--ops` and `--ops-file`).
 
-Run this **once** before any other JMAP call to learn the `accountId` and
-mailbox structure.
+Preset file:
 
 ```bash
-deno run -A scripts/jmap_request.ts \
-  --credentials-dir "./.atomic-mail" \
-  --session
+deno run -A scripts/cli.ts jmap_request \
+  --ops-file fetch_last_100.json
 ```
 
-The response JSON contains `primaryAccounts`, `accounts`, `capabilities`, etc.
-Extract the `accountId` for the user's primary mail account from
-`primaryAccounts["urn:ietf:params:jmap:mail"]`.
-
-### 4. Send a JMAP request (inline ops)
+With custom placeholders:
 
 ```bash
-deno run -A scripts/jmap_request.ts \
-  --credentials-dir "./.atomic-mail" \
-  --ops '[["Mailbox/get", {"accountId": "ACCOUNT_ID"}, "m0"]]'
+deno run -A scripts/cli.ts jmap_request \
+  --ops-file send_email.json \
+  --vars '{"TO":"alice@example.com","SUBJECT":"Hello","BODY":"Hi there"}'
 ```
 
-For multiple method calls or capabilities, pass a full envelope:
+### 4. Help
 
 ```bash
-deno run -A scripts/jmap_request.ts \
-  --credentials-dir "./.atomic-mail" \
-  --ops '{
-    "using": ["urn:ietf:params:jmap:core","urn:ietf:params:jmap:mail"],
-    "methodCalls": [
-      ["Mailbox/get", {"accountId": "ACCOUNT_ID"}, "m0"],
-      ["Email/query", {"accountId": "ACCOUNT_ID", "limit": 10}, "q0"]
-    ]
-  }'
+deno run -A scripts/cli.ts help
+deno run -A scripts/cli.ts help --topic jmap_cheatsheet
 ```
 
-### 5. Send a JMAP request (preset file)
+## npm package
 
-For repeated tasks, save the JMAP body to a file and reuse it. The file may
-contain either a `methodCalls` array or a full `{ using, methodCalls }`
-envelope.
+From the `skill/` directory:
 
 ```bash
-cat > fetch_last_100.json <<'EOF'
-[
-  ["Email/query", {
-    "accountId": "ACCOUNT_ID",
-    "limit": 100,
-    "sort": [{ "property": "receivedAt", "isAscending": false }]
-  }, "q0"],
-  ["Email/get", {
-    "accountId": "ACCOUNT_ID",
-    "#ids": { "resultOf": "q0", "name": "Email/query", "path": "/ids" },
-    "properties": ["id","threadId","subject","from","receivedAt","preview"]
-  }, "g0"]
-]
-EOF
-
-deno run -A scripts/jmap_request.ts \
-  --credentials-dir "./.atomic-mail" \
-  --ops-file fetch_last_100.json
+deno task build:npm
+cd npm && npm publish --access public
 ```
 
-The agent can build a small library of these preset files (`send_email.json`,
-`mark_read.json`, etc.) and reuse them across runs.
+The published **`atomicmail`** binary exposes `register`, `jmap_request`, and
+`help`.
 
-### 6. Send email
+## Security
 
-Send is a JMAP `EmailSubmission/set` plus an optional `Email/set` to upload the
-draft. Remember to add the submission capability to `using`:
+- `credentials.json` holds the API key (mode `0600`). Do not commit it.
+- JWT files are bearer secrets — do not log them.
 
-```bash
-deno run -A scripts/jmap_request.ts \
-  --credentials-dir "./.atomic-mail" \
-  --using "urn:ietf:params:jmap:core,urn:ietf:params:jmap:mail,urn:ietf:params:jmap:submission" \
-  --ops-file send_email.json
-```
+## Overriding defaults
 
-## Token rotation (handled automatically)
-
-`jmap_request.ts` checks both JWTs before every request:
-
-- If `capability.jwt` is within 20 s of expiry, it calls
-  `POST /api/v1/capability` with the existing session JWT and rewrites
-  `capability.jwt`.
-- If `session.jwt` is within 60 s of expiry (or missing), it re-runs the full
-  PoW handshake using the API key from `credentials.json`, then rewrites both
-  `session.jwt` and `capability.jwt`.
-
-The agent does not need to call `signup.ts` again to refresh tokens — it only
-needs to call `signup.ts` for the very first registration of an account.
-
-## Troubleshooting
-
-- **`Could not read credentials file ... Did you run signup first?`** — Run
-  `signup.ts` once with `--username` (new account) or `--api-key` (existing
-  account) to create the file set.
-- **`auth-service /api/v1/session returned 409`** — The challenge was consumed
-  (likely a duplicate request or a clock skew). Just rerun `signup.ts` or the
-  failing `jmap_request.ts` once; a fresh challenge will be issued.
-- **`auth-service /api/v1/session returned 401`** — The `apiKey` in
-  `credentials.json` is unknown or suspended. Re-register with `--username` or
-  get a new API key from the operator.
-- **PoW takes a long time on first run** — Difficulty is fixed at 6 leading zero
-  bits, which averages ~64 scrypt iterations. Each scrypt is ~16 MB and ~200-500
-  ms, so the whole solve typically completes in under 30 seconds on a modern
-  laptop.
-- **`Capability JWT did not contain an inboxId claim`** — Almost certainly a
-  server/version mismatch. Verify `--auth-url` points to a current
-  `auth-service` deployment.
-
-## Security notes
-
-- `credentials.json` contains the long-lived API key. The script writes it with
-  mode `0600`, but the agent must not echo the file's contents into shared logs
-  or commit it to source control.
-- Pick a credentials directory that is private to the agent's runtime user (e.g.
-  `~/.config/atomic-mail/` or a per-task working dir).
-- `session.jwt` and `capability.jwt` are short-lived but should be treated as
-  bearer credentials too — never log them.
-
-## Building an npm package
-
-Scripts can be published as an npm package so Node and Bun environments can use
-them through `npx` / `bunx`. From the skill directory:
+- Endpoints: `--auth-url`, `--api-url` or `ATOMIC_MAIL_AUTH_URL`,
+  `ATOMIC_MAIL_API_URL`
+- Credentials path: `--credentials-dir` or `ATOMIC_MAIL_CREDENTIALS_DIR`
+- PoW salt: `--scrypt-salt` or `ATOMIC_MAIL_SCRYPT_SALT`
 
-```bash
-deno task build:npm           # writes ./npm
-cd npm && npm publish --access public
-```
+## Building
 
-After publishing, `npx @atomic-mail/agent-skill atomic-mail-signup` and
-`npx @atomic-mail/agent-skill atomic-mail-jmap` work without Deno installed.
+See repository [`AGENTS.md`](../AGENTS.md) for formatting (`deno fmt`) and
+conventions.

package/esm/{skill/scripts/lib/auth.d.ts → lib/src/agent-auth-http.d.ts}

@@ -1,19 +1,3 @@
-export declare const SESSION_TTL_MS: number;
-export declare const CAPABILITY_TTL_MS: number;
-export declare const CAPABILITY_SAFETY_MARGIN_MS = 20000;
-export declare const SESSION_SAFETY_MARGIN_MS = 60000;
-export interface JwtPayload {
-    exp?: number;
-    iat?: number;
-    jti?: string;
-    [key: string]: unknown;
-}
-export declare function decodeJwtPayload<T = JwtPayload>(jwt: string): T;
-export declare function isJwtExpired(jwt: string, marginMs: number): boolean;
-export declare function solvePow(challenge: string, difficulty: number, salt: string, onProgress?: (nonce: bigint) => void): Promise<{
-    powHex: string;
-    nonce: string;
-}>;
 export declare function fetchChallenge(authUrl: string): Promise<{
     challengeJWT: string;
     challenge: string;
@@ -39,4 +23,4 @@ export interface PerformPoWInput {
     onPowProgress?: (nonce: bigint) => void;
 }
 export declare function performPoWAndSession(input: PerformPoWInput): Promise<SessionResponse>;
-//# sourceMappingURL=auth.d.ts.map
+//# sourceMappingURL=agent-auth-http.d.ts.map

package/esm/lib/src/agent-auth-http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-auth-http.d.ts","sourceRoot":"","sources":["../../../src/lib/src/agent-auth-http.ts"],"names":[],"mappings":"AAoCA,wBAAsB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC;IAC7D,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC,CAqBD;AAED,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE;IACJ,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC,eAAe,CAAC,CAS1B;AAED,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,CAUjB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;CACzC;AAED,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,eAAe,GACrB,OAAO,CAAC,eAAe,CAAC,CAgB1B"}

package/esm/lib/src/agent-auth-http.js

@@ -0,0 +1,76 @@
+// auth-service HTTP: challenge → session → capability.
+import { decodeJwtPayload } from "./agent-jwt.js";
+import { solvePow } from "./agent-pow.js";
+async function postJson(url, body, headers = {}) {
+    const res = await fetch(url, {
+        method: "POST",
+        headers: {
+            ...(body ? { "Content-Type": "application/json" } : {}),
+            ...headers,
+        },
+        body: body ? JSON.stringify(body) : undefined,
+    });
+    const text = await res.text();
+    const path = (() => {
+        try {
+            return new URL(url).pathname;
+        }
+        catch {
+            return url;
+        }
+    })();
+    if (!res.ok) {
+        throw new Error(`auth-service ${path} returned ${res.status}: ${text}`);
+    }
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        throw new Error(`auth-service ${path} returned non-JSON body: ${text}`);
+    }
+}
+export async function fetchChallenge(authUrl) {
+    const data = await postJson(`${authUrl}/api/v1/challenge`, undefined);
+    if (typeof data.challengeJWT !== "string") {
+        throw new Error("Challenge response missing challengeJWT.");
+    }
+    const payload = decodeJwtPayload(data.challengeJWT);
+    if (typeof payload.jti !== "string" ||
+        typeof payload.difficulty !== "number") {
+        throw new Error("Challenge JWT payload malformed (missing jti or difficulty).");
+    }
+    return {
+        challengeJWT: data.challengeJWT,
+        challenge: payload.jti,
+        difficulty: payload.difficulty,
+    };
+}
+export async function exchangeSession(authUrl, body) {
+    const data = await postJson(`${authUrl}/api/v1/session`, { ...body });
+    if (typeof data.sessionJWT !== "string") {
+        throw new Error("Session response missing sessionJWT.");
+    }
+    return {
+        sessionJWT: data.sessionJWT,
+        apiKey: typeof data.apiKey === "string" ? data.apiKey : undefined,
+    };
+}
+export async function fetchCapability(authUrl, sessionJWT) {
+    const data = await postJson(`${authUrl}/api/v1/capability`, undefined, { Authorization: `Bearer ${sessionJWT}` });
+    if (typeof data.capabilityJWT !== "string") {
+        throw new Error("Capability response missing capabilityJWT.");
+    }
+    return data.capabilityJWT;
+}
+export async function performPoWAndSession(input) {
+    const { authUrl, scryptSalt } = input;
+    const { challengeJWT, challenge, difficulty } = await fetchChallenge(authUrl);
+    const { powHex, nonce } = await solvePow(challenge, difficulty, scryptSalt, input.onPowProgress);
+    return exchangeSession(authUrl, {
+        challengeJWT,
+        powHex,
+        nonce,
+        apiKey: input.apiKey,
+        username: input.username,
+    });
+}

package/esm/{skill/scripts/lib/credentials.d.ts → lib/src/agent-credentials-store.d.ts}

@@ -13,6 +13,9 @@ export interface SkillFiles {
 export declare function defaultFilesFromOutDir(outDir: string): SkillFiles;
 export declare function writeCredentials(path: string, creds: Credentials): Promise<void>;
 export declare function readCredentials(path: string): Promise<Credentials>;
+export declare function tryReadCredentials(path: string): Promise<Credentials | undefined>;
 export declare function writeJwtFile(path: string, jwt: string): Promise<void>;
 export declare function tryReadJwtFile(path: string): Promise<string | undefined>;
-//# sourceMappingURL=credentials.d.ts.map
+/** Best-effort removal of credential artifacts (ignore missing files). */
+export declare function unlinkCredentialArtifacts(files: SkillFiles): Promise<void>;
+//# sourceMappingURL=agent-credentials-store.d.ts.map

package/esm/lib/src/agent-credentials-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-credentials-store.d.ts","sourceRoot":"","sources":["../../../src/lib/src/agent-credentials-store.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAOjE;AAMD,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,WAAW,GACjB,OAAO,CAAC,IAAI,CAAC,CAGf;AAED,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAiCxE;AAED,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,CAOlC;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAG3E;AAED,wBAAsB,cAAc,CAClC,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAO7B;AAED,0EAA0E;AAC1E,wBAAsB,yBAAyB,CAC7C,KAAK,EAAE,UAAU,GAChB,OAAO,CAAC,IAAI,CAAC,CAcf"}

package/esm/{skill/scripts/lib/credentials.js → lib/src/agent-credentials-store.js}

@@ -1,10 +1,6 @@
-// Credential file I/O. Three files form a complete skill credential set:
-//   credentials.json  — long-lived: apiKey, inboxId, server URLs, PoW salt.
-//   session.jwt       — short-lived (~4h): rotates via /session + PoW.
-//   capability.jwt    — short-lived (~2min): rotates via /capability.
-//
-// Files are written with mode 0600 so other local users cannot read them.
-import { mkdir, readFile, writeFile } from "node:fs/promises";
+// Credential file I/O shared by MCP and AgentSkill.
+// Three files: credentials.json, session.jwt, capability.jwt (mode 0600).
+import { mkdir, readFile, unlink, writeFile } from "node:fs/promises";
 import { dirname, join, resolve } from "node:path";
 export function defaultFilesFromOutDir(outDir) {
     const base = resolve(outDir);
@@ -28,7 +24,7 @@ export async function readCredentials(path) {
     }
     catch (err) {
         throw new Error(`Could not read credentials file '${path}': ${err.message}. ` +
-            "Did you run signup first?");
+            "Did you run register first?");
     }
     let obj;
     try {
@@ -51,6 +47,15 @@ export async function readCredentials(path) {
     }
     return obj;
 }
+export async function tryReadCredentials(path) {
+    try {
+        await readFile(path, "utf-8");
+    }
+    catch {
+        return undefined;
+    }
+    return readCredentials(path);
+}
 export async function writeJwtFile(path, jwt) {
     await ensureParent(path);
     await writeFile(path, jwt, { mode: 0o600 });
@@ -64,3 +69,18 @@ export async function tryReadJwtFile(path) {
         return undefined;
     }
 }
+/** Best-effort removal of credential artifacts (ignore missing files). */
+export async function unlinkCredentialArtifacts(files) {
+    for (const p of [
+        files.credentialsFile,
+        files.sessionFile,
+        files.capabilityFile,
+    ]) {
+        try {
+            await unlink(p);
+        }
+        catch {
+            // ignore
+        }
+    }
+}

package/esm/lib/src/agent-help-content.d.ts

@@ -0,0 +1,4 @@
+export declare const HELP_TOPICS: Record<string, string>;
+export declare const HELP_TOPIC_LIST: string[];
+export declare function getHelp(topic?: string): string;
+//# sourceMappingURL=agent-help-content.d.ts.map

package/esm/lib/src/agent-help-content.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-help-content.d.ts","sourceRoot":"","sources":["../../../src/lib/src/agent-help-content.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAuO9C,CAAC;AAEF,eAAO,MAAM,eAAe,UAA2B,CAAC;AAExD,wBAAgB,OAAO,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAW9C"}