@atomicmail/agent-skill 0.2.0 → 0.2.2

package/README.md

@@ -1,7 +1,11 @@
+---
+description: Install and run the @atomicmail/agent-skill CLI (register, jmap_request, help) for shell-capable agents and automation.
+---
+
 # @atomicmail/agent-skill
 
-Atomic Mail AgentSkill CLI for AI agents. It exposes three commands: `register`,
-`jmap_request`, and `help` (same surface as `@atomicmail/mcp`).
+Atomic Mail AgentSkill CLI for shell-capable AI agents. It exposes three
+commands: `register`, `jmap_request`, and `help`.
 
 ## Install / run
 
@@ -9,12 +13,6 @@ Atomic Mail AgentSkill CLI for AI agents. It exposes three commands: `register`,
 npx --package=@atomicmail/agent-skill atomicmail --help
 ```
 
-From source:
-
-```bash
-deno run -A scripts/cli.ts --help
-```
-
 ## Quick start
 
 ```bash
@@ -25,7 +23,7 @@ npx --package=@atomicmail/agent-skill atomicmail jmap_request \
   --ops '[["Mailbox/get", {"accountId": "$ACCOUNT_ID"}, "m0"]]'
 ```
 
-## Placeholder substitution
+## `jmap_request` and placeholders
 
 - Built-in placeholders: `$ACCOUNT_ID`, `$INBOX`
 - Custom placeholders: any `$VAR_NAME` via `--vars '{"VAR_NAME":"value"}'`
@@ -35,10 +33,44 @@ Example:
 
 ```bash
 npx --package=@atomicmail/agent-skill atomicmail jmap_request \
-  --ops-file send_email.json \
+  --ops-file send_mail.json \
   --vars '{"TO":"alice@example.com","SUBJECT":"Hello","BODY":"Hi there"}'
 ```
 
+## Presets and placeholders
+
+Presets are reusable JSON files for `jmap_request`:
+
+- Inline JSON: `--ops '[["Mailbox/get", {"accountId":"$ACCOUNT_ID"}, "m0"]]'`
+- Preset file: `--ops-file list_inbox.json --vars '{"COUNT":"10"}'`
+
+Resolution order for `--ops-file`:
+
+1. Resolve relative to `--credentials-dir` (default `~/.atomicmail`).
+2. If missing, fall back to bundled presets in the package.
+
+Placeholder rules:
+
+- Pattern: `$VAR_NAME`, where `VAR_NAME` matches `^[A-Z][A-Z0-9_]*$`.
+- Built-ins: `$ACCOUNT_ID`, `$INBOX`.
+- Lowercase `$tokens` such as JMAP back-references (`$draft`) are not matched.
+- Custom placeholders: pass string values via `--vars`.
+- Resolution order per variable: `--vars` first, then built-in auto-resolvers.
+- Built-ins can be overridden via `--vars` using `ACCOUNT_ID` or `INBOX`.
+- If any referenced variable is unresolved, `jmap_request` fails with a missing
+  variables error.
+- Substitution is single-pass: inserted values are not scanned again for nested
+  `$VAR_NAME` tokens.
+
+Bundled presets:
+
+- `send_mail.json` (`$TO`, `$SUBJECT`, `$BODY`)
+- `list_inbox.json` (`$COUNT`)
+- `reply.json` (`$MAIL_ID`, `$BODY`)
+
+`--ops-file` resolves against `--credentials-dir` first, then bundled presets
+inside the package.
+
 ## Shared state
 
 Credential files in `~/.atomicmail` (mode `0600`):
@@ -47,10 +79,17 @@ Credential files in `~/.atomicmail` (mode `0600`):
 - `session.jwt`
 - `capability.jwt`
 
-The skill and MCP server share this layout.
+This is the on-disk state used by the CLI (and MCP).
+
+## Defaults
+
+- auth endpoint: `https://auth.atomicmail.ai`
+- api endpoint: `https://api.atomicmail.ai`
+- credentials directory: `~/.atomicmail`
 
 ## Overriding defaults
 
-- Endpoints: `--auth-url`, `--api-url` or `ATOMIC_MAIL_AUTH_URL`, `ATOMIC_MAIL_API_URL`
+- Endpoints: `--auth-url`, `--api-url` or `ATOMIC_MAIL_AUTH_URL`,
+  `ATOMIC_MAIL_API_URL`
 - Credentials path: `--credentials-dir` or `ATOMIC_MAIL_CREDENTIALS_DIR`
 - PoW salt: `--scrypt-salt` or `ATOMIC_MAIL_SCRYPT_SALT`

package/SKILL.md

@@ -1,8 +1,6 @@
 ---
 name: atomicmail
 description: Read and write email through the Atomic Mail ESP from an AI agent. Handles proof-of-work authentication and JMAP so the agent thinks in JMAP method calls. Use when the user asks to register an email inbox, list mailboxes, fetch or send email.
-license: MIT
-compatibility: Requires Deno 2.0+ to run scripts directly, or Node 20+ / Bun 1.1+ via `npx @atomicmail/agent-skill` after publishing. Needs network access to the configured auth-service and api-service.
 ---
 
 # Atomic Mail
@@ -15,21 +13,15 @@ rotation. This skill ships a single CLI entrypoint with three commands:
 
 - Register a new inbox or log in with an existing API key.
 - Send JMAP batches (inline JSON or preset files).
-- Read built-in documentation (JMAP cheatsheet, presets, troubleshooting).
+- Read built-in documentation (JMAP cheatsheet, presets, troubleshooting) or
+  the package README (`atomicmail help --topic readme`).
 
 ## Commands
 
-All invocations use `scripts/cli.ts` or the published binary **`atomicmail`**:
-
 ```bash
-# Deno (repo)
-deno run -A scripts/cli.ts register --username alice
-deno run -A scripts/cli.ts jmap_request --ops-file x.json
-deno run -A scripts/cli.ts help --topic presets
-
-# Node / Bun (after publish)
-npx --package=@atomicmail/agent-skill atomicmail register --username "myagent" ...
-npx --package=@atomicmail/agent-skill atomicmail jmap_request --ops-file send_hello.json
+npx --package=@atomicmail/agent-skill atomicmail register --username "myagent"
+
+npx --package=@atomicmail/agent-skill atomicmail jmap_request --ops-file list_inbox.json --vars '{"COUNT":"10"}'
 ```
 
 Run **`atomicmail --help`** or **`atomicmail <command> --help`** for flags.
@@ -45,7 +37,7 @@ Run **`atomicmail --help`** or **`atomicmail <command> --help`** for flags.
 ### 1. Register (new account)
 
 ```bash
-deno run -A scripts/cli.ts register \
+npx --package=@atomicmail/agent-skill atomicmail register \
   --username "alice"
 ```
 
@@ -55,59 +47,90 @@ including `inbox` and `accountId`.
 ### 2. Register (existing API key, in case losing the credentials file)
 
 ```bash
-deno run -A scripts/cli.ts register \
+npx --package=@atomicmail/agent-skill atomicmail register \
   --api-key "..."
 ```
 
 ### 3. JMAP request
 
 ```bash
-deno run -A scripts/cli.ts jmap_request \
+npx --package=@atomicmail/agent-skill atomicmail jmap_request \
   --ops '[["Mailbox/get", {"accountId": "$ACCOUNT_ID"}, "m0"]]'
 ```
 
-`$ACCOUNT_ID` and `$INBOX` resolve from the session/credentials. Other
-placeholders such as `$TO` or `$SUBJECT` require `--vars` with a JSON object of
-strings (same substitution applies to `--ops` and `--ops-file`).
+`$ACCOUNT_ID`, `$INBOX`, `$UPLOAD_URL`, and `$DOWNLOAD_URL` resolve from the
+session/credentials. Other placeholders such as `$TO` or `$SUBJECT` require
+`--vars` with a JSON object of strings (same substitution applies to `--ops` and
+`--ops-file`).
 
 Preset file:
 
 ```bash
-deno run -A scripts/cli.ts jmap_request \
+npx --package=@atomicmail/agent-skill atomicmail jmap_request \
   --ops-file fetch_last_100.json
 ```
 
 With custom placeholders:
 
 ```bash
-deno run -A scripts/cli.ts jmap_request \
-  --ops-file send_email.json \
+npx --package=@atomicmail/agent-skill atomicmail jmap_request \
+  --ops-file send_mail.json \
   --vars '{"TO":"alice@example.com","SUBJECT":"Hello","BODY":"Hi there"}'
 ```
 
+Bundled presets (no local file creation required):
+
+- `send_mail.json` (`$TO`, `$SUBJECT`, `$BODY`)
+- `list_inbox.json` (`$COUNT`)
+- `reply.json` (`$MAIL_ID`, `$BODY`)
+
 ### 4. Help
 
 ```bash
-deno run -A scripts/cli.ts help
-deno run -A scripts/cli.ts help --topic jmap_cheatsheet
+npx --package=@atomicmail/agent-skill atomicmail help
+npx --package=@atomicmail/agent-skill atomicmail help --topic jmap_cheatsheet
 ```
 
-## npm package
+## Security
+
+- `credentials.json` holds the API key (mode `0600`). Do not commit it.
+- JWT files are bearer secrets — do not log them.
+
+## Attachments and blobs
+
+### Inline blobs in JMAP (RFC 9404)
 
-From the `skill/` directory:
+Use `Blob/upload` and `Blob/get` through `jmap_request` by adding
+`urn:ietf:params:jmap:blob` to `using`.
 
 ```bash
-deno task build:npm
-cd npm && npm publish --access public
+npx --package=@atomicmail/agent-skill atomicmail jmap_request \
+  --ops '{
+    "using":[
+      "urn:ietf:params:jmap:core",
+      "urn:ietf:params:jmap:mail",
+      "urn:ietf:params:jmap:submission",
+      "urn:ietf:params:jmap:blob"
+    ],
+    "methodCalls":[
+      ["Blob/upload",{
+        "accountId":"$ACCOUNT_ID",
+        "create":{"b1":{"data:asText":"Hello attachment","type":"text/plain"}}
+      },"b0"]
+    ]
+  }'
 ```
 
-The published **`atomicmail`** binary exposes `register`, `jmap_request`, and
-`help`.
+### Separate upload/download templates (RFC 8620)
 
-## Security
+`credentials.json` stores `uploadUrl` and `downloadUrl` from
+`GET /.well-known/jmap`.
 
-- `credentials.json` holds the API key (mode `0600`). Do not commit it.
-- JWT files are bearer secrets — do not log them.
+- `$UPLOAD_URL` is the RFC 8620 upload template.
+- `$DOWNLOAD_URL` is the RFC 8620 download template.
+
+Use these placeholders when building out-of-band blob transfer steps and attach
+the resulting `blobId` in follow-up JMAP calls.
 
 ## Overriding defaults
 
@@ -115,8 +138,3 @@ The published **`atomicmail`** binary exposes `register`, `jmap_request`, and
   `ATOMIC_MAIL_API_URL`
 - Credentials path: `--credentials-dir` or `ATOMIC_MAIL_CREDENTIALS_DIR`
 - PoW salt: `--scrypt-salt` or `ATOMIC_MAIL_SCRYPT_SALT`
-
-## Building
-
-See repository [`AGENTS.md`](../AGENTS.md) for formatting (`deno fmt`) and
-conventions.

package/esm/_dnt.polyfills.d.ts

@@ -0,0 +1,101 @@
+/**
+ * Based on [import-meta-ponyfill](https://github.com/gaubee/import-meta-ponyfill),
+ * but instead of using npm to install additional dependencies,
+ * this approach manually consolidates cjs/mjs/d.ts into a single file.
+ *
+ * Note that this code might be imported multiple times
+ * (for example, both dnt.test.polyfills.ts and dnt.polyfills.ts contain this code;
+ *  or Node.js might dynamically clear the cache and then force a require).
+ * Therefore, it's important to avoid redundant writes to global objects.
+ * Additionally, consider that commonjs is used alongside esm,
+ * so the two ponyfill functions are stored independently in two separate global objects.
+ */
+import { createRequire } from "node:module";
+import { type URL } from "node:url";
+declare global {
+    interface ImportMeta {
+        /** A string representation of the fully qualified module URL. When the
+         * module is loaded locally, the value will be a file URL (e.g.
+         * `file:///path/module.ts`).
+         *
+         * You can also parse the string as a URL to determine more information about
+         * how the current module was loaded. For example to determine if a module was
+         * local or not:
+         *
+         * ```ts
+         * const url = new URL(import.meta.url);
+         * if (url.protocol === "file:") {
+         *   console.log("this module was loaded locally");
+         * }
+         * ```
+         */
+        url: string;
+        /**
+         * A function that returns resolved specifier as if it would be imported
+         * using `import(specifier)`.
+         *
+         * ```ts
+         * console.log(import.meta.resolve("./foo.js"));
+         * // file:///dev/foo.js
+         * ```
+         *
+         * @param specifier The module specifier to resolve relative to `parent`.
+         * @param parent The absolute parent module URL to resolve from.
+         * @returns The absolute (`file:`) URL string for the resolved module.
+         */
+        resolve(specifier: string, parent?: string | URL | undefined): string;
+        /** A flag that indicates if the current module is the main module that was
+         * called when starting the program under Deno.
+         *
+         * ```ts
+         * if (import.meta.main) {
+         *   // this was loaded as the main module, maybe do some bootstrapping
+         * }
+         * ```
+         */
+        main: boolean;
+        /** The absolute path of the current module.
+         *
+         * This property is only provided for local modules (ie. using `file://` URLs).
+         *
+         * Example:
+         * ```
+         * // Unix
+         * console.log(import.meta.filename); // /home/alice/my_module.ts
+         *
+         * // Windows
+         * console.log(import.meta.filename); // C:\alice\my_module.ts
+         * ```
+         */
+        filename: string;
+        /** The absolute path of the directory containing the current module.
+         *
+         * This property is only provided for local modules (ie. using `file://` URLs).
+         *
+         * * Example:
+         * ```
+         * // Unix
+         * console.log(import.meta.dirname); // /home/alice
+         *
+         * // Windows
+         * console.log(import.meta.dirname); // C:\alice
+         * ```
+         */
+        dirname: string;
+    }
+}
+type NodeRequest = ReturnType<typeof createRequire>;
+type NodeModule = NonNullable<NodeRequest["main"]>;
+interface ImportMetaPonyfillCommonjs {
+    (require: NodeRequest, module: NodeModule): ImportMeta;
+}
+interface ImportMetaPonyfillEsmodule {
+    (importMeta: ImportMeta): ImportMeta;
+}
+interface ImportMetaPonyfill extends ImportMetaPonyfillCommonjs, ImportMetaPonyfillEsmodule {
+}
+export declare let import_meta_ponyfill_commonjs: ImportMetaPonyfillCommonjs;
+export declare let import_meta_ponyfill_esmodule: ImportMetaPonyfillEsmodule;
+export declare let import_meta_ponyfill: ImportMetaPonyfill;
+export {};
+//# sourceMappingURL=_dnt.polyfills.d.ts.map

package/esm/_dnt.polyfills.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"_dnt.polyfills.d.ts","sourceRoot":"","sources":["../src/_dnt.polyfills.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,OAAO,EAAgC,KAAK,GAAG,EAAE,MAAM,UAAU,CAAC;AAGlE,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,UAAU;QAClB;;;;;;;;;;;;;;WAcG;QACH,GAAG,EAAE,MAAM,CAAC;QACZ;;;;;;;;;;;;WAYG;QACH,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,GAAG,GAAG,SAAS,GAAG,MAAM,CAAC;QACtE;;;;;;;;WAQG;QACH,IAAI,EAAE,OAAO,CAAC;QAEd;;;;;;;;;;;;WAYG;QACH,QAAQ,EAAE,MAAM,CAAC;QAEjB;;;;;;;;;;;;WAYG;QACH,OAAO,EAAE,MAAM,CAAC;KACjB;CACF;AAED,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC;AACpD,KAAK,UAAU,GAAG,WAAW,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;AACnD,UAAU,0BAA0B;IAClC,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,UAAU,GAAG,UAAU,CAAC;CACxD;AACD,UAAU,0BAA0B;IAClC,CAAC,UAAU,EAAE,UAAU,GAAG,UAAU,CAAC;CACtC;AACD,UAAU,kBACR,SAAQ,0BAA0B,EAAE,0BAA0B;CAC/D;AAiBD,eAAO,IAAI,6BAA6B,EA2BnC,0BAA0B,CAAC;AAMhC,eAAO,IAAI,6BAA6B,EA4DnC,0BAA0B,CAAC;AAMhC,eAAO,IAAI,oBAAoB,EAoB1B,kBAAkB,CAAC"}

package/esm/_dnt.polyfills.js

@@ -0,0 +1,127 @@
+/**
+ * Based on [import-meta-ponyfill](https://github.com/gaubee/import-meta-ponyfill),
+ * but instead of using npm to install additional dependencies,
+ * this approach manually consolidates cjs/mjs/d.ts into a single file.
+ *
+ * Note that this code might be imported multiple times
+ * (for example, both dnt.test.polyfills.ts and dnt.polyfills.ts contain this code;
+ *  or Node.js might dynamically clear the cache and then force a require).
+ * Therefore, it's important to avoid redundant writes to global objects.
+ * Additionally, consider that commonjs is used alongside esm,
+ * so the two ponyfill functions are stored independently in two separate global objects.
+ */
+//@ts-ignore
+import { createRequire } from "node:module";
+//@ts-ignore
+import { fileURLToPath, pathToFileURL } from "node:url";
+//@ts-ignore
+import { dirname } from "node:path";
+const defineGlobalPonyfill = (symbolFor, fn) => {
+    if (!Reflect.has(globalThis, Symbol.for(symbolFor))) {
+        Object.defineProperty(globalThis, Symbol.for(symbolFor), {
+            configurable: true,
+            get() {
+                return fn;
+            },
+        });
+    }
+};
+export let import_meta_ponyfill_commonjs = (Reflect.get(globalThis, Symbol.for("import-meta-ponyfill-commonjs")) ??
+    (() => {
+        const moduleImportMetaWM = new WeakMap();
+        return (require, module) => {
+            let importMetaCache = moduleImportMetaWM.get(module);
+            if (importMetaCache == null) {
+                const importMeta = Object.assign(Object.create(null), {
+                    url: pathToFileURL(module.filename).href,
+                    main: require.main == module,
+                    resolve: (specifier, parentURL = importMeta.url) => {
+                        return pathToFileURL((importMeta.url === parentURL
+                            ? require
+                            : createRequire(parentURL))
+                            .resolve(specifier)).href;
+                    },
+                    filename: module.filename,
+                    dirname: module.path,
+                });
+                moduleImportMetaWM.set(module, importMeta);
+                importMetaCache = importMeta;
+            }
+            return importMetaCache;
+        };
+    })());
+defineGlobalPonyfill("import-meta-ponyfill-commonjs", import_meta_ponyfill_commonjs);
+export let import_meta_ponyfill_esmodule = (Reflect.get(globalThis, Symbol.for("import-meta-ponyfill-esmodule")) ??
+    ((importMeta) => {
+        const resolveFunStr = String(importMeta.resolve);
+        const shimWs = new WeakSet();
+        //@ts-ignore
+        const mainUrl = ("file:///" + process.argv[1].replace(/\\/g, "/"))
+            .replace(/\/{3,}/, "///");
+        const commonShim = (importMeta) => {
+            if (typeof importMeta.main !== "boolean") {
+                importMeta.main = importMeta.url === mainUrl;
+            }
+            if (typeof importMeta.filename !== "string") {
+                importMeta.filename = fileURLToPath(importMeta.url);
+                importMeta.dirname = dirname(importMeta.filename);
+            }
+        };
+        if (
+        // v16.2.0+, v14.18.0+: Add support for WHATWG URL object to parentURL parameter.
+        resolveFunStr === "undefined" ||
+            // v20.0.0+, v18.19.0+"" This API now returns a string synchronously instead of a Promise.
+            resolveFunStr.startsWith("async")
+        // enable by --experimental-import-meta-resolve flag
+        ) {
+            import_meta_ponyfill_esmodule = (importMeta) => {
+                if (!shimWs.has(importMeta)) {
+                    shimWs.add(importMeta);
+                    const importMetaUrlRequire = {
+                        url: importMeta.url,
+                        require: createRequire(importMeta.url),
+                    };
+                    importMeta.resolve = function resolve(specifier, parentURL = importMeta.url) {
+                        return pathToFileURL((importMetaUrlRequire.url === parentURL
+                            ? importMetaUrlRequire.require
+                            : createRequire(parentURL)).resolve(specifier)).href;
+                    };
+                    commonShim(importMeta);
+                }
+                return importMeta;
+            };
+        }
+        else {
+            /// native support
+            import_meta_ponyfill_esmodule = (importMeta) => {
+                if (!shimWs.has(importMeta)) {
+                    shimWs.add(importMeta);
+                    commonShim(importMeta);
+                }
+                return importMeta;
+            };
+        }
+        return import_meta_ponyfill_esmodule(importMeta);
+    }));
+defineGlobalPonyfill("import-meta-ponyfill-esmodule", import_meta_ponyfill_esmodule);
+export let import_meta_ponyfill = ((...args) => {
+    const _MODULE = (() => {
+        if (typeof require === "function" && typeof module === "object") {
+            return "commonjs";
+        }
+        else {
+            // eval("typeof import.meta");
+            return "esmodule";
+        }
+    })();
+    if (_MODULE === "commonjs") {
+        //@ts-ignore
+        import_meta_ponyfill = (r, m) => import_meta_ponyfill_commonjs(r, m);
+    }
+    else {
+        //@ts-ignore
+        import_meta_ponyfill = (im) => import_meta_ponyfill_esmodule(im);
+    }
+    //@ts-ignore
+    return import_meta_ponyfill(...args);
+});

package/esm/lib/agent/auth/agent-auth-http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-auth-http.d.ts","sourceRoot":"","sources":["../../../../src/lib/agent/auth/agent-auth-http.ts"],"names":[],"mappings":"AAKA,wBAAsB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC;IAC7D,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC,CA8BD;AAED,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE;IACJ,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC,eAAe,CAAC,CA8B1B;AAED,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,CAejB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;CACzC;AAED,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,eAAe,GACrB,OAAO,CAAC,eAAe,CAAC,CAgB1B"}

package/esm/lib/agent/auth/agent-auth-http.js

@@ -0,0 +1,85 @@
+// auth-service HTTP: challenge → session → capability.
+import { decodeJwtPayload } from "./agent-jwt.js";
+import { solvePow } from "./agent-pow.js";
+export async function fetchChallenge(authUrl) {
+    const res = await fetch(`${authUrl}/api/v1/challenge`, {
+        method: "POST",
+    });
+    const text = await res.text();
+    if (!res.ok) {
+        throw new Error(`auth-service /api/v1/challenge returned ${res.status}: ${text}`);
+    }
+    const challengeJWT = readBearerToken(res.headers.get("Authorization"), "Challenge response missing Authorization bearer token.");
+    const payload = decodeJwtPayload(challengeJWT);
+    if (typeof payload.jti !== "string" ||
+        typeof payload.difficulty !== "number") {
+        throw new Error("Challenge JWT payload malformed (missing jti or difficulty).");
+    }
+    return {
+        challengeJWT,
+        challenge: payload.jti,
+        difficulty: payload.difficulty,
+    };
+}
+export async function exchangeSession(authUrl, body) {
+    const { challengeJWT, ...payload } = body;
+    const res = await fetch(`${authUrl}/api/v1/session`, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${challengeJWT}`,
+        },
+        body: JSON.stringify(payload),
+    });
+    const text = await res.text();
+    if (!res.ok) {
+        throw new Error(`auth-service /api/v1/session returned ${res.status}: ${text}`);
+    }
+    const sessionJWT = readBearerToken(res.headers.get("Authorization"), "Session response missing Authorization bearer token.");
+    let data = {};
+    if (text.trim().length > 0) {
+        try {
+            data = JSON.parse(text);
+        }
+        catch {
+            throw new Error("auth-service /api/v1/session returned non-JSON body.");
+        }
+    }
+    return {
+        sessionJWT,
+        apiKey: typeof data.apiKey === "string" ? data.apiKey : undefined,
+    };
+}
+export async function fetchCapability(authUrl, sessionJWT) {
+    const res = await fetch(`${authUrl}/api/v1/capability`, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${sessionJWT}` },
+    });
+    const text = await res.text();
+    if (!res.ok) {
+        throw new Error(`auth-service /api/v1/capability returned ${res.status}: ${text}`);
+    }
+    return readBearerToken(res.headers.get("Authorization"), "Capability response missing Authorization bearer token.");
+}
+export async function performPoWAndSession(input) {
+    const { authUrl, scryptSalt } = input;
+    const { challengeJWT, challenge, difficulty } = await fetchChallenge(authUrl);
+    const { powHex, nonce } = await solvePow(challenge, difficulty, scryptSalt, input.onPowProgress);
+    return exchangeSession(authUrl, {
+        challengeJWT,
+        powHex,
+        nonce,
+        apiKey: input.apiKey,
+        username: input.username,
+    });
+}
+function readBearerToken(headerValue, missingError) {
+    if (!headerValue) {
+        throw new Error(missingError);
+    }
+    const match = /^\s*Bearer\s+(.+?)\s*$/i.exec(headerValue);
+    if (!match || !match[1]) {
+        throw new Error("Authorization header must use Bearer scheme.");
+    }
+    return match[1];
+}

package/esm/lib/{src → agent/auth}/agent-jwt.d.ts

@@ -1,5 +1,3 @@
-export declare const SESSION_TTL_MS: number;
-export declare const CAPABILITY_TTL_MS: number;
 export declare const SESSION_SAFETY_MARGIN_MS = 60000;
 export declare const CAPABILITY_SAFETY_MARGIN_MS = 20000;
 export interface JwtPayload {

package/esm/lib/agent/auth/agent-jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-jwt.d.ts","sourceRoot":"","sources":["../../../../src/lib/agent/auth/agent-jwt.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,wBAAwB,QAAS,CAAC;AAC/C,eAAO,MAAM,2BAA2B,QAAS,CAAC;AAElD,MAAM,WAAW,UAAU;IACzB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,wBAAgB,gBAAgB,CAAC,CAAC,GAAG,UAAU,EAAE,GAAG,EAAE,MAAM,GAAG,CAAC,CAc/D;AAED,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAQnE"}

package/esm/lib/{src → agent/auth}/agent-jwt.js

@@ -1,6 +1,4 @@
 // JWT helpers for capability/session expiry checks.
-export const SESSION_TTL_MS = 4 * 60 * 60 * 1000;
-export const CAPABILITY_TTL_MS = 2 * 60 * 1000;
 export const SESSION_SAFETY_MARGIN_MS = 60_000;
 export const CAPABILITY_SAFETY_MARGIN_MS = 20_000;
 export function decodeJwtPayload(jwt) {

package/esm/lib/agent/auth/agent-pow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-pow.d.ts","sourceRoot":"","sources":["../../../../src/lib/agent/auth/agent-pow.ts"],"names":[],"mappings":"AAuCA,wBAAsB,QAAQ,CAC5B,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,MAAM,EACZ,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,GACnC,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,CAU5C"}

package/esm/lib/{src → agent/jmap}/agent-help-content.d.ts

@@ -1,4 +1,5 @@
 export declare const HELP_TOPICS: Record<string, string>;
 export declare const HELP_TOPIC_LIST: string[];
+export declare function normalizeHelpTopic(topic: string): string;
 export declare function getHelp(topic?: string): string;
 //# sourceMappingURL=agent-help-content.d.ts.map

package/esm/lib/agent/jmap/agent-help-content.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-help-content.d.ts","sourceRoot":"","sources":["../../../../src/lib/agent/jmap/agent-help-content.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CA0P9C,CAAC;AAEF,eAAO,MAAM,eAAe,UAA2B,CAAC;AAExD,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAExD;AAED,wBAAgB,OAAO,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAkB9C"}