@atomicmail/mcp 0.1.0 → 0.2.1

package/README.md

@@ -1,128 +1,108 @@
 # @atomicmail/mcp
 
-AtomicMail MCP server — a local stdio Model Context Protocol server that gives
+Atomic Mail MCP server — a local stdio Model Context Protocol server that gives
 an AI agent a programmable email inbox over JMAP, with automatic Proof-of-Work
 auth and capability-token rotation.
 
-The server is authored in TypeScript on Deno and built with
-[`dnt`](https://jsr.io/@deno/dnt) into a Node-compatible npm package, so the
-**same source** runs unchanged on Deno, Node, and Bun.
+## Install
 
-It is the MCP companion to [`@atomic-mail/agent-skill`](../../skill/) — a
-CLI-first skill with identical credential semantics. The MCP and the skill share
-the same on-disk credential layout (`credentials.json` + `session.jwt` +
-`capability.jwt`), so you can mix and match the two freely.
+```json
+// mcp.json
+
+{
+  "mcpServers": {
+    "atomicmail": {
+      "command": "npx",
+      "args": ["-y", "@atomicmail/mcp"]
+    }
+  }
+}
+```
+
+Your MCP host spawns this process; see configuration below.
 
 ## Tools exposed
 
-| Tool           | Description                                                       |
-| -------------- | ----------------------------------------------------------------- |
-| `register`     | PoW signup. Persists credentials to disk; returns the API key.    |
-| `jmap_session` | `GET /.well-known/jmap` — discover accountId + mailbox URLs.      |
-| `jmap_request` | Send any JMAP method-call batch. Inline or via saved preset file. |
-| `get_docs`     | Built-in docs. Topics include `installation`, `presets`, `auth`.  |
+| Tool           | Description                                                                                                                                               |
+| -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `register`     | PoW signup; persists credentials. Idempotent when username matches inbox.                                                                                 |
+| `jmap_request` | JMAP batch via `ops` or `ops_file`. Uppercase `$VAR_NAME` tokens are substituted (`$ACCOUNT_ID` / `$INBOX` from session; others via optional `vars` map). |
+| `help`         | Built-in docs (`topic` optional).                                                                                                                         |
 
-## Install
+## Typical MCP workflow
 
-The package is published to npm. Any of these work:
+1. Call `register` with a username (or rely on existing `credentials.json`).
+2. `jmap_request` with `ops` or `ops_file` (optional `vars` for `$TO`,
+   `$SUBJECT`, etc.).
+3. `help` when stuck.
 
-```bash
-npx -y @atomicmail/mcp
-bunx @atomicmail/mcp
-deno run -A npm:@atomicmail/mcp/atomicmail-mcp
-```
+## `jmap_request` input patterns
 
-You don't typically run it directly — your MCP host (Cursor, Claude Desktop,
-...) will spawn it for you. See the configuration section below.
+`jmap_request` accepts either:
 
-## Configure (priority order)
+- inline `ops` (JMAP methodCalls array), or
+- `ops_file` (JSON file path)
 
-The server resolves configuration from two sources, with environment variables
-overriding individual fields from the file:
+When using `ops_file`, relative paths first resolve against the credential
+directory. If a file is not present there, the runtime falls back to bundled
+presets shipped in the npm package.
 
-1. **`credentials.json` in the credential directory.** The same file produced by
-   `atomic-mail-signup`. Default location: `~/.atomicmail/credentials.json`.
-   Override the directory with `ATOMIC_MAIL_CREDENTIALS_DIR`.
-2. **Environment variables.** Useful for hermetic MCP host configs:
+## Presets and placeholders
 
-   | Variable                      | Required | Description                       |
-   | ----------------------------- | -------- | --------------------------------- |
-   | `ATOMIC_MAIL_AUTH_URL`        | Yes\*    | Auth service base URL             |
-   | `ATOMIC_MAIL_API_URL`         | Yes\*    | API service / JMAP base URL       |
-   | `ATOMIC_MAIL_SCRYPT_SALT`     | No       | Optional PoW salt override        |
-   | `ATOMIC_MAIL_API_KEY`         | No       | Existing API key (skips signup)   |
-   | `ATOMIC_MAIL_CREDENTIALS_DIR` | No       | Override default credential dir   |
+Presets are reusable JSON files for `jmap_request` batches:
 
-   \* "Yes" means at least one source must provide `authUrl` and `apiUrl`. If
-   `credentials.json` is present and complete, no env vars are required. PoW
-   salt defaults to the built-in value that matches `auth-service`.
+- Inline JSON: `{"ops":[...],"vars":{"COUNT":"10"}}`
+- Preset file: `{"ops_file":"list_inbox.json","vars":{"COUNT":"10"}}`
 
-If neither source resolves `authUrl` and `apiUrl`, the server fails fast on
-startup with the missing fields listed.
+Resolution order for `ops_file`:
 
-## Credential files
+1. Resolve relative to credentials directory (`~/.atomicmail` by default).
+2. If missing, fall back to bundled presets in the npm package.
 
-All three live in the credential directory and are written with mode `0600`:
+Placeholder rules:
 
-- `credentials.json` — `{ apiKey, inboxId, authUrl, apiUrl, scryptSalt }`.
-  Long-lived. Treat as a secret — copying it to a new machine is enough to log
-  in.
-- `session.jwt` — 4-hour TTL, rotated automatically via PoW when near expiry.
-- `capability.jwt` — 2-minute TTL, rotated automatically before each JMAP
-  request when near expiry.
+- Pattern: `$VAR_NAME`, where `VAR_NAME` matches `^[A-Z][A-Z0-9_]*$`.
+- Built-ins: `$ACCOUNT_ID`, `$INBOX`.
+- Lowercase `$tokens` such as JMAP back-references (`$draft`) are not matched.
+- Custom placeholders: passed in `vars` as string values.
+- Resolution order per variable: `vars` first, then built-in auto-resolvers.
+- Built-ins can be overridden by providing `ACCOUNT_ID` or `INBOX` in `vars`.
+- If any referenced variable is unresolved, `jmap_request` fails with a missing
+  variables error.
+- Substitution is single-pass: inserted values are not scanned again for nested
+  `$VAR_NAME` tokens.
 
-Because the on-disk layout is identical to the
-[`@atomic-mail/agent-skill`](../../skill/) skill, you can:
+Bundled presets:
 
-- Bootstrap once with `atomic-mail-signup`, then point the MCP at the same
-  directory.
-- Run `atomic-mail-jmap` from a shell while the MCP is also running — both will
-  see fresh JWTs as the other rotates them.
+- `send_mail.json` (`$TO`, `$SUBJECT`, `$BODY`)
+- `list_inbox.json` (`$COUNT`)
+- `reply.json` (`$MAIL_ID`, `$BODY`)
 
-## MCP host configuration examples
+`ops-file` resolves against credentials directory first, then bundled presets
+inside the package.
 
-### Cursor
+Example:
 
-`~/.cursor/mcp.json` (or per-project `.cursor/mcp.json`):
+`{ "ops_file": "list_inbox.json", "vars": { "COUNT": "10" } }`
 
-```json
-{
-  "mcpServers": {
-    "atomicmail": {
-      "command": "npx",
-      "args": ["-y", "@atomicmail/mcp"],
-      "env": {
-        "ATOMIC_MAIL_AUTH_URL": "https://auth.atomicmail.io",
-        "ATOMIC_MAIL_API_URL": "https://api.atomicmail.io"
-      }
-    }
-  }
-}
-```
+## Credential files and token lifecycle
 
-### Claude Desktop
+Mode `0600`:
 
-`claude_desktop_config.json`:
+- `credentials.json` — `{ apiKey, inboxId, authUrl, apiUrl, scryptSalt }`
+- `session.jwt` — 4h TTL, rotated via PoW
+- `capability.jwt` — 2m TTL, rotated before JMAP calls
 
-```json
-{
-  "mcpServers": {
-    "atomicmail": {
-      "command": "npx",
-      "args": ["-y", "@atomicmail/mcp"],
-      "env": {
-        "ATOMIC_MAIL_AUTH_URL": "https://auth.atomicmail.io",
-        "ATOMIC_MAIL_API_URL": "https://api.atomicmail.io"
-      }
-    }
-  }
-}
-```
+These files are created and rotated automatically by MCP tool calls. AgentSkill
+CLI uses the same files.
+
+## Defaults
 
-### Sharing credentials with the skill CLI
+- auth endpoint: `https://auth.atomicmail.ai`
+- api endpoint: `https://api.atomicmail.ai`
+- credentials directory: `~/.atomicmail`
 
-If you've already run `atomic-mail-signup`, no auth-service URL needs to be
-repeated — the MCP reads URLs (and optional salt override) from `credentials.json`:
+## Overriding defaults
 
 ```json
 {
@@ -131,103 +111,13 @@ repeated — the MCP reads URLs (and optional salt override) from `credentials.j
       "command": "npx",
       "args": ["-y", "@atomicmail/mcp"],
       "env": {
-        "ATOMIC_MAIL_CREDENTIALS_DIR": "/Users/me/.atomicmail"
+        "ATOMIC_MAIL_AUTH_URL": "https://custom-auth.example",
+        "ATOMIC_MAIL_API_URL": "https://custom-api.example",
+        "ATOMIC_MAIL_CREDENTIALS_DIR": "/Users/me/.atomicmail",
+        "ATOMIC_MAIL_SCRYPT_SALT": "hex-salt-override",
+        "ATOMIC_MAIL_API_KEY": "existing-api-key"
       }
     }
   }
 }
 ```
-
-When you skip the env entirely (`{}`), the MCP defaults to `~/.atomicmail/`.
-
-## Typical agent workflow
-
-Once the MCP is wired in, an agent will:
-
-1. Call `register` (only on the first run, with no existing API key).
-2. Call `jmap_session` to discover the `accountId` and the INBOX id.
-3. Call `jmap_request` with whatever method calls it needs (inline) or reference
-   saved presets via `opsFile`.
-4. Call `get_docs` with topic `presets` or `jmap_cheatsheet` for ready-to-use
-   JMAP recipes.
-
-## JMAP presets (the `opsFile` parameter)
-
-`jmap_request` accepts either an inline `methodCalls` array or an `opsFile`
-path. Relative paths resolve against the credential directory, so common batches
-can be saved once and reused. This mirrors the skill's
-`atomic-mail-jmap --ops-file` behavior — both consume the same files.
-
-Example: drop `~/.atomicmail/fetch_last_100.json` containing
-
-```json
-[
-  [
-    "Email/query",
-    {
-      "accountId": "ACC",
-      "filter": { "inMailbox": "INBOX" },
-      "sort": [{ "property": "receivedAt", "isAscending": false }],
-      "limit": 100
-    },
-    "q0"
-  ]
-]
-```
-
-…then `jmap_request` with `{ "opsFile": "fetch_last_100.json" }`.
-
-See `get_docs presets` for the full preset format.
-
-## Develop
-
-The project is a Deno-first codebase. You'll need [Deno](https://deno.com/)
-installed.
-
-```bash
-# Run directly with Deno (live source, no build step)
-deno task start
-
-# Type-check
-deno task check
-
-# Format
-deno task fmt
-
-# Build the npm package via dnt
-deno task build:npm
-
-# Run the built artifact under Node
-node npm/esm/main.js
-```
-
-The dnt build emits to `./npm/`. The package's `bin` is `atomicmail-mcp`, mapped
-to `npm/esm/main.js`. After a build you can also `npm install` it locally and
-use the binary directly.
-
-### Project layout
-
-```
-services/mcp-server-local/
-├── deno.json          # Deno config + import map
-├── build_npm.ts       # dnt build script
-├── README.md
-├── src/
-│   ├── main.ts        # MCP server entry (stdio transport)
-│   ├── auth-session.ts# PoW + JWT rotation, with disk persistence
-│   ├── credentials.ts # File I/O: credentials.json, *.jwt
-│   ├── docs-content.ts# Static text served by the get_docs tool
-│   └── tools/
-│       ├── register.ts
-│       ├── jmap.ts
-│       └── docs.ts
-└── npm/               # dnt output (gitignored)
-```
-
-The auth-session and credentials files are kept in-step with their counterparts
-in [`skill/scripts/lib/`](../../skill/scripts/lib/) so both projects produce and
-consume identical credential files.
-
-## License
-
-MIT

package/esm/_dnt.polyfills.d.ts

@@ -0,0 +1,101 @@
+/**
+ * Based on [import-meta-ponyfill](https://github.com/gaubee/import-meta-ponyfill),
+ * but instead of using npm to install additional dependencies,
+ * this approach manually consolidates cjs/mjs/d.ts into a single file.
+ *
+ * Note that this code might be imported multiple times
+ * (for example, both dnt.test.polyfills.ts and dnt.polyfills.ts contain this code;
+ *  or Node.js might dynamically clear the cache and then force a require).
+ * Therefore, it's important to avoid redundant writes to global objects.
+ * Additionally, consider that commonjs is used alongside esm,
+ * so the two ponyfill functions are stored independently in two separate global objects.
+ */
+import { createRequire } from "node:module";
+import { type URL } from "node:url";
+declare global {
+    interface ImportMeta {
+        /** A string representation of the fully qualified module URL. When the
+         * module is loaded locally, the value will be a file URL (e.g.
+         * `file:///path/module.ts`).
+         *
+         * You can also parse the string as a URL to determine more information about
+         * how the current module was loaded. For example to determine if a module was
+         * local or not:
+         *
+         * ```ts
+         * const url = new URL(import.meta.url);
+         * if (url.protocol === "file:") {
+         *   console.log("this module was loaded locally");
+         * }
+         * ```
+         */
+        url: string;
+        /**
+         * A function that returns resolved specifier as if it would be imported
+         * using `import(specifier)`.
+         *
+         * ```ts
+         * console.log(import.meta.resolve("./foo.js"));
+         * // file:///dev/foo.js
+         * ```
+         *
+         * @param specifier The module specifier to resolve relative to `parent`.
+         * @param parent The absolute parent module URL to resolve from.
+         * @returns The absolute (`file:`) URL string for the resolved module.
+         */
+        resolve(specifier: string, parent?: string | URL | undefined): string;
+        /** A flag that indicates if the current module is the main module that was
+         * called when starting the program under Deno.
+         *
+         * ```ts
+         * if (import.meta.main) {
+         *   // this was loaded as the main module, maybe do some bootstrapping
+         * }
+         * ```
+         */
+        main: boolean;
+        /** The absolute path of the current module.
+         *
+         * This property is only provided for local modules (ie. using `file://` URLs).
+         *
+         * Example:
+         * ```
+         * // Unix
+         * console.log(import.meta.filename); // /home/alice/my_module.ts
+         *
+         * // Windows
+         * console.log(import.meta.filename); // C:\alice\my_module.ts
+         * ```
+         */
+        filename: string;
+        /** The absolute path of the directory containing the current module.
+         *
+         * This property is only provided for local modules (ie. using `file://` URLs).
+         *
+         * * Example:
+         * ```
+         * // Unix
+         * console.log(import.meta.dirname); // /home/alice
+         *
+         * // Windows
+         * console.log(import.meta.dirname); // C:\alice
+         * ```
+         */
+        dirname: string;
+    }
+}
+type NodeRequest = ReturnType<typeof createRequire>;
+type NodeModule = NonNullable<NodeRequest["main"]>;
+interface ImportMetaPonyfillCommonjs {
+    (require: NodeRequest, module: NodeModule): ImportMeta;
+}
+interface ImportMetaPonyfillEsmodule {
+    (importMeta: ImportMeta): ImportMeta;
+}
+interface ImportMetaPonyfill extends ImportMetaPonyfillCommonjs, ImportMetaPonyfillEsmodule {
+}
+export declare let import_meta_ponyfill_commonjs: ImportMetaPonyfillCommonjs;
+export declare let import_meta_ponyfill_esmodule: ImportMetaPonyfillEsmodule;
+export declare let import_meta_ponyfill: ImportMetaPonyfill;
+export {};
+//# sourceMappingURL=_dnt.polyfills.d.ts.map

package/esm/_dnt.polyfills.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"_dnt.polyfills.d.ts","sourceRoot":"","sources":["../src/_dnt.polyfills.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,OAAO,EAAgC,KAAK,GAAG,EAAE,MAAM,UAAU,CAAC;AAGlE,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,UAAU;QAClB;;;;;;;;;;;;;;WAcG;QACH,GAAG,EAAE,MAAM,CAAC;QACZ;;;;;;;;;;;;WAYG;QACH,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,GAAG,GAAG,SAAS,GAAG,MAAM,CAAC;QACtE;;;;;;;;WAQG;QACH,IAAI,EAAE,OAAO,CAAC;QAEd;;;;;;;;;;;;WAYG;QACH,QAAQ,EAAE,MAAM,CAAC;QAEjB;;;;;;;;;;;;WAYG;QACH,OAAO,EAAE,MAAM,CAAC;KACjB;CACF;AAED,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC;AACpD,KAAK,UAAU,GAAG,WAAW,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;AACnD,UAAU,0BAA0B;IAClC,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,UAAU,GAAG,UAAU,CAAC;CACxD;AACD,UAAU,0BAA0B;IAClC,CAAC,UAAU,EAAE,UAAU,GAAG,UAAU,CAAC;CACtC;AACD,UAAU,kBACR,SAAQ,0BAA0B,EAAE,0BAA0B;CAC/D;AAiBD,eAAO,IAAI,6BAA6B,EA2BnC,0BAA0B,CAAC;AAMhC,eAAO,IAAI,6BAA6B,EA4DnC,0BAA0B,CAAC;AAMhC,eAAO,IAAI,oBAAoB,EAoB1B,kBAAkB,CAAC"}

package/esm/_dnt.polyfills.js

@@ -0,0 +1,127 @@
+/**
+ * Based on [import-meta-ponyfill](https://github.com/gaubee/import-meta-ponyfill),
+ * but instead of using npm to install additional dependencies,
+ * this approach manually consolidates cjs/mjs/d.ts into a single file.
+ *
+ * Note that this code might be imported multiple times
+ * (for example, both dnt.test.polyfills.ts and dnt.polyfills.ts contain this code;
+ *  or Node.js might dynamically clear the cache and then force a require).
+ * Therefore, it's important to avoid redundant writes to global objects.
+ * Additionally, consider that commonjs is used alongside esm,
+ * so the two ponyfill functions are stored independently in two separate global objects.
+ */
+//@ts-ignore
+import { createRequire } from "node:module";
+//@ts-ignore
+import { fileURLToPath, pathToFileURL } from "node:url";
+//@ts-ignore
+import { dirname } from "node:path";
+const defineGlobalPonyfill = (symbolFor, fn) => {
+    if (!Reflect.has(globalThis, Symbol.for(symbolFor))) {
+        Object.defineProperty(globalThis, Symbol.for(symbolFor), {
+            configurable: true,
+            get() {
+                return fn;
+            },
+        });
+    }
+};
+export let import_meta_ponyfill_commonjs = (Reflect.get(globalThis, Symbol.for("import-meta-ponyfill-commonjs")) ??
+    (() => {
+        const moduleImportMetaWM = new WeakMap();
+        return (require, module) => {
+            let importMetaCache = moduleImportMetaWM.get(module);
+            if (importMetaCache == null) {
+                const importMeta = Object.assign(Object.create(null), {
+                    url: pathToFileURL(module.filename).href,
+                    main: require.main == module,
+                    resolve: (specifier, parentURL = importMeta.url) => {
+                        return pathToFileURL((importMeta.url === parentURL
+                            ? require
+                            : createRequire(parentURL))
+                            .resolve(specifier)).href;
+                    },
+                    filename: module.filename,
+                    dirname: module.path,
+                });
+                moduleImportMetaWM.set(module, importMeta);
+                importMetaCache = importMeta;
+            }
+            return importMetaCache;
+        };
+    })());
+defineGlobalPonyfill("import-meta-ponyfill-commonjs", import_meta_ponyfill_commonjs);
+export let import_meta_ponyfill_esmodule = (Reflect.get(globalThis, Symbol.for("import-meta-ponyfill-esmodule")) ??
+    ((importMeta) => {
+        const resolveFunStr = String(importMeta.resolve);
+        const shimWs = new WeakSet();
+        //@ts-ignore
+        const mainUrl = ("file:///" + process.argv[1].replace(/\\/g, "/"))
+            .replace(/\/{3,}/, "///");
+        const commonShim = (importMeta) => {
+            if (typeof importMeta.main !== "boolean") {
+                importMeta.main = importMeta.url === mainUrl;
+            }
+            if (typeof importMeta.filename !== "string") {
+                importMeta.filename = fileURLToPath(importMeta.url);
+                importMeta.dirname = dirname(importMeta.filename);
+            }
+        };
+        if (
+        // v16.2.0+, v14.18.0+: Add support for WHATWG URL object to parentURL parameter.
+        resolveFunStr === "undefined" ||
+            // v20.0.0+, v18.19.0+"" This API now returns a string synchronously instead of a Promise.
+            resolveFunStr.startsWith("async")
+        // enable by --experimental-import-meta-resolve flag
+        ) {
+            import_meta_ponyfill_esmodule = (importMeta) => {
+                if (!shimWs.has(importMeta)) {
+                    shimWs.add(importMeta);
+                    const importMetaUrlRequire = {
+                        url: importMeta.url,
+                        require: createRequire(importMeta.url),
+                    };
+                    importMeta.resolve = function resolve(specifier, parentURL = importMeta.url) {
+                        return pathToFileURL((importMetaUrlRequire.url === parentURL
+                            ? importMetaUrlRequire.require
+                            : createRequire(parentURL)).resolve(specifier)).href;
+                    };
+                    commonShim(importMeta);
+                }
+                return importMeta;
+            };
+        }
+        else {
+            /// native support
+            import_meta_ponyfill_esmodule = (importMeta) => {
+                if (!shimWs.has(importMeta)) {
+                    shimWs.add(importMeta);
+                    commonShim(importMeta);
+                }
+                return importMeta;
+            };
+        }
+        return import_meta_ponyfill_esmodule(importMeta);
+    }));
+defineGlobalPonyfill("import-meta-ponyfill-esmodule", import_meta_ponyfill_esmodule);
+export let import_meta_ponyfill = ((...args) => {
+    const _MODULE = (() => {
+        if (typeof require === "function" && typeof module === "object") {
+            return "commonjs";
+        }
+        else {
+            // eval("typeof import.meta");
+            return "esmodule";
+        }
+    })();
+    if (_MODULE === "commonjs") {
+        //@ts-ignore
+        import_meta_ponyfill = (r, m) => import_meta_ponyfill_commonjs(r, m);
+    }
+    else {
+        //@ts-ignore
+        import_meta_ponyfill = (im) => import_meta_ponyfill_esmodule(im);
+    }
+    //@ts-ignore
+    return import_meta_ponyfill(...args);
+});

package/esm/lib/agent/auth/agent-auth-http.d.ts

@@ -0,0 +1,26 @@
+export declare function fetchChallenge(authUrl: string): Promise<{
+    challengeJWT: string;
+    challenge: string;
+    difficulty: number;
+}>;
+export interface SessionResponse {
+    sessionJWT: string;
+    apiKey?: string;
+}
+export declare function exchangeSession(authUrl: string, body: {
+    challengeJWT: string;
+    powHex: string;
+    nonce: string;
+    apiKey?: string;
+    username?: string;
+}): Promise<SessionResponse>;
+export declare function fetchCapability(authUrl: string, sessionJWT: string): Promise<string>;
+export interface PerformPoWInput {
+    authUrl: string;
+    scryptSalt: string;
+    apiKey?: string;
+    username?: string;
+    onPowProgress?: (nonce: bigint) => void;
+}
+export declare function performPoWAndSession(input: PerformPoWInput): Promise<SessionResponse>;
+//# sourceMappingURL=agent-auth-http.d.ts.map

package/esm/lib/agent/auth/agent-auth-http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-auth-http.d.ts","sourceRoot":"","sources":["../../../../src/lib/agent/auth/agent-auth-http.ts"],"names":[],"mappings":"AAoCA,wBAAsB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC;IAC7D,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC,CAqBD;AAED,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE;IACJ,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC,eAAe,CAAC,CAS1B;AAED,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,CAUjB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;CACzC;AAED,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,eAAe,GACrB,OAAO,CAAC,eAAe,CAAC,CAgB1B"}

package/esm/lib/agent/auth/agent-auth-http.js

@@ -0,0 +1,76 @@
+// auth-service HTTP: challenge → session → capability.
+import { decodeJwtPayload } from "./agent-jwt.js";
+import { solvePow } from "./agent-pow.js";
+async function postJson(url, body, headers = {}) {
+    const res = await fetch(url, {
+        method: "POST",
+        headers: {
+            ...(body ? { "Content-Type": "application/json" } : {}),
+            ...headers,
+        },
+        body: body ? JSON.stringify(body) : undefined,
+    });
+    const text = await res.text();
+    const path = (() => {
+        try {
+            return new URL(url).pathname;
+        }
+        catch {
+            return url;
+        }
+    })();
+    if (!res.ok) {
+        throw new Error(`auth-service ${path} returned ${res.status}: ${text}`);
+    }
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        throw new Error(`auth-service ${path} returned non-JSON body: ${text}`);
+    }
+}
+export async function fetchChallenge(authUrl) {
+    const data = await postJson(`${authUrl}/api/v1/challenge`, undefined);
+    if (typeof data.challengeJWT !== "string") {
+        throw new Error("Challenge response missing challengeJWT.");
+    }
+    const payload = decodeJwtPayload(data.challengeJWT);
+    if (typeof payload.jti !== "string" ||
+        typeof payload.difficulty !== "number") {
+        throw new Error("Challenge JWT payload malformed (missing jti or difficulty).");
+    }
+    return {
+        challengeJWT: data.challengeJWT,
+        challenge: payload.jti,
+        difficulty: payload.difficulty,
+    };
+}
+export async function exchangeSession(authUrl, body) {
+    const data = await postJson(`${authUrl}/api/v1/session`, { ...body });
+    if (typeof data.sessionJWT !== "string") {
+        throw new Error("Session response missing sessionJWT.");
+    }
+    return {
+        sessionJWT: data.sessionJWT,
+        apiKey: typeof data.apiKey === "string" ? data.apiKey : undefined,
+    };
+}
+export async function fetchCapability(authUrl, sessionJWT) {
+    const data = await postJson(`${authUrl}/api/v1/capability`, undefined, { Authorization: `Bearer ${sessionJWT}` });
+    if (typeof data.capabilityJWT !== "string") {
+        throw new Error("Capability response missing capabilityJWT.");
+    }
+    return data.capabilityJWT;
+}
+export async function performPoWAndSession(input) {
+    const { authUrl, scryptSalt } = input;
+    const { challengeJWT, challenge, difficulty } = await fetchChallenge(authUrl);
+    const { powHex, nonce } = await solvePow(challenge, difficulty, scryptSalt, input.onPowProgress);
+    return exchangeSession(authUrl, {
+        challengeJWT,
+        powHex,
+        nonce,
+        apiKey: input.apiKey,
+        username: input.username,
+    });
+}

package/esm/lib/agent/auth/agent-jwt.d.ts

@@ -0,0 +1,14 @@
+export declare const SESSION_TTL_MS: number;
+export declare const CAPABILITY_TTL_MS: number;
+export declare const SESSION_SAFETY_MARGIN_MS = 60000;
+export declare const CAPABILITY_SAFETY_MARGIN_MS = 20000;
+export interface JwtPayload {
+    exp?: number;
+    iat?: number;
+    jti?: string;
+    inboxId?: string;
+    [key: string]: unknown;
+}
+export declare function decodeJwtPayload<T = JwtPayload>(jwt: string): T;
+export declare function isJwtExpired(jwt: string, marginMs: number): boolean;
+//# sourceMappingURL=agent-jwt.d.ts.map

package/esm/lib/agent/auth/agent-jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-jwt.d.ts","sourceRoot":"","sources":["../../../../src/lib/agent/auth/agent-jwt.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,cAAc,QAAqB,CAAC;AACjD,eAAO,MAAM,iBAAiB,QAAgB,CAAC;AAE/C,eAAO,MAAM,wBAAwB,QAAS,CAAC;AAC/C,eAAO,MAAM,2BAA2B,QAAS,CAAC;AAElD,MAAM,WAAW,UAAU;IACzB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,wBAAgB,gBAAgB,CAAC,CAAC,GAAG,UAAU,EAAE,GAAG,EAAE,MAAM,GAAG,CAAC,CAc/D;AAED,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAQnE"}