@atomicmail/mcp 0.1.0 → 0.2.1

package/esm/lib/agent/session/agent-credentials-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-credentials-store.d.ts","sourceRoot":"","sources":["../../../../src/lib/agent/session/agent-credentials-store.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAOjE;AAMD,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,WAAW,GACjB,OAAO,CAAC,IAAI,CAAC,CAGf;AAED,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAiCxE;AAED,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,CAOlC;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAG3E;AAED,wBAAsB,cAAc,CAClC,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAO7B;AAED,0EAA0E;AAC1E,wBAAsB,yBAAyB,CAC7C,KAAK,EAAE,UAAU,GAChB,OAAO,CAAC,IAAI,CAAC,CAcf"}

package/esm/{mcp/src/credentials.js → lib/agent/session/agent-credentials-store.js}

@@ -1,17 +1,6 @@
-// Credential file I/O. Three files form a complete credential set:
-//   credentials.json  — long-lived: apiKey, inboxId, server URLs, PoW salt.
-//   session.jwt       — short-lived (~4h): rotates via /session + PoW.
-//   capability.jwt    — short-lived (~2min): rotates via /capability.
-//
-// Files are written with mode 0600 so other local users cannot read them.
-//
-// This file mirrors skill/scripts/lib/credentials.ts so that the MCP server
-// reads and writes the same on-disk layout as the atomic-mail-signup /
-// atomic-mail-jmap CLIs from the @atomic-mail/agent-skill skill. The two
-// are interchangeable: you can run the skill CLI to bootstrap credentials
-// and the MCP server will pick them up automatically (see resolveConfig
-// in auth-session.ts).
-import { mkdir, readFile, writeFile } from "node:fs/promises";
+// Credential file I/O shared by MCP and AgentSkill.
+// Three files: credentials.json, session.jwt, capability.jwt (mode 0600).
+import { mkdir, readFile, unlink, writeFile } from "node:fs/promises";
 import { dirname, join, resolve } from "node:path";
 export function defaultFilesFromOutDir(outDir) {
     const base = resolve(outDir);
@@ -35,7 +24,7 @@ export async function readCredentials(path) {
     }
     catch (err) {
         throw new Error(`Could not read credentials file '${path}': ${err.message}. ` +
-            "Did you run signup first?");
+            "Did you run register first?");
     }
     let obj;
     try {
@@ -58,7 +47,6 @@ export async function readCredentials(path) {
     }
     return obj;
 }
-/** Like readCredentials, but returns undefined when the file does not exist. */
 export async function tryReadCredentials(path) {
     try {
         await readFile(path, "utf-8");
@@ -81,3 +69,18 @@ export async function tryReadJwtFile(path) {
         return undefined;
     }
 }
+/** Best-effort removal of credential artifacts (ignore missing files). */
+export async function unlinkCredentialArtifacts(files) {
+    for (const p of [
+        files.credentialsFile,
+        files.sessionFile,
+        files.capabilityFile,
+    ]) {
+        try {
+            await unlink(p);
+        }
+        catch {
+            // ignore
+        }
+    }
+}

package/esm/lib/agent/session/agent-resolve-config.d.ts

@@ -0,0 +1,24 @@
+import { type SkillFiles } from "./agent-credentials-store.js";
+export type ConfigSource = "credentials-file" | "env" | "mixed" | "incomplete";
+export interface ResolvedAgentConfig {
+    authUrl: string;
+    apiUrl: string;
+    scryptSalt: string;
+    apiKey?: string;
+    inboxId?: string;
+    credentialDir: string;
+    files: SkillFiles;
+    source: ConfigSource;
+}
+/**
+ * Default credential directory:
+ *   1. ATOMIC_MAIL_CREDENTIALS_DIR
+ *   2. ~/.atomicmail/ or %USERPROFILE%/.atomicmail
+ */
+export declare function resolveCredentialDir(): string;
+/**
+ * Merge credentials.json with ATOMIC_MAIL_* env (env wins per field).
+ * authUrl and apiUrl must resolve from at least one source.
+ */
+export declare function resolveAgentConfigFromEnv(): Promise<ResolvedAgentConfig>;
+//# sourceMappingURL=agent-resolve-config.d.ts.map

package/esm/lib/agent/session/agent-resolve-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-resolve-config.d.ts","sourceRoot":"","sources":["../../../../src/lib/agent/session/agent-resolve-config.ts"],"names":[],"mappings":"AAKA,OAAO,EAEL,KAAK,UAAU,EAEhB,MAAM,8BAA8B,CAAC;AAEtC,MAAM,MAAM,YAAY,GACpB,kBAAkB,GAClB,KAAK,GACL,OAAO,GACP,YAAY,CAAC;AAEjB,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,UAAU,CAAC;IAClB,MAAM,EAAE,YAAY,CAAC;CACtB;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CAW7C;AAED;;;GAGG;AACH,wBAAsB,yBAAyB,IAAI,OAAO,CACxD,mBAAmB,CACpB,CAoDA"}

package/esm/lib/agent/session/agent-resolve-config.js

@@ -0,0 +1,70 @@
+// Resolve MCP / process credential dir + URLs from env + credentials.json.
+import process from "node:process";
+import { DEFAULT_POW_SCRYPT_SALT_HEX } from "../../core/consts.js";
+import { defaultFilesFromOutDir, tryReadCredentials, } from "./agent-credentials-store.js";
+/**
+ * Default credential directory:
+ *   1. ATOMIC_MAIL_CREDENTIALS_DIR
+ *   2. ~/.atomicmail/ or %USERPROFILE%/.atomicmail
+ */
+export function resolveCredentialDir() {
+    const fromEnv = process.env.ATOMIC_MAIL_CREDENTIALS_DIR;
+    if (fromEnv && fromEnv.length > 0)
+        return fromEnv;
+    const home = process.env.HOME || process.env.USERPROFILE;
+    if (!home) {
+        throw new Error("Cannot determine default credential directory: HOME and USERPROFILE " +
+            "are both unset. Set ATOMIC_MAIL_CREDENTIALS_DIR explicitly.");
+    }
+    return `${home.replace(/[\\/]+$/, "")}/.atomicmail`;
+}
+/**
+ * Merge credentials.json with ATOMIC_MAIL_* env (env wins per field).
+ * authUrl and apiUrl must resolve from at least one source.
+ */
+export async function resolveAgentConfigFromEnv() {
+    const credentialDir = resolveCredentialDir();
+    const files = defaultFilesFromOutDir(credentialDir);
+    const fileCreds = await tryReadCredentials(files.credentialsFile);
+    const env = process.env;
+    const envAuthUrl = env.ATOMIC_MAIL_AUTH_URL;
+    const envApiUrl = env.ATOMIC_MAIL_API_URL;
+    const envSalt = env.ATOMIC_MAIL_SCRYPT_SALT;
+    const envApiKey = env.ATOMIC_MAIL_API_KEY;
+    const authUrl = envAuthUrl ?? fileCreds?.authUrl;
+    const apiUrl = envApiUrl ?? fileCreds?.apiUrl;
+    const scryptSalt = envSalt ?? fileCreds?.scryptSalt ??
+        DEFAULT_POW_SCRYPT_SALT_HEX;
+    const apiKey = envApiKey ?? fileCreds?.apiKey;
+    const inboxId = fileCreds?.inboxId;
+    const missing = [];
+    if (!authUrl)
+        missing.push("ATOMIC_MAIL_AUTH_URL");
+    if (!apiUrl)
+        missing.push("ATOMIC_MAIL_API_URL");
+    if (missing.length > 0) {
+        throw new Error(`Missing required configuration: ${missing.join(", ")}. ` +
+            `Provide these via environment variables, or place a populated ` +
+            `credentials.json in '${credentialDir}' (run register first, or set ` +
+            `ATOMIC_MAIL_CREDENTIALS_DIR).`);
+    }
+    const usingFile = fileCreds !== undefined;
+    const usingEnv = !!(envAuthUrl || envApiUrl || envSalt || envApiKey);
+    const source = usingFile && usingEnv
+        ? "mixed"
+        : usingFile
+            ? "credentials-file"
+            : usingEnv
+                ? "env"
+                : "incomplete";
+    return {
+        authUrl: authUrl.replace(/\/+$/, ""),
+        apiUrl: apiUrl.replace(/\/+$/, ""),
+        scryptSalt: scryptSalt,
+        apiKey,
+        inboxId,
+        credentialDir,
+        files,
+        source,
+    };
+}

package/esm/lib/agent/session/agent-session.d.ts

@@ -0,0 +1,62 @@
+import { type SkillFiles } from "./agent-credentials-store.js";
+export interface AgentSessionConfig {
+    authUrl: string;
+    apiUrl: string;
+    scryptSalt: string;
+    apiKey?: string;
+    inboxId?: string;
+    credentialDir: string;
+    files: SkillFiles;
+}
+export interface RegisterResult {
+    inbox: string;
+    accountId: string;
+    /** Present only on first-time signup (not idempotent replay). */
+    apiKey?: string;
+    idempotent?: boolean;
+}
+/** Local-part of an inbox email, or the whole string if no @. */
+export declare function inboxLocalPart(inboxId: string): string;
+export declare class AgentSession {
+    private readonly authUrl;
+    readonly apiUrl: string;
+    private readonly scryptSalt;
+    private apiKey;
+    private inboxId;
+    readonly credentialDir: string;
+    readonly files: SkillFiles;
+    private sessionJWT;
+    private capabilityJWT;
+    private cachedMailAccountId;
+    constructor(cfg: AgentSessionConfig);
+    static create(cfg: AgentSessionConfig): Promise<AgentSession>;
+    get hasApiKey(): boolean;
+    get currentInboxId(): string | undefined;
+    private loadFromDisk;
+    /**
+     * Primary JMAP mail accountId from GET /.well-known/jmap (cached).
+     */
+    getPrimaryMailAccountId(): Promise<string>;
+    invalidateJmapSessionCache(): void;
+    /**
+     * Register or return existing inbox when username matches (idempotent).
+     * Different username replaces on-disk credentials and creates a new inbox.
+     */
+    register(username: string): Promise<RegisterResult>;
+    getCapabilityToken(): Promise<string>;
+    private ensureSession;
+    destroy(): void;
+}
+export interface PersistLoginWithApiKeyInput {
+    authUrl: string;
+    apiUrl: string;
+    scryptSalt: string;
+    apiKey: string;
+    files: SkillFiles;
+    onPowProgress?: (nonce: bigint) => void;
+}
+/** PoW login with an existing API key; writes credentials + JWT files. */
+export declare function persistLoginWithApiKey(input: PersistLoginWithApiKeyInput): Promise<{
+    inboxId: string;
+}>;
+//# sourceMappingURL=agent-session.d.ts.map

package/esm/lib/agent/session/agent-session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-session.d.ts","sourceRoot":"","sources":["../../../../src/lib/agent/session/agent-session.ts"],"names":[],"mappings":"AAEA,OAAO,EAEL,KAAK,UAAU,EAMhB,MAAM,8BAA8B,CAAC;AAatC,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,UAAU,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAMD,iEAAiE;AACjE,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAKtD;AAED,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,MAAM,CAAqB;IACnC,OAAO,CAAC,OAAO,CAAqB;IACpC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAC;IAE3B,OAAO,CAAC,UAAU,CAAqB;IACvC,OAAO,CAAC,aAAa,CAAqB;IAC1C,OAAO,CAAC,mBAAmB,CAAqB;gBAEpC,GAAG,EAAE,kBAAkB;WAUtB,MAAM,CAAC,GAAG,EAAE,kBAAkB,GAAG,OAAO,CAAC,YAAY,CAAC;IAMnE,IAAI,SAAS,IAAI,OAAO,CAEvB;IAED,IAAI,cAAc,IAAI,MAAM,GAAG,SAAS,CAEvC;YAEa,YAAY;IAU1B;;OAEG;IACG,uBAAuB,IAAI,OAAO,CAAC,MAAM,CAAC;IAShD,0BAA0B,IAAI,IAAI;IAIlC;;;OAGG;IACG,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAuEnD,kBAAkB,IAAI,OAAO,CAAC,MAAM,CAAC;YA4B7B,aAAa;IAyB3B,OAAO,IAAI,IAAI;CAGhB;AAED,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,UAAU,CAAC;IAClB,aAAa,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;CACzC;AAED,0EAA0E;AAC1E,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,2BAA2B,GACjC,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAyB9B"}

package/esm/lib/agent/session/agent-session.js

@@ -0,0 +1,206 @@
+// Stateful PoW + capability JWT + optional cached JMAP session (accountId).
+import { tryReadCredentials, tryReadJwtFile, unlinkCredentialArtifacts, writeCredentials, writeJwtFile, } from "./agent-credentials-store.js";
+import { CAPABILITY_SAFETY_MARGIN_MS, decodeJwtPayload, isJwtExpired, SESSION_SAFETY_MARGIN_MS, } from "../auth/agent-jwt.js";
+import { extractPrimaryMailAccountId, fetchJmapWellKnown, } from "../jmap/agent-jmap.js";
+import { fetchCapability, performPoWAndSession } from "../auth/agent-auth-http.js";
+function normalizeUsername(u) {
+    return u.trim().toLowerCase();
+}
+/** Local-part of an inbox email, or the whole string if no @. */
+export function inboxLocalPart(inboxId) {
+    const i = inboxId.indexOf("@");
+    return i === -1
+        ? normalizeUsername(inboxId)
+        : normalizeUsername(inboxId.slice(0, i));
+}
+export class AgentSession {
+    authUrl;
+    apiUrl;
+    scryptSalt;
+    apiKey;
+    inboxId;
+    credentialDir;
+    files;
+    sessionJWT;
+    capabilityJWT;
+    cachedMailAccountId;
+    constructor(cfg) {
+        this.authUrl = cfg.authUrl.replace(/\/+$/, "");
+        this.apiUrl = cfg.apiUrl.replace(/\/+$/, "");
+        this.scryptSalt = cfg.scryptSalt;
+        this.apiKey = cfg.apiKey;
+        this.inboxId = cfg.inboxId;
+        this.credentialDir = cfg.credentialDir;
+        this.files = cfg.files;
+    }
+    static async create(cfg) {
+        const session = new AgentSession(cfg);
+        await session.loadFromDisk();
+        return session;
+    }
+    get hasApiKey() {
+        return this.apiKey !== undefined && this.apiKey.length > 0;
+    }
+    get currentInboxId() {
+        return this.inboxId;
+    }
+    async loadFromDisk() {
+        this.sessionJWT = await tryReadJwtFile(this.files.sessionFile);
+        this.capabilityJWT = await tryReadJwtFile(this.files.capabilityFile);
+        const disk = await tryReadCredentials(this.files.credentialsFile);
+        if (disk) {
+            this.apiKey = this.apiKey ?? disk.apiKey;
+            this.inboxId = this.inboxId ?? disk.inboxId;
+        }
+    }
+    /**
+     * Primary JMAP mail accountId from GET /.well-known/jmap (cached).
+     */
+    async getPrimaryMailAccountId() {
+        if (this.cachedMailAccountId)
+            return this.cachedMailAccountId;
+        const cap = await this.getCapabilityToken();
+        const session = await fetchJmapWellKnown(this.apiUrl, cap);
+        const id = extractPrimaryMailAccountId(session);
+        this.cachedMailAccountId = id;
+        return id;
+    }
+    invalidateJmapSessionCache() {
+        this.cachedMailAccountId = undefined;
+    }
+    /**
+     * Register or return existing inbox when username matches (idempotent).
+     * Different username replaces on-disk credentials and creates a new inbox.
+     */
+    async register(username) {
+        const want = normalizeUsername(username);
+        if (this.hasApiKey && !this.inboxId) {
+            throw new Error("Cannot register: an API key is configured but inboxId is unknown. " +
+                "Fix credentials.json or unset ATOMIC_MAIL_API_KEY before registering.");
+        }
+        if (this.hasApiKey && this.inboxId) {
+            const have = inboxLocalPart(this.inboxId);
+            if (have === want) {
+                const accountId = await this.getPrimaryMailAccountId();
+                return {
+                    inbox: this.inboxId,
+                    accountId,
+                    idempotent: true,
+                };
+            }
+            await unlinkCredentialArtifacts(this.files);
+            this.apiKey = undefined;
+            this.inboxId = undefined;
+            this.sessionJWT = undefined;
+            this.capabilityJWT = undefined;
+            this.cachedMailAccountId = undefined;
+        }
+        const result = await performPoWAndSession({
+            authUrl: this.authUrl,
+            scryptSalt: this.scryptSalt,
+            username,
+        });
+        if (!result.apiKey) {
+            throw new Error("Signup did not return an apiKey — this indicates a server bug.");
+        }
+        this.apiKey = result.apiKey;
+        this.sessionJWT = result.sessionJWT;
+        await writeJwtFile(this.files.sessionFile, this.sessionJWT);
+        const capability = await fetchCapability(this.authUrl, this.sessionJWT);
+        this.capabilityJWT = capability;
+        await writeJwtFile(this.files.capabilityFile, capability);
+        const claims = decodeJwtPayload(capability);
+        if (typeof claims.inboxId !== "string" || claims.inboxId.length === 0) {
+            throw new Error("Capability JWT missing inboxId claim after signup.");
+        }
+        this.inboxId = claims.inboxId;
+        this.cachedMailAccountId = undefined;
+        const creds = {
+            apiKey: this.apiKey,
+            inboxId: this.inboxId,
+            authUrl: this.authUrl,
+            apiUrl: this.apiUrl,
+            scryptSalt: this.scryptSalt,
+        };
+        await writeCredentials(this.files.credentialsFile, creds);
+        const accountId = await this.getPrimaryMailAccountId();
+        return {
+            inbox: this.inboxId,
+            accountId,
+            apiKey: this.apiKey,
+        };
+    }
+    async getCapabilityToken() {
+        if (this.capabilityJWT &&
+            !isJwtExpired(this.capabilityJWT, CAPABILITY_SAFETY_MARGIN_MS)) {
+            return this.capabilityJWT;
+        }
+        await this.ensureSession();
+        if (!this.sessionJWT) {
+            throw new Error("Internal: ensureSession() left sessionJWT unset.");
+        }
+        const cap = await fetchCapability(this.authUrl, this.sessionJWT);
+        this.capabilityJWT = cap;
+        await writeJwtFile(this.files.capabilityFile, cap);
+        try {
+            const claims = decodeJwtPayload(cap);
+            if (typeof claims.inboxId === "string" && claims.inboxId.length > 0) {
+                this.inboxId = claims.inboxId;
+            }
+        }
+        catch {
+            // non-fatal
+        }
+        return cap;
+    }
+    async ensureSession() {
+        if (this.sessionJWT &&
+            !isJwtExpired(this.sessionJWT, SESSION_SAFETY_MARGIN_MS)) {
+            return;
+        }
+        if (!this.apiKey) {
+            throw new Error("No API key configured and no valid session on disk. Run register " +
+                "first, set ATOMIC_MAIL_API_KEY, or place credentials.json in the " +
+                "credential directory.");
+        }
+        const result = await performPoWAndSession({
+            authUrl: this.authUrl,
+            scryptSalt: this.scryptSalt,
+            apiKey: this.apiKey,
+        });
+        this.sessionJWT = result.sessionJWT;
+        this.capabilityJWT = undefined;
+        this.cachedMailAccountId = undefined;
+        await writeJwtFile(this.files.sessionFile, this.sessionJWT);
+    }
+    destroy() {
+        // reserved
+    }
+}
+/** PoW login with an existing API key; writes credentials + JWT files. */
+export async function persistLoginWithApiKey(input) {
+    const authUrl = input.authUrl.replace(/\/+$/, "");
+    const apiUrl = input.apiUrl.replace(/\/+$/, "");
+    const session = await performPoWAndSession({
+        authUrl,
+        scryptSalt: input.scryptSalt,
+        apiKey: input.apiKey,
+        onPowProgress: input.onPowProgress,
+    });
+    const capabilityJWT = await fetchCapability(authUrl, session.sessionJWT);
+    const claims = decodeJwtPayload(capabilityJWT);
+    const inboxId = claims.inboxId;
+    if (typeof inboxId !== "string" || inboxId.length === 0) {
+        throw new Error("Capability JWT did not contain an inboxId claim.");
+    }
+    await writeCredentials(input.files.credentialsFile, {
+        apiKey: input.apiKey,
+        inboxId,
+        authUrl,
+        apiUrl,
+        scryptSalt: input.scryptSalt,
+    });
+    await writeJwtFile(input.files.sessionFile, session.sessionJWT);
+    await writeJwtFile(input.files.capabilityFile, capabilityJWT);
+    return { inboxId };
+}

package/esm/lib/core/consts.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"consts.d.ts","sourceRoot":"","sources":["../../../src/lib/core/consts.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,qEAC4B,CAAC;AAErE,eAAO,MAAM,UAAU,OAAO,CAAC;AAC/B,eAAO,MAAM,UAAU,QAAkB,CAAC;AAC1C,eAAO,MAAM,WAAW,QAAkB,CAAC;AAC3C,eAAO,MAAM,UAAU,QAAmB,CAAC;AAC3C,eAAO,MAAM,YAAY,QAAkB,CAAC;AAC5C,eAAO,MAAM,WAAW,QAAmB,CAAC"}

package/esm/lib/core/types.d.ts

@@ -0,0 +1,2 @@
+export type MaybePromise<R> = R | Promise<R>;
+//# sourceMappingURL=types.d.ts.map

package/esm/lib/core/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/lib/core/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,YAAY,CAAC,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC"}

package/esm/lib/core/types.js

@@ -0,0 +1 @@
+export {};

package/esm/lib/core/utils.d.ts

@@ -0,0 +1,10 @@
+import type { MaybePromise } from "./types.js";
+export declare function delay(ms: number): Promise<void>;
+export type RetryCfg = {
+    maxTimeoutMs?: number;
+    startTimeoutMs?: number;
+    backoffMul?: number;
+    onBeforeRetry?: (e: unknown) => MaybePromise<void>;
+};
+export declare function retry<R>(fn: () => MaybePromise<R>, config: RetryCfg): Promise<R>;
+//# sourceMappingURL=utils.d.ts.map

package/esm/lib/core/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/lib/core/utils.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,wBAAgB,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAE/C;AAED,MAAM,MAAM,QAAQ,GAAG;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,aAAa,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,YAAY,CAAC,IAAI,CAAC,CAAC;CACpD,CAAC;AASF,wBAAsB,KAAK,CAAC,CAAC,EAC3B,EAAE,EAAE,MAAM,YAAY,CAAC,CAAC,CAAC,EACzB,MAAM,EAAE,QAAQ,GACf,OAAO,CAAC,CAAC,CAAC,CAgBZ"}

package/esm/lib/core/utils.js

@@ -0,0 +1,28 @@
+import { ONE_SEC_MS } from "./consts.js";
+export function delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+const defaultCfg = {
+    maxTimeoutMs: ONE_SEC_MS * 32,
+    startTimeoutMs: ONE_SEC_MS,
+    backoffMul: 2,
+};
+// retry with exponential backoff, retries the fn on throw, re-throws on max backoff
+export async function retry(fn, config) {
+    const cfg = { ...defaultCfg, ...config };
+    let curTimeoutMs = cfg.startTimeoutMs;
+    while (true) {
+        try {
+            const res = await fn();
+            return res;
+        }
+        catch (e) {
+            if (cfg.onBeforeRetry)
+                await cfg.onBeforeRetry(e);
+            if (curTimeoutMs > cfg.maxTimeoutMs)
+                throw e;
+            await delay(curTimeoutMs);
+            curTimeoutMs = Math.floor(curTimeoutMs * cfg.backoffMul);
+        }
+    }
+}

package/esm/lib/mod.d.ts

@@ -0,0 +1,14 @@
+export * from "./network/auth-client.js";
+export * from "./core/utils.js";
+export * from "./core/consts.js";
+export * from "./core/types.js";
+export * from "./agent/session/agent-credentials-store.js";
+export * from "./agent/auth/agent-jwt.js";
+export * from "./agent/auth/agent-pow.js";
+export * from "./agent/auth/agent-auth-http.js";
+export * from "./agent/jmap/agent-jmap.js";
+export * from "./agent/session/agent-session.js";
+export * from "./agent/session/agent-resolve-config.js";
+export * from "./agent/jmap/agent-help-content.js";
+export * from "./agent/jmap/agent-vars.js";
+//# sourceMappingURL=mod.d.ts.map

package/esm/lib/mod.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../src/lib/mod.ts"],"names":[],"mappings":"AAAA,cAAc,0BAA0B,CAAC;AACzC,cAAc,iBAAiB,CAAC;AAChC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAEhC,cAAc,4CAA4C,CAAC;AAC3D,cAAc,2BAA2B,CAAC;AAC1C,cAAc,2BAA2B,CAAC;AAC1C,cAAc,iCAAiC,CAAC;AAChD,cAAc,4BAA4B,CAAC;AAC3C,cAAc,kCAAkC,CAAC;AACjD,cAAc,yCAAyC,CAAC;AACxD,cAAc,oCAAoC,CAAC;AACnD,cAAc,4BAA4B,CAAC"}

package/esm/lib/mod.js

@@ -0,0 +1,13 @@
+export * from "./network/auth-client.js";
+export * from "./core/utils.js";
+export * from "./core/consts.js";
+export * from "./core/types.js";
+export * from "./agent/session/agent-credentials-store.js";
+export * from "./agent/auth/agent-jwt.js";
+export * from "./agent/auth/agent-pow.js";
+export * from "./agent/auth/agent-auth-http.js";
+export * from "./agent/jmap/agent-jmap.js";
+export * from "./agent/session/agent-session.js";
+export * from "./agent/session/agent-resolve-config.js";
+export * from "./agent/jmap/agent-help-content.js";
+export * from "./agent/jmap/agent-vars.js";

package/esm/lib/network/auth-client.d.ts

@@ -0,0 +1,57 @@
+export interface AuthClientOptions {
+    /** Base URL of auth-service, e.g. "http://localhost:8000". Trailing slashes are stripped. */
+    baseUrl: string;
+    /**
+     * PoW scrypt salt (hex string). When omitted, {@link DEFAULT_POW_SCRYPT_SALT_HEX}
+     * is used so clients match the bundled auth-service.
+     */
+    scryptSaltHex?: string;
+}
+export interface SignupResult {
+    /** Freshly minted API key. The server only returns it once — persist it. */
+    apiKey: string;
+    sessionJWT: string;
+}
+export interface LoginResult {
+    sessionJWT: string;
+}
+export interface RenewResult {
+    capabilityJWT: string;
+}
+/** Thrown for any non-2xx HTTP response or malformed payload. */
+export declare class AuthClientError extends Error {
+    status: number;
+    bodyText: string;
+    constructor(status: number, bodyText: string, message: string);
+}
+export declare class AuthClient {
+    private readonly baseUrl;
+    private readonly scryptSaltHex;
+    constructor(options: AuthClientOptions);
+    /**
+     * Register a new inbox under `username`. Returns the freshly minted API key
+     * (the server only ever returns it once — the caller MUST persist it) and
+     * a session JWT.
+     */
+    signup(username: string): Promise<SignupResult>;
+    /** Exchange an existing API key for a fresh session JWT. */
+    login(apiKey: string): Promise<LoginResult>;
+    /**
+     * Exchange a session JWT for a short-lived capability JWT (audience:
+     * api-service).
+     */
+    renew(sessionJWT: string): Promise<RenewResult>;
+    private fetchChallenge;
+    private postSession;
+    private parseJsonOrThrow;
+    /**
+     * Brute-force a PoW nonce. Mirrors `generatePow` in
+     * services/auth-service/src/crypto.ts: scrypt(`${challenge}:${nonce}`, salt,
+     * 64) until `difficulty` leading bits of the digest are zero.
+     *
+     * Expected work at the server's POW_DIFFICULTY=6 is ~2^6 = 64 attempts; well
+     * within the challenge JWT's 3-minute TTL.
+     */
+    private solvePoW;
+}
+//# sourceMappingURL=auth-client.d.ts.map

package/esm/lib/network/auth-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-client.d.ts","sourceRoot":"","sources":["../../../src/lib/network/auth-client.ts"],"names":[],"mappings":"AAoBA,MAAM,WAAW,iBAAiB;IAChC,6FAA6F;IAC7F,OAAO,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,YAAY;IAC3B,4EAA4E;IAC5E,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,iEAAiE;AACjE,qBAAa,eAAgB,SAAQ,KAAK;IACxC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;gBAEL,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;CAM9D;AAOD,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;gBAE3B,OAAO,EAAE,iBAAiB;IAKtC;;;;OAIG;IACG,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAwBrD,4DAA4D;IACtD,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAqBjD;;;OAGG;IACG,KAAK,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;YAgBvC,cAAc;YAkCd,WAAW;YAeX,gBAAgB;IAuB9B;;;;;;;OAOG;YACW,QAAQ;CAgBvB"}