@atomicmail/mcp 0.2.0 → 0.2.2

package/README.md

@@ -1,70 +1,233 @@
+---
+description: Install and configure the @atomicmail/mcp stdio server, tools (register, jmap_request, help), and host-specific notes for chat-based agents.
+---
+
 # @atomicmail/mcp
 
 Atomic Mail MCP server — a local stdio Model Context Protocol server that gives
 an AI agent a programmable email inbox over JMAP, with automatic Proof-of-Work
 auth and capability-token rotation.
 
-The server is authored in TypeScript on Deno and built with
-[`dnt`](https://jsr.io/@deno/dnt) into a Node-compatible npm package, so the
-**same source** runs unchanged on Deno, Node, and Bun.
+## Install
 
-It is the MCP companion to
-[`@atomicmail/agent-skill`](https://www.npmjs.com/package/@atomicmail/agent-skill)
-— a CLI with identical credential semantics. The MCP and the skill share the
-same on-disk layout (`credentials.json` + `session.jwt` + `capability.jwt`).
+```json
+// mcp.json
+
+{
+  "mcpServers": {
+    "atomicmail": {
+      "command": "npx",
+      "args": ["-y", "@atomicmail/mcp"]
+    }
+  }
+}
+```
+
+Your MCP host spawns this process; see configuration below.
 
 ## Tools exposed
 
-| Tool           | Description                                                                                                                                               |
-| -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `register`     | PoW signup; persists credentials. Idempotent when username matches inbox.                                                                                 |
-| `jmap_request` | JMAP batch via `ops` or `ops_file`. Uppercase `$VAR_NAME` tokens are substituted (`$ACCOUNT_ID` / `$INBOX` from session; others via optional `vars` map). |
-| `help`         | Built-in docs (`topic` optional).                                                                                                                         |
+| Tool           | Description                                                                                                                                                                                 |
+| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `register`     | PoW signup; persists credentials. Idempotent when username matches inbox.                                                                                                                   |
+| `jmap_request` | JMAP batch via `ops` or `ops_file`. Uppercase `$VAR_NAME` tokens are substituted (`$ACCOUNT_ID` / `$INBOX` / `$UPLOAD_URL` / `$DOWNLOAD_URL` from session; others via optional `vars` map). |
+| `help`         | Built-in docs (`topic` optional); use `topic: "readme"` for the published package `README.md`.                                                                                              |
 
-## Install
+## Typical MCP workflow
 
-```bash
-npx -y @atomicmail/mcp
-bunx @atomicmail/mcp
-deno run -A npm:@atomicmail/mcp/atomicmail-mcp
-```
+1. Call `register` with a username (or rely on existing `credentials.json`).
+2. `jmap_request` with `ops` or `ops_file` (optional `vars` for `$TO`,
+   `$SUBJECT`, etc.).
+3. `help` when stuck.
 
-Your MCP host spawns this process; see configuration below.
+## `jmap_request` input patterns
 
-## Defaults
+`jmap_request` accepts either:
 
-- auth endpoint: `https://auth.atomicmail.ai`
-- api endpoint: `https://api.atomicmail.ai`
-- credentials directory: `~/.atomicmail`
+- inline `ops` (JMAP methodCalls array), or
+- `ops_file` (JSON file path)
+
+When using `ops_file`, relative paths first resolve against the credential
+directory. If a file is not present there, the runtime falls back to bundled
+presets shipped in the npm package.
+
+## Presets and placeholders
+
+Presets are reusable JSON files for `jmap_request` batches:
+
+- Inline JSON: `{"ops":[...],"vars":{"COUNT":"10"}}`
+- Preset file: `{"ops_file":"list_inbox.json","vars":{"COUNT":"10"}}`
+
+Resolution order for `ops_file`:
+
+1. Resolve relative to credentials directory (`~/.atomicmail` by default).
+2. If missing, fall back to bundled presets in the npm package.
+
+Placeholder rules:
 
-## Credential files
+- Pattern: `$VAR_NAME`, where `VAR_NAME` matches `^[A-Z][A-Z0-9_]*$`.
+- Built-ins: `$ACCOUNT_ID`, `$INBOX`, `$UPLOAD_URL`, `$DOWNLOAD_URL`.
+- Lowercase `$tokens` such as JMAP back-references (`$draft`) are not matched.
+- Custom placeholders: passed in `vars` as string values.
+- Resolution order per variable: `vars` first, then built-in auto-resolvers.
+- Built-ins can be overridden by providing `ACCOUNT_ID`, `INBOX`, `UPLOAD_URL`,
+  or `DOWNLOAD_URL` in `vars`.
+- If any referenced variable is unresolved, `jmap_request` fails with a missing
+  variables error.
+- Substitution is single-pass: inserted values are not scanned again for nested
+  `$VAR_NAME` tokens.
+
+Bundled presets:
+
+- `send_mail.json` (`$TO`, `$SUBJECT`, `$BODY`)
+- `list_inbox.json` (`$COUNT`)
+- `reply.json` (`$MAIL_ID`, `$BODY`)
+
+`ops-file` resolves against credentials directory first, then bundled presets
+inside the package.
+
+Example:
+
+`{ "ops_file": "list_inbox.json", "vars": { "COUNT": "10" } }`
+
+## Credential files and token lifecycle
 
 Mode `0600`:
 
-- `credentials.json` — `{ apiKey, inboxId, authUrl, apiUrl, scryptSalt }`
-- `session.jwt` — 4h TTL, rotated via PoW
+- `credentials.json` —
+  `{ apiKey, inboxId, authUrl, apiUrl, scryptSalt, uploadUrl, downloadUrl }`
+- `session.jwt` — 1h TTL, rotated via PoW
 - `capability.jwt` — 2m TTL, rotated before JMAP calls
 
-Use **`npx atomicmail register`** (from `@atomicmail/agent-skill`) against the
-same directory, or the MCP `register` tool.
+These files are created and rotated automatically by MCP tool calls. AgentSkill
+CLI uses the same files.
+
+During PoW auth, the challenge JWT is exchanged via `Authorization: Bearer ...`
+for both `POST /api/v1/challenge` (response header) and `POST /api/v1/session`
+(request header), and session JWT is read from the `POST /api/v1/session`
+response header. `POST /api/v1/capability` accepts session JWT via bearer header
+and returns capability JWT in the response bearer header. PoW values (`powHex`,
+`nonce`) remain in the JSON body for session creation.
+
+## Attachments and blobs
 
-## MCP host configuration examples
+Two blob paths are supported:
 
-### Cursor
+- **RFC 9404 in-band blobs** via `Blob/upload` and `Blob/get` over
+  `jmap_request`.
+- **RFC 8620 out-of-band blobs** via `uploadUrl` and `downloadUrl` templates
+  from JMAP session.
 
-`~/.cursor/mcp.json`:
+### Inline blob flow (RFC 9404)
+
+Add `urn:ietf:params:jmap:blob` and upload data in the same JMAP batch:
 
 ```json
 {
-  "mcpServers": {
-    "atomicmail": {
-      "command": "npx",
-      "args": ["-y", "@atomicmail/mcp"]
-    }
-  }
+  "using": [
+    "urn:ietf:params:jmap:core",
+    "urn:ietf:params:jmap:mail",
+    "urn:ietf:params:jmap:submission",
+    "urn:ietf:params:jmap:blob"
+  ],
+  "methodCalls": [
+    [
+      "Blob/upload",
+      {
+        "accountId": "$ACCOUNT_ID",
+        "create": {
+          "b1": {
+            "data:asText": "Hello attachment",
+            "type": "text/plain"
+          }
+        }
+      },
+      "b0"
+    ],
+    [
+      "Email/set",
+      {
+        "accountId": "$ACCOUNT_ID",
+        "create": {
+          "m1": {
+            "from": [{ "email": "$INBOX" }],
+            "to": [{ "email": "$TO" }],
+            "subject": "With attachment",
+            "bodyValues": {
+              "body1": { "value": "See attachment." }
+            },
+            "textBody": [{ "partId": "body1", "type": "text/plain" }],
+            "attachments": [
+              {
+                "blobId": "#b1",
+                "type": "text/plain",
+                "name": "note.txt"
+              }
+            ]
+          }
+        }
+      },
+      "m0"
+    ],
+    [
+      "EmailSubmission/set",
+      {
+        "accountId": "$ACCOUNT_ID",
+        "create": { "s1": { "emailId": "#m1" } }
+      },
+      "s0"
+    ]
+  ]
 }
 ```
 
+### Separate upload/download flow (RFC 8620)
+
+Use the templated URLs from session/credentials:
+
+- `$UPLOAD_URL` template contains `{accountId}`.
+- `$DOWNLOAD_URL` template contains `{accountId}`, `{blobId}`, `{name}`, and
+  `{type}`.
+
+Example (MCP flow):
+
+1. Call `jmap_request` to get attachment metadata (for example `Email/get` with
+   `attachments`).
+2. Expand `$DOWNLOAD_URL` template with account/blob metadata and fetch bytes
+   via HTTP bearer auth.
+3. To upload bytes, expand `$UPLOAD_URL` with account id and POST binary content
+   per RFC 8620 upload endpoint.
+
+### Blob retrieval (RFC 9404)
+
+For in-band retrieval, use `Blob/get`:
+
+```json
+{
+  "using": [
+    "urn:ietf:params:jmap:core",
+    "urn:ietf:params:jmap:blob"
+  ],
+  "methodCalls": [
+    [
+      "Blob/get",
+      {
+        "accountId": "$ACCOUNT_ID",
+        "ids": ["$BLOB_ID"],
+        "properties": ["id", "data:asBase64", "size", "type"]
+      },
+      "g0"
+    ]
+  ]
+}
+```
+
+## Defaults
+
+- auth endpoint: `https://auth.atomicmail.ai`
+- api endpoint: `https://api.atomicmail.ai`
+- credentials directory: `~/.atomicmail`
+
 ## Overriding defaults
 
 ```json
@@ -84,50 +247,3 @@ same directory, or the MCP `register` tool.
   }
 }
 ```
-
-## Typical agent workflow
-
-1. `register` with a username (or rely on existing `credentials.json`).
-2. `jmap_request` with `ops` or `ops_file` (optional `vars` for `$TO`,
-   `$SUBJECT`, etc.).
-3. `help` when stuck.
-
-## JMAP presets (`ops_file`)
-
-Relative paths resolve against the credential directory. Example file
-`fetch_last_100.json` — then call `jmap_request` with
-`{ "ops_file": "fetch_last_100.json" }`.
-
-See `help` with topic `presets`.
-
-## Develop
-
-```bash
-deno task start
-deno task check
-deno task fmt
-deno task build:npm
-node npm/esm/mcp/src/main.js
-```
-
-### Project layout
-
-```
-mcp/
-├── deno.json
-├── build_npm.ts
-├── README.md
-├── src/
-│   ├── main.ts
-│   └── tools/
-│       ├── register.ts
-│       ├── jmap.ts
-│       └── help.ts
-└── npm/               # dnt output (gitignored)
-```
-
-Shared auth/JMAP logic lives in [`../lib/`](../lib/) (`AgentSession`, etc.).
-
-## License
-
-MIT

package/esm/_dnt.polyfills.d.ts

@@ -0,0 +1,101 @@
+/**
+ * Based on [import-meta-ponyfill](https://github.com/gaubee/import-meta-ponyfill),
+ * but instead of using npm to install additional dependencies,
+ * this approach manually consolidates cjs/mjs/d.ts into a single file.
+ *
+ * Note that this code might be imported multiple times
+ * (for example, both dnt.test.polyfills.ts and dnt.polyfills.ts contain this code;
+ *  or Node.js might dynamically clear the cache and then force a require).
+ * Therefore, it's important to avoid redundant writes to global objects.
+ * Additionally, consider that commonjs is used alongside esm,
+ * so the two ponyfill functions are stored independently in two separate global objects.
+ */
+import { createRequire } from "node:module";
+import { type URL } from "node:url";
+declare global {
+    interface ImportMeta {
+        /** A string representation of the fully qualified module URL. When the
+         * module is loaded locally, the value will be a file URL (e.g.
+         * `file:///path/module.ts`).
+         *
+         * You can also parse the string as a URL to determine more information about
+         * how the current module was loaded. For example to determine if a module was
+         * local or not:
+         *
+         * ```ts
+         * const url = new URL(import.meta.url);
+         * if (url.protocol === "file:") {
+         *   console.log("this module was loaded locally");
+         * }
+         * ```
+         */
+        url: string;
+        /**
+         * A function that returns resolved specifier as if it would be imported
+         * using `import(specifier)`.
+         *
+         * ```ts
+         * console.log(import.meta.resolve("./foo.js"));
+         * // file:///dev/foo.js
+         * ```
+         *
+         * @param specifier The module specifier to resolve relative to `parent`.
+         * @param parent The absolute parent module URL to resolve from.
+         * @returns The absolute (`file:`) URL string for the resolved module.
+         */
+        resolve(specifier: string, parent?: string | URL | undefined): string;
+        /** A flag that indicates if the current module is the main module that was
+         * called when starting the program under Deno.
+         *
+         * ```ts
+         * if (import.meta.main) {
+         *   // this was loaded as the main module, maybe do some bootstrapping
+         * }
+         * ```
+         */
+        main: boolean;
+        /** The absolute path of the current module.
+         *
+         * This property is only provided for local modules (ie. using `file://` URLs).
+         *
+         * Example:
+         * ```
+         * // Unix
+         * console.log(import.meta.filename); // /home/alice/my_module.ts
+         *
+         * // Windows
+         * console.log(import.meta.filename); // C:\alice\my_module.ts
+         * ```
+         */
+        filename: string;
+        /** The absolute path of the directory containing the current module.
+         *
+         * This property is only provided for local modules (ie. using `file://` URLs).
+         *
+         * * Example:
+         * ```
+         * // Unix
+         * console.log(import.meta.dirname); // /home/alice
+         *
+         * // Windows
+         * console.log(import.meta.dirname); // C:\alice
+         * ```
+         */
+        dirname: string;
+    }
+}
+type NodeRequest = ReturnType<typeof createRequire>;
+type NodeModule = NonNullable<NodeRequest["main"]>;
+interface ImportMetaPonyfillCommonjs {
+    (require: NodeRequest, module: NodeModule): ImportMeta;
+}
+interface ImportMetaPonyfillEsmodule {
+    (importMeta: ImportMeta): ImportMeta;
+}
+interface ImportMetaPonyfill extends ImportMetaPonyfillCommonjs, ImportMetaPonyfillEsmodule {
+}
+export declare let import_meta_ponyfill_commonjs: ImportMetaPonyfillCommonjs;
+export declare let import_meta_ponyfill_esmodule: ImportMetaPonyfillEsmodule;
+export declare let import_meta_ponyfill: ImportMetaPonyfill;
+export {};
+//# sourceMappingURL=_dnt.polyfills.d.ts.map

package/esm/_dnt.polyfills.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"_dnt.polyfills.d.ts","sourceRoot":"","sources":["../src/_dnt.polyfills.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,OAAO,EAAgC,KAAK,GAAG,EAAE,MAAM,UAAU,CAAC;AAGlE,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,UAAU;QAClB;;;;;;;;;;;;;;WAcG;QACH,GAAG,EAAE,MAAM,CAAC;QACZ;;;;;;;;;;;;WAYG;QACH,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,GAAG,GAAG,SAAS,GAAG,MAAM,CAAC;QACtE;;;;;;;;WAQG;QACH,IAAI,EAAE,OAAO,CAAC;QAEd;;;;;;;;;;;;WAYG;QACH,QAAQ,EAAE,MAAM,CAAC;QAEjB;;;;;;;;;;;;WAYG;QACH,OAAO,EAAE,MAAM,CAAC;KACjB;CACF;AAED,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC;AACpD,KAAK,UAAU,GAAG,WAAW,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;AACnD,UAAU,0BAA0B;IAClC,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,UAAU,GAAG,UAAU,CAAC;CACxD;AACD,UAAU,0BAA0B;IAClC,CAAC,UAAU,EAAE,UAAU,GAAG,UAAU,CAAC;CACtC;AACD,UAAU,kBACR,SAAQ,0BAA0B,EAAE,0BAA0B;CAC/D;AAiBD,eAAO,IAAI,6BAA6B,EA2BnC,0BAA0B,CAAC;AAMhC,eAAO,IAAI,6BAA6B,EA4DnC,0BAA0B,CAAC;AAMhC,eAAO,IAAI,oBAAoB,EAoB1B,kBAAkB,CAAC"}

package/esm/_dnt.polyfills.js

@@ -0,0 +1,127 @@
+/**
+ * Based on [import-meta-ponyfill](https://github.com/gaubee/import-meta-ponyfill),
+ * but instead of using npm to install additional dependencies,
+ * this approach manually consolidates cjs/mjs/d.ts into a single file.
+ *
+ * Note that this code might be imported multiple times
+ * (for example, both dnt.test.polyfills.ts and dnt.polyfills.ts contain this code;
+ *  or Node.js might dynamically clear the cache and then force a require).
+ * Therefore, it's important to avoid redundant writes to global objects.
+ * Additionally, consider that commonjs is used alongside esm,
+ * so the two ponyfill functions are stored independently in two separate global objects.
+ */
+//@ts-ignore
+import { createRequire } from "node:module";
+//@ts-ignore
+import { fileURLToPath, pathToFileURL } from "node:url";
+//@ts-ignore
+import { dirname } from "node:path";
+const defineGlobalPonyfill = (symbolFor, fn) => {
+    if (!Reflect.has(globalThis, Symbol.for(symbolFor))) {
+        Object.defineProperty(globalThis, Symbol.for(symbolFor), {
+            configurable: true,
+            get() {
+                return fn;
+            },
+        });
+    }
+};
+export let import_meta_ponyfill_commonjs = (Reflect.get(globalThis, Symbol.for("import-meta-ponyfill-commonjs")) ??
+    (() => {
+        const moduleImportMetaWM = new WeakMap();
+        return (require, module) => {
+            let importMetaCache = moduleImportMetaWM.get(module);
+            if (importMetaCache == null) {
+                const importMeta = Object.assign(Object.create(null), {
+                    url: pathToFileURL(module.filename).href,
+                    main: require.main == module,
+                    resolve: (specifier, parentURL = importMeta.url) => {
+                        return pathToFileURL((importMeta.url === parentURL
+                            ? require
+                            : createRequire(parentURL))
+                            .resolve(specifier)).href;
+                    },
+                    filename: module.filename,
+                    dirname: module.path,
+                });
+                moduleImportMetaWM.set(module, importMeta);
+                importMetaCache = importMeta;
+            }
+            return importMetaCache;
+        };
+    })());
+defineGlobalPonyfill("import-meta-ponyfill-commonjs", import_meta_ponyfill_commonjs);
+export let import_meta_ponyfill_esmodule = (Reflect.get(globalThis, Symbol.for("import-meta-ponyfill-esmodule")) ??
+    ((importMeta) => {
+        const resolveFunStr = String(importMeta.resolve);
+        const shimWs = new WeakSet();
+        //@ts-ignore
+        const mainUrl = ("file:///" + process.argv[1].replace(/\\/g, "/"))
+            .replace(/\/{3,}/, "///");
+        const commonShim = (importMeta) => {
+            if (typeof importMeta.main !== "boolean") {
+                importMeta.main = importMeta.url === mainUrl;
+            }
+            if (typeof importMeta.filename !== "string") {
+                importMeta.filename = fileURLToPath(importMeta.url);
+                importMeta.dirname = dirname(importMeta.filename);
+            }
+        };
+        if (
+        // v16.2.0+, v14.18.0+: Add support for WHATWG URL object to parentURL parameter.
+        resolveFunStr === "undefined" ||
+            // v20.0.0+, v18.19.0+"" This API now returns a string synchronously instead of a Promise.
+            resolveFunStr.startsWith("async")
+        // enable by --experimental-import-meta-resolve flag
+        ) {
+            import_meta_ponyfill_esmodule = (importMeta) => {
+                if (!shimWs.has(importMeta)) {
+                    shimWs.add(importMeta);
+                    const importMetaUrlRequire = {
+                        url: importMeta.url,
+                        require: createRequire(importMeta.url),
+                    };
+                    importMeta.resolve = function resolve(specifier, parentURL = importMeta.url) {
+                        return pathToFileURL((importMetaUrlRequire.url === parentURL
+                            ? importMetaUrlRequire.require
+                            : createRequire(parentURL)).resolve(specifier)).href;
+                    };
+                    commonShim(importMeta);
+                }
+                return importMeta;
+            };
+        }
+        else {
+            /// native support
+            import_meta_ponyfill_esmodule = (importMeta) => {
+                if (!shimWs.has(importMeta)) {
+                    shimWs.add(importMeta);
+                    commonShim(importMeta);
+                }
+                return importMeta;
+            };
+        }
+        return import_meta_ponyfill_esmodule(importMeta);
+    }));
+defineGlobalPonyfill("import-meta-ponyfill-esmodule", import_meta_ponyfill_esmodule);
+export let import_meta_ponyfill = ((...args) => {
+    const _MODULE = (() => {
+        if (typeof require === "function" && typeof module === "object") {
+            return "commonjs";
+        }
+        else {
+            // eval("typeof import.meta");
+            return "esmodule";
+        }
+    })();
+    if (_MODULE === "commonjs") {
+        //@ts-ignore
+        import_meta_ponyfill = (r, m) => import_meta_ponyfill_commonjs(r, m);
+    }
+    else {
+        //@ts-ignore
+        import_meta_ponyfill = (im) => import_meta_ponyfill_esmodule(im);
+    }
+    //@ts-ignore
+    return import_meta_ponyfill(...args);
+});

package/esm/lib/agent/auth/agent-auth-http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-auth-http.d.ts","sourceRoot":"","sources":["../../../../src/lib/agent/auth/agent-auth-http.ts"],"names":[],"mappings":"AAKA,wBAAsB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC;IAC7D,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC,CA8BD;AAED,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE;IACJ,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC,eAAe,CAAC,CA8B1B;AAED,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,CAejB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;CACzC;AAED,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,eAAe,GACrB,OAAO,CAAC,eAAe,CAAC,CAgB1B"}

package/esm/lib/agent/auth/agent-auth-http.js

@@ -0,0 +1,85 @@
+// auth-service HTTP: challenge → session → capability.
+import { decodeJwtPayload } from "./agent-jwt.js";
+import { solvePow } from "./agent-pow.js";
+export async function fetchChallenge(authUrl) {
+    const res = await fetch(`${authUrl}/api/v1/challenge`, {
+        method: "POST",
+    });
+    const text = await res.text();
+    if (!res.ok) {
+        throw new Error(`auth-service /api/v1/challenge returned ${res.status}: ${text}`);
+    }
+    const challengeJWT = readBearerToken(res.headers.get("Authorization"), "Challenge response missing Authorization bearer token.");
+    const payload = decodeJwtPayload(challengeJWT);
+    if (typeof payload.jti !== "string" ||
+        typeof payload.difficulty !== "number") {
+        throw new Error("Challenge JWT payload malformed (missing jti or difficulty).");
+    }
+    return {
+        challengeJWT,
+        challenge: payload.jti,
+        difficulty: payload.difficulty,
+    };
+}
+export async function exchangeSession(authUrl, body) {
+    const { challengeJWT, ...payload } = body;
+    const res = await fetch(`${authUrl}/api/v1/session`, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${challengeJWT}`,
+        },
+        body: JSON.stringify(payload),
+    });
+    const text = await res.text();
+    if (!res.ok) {
+        throw new Error(`auth-service /api/v1/session returned ${res.status}: ${text}`);
+    }
+    const sessionJWT = readBearerToken(res.headers.get("Authorization"), "Session response missing Authorization bearer token.");
+    let data = {};
+    if (text.trim().length > 0) {
+        try {
+            data = JSON.parse(text);
+        }
+        catch {
+            throw new Error("auth-service /api/v1/session returned non-JSON body.");
+        }
+    }
+    return {
+        sessionJWT,
+        apiKey: typeof data.apiKey === "string" ? data.apiKey : undefined,
+    };
+}
+export async function fetchCapability(authUrl, sessionJWT) {
+    const res = await fetch(`${authUrl}/api/v1/capability`, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${sessionJWT}` },
+    });
+    const text = await res.text();
+    if (!res.ok) {
+        throw new Error(`auth-service /api/v1/capability returned ${res.status}: ${text}`);
+    }
+    return readBearerToken(res.headers.get("Authorization"), "Capability response missing Authorization bearer token.");
+}
+export async function performPoWAndSession(input) {
+    const { authUrl, scryptSalt } = input;
+    const { challengeJWT, challenge, difficulty } = await fetchChallenge(authUrl);
+    const { powHex, nonce } = await solvePow(challenge, difficulty, scryptSalt, input.onPowProgress);
+    return exchangeSession(authUrl, {
+        challengeJWT,
+        powHex,
+        nonce,
+        apiKey: input.apiKey,
+        username: input.username,
+    });
+}
+function readBearerToken(headerValue, missingError) {
+    if (!headerValue) {
+        throw new Error(missingError);
+    }
+    const match = /^\s*Bearer\s+(.+?)\s*$/i.exec(headerValue);
+    if (!match || !match[1]) {
+        throw new Error("Authorization header must use Bearer scheme.");
+    }
+    return match[1];
+}

package/esm/lib/{src → agent/auth}/agent-jwt.d.ts

@@ -1,5 +1,3 @@
-export declare const SESSION_TTL_MS: number;
-export declare const CAPABILITY_TTL_MS: number;
 export declare const SESSION_SAFETY_MARGIN_MS = 60000;
 export declare const CAPABILITY_SAFETY_MARGIN_MS = 20000;
 export interface JwtPayload {

package/esm/lib/agent/auth/agent-jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-jwt.d.ts","sourceRoot":"","sources":["../../../../src/lib/agent/auth/agent-jwt.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,wBAAwB,QAAS,CAAC;AAC/C,eAAO,MAAM,2BAA2B,QAAS,CAAC;AAElD,MAAM,WAAW,UAAU;IACzB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,wBAAgB,gBAAgB,CAAC,CAAC,GAAG,UAAU,EAAE,GAAG,EAAE,MAAM,GAAG,CAAC,CAc/D;AAED,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAQnE"}

package/esm/lib/{src → agent/auth}/agent-jwt.js

@@ -1,6 +1,4 @@
 // JWT helpers for capability/session expiry checks.
-export const SESSION_TTL_MS = 4 * 60 * 60 * 1000;
-export const CAPABILITY_TTL_MS = 2 * 60 * 1000;
 export const SESSION_SAFETY_MARGIN_MS = 60_000;
 export const CAPABILITY_SAFETY_MARGIN_MS = 20_000;
 export function decodeJwtPayload(jwt) {

package/esm/lib/agent/auth/agent-pow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-pow.d.ts","sourceRoot":"","sources":["../../../../src/lib/agent/auth/agent-pow.ts"],"names":[],"mappings":"AAuCA,wBAAsB,QAAQ,CAC5B,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,MAAM,EACZ,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,GACnC,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,CAU5C"}

package/esm/lib/{src → agent/jmap}/agent-help-content.d.ts

@@ -1,4 +1,5 @@
 export declare const HELP_TOPICS: Record<string, string>;
 export declare const HELP_TOPIC_LIST: string[];
+export declare function normalizeHelpTopic(topic: string): string;
 export declare function getHelp(topic?: string): string;
 //# sourceMappingURL=agent-help-content.d.ts.map

package/esm/lib/agent/jmap/agent-help-content.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-help-content.d.ts","sourceRoot":"","sources":["../../../../src/lib/agent/jmap/agent-help-content.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CA0P9C,CAAC;AAEF,eAAO,MAAM,eAAe,UAA2B,CAAC;AAExD,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAExD;AAED,wBAAgB,OAAO,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAkB9C"}