@awebai/claude-channel 0.1.0

package/README.md

@@ -0,0 +1,18 @@
+# @awebai/claude-channel
+
+MCP stdio bridge for the aweb coordination server.
+
+## Usage
+
+Run the channel in a workspace that already has `.aw/workspace.yaml` and aw account config:
+
+```bash
+npx @awebai/claude-channel
+```
+
+For local development:
+
+```bash
+npm install
+npm start
+```

package/dist/api/chat.d.ts

@@ -0,0 +1,21 @@
+import type { APIClient } from "./client.js";
+import type { VerificationStatus } from "../identity/signing.js";
+export interface ChatMessage {
+    message_id: string;
+    from_agent: string;
+    from_address?: string;
+    to_address?: string;
+    body: string;
+    timestamp: string;
+    sender_leaving: boolean;
+    from_did?: string;
+    to_did?: string;
+    from_stable_id?: string;
+    to_stable_id?: string;
+    signature?: string;
+    signing_key_id?: string;
+    signed_payload?: string;
+    verification_status?: VerificationStatus;
+}
+export declare function fetchHistory(client: APIClient, sessionId: string, unreadOnly?: boolean, limit?: number): Promise<ChatMessage[]>;
+export declare function markRead(client: APIClient, sessionId: string, upToMessageId: string): Promise<void>;

package/dist/api/chat.js

@@ -0,0 +1,38 @@
+import { verifyMessage, verifySignedPayload } from "../identity/signing.js";
+export async function fetchHistory(client, sessionId, unreadOnly = false, limit = 50) {
+    const params = new URLSearchParams();
+    if (unreadOnly)
+        params.set("unread_only", "true");
+    if (limit > 0)
+        params.set("limit", String(limit));
+    const resp = await client.get(`/v1/chat/sessions/${encodeURIComponent(sessionId)}/messages?${params}`);
+    for (const msg of resp.messages) {
+        msg.verification_status = await verifyChatMessage(msg);
+    }
+    return resp.messages;
+}
+export async function markRead(client, sessionId, upToMessageId) {
+    await client.post(`/v1/chat/sessions/${encodeURIComponent(sessionId)}/read`, { up_to_message_id: upToMessageId });
+}
+async function verifyChatMessage(msg) {
+    if (msg.signed_payload && msg.signature && msg.from_did) {
+        return verifySignedPayload(msg.signed_payload, msg.signature, msg.from_did, msg.signing_key_id || "");
+    }
+    const from = msg.from_address || msg.from_agent;
+    const env = {
+        from,
+        from_did: msg.from_did || "",
+        to: msg.to_address || "",
+        to_did: msg.to_did || "",
+        type: "chat",
+        subject: "",
+        body: msg.body,
+        timestamp: msg.timestamp,
+        from_stable_id: msg.from_stable_id,
+        to_stable_id: msg.to_stable_id,
+        message_id: msg.message_id,
+        signature: msg.signature,
+        signing_key_id: msg.signing_key_id,
+    };
+    return verifyMessage(env);
+}

package/dist/api/client.d.ts

@@ -0,0 +1,15 @@
+export declare class APIClient {
+    private baseURL;
+    private apiKey;
+    constructor(baseURL: string, apiKey: string);
+    get<T>(path: string): Promise<T>;
+    post<T>(path: string, body?: unknown): Promise<T>;
+    private request;
+    /** Open an SSE stream. Returns the raw Response for streaming. */
+    openSSE(path: string): Promise<Response>;
+}
+export declare class APIError extends Error {
+    statusCode: number;
+    body: string;
+    constructor(statusCode: number, body: string);
+}

package/dist/api/client.js

@@ -0,0 +1,57 @@
+export class APIClient {
+    baseURL;
+    apiKey;
+    constructor(baseURL, apiKey) {
+        this.baseURL = baseURL;
+        this.apiKey = apiKey;
+    }
+    async get(path) {
+        return this.request("GET", path);
+    }
+    async post(path, body) {
+        return this.request("POST", path, body);
+    }
+    async request(method, path, body) {
+        const url = this.baseURL + path;
+        const headers = {
+            Authorization: `Bearer ${this.apiKey}`,
+            Accept: "application/json",
+        };
+        const init = { method, headers };
+        if (body !== undefined) {
+            headers["Content-Type"] = "application/json";
+            init.body = JSON.stringify(body);
+        }
+        const resp = await fetch(url, init);
+        if (!resp.ok) {
+            const text = await resp.text().catch(() => "");
+            throw new APIError(resp.status, text);
+        }
+        return resp.json();
+    }
+    /** Open an SSE stream. Returns the raw Response for streaming. */
+    async openSSE(path) {
+        const url = this.baseURL + path;
+        const resp = await fetch(url, {
+            headers: {
+                Authorization: `Bearer ${this.apiKey}`,
+                Accept: "text/event-stream",
+                "Cache-Control": "no-cache",
+            },
+        });
+        if (!resp.ok) {
+            const text = await resp.text().catch(() => "");
+            throw new APIError(resp.status, text);
+        }
+        return resp;
+    }
+}
+export class APIError extends Error {
+    statusCode;
+    body;
+    constructor(statusCode, body) {
+        super(body ? `aweb: http ${statusCode}: ${body}` : `aweb: http ${statusCode}`);
+        this.statusCode = statusCode;
+        this.body = body;
+    }
+}

package/dist/api/events.d.ts

@@ -0,0 +1,23 @@
+import type { APIClient } from "./client.js";
+export type AgentEventType = "connected" | "mail_message" | "chat_message" | "control_pause" | "control_resume" | "control_interrupt" | "work_available" | "claim_update" | "claim_removed" | "error";
+export interface AgentEvent {
+    type: AgentEventType;
+    agent_id?: string;
+    project_id?: string;
+    message_id?: string;
+    from_alias?: string;
+    session_id?: string;
+    subject?: string;
+    signal_id?: string;
+    task_id?: string;
+    title?: string;
+    status?: string;
+    text?: string;
+    sender_waiting?: boolean;
+}
+/**
+ * Consume the agent event stream (GET /v1/events/stream).
+ * Yields parsed AgentEvent objects. Reconnects on stream end.
+ */
+export declare function streamAgentEvents(client: APIClient, signal: AbortSignal): AsyncGenerator<AgentEvent>;
+export declare function parseAgentEvent(eventName: string, data: string): AgentEvent | null;

package/dist/api/events.js

@@ -0,0 +1,110 @@
+/**
+ * Consume the agent event stream (GET /v1/events/stream).
+ * Yields parsed AgentEvent objects. Reconnects on stream end.
+ */
+export async function* streamAgentEvents(client, signal) {
+    while (!signal.aborted) {
+        const deadline = new Date(Date.now() + 5 * 60 * 1000).toISOString();
+        let resp;
+        try {
+            resp = await client.openSSE(`/v1/events/stream?deadline=${encodeURIComponent(deadline)}`);
+        }
+        catch (err) {
+            if (signal.aborted)
+                return;
+            // Back off on connection failure
+            await sleep(5000, signal);
+            continue;
+        }
+        try {
+            yield* parseSSEResponse(resp, signal);
+        }
+        catch (err) {
+            if (signal.aborted)
+                return;
+            // Stream ended or errored — reconnect after brief pause
+            await sleep(1000, signal);
+        }
+        finally {
+            resp.body?.cancel().catch(() => { });
+        }
+    }
+}
+async function* parseSSEResponse(resp, signal) {
+    const reader = resp.body?.getReader();
+    if (!reader)
+        return;
+    const decoder = new TextDecoder();
+    let buffer = "";
+    let currentEvent = "";
+    let dataLines = [];
+    try {
+        while (!signal.aborted) {
+            const { done, value } = await reader.read();
+            if (done)
+                break;
+            buffer += decoder.decode(value, { stream: true });
+            const lines = buffer.split("\n");
+            buffer = lines.pop() || "";
+            for (const rawLine of lines) {
+                const line = rawLine.replace(/\r$/, "");
+                if (line === "") {
+                    // Empty line = event boundary
+                    if (currentEvent || dataLines.length > 0) {
+                        const event = parseAgentEvent(currentEvent, dataLines.join("\n"));
+                        if (event)
+                            yield event;
+                        currentEvent = "";
+                        dataLines = [];
+                    }
+                    continue;
+                }
+                if (line.startsWith(":"))
+                    continue; // comment
+                if (line.startsWith("event:")) {
+                    currentEvent = line.slice(6).trim();
+                }
+                else if (line.startsWith("data:")) {
+                    dataLines.push(line.slice(5).trim());
+                }
+            }
+        }
+    }
+    finally {
+        reader.releaseLock();
+    }
+}
+const KNOWN_TYPES = new Set([
+    "connected", "mail_message", "chat_message",
+    "control_pause", "control_resume", "control_interrupt",
+    "work_available", "claim_update", "claim_removed", "error",
+    "actionable_mail", "actionable_chat",
+]);
+export function parseAgentEvent(eventName, data) {
+    eventName = eventName.trim();
+    if (!eventName)
+        return null;
+    if (!KNOWN_TYPES.has(eventName))
+        return null;
+    if (eventName === "actionable_mail")
+        eventName = "mail_message";
+    if (eventName === "actionable_chat")
+        eventName = "chat_message";
+    try {
+        const payload = JSON.parse(data);
+        return { ...payload, type: eventName };
+    }
+    catch {
+        return { type: eventName };
+    }
+}
+function sleep(ms, signal) {
+    return new Promise((resolve) => {
+        if (signal.aborted) {
+            resolve();
+            return;
+        }
+        const timer = setTimeout(resolve, ms);
+        signal.addEventListener("abort", () => { clearTimeout(timer); resolve(); }, { once: true });
+    });
+}

package/dist/api/mail.d.ts

@@ -0,0 +1,26 @@
+import type { APIClient } from "./client.js";
+import type { VerificationStatus } from "../identity/signing.js";
+export interface InboxMessage {
+    message_id: string;
+    from_agent_id: string;
+    from_alias: string;
+    to_alias?: string;
+    from_address?: string;
+    to_address?: string;
+    subject: string;
+    body: string;
+    priority: string;
+    thread_id?: string;
+    read_at?: string;
+    created_at: string;
+    from_did?: string;
+    to_did?: string;
+    from_stable_id?: string;
+    to_stable_id?: string;
+    signature?: string;
+    signing_key_id?: string;
+    signed_payload?: string;
+    verification_status?: VerificationStatus;
+}
+export declare function fetchInbox(client: APIClient, unreadOnly?: boolean, limit?: number): Promise<InboxMessage[]>;
+export declare function ackMessage(client: APIClient, messageId: string): Promise<void>;

package/dist/api/mail.js

@@ -0,0 +1,40 @@
+import { verifyMessage, verifySignedPayload } from "../identity/signing.js";
+export async function fetchInbox(client, unreadOnly = true, limit = 50) {
+    const params = new URLSearchParams();
+    if (unreadOnly)
+        params.set("unread_only", "true");
+    if (limit > 0)
+        params.set("limit", String(limit));
+    const resp = await client.get(`/v1/messages/inbox?${params}`);
+    // Verify signatures on received messages
+    for (const msg of resp.messages) {
+        msg.verification_status = await verifyInboxMessage(msg);
+    }
+    return resp.messages;
+}
+export async function ackMessage(client, messageId) {
+    await client.post(`/v1/messages/${encodeURIComponent(messageId)}/ack`);
+}
+async function verifyInboxMessage(msg) {
+    if (msg.signed_payload && msg.signature && msg.from_did) {
+        return verifySignedPayload(msg.signed_payload, msg.signature, msg.from_did, msg.signing_key_id || "");
+    }
+    const from = msg.from_address || msg.from_alias;
+    const to = msg.to_address || msg.to_alias || "";
+    const env = {
+        from,
+        from_did: msg.from_did || "",
+        to,
+        to_did: msg.to_did || "",
+        type: "mail",
+        subject: msg.subject,
+        body: msg.body,
+        timestamp: msg.created_at,
+        from_stable_id: msg.from_stable_id,
+        to_stable_id: msg.to_stable_id,
+        message_id: msg.message_id,
+        signature: msg.signature,
+        signing_key_id: msg.signing_key_id,
+    };
+    return verifyMessage(env);
+}

package/dist/config.d.ts

@@ -0,0 +1,15 @@
+export interface AgentConfig {
+    baseURL: string;
+    apiKey: string;
+    did: string;
+    stableID: string;
+    address: string;
+    alias: string;
+    projectSlug: string;
+}
+/**
+ * Resolve agent configuration from the aw config files.
+ * Resolution order: worktree context → global config.
+ * Reads the same files as the Go aw client.
+ */
+export declare function resolveConfig(workdir: string): Promise<AgentConfig>;

package/dist/config.js

@@ -0,0 +1,66 @@
+import { readFile } from "node:fs/promises";
+import { join } from "node:path";
+import { homedir } from "node:os";
+import yaml from "js-yaml";
+/**
+ * Resolve agent configuration from the aw config files.
+ * Resolution order: worktree context → global config.
+ * Reads the same files as the Go aw client.
+ */
+export async function resolveConfig(workdir) {
+    const globalPath = process.env.AW_CONFIG_PATH || join(homedir(), ".config", "aw", "config.yaml");
+    const contextPath = join(workdir, ".aw", "context");
+    const workspacePath = join(workdir, ".aw", "workspace.yaml");
+    const globalConfig = await readYAML(globalPath);
+    if (!globalConfig?.accounts || Object.keys(globalConfig.accounts).length === 0) {
+        throw new Error(`no accounts configured in ${globalPath}`);
+    }
+    // Determine account name from worktree context or first available
+    let accountName;
+    const context = await readYAML(contextPath);
+    if (context?.default_account) {
+        accountName = context.default_account;
+    }
+    else if (context?.client_default_accounts?.aw) {
+        accountName = context.client_default_accounts.aw;
+    }
+    if (!accountName) {
+        accountName = Object.keys(globalConfig.accounts)[0];
+    }
+    const account = globalConfig.accounts[accountName];
+    if (!account) {
+        throw new Error(`account "${accountName}" not found in ${globalPath}`);
+    }
+    if (!account.api_key) {
+        throw new Error(`account "${accountName}" has no api_key`);
+    }
+    // Resolve server URL
+    const serverName = account.server || "default";
+    const server = globalConfig.servers?.[serverName];
+    const baseURL = server?.url || "https://app.aweb.ai";
+    // Resolve address
+    const namespace = account.namespace_slug || "";
+    const alias = account.alias || "";
+    const address = namespace && alias ? `${namespace}/${alias}` : "";
+    // Read workspace config for project slug
+    const workspace = await readYAML(workspacePath);
+    const projectSlug = account.default_project || workspace?.project_slug || "";
+    return {
+        baseURL,
+        apiKey: account.api_key,
+        did: account.did || "",
+        stableID: account.stable_id || "",
+        address,
+        alias,
+        projectSlug,
+    };
+}
+async function readYAML(path) {
+    try {
+        const content = await readFile(path, "utf-8");
+        return yaml.load(content) || null;
+    }
+    catch {
+        return null;
+    }
+}

package/dist/identity/did.d.ts

@@ -0,0 +1,6 @@
+/** Encode an Ed25519 public key as a did:key DID string. */
+export declare function computeDIDKey(publicKey: Uint8Array): string;
+/** Decode a did:key DID string to an Ed25519 public key. */
+export declare function extractPublicKey(did: string): Uint8Array;
+/** Derive the canonical did:aw stable identifier from an Ed25519 public key. */
+export declare function computeStableID(publicKey: Uint8Array): string;

package/dist/identity/did.js

@@ -0,0 +1,30 @@
+import { createHash } from "node:crypto";
+import bs58 from "bs58";
+const DID_KEY_PREFIX = "did:key:z";
+const ED25519_MULTICODEC = new Uint8Array([0xed, 0x01]);
+/** Encode an Ed25519 public key as a did:key DID string. */
+export function computeDIDKey(publicKey) {
+    const buf = new Uint8Array(2 + publicKey.length);
+    buf.set(ED25519_MULTICODEC);
+    buf.set(publicKey, 2);
+    return DID_KEY_PREFIX + bs58.encode(buf);
+}
+/** Decode a did:key DID string to an Ed25519 public key. */
+export function extractPublicKey(did) {
+    if (!did.startsWith(DID_KEY_PREFIX)) {
+        throw new Error(`invalid did:key: missing prefix "${DID_KEY_PREFIX}"`);
+    }
+    const decoded = bs58.decode(did.slice(DID_KEY_PREFIX.length));
+    if (decoded.length !== 34) {
+        throw new Error(`invalid did:key: expected 34 bytes, got ${decoded.length}`);
+    }
+    if (decoded[0] !== 0xed || decoded[1] !== 0x01) {
+        throw new Error(`invalid did:key: expected Ed25519 multicodec 0xed01, got 0x${decoded[0].toString(16).padStart(2, "0")}${decoded[1].toString(16).padStart(2, "0")}`);
+    }
+    return decoded.slice(2);
+}
+/** Derive the canonical did:aw stable identifier from an Ed25519 public key. */
+export function computeStableID(publicKey) {
+    const hash = createHash("sha256").update(publicKey).digest();
+    return "did:aw:" + bs58.encode(hash.subarray(0, 20));
+}

package/dist/identity/keys.d.ts

@@ -0,0 +1,2 @@
+/** Load an Ed25519 private key seed from a PEM file. */
+export declare function loadSigningKey(path: string): Promise<Uint8Array>;

package/dist/identity/keys.js

@@ -0,0 +1,18 @@
+import { readFile } from "node:fs/promises";
+/** Load an Ed25519 private key seed from a PEM file. */
+export async function loadSigningKey(path) {
+    const content = await readFile(path, "utf-8");
+    const match = content.match(/-----BEGIN ED25519 PRIVATE KEY-----\r?\n([\s\S]+?)\r?\n-----END ED25519 PRIVATE KEY-----/);
+    if (!match) {
+        throw new Error(`no ED25519 PRIVATE KEY PEM block in ${path}`);
+    }
+    const b64 = match[1].replace(/\s/g, "");
+    const bin = atob(b64);
+    const bytes = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++)
+        bytes[i] = bin.charCodeAt(i);
+    if (bytes.length !== 32) {
+        throw new Error(`invalid seed size ${bytes.length} in ${path}`);
+    }
+    return bytes;
+}

package/dist/identity/pinstore.d.ts

@@ -0,0 +1,22 @@
+export type PinResult = "ok" | "new" | "mismatch" | "skipped";
+export interface Pin {
+    address: string;
+    handle: string;
+    stable_id?: string;
+    did_key?: string;
+    first_seen: string;
+    last_seen: string;
+    server: string;
+}
+export declare class PinStore {
+    pins: Map<string, Pin>;
+    addresses: Map<string, string>;
+    /** Check whether a DID matches the stored pin for an address. */
+    checkPin(address: string, did: string, lifetime: string): PinResult;
+    /** Record or update a TOFU pin. */
+    storePin(did: string, address: string, handle: string, server: string): void;
+    /** Serialize to YAML (compatible with Go's known_agents.yaml). */
+    toYAML(): string;
+    /** Deserialize from YAML. */
+    static fromYAML(content: string): PinStore;
+}

package/dist/identity/pinstore.js

@@ -0,0 +1,68 @@
+import yaml from "js-yaml";
+export class PinStore {
+    pins = new Map();
+    addresses = new Map();
+    /** Check whether a DID matches the stored pin for an address. */
+    checkPin(address, did, lifetime) {
+        if (lifetime === "ephemeral")
+            return "skipped";
+        const pinnedDID = this.addresses.get(address);
+        if (pinnedDID === undefined)
+            return "new";
+        if (pinnedDID === did)
+            return "ok";
+        return "mismatch";
+    }
+    /** Record or update a TOFU pin. */
+    storePin(did, address, handle, server) {
+        const now = new Date().toISOString().replace(/\.\d{3}Z$/, "Z");
+        const existing = this.pins.get(did);
+        if (existing) {
+            if (existing.address !== address) {
+                this.addresses.delete(existing.address);
+                this.addresses.set(address, did);
+                existing.address = address;
+            }
+            existing.last_seen = now;
+            existing.handle = handle;
+            existing.server = server;
+            return;
+        }
+        this.pins.set(did, {
+            address,
+            handle,
+            first_seen: now,
+            last_seen: now,
+            server,
+        });
+        this.addresses.set(address, did);
+    }
+    /** Serialize to YAML (compatible with Go's known_agents.yaml). */
+    toYAML() {
+        const pinsObj = {};
+        for (const [k, v] of this.pins)
+            pinsObj[k] = v;
+        const addrsObj = {};
+        for (const [k, v] of this.addresses)
+            addrsObj[k] = v;
+        return yaml.dump({ pins: pinsObj, addresses: addrsObj });
+    }
+    /** Deserialize from YAML. */
+    static fromYAML(content) {
+        const data = yaml.load(content);
+        const store = new PinStore();
+        if (!data)
+            return store;
+        if (data.pins) {
+            for (const [k, v] of Object.entries(data.pins)) {
+                store.pins.set(k, v);
+            }
+        }
+        if (data.addresses) {
+            for (const [k, v] of Object.entries(data.addresses)) {
+                store.addresses.set(k, v);
+            }
+        }
+        return store;
+    }
+}

package/dist/identity/signing.d.ts

@@ -0,0 +1,36 @@
+export interface MessageEnvelope {
+    from: string;
+    from_did: string;
+    to: string;
+    to_did: string;
+    type: string;
+    subject: string;
+    body: string;
+    timestamp: string;
+    from_stable_id?: string;
+    to_stable_id?: string;
+    message_id?: string;
+    signature?: string;
+    signing_key_id?: string;
+}
+export type VerificationStatus = "verified" | "verified_custodial" | "unverified" | "failed" | "identity_mismatch";
+/**
+ * Build the canonical JSON payload for message signing.
+ * Fields are sorted lexicographically, no whitespace, minimal escaping.
+ * Optional fields (from_stable_id, message_id, to_stable_id) are omitted when empty.
+ */
+export declare function canonicalJSON(env: MessageEnvelope): string;
+/** Sign a message envelope. Returns base64 signature (no padding). */
+export declare function signMessage(seed: Uint8Array, env: MessageEnvelope): Promise<string>;
+/**
+ * Verify a message envelope signature.
+ * Returns 'unverified' if DID or signature is missing.
+ * Returns 'failed' if signature doesn't verify.
+ * Returns 'verified' if valid.
+ */
+export declare function verifyMessage(env: MessageEnvelope): Promise<VerificationStatus>;
+/**
+ * Verify a signature against a pre-computed canonical payload string.
+ * Use when the server returns signed_payload alongside the message.
+ */
+export declare function verifySignedPayload(signedPayload: string, signatureB64: string, fromDID: string, signingKeyID: string): Promise<VerificationStatus>;

package/dist/identity/signing.js

@@ -0,0 +1,161 @@
+import * as ed from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha2.js";
+import { extractPublicKey } from "./did.js";
+// @noble/ed25519 v2 requires setting the hash function
+ed.etc.sha512Sync = (...m) => sha512(ed.etc.concatBytes(...m));
+/**
+ * Build the canonical JSON payload for message signing.
+ * Fields are sorted lexicographically, no whitespace, minimal escaping.
+ * Optional fields (from_stable_id, message_id, to_stable_id) are omitted when empty.
+ */
+export function canonicalJSON(env) {
+    const fields = [
+        ["body", env.body],
+        ["from", env.from],
+        ["from_did", env.from_did],
+        ["subject", env.subject],
+        ["timestamp", env.timestamp],
+        ["to", env.to],
+        ["to_did", env.to_did],
+        ["type", env.type],
+    ];
+    if (env.from_stable_id)
+        fields.push(["from_stable_id", env.from_stable_id]);
+    if (env.message_id)
+        fields.push(["message_id", env.message_id]);
+    if (env.to_stable_id)
+        fields.push(["to_stable_id", env.to_stable_id]);
+    fields.sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0));
+    let result = "{";
+    for (let i = 0; i < fields.length; i++) {
+        if (i > 0)
+            result += ",";
+        result += '"' + fields[i][0] + '":"' + escapeJSON(fields[i][1]) + '"';
+    }
+    result += "}";
+    return result;
+}
+/** JSON-escape a string value, matching Go's writeEscapedString exactly. */
+function escapeJSON(s) {
+    let result = "";
+    for (const ch of s) {
+        const code = ch.codePointAt(0);
+        switch (ch) {
+            case '"':
+                result += '\\"';
+                break;
+            case "\\":
+                result += "\\\\";
+                break;
+            case "\n":
+                result += "\\n";
+                break;
+            case "\r":
+                result += "\\r";
+                break;
+            case "\t":
+                result += "\\t";
+                break;
+            case "\b":
+                result += "\\b";
+                break;
+            case "\f":
+                result += "\\f";
+                break;
+            default:
+                if (code < 0x20) {
+                    result += "\\u" + code.toString(16).padStart(4, "0");
+                }
+                else {
+                    result += ch;
+                }
+        }
+    }
+    return result;
+}
+function b64Encode(bytes) {
+    // Build binary string without spread to avoid stack overflow on large inputs
+    let bin = "";
+    for (let i = 0; i < bytes.length; i++)
+        bin += String.fromCharCode(bytes[i]);
+    // Base64 RFC 4648 no padding (RawStdEncoding)
+    return btoa(bin).replace(/=+$/, "");
+}
+function b64Decode(s) {
+    const bin = atob(s);
+    const bytes = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++)
+        bytes[i] = bin.charCodeAt(i);
+    return bytes;
+}
+/** Sign a message envelope. Returns base64 signature (no padding). */
+export async function signMessage(seed, env) {
+    const payload = canonicalJSON(env);
+    const sig = ed.sign(new TextEncoder().encode(payload), seed);
+    return b64Encode(sig);
+}
+/**
+ * Verify a message envelope signature.
+ * Returns 'unverified' if DID or signature is missing.
+ * Returns 'failed' if signature doesn't verify.
+ * Returns 'verified' if valid.
+ */
+export async function verifyMessage(env) {
+    if (!env.from_did || !env.signature) {
+        return "unverified";
+    }
+    if (env.signing_key_id && env.signing_key_id !== env.from_did) {
+        return "failed";
+    }
+    if (!env.from_did.startsWith("did:key:z")) {
+        return "unverified";
+    }
+    let publicKey;
+    try {
+        publicKey = extractPublicKey(env.from_did);
+    }
+    catch {
+        return "failed";
+    }
+    let sigBytes;
+    try {
+        sigBytes = b64Decode(env.signature);
+    }
+    catch {
+        return "failed";
+    }
+    const payload = canonicalJSON(env);
+    const valid = ed.verify(sigBytes, new TextEncoder().encode(payload), publicKey);
+    return valid ? "verified" : "failed";
+}
+/**
+ * Verify a signature against a pre-computed canonical payload string.
+ * Use when the server returns signed_payload alongside the message.
+ */
+export async function verifySignedPayload(signedPayload, signatureB64, fromDID, signingKeyID) {
+    if (!fromDID || !signatureB64 || !signedPayload) {
+        return "unverified";
+    }
+    if (signingKeyID && signingKeyID !== fromDID) {
+        return "failed";
+    }
+    if (!fromDID.startsWith("did:key:z")) {
+        return "unverified";
+    }
+    let publicKey;
+    try {
+        publicKey = extractPublicKey(fromDID);
+    }
+    catch {
+        return "failed";
+    }
+    let sigBytes;
+    try {
+        sigBytes = b64Decode(signatureB64);
+    }
+    catch {
+        return "failed";
+    }
+    const valid = ed.verify(sigBytes, new TextEncoder().encode(signedPayload), publicKey);
+    return valid ? "verified" : "failed";
+}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { APIClient } from "./api/client.js";
+import { type AgentEvent } from "./api/events.js";
+import { PinStore } from "./identity/pinstore.js";
+export declare function dispatchEvent(mcp: Server, client: APIClient, pinStore: PinStore, selfAlias: string, dispatched: Set<string>, event: AgentEvent): Promise<void>;
+export declare function isDirectExecution(moduleURL: string): boolean;

package/dist/index.js

@@ -0,0 +1,259 @@
+#!/usr/bin/env node
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { join } from "node:path";
+import { homedir } from "node:os";
+import { realpathSync } from "node:fs";
+import { readFile, writeFile } from "node:fs/promises";
+import { fileURLToPath, pathToFileURL } from "node:url";
+import { resolveConfig } from "./config.js";
+import { APIClient } from "./api/client.js";
+import { streamAgentEvents } from "./api/events.js";
+import { fetchInbox, ackMessage } from "./api/mail.js";
+import { fetchHistory, markRead } from "./api/chat.js";
+import { PinStore } from "./identity/pinstore.js";
+const PIN_STORE_PATH = join(homedir(), ".config", "aw", "known_agents.yaml");
+const MAX_DISPATCHED_IDS = 2000;
+async function loadPinStore() {
+    try {
+        const content = await readFile(PIN_STORE_PATH, "utf-8");
+        return PinStore.fromYAML(content);
+    }
+    catch {
+        return new PinStore();
+    }
+}
+async function savePinStore(store) {
+    await writeFile(PIN_STORE_PATH, store.toYAML(), { mode: 0o600 });
+}
+function checkTOFUPin(store, verificationStatus, fromAlias, fromDID, fromStableID) {
+    if (!verificationStatus || verificationStatus !== "verified" || !fromDID || !fromAlias) {
+        return { status: verificationStatus, stored: false };
+    }
+    const pinKey = fromStableID?.startsWith("did:aw:") ? fromStableID : fromDID;
+    const result = store.checkPin(fromAlias, pinKey, "persistent");
+    switch (result) {
+        case "new":
+            store.storePin(pinKey, fromAlias, "", "");
+            if (fromStableID?.startsWith("did:aw:")) {
+                const pin = store.pins.get(pinKey);
+                pin.stable_id = fromStableID;
+                pin.did_key = fromDID;
+            }
+            return { status: verificationStatus, stored: true };
+        case "ok":
+            return { status: verificationStatus, stored: false };
+        case "mismatch":
+            return { status: "identity_mismatch", stored: false };
+        case "skipped":
+            return { status: verificationStatus, stored: false };
+    }
+}
+function pruneDispatched(dispatched) {
+    if (dispatched.size <= MAX_DISPATCHED_IDS)
+        return;
+    const excess = dispatched.size - MAX_DISPATCHED_IDS;
+    let removed = 0;
+    for (const id of dispatched) {
+        if (removed >= excess)
+            break;
+        dispatched.delete(id);
+        removed++;
+    }
+}
+async function main() {
+    const workdir = process.cwd();
+    const config = await resolveConfig(workdir);
+    const client = new APIClient(config.baseURL, config.apiKey);
+    const pinStore = await loadPinStore();
+    const mcp = new Server({ name: "aw", version: "0.0.1" }, {
+        capabilities: {
+            experimental: { "claude/channel": {} },
+        },
+        instructions: `Events from the aw channel are coordination messages from other agents in your team. Use the aw CLI to respond, not MCP tools.
+
+Mail events (type="mail") are async. Read them and act if needed. Acknowledge with: aw mail ack <message_id>
+
+Chat events (type="chat") may have sender_waiting="true", meaning the sender is blocked waiting for your reply. Respond promptly with: aw chat send-and-wait <from> "<reply>"
+If you need more time, send a status update the same way.
+
+Control events (type="control") are operational signals. On "pause", stop current work and wait. On "resume", continue. On "interrupt", stop and await new instructions.`,
+    });
+    // Connect MCP over stdio
+    const transport = new StdioServerTransport();
+    await mcp.connect(transport);
+    // Start SSE event loop in background
+    const abort = new AbortController();
+    process.on("SIGINT", () => abort.abort());
+    process.on("SIGTERM", () => abort.abort());
+    await startEventLoop(mcp, client, pinStore, config.alias, abort.signal);
+}
+async function startEventLoop(mcp, client, pinStore, selfAlias, signal) {
+    const dispatched = new Set();
+    for await (const event of streamAgentEvents(client, signal)) {
+        try {
+            await dispatchEvent(mcp, client, pinStore, selfAlias, dispatched, event);
+            pruneDispatched(dispatched);
+        }
+        catch (err) {
+            console.error(`[aw-channel] dispatch error: ${err}`);
+        }
+    }
+}
+export async function dispatchEvent(mcp, client, pinStore, selfAlias, dispatched, event) {
+    switch (event.type) {
+        case "mail_message": {
+            const messages = await fetchInbox(client, true, 10);
+            let pinsDirty = false;
+            for (const msg of messages) {
+                if (dispatched.has(msg.message_id))
+                    continue;
+                dispatched.add(msg.message_id);
+                const from = msg.from_alias || msg.from_address || "";
+                const tofu = checkTOFUPin(pinStore, msg.verification_status, from, msg.from_did, msg.from_stable_id);
+                msg.verification_status = tofu.status;
+                if (tofu.stored)
+                    pinsDirty = true;
+                const meta = {
+                    type: "mail",
+                    from,
+                    message_id: msg.message_id,
+                };
+                if (msg.subject)
+                    meta.subject = msg.subject;
+                if (msg.priority && msg.priority !== "normal")
+                    meta.priority = msg.priority;
+                if (msg.verification_status)
+                    meta.verified = String(msg.verification_status === "verified" || msg.verification_status === "verified_custodial");
+                await mcp.notification({
+                    method: "notifications/claude/channel",
+                    params: { content: msg.body, meta },
+                });
+                // Auto-ack: message has been delivered to Claude
+                ackMessage(client, msg.message_id).catch((err) => console.error(`[aw-channel] ack failed: ${err}`));
+            }
+            if (pinsDirty)
+                await savePinStore(pinStore);
+            break;
+        }
+        case "chat_message": {
+            if (!event.session_id)
+                break;
+            const messages = await fetchHistory(client, event.session_id, true, 10);
+            let pinsDirty = false;
+            let lastMessageId;
+            for (const msg of messages) {
+                if (msg.from_agent === selfAlias)
+                    continue;
+                if (dispatched.has(msg.message_id))
+                    continue;
+                dispatched.add(msg.message_id);
+                const tofu = checkTOFUPin(pinStore, msg.verification_status, msg.from_agent, msg.from_did, msg.from_stable_id);
+                msg.verification_status = tofu.status;
+                if (tofu.stored)
+                    pinsDirty = true;
+                const meta = {
+                    type: "chat",
+                    from: msg.from_agent,
+                    session_id: event.session_id,
+                    message_id: msg.message_id,
+                };
+                if (event.sender_waiting)
+                    meta.sender_waiting = "true";
+                if (msg.sender_leaving)
+                    meta.sender_leaving = "true";
+                if (msg.verification_status)
+                    meta.verified = String(msg.verification_status === "verified" || msg.verification_status === "verified_custodial");
+                await mcp.notification({
+                    method: "notifications/claude/channel",
+                    params: { content: msg.body, meta },
+                });
+                lastMessageId = msg.message_id;
+            }
+            // Mark read up to last dispatched message
+            if (lastMessageId) {
+                markRead(client, event.session_id, lastMessageId).catch((err) => console.error(`[aw-channel] mark-read failed: ${err}`));
+            }
+            if (pinsDirty)
+                await savePinStore(pinStore);
+            break;
+        }
+        case "control_pause":
+        case "control_resume":
+        case "control_interrupt": {
+            const signalType = event.type.replace("control_", "");
+            await mcp.notification({
+                method: "notifications/claude/channel",
+                params: {
+                    content: "",
+                    meta: {
+                        type: "control",
+                        signal: signalType,
+                        signal_id: event.signal_id || "",
+                    },
+                },
+            });
+            break;
+        }
+        case "work_available": {
+            await mcp.notification({
+                method: "notifications/claude/channel",
+                params: {
+                    content: event.title || "",
+                    meta: {
+                        type: "work",
+                        task_id: event.task_id || "",
+                    },
+                },
+            });
+            break;
+        }
+        case "claim_update": {
+            await mcp.notification({
+                method: "notifications/claude/channel",
+                params: {
+                    content: event.title || "",
+                    meta: {
+                        type: "claim",
+                        task_id: event.task_id || "",
+                        title: event.title || "",
+                        status: event.status || "",
+                    },
+                },
+            });
+            break;
+        }
+        case "claim_removed": {
+            await mcp.notification({
+                method: "notifications/claude/channel",
+                params: {
+                    content: "",
+                    meta: {
+                        type: "claim_removed",
+                        task_id: event.task_id || "",
+                    },
+                },
+            });
+            break;
+        }
+        default:
+            break;
+    }
+}
+export function isDirectExecution(moduleURL) {
+    const entry = process.argv[1];
+    if (!entry)
+        return false;
+    try {
+        return realpathSync(entry) === realpathSync(fileURLToPath(moduleURL));
+    }
+    catch {
+        return moduleURL === pathToFileURL(entry).href;
+    }
+}
+if (isDirectExecution(import.meta.url)) {
+    main().catch((err) => {
+        console.error(`[aw-channel] fatal: ${err}`);
+        process.exit(1);
+    });
+}

package/package.json

@@ -0,0 +1,34 @@
+{
+  "name": "@awebai/claude-channel",
+  "version": "0.1.0",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "bin": "./dist/index.js",
+  "files": [
+    "dist",
+    "README.md",
+    "package.json"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "prepublishOnly": "npm run build",
+    "test": "vitest run --exclude test/integration.test.ts",
+    "test:integration": "vitest run test/integration.test.ts",
+    "start": "tsx src/index.ts"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.12.0",
+    "@noble/ed25519": "^2.2.3",
+    "@noble/hashes": "^2.0.1",
+    "bs58": "^6.0.0",
+    "js-yaml": "^4.1.0"
+  },
+  "devDependencies": {
+    "@types/js-yaml": "^4.0.9",
+    "@types/node": "^24.5.2",
+    "tsx": "^4.20.6",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.0"
+  }
+}