@blink-authority-com/claude-code-plugin 1.0.0

package/dist/tools/add-signing.js

@@ -0,0 +1,317 @@
+/**
+ * blink_add_signing tool handler.
+ *
+ * Takes existing code and a signing pattern, returns enhanced code
+ * with BLINK signing added. Uses string manipulation (not AST) for v1.
+ *
+ * Patterns:
+ *   sign-response     — Add BLINK signing middleware to Express responses
+ *   sign-document     — Add document hashing + BLINK signing
+ *   sign-audit-entry  — Add hash-chained audit entry signing
+ *   verify-incoming   — Add incoming signature verification
+ */
+// ---------------------------------------------------------------------------
+// Imports to inject per pattern
+// ---------------------------------------------------------------------------
+const BLINK_IMPORTS = {
+    'sign-response': `import { BlinkSigner, AlgoSuiteId } from '@blink-technology/sdk';`,
+    'sign-document': `import { BlinkSigner, AlgoSuiteId } from '@blink-technology/sdk';
+import { createHash } from 'node:crypto';`,
+    'sign-audit-entry': `import { BlinkSigner, AlgoSuiteId } from '@blink-technology/sdk';
+import { createHash } from 'node:crypto';`,
+    'verify-incoming': `import { BlinkVerifier } from '@blink-technology/sdk';`,
+};
+// ---------------------------------------------------------------------------
+// BLINK initialization snippet (added if not already present)
+// ---------------------------------------------------------------------------
+const BLINK_INIT = `
+// --- BLINK Authority: Signer lifecycle ---
+let blinkSigner: BlinkSigner;
+let blinkPublicKey: Uint8Array;
+
+async function initBlink(): Promise<void> {
+  const bsecUrl = process.env['BSEC_URL'] ?? 'http://localhost:9100';
+  const slotName = process.env['SLOT_NAME'] ?? 'default';
+  blinkSigner = await BlinkSigner.connect(bsecUrl, slotName, AlgoSuiteId.Ed25519);
+  blinkPublicKey = await blinkSigner.vrfPublicKey();
+  console.log('[blink] Connected to BSEC');
+}
+
+async function shutdownBlink(): Promise<void> {
+  if (blinkSigner) {
+    await blinkSigner.close();
+    console.log('[blink] Disconnected');
+  }
+}
+// --- End BLINK init ---
+`;
+// ---------------------------------------------------------------------------
+// Pattern-specific code snippets
+// ---------------------------------------------------------------------------
+const SIGN_RESPONSE_MIDDLEWARE = `
+// --- BLINK Authority: Signing middleware ---
+// This middleware intercepts res.json() calls and adds a BLINK signature.
+// The signature envelope is attached as HTTP headers.
+function blinkSigningMiddleware() {
+  return (req: any, res: any, next: any) => {
+    const originalJson = res.json.bind(res);
+    res.json = (body: unknown) => {
+      const bodyStr = JSON.stringify(body);
+      const payload = new TextEncoder().encode(bodyStr);
+      blinkSigner.sign(payload)
+        .then((envelopeBytes: Uint8Array) => {
+          res.setHeader('X-BLINK-Signature', Buffer.from(envelopeBytes).toString('base64'));
+          res.setHeader('X-BLINK-PublicKey', Buffer.from(blinkPublicKey).toString('hex'));
+          res.setHeader('X-BLINK-Signed', 'true');
+          originalJson(body);
+        })
+        .catch((err: Error) => {
+          console.error('[blink] Signing failed:', err);
+          res.setHeader('X-BLINK-Signed', 'false');
+          originalJson(body);
+        });
+      return res;
+    };
+    next();
+  };
+}
+// --- End BLINK signing middleware ---
+`;
+const SIGN_DOCUMENT_CODE = `
+// --- BLINK Authority: Document signing ---
+// Hash the document with SHA-256, then sign the hash with BLINK.
+// Returns a notarization certificate with the signature envelope.
+async function signDocument(fileBuffer: Buffer, filename: string) {
+  const hash = createHash('sha256').update(new Uint8Array(fileBuffer)).digest();
+  const hashBytes = new Uint8Array(hash.buffer, hash.byteOffset, hash.byteLength);
+
+  // Sign the hash — BLINK produces a single-use credential for this operation
+  const envelopeBytes = await blinkSigner.signDetached(hashBytes);
+
+  return {
+    document: { filename, size: fileBuffer.length, hash: hash.toString('hex') },
+    envelope: Buffer.from(envelopeBytes).toString('base64'),
+    signerPublicKey: Buffer.from(blinkPublicKey).toString('hex'),
+    signedAt: new Date().toISOString(),
+  };
+}
+// --- End BLINK document signing ---
+`;
+const SIGN_AUDIT_ENTRY_CODE = `
+// --- BLINK Authority: Hash-chained audit entry signing ---
+// Each entry links to the previous via SHA-256(previous envelope).
+// The first entry uses GENESIS_HASH as its previous hash.
+const GENESIS_HASH = '0'.repeat(64);
+let lastEnvelopeHash = GENESIS_HASH;
+let auditSequence = 0;
+
+async function signAuditEntry(entry: {
+  actor: string;
+  action: string;
+  resource: string;
+  detail?: string;
+}) {
+  auditSequence++;
+  const canonical = {
+    id: \`AUD-\${auditSequence.toString().padStart(8, '0')}\`,
+    sequenceNumber: auditSequence,
+    timestamp: new Date().toISOString(),
+    actor: entry.actor,
+    action: entry.action,
+    resource: entry.resource,
+    ...(entry.detail ? { detail: entry.detail } : {}),
+    previousEntryHash: lastEnvelopeHash,
+  };
+
+  const payload = new TextEncoder().encode(JSON.stringify(canonical));
+  const envelopeBytes = await blinkSigner.sign(payload);
+  const envelope = Buffer.from(envelopeBytes).toString('base64');
+
+  // Update the chain — next entry will reference this envelope's hash
+  lastEnvelopeHash = createHash('sha256')
+    .update(Buffer.from(envelope, 'base64'))
+    .digest('hex');
+
+  return {
+    ...canonical,
+    envelope,
+    signerPublicKey: Buffer.from(blinkPublicKey).toString('hex'),
+  };
+}
+// --- End BLINK audit entry signing ---
+`;
+const VERIFY_INCOMING_CODE = `
+// --- BLINK Authority: Incoming signature verification ---
+// Verify a BLINK signature from incoming request headers.
+// Expects: X-BLINK-Signature (base64 envelope), X-BLINK-PublicKey (hex key)
+function blinkVerifyMiddleware() {
+  return async (req: any, res: any, next: any) => {
+    const signatureB64 = req.headers['x-blink-signature'];
+    const publicKeyHex = req.headers['x-blink-publickey'];
+
+    if (!signatureB64 || !publicKeyHex) {
+      res.status(401).json({ error: 'Missing BLINK signature headers' });
+      return;
+    }
+
+    try {
+      const publicKey = new Uint8Array(Buffer.from(publicKeyHex, 'hex'));
+      const verifier = new BlinkVerifier(publicKey, {
+        freshnessWindowMs: 5 * 60 * 1000, // 5 minute freshness window
+        clockSkewToleranceMs: 30_000,
+      });
+
+      const envelopeBytes = new Uint8Array(Buffer.from(signatureB64, 'base64'));
+      const result = verifier.verify(envelopeBytes);
+
+      if (!result.valid) {
+        res.status(401).json({ error: 'Invalid BLINK signature', reason: result.reason });
+        return;
+      }
+
+      // Attach verification result to request for downstream use
+      req.blinkVerification = result;
+      next();
+    } catch (err) {
+      res.status(401).json({ error: 'BLINK verification failed', detail: String(err) });
+    }
+  };
+}
+// --- End BLINK verification middleware ---
+`;
+function hasBlinkImport(code) {
+    return code.includes('@blink-technology/sdk') || code.includes('BlinkSigner') || code.includes('BlinkVerifier');
+}
+function hasBlinkInit(code) {
+    return code.includes('BlinkSigner.connect') || code.includes('initBlink');
+}
+function applyPattern(code, pattern) {
+    const lines = code.split('\n');
+    const changes = [];
+    let result = code;
+    let insertionOffset = 0;
+    // Step 1: Add imports at the top (if not already present)
+    if (!hasBlinkImport(code)) {
+        const importLine = BLINK_IMPORTS[pattern];
+        // Find the last import line or insert at line 0
+        let lastImportIdx = -1;
+        for (let i = 0; i < lines.length; i++) {
+            if (lines[i].startsWith('import ') || lines[i].startsWith('import{')) {
+                lastImportIdx = i;
+            }
+        }
+        const insertAt = lastImportIdx + 1;
+        const resultLines = result.split('\n');
+        resultLines.splice(insertAt, 0, importLine);
+        result = resultLines.join('\n');
+        changes.push({
+            description: `Added BLINK SDK import(s)`,
+            line_range: `${insertAt + 1}`,
+        });
+        insertionOffset += importLine.split('\n').length;
+    }
+    // Step 2: Add BLINK initialization (if not present)
+    if (!hasBlinkInit(code) && pattern !== 'verify-incoming') {
+        const resultLines = result.split('\n');
+        // Find a good insertion point — after imports, before main code
+        let insertAt = 0;
+        for (let i = 0; i < resultLines.length; i++) {
+            if (resultLines[i].startsWith('import ') || resultLines[i].startsWith('import{')) {
+                insertAt = i + 1;
+            }
+        }
+        // Skip blank lines after imports
+        while (insertAt < resultLines.length && resultLines[insertAt].trim() === '') {
+            insertAt++;
+        }
+        const initLines = BLINK_INIT.split('\n');
+        resultLines.splice(insertAt, 0, ...initLines);
+        result = resultLines.join('\n');
+        changes.push({
+            description: 'Added BLINK signer initialization and shutdown functions',
+            line_range: `${insertAt + 1}-${insertAt + initLines.length}`,
+        });
+        insertionOffset += initLines.length;
+    }
+    // Step 3: Add the pattern-specific code
+    let patternCode;
+    let patternDescription;
+    switch (pattern) {
+        case 'sign-response':
+            patternCode = SIGN_RESPONSE_MIDDLEWARE;
+            patternDescription = 'Added BLINK signing middleware for Express responses';
+            break;
+        case 'sign-document':
+            patternCode = SIGN_DOCUMENT_CODE;
+            patternDescription = 'Added document hashing + BLINK signing function';
+            break;
+        case 'sign-audit-entry':
+            patternCode = SIGN_AUDIT_ENTRY_CODE;
+            patternDescription = 'Added hash-chained audit entry signing function';
+            break;
+        case 'verify-incoming':
+            patternCode = VERIFY_INCOMING_CODE;
+            patternDescription = 'Added incoming BLINK signature verification middleware';
+            break;
+    }
+    // Append the pattern code at the end of the file
+    const resultLines = result.split('\n');
+    const insertAt = resultLines.length;
+    result = result + '\n' + patternCode;
+    changes.push({
+        description: patternDescription,
+        line_range: `${insertAt + 1}-${insertAt + patternCode.split('\n').length}`,
+    });
+    // Step 4: Add usage comments
+    if (pattern === 'sign-response') {
+        // Try to find app.use or express() to suggest where to add the middleware
+        const appUseIdx = resultLines.findIndex(l => l.includes('app.use(') && !l.includes('blinkSigning'));
+        if (appUseIdx >= 0) {
+            changes.push({
+                description: 'Add `app.use(blinkSigningMiddleware());` before your routes (see existing app.use calls)',
+                line_range: `${appUseIdx + 1}`,
+            });
+        }
+    }
+    if (pattern === 'verify-incoming') {
+        changes.push({
+            description: 'Add `app.use(blinkVerifyMiddleware());` to protect routes that require verified signatures',
+            line_range: 'N/A',
+        });
+    }
+    return { enhanced_code: result, changes };
+}
+// ---------------------------------------------------------------------------
+// Tool handler
+// ---------------------------------------------------------------------------
+export function handleAddSigning(args) {
+    const code = String(args.code ?? '');
+    const pattern = String(args.pattern ?? '');
+    if (!code) {
+        return {
+            content: [{
+                    type: 'text',
+                    text: JSON.stringify({ error: 'Missing required parameter: code' }),
+                }],
+        };
+    }
+    const validPatterns = ['sign-response', 'sign-document', 'sign-audit-entry', 'verify-incoming'];
+    if (!validPatterns.includes(pattern)) {
+        return {
+            content: [{
+                    type: 'text',
+                    text: JSON.stringify({
+                        error: `Unknown pattern: "${pattern}". Valid patterns: ${validPatterns.join(', ')}`,
+                    }),
+                }],
+        };
+    }
+    const result = applyPattern(code, pattern);
+    return {
+        content: [{
+                type: 'text',
+                text: JSON.stringify(result, null, 2),
+            }],
+    };
+}
+//# sourceMappingURL=add-signing.js.map

package/dist/tools/add-signing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"add-signing.js","sourceRoot":"","sources":["../../src/tools/add-signing.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,8EAA8E;AAC9E,gCAAgC;AAChC,8EAA8E;AAC9E,MAAM,aAAa,GAAG;IACpB,eAAe,EAAE,mEAAmE;IACpF,eAAe,EAAE;0CACuB;IACxC,kBAAkB,EAAE;0CACoB;IACxC,iBAAiB,EAAE,wDAAwD;CAC5E,CAAC;AAEF,8EAA8E;AAC9E,8DAA8D;AAC9D,8EAA8E;AAC9E,MAAM,UAAU,GAAG;;;;;;;;;;;;;;;;;;;;CAoBlB,CAAC;AAEF,8EAA8E;AAC9E,iCAAiC;AACjC,8EAA8E;AAC9E,MAAM,wBAAwB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA4BhC,CAAC;AAEF,MAAM,kBAAkB,GAAG;;;;;;;;;;;;;;;;;;;CAmB1B,CAAC;AAEF,MAAM,qBAAqB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA0C7B,CAAC;AAEF,MAAM,oBAAoB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAsC5B,CAAC;AAUF,SAAS,cAAc,CAAC,IAAY;IAClC,OAAO,IAAI,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;AAClH,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,OAAO,IAAI,CAAC,QAAQ,CAAC,qBAAqB,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC5E,CAAC;AAED,SAAS,YAAY,CACnB,IAAY,EACZ,OAAmF;IAEnF,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,MAAM,GAAG,IAAI,CAAC;IAClB,IAAI,eAAe,GAAG,CAAC,CAAC;IAExB,0DAA0D;IAC1D,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1B,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;QAC1C,gDAAgD;QAChD,IAAI,aAAa,GAAG,CAAC,CAAC,CAAC;QACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACrE,aAAa,GAAG,CAAC,CAAC;YACpB,CAAC;QACH,CAAC;QACD,MAAM,QAAQ,GAAG,aAAa,GAAG,CAAC,CAAC;QACnC,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACvC,WAAW,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,EAAE,UAAU,CAAC,CAAC;QAC5C,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,OAAO,CAAC,IAAI,CAAC;YACX,WAAW,EAAE,2BAA2B;YACxC,UAAU,EAAE,GAAG,QAAQ,GAAG,CAAC,EAAE;SAC9B,CAAC,CAAC;QACH,eAAe,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;IACnD,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,OAAO,KAAK,iBAAiB,EAAE,CAAC;QACzD,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACvC,gEAAgE;QAChE,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5C,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACjF,QAAQ,GAAG,CAAC,GAAG,CAAC,CAAC;YACnB,CAAC;QACH,CAAC;QACD,iCAAiC;QACjC,OAAO,QAAQ,GAAG,WAAW,CAAC,MAAM,IAAI,WAAW,CAAC,QAAQ,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAC5E,QAAQ,EAAE,CAAC;QACb,CAAC;QACD,MAAM,SAAS,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACzC,WAAW,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,EAAE,GAAG,SAAS,CAAC,CAAC;QAC9C,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,OAAO,CAAC,IAAI,CAAC;YACX,WAAW,EAAE,0DAA0D;YACvE,UAAU,EAAE,GAAG,QAAQ,GAAG,CAAC,IAAI,QAAQ,GAAG,SAAS,CAAC,MAAM,EAAE;SAC7D,CAAC,CAAC;QACH,eAAe,IAAI,SAAS,CAAC,MAAM,CAAC;IACtC,CAAC;IAED,wCAAwC;IACxC,IAAI,WAAmB,CAAC;IACxB,IAAI,kBAA0B,CAAC;IAE/B,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,eAAe;YAClB,WAAW,GAAG,wBAAwB,CAAC;YACvC,kBAAkB,GAAG,sDAAsD,CAAC;YAC5E,MAAM;QACR,KAAK,eAAe;YAClB,WAAW,GAAG,kBAAkB,CAAC;YACjC,kBAAkB,GAAG,iDAAiD,CAAC;YACvE,MAAM;QACR,KAAK,kBAAkB;YACrB,WAAW,GAAG,qBAAqB,CAAC;YACpC,kBAAkB,GAAG,iDAAiD,CAAC;YACvE,MAAM;QACR,KAAK,iBAAiB;YACpB,WAAW,GAAG,oBAAoB,CAAC;YACnC,kBAAkB,GAAG,wDAAwD,CAAC;YAC9E,MAAM;IACV,CAAC;IAED,iDAAiD;IACjD,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACvC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,CAAC;IACpC,MAAM,GAAG,MAAM,GAAG,IAAI,GAAG,WAAW,CAAC;IACrC,OAAO,CAAC,IAAI,CAAC;QACX,WAAW,EAAE,kBAAkB;QAC/B,UAAU,EAAE,GAAG,QAAQ,GAAG,CAAC,IAAI,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE;KAC3E,CAAC,CAAC;IAEH,6BAA6B;IAC7B,IAAI,OAAO,KAAK,eAAe,EAAE,CAAC;QAChC,0EAA0E;QAC1E,MAAM,SAAS,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAC1C,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,cAAc,CAAC,CACtD,CAAC;QACF,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;YACnB,OAAO,CAAC,IAAI,CAAC;gBACX,WAAW,EAAE,0FAA0F;gBACvG,UAAU,EAAE,GAAG,SAAS,GAAG,CAAC,EAAE;aAC/B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,OAAO,KAAK,iBAAiB,EAAE,CAAC;QAClC,OAAO,CAAC,IAAI,CAAC;YACX,WAAW,EAAE,4FAA4F;YACzG,UAAU,EAAE,KAAK;SAClB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AAC5C,CAAC;AAED,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAC9E,MAAM,UAAU,gBAAgB,CAC9B,IAA6B;IAE7B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IACrC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAA+E,CAAC;IAEzH,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO;YACL,OAAO,EAAE,CAAC;oBACR,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,kCAAkC,EAAE,CAAC;iBACpE,CAAC;SACH,CAAC;IACJ,CAAC;IAED,MAAM,aAAa,GAAG,CAAC,eAAe,EAAE,eAAe,EAAE,kBAAkB,EAAE,iBAAiB,CAAC,CAAC;IAChG,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QACrC,OAAO;YACL,OAAO,EAAE,CAAC;oBACR,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;wBACnB,KAAK,EAAE,qBAAqB,OAAO,sBAAsB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;qBACpF,CAAC;iBACH,CAAC;SACH,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAE3C,OAAO;QACL,OAAO,EAAE,CAAC;gBACR,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;aACtC,CAAC;KACH,CAAC;AACJ,CAAC"}

package/dist/tools/decode.d.ts

@@ -0,0 +1,13 @@
+/**
+ * blink_decode_envelope tool handler.
+ *
+ * Parses a base64-encoded BLINK envelope and explains each field.
+ * Useful for debugging signing/verification issues.
+ */
+export declare function handleDecodeEnvelope(args: Record<string, unknown>): {
+    content: Array<{
+        type: string;
+        text: string;
+    }>;
+};
+//# sourceMappingURL=decode.d.ts.map

package/dist/tools/decode.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decode.d.ts","sourceRoot":"","sources":["../../src/tools/decode.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAuFH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC5B;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAAE,CAkMpD"}

package/dist/tools/decode.js

@@ -0,0 +1,262 @@
+/**
+ * blink_decode_envelope tool handler.
+ *
+ * Parses a base64-encoded BLINK envelope and explains each field.
+ * Useful for debugging signing/verification issues.
+ */
+// ---------------------------------------------------------------------------
+// Field explanations
+// ---------------------------------------------------------------------------
+const FIELD_EXPLANATIONS = {
+    signature: 'The digital signature over the payload hash, produced by the ephemeral signing key. ' +
+        'Length depends on algorithm: Ed25519 = 64 bytes, ML-DSA-44 = 2420 bytes.',
+    ephemeral_public_key: 'The ephemeral public key derived from the VRF output. This key is unique per signing ' +
+        'operation and is used to verify the signature. Ed25519 = 32 bytes, ML-DSA-44 = 1312 bytes.',
+    vrf_proof: 'The ECVRF proof (pi) that proves the ephemeral key was correctly derived from the ' +
+        'master key and domain input. Allows offline verification of key provenance. Typically 80 bytes.',
+    p_derive: 'The derived public key (P_derive) from the VRF evaluation. This is the public component ' +
+        'of the master identity that was used to generate the ephemeral key.',
+    domain_input: 'The domain separation string used as VRF input. Typically formatted as ' +
+        '"purpose:identity:timestamp" to bind the key derivation to a specific context.',
+    timestamp: 'ISO 8601 timestamp recording when the envelope was created. Used for freshness ' +
+        'checks — envelopes older than the freshness window may be rejected.',
+    algorithm: 'The cryptographic algorithm suite used for signing. Ed25519 is the default; ' +
+        'ML-DSA-44 provides post-quantum resistance.',
+    payload_hash: 'The SHA-256 hash of the original payload that was signed. The signature is over ' +
+        'this hash, not the raw payload, enabling hash-then-sign verification.',
+};
+// ---------------------------------------------------------------------------
+// Expected field sizes (bytes) per algorithm
+// ---------------------------------------------------------------------------
+const EXPECTED_SIZES = {
+    ed25519: {
+        signature: 64,
+        ephemeral_public_key: 32,
+        vrf_proof: 80,
+        p_derive: 32,
+    },
+    'ml-dsa-44': {
+        signature: 2420,
+        ephemeral_public_key: 1312,
+        vrf_proof: 80,
+        p_derive: 32,
+    },
+};
+const REQUIRED_FIELDS = [
+    'signature',
+    'ephemeral_public_key',
+    'vrf_proof',
+    'p_derive',
+    'domain_input',
+    'timestamp',
+    'algorithm',
+    'payload_hash',
+];
+// Freshness window: 5 minutes
+const FRESHNESS_WINDOW_MS = 5 * 60 * 1000;
+// ---------------------------------------------------------------------------
+// Helper: safe base64 decode length
+// ---------------------------------------------------------------------------
+function base64ByteLength(b64) {
+    try {
+        return Buffer.from(b64, 'base64').length;
+    }
+    catch {
+        return -1;
+    }
+}
+function isValidBase64(s) {
+    try {
+        const buf = Buffer.from(s, 'base64');
+        return buf.length > 0 && Buffer.from(buf).toString('base64') === s.replace(/\s/g, '');
+    }
+    catch {
+        return false;
+    }
+}
+// ---------------------------------------------------------------------------
+// Handler
+// ---------------------------------------------------------------------------
+export function handleDecodeEnvelope(args) {
+    const envelopeB64 = args.envelope;
+    if (!envelopeB64 || typeof envelopeB64 !== 'string' || envelopeB64.trim() === '') {
+        return {
+            content: [{
+                    type: 'text',
+                    text: JSON.stringify({
+                        valid_format: false,
+                        error: 'Missing or empty "envelope" parameter. Provide a base64-encoded BLINK envelope.',
+                    }),
+                }],
+        };
+    }
+    // Step 1: Base64 decode
+    let decoded;
+    try {
+        decoded = Buffer.from(envelopeB64, 'base64').toString('utf-8');
+    }
+    catch {
+        return {
+            content: [{
+                    type: 'text',
+                    text: JSON.stringify({
+                        valid_format: false,
+                        error: 'Failed to base64-decode the envelope. Ensure it is valid base64.',
+                    }),
+                }],
+        };
+    }
+    // Step 2: JSON parse
+    let envelope;
+    try {
+        envelope = JSON.parse(decoded);
+    }
+    catch {
+        return {
+            content: [{
+                    type: 'text',
+                    text: JSON.stringify({
+                        valid_format: false,
+                        error: 'Decoded data is not valid JSON. A BLINK envelope must be a JSON object.',
+                        raw_preview: decoded.substring(0, 200),
+                    }),
+                }],
+        };
+    }
+    // Step 3: Extract and explain fields
+    const warnings = [];
+    const missingFields = [];
+    const fields = {};
+    for (const field of REQUIRED_FIELDS) {
+        if (envelope[field] === undefined || envelope[field] === null) {
+            missingFields.push(field);
+        }
+        else {
+            fields[field] = envelope[field];
+        }
+    }
+    if (missingFields.length > 0) {
+        warnings.push(`Missing required fields: ${missingFields.join(', ')}`);
+    }
+    // Step 4: Calculate sizes for binary fields
+    const sizes = {};
+    const binaryFields = ['signature', 'ephemeral_public_key', 'vrf_proof', 'p_derive'];
+    const algo = (envelope.algorithm || 'ed25519').toLowerCase().replace(/_/g, '-');
+    const expectedForAlgo = EXPECTED_SIZES[algo] || EXPECTED_SIZES['ed25519'];
+    for (const field of binaryFields) {
+        const val = envelope[field];
+        if (val && typeof val === 'string') {
+            const bytes = base64ByteLength(val);
+            const expected = expectedForAlgo[field];
+            sizes[field] = {
+                bytes,
+                expected,
+                match: expected ? bytes === expected : undefined,
+            };
+            if (expected && bytes !== expected) {
+                warnings.push(`${field}: expected ${expected} bytes for ${algo}, got ${bytes} bytes`);
+            }
+            if (!isValidBase64(val)) {
+                warnings.push(`${field}: value is not valid base64 encoding`);
+            }
+        }
+    }
+    // Step 5: Parse domain_input
+    let domainParsed = null;
+    const domainInput = envelope.domain_input;
+    if (domainInput && typeof domainInput === 'string') {
+        const parts = domainInput.split(':');
+        if (parts.length >= 3) {
+            domainParsed = {
+                purpose: parts[0],
+                identity: parts[1],
+                timestamp: parts.slice(2).join(':'),
+            };
+        }
+        else if (parts.length === 2) {
+            domainParsed = {
+                purpose: parts[0],
+                identity: parts[1],
+            };
+            warnings.push('domain_input has only 2 parts (expected purpose:identity:timestamp)');
+        }
+        else {
+            warnings.push('domain_input does not follow expected format (purpose:identity:timestamp)');
+        }
+    }
+    // Step 6: Check timestamp freshness
+    let timestampAnalysis = null;
+    const timestamp = envelope.timestamp;
+    if (timestamp && typeof timestamp === 'string') {
+        const parsed = new Date(timestamp);
+        if (isNaN(parsed.getTime())) {
+            warnings.push('timestamp is not a valid ISO 8601 date');
+        }
+        else {
+            const now = Date.now();
+            const age = now - parsed.getTime();
+            const fresh = Math.abs(age) <= FRESHNESS_WINDOW_MS;
+            timestampAnalysis = {
+                parsed: parsed.toISOString(),
+                age_seconds: Math.round(age / 1000),
+                fresh,
+                freshness_window_seconds: FRESHNESS_WINDOW_MS / 1000,
+            };
+            if (!fresh) {
+                if (age > 0) {
+                    warnings.push(`Envelope timestamp is ${Math.round(age / 1000)}s old (freshness window: ${FRESHNESS_WINDOW_MS / 1000}s)`);
+                }
+                else {
+                    warnings.push('Envelope timestamp is in the future');
+                }
+            }
+        }
+    }
+    // Step 7: Check algorithm
+    const algorithmValue = envelope.algorithm;
+    let algorithmValid = false;
+    if (algorithmValue) {
+        const normalised = algorithmValue.toLowerCase().replace(/[_-]/g, '');
+        algorithmValid = normalised === 'ed25519' || normalised === 'mldsa44';
+        if (!algorithmValid) {
+            warnings.push(`Unknown algorithm: "${algorithmValue}". Supported: Ed25519, ML-DSA-44`);
+        }
+    }
+    // Step 8: Check payload_hash format
+    const payloadHash = envelope.payload_hash;
+    if (payloadHash && typeof payloadHash === 'string') {
+        if (!/^[0-9a-fA-F]{64}$/.test(payloadHash)) {
+            warnings.push('payload_hash does not appear to be a 64-character hex SHA-256 hash');
+        }
+    }
+    // Extra fields
+    const knownFields = new Set(REQUIRED_FIELDS);
+    const extraFields = Object.keys(envelope).filter((k) => !knownFields.has(k));
+    if (extraFields.length > 0) {
+        warnings.push(`Extra fields present: ${extraFields.join(', ')}`);
+    }
+    // Build explanation
+    const explanationParts = [];
+    for (const field of REQUIRED_FIELDS) {
+        if (envelope[field] !== undefined) {
+            explanationParts.push(`- ${field}: ${FIELD_EXPLANATIONS[field] || 'Unknown field'}`);
+        }
+    }
+    const result = {
+        valid_format: missingFields.length === 0,
+        fields,
+        sizes,
+        domain_parsed: domainParsed,
+        timestamp_analysis: timestampAnalysis,
+        algorithm_valid: algorithmValid,
+        field_explanations: explanationParts,
+        warnings,
+    };
+    return {
+        content: [{
+                type: 'text',
+                text: JSON.stringify(result, null, 2),
+            }],
+    };
+}
+//# sourceMappingURL=decode.js.map

package/dist/tools/decode.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decode.js","sourceRoot":"","sources":["../../src/tools/decode.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAC9E,MAAM,kBAAkB,GAA2B;IACjD,SAAS,EACP,sFAAsF;QACtF,0EAA0E;IAC5E,oBAAoB,EAClB,uFAAuF;QACvF,4FAA4F;IAC9F,SAAS,EACP,oFAAoF;QACpF,iGAAiG;IACnG,QAAQ,EACN,0FAA0F;QAC1F,qEAAqE;IACvE,YAAY,EACV,yEAAyE;QACzE,gFAAgF;IAClF,SAAS,EACP,iFAAiF;QACjF,qEAAqE;IACvE,SAAS,EACP,8EAA8E;QAC9E,6CAA6C;IAC/C,YAAY,EACV,kFAAkF;QAClF,uEAAuE;CAC1E,CAAC;AAEF,8EAA8E;AAC9E,6CAA6C;AAC7C,8EAA8E;AAC9E,MAAM,cAAc,GAA2C;IAC7D,OAAO,EAAE;QACP,SAAS,EAAE,EAAE;QACb,oBAAoB,EAAE,EAAE;QACxB,SAAS,EAAE,EAAE;QACb,QAAQ,EAAE,EAAE;KACb;IACD,WAAW,EAAE;QACX,SAAS,EAAE,IAAI;QACf,oBAAoB,EAAE,IAAI;QAC1B,SAAS,EAAE,EAAE;QACb,QAAQ,EAAE,EAAE;KACb;CACF,CAAC;AAEF,MAAM,eAAe,GAAG;IACtB,WAAW;IACX,sBAAsB;IACtB,WAAW;IACX,UAAU;IACV,cAAc;IACd,WAAW;IACX,WAAW;IACX,cAAc;CACf,CAAC;AAEF,8BAA8B;AAC9B,MAAM,mBAAmB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAE1C,8EAA8E;AAC9E,oCAAoC;AACpC,8EAA8E;AAC9E,SAAS,gBAAgB,CAAC,GAAW;IACnC,IAAI,CAAC;QACH,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,MAAM,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,CAAC,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,CAAS;IAC9B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QACrC,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACxF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAC9E,MAAM,UAAU,oBAAoB,CAClC,IAA6B;IAE7B,MAAM,WAAW,GAAG,IAAI,CAAC,QAA8B,CAAC;IAExD,IAAI,CAAC,WAAW,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACjF,OAAO;YACL,OAAO,EAAE,CAAC;oBACR,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;wBACnB,YAAY,EAAE,KAAK;wBACnB,KAAK,EAAE,iFAAiF;qBACzF,CAAC;iBACH,CAAC;SACH,CAAC;IACJ,CAAC;IAED,wBAAwB;IACxB,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,OAAO,EAAE,CAAC;oBACR,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;wBACnB,YAAY,EAAE,KAAK;wBACnB,KAAK,EAAE,kEAAkE;qBAC1E,CAAC;iBACH,CAAC;SACH,CAAC;IACJ,CAAC;IAED,qBAAqB;IACrB,IAAI,QAAiC,CAAC;IACtC,IAAI,CAAC;QACH,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAC;IAC5D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,OAAO,EAAE,CAAC;oBACR,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;wBACnB,YAAY,EAAE,KAAK;wBACnB,KAAK,EAAE,yEAAyE;wBAChF,WAAW,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;qBACvC,CAAC;iBACH,CAAC;SACH,CAAC;IACJ,CAAC;IAED,qCAAqC;IACrC,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,aAAa,GAAa,EAAE,CAAC;IACnC,MAAM,MAAM,GAA4B,EAAE,CAAC;IAE3C,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE,CAAC;QACpC,IAAI,QAAQ,CAAC,KAAK,CAAC,KAAK,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9D,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,KAAK,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,QAAQ,CAAC,IAAI,CAAC,4BAA4B,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,4CAA4C;IAC5C,MAAM,KAAK,GAA0E,EAAE,CAAC;IACxF,MAAM,YAAY,GAAG,CAAC,WAAW,EAAE,sBAAsB,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;IACpF,MAAM,IAAI,GAAG,CAAE,QAAQ,CAAC,SAAoB,IAAI,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC5F,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,cAAc,CAAC,SAAS,CAAC,CAAC;IAE1E,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;QACjC,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAuB,CAAC;QAClD,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACnC,MAAM,KAAK,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;YACxC,KAAK,CAAC,KAAK,CAAC,GAAG;gBACb,KAAK;gBACL,QAAQ;gBACR,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS;aACjD,CAAC;YACF,IAAI,QAAQ,IAAI,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACnC,QAAQ,CAAC,IAAI,CACX,GAAG,KAAK,cAAc,QAAQ,cAAc,IAAI,SAAS,KAAK,QAAQ,CACvE,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,QAAQ,CAAC,IAAI,CAAC,GAAG,KAAK,sCAAsC,CAAC,CAAC;YAChE,CAAC;QACH,CAAC;IACH,CAAC;IAED,6BAA6B;IAC7B,IAAI,YAAY,GAAkC,IAAI,CAAC;IACvD,MAAM,WAAW,GAAG,QAAQ,CAAC,YAAkC,CAAC;IAChE,IAAI,WAAW,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;QACnD,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACtB,YAAY,GAAG;gBACb,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjB,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC;gBAClB,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;aACpC,CAAC;QACJ,CAAC;aAAM,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9B,YAAY,GAAG;gBACb,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjB,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC;aACnB,CAAC;YACF,QAAQ,CAAC,IAAI,CAAC,qEAAqE,CAAC,CAAC;QACvF,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,IAAI,CAAC,2EAA2E,CAAC,CAAC;QAC7F,CAAC;IACH,CAAC;IAED,oCAAoC;IACpC,IAAI,iBAAiB,GAAmC,IAAI,CAAC;IAC7D,MAAM,SAAS,GAAG,QAAQ,CAAC,SAA+B,CAAC;IAC3D,IAAI,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QAC/C,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC;QACnC,IAAI,KAAK,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YAC5B,QAAQ,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;QAC1D,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,GAAG,GAAG,GAAG,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;YACnC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,mBAAmB,CAAC;YACnD,iBAAiB,GAAG;gBAClB,MAAM,EAAE,MAAM,CAAC,WAAW,EAAE;gBAC5B,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC;gBACnC,KAAK;gBACL,wBAAwB,EAAE,mBAAmB,GAAG,IAAI;aACrD,CAAC;YACF,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;oBACZ,QAAQ,CAAC,IAAI,CACX,yBAAyB,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,4BAA4B,mBAAmB,GAAG,IAAI,IAAI,CAC1G,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,QAAQ,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;gBACvD,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,0BAA0B;IAC1B,MAAM,cAAc,GAAG,QAAQ,CAAC,SAA+B,CAAC;IAChE,IAAI,cAAc,GAAG,KAAK,CAAC;IAC3B,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,UAAU,GAAG,cAAc,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QACrE,cAAc,GAAG,UAAU,KAAK,SAAS,IAAI,UAAU,KAAK,SAAS,CAAC;QACtE,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,QAAQ,CAAC,IAAI,CAAC,uBAAuB,cAAc,kCAAkC,CAAC,CAAC;QACzF,CAAC;IACH,CAAC;IAED,oCAAoC;IACpC,MAAM,WAAW,GAAG,QAAQ,CAAC,YAAkC,CAAC;IAChE,IAAI,WAAW,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;QACnD,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC,oEAAoE,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAED,eAAe;IACf,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,CAAC;IAC7C,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7E,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,QAAQ,CAAC,IAAI,CAAC,yBAAyB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,oBAAoB;IACpB,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE,CAAC;QACpC,IAAI,QAAQ,CAAC,KAAK,CAAC,KAAK,SAAS,EAAE,CAAC;YAClC,gBAAgB,CAAC,IAAI,CAAC,KAAK,KAAK,KAAK,kBAAkB,CAAC,KAAK,CAAC,IAAI,eAAe,EAAE,CAAC,CAAC;QACvF,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG;QACb,YAAY,EAAE,aAAa,CAAC,MAAM,KAAK,CAAC;QACxC,MAAM;QACN,KAAK;QACL,aAAa,EAAE,YAAY;QAC3B,kBAAkB,EAAE,iBAAiB;QACrC,eAAe,EAAE,cAAc;QAC/B,kBAAkB,EAAE,gBAAgB;QACpC,QAAQ;KACT,CAAC;IAEF,OAAO;QACL,OAAO,EAAE,CAAC;gBACR,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;aACtC,CAAC;KACH,CAAC;AACJ,CAAC"}

package/dist/tools/hierarchy.d.ts

@@ -0,0 +1,13 @@
+/**
+ * blink_hierarchy_design tool handler.
+ *
+ * Given an organisational description, suggests a BLINK key hierarchy
+ * with INS naming, algorithm recommendations, and delegation model.
+ */
+export declare function handleHierarchyDesign(args: Record<string, unknown>): {
+    content: Array<{
+        type: string;
+        text: string;
+    }>;
+};
+//# sourceMappingURL=hierarchy.d.ts.map

package/dist/tools/hierarchy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hierarchy.d.ts","sourceRoot":"","sources":["../../src/tools/hierarchy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAgHH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC5B;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAAE,CA4PpD"}