@fipsign/mcp 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 FIPSign
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,205 @@
+# @fipsign/mcp
+
+[![npm](https://img.shields.io/npm/v/@fipsign/mcp)](https://www.npmjs.com/package/@fipsign/mcp)
+[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
+[![NIST FIPS 204](https://img.shields.io/badge/NIST-FIPS%20204-blue)](https://csrc.nist.gov/pubs/fips/204/final)
+
+MCP server for [FIPSign](https://fipsign.dev) — post-quantum digital signing via **ML-DSA-65** (NIST FIPS 204).
+
+Gives Claude Desktop, Claude Code, and any MCP-compatible AI agent full access to the FIPSign API without writing code: sign payloads, verify tokens, issue and revoke post-quantum certificates, manage webhooks, and monitor usage.
+
+---
+
+## Tools
+
+| Tool | Description | Token cost |
+|---|---|---|
+| `fipsign_health` | Check service status | free |
+| `fipsign_public_key` | Get the server's ML-DSA-65 public key | free |
+| `fipsign_sign` | Sign any payload | 1 token |
+| `fipsign_verify` | Verify a signed token | 1 token |
+| `fipsign_revoke` | Permanently revoke a token | 1 token |
+| `fipsign_usage` | Get token balance and usage history | free |
+| `fipsign_generate_key_pair` | Generate an ML-DSA-65 key pair locally | free |
+| `fipsign_ca_issue` | Issue a post-quantum certificate | 1 token |
+| `fipsign_ca_revoke_cert` | Revoke a certificate | 1 token |
+| `fipsign_ca_get_cert` | Get certificate status by ID | free |
+| `fipsign_ca_get_crl` | Get the Certificate Revocation List | free |
+| `fipsign_webhooks_register` | Register a webhook endpoint | free |
+| `fipsign_webhooks_get` | Get current webhook config | free |
+| `fipsign_webhooks_delete` | Delete webhook configuration | free |
+| `fipsign_webhooks_test` | Send a test event to your webhook | free |
+
+---
+
+## Prerequisites
+
+1. Node.js 18 or later
+2. A FIPSign account and API key — [create one free at app.fipsign.dev](https://app.fipsign.dev)
+3. For CA tools: a CA created inside your project from the dashboard
+
+---
+
+## Local testing before publishing
+
+### Level 1 — MCP Inspector (no Claude Desktop required)
+
+The Inspector opens a browser UI where you can call each tool manually and inspect responses without Claude Desktop.
+
+```bash
+git clone https://github.com/fipsign/fipsign-mcp
+cd fipsign-mcp
+npm install
+npm run build
+export FIPSIGN_API_KEY=pqa_your_real_key
+npx @modelcontextprotocol/inspector node dist/index.js
+```
+
+Open the URL shown in the terminal (typically `http://localhost:5173`). Select a tool, fill in the parameters, and run it.
+
+### Level 2 — Claude Desktop with local code (without publishing to npm)
+
+Build first, then point Claude Desktop at the local `dist/index.js`:
+
+```bash
+npm run build
+```
+
+Add to your `claude_desktop_config.json` (see path below):
+
+```json
+{
+  "mcpServers": {
+    "fipsign": {
+      "command": "node",
+      "args": ["/absolute/path/to/fipsign-mcp/dist/index.js"],
+      "env": {
+        "FIPSIGN_API_KEY": "pqa_your_real_key"
+      }
+    }
+  }
+}
+```
+
+### Level 3 — Claude Desktop with published package (production)
+
+```json
+{
+  "mcpServers": {
+    "fipsign": {
+      "command": "npx",
+      "args": ["-y", "@fipsign/mcp"],
+      "env": {
+        "FIPSIGN_API_KEY": "pqa_your_real_key"
+      }
+    }
+  }
+}
+```
+
+---
+
+## Installation for Claude Desktop
+
+`claude_desktop_config.json` is located at:
+- **macOS:** `~/Library/Application Support/Claude/claude_desktop_config.json`
+- **Windows:** `%APPDATA%\Claude\claude_desktop_config.json`
+- **Linux:** `~/.config/Claude/claude_desktop_config.json`
+
+Add the `fipsign` entry inside `mcpServers` (create the file if it doesn't exist):
+
+```json
+{
+  "mcpServers": {
+    "fipsign": {
+      "command": "npx",
+      "args": ["-y", "@fipsign/mcp"],
+      "env": {
+        "FIPSIGN_API_KEY": "pqa_your_real_key"
+      }
+    }
+  }
+}
+```
+
+Restart Claude Desktop after editing the config. You should see the FIPSign tools available in the tools panel.
+
+---
+
+## Installation for Claude Code
+
+```bash
+claude mcp add fipsign -- env FIPSIGN_API_KEY=pqa_your_real_key npx -y @fipsign/mcp
+```
+
+Or manually in your project's `.claude/mcp.json`:
+
+```json
+{
+  "mcpServers": {
+    "fipsign": {
+      "command": "npx",
+      "args": ["-y", "@fipsign/mcp"],
+      "env": {
+        "FIPSIGN_API_KEY": "pqa_your_real_key"
+      }
+    }
+  }
+}
+```
+
+---
+
+## Environment variables
+
+| Variable | Required | Default | Description |
+|---|---|---|---|
+| `FIPSIGN_API_KEY` | Yes (for most tools) | — | Your FIPSign API key. Format: `pqa_` + 64 lowercase hex chars. Get one at app.fipsign.dev. |
+| `FIPSIGN_BASE_URL` | No | `https://api.fipsign.dev` | Override API base URL (useful for self-hosted instances or local dev). |
+
+`fipsign_health`, `fipsign_public_key`, and `fipsign_generate_key_pair` work without an API key.
+
+---
+
+## Usage examples
+
+Once configured, you can ask Claude:
+
+**Signing:**
+- *"Sign a token for user_123 with role admin that expires in 1 hour"*
+- *"Verify this token: { payload: '...', signature: '...', algorithm: 'ML-DSA-65', issuedAt: 123 }"*
+- *"Revoke this token because the user logged out"*
+
+**Certificates:**
+- *"Generate a key pair for a new IoT device"*
+- *"Issue a certificate for device-serial-00123 using the public key I just generated, valid for 1 year"*
+- *"Check the revocation status of cert_abc123"*
+- *"Get the full CRL for our CA"*
+- *"Revoke certificate cert_abc123 — device was reported stolen"*
+
+**Monitoring:**
+- *"How many tokens do I have left this month?"*
+- *"Register a webhook at https://myapp.com/hooks/fipsign for limit.warning and limit.reached events"*
+- *"Send a test event to my webhook"*
+
+---
+
+## Publishing to npm
+
+```bash
+npm run build
+npm publish --access public
+```
+
+Requires an npm account with publish rights to the `@fipsign` scope.
+
+---
+
+## Links
+
+- Dashboard: [app.fipsign.dev](https://app.fipsign.dev)
+- API status: [status.fipsign.dev](https://status.fipsign.dev)
+- JS SDK: [npmjs.com/package/fipsign-sdk](https://www.npmjs.com/package/fipsign-sdk)
+- Python SDK: [pypi.org/project/fipsign-sdk](https://pypi.org/project/fipsign-sdk/)
+- Python MCP: [pypi.org/project/fipsign-mcp](https://pypi.org/project/fipsign-mcp/)
+- NIST FIPS 204: [csrc.nist.gov/pubs/fips/204/final](https://csrc.nist.gov/pubs/fips/204/final)

package/dist/index.d.ts

@@ -0,0 +1,16 @@
+#!/usr/bin/env node
+/**
+ * @fipsign/mcp — MCP server for FIPSign post-quantum signing API
+ *
+ * Exposes 15 tools covering the full FIPSign runtime API:
+ * signing, verification, revocation, usage, CA certificate lifecycle,
+ * key pair generation, and webhook management.
+ *
+ * Configuration:
+ *   FIPSIGN_API_KEY  — required for most tools (pqa_ + 64 hex chars)
+ *   FIPSIGN_BASE_URL — optional, defaults to https://api.fipsign.dev
+ *
+ * Transport: stdio (compatible with Claude Desktop and Claude Code)
+ */
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;GAYG"}

package/dist/index.js

@@ -0,0 +1,486 @@
+#!/usr/bin/env node
+/**
+ * @fipsign/mcp — MCP server for FIPSign post-quantum signing API
+ *
+ * Exposes 15 tools covering the full FIPSign runtime API:
+ * signing, verification, revocation, usage, CA certificate lifecycle,
+ * key pair generation, and webhook management.
+ *
+ * Configuration:
+ *   FIPSIGN_API_KEY  — required for most tools (pqa_ + 64 hex chars)
+ *   FIPSIGN_BASE_URL — optional, defaults to https://api.fipsign.dev
+ *
+ * Transport: stdio (compatible with Claude Desktop and Claude Code)
+ */
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { CallToolRequestSchema, ListToolsRequestSchema, } from "@modelcontextprotocol/sdk/types.js";
+import { ml_dsa65 } from "@noble/post-quantum/ml-dsa.js";
+// ─── Configuration ────────────────────────────────────────────────────────────
+const API_KEY = process.env.FIPSIGN_API_KEY ?? "";
+const BASE_URL = (process.env.FIPSIGN_BASE_URL ?? "https://api.fipsign.dev").replace(/\/$/, "");
+// ─── HTTP helper ──────────────────────────────────────────────────────────────
+async function apiRequest(method, path, body) {
+    const headers = {
+        "Content-Type": "application/json",
+    };
+    if (API_KEY) {
+        headers["X-API-Key"] = API_KEY;
+    }
+    const response = await fetch(`${BASE_URL}${path}`, {
+        method,
+        headers,
+        body: body !== undefined ? JSON.stringify(body) : undefined,
+        signal: AbortSignal.timeout(30_000),
+    });
+    let data;
+    try {
+        data = await response.json();
+    }
+    catch {
+        data = { success: false, error: `HTTP ${response.status} — non-JSON response` };
+    }
+    return { ok: response.ok, status: response.status, data };
+}
+// ─── Crypto helpers ───────────────────────────────────────────────────────────
+function toBase64(bytes) {
+    let binary = "";
+    for (let i = 0; i < bytes.length; i++)
+        binary += String.fromCharCode(bytes[i]);
+    return btoa(binary);
+}
+// ─── Tool result helpers ──────────────────────────────────────────────────────
+function ok(data) {
+    return {
+        content: [{ type: "text", text: JSON.stringify(data, null, 2) }],
+    };
+}
+function err(message, detail) {
+    return {
+        content: [
+            {
+                type: "text",
+                text: JSON.stringify({ error: message, ...(detail !== undefined ? { detail } : {}) }, null, 2),
+            },
+        ],
+        isError: true,
+    };
+}
+function missingApiKey() {
+    return err("FIPSIGN_API_KEY is not set. Export it before starting the server: export FIPSIGN_API_KEY=pqa_...");
+}
+// ─── Tool definitions ─────────────────────────────────────────────────────────
+const TOOLS = [
+    // ── Infrastructure ──────────────────────────────────────────────────────────
+    {
+        name: "fipsign_health",
+        description: "Check the health of the FIPSign service. Returns the service status, algorithm (ML-DSA-65), NIST standard, and version. No API key required. Use this to verify the service is reachable before running other operations.",
+        inputSchema: {
+            type: "object",
+            properties: {},
+            required: [],
+        },
+    },
+    {
+        name: "fipsign_public_key",
+        description: "Get the current ML-DSA-65 public key of the FIPSign server. Returns a base64-encoded 1952-byte public key. Use this when you need to verify token signatures independently without calling the /verify endpoint (e.g. for offline verification or third-party auditing). No API key required.",
+        inputSchema: {
+            type: "object",
+            properties: {},
+            required: [],
+        },
+    },
+    // ── Core signing ─────────────────────────────────────────────────────────────
+    {
+        name: "fipsign_sign",
+        description: "Sign any payload with ML-DSA-65 (NIST FIPS 204). The only required field is 'sub' — any string identifying the entity being signed: a user ID, order ID, document hash, device serial, AI agent action, or anything else. All other fields are stored in the payload and returned on verify. Costs 1 token. Returns the signed token object (payload, signature, algorithm, issuedAt) plus usage info.",
+        inputSchema: {
+            type: "object",
+            properties: {
+                sub: {
+                    type: "string",
+                    description: "Required. Entity identifier. Max 128 characters. Examples: 'user_123', 'order_456', 'doc_hash_abc', 'device_serial_001', 'agent_action_summarize'.",
+                },
+                expiresInSeconds: {
+                    type: "number",
+                    description: "Token lifetime in seconds. Default: 3600 (1 hour). Pass a larger value for long-lived tokens (e.g. document signatures: 365 * 24 * 3600).",
+                },
+            },
+            required: ["sub"],
+            additionalProperties: {
+                description: "Any additional custom fields to embed in the payload. Max 10 extra fields, string values max 256 chars.",
+            },
+        },
+    },
+    {
+        name: "fipsign_verify",
+        description: "Verify a FIPSign token signed with ML-DSA-65. Checks the cryptographic signature, expiry, and revocation list. Returns valid:true with the decoded payload on success, or valid:false with an error message on failure. Never throws — always returns a result. Costs 1 token.",
+        inputSchema: {
+            type: "object",
+            properties: {
+                token: {
+                    type: "object",
+                    description: "The token object returned by fipsign_sign. Must have: payload (string), signature (string), algorithm (string), issuedAt (number).",
+                    properties: {
+                        payload: { type: "string" },
+                        signature: { type: "string" },
+                        algorithm: { type: "string" },
+                        issuedAt: { type: "number" },
+                    },
+                    required: ["payload", "signature", "algorithm", "issuedAt"],
+                },
+            },
+            required: ["token"],
+        },
+    },
+    {
+        name: "fipsign_revoke",
+        description: "Permanently revoke a token. Once revoked, all future verify() calls will reject the token even if its signature is valid and it has not expired. Idempotent: revoking an already-revoked token returns success without consuming an extra token. Costs 1 token. Note: calling this on an already-expired token returns an error (400).",
+        inputSchema: {
+            type: "object",
+            properties: {
+                token: {
+                    type: "object",
+                    description: "The token object to revoke. Must have: payload, signature, algorithm, issuedAt.",
+                    properties: {
+                        payload: { type: "string" },
+                        signature: { type: "string" },
+                        algorithm: { type: "string" },
+                        issuedAt: { type: "number" },
+                    },
+                    required: ["payload", "signature", "algorithm", "issuedAt"],
+                },
+                reason: {
+                    type: "string",
+                    description: "Optional human-readable reason stored server-side. Examples: 'user logged out', 'order cancelled', 'suspicious activity detected'.",
+                },
+            },
+            required: ["token"],
+        },
+    },
+    // ── Account ──────────────────────────────────────────────────────────────────
+    {
+        name: "fipsign_usage",
+        description: "Get the current token balance and 6-month usage history for this API key's account. Returns free tokens remaining (resets monthly), pack tokens remaining (never expire), total remaining, and a monthly breakdown. Free — no token cost. Use before batch operations to confirm sufficient balance.",
+        inputSchema: {
+            type: "object",
+            properties: {},
+            required: [],
+        },
+    },
+    // ── Key generation ───────────────────────────────────────────────────────────
+    {
+        name: "fipsign_generate_key_pair",
+        description: "Generate an ML-DSA-65 key pair locally (no API call, no token cost). Returns a base64-encoded public key (1952 bytes) and secret key (4032 bytes). Use the publicKey when calling fipsign_ca_issue to certify a device or entity. SECURITY WARNING: the secretKey is sensitive — store it securely on the device and never send it to any server. The secretKey will appear in this tool's response; treat it like a private key.",
+        inputSchema: {
+            type: "object",
+            properties: {},
+            required: [],
+        },
+    },
+    // ── Certificate Authority ─────────────────────────────────────────────────────
+    {
+        name: "fipsign_ca_issue",
+        description: "Issue a post-quantum certificate signed by the project's CA. The certificate certifies that the entity identified by 'subject' controls the given ML-DSA-65 public key. Supports both PQCert (native JSON) and X.509 (standard PEM) CA formats — the format is determined by which CA type was created in the dashboard. For PQCert CAs, the response includes a certificate JSON object. For X.509 CAs, it includes a PEM string. Costs 1 token.\n\nRequired: subject (entity name/ID), publicKey (base64 ML-DSA-65 public key — generate with fipsign_generate_key_pair), expiresInSeconds (min 60, max 157680000 = 5 years).\n\nOptional: meta (up to 10 key-value pairs — PQCert CAs only; passing meta to an X.509 CA returns a 400 error).\n\nThe returned certId (in meta.certId) is what you need for fipsign_ca_revoke_cert and fipsign_ca_get_cert.",
+        inputSchema: {
+            type: "object",
+            properties: {
+                subject: {
+                    type: "string",
+                    description: "Entity identifier to certify. Examples: 'device-serial-00123', 'service-payment-processor', 'lock-v3-batch-2026'. Max 256 characters.",
+                },
+                publicKey: {
+                    type: "string",
+                    description: "Base64-encoded ML-DSA-65 public key of the entity to certify (1952 bytes decoded). Generate with fipsign_generate_key_pair.",
+                },
+                expiresInSeconds: {
+                    type: "number",
+                    description: "Certificate lifetime in seconds. Min: 60 (1 minute). Max: 157680000 (5 years). Example: 31536000 = 1 year.",
+                },
+                meta: {
+                    type: "object",
+                    description: "Optional custom key-value pairs to embed in the certificate (PQCert CAs only — returns 400 for X.509 CAs). Max 10 keys. Example: {\"model\": \"lock-v3\", \"batch\": \"2026-05\"}.",
+                    additionalProperties: true,
+                },
+            },
+            required: ["subject", "publicKey", "expiresInSeconds"],
+        },
+    },
+    {
+        name: "fipsign_ca_revoke_cert",
+        description: "Revoke a certificate immediately. From this point on, the certificate will appear in the CRL returned by fipsign_ca_get_crl. Use fipsign_ca_get_cert to check real-time revocation status of a single certificate. Costs 1 token. Returns 409 if the certificate is already revoked.",
+        inputSchema: {
+            type: "object",
+            properties: {
+                certId: {
+                    type: "string",
+                    description: "The certificate ID to revoke (cert_...). For PQCert: the 'id' field of the certificate object. For X.509: the 'certId' field from meta returned by fipsign_ca_issue.",
+                },
+                reason: {
+                    type: "string",
+                    description: "Optional reason for revocation. Max 256 characters. Examples: 'device decommissioned', 'device reported stolen', 'key compromise'.",
+                },
+            },
+            required: ["certId"],
+        },
+    },
+    {
+        name: "fipsign_ca_get_cert",
+        description: "Get a certificate by ID and its current real-time status (revoked, expired, revokedAt, expiresAt). Use this for single certificate checks before authorizing high-value operations. For bulk offline revocation checks across many certificates, use fipsign_ca_get_crl instead. Free — no token cost.",
+        inputSchema: {
+            type: "object",
+            properties: {
+                certId: {
+                    type: "string",
+                    description: "The certificate ID (cert_...). For PQCert: certificate.id. For X.509: meta.certId from fipsign_ca_issue.",
+                },
+            },
+            required: ["certId"],
+        },
+    },
+    {
+        name: "fipsign_ca_get_crl",
+        description: "Get the Certificate Revocation List (CRL) for this project's CA. Returns all revoked certificate IDs with their revocation timestamps and reasons. Use this to check revocation status of multiple certificates offline — download once, check locally. For a single certificate's real-time status use fipsign_ca_get_cert instead. Free — no token cost. For X.509 CAs the CRL is signed with ML-DSA-65 and includes the full signed object in the 'raw' field.",
+        inputSchema: {
+            type: "object",
+            properties: {},
+            required: [],
+        },
+    },
+    // ── Webhooks ─────────────────────────────────────────────────────────────────
+    {
+        name: "fipsign_webhooks_register",
+        description: "Register or update a webhook endpoint that will receive real-time event notifications. Available events: 'token.signed', 'token.rejected', 'token.revoked', 'limit.warning' (fired at 20% free tokens remaining), 'limit.reached' (fired when free tokens are exhausted). If omitted, all events are subscribed. Re-registering an existing webhook updates the URL and events but preserves the original secret — to rotate the secret, delete and re-register. The 'secret' field in the response is shown only once — store it securely to verify incoming request signatures via HMAC-SHA256 on the X-PQAuth-Signature header.",
+        inputSchema: {
+            type: "object",
+            properties: {
+                url: {
+                    type: "string",
+                    description: "HTTPS endpoint that will receive POST requests. Must be a valid HTTPS URL accessible from the internet. Example: 'https://yourapp.com/webhooks/fipsign'.",
+                },
+                events: {
+                    type: "array",
+                    items: {
+                        type: "string",
+                        enum: ["token.signed", "token.rejected", "token.revoked", "limit.warning", "limit.reached"],
+                    },
+                    description: "Optional list of events to subscribe to. Defaults to all events if omitted.",
+                },
+            },
+            required: ["url"],
+        },
+    },
+    {
+        name: "fipsign_webhooks_get",
+        description: "Get the current webhook configuration (URL, subscribed events, active status, creation timestamp). The webhook secret is never returned after initial registration — only the URL and event list. Returns null webhook if no webhook has been registered.",
+        inputSchema: {
+            type: "object",
+            properties: {},
+            required: [],
+        },
+    },
+    {
+        name: "fipsign_webhooks_delete",
+        description: "Delete the current webhook configuration. After deletion, no events will be delivered until a new webhook is registered via fipsign_webhooks_register.",
+        inputSchema: {
+            type: "object",
+            properties: {},
+            required: [],
+        },
+    },
+    {
+        name: "fipsign_webhooks_test",
+        description: "Send a test 'token.signed' event to the registered webhook endpoint. Use this immediately after registering a webhook to confirm delivery is working before relying on it in production. Requires a webhook to be registered first.",
+        inputSchema: {
+            type: "object",
+            properties: {},
+            required: [],
+        },
+    },
+];
+// ─── Tool handlers ────────────────────────────────────────────────────────────
+async function handleTool(name, args) {
+    // Tools that don't require API key
+    if (name === "fipsign_health") {
+        const { data } = await apiRequest("GET", "/health");
+        return ok(data);
+    }
+    if (name === "fipsign_public_key") {
+        const { data } = await apiRequest("GET", "/public-key");
+        return ok(data);
+    }
+    if (name === "fipsign_generate_key_pair") {
+        const seed = new Uint8Array(32);
+        crypto.getRandomValues(seed);
+        const keys = ml_dsa65.keygen(seed);
+        seed.fill(0);
+        return ok({
+            publicKey: toBase64(keys.publicKey),
+            secretKey: toBase64(keys.secretKey),
+            algorithm: "ML-DSA-65",
+            standard: "NIST FIPS 204",
+            sizes: {
+                publicKeyBytes: keys.publicKey.length,
+                secretKeyBytes: keys.secretKey.length,
+            },
+            note: "Store secretKey securely on the device. Never send it to any server. Pass publicKey to fipsign_ca_issue.",
+        });
+    }
+    // All remaining tools require API key
+    if (!API_KEY)
+        return missingApiKey();
+    switch (name) {
+        // ── Core signing ──────────────────────────────────────────────────────────
+        case "fipsign_sign": {
+            const { sub, expiresInSeconds, ...rest } = args;
+            if (!sub || typeof sub !== "string") {
+                return err('"sub" is required and must be a string');
+            }
+            const body = { sub, ...rest };
+            if (expiresInSeconds !== undefined)
+                body.expiresInSeconds = expiresInSeconds;
+            const { ok: success, data } = await apiRequest("POST", "/sign", body);
+            if (!success)
+                return err("Sign failed", data);
+            return ok(data);
+        }
+        case "fipsign_verify": {
+            const { token } = args;
+            if (!token || typeof token !== "object") {
+                return err('"token" is required and must be the token object returned by fipsign_sign');
+            }
+            const { ok: success, data } = await apiRequest("POST", "/verify", { token });
+            // verify returns valid:false on failure — not necessarily an HTTP error
+            return ok(data);
+        }
+        case "fipsign_revoke": {
+            const { token, reason } = args;
+            if (!token || typeof token !== "object") {
+                return err('"token" is required and must be the token object returned by fipsign_sign');
+            }
+            const body = { token };
+            if (reason !== undefined)
+                body.reason = reason;
+            const { ok: success, data } = await apiRequest("POST", "/revoke", body);
+            if (!success)
+                return err("Revoke failed", data);
+            return ok(data);
+        }
+        // ── Account ───────────────────────────────────────────────────────────────
+        case "fipsign_usage": {
+            const { ok: success, data } = await apiRequest("GET", "/usage");
+            if (!success)
+                return err("Usage request failed", data);
+            return ok(data);
+        }
+        // ── Certificate Authority ─────────────────────────────────────────────────
+        case "fipsign_ca_issue": {
+            const { subject, publicKey, expiresInSeconds, meta } = args;
+            if (!subject || typeof subject !== "string") {
+                return err('"subject" is required');
+            }
+            if (!publicKey || typeof publicKey !== "string") {
+                return err('"publicKey" is required — generate one with fipsign_generate_key_pair');
+            }
+            if (typeof expiresInSeconds !== "number") {
+                return err('"expiresInSeconds" is required and must be a number (min 60, max 157680000)');
+            }
+            const body = { subject, publicKey, expiresInSeconds };
+            if (meta !== undefined)
+                body.meta = meta;
+            const { ok: success, data } = await apiRequest("POST", "/ca/issue", body);
+            if (!success)
+                return err("CA issue failed", data);
+            return ok(data);
+        }
+        case "fipsign_ca_revoke_cert": {
+            const { certId, reason } = args;
+            if (!certId || typeof certId !== "string") {
+                return err('"certId" is required');
+            }
+            const body = { certId };
+            if (reason !== undefined)
+                body.reason = reason;
+            const { ok: success, data } = await apiRequest("POST", "/ca/revoke", body);
+            if (!success)
+                return err("CA revoke failed", data);
+            return ok(data);
+        }
+        case "fipsign_ca_get_cert": {
+            const { certId } = args;
+            if (!certId || typeof certId !== "string") {
+                return err('"certId" is required');
+            }
+            const { ok: success, data } = await apiRequest("GET", `/ca/certificate/${encodeURIComponent(certId)}`);
+            if (!success)
+                return err("CA get cert failed", data);
+            return ok(data);
+        }
+        case "fipsign_ca_get_crl": {
+            const { ok: success, data } = await apiRequest("GET", "/ca/crl");
+            if (!success)
+                return err("CA get CRL failed", data);
+            return ok(data);
+        }
+        // ── Webhooks ──────────────────────────────────────────────────────────────
+        case "fipsign_webhooks_register": {
+            const { url, events } = args;
+            if (!url || typeof url !== "string") {
+                return err('"url" is required');
+            }
+            const body = { url };
+            if (events !== undefined)
+                body.events = events;
+            const { ok: success, data } = await apiRequest("POST", "/webhooks", body);
+            if (!success)
+                return err("Webhook register failed", data);
+            return ok(data);
+        }
+        case "fipsign_webhooks_get": {
+            const { ok: success, data } = await apiRequest("GET", "/webhooks");
+            if (!success)
+                return err("Webhook get failed", data);
+            return ok(data);
+        }
+        case "fipsign_webhooks_delete": {
+            const { ok: success, data } = await apiRequest("DELETE", "/webhooks");
+            if (!success)
+                return err("Webhook delete failed", data);
+            return ok(data);
+        }
+        case "fipsign_webhooks_test": {
+            const { ok: success, data } = await apiRequest("POST", "/webhooks/test");
+            if (!success)
+                return err("Webhook test failed", data);
+            return ok(data);
+        }
+        default:
+            return err(`Unknown tool: ${name}`);
+    }
+}
+// ─── Server setup ─────────────────────────────────────────────────────────────
+const server = new Server({
+    name: "fipsign-mcp",
+    version: "0.1.0",
+}, {
+    capabilities: {
+        tools: {},
+    },
+});
+server.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools: TOOLS,
+}));
+server.setRequestHandler(CallToolRequestSchema, async (request) => {
+    const { name, arguments: args = {} } = request.params;
+    try {
+        return await handleTool(name, args);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return err(`Unexpected error in tool '${name}': ${message}`);
+    }
+});
+// ─── Start ────────────────────────────────────────────────────────────────────
+const transport = new StdioServerTransport();
+await server.connect(transport);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GAEvB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,+BAA+B,CAAC;AAEzD,iFAAiF;AAEjF,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;AAClD,MAAM,QAAQ,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,yBAAyB,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAEhG,iFAAiF;AAEjF,KAAK,UAAU,UAAU,CACvB,MAAc,EACd,IAAY,EACZ,IAAc;IAEd,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;KACnC,CAAC;IACF,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,CAAC,WAAW,CAAC,GAAG,OAAO,CAAC;IACjC,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,GAAG,IAAI,EAAE,EAAE;QACjD,MAAM;QACN,OAAO;QACP,IAAI,EAAE,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;QAC3D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;KACpC,CAAC,CAAC;IAEH,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,IAAI,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,QAAQ,CAAC,MAAM,sBAAsB,EAAE,CAAC;IAClF,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC;AAC5D,CAAC;AAED,iFAAiF;AAEjF,SAAS,QAAQ,CAAC,KAAiB;IACjC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/E,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;AACtB,CAAC;AAED,iFAAiF;AAEjF,SAAS,EAAE,CAAC,IAAa;IACvB,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;KACjE,CAAC;AACJ,CAAC;AAED,SAAS,GAAG,CAAC,OAAe,EAAE,MAAgB;IAC5C,OAAO;QACL,OAAO,EAAE;YACP;gBACE,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAClB,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAC/D,IAAI,EACJ,CAAC,CACF;aACF;SACF;QACD,OAAO,EAAE,IAAI;KACd,CAAC;AACJ,CAAC;AAED,SAAS,aAAa;IACpB,OAAO,GAAG,CACR,kGAAkG,CACnG,CAAC;AACJ,CAAC;AAED,iFAAiF;AAEjF,MAAM,KAAK,GAAW;IACpB,+EAA+E;IAE/E;QACE,IAAI,EAAE,gBAAgB;QACtB,WAAW,EACT,2NAA2N;QAC7N,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,EAAE;SACb;KACF;IAED;QACE,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EACT,+RAA+R;QACjS,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,EAAE;SACb;KACF;IAED,gFAAgF;IAEhF;QACE,IAAI,EAAE,cAAc;QACpB,WAAW,EACT,wYAAwY;QAC1Y,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,GAAG,EAAE;oBACH,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,oJAAoJ;iBAClK;gBACD,gBAAgB,EAAE;oBAChB,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,2IAA2I;iBACzJ;aACF;YACD,QAAQ,EAAE,CAAC,KAAK,CAAC;YACjB,oBAAoB,EAAE;gBACpB,WAAW,EAAE,yGAAyG;aACvH;SACF;KACF;IAED;QACE,IAAI,EAAE,gBAAgB;QACtB,WAAW,EACT,gRAAgR;QAClR,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,KAAK,EAAE;oBACL,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,oIAAoI;oBACjJ,UAAU,EAAE;wBACV,OAAO,EAAI,EAAE,IAAI,EAAE,QAAQ,EAAE;wBAC7B,SAAS,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBAC7B,SAAS,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBAC7B,QAAQ,EAAG,EAAE,IAAI,EAAE,QAAQ,EAAE;qBAC9B;oBACD,QAAQ,EAAE,CAAC,SAAS,EAAE,WAAW,EAAE,WAAW,EAAE,UAAU,CAAC;iBAC5D;aACF;YACD,QAAQ,EAAE,CAAC,OAAO,CAAC;SACpB;KACF;IAED;QACE,IAAI,EAAE,gBAAgB;QACtB,WAAW,EACT,wUAAwU;QAC1U,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,KAAK,EAAE;oBACL,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,iFAAiF;oBAC9F,UAAU,EAAE;wBACV,OAAO,EAAI,EAAE,IAAI,EAAE,QAAQ,EAAE;wBAC7B,SAAS,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBAC7B,SAAS,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBAC7B,QAAQ,EAAG,EAAE,IAAI,EAAE,QAAQ,EAAE;qBAC9B;oBACD,QAAQ,EAAE,CAAC,SAAS,EAAE,WAAW,EAAE,WAAW,EAAE,UAAU,CAAC;iBAC5D;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,oIAAoI;iBAClJ;aACF;YACD,QAAQ,EAAE,CAAC,OAAO,CAAC;SACpB;KACF;IAED,gFAAgF;IAEhF;QACE,IAAI,EAAE,eAAe;QACrB,WAAW,EACT,sSAAsS;QACxS,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,EAAE;SACb;KACF;IAED,gFAAgF;IAEhF;QACE,IAAI,EAAE,2BAA2B;QACjC,WAAW,EACT,maAAma;QACra,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,EAAE;SACb;KACF;IAED,iFAAiF;IAEjF;QACE,IAAI,EAAE,kBAAkB;QACxB,WAAW,EACT,+zBAA+zB;QACj0B,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,uIAAuI;iBACrJ;gBACD,SAAS,EAAE;oBACT,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,6HAA6H;iBAC3I;gBACD,gBAAgB,EAAE;oBAChB,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,4GAA4G;iBAC1H;gBACD,IAAI,EAAE;oBACJ,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,oLAAoL;oBACjM,oBAAoB,EAAE,IAAI;iBAC3B;aACF;YACD,QAAQ,EAAE,CAAC,SAAS,EAAE,WAAW,EAAE,kBAAkB,CAAC;SACvD;KACF;IAED;QACE,IAAI,EAAE,wBAAwB;QAC9B,WAAW,EACT,sRAAsR;QACxR,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,sKAAsK;iBACpL;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,oIAAoI;iBAClJ;aACF;YACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;SACrB;KACF;IAED;QACE,IAAI,EAAE,qBAAqB;QAC3B,WAAW,EACT,wSAAwS;QAC1S,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,0GAA0G;iBACxH;aACF;YACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;SACrB;KACF;IAED;QACE,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EACT,mcAAmc;QACrc,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,EAAE;SACb;KACF;IAED,gFAAgF;IAEhF;QACE,IAAI,EAAE,2BAA2B;QACjC,WAAW,EACT,omBAAomB;QACtmB,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,GAAG,EAAE;oBACH,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,0JAA0J;iBACxK;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,OAAO;oBACb,KAAK,EAAE;wBACL,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,CAAC,cAAc,EAAE,gBAAgB,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,CAAC;qBAC5F;oBACD,WAAW,EAAE,6EAA6E;iBAC3F;aACF;YACD,QAAQ,EAAE,CAAC,KAAK,CAAC;SAClB;KACF;IAED;QACE,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EACT,2PAA2P;QAC7P,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,EAAE;SACb;KACF;IAED;QACE,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EACT,wJAAwJ;QAC1J,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,EAAE;SACb;KACF;IAED;QACE,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EACT,qOAAqO;QACvO,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,EAAE;SACb;KACF;CACF,CAAC;AAEF,iFAAiF;AAEjF,KAAK,UAAU,UAAU,CAAC,IAAY,EAAE,IAA6B;IACnE,mCAAmC;IACnC,IAAI,IAAI,KAAK,gBAAgB,EAAE,CAAC;QAC9B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,UAAU,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;QACpD,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,IAAI,KAAK,oBAAoB,EAAE,CAAC;QAClC,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,UAAU,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;QACxD,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,IAAI,KAAK,2BAA2B,EAAE,CAAC;QACzC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QAChC,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACb,OAAO,EAAE,CAAC;YACR,SAAS,EAAE,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;YACnC,SAAS,EAAE,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;YACnC,SAAS,EAAE,WAAW;YACtB,QAAQ,EAAE,eAAe;YACzB,KAAK,EAAE;gBACL,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM;gBACrC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM;aACtC;YACD,IAAI,EAAE,0GAA0G;SACjH,CAAC,CAAC;IACL,CAAC;IAED,sCAAsC;IACtC,IAAI,CAAC,OAAO;QAAE,OAAO,aAAa,EAAE,CAAC;IAErC,QAAQ,IAAI,EAAE,CAAC;QACb,6EAA6E;QAE7E,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,EAAE,GAAG,EAAE,gBAAgB,EAAE,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC;YAChD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBACpC,OAAO,GAAG,CAAC,wCAAwC,CAAC,CAAC;YACvD,CAAC;YACD,MAAM,IAAI,GAA4B,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;YACvD,IAAI,gBAAgB,KAAK,SAAS;gBAAE,IAAI,CAAC,gBAAgB,GAAG,gBAAgB,CAAC;YAC7E,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;YACtE,IAAI,CAAC,OAAO;gBAAE,OAAO,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;YAC9C,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAED,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;YACvB,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACxC,OAAO,GAAG,CAAC,2EAA2E,CAAC,CAAC;YAC1F,CAAC;YACD,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YAC7E,wEAAwE;YACxE,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAED,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;YAC/B,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACxC,OAAO,GAAG,CAAC,2EAA2E,CAAC,CAAC;YAC1F,CAAC;YACD,MAAM,IAAI,GAA4B,EAAE,KAAK,EAAE,CAAC;YAChD,IAAI,MAAM,KAAK,SAAS;gBAAE,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;YAC/C,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;YACxE,IAAI,CAAC,OAAO;gBAAE,OAAO,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;YAChD,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAED,6EAA6E;QAE7E,KAAK,eAAe,CAAC,CAAC,CAAC;YACrB,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,UAAU,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YAChE,IAAI,CAAC,OAAO;gBAAE,OAAO,GAAG,CAAC,sBAAsB,EAAE,IAAI,CAAC,CAAC;YACvD,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAED,6EAA6E;QAE7E,KAAK,kBAAkB,CAAC,CAAC,CAAC;YACxB,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC;YAC5D,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAC5C,OAAO,GAAG,CAAC,uBAAuB,CAAC,CAAC;YACtC,CAAC;YACD,IAAI,CAAC,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;gBAChD,OAAO,GAAG,CAAC,uEAAuE,CAAC,CAAC;YACtF,CAAC;YACD,IAAI,OAAO,gBAAgB,KAAK,QAAQ,EAAE,CAAC;gBACzC,OAAO,GAAG,CAAC,6EAA6E,CAAC,CAAC;YAC5F,CAAC;YACD,MAAM,IAAI,GAA4B,EAAE,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,CAAC;YAC/E,IAAI,IAAI,KAAK,SAAS;gBAAE,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;YACzC,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;YAC1E,IAAI,CAAC,OAAO;gBAAE,OAAO,GAAG,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC;YAClD,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAED,KAAK,wBAAwB,CAAC,CAAC,CAAC;YAC9B,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;YAChC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;gBAC1C,OAAO,GAAG,CAAC,sBAAsB,CAAC,CAAC;YACrC,CAAC;YACD,MAAM,IAAI,GAA4B,EAAE,MAAM,EAAE,CAAC;YACjD,IAAI,MAAM,KAAK,SAAS;gBAAE,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;YAC/C,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC;YAC3E,IAAI,CAAC,OAAO;gBAAE,OAAO,GAAG,CAAC,kBAAkB,EAAE,IAAI,CAAC,CAAC;YACnD,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAED,KAAK,qBAAqB,CAAC,CAAC,CAAC;YAC3B,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;YACxB,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;gBAC1C,OAAO,GAAG,CAAC,sBAAsB,CAAC,CAAC;YACrC,CAAC;YACD,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,UAAU,CAAC,KAAK,EAAE,mBAAmB,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACvG,IAAI,CAAC,OAAO;gBAAE,OAAO,GAAG,CAAC,oBAAoB,EAAE,IAAI,CAAC,CAAC;YACrD,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAED,KAAK,oBAAoB,CAAC,CAAC,CAAC;YAC1B,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,UAAU,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;YACjE,IAAI,CAAC,OAAO;gBAAE,OAAO,GAAG,CAAC,mBAAmB,EAAE,IAAI,CAAC,CAAC;YACpD,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAED,6EAA6E;QAE7E,KAAK,2BAA2B,CAAC,CAAC,CAAC;YACjC,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;YAC7B,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBACpC,OAAO,GAAG,CAAC,mBAAmB,CAAC,CAAC;YAClC,CAAC;YACD,MAAM,IAAI,GAA4B,EAAE,GAAG,EAAE,CAAC;YAC9C,IAAI,MAAM,KAAK,SAAS;gBAAE,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;YAC/C,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;YAC1E,IAAI,CAAC,OAAO;gBAAE,OAAO,GAAG,CAAC,yBAAyB,EAAE,IAAI,CAAC,CAAC;YAC1D,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAED,KAAK,sBAAsB,CAAC,CAAC,CAAC;YAC5B,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,UAAU,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;YACnE,IAAI,CAAC,OAAO;gBAAE,OAAO,GAAG,CAAC,oBAAoB,EAAE,IAAI,CAAC,CAAC;YACrD,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAED,KAAK,yBAAyB,CAAC,CAAC,CAAC;YAC/B,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,UAAU,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;YACtE,IAAI,CAAC,OAAO;gBAAE,OAAO,GAAG,CAAC,uBAAuB,EAAE,IAAI,CAAC,CAAC;YACxD,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAED,KAAK,uBAAuB,CAAC,CAAC,CAAC;YAC7B,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;YACzE,IAAI,CAAC,OAAO;gBAAE,OAAO,GAAG,CAAC,qBAAqB,EAAE,IAAI,CAAC,CAAC;YACtD,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAED;YACE,OAAO,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC;IACxC,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB;IACE,IAAI,EAAE,aAAa;IACnB,OAAO,EAAE,OAAO;CACjB,EACD;IACE,YAAY,EAAE;QACZ,KAAK,EAAE,EAAE;KACV;CACF,CACF,CAAC;AAEF,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;IAC5D,KAAK,EAAE,KAAK;CACb,CAAC,CAAC,CAAC;AAEJ,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;IAChE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IACtD,IAAI,CAAC;QACH,OAAO,MAAM,UAAU,CAAC,IAAI,EAAE,IAA+B,CAAC,CAAC;IACjE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,OAAO,GAAG,CAAC,6BAA6B,IAAI,MAAM,OAAO,EAAE,CAAC,CAAC;IAC/D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,iFAAiF;AAEjF,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;AAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC"}

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@fipsign/mcp",
+  "version": "0.1.0",
+  "description": "MCP server for FIPSign — post-quantum signing via ML-DSA-65 (NIST FIPS 204)",
+  "type": "module",
+  "main": "./dist/index.js",
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "fipsign",
+    "post-quantum",
+    "ml-dsa",
+    "signing",
+    "cryptography",
+    "nist",
+    "fips-204"
+  ],
+  "author": "FIPSign",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/fipsign/fipsign-mcp.git"
+  },
+  "homepage": "https://fipsign.dev",
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.15.0",
+    "@noble/post-quantum": "^0.6.1"
+  },
+  "devDependencies": {
+    "@types/node": "^22.19.20",
+    "typescript": "^5.5.0"
+  },
+  "engines": {
+    "node": ">=18"
+  }
+}