@keeperhub/wallet 0.1.11 → 0.1.13

package/dist/index.js

@@ -7,31 +7,51 @@ var AGENT_SPECS = [
     agent: "claude-code",
     skillsRel: [".claude", "skills"],
     settingsRel: [".claude", "settings.json"],
-    hookSupport: "claude-code"
+    hookSupport: "claude-code",
+    // ~/.claude.json is at HOME root (not under .claude/) and is large
+    // (100+KB on real installs). registerMcpServer reads/parses/rewrites it
+    // while preserving every other top-level key byte-for-byte.
+    mcpConfigRel: [".claude.json"],
+    mcpSupport: "claude-code"
   },
   {
     agent: "cursor",
     skillsRel: [".cursor", "skills"],
     settingsRel: [".cursor", "settings.json"],
-    hookSupport: "notice"
+    hookSupport: "notice",
+    mcpConfigRel: [".cursor", "mcp.json"],
+    mcpSupport: "cursor"
   },
   {
     agent: "cline",
     skillsRel: [".cline", "skills"],
     settingsRel: [".cline", "settings.json"],
-    hookSupport: "notice"
+    hookSupport: "notice",
+    // Cline keeps MCP state in a per-VS-Code-variant globalStorage path
+    // (e.g. ~/Library/Application Support/Code/User/globalStorage/
+    // saoudrizwan.claude-dev/settings/cline_mcp_settings.json) that is too
+    // fragile to auto-detect. Ship "notice" with a copy-paste entry shape
+    // instead of guessing the variant.
+    mcpSupport: "notice"
   },
   {
     agent: "windsurf",
     skillsRel: [".windsurf", "skills"],
     settingsRel: [".windsurf", "settings.json"],
-    hookSupport: "notice"
+    hookSupport: "notice",
+    mcpConfigRel: [".codeium", "windsurf", "mcp_config.json"],
+    mcpSupport: "windsurf",
+    // Windsurf historically ships under both `.windsurf/` and the legacy
+    // `.codeium/windsurf/`; detect either.
+    extraDetect: [[".codeium", "windsurf"]]
   },
   {
     agent: "opencode",
     skillsRel: [".config", "opencode", "skills"],
     settingsRel: [".config", "opencode", "settings.json"],
-    hookSupport: "notice"
+    hookSupport: "notice",
+    mcpConfigRel: [".config", "opencode", "opencode.json"],
+    mcpSupport: "opencode"
   }
 ];
 function detectAgents(homeOverride) {
@@ -40,14 +60,26 @@ function detectAgents(homeOverride) {
   for (const spec of AGENT_SPECS) {
     const skillsDir = join(home, ...spec.skillsRel);
     const settingsFile = join(home, ...spec.settingsRel);
-    if (existsSync(dirname(skillsDir))) {
-      results.push({
-        agent: spec.agent,
-        skillsDir,
-        settingsFile,
-        hookSupport: spec.hookSupport
-      });
+    let detected = existsSync(dirname(skillsDir));
+    if (!detected && spec.extraDetect) {
+      for (const seg of spec.extraDetect) {
+        if (existsSync(join(home, ...seg))) {
+          detected = true;
+          break;
+        }
+      }
+    }
+    if (!detected) {
+      continue;
     }
+    results.push({
+      agent: spec.agent,
+      skillsDir,
+      settingsFile,
+      hookSupport: spec.hookSupport,
+      mcpConfigRel: spec.mcpConfigRel,
+      mcpSupport: spec.mcpSupport
+    });
   }
   return results;
 }
@@ -146,19 +178,212 @@ function fund(walletAddress) {
   };
 }
 
+// src/hmac.ts
+import { createHash, createHmac } from "crypto";
+function computeSignature(secret, method, path, subOrgId, body, timestamp) {
+  const bodyDigest = createHash("sha256").update(body).digest("hex");
+  const signingString = `${method}
+${path}
+${subOrgId}
+${bodyDigest}
+${timestamp}`;
+  return createHmac("sha256", secret).update(signingString).digest("hex");
+}
+function buildHmacHeaders(secret, method, path, subOrgId, body) {
+  const timestamp = String(Math.floor(Date.now() / 1e3));
+  const signature = computeSignature(
+    secret,
+    method,
+    path,
+    subOrgId,
+    body,
+    timestamp
+  );
+  return {
+    "X-KH-Sub-Org": subOrgId,
+    "X-KH-Timestamp": timestamp,
+    "X-KH-Signature": signature
+  };
+}
+
+// src/storage.ts
+import { randomBytes } from "crypto";
+import { chmod, mkdir, readFile, rename, writeFile } from "fs/promises";
+import { homedir as homedir2 } from "os";
+import { dirname as dirname2, join as join2 } from "path";
+
+// src/types.ts
+var KeeperHubError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "KeeperHubError";
+    this.code = code;
+  }
+};
+var WalletConfigMissingError = class extends Error {
+  constructor() {
+    super(
+      "Wallet config not found at ~/.keeperhub/wallet.json. Run `npx @keeperhub/wallet add` to provision."
+    );
+    this.name = "WalletConfigMissingError";
+  }
+};
+var WalletConfigCorruptError = class extends Error {
+  path;
+  constructor(path, reason) {
+    super(
+      `Wallet config at ${path} is unreadable: ${reason}. Repair the file by hand or delete it to re-provision a new wallet (this will abandon any funds held in the current wallet).`
+    );
+    this.name = "WalletConfigCorruptError";
+    this.path = path;
+  }
+};
+
+// src/storage.ts
+async function readWalletConfig() {
+  const walletPath = join2(homedir2(), ".keeperhub", "wallet.json");
+  let raw;
+  try {
+    raw = await readFile(walletPath, "utf-8");
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      throw new WalletConfigMissingError();
+    }
+    throw err;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    const reason = err instanceof Error ? err.message : String(err);
+    throw new WalletConfigCorruptError(walletPath, reason);
+  }
+  if (!(parsed.subOrgId && parsed.walletAddress && parsed.hmacSecret)) {
+    throw new WalletConfigCorruptError(walletPath, "missing required fields");
+  }
+  return parsed;
+}
+async function writeWalletConfig(config) {
+  const walletPath = join2(homedir2(), ".keeperhub", "wallet.json");
+  await mkdir(dirname2(walletPath), { recursive: true, mode: 448 });
+  const suffix = randomBytes(8).toString("hex");
+  const tmpPath = `${walletPath}.${process.pid}.${suffix}.tmp`;
+  await writeFile(tmpPath, JSON.stringify(config, null, 2), { mode: 384 });
+  await chmod(tmpPath, 384);
+  await rename(tmpPath, walletPath);
+}
+function getWalletConfigPath() {
+  return join2(homedir2(), ".keeperhub", "wallet.json");
+}
+
+// src/provision.ts
+var TRAILING_SLASH = /\/$/;
+var WALLET_ADDRESS_PATTERN = /^0x[a-fA-F0-9]{40}$/;
+var ProvisionResponseInvalidError = class extends Error {
+  code = "PROVISION_RESPONSE_INVALID";
+  constructor(message) {
+    super(message);
+    this.name = "ProvisionResponseInvalidError";
+  }
+};
+var ProvisionHttpError = class extends Error {
+  code = "PROVISION_HTTP_ERROR";
+  status;
+  body;
+  constructor(status, body) {
+    super(`provision failed: HTTP ${status}: ${body}`);
+    this.name = "ProvisionHttpError";
+    this.status = status;
+    this.body = body;
+  }
+};
+function resolveBaseUrl(override) {
+  const candidate = override ?? process.env.KEEPERHUB_API_URL ?? "https://app.keeperhub.com";
+  return candidate.replace(TRAILING_SLASH, "");
+}
+function isNonEmptyString(value) {
+  return typeof value === "string" && value.length > 0;
+}
+function validateProvisionResponse(data) {
+  if (typeof data !== "object" || data === null) {
+    throw new ProvisionResponseInvalidError(
+      "provision response is not an object"
+    );
+  }
+  const { subOrgId, walletAddress, hmacSecret } = data;
+  if (!(isNonEmptyString(subOrgId) && isNonEmptyString(walletAddress) && isNonEmptyString(hmacSecret))) {
+    throw new ProvisionResponseInvalidError(
+      "provision response missing subOrgId, walletAddress, or hmacSecret"
+    );
+  }
+  if (!WALLET_ADDRESS_PATTERN.test(walletAddress)) {
+    throw new ProvisionResponseInvalidError(
+      `provision response walletAddress is not a valid 0x-prefixed 40-hex address: ${walletAddress}`
+    );
+  }
+  return {
+    subOrgId,
+    walletAddress,
+    hmacSecret
+  };
+}
+async function provisionWallet(options = {}) {
+  const baseUrl = resolveBaseUrl(options.baseUrl);
+  const fetchImpl = options.fetchImpl ?? globalThis.fetch;
+  const response = await fetchImpl(`${baseUrl}/api/agentic-wallet/provision`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: "{}",
+    signal: AbortSignal.timeout(3e4)
+  });
+  if (!response.ok) {
+    const text = await response.text();
+    throw new ProvisionHttpError(response.status, text);
+  }
+  const raw = await response.json();
+  const data = validateProvisionResponse(raw);
+  await writeWalletConfig(data);
+  return data;
+}
+
 // src/skill-install.ts
+import { randomBytes as randomBytes3 } from "crypto";
+import {
+  chmod as chmod3,
+  copyFile,
+  mkdir as mkdir3,
+  readFile as readFile3,
+  rename as rename3,
+  unlink as unlink2,
+  writeFile as writeFile3
+} from "fs/promises";
+import { dirname as dirname5, join as join5 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+
+// src/mcp-register.ts
+import { randomBytes as randomBytes2 } from "crypto";
+import {
+  chmod as chmod2,
+  mkdir as mkdir2,
+  readFile as readFile2,
+  rename as rename2,
+  unlink,
+  writeFile as writeFile2
+} from "fs/promises";
+import { homedir as homedir3 } from "os";
+import { dirname as dirname4, join as join4 } from "path";
+
+// src/runtime-detect.ts
 import { execFileSync } from "child_process";
 import { readFileSync } from "fs";
-import { chmod, copyFile, mkdir, readFile, writeFile } from "fs/promises";
-import { dirname as dirname2, join as join2 } from "path";
+import { dirname as dirname3, join as join3 } from "path";
 import { fileURLToPath } from "url";
-var HOOK_BIN = "keeperhub-wallet-hook";
-var HOOK_COMMAND_BARE = HOOK_BIN;
 var PACKAGE_NAME = "@keeperhub/wallet";
 function readPackageVersion() {
   try {
-    const here = dirname2(fileURLToPath(import.meta.url));
-    const pkgPath = join2(here, "..", "package.json");
+    const here = dirname3(fileURLToPath(import.meta.url));
+    const pkgPath = join3(here, "..", "package.json");
     const raw = readFileSync(pkgPath, "utf-8");
     const parsed = JSON.parse(raw);
     if (typeof parsed.version === "string" && parsed.version.length > 0) {
@@ -168,9 +393,6 @@ function readPackageVersion() {
   }
   return "latest";
 }
-function buildNpxCommand(version) {
-  return `npx -y -p ${PACKAGE_NAME}@${version} ${HOOK_BIN}`;
-}
 function isNpxExecution() {
   const execPath = process.env.npm_execpath;
   if (typeof execPath !== "string" || execPath.length === 0) {
@@ -198,6 +420,144 @@ function isPathUnderTransientCache(resolvedPath) {
   }
   return false;
 }
+function resolveBinCommand(binName) {
+  const version = readPackageVersion();
+  const npxArgs = ["-y", "-p", `${PACKAGE_NAME}@${version}`, binName];
+  const npxCommandString = `npx ${npxArgs.join(" ")}`;
+  if (isNpxExecution()) {
+    return {
+      commandString: npxCommandString,
+      command: "npx",
+      args: npxArgs
+    };
+  }
+  try {
+    const resolved = execFileSync("/bin/sh", ["-c", `command -v ${binName}`], {
+      stdio: ["ignore", "pipe", "ignore"]
+    }).toString().trim();
+    if (resolved.length > 0 && !isPathUnderTransientCache(resolved)) {
+      return {
+        commandString: binName,
+        command: binName,
+        args: []
+      };
+    }
+  } catch {
+  }
+  return {
+    commandString: npxCommandString,
+    command: "npx",
+    args: npxArgs
+  };
+}
+
+// src/mcp-register.ts
+var MCP_BIN = "keeperhub-wallet-mcp";
+var MCP_SERVER_NAME = "keeperhub-wallet";
+function resolveMcpCommand() {
+  const envOverride = process.env.KEEPERHUB_WALLET_MCP_COMMAND;
+  if (envOverride && envOverride.length > 0) {
+    const parts = envOverride.trim().split(/\s+/);
+    const head = parts[0] ?? envOverride;
+    return { command: head, args: parts.slice(1) };
+  }
+  const resolved = resolveBinCommand(MCP_BIN);
+  return { command: resolved.command, args: resolved.args };
+}
+function buildStandardEntry(cmd) {
+  const entry = {
+    command: cmd.command,
+    args: cmd.args
+  };
+  if (cmd.env && Object.keys(cmd.env).length > 0) {
+    entry.env = cmd.env;
+  }
+  return entry;
+}
+function buildOpencodeEntry(cmd) {
+  return {
+    type: "local",
+    command: [cmd.command, ...cmd.args],
+    enabled: true,
+    environment: cmd.env ?? {}
+  };
+}
+async function readJsonOrEmpty(path) {
+  let raw = null;
+  try {
+    raw = await readFile2(path, "utf-8");
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      throw err;
+    }
+  }
+  if (raw === null) {
+    return {};
+  }
+  try {
+    return JSON.parse(raw);
+  } catch {
+    throw new Error(
+      `MCP config at ${path} is not valid JSON; aborting MCP registration`
+    );
+  }
+}
+async function writeJsonAtomic(path, payload) {
+  await mkdir2(dirname4(path), { recursive: true, mode: 448 });
+  const suffix = randomBytes2(8).toString("hex");
+  const tmpPath = `${path}.${process.pid}.${suffix}.tmp`;
+  try {
+    await writeFile2(tmpPath, payload, { mode: 384 });
+    await chmod2(tmpPath, 384);
+    await rename2(tmpPath, path);
+  } catch (err) {
+    await unlink(tmpPath).catch(() => {
+    });
+    throw err;
+  }
+}
+async function writeStandardMcp(path, entry) {
+  const config = await readJsonOrEmpty(path);
+  const servers = typeof config.mcpServers === "object" && config.mcpServers !== null ? config.mcpServers : {};
+  servers[MCP_SERVER_NAME] = entry;
+  config.mcpServers = servers;
+  const payload = `${JSON.stringify(config, null, 2)}
+`;
+  await writeJsonAtomic(path, payload);
+}
+async function writeOpencodeMcp(path, entry) {
+  const config = await readJsonOrEmpty(path);
+  const servers = typeof config.mcp === "object" && config.mcp !== null ? config.mcp : {};
+  servers[MCP_SERVER_NAME] = entry;
+  config.mcp = servers;
+  const payload = `${JSON.stringify(config, null, 2)}
+`;
+  await writeJsonAtomic(path, payload);
+}
+async function registerMcpServer(target, options = {}) {
+  if (target.mcpSupport === "notice") {
+    throw new Error(
+      `agent ${target.agent} does not support auto-registered MCP servers; surface a notice instead`
+    );
+  }
+  if (!target.mcpConfigRel) {
+    throw new Error(
+      `agent ${target.agent} has mcpSupport=${target.mcpSupport} but no mcpConfigRel path`
+    );
+  }
+  const home = options.homeOverride ?? homedir3();
+  const path = join4(home, ...target.mcpConfigRel);
+  const cmd = options.command ?? resolveMcpCommand();
+  if (target.mcpSupport === "opencode") {
+    await writeOpencodeMcp(path, buildOpencodeEntry(cmd));
+  } else {
+    await writeStandardMcp(path, buildStandardEntry(cmd));
+  }
+  return { path, name: MCP_SERVER_NAME };
+}
+
+// src/skill-install.ts
+var HOOK_BIN = "keeperhub-wallet-hook";
 var KEEPERHUB_HOOK_MARKER = HOOK_BIN;
 function filterKeeperhubHooksFromEntry(entry) {
   if (typeof entry !== "object" || entry === null) {
@@ -224,19 +584,7 @@ function resolveHookCommand() {
   if (envOverride && envOverride.length > 0) {
     return envOverride;
   }
-  if (isNpxExecution()) {
-    return buildNpxCommand(readPackageVersion());
-  }
-  try {
-    const resolved = execFileSync("/bin/sh", ["-c", `command -v ${HOOK_BIN}`], {
-      stdio: ["ignore", "pipe", "ignore"]
-    }).toString().trim();
-    if (resolved.length > 0 && !isPathUnderTransientCache(resolved)) {
-      return HOOK_COMMAND_BARE;
-    }
-  } catch {
-  }
-  return buildNpxCommand(readPackageVersion());
+  return resolveBinCommand(HOOK_BIN).commandString;
 }
 function buildKeeperhubEntry(command) {
   return {
@@ -245,8 +593,8 @@ function buildKeeperhubEntry(command) {
   };
 }
 function resolveDefaultSkillSource() {
-  const here = dirname2(fileURLToPath(import.meta.url));
-  return join2(here, "..", "skill", "keeperhub-wallet.skill.md");
+  const here = dirname5(fileURLToPath2(import.meta.url));
+  return join5(here, "..", "skill", "keeperhub-wallet.skill.md");
 }
 function defaultNotice(msg) {
   process.stderr.write(`${msg}
@@ -256,7 +604,7 @@ async function registerClaudeCodeHook(settingsPath, options = {}) {
   const command = options.hookCommand ?? resolveHookCommand();
   let raw = null;
   try {
-    raw = await readFile(settingsPath, "utf-8");
+    raw = await readFile3(settingsPath, "utf-8");
   } catch (err) {
     if (err.code !== "ENOENT") {
       throw err;
@@ -284,166 +632,136 @@ async function registerClaudeCodeHook(settingsPath, options = {}) {
   filtered.push(buildKeeperhubEntry(command));
   hooks.PreToolUse = filtered;
   config.hooks = hooks;
-  await mkdir(dirname2(settingsPath), { recursive: true, mode: 448 });
+  await mkdir3(dirname5(settingsPath), { recursive: true, mode: 448 });
   const payload = `${JSON.stringify(config, null, 2)}
 `;
-  await writeFile(settingsPath, payload, { mode: 384 });
-  await chmod(settingsPath, 384);
+  const suffix = randomBytes3(8).toString("hex");
+  const tmpPath = `${settingsPath}.${process.pid}.${suffix}.tmp`;
+  try {
+    await writeFile3(tmpPath, payload, { mode: 384 });
+    await chmod3(tmpPath, 384);
+    await rename3(tmpPath, settingsPath);
+  } catch (err) {
+    await unlink2(tmpPath).catch(() => {
+    });
+    throw err;
+  }
 }
 async function writeSkillToAgent(agent, skillSource) {
-  await mkdir(agent.skillsDir, { recursive: true, mode: 493 });
-  const target = join2(agent.skillsDir, "keeperhub-wallet.skill.md");
+  await mkdir3(agent.skillsDir, { recursive: true, mode: 493 });
+  const target = join5(agent.skillsDir, "keeperhub-wallet.skill.md");
   await copyFile(skillSource, target);
-  await chmod(target, 420);
+  await chmod3(target, 420);
   return { agent: agent.agent, path: target, status: "written" };
 }
-function buildNoticeMessage(agent, command) {
+function buildHookNoticeMessage(agent, command) {
   return `${agent.agent} does not support auto-registered PreToolUse hooks; run \`${command}\` on every tool use via ${agent.agent}'s settings file at ${agent.settingsFile}`;
 }
+function buildMcpNoticeMessage(agent, command) {
+  const cmd = [command.command, ...command.args].join(" ");
+  return `${agent.agent} does not support auto-registered MCP servers; add an entry named \`keeperhub-wallet\` running \`${cmd}\` to your MCP config manually`;
+}
 async function installSkill(options = {}) {
   const agents = detectAgents(options.homeOverride);
   const skillSource = options.skillSourcePath ?? resolveDefaultSkillSource();
   const onNotice = options.onNotice ?? defaultNotice;
   const hookCommand = options.hookCommand ?? resolveHookCommand();
+  const mcpCommand = options.mcpCommand ?? resolveMcpCommand();
   const skillWrites = [];
   const hookRegistrations = [];
+  const mcpRegistrations = [];
   for (const agent of agents) {
-    const write = await writeSkillToAgent(agent, skillSource);
-    skillWrites.push(write);
-    if (agent.hookSupport === "claude-code") {
-      await registerClaudeCodeHook(agent.settingsFile, { hookCommand });
-      hookRegistrations.push({
+    try {
+      const write = await writeSkillToAgent(agent, skillSource);
+      skillWrites.push(write);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      skillWrites.push({
         agent: agent.agent,
-        status: "registered"
+        path: "",
+        status: "skipped"
       });
+      onNotice(`${agent.agent}: skill copy failed (${message})`);
+      continue;
+    }
+    if (agent.hookSupport === "claude-code") {
+      try {
+        await registerClaudeCodeHook(agent.settingsFile, { hookCommand });
+        hookRegistrations.push({
+          agent: agent.agent,
+          status: "registered"
+        });
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        hookRegistrations.push({
+          agent: agent.agent,
+          status: "failed",
+          message
+        });
+        onNotice(`${agent.agent}: hook registration failed (${message})`);
+      }
     } else {
-      const message = buildNoticeMessage(agent, hookCommand);
+      const noticeMessage = buildHookNoticeMessage(agent, hookCommand);
       hookRegistrations.push({
         agent: agent.agent,
         status: "notice",
-        message
+        message: noticeMessage
       });
-      onNotice(message);
+      onNotice(noticeMessage);
     }
-  }
-  return { skillWrites, hookRegistrations };
-}
-
-// src/storage.ts
-import { chmod as chmod2, mkdir as mkdir2, readFile as readFile2, writeFile as writeFile2 } from "fs/promises";
-import { homedir as homedir2 } from "os";
-import { dirname as dirname3, join as join3 } from "path";
-
-// src/types.ts
-var KeeperHubError = class extends Error {
-  code;
-  constructor(code, message) {
-    super(message);
-    this.name = "KeeperHubError";
-    this.code = code;
-  }
-};
-var WalletConfigMissingError = class extends Error {
-  constructor() {
-    super(
-      "Wallet config not found at ~/.keeperhub/wallet.json. Run `npx @keeperhub/wallet add` to provision."
-    );
-    this.name = "WalletConfigMissingError";
-  }
-};
-
-// src/storage.ts
-async function readWalletConfig() {
-  const walletPath = join3(homedir2(), ".keeperhub", "wallet.json");
-  let raw;
-  try {
-    raw = await readFile2(walletPath, "utf-8");
-  } catch (err) {
-    if (err.code === "ENOENT") {
-      throw new WalletConfigMissingError();
+    if (agent.mcpSupport === "notice") {
+      const noticeMessage = buildMcpNoticeMessage(agent, mcpCommand);
+      mcpRegistrations.push({
+        agent: agent.agent,
+        status: "notice",
+        message: noticeMessage
+      });
+      onNotice(noticeMessage);
+      continue;
+    }
+    try {
+      const mcpResult = await registerMcpServer(agent, {
+        homeOverride: options.homeOverride,
+        command: mcpCommand
+      });
+      mcpRegistrations.push({
+        agent: agent.agent,
+        status: "registered",
+        path: mcpResult.path
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      mcpRegistrations.push({
+        agent: agent.agent,
+        status: "failed",
+        message
+      });
+      onNotice(`${agent.agent}: MCP registration failed (${message})`);
     }
-    throw err;
-  }
-  const parsed = JSON.parse(raw);
-  if (!(parsed.subOrgId && parsed.walletAddress && parsed.hmacSecret)) {
-    throw new Error(`Malformed wallet.json at ${walletPath}`);
   }
-  return parsed;
-}
-async function writeWalletConfig(config) {
-  const walletPath = join3(homedir2(), ".keeperhub", "wallet.json");
-  await mkdir2(dirname3(walletPath), { recursive: true, mode: 448 });
-  await writeFile2(walletPath, JSON.stringify(config, null, 2), { mode: 384 });
-  await chmod2(walletPath, 384);
-}
-function getWalletConfigPath() {
-  return join3(homedir2(), ".keeperhub", "wallet.json");
+  return { skillWrites, hookRegistrations, mcpRegistrations };
 }
 
 // src/cli.ts
-var TRAILING_SLASH = /\/$/;
-var WALLET_ADDRESS_PATTERN = /^0x[a-fA-F0-9]{40}$/;
-function resolveBaseUrl(override) {
-  const candidate = override ?? process.env.KEEPERHUB_API_URL ?? "https://app.keeperhub.com";
-  return candidate.replace(TRAILING_SLASH, "");
-}
-function isNonEmptyString(value) {
-  return typeof value === "string" && value.length > 0;
-}
-function provisionInvalidError(message) {
-  const err = new Error(message);
-  err.code = "PROVISION_RESPONSE_INVALID";
-  return err;
-}
-function validateProvisionResponse(data) {
-  if (typeof data !== "object" || data === null) {
-    throw provisionInvalidError("provision response is not an object");
-  }
-  const { subOrgId, walletAddress, hmacSecret } = data;
-  if (!(isNonEmptyString(subOrgId) && isNonEmptyString(walletAddress) && isNonEmptyString(hmacSecret))) {
-    throw provisionInvalidError(
-      "provision response missing subOrgId, walletAddress, or hmacSecret"
-    );
-  }
-  if (!WALLET_ADDRESS_PATTERN.test(walletAddress)) {
-    throw provisionInvalidError(
-      `provision response walletAddress is not a valid 0x-prefixed 40-hex address: ${walletAddress}`
-    );
-  }
-  return {
-    subOrgId,
-    walletAddress,
-    hmacSecret
-  };
-}
 async function cmdAdd(opts = {}) {
-  const baseUrl = resolveBaseUrl(opts.baseUrl);
-  const response = await fetch(`${baseUrl}/api/agentic-wallet/provision`, {
-    method: "POST",
-    headers: { "content-type": "application/json" },
-    body: "{}"
-  });
-  if (!response.ok) {
-    const text = await response.text();
-    process.stderr.write(
-      `[keeperhub-wallet] provision failed: HTTP ${response.status}: ${text}
-`
-    );
-    process.exit(1);
-  }
-  const raw = await response.json();
-  const data = validateProvisionResponse(raw);
-  await writeWalletConfig({
-    subOrgId: data.subOrgId,
-    walletAddress: data.walletAddress,
-    hmacSecret: data.hmacSecret
-  });
-  process.stdout.write(`subOrgId: ${data.subOrgId}
+  try {
+    const data = await provisionWallet({ baseUrl: opts.baseUrl });
+    process.stdout.write(`subOrgId: ${data.subOrgId}
 `);
-  process.stdout.write(`walletAddress: ${data.walletAddress}
+    process.stdout.write(`walletAddress: ${data.walletAddress}
 `);
-  process.stdout.write(`config written to ${getWalletConfigPath()}
+    process.stdout.write(`config written to ${getWalletConfigPath()}
 `);
+  } catch (err) {
+    if (err instanceof ProvisionHttpError) {
+      process.stderr.write(
+        `[keeperhub-wallet] provision failed: HTTP ${err.status}: ${err.body}
+`
+      );
+      process.exit(1);
+    }
+    throw err;
+  }
 }
 async function cmdFund() {
   const wallet = await readWalletConfig();
@@ -470,6 +788,58 @@ async function cmdInfo() {
   process.stdout.write(`walletAddress: ${wallet.walletAddress}
 `);
 }
+var FEEDBACK_DEFAULT_BASE_URL = "https://app.keeperhub.com";
+async function cmdFeedback(opts) {
+  const wallet = await readWalletConfig();
+  const baseUrl = (opts.baseUrl ?? FEEDBACK_DEFAULT_BASE_URL).replace(
+    /\/$/,
+    ""
+  );
+  const path = "/api/agentic-wallet/feedback";
+  const body = {
+    executionId: opts.executionId,
+    value: Number.parseInt(opts.value, 10),
+    valueDecimals: Number.parseInt(opts.decimals ?? "0", 10)
+  };
+  if (opts.comment !== void 0) {
+    body.comment = opts.comment;
+  }
+  if (opts.agentId !== void 0) {
+    body.agentId = opts.agentId;
+  }
+  if (opts.chainId !== void 0) {
+    body.agentChainId = Number.parseInt(opts.chainId, 10);
+  }
+  const bodyJson = JSON.stringify(body);
+  const headers = buildHmacHeaders(
+    wallet.hmacSecret,
+    "POST",
+    path,
+    wallet.subOrgId,
+    bodyJson
+  );
+  const response = await fetch(`${baseUrl}${path}`, {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      ...headers
+    },
+    body: bodyJson
+  });
+  const text = await response.text();
+  if (!response.ok) {
+    process.stderr.write(`HTTP ${response.status}: ${text}
+`);
+    process.exit(1);
+  }
+  const parsed = JSON.parse(text);
+  process.stdout.write(`feedbackId: ${parsed.feedbackId ?? ""}
+`);
+  process.stdout.write(`txHash: ${parsed.txHash ?? ""}
+`);
+  process.stdout.write(`publicUrl: ${parsed.publicUrl ?? ""}
+`);
+}
 async function runCli(argv = process.argv) {
   const program = new Command();
   program.name("keeperhub-wallet").description(
@@ -489,6 +859,27 @@ async function runCli(argv = process.argv) {
   program.command("info").description("Print subOrgId and walletAddress from local config").action(async () => {
     await cmdInfo();
   });
+  program.command("feedback").description(
+    "Submit ERC-8004 ReputationRegistry feedback for a workflow execution this wallet paid for. Signs giveFeedback() via Turnkey and broadcasts on Ethereum mainnet. Caller wallet pays gas natively."
+  ).requiredOption(
+    "--execution-id <id>",
+    "workflow execution id to leave feedback for"
+  ).requiredOption(
+    "--value <int>",
+    "raw int128 rating value (e.g. 5 with --decimals 0 for a 5-star rating)"
+  ).option(
+    "--decimals <int>",
+    "decimals for value (0..18); 0 for integer scores, 1 for 0.1-step",
+    "0"
+  ).option("--comment <text>", "optional plaintext comment").option(
+    "--agent-id <id>",
+    "rated agent NFT id (uint256 decimal); defaults to KeeperHub agent 31875"
+  ).option(
+    "--chain-id <int>",
+    "agent chain id; defaults to 1 (Ethereum mainnet, only chain supported today)"
+  ).option("--base-url <url>", "KeeperHub API base URL").action(async (opts) => {
+    await cmdFeedback(opts);
+  });
   program.command("skill").description(
     "Install the KeeperHub skill file into detected agent directories"
   ).addCommand(
@@ -511,6 +902,29 @@ async function runCli(argv = process.argv) {
         } else if (reg.status === "notice") {
           process.stderr.write(
             `notice: ${reg.agent} -> ${reg.message ?? ""}
+`
+          );
+        } else if (reg.status === "failed") {
+          process.stderr.write(
+            `hook: ${reg.agent} -> FAILED (${reg.message ?? "unknown error"})
+`
+          );
+        }
+      }
+      for (const reg of result.mcpRegistrations) {
+        if (reg.status === "registered") {
+          process.stdout.write(
+            `mcp: ${reg.agent} -> registered at ${reg.path ?? "(unknown path)"}
+`
+          );
+        } else if (reg.status === "notice") {
+          process.stderr.write(
+            `notice: ${reg.agent} mcp -> ${reg.message ?? ""}
+`
+          );
+        } else if (reg.status === "failed") {
+          process.stderr.write(
+            `mcp: ${reg.agent} -> FAILED (${reg.message ?? "unknown error"})
 `
           );
         }
@@ -538,34 +952,6 @@ async function runCli(argv = process.argv) {
   }
 }
 
-// src/hmac.ts
-import { createHash, createHmac } from "crypto";
-function computeSignature(secret, method, path, subOrgId, body, timestamp) {
-  const bodyDigest = createHash("sha256").update(body).digest("hex");
-  const signingString = `${method}
-${path}
-${subOrgId}
-${bodyDigest}
-${timestamp}`;
-  return createHmac("sha256", secret).update(signingString).digest("hex");
-}
-function buildHmacHeaders(secret, method, path, subOrgId, body) {
-  const timestamp = String(Math.floor(Date.now() / 1e3));
-  const signature = computeSignature(
-    secret,
-    method,
-    path,
-    subOrgId,
-    body,
-    timestamp
-  );
-  return {
-    "X-KH-Sub-Org": subOrgId,
-    "X-KH-Timestamp": timestamp,
-    "X-KH-Signature": signature
-  };
-}
-
 // src/client.ts
 var TRAILING_SLASH2 = /\/$/;
 function defaultCodeForStatus(status) {
@@ -639,9 +1025,9 @@ var KeeperHubClient = class {
 };
 
 // src/safety-config.ts
-import { chmod as chmod3, mkdir as mkdir3, readFile as readFile3, writeFile as writeFile3 } from "fs/promises";
-import { homedir as homedir3 } from "os";
-import { dirname as dirname4, join as join4 } from "path";
+import { chmod as chmod4, mkdir as mkdir4, readFile as readFile4, writeFile as writeFile4 } from "fs/promises";
+import { homedir as homedir4 } from "os";
+import { dirname as dirname6, join as join6 } from "path";
 var DEFAULT_SAFETY_CONFIG = {
   auto_approve_max_usd: 5,
   ask_threshold_usd: 50,
@@ -654,20 +1040,20 @@ var DEFAULT_SAFETY_CONFIG = {
   ]
 };
 function getSafetyPath() {
-  return join4(homedir3(), ".keeperhub", "safety.json");
+  return join6(homedir4(), ".keeperhub", "safety.json");
 }
 async function loadSafetyConfig() {
   const path = getSafetyPath();
   let raw;
   try {
-    raw = await readFile3(path, "utf-8");
+    raw = await readFile4(path, "utf-8");
   } catch (err) {
     if (err.code === "ENOENT") {
-      await mkdir3(dirname4(path), { recursive: true, mode: 448 });
-      await writeFile3(path, JSON.stringify(DEFAULT_SAFETY_CONFIG, null, 2), {
+      await mkdir4(dirname6(path), { recursive: true, mode: 448 });
+      await writeFile4(path, JSON.stringify(DEFAULT_SAFETY_CONFIG, null, 2), {
         mode: 420
       });
-      await chmod3(path, 420);
+      await chmod4(path, 420);
       return DEFAULT_SAFETY_CONFIG;
     }
     throw err;
@@ -864,7 +1250,7 @@ function parseMppChallenge(response) {
 }
 
 // src/payment-signer.ts
-import { randomBytes } from "crypto";
+import { randomBytes as randomBytes4 } from "crypto";
 
 // src/workflow-slug.ts
 var KEEPERHUB_WORKFLOW_RE = /\/api\/mcp\/workflows\/([a-zA-Z0-9_-]+)\/call(?:\/?)(?:\?|$|#)/;
@@ -1044,7 +1430,7 @@ function createPaymentSigner(opts = {}) {
     const now = Math.floor(Date.now() / 1e3);
     const validAfter = now - VALID_AFTER_PAST_SLACK_SECONDS;
     const validBefore = now + accept.maxTimeoutSeconds;
-    const nonce = `0x${randomBytes(NONCE_BYTES).toString("hex")}`;
+    const nonce = `0x${randomBytes4(NONCE_BYTES).toString("hex")}`;
     const client = clientFactory(wallet);
     const signature = await signOrPoll(client, {
       chain: "base",