@keeperhub/wallet 0.1.3 → 0.1.5

package/dist/index.js

@@ -146,34 +146,6 @@ function fund(walletAddress) {
   };
 }
 
-// src/hmac.ts
-import { createHash, createHmac } from "crypto";
-function computeSignature(secret, method, path, subOrgId, body, timestamp) {
-  const bodyDigest = createHash("sha256").update(body).digest("hex");
-  const signingString = `${method}
-${path}
-${subOrgId}
-${bodyDigest}
-${timestamp}`;
-  return createHmac("sha256", secret).update(signingString).digest("hex");
-}
-function buildHmacHeaders(secret, method, path, subOrgId, body) {
-  const timestamp = String(Math.floor(Date.now() / 1e3));
-  const signature = computeSignature(
-    secret,
-    method,
-    path,
-    subOrgId,
-    body,
-    timestamp
-  );
-  return {
-    "X-KH-Sub-Org": subOrgId,
-    "X-KH-Timestamp": timestamp,
-    "X-KH-Signature": signature
-  };
-}
-
 // src/skill-install.ts
 import { chmod, copyFile, mkdir, readFile, writeFile } from "fs/promises";
 import { dirname as dirname2, join as join2 } from "path";
@@ -385,47 +357,6 @@ async function cmdAdd(opts = {}) {
   process.stdout.write(`config written to ${getWalletConfigPath()}
 `);
 }
-async function cmdLink(opts = {}) {
-  const wallet = await readWalletConfig();
-  const baseUrl = resolveBaseUrl(opts.baseUrl);
-  const sessionCookie = process.env.KH_SESSION_COOKIE;
-  if (!sessionCookie) {
-    process.stderr.write(
-      "[keeperhub-wallet] link requires KH_SESSION_COOKIE env var.\nSign in at app.keeperhub.com, copy the session cookie, and re-run with:\n  KH_SESSION_COOKIE='<cookie>' npx @keeperhub/wallet link\n"
-    );
-    process.exit(1);
-  }
-  const body = JSON.stringify({ subOrgId: wallet.subOrgId });
-  const headers = buildHmacHeaders(
-    wallet.hmacSecret,
-    "POST",
-    "/api/agentic-wallet/link",
-    wallet.subOrgId,
-    body
-  );
-  const response = await fetch(`${baseUrl}/api/agentic-wallet/link`, {
-    method: "POST",
-    headers: {
-      ...headers,
-      "content-type": "application/json",
-      cookie: sessionCookie
-    },
-    body
-  });
-  const json = await response.json().catch(() => ({}));
-  if (!response.ok) {
-    process.stderr.write(
-      `[keeperhub-wallet] link failed: ${json.code ?? response.status}: ${json.error ?? ""}
-`
-    );
-    process.exit(1);
-  }
-  if (json.already) {
-    process.stdout.write("already linked\n");
-    return;
-  }
-  process.stdout.write("linked\n");
-}
 async function cmdFund() {
   const wallet = await readWalletConfig();
   const out = fund(wallet.walletAddress);
@@ -459,11 +390,6 @@ async function runCli(argv = process.argv) {
   program.command("add").description("Provision a new agentic wallet (no account required)").option("--base-url <url>", "KeeperHub API base URL").action(async (opts) => {
     await cmdAdd(opts);
   });
-  program.command("link").description(
-    "Link the current wallet to your KeeperHub account (requires KH_SESSION_COOKIE env)"
-  ).option("--base-url <url>", "KeeperHub API base URL").action(async (opts) => {
-    await cmdLink(opts);
-  });
   program.command("fund").description(
     "Print Coinbase Onramp URL (Base USDC) and Tempo deposit address"
   ).action(async () => {
@@ -524,6 +450,34 @@ async function runCli(argv = process.argv) {
   }
 }
 
+// src/hmac.ts
+import { createHash, createHmac } from "crypto";
+function computeSignature(secret, method, path, subOrgId, body, timestamp) {
+  const bodyDigest = createHash("sha256").update(body).digest("hex");
+  const signingString = `${method}
+${path}
+${subOrgId}
+${bodyDigest}
+${timestamp}`;
+  return createHmac("sha256", secret).update(signingString).digest("hex");
+}
+function buildHmacHeaders(secret, method, path, subOrgId, body) {
+  const timestamp = String(Math.floor(Date.now() / 1e3));
+  const signature = computeSignature(
+    secret,
+    method,
+    path,
+    subOrgId,
+    body,
+    timestamp
+  );
+  return {
+    "X-KH-Sub-Org": subOrgId,
+    "X-KH-Timestamp": timestamp,
+    "X-KH-Signature": signature
+  };
+}
+
 // src/client.ts
 var TRAILING_SLASH2 = /\/$/;
 function defaultCodeForStatus(status) {
@@ -676,8 +630,6 @@ function getSafetyConfigPath() {
 }
 
 // src/hook.ts
-var DEFAULT_POLL = { intervalMs: 2e3, maxAttempts: 150 };
-var APPROVAL_URL_BASE = "https://app.keeperhub.com/approve/";
 var USDC_DECIMALS2 = 1e6;
 var ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
 var MICRO_USDC_RE = /^\d+$/;
@@ -728,16 +680,6 @@ function usdToMicro(usd) {
 async function createPreToolUseHook(options = {}) {
   const toolMatcher = options.toolNameMatcher ?? defaultToolMatcher;
   const configLoader = options.configLoader ?? loadSafetyConfig;
-  const walletLoader = options.walletLoader ?? readWalletConfig;
-  const clientFactory = options.clientFactory ?? ((w) => new KeeperHubClient(w));
-  const onAskOpen = options.onAskOpen ?? ((url) => {
-    process.stderr.write(
-      `
-[keeperhub-wallet] Approval required. Visit: ${url}
-`
-    );
-  });
-  const poll = options.poll ?? DEFAULT_POLL;
   const safety = await configLoader();
   return async (raw) => {
     const hookInput = raw ?? {};
@@ -753,43 +695,10 @@ async function createPreToolUseHook(options = {}) {
       return { decision: "deny", reason: "AMOUNT_UNDETERMINED" };
     }
     const blockMicro = usdToMicro(safety.block_threshold_usd);
-    const askMicro = usdToMicro(safety.ask_threshold_usd);
     const autoMicro = usdToMicro(safety.auto_approve_max_usd);
     if (amountMicro > blockMicro) {
       return { decision: "deny", reason: "BLOCKED_BY_SAFETY_RULE" };
     }
-    if (amountMicro >= askMicro) {
-      const wallet = await walletLoader();
-      const client = clientFactory(wallet);
-      const created = await client.request("POST", "/api/agentic-wallet/approval-request", {
-        // Server contract (Phase 33): riskLevel MUST be 'ask' or 'block';
-        // operationPayload MUST be a non-array object. The hook only creates
-        // approval-requests at the ask tier (block tier short-circuits above).
-        riskLevel: "ask",
-        operationPayload: {
-          amountMicroUsdc: amountMicro.toString(),
-          contractAddress: contractAddr ?? "",
-          toolName: hookInput.tool_name ?? "",
-          reason: `Agent tool ${hookInput.tool_name}`
-        }
-      });
-      const approvalId = "_status" in created ? created.approvalRequestId : created.id;
-      onAskOpen(`${APPROVAL_URL_BASE}${approvalId}`);
-      for (let attempt = 0; attempt < poll.maxAttempts; attempt++) {
-        await new Promise((r) => setTimeout(r, poll.intervalMs));
-        const status = await client.request("GET", `/api/agentic-wallet/approval-request/${approvalId}`);
-        if (!("status" in status)) {
-          continue;
-        }
-        if (status.status === "approved") {
-          return { decision: "allow" };
-        }
-        if (status.status === "rejected") {
-          return { decision: "deny", reason: "USER_REJECTED" };
-        }
-      }
-      return { decision: "deny", reason: "APPROVAL_TIMEOUT" };
-    }
     if (amountMicro <= autoMicro) {
       return { decision: "allow" };
     }
@@ -846,6 +755,19 @@ function parseMppChallenge(response) {
 // src/payment-signer.ts
 import { randomBytes } from "crypto";
 
+// src/workflow-slug.ts
+var KEEPERHUB_WORKFLOW_RE = /\/api\/mcp\/workflows\/([a-zA-Z0-9_-]+)\/call(?:\/?)(?:\?|$|#)/;
+function extractKeeperHubWorkflowSlug(url) {
+  if (!url || url.length === 0) {
+    return { ok: false, reason: "EMPTY_URL" };
+  }
+  const match = KEEPERHUB_WORKFLOW_RE.exec(url);
+  if (!match || !match[1]) {
+    return { ok: false, reason: "URL_PATTERN_MISMATCH" };
+  }
+  return { ok: true, slug: match[1] };
+}
+
 // src/x402-detect.ts
 function isX402Shape(value) {
   if (typeof value !== "object" || value === null) {
@@ -944,9 +866,17 @@ function createPaymentSigner(opts = {}) {
     return result.signature;
   }
   async function payViaMpp(response, mpp, wallet) {
+    const slug = extractKeeperHubWorkflowSlug(response.url);
+    if (!slug.ok) {
+      throw new KeeperHubError(
+        "UNSUPPORTED_RECIPIENT",
+        `This wallet only signs payments for KeeperHub workflows. The 402 came from a URL that does not match /api/mcp/workflows/<slug>/call (reason: ${slug.reason}). See KEEP-311 for generic x402 support.`
+      );
+    }
     const client = clientFactory(wallet);
     const signature = await signOrPoll(client, {
       chain: "tempo",
+      workflowSlug: slug.slug,
       paymentChallenge: {
         kind: "mpp",
         serialized: mpp.serialized,
@@ -966,6 +896,13 @@ function createPaymentSigner(opts = {}) {
         "x402 challenge has no accepts entries"
       );
     }
+    const slug = extractKeeperHubWorkflowSlug(x402.resource.url || response.url);
+    if (!slug.ok) {
+      throw new KeeperHubError(
+        "UNSUPPORTED_RECIPIENT",
+        `This wallet only signs payments for KeeperHub workflows. The 402 came from a URL that does not match /api/mcp/workflows/<slug>/call (reason: ${slug.reason}). See KEEP-311 for generic x402 support.`
+      );
+    }
     const now = Math.floor(Date.now() / 1e3);
     const validAfter = now - VALID_AFTER_PAST_SLACK_SECONDS;
     const validBefore = now + accept.maxTimeoutSeconds;
@@ -973,6 +910,7 @@ function createPaymentSigner(opts = {}) {
     const client = clientFactory(wallet);
     const signature = await signOrPoll(client, {
       chain: "base",
+      workflowSlug: slug.slug,
       paymentChallenge: {
         kind: "x402",
         payTo: accept.payTo,