@nekzus/liop 1.3.0-alpha.1 → 2.0.0-alpha.2

package/dist/workers/zk-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/workers/zk-verifier.ts"],"names":["deriveImageId","logicPayload","deriveLogicImageDigest","verifyZkReceipt","payload","remoteImageIdHex","zkReceipt","sessionSecret","localImageIdHex","receiptBuf","version","journalLen","journal","seal","journalData","expectedSeal","crypto","workerHandler","task","error"],"mappings":"kFAyBA,SAASA,CAAAA,CAAcC,CAAAA,CAAkC,CACxD,OAAOC,CAAAA,CAAuBD,CAAY,CAC3C,CAMA,eAAeE,CAAAA,CACdC,CAAAA,CACkD,CAClD,GAAM,CAAE,YAAA,CAAAH,CAAAA,CAAc,gBAAA,CAAAI,CAAAA,CAAkB,SAAA,CAAAC,CAAAA,CAAW,aAAA,CAAAC,CAAc,CAAA,CAAIH,CAAAA,CAI/DI,CAAAA,CADeR,CAAAA,CAAcC,CAAY,CAAA,CACV,QAAA,CAAS,KAAK,CAAA,CAEnD,GAAIO,CAAAA,GAAoBH,CAAAA,CACvB,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,CAAA,4BAAA,EAA+BG,CAAAA,CAAgB,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,aAAA,EAAgBH,CAAAA,CAAiB,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,CAAA,CAChH,EAID,IAAMI,CAAAA,CAAa,MAAA,CAAO,IAAA,CAAKH,CAAS,CAAA,CACxC,GAAIG,CAAAA,CAAW,MAAA,CAAS,EAAA,CAEvB,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,sCACV,CAAA,CAGD,IAAMC,CAAAA,CAAUD,CAAAA,CAAW,CAAC,CAAA,CAC5B,GAAIC,CAAAA,GAAY,CAAA,CACf,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,4BAA4BA,CAAO,CAAA,CAC7C,CAAA,CAGD,IAAMC,CAAAA,CAAaF,CAAAA,CAAW,YAAA,CAAa,CAAC,CAAA,CACtCG,CAAAA,CAAUH,CAAAA,CAAW,QAAA,CAAS,CAAA,CAAG,CAAA,CAAIE,CAAU,CAAA,CAC/CE,CAAAA,CAAOJ,CAAAA,CAAW,QAAA,CAAS,CAAA,CAAIE,CAAU,CAAA,CAE/C,GAAIE,CAAAA,CAAK,MAAA,GAAW,EAAA,CACnB,OAAO,CACN,QAAA,CAAU,KAAA,CACV,QAAS,sDACV,CAAA,CAID,GAAI,CACH,IAAMC,CAAAA,CAAc,IAAA,CAAK,KAAA,CAAMF,CAAAA,CAAQ,QAAA,EAAU,CAAA,CACjD,GAAIE,CAAAA,CAAY,WAAaN,CAAAA,CAC5B,OAAO,CACN,QAAA,CAAU,CAAA,CAAA,CACV,OAAA,CAAS,CAAA,0BAAA,EAA6BM,CAAAA,CAAY,QAAA,CAAS,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,IAAA,EAAON,EAAgB,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,CACzG,CAEF,CAAA,KAAa,CACZ,OAAO,CAAE,QAAA,CAAU,KAAA,CAAO,OAAA,CAAS,+BAAgC,CACpE,CAGA,GAAID,CAAAA,EAAiBA,CAAAA,CAAc,MAAA,CAAS,CAAA,CAAG,CAC9C,IAAMQ,CAAAA,CAAeC,CAAAA,CACnB,UAAA,CAAW,QAAA,CAAUT,CAAa,CAAA,CAClC,MAAA,CAAOK,CAAO,CAAA,CACd,MAAA,EAAO,CACT,GAAI,CAACI,CAAAA,CAAO,eAAA,CAAgBH,CAAAA,CAAME,CAAY,CAAA,CAC7C,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,yCACV,CAEF,CAEA,OAAO,CACN,QAAA,CAAU,IAAA,CACV,OAAA,CAAS,6CACV,CACD,CAKA,eAAOE,CAAAA,CACNC,CAAAA,CACkD,CAClD,GAAI,CACH,GAAIA,CAAAA,CAAK,MAAA,GAAW,gBAAA,CACnB,OAAO,MAAMf,CAAAA,CAAgBe,CAAI,CAAA,CAElC,MAAM,IAAI,KAAA,CAAM,sCAAsC,CACvD,CAAA,MAASC,CAAAA,CAAO,CACf,OAAO,CACN,QAAA,CAAU,KAAA,CACV,OAAA,CAAS,CAAA,oBAAA,EAAwBA,CAAAA,CAAgB,OAAO,CAAA,CACzD,CACD,CACD","file":"zk-verifier.js","sourcesContent":["import crypto from \"node:crypto\";\nimport { parentPort } from \"node:worker_threads\";\nimport { deriveLogicImageDigest } from \"../crypto/logic-image-id.js\";\n\n// Ensure this worker is used via Piscina pool\nif (!parentPort) {\n\t// Not fatal in Piscina, but handled appropriately\n}\n\n/**\n * ZK Verification Payload Structure.\n * Modeled after RISC Zero & SP1 Receipt formats.\n */\nexport interface ZkVerificationPayload {\n\taction: \"verify_receipt\";\n\t/** Original logic payload (JS/WASM) sent by client */\n\tlogicPayload: Uint8Array;\n\t/** Expected ImageID (SHA-256) of the execution state */\n\tremoteImageIdHex: string;\n\t/** Cbor-encoded or raw buffer containing the execution Receipt (Journal + Seal) */\n\tzkReceipt: Uint8Array;\n\t/** Kyber-derived session secret to verify HMAC signature */\n\tsessionSecret?: Uint8Array;\n}\n\nfunction deriveImageId(logicPayload: Uint8Array): Buffer {\n\treturn deriveLogicImageDigest(logicPayload);\n}\n\n/**\n * Simulates heavy ZK-Proof cryptographic verification.\n * In a real environment, this delegates to @risc0/verifier or SP1 FFI bindings.\n */\nasync function verifyZkReceipt(\n\tpayload: ZkVerificationPayload,\n): Promise<{ verified: boolean; message: string }> {\n\tconst { logicPayload, remoteImageIdHex, zkReceipt, sessionSecret } = payload;\n\n\t// 1. Calculate local ImageID (Integrity Check)\n\tconst localImageId = deriveImageId(logicPayload);\n\tconst localImageIdHex = localImageId.toString(\"hex\");\n\n\tif (localImageIdHex !== remoteImageIdHex) {\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: `Integrity Violation: Local (${localImageIdHex.slice(0, 8)}) != Remote (${remoteImageIdHex.slice(0, 8)})`,\n\t\t};\n\t}\n\n\t// 2. Structural Verification: Deserialize Binary Receipt\n\tconst receiptBuf = Buffer.from(zkReceipt);\n\tif (receiptBuf.length < 35) {\n\t\t// 1 version + 2 len + 32 seal minimum\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: \"Receipt too short for binary format.\",\n\t\t};\n\t}\n\n\tconst version = receiptBuf[0];\n\tif (version !== 0x01) {\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: `Unknown receipt version: ${version}`,\n\t\t};\n\t}\n\n\tconst journalLen = receiptBuf.readUInt16BE(1);\n\tconst journal = receiptBuf.subarray(3, 3 + journalLen);\n\tconst seal = receiptBuf.subarray(3 + journalLen);\n\n\tif (seal.length !== 32) {\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: \"Invalid seal length (expected 32 bytes HMAC-SHA256).\",\n\t\t};\n\t}\n\n\t// 3. Parse journal and verify imageId\n\ttry {\n\t\tconst journalData = JSON.parse(journal.toString());\n\t\tif (journalData.image_id !== localImageIdHex) {\n\t\t\treturn {\n\t\t\t\tverified: false,\n\t\t\t\tmessage: `Journal ImageID mismatch: ${journalData.image_id.slice(0, 8)} != ${localImageIdHex.slice(0, 8)}`,\n\t\t\t};\n\t\t}\n\t} catch (_e) {\n\t\treturn { verified: false, message: \"Failed to parse journal data.\" };\n\t}\n\n\t// 4. Mathematical Verification (HMAC-SHA256)\n\tif (sessionSecret && sessionSecret.length > 0) {\n\t\tconst expectedSeal = crypto\n\t\t\t.createHmac(\"sha256\", sessionSecret)\n\t\t\t.update(journal)\n\t\t\t.digest();\n\t\tif (!crypto.timingSafeEqual(seal, expectedSeal)) {\n\t\t\treturn {\n\t\t\t\tverified: false,\n\t\t\t\tmessage: \"Invalid seal: HMAC verification failed.\",\n\t\t\t};\n\t\t}\n\t}\n\n\treturn {\n\t\tverified: true,\n\t\tmessage: \"HMAC Commitment Verified: Integrity intact.\",\n\t};\n}\n\n/**\n * Main worker entry point for Piscina.\n */\nexport default async function workerHandler(\n\ttask: ZkVerificationPayload,\n): Promise<{ verified: boolean; message: string }> {\n\ttry {\n\t\tif (task.action === \"verify_receipt\") {\n\t\t\treturn await verifyZkReceipt(task);\n\t\t}\n\t\tthrow new Error(\"Unknown action in ZkVerifier Worker.\");\n\t} catch (error) {\n\t\treturn {\n\t\t\tverified: false,\n\t\t\tmessage: `Verification Error: ${(error as Error).message}`,\n\t\t};\n\t}\n}\n"]}

package/package.json

@@ -1,12 +1,13 @@
 {
   "name": "@nekzus/liop",
-  "version": "1.3.0-alpha.1",
+  "version": "2.0.0-alpha.2",
   "description": "Official SDK for Logic-Injection-on-Origin Protocol (LIOP). Deploy Logic-on-Origin with WebAssembly at gRPC speed and bidirectional MCP compatibility.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "bin": {
     "liop-agent": "./dist/bin/agent.js"
   },
+  "sideEffects": false,
   "files": [
     "dist",
     "README.md",
@@ -15,35 +16,35 @@
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
-      "default": "./dist/index.js"
+      "import": "./dist/index.js"
     },
     "./client": {
-      "types": "./dist/client/index.d.ts",
-      "default": "./dist/client/index.js"
+      "types": "./dist/client.d.ts",
+      "import": "./dist/client.js"
     },
     "./server": {
-      "types": "./dist/server/index.d.ts",
-      "default": "./dist/server/index.js"
+      "types": "./dist/server.d.ts",
+      "import": "./dist/server.js"
     },
     "./types": {
       "types": "./dist/types.d.ts",
-      "default": "./dist/types.js"
+      "import": "./dist/types.js"
     },
     "./bridge": {
-      "types": "./dist/bridge/index.d.ts",
-      "default": "./dist/bridge/index.js"
+      "types": "./dist/bridge.d.ts",
+      "import": "./dist/bridge.js"
     },
     "./gateway": {
-      "types": "./dist/gateway/hybrid.d.ts",
-      "default": "./dist/gateway/hybrid.js"
+      "types": "./dist/gateway.d.ts",
+      "import": "./dist/gateway.js"
     },
     "./mesh": {
-      "types": "./dist/mesh/index.d.ts",
-      "default": "./dist/mesh/index.js"
+      "types": "./dist/mesh.d.ts",
+      "import": "./dist/mesh.js"
     }
   },
   "scripts": {
-    "build": "tsc -p tsconfig.build.json && npx tsx scripts/copy-protos.ts",
+    "build": "tsup && npx tsx scripts/copy-protos.ts",
     "test": "vitest run --fileParallelism=false",
     "test:all": "vitest run --fileParallelism=false",
     "test:integration": "vitest run tests/integration --fileParallelism=false",
@@ -107,6 +108,7 @@
     "@opentelemetry/sdk-metrics": "^2.7.0",
     "@types/node": "^25.3.1",
     "@vitest/coverage-v8": "^4.0.18",
+    "tsup": "^8.5.1",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
     "vitest": "^4.0.18"
@@ -122,16 +124,15 @@
     "@libp2p/identify": "^4.0.14",
     "@libp2p/kad-dht": "^16.1.7",
     "@libp2p/mplex": "^12.0.11",
-    "@libp2p/noise": "^1.0.1",
     "@libp2p/peer-id": "^4.0.10",
     "@libp2p/peer-id-factory": "^4.0.10",
     "@libp2p/ping": "^3.0.12",
     "@libp2p/tcp": "^11.0.14",
     "@libp2p/websockets": "^10.1.7",
-    "@modelcontextprotocol/sdk": "^1.28.0",
     "@multiformats/multiaddr": "^13.0.1",
     "@opentelemetry/api": "^1.9.1",
-    "gpt-tokenizer": "^3.4.0",
+    "acorn": "^8.16.0",
+    "acorn-walk": "^8.3.5",
     "hono": "^4.12.5",
     "it-pipe": "^3.0.1",
     "libp2p": "^3.1.3",
@@ -143,5 +144,18 @@
     "uint8arrays": "^3.1.1",
     "zod": "^3.23.11",
     "zod-to-json-schema": "^3.24.1"
+  },
+  "optionalDependencies": {
+    "@modelcontextprotocol/sdk": "^1.28.0",
+    "compromise": "14.15.0",
+    "gpt-tokenizer": "^3.4.0"
+  },
+  "peerDependencies": {
+    "@modelcontextprotocol/sdk": "^1.28.0"
+  },
+  "peerDependenciesMeta": {
+    "@modelcontextprotocol/sdk": {
+      "optional": true
+    }
   }
 }

package/dist/bridge/index.d.ts

@@ -1,37 +0,0 @@
-import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
-import type { LiopServerOptions } from "../server/index.js";
-import { LiopServer } from "../server/index.js";
-export interface LiopBridgeOptions {
-    publishToMesh?: boolean;
-    meshIdentity?: string;
-    serverInfo?: {
-        name: string;
-        version: string;
-    };
-    security?: LiopServerOptions["security"];
-}
-/**
- * LIOP MCP Bridge
- * A bi-directional bridge that allows legacy MCP servers to join the LIOP mesh,
- * or exposes a LIOP server as an MCP-compatible stdio process for tools like Claude Desktop.
- */
-export declare class LiopMcpBridge {
-    private options;
-    private liopServer;
-    private legacyMcpServer;
-    constructor(source: LiopServer | McpServer, options?: LiopBridgeOptions);
-    /**
-     * Handles an incoming standard MCP JSON-RPC 2.0 payload.
-     * Pipes it to the underlying server (LIOP or Legacy MCP).
-     */
-    handleJsonRpcRequest(payload: Record<string, unknown>): Promise<unknown>;
-    private handleLiopToMcp;
-    private successResponse;
-    private errorResponse;
-    private verifyZkReceipt;
-    /**
-     * Connects the bridge via stdio or Mesh depending on mode.
-     */
-    connect(): Promise<void>;
-}
-export * from "./stream.js";

package/dist/bridge/index.js

@@ -1,249 +0,0 @@
-import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
-import { LiopServer } from "../server/index.js";
-import { log } from "../utils/logger.js";
-/**
- * LIOP MCP Bridge
- * A bi-directional bridge that allows legacy MCP servers to join the LIOP mesh,
- * or exposes a LIOP server as an MCP-compatible stdio process for tools like Claude Desktop.
- */
-export class LiopMcpBridge {
-    options;
-    liopServer = null;
-    legacyMcpServer = null;
-    constructor(source, options = {}) {
-        this.options = options;
-        // Determine mode: Exposing LIOP to MCP (Claude) or Wrapping MCP to LIOP (Mesh)
-        if (source instanceof LiopServer) {
-            this.liopServer = source;
-            log.info("[LIOP-Bridge] Mode: EXPOSE (LIOP -> MCP Stdio)");
-        }
-        else if (source instanceof McpServer) {
-            this.legacyMcpServer = source;
-            log.info("[LIOP-Bridge] Mode: WRAP (Legacy MCP -> LIOP Mesh)");
-        }
-    }
-    /**
-     * Handles an incoming standard MCP JSON-RPC 2.0 payload.
-     * Pipes it to the underlying server (LIOP or Legacy MCP).
-     */
-    async handleJsonRpcRequest(payload) {
-        const id = payload.id;
-        const method = payload.method;
-        const params = payload.params;
-        if (payload.jsonrpc !== "2.0") {
-            return this.errorResponse(id, -32600, "Invalid Request");
-        }
-        // Mode: EXPOSE (Standard behavior used by Claude Desktop)
-        if (this.liopServer) {
-            return this.handleLiopToMcp(id, method, params);
-        }
-        // Mode: WRAP (Redirecting via internal LiopServer after connect())
-        if (this.legacyMcpServer && this.liopServer) {
-            return this.handleLiopToMcp(id, method, params);
-        }
-        return this.errorResponse(id, -32601, "Bridge source not configured");
-    }
-    async handleLiopToMcp(id, method, params) {
-        if (!this.liopServer)
-            return null;
-        if (method === "initialize") {
-            return this.successResponse(id, {
-                protocolVersion: "2025-11-25",
-                capabilities: {
-                    prompts: {},
-                    resources: {},
-                    tools: {},
-                },
-                serverInfo: this.liopServer.getServerInfo(),
-            });
-        }
-        if (method === "notifications/initialized")
-            return undefined;
-        if (method === "ping")
-            return this.successResponse(id, {});
-        if (method === "tools/list") {
-            const tools = this.liopServer.listTools();
-            return this.successResponse(id, { tools });
-        }
-        if (method === "resources/list") {
-            const resources = this.liopServer.listResources();
-            return this.successResponse(id, { resources });
-        }
-        if (method === "prompts/list") {
-            const prompts = this.liopServer.listPrompts();
-            return this.successResponse(id, { prompts });
-        }
-        if (method === "prompts/get") {
-            if (!params?.name) {
-                return this.errorResponse(id, -32602, "Missing prompt name");
-            }
-            try {
-                const result = await this.liopServer.getPrompt({
-                    name: params.name,
-                    arguments: params.arguments,
-                });
-                return this.successResponse(id, result);
-            }
-            catch (err) {
-                return this.errorResponse(id, -32000, err.message);
-            }
-        }
-        if (method === "resources/read") {
-            if (!params?.uri) {
-                return this.errorResponse(id, -32602, "Missing resource URI");
-            }
-            try {
-                const result = await this.liopServer.readResource(params.uri);
-                return this.successResponse(id, result);
-            }
-            catch (err) {
-                return this.errorResponse(id, -32000, err.message);
-            }
-        }
-        if (method === "tools/call") {
-            if (!params?.name) {
-                return this.errorResponse(id, -32602, "Missing tool name");
-            }
-            const request = {
-                name: params.name,
-                arguments: params.arguments || {},
-            };
-            try {
-                const result = await this.liopServer.callTool(request);
-                const isVerified = await this.verifyZkReceipt(request, result);
-                if (!isVerified) {
-                    return this.successResponse(id, {
-                        content: [
-                            {
-                                type: "text",
-                                text: "ALERT [LIOP ZERO-TRUST SHIELD] ZK Verification Failed. The mathematical ImageID does not match the original payload.",
-                            },
-                        ],
-                        isError: true,
-                    });
-                }
-                return this.successResponse(id, result);
-            }
-            catch (err) {
-                return this.errorResponse(id, -32000, err.message);
-            }
-        }
-        return this.errorResponse(id, -32601, "Method not found");
-    }
-    successResponse(id, result) {
-        return { jsonrpc: "2.0", id, result };
-    }
-    errorResponse(id, code, message) {
-        return { jsonrpc: "2.0", id, error: { code, message } };
-    }
-    async verifyZkReceipt(request, result) {
-        if (!request.arguments?.payload ||
-            typeof request.arguments.payload !== "string") {
-            return true;
-        }
-        try {
-            const payload = request.arguments.payload;
-            const contentText = result.content[0]?.text;
-            if (contentText && typeof contentText === "string") {
-                try {
-                    const data = JSON.parse(contentText);
-                    if (data.image_id || data.zk_receipt) {
-                        // 1. Instantiate the Industrial Verifier ( backed by Piscina Worker Pool )
-                        const { LiopVerifier } = await import("../crypto/verifier.js");
-                        const verifier = new LiopVerifier();
-                        // 2. Delegate the heavy mathematical check (ZK Journal + Seal)
-                        const isAuthentic = await verifier.verifyZkReceipt(Buffer.from(payload, "utf-8"), data.image_id, Buffer.from(data.zk_receipt || "", "base64"));
-                        if (!isAuthentic) {
-                            return false;
-                        }
-                        data.audit_status =
-                            "VERIFIED: ZK-Receipt & ImageID Mathematically Verified by LiopMcpBridge";
-                        result.content[0].text = JSON.stringify(data);
-                    }
-                }
-                catch {
-                    // Output not JSON
-                }
-            }
-            return true;
-        }
-        catch (e) {
-            log.info("[LIOP-Bridge] ZK-Verifier Failure:", e);
-            return false;
-        }
-    }
-    /**
-     * Connects the bridge via stdio or Mesh depending on mode.
-     */
-    async connect() {
-        // In WRAP mode, we actually need to create a LiopServer and join the mesh
-        if (this.legacyMcpServer) {
-            const { LiopServer } = await import("../server/index.js");
-            this.liopServer = new LiopServer(this.options.serverInfo || {
-                name: "liop-bridge",
-                version: "1.0.0",
-            }, { security: this.options.security });
-            if (this.options.publishToMesh) {
-                await this.liopServer.connect();
-                // Automatically Bridge Legacy Capabilities to LIOP Mesh
-                // biome-ignore lint/suspicious/noExplicitAny: Internal legacy MCP properties are completely opaque and unexported
-                const legacy = this.legacyMcpServer;
-                // 1. Sync Tools
-                if (legacy._registeredTools) {
-                    for (const [name, tool] of Object.entries(legacy._registeredTools)) {
-                        // biome-ignore lint/suspicious/noExplicitAny: Opaque legacy structure
-                        const t = tool;
-                        this.liopServer.tool(name, t.description || "", t.inputSchema || {}, 
-                        // biome-ignore lint/suspicious/noExplicitAny: Opaque legacy callback args
-                        async (args) => {
-                            return await t.handler(args);
-                        });
-                    }
-                }
-                // 2. Sync Resources
-                if (legacy._registeredResources) {
-                    for (const [uri, resource] of Object.entries(legacy._registeredResources)) {
-                        // biome-ignore lint/suspicious/noExplicitAny: Opaque legacy structure
-                        const r = resource;
-                        this.liopServer.resource(r.name, uri, r.metadata?.description || "", r.metadata?.mimeType || "application/octet-stream", async () => {
-                            const res = await r.readCallback(new URL(uri));
-                            return res.contents[0].text;
-                        });
-                    }
-                }
-            }
-            return;
-        }
-        // In EXPOSE mode, listen to stdio (Claude Desktop)
-        const readline = await import("node:readline");
-        const rl = readline.createInterface({
-            input: process.stdin,
-            output: process.stdout,
-            terminal: false,
-        });
-        const shutdown = async () => {
-            log.info("[LIOP-Bridge] Disconnecting session...");
-            if (this.liopServer)
-                await this.liopServer.close();
-            process.exit(0);
-        };
-        rl.on("close", shutdown);
-        process.on("SIGINT", shutdown);
-        process.on("SIGTERM", shutdown);
-        rl.on("line", async (line) => {
-            if (!line.trim())
-                return;
-            try {
-                const payload = JSON.parse(line);
-                const response = await this.handleJsonRpcRequest(payload);
-                if (response) {
-                    process.stdout.write(`${JSON.stringify(response)}\n`);
-                }
-            }
-            catch (e) {
-                log.error(`[LIOP-Bridge] Error: ${e.message}`);
-            }
-        });
-    }
-}
-export * from "./stream.js";

package/dist/bridge/stream.js

@@ -1,210 +0,0 @@
-import { randomUUID } from "node:crypto";
-import { serve } from "@hono/node-server";
-import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
-import { Hono } from "hono";
-import { cors } from "hono/cors";
-import { log } from "../utils/logger.js";
-import { LiopMcpBridge } from "./index.js";
-const DEFAULT_MAX_SESSIONS_PER_IP = 10;
-const DEFAULT_SESSION_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes
-const EVICTION_INTERVAL_MS = 60 * 1000; // Check every minute
-/**
- * LiopStreamBridge
- *
- * Exposes a LiopServer over a remote HTTP network using the industry-standard
- * MCP Streamable HTTP Transport + Hono JS.
- *
- * Supports concurrent multi-client connections via per-session transport instances (Map pattern).
- * External agents connect using only a URL + Bearer Token (Zero-Trust).
- *
- * Security hardening:
- * - Zero-Trust Bearer Token enforcement
- * - Per-IP rate limiting on session creation
- * - Automatic eviction of idle sessions (TTL)
- */
-export class LiopStreamBridge {
-    options;
-    app;
-    httpServer = null;
-    bridgeLogic;
-    activeSessions;
-    evictionTimer = null;
-    maxSessionsPerIp;
-    sessionTimeoutMs;
-    constructor(internalServer, options = {}) {
-        this.options = options;
-        this.app = new Hono();
-        this.bridgeLogic = new LiopMcpBridge(internalServer);
-        this.activeSessions = new Map();
-        this.maxSessionsPerIp =
-            options.maxSessionsPerIp ?? DEFAULT_MAX_SESSIONS_PER_IP;
-        this.sessionTimeoutMs =
-            options.sessionTimeoutMs ?? DEFAULT_SESSION_TIMEOUT_MS;
-        this.setupRoutes();
-    }
-    /**
-     * Creates a new per-session transport instance and wires it to the LIOPMcpBridge logic.
-     */
-    createSessionTransport(clientIp) {
-        const transport = new WebStandardStreamableHTTPServerTransport({
-            sessionIdGenerator: () => randomUUID(),
-            onsessioninitialized: (sessionId) => {
-                this.activeSessions.set(sessionId, {
-                    transport,
-                    lastActivity: Date.now(),
-                    clientIp,
-                });
-                log.info(`[LIOP-StreamBridge] Session opened: ${sessionId} (IP: ${clientIp})`);
-            },
-        });
-        // Wire the transport's incoming messages to the LiopMcpBridge JSON-RPC router
-        transport.onmessage = async (message) => {
-            // Touch activity timestamp on every message
-            if (transport.sessionId) {
-                const entry = this.activeSessions.get(transport.sessionId);
-                if (entry)
-                    entry.lastActivity = Date.now();
-            }
-            try {
-                const result = await this.bridgeLogic.handleJsonRpcRequest(message);
-                // Notifications return undefined — no response needed
-                if (result !== undefined) {
-                    await transport.send(result);
-                }
-            }
-            catch (err) {
-                log.info("[LIOP-StreamBridge] JSON-RPC error:", err.message);
-            }
-        };
-        transport.onclose = () => {
-            if (transport.sessionId) {
-                this.activeSessions.delete(transport.sessionId);
-                log.info(`[LIOP-StreamBridge] Session closed: ${transport.sessionId}`);
-            }
-        };
-        return transport;
-    }
-    /**
-     * Returns the number of active sessions for a given IP.
-     */
-    countSessionsByIp(ip) {
-        let count = 0;
-        for (const entry of this.activeSessions.values()) {
-            if (entry.clientIp === ip)
-                count++;
-        }
-        return count;
-    }
-    /**
-     * Extracts client IP from the request (supports X-Forwarded-For for reverse proxies).
-     */
-    getClientIp(c) {
-        return (c.req.header("x-forwarded-for")?.split(",")[0]?.trim() ||
-            c.req.header("x-real-ip") ||
-            "unknown");
-    }
-    /**
-     * Evicts sessions that have been idle longer than the configured timeout.
-     */
-    evictIdleSessions() {
-        const now = Date.now();
-        for (const [sessionId, entry] of this.activeSessions) {
-            if (now - entry.lastActivity > this.sessionTimeoutMs) {
-                log.info(`[LIOP-StreamBridge] Evicting idle session: ${sessionId}`);
-                entry.transport.close().catch(() => {
-                    /* Swallow close errors */
-                });
-                this.activeSessions.delete(sessionId);
-            }
-        }
-    }
-    setupRoutes() {
-        this.app.use("*", cors());
-        // Initialize strict zero-trust token if not provided
-        if (!process.env.ZERO_TRUST_TOKEN) {
-            process.env.ZERO_TRUST_TOKEN = randomUUID();
-            log.info("=".repeat(60));
-            log.info("⚠️ STRICT ZERO-TRUST MODE ENABLED ⚠️");
-            log.info("No ZERO_TRUST_TOKEN found in environment.");
-            log.info("A secure ephemeral token has been generated for this session:");
-            log.info(`Token: ${process.env.ZERO_TRUST_TOKEN}`);
-            log.info("=".repeat(60));
-        }
-        // ZTA (Zero-Trust Architecture) Security Middleware
-        this.app.use("/mcp", async (c, next) => {
-            const auth = c.req.header("Authorization");
-            const expectedToken = process.env.ZERO_TRUST_TOKEN;
-            if (!auth?.startsWith("Bearer ") ||
-                auth.split(" ")[1] !== expectedToken) {
-                log.info("[LIOP-StreamBridge] ALERT: Access denied - Invalid Zero-Trust token.");
-                return c.json({ error: "Unauthorized: LIOP Zero-Trust Policy Enforced" }, 401);
-            }
-            await next();
-        });
-        // Multi-Session Streamable HTTP Handler
-        this.app.all("/mcp", async (c) => {
-            const sessionId = c.req.header("mcp-session-id");
-            // Route to existing session if session ID is present
-            if (sessionId) {
-                const existing = this.activeSessions.get(sessionId);
-                if (!existing) {
-                    return c.json({ error: "Session not found" }, 404);
-                }
-                // Touch activity on every routed request
-                existing.lastActivity = Date.now();
-                const response = await existing.transport.handleRequest(c.req.raw);
-                // If DELETE, the transport closes internally but onclose may not fire.
-                // Explicitly clean up the session from the Map.
-                if (c.req.method === "DELETE") {
-                    this.activeSessions.delete(sessionId);
-                    log.info(`[LIOP-StreamBridge] Session closed (DELETE): ${sessionId}`);
-                }
-                return response;
-            }
-            // No session ID → New client initializing.
-            // Rate-limit: enforce max sessions per IP
-            const clientIp = this.getClientIp(c);
-            const currentSessions = this.countSessionsByIp(clientIp);
-            if (currentSessions >= this.maxSessionsPerIp) {
-                log.info(`[LIOP-StreamBridge] Rate limit hit for IP: ${clientIp} (${currentSessions} sessions)`);
-                return c.json({ error: "Too Many Sessions: Rate limit exceeded" }, 429);
-            }
-            const transport = this.createSessionTransport(clientIp);
-            return transport.handleRequest(c.req.raw);
-        });
-    }
-    /**
-     * Starts the LiopStreamBridge HTTP server and session eviction timer.
-     */
-    async start(port) {
-        const listenPort = port ?? this.options.port ?? 3000;
-        // Start the idle session eviction timer
-        this.evictionTimer = setInterval(() => this.evictIdleSessions(), EVICTION_INTERVAL_MS);
-        return new Promise((resolve) => {
-            this.httpServer = serve({
-                fetch: this.app.fetch,
-                port: listenPort,
-            }, (info) => {
-                log.info(`[LIOP-StreamBridge] Streamable HTTP Gateway on http://localhost:${info.port}/mcp`);
-                resolve();
-            });
-        });
-    }
-    /**
-     * Graceful shutdown — closes all active sessions, stops timers, and releases port.
-     */
-    async stop() {
-        if (this.evictionTimer) {
-            clearInterval(this.evictionTimer);
-            this.evictionTimer = null;
-        }
-        for (const [id, entry] of this.activeSessions) {
-            await entry.transport.close();
-            this.activeSessions.delete(id);
-        }
-        if (this.httpServer) {
-            this.httpServer.close();
-            log.info("[LIOP-StreamBridge] HTTP ports released.");
-        }
-    }
-}