@neus/sdk 1.2.0 → 1.2.1

package/cjs/index.cjs

@@ -430,9 +430,9 @@ function deriveDid(address, chainIdOrChain) {
 async function resolveDID(params, options = {}) {
   const endpointPath = options.endpoint || "/api/v1/profile/did/resolve";
   const apiUrl = typeof options.apiUrl === "string" ? options.apiUrl.trim() : "";
-  const resolveEndpoint = (path2) => {
-    if (!path2 || typeof path2 !== "string") return null;
-    const trimmedPath = path2.trim();
+  const resolveEndpoint = (path) => {
+    if (!path || typeof path !== "string") return null;
+    const trimmedPath = path.trim();
     if (!trimmedPath) return null;
     if (/^https?:\/\//i.test(trimmedPath)) return trimmedPath;
     if (trimmedPath.startsWith("/")) {
@@ -491,9 +491,9 @@ async function resolveDID(params, options = {}) {
 async function standardizeVerificationRequest(params, options = {}) {
   const endpointPath = options.endpoint || "/api/v1/verification/standardize";
   const apiUrl = typeof options.apiUrl === "string" ? options.apiUrl.trim() : "";
-  const resolveEndpoint = (path2) => {
-    if (!path2 || typeof path2 !== "string") return null;
-    const trimmedPath = path2.trim();
+  const resolveEndpoint = (path) => {
+    if (!path || typeof path !== "string") return null;
+    const trimmedPath = path.trim();
     if (!trimmedPath) return null;
     if (/^https?:\/\//i.test(trimmedPath)) return trimmedPath;
     if (trimmedPath.startsWith("/")) {
@@ -3004,7 +3004,6 @@ __export(index_exports, {
   MCP_INSTALL_CLIENTS: () => MCP_INSTALL_CLIENTS,
   MCP_INSTALL_HOSTS: () => MCP_INSTALL_HOSTS,
   MONTH: () => MONTH,
-  MOUNT_MANIFEST_RELATIVE: () => MOUNT_MANIFEST_RELATIVE,
   NEUS_AUTH_CLI: () => NEUS_AUTH_CLI,
   NEUS_AUTH_NPX: () => NEUS_AUTH_NPX,
   NEUS_CHECK_CLI: () => NEUS_CHECK_CLI,
@@ -3035,7 +3034,6 @@ __export(index_exports, {
   VerificationError: () => VerificationError,
   WEEK: () => WEEK,
   YEAR: () => YEAR,
-  applyRuntimeBundle: () => applyRuntimeBundle,
   buildAuthCommandForClient: () => buildAuthCommandForClient,
   buildCursorMcpInstallUrl: () => buildCursorMcpInstallUrl,
   buildNeusMcpHttpConfig: () => buildNeusMcpHttpConfig,
@@ -3045,9 +3043,6 @@ __export(index_exports, {
   buildSetupNpxOneLiner: () => buildSetupNpxOneLiner,
   buildVerificationRequest: () => buildVerificationRequest,
   buildVsCodeMcpInstallUrl: () => buildVsCodeMcpInstallUrl,
-  bundleToClaudeMd: () => bundleToClaudeMd,
-  bundleToCodexJson: () => bundleToCodexJson,
-  bundleToCursorRules: () => bundleToCursorRules,
   combineGates: () => combineGates,
   computeContentHash: () => computeContentHash,
   constructVerificationMessage: () => constructVerificationMessage,
@@ -3077,12 +3072,10 @@ __export(index_exports, {
   pickActiveDelegation: () => pickActiveDelegation,
   pickIdentity: () => pickIdentity,
   profileAgentToIdentitySeed: () => profileAgentToIdentitySeed,
-  readMountManifest: () => readMountManifest,
   resolveDID: () => resolveDID,
   resolveEffectiveRuntime: () => resolveEffectiveRuntime,
   resolveRuntimeBundleFromMcp: () => resolveRuntimeBundleFromMcp,
   resolveZkPassportConfig: () => resolveZkPassportConfig,
-  sanitizeAgentIdForFilename: () => sanitizeAgentIdForFilename,
   signMessage: () => signMessage,
   standardizeVerificationRequest: () => standardizeVerificationRequest,
   supportsMcpInstallDeeplink: () => supportsMcpInstallDeeplink,
@@ -3094,8 +3087,7 @@ __export(index_exports, {
   validateUniversalAddress: () => validateUniversalAddress,
   validateVerifierPayload: () => validateVerifierPayload,
   validateWalletAddress: () => validateWalletAddress,
-  withRetry: () => withRetry,
-  writeMountManifest: () => writeMountManifest
+  withRetry: () => withRetry
 });
 module.exports = __toCommonJS(index_exports);
 init_client();
@@ -3164,7 +3156,7 @@ function capabilitiesToArray(caps) {
   return Object.entries(caps).filter(([, enabled]) => enabled === true).map(([key]) => String(key).trim()).filter(Boolean);
 }
 function isDelegationExpired(expiresAt) {
-  if (expiresAt === null || expiresAt === void 0 || expiresAt === 0) return false;
+  if (expiresAt === null || expiresAt === 0) return false;
   const ms = Number(expiresAt);
   return Number.isFinite(ms) && ms > 0 && ms <= Date.now();
 }
@@ -3261,7 +3253,7 @@ function extractAgentContextFromProofs(proofs) {
           runtimePolicy: vvData.runtimePolicy && typeof vvData.runtimePolicy === "object" ? vvData.runtimePolicy : void 0,
           expiresAt: vvData.expiresAt ?? null,
           isExpired: isDelegationExpired(vvData.expiresAt),
-          maxSpend: vvData.maxSpend !== null && vvData.maxSpend !== void 0 ? String(vvData.maxSpend) : void 0,
+          maxSpend: vvData.maxSpend !== null ? String(vvData.maxSpend) : void 0,
           instructions: vvData.instructions || null,
           skills: Array.isArray(vvData.skills) ? vvData.skills : [],
           provider: vvData.provider || vvData.modelProvider || null,
@@ -3546,168 +3538,6 @@ function evaluateMountFileHealth(manifest) {
   };
 }
 
-// runtime-adapters.js
-var import_node_fs = __toESM(require("node:fs"), 1);
-var import_node_path = __toESM(require("node:path"), 1);
-var MOUNT_MANIFEST_RELATIVE = import_node_path.default.join(".neus", "mount.json");
-function sanitizeAgentIdForFilename(agentId) {
-  return String(agentId || "agent").trim().toLowerCase().replace(/[^a-z0-9_-]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 64) || "agent";
-}
-function bundleToCursorRules(bundle) {
-  const id = bundle.identity.agentId;
-  const label = bundle.identity.agentLabel || id;
-  const skillsBlock = (bundle.identity.skills || []).map((skill) => {
-    if (typeof skill === "string") return `- ${skill}`;
-    const labelText = skill.label || skill.id || "skill";
-    const kind = skill.kind || "skill";
-    const provider = skill.provider ? ` / ${skill.provider}` : "";
-    return `- ${labelText} (${kind}${provider})`;
-  }).join("\n");
-  const denied = (bundle.enforce.deniedActions || []).map((action) => `- ${action}`).join("\n");
-  const capabilities = (bundle.identity.capabilities || []).map((cap) => `- ${cap}`).join("\n");
-  const services = (bundle.identity.services || []).map((svc) => `- ${svc.name}: ${svc.endpoint}${svc.version ? ` (v${svc.version})` : ""}`).join("\n");
-  return `---
-description: NEUS proof-backed agent \u2014 ${label}
-globs:
-alwaysApply: true
----
-
-# NEUS Agent \u2014 ${label}
-
-You are **${label}** (\`${id}\`). This project mounted trust context from NEUS.
-
-## Identity
-${bundle.identity.description || bundle.identity.instructions || "Follow the agent instructions below."}
-
-## Instructions
-${bundle.identity.instructions || "Use NEUS MCP for trust checks before sensitive actions."}
-
-## Capabilities
-${capabilities || "- General purpose"}
-
-## Skills
-${skillsBlock || "- None configured"}
-
-## Services
-${services || "- None configured"}
-
-## Scoped policy
-${denied ? `Denied actions (do not perform without new approval):
-${denied}` : "- Follow delegation on file via NEUS MCP."}
-
-## Trust workflow
-1. Call \`neus_context\` once per session when NEUS MCP is available.
-2. Trust before action: \`neus_proofs_check\` then \`neus_verify_or_guide\`.
-3. Do not invent qHashes, wallets, or receipt fields.
-4. Summarize NEUS outcomes as Trust Result \u2014 never dump raw tool JSON.
-
-## Proof references
-- Identity: ${bundle.trust.identityProofUrl}
-${bundle.trust.delegationProofUrl ? `- Delegation: ${bundle.trust.delegationProofUrl}` : "- Delegation: not on file \u2014 call `neus_agent_link` before acting as this agent."}
-`;
-}
-function bundleToClaudeMd(bundle) {
-  const id = bundle.identity.agentId;
-  const label = bundle.identity.agentLabel || id;
-  return `# NEUS Agent \u2014 ${label}
-
-Mounted from NEUS Runtime Mount (\`${RUNTIME_MOUNT_SCHEMA}\`).
-
-## Identity
-- **Agent ID:** ${id}
-- **Label:** ${label}
-
-## Description
-${bundle.identity.description || "Proof-backed agent on NEUS Network."}
-
-## Instructions
-${bundle.identity.instructions || "Use NEUS MCP before sensitive actions."}
-
-## Trust receipts
-- Identity: \`${bundle.trust.identityQHash}\` \u2014 ${bundle.trust.identityProofUrl}
-${bundle.trust.delegationQHash ? `- Delegation: \`${bundle.trust.delegationQHash}\` \u2014 ${bundle.trust.delegationProofUrl}` : ""}
-
-## Policy
-- Do not invent qHashes or verifier outcomes.
-- Call \`neus_context\` once; use profile context when signed in.
-`;
-}
-function bundleToCodexJson(bundle) {
-  return JSON.stringify(
-    {
-      schema: RUNTIME_MOUNT_SCHEMA,
-      name: bundle.identity.agentLabel,
-      agentId: bundle.identity.agentId,
-      agentWallet: bundle.identity.agentWallet,
-      description: bundle.identity.description,
-      instructions: bundle.identity.instructions,
-      capabilities: bundle.identity.capabilities,
-      skills: bundle.identity.skills,
-      services: bundle.identity.services,
-      effectiveRuntime: bundle.effectiveRuntime,
-      enforce: bundle.enforce,
-      trust: bundle.trust,
-      mountedAt: bundle.mountedAt
-    },
-    null,
-    2
-  );
-}
-function readMountManifest(cwd) {
-  const manifestPath = import_node_path.default.join(cwd, MOUNT_MANIFEST_RELATIVE);
-  if (!import_node_fs.default.existsSync(manifestPath)) return null;
-  try {
-    const parsed = JSON.parse(import_node_fs.default.readFileSync(manifestPath, "utf8"));
-    return parsed?.schema === RUNTIME_MOUNT_SCHEMA ? parsed : null;
-  } catch {
-    return null;
-  }
-}
-function writeMountManifest(bundle, cwd) {
-  const dir = import_node_path.default.join(cwd, ".neus");
-  import_node_fs.default.mkdirSync(dir, { recursive: true });
-  const manifestPath = import_node_path.default.join(dir, "mount.json");
-  import_node_fs.default.writeFileSync(manifestPath, `${JSON.stringify(bundle, null, 2)}
-`, "utf8");
-  return manifestPath;
-}
-function applyRuntimeBundle(flavor, bundle, cwd, options = {}) {
-  const dryRun = Boolean(options.dryRun);
-  const safeId = sanitizeAgentIdForFilename(bundle.identity.agentId);
-  const written = [];
-  const manifestPath = dryRun ? import_node_path.default.join(cwd, MOUNT_MANIFEST_RELATIVE) : writeMountManifest(bundle, cwd);
-  written.push(manifestPath);
-  if (flavor === "cursor") {
-    const rulesDir = import_node_path.default.join(cwd, ".cursor", "rules");
-    const rulesPath = import_node_path.default.join(rulesDir, `neus-agent-${safeId}.mdc`);
-    if (!dryRun) {
-      import_node_fs.default.mkdirSync(rulesDir, { recursive: true });
-      import_node_fs.default.writeFileSync(rulesPath, bundleToCursorRules(bundle), "utf8");
-    }
-    written.push(rulesPath);
-    return { flavor, written, primary: rulesPath, manifestPath };
-  }
-  if (flavor === "claude") {
-    const claudePath = import_node_path.default.join(cwd, ".claude", "NEUS_AGENT.md");
-    if (!dryRun) {
-      import_node_fs.default.mkdirSync(import_node_path.default.join(cwd, ".claude"), { recursive: true });
-      import_node_fs.default.writeFileSync(claudePath, bundleToClaudeMd(bundle), "utf8");
-    }
-    written.push(claudePath);
-    return { flavor, written, primary: claudePath, manifestPath };
-  }
-  if (flavor === "codex") {
-    const codexPath = import_node_path.default.join(cwd, ".neus", `codex-agent-${safeId}.json`);
-    if (!dryRun) {
-      import_node_fs.default.mkdirSync(import_node_path.default.join(cwd, ".neus"), { recursive: true });
-      import_node_fs.default.writeFileSync(codexPath, bundleToCodexJson(bundle), "utf8");
-    }
-    written.push(codexPath);
-    return { flavor, written, primary: codexPath, manifestPath };
-  }
-  throw new Error(`Unsupported runtime adapter: ${flavor}`);
-}
-
 // index.js
 init_errors();
 
@@ -3850,7 +3680,6 @@ var index_default = {
   MCP_INSTALL_CLIENTS,
   MCP_INSTALL_HOSTS,
   MONTH,
-  MOUNT_MANIFEST_RELATIVE,
   NEUS_AUTH_CLI,
   NEUS_AUTH_NPX,
   NEUS_CHECK_CLI,
@@ -3881,7 +3710,6 @@ var index_default = {
   VerificationError,
   WEEK,
   YEAR,
-  applyRuntimeBundle,
   buildAuthCommandForClient,
   buildCursorMcpInstallUrl,
   buildNeusMcpHttpConfig,
@@ -3891,9 +3719,6 @@ var index_default = {
   buildSetupNpxOneLiner,
   buildVerificationRequest,
   buildVsCodeMcpInstallUrl,
-  bundleToClaudeMd,
-  bundleToCodexJson,
-  bundleToCursorRules,
   combineGates,
   computeContentHash,
   constructVerificationMessage,
@@ -3922,12 +3747,10 @@ var index_default = {
   pickActiveDelegation,
   pickIdentity,
   profileAgentToIdentitySeed,
-  readMountManifest,
   resolveDID,
   resolveEffectiveRuntime,
   resolveRuntimeBundleFromMcp,
   resolveZkPassportConfig,
-  sanitizeAgentIdForFilename,
   signMessage,
   standardizeVerificationRequest,
   supportsMcpInstallDeeplink,
@@ -3939,6 +3762,5 @@ var index_default = {
   validateUniversalAddress,
   validateVerifierPayload,
   validateWalletAddress,
-  withRetry,
-  writeMountManifest
+  withRetry
 });

package/cjs/runtime-mount.cjs

@@ -54,7 +54,7 @@ function capabilitiesToArray(caps) {
   return Object.entries(caps).filter(([, enabled]) => enabled === true).map(([key]) => String(key).trim()).filter(Boolean);
 }
 function isDelegationExpired(expiresAt) {
-  if (expiresAt === null || expiresAt === void 0 || expiresAt === 0) return false;
+  if (expiresAt === null || expiresAt === 0) return false;
   const ms = Number(expiresAt);
   return Number.isFinite(ms) && ms > 0 && ms <= Date.now();
 }
@@ -151,7 +151,7 @@ function extractAgentContextFromProofs(proofs) {
           runtimePolicy: vvData.runtimePolicy && typeof vvData.runtimePolicy === "object" ? vvData.runtimePolicy : void 0,
           expiresAt: vvData.expiresAt ?? null,
           isExpired: isDelegationExpired(vvData.expiresAt),
-          maxSpend: vvData.maxSpend !== null && vvData.maxSpend !== void 0 ? String(vvData.maxSpend) : void 0,
+          maxSpend: vvData.maxSpend !== null ? String(vvData.maxSpend) : void 0,
           instructions: vvData.instructions || null,
           skills: Array.isArray(vvData.skills) ? vvData.skills : [],
           provider: vvData.provider || vvData.modelProvider || null,

package/cli-commands.js

@@ -0,0 +1,75 @@
+/**
+ * NEUS CLI command strings — SSOT for docs, MCP context, product UI, and skills.
+ *
+ * Pattern (industry default):
+ * - Install once: `npm i -g @neus/sdk`
+ * - Daily use: `neus <command>` (short)
+ * - Zero-install try: `npx @neus/sdk <command>` (no global install)
+ */
+
+export const NEUS_PKG = '@neus/sdk';
+
+/** Recommended one-time install for builders using the CLI regularly. */
+export const NEUS_INSTALL_CLI = `npm i -g ${NEUS_PKG}`;
+
+/** Zero-install prefix — works without global install. */
+export const NEUS_NPX = `npx ${NEUS_PKG}`;
+
+/** Short commands (after `NEUS_INSTALL_CLI`). */
+export const NEUS_SETUP_CLI = 'neus setup';
+export const NEUS_AUTH_CLI = 'neus auth';
+export const NEUS_CHECK_CLI = 'neus check';
+export const NEUS_DOCTOR_CLI = 'neus doctor --live';
+export const NEUS_EXAMPLES_CLI = 'neus examples';
+
+/** One-shot copy-paste (no global install required). */
+export const NEUS_SETUP_NPX = `${NEUS_NPX} setup`;
+export const NEUS_AUTH_NPX = `${NEUS_NPX} auth`;
+export const NEUS_CHECK_NPX = `${NEUS_NPX} check`;
+export const NEUS_DOCTOR_NPX = `${NEUS_NPX} doctor --live`;
+export const NEUS_EXAMPLES_NPX = `${NEUS_NPX} examples`;
+
+/**
+ * @param {string} agentId
+ * @param {'cursor' | 'claude' | 'codex'} [host]
+ */
+export function neusMountApply(agentId, host = 'cursor') {
+  const id = String(agentId || '').trim();
+  return `neus mount ${id} --apply ${host}`;
+}
+
+/**
+ * @param {string} agentId
+ * @param {'cursor' | 'claude' | 'codex'} [host]
+ */
+export function neusMountApplyNpx(agentId, host = 'cursor') {
+  const id = String(agentId || '').trim();
+  return `${NEUS_NPX} mount ${id} --apply ${host}`;
+}
+
+/** Docs / landing quick start (installed path). */
+export const NEUS_QUICKSTART_INSTALLED = `${NEUS_INSTALL_CLI}
+${NEUS_SETUP_CLI}
+${NEUS_AUTH_CLI}`;
+
+/** Docs quick try (zero-install). */
+export const NEUS_QUICKSTART_NPX = NEUS_SETUP_NPX;
+
+/** Per-repo agent bind (after auth on the machine). */
+export const NEUS_MOUNT_WORKFLOW = `${NEUS_AUTH_CLI}
+neus mount <agentId> --apply cursor
+${NEUS_DOCTOR_CLI}`;
+
+/**
+ * @param {string} subcommand
+ */
+export function neusCmd(subcommand) {
+  return `neus ${String(subcommand || '').trim()}`;
+}
+
+/**
+ * @param {string} subcommand
+ */
+export function neusNpx(subcommand) {
+  return `${NEUS_NPX} ${String(subcommand || '').trim()}`;
+}

package/index.js

@@ -72,16 +72,7 @@ export {
   evaluateMountFileHealth
 } from './runtime-mount.js';
 
-export {
-  MOUNT_MANIFEST_RELATIVE,
-  sanitizeAgentIdForFilename,
-  bundleToCursorRules,
-  bundleToClaudeMd,
-  bundleToCodexJson,
-  readMountManifest,
-  writeMountManifest,
-  applyRuntimeBundle
-} from './runtime-adapters.js';
+// Node-only adapters (fs/path): import `@neus/sdk/runtime-adapters` — not re-exported here (Next/webpack safe).
 
 export {
   SDKError,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@neus/sdk",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "description": "NEUS makes trust portable across the internet — so people, apps, and AI agents can prove what is real before access, payout, or execution.",
   "bin": {
     "neus": "cli/neus.mjs"
@@ -141,6 +141,7 @@
   },
   "files": [
     "cli/neus.mjs",
+    "cli-commands.js",
     "mcp-hosts.js",
     "index.js",
     "client.js",
@@ -148,6 +149,8 @@
     "errors.js",
     "gates.js",
     "sponsor.js",
+    "runtime-mount.js",
+    "runtime-adapters.js",
     "cjs/**",
     "widgets.cjs",
     "types.d.ts",

package/runtime-adapters.js

@@ -0,0 +1,214 @@
+/**
+ * Runtime Mount adapters — apply proof-backed bundles to host workspaces.
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+import { RUNTIME_MOUNT_SCHEMA } from './runtime-mount.js';
+
+export const MOUNT_MANIFEST_RELATIVE = path.join('.neus', 'mount.json');
+
+/**
+ * @param {string} agentId
+ */
+export function sanitizeAgentIdForFilename(agentId) {
+  return String(agentId || 'agent')
+    .trim()
+    .toLowerCase()
+    .replace(/[^a-z0-9_-]+/g, '-')
+    .replace(/^-+|-+$/g, '')
+    .slice(0, 64) || 'agent';
+}
+
+/**
+ * @param {import('./runtime-mount.js').RuntimeBundle} bundle
+ */
+export function bundleToCursorRules(bundle) {
+  const id = bundle.identity.agentId;
+  const label = bundle.identity.agentLabel || id;
+  const skillsBlock = (bundle.identity.skills || [])
+    .map(skill => {
+      if (typeof skill === 'string') return `- ${skill}`;
+      const labelText = skill.label || skill.id || 'skill';
+      const kind = skill.kind || 'skill';
+      const provider = skill.provider ? ` / ${skill.provider}` : '';
+      return `- ${labelText} (${kind}${provider})`;
+    })
+    .join('\n');
+
+  const denied = (bundle.enforce.deniedActions || []).map(action => `- ${action}`).join('\n');
+  const capabilities = (bundle.identity.capabilities || []).map(cap => `- ${cap}`).join('\n');
+  const services = (bundle.identity.services || [])
+    .map(svc => `- ${svc.name}: ${svc.endpoint}${svc.version ? ` (v${svc.version})` : ''}`)
+    .join('\n');
+
+  return `---
+description: NEUS proof-backed agent — ${label}
+globs:
+alwaysApply: true
+---
+
+# NEUS Agent — ${label}
+
+You are **${label}** (\`${id}\`). This project mounted trust context from NEUS.
+
+## Identity
+${bundle.identity.description || bundle.identity.instructions || 'Follow the agent instructions below.'}
+
+## Instructions
+${bundle.identity.instructions || 'Use NEUS MCP for trust checks before sensitive actions.'}
+
+## Capabilities
+${capabilities || '- General purpose'}
+
+## Skills
+${skillsBlock || '- None configured'}
+
+## Services
+${services || '- None configured'}
+
+## Scoped policy
+${denied ? `Denied actions (do not perform without new approval):\n${denied}` : '- Follow delegation on file via NEUS MCP.'}
+
+## Trust workflow
+1. Call \`neus_context\` once per session when NEUS MCP is available.
+2. Trust before action: \`neus_proofs_check\` then \`neus_verify_or_guide\`.
+3. Do not invent qHashes, wallets, or receipt fields.
+4. Summarize NEUS outcomes as Trust Result — never dump raw tool JSON.
+
+## Proof references
+- Identity: ${bundle.trust.identityProofUrl}
+${bundle.trust.delegationProofUrl ? `- Delegation: ${bundle.trust.delegationProofUrl}` : '- Delegation: not on file — call `neus_agent_link` before acting as this agent.'}
+`;
+}
+
+/**
+ * @param {import('./runtime-mount.js').RuntimeBundle} bundle
+ */
+export function bundleToClaudeMd(bundle) {
+  const id = bundle.identity.agentId;
+  const label = bundle.identity.agentLabel || id;
+  return `# NEUS Agent — ${label}
+
+Mounted from NEUS Runtime Mount (\`${RUNTIME_MOUNT_SCHEMA}\`).
+
+## Identity
+- **Agent ID:** ${id}
+- **Label:** ${label}
+
+## Description
+${bundle.identity.description || 'Proof-backed agent on NEUS Network.'}
+
+## Instructions
+${bundle.identity.instructions || 'Use NEUS MCP before sensitive actions.'}
+
+## Trust receipts
+- Identity: \`${bundle.trust.identityQHash}\` — ${bundle.trust.identityProofUrl}
+${bundle.trust.delegationQHash ? `- Delegation: \`${bundle.trust.delegationQHash}\` — ${bundle.trust.delegationProofUrl}` : ''}
+
+## Policy
+- Do not invent qHashes or verifier outcomes.
+- Call \`neus_context\` once; use profile context when signed in.
+`;
+}
+
+/**
+ * @param {import('./runtime-mount.js').RuntimeBundle} bundle
+ */
+export function bundleToCodexJson(bundle) {
+  return JSON.stringify(
+    {
+      schema: RUNTIME_MOUNT_SCHEMA,
+      name: bundle.identity.agentLabel,
+      agentId: bundle.identity.agentId,
+      agentWallet: bundle.identity.agentWallet,
+      description: bundle.identity.description,
+      instructions: bundle.identity.instructions,
+      capabilities: bundle.identity.capabilities,
+      skills: bundle.identity.skills,
+      services: bundle.identity.services,
+      effectiveRuntime: bundle.effectiveRuntime,
+      enforce: bundle.enforce,
+      trust: bundle.trust,
+      mountedAt: bundle.mountedAt
+    },
+    null,
+    2
+  );
+}
+
+/**
+ * @param {string} cwd
+ */
+export function readMountManifest(cwd) {
+  const manifestPath = path.join(cwd, MOUNT_MANIFEST_RELATIVE);
+  if (!fs.existsSync(manifestPath)) return null;
+  try {
+    const parsed = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
+    return parsed?.schema === RUNTIME_MOUNT_SCHEMA ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * @param {import('./runtime-mount.js').RuntimeBundle} bundle
+ * @param {string} cwd
+ */
+export function writeMountManifest(bundle, cwd) {
+  const dir = path.join(cwd, '.neus');
+  fs.mkdirSync(dir, { recursive: true });
+  const manifestPath = path.join(dir, 'mount.json');
+  fs.writeFileSync(manifestPath, `${JSON.stringify(bundle, null, 2)}\n`, 'utf8');
+  return manifestPath;
+}
+
+/**
+ * @param {'cursor' | 'claude' | 'codex'} flavor
+ * @param {import('./runtime-mount.js').RuntimeBundle} bundle
+ * @param {string} cwd
+ * @param {{ dryRun?: boolean }} [options]
+ */
+export function applyRuntimeBundle(flavor, bundle, cwd, options = {}) {
+  const dryRun = Boolean(options.dryRun);
+  const safeId = sanitizeAgentIdForFilename(bundle.identity.agentId);
+  const written = [];
+
+  const manifestPath = dryRun
+    ? path.join(cwd, MOUNT_MANIFEST_RELATIVE)
+    : writeMountManifest(bundle, cwd);
+  written.push(manifestPath);
+
+  if (flavor === 'cursor') {
+    const rulesDir = path.join(cwd, '.cursor', 'rules');
+    const rulesPath = path.join(rulesDir, `neus-agent-${safeId}.mdc`);
+    if (!dryRun) {
+      fs.mkdirSync(rulesDir, { recursive: true });
+      fs.writeFileSync(rulesPath, bundleToCursorRules(bundle), 'utf8');
+    }
+    written.push(rulesPath);
+    return { flavor, written, primary: rulesPath, manifestPath };
+  }
+
+  if (flavor === 'claude') {
+    const claudePath = path.join(cwd, '.claude', 'NEUS_AGENT.md');
+    if (!dryRun) {
+      fs.mkdirSync(path.join(cwd, '.claude'), { recursive: true });
+      fs.writeFileSync(claudePath, bundleToClaudeMd(bundle), 'utf8');
+    }
+    written.push(claudePath);
+    return { flavor, written, primary: claudePath, manifestPath };
+  }
+
+  if (flavor === 'codex') {
+    const codexPath = path.join(cwd, '.neus', `codex-agent-${safeId}.json`);
+    if (!dryRun) {
+      fs.mkdirSync(path.join(cwd, '.neus'), { recursive: true });
+      fs.writeFileSync(codexPath, bundleToCodexJson(bundle), 'utf8');
+    }
+    written.push(codexPath);
+    return { flavor, written, primary: codexPath, manifestPath };
+  }
+
+  throw new Error(`Unsupported runtime adapter: ${flavor}`);
+}

package/runtime-mount.js

@@ -0,0 +1,522 @@
+/**
+ * Runtime Mount — proof-backed agent context bundle (neus.runtime-mount.v1).
+ * SSOT for CLI, integrators, and protocol neus_agent_mount response shape.
+ */
+
+export const RUNTIME_MOUNT_SCHEMA = 'neus.runtime-mount.v1';
+
+const PROOF_URL_BASE = 'https://neus.network/proof/';
+
+/**
+ * @param {string | null | undefined} value
+ */
+export function normalizeWallet(value) {
+  const wallet = String(value || '').trim().toLowerCase();
+  return /^0x[a-f0-9]{40}$/.test(wallet) ? wallet : '';
+}
+
+/**
+ * @param {unknown} value
+ */
+function asString(value) {
+  const trimmed = String(value ?? '').trim();
+  return trimmed.length > 0 ? trimmed : '';
+}
+
+/**
+ * @param {unknown} value
+ * @returns {string[]}
+ */
+function asStringArray(value) {
+  if (!Array.isArray(value)) return [];
+  return value.map(item => String(item || '').trim()).filter(Boolean);
+}
+
+/**
+ * @param {Record<string, unknown> | null | undefined} caps
+ */
+function capabilitiesToArray(caps) {
+  if (Array.isArray(caps)) return asStringArray(caps);
+  if (!caps || typeof caps !== 'object') return [];
+  return Object.entries(caps)
+    .filter(([, enabled]) => enabled === true)
+    .map(([key]) => String(key).trim())
+    .filter(Boolean);
+}
+
+/**
+ * @param {number | null | undefined} expiresAt
+ */
+export function isDelegationExpired(expiresAt) {
+  if (expiresAt === null || expiresAt === 0) return false;
+  const ms = Number(expiresAt);
+  return Number.isFinite(ms) && ms > 0 && ms <= Date.now();
+}
+
+/**
+ * @param {Array<Record<string, unknown>>} identities
+ * @param {{ agentId?: string, agentWallet?: string, identityQHash?: string }} selector
+ */
+export function pickIdentity(identities, selector) {
+  const list = Array.isArray(identities) ? identities : [];
+  const qHash = asString(selector.identityQHash).toLowerCase();
+  if (qHash) {
+    return list.find(row => asString(row.qHash).toLowerCase() === qHash) || null;
+  }
+  const agentId = asString(selector.agentId).toLowerCase();
+  const agentWallet = normalizeWallet(selector.agentWallet);
+  if (agentId) {
+    const byId = list.filter(row => asString(row.agentId).toLowerCase() === agentId);
+    if (agentWallet) {
+      return byId.find(row => normalizeWallet(row.agentWallet) === agentWallet) || byId[0] || null;
+    }
+    return byId[0] || null;
+  }
+  if (agentWallet) {
+    return list.find(row => normalizeWallet(row.agentWallet) === agentWallet) || null;
+  }
+  return null;
+}
+
+/**
+ * @param {Array<Record<string, unknown>>} delegations
+ * @param {string} controllerWallet
+ * @param {string} agentWallet
+ * @param {string} agentId
+ */
+export function pickActiveDelegation(delegations, controllerWallet, agentWallet, agentId) {
+  const list = Array.isArray(delegations) ? delegations : [];
+  const controller = normalizeWallet(controllerWallet);
+  const agent = normalizeWallet(agentWallet);
+  const id = asString(agentId).toLowerCase();
+  const candidates = list.filter(row => {
+    if (isDelegationExpired(row.expiresAt)) return false;
+    const rowAgent = normalizeWallet(row.agentWallet);
+    const rowController = normalizeWallet(row.controllerWallet);
+    if (agent && rowAgent && rowAgent !== agent) return false;
+    if (controller && rowController && rowController !== controller) return false;
+    if (id && row.agentId && asString(row.agentId).toLowerCase() !== id) return false;
+    return true;
+  });
+  return candidates[0] || null;
+}
+
+/**
+ * @param {Record<string, unknown> | null | undefined} identity
+ * @param {Record<string, unknown> | null | undefined} delegation
+ */
+export function resolveEffectiveRuntime(identity, delegation) {
+  const delProvider = asString(delegation?.provider);
+  const delModel = asString(delegation?.model);
+  if (delProvider || delModel) {
+    return {
+      provider: delProvider || 'openai',
+      model: delModel || ''
+    };
+  }
+  const defaultRuntime =
+    identity?.defaultRuntime && typeof identity.defaultRuntime === 'object'
+      ? identity.defaultRuntime
+      : null;
+  const idProvider = asString(defaultRuntime?.provider);
+  const idModel = asString(defaultRuntime?.model);
+  if (idProvider || idModel) {
+    return {
+      provider: idProvider || 'openai',
+      model: idModel || ''
+    };
+  }
+  return null;
+}
+
+/**
+ * @param {unknown} proof
+ */
+export function extractAgentContextFromProofs(proofs) {
+  const identities = [];
+  const delegations = [];
+  const list = Array.isArray(proofs) ? proofs : [];
+
+  for (const proof of list) {
+    const qHash = asString(proof?.qHash);
+    const verifiedVerifiers = Array.isArray(proof?.verifiedVerifiers) ? proof.verifiedVerifiers : [];
+    for (const vv of verifiedVerifiers) {
+      const verifierId = asString(vv?.verifierId);
+      const vvData = vv?.data && typeof vv.data === 'object' ? vv.data : {};
+      if (verifierId === 'agent-identity') {
+        identities.push({
+          qHash,
+          agentId: vvData.agentId || null,
+          agentWallet: vvData.agentWallet || null,
+          agentLabel: vvData.agentLabel || vvData.agentId || 'Agent',
+          agentType: vvData.agentType || 'agent',
+          description: vvData.description || null,
+          capabilities: capabilitiesToArray(vvData.capabilities),
+          skills: Array.isArray(vvData.skills) ? vvData.skills : [],
+          instructions: vvData.instructions || null,
+          services: Array.isArray(vvData.services) ? vvData.services : [],
+          defaultRuntime:
+            vvData.defaultRuntime && typeof vvData.defaultRuntime === 'object'
+              ? vvData.defaultRuntime
+              : undefined
+        });
+      }
+      if (verifierId === 'agent-delegation') {
+        delegations.push({
+          qHash,
+          controllerWallet: vvData.controllerWallet || null,
+          agentWallet: vvData.agentWallet || null,
+          agentId: vvData.agentId || null,
+          scope: vvData.scope || 'global',
+          allowedActions: asStringArray(vvData.allowedActions),
+          deniedActions: asStringArray(vvData.deniedActions),
+          runtimePolicy:
+            vvData.runtimePolicy && typeof vvData.runtimePolicy === 'object'
+              ? vvData.runtimePolicy
+              : undefined,
+          expiresAt: vvData.expiresAt ?? null,
+          isExpired: isDelegationExpired(vvData.expiresAt),
+          maxSpend: vvData.maxSpend !== null ? String(vvData.maxSpend) : undefined,
+          instructions: vvData.instructions || null,
+          skills: Array.isArray(vvData.skills) ? vvData.skills : [],
+          provider: vvData.provider || vvData.modelProvider || null,
+          model: vvData.model || null
+        });
+      }
+    }
+  }
+
+  return { identities, delegations };
+}
+
+/**
+ * @param {Record<string, unknown>} input
+ */
+export function buildRuntimeBundle(input) {
+  const identity = input.identity || {};
+  const delegation = input.delegation || null;
+  const identityQHash = asString(input.identityQHash || identity.qHash);
+  const delegationQHash = delegation ? asString(input.delegationQHash || delegation.qHash) : null;
+  const agentId = asString(identity.agentId);
+  const agentWallet = normalizeWallet(identity.agentWallet);
+
+  if (!identityQHash || !agentId || !agentWallet) {
+    throw new Error('Runtime mount requires verified agent identity (agentId, agentWallet, identityQHash).');
+  }
+
+  const effectiveRuntime = resolveEffectiveRuntime(identity, delegation);
+  const deniedActions = delegation ? asStringArray(delegation.deniedActions) : [];
+  const allowedActions = delegation ? asStringArray(delegation.allowedActions) : undefined;
+  const requiresHumanApproval =
+    delegation?.runtimePolicy &&
+    typeof delegation.runtimePolicy === 'object' &&
+    delegation.runtimePolicy.requiresHumanApproval === true;
+
+  const capabilities = asStringArray(identity.capabilities);
+  const skills = Array.isArray(identity.skills) ? identity.skills : [];
+  const skillIds = skills
+    .map(skill =>
+      typeof skill === 'string' ? skill : asString(skill?.id || skill?.label)
+    )
+    .filter(Boolean);
+
+  const delegations = delegation ? [delegation] : [];
+  const activeDelegations = delegations.filter(row => !row.isExpired).length;
+
+  return {
+    schema: RUNTIME_MOUNT_SCHEMA,
+    mountedAt: new Date().toISOString(),
+    trust: {
+      identityQHash,
+      delegationQHash: delegationQHash || null,
+      identityProofUrl: `${PROOF_URL_BASE}${identityQHash}`,
+      delegationProofUrl: delegationQHash ? `${PROOF_URL_BASE}${delegationQHash}` : null
+    },
+    identity: {
+      agentId,
+      agentWallet,
+      agentLabel: asString(identity.agentLabel) || agentId,
+      agentType: asString(identity.agentType) || 'agent',
+      description: asString(identity.description) || undefined,
+      instructions: asString(identity.instructions) || undefined,
+      capabilities,
+      skills,
+      services: Array.isArray(identity.services) ? identity.services : undefined,
+      defaultRuntime:
+        identity.defaultRuntime && typeof identity.defaultRuntime === 'object'
+          ? identity.defaultRuntime
+          : undefined
+    },
+    delegation: delegation
+      ? {
+          controllerWallet: normalizeWallet(delegation.controllerWallet) || asString(delegation.controllerWallet),
+          scope: asString(delegation.scope) || undefined,
+          allowedActions,
+          deniedActions,
+          runtimePolicy: delegation.runtimePolicy,
+          expiresAt: delegation.expiresAt ?? null,
+          isExpired: Boolean(delegation.isExpired),
+          maxSpend: delegation.maxSpend,
+          instructions: asString(delegation.instructions) || undefined,
+          skills: Array.isArray(delegation.skills) ? delegation.skills : undefined,
+          provider: asString(delegation.provider) || undefined,
+          model: asString(delegation.model) || undefined
+        }
+      : null,
+    effectiveRuntime,
+    tools: Array.isArray(input.tools) ? input.tools : [],
+    secretBindings: Array.isArray(input.secretBindings) ? input.secretBindings : [],
+    memoryRefs: Array.isArray(input.memoryRefs) ? input.memoryRefs : undefined,
+    enforce: {
+      deniedActions,
+      ...(allowedActions?.length ? { allowedActions } : {}),
+      ...(requiresHumanApproval ? { requiresHumanApproval: true } : {})
+    },
+    contextPack: {
+      identityCount: 1,
+      delegationCount: delegations.length,
+      activeDelegations,
+      capabilitiesSummary: capabilities.slice(0, 32),
+      skillsSummary: skillIds.slice(0, 32)
+    }
+  };
+}
+
+/**
+ * @param {Record<string, unknown>} profileAgent
+ */
+export function profileAgentToIdentitySeed(profileAgent) {
+  return {
+    agentId: profileAgent.agentId,
+    agentWallet: profileAgent.agentWallet,
+    agentLabel: profileAgent.agentLabel || profileAgent.name,
+    agentType: profileAgent.agentType || profileAgent.typeLabel,
+    description: profileAgent.description,
+    instructions: profileAgent.instructions,
+    capabilities: capabilitiesToArray(profileAgent.capabilities),
+    skills: Array.isArray(profileAgent.skills) ? profileAgent.skills : [],
+    services: Array.isArray(profileAgent.services) ? profileAgent.services : [],
+    identityQHash: profileAgent.identityQHash || profileAgent.qHash
+  };
+}
+
+/**
+ * @param {import('./runtime-mount.js').RuntimeBundle | Record<string, unknown>} value
+ */
+export function isRuntimeBundle(value) {
+  return Boolean(value && typeof value === 'object' && value.schema === RUNTIME_MOUNT_SCHEMA);
+}
+
+/**
+ * Resolve mount via MCP (server tool first, then client assembly).
+ *
+ * @param {{
+ *   callMcpTool: (args: { name: string, args?: Record<string, unknown>, accessKey?: string, sessionId?: string, signal?: AbortSignal }) => Promise<{ ok: boolean, payload?: unknown, error?: string }>,
+ *   initializeMcp?: () => Promise<{ sessionId: string }>,
+ *   accessKey: string,
+ *   agentId?: string,
+ *   agentWallet?: string,
+ *   identityQHash?: string,
+ *   signal?: AbortSignal
+ * }} input
+ */
+export async function resolveRuntimeBundleFromMcp(input) {
+  const accessKey = asString(input.accessKey);
+  if (!accessKey) {
+    throw new Error('NEUS access key or authenticated MCP session is required for runtime mount.');
+  }
+
+  const selector = {
+    agentId: input.agentId,
+    agentWallet: input.agentWallet,
+    identityQHash: input.identityQHash
+  };
+  if (!selector.agentId && !selector.agentWallet && !selector.identityQHash) {
+    throw new Error('Provide agentId, agentWallet, or identityQHash.');
+  }
+
+  let sessionId = '';
+  if (input.initializeMcp) {
+    const init = await input.initializeMcp();
+    sessionId = init.sessionId || '';
+  }
+
+  const mountArgs = {
+    ...(selector.agentId ? { agentId: selector.agentId } : {}),
+    ...(selector.agentWallet ? { agentWallet: selector.agentWallet } : {}),
+    ...(selector.identityQHash ? { identityQHash: selector.identityQHash } : {})
+  };
+
+  const serverMount = await input.callMcpTool({
+    name: 'neus_agent_mount',
+    args: mountArgs,
+    accessKey,
+    sessionId,
+    signal: input.signal
+  });
+
+  if (serverMount.ok) {
+    const payload = serverMount.payload;
+    if (isRuntimeBundle(payload)) {
+      return /** @type {import('./runtime-mount.js').RuntimeBundle} */ (payload);
+    }
+    if (payload && typeof payload === 'object' && isRuntimeBundle(payload.data)) {
+      return /** @type {import('./runtime-mount.js').RuntimeBundle} */ (payload.data);
+    }
+  }
+
+  const me = await input.callMcpTool({
+    name: 'neus_me',
+    args: {},
+    accessKey,
+    sessionId,
+    signal: input.signal
+  });
+  if (!me.ok) {
+    throw new Error(me.error || 'Could not load profile context. Run `neus auth` and retry.');
+  }
+  const mePayload = /** @type {Record<string, unknown>} */ (me.payload || {});
+  if (mePayload.status === 'auth_required') {
+    throw new Error('Profile authentication required. Run `neus auth` or set NEUS_ACCESS_KEY.');
+  }
+
+  const principal = /** @type {Record<string, unknown>} */ (mePayload.principal || {});
+  const controllerWallet = normalizeWallet(principal.primaryAccount);
+  const profileAgents = Array.isArray(mePayload.agents) ? mePayload.agents : [];
+
+  let agentWallet = normalizeWallet(selector.agentWallet);
+  let agentId = asString(selector.agentId);
+
+  if (!agentWallet && agentId) {
+    const row = profileAgents.find(
+      row => asString(row.agentId).toLowerCase() === agentId.toLowerCase()
+    );
+    if (row) {
+      agentWallet = normalizeWallet(row.agentWallet);
+    }
+  }
+  if (!agentId && agentWallet) {
+    const row = profileAgents.find(row => normalizeWallet(row.agentWallet) === agentWallet);
+    if (row) agentId = asString(row.agentId);
+  }
+  if (!agentWallet && selector.identityQHash) {
+    const idProof = await input.callMcpTool({
+      name: 'neus_proofs_get',
+      args: { qHash: selector.identityQHash, verifierId: 'agent-identity' },
+      accessKey,
+      sessionId,
+      signal: input.signal
+    });
+    if (idProof.ok) {
+      const data = /** @type {Record<string, unknown>} */ (idProof.payload?.data || idProof.payload || {});
+      const proofs = Array.isArray(data.proofs) ? data.proofs : [];
+      const extracted = extractAgentContextFromProofs(proofs);
+      const identity = pickIdentity(extracted.identities, selector);
+      if (identity) {
+        agentWallet = normalizeWallet(identity.agentWallet);
+        agentId = asString(identity.agentId);
+      }
+    }
+  }
+
+  if (!agentWallet) {
+    throw new Error('Could not resolve agent wallet. Check agentId or link the agent on your profile.');
+  }
+
+  const [identityPage, delegationPage] = await Promise.all([
+    input.callMcpTool({
+      name: 'neus_proofs_get',
+      args: { identifier: agentWallet, verifierId: 'agent-identity', limit: 25 },
+      accessKey,
+      sessionId,
+      signal: input.signal
+    }),
+    controllerWallet
+      ? input.callMcpTool({
+          name: 'neus_proofs_get',
+          args: { identifier: controllerWallet, verifierId: 'agent-delegation', limit: 50 },
+          accessKey,
+          sessionId,
+          signal: input.signal
+        })
+      : Promise.resolve({ ok: false })
+  ]);
+
+  const identityProofs = identityPage.ok
+    ? /** @type {unknown[]} */ (
+        identityPage.payload?.data?.proofs || identityPage.payload?.proofs || []
+      )
+    : [];
+  const delegationProofs = delegationPage.ok
+    ? /** @type {unknown[]} */ (
+        delegationPage.payload?.data?.proofs || delegationPage.payload?.proofs || []
+      )
+    : [];
+
+  const idCtx = extractAgentContextFromProofs(identityProofs);
+  const delCtx = extractAgentContextFromProofs(delegationProofs);
+
+  let identity = pickIdentity(idCtx.identities, { ...selector, agentId, agentWallet });
+  if (!identity && profileAgents.length > 0) {
+    const row = profileAgents.find(
+      a =>
+        asString(a.agentId).toLowerCase() === agentId.toLowerCase() ||
+        normalizeWallet(a.agentWallet) === agentWallet
+    );
+    if (row) {
+      identity = { ...profileAgentToIdentitySeed(row), agentWallet, agentId: agentId || asString(row.agentId) };
+    }
+  }
+  if (!identity) {
+    throw new Error('Agent identity proof not found. Complete agent setup on neus.network first.');
+  }
+
+  const delegation = pickActiveDelegation(
+    delCtx.delegations,
+    controllerWallet,
+    agentWallet,
+    agentId || asString(identity.agentId)
+  );
+
+  return buildRuntimeBundle({
+    identity,
+    delegation,
+    identityQHash: asString(identity.qHash || selector.identityQHash),
+    delegationQHash: delegation ? asString(delegation.qHash) : null,
+    tools: [],
+    secretBindings: []
+  });
+}
+
+/**
+ * @param {import('./runtime-mount.js').RuntimeBundle | Record<string, unknown> | null | undefined} manifest
+ */
+export function evaluateMountFileHealth(manifest) {
+  if (!manifest || manifest.schema !== RUNTIME_MOUNT_SCHEMA) {
+    return {
+      mountFileValid: false,
+      missingDelegation: true,
+      delegationExpired: false,
+      needsRefresh: true,
+      reason: 'missing_or_invalid'
+    };
+  }
+
+  const delegationQHash = asString(manifest.trust?.delegationQHash);
+  const missingDelegation = !delegationQHash;
+  const expiresAt = manifest.delegation?.expiresAt;
+  const delegationExpired =
+    Boolean(manifest.delegation?.isExpired) || isDelegationExpired(expiresAt);
+
+  return {
+    mountFileValid: true,
+    missingDelegation,
+    delegationExpired,
+    needsRefresh: missingDelegation || delegationExpired,
+    reason: delegationExpired
+      ? 'delegation_expired'
+      : missingDelegation
+        ? 'delegation_missing'
+        : null
+  };
+}