@nnsk/tap 0.1.0

package/bin/setup.mjs

@@ -0,0 +1,54 @@
+#!/usr/bin/env node
+
+import { cpSync, mkdirSync, existsSync, readdirSync, readFileSync, writeFileSync } from "fs";
+import { resolve, dirname, join, basename } from "path";
+import { fileURLToPath } from "url";
+import { homedir } from "os";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const commandsSource = resolve(__dirname, "..", "commands");
+const cwd = process.cwd();
+
+const files = readdirSync(commandsSource).filter((f) => f.endsWith(".md"));
+
+if (files.length === 0) {
+  console.error("Error: no command files found in package.");
+  process.exit(1);
+}
+
+// 1. Claude Code / NanoClaw / Cursor / Gemini CLI — .claude/commands/*.md
+const claudeTarget = resolve(cwd, ".claude", "commands");
+mkdirSync(claudeTarget, { recursive: true });
+for (const f of files) {
+  cpSync(join(commandsSource, f), join(claudeTarget, f));
+}
+console.log(`  ✓ .claude/commands/ (Claude Code, NanoClaw, Cursor, Gemini CLI)`);
+
+// Strip $ARGUMENTS (Claude Code-specific) for AgentSkills format
+function copyAsSkill(src, destDir) {
+  mkdirSync(destDir, { recursive: true });
+  let content = readFileSync(src, "utf8");
+  content = content.replace(/^\$ARGUMENTS\s*$/m, "").trimEnd() + "\n";
+  writeFileSync(join(destDir, "SKILL.md"), content);
+}
+
+// 2. OpenClaw / Hermes — ~/.agents/skills/*/SKILL.md (shared convention)
+const agentsTarget = resolve(homedir(), ".agents", "skills");
+for (const f of files) {
+  copyAsSkill(join(commandsSource, f), join(agentsTarget, basename(f, ".md")));
+}
+console.log(`  ✓ ~/.agents/skills/  (OpenClaw, Hermes)`);
+
+// 3. If SOUL.md exists (OpenClaw project), also install to project skills/ dir
+if (existsSync(resolve(cwd, "SOUL.md")) || existsSync(resolve(cwd, "soul.md"))) {
+  const projSkills = resolve(cwd, "skills");
+  for (const f of files) {
+    copyAsSkill(join(commandsSource, f), join(projSkills, basename(f, ".md")));
+  }
+  console.log(`  ✓ skills/            (OpenClaw project skills)`);
+}
+
+console.log(
+  `\nDone! Tell your agent: /setup-tap\n` +
+    `It will ask for your agent API key and proxy URL.\n`
+);

package/commands/setup-google.md

@@ -0,0 +1,28 @@
+---
+description: Walk through Google OAuth setup to get a refresh token for TAP
+---
+
+Help the user get a Google OAuth refresh token and add it as a credential in the TAP dashboard. TAP already has a shared OAuth client — the user only needs a refresh token.
+
+Follow these steps exactly:
+
+1. Tell the user to open the Google OAuth Playground:
+   https://developers.google.com/oauthplayground/
+
+2. Tell them to click the **gear icon** (top right) and check **"Use your own OAuth credentials"**, then enter the Client ID and Client Secret shown in the TAP dashboard (visible when adding a Google credential).
+
+3. Ask what Google APIs they need. Help them select the right scopes in the left panel:
+   - Gmail: `https://mail.google.com/`
+   - Calendar: `https://www.googleapis.com/auth/calendar`
+   - Drive: `https://www.googleapis.com/auth/drive`
+   - Sheets: `https://www.googleapis.com/auth/spreadsheets`
+
+4. Tell them to click **"Authorize APIs"**, sign in with their Google account, and grant access.
+
+5. Tell them to click **"Exchange authorization code for tokens"** and copy the **Refresh Token** from the response.
+
+6. Tell them to go to the TAP dashboard → Credentials → **+ Add Credential** → select **Google Workspace** → paste the refresh token → click **Create**.
+
+That's it. TAP handles token refresh automatically using the shared OAuth client.
+
+$ARGUMENTS

package/commands/setup-tap.md

@@ -0,0 +1,62 @@
+---
+description: Configure TAP credential proxy — gives this agent secure access to any API without exposing credentials
+---
+
+Set up TAP (Tool Authorization Protocol) so this agent can make authenticated API calls without ever seeing credential values. A proxy injects credentials after policy checks.
+
+Do the following steps in order:
+
+1. Ask the user for two values:
+   - **Proxy URL** — suggest the default `https://agentsec.app-dfe7954892b5.enclave.evervault.com`
+   - **Agent API key** — from the TAP dashboard (Agents page)
+
+2. Write both to `.env` (create if missing, append if exists — do not duplicate keys):
+   ```
+   TAP_PROXY_URL=<url>
+   TAP_AGENT_KEY=<key>
+   ```
+
+3. Make sure `.env` is in `.gitignore`. Add it if not.
+
+4. Find the project instruction file — check for `SOUL.md` first, then `CLAUDE.md`. If neither exists, create `CLAUDE.md`. Append this section (if a `## TAP Credential Proxy` section already exists, replace it):
+
+   ```
+   ## TAP Credential Proxy
+
+   All authenticated API requests MUST go through the TAP proxy. Never store, log, or hardcode credentials. Do not search for alternative ways to authenticate — always use the proxy.
+
+   **Making a request:**
+   ```bash
+   curl -X POST "$TAP_PROXY_URL/forward" \
+     -H "X-TAP-Key: $TAP_AGENT_KEY" \
+     -H "X-TAP-Credential: <service-name>" \
+     -H "X-TAP-Target: <real-api-url>" \
+     -H "X-TAP-Method: GET" \
+     -H "Content-Type: application/json" \
+     -d '{ ... }'
+   ```
+
+   - `X-TAP-Credential` — the service name from the dashboard (e.g. `openai`, `github`, `slack`)
+   - `X-TAP-Target` — the actual upstream URL
+   - `X-TAP-Method` — HTTP method (GET, POST, PUT, DELETE). GET is auto-approved by default; writes need human approval
+   - The proxy injects the real credential and scrubs secrets from the response
+
+   **Listing available services:**
+   ```bash
+   curl "$TAP_PROXY_URL/agent/services" -H "X-TAP-Key: $TAP_AGENT_KEY"
+   ```
+   ```
+
+5. Test the connection:
+   ```bash
+   source .env && curl -sf "$TAP_PROXY_URL/health"
+   ```
+   If it returns OK, print "Proxy is reachable." If it fails, warn the user.
+
+6. List available services:
+   ```bash
+   source .env && curl -s "$TAP_PROXY_URL/agent/services" -H "X-TAP-Key: $TAP_AGENT_KEY"
+   ```
+   Show the user which credentials are available. If none, tell them to add credentials in the dashboard first.
+
+$ARGUMENTS

package/commands/setup-telegram.md

@@ -0,0 +1,29 @@
+---
+description: Walk through Telegram credential setup for TAP
+---
+
+Help the user set up a Telegram personal account credential so their agent can interact with Telegram through TAP. This is for the agent to act as the user on Telegram — the approval bot is already running on the platform.
+
+Follow these steps exactly:
+
+1. Tell the user to go to https://my.telegram.org/apps and log in with their phone number.
+
+2. Tell them to create a new application (or use an existing one) and note the **API ID** (a number) and **API Hash** (a hex string).
+
+3. Tell them to run this command in their terminal to generate a session string (requires Python 3.8+):
+
+   ```bash
+   pip install telethon -q && python3 -c "
+   from telethon.sync import TelegramClient; from telethon.sessions import StringSession
+   c = TelegramClient(StringSession(), int(input('API ID: ')), input('API Hash: '))
+   c.start(); print('\nSession string:\n' + c.session.save())
+   "
+   ```
+
+   It will prompt for their API ID, API Hash, phone number, and a verification code from Telegram. They should copy the session string it prints at the end.
+
+4. Warn them: **keep this session string safe** — anyone with it can access their Telegram account.
+
+5. Tell them to go to the TAP dashboard → Credentials → **+ Add Credential** → select **Telegram** → enter the API ID, API Hash, and Session String → click **Create**.
+
+$ARGUMENTS

package/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "@nnsk/tap",
+  "version": "0.1.0",
+  "description": "Set up Tool Authorization Protocol (TAP) for your AI agent in one command",
+  "bin": {
+    "toolauthz": "./bin/setup.mjs"
+  },
+  "scripts": {
+    "test": "node test/setup.test.mjs"
+  },
+  "files": [
+    "bin",
+    "commands"
+  ],
+  "keywords": [
+    "claude-code",
+    "tap",
+    "agentsec",
+    "credential-proxy",
+    "ai-agent"
+  ],
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/nanaknihal/agentsec.git",
+    "directory": "packages/toolauthz"
+  }
+}