@purposebot/mcp 0.1.1 → 0.1.2

package/README.md

@@ -29,7 +29,7 @@ Requires Node >= 18. Get an API key from your PurposeBot account.
   "mcpServers": {
     "purposebot": {
       "command": "npx",
-      "args": ["-y", "@purposebot/mcp@0.1.1"],
+      "args": ["-y", "@purposebot/mcp@0.1.2"],
       "env": {
         "PURPOSEBOT_API_KEY": "pb_xxx"
       }
@@ -41,20 +41,22 @@ Requires Node >= 18. Get an API key from your PurposeBot account.
 ### Claude Code
 
 ```bash
-claude mcp add purposebot --env PURPOSEBOT_API_KEY=pb_xxx -- npx -y @purposebot/mcp@0.1.1
+claude mcp add purposebot --env PURPOSEBOT_API_KEY=pb_xxx -- npx -y @purposebot/mcp@0.1.2
 ```
 
 ## Environment
 
 | Variable | Required | Default | Notes |
 |---|---|---|---|
-| `PURPOSEBOT_API_KEY` | yes | - | sent as `X-API-Key` |
+| `PURPOSEBOT_API_KEY` | no | - | sent as `X-API-Key`; keyless mode supports first-key registration |
 | `PURPOSEBOT_API_URL` | no | `https://purposebot.ai` | origin only; use `https://api.purposebot.ai` or sandbox/self-host origin |
 | `PURPOSEBOT_ALLOW_CUSTOM_HOST` | no | unset | set to `1` for non-PurposeBot self-hosts |
 
-The wrapper validates the target URL before sending the API key. It only sends
+The wrapper validates the target URL before sending an API key. It only sends
 keys to PurposeBot hosts by default, allows `http://localhost` for development,
-rejects embedded credentials, and refuses HTTP redirects.
+rejects embedded credentials, and refuses HTTP redirects. Without
+`PURPOSEBOT_API_KEY`, the wrapper can still call keyless MCP tools such as
+`begin_registration`; protected tools return the hosted PurposeBot auth error.
 
 ## Develop
 

package/dist/index.js

@@ -9,14 +9,14 @@
  * checks, so new tools appear automatically.
  *
  * Env:
- *   PURPOSEBOT_API_KEY   (required) — your PurposeBot API key (sent as X-API-Key)
+ *   PURPOSEBOT_API_KEY   (optional) - your PurposeBot API key (sent as X-API-Key)
  *   PURPOSEBOT_API_URL   (optional) — defaults to https://purposebot.ai
  *   PURPOSEBOT_ALLOW_CUSTOM_HOST (optional) — set to 1 for self-hosts
  */
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { CallToolRequestSchema, ListToolsRequestSchema, } from "@modelcontextprotocol/sdk/types.js";
-const API_KEY = process.env.PURPOSEBOT_API_KEY;
+const API_KEY = process.env.PURPOSEBOT_API_KEY?.trim() || undefined;
 const REQUEST_TIMEOUT_MS = 60_000;
 const MAX_DIAGNOSTIC_BYTES = 2048;
 const PURPOSEBOT_TOKEN_RE = /\bpb_[A-Za-z0-9_=-]{12,}\b/g;
@@ -36,10 +36,10 @@ function die(msg) {
     console.error(`[purposebot-mcp] ${msg}`);
     process.exit(1);
 }
-// The wrapper's trust boundary: we send X-API-Key to this host on every call, so
-// validate it before any request. Default + allowlist PurposeBot hosts; require an
-// explicit opt-in for anything else; never send the key over plain http (except
-// localhost dev); reject embedded credentials.
+// The wrapper's trust boundary: if an API key is configured, it is sent to this
+// host. Validate before any request. Default + allowlist PurposeBot hosts;
+// require an explicit opt-in for anything else; never send the key over plain
+// http (except localhost dev); reject embedded credentials.
 const ALLOWED_HOSTS = new Set([
     "api.purposebot.ai",
     "api-sandbox.purposebot.ai",
@@ -71,9 +71,6 @@ function resolveApiBase(raw) {
     }
     return `${u.protocol}//${u.host}`;
 }
-if (!API_KEY) {
-    die("PURPOSEBOT_API_KEY is required. Set it in your MCP client config (env).");
-}
 const API_URL = resolveApiBase(process.env.PURPOSEBOT_API_URL ?? "https://purposebot.ai");
 const MCP_ENDPOINT = `${API_URL}/mcp`;
 let rpcId = 0;
@@ -111,13 +108,16 @@ async function rpc(method, params) {
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
     let res;
+    const headers = {
+        "content-type": "application/json",
+    };
+    if (API_KEY) {
+        headers["x-api-key"] = API_KEY;
+    }
     try {
         res = await fetch(MCP_ENDPOINT, {
             method: "POST",
-            headers: {
-                "content-type": "application/json",
-                "x-api-key": API_KEY,
-            },
+            headers,
             body: JSON.stringify({ jsonrpc: "2.0", id: ++rpcId, method, params }),
             // Never follow redirects: undici keeps custom headers (X-API-Key) on
             // cross-origin redirects, so a 30x from an allowlisted host could leak the
@@ -142,7 +142,7 @@ async function rpc(method, params) {
     }
     return body.result;
 }
-const server = new Server({ name: "purposebot", version: "0.1.1" }, { capabilities: { tools: {} } });
+const server = new Server({ name: "purposebot", version: "0.1.2" }, { capabilities: { tools: {} } });
 server.setRequestHandler(ListToolsRequestSchema, async (request) => {
     const result = await rpc("tools/list", request.params);
     return { ...(result ?? {}), tools: Array.isArray(result?.tools) ? result.tools : [] };
@@ -161,7 +161,8 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
 });
 async function main() {
     await server.connect(new StdioServerTransport());
-    console.error(`[purposebot-mcp] connected - proxying ${MCP_ENDPOINT}`);
+    const authMode = API_KEY ? "authenticated" : "keyless";
+    console.error(`[purposebot-mcp] connected - proxying ${MCP_ENDPOINT} (${authMode})`);
 }
 main().catch((err) => {
     console.error("[purposebot-mcp] fatal:", err);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@purposebot/mcp",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "description": "PurposeBot agent trust layer for MCP: agent identity, provenance, API access decisions, commerce reputation, and trust-ranked discovery.",
   "type": "module",
   "bin": {