@scales-baby/nest-bridge 1.0.1 → 1.0.2

package/dist/data.js

@@ -25,15 +25,18 @@ const PATHS = {
 class DataLayer {
     client;
     vault;
-    constructor(client, vault) {
+    ensureUnlocked;
+    constructor(client, vault, ensureUnlocked = async () => { }) {
         this.client = client;
         this.vault = vault;
+        this.ensureUnlocked = ensureUnlocked;
     }
     path(model) {
         return PATHS[model];
     }
     // --- READS ---------------------------------------------------------------
     async list(model, query = {}) {
+        await this.ensureUnlocked();
         const qs = Object.entries(query)
             .filter(([, v]) => v !== undefined && v !== "")
             .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(String(v))}`)
@@ -43,6 +46,7 @@ class DataLayer {
         return Promise.all(rows.map((r) => this.decrypt(model, r)));
     }
     async get(model, id) {
+        await this.ensureUnlocked();
         const row = await this.client.get(`${this.path(model)}/${id}`);
         if (!row)
             return null;
@@ -65,6 +69,7 @@ class DataLayer {
     // account is encrypted) and POST ciphertext. Returns the created record,
     // decrypted back for the caller.
     async create(model, fields) {
+        await this.ensureUnlocked();
         const payload = await (0, crypto_1.buildWritePayload)(model, {
             encrypted: this.vault.encrypted,
             dek: this.vault.dek,
@@ -80,6 +85,7 @@ class DataLayer {
     // record, merge the caller's changes on top, then build the write from the
     // merged full record (sensitive) + the caller's changes (cleartext only).
     async update(model, id, changes) {
+        await this.ensureUnlocked();
         let payload;
         if (this.vault.encrypted && this.vault.dek) {
             const current = await this.get(model, id); // decrypted
@@ -101,12 +107,14 @@ class DataLayer {
     }
     // Convenience: mark a task done (metadata-only write, never touches content).
     async completeTask(id) {
+        await this.ensureUnlocked();
         const updated = await this.client.patch(`${this.path("task")}/${id}`, { status: "done" });
         if (!updated)
             return null;
         return this.decrypt("task", updated);
     }
     async digest() {
+        await this.ensureUnlocked();
         return this.client.get("/api/digest");
     }
 }

package/dist/index.js

@@ -46,35 +46,57 @@ async function main() {
         process.exit(1);
     }
     const client = new nestClient_1.NestClient({ apiUrl, apiKey });
-    // 1) Fetch the password-wrapped DEK blob + the account's encryption state.
-    log(`Connecting to ${apiUrl} …`);
-    let wrapInfo;
-    try {
-        wrapInfo = await client.getBridgeWrap();
-    }
-    catch (e) {
-        log("Failed to reach Nest or authenticate the API key:", e instanceof Error ? e.message : String(e));
-        process.exit(1);
-    }
-    const encrypted = wrapInfo.encState === "encrypted";
-    let vault = { encrypted, dek: null, dekVersion: 1 };
-    if (!encrypted) {
-        log("Account is NOT end-to-end encrypted — running in pass-through mode (no key needed).");
-    }
-    else if (!wrapInfo.hasPasswordWrap || !wrapInfo.wrap) {
-        log("Account is encrypted but has NO password unlock method. The bridge unlocks by password; add a password method in Nest → Settings → Encryption, then retry. Continuing LOCKED (content will be blank).");
-    }
-    else {
+    // The vault is mutated IN PLACE once the background unlock resolves; the
+    // DataLayer holds this same reference, so a tool call that awaits the unlock
+    // gate sees the populated DEK. canWrite/encrypted are likewise filled in by
+    // the background unlock and read lazily by the write gate.
+    const vault = { encrypted: false, dek: null, dekVersion: 1 };
+    let canWrite = false;
+    let encrypted = false;
+    let unlocked = false;
+    // ---- BACKGROUND UNLOCK ----------------------------------------------------
+    // We do NOT block the MCP handshake on this. It runs right after we connect
+    // the stdio transport (kicked off below). Tool calls await `unlockGate`; a
+    // rejection carries a clean, human-readable reason that surfaces to Claude.
+    let unlockPromise = null;
+    async function doUnlock() {
+        // 1) Fetch the password-wrapped DEK blob + the account's encryption state.
+        log(`Connecting to ${apiUrl} …`);
+        let wrapInfo;
+        try {
+            wrapInfo = await client.getBridgeWrap();
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            log("Failed to reach Nest or authenticate the API key:", msg);
+            throw new Error(`Could not unlock: failed to reach Nest or the API key is invalid (${msg}).`);
+        }
+        encrypted = wrapInfo.encState === "encrypted";
+        vault.encrypted = encrypted;
+        // Determine write capability from the key's scopes (the server still
+        // enforces authoritatively per-route).
+        const scopes = wrapInfo.scopes ?? [];
+        canWrite = scopes.some((s) => WRITE_SCOPES.has(s));
+        if (process.env.NEST_READ_ONLY === "1")
+            canWrite = false;
+        log(`Key scopes: ${scopes.join(", ") || "(unknown)"} → ${canWrite ? "read+write" : "read-only"}.`);
+        if (!encrypted) {
+            log("Account is NOT end-to-end encrypted — running in pass-through mode (no key needed).");
+            unlocked = true;
+            return;
+        }
+        if (!wrapInfo.hasPasswordWrap || !wrapInfo.wrap) {
+            log("Account is encrypted but has NO password unlock method. The bridge unlocks by password; add a password method in Nest → Settings → Encryption, then retry. Continuing LOCKED (content will be blank).");
+            throw new Error("Could not unlock: this encrypted account has no password unlock method. Add a password method in Nest → Settings → Encryption.");
+        }
         // 2) Get the password. Priority: env/connector config (NEST_PASSWORD) for
         // non-interactive launches (Claude Desktop / OpenAI inject user_config as
         // env), else a hidden TTY prompt for manual terminal runs. When launched
-        // WITHOUT a real interactive terminal AND without NEST_PASSWORD (e.g. a
-        // Claude Desktop connector with the field left blank), DO NOT try to read
-        // the MCP stdio pipe — continue locked with a clear message instead.
+        // WITHOUT a real interactive terminal AND without NEST_PASSWORD, do NOT try
+        // to read the MCP stdio pipe — fail the unlock with a clear message.
         let password = process.env.NEST_PASSWORD || "";
         if (!password) {
-            const interactive = hasInteractiveTty();
-            if (interactive) {
+            if (hasInteractiveTty()) {
                 password = await (0, prompt_1.promptHidden)("Nest encryption password: ");
             }
             else {
@@ -82,40 +104,53 @@ async function main() {
             }
         }
         if (!password) {
-            log("No password provided — continuing LOCKED (content will be blank).");
+            throw new Error("Could not unlock: no password provided. Set NEST_PASSWORD in your connector config, or run the bridge in a terminal to be prompted.");
         }
-        else {
-            // 3) Derive the password KEK (Argon2id, matches the browser) → unwrap DEK.
-            log("Deriving key (Argon2id) and unwrapping the DEK locally …");
-            try {
-                const { dek, dekVersion } = await (0, crypto_1.unlockDekWithPassword)(password, wrapInfo.wrap);
-                vault = { encrypted: true, dek, dekVersion };
-                log("Unlocked. The DEK is held in memory only; the server never sees it.");
-            }
-            catch (e) {
-                log("Unlock FAILED (wrong password or wrap mismatch):", e instanceof Error ? e.message : String(e), "— continuing LOCKED.");
-            }
+        // 3) Derive the password KEK (Argon2id, matches the browser) → unwrap DEK.
+        log("Deriving key (Argon2id) and unwrapping the DEK locally …");
+        try {
+            const { dek, dekVersion } = await (0, crypto_1.unlockDekWithPassword)(password, wrapInfo.wrap);
+            vault.dek = dek;
+            vault.dekVersion = dekVersion;
+            unlocked = true;
+            log("Unlocked. The DEK is held in memory only; the server never sees it.");
         }
-        // Best-effort scrub of the password reference.
-        password = "";
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            log("Unlock FAILED (wrong password or wrap mismatch):", msg);
+            throw new Error("Could not unlock: wrong password (the wrapped key failed to decrypt).");
+        }
+        finally {
+            // Best-effort scrub of the password reference.
+            password = "";
+        }
+    }
+    // Idempotent gate: start the unlock once, await the same promise everywhere.
+    // A rejection is cached so every subsequent tool call sees the same clean
+    // error (we don't retry a wrong password on each call).
+    function ensureUnlocked() {
+        if (!unlockPromise)
+            unlockPromise = doUnlock();
+        return unlockPromise;
     }
-    // Determine write capability from the key's scopes (the server still enforces
-    // authoritatively per-route). The bridge-wrap endpoint reports the key's
-    // scopes; a read-only key gets a clean "read-only" message instead of a 403.
-    const scopes = wrapInfo.scopes ?? [];
-    let canWrite = scopes.some((s) => WRITE_SCOPES.has(s));
-    if (process.env.NEST_READ_ONLY === "1")
-        canWrite = false;
-    log(`Key scopes: ${scopes.join(", ") || "(unknown)"} → ${canWrite ? "read+write" : "read-only"}.`);
-    const data = new data_1.DataLayer(client, vault);
+    const data = new data_1.DataLayer(client, vault, ensureUnlocked);
     const server = await (0, mcp_1.buildServer)({
         data,
-        canWrite,
-        encrypted,
-        unlocked: vault.dek !== null,
+        ensureUnlocked,
+        getStatus: () => ({ canWrite, encrypted, unlocked }),
     });
+    // ---- CONNECT FIRST (instant handshake) ------------------------------------
+    // Connect the stdio transport BEFORE unlocking so the client's MCP
+    // initialize/connect probe completes immediately (no Argon2id/fetch on the
+    // handshake path). tools/list works right away.
     await (0, mcp_1.runStdio)(server);
     log("MCP server ready (stdio). Connect Claude to this process.");
+    // ---- THEN unlock in the background ----------------------------------------
+    // Kick it off now so the DEK is usually ready by the first tool call; if a
+    // tool is called sooner, DataLayer.ensureUnlocked() awaits this same promise.
+    // Swallow the rejection here (it's surfaced per tool call); never crash the
+    // process — tools/list must keep working even if unlock fails.
+    ensureUnlocked().catch(() => { });
 }
 main().catch((e) => {
     console.error("[nest-bridge] fatal:", e);

package/dist/mcp.js

@@ -86,13 +86,25 @@ async function buildServer(ctx) {
     const { McpServer } = await loadSdk();
     const server = new McpServer({
         name: "nest-bridge",
-        version: "1.0.0",
+        version: "1.0.2",
     });
-    const encNote = ctx.encrypted
-        ? ctx.unlocked
-            ? " This account is end-to-end encrypted; the bridge decrypts/encrypts locally so you see and write real content."
-            : " WARNING: this encrypted account is LOCKED (no key) — content fields will be blank."
-        : "";
+    // Descriptions are registered ONCE at startup, before the background unlock
+    // finishes — so this note can't depend on the (not-yet-known) unlock state.
+    // Tool calls themselves await the unlock; if it's an encrypted account the
+    // bridge decrypts locally once unlocked. Keep the note generic + honest.
+    const encNote = " If your Nest account is end-to-end encrypted, the bridge unlocks with your" +
+        " password in the background and decrypts/encrypts locally so you see and" +
+        " write real content; the server only ever sees ciphertext.";
+    // Shared write-gate: tool calls go through DataLayer (which awaits the unlock)
+    // for the heavy lifting, but the canWrite scope is only known post-unlock, so
+    // write tools ensure the unlock settled, then check the scope for a clean
+    // "read-only" message before attempting the write.
+    async function ensureWritable() {
+        await ctx.ensureUnlocked();
+        if (!ctx.getStatus().canWrite) {
+            throw new Error("This API key is read-only (no write scope).");
+        }
+    }
     // ---- generic registrars -------------------------------------------------
     const listFilter = {
         status: zod_1.z.string().optional().describe("Filter by status"),
@@ -154,10 +166,8 @@ async function buildServer(ctx) {
     }
     function registerCreate(name, model, shape, desc) {
         server.registerTool(name, { description: desc + encNote, inputSchema: shape }, async (args) => {
-            if (!ctx.canWrite) {
-                return errResult(new Error("This API key is read-only (no write scope)."));
-            }
             try {
+                await ensureWritable();
                 const clean = Object.fromEntries(Object.entries(args).filter(([, v]) => v !== undefined));
                 const created = await ctx.data.create(model, clean);
                 return jsonResult(created);
@@ -172,10 +182,8 @@ async function buildServer(ctx) {
             description: desc + encNote,
             inputSchema: { id: zod_1.z.string().describe("The record's _id"), ...shape },
         }, async (args) => {
-            if (!ctx.canWrite) {
-                return errResult(new Error("This API key is read-only (no write scope)."));
-            }
             try {
+                await ensureWritable();
                 const { id, ...rest } = args;
                 const changes = Object.fromEntries(Object.entries(rest).filter(([, v]) => v !== undefined));
                 const updated = await ctx.data.update(model, id, changes);
@@ -264,10 +272,8 @@ async function buildServer(ctx) {
         description: "Mark a task done (metadata-only).",
         inputSchema: { id: zod_1.z.string().describe("The task _id") },
     }, async (args) => {
-        if (!ctx.canWrite) {
-            return errResult(new Error("This API key is read-only (no write scope)."));
-        }
         try {
+            await ensureWritable();
             return jsonResult(await ctx.data.completeTask(args.id));
         }
         catch (e) {

package/manifest.json

@@ -2,7 +2,7 @@
   "manifest_version": "0.3",
   "name": "scales-nest",
   "display_name": "Nest by SCALES",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "Read and write your end-to-end-encrypted Nest through your own AI. Your encryption key is derived locally and never leaves your machine; Nest's servers only ever see ciphertext.",
   "long_description": "Nest is your encrypted second brain (people, companies, tasks, events). This connector runs a small MCP server on your own machine. It fetches your password-wrapped key from Nest, unwraps it locally, then decrypts on read and encrypts on write right here. The Nest server only ever stores ciphertext and never receives your password, your key, or your plaintext. Mint a scoped API key in Nest (Settings then Connect your AI), paste it plus your encryption password below, and your AI can read and (with a full-control key) write your Nest data.",
   "author": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@scales-baby/nest-bridge",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "Local MCP bridge for Nest. Read and write your end-to-end-encrypted Nest data through your own AI; the encryption key is derived locally from your password and never leaves your machine.",
   "license": "MIT",
   "author": "SCALES (https://nest.scales.baby)",