@suveren/gateway 0.2.0 → 0.2.3

package/dist/control-plane/index.mjs

@@ -197,7 +197,7 @@ var Vault = class {
 import { Router } from "express";
 
 // src/lib/mcp-bridge.ts
-var MCP_BASE = process.env.HAP_MCP_INTERNAL_URL ?? "http://127.0.0.1:3430";
+var MCP_BASE = process.env.SUVEREN_MCP_INTERNAL_URL ?? "http://127.0.0.1:3430";
 var internalSecret = "";
 function setInternalSecret(secret) {
   internalSecret = secret;
@@ -854,7 +854,7 @@ ${contextParts.join("\n")}` : "",
   }
 }
 var CHAT_SYSTEM_PROMPTS = {
-  context: `You help a human author "context.md" \u2014 the standing-orders brief that is prepended to every AI agent session under the Human Agency Protocol (HAP).
+  context: `You help a human author "context.md" \u2014 the standing-orders brief that Suveren prepends to every AI agent session it gates.
 
 This text goes straight into the system prompt of downstream agents. Keep it operational, concrete, and short. Favor examples the user would recognize from their work.
 
@@ -870,7 +870,7 @@ When you propose a complete draft (or a full-document rewrite) of the context, w
 \`\`\`
 
 Only use that fence for full-document drafts the user can click "Apply". For partial suggestions, comments, or questions, write prose without the fence.`,
-  intent: `You help a human write an "Intent" paragraph for an AI agent authorization under the Human Agency Protocol (HAP).
+  intent: `You help a human write an "Intent" paragraph for an AI agent authorization issued by Suveren.
 
 The Intent is read by two audiences:
 1. The agent, on demand via list-authorizations(domain), when it's about to act in this domain.
@@ -1391,6 +1391,9 @@ function createApprovedIntentsRouter(vault2) {
 }
 
 // src/lib/update-checker.ts
+import { execSync } from "child_process";
+import { dirname as dirname2 } from "path";
+import { fileURLToPath } from "url";
 var GHCR_IMAGE = "suverenai/suveren-gateway";
 var NPM_PACKAGE = "@suveren/gateway";
 var CHECK_INTERVAL = 60 * 60 * 1e3;
@@ -1454,11 +1457,28 @@ function compareSemver(a, b) {
   }
   return 0;
 }
+function checkDev() {
+  const cwd = dirname2(fileURLToPath(import.meta.url));
+  try {
+    execSync("git fetch origin --quiet", { cwd, stdio: "ignore", timeout: 15e3 });
+    const out = execSync("git rev-list HEAD..origin/main --count", {
+      cwd,
+      encoding: "utf8",
+      timeout: 5e3
+    }).trim();
+    const behind = parseInt(out, 10) || 0;
+    updateAvailable = behind > 0;
+    latestVersion = behind > 0 ? `${behind} commit${behind === 1 ? "" : "s"} behind origin/main` : null;
+  } catch {
+    updateAvailable = false;
+    latestVersion = null;
+  }
+  lastCheckedAt = Date.now();
+}
 async function check() {
   try {
     if (installMethod === "dev") {
-      updateAvailable = true;
-      lastCheckedAt = Date.now();
+      checkDev();
       return;
     }
     if (installMethod === "npm") {

package/dist/mcp-server/http.mjs

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // bin/http.ts
-import { randomUUID } from "crypto";
+import { randomUUID as randomUUID2 } from "crypto";
 import express from "express";
 import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
@@ -15,12 +15,19 @@ var SPReceiptError = class extends Error {
     this.name = "SPReceiptError";
   }
 };
+var DEFAULT_RECEIPT_RETRY = {
+  maxAttempts: 3,
+  delaysMs: [100, 300]
+};
+var sleep = (ms) => ms > 0 ? new Promise((resolve3) => setTimeout(resolve3, ms)) : Promise.resolve();
 var SPClient = class {
-  constructor(baseUrl) {
+  constructor(baseUrl, receiptRetry = {}) {
     this.baseUrl = baseUrl;
+    this.receiptRetry = { ...DEFAULT_RECEIPT_RETRY, ...receiptRetry };
   }
   sessionCookie = "";
   apiKey = "";
+  receiptRetry;
   setApiKey(key) {
     this.apiKey = key;
   }
@@ -89,18 +96,39 @@ var SPClient = class {
    * Errors throw SPReceiptError with the structured `errors` array in `body`.
    */
   async postReceipt(data) {
-    const res = await this.fetch("/api/as/receipt", {
-      method: "POST",
-      body: JSON.stringify(data)
-    });
-    const body = await res.json().catch(() => ({}));
-    if (!res.ok || body.approved === false) {
-      const errors = body.errors;
-      const first = errors?.[0];
-      const message = first?.message ?? first?.code ?? body.error ?? `SP receipt request failed: ${res.status}`;
-      throw new SPReceiptError(message, res.status, body);
+    const body = JSON.stringify(data);
+    const maxAttempts = data.idempotencyKey ? this.receiptRetry.maxAttempts : 1;
+    let lastError;
+    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+      const isLast = attempt === maxAttempts;
+      let res;
+      try {
+        res = await this.fetch("/api/as/receipt", { method: "POST", body });
+      } catch (err) {
+        lastError = err;
+        if (isLast) throw err;
+        await sleep(this.receiptRetry.delaysMs[attempt - 1] ?? 0);
+        continue;
+      }
+      const respBody = await res.json().catch(() => ({}));
+      if (res.status >= 500 && !isLast) {
+        lastError = new SPReceiptError(
+          `SP receipt request failed: ${res.status}`,
+          res.status,
+          respBody
+        );
+        await sleep(this.receiptRetry.delaysMs[attempt - 1] ?? 0);
+        continue;
+      }
+      if (!res.ok || respBody.approved === false) {
+        const errors = respBody.errors;
+        const first = errors?.[0];
+        const message = first?.message ?? first?.code ?? respBody.error ?? `SP receipt request failed: ${res.status}`;
+        throw new SPReceiptError(message, res.status, respBody);
+      }
+      return { receipt: respBody.receipt };
     }
-    return { receipt: body.receipt };
+    throw lastError ?? new Error("postReceipt: retries exhausted");
   }
   /**
    * Submit a proposal for deferred commitment review.
@@ -818,7 +846,8 @@ function countToolsByGating(profileId, integrationManager2) {
 function buildMandateBrief(opts) {
   const { authorizations, executionLog, integrationManager: integrationManager2, contextDir } = opts;
   const lines = [
-    "You are an agent operating under the Human Agency Protocol (HAP).",
+    "You are connected to Suveren \u2014 the gateway that gates every privileged tool call you make.",
+    "Suveren implements the bounded-authority model from the open Human Agency Protocol (HAP).",
     "You have bounded authorities granted by human decision owners.",
     "You MUST stay within these bounds \u2014 the Gatekeeper will reject actions that exceed them."
   ];
@@ -878,6 +907,7 @@ import { getProfile as getProfile2 } from "@hap/core";
 // src/lib/tool-proxy.ts
 import { readFile } from "fs/promises";
 import { extname } from "path";
+import { randomUUID } from "crypto";
 var IMAGE_MIME = {
   ".jpg": "image/jpeg",
   ".jpeg": "image/jpeg",
@@ -1048,7 +1078,8 @@ Proposal ID: ${proposal.id}. Check status with check-pending-commitments(proposa
             action: tool.namespacedName,
             actionType,
             executionContext: { ...execution },
-            amount: typeof execution.amount === "number" ? execution.amount : void 0
+            amount: typeof execution.amount === "number" ? execution.amount : void 0,
+            idempotencyKey: randomUUID()
           });
         } catch (err) {
           if (err instanceof SPReceiptError && err.statusCode === 409) {
@@ -1427,7 +1458,7 @@ function listIntegrationsHandler(state2, integrationManager2) {
       if (matchingAuths.length > 0) {
         const soonestExpiry = Math.min(
           ...matchingAuths.flatMap(
-            (a) => a.attestations.map((att) => att.expires_at)
+            (a) => a.attestations.map((att) => att.expiresAt)
           )
         );
         const remainingMs = soonestExpiry * 1e3 - Date.now();
@@ -2497,7 +2528,7 @@ app.all("/mcp", async (req, res) => {
     }
     if (req.method === "POST" && !sessionId) {
       const transport = new StreamableHTTPServerTransport({
-        sessionIdGenerator: () => randomUUID()
+        sessionIdGenerator: () => randomUUID2()
       });
       transport.onclose = () => {
         if (transport.sessionId) {