@truealter/sdk 0.2.2 → 0.4.1

package/dist/index.cjs

@@ -1,8 +1,16 @@
 'use strict';
 
+var p256 = require('@noble/curves/p256');
+var sha256 = require('@noble/hashes/sha256');
+var utils = require('@noble/hashes/utils');
 var ed25519 = require('@noble/ed25519');
 var sha512 = require('@noble/hashes/sha512');
-var utils = require('@noble/hashes/utils');
+var child_process = require('child_process');
+var os = require('os');
+var path = require('path');
+var process$1 = require('process');
+var fs = require('fs');
+var crypto$1 = require('crypto');
 
 function _interopNamespace(e) {
   if (e && e.__esModule) return e;
@@ -24,7 +32,166 @@ function _interopNamespace(e) {
 
 var ed25519__namespace = /*#__PURE__*/_interopNamespace(ed25519);
 
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// node_modules/tsup/assets/cjs_shims.js
+var init_cjs_shims = __esm({
+  "node_modules/tsup/assets/cjs_shims.js"() {
+  }
+});
+
+// src/signing.ts
+var signing_exports = {};
+__export(signing_exports, {
+  canonicalArgsSha256: () => canonicalArgsSha256,
+  canonicalStringify: () => canonicalStringify,
+  loadPrivateKey: () => loadPrivateKey,
+  signInvocation: () => signInvocation
+});
+function canonicalStringify(value) {
+  return stringifyInner(value);
+}
+function stringifyInner(value) {
+  if (value === null) return "null";
+  if (value === void 0) {
+    throw new TypeError("canonicalStringify: undefined is not representable in JSON");
+  }
+  if (typeof value === "boolean") return value ? "true" : "false";
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      throw new TypeError("canonicalStringify: non-finite numbers are not representable");
+    }
+    return JSON.stringify(value);
+  }
+  if (typeof value === "string") return encodeString(value);
+  if (Array.isArray(value)) {
+    return "[" + value.map((v) => stringifyInner(v)).join(",") + "]";
+  }
+  if (typeof value === "object") {
+    const obj = value;
+    const keys = Object.keys(obj).sort();
+    return "{" + keys.map((k) => encodeString(k) + ":" + stringifyInner(obj[k])).join(",") + "}";
+  }
+  throw new TypeError(`canonicalStringify: unsupported type ${typeof value}`);
+}
+function encodeString(s) {
+  return JSON.stringify(s);
+}
+function canonicalArgsSha256(toolArgs) {
+  const canonical = canonicalStringify(toolArgs ?? {});
+  const bytes = new TextEncoder().encode(canonical);
+  const digest = sha256.sha256(bytes);
+  return bytesToHex(digest);
+}
+function bytesToHex(bytes) {
+  let out = "";
+  for (let i = 0; i < bytes.length; i++) {
+    out += bytes[i].toString(16).padStart(2, "0");
+  }
+  return out;
+}
+function base64urlEncode(bytes) {
+  const raw = typeof bytes === "string" ? new TextEncoder().encode(bytes) : bytes;
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(raw).toString("base64url");
+  }
+  let binary = "";
+  for (let i = 0; i < raw.length; i++) binary += String.fromCharCode(raw[i]);
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function loadPrivateKey(key) {
+  if (key instanceof Uint8Array) {
+    if (key.length !== 32) {
+      throw new TypeError("ES256 raw private key must be 32 bytes.");
+    }
+    return key;
+  }
+  if (typeof key === "string" && key.includes("-----BEGIN")) {
+    const nodeCrypto = __require("crypto");
+    const keyObj = nodeCrypto.createPrivateKey({ key, format: "pem" });
+    const jwk = keyObj.export({ format: "jwk" });
+    if (jwk.crv !== "P-256" || !jwk.d) {
+      throw new TypeError("PEM is not a P-256 private key.");
+    }
+    return base64urlDecodeToBytes(jwk.d);
+  }
+  throw new TypeError("loadPrivateKey: expected Uint8Array(32) or PEM string.");
+}
+function base64urlDecodeToBytes(s) {
+  const pad = s.length % 4 === 0 ? "" : "=".repeat(4 - s.length % 4);
+  const b64 = (s + pad).replace(/-/g, "+").replace(/_/g, "/");
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(b64, "base64"));
+  }
+  const binary = atob(b64);
+  const out = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) out[i] = binary.charCodeAt(i);
+  return out;
+}
+function signInvocation(toolName, toolArgs, options) {
+  const { kid, privateKey, handle } = options;
+  const nonce = options.nonce ?? base64urlEncode(utils.randomBytes(24));
+  const iat = options.iatSeconds ?? Math.floor(Date.now() / 1e3);
+  const claims = {
+    tool: toolName,
+    args_sha256: canonicalArgsSha256(toolArgs ?? {}),
+    nonce,
+    iat,
+    iss: handle
+  };
+  const headerB64 = base64urlEncode(JSON.stringify({ alg: "ES256", kid }));
+  const payloadB64 = base64urlEncode(JSON.stringify(claims));
+  const signingInput = `${headerB64}.${payloadB64}`;
+  const signingBytes = new TextEncoder().encode(signingInput);
+  const dBytes = loadPrivateKey(privateKey);
+  const digest = sha256.sha256(signingBytes);
+  const sig = p256.p256.sign(digest, dBytes, { prehash: false });
+  const sigBytes = sig.toCompactRawBytes();
+  const sigB64 = base64urlEncode(sigBytes);
+  return `${signingInput}.${sigB64}`;
+}
+var init_signing = __esm({
+  "src/signing.ts"() {
+    init_cjs_shims();
+  }
+});
+
+// src/index.ts
+init_cjs_shims();
+
+// src/client.ts
+init_cjs_shims();
+
+// src/discovery.ts
+init_cjs_shims();
+
 // src/errors.ts
+init_cjs_shims();
 var AlterError = class extends Error {
   code;
   cause;
@@ -123,7 +290,12 @@ async function discover(domain, opts = {}) {
     try {
       const dnsHit = await tryDns(host);
       if (dnsHit) {
-        const result = { url: dnsHit, transport: "streamable-http", source: "dns" };
+        const parsed = validateDiscoveredUrl(dnsHit, "dns");
+        const result = {
+          url: parsed.toString().replace(/\/$/, ""),
+          transport: "streamable-http",
+          source: "dns"
+        };
         if (cache) _cache.set(host, result);
         return result;
       }
@@ -164,6 +336,28 @@ function normaliseDomain(input) {
   if (!host) throw new AlterDiscoveryError(`Empty domain: "${input}"`);
   return host;
 }
+function validateDiscoveredUrl(url, source) {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    throw new AlterDiscoveryError(`${source}: malformed URL ${url}`);
+  }
+  if (parsed.protocol !== "https:") {
+    throw new AlterDiscoveryError(
+      `${source}: non-https MCP endpoint rejected (got ${parsed.protocol}//${parsed.hostname})`
+    );
+  }
+  if (parsed.username || parsed.password) {
+    throw new AlterDiscoveryError(
+      `${source}: MCP endpoint must not contain userinfo (user:pass@host)`
+    );
+  }
+  if (!parsed.hostname) {
+    throw new AlterDiscoveryError(`${source}: MCP endpoint missing hostname`);
+  }
+  return parsed;
+}
 async function tryDns(host) {
   let resolveTxt;
   try {
@@ -224,14 +418,17 @@ async function tryWellKnown(host, file, timeoutMs, fetchImpl) {
   if (file === "mcp.json") {
     const remotes = doc.remotes || [];
     const remote = remotes.find((r) => r.transportType === "streamable-http" || r.transportType === "http");
-    const url2 = remote?.url || doc.url;
-    if (!url2) return null;
-    return { url: url2, transport: "streamable-http", source: "mcp.json", raw: doc };
+    const rawUrl = remote?.url || doc.url;
+    if (!rawUrl) return null;
+    const parsed = validateDiscoveredUrl(rawUrl, "mcp.json");
+    return { url: parsed.toString().replace(/\/$/, ""), transport: "streamable-http", source: "mcp.json", raw: doc };
   }
   const mcpHost = doc.mcp;
   if (!mcpHost) return null;
+  const normalised = ensureMcpPath(mcpHost);
+  validateDiscoveredUrl(normalised, "alter.json");
   return {
-    url: ensureMcpPath(mcpHost),
+    url: normalised,
     transport: "streamable-http",
     source: "alter.json",
     publicKey: doc.pk,
@@ -250,7 +447,11 @@ function ensureMcpPath(url) {
   }
 }
 
+// src/mcp.ts
+init_cjs_shims();
+
 // src/x402.ts
+init_cjs_shims();
 var X402Client = class {
   signer;
   maxPerQuery;
@@ -277,11 +478,14 @@ var X402Client = class {
     if (!this.assets.has(envelope.asset)) {
       throw new AlterError("PAYMENT_REQUIRED", `asset ${envelope.asset} not permitted by client policy`);
     }
-    if (this.maxPerQuery !== void 0 && Number(envelope.amount) > this.maxPerQuery) {
-      throw new AlterError(
-        "PAYMENT_REQUIRED",
-        `quote ${envelope.amount} ${envelope.asset} exceeds maxPerQuery ${this.maxPerQuery}`
-      );
+    if (this.maxPerQuery !== void 0) {
+      const amt = Number(envelope.amount);
+      if (!Number.isFinite(amt) || amt < 0 || amt > this.maxPerQuery) {
+        throw new AlterError(
+          "PAYMENT_REQUIRED",
+          `quote ${envelope.amount} ${envelope.asset} exceeds maxPerQuery ${this.maxPerQuery}`
+        );
+      }
     }
     if (!this.signer) {
       throw new AlterPaymentRequired(envelope.resource ?? "unknown", envelope);
@@ -339,6 +543,7 @@ var MCPClient = class {
   maxRetries;
   clientInfo;
   x402;
+  signing;
   requestCounter = 0;
   initialised = false;
   constructor(opts = {}) {
@@ -349,6 +554,7 @@ var MCPClient = class {
     this.maxRetries = opts.maxRetries ?? 2;
     this.clientInfo = opts.clientInfo ?? { name: "@truealter/sdk", version: "0.2.0" };
     this.x402 = opts.x402;
+    this.signing = opts.signing;
   }
   /**
    * Send the MCP `initialize` handshake and capture the resulting session
@@ -435,6 +641,7 @@ var MCPClient = class {
       method
     };
     if (params !== void 0) payload.params = params;
+    const signatureHeader = this.buildSignatureHeader(method, params);
     let attempt = 0;
     let lastErr = null;
     while (attempt <= this.maxRetries) {
@@ -445,7 +652,7 @@ var MCPClient = class {
       try {
         resp = await this.fetchImpl(this.endpoint, {
           method: "POST",
-          headers: this.buildHeaders(),
+          headers: this.buildHeaders(signatureHeader),
           body: JSON.stringify(payload),
           signal: controller.signal
         });
@@ -472,7 +679,8 @@ var MCPClient = class {
         throw new AlterPaymentRequired(this.guessToolName(payload), envelope);
       }
       if (resp.status === 429) {
-        const retryAfter = Number(resp.headers.get("Retry-After") ?? 60);
+        const rawRetryAfter = Number(resp.headers.get("Retry-After") ?? 60);
+        const retryAfter = Number.isFinite(rawRetryAfter) && rawRetryAfter >= 0 ? Math.min(rawRetryAfter, 300) : 60;
         if (attempt > this.maxRetries) {
           throw new AlterRateLimited(`HTTP 429 on ${method}`, retryAfter);
         }
@@ -508,7 +716,7 @@ var MCPClient = class {
     }
     throw lastErr ?? new AlterNetworkError(`MCP ${method}: exhausted retries`);
   }
-  buildHeaders() {
+  buildHeaders(extra) {
     const headers = {
       "Content-Type": "application/json",
       Accept: "application/json",
@@ -516,8 +724,27 @@ var MCPClient = class {
     };
     if (this.apiKey) headers["X-ALTER-API-Key"] = this.apiKey;
     if (this.sessionId) headers["Mcp-Session-Id"] = this.sessionId;
+    if (extra) Object.assign(headers, extra);
     return headers;
   }
+  /**
+   * Produce the `Mcp-Invocation-Signature` header for a `tools/call`
+   * payload, when signing is configured. Returns `undefined` when no
+   * signing key is attached or the method is not `tools/call`.
+   */
+  buildSignatureHeader(method, params) {
+    if (!this.signing) return void 0;
+    if (method !== "tools/call") return void 0;
+    const p = params;
+    if (!p?.name) return void 0;
+    const { signInvocation: signInvocation2 } = (init_signing(), __toCommonJS(signing_exports));
+    const headerValue = signInvocation2(p.name, p.arguments ?? {}, {
+      kid: this.signing.kid,
+      privateKey: this.signing.privateKey,
+      handle: this.signing.handle
+    });
+    return { "Mcp-Invocation-Signature": headerValue };
+  }
   async extractPaymentEnvelope(resp) {
     const headerValue = resp.headers.get("X-402-Payment") ?? resp.headers.get("x-402-payment");
     if (headerValue) {
@@ -555,6 +782,12 @@ async function safeText(resp) {
     return "";
   }
 }
+
+// src/provenance.ts
+init_cjs_shims();
+
+// src/auth.ts
+init_cjs_shims();
 ed25519__namespace.etc.sha512Sync = (...m) => sha512.sha512(ed25519__namespace.etc.concatBytes(...m));
 function generateKeypair() {
   const privateKey = utils.randomBytes(32);
@@ -593,14 +826,14 @@ async function verify(publicKeyHex, signatureHex, message) {
 }
 function encodeDid(publicKey) {
   const bytes = typeof publicKey === "string" ? utils.hexToBytes(publicKey) : publicKey;
-  return `ed25519:${base64urlEncode(bytes)}`;
+  return `ed25519:${base64urlEncode2(bytes)}`;
 }
 function decodeDid(did) {
   const ed25519Match = did.match(/^ed25519:(.+)$/);
   if (ed25519Match) return base64urlDecode(ed25519Match[1]);
   throw new Error(`Unrecognised DID encoding: ${did}`);
 }
-function base64urlEncode(bytes) {
+function base64urlEncode2(bytes) {
   let b64;
   if (typeof Buffer !== "undefined") {
     b64 = Buffer.from(bytes).toString("base64");
@@ -625,6 +858,8 @@ function base64urlDecode(input) {
 // src/provenance.ts
 var _jwksCache = /* @__PURE__ */ new Map();
 var JWKS_TTL_MS = 5 * 60 * 1e3;
+var JWKS_MAX_BYTES = 64 * 1024;
+var JWKS_CACHE_MAX_ENTRIES = 32;
 var DEFAULT_VERIFY_AT_ALLOWLIST = Object.freeze([
   "api.truealter.com",
   "mcp.truealter.com"
@@ -734,7 +969,8 @@ async function fetchPublicKeys(jwksUrl, fetchImpl = fetch) {
   return fetchJwks(jwksUrl, fetchImpl);
 }
 async function fetchJwks(url, fetchImpl) {
-  const cached = _jwksCache.get(url);
+  const cacheKey = jwksCacheKey(url);
+  const cached = _jwksCache.get(cacheKey);
   if (cached && Date.now() - cached.fetched < JWKS_TTL_MS) return cached.jwks;
   let resp;
   try {
@@ -751,13 +987,45 @@ async function fetchJwks(url, fetchImpl) {
     );
   }
   if (!resp.ok) throw new AlterNetworkError(`${url} \u2192 HTTP ${resp.status}`);
-  const doc = await resp.json();
+  const contentLength = resp.headers.get("content-length");
+  if (contentLength !== null) {
+    const n = Number.parseInt(contentLength, 10);
+    if (Number.isFinite(n) && n > JWKS_MAX_BYTES) {
+      throw new AlterProvenanceError(
+        `${url} \u2192 JWKS too large: ${n} > ${JWKS_MAX_BYTES} bytes`
+      );
+    }
+  }
+  const body = await resp.text();
+  if (body.length > JWKS_MAX_BYTES) {
+    throw new AlterProvenanceError(
+      `${url} \u2192 JWKS too large: ${body.length} > ${JWKS_MAX_BYTES} bytes`
+    );
+  }
+  let doc;
+  try {
+    doc = JSON.parse(body);
+  } catch (err) {
+    throw new AlterProvenanceError(`invalid JWKS at ${url}: ${err.message}`);
+  }
   if (!doc || !Array.isArray(doc.keys)) {
     throw new AlterProvenanceError(`invalid JWKS at ${url}`);
   }
-  _jwksCache.set(url, { fetched: Date.now(), jwks: doc });
+  if (_jwksCache.size >= JWKS_CACHE_MAX_ENTRIES && !_jwksCache.has(cacheKey)) {
+    const oldest = _jwksCache.keys().next().value;
+    if (oldest !== void 0) _jwksCache.delete(oldest);
+  }
+  _jwksCache.set(cacheKey, { fetched: Date.now(), jwks: doc });
   return doc;
 }
+function jwksCacheKey(url) {
+  try {
+    const parsed = new URL(url);
+    return `${parsed.origin}${parsed.pathname}`;
+  } catch {
+    return url;
+  }
+}
 function resolveVerifyAt(verifyAt, allowlist = DEFAULT_VERIFY_AT_ALLOWLIST) {
   if (typeof verifyAt !== "string" || verifyAt.length === 0) {
     throw new Error("verify_at must be a non-empty string");
@@ -780,6 +1048,9 @@ function resolveVerifyAt(verifyAt, allowlist = DEFAULT_VERIFY_AT_ALLOWLIST) {
   if (parsed.protocol !== "https:") {
     throw new Error(`verify_at must be https: ${verifyAt}`);
   }
+  if (parsed.username || parsed.password) {
+    throw new Error(`verify_at must not contain userinfo: ${verifyAt}`);
+  }
   const host = parsed.hostname.toLowerCase();
   const allowed = allowlist.some((h) => h.toLowerCase() === host);
   if (!allowed) {
@@ -860,6 +1131,15 @@ var AlterClient = class {
     await this.mcp.initialize();
   }
   // ── Free tier ────────────────────────────────────────────────────────
+  /** First handshake — confirms the connection, returns trust tier and tool counts. */
+  async helloAgent() {
+    return this.mcp.callTool("hello_agent", {});
+  }
+  /** Resolve a ~handle (e.g. ~drew) to its canonical form and kind. No auth required. */
+  async resolveHandle(args) {
+    const payload = typeof args === "string" ? { query: args } : args;
+    return this.mcp.callTool("alter_resolve_handle", payload);
+  }
   /** Verify a person is registered with ALTER (handle or id). */
   async verify(handleOrId, claims) {
     const args = handleOrId.includes("@") ? { candidate_id: "", email: handleOrId } : handleOrId.startsWith("~") ? (
@@ -896,12 +1176,6 @@ var AlterClient = class {
   async getCompetencies(args) {
     return this.mcp.callTool("get_competencies", args);
   }
-  async createIdentityStub(args) {
-    return this.mcp.callTool("create_identity_stub", args);
-  }
-  async submitContext(args) {
-    return this.mcp.callTool("submit_context", args);
-  }
   async searchIdentities(args) {
     return this.mcp.callTool("search_identities", args);
   }
@@ -926,9 +1200,6 @@ var AlterClient = class {
   async getPrivacyBudget(args) {
     return this.mcp.callTool("get_privacy_budget", args);
   }
-  async disputeAttestation(args) {
-    return this.mcp.callTool("dispute_attestation", args);
-  }
   // ── Golden Thread ────────────────────────────────────────────────────
   async goldenThreadStatus() {
     return this.mcp.callTool("golden_thread_status", {});
@@ -964,18 +1235,6 @@ var AlterClient = class {
   async generateMatchNarrative(args, opts) {
     return this.mcp.callTool("generate_match_narrative", args, opts);
   }
-  async submitBatchContext(args, opts) {
-    return this.mcp.callTool("submit_batch_context", args, opts);
-  }
-  async submitStructuredProfile(args, opts) {
-    return this.mcp.callTool("submit_structured_profile", args, opts);
-  }
-  async submitSocialLinks(args, opts) {
-    return this.mcp.callTool("submit_social_links", args, opts);
-  }
-  async attestDomain(args, opts) {
-    return this.mcp.callTool("attest_domain", args, opts);
-  }
   async getSideQuestGraph(args, opts) {
     return this.mcp.callTool("get_side_quest_graph", args, opts);
   }
@@ -1043,7 +1302,14 @@ var AlterClient = class {
   }
 };
 
+// src/index.ts
+init_signing();
+
+// src/adapters/claude-code.ts
+init_cjs_shims();
+
 // src/adapters/generic-mcp.ts
+init_cjs_shims();
 function generateGenericMcpConfig(opts = {}) {
   const serverName = opts.serverName ?? "alter";
   const headers = { ...opts.headers ?? {} };
@@ -1063,12 +1329,491 @@ function generateClaudeConfig(opts = {}) {
 }
 
 // src/adapters/cursor.ts
+init_cjs_shims();
 function generateCursorConfig(opts = {}) {
   return generateGenericMcpConfig({ serverName: "alter", ...opts });
 }
 
+// src/adapters/claude-desktop.ts
+init_cjs_shims();
+function generateClaudeDesktopConfig(opts = {}) {
+  const serverName = opts.serverName ?? "alter";
+  const bridgeCommand = opts.bridgeCommand ?? "alter-mcp-bridge";
+  const env2 = {};
+  env2.ALTER_MCP_ENDPOINT = opts.endpoint ?? DEFAULT_ENDPOINT;
+  if (opts.apiKey) env2.ALTER_API_KEY = opts.apiKey;
+  const entry = {
+    command: bridgeCommand,
+    env: env2,
+    description: "ALTER Identity \u2014 psychometric identity field for AI agents"
+  };
+  if (opts.extraArgs && opts.extraArgs.length > 0) {
+    entry.args = [...opts.extraArgs];
+  }
+  return { mcpServers: { [serverName]: entry } };
+}
+
+// src/wire/index.ts
+init_cjs_shims();
+
+// src/meta.ts
+init_cjs_shims();
+var SDK_NAME = "@truealter/sdk";
+var SDK_VERSION = "0.3.0";
+
+// src/wire/paths.ts
+init_cjs_shims();
+var HOME = os.homedir();
+var PLAT = os.platform();
+function appData() {
+  return process$1.env.APPDATA ?? path.join(HOME, "AppData", "Roaming");
+}
+function xdgConfig() {
+  return process$1.env.XDG_CONFIG_HOME ?? path.join(HOME, ".config");
+}
+function macAppSupport() {
+  return path.join(HOME, "Library", "Application Support");
+}
+function claudeDesktopConfigPath() {
+  if (PLAT === "darwin") return path.join(macAppSupport(), "Claude", "claude_desktop_config.json");
+  if (PLAT === "win32") return path.join(appData(), "Claude", "claude_desktop_config.json");
+  return path.join(xdgConfig(), "Claude", "claude_desktop_config.json");
+}
+function claudeDesktopDir() {
+  if (PLAT === "darwin") return path.join(macAppSupport(), "Claude");
+  if (PLAT === "win32") return path.join(appData(), "Claude");
+  return path.join(xdgConfig(), "Claude");
+}
+function vscodeConfigPath() {
+  if (PLAT === "darwin") return path.join(macAppSupport(), "Code", "User", "mcp.json");
+  if (PLAT === "win32") return path.join(appData(), "Code", "User", "mcp.json");
+  return path.join(xdgConfig(), "Code", "User", "mcp.json");
+}
+function vscodeDir() {
+  if (PLAT === "darwin") return path.join(macAppSupport(), "Code", "User");
+  if (PLAT === "win32") return path.join(appData(), "Code", "User");
+  return path.join(xdgConfig(), "Code", "User");
+}
+var cursorDir = path.join(HOME, ".cursor");
+var cursorConfigPath = path.join(cursorDir, "mcp.json");
+var claudeCodeProbeDir = path.join(HOME, ".claude");
+var CLAUDE_CODE = {
+  id: "claude-code",
+  label: "Claude Code",
+  configPath: null,
+  probeDir: claudeCodeProbeDir,
+  rootKey: "mcpServers"
+};
+var CURSOR = {
+  id: "cursor",
+  label: "Cursor",
+  configPath: cursorConfigPath,
+  probeDir: cursorDir,
+  rootKey: "mcpServers"
+};
+var CLAUDE_DESKTOP = {
+  id: "claude-desktop",
+  label: "Claude Desktop",
+  configPath: claudeDesktopConfigPath(),
+  probeDir: claudeDesktopDir(),
+  rootKey: "mcpServers"
+};
+var VSCODE = {
+  id: "vscode",
+  label: "VS Code",
+  configPath: vscodeConfigPath(),
+  probeDir: vscodeDir(),
+  // VS Code's user-scoped mcp.json uses `servers`, not `mcpServers`.
+  rootKey: "servers"
+};
+var ALL_CLIENTS = [CLAUDE_CODE, CURSOR, CLAUDE_DESKTOP, VSCODE];
+function alterConfigDir() {
+  return path.join(xdgConfig(), "alter");
+}
+function wireStatePath() {
+  return path.join(alterConfigDir(), "wire-state.json");
+}
+
+// src/wire/probe.ts
+init_cjs_shims();
+function probeClaudeCode() {
+  try {
+    const result = child_process.spawnSync("claude", ["--version"], {
+      encoding: "utf8",
+      shell: process.platform === "win32",
+      timeout: 5e3
+    });
+    if (result.error) {
+      return {
+        client: ALL_CLIENTS.find((c) => c.id === "claude-code"),
+        installed: false,
+        reason: `claude binary not on PATH (${result.error.message})`
+      };
+    }
+    if (result.status === 0) {
+      return {
+        client: ALL_CLIENTS.find((c) => c.id === "claude-code"),
+        installed: true,
+        version: result.stdout.trim() || void 0,
+        reason: "claude --version returned 0"
+      };
+    }
+    return {
+      client: ALL_CLIENTS.find((c) => c.id === "claude-code"),
+      installed: false,
+      reason: `claude --version exited ${String(result.status)}`
+    };
+  } catch (err) {
+    return {
+      client: ALL_CLIENTS.find((c) => c.id === "claude-code"),
+      installed: false,
+      reason: err.message
+    };
+  }
+}
+function probeByDir(id) {
+  const client = ALL_CLIENTS.find((c) => c.id === id);
+  if (!client) throw new Error(`unknown client id: ${id}`);
+  const installed = fs.existsSync(client.probeDir);
+  return {
+    client,
+    installed,
+    reason: installed ? `found ${client.probeDir}` : `no directory at ${client.probeDir}`
+  };
+}
+function probeAll() {
+  return [
+    probeClaudeCode(),
+    probeByDir("cursor"),
+    probeByDir("claude-desktop"),
+    probeByDir("vscode")
+  ];
+}
+
+// src/wire/sync.ts
+init_cjs_shims();
+var SYNC_PREFIXES = [
+  // iCloud Drive — both the new and legacy mounts.
+  "Library/Mobile Documents/com~apple~CloudDocs",
+  "iCloud Drive",
+  // OneDrive variants Microsoft ships across editions.
+  "OneDrive",
+  "OneDrive - ",
+  // Dropbox standard + enterprise mounts.
+  "Dropbox",
+  "Dropbox (",
+  // Google Drive (ALTER does not integrate with Google; still refuse).
+  "Google Drive",
+  "GoogleDrive",
+  "CloudStorage/GoogleDrive",
+  // Box, pCloud, Sync.com, MEGA — high-signal names worth refusing.
+  "Box Sync",
+  "pCloud Drive",
+  "Sync.com",
+  "MEGAsync"
+];
+function detectSyncedVolume(path$1) {
+  const absolute = path.resolve(path$1);
+  const normalised = os.platform() === "win32" ? absolute.replace(/\\/g, "/") : absolute;
+  for (const prefix of SYNC_PREFIXES) {
+    if (normalised.includes(`/${prefix}/`) || normalised.includes(`/${prefix}`)) {
+      return { refused: true, matchedPrefix: prefix, resolvedPath: absolute };
+    }
+  }
+  return null;
+}
+
+// src/wire/state.ts
+init_cjs_shims();
+var WIRE_STATE_VERSION = 1;
+function readWireState() {
+  const path = wireStatePath();
+  if (!fs.existsSync(path)) return null;
+  try {
+    const parsed = JSON.parse(fs.readFileSync(path, "utf8"));
+    if (parsed.version !== WIRE_STATE_VERSION) {
+      throw new Error(
+        `wire-state.json version ${String(parsed.version)} is not supported by this SDK (expected ${WIRE_STATE_VERSION})`
+      );
+    }
+    return parsed;
+  } catch (err) {
+    throw new Error(`failed to parse wire-state.json: ${err.message}`);
+  }
+}
+function writeWireState(state) {
+  const path$1 = wireStatePath();
+  fs.mkdirSync(path.dirname(path$1), { recursive: true, mode: 448 });
+  fs.writeFileSync(path$1, JSON.stringify(state, null, 2) + "\n", { mode: 384 });
+}
+
+// src/wire/write.ts
+init_cjs_shims();
+function sha2562(bytes) {
+  return crypto$1.createHash("sha256").update(bytes).digest("hex");
+}
+function atomicJsonMerge(opts) {
+  const { path: path$1, timestamp, merge, idempotent = true } = opts;
+  const tmpPath = `${path$1}.alter-tmp-${timestamp}`;
+  const backupPath = `${path$1}.alter-backup-${timestamp}`;
+  let existed = false;
+  let preBytes = null;
+  let parsed = {};
+  if (fs.existsSync(path$1)) {
+    existed = true;
+    preBytes = fs.readFileSync(path$1, "utf8");
+    if (preBytes.trim().length > 0) {
+      try {
+        parsed = JSON.parse(preBytes);
+      } catch (err) {
+        throw new Error(
+          `refusing to wire ${path$1}: existing file is not valid JSON (${err.message}). Hand-fix the file, then re-run \`alter-identity wire\`.`
+        );
+      }
+      if (typeof parsed !== "object" || Array.isArray(parsed) || parsed === null) {
+        throw new Error(`refusing to wire ${path$1}: existing JSON root is not an object`);
+      }
+    }
+  }
+  const merged = merge(parsed);
+  const serialised = JSON.stringify(merged, null, 2) + "\n";
+  if (idempotent && preBytes !== null && preBytes === serialised) {
+    return {
+      path: path$1,
+      backupPath: null,
+      preSha256: sha2562(preBytes),
+      postSha256: sha2562(preBytes),
+      noop: true
+    };
+  }
+  fs.mkdirSync(path.dirname(path$1), { recursive: true });
+  fs.writeFileSync(tmpPath, serialised, { mode: 384 });
+  try {
+    if (existed) fs.copyFileSync(path$1, backupPath);
+    fs.renameSync(tmpPath, path$1);
+  } catch (err) {
+    try {
+      fs.unlinkSync(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
+  return {
+    path: path$1,
+    backupPath: existed ? backupPath : null,
+    preSha256: preBytes === null ? null : sha2562(preBytes),
+    postSha256: sha2562(serialised),
+    noop: false
+  };
+}
+function restoreFromBackup(path, backupPath) {
+  if (backupPath === null) {
+    if (fs.existsSync(path)) fs.unlinkSync(path);
+    return;
+  }
+  if (!fs.existsSync(backupPath)) {
+    throw new Error(`cannot restore ${path}: backup missing at ${backupPath}`);
+  }
+  fs.renameSync(backupPath, path);
+}
+
+// src/wire/index.ts
+var TIMESTAMP = () => String(Math.floor(Date.now() / 1e3));
+var ISO_NOW = () => (/* @__PURE__ */ new Date()).toISOString();
+function clientById(id) {
+  const hit = ALL_CLIENTS.find((c) => c.id === id);
+  if (!hit) throw new Error(`unknown client id: ${id}`);
+  return hit;
+}
+function wire(opts = {}) {
+  const endpoint = opts.endpoint ?? DEFAULT_ENDPOINT;
+  const apiKey = opts.apiKey;
+  const probes = probeAll();
+  const selection = opts.only ?? probes.filter((p) => p.installed).map((p) => p.client.id);
+  const ts = TIMESTAMP();
+  const targets = [];
+  for (const id of selection) {
+    const probe = id === "claude-code" ? probeClaudeCode() : probeByDir(id);
+    if (!probe.installed && opts.skipMissing !== false) {
+      targets.push({
+        client: id,
+        method: id === "claude-code" ? "cli" : "file",
+        status: "skipped",
+        ...id === "claude-code" ? { command: "" } : { path: clientById(id).configPath ?? "", backupPath: null, rootKey: clientById(id).rootKey, serverName: "alter", preSha256: null, postSha256: "" },
+        reason: probe.reason
+      });
+      continue;
+    }
+    try {
+      if (id === "claude-code") {
+        targets.push(wireClaudeCode({ endpoint, apiKey }));
+      } else {
+        targets.push(wireFileTarget({ id, endpoint, apiKey, timestamp: ts }));
+      }
+    } catch (err) {
+      const message = err.message;
+      targets.push({
+        client: id,
+        method: id === "claude-code" ? "cli" : "file",
+        status: "failed",
+        ...id === "claude-code" ? { command: "" } : { path: clientById(id).configPath ?? "", backupPath: null, rootKey: clientById(id).rootKey, serverName: "alter", preSha256: null, postSha256: "" },
+        reason: message
+      });
+    }
+  }
+  const state = {
+    version: 1,
+    sdkVersion: SDK_VERSION,
+    writtenAt: ISO_NOW(),
+    endpoint,
+    targets
+  };
+  writeWireState(state);
+  return { state, probes };
+}
+function wireFileTarget(args) {
+  const client = clientById(args.id);
+  if (!client.configPath) {
+    throw new Error(`client ${client.id} has no file-based config path`);
+  }
+  const sync = detectSyncedVolume(client.configPath);
+  if (sync) {
+    throw new Error(
+      `refusing to wire ${client.label}: config path ${sync.resolvedPath} lives under ${sync.matchedPrefix}. Synced volumes propagate credentials across devices \u2014 move the config off the sync root, or run wire on the device you want to target.`
+    );
+  }
+  const entry = args.id === "claude-desktop" ? generateClaudeDesktopConfig({ endpoint: args.endpoint, apiKey: args.apiKey }) : generateGenericMcpConfig({ endpoint: args.endpoint, apiKey: args.apiKey });
+  const rootKey = client.rootKey;
+  const serverName = "alter";
+  const result = atomicJsonMerge({
+    path: client.configPath,
+    timestamp: args.timestamp,
+    merge: (existing) => {
+      const bucket = existing[rootKey] ?? {};
+      const source = entry.mcpServers.alter;
+      return {
+        ...existing,
+        [rootKey]: {
+          ...bucket,
+          [serverName]: source
+        }
+      };
+    }
+  });
+  return {
+    client: args.id,
+    method: "file",
+    status: result.noop ? "already-wired" : "written",
+    path: result.path,
+    backupPath: result.backupPath,
+    rootKey,
+    serverName,
+    preSha256: result.preSha256,
+    postSha256: result.postSha256
+  };
+}
+function wireClaudeCode(args) {
+  const cmd = "claude";
+  const argList = [
+    "mcp",
+    "add",
+    "--scope",
+    "user",
+    "--transport",
+    "http",
+    "alter",
+    args.endpoint
+  ];
+  if (args.apiKey) {
+    argList.push("--header", `X-ALTER-API-Key:${args.apiKey}`);
+  }
+  const full = `${cmd} ${argList.join(" ")}`;
+  const run = child_process.spawnSync(cmd, argList, {
+    encoding: "utf8",
+    shell: process.platform === "win32",
+    timeout: 1e4
+  });
+  if (run.error) {
+    return {
+      client: "claude-code",
+      method: "cli",
+      status: "failed",
+      command: full,
+      stdout: run.stdout,
+      stderr: run.stderr,
+      reason: run.error.message
+    };
+  }
+  const stderr = (run.stderr ?? "").toLowerCase();
+  const alreadyExists = stderr.includes("already exists") || stderr.includes("already configured");
+  if (run.status === 0) {
+    return { client: "claude-code", method: "cli", status: "written", command: full, stdout: run.stdout, stderr: run.stderr };
+  }
+  if (alreadyExists) {
+    return { client: "claude-code", method: "cli", status: "already-wired", command: full, stdout: run.stdout, stderr: run.stderr };
+  }
+  return {
+    client: "claude-code",
+    method: "cli",
+    status: "failed",
+    command: full,
+    stdout: run.stdout,
+    stderr: run.stderr,
+    reason: `claude mcp add exited ${String(run.status)}`
+  };
+}
+function unwire() {
+  const state = readWireState();
+  const undone = [];
+  if (!state || state.targets.length === 0) {
+    return { state, undone };
+  }
+  for (const target of state.targets) {
+    try {
+      if (target.method === "file") {
+        if (target.status === "written") {
+          restoreFromBackup(target.path, target.backupPath);
+          undone.push({ client: target.client, action: target.backupPath ? "restored" : "removed" });
+        } else {
+          undone.push({ client: target.client, action: "skipped", reason: `target status was ${target.status}` });
+        }
+      } else if (target.method === "cli") {
+        if (target.status === "written") {
+          const run = child_process.spawnSync("claude", ["mcp", "remove", "--scope", "user", "alter"], {
+            encoding: "utf8",
+            shell: process.platform === "win32",
+            timeout: 1e4
+          });
+          if (run.error) {
+            undone.push({ client: target.client, action: "failed", reason: run.error.message });
+          } else if (run.status === 0) {
+            undone.push({ client: target.client, action: "cli-removed" });
+          } else {
+            undone.push({ client: target.client, action: "failed", reason: `claude mcp remove exited ${String(run.status)}` });
+          }
+        } else {
+          undone.push({ client: target.client, action: "skipped", reason: `target status was ${target.status}` });
+        }
+      }
+    } catch (err) {
+      undone.push({ client: target.client, action: "failed", reason: err.message });
+    }
+  }
+  writeWireState({
+    version: 1,
+    sdkVersion: state.sdkVersion,
+    writtenAt: ISO_NOW(),
+    endpoint: state.endpoint,
+    targets: []
+  });
+  return { state, undone };
+}
+
 // src/types.ts
+init_cjs_shims();
 var FREE_TOOL_NAMES = [
+  "hello_agent",
+  "alter_resolve_handle",
   "list_archetypes",
   "verify_identity",
   "initiate_assessment",
@@ -1076,8 +1821,6 @@ var FREE_TOOL_NAMES = [
   "get_profile",
   "query_matches",
   "get_competencies",
-  "create_identity_stub",
-  "submit_context",
   "search_identities",
   "get_identity_earnings",
   "get_network_stats",
@@ -1088,7 +1831,6 @@ var FREE_TOOL_NAMES = [
   "get_agent_trust_tier",
   "get_agent_portfolio",
   "get_privacy_budget",
-  "dispute_attestation",
   "golden_thread_status",
   "begin_golden_thread",
   "complete_knot",
@@ -1102,15 +1844,13 @@ var PREMIUM_TOOL_NAMES = [
   "compute_belonging",
   "get_match_recommendations",
   "generate_match_narrative",
-  "submit_batch_context",
-  "submit_structured_profile",
-  "submit_social_links",
-  "attest_domain",
   "get_side_quest_graph",
   "query_graph_similarity"
 ];
 var TOOL_TIERS = {
   // L0 (free)
+  hello_agent: 0,
+  alter_resolve_handle: 0,
   list_archetypes: 0,
   verify_identity: 0,
   initiate_assessment: 0,
@@ -1118,9 +1858,7 @@ var TOOL_TIERS = {
   get_profile: 0,
   query_matches: 0,
   get_competencies: 0,
-  create_identity_stub: 0,
-  submit_context: 1,
-  search_identities: 1,
+  search_identities: 0,
   get_identity_earnings: 0,
   get_network_stats: 0,
   recommend_tool: 0,
@@ -1128,8 +1866,6 @@ var TOOL_TIERS = {
   check_assessment_status: 0,
   get_earning_summary: 0,
   get_privacy_budget: 0,
-  dispute_attestation: 0,
-  // Free tools not present in upstream TOOL_TIERS — default to 0
   get_agent_trust_tier: 0,
   get_agent_portfolio: 0,
   golden_thread_status: 0,
@@ -1140,12 +1876,8 @@ var TOOL_TIERS = {
   // L1
   assess_traits: 1,
   get_trait_snapshot: 1,
-  submit_structured_profile: 1,
-  submit_social_links: 1,
-  attest_domain: 1,
   // L2
   get_full_trait_vector: 2,
-  submit_batch_context: 2,
   get_side_quest_graph: 2,
   // L3
   query_graph_similarity: 3,
@@ -1157,6 +1889,8 @@ var TOOL_TIERS = {
 };
 var TOOL_COSTS = {
   // L0 free
+  hello_agent: 0,
+  alter_resolve_handle: 0,
   list_archetypes: 0,
   verify_identity: 0,
   initiate_assessment: 0,
@@ -1164,7 +1898,6 @@ var TOOL_COSTS = {
   get_profile: 0,
   query_matches: 0,
   get_competencies: 0,
-  create_identity_stub: 0,
   search_identities: 0,
   get_identity_earnings: 0,
   get_network_stats: 0,
@@ -1175,22 +1908,16 @@ var TOOL_COSTS = {
   get_agent_trust_tier: 0,
   get_agent_portfolio: 0,
   get_privacy_budget: 0,
-  dispute_attestation: 0,
   golden_thread_status: 0,
   begin_golden_thread: 0,
   complete_knot: 0,
   check_golden_thread: 0,
   thread_census: 0,
   // L1 ($0.005)
-  submit_context: 5e-3,
   assess_traits: 5e-3,
   get_trait_snapshot: 5e-3,
-  submit_structured_profile: 5e-3,
-  submit_social_links: 5e-3,
-  attest_domain: 5e-3,
   // L2 ($0.01)
   get_full_trait_vector: 0.01,
-  submit_batch_context: 0.01,
   get_side_quest_graph: 0.01,
   // L3 ($0.025)
   query_graph_similarity: 0.025,
@@ -1202,6 +1929,8 @@ var TOOL_COSTS = {
 };
 var TOOL_BLAST_RADIUS = {
   // Low: read-only reference
+  hello_agent: "low",
+  alter_resolve_handle: "low",
   list_archetypes: "low",
   verify_identity: "low",
   get_engagement_level: "low",
@@ -1214,13 +1943,12 @@ var TOOL_BLAST_RADIUS = {
   begin_golden_thread: "low",
   check_golden_thread: "low",
   thread_census: "low",
-  dispute_attestation: "low",
   get_identity_earnings: "low",
   get_identity_trust_score: "low",
   initiate_assessment: "low",
+  get_agent_trust_tier: "low",
+  get_agent_portfolio: "low",
   // Medium: writes data or searches
-  create_identity_stub: "medium",
-  submit_context: "medium",
   search_identities: "medium",
   get_profile: "medium",
   query_matches: "medium",
@@ -1228,26 +1956,16 @@ var TOOL_BLAST_RADIUS = {
   complete_knot: "medium",
   assess_traits: "medium",
   get_trait_snapshot: "medium",
-  submit_structured_profile: "medium",
-  submit_social_links: "medium",
-  submit_batch_context: "medium",
-  attest_domain: "medium",
   // High: returns sensitive identity data or computes scores
   get_full_trait_vector: "high",
   compute_belonging: "high",
   get_match_recommendations: "high",
   generate_match_narrative: "high",
   get_side_quest_graph: "high",
-  query_graph_similarity: "high",
-  // Tools not in upstream TOOL_BLAST_RADIUS — default to "low"
-  get_agent_trust_tier: "low",
-  get_agent_portfolio: "low"
+  query_graph_similarity: "high"
 };
 
-// src/index.ts
-var SDK_NAME = "@truealter/sdk";
-var SDK_VERSION = "0.1.1";
-
+exports.ALL_CLIENTS = ALL_CLIENTS;
 exports.AlterAuthError = AlterAuthError;
 exports.AlterClient = AlterClient;
 exports.AlterDiscoveryError = AlterDiscoveryError;
@@ -1259,6 +1977,9 @@ exports.AlterProvenanceError = AlterProvenanceError;
 exports.AlterRateLimited = AlterRateLimited;
 exports.AlterTimeoutError = AlterTimeoutError;
 exports.AlterToolError = AlterToolError;
+exports.CLAUDE_CODE = CLAUDE_CODE;
+exports.CLAUDE_DESKTOP = CLAUDE_DESKTOP;
+exports.CURSOR = CURSOR;
 exports.DEFAULT_DOMAIN = DEFAULT_DOMAIN;
 exports.DEFAULT_ENDPOINT = DEFAULT_ENDPOINT;
 exports.DEFAULT_VERIFY_AT_ALLOWLIST = DEFAULT_VERIFY_AT_ALLOWLIST;
@@ -1271,24 +1992,37 @@ exports.SDK_VERSION = SDK_VERSION;
 exports.TOOL_BLAST_RADIUS = TOOL_BLAST_RADIUS;
 exports.TOOL_COSTS = TOOL_COSTS;
 exports.TOOL_TIERS = TOOL_TIERS;
+exports.VSCODE = VSCODE;
 exports.X402Client = X402Client;
 exports.base64urlDecode = base64urlDecode;
-exports.base64urlEncode = base64urlEncode;
+exports.base64urlEncode = base64urlEncode2;
+exports.canonicalArgsSha256 = canonicalArgsSha256;
+exports.canonicalStringify = canonicalStringify;
 exports.clearDiscoveryCache = clearDiscoveryCache;
 exports.decodeDid = decodeDid;
+exports.detectSyncedVolume = detectSyncedVolume;
 exports.discover = discover;
 exports.encodeDid = encodeDid;
 exports.fetchPublicKeys = fetchPublicKeys;
 exports.generateClaudeConfig = generateClaudeConfig;
+exports.generateClaudeDesktopConfig = generateClaudeDesktopConfig;
 exports.generateCursorConfig = generateCursorConfig;
 exports.generateGenericMcpConfig = generateGenericMcpConfig;
 exports.generateKeypair = generateKeypair;
 exports.keypairFromPrivateKey = keypairFromPrivateKey;
+exports.loadPrivateKey = loadPrivateKey;
 exports.parsePaymentHeader = parsePaymentHeader;
+exports.probeAll = probeAll;
+exports.probeByDir = probeByDir;
+exports.probeClaudeCode = probeClaudeCode;
+exports.readWireState = readWireState;
 exports.resolveVerifyAt = resolveVerifyAt;
+exports.sha256 = sha2562;
 exports.sign = sign;
+exports.signInvocation = signInvocation;
+exports.unwire = unwire;
 exports.verify = verify;
 exports.verifyProvenance = verifyProvenance;
 exports.verifyToolSignatures = verifyToolSignatures;
-//# sourceMappingURL=index.cjs.map
-//# sourceMappingURL=index.cjs.map
+exports.wire = wire;
+exports.writeWireState = writeWireState;