npm - @truealter/sdk - Versions diffs - 0.4.1 → 0.5.1 - Mend

@truealter/sdk 0.4.1 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +103 -74
package/dist/bin/alter-identity.js +177 -19
package/dist/bin/mcp-bridge.js +47 -11
package/dist/index.cjs +203 -20
package/dist/index.d.cts +431 -30
package/dist/index.d.ts +431 -30
package/dist/index.js +199 -23
package/dist/mcp-bridge.js +166 -0
package/package.json +7 -4

package/dist/index.cjs CHANGED Viewed

@@ -3,14 +3,14 @@
 var p256 = require('@noble/curves/p256');
 var sha256 = require('@noble/hashes/sha256');
 var utils = require('@noble/hashes/utils');
+var crypto$1 = require('crypto');
 var ed25519 = require('@noble/ed25519');
 var sha512 = require('@noble/hashes/sha512');
-var child_process = require('child_process');
-var os = require('os');
+var fs = require('fs');
 var path = require('path');
+var os = require('os');
+var child_process = require('child_process');
 var process$1 = require('process');
-var fs = require('fs');
-var crypto$1 = require('crypto');
 function _interopNamespace(e) {
   if (e && e.__esModule) return e;
@@ -132,8 +132,7 @@ function loadPrivateKey(key) {
     return key;
   }
   if (typeof key === "string" && key.includes("-----BEGIN")) {
-    const nodeCrypto = __require("crypto");
-    const keyObj = nodeCrypto.createPrivateKey({ key, format: "pem" });
+    const keyObj = crypto$1.createPrivateKey({ key, format: "pem" });
     const jwk = keyObj.export({ format: "jwk" });
     if (jwk.crv !== "P-256" || !jwk.d) {
       throw new TypeError("PEM is not a P-256 private key.");
@@ -457,11 +456,19 @@ var X402Client = class {
   maxPerQuery;
   networks;
   assets;
+  // undefined = allowlist check disabled (backward-compatible default).
+  // Non-null = active allowlist; reject any recipient not in the set.
+  recipientAllowlist;
   constructor(opts = {}) {
     this.signer = opts.signer;
     this.maxPerQuery = opts.maxPerQuery !== void 0 ? Number(opts.maxPerQuery) : void 0;
     this.networks = new Set(opts.networks ?? ["base", "base-sepolia"]);
     this.assets = new Set(opts.assets ?? ["USDC"]);
+    if (opts.recipientAllowlist !== void 0) {
+      this.recipientAllowlist = opts.recipientAllowlist.length === 0 ? void 0 : new Set(opts.recipientAllowlist.map((a) => a.toLowerCase()));
+    } else {
+      this.recipientAllowlist = void 0;
+    }
   }
   /**
    * Validate the envelope against this client's policy and, if a signer
@@ -487,6 +494,15 @@ var X402Client = class {
         );
       }
     }
+    if (this.recipientAllowlist !== void 0) {
+      const recipientNorm = (envelope.recipient ?? "").toLowerCase();
+      if (!recipientNorm || !this.recipientAllowlist.has(recipientNorm)) {
+        throw new AlterError(
+          "PAYMENT_REQUIRED",
+          `recipient "${envelope.recipient}" is not on the known-recipient allowlist`
+        );
+      }
+    }
     if (!this.signer) {
       throw new AlterPaymentRequired(envelope.resource ?? "unknown", envelope);
     }
@@ -544,6 +560,7 @@ var MCPClient = class {
   clientInfo;
   x402;
   signing;
+  extraHeaders;
   requestCounter = 0;
   initialised = false;
   constructor(opts = {}) {
@@ -555,6 +572,7 @@ var MCPClient = class {
     this.clientInfo = opts.clientInfo ?? { name: "@truealter/sdk", version: "0.2.0" };
     this.x402 = opts.x402;
     this.signing = opts.signing;
+    this.extraHeaders = opts.extraHeaders;
   }
   /**
    * Send the MCP `initialize` handshake and capture the resulting session
@@ -718,6 +736,7 @@ var MCPClient = class {
   }
   buildHeaders(extra) {
     const headers = {
+      ...this.extraHeaders ?? {},
       "Content-Type": "application/json",
       Accept: "application/json",
       "User-Agent": `${this.clientInfo.name}/${this.clientInfo.version}`
@@ -864,6 +883,7 @@ var DEFAULT_VERIFY_AT_ALLOWLIST = Object.freeze([
   "api.truealter.com",
   "mcp.truealter.com"
 ]);
+var ALTER_PLATFORM_ISS = "did:alter:platform";
 async function verifyProvenance(envelope, opts = {}) {
   const token = typeof envelope === "string" ? envelope : envelope.token;
   if (!token) return { valid: false, reason: "empty token" };
@@ -946,9 +966,55 @@ async function verifyProvenance(envelope, opts = {}) {
   if (typeof payload.iat === "number" && payload.iat > now + 300) {
     return { valid: false, reason: "issued in the future", payload, kid: header.kid };
   }
+  const expectedIss = opts.expectedIss !== void 0 ? opts.expectedIss : ALTER_PLATFORM_ISS;
+  if (expectedIss !== "" && payload.iss !== expectedIss) {
+    return {
+      valid: false,
+      reason: `iss mismatch: expected "${expectedIss}", got "${payload.iss}"`,
+      payload,
+      kid: header.kid
+    };
+  }
+  if (opts.expectedAud !== void 0 && opts.expectedAud !== "") {
+    const tokenAud = payload.aud;
+    const audList = tokenAud === void 0 ? [] : Array.isArray(tokenAud) ? tokenAud : [tokenAud];
+    if (!audList.includes(opts.expectedAud)) {
+      return {
+        valid: false,
+        reason: `aud mismatch: expected "${opts.expectedAud}", got ${JSON.stringify(tokenAud ?? null)}`,
+        payload,
+        kid: header.kid
+      };
+    }
+  }
   return { valid: true, payload, kid: header.kid };
 }
-async function verifyToolSignatures(tools, signatures) {
+async function verifyToolSignatures(tools, signatures, opts = {}) {
+  const jwksUrl = opts.jwksUrl ?? "https://api.truealter.com/.well-known/alter-keys.json";
+  const fetchImpl = opts.fetch ?? fetch;
+  if (!jwksUrl.startsWith("https://")) {
+    return tools.map((t) => ({
+      tool: t.name,
+      valid: false,
+      reason: `jwksUrl must be https: got ${jwksUrl}`
+    }));
+  }
+  const needsJwks = tools.some((t) => {
+    const sig = signatures[t.name];
+    return sig && sig.signature;
+  });
+  let jwks = null;
+  if (needsJwks) {
+    try {
+      jwks = await fetchJwks(jwksUrl, fetchImpl);
+    } catch (err) {
+      return tools.map((t) => ({
+        tool: t.name,
+        valid: false,
+        reason: `jwks fetch failed: ${err.message}`
+      }));
+    }
+  }
   const out = [];
   for (const tool of tools) {
     const sig = signatures[tool.name];
@@ -961,6 +1027,63 @@ async function verifyToolSignatures(tools, signatures) {
       out.push({ tool: tool.name, valid: false, reason: "schema hash mismatch" });
       continue;
     }
+    const jwsToken = sig.signature;
+    if (!jwsToken) {
+      out.push({ tool: tool.name, valid: true, warn_no_signature: true });
+      continue;
+    }
+    const jwksDoc = jwks;
+    let jHeader;
+    let jPayloadRaw;
+    let jSigBytes;
+    try {
+      const parts2 = jwsToken.split(".");
+      if (parts2.length !== 3) throw new Error("JWS must have three segments");
+      jHeader = JSON.parse(new TextDecoder().decode(base64urlDecode(parts2[0])));
+      jPayloadRaw = new TextDecoder().decode(base64urlDecode(parts2[1]));
+      jSigBytes = base64urlDecode(parts2[2]);
+    } catch (err) {
+      out.push({ tool: tool.name, valid: false, reason: `malformed tool JWS: ${err.message}` });
+      continue;
+    }
+    if (jHeader.alg !== "ES256") {
+      out.push({ tool: tool.name, valid: false, reason: `unsupported tool sig alg: ${jHeader.alg}` });
+      continue;
+    }
+    if (jPayloadRaw !== sig.schema_hash) {
+      out.push({ tool: tool.name, valid: false, reason: "tool JWS payload does not match schema_hash" });
+      continue;
+    }
+    const jwk = jwksDoc.keys.find((k) => jHeader.kid ? k.kid === jHeader.kid : true);
+    if (!jwk) {
+      out.push({ tool: tool.name, valid: false, reason: `no JWK for kid=${jHeader.kid}` });
+      continue;
+    }
+    let publicKey;
+    try {
+      publicKey = await importEs256JwkAsPublicKey(jwk);
+    } catch (err) {
+      out.push({ tool: tool.name, valid: false, reason: `jwk import: ${err.message}` });
+      continue;
+    }
+    const parts = jwsToken.split(".");
+    const signedInput = new TextEncoder().encode(`${parts[0]}.${parts[1]}`);
+    let sigValid = false;
+    try {
+      sigValid = await crypto.subtle.verify(
+        { name: "ECDSA", hash: "SHA-256" },
+        publicKey,
+        toArrayBuffer(jSigBytes),
+        toArrayBuffer(signedInput)
+      );
+    } catch (err) {
+      out.push({ tool: tool.name, valid: false, reason: `sig verify error: ${err.message}` });
+      continue;
+    }
+    if (!sigValid) {
+      out.push({ tool: tool.name, valid: false, reason: "tool signature mismatch" });
+      continue;
+    }
     out.push({ tool: tool.name, valid: true });
   }
   return out;
@@ -1142,10 +1265,10 @@ var AlterClient = class {
   }
   /** Verify a person is registered with ALTER (handle or id). */
   async verify(handleOrId, claims) {
-    const args = handleOrId.includes("@") ? { candidate_id: "", email: handleOrId } : handleOrId.startsWith("~") ? (
-      // ~handle — server resolves these via the candidate_id field
-      { candidate_id: handleOrId }
-    ) : { candidate_id: handleOrId };
+    const args = handleOrId.includes("@") ? { member_id: "", email: handleOrId } : handleOrId.startsWith("~") ? (
+      // ~handle — server resolves these via the member_id field
+      { member_id: handleOrId }
+    ) : { member_id: handleOrId };
     if (claims) args.claims = claims;
     return this.mcp.callTool("verify_identity", args);
   }
@@ -1620,6 +1743,26 @@ function restoreFromBackup(path, backupPath) {
 // src/wire/index.ts
 var TIMESTAMP = () => String(Math.floor(Date.now() / 1e3));
 var ISO_NOW = () => (/* @__PURE__ */ new Date()).toISOString();
+function readCfAccessEnv() {
+  const envPath = path.join(os.homedir(), ".config", "alter", "cf-access.env");
+  try {
+    const content = fs.readFileSync(envPath, "utf8");
+    let clientId = "";
+    let clientSecret = "";
+    for (const line of content.split("\n")) {
+      const trimmed = line.trim();
+      if (trimmed.startsWith("#") || !trimmed.includes("=")) continue;
+      const eqIdx = trimmed.indexOf("=");
+      const key = trimmed.slice(0, eqIdx).replace(/^export\s+/, "").trim();
+      const val = trimmed.slice(eqIdx + 1).trim().replace(/^["']|["']$/g, "");
+      if (key === "CF_ACCESS_CLIENT_ID") clientId = val;
+      if (key === "CF_ACCESS_CLIENT_SECRET") clientSecret = val;
+    }
+    if (clientId && clientSecret) return { clientId, clientSecret };
+  } catch {
+  }
+  return void 0;
+}
 function clientById(id) {
   const hit = ALL_CLIENTS.find((c) => c.id === id);
   if (!hit) throw new Error(`unknown client id: ${id}`);
@@ -1628,6 +1771,7 @@ function clientById(id) {
 function wire(opts = {}) {
   const endpoint = opts.endpoint ?? DEFAULT_ENDPOINT;
   const apiKey = opts.apiKey;
+  const cfAccess = opts.cfAccess ?? readCfAccessEnv();
   const probes = probeAll();
   const selection = opts.only ?? probes.filter((p) => p.installed).map((p) => p.client.id);
   const ts = TIMESTAMP();
@@ -1646,9 +1790,9 @@ function wire(opts = {}) {
     }
     try {
       if (id === "claude-code") {
-        targets.push(wireClaudeCode({ endpoint, apiKey }));
+        targets.push(wireClaudeCode({ endpoint, apiKey, cfAccess }));
       } else {
-        targets.push(wireFileTarget({ id, endpoint, apiKey, timestamp: ts }));
+        targets.push(wireFileTarget({ id, endpoint, apiKey, cfAccess, timestamp: ts }));
       }
     } catch (err) {
       const message = err.message;
@@ -1682,7 +1826,12 @@ function wireFileTarget(args) {
       `refusing to wire ${client.label}: config path ${sync.resolvedPath} lives under ${sync.matchedPrefix}. Synced volumes propagate credentials across devices \u2014 move the config off the sync root, or run wire on the device you want to target.`
     );
   }
-  const entry = args.id === "claude-desktop" ? generateClaudeDesktopConfig({ endpoint: args.endpoint, apiKey: args.apiKey }) : generateGenericMcpConfig({ endpoint: args.endpoint, apiKey: args.apiKey });
+  const cfHeaders = {};
+  if (args.cfAccess) {
+    cfHeaders["CF-Access-Client-Id"] = args.cfAccess.clientId;
+    cfHeaders["CF-Access-Client-Secret"] = args.cfAccess.clientSecret;
+  }
+  const entry = args.id === "claude-desktop" ? generateClaudeDesktopConfig({ endpoint: args.endpoint, apiKey: args.apiKey }) : generateGenericMcpConfig({ endpoint: args.endpoint, apiKey: args.apiKey, headers: cfHeaders });
   const rootKey = client.rootKey;
   const serverName = "alter";
   const result = atomicJsonMerge({
@@ -1714,7 +1863,8 @@ function wireFileTarget(args) {
 }
 function wireClaudeCode(args) {
   const cmd = "claude";
-  const argList = [
+  const bridgePath = resolveBridgeScript();
+  const argList = bridgePath ? ["mcp", "add", "--scope", "user", "alter", "--", "node", bridgePath] : [
     "mcp",
     "add",
     "--scope",
@@ -1722,16 +1872,15 @@ function wireClaudeCode(args) {
     "--transport",
     "http",
     "alter",
-    args.endpoint
+    args.endpoint,
+    ...args.apiKey ? ["--header", `X-ALTER-API-Key:${args.apiKey}`] : []
   ];
-  if (args.apiKey) {
-    argList.push("--header", `X-ALTER-API-Key:${args.apiKey}`);
-  }
   const full = `${cmd} ${argList.join(" ")}`;
   const run = child_process.spawnSync(cmd, argList, {
     encoding: "utf8",
     shell: process.platform === "win32",
-    timeout: 1e4
+    timeout: 1e4,
+    env: bridgePath ? { ...process.env, ALTER_PUBLIC_MCP_ENDPOINT: args.endpoint, ...args.apiKey ? { ALTER_API_KEY: args.apiKey } : {} } : void 0
   });
   if (run.error) {
     return {
@@ -1762,6 +1911,17 @@ function wireClaudeCode(args) {
     reason: `claude mcp add exited ${String(run.status)}`
   };
 }
+function resolveBridgeScript() {
+  const { existsSync: existsSync4 } = __require("fs");
+  const { join: join3, dirname: dirname3 } = __require("path");
+  const siblingBridge = join3(dirname3(__filename), "..", "dist", "mcp-bridge.js");
+  if (existsSync4(siblingBridge)) return siblingBridge;
+  const srcBridge = join3(dirname3(__filename), "..", "mcp-bridge.js");
+  if (existsSync4(srcBridge)) return srcBridge;
+  const npmGlobalBridge = join3(dirname3(__filename), "mcp-bridge.js");
+  if (existsSync4(npmGlobalBridge)) return npmGlobalBridge;
+  return null;
+}
 function unwire() {
   const state = readWireState();
   const undone = [];
@@ -1965,6 +2125,26 @@ var TOOL_BLAST_RADIUS = {
   query_graph_similarity: "high"
 };
+// src/homepage.ts
+init_cjs_shims();
+var HOMEPAGE_LIMITS = {
+  whoami_max_chars: 240,
+  opener_max_chars: 280,
+  pronouns_max_chars: 32,
+  attunement_glyph_max_chars: 16
+};
+// src/themes.ts
+init_cjs_shims();
+var THEME_LIMITS = {
+  meta_name_pattern: /^[a-z][a-z0-9-]{0,63}$/,
+  meta_description_max_chars: 240,
+  opener_library_max_entries: 32,
+  opener_entry_max_chars: 240,
+  share_note_max_chars: 280
+};
+var OSC8_ALLOWED_SCHEMES = ["https:", "mailto:"];
 exports.ALL_CLIENTS = ALL_CLIENTS;
 exports.AlterAuthError = AlterAuthError;
 exports.AlterClient = AlterClient;
@@ -1984,11 +2164,14 @@ exports.DEFAULT_DOMAIN = DEFAULT_DOMAIN;
 exports.DEFAULT_ENDPOINT = DEFAULT_ENDPOINT;
 exports.DEFAULT_VERIFY_AT_ALLOWLIST = DEFAULT_VERIFY_AT_ALLOWLIST;
 exports.FREE_TOOL_NAMES = FREE_TOOL_NAMES;
+exports.HOMEPAGE_LIMITS = HOMEPAGE_LIMITS;
 exports.MCPClient = MCPClient;
 exports.MCP_PROTOCOL_VERSION = MCP_PROTOCOL_VERSION;
+exports.OSC8_ALLOWED_SCHEMES = OSC8_ALLOWED_SCHEMES;
 exports.PREMIUM_TOOL_NAMES = PREMIUM_TOOL_NAMES;
 exports.SDK_NAME = SDK_NAME;
 exports.SDK_VERSION = SDK_VERSION;
+exports.THEME_LIMITS = THEME_LIMITS;
 exports.TOOL_BLAST_RADIUS = TOOL_BLAST_RADIUS;
 exports.TOOL_COSTS = TOOL_COSTS;
 exports.TOOL_TIERS = TOOL_TIERS;