npm - @truealter/sdk - Versions diffs - 0.4.1 → 0.5.1 - Mend

@truealter/sdk 0.4.1 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +103 -74
package/dist/bin/alter-identity.js +177 -19
package/dist/bin/mcp-bridge.js +47 -11
package/dist/index.cjs +203 -20
package/dist/index.d.cts +431 -30
package/dist/index.d.ts +431 -30
package/dist/index.js +199 -23
package/dist/mcp-bridge.js +166 -0
package/package.json +7 -4

package/dist/index.js CHANGED Viewed

@@ -1,14 +1,14 @@
 import { p256 } from '@noble/curves/p256';
 import { sha256 } from '@noble/hashes/sha256';
 import { randomBytes, bytesToHex as bytesToHex$1, hexToBytes } from '@noble/hashes/utils';
+import { createPrivateKey, createHash } from 'crypto';
 import * as ed25519 from '@noble/ed25519';
 import { sha512 } from '@noble/hashes/sha512';
-import { spawnSync } from 'child_process';
-import { homedir, platform } from 'os';
+import { existsSync, readFileSync, mkdirSync, writeFileSync, copyFileSync, renameSync, unlinkSync } from 'fs';
 import { join, resolve, dirname } from 'path';
+import { homedir, platform } from 'os';
+import { spawnSync } from 'child_process';
 import { env } from 'process';
-import { existsSync, readFileSync, mkdirSync, writeFileSync, copyFileSync, renameSync, unlinkSync } from 'fs';
-import { createHash } from 'crypto';
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
@@ -104,8 +104,7 @@ function loadPrivateKey(key) {
     return key;
   }
   if (typeof key === "string" && key.includes("-----BEGIN")) {
-    const nodeCrypto = __require("crypto");
-    const keyObj = nodeCrypto.createPrivateKey({ key, format: "pem" });
+    const keyObj = createPrivateKey({ key, format: "pem" });
     const jwk = keyObj.export({ format: "jwk" });
     if (jwk.crv !== "P-256" || !jwk.d) {
       throw new TypeError("PEM is not a P-256 private key.");
@@ -407,18 +406,24 @@ function ensureMcpPath(url) {
     return url;
   }
 }
-// src/x402.ts
 var X402Client = class {
   signer;
   maxPerQuery;
   networks;
   assets;
+  // undefined = allowlist check disabled (backward-compatible default).
+  // Non-null = active allowlist; reject any recipient not in the set.
+  recipientAllowlist;
   constructor(opts = {}) {
     this.signer = opts.signer;
     this.maxPerQuery = opts.maxPerQuery !== void 0 ? Number(opts.maxPerQuery) : void 0;
     this.networks = new Set(opts.networks ?? ["base", "base-sepolia"]);
     this.assets = new Set(opts.assets ?? ["USDC"]);
+    if (opts.recipientAllowlist !== void 0) {
+      this.recipientAllowlist = opts.recipientAllowlist.length === 0 ? void 0 : new Set(opts.recipientAllowlist.map((a) => a.toLowerCase()));
+    } else {
+      this.recipientAllowlist = void 0;
+    }
   }
   /**
    * Validate the envelope against this client's policy and, if a signer
@@ -444,6 +449,15 @@ var X402Client = class {
         );
       }
     }
+    if (this.recipientAllowlist !== void 0) {
+      const recipientNorm = (envelope.recipient ?? "").toLowerCase();
+      if (!recipientNorm || !this.recipientAllowlist.has(recipientNorm)) {
+        throw new AlterError(
+          "PAYMENT_REQUIRED",
+          `recipient "${envelope.recipient}" is not on the known-recipient allowlist`
+        );
+      }
+    }
     if (!this.signer) {
       throw new AlterPaymentRequired(envelope.resource ?? "unknown", envelope);
     }
@@ -501,6 +515,7 @@ var MCPClient = class {
   clientInfo;
   x402;
   signing;
+  extraHeaders;
   requestCounter = 0;
   initialised = false;
   constructor(opts = {}) {
@@ -512,6 +527,7 @@ var MCPClient = class {
     this.clientInfo = opts.clientInfo ?? { name: "@truealter/sdk", version: "0.2.0" };
     this.x402 = opts.x402;
     this.signing = opts.signing;
+    this.extraHeaders = opts.extraHeaders;
   }
   /**
    * Send the MCP `initialize` handshake and capture the resulting session
@@ -675,6 +691,7 @@ var MCPClient = class {
   }
   buildHeaders(extra) {
     const headers = {
+      ...this.extraHeaders ?? {},
       "Content-Type": "application/json",
       Accept: "application/json",
       "User-Agent": `${this.clientInfo.name}/${this.clientInfo.version}`
@@ -815,6 +832,7 @@ var DEFAULT_VERIFY_AT_ALLOWLIST = Object.freeze([
   "api.truealter.com",
   "mcp.truealter.com"
 ]);
+var ALTER_PLATFORM_ISS = "did:alter:platform";
 async function verifyProvenance(envelope, opts = {}) {
   const token = typeof envelope === "string" ? envelope : envelope.token;
   if (!token) return { valid: false, reason: "empty token" };
@@ -897,9 +915,55 @@ async function verifyProvenance(envelope, opts = {}) {
   if (typeof payload.iat === "number" && payload.iat > now + 300) {
     return { valid: false, reason: "issued in the future", payload, kid: header.kid };
   }
+  const expectedIss = opts.expectedIss !== void 0 ? opts.expectedIss : ALTER_PLATFORM_ISS;
+  if (expectedIss !== "" && payload.iss !== expectedIss) {
+    return {
+      valid: false,
+      reason: `iss mismatch: expected "${expectedIss}", got "${payload.iss}"`,
+      payload,
+      kid: header.kid
+    };
+  }
+  if (opts.expectedAud !== void 0 && opts.expectedAud !== "") {
+    const tokenAud = payload.aud;
+    const audList = tokenAud === void 0 ? [] : Array.isArray(tokenAud) ? tokenAud : [tokenAud];
+    if (!audList.includes(opts.expectedAud)) {
+      return {
+        valid: false,
+        reason: `aud mismatch: expected "${opts.expectedAud}", got ${JSON.stringify(tokenAud ?? null)}`,
+        payload,
+        kid: header.kid
+      };
+    }
+  }
   return { valid: true, payload, kid: header.kid };
 }
-async function verifyToolSignatures(tools, signatures) {
+async function verifyToolSignatures(tools, signatures, opts = {}) {
+  const jwksUrl = opts.jwksUrl ?? "https://api.truealter.com/.well-known/alter-keys.json";
+  const fetchImpl = opts.fetch ?? fetch;
+  if (!jwksUrl.startsWith("https://")) {
+    return tools.map((t) => ({
+      tool: t.name,
+      valid: false,
+      reason: `jwksUrl must be https: got ${jwksUrl}`
+    }));
+  }
+  const needsJwks = tools.some((t) => {
+    const sig = signatures[t.name];
+    return sig && sig.signature;
+  });
+  let jwks = null;
+  if (needsJwks) {
+    try {
+      jwks = await fetchJwks(jwksUrl, fetchImpl);
+    } catch (err) {
+      return tools.map((t) => ({
+        tool: t.name,
+        valid: false,
+        reason: `jwks fetch failed: ${err.message}`
+      }));
+    }
+  }
   const out = [];
   for (const tool of tools) {
     const sig = signatures[tool.name];
@@ -912,6 +976,63 @@ async function verifyToolSignatures(tools, signatures) {
       out.push({ tool: tool.name, valid: false, reason: "schema hash mismatch" });
       continue;
     }
+    const jwsToken = sig.signature;
+    if (!jwsToken) {
+      out.push({ tool: tool.name, valid: true, warn_no_signature: true });
+      continue;
+    }
+    const jwksDoc = jwks;
+    let jHeader;
+    let jPayloadRaw;
+    let jSigBytes;
+    try {
+      const parts2 = jwsToken.split(".");
+      if (parts2.length !== 3) throw new Error("JWS must have three segments");
+      jHeader = JSON.parse(new TextDecoder().decode(base64urlDecode(parts2[0])));
+      jPayloadRaw = new TextDecoder().decode(base64urlDecode(parts2[1]));
+      jSigBytes = base64urlDecode(parts2[2]);
+    } catch (err) {
+      out.push({ tool: tool.name, valid: false, reason: `malformed tool JWS: ${err.message}` });
+      continue;
+    }
+    if (jHeader.alg !== "ES256") {
+      out.push({ tool: tool.name, valid: false, reason: `unsupported tool sig alg: ${jHeader.alg}` });
+      continue;
+    }
+    if (jPayloadRaw !== sig.schema_hash) {
+      out.push({ tool: tool.name, valid: false, reason: "tool JWS payload does not match schema_hash" });
+      continue;
+    }
+    const jwk = jwksDoc.keys.find((k) => jHeader.kid ? k.kid === jHeader.kid : true);
+    if (!jwk) {
+      out.push({ tool: tool.name, valid: false, reason: `no JWK for kid=${jHeader.kid}` });
+      continue;
+    }
+    let publicKey;
+    try {
+      publicKey = await importEs256JwkAsPublicKey(jwk);
+    } catch (err) {
+      out.push({ tool: tool.name, valid: false, reason: `jwk import: ${err.message}` });
+      continue;
+    }
+    const parts = jwsToken.split(".");
+    const signedInput = new TextEncoder().encode(`${parts[0]}.${parts[1]}`);
+    let sigValid = false;
+    try {
+      sigValid = await crypto.subtle.verify(
+        { name: "ECDSA", hash: "SHA-256" },
+        publicKey,
+        toArrayBuffer(jSigBytes),
+        toArrayBuffer(signedInput)
+      );
+    } catch (err) {
+      out.push({ tool: tool.name, valid: false, reason: `sig verify error: ${err.message}` });
+      continue;
+    }
+    if (!sigValid) {
+      out.push({ tool: tool.name, valid: false, reason: "tool signature mismatch" });
+      continue;
+    }
     out.push({ tool: tool.name, valid: true });
   }
   return out;
@@ -1093,10 +1214,10 @@ var AlterClient = class {
   }
   /** Verify a person is registered with ALTER (handle or id). */
   async verify(handleOrId, claims) {
-    const args = handleOrId.includes("@") ? { candidate_id: "", email: handleOrId } : handleOrId.startsWith("~") ? (
-      // ~handle — server resolves these via the candidate_id field
-      { candidate_id: handleOrId }
-    ) : { candidate_id: handleOrId };
+    const args = handleOrId.includes("@") ? { member_id: "", email: handleOrId } : handleOrId.startsWith("~") ? (
+      // ~handle — server resolves these via the member_id field
+      { member_id: handleOrId }
+    ) : { member_id: handleOrId };
     if (claims) args.claims = claims;
     return this.mcp.callTool("verify_identity", args);
   }
@@ -1546,6 +1667,26 @@ function restoreFromBackup(path, backupPath) {
 // src/wire/index.ts
 var TIMESTAMP = () => String(Math.floor(Date.now() / 1e3));
 var ISO_NOW = () => (/* @__PURE__ */ new Date()).toISOString();
+function readCfAccessEnv() {
+  const envPath = join(homedir(), ".config", "alter", "cf-access.env");
+  try {
+    const content = readFileSync(envPath, "utf8");
+    let clientId = "";
+    let clientSecret = "";
+    for (const line of content.split("\n")) {
+      const trimmed = line.trim();
+      if (trimmed.startsWith("#") || !trimmed.includes("=")) continue;
+      const eqIdx = trimmed.indexOf("=");
+      const key = trimmed.slice(0, eqIdx).replace(/^export\s+/, "").trim();
+      const val = trimmed.slice(eqIdx + 1).trim().replace(/^["']|["']$/g, "");
+      if (key === "CF_ACCESS_CLIENT_ID") clientId = val;
+      if (key === "CF_ACCESS_CLIENT_SECRET") clientSecret = val;
+    }
+    if (clientId && clientSecret) return { clientId, clientSecret };
+  } catch {
+  }
+  return void 0;
+}
 function clientById(id) {
   const hit = ALL_CLIENTS.find((c) => c.id === id);
   if (!hit) throw new Error(`unknown client id: ${id}`);
@@ -1554,6 +1695,7 @@ function clientById(id) {
 function wire(opts = {}) {
   const endpoint = opts.endpoint ?? DEFAULT_ENDPOINT;
   const apiKey = opts.apiKey;
+  const cfAccess = opts.cfAccess ?? readCfAccessEnv();
   const probes = probeAll();
   const selection = opts.only ?? probes.filter((p) => p.installed).map((p) => p.client.id);
   const ts = TIMESTAMP();
@@ -1572,9 +1714,9 @@ function wire(opts = {}) {
     }
     try {
       if (id === "claude-code") {
-        targets.push(wireClaudeCode({ endpoint, apiKey }));
+        targets.push(wireClaudeCode({ endpoint, apiKey, cfAccess }));
       } else {
-        targets.push(wireFileTarget({ id, endpoint, apiKey, timestamp: ts }));
+        targets.push(wireFileTarget({ id, endpoint, apiKey, cfAccess, timestamp: ts }));
       }
     } catch (err) {
       const message = err.message;
@@ -1608,7 +1750,12 @@ function wireFileTarget(args) {
       `refusing to wire ${client.label}: config path ${sync.resolvedPath} lives under ${sync.matchedPrefix}. Synced volumes propagate credentials across devices \u2014 move the config off the sync root, or run wire on the device you want to target.`
     );
   }
-  const entry = args.id === "claude-desktop" ? generateClaudeDesktopConfig({ endpoint: args.endpoint, apiKey: args.apiKey }) : generateGenericMcpConfig({ endpoint: args.endpoint, apiKey: args.apiKey });
+  const cfHeaders = {};
+  if (args.cfAccess) {
+    cfHeaders["CF-Access-Client-Id"] = args.cfAccess.clientId;
+    cfHeaders["CF-Access-Client-Secret"] = args.cfAccess.clientSecret;
+  }
+  const entry = args.id === "claude-desktop" ? generateClaudeDesktopConfig({ endpoint: args.endpoint, apiKey: args.apiKey }) : generateGenericMcpConfig({ endpoint: args.endpoint, apiKey: args.apiKey, headers: cfHeaders });
   const rootKey = client.rootKey;
   const serverName = "alter";
   const result = atomicJsonMerge({
@@ -1640,7 +1787,8 @@ function wireFileTarget(args) {
 }
 function wireClaudeCode(args) {
   const cmd = "claude";
-  const argList = [
+  const bridgePath = resolveBridgeScript();
+  const argList = bridgePath ? ["mcp", "add", "--scope", "user", "alter", "--", "node", bridgePath] : [
     "mcp",
     "add",
     "--scope",
@@ -1648,16 +1796,15 @@ function wireClaudeCode(args) {
     "--transport",
     "http",
     "alter",
-    args.endpoint
+    args.endpoint,
+    ...args.apiKey ? ["--header", `X-ALTER-API-Key:${args.apiKey}`] : []
   ];
-  if (args.apiKey) {
-    argList.push("--header", `X-ALTER-API-Key:${args.apiKey}`);
-  }
   const full = `${cmd} ${argList.join(" ")}`;
   const run = spawnSync(cmd, argList, {
     encoding: "utf8",
     shell: process.platform === "win32",
-    timeout: 1e4
+    timeout: 1e4,
+    env: bridgePath ? { ...process.env, ALTER_PUBLIC_MCP_ENDPOINT: args.endpoint, ...args.apiKey ? { ALTER_API_KEY: args.apiKey } : {} } : void 0
   });
   if (run.error) {
     return {
@@ -1688,6 +1835,17 @@ function wireClaudeCode(args) {
     reason: `claude mcp add exited ${String(run.status)}`
   };
 }
+function resolveBridgeScript() {
+  const { existsSync: existsSync4 } = __require("fs");
+  const { join: join3, dirname: dirname3 } = __require("path");
+  const siblingBridge = join3(dirname3(__filename), "..", "dist", "mcp-bridge.js");
+  if (existsSync4(siblingBridge)) return siblingBridge;
+  const srcBridge = join3(dirname3(__filename), "..", "mcp-bridge.js");
+  if (existsSync4(srcBridge)) return srcBridge;
+  const npmGlobalBridge = join3(dirname3(__filename), "mcp-bridge.js");
+  if (existsSync4(npmGlobalBridge)) return npmGlobalBridge;
+  return null;
+}
 function unwire() {
   const state = readWireState();
   const undone = [];
@@ -1890,4 +2048,22 @@ var TOOL_BLAST_RADIUS = {
   query_graph_similarity: "high"
 };
-export { ALL_CLIENTS, AlterAuthError, AlterClient, AlterDiscoveryError, AlterError, AlterInvalidResponse, AlterNetworkError, AlterPaymentRequired, AlterProvenanceError, AlterRateLimited, AlterTimeoutError, AlterToolError, CLAUDE_CODE, CLAUDE_DESKTOP, CURSOR, DEFAULT_DOMAIN, DEFAULT_ENDPOINT, DEFAULT_VERIFY_AT_ALLOWLIST, FREE_TOOL_NAMES, MCPClient, MCP_PROTOCOL_VERSION, PREMIUM_TOOL_NAMES, SDK_NAME, SDK_VERSION, TOOL_BLAST_RADIUS, TOOL_COSTS, TOOL_TIERS, VSCODE, X402Client, base64urlDecode, base64urlEncode2 as base64urlEncode, canonicalArgsSha256, canonicalStringify, clearDiscoveryCache, decodeDid, detectSyncedVolume, discover, encodeDid, fetchPublicKeys, generateClaudeConfig, generateClaudeDesktopConfig, generateCursorConfig, generateGenericMcpConfig, generateKeypair, keypairFromPrivateKey, loadPrivateKey, parsePaymentHeader, probeAll, probeByDir, probeClaudeCode, readWireState, resolveVerifyAt, sha2562 as sha256, sign, signInvocation, unwire, verify, verifyProvenance, verifyToolSignatures, wire, writeWireState };
+// src/homepage.ts
+var HOMEPAGE_LIMITS = {
+  whoami_max_chars: 240,
+  opener_max_chars: 280,
+  pronouns_max_chars: 32,
+  attunement_glyph_max_chars: 16
+};
+// src/themes.ts
+var THEME_LIMITS = {
+  meta_name_pattern: /^[a-z][a-z0-9-]{0,63}$/,
+  meta_description_max_chars: 240,
+  opener_library_max_entries: 32,
+  opener_entry_max_chars: 240,
+  share_note_max_chars: 280
+};
+var OSC8_ALLOWED_SCHEMES = ["https:", "mailto:"];
+export { ALL_CLIENTS, AlterAuthError, AlterClient, AlterDiscoveryError, AlterError, AlterInvalidResponse, AlterNetworkError, AlterPaymentRequired, AlterProvenanceError, AlterRateLimited, AlterTimeoutError, AlterToolError, CLAUDE_CODE, CLAUDE_DESKTOP, CURSOR, DEFAULT_DOMAIN, DEFAULT_ENDPOINT, DEFAULT_VERIFY_AT_ALLOWLIST, FREE_TOOL_NAMES, HOMEPAGE_LIMITS, MCPClient, MCP_PROTOCOL_VERSION, OSC8_ALLOWED_SCHEMES, PREMIUM_TOOL_NAMES, SDK_NAME, SDK_VERSION, THEME_LIMITS, TOOL_BLAST_RADIUS, TOOL_COSTS, TOOL_TIERS, VSCODE, X402Client, base64urlDecode, base64urlEncode2 as base64urlEncode, canonicalArgsSha256, canonicalStringify, clearDiscoveryCache, decodeDid, detectSyncedVolume, discover, encodeDid, fetchPublicKeys, generateClaudeConfig, generateClaudeDesktopConfig, generateCursorConfig, generateGenericMcpConfig, generateKeypair, keypairFromPrivateKey, loadPrivateKey, parsePaymentHeader, probeAll, probeByDir, probeClaudeCode, readWireState, resolveVerifyAt, sha2562 as sha256, sign, signInvocation, unwire, verify, verifyProvenance, verifyToolSignatures, wire, writeWireState };

package/dist/mcp-bridge.js ADDED Viewed

@@ -0,0 +1,166 @@
+#!/usr/bin/env node
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import * as https from 'https';
+import * as http from 'http';
+import * as crypto from 'crypto';
+import * as readline from 'readline';
+var DEFAULT_ENDPOINT = "https://mcp.truealter.com/api/v1/mcp";
+var BRIDGE_VERSION = "0.4.0";
+var xdgConfig = process.env.XDG_CONFIG_HOME ?? path.join(os.homedir(), ".config");
+var SESSION_FILE = process.env.ALTER_SESSION_FILE ?? path.join(xdgConfig, "alter", "session.json");
+var CF_ENV_FILE = process.env.ALTER_CF_ACCESS_ENV ?? path.join(xdgConfig, "alter", "cf-access.env");
+var ENDPOINT = process.env.ALTER_PUBLIC_MCP_ENDPOINT ?? DEFAULT_ENDPOINT;
+function readSession() {
+  try {
+    const raw = fs.readFileSync(SESSION_FILE, "utf8");
+    const clean = raw.charCodeAt(0) === 65279 ? raw.slice(1) : raw;
+    return JSON.parse(clean);
+  } catch {
+    return {};
+  }
+}
+function readCfAccess() {
+  try {
+    const raw = fs.readFileSync(CF_ENV_FILE, "utf8");
+    const idMatch = raw.match(/CF_ACCESS_(?:MCP_ORG_ALTER_)?CLIENT_ID=['"](.*?)['"]/);
+    const secretMatch = raw.match(/CF_ACCESS_(?:MCP_ORG_ALTER_)?CLIENT_SECRET=['"](.*?)['"]/);
+    return {
+      id: idMatch?.[1] ?? "",
+      secret: secretMatch?.[1] ?? ""
+    };
+  } catch {
+    return { id: "", secret: "" };
+  }
+}
+function versionHash() {
+  const digest = crypto.createHash("sha256").update(`@truealter/sdk-bridge@${BRIDGE_VERSION}`).digest("hex").slice(0, 32);
+  return `sha256:${digest}`;
+}
+function b64url(buf) {
+  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function canonicalJson(v) {
+  if (v === null || typeof v !== "object") return JSON.stringify(v);
+  if (Array.isArray(v)) return "[" + v.map(canonicalJson).join(",") + "]";
+  const obj = v;
+  const keys = Object.keys(obj).sort();
+  return "{" + keys.map((k) => JSON.stringify(k) + ":" + canonicalJson(obj[k])).join(",") + "}";
+}
+function loadSigningKey(session) {
+  const kid = session.signing_kid;
+  if (!kid) return null;
+  const candidates = [];
+  if (process.env.ALTER_SIGNING_KEY_FILE) candidates.push(process.env.ALTER_SIGNING_KEY_FILE);
+  candidates.push(path.join(xdgConfig, "alter", "signing-keys", `${kid}.pem`));
+  candidates.push(path.join(xdgConfig, "alter", "signing-key.pem"));
+  for (const p of candidates) {
+    try {
+      const pem = fs.readFileSync(p, "utf8");
+      return { kid, key: crypto.createPrivateKey(pem) };
+    } catch {
+    }
+  }
+  return null;
+}
+function signInvocation(signer, toolName, toolArgs, handle) {
+  const header = b64url(Buffer.from(JSON.stringify({ alg: "ES256", kid: signer.kid })));
+  const claims = {
+    tool: toolName,
+    args_sha256: crypto.createHash("sha256").update(canonicalJson(toolArgs ?? {}), "utf8").digest("hex"),
+    nonce: b64url(crypto.randomBytes(24)),
+    iat: Math.floor(Date.now() / 1e3),
+    iss: handle
+  };
+  const payload = b64url(Buffer.from(JSON.stringify(claims)));
+  const signingInput = `${header}.${payload}`;
+  const sig = crypto.createSign("SHA256").update(signingInput).sign({ key: signer.key, dsaEncoding: "ieee-p1363" });
+  return `${signingInput}.${b64url(sig)}`;
+}
+function proxyRequest(body, msg) {
+  return new Promise((resolve, reject) => {
+    const session = readSession();
+    const cfAccess = readCfAccess();
+    const apiKey = process.env.ALTER_API_KEY ?? session.member_api_key ?? "";
+    const url = new URL(ENDPOINT);
+    const isHttps = url.protocol === "https:";
+    const transport = isHttps ? https : http;
+    const headers = {
+      "Content-Type": "application/json",
+      "Content-Length": String(Buffer.byteLength(body)),
+      "X-Agent-Version-Hash": versionHash()
+    };
+    if (apiKey) headers["X-ALTER-API-Key"] = apiKey;
+    if (cfAccess.id) headers["CF-Access-Client-Id"] = cfAccess.id;
+    if (cfAccess.secret) headers["CF-Access-Client-Secret"] = cfAccess.secret;
+    if (apiKey && msg.method === "tools/call" && msg.params?.name) {
+      const signer = loadSigningKey(session);
+      if (signer) {
+        try {
+          headers["Mcp-Invocation-Signature"] = signInvocation(
+            signer,
+            msg.params.name,
+            msg.params.arguments ?? {},
+            session.handle ?? ""
+          );
+        } catch (e) {
+          process.stderr.write(`bridge sign error: ${e.message}
+`);
+        }
+      } else {
+        process.stderr.write(
+          `bridge: no signing key for kid ${session.signing_kid ?? "(unset)"} \u2014 run 'alter login' to provision one
+`
+        );
+      }
+    }
+    const req = transport.request(
+      {
+        hostname: url.hostname,
+        port: url.port || (isHttps ? 443 : 80),
+        path: url.pathname,
+        method: "POST",
+        headers
+      },
+      (res) => {
+        let data = "";
+        res.on("data", (chunk) => data += chunk.toString());
+        res.on("end", () => resolve(data));
+      }
+    );
+    req.on("error", (err) => reject(err));
+    req.write(body);
+    req.end();
+  });
+}
+async function main() {
+  const rl = readline.createInterface({ input: process.stdin });
+  for await (const line of rl) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    let msg;
+    try {
+      msg = JSON.parse(trimmed);
+    } catch {
+      continue;
+    }
+    try {
+      const response = await proxyRequest(trimmed, msg);
+      process.stdout.write(response + "\n");
+    } catch (err) {
+      const errResponse = JSON.stringify({
+        jsonrpc: "2.0",
+        id: msg.id ?? null,
+        error: { code: -32e3, message: err.message }
+      });
+      process.stdout.write(errResponse + "\n");
+    }
+  }
+}
+main().catch((err) => {
+  process.stderr.write(`bridge fatal: ${err.message}
+`);
+  process.exit(1);
+});

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@truealter/sdk",
-  "version": "0.4.1",
+  "version": "0.5.1",
   "description": "ALTER Identity SDK — query the continuous identity field from any JavaScript/TypeScript environment",
   "license": "Apache-2.0",
   "type": "module",
@@ -36,9 +36,9 @@
     "prepublishOnly": "npm run build"
   },
   "dependencies": {
-    "@noble/curves": "^1.6.0",
-    "@noble/ed25519": "^2.1.0",
-    "@noble/hashes": "^1.4.0"
+    "@noble/curves": "1.9.7",
+    "@noble/ed25519": "2.3.0",
+    "@noble/hashes": "1.8.0"
   },
   "devDependencies": {
     "@types/node": "^20.11.0",
@@ -46,6 +46,9 @@
     "typescript": "^5.4.5",
     "vitest": "^4.1.3"
   },
+  "overrides": {
+    "postcss": ">=8.5.10"
+  },
   "keywords": [
     "alter",
     "identity",