@truealter/sdk 0.5.1 → 0.5.8

package/dist/bin/mcp-bridge.js

@@ -2,16 +2,25 @@
 import { p256 } from '@noble/curves/p256';
 import { sha256 } from '@noble/hashes/sha256';
 import { randomBytes } from '@noble/hashes/utils';
+import * as crypto from 'crypto';
 import { createPrivateKey } from 'crypto';
 import { createInterface } from 'readline';
 import { env, stderr, exit, stdin, stdout } from 'process';
+import * as fs from 'fs';
+import * as nodePath from 'path';
+import * as os from 'os';
 
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __esm = (fn, res) => function __init() {
-  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+var __esm = (fn, res, err) => function __init() {
+  if (err) throw err[0];
+  try {
+    return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+  } catch (e) {
+    throw err = [e], e;
+  }
 };
 var __export = (target, all) => {
   for (var name in all)
@@ -214,6 +223,10 @@ var AlterInvalidResponse = class extends AlterError {
     Object.setPrototypeOf(this, new.target.prototype);
   }
 };
+
+// src/meta.ts
+var SDK_NAME = "@truealter/sdk";
+var SDK_VERSION = "0.5.8" ;
 var X402Client = class {
   signer;
   maxPerQuery;
@@ -324,6 +337,9 @@ var MCPClient = class {
   x402;
   signing;
   extraHeaders;
+  preflightHook;
+  preflightPromise = null;
+  preflightDone = false;
   requestCounter = 0;
   initialised = false;
   constructor(opts = {}) {
@@ -332,17 +348,43 @@ var MCPClient = class {
     this.fetchImpl = opts.fetch ?? fetch;
     this.timeoutMs = opts.timeoutMs ?? 3e4;
     this.maxRetries = opts.maxRetries ?? 2;
-    this.clientInfo = opts.clientInfo ?? { name: "@truealter/sdk", version: "0.2.0" };
+    this.clientInfo = opts.clientInfo ?? { name: SDK_NAME, version: SDK_VERSION };
     this.x402 = opts.x402;
     this.signing = opts.signing;
     this.extraHeaders = opts.extraHeaders;
+    this.preflightHook = opts.preflightHook;
+  }
+  /**
+   * Run the lazy version-floor preflight hook exactly once.
+   * Idempotent and serialised: concurrent callers share the same
+   * promise. Throws from the hook propagate to every concurrent caller.
+   */
+  async runPreflight() {
+    if (this.preflightDone) return;
+    if (!this.preflightHook) {
+      this.preflightDone = true;
+      return;
+    }
+    if (!this.preflightPromise) {
+      this.preflightPromise = this.preflightHook().then(
+        () => {
+          this.preflightDone = true;
+        },
+        (err) => {
+          this.preflightPromise = null;
+          throw err;
+        }
+      );
+    }
+    await this.preflightPromise;
   }
   /**
    * Send the MCP `initialize` handshake and capture the resulting session
-   * id. Idempotent — safe to call multiple times.
+   * id. Idempotent: safe to call multiple times.
    */
   async initialize() {
     if (this.initialised) return null;
+    await this.runPreflight();
     const result = await this.rpc("initialize", {
       protocolVersion: MCP_PROTOCOL_VERSION,
       capabilities: {},
@@ -435,7 +477,14 @@ var MCPClient = class {
           method: "POST",
           headers: this.buildHeaders(signatureHeader),
           body: JSON.stringify(payload),
-          signal: controller.signal
+          signal: controller.signal,
+          // Prevent fetch from silently following 3xx redirects. When
+          // Cloudflare Access credentials are absent or expired the edge
+          // returns HTTP 302 → CF Access login page (text/html). Without
+          // this option undici follows the redirect, lands on a 200 HTML
+          // body, and resp.json() throws the opaque "invalid JSON body"
+          // error that was surfaced as "MCP <method>: invalid JSON body".
+          redirect: "manual"
         });
       } catch (err) {
         clearTimeout(timer);
@@ -452,6 +501,19 @@ var MCPClient = class {
       clearTimeout(timer);
       const sessionHeader = resp.headers.get("Mcp-Session-Id");
       if (sessionHeader) this.sessionId = sessionHeader;
+      if (resp.status >= 300 && resp.status < 400) {
+        const location = resp.headers.get("Location") ?? "";
+        const isAuthRedirect = location.includes("cloudflareaccess.com") || location.includes("/cdn-cgi/access/") || !location.startsWith("/") && !location.startsWith(new URL(this.endpoint).origin);
+        if (isAuthRedirect) {
+          throw new AlterAuthError(
+            `MCP ${method}: Cloudflare Access blocked the request (session expired or credentials missing). Run \`alter login\` to re-authenticate.`,
+            302
+          );
+        }
+        throw new AlterNetworkError(
+          `MCP ${method}: unexpected redirect ${resp.status} to ${location || "(no Location)"}`
+        );
+      }
       if (resp.status === 401 || resp.status === 403) {
         throw new AlterAuthError(`HTTP ${resp.status} on ${method}`, resp.status);
       }
@@ -476,11 +538,56 @@ var MCPClient = class {
         const body2 = await safeText(resp);
         throw new AlterError("NETWORK", `HTTP ${resp.status} on ${method}: ${body2.slice(0, 200)}`);
       }
+      const contentType = resp.headers.get("Content-Type") ?? "";
+      const isHtml = contentType.includes("text/html");
+      const isSse = contentType.includes("text/event-stream");
+      if (isHtml || isSse) {
+        if (isSse) {
+          const rawText = await safeText(resp);
+          const dataLine = rawText.split("\n").find((l) => l.startsWith("data:"));
+          if (dataLine) {
+            const jsonPart = dataLine.slice("data:".length).trim();
+            try {
+              const parsed = JSON.parse(jsonPart);
+              if (parsed.error) {
+                const code = parsed.error.code;
+                const message = parsed.error.message ?? `MCP ${method} error`;
+                throw new AlterToolError(this.guessToolName(payload), message, code);
+              }
+              return parsed.result;
+            } catch (parseErr) {
+              if (parseErr instanceof AlterError) throw parseErr;
+              throw new AlterInvalidResponse(
+                `MCP ${method}: could not parse SSE data frame as JSON`,
+                parseErr
+              );
+            }
+          }
+          throw new AlterInvalidResponse(
+            `MCP ${method}: received text/event-stream response with no data: frame`
+          );
+        }
+        const excerpt = (await safeText(resp)).slice(0, 300);
+        const looksLikeLoginPage = excerpt.toLowerCase().includes("cloudflareaccess") || excerpt.toLowerCase().includes("access denied") || excerpt.toLowerCase().includes("<title>");
+        if (looksLikeLoginPage) {
+          throw new AlterAuthError(
+            `MCP ${method}: received an HTML login page instead of JSON (Content-Type: ${contentType}). Run \`alter login\` to re-authenticate.`,
+            200
+          );
+        }
+        throw new AlterInvalidResponse(
+          `MCP ${method}: unexpected Content-Type "${contentType}" (expected application/json). Body excerpt: ${excerpt.slice(0, 120)}`
+        );
+      }
       let body;
       try {
         body = await resp.json();
       } catch (err) {
-        throw new AlterInvalidResponse(`MCP ${method}: invalid JSON body`, err);
+        const hint = contentType ? ` (Content-Type: ${contentType})` : "";
+        throw new AlterInvalidResponse(
+          `MCP ${method}: failed to parse JSON response${hint}. The server may have returned a non-JSON body. Run \`alter login\` if the session is expired.`,
+          err
+        );
       }
       if (body.error) {
         const code = body.error.code;
@@ -501,8 +608,11 @@ var MCPClient = class {
     const headers = {
       ...this.extraHeaders ?? {},
       "Content-Type": "application/json",
-      Accept: "application/json",
-      "User-Agent": `${this.clientInfo.name}/${this.clientInfo.version}`
+      Accept: "application/json, text/event-stream",
+      "User-Agent": `${this.clientInfo.name}/${this.clientInfo.version}`,
+      "X-Alter-Client-Id": "alter-identity",
+      "X-Alter-Client-Version": SDK_VERSION,
+      "X-Alter-Client-Channel": "npm"
     };
     if (this.apiKey) headers["X-ALTER-API-Key"] = this.apiKey;
     if (this.sessionId) headers["Mcp-Session-Id"] = this.sessionId;
@@ -566,7 +676,7 @@ async function safeText(resp) {
 }
 
 // bin/mcp-bridge.ts
-var ENDPOINT = env.ALTER_MCP_ENDPOINT ?? "https://mcp.truealter.com/api/v1/mcp";
+var ENDPOINT = env.ALTER_MCP_ENDPOINT ?? "https://api.truealter.com/api/v1/mcp";
 var API_KEY = env.ALTER_API_KEY ?? void 0;
 function buildExtraHeaders() {
   const headers = {};
@@ -588,14 +698,67 @@ function buildExtraHeaders() {
   return Object.keys(headers).length ? headers : void 0;
 }
 var EXTRA_HEADERS = buildExtraHeaders();
-console.warn(
-  "This bridge is a dev/demo surface. Authenticated MCP tools require ES256 per-invocation signing; for production, import `@truealter/sdk` directly. Bridge signing lands in Wave-2."
-);
+var xdgConfig = env.XDG_CONFIG_HOME ?? nodePath.join(os.homedir(), ".config");
+function readSession() {
+  const sessionFile = env.ALTER_SESSION_FILE ?? nodePath.join(xdgConfig, "alter", "session.json");
+  try {
+    const raw = fs.readFileSync(sessionFile, "utf8");
+    const clean = raw.charCodeAt(0) === 65279 ? raw.slice(1) : raw;
+    return JSON.parse(clean);
+  } catch {
+    return {};
+  }
+}
+function resolveSigningOptions(session) {
+  const envPem = env.ALTER_SIGNING_KEY;
+  if (envPem) {
+    const envKid = env.ALTER_SIGNING_KID ?? session.signing_kid;
+    if (envKid) {
+      try {
+        crypto.createPrivateKey(envPem);
+        return { kid: envKid, privateKey: envPem, handle: session.handle ?? "" };
+      } catch (e) {
+        stderr.write(`bridge: ALTER_SIGNING_KEY parse error: ${e.message}
+`);
+      }
+    }
+  }
+  const kid = session.signing_kid;
+  if (!kid) return null;
+  const candidates = [];
+  if (env.ALTER_SIGNING_KEY_FILE) candidates.push(env.ALTER_SIGNING_KEY_FILE);
+  candidates.push(nodePath.join(xdgConfig, "alter", "signing-keys", `${kid}.pem`));
+  candidates.push(nodePath.join(xdgConfig, "alter", "signing-key.pem"));
+  for (const p of candidates) {
+    try {
+      const pem = fs.readFileSync(p, "utf8");
+      crypto.createPrivateKey(pem);
+      return { kid, privateKey: pem, handle: session.handle ?? "" };
+    } catch {
+    }
+  }
+  return null;
+}
+var _session = readSession();
+var _signingOpts = resolveSigningOptions(_session);
+if (API_KEY && !_signingOpts) {
+  stderr.write(
+    `bridge: no signing key for kid ${_session.signing_kid ?? "(unset)"}: run 'alter login' to provision one
+`
+  );
+}
 var client = new MCPClient({
   endpoint: ENDPOINT,
   apiKey: API_KEY,
   clientInfo: { name: "@truealter/sdk-mcp-bridge", version: "0.2.0" },
-  extraHeaders: EXTRA_HEADERS
+  extraHeaders: EXTRA_HEADERS,
+  ..._signingOpts ? {
+    signing: {
+      kid: _signingOpts.kid,
+      privateKey: _signingOpts.privateKey,
+      handle: _signingOpts.handle
+    }
+  } : {}
 });
 function send(response) {
   stdout.write(JSON.stringify(response) + "\n");
@@ -694,3 +857,5 @@ main().catch((err) => {
 `);
   exit(1);
 });
+
+export { resolveSigningOptions };