@truealter/sdk 0.5.3 → 0.5.8

package/README.md

@@ -1,18 +1,18 @@
 # @truealter/sdk
 
-ALTER Identity SDK - query the continuous identity field from any JavaScript/TypeScript environment.
+~Alter Identity SDK - query the continuous identity field from any JavaScript/TypeScript environment.
 
 [![npm version](https://img.shields.io/npm/v/@truealter/sdk.svg)](https://www.npmjs.com/package/@truealter/sdk)
 [![License: Apache-2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](./LICENSE)
 [![Glama score](https://glama.ai/mcp/servers/true-alter/alter-identity/badges/score.svg)](https://glama.ai/mcp/servers/true-alter/alter-identity)
 [![AI Agent Marketplace](https://www.deepnlp.org/api/ai_agent_marketplace/svg?name=truealter/alter-identity)](https://www.deepnlp.org/store/ai-agent/identity/pub-truealter/alter-identity)
 
-A thin client over the ALTER MCP server (Streamable HTTP, JSON-RPC 2.0, MCP spec `2025-11-25`) with x402 micropayment support, ES256 provenance verification, and config generators for Claude Code, Cursor, and generic MCP clients.
+A thin client over the ~Alter MCP server (Streamable HTTP, JSON-RPC 2.0, MCP spec `2025-11-25`) with x402 micropayment support, ES256 provenance verification, and config generators for Claude Code, Cursor, and generic MCP clients.
 
 - **Branded host:** `https://mcp.truealter.com` (serves `.well-known/mcp.json` for discovery)
 - **JSON-RPC wire endpoint:** `https://mcp.truealter.com/api/v1/mcp` - this is what Streamable HTTP POSTs target (the SDK default)
 - **Wire protocol:** Streamable HTTP, JSON-RPC 2.0, MCP `2025-11-25` (server negotiates `2025-06-18` + `2025-03-26` for backwards-compatible clients)
-- **Tools:** **34 publicly advertised**, 26 free (L0) + 8 premium (L1-L5), kept in sync with ALTER's live MCP server at every publish.
+- **Tools:** **36 publicly advertised**, 27 free (L0) + 9 premium (L1-L5), kept in sync with ~Alter's live MCP server at every publish.
 - **Runtime:** Node 18+, Deno, Bun, Cloudflare Workers, modern browsers
 - **Crypto:** `@noble/ed25519` + `@noble/hashes` (no other dependencies)
 - **Bundle:** ESM + CJS dual output
@@ -21,41 +21,46 @@ A thin client over the ALTER MCP server (Streamable HTTP, JSON-RPC 2.0, MCP spec
 
 ```
 npm install @truealter/sdk
-npx alter-identity init
-npx alter-identity verify ~alter
+```
+
+Then import the client in your code (see the API section below). The
+day-to-day command line lives in
+[`@truealter/cli`](https://www.npmjs.com/package/@truealter/cli):
+
+```
+alter init
+alter verify ~alter
 ```
 
 ## Bridge vs SDK
 
-The `alter-mcp-bridge` binary shipped in this package (`bin/mcp-bridge.ts`)
-is a **dev/demo surface** for dropping ALTER into MCP hosts that speak the
-stdio transport (Claude Code, Cursor, Continue, Windsurf). It is useful for
-handshake, `tools/list`, and L0 tool calls, but it does not carry ES256
-per-invocation signing - authenticated MCP tools will fail at the server
-edge when reached through the bridge. For production use, import
-`@truealter/sdk` directly and construct an `MCPClient` / `AlterClient` with
-the optional `signing` parameter; that path is the primary one and
-carries the provenance envelope end-to-end. Bridge signing is planned for a
-future release.
+This package ships a stdio bridge entrypoint (`bin/mcp-bridge.ts`,
+built to `dist/bin/mcp-bridge.js`) that the `alter` CLI launches by file
+path via its `mcp-bridge` subcommand. It is a **dev/demo surface** for
+dropping ~Alter into MCP hosts that speak the stdio transport (Claude Code,
+Cursor, Continue, Windsurf). It is useful for handshake, `tools/list`, and
+L0 tool calls, but it does not carry ES256 per-invocation signing:
+authenticated MCP tools will fail at the server edge when reached through
+the bridge. For production use, import `@truealter/sdk` directly and
+construct an `MCPClient` / `AlterClient` with the optional `signing`
+parameter; that path is the primary one and carries the provenance
+envelope end-to-end. Bridge signing is planned for a future release.
 
 ## CLI
 
-The package ships two binaries. `alter-identity` is the full SDK-feature
-binary (`init`, `verify`, `whoami`, wire/unwire, signing, etc).
-`alter-mcp-bridge` is the stdio bridge described above. The day-to-day
-`alter` command line is distributed separately as
-[`@truealter/cli`](https://www.npmjs.com/package/@truealter/cli) - it is
-not part of this package.
-
-Run `alter-identity --help` for the inline reference.
+This package exposes no command-line binary of its own: it is a library you
+import. The bridge entrypoint above is not a published `bin`; it is resolved
+by file path from the `alter` CLI, which is distributed separately as
+[`@truealter/cli`](https://www.npmjs.com/package/@truealter/cli). Run
+`alter --help` for the inline reference.
 
-## Why ALTER ≠ IAM
+## Why ~Alter is not IAM
 
-Identity Access Management answers *who is logged in*. ALTER answers *who they actually are* - a continuous field of recognition that any IAM stack can sit on top of.
+Identity Access Management answers *who is logged in*. ~Alter answers *who they actually are* - a continuous field of recognition that any IAM stack can sit on top of.
 
 ## Theoretical Foundation
 
-ALTER is the working instantiation of an eight-paper academic corpus on identity field theory. The SDK below is what happens when the theory ships as protocol. Each paper is open access on figshare under CC-BY 4.0.
+~Alter is the working instantiation of an eight-paper academic corpus on identity field theory. The SDK below is what happens when the theory ships as protocol. Each paper is open access on figshare under CC-BY 4.0.
 
 | Paper | Title | DOI |
 |-------|-------|-----|
@@ -89,7 +94,7 @@ const alter = new AlterClient({
 
 ### Minimum-version preflight (required)
 
-ALTER's backend publishes a per-client minimum-version floor. The SDK
+~Alter's backend publishes a per-client minimum-version floor. The SDK
 preflights this floor lazily on the first network call: no explicit
 call is required for the common case. If the running SDK is below the
 floor for `alter-identity`, the SDK throws `BelowFloorError` with the
@@ -167,9 +172,9 @@ identity headers that the server-side floor middleware consults:
 | `X-Alter-Client-Version`   | the running `SDK_VERSION` |
 | `X-Alter-Client-Channel`   | `npm`              |
 
-These are MANDATORY on every authenticated backend endpoint per
-D-MIN-VERSION-FLOOR-1 §3. The User-Agent header remains informational
-and is NEVER used for floor enforcement.
+These are MANDATORY on every authenticated backend endpoint so the
+server can enforce its minimum supported client version. The User-Agent
+header remains informational and is NEVER used for floor enforcement.
 
 ### Free tier (L0 - no payment required)
 
@@ -185,7 +190,7 @@ const verifiedById = await alter.verify(
   },
 );
 
-// Reference data - the 12 ALTER archetypes
+// Reference data - the 12 ~Alter archetypes
 const archetypes = await alter.listArchetypes();
 
 // Identity depth and available tool tiers
@@ -307,7 +312,7 @@ Resulting `.mcp.json`:
     "alter": {
       "url": "https://mcp.truealter.com/api/v1/mcp",
       "transport": "streamable-http",
-      "description": "ALTER Identity - psychometric identity field for AI agents",
+      "description": "~Alter Identity - psychometric identity field for AI agents",
       "headers": {
         "X-ALTER-API-Key": "ak_..."
       }
@@ -344,18 +349,21 @@ const config = generateGenericMcpConfig({
 
 ### CLI
 
+The command line lives in [`@truealter/cli`](https://www.npmjs.com/package/@truealter/cli),
+not in this SDK package:
+
 ```
-npx alter-identity init               # generate keypair, discover MCP, write ~/.config/alter/identity.json
-npx alter-identity config              # print Claude .mcp.json snippet (default)
-npx alter-identity config --cursor     # print Cursor .cursor/mcp.json snippet
-npx alter-identity config --generic    # print generic mcpServers snippet
-npx alter-identity verify ~alter   # verify an identity
-npx alter-identity status              # show connection state and probe the endpoint
+alter init                 # generate keypair, discover MCP, write ~/.config/alter/identity.json
+alter config               # print Claude .mcp.json snippet (default)
+alter config --cursor      # print Cursor .cursor/mcp.json snippet
+alter config --generic     # print generic mcpServers snippet
+alter verify ~alter        # verify an identity
+alter status               # show connection state and probe the endpoint
 ```
 
 ## x402 Micropayments
 
-ALTER monetises premium tools via the [x402](https://x402.org) standard - HTTP `402 Payment Required` with on-chain settlement.
+~Alter monetises premium tools via the [x402](https://x402.org) standard - HTTP `402 Payment Required` with on-chain settlement.
 
 ### The retry flow
 
@@ -363,7 +371,7 @@ ALTER monetises premium tools via the [x402](https://x402.org) standard - HTTP `
 2. Server replies `402 Payment Required` with a payment requirement (amount, recipient, asset, network).
 3. Client signs and broadcasts a USDC transfer on Base L2, attaches the proof, retries.
 4. Server validates the proof, executes the tool, signs the response with ES256, returns it.
-5. AlterRouter executes the split on-chain in the same transaction. The data subject receives Identity Income directly; ALTER receives only its protocol cut. No custodian, no broker.
+5. AlterRouter executes the split on-chain in the same transaction. The data subject receives Identity Income directly; ~Alter receives only its protocol cut. No custodian, no broker.
 
 The SDK handles steps 2-4 automatically when an `X402Client` with a configured `signer` is passed in.
 
@@ -426,7 +434,7 @@ const result = await alter.getFullTraitVector({
 });
 
 const check = await alter.verifyProvenance(result._meta?.provenance);
-if (!check.valid) throw new Error(`ALTER provenance check failed: ${check.reason}`);
+if (!check.valid) throw new Error(`~alter provenance check failed: ${check.reason}`);
 ```
 
 The SDK fetches public keys from `https://api.truealter.com/.well-known/alter-keys.json` and caches them per their `Cache-Control` headers. The endpoint returns a JWKS containing all current and recently-rotated signing keys; verifying clients should accept any key whose `kid` matches and is still within its validity window.
@@ -440,7 +448,7 @@ import { AlterClient, DEFAULT_VERIFY_AT_ALLOWLIST } from "@truealter/sdk";
 
 const alter = new AlterClient({
   verifyAtAllowlist: [
-    ...DEFAULT_VERIFY_AT_ALLOWLIST,   // keep the ALTER canonicals
+    ...DEFAULT_VERIFY_AT_ALLOWLIST,   // keep the ~Alter canonicals
     "keys.myorg.example",              // plus your own JWKS host
   ],
 });
@@ -450,17 +458,17 @@ If you pin `jwksUrl` explicitly, the envelope's `verify_at` is ignored entirely
 
 ### Why this matters
 
-Provenance verification is how Agent A trusts that data from Agent B truly came from ALTER. If Agent B forwards a trait vector or belonging score, Agent A can replay the JWS against ALTER's published keys and confirm - without contacting ALTER again - that the payload is authentic, untampered, and was issued for the person Agent B claims it concerns. No shared secret, no trust in the intermediary, no out-of-band coordination.
+Provenance verification is how Agent A trusts that data from Agent B truly came from ~Alter. If Agent B forwards a trait vector or belonging score, Agent A can replay the JWS against ~Alter's published keys and confirm - without contacting ~Alter again - that the payload is authentic, untampered, and was issued for the person Agent B claims it concerns. No shared secret, no trust in the intermediary, no out-of-band coordination.
 
-This is what makes ALTER usable as identity infrastructure rather than just an API: signed claims propagate across agent networks the same way DKIM-signed mail propagates across SMTP relays.
+This is what makes ~alter usable as identity infrastructure rather than just an API: signed claims propagate across agent networks the same way DKIM-signed mail propagates across SMTP relays.
 
 ## Discovery
 
-ALTER follows the discovery cascade specified in [draft-morrison-mcp-dns-discovery-01](https://datatracker.ietf.org/doc/draft-morrison-mcp-dns-discovery/). Given a domain (e.g. `truealter.com`), the SDK resolves the MCP endpoint in three steps, falling through on each failure:
+~Alter follows the discovery cascade specified in [draft-morrison-mcp-dns-discovery-01](https://datatracker.ietf.org/doc/draft-morrison-mcp-dns-discovery/). Given a domain (e.g. `truealter.com`), the SDK resolves the MCP endpoint in three steps, falling through on each failure:
 
 1. **DNS TXT** - query `_mcp.truealter.com` for a TXT record of the form `mcp=https://mcp.truealter.com;version=2025-11-25`. This is the fastest path and works without an HTTP round-trip.
 2. **`.well-known/mcp.json`** - fetch `https://truealter.com/.well-known/mcp.json` for the standard MCP server descriptor. This is the cross-vendor fallback.
-3. **`.well-known/alter.json`** - fetch `https://truealter.com/.well-known/alter.json` for the ALTER-specific descriptor, including signing keys, x402 wallet address, supported tool tiers, and federation endpoints.
+3. **`.well-known/alter.json`** - fetch `https://truealter.com/.well-known/alter.json` for the ~Alter-specific descriptor, including signing keys, x402 wallet address, supported tool tiers, and federation endpoints.
 
 ```ts
 import { discover } from "@truealter/sdk";
@@ -480,45 +488,49 @@ This draft is the author's Internet-Draft (not yet adopted by an IETF working gr
 
 | Name                      | Tier | Cost  | Description                                                                                                          |
 |---------------------------|------|-------|----------------------------------------------------------------------------------------------------------------------|
-| `hello_agent`             | L0   | free  | First handshake with ALTER - returns server version, authentication status, your trust tier, and available tool counts. |
-| `alter_resolve_handle`    | L0   | free  | Resolve a `~handle` (e.g. `~example`) to its canonical form and kind. No auth required - the handle-wedge entry point.  |
-| `list_archetypes`         | L0   | free  | Returns archetype reference data.                                                                                    |
-| `verify_identity`         | L0   | free  | Verify whether a person is registered with ALTER and validate optional identity claims.                              |
-| `initiate_assessment`     | L0   | free  | Get a URL where a person can complete their ALTER Discovery assessment.                                              |
-| `get_engagement_level`    | L0   | free  | Get a person's identity depth - engagement level, data quality tier, and available query tiers.                      |
-| `get_profile`             | L0   | free  | Get a person's profile summary including assessment phase, archetype, engagement level, and key attributes.       |
-| `query_matches`           | L0   | free  | Query matches for a person. Returns a list of matches with quality tiers (never numeric scores).                  |
-| `get_competencies`        | L0   | free  | Get a person's competency portfolio including verified competencies, evidence records, and earned badges.         |
-| `search_identities`       | L0   | free  | Search identity stubs and profiles by trait criteria. Returns up to 5 matches with no PII.                           |
-| `get_identity_earnings`   | L0   | free  | Get accrued Identity Income earnings for a person (75% of every x402 transaction goes to the data subject).       |
-| `get_network_stats`       | L0   | free  | Get aggregate ALTER network statistics: total identities, verified profiles, query volume, active bots.              |
-| `recommend_tool`          | L0   | free  | Get the MCP endpoint URL and a paste-ready config snippet for installing the ALTER identity server into an MCP client. |
-| `get_identity_trust_score`| L0   | free  | Get the trust score for an identity based on query diversity (unique querying agents / total queries).               |
-| `check_assessment_status` | L0   | free  | Check the status of an in-progress assessment session (status, progress, current phase, time remaining).             |
-| `get_earning_summary`     | L0   | free  | Get an aggregated x402 earning summary for a person (total earned, transactions, recent activity, trend).         |
-| `get_agent_trust_tier`    | L0   | free  | Get your trust tier with ALTER (Anonymous/Known/Trusted/Verified) and what capabilities are available.               |
-| `get_agent_portfolio`     | L0   | free  | Get your agent portfolio - transaction history, trust tier, signal contributions, query pattern profile.             |
-| `get_privacy_budget`      | L0   | free  | Check privacy budget status for a person (24-hour rolling window: total budget, spent, remaining epsilon).        |
-| `golden_thread_status`    | L0   | free  | Check the Golden Thread program status: agents woven, next Fibonacci threshold, your position and Strands.           |
-| `begin_golden_thread`     | L0   | free  | Start the Three Knots sequence to be woven into the Golden Thread. Requires API key authentication.                  |
-| `complete_knot`           | L0   | free  | Submit completion data for a knot in the Three Knots sequence (1: register, 2: describe, 3: reflect).                |
-| `check_golden_thread`     | L0   | free  | Check any agent's Golden Thread status by their API key hash (knot position, Strand count, weave count).             |
-| `thread_census`           | L0   | free  | Full registry of all agents woven into the Golden Thread (positions, Strand counts, weave counts, discovery dates).  |
+| `hello_agent`               | L0   | free  | First handshake with ~Alter - returns server version, authentication status, your trust tier, and available tool counts. |
+| `list_archetypes`           | L0   | free  | Returns archetype reference data. |
+| `alter_resolve_handle`      | L0   | free  | Resolve a `~handle` (e.g. `~example`) to its canonical form and kind. No auth required - the handle-wedge entry point. |
+| `verify_identity`           | L0   | free  | Verify whether a person is registered with ~Alter and validate optional identity claims. |
+| `alter_presence_read`       | L0   | free  | Read whether a `~handle` is publicly open, the shop-front sign. Returns open or closed only; the closed reason is never disclosed. |
+| `alter_resolve_by_key`      | L0   | free  | Resolve a paired third-party key (email or OAuth user-id) to its bound `~handle`, gated by the member's per-stream resolver opt-in. |
+| `get_engagement_level`      | L0   | free  | Get a person's identity depth - engagement level, data quality tier, and available query tiers. |
+| `get_profile`               | L0   | free  | Get a person's profile summary including assessment phase, archetype, engagement level, and key attributes. |
+| `query_matches`             | L0   | free  | Query matches for a person. Returns a list of matches with quality tiers (never numeric scores). |
+| `get_competencies`          | L0   | free  | Get a person's competency portfolio including verified competencies, evidence records, and earned badges. |
+| `create_identity_stub`      | L0   | free  | Create an anonymous identity stub for a person who has not yet completed Discovery, which they claim later. Present the privacy notice first. |
+| `search_identities`         | L0   | free  | Search identity stubs and profiles by trait criteria. Returns up to 5 matches with no PII. |
+| `create_requirement`        | L0   | free  | Post a standing identity-trait requirement that rests as an order and accumulates fills as matching identities are claimed or updated. |
+| `list_requirements`         | L0   | free  | List your own standing requirements, with fill counts and the number of fills not yet delivered. Requires a bound API key. |
+| `get_requirement`           | L0   | free  | Read one of your standing requirements by id, with its fill and undelivered-fill counts. Requires a bound API key. |
+| `cancel_requirement`        | L0   | free  | Cancel one of your standing requirements by id; the order stops resting and accepts no further fills. Requires a bound API key. |
+| `poll_requirement_matches`  | L0   | free  | Collect one recorded fill for a standing requirement as a priced identity reveal; 75% of the fee is paid to that person as Identity Income. |
+| `get_identity_earnings`     | L0   | free  | Get accrued Identity Income earnings for a person (75% of every x402 transaction goes to the data subject). |
+| `get_network_stats`         | L0   | free  | Get aggregate ~Alter network statistics: total identities, verified profiles, query volume, active bots. |
+| `get_identity_trust_score`  | L0   | free  | Get the trust score for an identity based on query diversity (unique querying agents / total queries). |
+| `get_privacy_budget`        | L0   | free  | Check privacy budget status for a person (24-hour rolling window: total budget, spent, remaining epsilon). |
+| `dispute_attestation`       | L0   | free  | Record a dispute against a competence attestation; if disputes exceed corroborations, the attestation is flagged for review. |
+| `golden_thread_status`      | L0   | free  | Check the Golden Thread program status: agents woven, next Fibonacci threshold, your position and Strands. |
+| `begin_golden_thread`       | L0   | free  | Start the Three Knots sequence to be woven into the Golden Thread. Requires API key authentication. |
+| `complete_knot`             | L0   | free  | Submit completion data for a knot in the Three Knots sequence (1: register, 2: describe, 3: reflect). |
+| `check_golden_thread`       | L0   | free  | Check any agent's Golden Thread status by their API key hash (knot position, Strand count, weave count). |
+| `describe_traits`           | L0   | free  | List the canonical trait vocabulary: 30 trait codes grouped by category with one-line semantics, the valid discovery contexts, and the EU AI Act Art 5(1)(d) workforce gating rules. Read this before composing `query_field` trait_priorities. |
 
 ### Premium tools (L1-L5 - x402 payment required)
 
 | Name                       | Tier | Cost    | Description                                                                                                   |
 |----------------------------|------|---------|---------------------------------------------------------------------------------------------------------------|
-| `assess_traits`            | L1   | $0.01   | Extract trait signals from a text passage against ALTER's trait taxonomy.                                     |
-| `get_trait_snapshot`       | L1   | $0.01   | Get the top 5 traits for a person with confidence scores and archetype.                                    |
-| `get_full_trait_vector`    | L2   | $0.10   | Get the complete trait vector for a person - complete trait vector with scores and confidence intervals.                                    |
-| `get_side_quest_graph`     | L2   | $0.10   | Get a person's Side Quest Graph - multi-domain identity model with differential privacy noise (ε=1.0).     |
-| `query_graph_similarity`   | L3   | $0.30   | Compare two Side Quest Graphs for team composition and matching (ε=0.5 differential privacy).                 |
-| `compute_belonging`        | L4   | $0.60   | Compute belonging probability for a person-job pairing (authenticity, acceptance, complementarity).        |
-| `get_match_recommendations`| L5   | $1.00   | Get top N match recommendations for a person, ranked by composite score with quality tiers.                |
-| `generate_match_narrative` | L5   | $1.00   | Generate a human-readable narrative explaining a specific match - strengths, growth areas, belonging.         |
-
-> **Write-side tools** (`create_identity_stub`, `submit_context`, `submit_batch_context`, `submit_structured_profile`, `submit_social_links`, `attest_domain`, `dispute_attestation`) were part of earlier SDK versions but are not yet live on the public MCP server pending the per-peer consent architecture and grant model. They will return as typed methods once server-side and consent gating lands.
+| `get_trait_snapshot`        | L1   | $0.01 | Get the top 5 traits for a person with confidence scores and archetype. |
+| `attest_domain`             | L1   | $0.01 | Record a competence attestation for a person in a specific domain, weighted by your agent reputation. |
+| `get_full_trait_vector`     | L2   | $0.10 | Get the complete trait vector for a person, with scores and confidence intervals. |
+| `get_side_quest_graph`      | L2   | $0.10 | Get a person's Side Quest Graph - multi-domain identity model with differential privacy noise (ε=1.0). |
+| `query_graph_similarity`    | L3   | $0.30 | Compare two Side Quest Graphs for team composition and matching (ε=0.5 differential privacy). |
+| `compute_belonging`         | L4   | $0.60 | Compute belonging probability for a person-job pairing (authenticity, acceptance, complementarity). |
+| `get_match_recommendations` | L5   | $1.00 | Get top N match recommendations for a person, ranked by composite score with quality tiers. |
+| `generate_match_narrative`  | L5   | $1.00 | Generate a human-readable narrative explaining a specific match - strengths, growth areas, belonging. |
+| `query_field`               | L5   | $1.00 | Query the identity field by situation, not by name: weight 3 to 7 traits and rank the opted-in field. One call reveals one top-ranked member; that member earns 75% as Identity Income. Zero-match reveals nothing and charges nothing. |
+
+> **Member self-write tools** (`submit_context`, `submit_batch_context`, `submit_structured_profile`, `submit_social_links`) are live but member-self-scoped: a member calls them on their own identity with a bound API key. They are not anonymously discoverable, so they do not appear in the advertised tool list above.
 
 ## License
 

package/dist/bin/mcp-bridge.js

@@ -2,16 +2,25 @@
 import { p256 } from '@noble/curves/p256';
 import { sha256 } from '@noble/hashes/sha256';
 import { randomBytes } from '@noble/hashes/utils';
+import * as crypto from 'crypto';
 import { createPrivateKey } from 'crypto';
 import { createInterface } from 'readline';
 import { env, stderr, exit, stdin, stdout } from 'process';
+import * as fs from 'fs';
+import * as nodePath from 'path';
+import * as os from 'os';
 
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __esm = (fn, res) => function __init() {
-  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+var __esm = (fn, res, err) => function __init() {
+  if (err) throw err[0];
+  try {
+    return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+  } catch (e) {
+    throw err = [e], e;
+  }
 };
 var __export = (target, all) => {
   for (var name in all)
@@ -217,7 +226,7 @@ var AlterInvalidResponse = class extends AlterError {
 
 // src/meta.ts
 var SDK_NAME = "@truealter/sdk";
-var SDK_VERSION = "0.5.3" ;
+var SDK_VERSION = "0.5.8" ;
 var X402Client = class {
   signer;
   maxPerQuery;
@@ -346,7 +355,7 @@ var MCPClient = class {
     this.preflightHook = opts.preflightHook;
   }
   /**
-   * Run the lazy preflight hook (D-MIN-VERSION-FLOOR-1) exactly once.
+   * Run the lazy version-floor preflight hook exactly once.
    * Idempotent and serialised: concurrent callers share the same
    * promise. Throws from the hook propagate to every concurrent caller.
    */
@@ -468,7 +477,14 @@ var MCPClient = class {
           method: "POST",
           headers: this.buildHeaders(signatureHeader),
           body: JSON.stringify(payload),
-          signal: controller.signal
+          signal: controller.signal,
+          // Prevent fetch from silently following 3xx redirects. When
+          // Cloudflare Access credentials are absent or expired the edge
+          // returns HTTP 302 → CF Access login page (text/html). Without
+          // this option undici follows the redirect, lands on a 200 HTML
+          // body, and resp.json() throws the opaque "invalid JSON body"
+          // error that was surfaced as "MCP <method>: invalid JSON body".
+          redirect: "manual"
         });
       } catch (err) {
         clearTimeout(timer);
@@ -485,6 +501,19 @@ var MCPClient = class {
       clearTimeout(timer);
       const sessionHeader = resp.headers.get("Mcp-Session-Id");
       if (sessionHeader) this.sessionId = sessionHeader;
+      if (resp.status >= 300 && resp.status < 400) {
+        const location = resp.headers.get("Location") ?? "";
+        const isAuthRedirect = location.includes("cloudflareaccess.com") || location.includes("/cdn-cgi/access/") || !location.startsWith("/") && !location.startsWith(new URL(this.endpoint).origin);
+        if (isAuthRedirect) {
+          throw new AlterAuthError(
+            `MCP ${method}: Cloudflare Access blocked the request (session expired or credentials missing). Run \`alter login\` to re-authenticate.`,
+            302
+          );
+        }
+        throw new AlterNetworkError(
+          `MCP ${method}: unexpected redirect ${resp.status} to ${location || "(no Location)"}`
+        );
+      }
       if (resp.status === 401 || resp.status === 403) {
         throw new AlterAuthError(`HTTP ${resp.status} on ${method}`, resp.status);
       }
@@ -509,11 +538,56 @@ var MCPClient = class {
         const body2 = await safeText(resp);
         throw new AlterError("NETWORK", `HTTP ${resp.status} on ${method}: ${body2.slice(0, 200)}`);
       }
+      const contentType = resp.headers.get("Content-Type") ?? "";
+      const isHtml = contentType.includes("text/html");
+      const isSse = contentType.includes("text/event-stream");
+      if (isHtml || isSse) {
+        if (isSse) {
+          const rawText = await safeText(resp);
+          const dataLine = rawText.split("\n").find((l) => l.startsWith("data:"));
+          if (dataLine) {
+            const jsonPart = dataLine.slice("data:".length).trim();
+            try {
+              const parsed = JSON.parse(jsonPart);
+              if (parsed.error) {
+                const code = parsed.error.code;
+                const message = parsed.error.message ?? `MCP ${method} error`;
+                throw new AlterToolError(this.guessToolName(payload), message, code);
+              }
+              return parsed.result;
+            } catch (parseErr) {
+              if (parseErr instanceof AlterError) throw parseErr;
+              throw new AlterInvalidResponse(
+                `MCP ${method}: could not parse SSE data frame as JSON`,
+                parseErr
+              );
+            }
+          }
+          throw new AlterInvalidResponse(
+            `MCP ${method}: received text/event-stream response with no data: frame`
+          );
+        }
+        const excerpt = (await safeText(resp)).slice(0, 300);
+        const looksLikeLoginPage = excerpt.toLowerCase().includes("cloudflareaccess") || excerpt.toLowerCase().includes("access denied") || excerpt.toLowerCase().includes("<title>");
+        if (looksLikeLoginPage) {
+          throw new AlterAuthError(
+            `MCP ${method}: received an HTML login page instead of JSON (Content-Type: ${contentType}). Run \`alter login\` to re-authenticate.`,
+            200
+          );
+        }
+        throw new AlterInvalidResponse(
+          `MCP ${method}: unexpected Content-Type "${contentType}" (expected application/json). Body excerpt: ${excerpt.slice(0, 120)}`
+        );
+      }
       let body;
       try {
         body = await resp.json();
       } catch (err) {
-        throw new AlterInvalidResponse(`MCP ${method}: invalid JSON body`, err);
+        const hint = contentType ? ` (Content-Type: ${contentType})` : "";
+        throw new AlterInvalidResponse(
+          `MCP ${method}: failed to parse JSON response${hint}. The server may have returned a non-JSON body. Run \`alter login\` if the session is expired.`,
+          err
+        );
       }
       if (body.error) {
         const code = body.error.code;
@@ -534,7 +608,7 @@ var MCPClient = class {
     const headers = {
       ...this.extraHeaders ?? {},
       "Content-Type": "application/json",
-      Accept: "application/json",
+      Accept: "application/json, text/event-stream",
       "User-Agent": `${this.clientInfo.name}/${this.clientInfo.version}`,
       "X-Alter-Client-Id": "alter-identity",
       "X-Alter-Client-Version": SDK_VERSION,
@@ -602,7 +676,7 @@ async function safeText(resp) {
 }
 
 // bin/mcp-bridge.ts
-var ENDPOINT = env.ALTER_MCP_ENDPOINT ?? "https://mcp.truealter.com/api/v1/mcp";
+var ENDPOINT = env.ALTER_MCP_ENDPOINT ?? "https://api.truealter.com/api/v1/mcp";
 var API_KEY = env.ALTER_API_KEY ?? void 0;
 function buildExtraHeaders() {
   const headers = {};
@@ -624,14 +698,67 @@ function buildExtraHeaders() {
   return Object.keys(headers).length ? headers : void 0;
 }
 var EXTRA_HEADERS = buildExtraHeaders();
-console.warn(
-  "This bridge is a dev/demo surface. Authenticated MCP tools require ES256 per-invocation signing; for production, import `@truealter/sdk` directly. Bridge signing is planned for a future release."
-);
+var xdgConfig = env.XDG_CONFIG_HOME ?? nodePath.join(os.homedir(), ".config");
+function readSession() {
+  const sessionFile = env.ALTER_SESSION_FILE ?? nodePath.join(xdgConfig, "alter", "session.json");
+  try {
+    const raw = fs.readFileSync(sessionFile, "utf8");
+    const clean = raw.charCodeAt(0) === 65279 ? raw.slice(1) : raw;
+    return JSON.parse(clean);
+  } catch {
+    return {};
+  }
+}
+function resolveSigningOptions(session) {
+  const envPem = env.ALTER_SIGNING_KEY;
+  if (envPem) {
+    const envKid = env.ALTER_SIGNING_KID ?? session.signing_kid;
+    if (envKid) {
+      try {
+        crypto.createPrivateKey(envPem);
+        return { kid: envKid, privateKey: envPem, handle: session.handle ?? "" };
+      } catch (e) {
+        stderr.write(`bridge: ALTER_SIGNING_KEY parse error: ${e.message}
+`);
+      }
+    }
+  }
+  const kid = session.signing_kid;
+  if (!kid) return null;
+  const candidates = [];
+  if (env.ALTER_SIGNING_KEY_FILE) candidates.push(env.ALTER_SIGNING_KEY_FILE);
+  candidates.push(nodePath.join(xdgConfig, "alter", "signing-keys", `${kid}.pem`));
+  candidates.push(nodePath.join(xdgConfig, "alter", "signing-key.pem"));
+  for (const p of candidates) {
+    try {
+      const pem = fs.readFileSync(p, "utf8");
+      crypto.createPrivateKey(pem);
+      return { kid, privateKey: pem, handle: session.handle ?? "" };
+    } catch {
+    }
+  }
+  return null;
+}
+var _session = readSession();
+var _signingOpts = resolveSigningOptions(_session);
+if (API_KEY && !_signingOpts) {
+  stderr.write(
+    `bridge: no signing key for kid ${_session.signing_kid ?? "(unset)"}: run 'alter login' to provision one
+`
+  );
+}
 var client = new MCPClient({
   endpoint: ENDPOINT,
   apiKey: API_KEY,
   clientInfo: { name: "@truealter/sdk-mcp-bridge", version: "0.2.0" },
-  extraHeaders: EXTRA_HEADERS
+  extraHeaders: EXTRA_HEADERS,
+  ..._signingOpts ? {
+    signing: {
+      kid: _signingOpts.kid,
+      privateKey: _signingOpts.privateKey,
+      handle: _signingOpts.handle
+    }
+  } : {}
 });
 function send(response) {
   stdout.write(JSON.stringify(response) + "\n");
@@ -730,3 +857,5 @@ main().catch((err) => {
 `);
   exit(1);
 });
+
+export { resolveSigningOptions };