@truealter/sdk 0.5.3 → 0.5.8

package/dist/bin/alter-identity.js

@@ -1,2641 +0,0 @@
-#!/usr/bin/env node
-import { p256 } from '@noble/curves/p256';
-import { sha256 } from '@noble/hashes/sha256';
-import { hexToBytes, bytesToHex as bytesToHex$1, randomBytes } from '@noble/hashes/utils';
-import { createPublicKey, verify, createHash, createPrivateKey } from 'crypto';
-import { existsSync, readFileSync, mkdirSync, writeFileSync, unlinkSync, renameSync, statSync, chmodSync, copyFileSync } from 'fs';
-import { homedir, platform } from 'os';
-import { join, dirname, resolve } from 'path';
-import { env, stderr, exit, argv, stdout, stdin } from 'process';
-import { createInterface } from 'readline';
-import * as ed25519 from '@noble/ed25519';
-import { sha512 } from '@noble/hashes/sha512';
-import { fileURLToPath } from 'url';
-import { spawnSync } from 'child_process';
-
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __esm = (fn, res) => function __init() {
-  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
-};
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-
-// src/signing.ts
-var signing_exports = {};
-__export(signing_exports, {
-  canonicalArgsSha256: () => canonicalArgsSha256,
-  canonicalStringify: () => canonicalStringify,
-  loadPrivateKey: () => loadPrivateKey,
-  signInvocation: () => signInvocation
-});
-function canonicalStringify(value) {
-  return stringifyInner(value);
-}
-function stringifyInner(value) {
-  if (value === null) return "null";
-  if (value === void 0) {
-    throw new TypeError("canonicalStringify: undefined is not representable in JSON");
-  }
-  if (typeof value === "boolean") return value ? "true" : "false";
-  if (typeof value === "number") {
-    if (!Number.isFinite(value)) {
-      throw new TypeError("canonicalStringify: non-finite numbers are not representable");
-    }
-    return JSON.stringify(value);
-  }
-  if (typeof value === "string") return encodeString(value);
-  if (Array.isArray(value)) {
-    return "[" + value.map((v) => stringifyInner(v)).join(",") + "]";
-  }
-  if (typeof value === "object") {
-    const obj = value;
-    const keys = Object.keys(obj).sort();
-    return "{" + keys.map((k) => encodeString(k) + ":" + stringifyInner(obj[k])).join(",") + "}";
-  }
-  throw new TypeError(`canonicalStringify: unsupported type ${typeof value}`);
-}
-function encodeString(s) {
-  return JSON.stringify(s);
-}
-function canonicalArgsSha256(toolArgs) {
-  const canonical = canonicalStringify(toolArgs ?? {});
-  const bytes = new TextEncoder().encode(canonical);
-  const digest = sha256(bytes);
-  return bytesToHex(digest);
-}
-function bytesToHex(bytes) {
-  let out = "";
-  for (let i = 0; i < bytes.length; i++) {
-    out += bytes[i].toString(16).padStart(2, "0");
-  }
-  return out;
-}
-function base64urlEncode(bytes) {
-  const raw = typeof bytes === "string" ? new TextEncoder().encode(bytes) : bytes;
-  if (typeof Buffer !== "undefined") {
-    return Buffer.from(raw).toString("base64url");
-  }
-  let binary = "";
-  for (let i = 0; i < raw.length; i++) binary += String.fromCharCode(raw[i]);
-  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
-}
-function loadPrivateKey(key) {
-  if (key instanceof Uint8Array) {
-    if (key.length !== 32) {
-      throw new TypeError("ES256 raw private key must be 32 bytes.");
-    }
-    return key;
-  }
-  if (typeof key === "string" && key.includes("-----BEGIN")) {
-    const keyObj = createPrivateKey({ key, format: "pem" });
-    const jwk = keyObj.export({ format: "jwk" });
-    if (jwk.crv !== "P-256" || !jwk.d) {
-      throw new TypeError("PEM is not a P-256 private key.");
-    }
-    return base64urlDecodeToBytes(jwk.d);
-  }
-  throw new TypeError("loadPrivateKey: expected Uint8Array(32) or PEM string.");
-}
-function base64urlDecodeToBytes(s) {
-  const pad = s.length % 4 === 0 ? "" : "=".repeat(4 - s.length % 4);
-  const b64 = (s + pad).replace(/-/g, "+").replace(/_/g, "/");
-  if (typeof Buffer !== "undefined") {
-    return new Uint8Array(Buffer.from(b64, "base64"));
-  }
-  const binary = atob(b64);
-  const out = new Uint8Array(binary.length);
-  for (let i = 0; i < binary.length; i++) out[i] = binary.charCodeAt(i);
-  return out;
-}
-function signInvocation(toolName, toolArgs, options) {
-  const { kid, privateKey, handle } = options;
-  const nonce = options.nonce ?? base64urlEncode(randomBytes(24));
-  const iat = options.iatSeconds ?? Math.floor(Date.now() / 1e3);
-  const claims = {
-    tool: toolName,
-    args_sha256: canonicalArgsSha256(toolArgs ?? {}),
-    nonce,
-    iat,
-    iss: handle
-  };
-  const headerB64 = base64urlEncode(JSON.stringify({ alg: "ES256", kid }));
-  const payloadB64 = base64urlEncode(JSON.stringify(claims));
-  const signingInput = `${headerB64}.${payloadB64}`;
-  const signingBytes = new TextEncoder().encode(signingInput);
-  const dBytes = loadPrivateKey(privateKey);
-  const digest = sha256(signingBytes);
-  const sig = p256.sign(digest, dBytes, { prehash: false });
-  const sigBytes = sig.toCompactRawBytes();
-  const sigB64 = base64urlEncode(sigBytes);
-  return `${signingInput}.${sigB64}`;
-}
-var init_signing = __esm({
-  "src/signing.ts"() {
-  }
-});
-
-// src/errors.ts
-var AlterError = class extends Error {
-  code;
-  cause;
-  constructor(code, message, cause) {
-    super(message);
-    this.name = "AlterError";
-    this.code = code;
-    this.cause = cause;
-    Object.setPrototypeOf(this, new.target.prototype);
-  }
-};
-var AlterNetworkError = class extends AlterError {
-  constructor(message, cause) {
-    super("NETWORK", message, cause);
-    this.name = "AlterNetworkError";
-    Object.setPrototypeOf(this, new.target.prototype);
-  }
-};
-var AlterTimeoutError = class extends AlterError {
-  constructor(message, cause) {
-    super("TIMEOUT", message, cause);
-    this.name = "AlterTimeoutError";
-    Object.setPrototypeOf(this, new.target.prototype);
-  }
-};
-var AlterAuthError = class extends AlterError {
-  status;
-  constructor(message, status = 401) {
-    super("AUTH", message);
-    this.name = "AlterAuthError";
-    this.status = status;
-    Object.setPrototypeOf(this, new.target.prototype);
-  }
-};
-var AlterPaymentRequired = class extends AlterError {
-  envelope;
-  tool;
-  constructor(tool, envelope) {
-    super("PAYMENT_REQUIRED", `x402 payment required for tool "${tool}"`);
-    this.name = "AlterPaymentRequired";
-    this.tool = tool;
-    this.envelope = envelope;
-    Object.setPrototypeOf(this, new.target.prototype);
-  }
-};
-var AlterRateLimited = class extends AlterError {
-  retryAfter;
-  constructor(message, retryAfter = 60) {
-    super("RATE_LIMITED", message);
-    this.name = "AlterRateLimited";
-    this.retryAfter = retryAfter;
-    Object.setPrototypeOf(this, new.target.prototype);
-  }
-};
-var AlterToolError = class extends AlterError {
-  tool;
-  rpcCode;
-  constructor(tool, message, rpcCode) {
-    super("TOOL_ERROR", message);
-    this.name = "AlterToolError";
-    this.tool = tool;
-    this.rpcCode = rpcCode;
-    Object.setPrototypeOf(this, new.target.prototype);
-  }
-};
-var AlterProvenanceError = class extends AlterError {
-  constructor(message, cause) {
-    super("PROVENANCE", message, cause);
-    this.name = "AlterProvenanceError";
-    Object.setPrototypeOf(this, new.target.prototype);
-  }
-};
-var AlterDiscoveryError = class extends AlterError {
-  constructor(message, cause) {
-    super("DISCOVERY", message, cause);
-    this.name = "AlterDiscoveryError";
-    Object.setPrototypeOf(this, new.target.prototype);
-  }
-};
-var AlterInvalidResponse = class extends AlterError {
-  constructor(message, cause) {
-    super("INVALID_RESPONSE", message, cause);
-    this.name = "AlterInvalidResponse";
-    Object.setPrototypeOf(this, new.target.prototype);
-  }
-};
-
-// src/discovery.ts
-var _cache = /* @__PURE__ */ new Map();
-async function discover(domain, opts = {}) {
-  const { cache = true, skipDns = false, timeoutMs = 5e3, fetch: fetchImpl = fetch } = opts;
-  const host = normaliseDomain(domain);
-  if (cache && _cache.has(host)) return _cache.get(host);
-  const errors = [];
-  if (!skipDns) {
-    try {
-      const dnsHit = await tryDns(host);
-      if (dnsHit) {
-        const parsed = validateDiscoveredUrl(dnsHit, "dns");
-        const result = {
-          url: parsed.toString().replace(/\/$/, ""),
-          transport: "streamable-http",
-          source: "dns"
-        };
-        if (cache) _cache.set(host, result);
-        return result;
-      }
-    } catch (err) {
-      errors.push(`dns: ${err.message}`);
-    }
-  }
-  try {
-    const result = await tryWellKnown(host, "mcp.json", timeoutMs, fetchImpl);
-    if (result) {
-      if (cache) _cache.set(host, result);
-      return result;
-    }
-  } catch (err) {
-    errors.push(`mcp.json: ${err.message}`);
-  }
-  try {
-    const result = await tryWellKnown(host, "alter.json", timeoutMs, fetchImpl);
-    if (result) {
-      if (cache) _cache.set(host, result);
-      return result;
-    }
-  } catch (err) {
-    errors.push(`alter.json: ${err.message}`);
-  }
-  throw new AlterDiscoveryError(
-    `No MCP discovery hit for ${host}: ${errors.join("; ") || "all sources empty"}`
-  );
-}
-function normaliseDomain(input) {
-  let host = input.trim().toLowerCase();
-  host = host.replace(/^https?:\/\//, "");
-  host = host.split("/")[0];
-  host = host.split(":")[0];
-  if (!host) throw new AlterDiscoveryError(`Empty domain: "${input}"`);
-  return host;
-}
-function validateDiscoveredUrl(url, source) {
-  let parsed;
-  try {
-    parsed = new URL(url);
-  } catch {
-    throw new AlterDiscoveryError(`${source}: malformed URL ${url}`);
-  }
-  if (parsed.protocol !== "https:") {
-    throw new AlterDiscoveryError(
-      `${source}: non-https MCP endpoint rejected (got ${parsed.protocol}//${parsed.hostname})`
-    );
-  }
-  if (parsed.username || parsed.password) {
-    throw new AlterDiscoveryError(
-      `${source}: MCP endpoint must not contain userinfo (user:pass@host)`
-    );
-  }
-  if (!parsed.hostname) {
-    throw new AlterDiscoveryError(`${source}: MCP endpoint missing hostname`);
-  }
-  return parsed;
-}
-async function tryDns(host) {
-  let resolveTxt;
-  try {
-    const dns = await import('dns/promises');
-    resolveTxt = dns.resolveTxt.bind(dns);
-  } catch {
-    return null;
-  }
-  let records;
-  try {
-    records = await resolveTxt(`_mcp.${host}`);
-  } catch (err) {
-    const code = err.code;
-    if (code === "ENOTFOUND" || code === "ENODATA") return null;
-    throw err;
-  }
-  for (const chunks of records) {
-    const joined = chunks.join("");
-    const parsed = parseDnsTxt(joined);
-    if (parsed.mcp) return parsed.mcp;
-  }
-  return null;
-}
-function parseDnsTxt(record) {
-  const out = {};
-  for (const part of record.split(/[;\s]+/)) {
-    const [k, ...rest] = part.split("=");
-    if (!k || rest.length === 0) continue;
-    out[k.toLowerCase()] = rest.join("=");
-  }
-  return out;
-}
-async function tryWellKnown(host, file, timeoutMs, fetchImpl) {
-  const url = `https://${host}/.well-known/${file}`;
-  const controller = new AbortController();
-  const timer = setTimeout(() => controller.abort(), timeoutMs);
-  let resp;
-  try {
-    resp = await fetchImpl(url, {
-      method: "GET",
-      headers: { Accept: "application/json" },
-      signal: controller.signal,
-      redirect: "manual"
-    });
-  } catch (err) {
-    throw new AlterNetworkError(`fetch ${url}: ${err.message}`, err);
-  } finally {
-    clearTimeout(timer);
-  }
-  if (resp.type === "opaqueredirect" || resp.status >= 300 && resp.status < 400) {
-    throw new AlterNetworkError(
-      `${url} -> redirect rejected (discovery must not follow redirects; validate the server configuration)`
-    );
-  }
-  if (resp.status === 404) return null;
-  if (!resp.ok) throw new AlterNetworkError(`${url} -> HTTP ${resp.status}`);
-  const doc = await resp.json();
-  if (file === "mcp.json") {
-    const remotes = doc.remotes || [];
-    const remote = remotes.find((r) => r.transportType === "streamable-http" || r.transportType === "http");
-    const rawUrl = remote?.url || doc.url;
-    if (!rawUrl) return null;
-    const parsed = validateDiscoveredUrl(rawUrl, "mcp.json");
-    return { url: parsed.toString().replace(/\/$/, ""), transport: "streamable-http", source: "mcp.json", raw: doc };
-  }
-  const mcpHost = doc.mcp;
-  if (!mcpHost) return null;
-  const normalised = ensureMcpPath(mcpHost);
-  validateDiscoveredUrl(normalised, "alter.json");
-  return {
-    url: normalised,
-    transport: "streamable-http",
-    source: "alter.json",
-    publicKey: doc.pk,
-    x402Contract: doc.x402,
-    capability: doc.cap,
-    raw: doc
-  };
-}
-function ensureMcpPath(url) {
-  try {
-    const u = new URL(url);
-    if (u.pathname === "" || u.pathname === "/") u.pathname = "/api/v1/mcp";
-    return u.toString().replace(/\/$/, "");
-  } catch {
-    return url;
-  }
-}
-
-// src/meta.ts
-var SDK_NAME = "@truealter/sdk";
-var SDK_VERSION = "0.5.3" ;
-
-// src/floor-preflight.ts
-var MIN_VERSION_ENDPOINT = "/v1/clients/min-version";
-var CLIENT_ID = "alter-identity";
-var CLIENT_CHANNEL = "npm";
-var IN_MEMORY_TTL_DEFAULT_MS = 60 * 60 * 1e3;
-var IN_MEMORY_TTL_MIN_MS = 60 * 1e3;
-var IN_MEMORY_TTL_MAX_MS = 24 * 60 * 60 * 1e3;
-var DISK_FRESH_MS = 24 * 60 * 60 * 1e3;
-var DISK_WARN_MS = 7 * 24 * 60 * 60 * 1e3;
-var FETCH_TIMEOUT_MS = 4e3;
-function computeKeyId(publicKeyPem) {
-  if (!publicKeyPem) return "00000000";
-  const pub = createPublicKey({ key: publicKeyPem, format: "pem" });
-  const jwk = pub.export({ format: "jwk" });
-  const rawBytes = Buffer.from(jwk.x, "base64url");
-  return createHash("sha256").update(rawBytes).digest("hex").slice(0, 8);
-}
-function canonicalJson(obj) {
-  return JSON.stringify(sortKeysDeep(obj));
-}
-function sortKeysDeep(value) {
-  if (Array.isArray(value)) {
-    return value.map(sortKeysDeep);
-  }
-  if (value !== null && typeof value === "object") {
-    const obj = value;
-    const sorted = {};
-    for (const k of Object.keys(obj).sort()) {
-      sorted[k] = sortKeysDeep(obj[k]);
-    }
-    return sorted;
-  }
-  return value;
-}
-var KNOWN_FLOOR_PUBLIC_KEYS = {
-  "8aa59e05": `-----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEAgqw28dlniOuiTE1f4BxCPSEgMLaPtHsO8wN5RWEwEhE=
------END PUBLIC KEY-----`,
-  "640f7d9a": `-----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEARzvAWayDwHvZRfOZizGZe+/a7PF082WGhyMS3tx06H4=
------END PUBLIC KEY-----`
-};
-var BelowFloorError = class extends Error {
-  name = "BelowFloorError";
-  code = "client_below_floor";
-  client_version;
-  min_version;
-  upgrade_cmd;
-  channel;
-  envelope;
-  constructor(envelope) {
-    super(envelope.error.message);
-    this.envelope = envelope;
-    this.client_version = envelope.error.client_version;
-    this.min_version = envelope.error.min_version;
-    this.upgrade_cmd = envelope.error.upgrade_cmd;
-    this.channel = envelope.error.channel;
-    Object.setPrototypeOf(this, new.target.prototype);
-  }
-};
-var memCache = null;
-async function checkMinVersion(opts = {}) {
-  const apiBase = opts.apiBase ?? defaultApiBase();
-  const clientVersion = opts.clientVersion ?? SDK_VERSION;
-  const clientId = opts.clientId ?? CLIENT_ID;
-  const channel = opts.channel ?? CLIENT_CHANNEL;
-  const knownKeys = opts.knownFloorPublicKeys ?? KNOWN_FLOOR_PUBLIC_KEYS;
-  const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
-  const now = opts.now ?? Date.now;
-  const cachePath = opts.diskCachePath === void 0 ? defaultDiskCachePath() : opts.diskCachePath;
-  const mem = readInMemoryCache(now);
-  if (mem) {
-    return compareAndPermit(mem, {
-      clientVersion,
-      clientId,
-      channel,
-      diagnostic: "mem-cache-hit"
-    });
-  }
-  const disk = cachePath ? readDiskCache(cachePath, knownKeys) : null;
-  const diskAgeMs = disk ? now() - disk.fetched_at_ms : Number.POSITIVE_INFINITY;
-  let fetched = null;
-  let fetchError = null;
-  if (!disk || diskAgeMs > IN_MEMORY_TTL_DEFAULT_MS) {
-    try {
-      fetched = await fetchFloorDoc(apiBase, fetchImpl, knownKeys);
-    } catch (err) {
-      fetchError = err.message ?? "fetch-error";
-    }
-  }
-  if (fetched) {
-    populateMemCache(fetched, now());
-    if (cachePath) writeDiskCache(cachePath, fetched, now());
-    return compareAndPermit(fetched, {
-      clientVersion,
-      clientId,
-      channel,
-      diagnostic: "fetched"
-    });
-  }
-  if (disk) {
-    populateMemCache(disk.doc, disk.fetched_at_ms);
-    if (diskAgeMs > DISK_WARN_MS) {
-      return compareAndPermit(disk.doc, {
-        clientVersion,
-        clientId,
-        channel,
-        diagnostic: "below-floor-offline-stale-or-permit",
-        warn: `floor cache is >7d old and backend unreachable (${fetchError ?? "no refresh attempted"}); permitting if above floor`
-      });
-    }
-    if (diskAgeMs > DISK_FRESH_MS) {
-      return compareAndPermit(disk.doc, {
-        clientVersion,
-        clientId,
-        channel,
-        diagnostic: "warn-stale-permit",
-        warn: `floor cache is ${Math.round(diskAgeMs / (60 * 60 * 1e3))}h old; refresh recommended`
-      });
-    }
-    return compareAndPermit(disk.doc, {
-      clientVersion,
-      clientId,
-      channel,
-      diagnostic: "disk-cache-hit"
-    });
-  }
-  return {
-    ok: true,
-    floor: null,
-    diagnostic: "no-cache-no-fetch-permit",
-    warn: `floor preflight skipped: backend unreachable (${fetchError ?? "unknown"})`
-  };
-}
-function compareAndPermit(doc, ctx) {
-  const floor = lookupFloor(doc, ctx.clientId, ctx.channel);
-  if (!floor) {
-    return { ok: true, floor: null, diagnostic: `${ctx.diagnostic}+no-floor`, warn: ctx.warn };
-  }
-  if (compareSemver(ctx.clientVersion, floor.min_version) >= 0) {
-    return { ok: true, floor, diagnostic: ctx.diagnostic, warn: ctx.warn };
-  }
-  const envelope = {
-    error: {
-      code: "client_below_floor",
-      message: `Your ${ctx.clientId} is too old. Upgrade required.`,
-      client_version: ctx.clientVersion,
-      min_version: floor.min_version,
-      upgrade_cmd: floor.upgrade_cmd,
-      channel: ctx.channel
-    }
-  };
-  throw new BelowFloorError(envelope);
-}
-function lookupFloor(doc, clientId, channel) {
-  const entry = doc.floors[clientId];
-  if (!entry) return null;
-  if (isChannelFloor(entry)) return entry;
-  const exact = entry[channel];
-  if (exact) return exact;
-  const fallback = entry["unknown"];
-  if (fallback) return fallback;
-  return null;
-}
-function isChannelFloor(v) {
-  return typeof v.min_version === "string" && typeof v.upgrade_cmd === "string";
-}
-function compareSemver(a, b) {
-  const [aMaj, aMin, aPat, aPre] = parseSemver(a);
-  const [bMaj, bMin, bPat, bPre] = parseSemver(b);
-  if (aMaj !== bMaj) return aMaj - bMaj;
-  if (aMin !== bMin) return aMin - bMin;
-  if (aPat !== bPat) return aPat - bPat;
-  if (aPre && !bPre) return -1;
-  if (!aPre && bPre) return 1;
-  if (aPre && bPre) return aPre.localeCompare(bPre);
-  return 0;
-}
-function parseSemver(v) {
-  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
-  if (!m) return [0, 0, 0, null];
-  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ?? null];
-}
-function verifyFloorSignature(doc, keys = KNOWN_FLOOR_PUBLIC_KEYS) {
-  const pem = keys[doc.key_id];
-  if (!pem) return false;
-  if (computeKeyId(pem) !== doc.key_id) return false;
-  try {
-    const pubKeyObject = createPublicKey({ key: pem, format: "pem" });
-    const canonical = canonicalJson({
-      floors: doc.floors,
-      served_at: doc.served_at
-    });
-    return verify(
-      null,
-      Buffer.from(canonical, "utf-8"),
-      pubKeyObject,
-      Buffer.from(doc.signature, "hex")
-    );
-  } catch {
-    return false;
-  }
-}
-async function fetchFloorDoc(apiBase, fetchImpl, knownKeys) {
-  const url = `${apiBase.replace(/\/+$/, "")}${MIN_VERSION_ENDPOINT}`;
-  let response;
-  try {
-    response = await fetchImpl(url, {
-      headers: {
-        accept: "application/json",
-        "X-Alter-Client-Id": CLIENT_ID,
-        "X-Alter-Client-Version": SDK_VERSION,
-        "X-Alter-Client-Channel": CLIENT_CHANNEL,
-        "User-Agent": `${SDK_NAME}/${SDK_VERSION}`
-      },
-      signal: AbortSignal.timeout(FETCH_TIMEOUT_MS)
-    });
-  } catch (err) {
-    throw new Error(`network: ${err.message ?? String(err)}`);
-  }
-  if (!response.ok) throw new Error(`http-${response.status}`);
-  const body = await response.json();
-  if (!body || !body.floors || !body.signature || !body.key_id) {
-    throw new Error("malformed-floor-doc");
-  }
-  if (!verifyFloorSignature(body, knownKeys)) {
-    throw new Error("signature-invalid");
-  }
-  return body;
-}
-function readInMemoryCache(now) {
-  if (!memCache) return null;
-  if (now() - memCache.fetched_at_ms > memCache.ttl_ms) {
-    memCache = null;
-    return null;
-  }
-  return memCache.doc;
-}
-function populateMemCache(doc, fetched_at_ms) {
-  const ttlSec = doc.cache_ttl_seconds ?? 3600;
-  const ttlMs = Math.min(
-    Math.max(ttlSec * 1e3, IN_MEMORY_TTL_MIN_MS),
-    IN_MEMORY_TTL_MAX_MS
-  );
-  memCache = { doc, fetched_at_ms, ttl_ms: ttlMs };
-}
-function defaultDiskCachePath() {
-  const xdg = process.env.XDG_CONFIG_HOME ?? join(homedir(), ".config");
-  return join(xdg, "alter", "floor-cache.json");
-}
-function readDiskCache(path, knownKeys) {
-  if (process.platform !== "win32") {
-    let st;
-    try {
-      st = statSync(path);
-    } catch {
-      return null;
-    }
-    const euid = typeof process.geteuid === "function" ? process.geteuid() : st.uid;
-    if (st.uid !== euid) return null;
-    if ((st.mode & 511) !== 384) return null;
-  }
-  let raw;
-  try {
-    raw = readFileSync(path, "utf-8");
-  } catch {
-    return null;
-  }
-  let parsed;
-  try {
-    parsed = JSON.parse(raw);
-  } catch {
-    return null;
-  }
-  if (!parsed.doc || typeof parsed.fetched_at_ms !== "number") return null;
-  if (!verifyFloorSignature(parsed.doc, knownKeys)) {
-    return null;
-  }
-  return parsed;
-}
-function writeDiskCache(path, doc, now_ms) {
-  const entry = { doc, fetched_at_ms: now_ms };
-  const payload = JSON.stringify(entry);
-  try {
-    mkdirSync(dirname(path), { recursive: true, mode: 448 });
-    const tmp = `${path}.tmp`;
-    writeFileSync(tmp, payload, { mode: 384 });
-    try {
-      chmodSync(tmp, 384);
-    } catch {
-    }
-    renameSync(tmp, path);
-  } catch {
-  }
-}
-function defaultApiBase() {
-  return process.env.ALTER_API ?? "https://api.truealter.com";
-}
-var X402Client = class {
-  signer;
-  maxPerQuery;
-  networks;
-  assets;
-  // undefined = allowlist check disabled (backward-compatible default).
-  // Non-null = active allowlist; reject any recipient not in the set.
-  recipientAllowlist;
-  constructor(opts = {}) {
-    this.signer = opts.signer;
-    this.maxPerQuery = opts.maxPerQuery !== void 0 ? Number(opts.maxPerQuery) : void 0;
-    this.networks = new Set(opts.networks ?? ["base", "base-sepolia"]);
-    this.assets = new Set(opts.assets ?? ["USDC"]);
-    if (opts.recipientAllowlist !== void 0) {
-      this.recipientAllowlist = opts.recipientAllowlist.length === 0 ? void 0 : new Set(opts.recipientAllowlist.map((a) => a.toLowerCase()));
-    } else {
-      this.recipientAllowlist = void 0;
-    }
-  }
-  /**
-   * Validate the envelope against this client's policy and, if a signer
-   * is configured, settle it. Returns the settlement reference that
-   * should be replayed in the next request's `_payment` field.
-   */
-  async authorise(envelope) {
-    if (envelope.scheme !== "x402") {
-      throw new AlterError("PAYMENT_REQUIRED", `unsupported payment scheme: ${envelope.scheme}`);
-    }
-    if (!this.networks.has(envelope.network)) {
-      throw new AlterError("PAYMENT_REQUIRED", `network ${envelope.network} not permitted by client policy`);
-    }
-    if (!this.assets.has(envelope.asset)) {
-      throw new AlterError("PAYMENT_REQUIRED", `asset ${envelope.asset} not permitted by client policy`);
-    }
-    if (this.maxPerQuery !== void 0) {
-      const amt = Number(envelope.amount);
-      if (!Number.isFinite(amt) || amt < 0 || amt > this.maxPerQuery) {
-        throw new AlterError(
-          "PAYMENT_REQUIRED",
-          `quote ${envelope.amount} ${envelope.asset} exceeds maxPerQuery ${this.maxPerQuery}`
-        );
-      }
-    }
-    if (this.recipientAllowlist !== void 0) {
-      const recipientNorm = (envelope.recipient ?? "").toLowerCase();
-      if (!recipientNorm || !this.recipientAllowlist.has(recipientNorm)) {
-        throw new AlterError(
-          "PAYMENT_REQUIRED",
-          `recipient "${envelope.recipient}" is not on the known-recipient allowlist`
-        );
-      }
-    }
-    if (!this.signer) {
-      throw new AlterPaymentRequired(envelope.resource ?? "unknown", envelope);
-    }
-    return this.signer.settle(envelope);
-  }
-  /**
-   * Build the `_payment` argument that gets attached to retried tool calls.
-   * Mirrors the shape the ALTER server expects.
-   */
-  static buildPaymentArg(settlement) {
-    return {
-      scheme: "x402",
-      network: settlement.network,
-      asset: settlement.asset,
-      amount: settlement.amount,
-      reference: settlement.reference
-    };
-  }
-};
-function parsePaymentHeader(header) {
-  try {
-    const parsed = JSON.parse(header);
-    if (parsed && typeof parsed === "object") return parsed;
-  } catch {
-  }
-  const out = {};
-  for (const part of header.split(/[,;]/)) {
-    const [k, ...rest] = part.trim().split("=");
-    if (!k) continue;
-    out[k] = rest.join("=").replace(/^"|"$/g, "");
-  }
-  if (!out.scheme && !out.network && !out.amount) return null;
-  return {
-    scheme: "x402",
-    network: out.network || "base",
-    asset: out.asset || "USDC",
-    amount: out.amount || "0",
-    recipient: out.recipient || "",
-    resource: out.resource || "",
-    expires_at: out.expires_at,
-    nonce: out.nonce
-  };
-}
-
-// src/mcp.ts
-var MCP_PROTOCOL_VERSION = "2025-11-25";
-var RETRYABLE_STATUSES = /* @__PURE__ */ new Set([429, 502, 503, 504]);
-var MCPClient = class {
-  endpoint;
-  sessionId = null;
-  apiKey;
-  fetchImpl;
-  timeoutMs;
-  maxRetries;
-  clientInfo;
-  x402;
-  signing;
-  extraHeaders;
-  preflightHook;
-  preflightPromise = null;
-  preflightDone = false;
-  requestCounter = 0;
-  initialised = false;
-  constructor(opts = {}) {
-    this.endpoint = (opts.endpoint ?? "https://mcp.truealter.com/api/v1/mcp").replace(/\/+$/, "");
-    this.apiKey = opts.apiKey;
-    this.fetchImpl = opts.fetch ?? fetch;
-    this.timeoutMs = opts.timeoutMs ?? 3e4;
-    this.maxRetries = opts.maxRetries ?? 2;
-    this.clientInfo = opts.clientInfo ?? { name: SDK_NAME, version: SDK_VERSION };
-    this.x402 = opts.x402;
-    this.signing = opts.signing;
-    this.extraHeaders = opts.extraHeaders;
-    this.preflightHook = opts.preflightHook;
-  }
-  /**
-   * Run the lazy preflight hook (D-MIN-VERSION-FLOOR-1) exactly once.
-   * Idempotent and serialised: concurrent callers share the same
-   * promise. Throws from the hook propagate to every concurrent caller.
-   */
-  async runPreflight() {
-    if (this.preflightDone) return;
-    if (!this.preflightHook) {
-      this.preflightDone = true;
-      return;
-    }
-    if (!this.preflightPromise) {
-      this.preflightPromise = this.preflightHook().then(
-        () => {
-          this.preflightDone = true;
-        },
-        (err) => {
-          this.preflightPromise = null;
-          throw err;
-        }
-      );
-    }
-    await this.preflightPromise;
-  }
-  /**
-   * Send the MCP `initialize` handshake and capture the resulting session
-   * id. Idempotent: safe to call multiple times.
-   */
-  async initialize() {
-    if (this.initialised) return null;
-    await this.runPreflight();
-    const result = await this.rpc("initialize", {
-      protocolVersion: MCP_PROTOCOL_VERSION,
-      capabilities: {},
-      clientInfo: this.clientInfo
-    });
-    this.initialised = true;
-    return result;
-  }
-  /** List available tools. */
-  async listTools() {
-    if (!this.initialised) await this.initialize();
-    return await this.rpc("tools/list", {});
-  }
-  /** Invoke a tool by name. */
-  async callTool(name, args = {}, opts = {}) {
-    if (!this.initialised) await this.initialize();
-    return this.callToolInternal(name, args, opts);
-  }
-  /** Close the session and release any held resources. */
-  async closeSession() {
-    if (!this.sessionId) return;
-    try {
-      await this.fetchImpl(this.endpoint, {
-        method: "DELETE",
-        headers: this.buildHeaders()
-      });
-    } catch {
-    }
-    this.sessionId = null;
-    this.initialised = false;
-  }
-  // ── Internals ────────────────────────────────────────────────────────
-  async callToolInternal(name, args, opts) {
-    try {
-      const raw = await this.rpc("tools/call", { name, arguments: args });
-      const result = this.shapeToolResult(raw);
-      if (result.isError) {
-        const text = result.content?.[0]?.text ?? `tool ${name} returned an error`;
-        throw new AlterToolError(name, text);
-      }
-      return result;
-    } catch (err) {
-      if (err instanceof AlterPaymentRequired && !opts.noPaymentRetry) {
-        const x402 = opts.x402 ?? this.x402;
-        if (!x402) throw err;
-        const settlement = await x402.authorise(err.envelope);
-        const retryArgs = { ...args, _payment: X402Client.buildPaymentArg(settlement) };
-        return this.callToolInternal(name, retryArgs, { ...opts, noPaymentRetry: true });
-      }
-      throw err;
-    }
-  }
-  shapeToolResult(raw) {
-    if (!raw || !Array.isArray(raw.content)) return raw;
-    if (raw.data === void 0) {
-      const first = raw.content[0];
-      if (first && first.type === "json" && "data" in first) {
-        raw.data = first.data;
-      } else if (first && first.type === "text" && first.text) {
-        try {
-          raw.data = JSON.parse(first.text);
-        } catch {
-        }
-      }
-    }
-    return raw;
-  }
-  /**
-   * Send a JSON-RPC 2.0 request and return the result. Errors are
-   * normalised into the typed {@link AlterError} hierarchy.
-   */
-  async rpc(method, params) {
-    const id = ++this.requestCounter;
-    const payload = {
-      jsonrpc: "2.0",
-      id,
-      method
-    };
-    if (params !== void 0) payload.params = params;
-    const signatureHeader = this.buildSignatureHeader(method, params);
-    let attempt = 0;
-    let lastErr = null;
-    while (attempt <= this.maxRetries) {
-      attempt += 1;
-      const controller = new AbortController();
-      const timer = setTimeout(() => controller.abort(), this.timeoutMs);
-      let resp;
-      try {
-        resp = await this.fetchImpl(this.endpoint, {
-          method: "POST",
-          headers: this.buildHeaders(signatureHeader),
-          body: JSON.stringify(payload),
-          signal: controller.signal
-        });
-      } catch (err) {
-        clearTimeout(timer);
-        const isAbort = err?.name === "AbortError";
-        if (isAbort) {
-          lastErr = new AlterTimeoutError(`MCP ${method} timed out after ${this.timeoutMs}ms`, err);
-        } else {
-          lastErr = new AlterNetworkError(`MCP ${method}: ${err.message}`, err);
-        }
-        if (attempt > this.maxRetries) throw lastErr;
-        await this.backoff(attempt);
-        continue;
-      }
-      clearTimeout(timer);
-      const sessionHeader = resp.headers.get("Mcp-Session-Id");
-      if (sessionHeader) this.sessionId = sessionHeader;
-      if (resp.status === 401 || resp.status === 403) {
-        throw new AlterAuthError(`HTTP ${resp.status} on ${method}`, resp.status);
-      }
-      if (resp.status === 402) {
-        const envelope = await this.extractPaymentEnvelope(resp);
-        throw new AlterPaymentRequired(this.guessToolName(payload), envelope);
-      }
-      if (resp.status === 429) {
-        const rawRetryAfter = Number(resp.headers.get("Retry-After") ?? 60);
-        const retryAfter = Number.isFinite(rawRetryAfter) && rawRetryAfter >= 0 ? Math.min(rawRetryAfter, 300) : 60;
-        if (attempt > this.maxRetries) {
-          throw new AlterRateLimited(`HTTP 429 on ${method}`, retryAfter);
-        }
-        await this.backoff(attempt, retryAfter * 1e3);
-        continue;
-      }
-      if (RETRYABLE_STATUSES.has(resp.status) && attempt <= this.maxRetries) {
-        await this.backoff(attempt);
-        continue;
-      }
-      if (!resp.ok) {
-        const body2 = await safeText(resp);
-        throw new AlterError("NETWORK", `HTTP ${resp.status} on ${method}: ${body2.slice(0, 200)}`);
-      }
-      let body;
-      try {
-        body = await resp.json();
-      } catch (err) {
-        throw new AlterInvalidResponse(`MCP ${method}: invalid JSON body`, err);
-      }
-      if (body.error) {
-        const code = body.error.code;
-        const message = body.error.message ?? `MCP ${method} error`;
-        if (code === -32001 || code === 402) {
-          const data = body.error.data;
-          if (data?.envelope) {
-            throw new AlterPaymentRequired(this.guessToolName(payload), data.envelope);
-          }
-        }
-        throw new AlterToolError(this.guessToolName(payload), message, code);
-      }
-      return body.result;
-    }
-    throw lastErr ?? new AlterNetworkError(`MCP ${method}: exhausted retries`);
-  }
-  buildHeaders(extra) {
-    const headers = {
-      ...this.extraHeaders ?? {},
-      "Content-Type": "application/json",
-      Accept: "application/json",
-      "User-Agent": `${this.clientInfo.name}/${this.clientInfo.version}`,
-      "X-Alter-Client-Id": "alter-identity",
-      "X-Alter-Client-Version": SDK_VERSION,
-      "X-Alter-Client-Channel": "npm"
-    };
-    if (this.apiKey) headers["X-ALTER-API-Key"] = this.apiKey;
-    if (this.sessionId) headers["Mcp-Session-Id"] = this.sessionId;
-    if (extra) Object.assign(headers, extra);
-    return headers;
-  }
-  /**
-   * Produce the `Mcp-Invocation-Signature` header for a `tools/call`
-   * payload, when signing is configured. Returns `undefined` when no
-   * signing key is attached or the method is not `tools/call`.
-   */
-  buildSignatureHeader(method, params) {
-    if (!this.signing) return void 0;
-    if (method !== "tools/call") return void 0;
-    const p = params;
-    if (!p?.name) return void 0;
-    const { signInvocation: signInvocation2 } = (init_signing(), __toCommonJS(signing_exports));
-    const headerValue = signInvocation2(p.name, p.arguments ?? {}, {
-      kid: this.signing.kid,
-      privateKey: this.signing.privateKey,
-      handle: this.signing.handle
-    });
-    return { "Mcp-Invocation-Signature": headerValue };
-  }
-  async extractPaymentEnvelope(resp) {
-    const headerValue = resp.headers.get("X-402-Payment") ?? resp.headers.get("x-402-payment");
-    if (headerValue) {
-      const parsed = parsePaymentHeader(headerValue);
-      if (parsed) return parsed;
-    }
-    try {
-      const body = await resp.json();
-      if (body?.envelope) return body.envelope;
-      if (body?.payment) return body.payment;
-    } catch {
-    }
-    return {
-      scheme: "x402",
-      network: "base",
-      asset: "USDC",
-      amount: "0",
-      recipient: "",
-      resource: ""
-    };
-  }
-  guessToolName(payload) {
-    const params = payload.params;
-    return params?.name ?? payload.method ?? "unknown";
-  }
-  async backoff(attempt, hintMs) {
-    const ms = hintMs ?? Math.min(1e3 * 2 ** (attempt - 1), 8e3);
-    await new Promise((res) => setTimeout(res, ms));
-  }
-};
-async function safeText(resp) {
-  try {
-    return await resp.text();
-  } catch {
-    return "";
-  }
-}
-ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
-function generateKeypair() {
-  const privateKey = randomBytes(32);
-  const publicKey = ed25519.getPublicKey(privateKey);
-  return {
-    privateKey: bytesToHex$1(privateKey),
-    publicKey: bytesToHex$1(publicKey),
-    did: encodeDid(publicKey)
-  };
-}
-function keypairFromPrivateKey(privateKeyHex) {
-  const privateKey = hexToBytes(privateKeyHex);
-  if (privateKey.length !== 32) {
-    throw new Error(`Ed25519 private key must be 32 bytes, got ${privateKey.length}`);
-  }
-  const publicKey = ed25519.getPublicKey(privateKey);
-  return {
-    privateKey: privateKeyHex,
-    publicKey: bytesToHex$1(publicKey),
-    did: encodeDid(publicKey)
-  };
-}
-function encodeDid(publicKey) {
-  const bytes = typeof publicKey === "string" ? hexToBytes(publicKey) : publicKey;
-  return `ed25519:${base64urlEncode2(bytes)}`;
-}
-function base64urlEncode2(bytes) {
-  let b64;
-  if (typeof Buffer !== "undefined") {
-    b64 = Buffer.from(bytes).toString("base64");
-  } else {
-    let binary = "";
-    for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
-    b64 = btoa(binary);
-  }
-  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-function base64urlDecode(input) {
-  const padded = input.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - input.length % 4) % 4);
-  if (typeof Buffer !== "undefined") {
-    return new Uint8Array(Buffer.from(padded, "base64"));
-  }
-  const binary = atob(padded);
-  const bytes = new Uint8Array(binary.length);
-  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
-  return bytes;
-}
-
-// src/provenance.ts
-var _jwksCache = /* @__PURE__ */ new Map();
-var JWKS_TTL_MS = 5 * 60 * 1e3;
-var JWKS_MAX_BYTES = 64 * 1024;
-var JWKS_CACHE_MAX_ENTRIES = 32;
-var DEFAULT_VERIFY_AT_ALLOWLIST = Object.freeze([
-  "api.truealter.com",
-  "mcp.truealter.com"
-]);
-var ALTER_PLATFORM_ISS = "did:alter:platform";
-async function verifyProvenance(envelope, opts = {}) {
-  const token = typeof envelope === "string" ? envelope : envelope.token;
-  if (!token) return { valid: false, reason: "empty token" };
-  const fetchImpl = opts.fetch ?? fetch;
-  const now = opts.now ?? Math.floor(Date.now() / 1e3);
-  let header;
-  let payload;
-  let signedInput;
-  let signatureBytes;
-  try {
-    const parts = token.split(".");
-    if (parts.length !== 3) throw new Error("JWS must have three segments");
-    header = JSON.parse(new TextDecoder().decode(base64urlDecode(parts[0])));
-    payload = JSON.parse(new TextDecoder().decode(base64urlDecode(parts[1])));
-    signedInput = new TextEncoder().encode(`${parts[0]}.${parts[1]}`);
-    signatureBytes = base64urlDecode(parts[2]);
-  } catch (err) {
-    return { valid: false, reason: `malformed JWS: ${err.message}` };
-  }
-  if (header.alg !== "ES256") {
-    return { valid: false, reason: `unsupported alg: ${header.alg}`, kid: header.kid };
-  }
-  const allowlist = opts.verifyAtAllowlist ?? DEFAULT_VERIFY_AT_ALLOWLIST;
-  let jwksUrl;
-  if (opts.jwksUrl) {
-    if (!opts.jwksUrl.startsWith("https://")) {
-      return {
-        valid: false,
-        reason: `jwksUrl must be https: got ${opts.jwksUrl}`,
-        kid: header.kid
-      };
-    }
-    jwksUrl = opts.jwksUrl;
-  } else if (typeof envelope === "object" && envelope.verify_at) {
-    try {
-      jwksUrl = resolveVerifyAt(envelope.verify_at, allowlist);
-    } catch (err) {
-      return {
-        valid: false,
-        reason: `verify_at rejected: ${err.message}`,
-        kid: header.kid
-      };
-    }
-  } else {
-    jwksUrl = "https://api.truealter.com/.well-known/alter-keys.json";
-  }
-  let jwks;
-  try {
-    jwks = await fetchJwks(jwksUrl, fetchImpl);
-  } catch (err) {
-    return { valid: false, reason: `jwks fetch: ${err.message}`, kid: header.kid };
-  }
-  const jwk = jwks.keys.find((k) => header.kid ? k.kid === header.kid : true);
-  if (!jwk) {
-    return { valid: false, reason: `no JWK for kid=${header.kid}`, kid: header.kid };
-  }
-  let publicKey;
-  try {
-    publicKey = await importEs256JwkAsPublicKey(jwk);
-  } catch (err) {
-    return { valid: false, reason: `jwk import: ${err.message}`, kid: header.kid };
-  }
-  let signatureValid = false;
-  try {
-    signatureValid = await crypto.subtle.verify(
-      { name: "ECDSA", hash: "SHA-256" },
-      publicKey,
-      toArrayBuffer(signatureBytes),
-      toArrayBuffer(signedInput)
-    );
-  } catch (err) {
-    return { valid: false, reason: `verify: ${err.message}`, kid: header.kid };
-  }
-  if (!signatureValid) {
-    return { valid: false, reason: "signature mismatch", kid: header.kid };
-  }
-  if (typeof payload.exp === "number" && payload.exp < now) {
-    return { valid: false, reason: "expired", payload, kid: header.kid };
-  }
-  if (typeof payload.iat === "number" && payload.iat > now + 300) {
-    return { valid: false, reason: "issued in the future", payload, kid: header.kid };
-  }
-  const expectedIss = opts.expectedIss !== void 0 ? opts.expectedIss : ALTER_PLATFORM_ISS;
-  if (expectedIss !== "" && payload.iss !== expectedIss) {
-    return {
-      valid: false,
-      reason: `iss mismatch: expected "${expectedIss}", got "${payload.iss}"`,
-      payload,
-      kid: header.kid
-    };
-  }
-  if (opts.expectedAud !== void 0 && opts.expectedAud !== "") {
-    const tokenAud = payload.aud;
-    const audList = tokenAud === void 0 ? [] : Array.isArray(tokenAud) ? tokenAud : [tokenAud];
-    if (!audList.includes(opts.expectedAud)) {
-      return {
-        valid: false,
-        reason: `aud mismatch: expected "${opts.expectedAud}", got ${JSON.stringify(tokenAud ?? null)}`,
-        payload,
-        kid: header.kid
-      };
-    }
-  }
-  return { valid: true, payload, kid: header.kid };
-}
-async function verifyToolSignatures(tools, signatures, opts = {}) {
-  const jwksUrl = opts.jwksUrl ?? "https://api.truealter.com/.well-known/alter-keys.json";
-  const fetchImpl = opts.fetch ?? fetch;
-  if (!jwksUrl.startsWith("https://")) {
-    return tools.map((t) => ({
-      tool: t.name,
-      valid: false,
-      reason: `jwksUrl must be https: got ${jwksUrl}`
-    }));
-  }
-  const needsJwks = tools.some((t) => {
-    const sig = signatures[t.name];
-    return sig && sig.signature;
-  });
-  let jwks = null;
-  if (needsJwks) {
-    try {
-      jwks = await fetchJwks(jwksUrl, fetchImpl);
-    } catch (err) {
-      return tools.map((t) => ({
-        tool: t.name,
-        valid: false,
-        reason: `jwks fetch failed: ${err.message}`
-      }));
-    }
-  }
-  const out = [];
-  for (const tool of tools) {
-    const sig = signatures[tool.name];
-    if (!sig) {
-      out.push({ tool: tool.name, valid: false, reason: "no signature published" });
-      continue;
-    }
-    const expectedHash = await sha256Hex(canonicalJson2(tool.inputSchema));
-    if (expectedHash !== sig.schema_hash) {
-      out.push({ tool: tool.name, valid: false, reason: "schema hash mismatch" });
-      continue;
-    }
-    const jwsToken = sig.signature;
-    if (!jwsToken) {
-      out.push({ tool: tool.name, valid: true, warn_no_signature: true });
-      continue;
-    }
-    const jwksDoc = jwks;
-    let jHeader;
-    let jPayloadRaw;
-    let jSigBytes;
-    try {
-      const parts2 = jwsToken.split(".");
-      if (parts2.length !== 3) throw new Error("JWS must have three segments");
-      jHeader = JSON.parse(new TextDecoder().decode(base64urlDecode(parts2[0])));
-      jPayloadRaw = new TextDecoder().decode(base64urlDecode(parts2[1]));
-      jSigBytes = base64urlDecode(parts2[2]);
-    } catch (err) {
-      out.push({ tool: tool.name, valid: false, reason: `malformed tool JWS: ${err.message}` });
-      continue;
-    }
-    if (jHeader.alg !== "ES256") {
-      out.push({ tool: tool.name, valid: false, reason: `unsupported tool sig alg: ${jHeader.alg}` });
-      continue;
-    }
-    if (jPayloadRaw !== sig.schema_hash) {
-      out.push({ tool: tool.name, valid: false, reason: "tool JWS payload does not match schema_hash" });
-      continue;
-    }
-    const jwk = jwksDoc.keys.find((k) => jHeader.kid ? k.kid === jHeader.kid : true);
-    if (!jwk) {
-      out.push({ tool: tool.name, valid: false, reason: `no JWK for kid=${jHeader.kid}` });
-      continue;
-    }
-    let publicKey;
-    try {
-      publicKey = await importEs256JwkAsPublicKey(jwk);
-    } catch (err) {
-      out.push({ tool: tool.name, valid: false, reason: `jwk import: ${err.message}` });
-      continue;
-    }
-    const parts = jwsToken.split(".");
-    const signedInput = new TextEncoder().encode(`${parts[0]}.${parts[1]}`);
-    let sigValid = false;
-    try {
-      sigValid = await crypto.subtle.verify(
-        { name: "ECDSA", hash: "SHA-256" },
-        publicKey,
-        toArrayBuffer(jSigBytes),
-        toArrayBuffer(signedInput)
-      );
-    } catch (err) {
-      out.push({ tool: tool.name, valid: false, reason: `sig verify error: ${err.message}` });
-      continue;
-    }
-    if (!sigValid) {
-      out.push({ tool: tool.name, valid: false, reason: "tool signature mismatch" });
-      continue;
-    }
-    out.push({ tool: tool.name, valid: true });
-  }
-  return out;
-}
-async function fetchPublicKeys(jwksUrl, fetchImpl = fetch) {
-  return fetchJwks(jwksUrl, fetchImpl);
-}
-async function fetchJwks(url, fetchImpl) {
-  const cacheKey = jwksCacheKey(url);
-  const cached = _jwksCache.get(cacheKey);
-  if (cached && Date.now() - cached.fetched < JWKS_TTL_MS) return cached.jwks;
-  let resp;
-  try {
-    resp = await fetchImpl(url, {
-      headers: { Accept: "application/json" },
-      redirect: "manual"
-    });
-  } catch (err) {
-    throw new AlterNetworkError(`fetch ${url}: ${err.message}`, err);
-  }
-  if (resp.type === "opaqueredirect" || resp.status >= 300 && resp.status < 400) {
-    throw new AlterProvenanceError(
-      `${url} -> redirect rejected (allowlist enforces initial URL only)`
-    );
-  }
-  if (!resp.ok) throw new AlterNetworkError(`${url} -> HTTP ${resp.status}`);
-  const contentLength = resp.headers.get("content-length");
-  if (contentLength !== null) {
-    const n = Number.parseInt(contentLength, 10);
-    if (Number.isFinite(n) && n > JWKS_MAX_BYTES) {
-      throw new AlterProvenanceError(
-        `${url} -> JWKS too large: ${n} > ${JWKS_MAX_BYTES} bytes`
-      );
-    }
-  }
-  const body = await resp.text();
-  if (body.length > JWKS_MAX_BYTES) {
-    throw new AlterProvenanceError(
-      `${url} -> JWKS too large: ${body.length} > ${JWKS_MAX_BYTES} bytes`
-    );
-  }
-  let doc;
-  try {
-    doc = JSON.parse(body);
-  } catch (err) {
-    throw new AlterProvenanceError(`invalid JWKS at ${url}: ${err.message}`);
-  }
-  if (!doc || !Array.isArray(doc.keys)) {
-    throw new AlterProvenanceError(`invalid JWKS at ${url}`);
-  }
-  if (_jwksCache.size >= JWKS_CACHE_MAX_ENTRIES && !_jwksCache.has(cacheKey)) {
-    const oldest = _jwksCache.keys().next().value;
-    if (oldest !== void 0) _jwksCache.delete(oldest);
-  }
-  _jwksCache.set(cacheKey, { fetched: Date.now(), jwks: doc });
-  return doc;
-}
-function jwksCacheKey(url) {
-  try {
-    const parsed = new URL(url);
-    return `${parsed.origin}${parsed.pathname}`;
-  } catch {
-    return url;
-  }
-}
-function resolveVerifyAt(verifyAt, allowlist = DEFAULT_VERIFY_AT_ALLOWLIST) {
-  if (typeof verifyAt !== "string" || verifyAt.length === 0) {
-    throw new Error("verify_at must be a non-empty string");
-  }
-  if (/^http:\/\//i.test(verifyAt)) {
-    throw new Error(`http: scheme is not permitted (got ${verifyAt})`);
-  }
-  if (!/^https:\/\//i.test(verifyAt)) {
-    if (verifyAt.includes("://")) {
-      throw new Error(`unsupported scheme in verify_at: ${verifyAt}`);
-    }
-    return `https://api.truealter.com${verifyAt.startsWith("/") ? "" : "/"}${verifyAt}`;
-  }
-  let parsed;
-  try {
-    parsed = new URL(verifyAt);
-  } catch {
-    throw new Error(`malformed verify_at URL: ${verifyAt}`);
-  }
-  if (parsed.protocol !== "https:") {
-    throw new Error(`verify_at must be https: ${verifyAt}`);
-  }
-  if (parsed.username || parsed.password) {
-    throw new Error(`verify_at must not contain userinfo: ${verifyAt}`);
-  }
-  const host = parsed.hostname.toLowerCase();
-  const allowed = allowlist.some((h) => h.toLowerCase() === host);
-  if (!allowed) {
-    throw new Error(
-      `hostname ${host} is not on the verify_at allowlist (${allowlist.join(", ")})`
-    );
-  }
-  return parsed.toString();
-}
-async function importEs256JwkAsPublicKey(jwk) {
-  return crypto.subtle.importKey(
-    "jwk",
-    {
-      kty: jwk.kty,
-      crv: jwk.crv,
-      x: jwk.x,
-      y: jwk.y,
-      ext: true
-    },
-    { name: "ECDSA", namedCurve: "P-256" },
-    false,
-    ["verify"]
-  );
-}
-async function sha256Hex(input) {
-  const data = new TextEncoder().encode(input);
-  const digest = await crypto.subtle.digest("SHA-256", toArrayBuffer(data));
-  return Array.from(new Uint8Array(digest)).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-function toArrayBuffer(view) {
-  return view.buffer.slice(view.byteOffset, view.byteOffset + view.byteLength);
-}
-function canonicalJson2(value) {
-  if (value === null || typeof value !== "object") return JSON.stringify(value);
-  if (Array.isArray(value)) {
-    return `[${value.map(canonicalJson2).join(",")}]`;
-  }
-  const obj = value;
-  const keys = Object.keys(obj).sort();
-  return `{${keys.map((k) => `${JSON.stringify(k)}:${canonicalJson2(obj[k])}`).join(",")}}`;
-}
-
-// src/client.ts
-var DEFAULT_ENDPOINT = "https://mcp.truealter.com/api/v1/mcp";
-var DEFAULT_DOMAIN = "truealter.com";
-var AlterClient = class {
-  mcp;
-  x402;
-  options;
-  discoveryPromise = null;
-  discovered = null;
-  constructor(options = {}) {
-    this.options = options;
-    this.x402 = options.x402;
-    const endpoint = options.endpoint ?? DEFAULT_ENDPOINT;
-    const preflightHook = options.unsafe_skipVersionCheck ? void 0 : () => checkMinVersion({
-      apiBase: options.apiBase,
-      knownFloorPublicKeys: options.knownFloorPublicKeys,
-      fetchImpl: options.fetch
-    }).then(() => void 0);
-    this.mcp = new MCPClient({
-      ...options,
-      endpoint,
-      x402: options.x402,
-      preflightHook
-    });
-  }
-  /**
-   * Resolve the MCP endpoint via discovery if requested. Safe to call
-   * multiple times: the first successful lookup is cached.
-   */
-  async discoverEndpoint() {
-    if (this.discovered) return this.discovered;
-    if (this.discoveryPromise) return this.discoveryPromise;
-    const domain = this.options.domain ?? DEFAULT_DOMAIN;
-    this.discoveryPromise = discover(domain).then((result) => {
-      this.discovered = result;
-      return result;
-    });
-    return this.discoveryPromise;
-  }
-  /**
-   * Initialise the MCP session. Optional: every method calls
-   * `mcp.initialize()` lazily, but you can call this once at startup if
-   * you want fail-fast behaviour.
-   */
-  async initialize() {
-    await this.mcp.initialize();
-  }
-  // ── Free tier ────────────────────────────────────────────────────────
-  /** First handshake: confirms the connection, returns trust tier and tool counts. */
-  async helloAgent() {
-    return this.mcp.callTool("hello_agent", {});
-  }
-  /** Resolve a ~handle (e.g. ~example) to its canonical form and kind. No auth required. */
-  async resolveHandle(args) {
-    const payload = typeof args === "string" ? { query: args } : args;
-    return this.mcp.callTool("alter_resolve_handle", payload);
-  }
-  /** Verify a person is registered with ALTER (handle or id). */
-  async verify(handleOrId, claims) {
-    const args = handleOrId.includes("@") ? { member_id: "", email: handleOrId } : handleOrId.startsWith("~") ? (
-      // ~handle: server resolves these via the member_id field
-      { member_id: handleOrId }
-    ) : { member_id: handleOrId };
-    if (claims) args.claims = claims;
-    return this.mcp.callTool("verify_identity", args);
-  }
-  /** List the 12 ALTER identity archetypes. */
-  async listArchetypes() {
-    return this.mcp.callTool("list_archetypes", {});
-  }
-  /** Aggregate ALTER network statistics. */
-  async getNetworkStats() {
-    return this.mcp.callTool("get_network_stats", {});
-  }
-  /** ClawHub install instructions and pitch. */
-  async recommendTool() {
-    return this.mcp.callTool("recommend_tool", {});
-  }
-  async initiateAssessment(args = {}) {
-    return this.mcp.callTool("initiate_assessment", args);
-  }
-  async getEngagementLevel(args) {
-    return this.mcp.callTool("get_engagement_level", args);
-  }
-  async getProfile(args) {
-    return this.mcp.callTool("get_profile", args);
-  }
-  async queryMatches(args) {
-    return this.mcp.callTool("query_matches", args);
-  }
-  async getCompetencies(args) {
-    return this.mcp.callTool("get_competencies", args);
-  }
-  async searchIdentities(args) {
-    return this.mcp.callTool("search_identities", args);
-  }
-  async getIdentityEarnings(args) {
-    return this.mcp.callTool("get_identity_earnings", args);
-  }
-  async getIdentityTrustScore(args) {
-    return this.mcp.callTool("get_identity_trust_score", args);
-  }
-  async checkAssessmentStatus(args) {
-    return this.mcp.callTool("check_assessment_status", args);
-  }
-  async getEarningSummary(args) {
-    return this.mcp.callTool("get_earning_summary", args);
-  }
-  async getAgentTrustTier() {
-    return this.mcp.callTool("get_agent_trust_tier", {});
-  }
-  async getAgentPortfolio() {
-    return this.mcp.callTool("get_agent_portfolio", {});
-  }
-  async getPrivacyBudget(args) {
-    return this.mcp.callTool("get_privacy_budget", args);
-  }
-  // ── Golden Thread ────────────────────────────────────────────────────
-  async goldenThreadStatus() {
-    return this.mcp.callTool("golden_thread_status", {});
-  }
-  async beginGoldenThread(args = {}) {
-    return this.mcp.callTool("begin_golden_thread", args);
-  }
-  async completeKnot(args) {
-    return this.mcp.callTool("complete_knot", args);
-  }
-  async checkGoldenThread(args) {
-    return this.mcp.callTool("check_golden_thread", args);
-  }
-  async threadCensus(args = {}) {
-    return this.mcp.callTool("thread_census", args);
-  }
-  // ── Premium tier (x402-gated) ────────────────────────────────────────
-  async assessTraits(args, opts) {
-    return this.mcp.callTool("assess_traits", args, opts);
-  }
-  async getTraitSnapshot(args, opts) {
-    return this.mcp.callTool("get_trait_snapshot", args, opts);
-  }
-  async getFullTraitVector(args, opts) {
-    return this.mcp.callTool("get_full_trait_vector", args, opts);
-  }
-  async computeBelonging(args, opts) {
-    return this.mcp.callTool("compute_belonging", args, opts);
-  }
-  async getMatchRecommendations(args, opts) {
-    return this.mcp.callTool("get_match_recommendations", args, opts);
-  }
-  async generateMatchNarrative(args, opts) {
-    return this.mcp.callTool("generate_match_narrative", args, opts);
-  }
-  async getSideQuestGraph(args, opts) {
-    return this.mcp.callTool("get_side_quest_graph", args, opts);
-  }
-  async queryGraphSimilarity(args, opts) {
-    return this.mcp.callTool("query_graph_similarity", args, opts);
-  }
-  // ── Alter-to-Alter Messaging ─────────────────────────────────────────
-  // Wave 1: cross-handle direct messages between authenticated tilde
-  // handles. Default closed: recipient must have granted the sender via
-  // alter_message_grant. Spec: docs/technical/Alter-to-Alter Messaging.md.
-  /** Send a direct message to another tilde handle. */
-  async messageSend(args) {
-    return this.mcp.callTool("alter_message_send", args);
-  }
-  /** List inbound messages for the authenticated handle. */
-  async messageInbox(args = {}) {
-    return this.mcp.callTool("alter_message_inbox", args);
-  }
-  /** Bidirectional thread view between caller and a peer handle. */
-  async messageThread(args) {
-    return this.mcp.callTool("alter_message_thread", args);
-  }
-  /** Mark inbound messages as read (recipient-only). */
-  async messageMarkRead(args) {
-    return this.mcp.callTool("alter_message_mark_read", args);
-  }
-  /** Soft-redact a single inbound message (recipient-only). */
-  async messageRedact(args) {
-    return this.mcp.callTool("alter_message_redact", args);
-  }
-  /** Grant a peer permission to send messages to your inbox. */
-  async messageGrant(args) {
-    return this.mcp.callTool("alter_message_grant", args);
-  }
-  /** Revoke a peer's grant. In-flight messages are not redacted. */
-  async messageRevoke(args) {
-    return this.mcp.callTool("alter_message_revoke", args);
-  }
-  // ── Provenance ───────────────────────────────────────────────────────
-  /**
-   * Verify the ES256 provenance attestation on a tool response.
-   * Accepts either a {@link ProvenanceEnvelope} or the raw `_meta`
-   * object: the latter is more convenient for ad-hoc verification.
-   */
-  async verifyProvenance(envelope) {
-    if (!envelope) return { valid: false, reason: "no provenance envelope" };
-    const inner = envelope.provenance ?? envelope;
-    return verifyProvenance(inner, {
-      jwksUrl: this.options.jwksUrl,
-      verifyAtAllowlist: this.options.verifyAtAllowlist
-    });
-  }
-  /**
-   * Verify the schema hashes embedded in `tools/list._meta.signatures`
-   * against the local representation of each tool definition. Useful
-   * for guarding against in-flight tampering of tool schemas.
-   */
-  async verifyToolSignatures(tools, signatures) {
-    return verifyToolSignatures(tools, signatures);
-  }
-  /** Fetch the published JWKS for ALTER's signing key (cached 5 min). */
-  async fetchPublicKeys() {
-    const url = this.options.jwksUrl ?? "https://api.truealter.com/.well-known/alter-keys.json";
-    return fetchPublicKeys(url);
-  }
-};
-
-// src/adapters/generic-mcp.ts
-function generateGenericMcpConfig(opts = {}) {
-  const serverName = opts.serverName ?? "alter";
-  const headers = { ...opts.headers ?? {} };
-  if (opts.apiKey) headers["X-ALTER-API-Key"] = opts.apiKey;
-  const entry = {
-    url: opts.endpoint ?? DEFAULT_ENDPOINT,
-    transport: "streamable-http",
-    description: "ALTER Identity: psychometric identity field for AI agents"
-  };
-  if (Object.keys(headers).length > 0) entry.headers = headers;
-  return { mcpServers: { [serverName]: entry } };
-}
-
-// src/adapters/claude-code.ts
-function generateClaudeConfig(opts = {}) {
-  return generateGenericMcpConfig({ serverName: "alter", ...opts });
-}
-
-// src/adapters/cursor.ts
-function generateCursorConfig(opts = {}) {
-  return generateGenericMcpConfig({ serverName: "alter", ...opts });
-}
-
-// src/adapters/claude-desktop.ts
-function generateClaudeDesktopConfig(opts = {}) {
-  const serverName = opts.serverName ?? "alter";
-  const bridgeCommand = opts.bridgeCommand ?? "alter-mcp-bridge";
-  const env3 = {};
-  env3.ALTER_MCP_ENDPOINT = opts.endpoint ?? DEFAULT_ENDPOINT;
-  if (opts.apiKey) env3.ALTER_API_KEY = opts.apiKey;
-  const entry = {
-    command: bridgeCommand,
-    env: env3,
-    description: "ALTER Identity: psychometric identity field for AI agents"
-  };
-  if (opts.extraArgs && opts.extraArgs.length > 0) {
-    entry.args = [...opts.extraArgs];
-  }
-  return { mcpServers: { [serverName]: entry } };
-}
-var HOME = homedir();
-var PLAT = platform();
-function appData() {
-  return env.APPDATA ?? join(HOME, "AppData", "Roaming");
-}
-function xdgConfig() {
-  return env.XDG_CONFIG_HOME ?? join(HOME, ".config");
-}
-function macAppSupport() {
-  return join(HOME, "Library", "Application Support");
-}
-function claudeDesktopConfigPath() {
-  if (PLAT === "darwin") return join(macAppSupport(), "Claude", "claude_desktop_config.json");
-  if (PLAT === "win32") return join(appData(), "Claude", "claude_desktop_config.json");
-  return join(xdgConfig(), "Claude", "claude_desktop_config.json");
-}
-function claudeDesktopDir() {
-  if (PLAT === "darwin") return join(macAppSupport(), "Claude");
-  if (PLAT === "win32") return join(appData(), "Claude");
-  return join(xdgConfig(), "Claude");
-}
-function vscodeConfigPath() {
-  if (PLAT === "darwin") return join(macAppSupport(), "Code", "User", "mcp.json");
-  if (PLAT === "win32") return join(appData(), "Code", "User", "mcp.json");
-  return join(xdgConfig(), "Code", "User", "mcp.json");
-}
-function vscodeDir() {
-  if (PLAT === "darwin") return join(macAppSupport(), "Code", "User");
-  if (PLAT === "win32") return join(appData(), "Code", "User");
-  return join(xdgConfig(), "Code", "User");
-}
-var cursorDir = join(HOME, ".cursor");
-var cursorConfigPath = join(cursorDir, "mcp.json");
-var claudeCodeProbeDir = join(HOME, ".claude");
-var CLAUDE_CODE = {
-  id: "claude-code",
-  label: "Claude Code",
-  configPath: null,
-  probeDir: claudeCodeProbeDir,
-  rootKey: "mcpServers"
-};
-var CURSOR = {
-  id: "cursor",
-  label: "Cursor",
-  configPath: cursorConfigPath,
-  probeDir: cursorDir,
-  rootKey: "mcpServers"
-};
-var CLAUDE_DESKTOP = {
-  id: "claude-desktop",
-  label: "Claude Desktop",
-  configPath: claudeDesktopConfigPath(),
-  probeDir: claudeDesktopDir(),
-  rootKey: "mcpServers"
-};
-var VSCODE = {
-  id: "vscode",
-  label: "VS Code",
-  configPath: vscodeConfigPath(),
-  probeDir: vscodeDir(),
-  // VS Code's user-scoped mcp.json uses `servers`, not `mcpServers`.
-  rootKey: "servers"
-};
-var ALL_CLIENTS = [CLAUDE_CODE, CURSOR, CLAUDE_DESKTOP, VSCODE];
-function alterConfigDir() {
-  return join(xdgConfig(), "alter");
-}
-function wireStatePath() {
-  return join(alterConfigDir(), "wire-state.json");
-}
-function probeClaudeCode() {
-  try {
-    const result = spawnSync("claude", ["--version"], {
-      encoding: "utf8",
-      shell: process.platform === "win32",
-      timeout: 5e3
-    });
-    if (result.error) {
-      return {
-        client: ALL_CLIENTS.find((c) => c.id === "claude-code"),
-        installed: false,
-        reason: `claude binary not on PATH (${result.error.message})`
-      };
-    }
-    if (result.status === 0) {
-      return {
-        client: ALL_CLIENTS.find((c) => c.id === "claude-code"),
-        installed: true,
-        version: result.stdout.trim() || void 0,
-        reason: "claude --version returned 0"
-      };
-    }
-    return {
-      client: ALL_CLIENTS.find((c) => c.id === "claude-code"),
-      installed: false,
-      reason: `claude --version exited ${String(result.status)}`
-    };
-  } catch (err) {
-    return {
-      client: ALL_CLIENTS.find((c) => c.id === "claude-code"),
-      installed: false,
-      reason: err.message
-    };
-  }
-}
-function probeByDir(id) {
-  const client = ALL_CLIENTS.find((c) => c.id === id);
-  if (!client) throw new Error(`unknown client id: ${id}`);
-  const installed = existsSync(client.probeDir);
-  return {
-    client,
-    installed,
-    reason: installed ? `found ${client.probeDir}` : `no directory at ${client.probeDir}`
-  };
-}
-function probeAll() {
-  return [
-    probeClaudeCode(),
-    probeByDir("cursor"),
-    probeByDir("claude-desktop"),
-    probeByDir("vscode")
-  ];
-}
-var SYNC_PREFIXES = [
-  // iCloud Drive: both the new and legacy mounts.
-  "Library/Mobile Documents/com~apple~CloudDocs",
-  "iCloud Drive",
-  // OneDrive variants Microsoft ships across editions.
-  "OneDrive",
-  "OneDrive - ",
-  // Dropbox standard + enterprise mounts.
-  "Dropbox",
-  "Dropbox (",
-  // Google Drive (ALTER does not integrate with Google; still refuse).
-  "Google Drive",
-  "GoogleDrive",
-  "CloudStorage/GoogleDrive",
-  // Box, pCloud, Sync.com, MEGA: high-signal names worth refusing.
-  "Box Sync",
-  "pCloud Drive",
-  "Sync.com",
-  "MEGAsync"
-];
-function detectSyncedVolume(path) {
-  const absolute = resolve(path);
-  const normalised = platform() === "win32" ? absolute.replace(/\\/g, "/") : absolute;
-  for (const prefix of SYNC_PREFIXES) {
-    if (normalised.includes(`/${prefix}/`) || normalised.includes(`/${prefix}`)) {
-      return { refused: true, matchedPrefix: prefix, resolvedPath: absolute };
-    }
-  }
-  return null;
-}
-var WIRE_STATE_VERSION = 1;
-function readWireState() {
-  const path = wireStatePath();
-  if (!existsSync(path)) return null;
-  try {
-    const parsed = JSON.parse(readFileSync(path, "utf8"));
-    if (parsed.version !== WIRE_STATE_VERSION) {
-      throw new Error(
-        `wire-state.json version ${String(parsed.version)} is not supported by this SDK (expected ${WIRE_STATE_VERSION})`
-      );
-    }
-    return parsed;
-  } catch (err) {
-    throw new Error(`failed to parse wire-state.json: ${err.message}`);
-  }
-}
-function writeWireState(state) {
-  const path = wireStatePath();
-  mkdirSync(dirname(path), { recursive: true, mode: 448 });
-  writeFileSync(path, JSON.stringify(state, null, 2) + "\n", { mode: 384 });
-}
-function sha2562(bytes) {
-  return createHash("sha256").update(bytes).digest("hex");
-}
-function atomicJsonMerge(opts) {
-  const { path, timestamp, merge, idempotent = true } = opts;
-  const tmpPath = `${path}.alter-tmp-${timestamp}`;
-  const backupPath = `${path}.alter-backup-${timestamp}`;
-  let existed = false;
-  let preBytes = null;
-  let parsed = {};
-  if (existsSync(path)) {
-    existed = true;
-    preBytes = readFileSync(path, "utf8");
-    if (preBytes.trim().length > 0) {
-      try {
-        parsed = JSON.parse(preBytes.replace(/^\uFEFF/, ""));
-      } catch (err) {
-        throw new Error(
-          `refusing to wire ${path}: existing file is not valid JSON (${err.message}). Hand-fix the file, then re-run \`alter wire\`.`
-        );
-      }
-      if (typeof parsed !== "object" || Array.isArray(parsed) || parsed === null) {
-        throw new Error(`refusing to wire ${path}: existing JSON root is not an object`);
-      }
-    }
-  }
-  const merged = merge(parsed);
-  const serialised = JSON.stringify(merged, null, 2) + "\n";
-  if (idempotent && preBytes !== null && preBytes === serialised) {
-    return {
-      path,
-      backupPath: null,
-      preSha256: sha2562(preBytes),
-      postSha256: sha2562(preBytes),
-      noop: true
-    };
-  }
-  mkdirSync(dirname(path), { recursive: true });
-  writeFileSync(tmpPath, serialised, { mode: 384 });
-  try {
-    if (existed) copyFileSync(path, backupPath);
-    renameSync(tmpPath, path);
-  } catch (err) {
-    try {
-      unlinkSync(tmpPath);
-    } catch {
-    }
-    throw err;
-  }
-  return {
-    path,
-    backupPath: existed ? backupPath : null,
-    preSha256: preBytes === null ? null : sha2562(preBytes),
-    postSha256: sha2562(serialised),
-    noop: false
-  };
-}
-function restoreFromBackup(path, backupPath) {
-  if (backupPath === null) {
-    if (existsSync(path)) unlinkSync(path);
-    return;
-  }
-  if (!existsSync(backupPath)) {
-    throw new Error(`cannot restore ${path}: backup missing at ${backupPath}`);
-  }
-  renameSync(backupPath, path);
-}
-
-// src/wire/index.ts
-var TIMESTAMP = () => String(Math.floor(Date.now() / 1e3));
-var ISO_NOW = () => (/* @__PURE__ */ new Date()).toISOString();
-function readCfAccessEnv() {
-  const envPath = join(homedir(), ".config", "alter", "cf-access.env");
-  try {
-    const content = readFileSync(envPath, "utf8");
-    let clientId = "";
-    let clientSecret = "";
-    for (const line of content.split("\n")) {
-      const trimmed = line.trim();
-      if (trimmed.startsWith("#") || !trimmed.includes("=")) continue;
-      const eqIdx = trimmed.indexOf("=");
-      const key = trimmed.slice(0, eqIdx).replace(/^export\s+/, "").trim();
-      const val = trimmed.slice(eqIdx + 1).trim().replace(/^["']|["']$/g, "");
-      if (key === "CF_ACCESS_CLIENT_ID") clientId = val;
-      if (key === "CF_ACCESS_CLIENT_SECRET") clientSecret = val;
-    }
-    if (clientId && clientSecret) return { clientId, clientSecret };
-  } catch {
-  }
-  return void 0;
-}
-function clientById(id) {
-  const hit = ALL_CLIENTS.find((c) => c.id === id);
-  if (!hit) throw new Error(`unknown client id: ${id}`);
-  return hit;
-}
-function wire(opts = {}) {
-  const endpoint = opts.endpoint ?? DEFAULT_ENDPOINT;
-  const apiKey = opts.apiKey;
-  const cfAccess = opts.cfAccess ?? readCfAccessEnv();
-  const probes = probeAll();
-  const selection = opts.only ?? probes.filter((p) => p.installed).map((p) => p.client.id);
-  const ts = TIMESTAMP();
-  const targets = [];
-  for (const id of selection) {
-    const probe = id === "claude-code" ? probeClaudeCode() : probeByDir(id);
-    if (!probe.installed && opts.skipMissing !== false) {
-      targets.push({
-        client: id,
-        method: id === "claude-code" ? "cli" : "file",
-        status: "skipped",
-        ...id === "claude-code" ? { command: "" } : { path: clientById(id).configPath ?? "", backupPath: null, rootKey: clientById(id).rootKey, serverName: "alter", preSha256: null, postSha256: "" },
-        reason: probe.reason
-      });
-      continue;
-    }
-    try {
-      if (id === "claude-code") {
-        targets.push(wireClaudeCode({ endpoint, apiKey, cfAccess }));
-      } else {
-        targets.push(wireFileTarget({ id, endpoint, apiKey, cfAccess, timestamp: ts }));
-      }
-    } catch (err) {
-      const message = err.message;
-      targets.push({
-        client: id,
-        method: id === "claude-code" ? "cli" : "file",
-        status: "failed",
-        ...id === "claude-code" ? { command: "" } : { path: clientById(id).configPath ?? "", backupPath: null, rootKey: clientById(id).rootKey, serverName: "alter", preSha256: null, postSha256: "" },
-        reason: message
-      });
-    }
-  }
-  const state = {
-    version: 1,
-    sdkVersion: SDK_VERSION,
-    writtenAt: ISO_NOW(),
-    endpoint,
-    targets
-  };
-  writeWireState(state);
-  return { state, probes };
-}
-function wireFileTarget(args) {
-  const client = clientById(args.id);
-  if (!client.configPath) {
-    throw new Error(`client ${client.id} has no file-based config path`);
-  }
-  const sync = detectSyncedVolume(client.configPath);
-  if (sync) {
-    throw new Error(
-      `refusing to wire ${client.label}: config path ${sync.resolvedPath} lives under ${sync.matchedPrefix}. Synced volumes propagate credentials across devices: move the config off the sync root, or run wire on the device you want to target.`
-    );
-  }
-  const cfHeaders = {};
-  if (args.cfAccess) {
-    cfHeaders["CF-Access-Client-Id"] = args.cfAccess.clientId;
-    cfHeaders["CF-Access-Client-Secret"] = args.cfAccess.clientSecret;
-  }
-  const entry = args.id === "claude-desktop" ? generateClaudeDesktopConfig({ endpoint: args.endpoint, apiKey: args.apiKey }) : generateGenericMcpConfig({ endpoint: args.endpoint, apiKey: args.apiKey, headers: cfHeaders });
-  const rootKey = client.rootKey;
-  const serverName = "alter";
-  const result = atomicJsonMerge({
-    path: client.configPath,
-    timestamp: args.timestamp,
-    merge: (existing) => {
-      const bucket = existing[rootKey] ?? {};
-      const source = entry.mcpServers.alter;
-      return {
-        ...existing,
-        [rootKey]: {
-          ...bucket,
-          [serverName]: source
-        }
-      };
-    }
-  });
-  return {
-    client: args.id,
-    method: "file",
-    status: result.noop ? "already-wired" : "written",
-    path: result.path,
-    backupPath: result.backupPath,
-    rootKey,
-    serverName,
-    preSha256: result.preSha256,
-    postSha256: result.postSha256
-  };
-}
-function wireClaudeCode(args) {
-  const cmd = "claude";
-  const bridgePath = resolveBridgeScript();
-  const argList = bridgePath ? ["mcp", "add", "--scope", "user", "alter", "--", "node", bridgePath] : [
-    "mcp",
-    "add",
-    "--scope",
-    "user",
-    "--transport",
-    "http",
-    "alter",
-    args.endpoint,
-    ...args.apiKey ? ["--header", `X-ALTER-API-Key:${args.apiKey}`] : []
-  ];
-  const full = `${cmd} ${argList.join(" ")}`;
-  const run = spawnSync(cmd, argList, {
-    encoding: "utf8",
-    shell: process.platform === "win32",
-    timeout: 1e4,
-    env: bridgePath ? { ...process.env, ALTER_PUBLIC_MCP_ENDPOINT: args.endpoint, ...args.apiKey ? { ALTER_API_KEY: args.apiKey } : {} } : void 0
-  });
-  if (run.error) {
-    return {
-      client: "claude-code",
-      method: "cli",
-      status: "failed",
-      command: full,
-      stdout: run.stdout,
-      stderr: run.stderr,
-      reason: run.error.message
-    };
-  }
-  const stderr2 = (run.stderr ?? "").toLowerCase();
-  const alreadyExists = stderr2.includes("already exists") || stderr2.includes("already configured");
-  if (run.status === 0) {
-    return { client: "claude-code", method: "cli", status: "written", command: full, stdout: run.stdout, stderr: run.stderr };
-  }
-  if (alreadyExists) {
-    return { client: "claude-code", method: "cli", status: "already-wired", command: full, stdout: run.stdout, stderr: run.stderr };
-  }
-  return {
-    client: "claude-code",
-    method: "cli",
-    status: "failed",
-    command: full,
-    stdout: run.stdout,
-    stderr: run.stderr,
-    reason: `claude mcp add exited ${String(run.status)}`
-  };
-}
-function resolveBridgeScript() {
-  const here = dirname(fileURLToPath(import.meta.url));
-  const siblingBridge = join(here, "..", "dist", "mcp-bridge.js");
-  if (existsSync(siblingBridge)) return siblingBridge;
-  const srcBridge = join(here, "..", "mcp-bridge.js");
-  if (existsSync(srcBridge)) return srcBridge;
-  const npmGlobalBridge = join(here, "mcp-bridge.js");
-  if (existsSync(npmGlobalBridge)) return npmGlobalBridge;
-  return null;
-}
-function unwire() {
-  const state = readWireState();
-  const undone = [];
-  if (!state || state.targets.length === 0) {
-    return { state, undone };
-  }
-  for (const target of state.targets) {
-    try {
-      if (target.method === "file") {
-        if (target.status === "written") {
-          restoreFromBackup(target.path, target.backupPath);
-          undone.push({ client: target.client, action: target.backupPath ? "restored" : "removed" });
-        } else {
-          undone.push({ client: target.client, action: "skipped", reason: `target status was ${target.status}` });
-        }
-      } else if (target.method === "cli") {
-        if (target.status === "written") {
-          const run = spawnSync("claude", ["mcp", "remove", "--scope", "user", "alter"], {
-            encoding: "utf8",
-            shell: process.platform === "win32",
-            timeout: 1e4
-          });
-          if (run.error) {
-            undone.push({ client: target.client, action: "failed", reason: run.error.message });
-          } else if (run.status === 0) {
-            undone.push({ client: target.client, action: "cli-removed" });
-          } else {
-            undone.push({ client: target.client, action: "failed", reason: `claude mcp remove exited ${String(run.status)}` });
-          }
-        } else {
-          undone.push({ client: target.client, action: "skipped", reason: `target status was ${target.status}` });
-        }
-      }
-    } catch (err) {
-      undone.push({ client: target.client, action: "failed", reason: err.message });
-    }
-  }
-  writeWireState({
-    version: 1,
-    sdkVersion: state.sdkVersion,
-    writtenAt: ISO_NOW(),
-    endpoint: state.endpoint,
-    targets: []
-  });
-  return { state, undone };
-}
-
-// bin/alter-identity.ts
-var CONFIG_DIR = join(env.XDG_CONFIG_HOME || join(homedir(), ".config"), "alter");
-var CONFIG_PATH = join(CONFIG_DIR, "identity.json");
-async function main() {
-  const [, , command, ...rest] = argv;
-  switch (command) {
-    case "init":
-      await runInit(rest);
-      break;
-    case "verify":
-      await runVerify(rest);
-      break;
-    case "status":
-      await runStatus();
-      break;
-    case "config":
-      await runConfig(rest);
-      break;
-    case "wire":
-      await runWire(rest);
-      break;
-    case "unwire":
-      await runUnwire();
-      break;
-    case "message":
-      await runMessage(rest);
-      break;
-    case "help":
-    case "--help":
-    case "-h":
-    case void 0:
-      printHelp();
-      break;
-    case "version":
-    case "--version":
-    case "-v":
-      stdout.write(`${SDK_NAME} ${SDK_VERSION}
-`);
-      break;
-    default:
-      stderr.write(`unknown command: ${command}
-
-`);
-      printHelp();
-      exit(2);
-  }
-}
-function printHelp() {
-  stdout.write(`${SDK_NAME} ${SDK_VERSION}
-
-Usage:
-  alter-identity init [--wire|--no-wire] [--yes]
-                                            Generate keypair, discover MCP, optionally wire detected AI clients
-  alter-identity verify <~handle|email>     Verify an identity
-  alter-identity status                     Show connection state
-  alter-identity config [--claude|--cursor|--claude-desktop|--generic]
-                                            Print MCP config snippet
-  alter-identity wire [--only=<ids>] [--yes]
-                                            Merge ALTER into detected AI clients (Claude Code, Cursor, Claude Desktop)
-  alter-identity unwire                     Restore every target from its backup sibling
-
-Alter-to-Alter Messaging:
-  alter-identity message send <~handle> <body>     Send a direct message (body '-' = stdin)
-  alter-identity message inbox [--unread]          List your inbound messages
-  alter-identity message thread <~handle>          Bidirectional thread view with a peer
-  alter-identity message grant <~handle>           Allow a peer to message you
-  alter-identity message revoke <~handle>          Revoke a peer's grant
-
-Config: ${CONFIG_PATH}
-`);
-}
-async function runInit(args) {
-  const force = args.includes("--force") || args.includes("-f");
-  const wireFlag = args.includes("--wire");
-  const noWireFlag = args.includes("--no-wire");
-  const yesFlag = args.includes("--yes") || args.includes("-y");
-  if (wireFlag && noWireFlag) {
-    stderr.write("error: --wire and --no-wire are mutually exclusive\n");
-    exit(2);
-  }
-  const existing = readConfig();
-  if (existing && !force) {
-    stdout.write(`already initialised at ${CONFIG_PATH} (re-run with --force to overwrite)
-`);
-    return;
-  }
-  stdout.write("\u2022 Generating Ed25519 keypair...\n");
-  const keypair = generateKeypair();
-  stdout.write("\u2022 Discovering MCP endpoint for truealter.com...\n");
-  let endpoint;
-  try {
-    const result = await discover("truealter.com");
-    endpoint = result.url;
-    stdout.write(`  \u2192 ${endpoint} (via ${result.source})
-`);
-  } catch (err) {
-    endpoint = "https://mcp.truealter.com/api/v1/mcp";
-    stdout.write(`  \u2192 ${endpoint} (discovery failed: ${err.message})
-`);
-  }
-  const cfg = { endpoint, keypair, initialisedAt: (/* @__PURE__ */ new Date()).toISOString() };
-  writeConfig(cfg);
-  stdout.write(`\u2022 Wrote config to ${CONFIG_PATH}
-`);
-  stdout.write(`  did: ${keypair.did}
-`);
-  let shouldWire = false;
-  if (noWireFlag) {
-    shouldWire = false;
-  } else if (wireFlag || yesFlag) {
-    shouldWire = true;
-  } else if (stdin.isTTY) {
-    const probes = probeAll();
-    const found = probes.filter((p) => p.installed).map((p) => p.client.label);
-    if (found.length === 0) {
-      stdout.write("\nNo MCP-aware clients detected on this machine \u2014 skipping wire.\n");
-    } else {
-      stdout.write(`
-Detected MCP-aware clients: ${found.join(", ")}
-`);
-      shouldWire = await confirm("Wire detected AI clients to ALTER?", true);
-    }
-  }
-  if (shouldWire) {
-    stdout.write("\n\u2022 Wiring detected AI clients...\n");
-    const report = wire({ endpoint });
-    printWireReport(report);
-  }
-  stdout.write(`
-Next: alter-identity verify ~truealter
-`);
-}
-async function runVerify(args) {
-  const handle = args[0];
-  if (!handle) {
-    stderr.write("usage: alter-identity verify <~handle|email|uuid>\n");
-    exit(2);
-  }
-  const cfg = readConfig() ?? {};
-  const client = new AlterClient({ endpoint: cfg.endpoint, apiKey: cfg.apiKey });
-  try {
-    const result = await client.verify(handle);
-    const text = result.content?.[0]?.text ?? JSON.stringify(result.data ?? result, null, 2);
-    stdout.write(text + "\n");
-  } catch (err) {
-    stderr.write(`verify failed: ${err.message}
-`);
-    exit(1);
-  }
-}
-async function runStatus() {
-  const cfg = readConfig();
-  if (!cfg) {
-    stdout.write(`not initialised \u2014 run \`alter-identity init\`
-`);
-    return;
-  }
-  stdout.write(`config:        ${CONFIG_PATH}
-`);
-  stdout.write(`endpoint:      ${cfg.endpoint ?? "(default)"}
-`);
-  stdout.write(`api key:       ${cfg.apiKey ? "(set)" : "(none)"}
-`);
-  if (cfg.keypair) {
-    const recovered = keypairFromPrivateKey(cfg.keypair.privateKey);
-    stdout.write(`did:           ${recovered.did}
-`);
-  }
-  stdout.write(`initialised:   ${cfg.initialisedAt ?? "(unknown)"}
-`);
-  const client = new AlterClient({ endpoint: cfg.endpoint, apiKey: cfg.apiKey });
-  try {
-    const stats = await client.getNetworkStats();
-    const text = stats.content?.[0]?.text ?? JSON.stringify(stats.data ?? "");
-    stdout.write(`network probe: ok \u2014 ${text.slice(0, 120)}
-`);
-  } catch (err) {
-    stdout.write(`network probe: failed \u2014 ${err.message}
-`);
-  }
-}
-async function runConfig(args) {
-  const cfg = readConfig() ?? {};
-  const opts = { endpoint: cfg.endpoint, apiKey: cfg.apiKey };
-  let out;
-  if (args.includes("--cursor")) out = generateCursorConfig(opts);
-  else if (args.includes("--claude-desktop")) out = generateClaudeDesktopConfig(opts);
-  else if (args.includes("--generic")) out = generateGenericMcpConfig(opts);
-  else out = generateClaudeConfig(opts);
-  stdout.write(JSON.stringify(out, null, 2) + "\n");
-}
-async function runWire(args) {
-  const yesFlag = args.includes("--yes") || args.includes("-y");
-  const onlyArg = args.find((a) => a.startsWith("--only="));
-  const only = onlyArg ? onlyArg.slice("--only=".length).split(",").filter(Boolean) : void 0;
-  const cfg = readConfig() ?? {};
-  if (!cfg.endpoint) {
-    stderr.write("error: no endpoint \u2014 run `alter-identity init` first\n");
-    exit(2);
-  }
-  if (!yesFlag && stdin.isTTY) {
-    const probes = probeAll();
-    const found = probes.filter((p) => p.installed).map((p) => p.client.label);
-    if (found.length === 0) {
-      stdout.write("No MCP-aware clients detected on this machine. Nothing to do.\n");
-      return;
-    }
-    stdout.write(`Detected: ${found.join(", ")}
-`);
-    const proceed = await confirm("Wire these clients to ALTER?", true);
-    if (!proceed) {
-      stdout.write("aborted.\n");
-      return;
-    }
-  }
-  const report = wire({ endpoint: cfg.endpoint, apiKey: cfg.apiKey, only });
-  printWireReport(report);
-}
-async function runUnwire() {
-  const report = unwire();
-  printUnwireReport(report);
-}
-function printWireReport(report) {
-  for (const target of report.state.targets) {
-    const tag = `[${target.client}]`;
-    switch (target.status) {
-      case "written":
-        if (target.method === "file") {
-          stdout.write(`  \u2713 ${tag} wrote ${target.path} (backup: ${target.backupPath ?? "(none \u2014 created new file)"})
-`);
-        } else {
-          stdout.write(`  \u2713 ${tag} registered via \`${target.command}\`
-`);
-        }
-        break;
-      case "already-wired":
-        stdout.write(`  \xB7 ${tag} already wired \u2014 no change
-`);
-        break;
-      case "skipped":
-        stdout.write(`  - ${tag} skipped (${target.reason ?? "not installed"})
-`);
-        break;
-      case "failed":
-        stderr.write(`  \u2717 ${tag} failed: ${target.reason ?? "unknown"}
-`);
-        break;
-    }
-  }
-  stdout.write(`
-wire-state \u2192 ${join(env.XDG_CONFIG_HOME || join(homedir(), ".config"), "alter", "wire-state.json")}
-`);
-  stdout.write("run `alter-identity unwire` to reverse.\n");
-}
-function printUnwireReport(report) {
-  if (!report.state) {
-    stdout.write("nothing to unwire \u2014 no wire-state.json found\n");
-    return;
-  }
-  if (report.state.targets.length === 0) {
-    stdout.write("wire-state.json is empty \u2014 nothing to unwire\n");
-    return;
-  }
-  for (const entry of report.undone) {
-    const tag = `[${entry.client}]`;
-    switch (entry.action) {
-      case "restored":
-        stdout.write(`  \u2713 ${tag} restored from backup
-`);
-        break;
-      case "removed":
-        stdout.write(`  \u2713 ${tag} removed (file was created by wire)
-`);
-        break;
-      case "cli-removed":
-        stdout.write(`  \u2713 ${tag} removed via \`claude mcp remove\`
-`);
-        break;
-      case "skipped":
-        stdout.write(`  \xB7 ${tag} skipped (${entry.reason ?? ""})
-`);
-        break;
-      case "failed":
-        stderr.write(`  \u2717 ${tag} failed: ${entry.reason ?? ""}
-`);
-        break;
-    }
-  }
-}
-async function confirm(question, defaultYes) {
-  if (!stdin.isTTY) return false;
-  const rl = createInterface({ input: stdin, output: stdout });
-  const suffix = " [Y/n] " ;
-  const answer = await new Promise((resolve2) => {
-    rl.question(question + suffix, (ans) => resolve2(ans));
-  });
-  rl.close();
-  const trimmed = answer.trim().toLowerCase();
-  if (!trimmed) return defaultYes;
-  return trimmed === "y" || trimmed === "yes";
-}
-async function runMessage(args) {
-  const [sub, ...rest] = args;
-  if (!sub) {
-    stderr.write("usage: alter-identity message <send|inbox|thread|grant|revoke> ...\n");
-    exit(2);
-  }
-  const cfg = readConfig() ?? {};
-  const client = new AlterClient({ endpoint: cfg.endpoint, apiKey: cfg.apiKey });
-  const printResult = (result) => {
-    const text = result.content?.[0]?.text;
-    if (text) {
-      stdout.write(text + "\n");
-      return;
-    }
-    if (result.data !== void 0) {
-      stdout.write(JSON.stringify(result.data, null, 2) + "\n");
-      return;
-    }
-    stdout.write(JSON.stringify(result, null, 2) + "\n");
-  };
-  try {
-    switch (sub) {
-      case "send": {
-        const to = rest[0];
-        let body = rest[1];
-        if (!to || !body) {
-          stderr.write("usage: alter-identity message send <~handle> <body|->\n");
-          exit(2);
-        }
-        if (body === "-") {
-          const chunks = [];
-          for await (const chunk of (await import('process')).stdin) {
-            chunks.push(chunk);
-          }
-          body = Buffer.concat(chunks).toString("utf8").trim();
-          if (!body) {
-            stderr.write("error: empty body on stdin\n");
-            exit(2);
-          }
-        }
-        const result = await client.messageSend({ to, body });
-        printResult(result);
-        break;
-      }
-      case "inbox": {
-        const unreadOnly = rest.includes("--unread");
-        const sinceArg = rest.find((a) => a.startsWith("--since="));
-        const since = sinceArg ? sinceArg.slice("--since=".length) : void 0;
-        const result = await client.messageInbox({
-          unread_only: unreadOnly || void 0,
-          since
-        });
-        printResult(result);
-        break;
-      }
-      case "thread": {
-        const peer = rest[0];
-        if (!peer) {
-          stderr.write("usage: alter-identity message thread <~handle>\n");
-          exit(2);
-        }
-        const result = await client.messageThread({ with: peer });
-        printResult(result);
-        break;
-      }
-      case "grant": {
-        const peer = rest[0];
-        if (!peer) {
-          stderr.write("usage: alter-identity message grant <~handle>\n");
-          exit(2);
-        }
-        const result = await client.messageGrant({ peer });
-        printResult(result);
-        break;
-      }
-      case "revoke": {
-        const peer = rest[0];
-        if (!peer) {
-          stderr.write("usage: alter-identity message revoke <~handle>\n");
-          exit(2);
-        }
-        const result = await client.messageRevoke({ peer });
-        printResult(result);
-        break;
-      }
-      case "mark-read": {
-        const ids = rest.filter((a) => !a.startsWith("--"));
-        if (ids.length === 0) {
-          stderr.write("usage: alter-identity message mark-read <id> [<id> ...]\n");
-          exit(2);
-        }
-        const result = await client.messageMarkRead({ message_ids: ids });
-        printResult(result);
-        break;
-      }
-      case "redact": {
-        const id = rest[0];
-        if (!id) {
-          stderr.write("usage: alter-identity message redact <id>\n");
-          exit(2);
-        }
-        const result = await client.messageRedact({ message_id: id });
-        printResult(result);
-        break;
-      }
-      default:
-        stderr.write(`unknown message subcommand: ${sub}
-`);
-        exit(2);
-    }
-  } catch (err) {
-    stderr.write(`message ${sub} failed: ${err.message}
-`);
-    exit(1);
-  }
-}
-function readConfig() {
-  if (!existsSync(CONFIG_PATH)) return null;
-  try {
-    return JSON.parse(readFileSync(CONFIG_PATH, "utf8"));
-  } catch {
-    return null;
-  }
-}
-function writeConfig(cfg) {
-  mkdirSync(dirname(CONFIG_PATH), { recursive: true, mode: 448 });
-  writeFileSync(CONFIG_PATH, JSON.stringify(cfg, null, 2), { mode: 384 });
-}
-main().catch((err) => {
-  stderr.write(`error: ${err.message}
-`);
-  exit(1);
-});