npm - @tuskydp/cli - Versions diffs - 0.1.2 → 0.2.1 - Mend

@tuskydp/cli 0.1.2 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

package/bin/tusky-dev.sh +5 -0
package/dist/src/commands/account.d.ts.map +1 -1
package/dist/src/commands/account.js +32 -2
package/dist/src/commands/account.js.map +1 -1
package/dist/src/commands/download.d.ts.map +1 -1
package/dist/src/commands/download.js +27 -7
package/dist/src/commands/download.js.map +1 -1
package/dist/src/commands/upload.d.ts.map +1 -1
package/dist/src/commands/upload.js +23 -2
package/dist/src/commands/upload.js.map +1 -1
package/dist/src/commands/vault.d.ts.map +1 -1
package/dist/src/commands/vault.js +145 -7
package/dist/src/commands/vault.js.map +1 -1
package/dist/src/config.d.ts +5 -0
package/dist/src/config.d.ts.map +1 -1
package/dist/src/config.js +7 -0
package/dist/src/config.js.map +1 -1
package/dist/src/index.js +3 -1
package/dist/src/index.js.map +1 -1
package/dist/src/mcp/context.d.ts +11 -2
package/dist/src/mcp/context.d.ts.map +1 -1
package/dist/src/mcp/context.js +3 -2
package/dist/src/mcp/context.js.map +1 -1
package/dist/src/mcp/server.d.ts.map +1 -1
package/dist/src/mcp/server.js +13 -0
package/dist/src/mcp/server.js.map +1 -1
package/dist/src/mcp/tools/files.d.ts +2 -1
package/dist/src/mcp/tools/files.d.ts.map +1 -1
package/dist/src/mcp/tools/files.js +49 -12
package/dist/src/mcp/tools/files.js.map +1 -1
package/dist/src/mcp/tools/sharedVaults.d.ts +7 -0
package/dist/src/mcp/tools/sharedVaults.d.ts.map +1 -0
package/dist/src/mcp/tools/sharedVaults.js +90 -0
package/dist/src/mcp/tools/sharedVaults.js.map +1 -0
package/dist/src/mcp/tools/vaults.js +1 -1
package/dist/src/mcp/tools/vaults.js.map +1 -1
package/dist/src/seal.d.ts +58 -0
package/dist/src/seal.d.ts.map +1 -0
package/dist/src/seal.js +207 -0
package/dist/src/seal.js.map +1 -0
package/package.json +16 -13
package/src/__tests__/seal.test.ts +357 -0
package/src/commands/account.ts +35 -2
package/src/commands/download.ts +34 -13
package/src/commands/upload.ts +25 -2
package/src/commands/vault.ts +158 -7
package/src/config.ts +8 -0
package/src/index.ts +3 -1
package/src/mcp/context.ts +13 -2
package/src/mcp/server.ts +13 -0
package/src/mcp/tools/files.ts +61 -19
package/src/mcp/tools/sharedVaults.ts +122 -0
package/src/mcp/tools/vaults.ts +2 -2
package/src/seal.ts +266 -0

package/src/mcp/tools/sharedVaults.ts ADDED Viewed

@@ -0,0 +1,122 @@
+/**
+ * MCP tools — Shared vault member management
+ */
+import { z } from 'zod';
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import type { McpContext } from '../context.js';
+import { wrapToolError } from './helpers.js';
+export function registerSharedVaultTools(server: McpServer, ctx: McpContext) {
+  // ── Grant access to a shared vault ─────────────────────────────────
+  server.tool(
+    'tusky_vault_grant_access',
+    'Grant another user or agent access to a shared vault by their Sui address.',
+    {
+      vaultId: z.string().describe('Shared vault ID'),
+      suiAddress: z.string().describe('Sui address of the user/agent to grant access'),
+    },
+    async ({ vaultId, suiAddress }) => {
+      try {
+        const result = await ctx.sdk.sharedVaults.addMember(vaultId, { suiAddress });
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],
+        };
+      } catch (err) {
+        return wrapToolError(err);
+      }
+    },
+  );
+  // ── Revoke access from a shared vault ──────────────────────────────
+  server.tool(
+    'tusky_vault_revoke_access',
+    'Revoke access from a shared vault member.',
+    {
+      vaultId: z.string().describe('Shared vault ID'),
+      memberId: z.string().describe('Member ID to revoke'),
+    },
+    async ({ vaultId, memberId }) => {
+      try {
+        await ctx.sdk.sharedVaults.removeMember(vaultId, memberId);
+        return {
+          content: [{ type: 'text' as const, text: `Access revoked for member ${memberId}.` }],
+        };
+      } catch (err) {
+        return wrapToolError(err);
+      }
+    },
+  );
+  // ── List members of a shared vault ─────────────────────────────────
+  server.tool(
+    'tusky_vault_list_members',
+    'List all members of a shared vault.',
+    {
+      vaultId: z.string().describe('Shared vault ID'),
+    },
+    async ({ vaultId }) => {
+      try {
+        const result = await ctx.sdk.sharedVaults.listMembers(vaultId);
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],
+        };
+      } catch (err) {
+        return wrapToolError(err);
+      }
+    },
+  );
+  // ── List shared vaults the user is a member of ─────────────────────
+  server.tool(
+    'tusky_vault_list_shared',
+    'List all shared vaults that the authenticated user is a member of (not owner).',
+    {},
+    async () => {
+      try {
+        const result = await ctx.sdk.sharedVaults.list();
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],
+        };
+      } catch (err) {
+        return wrapToolError(err);
+      }
+    },
+  );
+  // ── Link Sui address to account ────────────────────────────────────
+  server.tool(
+    'tusky_account_link_sui',
+    'Link a Sui wallet address to the authenticated account. Required for shared vault access.',
+    {
+      suiAddress: z.string().describe('Sui wallet address (0x followed by 64 hex characters)'),
+    },
+    async ({ suiAddress }) => {
+      try {
+        await ctx.sdk.sharedVaults.linkSuiAddress(suiAddress);
+        return {
+          content: [{ type: 'text' as const, text: `Sui address ${suiAddress} linked to account.` }],
+        };
+      } catch (err) {
+        return wrapToolError(err);
+      }
+    },
+  );
+  // ── Unlink Sui address from account ─────────────────────────────────
+  server.tool(
+    'tusky_account_unlink_sui',
+    'Unlink the Sui wallet address from the authenticated account.',
+    {},
+    async () => {
+      try {
+        await ctx.sdk.sharedVaults.unlinkSuiAddress();
+        return {
+          content: [{ type: 'text' as const, text: 'Sui address unlinked from account.' }],
+        };
+      } catch (err) {
+        return wrapToolError(err);
+      }
+    },
+  );
+}

package/src/mcp/tools/vaults.ts CHANGED Viewed

@@ -15,8 +15,8 @@ export function registerVaultTools(server: McpServer, ctx: McpContext) {
     {
       name: z.string().describe('Vault name'),
       description: z.string().optional().describe('Vault description'),
-      visibility: z.enum(['public', 'private']).optional().describe(
-        'Vault visibility. "private" enables client-side encryption. Defaults to "private".',
+      visibility: z.enum(['public', 'private', 'shared']).optional().describe(
+        'Vault visibility. "private" uses passphrase-based E2E encryption. "shared" uses SEAL protocol for multi-party access. Defaults to "private".',
       ),
     },
     async ({ name, description, visibility }) => {

package/src/seal.ts ADDED Viewed

@@ -0,0 +1,266 @@
+/**
+ * SEAL encryption service for shared vaults (headless/CLI mode).
+ *
+ * Ported from packages/web/src/lib/seal.ts, adapted for headless use
+ * with an Ed25519 keypair instead of a browser wallet signer.
+ *
+ * Handles client-side encrypt/decrypt using the @mysten/seal SDK.
+ * - Encrypt: uses the vault's Whitelist object ID as the identity namespace
+ * - Decrypt: creates a SessionKey, signs with Ed25519 keypair, builds seal_approve PTB
+ *
+ * Requires TUSKYDP_SUI_PRIVATE_KEY env var for decrypt operations.
+ * Encrypt only requires a Sui RPC client (no signing needed).
+ */
+import { SealClient, SessionKey, EncryptedObject } from '@mysten/seal';
+import type { SealCompatibleClient } from '@mysten/seal';
+import { Ed25519Keypair } from '@mysten/sui/keypairs/ed25519';
+import { SuiJsonRpcClient } from '@mysten/sui/jsonRpc';
+import { Transaction } from '@mysten/sui/transactions';
+import { fromHex } from '@mysten/sui/utils';
+import { SEAL_PACKAGE_ID, SEAL_DEFAULT_KEY_SERVER_CONFIGS } from '@tuskydp/shared/constants.js';
+import type { VaultResponse } from '@tuskydp/sdk';
+import { getSuiPrivateKey } from './config.js';
+// ---------------------------------------------------------------------------
+// Lazy singletons
+// ---------------------------------------------------------------------------
+let _suiClient: SuiJsonRpcClient | null = null;
+let _suiKeypair: Ed25519Keypair | null = null;
+let _keypairLoaded = false;
+function getSuiNetwork(): { url: string; network: 'testnet' | 'mainnet' } {
+  const tuskyEnv = process.env.TUSKY_ENV || 'production';
+  const rpcOverride = process.env.SUI_RPC_URL;
+  const network = tuskyEnv === 'development' ? 'testnet' as const : 'mainnet' as const;
+  const url = rpcOverride || (network === 'testnet'
+    ? 'https://fullnode.testnet.sui.io:443'
+    : 'https://fullnode.mainnet.sui.io:443');
+  return { url, network };
+}
+function getSuiClient(): SuiJsonRpcClient {
+  if (!_suiClient) {
+    const { url, network } = getSuiNetwork();
+    _suiClient = new SuiJsonRpcClient({ url, network });
+  }
+  return _suiClient;
+}
+/**
+ * Load the Sui keypair from TUSKYDP_SUI_PRIVATE_KEY env var.
+ * Returns null if the env var is not set.
+ * Cached after first call.
+ */
+export function getSuiKeypair(): Ed25519Keypair | null {
+  if (_keypairLoaded) return _suiKeypair;
+  _keypairLoaded = true;
+  const privateKey = getSuiPrivateKey();
+  if (!privateKey) return null;
+  try {
+    _suiKeypair = Ed25519Keypair.fromSecretKey(privateKey);
+  } catch {
+    console.error('Invalid TUSKYDP_SUI_PRIVATE_KEY — could not load Ed25519 keypair.');
+    return null;
+  }
+  return _suiKeypair;
+}
+/**
+ * Get the Sui address for the loaded keypair, or null.
+ */
+export function getSuiAddress(): string | null {
+  const kp = getSuiKeypair();
+  return kp ? kp.toSuiAddress() : null;
+}
+// ---------------------------------------------------------------------------
+// SealClient factory
+// ---------------------------------------------------------------------------
+const _sealClients = new Map<string, SealClient>();
+function getSealClient(
+  serverConfigs: { objectId: string; weight: number }[],
+): SealClient {
+  const cacheKey = serverConfigs.map((c) => c.objectId).join(',');
+  let client = _sealClients.get(cacheKey);
+  if (!client) {
+    client = new SealClient({
+      suiClient: getSuiClient() as unknown as SealCompatibleClient,
+      serverConfigs,
+      verifyKeyServers: true,
+    });
+    _sealClients.set(cacheKey, client);
+  }
+  return client;
+}
+// ---------------------------------------------------------------------------
+// Identity helpers
+// ---------------------------------------------------------------------------
+/**
+ * Build SEAL identity bytes for a file in a shared vault.
+ * Format: [whitelist_object_id_bytes][file_nonce_hex]
+ * Must match the web implementation in packages/web/src/lib/seal.ts.
+ */
+export function buildSealId(whitelistObjectId: string, fileNonce: string): string {
+  const wlBytes = whitelistObjectId.replace(/^0x/, '');
+  const nonceHex = Array.from(new TextEncoder().encode(fileNonce))
+    .map((b) => b.toString(16).padStart(2, '0'))
+    .join('');
+  return wlBytes + nonceHex;
+}
+/**
+ * Check if a vault is SEAL-configured (has the necessary on-chain objects).
+ */
+export function isSealConfigured(vault: VaultResponse): boolean {
+  return !!(
+    vault.visibility === 'shared' &&
+    vault.sealAllowlistObjectId &&
+    vault.sealPackageId &&
+    vault.sealKeyServerIds?.length
+  );
+}
+// ---------------------------------------------------------------------------
+// Encrypt
+// ---------------------------------------------------------------------------
+export interface SealEncryptResult {
+  /** The encrypted data (BCS-encoded EncryptedObject) */
+  encryptedData: Uint8Array;
+  /** The SEAL identity used for encryption */
+  sealIdentity: string;
+  /** Base64-encoded serialized EncryptedObject metadata (for API storage) */
+  sealEncryptedObject: string;
+}
+/**
+ * Encrypt file data using SEAL for a shared vault.
+ *
+ * Does NOT require a Sui keypair — encryption is purely a client-side
+ * operation using the SEAL key servers and vault's allowlist identity.
+ */
+export async function sealEncrypt(
+  data: Uint8Array,
+  vault: VaultResponse,
+  fileNonce: string,
+): Promise<SealEncryptResult> {
+  if (!vault.sealAllowlistObjectId || !vault.sealPackageId) {
+    throw new Error('Vault is not configured for SEAL encryption (missing allowlist or package ID)');
+  }
+  const threshold = vault.sealThreshold ?? 1;
+  const serverConfigs = (vault.sealKeyServerIds ?? []).map((id) => ({
+    objectId: id,
+    weight: 1,
+  }));
+  if (serverConfigs.length === 0) {
+    throw new Error('No SEAL key servers configured for this vault');
+  }
+  const sealClient = getSealClient(serverConfigs);
+  const sealIdentity = buildSealId(vault.sealAllowlistObjectId, fileNonce);
+  const { encryptedObject } = await sealClient.encrypt({
+    threshold,
+    packageId: vault.sealPackageId,
+    id: sealIdentity,
+    data,
+  });
+  // Store compact metadata for the API (same format as web app).
+  // The full BCS-encoded EncryptedObject (ciphertext) goes to S3.
+  const sealEncryptedObject = Buffer.from(
+    JSON.stringify({
+      id: sealIdentity,
+      packageId: vault.sealPackageId,
+      threshold,
+    }),
+  ).toString('base64');
+  return {
+    encryptedData: encryptedObject,
+    sealIdentity,
+    sealEncryptedObject,
+  };
+}
+// ---------------------------------------------------------------------------
+// Decrypt
+// ---------------------------------------------------------------------------
+const SESSION_TTL_MIN = 10;
+/**
+ * Decrypt SEAL-encrypted file data.
+ *
+ * Requires a Sui keypair (TUSKYDP_SUI_PRIVATE_KEY) to sign the SessionKey
+ * and authorize decryption through the SEAL key servers.
+ */
+export async function sealDecrypt(
+  encryptedData: Uint8Array,
+  vault: VaultResponse,
+  keypair: Ed25519Keypair,
+): Promise<Uint8Array> {
+  if (!vault.sealPackageId || !vault.sealAllowlistObjectId) {
+    throw new Error('Vault is not configured for SEAL decryption');
+  }
+  const serverConfigs = (vault.sealKeyServerIds ?? []).map((id) => ({
+    objectId: id,
+    weight: 1,
+  }));
+  const suiClient = getSuiClient();
+  const sealClient = getSealClient(serverConfigs);
+  const userAddress = keypair.toSuiAddress();
+  // Parse the encrypted object to extract the identity
+  const encryptedObject = EncryptedObject.parse(encryptedData);
+  // Create a session key — in CLI mode we create a fresh one each time
+  // (unlike the web app which caches per vault for 10 minutes).
+  const sessionKey = await SessionKey.create({
+    address: userAddress,
+    packageId: vault.sealPackageId,
+    ttlMin: SESSION_TTL_MIN,
+    suiClient: suiClient as unknown as SealCompatibleClient,
+  });
+  // Sign the session key with the Ed25519 keypair
+  const personalMessage = sessionKey.getPersonalMessage();
+  const { signature } = await keypair.signPersonalMessage(personalMessage);
+  await sessionKey.setPersonalMessageSignature(signature);
+  // Build the seal_approve transaction kind bytes
+  const tx = new Transaction();
+  tx.setSender(userAddress);
+  tx.moveCall({
+    target: `${vault.sealPackageId}::shared_vault::seal_approve`,
+    arguments: [
+      tx.pure.vector('u8', Array.from(fromHex(encryptedObject.id))),
+      tx.object(vault.sealAllowlistObjectId),
+    ],
+  });
+  const txBytes = await tx.build({
+    client: suiClient as any,
+    onlyTransactionKind: true,
+  });
+  // Decrypt via SEAL key servers
+  const decrypted = await sealClient.decrypt({
+    data: encryptedData,
+    sessionKey,
+    txBytes,
+  });
+  return decrypted;
+}