@zeph-to/mcp-server 1.11.0 → 1.11.2

package/dist/crypto.d.ts

@@ -27,13 +27,28 @@
  *   sensitive-but-not-secret.
  */
 /**
- * Initialize crypto: sync keys with server, then fallback to local/generate.
- * Server is source of truth for per-user key pair.
+ * Initialize crypto.
+ *
+ * The MCP server is a CONSUMER of encryption keys, not a generator. Keys
+ * are created in the Zeph app where the user explicitly opts in (Settings
+ * → Encryption). This function only imports keys that the server already
+ * has, and only when the server confirms encryption is enabled.
+ *
+ * Any other state — server says disabled, server has no keys, server is
+ * unreachable — leaves encryption OFF (cache empty, no fallback). A
+ * previous version generated and uploaded a fresh keypair on the "no keys
+ * anywhere" path; combined with a transient fetch failure, that silently
+ * turned encryption on without user consent and locked the account into
+ * an "encryption enabled" state on the server.
+ *
+ * Opt-out: `ZEPH_DISABLE_ENCRYPTION=1` forces crypto off regardless of
+ * server state — useful while cleaning up legacy state or for users who
+ * never want encryption.
+ *
  * Safe to call concurrently — deduplicates to single init.
- * Returns the exported public key (Base64 SPKI).
+ * Returns the exported public key when encryption is active, '' otherwise.
  *
- * NOTE: when `apiKey` is provided, `baseUrl` is required — otherwise a
- * caller in a dev environment would silently upload keys to prod.
+ * NOTE: when `apiKey` is provided, `baseUrl` is required.
  */
 export declare const initCrypto: (apiKey?: string, baseUrl?: string) => Promise<string>;
 export declare const getKeyPair: () => CryptoKeyPair | null;

package/dist/crypto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AA2JH;;;;;;;;GAQG;AACH,eAAO,MAAM,UAAU,GAAI,SAAS,MAAM,EAAE,UAAU,MAAM,KAAG,OAAO,CAAC,MAAM,CAyE5E,CAAC;AAqCF,eAAO,MAAM,UAAU,QAAO,aAAa,GAAG,IAAqB,CAAC;AACpE,eAAO,MAAM,YAAY,QAAO,MAAM,GAAG,IAA+B,CAAC;AAEzE;;GAEG;AACH,eAAO,MAAM,sBAAsB,GACjC,OAAO;IAAE,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,KACrD,OAAO,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,IAAI,CAAC;CACnB,CAaA,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kBAAkB,GAC7B,SAAS,MAAM,KACd,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAA;CAAE,CAQlE,CAAC"}
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AA4JH;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,UAAU,GAAI,SAAS,MAAM,EAAE,UAAU,MAAM,KAAG,OAAO,CAAC,MAAM,CAsE5E,CAAC;AA8BF,eAAO,MAAM,UAAU,QAAO,aAAa,GAAG,IAAqB,CAAC;AACpE,eAAO,MAAM,YAAY,QAAO,MAAM,GAAG,IAA+B,CAAC;AAEzE;;GAEG;AACH,eAAO,MAAM,sBAAsB,GACjC,OAAO;IAAE,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,KACrD,OAAO,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,IAAI,CAAC;CACnB,CAaA,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kBAAkB,GAC7B,SAAS,MAAM,KACd,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAA;CAAE,CAQlE,CAAC"}

package/dist/crypto.js

@@ -52,14 +52,8 @@ const fromBase64 = (base64) => {
 };
 // ─── ECDH key management ───
 const ECDH_PARAMS = { name: 'ECDH', namedCurve: 'P-256' };
-const generateKeyPair = async () => crypto.subtle.generateKey(ECDH_PARAMS, true, ['deriveKey', 'deriveBits']);
-const exportKeyPair = async (keyPair) => {
-    const [publicRaw, privateRaw] = await Promise.all([
-        crypto.subtle.exportKey('spki', keyPair.publicKey),
-        crypto.subtle.exportKey('pkcs8', keyPair.privateKey),
-    ]);
-    return { publicKey: toBase64(publicRaw), privateKey: toBase64(privateRaw) };
-};
+// generateKeyPair / exportKeyPair were removed in fix/no-auto-encryption.
+// This module imports keys only; it never creates or exports them.
 const importPublicKey = async (base64) => crypto.subtle.importKey('spki', fromBase64(base64), ECDH_PARAMS, true, []);
 const importPrivateKey = async (base64) => crypto.subtle.importKey('pkcs8', fromBase64(base64), ECDH_PARAMS, true, ['deriveKey', 'deriveBits']);
 const importKeyPair = async (exported) => {
@@ -117,80 +111,102 @@ const storeKeys = (exported) => {
     (0, fs_1.mkdirSync)(KEYS_DIR, { recursive: true, mode: 0o700 });
     (0, fs_1.writeFileSync)(KEYS_PATH, JSON.stringify(exported, null, 2), { mode: 0o600 });
 };
+const deleteStoredKeys = () => {
+    try {
+        (0, fs_1.unlinkSync)(KEYS_PATH);
+    }
+    catch { /* not present — fine */ }
+};
+const envIsTrue = (key) => {
+    const v = process.env[key];
+    return !!v && /^(1|true|yes|on)$/i.test(v.trim());
+};
 // ─── Cached state ───
 let cachedKeyPair = null;
 let cachedExportedPublicKey = null;
 let cachedOwnPublicKey = null;
 let initPromise = null;
 /**
- * Initialize crypto: sync keys with server, then fallback to local/generate.
- * Server is source of truth for per-user key pair.
+ * Initialize crypto.
+ *
+ * The MCP server is a CONSUMER of encryption keys, not a generator. Keys
+ * are created in the Zeph app where the user explicitly opts in (Settings
+ * → Encryption). This function only imports keys that the server already
+ * has, and only when the server confirms encryption is enabled.
+ *
+ * Any other state — server says disabled, server has no keys, server is
+ * unreachable — leaves encryption OFF (cache empty, no fallback). A
+ * previous version generated and uploaded a fresh keypair on the "no keys
+ * anywhere" path; combined with a transient fetch failure, that silently
+ * turned encryption on without user consent and locked the account into
+ * an "encryption enabled" state on the server.
+ *
+ * Opt-out: `ZEPH_DISABLE_ENCRYPTION=1` forces crypto off regardless of
+ * server state — useful while cleaning up legacy state or for users who
+ * never want encryption.
+ *
  * Safe to call concurrently — deduplicates to single init.
- * Returns the exported public key (Base64 SPKI).
+ * Returns the exported public key when encryption is active, '' otherwise.
  *
- * NOTE: when `apiKey` is provided, `baseUrl` is required — otherwise a
- * caller in a dev environment would silently upload keys to prod.
+ * NOTE: when `apiKey` is provided, `baseUrl` is required.
  */
 const initCrypto = (apiKey, baseUrl) => {
+    // Hard opt-out — skip everything, leave cache empty.
+    if (envIsTrue('ZEPH_DISABLE_ENCRYPTION')) {
+        cachedKeyPair = null;
+        cachedExportedPublicKey = null;
+        cachedOwnPublicKey = null;
+        return Promise.resolve('');
+    }
     if (apiKey && !baseUrl) {
         return Promise.reject(new Error('initCrypto: baseUrl is required when apiKey is provided. ' +
-            'Pass the resolved config.baseUrl to avoid silently syncing dev keys to prod.'));
+            'Pass the resolved config.baseUrl to avoid talking to the wrong environment.'));
     }
     if (initPromise)
         return initPromise;
-    // The check above guarantees baseUrl is defined when apiKey is — narrow once.
     const baseUrlRequired = apiKey ? baseUrl : baseUrl;
     initPromise = (async () => {
-        const stored = loadStoredKeys();
-        // Try server sync if API key available
         if (apiKey) {
             const serverResult = await fetchServerKeys(apiKey, baseUrlRequired);
-            // Server says encryption disabled — skip crypto init
-            if (serverResult && !serverResult.encryptionEnabled) {
+            // The only path that turns encryption ON: server confirms enabled AND
+            // hands us a real keypair. Everything else leaves the cache empty.
+            const haveServerKeys = !!serverResult && serverResult.encryptionEnabled && !!serverResult.keys;
+            if (!haveServerKeys) {
                 cachedKeyPair = null;
                 cachedExportedPublicKey = null;
                 cachedOwnPublicKey = null;
-                return '';
-            }
-            if (serverResult?.keys) {
-                if (!stored || stored.publicKey !== serverResult.keys.publicKey) {
-                    storeKeys(serverResult.keys);
+                // If the server is reachable and explicitly says encryption is off,
+                // drop any stale local cache so a future regression can't resurrect
+                // a keypair that the user already disabled.
+                if (serverResult && !serverResult.encryptionEnabled) {
+                    deleteStoredKeys();
                 }
-                cachedKeyPair = await importKeyPair(serverResult.keys);
-                cachedExportedPublicKey = serverResult.keys.publicKey;
-                cachedOwnPublicKey = cachedKeyPair.publicKey;
-                return serverResult.keys.publicKey;
+                return '';
             }
-            if (stored) {
-                await uploadServerKeys(stored, apiKey, baseUrlRequired);
-                cachedKeyPair = await importKeyPair(stored);
-                cachedExportedPublicKey = stored.publicKey;
-                cachedOwnPublicKey = cachedKeyPair.publicKey;
-                return stored.publicKey;
+            const keys = serverResult.keys;
+            const stored = loadStoredKeys();
+            if (!stored || stored.publicKey !== keys.publicKey) {
+                storeKeys(keys);
             }
-            const keyPair = await generateKeyPair();
-            const exported = await exportKeyPair(keyPair);
-            storeKeys(exported);
-            await uploadServerKeys(exported, apiKey, baseUrlRequired);
-            cachedKeyPair = keyPair;
-            cachedExportedPublicKey = exported.publicKey;
-            cachedOwnPublicKey = keyPair.publicKey;
-            return exported.publicKey;
-        }
-        // No API key — local-only mode
-        if (stored) {
-            cachedKeyPair = await importKeyPair(stored);
-            cachedExportedPublicKey = stored.publicKey;
+            cachedKeyPair = await importKeyPair(keys);
+            cachedExportedPublicKey = keys.publicKey;
             cachedOwnPublicKey = cachedKeyPair.publicKey;
-            return stored.publicKey;
+            return keys.publicKey;
         }
-        const keyPair = await generateKeyPair();
-        const exported = await exportKeyPair(keyPair);
-        storeKeys(exported);
-        cachedKeyPair = keyPair;
-        cachedExportedPublicKey = exported.publicKey;
-        cachedOwnPublicKey = keyPair.publicKey;
-        return exported.publicKey;
+        // Local-only mode (no apiKey): load stored keys if they exist; do NOT
+        // generate. Used by tests and offline / pre-provisioned setups where
+        // a keypair has been dropped into ~/.config/zeph/keys.json out-of-band.
+        const stored = loadStoredKeys();
+        if (!stored) {
+            cachedKeyPair = null;
+            cachedExportedPublicKey = null;
+            cachedOwnPublicKey = null;
+            return '';
+        }
+        cachedKeyPair = await importKeyPair(stored);
+        cachedExportedPublicKey = stored.publicKey;
+        cachedOwnPublicKey = cachedKeyPair.publicKey;
+        return stored.publicKey;
     })().catch((err) => {
         initPromise = null;
         throw err;
@@ -216,17 +232,9 @@ const fetchServerKeys = async (apiKey, baseUrl) => {
         return null;
     }
 };
-const uploadServerKeys = async (keys, apiKey, baseUrl) => {
-    try {
-        const url = `${baseUrl.replace(/\/$/, '')}/users/me/keys`;
-        await fetch(url, {
-            method: 'PUT',
-            headers: { 'X-API-Key': apiKey, 'Content-Type': 'application/json' },
-            body: JSON.stringify(keys),
-        });
-    }
-    catch { /* non-critical */ }
-};
+// uploadServerKeys was removed in fix/no-auto-encryption — the MCP server
+// must never write to /users/me/keys. Keys are created by the Zeph app
+// where the user explicitly opts in.
 const getKeyPair = () => cachedKeyPair;
 exports.getKeyPair = getKeyPair;
 const getPublicKey = () => cachedExportedPublicKey;

package/dist/poll.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"poll.d.ts","sourceRoot":"","sources":["../src/poll.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEpD,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAC;IAE5C,gBAAgB,EAAE,CAAC,YAAY,EAAE,GAAG,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACxD;AAOD,eAAO,MAAM,eAAe,GAC1B,QAAQ,aAAa,EACrB,QAAQ,MAAM,EACd,SAAS,MAAM,EACf,gBAAgB,MAAM,EACtB,KAAK,WAAW,KACf,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAsClC,CAAC"}
+{"version":3,"file":"poll.d.ts","sourceRoot":"","sources":["../src/poll.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEpD,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAC;IAE5C,gBAAgB,EAAE,CAAC,YAAY,EAAE,GAAG,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACxD;AAOD,eAAO,MAAM,eAAe,GAC1B,QAAQ,aAAa,EACrB,QAAQ,MAAM,EACd,SAAS,MAAM,EACf,gBAAgB,MAAM,EACtB,KAAK,WAAW,KACf,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAwClC,CAAC"}

package/dist/poll.js

@@ -33,8 +33,10 @@ const pollForResponse = async (client, hookId, eventId, timeoutSeconds, ctx) =>
                 });
             }
         }
-        // Adaptive interval: 2s for first 5 attempts, then 3s
-        const interval = attempt < 5 ? 2000 : 3000;
+        // Adaptive interval: poll every 1s while the user is likely still at
+        // their device (first ~60 attempts ≈ 1 min), then back off to 3s for
+        // long waits. The tight 1s window keeps post-tap detection snappy.
+        const interval = attempt < 60 ? 1000 : 3000;
         await sleep(interval);
         attempt++;
     }

package/dist/sanitize.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Defensive cleanup for tool arguments.
+ *
+ * An agent occasionally emits a malformed tool call where a parameter's
+ * closing tag is wrong, so the serialized markup of the *following*
+ * parameters bleeds into an earlier string argument.
+ *
+ * Observed in the wild — a zeph_ask `body` arrived as:
+ *
+ *   "...Commit now or test first?</body>
+ *    <parameter name=\"actions\">[{\"id\":\"commit\",...}]"
+ *
+ * The actions JSON leaked into `body`, and `actions` itself arrived
+ * undefined — so the push showed the raw markup and no buttons.
+ *
+ * sanitizeText strips the leaked markup; recoverActions pulls the
+ * swallowed actions array back out so the call still works.
+ */
+export interface RecoveredAction {
+    id: string;
+    label: string;
+    style?: 'primary' | 'secondary' | 'danger';
+}
+/**
+ * Strip leaked tool-call markup from a free-text argument. Returns the
+ * text unchanged when no leak is detected.
+ */
+export declare const sanitizeText: (text: string | undefined) => string | undefined;
+/**
+ * Recover an `actions` array that leaked into the body of a malformed
+ * zeph_ask call. Returns undefined when nothing parseable is found.
+ */
+export declare const recoverActions: (text: string | undefined) => RecoveredAction[] | undefined;
+//# sourceMappingURL=sanitize.d.ts.map

package/dist/sanitize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../src/sanitize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,SAAS,GAAG,WAAW,GAAG,QAAQ,CAAC;CAC5C;AAeD;;;GAGG;AACH,eAAO,MAAM,YAAY,GAAI,MAAM,MAAM,GAAG,SAAS,KAAG,MAAM,GAAG,SAIhE,CAAC;AASF;;;GAGG;AACH,eAAO,MAAM,cAAc,GAAI,MAAM,MAAM,GAAG,SAAS,KAAG,eAAe,EAAE,GAAG,SAgB7E,CAAC"}

package/dist/sanitize.js

@@ -0,0 +1,71 @@
+"use strict";
+/**
+ * Defensive cleanup for tool arguments.
+ *
+ * An agent occasionally emits a malformed tool call where a parameter's
+ * closing tag is wrong, so the serialized markup of the *following*
+ * parameters bleeds into an earlier string argument.
+ *
+ * Observed in the wild — a zeph_ask `body` arrived as:
+ *
+ *   "...Commit now or test first?</body>
+ *    <parameter name=\"actions\">[{\"id\":\"commit\",...}]"
+ *
+ * The actions JSON leaked into `body`, and `actions` itself arrived
+ * undefined — so the push showed the raw markup and no buttons.
+ *
+ * sanitizeText strips the leaked markup; recoverActions pulls the
+ * swallowed actions array back out so the call still works.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.recoverActions = exports.sanitizeText = void 0;
+// Markers that should never appear in a real notification body — their
+// presence means tool-call markup has leaked in. Cut at the earliest one.
+const LEAK_MARKERS = ['</body>', '</parameter>', '<parameter name=', '<parameter '];
+const findLeakStart = (text) => {
+    let earliest = -1;
+    for (const marker of LEAK_MARKERS) {
+        const idx = text.indexOf(marker);
+        if (idx !== -1 && (earliest === -1 || idx < earliest))
+            earliest = idx;
+    }
+    return earliest;
+};
+/**
+ * Strip leaked tool-call markup from a free-text argument. Returns the
+ * text unchanged when no leak is detected.
+ */
+const sanitizeText = (text) => {
+    if (!text)
+        return text;
+    const cut = findLeakStart(text);
+    return cut === -1 ? text : text.slice(0, cut).trimEnd();
+};
+exports.sanitizeText = sanitizeText;
+const isActionArray = (value) => Array.isArray(value) &&
+    value.length > 0 &&
+    value.every((a) => a && typeof a.id === 'string' && typeof a.label === 'string');
+/**
+ * Recover an `actions` array that leaked into the body of a malformed
+ * zeph_ask call. Returns undefined when nothing parseable is found.
+ */
+const recoverActions = (text) => {
+    if (!text)
+        return undefined;
+    const marker = text.search(/<(?:antml:)?parameter name="actions">/);
+    if (marker === -1)
+        return undefined;
+    const after = text.slice(marker);
+    const start = after.indexOf('[');
+    const end = after.lastIndexOf(']');
+    if (start === -1 || end <= start)
+        return undefined;
+    try {
+        const parsed = JSON.parse(after.slice(start, end + 1));
+        return isActionArray(parsed) ? parsed : undefined;
+    }
+    catch {
+        return undefined;
+    }
+};
+exports.recoverActions = recoverActions;

package/dist/tools/ask.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ask.d.ts","sourceRoot":"","sources":["../../src/tools/ask.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGtD,OAAO,EAAmB,KAAK,eAAe,EAAE,MAAM,cAAc,CAAC;AAuBrE,eAAO,MAAM,eAAe,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SAwHhG,CAAC"}
+{"version":3,"file":"ask.d.ts","sourceRoot":"","sources":["../../src/tools/ask.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGtD,OAAO,EAAmB,KAAK,eAAe,EAAE,MAAM,cAAc,CAAC;AAwBrE,eAAO,MAAM,eAAe,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SAgIhG,CAAC"}

package/dist/tools/ask.js

@@ -7,6 +7,7 @@ const poll_js_1 = require("../poll.js");
 const config_js_1 = require("../config.js");
 const crypto_js_1 = require("../crypto.js");
 const mime_js_1 = require("../mime.js");
+const sanitize_js_1 = require("../sanitize.js");
 // The device feed shows a short preview of the body. Anything longer than
 // this gets truncated there, so we attach the full text as a file — the
 // user can always open the complete content instead of squinting at a
@@ -63,16 +64,22 @@ const registerAskTool = (server, client, config) => {
             return (0, error_format_js_1.hookNotConfiguredError)();
         try {
             const pushTitle = (0, config_js_1.formatPushTitle)(config.projectName, title);
+            // Defend against malformed tool calls where the actions array leaked
+            // into the body (a mis-closed `body` parameter). Recover the actions
+            // from the raw body first, then strip the leaked markup. Without this
+            // the push arrives with no buttons and raw markup in the text.
+            const effectiveActions = actions && actions.length > 0 ? actions : (0, sanitize_js_1.recoverActions)(body);
+            const cleanBody = (0, sanitize_js_1.sanitizeText)(body);
             // Attach a file whenever the body would be clipped in the feed preview.
-            const exceedsPreview = !!body && body.length > PREVIEW_LENGTH;
-            let triggerBody = body;
+            const exceedsPreview = !!cleanBody && cleanBody.length > PREVIEW_LENGTH;
+            let triggerBody = cleanBody;
             let files;
-            if (exceedsPreview && body) {
+            if (exceedsPreview && cleanBody) {
                 const fileName = 'response.md';
                 const fileType = (0, mime_js_1.inferMimeType)(fileName);
                 const canEncrypt = !!(0, crypto_js_1.getKeyPair)() && !!(0, crypto_js_1.getPublicKey)();
                 // Self-contained Markdown so the file alone tells the whole story.
-                const fileMarkdown = buildAskMarkdown(title, body, actions);
+                const fileMarkdown = buildAskMarkdown(title, cleanBody, effectiveActions);
                 const fileBytes = new TextEncoder().encode(fileMarkdown).byteLength;
                 let uploadContent = fileMarkdown;
                 let uploadContentType = fileType;
@@ -92,13 +99,13 @@ const registerAskTool = (server, client, config) => {
                 }
                 const upload = await client.requestUpload({ fileName, fileType: uploadContentType, fileSize: typeof uploadContent === 'string' ? fileBytes : uploadContent.length });
                 await client.uploadToS3(upload.data.uploadUrl, uploadContent, uploadContentType);
-                triggerBody = body.slice(0, PREVIEW_LENGTH) + '...';
+                triggerBody = cleanBody.slice(0, PREVIEW_LENGTH) + '...';
                 files = [{ fileKey: upload.data.fileKey, fileName, fileSize: fileBytes, fileType, iv: fileIv, encryptedKey: fileEncryptedKey }];
             }
             const trigger = await client.triggerHook(config.hookId, {
                 title: pushTitle,
                 body: triggerBody,
-                actions,
+                actions: effectiveActions,
                 timeout,
                 fallback,
                 hookType: 'combo',

package/dist/tools/input.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"input.d.ts","sourceRoot":"","sources":["../../src/tools/input.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGtD,OAAO,EAAmB,KAAK,eAAe,EAAE,MAAM,cAAc,CAAC;AAErE,eAAO,MAAM,iBAAiB,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SAwDlG,CAAC"}
+{"version":3,"file":"input.d.ts","sourceRoot":"","sources":["../../src/tools/input.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGtD,OAAO,EAAmB,KAAK,eAAe,EAAE,MAAM,cAAc,CAAC;AAGrE,eAAO,MAAM,iBAAiB,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SAwDlG,CAAC"}

package/dist/tools/input.js

@@ -5,6 +5,7 @@ const zod_1 = require("zod");
 const error_format_js_1 = require("../error-format.js");
 const poll_js_1 = require("../poll.js");
 const config_js_1 = require("../config.js");
+const sanitize_js_1 = require("../sanitize.js");
 const registerInputTool = (server, client, config) => {
     server.registerTool('zeph_input', {
         description: 'Request text input from the user via push notification. The tool blocks until the user responds or the timeout is reached. Requires ZEPH_HOOK_ID environment variable.',
@@ -34,7 +35,7 @@ const registerInputTool = (server, client, config) => {
         try {
             const trigger = await client.triggerHook(config.hookId, {
                 title: (0, config_js_1.formatPushTitle)(config.projectName, title),
-                body,
+                body: (0, sanitize_js_1.sanitizeText)(body),
                 timeout,
                 hookType: 'input',
                 metadata: { placeholder, inputType },

package/dist/tools/notify.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"notify.d.ts","sourceRoot":"","sources":["../../src/tools/notify.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEtD,OAAO,EAAmB,KAAK,eAAe,EAAE,MAAM,cAAc,CAAC;AAQrE,eAAO,MAAM,kBAAkB,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SAiHnG,CAAC"}
+{"version":3,"file":"notify.d.ts","sourceRoot":"","sources":["../../src/tools/notify.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEtD,OAAO,EAAmB,KAAK,eAAe,EAAE,MAAM,cAAc,CAAC;AASrE,eAAO,MAAM,kBAAkB,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SAmHnG,CAAC"}

package/dist/tools/notify.js

@@ -6,6 +6,7 @@ const error_format_js_1 = require("../error-format.js");
 const config_js_1 = require("../config.js");
 const crypto_js_1 = require("../crypto.js");
 const mime_js_1 = require("../mime.js");
+const sanitize_js_1 = require("../sanitize.js");
 // The device feed shows a short preview of the body. Anything longer gets
 // truncated there, so we attach the full text as a file for full viewing.
 const PREVIEW_LENGTH = 200;
@@ -31,14 +32,16 @@ const registerNotifyTool = (server, client, config) => {
         try {
             const deviceId = targetDeviceId ?? config.deviceId;
             const pushTitle = (0, config_js_1.formatPushTitle)(config.projectName, title);
+            // Strip any tool-call markup that leaked into the body argument.
+            const cleanBody = (0, sanitize_js_1.sanitizeText)(body);
             // Attach a file whenever the body would be clipped in the feed preview.
-            const isLongBody = !!body && body.length > PREVIEW_LENGTH;
+            const isLongBody = !!cleanBody && cleanBody.length > PREVIEW_LENGTH;
             const canEncrypt = !!(0, crypto_js_1.getKeyPair)() && !!(0, crypto_js_1.getPublicKey)();
-            if (isLongBody && body) {
+            if (isLongBody && cleanBody) {
                 const fileName = 'response.md';
                 const fileType = (0, mime_js_1.inferMimeType)(fileName);
                 // Self-contained Markdown so the file alone carries the full text.
-                const fileMarkdown = `# ${title}\n\n${body}`;
+                const fileMarkdown = `# ${title}\n\n${cleanBody}`;
                 const fileBytes = new TextEncoder().encode(fileMarkdown).byteLength;
                 // Encrypt file content if keys available
                 let uploadContent = fileMarkdown;
@@ -59,7 +62,7 @@ const registerNotifyTool = (server, client, config) => {
                 }
                 const upload = await client.requestUpload({ fileName, fileType: uploadContentType, fileSize: typeof uploadContent === 'string' ? fileBytes : uploadContent.length });
                 await client.uploadToS3(upload.data.uploadUrl, uploadContent, uploadContentType);
-                const preview = body.slice(0, PREVIEW_LENGTH) + '...';
+                const preview = cleanBody.slice(0, PREVIEW_LENGTH) + '...';
                 // Encrypt push body (title/preview/url) if keys available
                 let pushPayload = {
                     title: pushTitle,
@@ -86,7 +89,7 @@ const registerNotifyTool = (server, client, config) => {
             // Short body — encrypt push only
             let pushPayload = {
                 title: pushTitle,
-                body,
+                body: cleanBody,
                 url,
                 type: 'hook',
                 priority,
@@ -95,7 +98,7 @@ const registerNotifyTool = (server, client, config) => {
             };
             if (canEncrypt) {
                 try {
-                    const enc = await (0, crypto_js_1.encryptPushBodyForSelf)({ title: pushTitle, body, url });
+                    const enc = await (0, crypto_js_1.encryptPushBodyForSelf)({ title: pushTitle, body: cleanBody, url });
                     pushPayload = { ...pushPayload, title: undefined, body: enc.body, isEncrypted: enc.isEncrypted, encryptedKey: enc.encryptedKey, senderPublicKey: enc.senderPublicKey };
                 }
                 catch (err) {

package/dist/tools/prompt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"prompt.d.ts","sourceRoot":"","sources":["../../src/tools/prompt.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGtD,OAAO,EAAmB,KAAK,eAAe,EAAE,MAAM,cAAc,CAAC;AAErE,eAAO,MAAM,kBAAkB,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SAuEnG,CAAC"}
+{"version":3,"file":"prompt.d.ts","sourceRoot":"","sources":["../../src/tools/prompt.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGtD,OAAO,EAAmB,KAAK,eAAe,EAAE,MAAM,cAAc,CAAC;AAGrE,eAAO,MAAM,kBAAkB,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SAuEnG,CAAC"}

package/dist/tools/prompt.js

@@ -5,6 +5,7 @@ const zod_1 = require("zod");
 const error_format_js_1 = require("../error-format.js");
 const poll_js_1 = require("../poll.js");
 const config_js_1 = require("../config.js");
+const sanitize_js_1 = require("../sanitize.js");
 const registerPromptTool = (server, client, config) => {
     server.registerTool('zeph_prompt', {
         description: 'Ask the user to choose from predefined options via push notification. The tool blocks until the user responds or the timeout is reached. Requires ZEPH_HOOK_ID environment variable.',
@@ -43,7 +44,7 @@ const registerPromptTool = (server, client, config) => {
         try {
             const trigger = await client.triggerHook(config.hookId, {
                 title: (0, config_js_1.formatPushTitle)(config.projectName, title),
-                body,
+                body: (0, sanitize_js_1.sanitizeText)(body),
                 actions,
                 timeout,
                 fallback,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zeph-to/mcp-server",
-  "version": "1.11.0",
+  "version": "1.11.2",
   "description": "Zeph MCP server — AI agent notifications, prompts, and input via MCP protocol",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",